Firmware Hex Debug Tool

[merlin]

Thanks for the CH-721 head info, I may have use for that.
As for the test radio, I don't know of anything keeping you from loading a new personality.
Still, you should save the tracking and feature files. The latest firmware wouldn't hurt either.

 

[BMDaug]

So I don’t understand why nobody has tried using a can bus sniffer on these radios. It seems like an easy point of entry. Can bus is a standard protocol and while the exact command set is not standardized, one could theoretically use a sniffer to find the entire command set while operating the radio and actually make a computer application to control every function of the radio! In addition, since a cable exists that can program the radio from the control head, you could even glean that programming information via can bus. A can sniffer is $25 or less and come in several varieties and seems like a valuable tool for troubleshooting since you could see what the radio is spitting out (or not spitting out) during a lost mru event…

-B

 

[ElroyJetson]

Total honesty: I don't really know anything about the CAN bus except that it's the serial communications method for communicating between the radio and the remote head, if so equipped, and that the CAN bus needs termination plugs on it.

I am unable to load or read the LOST MRU radio, as RPM reports that it's not in programming mode. It's the same whether I attempt this via the back panel RS232 port or the programming cable attached to the front panel mic connector. (The usual method as it's always accessible.)

I have not gotten any data via hyperterminal to the RS232 port, either. (19200-N-8-1 settings) Tried other baud rates as well.

The radio also powers up when power is applied. Turning it off via the front panel volume/power switch does not turn it off.

 

[merlin]

So I don’t understand why nobody has tried using a can bus sniffer on these radios. It seems like an easy point of entry. Can bus is a standard protocol and while the exact command set is not standardized, one could theoretically use a sniffer to find the entire command set while operating the radio and actually make a computer application to control every function of the radio! In addition, since a cable exists that can program the radio from the control head, you could even glean that programming information via can bus. A can sniffer is $25 or less and come in several varieties and seems like a valuable tool for troubleshooting since you could see what the radio is spitting out (or not spitting out) during a lost mru event…

-B

I have done that. the issue with trying to incorporate that into hyperterminal, is the vast amount of data one would have to send to the radio.
As mentioned, the initial connect is 9600-N-8-1. then the switch to 115200 after the first block.
That also goes into RS485 mode and another encapsulation level like 'STX" "ETX'.
I have one radio with (=) lost MRU. I connect, and get into the first block. When the speed shifts, everything goes dead, no data.

 

[ElroyJetson]

Please describe your connection to that one radio with lost MRU. What model? What configuration? What port are you using?
Hyperterm/putty settings, etc.

I remember that somebody says that the connection is at 19200 baud?

 

[merlin]

Total honesty: I don't really know anything about the CAN bus except that it's the serial communications method for communicating between the radio and the remote head, if so equipped, and that the CAN bus needs termination plugs on it.

I am unable to load or read the LOST MRU radio, as RPM reports that it's not in programming mode. It's the same whether I attempt this via the back panel RS232 port or the programming cable attached to the front panel mic connector. (The usual method as it's always accessible.)

I have not gotten any data via hyperterminal to the RS232 port, either. (19200-N-8-1 settings) Tried other baud rates as well.

The radio also powers up when power is applied. Turning it off via the front panel volume/power switch does not turn it off.

Well, with lost MRU, that means the head and radio are not communicating. The radio is not getting any of the button codes like power off.
Can bus itself is simple, 3 differential lines, like tripple USB. Only one of those lines goes to the controller. bi directional asynchronous.
The other two lines are for digital audio.
All this sounds like you will be taking up JTAGing to fix this.

 

[merlin]

Please describe your connection to that one radio with lost MRU. What model? What configuration? What port are you using?
Hyperterm/putty settings, etc.

I remember that somebody says that the connection is at 19200 baud?

In my case, the radio is Motorola XTL5000. This only programms on the one CAN bus on the front of the radio. The MMCU. The other Can connector is to the head.
CAN bus does start out at 19200 baud, but like serial port, shifts to 115200 or greater for data transfer or it would take an hour to program a radio. When I saw the massive amount of data at 119200, that is when I said 'nope, this isn't going to work'.
This is the radio that goes dead when the speed shifts.
The M7100 does the same thing, but RS232. Initial talk is 9600 then shifts to 115200.
Starting HDT, it stays at 9600 until power cycled.
I get the same thing with a P7100.
CAN bus is a standard adopted by Harris and Motorola alike, just different coding throughout.
One would think after 75 years engineering radio, a product wouldn't go self destruct with no magic port to recover.
With this particular XTL, it means replacing the board. (everything but the aluminum.)
With Harris, radios after the 7200, include a JTAG port to recover a total meltdown of firmware.

 

[BMDaug]

Total honesty: I don't really know anything about the CAN bus except that it's the serial communications method for communicating between the radio and the remote head, if so equipped, and that the CAN bus needs termination plugs on it.

I am unable to load or read the LOST MRU radio, as RPM reports that it's not in programming mode. It's the same whether I attempt this via the back panel RS232 port or the programming cable attached to the front panel mic connector. (The usual method as it's always accessible.)

I have not gotten any data via hyperterminal to the RS232 port, either. (19200-N-8-1 settings) Tried other baud rates as well.

The radio also powers up when power is applied. Turning it off via the front panel volume/power switch does not turn it off.

I don’t know anything about Harris’ implementation, but tons of industrial equipment and commercial vehicles use it for control. It’s a 50r balanced data stream, hence the termination requirement.

Ya, you would have to sniff it with a working radio and just dump it all to see how the radio interfaces with the head. You probably couldn’t just use hyperterminal… you would need a logic analyses like this: https://nci-usa.com/

The way I like to think of it is that canbus is like an alphabet. Many languages may be derived from that alphabet. I’ve worked with it on custom wiring harnesses before where the whole harness uses canbus to connect the dash panel and switches to the power distro panels, which provide fet controlled switching. It’s really cool stuff!

-B

 

[merlin]

I don’t know anything about Harris’ implementation, but tons of industrial equipment and commercial vehicles use it for control. It’s a 50r balanced data stream, hence the termination requirement.

Ya, you would have to sniff it with a working radio and just dump it all to see how the radio interfaces with the head. You probably couldn’t just use hyperterminal… you would need a logic analyses like this: https://nci-usa.com/

The way I like to think of it is that canbus is like an alphabet. Many languages may be derived from that alphabet. I’ve worked with it on custom wiring harnesses before where the whole harness uses canbus to connect the dash panel and switches to the power distro panels, which provide fet controlled switching. It’s really cool stuff!

-B

I have heard of people using auto ECU tools for sniffing can bus, just one of the many uses that founded can bus.

 

[BMDaug]

I have heard of people using auto ECU tools for sniffing can bus, just one of the many uses that founded can bus.

Totally! You could just take the termination off of one end and connect an analyzer that has termination built in. I have the part numbers for the can connectors and make my own to length whenever I do an install.

Also, I take it that the VA menu idea with the ‘format flash drive’ didn’t work for anyone? It definitely does wipe the personality along with the VA audio files, but it may be different on an OMAP.

-B

 

[merlin]

The problem with that VA menu, like ElroyJetson's is the radio does not recognize commands from RPM.
That really shows what there is for firmware is corrupt.
Couple years back, a person had a P7200 that was bricked. Looking at schematics and board layout, It had a JTAG port.
Adding a headder and using JKEYS, we finally got a good firmware loaded and would program with RPM.
A hunch tells mee this will be the same.
Remember we are working with embedded control here.

 

[ElroyJetson]

Merlin, if you are willing to try to bring my M7300 back to life by interfacing with the on-board JTAG interface, and I'm SURE there is one, I'd be glad to pay you for your time. ( Within reason.) And if it doesn't work out, you can play with my radio for free. You have nothing to lose, we both have something to gain.

 

[rjschilder]

Sorry, I'll be 100% honest when I write this...I didn't read every response here.

Sorry if this was asked. Did you try to putty/ teraterm with a null modem cable to the MRU? 19200bps or it won't work. If you can 'atz-1' into burnapp then you can probably restore the radio. If not, it's a brick. This is how I'd recover a radio bricked during programming.

 

[merlin]

Sorry, I'll be 100% honest when I write this...I didn't read every response here.

Sorry if this was asked. Did you try to putty/ teraterm with a null modem cable to the MRU? 19200bps or it won't work. If you can 'atz-1' into burnapp then you can probably restore the radio. If not, it's a brick. This is how I'd recover a radio bricked during programming.

There are only very few cases where this has been successful. It depends on how much of the firmware still works.
With 'atz-1' burnapp has to run, it doesn't always.
No null modem, the brick acts just like a modem.

 

[merlin]

Merlin, if you are willing to try to bring my M7300 back to life by interfacing with the on-board JTAG interface, and I'm SURE there is one, I'd be glad to pay you for your time. ( Within reason.) And if it doesn't work out, you can play with my radio for free. You have nothing to lose, we both have something to gain.

I would need the full setup, brick, accessories head, and CAN cable so shipping would run about $30.
My pay would be the experience of hands on with this radio. I don't have anything M7300.
If the radio is permanently bricked, I can offer to buy it from you as an experimental platform.
If successful, you get your working radio back. Sounds fair enough to me.
PM me, we can go over details.
73s

 

[ElroyJetson]

The only catch is that the only CAN cable I have is the one that is installed in my car and currently runs between the remote head and the radio unit which is a working system. I'm not willing to tear the car apart and disable my radio for that.

I'd just buy another CAN cable from the local dealer instead.

This radio in question has an attached control head. It's not a remote mount. But of course that configuration can be changed if you have the right parts.

Got a power cable for this? I may have to buy one of those if not. Or I could ship it in the CS7000 console.

 

[rjschilder]

There are only very few cases where this has been successful. It depends on how much of the firmware still works.
With 'atz-1' burnapp has to run, it doesn't always.
No null modem, the brick acts just like a modem.

I've done it several times on mobiles and portables. If bootapp or burnapp are corrupted, then you can't easily wipe the firmware and reload. If not, boot into burnapp, erase the right code mode and record mode, and reload it. It's not complicated.

 

[rjschilder]

Also if you need to see what code modes your radio currently has, atz-1 to burnapp, then atz99 for a list of modes.

 

[ElroyJetson]

It has crossed my mind that I can just get another radio unit off of ebay for under 50 bucks. But who knows what feature set will be in it? Some listings show that information, others don't.

For my CURRENT needs, any of them might do the job. But the one I'm trying to recover has a very GOOD feature set in it. Or at least I think it does. It's been so long I'm not sure anymore.

But then again, I think it IS an M5300 which means no Phase II trunking permitted. Unless option 30 got deleted from its option list...

It'd be cool if someone reverse engineered the fimware enough to break the feature encryption system....and write an app that figures out what your new string would be if you added certain features to your list.

 

[merlin]

It has crossed my mind that I can just get another radio unit off of ebay for under 50 bucks. But who knows what feature set will be in it? Some listings show that information, others don't.

For my CURRENT needs, any of them might do the job. But the one I'm trying to recover has a very GOOD feature set in it. Or at least I think it does. It's been so long I'm not sure anymore.

But then again, I think it IS an M5300 which means no Phase II trunking permitted. Unless option 30 got deleted from its option list...

It'd be cool if someone reverse engineered the fimware enough to break the feature encryption system....and write an app that figures out what your new string would be if you added certain features to your list.

There is no phase II with either of these (?) and the limit of the 5300 is 800 Mhz.
Your last statement has been a work in progress for a couple years now