|
1
|
# Baofeng BF-T1 comm logics, by Pavel CO7WT #
|
|
2
|
|
|
3
|
All coms are 9600 8N1
|
|
4
|
|
|
5
|
## Magic to put radio on program mode ##
|
|
6
|
|
|
7
|
TX > "\x05\x50\x52\x4f\x47\x52\x41\x4d" => ".PROGRAM"
|
|
8
|
RX < "\x06" {ACK}
|
|
9
|
|
|
10
|
## ID Query ##
|
|
11
|
|
|
12
|
TX > "\x02" {IDQ}
|
|
13
|
RX < "\x20\x42\x46\x39\x31\x30\x30\x53" => " BF9100S"
|
|
14
|
TX > "\x06" {ACK}
|
|
15
|
RX < "\x06" {ACK}
|
|
16
|
|
|
17
|
## EEPROM manipulation and flow of the data ##
|
|
18
|
|
|
19
|
### Logic of the request ###
|
|
20
|
|
|
21
|
Basic structure is 4 Bytes:
|
|
22
|
|
|
23
|
Byte 0:
|
|
24
|
"\x52" => "R" {Read request}
|
|
25
|
"\x57" => "W" {Write request}
|
|
26
|
Bytes 1 & 2:
|
|
27
|
Address of the request from "0x0000" to "0x0170"
|
|
28
|
In steps of byte 3 position (always "\x10" = 16 bytes)
|
|
29
|
Memory size is then 368 chunks of 16 bytes
|
|
30
|
Total size is 5888 bytes.
|
|
31
|
Byte 3: Payload size "\x10" = 16 bytes at a time
|
|
32
|
|
|
33
|
When we are writing (Byte 0 = "\x57" "W") we follow with the 16 bytes of the payload.
|
|
34
|
|
|
35
|
### Logic of the answer ###
|
|
36
|
|
|
37
|
To any request we receive an answer like this:
|
|
38
|
|
|
39
|
#### Request to read from EPROM/RADIO ####
|
|
40
|
|
|
41
|
20 bytes:
|
|
42
|
4 bytes mimic of the request we made
|
|
43
|
16 bytes of payload, so far with no coding but a structure at a glance.
|
|
44
|
|
|
45
|
#### Request to Write to EPROM/RADIO ####
|
|
46
|
|
|
47
|
Just one "\x06" {ACK} byte by each request.
|
|
48
|
|
|
49
|
## Radio comm closing ##
|
|
50
|
|
|
51
|
Just write "\x62" => "b" then close the serial port
|
|
52
|
|
|
53
|
## Interesting facts ##
|
|
54
|
|
|
55
|
* Mem space transfered from/to the radio appears to be only 384 bytes (0x180)
|
|
56
|
* So far there is no easy fingerprint but the filesize.
|
|
57
|
* There is a big chance for a bigger mem space than that, the OEM software is just reading what it needs?
|
|
58
|
* Baofeng radios answer with a ID that is stored on a protected to write but readable higher memory space (90% chance here) If I'm right the " BF9100S" string must be present on the higher mem space.
|
|
59
|
* If there is a bigger mem space we need to hack in there with a radio at hand.
|
|
60
|
* There is no obvious place for the FM freq in use, yet; that reinforce the last two statements.
|
|
61
|
* File saved from the OEM software **IS NOT an eeprom image**, it's a kind of csv text file.
|
|
62
|
* Settings and details will be difficult & slow without a radio at hand to test, like with the BTECHs at the moment.
|
