# Baofeng BF-T1 comm logics, by Pavel CO7WT #

All comms are 9600 8N1.

## Magic to put radio on program mode ##

TX > "\x05\x50\x52\x4f\x47\x52\x41\x4d" => ".PROGRAM"
RX < "\x06" {ACK}

## ID Query ##

TX > "\x02" {IDQ}
RX < "\x20\x42\x46\x39\x31\x30\x30\x53" => " BF9100S"
TX > "\x06" {ACK}
RX < "\x06" {ACK}

## EEPROM manipulation and flow of the data ##

### Logic of the request ###

The basic structure is 4 bytes:

Byte 0:      "\x52" => "R" {Read request}
             "\x57" => "W" {Write request}
Bytes 1 & 2: Address of the request, from "0x0000" to "0x0170",
             in steps of the byte 3 value (always "\x10" = 16 bytes).
             Memory size is then 368 chunks of 16 bytes;
             total size is 5888 bytes.
Byte 3:      Payload size, "\x10" = 16 bytes at a time.

When writing (byte 0 = "\x57" "W"), the 4-byte header is followed by the 16 bytes of payload.

### Logic of the answer ###

Every request receives an answer like this:

#### Request to read from EEPROM/RADIO ####

20 bytes:
  4 bytes mirroring the request we made
  16 bytes of payload, so far without any encoding, but with a structure visible at a glance.

#### Request to write to EEPROM/RADIO ####

Just one "\x06" {ACK} byte per request.

## Radio comm closing ##

Just write "\x62" => "b", then close the serial port.

## Interesting facts ##

* The memory space transferred from/to the radio appears to be only 384 bytes (0x180).
* So far there is no easy fingerprint except the file size.
* There is a big chance of a bigger memory space than that; the OEM software may just be reading what it needs.
* Baofeng radios answer with an ID that is stored in a write-protected but readable higher memory space (90% chance here). If I'm right, the " BF9100S" string must be present in the higher memory space.
* If there is a bigger memory space we need to hack into it with a radio at hand.
* There is no obvious place for the FM frequency in use yet, which reinforces the last two statements.
* The file saved by the OEM software **IS NOT an EEPROM image**; it's a kind of CSV text file.
* Settings and details will be difficult and slow to work out without a radio at hand to test, as with the BTECHs at the moment.
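The whole session described above (program-mode magic, ID query, 16-byte read/write requests with their answers, and the "b" close), as an added example that is not part of these notes or of any radio driver. It frames requests exactly as the notes describe and checks every answer before trusting it: a read answer must be exactly 20 bytes and its first 4 bytes must mirror the request, a write must come back with a single ACK, and addresses outside 0x0000..0x0170 or not 16-byte aligned are refused before anything is sent. Everything else is an assumption made for the example: the `FakeRadio` class standing in for a serial port with a 384-byte (0x180) radio behind it, the big-endian order of the two address bytes (the notes do not state the byte order), and the `read(n)`/`write(data)` port interface, which matches what a pyserial `serial.Serial` object would expose at 9600 8N1.

```python
# Added example, not from the notes or any radio driver. Frames and checks the
# BF-T1 exchanges described above against a constructed in-memory radio.
import struct

PROGRAM_MAGIC = b"\x05PROGRAM"   # "\x05\x50\x52\x4f\x47\x52\x41\x4d"
ACK = b"\x06"
IDQ = b"\x02"
CLOSE = b"b"                     # "\x62"
BLOCK = 0x10                     # every request moves 16 bytes (byte 3)
LAST_ADDR = 0x0170               # highest address named in the notes
MEM_SIZE = LAST_ADDR + BLOCK     # 0x180 = 384 bytes actually transferred


class FakeRadio:
    """Constructed stand-in for the serial port plus radio (assumption)."""

    def __init__(self, image=None):
        self.mem = bytearray(image or bytes(MEM_SIZE))
        self.inbuf = bytearray()    # host -> radio bytes not yet consumed
        self.outbuf = bytearray()   # radio -> host bytes not yet read
        self.programming = False

    def write(self, data):
        self.inbuf += data
        self._process()

    def read(self, n):
        out, self.outbuf = self.outbuf[:n], self.outbuf[n:]
        return bytes(out)

    def _process(self):
        # Answer every complete frame sitting in the host->radio buffer.
        while self.inbuf:
            if self.inbuf.startswith(PROGRAM_MAGIC):
                del self.inbuf[:len(PROGRAM_MAGIC)]
                self.programming = True
                self.outbuf += ACK
            elif self.inbuf[:1] == IDQ:
                del self.inbuf[:1]
                self.outbuf += b" BF9100S"
            elif self.inbuf[:1] == ACK:
                del self.inbuf[:1]
                self.outbuf += ACK
            elif self.inbuf[:1] == b"R" and len(self.inbuf) >= 4:
                hdr = bytes(self.inbuf[:4]); del self.inbuf[:4]
                addr = struct.unpack(">H", hdr[1:3])[0]   # assumed big-endian
                self.outbuf += hdr + self.mem[addr:addr + BLOCK]  # 4 + 16 bytes
            elif self.inbuf[:1] == b"W" and len(self.inbuf) >= 4 + BLOCK:
                hdr = bytes(self.inbuf[:4]); del self.inbuf[:4]
                addr = struct.unpack(">H", hdr[1:3])[0]
                self.mem[addr:addr + BLOCK] = self.inbuf[:BLOCK]
                del self.inbuf[:BLOCK]
                self.outbuf += ACK
            elif self.inbuf[:1] == CLOSE:
                del self.inbuf[:1]
                self.programming = False
            else:
                break   # incomplete frame, wait for more bytes


def enter_program_mode(port):
    port.write(PROGRAM_MAGIC)
    if port.read(1) != ACK:
        raise IOError("radio did not ACK program mode")


def query_id(port):
    port.write(IDQ)
    ident = port.read(8)            # e.g. " BF9100S"
    port.write(ACK)
    if port.read(1) != ACK:
        raise IOError("radio did not ACK the ID exchange")
    return ident


def _check_addr(addr):
    if addr % BLOCK or not 0 <= addr <= LAST_ADDR:
        raise ValueError("address must be 16-byte aligned and <= 0x%04X" % LAST_ADDR)


def read_block(port, addr):
    _check_addr(addr)
    req = struct.pack(">BHB", ord("R"), addr, BLOCK)
    port.write(req)
    ans = port.read(4 + BLOCK)
    # The answer must be 20 bytes whose first 4 bytes mirror our request.
    if len(ans) != 4 + BLOCK or ans[:4] != req:
        raise IOError("bad read answer at 0x%04X: %r" % (addr, ans))
    return ans[4:]


def write_block(port, addr, payload):
    _check_addr(addr)
    if len(payload) != BLOCK:
        raise ValueError("payload must be exactly %d bytes" % BLOCK)
    port.write(struct.pack(">BHB", ord("W"), addr, BLOCK) + bytes(payload))
    if port.read(1) != ACK:
        raise IOError("radio did not ACK write at 0x%04X" % addr)


def download(port):
    """Read the whole 0x180-byte space the radio is known to transfer."""
    return b"".join(read_block(port, a) for a in range(0, MEM_SIZE, BLOCK))


def close_session(port):
    port.write(CLOSE)   # then the caller closes the serial port


if __name__ == "__main__":
    radio = FakeRadio(bytes(range(256)) + bytes(128))   # constructed image
    enter_program_mode(radio)
    print(query_id(radio), len(download(radio)), "bytes")
    close_session(radio)
```

To talk to real hardware, replace `FakeRadio(...)` with `serial.Serial(port, 9600, timeout=1)` from pyserial; the host-side functions only use `read` and `write`. The refusal of unaligned or out-of-range addresses and the strict check on the 4-byte echo are what keep a flaky link or a misbehaving radio from being mistaken for valid memory contents.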