|
# Baofeng BF-T1 comm logics, by Pavel CO7WT #
|
|
|
|
All coms are 9600 8N1
|
|
|
|
## Magic to put radio on program mode ##
|
|
|
|
TX > "\x05\x50\x52\x4f\x47\x52\x41\x4d" => ".PROGRAM"
|
|
RX < "\x06" {ACK}
|
|
|
|
## ID Query ##
|
|
|
|
TX > "\x02" {IDQ}
|
|
RX < "\x20\x42\x46\x39\x31\x30\x30\x53" => " BF9100S"
|
|
TX > "\x06" {ACK}
|
|
RX < "\x06" {ACK}
|
|
|
|
## EEPROM manipulation and flow of the data ##
|
|
|
|
### Logic of the request ###
|
|
|
|
Basic structure is 4 Bytes:
|
|
|
|
Byte 0:
|
|
"\x52" => "R" {Read request}
|
|
"\x57" => "W" {Write request}
|
|
Bytes 1 & 2:
|
|
Address of the request from "0x0000" to "0x0170"
|
|
In steps of byte 3 position (always "\x10" = 16 bytes)
|
|
Memory size is then 368 chunks of 16 bytes
|
|
Total size is 5888 bytes.
|
|
Byte 3: Payload size "\x10" = 16 bytes at a time
|
|
|
|
When we are writing (Byte 0 = "\x57" "W") we follow with the 16 bytes of the payload.
|
|
|
|
### Logic of the answer ###
|
|
|
|
To any request we receive an answer like this:
|
|
|
|
#### Request to read from EPROM/RADIO ####
|
|
|
|
20 bytes:
|
|
4 bytes mimic of the request we made
|
|
16 bytes of payload, so far with no coding but a structure at a glance.
|
|
|
|
#### Request to Write to EPROM/RADIO ####
|
|
|
|
Just one "\x06" {ACK} byte by each request.
|
|
|
|
## Radio comm closing ##
|
|
|
|
Just write "\x62" => "b" then close the serial port
|
|
|
|
## Interesting facts ##
|
|
|
|
* Mem space transfered from/to the radio appears to be only 384 bytes (0x180)
|
|
* So far there is no easy fingerprint but the filesize.
|
|
* There is a big chance for a bigger mem space than that, the OEM software is just reading what it needs?
|
|
* Baofeng radios answer with a ID that is stored on a protected to write but readable higher memory space (90% chance here) If I'm right the " BF9100S" string must be present on the higher mem space.
|
|
* If there is a bigger mem space we need to hack in there with a radio at hand.
|
|
* There is no obvious place for the FM freq in use, yet; that reinforce the last two statements.
|
|
* File saved from the OEM software **IS NOT an eeprom image**, it's a kind of csv text file.
|
|
* Settings and details will be difficult & slow without a radio at hand to test, like with the BTECHs at the moment.
|
