
Re: Code plug Rx and Tx frequencies cracked

 

@ Dennis,
That's some nice detective work. Might not be far from generating some "roll your own" DPL codes.
Might be some ANDing or masking going on as well.
Without Excel's "proper" alignment, I don't think I would have ever seen that in the PL data I was dissecting.

Yeah, today's variable fonts/display formats rarely play nice with the "alignment by column" human vision wants to see when comparing information.

@ Skip,

Yeah, I've got a secret compartment under the Flux Capacitor where I keep that stuff....


Re: Code plug Rx and Tx frequencies cracked

 

Great work. I spent last evening going back over and re-familiarizing myself with the synth driver code. I'm becoming more and more persuaded that with discoveries like yours and the ability to drive the synth as well as the ability to talk over the SB line we could very well end up ripping out the entire uP, placing a hybrid carrier in place with a modern uP/CPU and away we go. Same goes for a control head potentially.


On Thu, Sep 1, 2022 at 2:11 AM Dennis Boone <drb@...> wrote:
I spent most of today's X9000 hacking staring at DPL. I think I've
found part of the pattern. 'Scusing the crappy formatting, here are
several DPL codes, their bit patterns, the two byte hex value generated
by RSS, and the bit pattern for that.

dpl 000000023 dpls 000010011 rss f864 rsss 1111100001100100
dpl 000000025 dpls 000010101 rss fc54 rsss 1111110001010100
dpl 000000026 dpls 000010110 rss f434 rsss 1111010000110100
dpl 000000031 dpls 000011001 rss fc4c rsss 1111110001001100
dpl 000000116 dpls 001001110 rss f039 rsss 1111000000111001
dpl 000000125 dpls 001010101 rss f855 rsss 1111100001010101
dpl 000000131 dpls 001011001 rss f84d rsss 1111100001001101
dpl 000000244 dpls 010100100 rss e912 rsss 1110100100010010
dpl 000000245 dpls 010100101 rss fd52 rsss 1111110101010010
dpl 000000251 dpls 010101001 rss fd4a rsss 1111110101001010
dpl 000000411 dpls 100001001 rss ecc8 rsss 1110110011001000
dpl 000000412 dpls 100001010 rss e4a8 rsss 1110010010101000
dpl 000000413 dpls 100001011 rss f0e8 rsss 1111000011101000
dpl 000000734 dpls 111011100 rss e99d rsss 1110100110011101
dpl 000000743 dpls 111100011 rss f5e3 rsss 1111010111100011
dpl 000000754 dpls 111101100 rss fd9b rsss 1111110110011011

The full bit pattern sent by the transmitter, read left to right,
consists of 11 Golay parity bits (p10-p0), then the '100' (4) that's
part of every DPL code (c2-c0), then the nine bits that represent the
part of the DPL code that is typically listed in the table (d8-d0). But
all of this is sent LSB (d0) first, i.e. for the code '023', the first
bits sent are '110010000' -- the reverse of the dpls column entry shown
above for 023. Mike has some nice diagrams of the bit layout on the DPL
page at onfreq. This is the full word for 023:

    11101100011-100-000/010/011

Number the bits of rsss from b0 at the low order end to b15 at the high
end. If you compare d0-d6 (i.e. reversed) of dpls for each code above
to b6-b0 (i.e. not reversed) of rsss, you'll see they match. Then d7-d8
of dpls to b8-b7 of rsss again match.

That leaves b15-b9 of rsss to explain. Skip thinks there are a couple
of flags in there. In the X, the top three Golay parity bits are part
of the code plug, so something like that could be going on here.

De






Re: Code plug Rx and Tx frequencies cracked

 

Thanks Stan, I'll give it a try. It must be 20 years since I last heard the term TSR ... wow, memories.

73's Skip WB6YMH


Re: Code plug Rx and Tx frequencies cracked

 

I spent most of today's X9000 hacking staring at DPL. I think I've
found part of the pattern. 'Scusing the crappy formatting, here are
several DPL codes, their bit patterns, the two byte hex value generated
by RSS, and the bit pattern for that.

dpl 000000023 dpls 000010011 rss f864 rsss 1111100001100100
dpl 000000025 dpls 000010101 rss fc54 rsss 1111110001010100
dpl 000000026 dpls 000010110 rss f434 rsss 1111010000110100
dpl 000000031 dpls 000011001 rss fc4c rsss 1111110001001100
dpl 000000116 dpls 001001110 rss f039 rsss 1111000000111001
dpl 000000125 dpls 001010101 rss f855 rsss 1111100001010101
dpl 000000131 dpls 001011001 rss f84d rsss 1111100001001101
dpl 000000244 dpls 010100100 rss e912 rsss 1110100100010010
dpl 000000245 dpls 010100101 rss fd52 rsss 1111110101010010
dpl 000000251 dpls 010101001 rss fd4a rsss 1111110101001010
dpl 000000411 dpls 100001001 rss ecc8 rsss 1110110011001000
dpl 000000412 dpls 100001010 rss e4a8 rsss 1110010010101000
dpl 000000413 dpls 100001011 rss f0e8 rsss 1111000011101000
dpl 000000734 dpls 111011100 rss e99d rsss 1110100110011101
dpl 000000743 dpls 111100011 rss f5e3 rsss 1111010111100011
dpl 000000754 dpls 111101100 rss fd9b rsss 1111110110011011

The full bit pattern sent by the transmitter, read left to right,
consists of 11 Golay parity bits (p10-p0), then the '100' (4) that's
part of every DPL code (c2-c0), then the nine bits that represent the
part of the DPL code that is typically listed in the table (d8-d0). But
all of this is sent LSB (d0) first, i.e. for the code '023', the first
bits sent are '110010000' -- the reverse of the dpls column entry shown
above for 023. Mike has some nice diagrams of the bit layout on the DPL
page at onfreq. This is the full word for 023:

11101100011-100-000/010/011

Number the bits of rsss from b0 at the low order end to b15 at the high
end. If you compare d0-d6 (i.e. reversed) of dpls for each code above
to b6-b0 (i.e. not reversed) of rsss, you'll see they match. Then d7-d8
of dpls to b8-b7 of rsss again match.

That leaves b15-b9 of rsss to explain. Skip thinks there are a couple
of flags in there. In the X, the top three Golay parity bits are part
of the code plug, so something like that could be going on here.

De
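
Added example, not part of Dennis's post or of any project code: a Python check of the mapping he describes (d0-d6 reversed into b6-b0, d7-d8 into b8-b7) against the sixteen rows of his table, which also lists the b15-b9 bits that remain unexplained. The function names are this example's own.

```python
# (DPL code in octal, RSS word in hex) pairs copied from the table in the post.
TABLE = [
    ("023", 0xF864), ("025", 0xFC54), ("026", 0xF434), ("031", 0xFC4C),
    ("116", 0xF039), ("125", 0xF855), ("131", 0xF84D), ("244", 0xE912),
    ("245", 0xFD52), ("251", 0xFD4A), ("411", 0xECC8), ("412", 0xE4A8),
    ("413", 0xF0E8), ("734", 0xE99D), ("743", 0xF5E3), ("754", 0xFD9B),
]


def reverse_bits(value: int, width: int) -> int:
    """Return `value` with its low `width` bits in reverse order."""
    out = 0
    for _ in range(width):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out


def dpl_to_low9(code: str) -> int:
    """Map a 3-digit octal DPL code to bits b8-b0 of the RSS word."""
    d = int(code, 8)
    if not 0 <= d <= 0x1FF:
        raise ValueError("DPL code must be three octal digits")
    low = reverse_bits(d & 0x7F, 7)   # d0..d6 land in b6..b0
    high = reverse_bits(d >> 7, 2)    # d7 lands in b8, d8 in b7
    return (high << 7) | low


def low9_to_dpl(word: int) -> str:
    """Inverse mapping: recover the octal DPL code from an RSS word."""
    low = reverse_bits(word & 0x7F, 7)
    high = reverse_bits((word >> 7) & 0x3, 2)
    return format((high << 7) | low, "03o")


def check_table():
    """Return (mismatching codes, {code: b15-b9 as a 7-bit string})."""
    mismatches = [c for c, w in TABLE if dpl_to_low9(c) != (w & 0x1FF)]
    residue = {c: format(w >> 9, "07b") for c, w in TABLE}
    return mismatches, residue


if __name__ == "__main__":
    bad, residue = check_table()
    print("rows that break the mapping:", bad)
    for code, bits in residue.items():
        print(code, "b15-b9 =", bits)
```
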


Re: Code plug Rx and Tx frequencies cracked

 

Don't go to a lot of trouble. I can generate .RDT files as well.
Just if you had some lying around I'll parse them just to throw some
variety at my dumper.

73's Skip WB6YMH


On Wed, Aug 31, 2022 at 6:08 PM swguest via groups.io
<swguest@...> wrote:

@ Skip,
Are you still in need of .rdt files? I don't have anything built that's useful. I can build you whatever you need modes, band, PLs/MPLs etc.
Not all .RDTs are interchangeable across different versions of RSS. I have V6.0.0 and I think I have the HAM version of V6 also.

I ran a "print/report" and was looking it over. There is a lot of irrelevant info in it.
If you need one you made "parsed out" to the essentials I can import it to Excel, parse it, and post it back. Let me work on it a bit and I should be able to add freq to bytes to the parsed data as well.


Re: Code plug Rx and Tx frequencies cracked

 

@ Skip,
Are you still in need of .rdt files? I don't have anything built that's useful. I can build you whatever you need modes, band, PLs/MPLs etc.
Not all .RDTs are interchangeable across different versions of RSS. I have V6.0.0 and I think I have the HAM version of V6 also.

I ran a "print/report" and was looking it over. There is a lot of irrelevant info in it.
If you need one you made "parsed out" to the essentials I can import it to Excel, parse it, and post it back. Let me work on it a bit and I should be able to add freq to bytes to the parsed data as well.


Re: Code plug Rx and Tx frequencies cracked

 

> I could use any .RDT files anyone would like to share to test my CP
> dumper utility and our understanding of the CP format. Ideally I'd
> like a "printout" from RSS showing the values as well, but it appears
> the RSS only prints to an actual printer?

I have some binary images of ROMs, but no good way to turn them into
.RDT files now. Need to get to the point I could have RSS read those
radios.

De


Re: Code plug Rx and Tx frequencies cracked

 

Skip,

I think I've got a deal for you.
This should work.
It's a TSR that redirects LPT1 to a file.
Run it at the command line/prompt as "prn2file c:\foo.txt"
before you run the RSS.

I have had to run it twice sometimes to get the last mode or few modes to go to the report. Something probably times out.

It does concoct/append the reports so if you want to preserve a given dump you'll have to change foo.txt to foo1.txt, foo2.txt or whatever before you "print" again.

Let me know how it works out.


Re: Code plug Rx and Tx frequencies cracked

 

Yes some form of text dump of the .RDT files so I can verify if I'm
dumping the correct values.

Currently I'm running version 6.00.00 under Dosbox on Linux. The
output menu offers a printOut option, but it's just that and expects a
printer.

I haven't tried any later versions do they offer saving a .TXT file
output option by chance?

73's Skip WB6YMH

On Wed, Aug 31, 2022 at 3:03 PM swguest via groups.io
<swguest@...> wrote:

@Skip,

1 - Are you looking for something like the report that comes in the cover of an X/X9000?
2 - What method/means/platform are you operating the RSS


Re: Code plug Rx and Tx frequencies cracked

 

@Skip,

1 - Are you looking for something like the report that comes in the cover of an X/X9000?
2 - What method/means/platform are you operating the RSS


Re: Code plug Rx and Tx frequencies cracked

 

I could use any .RDT files anyone would like to share to test my CP dumper utility and our understanding of the CP format. Ideally I'd like a "printout" from RSS showing the values as well, but it appears the RSS only prints to an actual printer?

73's Skip WB6YMH


Re: Code plug Rx and Tx frequencies cracked

 

I don't have any MDC option boards so I've never really looked at the menu, much less tried to configure anything.
I can't say if the codeplugs I did see these "random" bytes above 1FFFh were sporting any MDC settings or not.
It sounds like a viable means to transport temp data to the uC to configure accessories/options that need not reside in the codeplug proper.
That discovery also means for any configuration that requires data be transported to the uC via space above 1FFFh will require the emulated codeplug to also be full size (>8k) to accommodate the feature, at least for the initial write to the radio.
Presumably the accessory/option retains that info/configuration on re-boot?
Another twist in the Saga that is X9000.......


Re: Code plug Rx and Tx frequencies cracked

 

Yes, Using your R8.01 in a cmd window would be ideal.
I keep a 32b XP box handy to handle the stuff that won't run on the later 64b platforms.

The only part that's kind of a hassle is to find where the codeplug data is in RAM.
HxD 1.7.7.0 has an "Open RAM" option under the Extras tab. This opens a dropdown of the apps running/using RAM.
When I launch R8.01 in XP, the app name in the dropdown is ntvdm.exe.

The space allocated for the RSS is not always in the same place so you have to do a search for a string of hex values.
Pick a set of bytes you know are in the codeplug (I use E5 04 00; it is in every mode before it is modified). Searches over 3 bytes long seem to take a long time. When a re-occurring pattern is found, back up about 265 bytes or so from the 1st occurrence of that pattern and you should see the beginning of the codeplug....00 0F FF for a 2k or 00 1F FF for an 8k codeplug.
After that, the rest is pretty straightforward. Edit the hex data and save, then go look at the RSS for the changes or edit a parameter in RSS then go look in the RAM display for the changes.
Both will need an action to force its respective program to refresh the changed data. The RSS does not calc/store to RAM the checksum until you select the output menu page.

I open a new "dummy tab" in the editor so I can toggle back and forth to make HxD refresh its display of the RAM contents after each change.

Give it a try. It starts out a bit bumpy, but can be a time/aggravation saver in the long run.
It works with DOSBox too, but same deal.
The effort is in searching the RAM for where the program is storing the codeplug.
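
Added example, not part of the post above: the same search carried out in Python on a saved memory dump instead of interactively in HxD. The 300-byte look-back window, the function names and the sample dump are assumptions of this example; the marker and header bytes are the ones given in the post.

```python
MODE_MARKER = bytes.fromhex("E50400")   # bytes the post says appear in every mode
HEADERS = {bytes.fromhex("000FFF"): "2k", bytes.fromhex("001FFF"): "8k"}


def locate_codeplug(dump: bytes, lookback: int = 300):
    """Return (offset, size_label, marker_count), or None if nothing is found.

    Finds the first marker, requires that it recurs, then searches backwards
    inside `lookback` bytes (assumed window) for the nearest codeplug header.
    """
    first = dump.find(MODE_MARKER)
    if first < 0:
        return None
    count = dump.count(MODE_MARKER)
    if count < 2:                        # a single hit is not a recurring pattern
        return None
    window_start = max(0, first - lookback)
    window = dump[window_start:first]
    best = None
    for header, label in HEADERS.items():
        pos = window.rfind(header)       # nearest header before the marker
        if pos >= 0 and (best is None or pos > best[0]):
            best = (pos, label)
    if best is None:
        return None
    return window_start + best[0], best[1], count


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory image (not real radio data)."""
    filler = b"\xAA" * 1000
    header = bytes.fromhex("001FFF")
    preamble = b"\x55" * 262                   # header + 262 bytes = 265 before marker
    modes = (MODE_MARKER + b"\x11" * 13) * 4   # four hypothetical 16-byte mode records
    return filler + header + preamble + modes + filler


if __name__ == "__main__":
    found = locate_codeplug(build_sample_dump())
    print("codeplug header at offset, size, marker hits:", found)
```
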



Re: Code plug Rx and Tx frequencies cracked

 

> Yeah, I'm not sure if it's sloppy DOS, sloppy RSS or memory leak but
> I've seen it several times as well. If I were betting, my money would
> be on PC memory leak.

This is not sloppy or leaky behavior.

The code plug for the radio proper starts at 0x01 in the .RDT file. But
there are other configurations stored in this file that need to be
written into devices on the bus at programming time. The control head
has a separate file, but in playing with MDC stuff last night it became
clear that stuff past the end of the radio code plug proper must be for
e.g. the MDC-600 or MDC-1200 option boards. For MDC-600, most of the
setup seems to be in the radio code plug, but for MDC-1200, I have yet
to find _anything_ it stores there. Instead it's all down around 2053
to 20B5. I'm guessing that during programming, RSS probably spends a
little time talking to the option board to write this stuff, in a
separate (set of) transactions from the one(s) used to write to the
radio proper. Note that the MDC option boards may be under the shield
on the P-board, or in the external options chassis.

De


Re: Code plug Rx and Tx frequencies cracked

 

I would give it a go.


Re: Code plug Rx and Tx frequencies cracked

 

On Wed, Aug 31, 2022 at 10:33 AM, Dennis Boone wrote:
I want to change something in RSS and see what all changes in the
code plug, not the other way around.
Yes it will do that. You change a setting in the codeplug in RSS and the RAM that the RSS is using is updated to those changes.
You do have to toggle the tab to make the editor refresh the RAM but yes it works that way.
It also works the other way. Change and save the change in RAM and the RSS will show the altered parameter. Same thing though, you have to move somewhere in the menu then come back to see the updated parameter.
Yes HxD is an X32/64 application so it's all a moot point if you are not running any of your test on a Windoze platform.


Re: Code plug Rx and Tx frequencies cracked

 

> Is that something you'd be interested in trying out?
HxD is windoze only, so I'm afraid it isn't of much use to me. In any
event, I want to change something in RSS and see what all changes in the
code plug, not the other way around.

De


Re: Code plug Rx and Tx frequencies cracked

 

On Wed, Aug 31, 2022 at 09:50 AM, Dennis Boone wrote:
and the impediments are the bat$#!& insane user
interface design decisions that we can't fix.
Copy that...lol

Yeah I like 8.01 too. Streamlined menus, has some CH alphatag support and plays nice under Windoze.
Anyway, I've got an old, reliable, but limited copy of Hexworkshop 5 that I use for nearly all hex related stuff.
The CS algos don't support the method used by the RSS. A version (V3?) of 010 editor does but is a bit harder to use, to me anyway.
While looking for how to program my range 2 XPR's below 450 MHz, I came across a method that edits the codeplug in memory via HxD editor.
I applied the same method to 8.01 and RDprog v6 in a dosbox and it works.
The advantage is that you see "real time" changes w/o having to save/re-open in your hex editor to view the changes.

Is that something you'd be interested in trying out?


Re: Code plug Rx and Tx frequencies cracked

 

> What RSS and method are you using to build evaluate codeplug changes?
> I've come up with a means that shortcuts some of the steps.

I'm just using 8.01. Change, save, diff the before and after RDT files.
It's reasonably quick, and the impediments are the bat$#!& insane user
interface design decisions that we can't fix.

De


Re: Code plug Rx and Tx frequencies cracked

 

Dennis,
What RSS and method are you using to build evaluate codeplug changes?
I've come up with a means that shortcuts some of the steps.