Difference between revisions of "Kenwood TH-D74A"

From RECESSIM, A Reverse Engineering Community
Jump to navigation Jump to search
Line 42: Line 42:
 
</gallery><br />
 
</gallery><br />
  
 +
== Reverse Engineering Efforts ==
 +
[[File:Kenwood TH-D74 and JTAGulator.jpg|none|thumb|Kenwood TH-D74 connected to JTAGulator]]
 +
 +
=== High level goals ===
 +
 +
* Obtain a copy of the firmware for analysis/modification
 +
* Understand how the radio works and what test ports are available internally
 +
 +
==== Obtaining firmware ====
 +
 +
* Determine routes of attack
 +
** JTAG Port
 +
** Serial Port
 +
** Hardware attack - Remove Flash Memory and read directly (possibly encrypted)
 +
 +
Initially the radio was opened and wires were soldered to test points and a port of interest as seen in the video below.
 +
<br />
 +
 +
==== Understand how the radio works ====
 +
<br />
 
==Datasheets==
 
==Datasheets==
 
[[:File:Kenwood TH-D74A Datasheet - IC-701 - DRAM.pdf|Kenwood TH-D74A Datasheet - IC-701 - DRAM]]
 
[[:File:Kenwood TH-D74A Datasheet - IC-701 - DRAM.pdf|Kenwood TH-D74A Datasheet - IC-701 - DRAM]]

Revision as of 23:11, 7 June 2020

Fully Assembled Kenwood TH-D74A

Teardown Video

6 minute video @ 3x playback speed showing full disassembly of the radio with commentary, full length video with no audio here.

Teardown PCB Pictures

Modules and Interconnects


Mechanical Pictures


Reverse Engineering Efforts

Kenwood TH-D74 connected to JTAGulator

High level goals

  • Obtain a copy of the firmware for analysis/modification
  • Understand how the radio works and what test ports are available internally

Obtaining firmware

  • Determine routes of attack
    • JTAG Port
    • Serial Port
    • Hardware attack - Remove Flash Memory and read directly (possibly encrypted)

Initially the radio was opened and wires were soldered to test points and a port of interest as seen in the video below.

Understand how the radio works


Datasheets

Kenwood TH-D74A Datasheet - IC-701 - DRAM

Kenwood TH-D74A Datasheet - IC-702 - omap-l138

Kenwood TH-D74A Datasheet - IC-705 - FLASH MEMORY

IC-707 - Not exact match but same family - WM8940