Difference between revisions of "Kenwood TH-D74A"

From RECESSIM, A Reverse Engineering Community
Jump to navigation Jump to search
VisualWikitext
Line 42: Line 42:
 
</gallery><br />
 
</gallery><br />
  
== Reverse Engineering Efforts ==
+
==Reverse Engineering Efforts==
 
[[File:Kenwood TH-D74 and JTAGulator.jpg|none|thumb|Kenwood TH-D74 connected to JTAGulator]]
 
[[File:Kenwood TH-D74 and JTAGulator.jpg|none|thumb|Kenwood TH-D74 connected to JTAGulator]]
  
=== High level goals ===
+
===High level goals===
  
* Obtain a copy of the firmware for analysis/modification
+
*Obtain a copy of the firmware for analysis/modification
* Understand how the radio works and what test ports are available internally
+
*Understand how the radio works and what test ports are available internally
  
==== Obtaining firmware ====
+
====Obtaining firmware====
  
* Determine routes of attack
+
*Determine routes of attack
** JTAG Port
+
**JTAG Port
** Serial Port
+
**Serial Port
** Hardware attack - Remove Flash Memory and read directly (possibly encrypted)
+
**Hardware attack - Remove Flash Memory and read directly (possibly encrypted)
  
 
Initially the radio was opened and wires were soldered to test points and a port of interest as seen in the video below.
 
Initially the radio was opened and wires were soldered to test points and a port of interest as seen in the video below.
<br />
+
<br /><nowiki><youtube></youtube></nowiki>
  
==== Understand how the radio works ====
+
====Understand how the radio works====
 
<br />
 
<br />
 
==Datasheets==
 
==Datasheets==

Revision as of 23:23, 7 June 2020

Fully Assembled Kenwood TH-D74A

Teardown Video

6 minute video @ 3x playback speed showing full disassembly of the radio with commentary, full length video with no audio here.

Teardown PCB Pictures

  • Processor Board Top

  • Processor Shield Removed

  • Processor Board Bottom

  • JTAG Pinout

  • Transceiver Board Top

  • Transceiver Board Top Zoom 1

  • Transceiver Board Top Zoom 2

  • Transceiver Board Bottom

  • Transceiver Board Bottom Zoom 1

  • Transceiver Board Bottom Zoom 2

  • FM Radio Module Top

  • FM Radio Module Bottom

Modules and Interconnects

  • LCD Front

  • LCD Back

  • FM Antenna Front

  • FM Antenna Rear

  • Interconnect Top

  • Interconnect Bottom

  • Channel Selector


Mechanical Pictures

  • Front Case Interior

  • Metal Frame Front

  • Metal Frame Back

  • Metal Frame Connector Side

  • Metal Frame Button Side

  • Metal Frame Top

  • Rubber Gaskets

  • Screws and Knobs


Reverse Engineering Efforts

Kenwood TH-D74 connected to JTAGulator

High level goals

  • Obtain a copy of the firmware for analysis/modification
  • Understand how the radio works and what test ports are available internally

Obtaining firmware

  • Determine routes of attack
    • JTAG Port
    • Serial Port
    • Hardware attack - Remove Flash Memory and read directly (possibly encrypted)

Initially the radio was opened and wires were soldered to test points and a port of interest as seen in the video below.
<youtube></youtube>

Understand how the radio works


Datasheets

Kenwood TH-D74A Datasheet - IC-701 - DRAM

Kenwood TH-D74A Datasheet - IC-702 - omap-l138

Kenwood TH-D74A Datasheet - IC-705 - FLASH MEMORY

IC-707 - Not exact match but same family - WM8940

Retrieved from "https://wiki.recessim.com/w/index.php?title=Kenwood_TH-D74A&oldid=489"