Kenwood TH-D74A
Revision as of 03:30, 14 July 2020
Teardown Video
A 6 minute video at 3x playback speed showing full disassembly of the radio with commentary; the full-length video with no audio is linked here.
Teardown PCB Pictures
[Gallery: ... FM Radio Module Bottom]
Port and Test Point Identification
Modules and Interconnects
Mechanical Pictures
[Gallery: ... Rubber Gaskets, Screws and Knobs]
Reverse Engineering Efforts
[Image: Kenwood TH-D74 connected to JTAGulator]
High level goals
- Obtain a copy of the firmware for analysis/modification
- Understand how the radio works and what test ports are available internally
Obtaining firmware
- Determine routes of attack
  - JTAG Port
  - Serial Port
  - Hardware attack - Remove the flash memory and read it directly (contents possibly encrypted)
Initially the radio was opened and wires were soldered to some test points and to an interesting PCB footprint that I suspected was JTAG, as seen in the video below.
The serial port turned out to carry only control data sent from the CPU board to the transceiver board, explained further below. Removing the flash memory is an option, although it is a BGA package, so it is not clear whether wires can be soldered to it so that it can be read out. Furthermore, the OMAP-L138 processor seems to have a few protection mechanisms; encryption of the firmware is one of them, so that route might be useless.
If a donor radio is stripped down to a bare PCB, then perhaps the boot-up config register values, or other hard-coded settings (usually strapped with resistors), can be tweaked to alter the boot procedure and allow further debugging.
Understand how the radio works
There is a serial port labeled SCTX and SCRX (see the Processor Board Bottom picture above); both of these lines appear to be transmit-only, from the top CPU board down to the bottom transceiver board. As the radio is tuned from one frequency to another the SCRX line shows a lot of activity; when the transmitter is keyed up the SCTX line shows activity. Below is a sample of what is seen on the SCRX line. Travis Goodspeed commented to me on Twitter that these commands seemed similar to the Rig Control commands sent from PCs to radios to control them.
| SCRX |
|---|
| J0000 |
| K0000 |
| G0283 |
| `0 |
| G1283 |
| B06EE14 |
| B0A03CE |
| B0C0028 |
| B11E960 |
| B180000 |
| B140000 |
| B1C2812 |
| B200018 |
| B280A68 |
| G;7:3 |
| K1900 |
| a7:6 |
| B1C2C12 |
| B140000 |
| B1C2812 |
| B200018 |
| B280A68 |
| F41 |
| J01 |
| G;7:3 |
| `0 |
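A first step in making sense of a capture like the one above is to tally it by leading character and look for repeated runs. The script below is an added example, not part of the wiki page, and it assumes (which the page does not confirm, it only notes the resemblance to rig-control strings) that the first character of each line selects a command and the remainder is that command's argument. The capture embedded in the script is the SCRX sample transcribed from the table above.

```python
"""Tally captured SCRX lines by leading command character and find repeated runs.

Assumption (not confirmed by the page): the first character of each line is a
command selector and the rest of the line is its argument, in the style of
Kenwood PC rig-control strings.
"""
from collections import defaultdict
import string

# The SCRX capture from the wiki table, one captured line per row.
SCRX_CAPTURE = """\
J0000
K0000
G0283
`0
G1283
B06EE14
B0A03CE
B0C0028
B11E960
B180000
B140000
B1C2812
B200018
B280A68
G;7:3
K1900
a7:6
B1C2C12
B140000
B1C2812
B200018
B280A68
F41
J01
G;7:3
`0
"""

HEX_DIGITS = set(string.hexdigits)


def parse_line(line):
    """Split one captured line into (command character, argument string)."""
    return line[0], line[1:]


def is_hex(arg):
    """True if the argument is non-empty and made only of hex digits."""
    return bool(arg) and all(c in HEX_DIGITS for c in arg)


def summarize(capture):
    """Per command character: how often it appears, which argument lengths
    were seen, whether every argument was pure hex, and the arguments in order.
    Fixed-length all-hex arguments (like the B lines) are the usual sign of a
    register/value write; mixed punctuation (like G;7:3) suggests something else."""
    summary = defaultdict(lambda: {"count": 0, "lengths": set(), "all_hex": True, "args": []})
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, arg = parse_line(line)
        entry = summary[cmd]
        entry["count"] += 1
        entry["lengths"].add(len(arg))
        entry["all_hex"] = entry["all_hex"] and is_hex(arg)
        entry["args"].append(arg)
    return dict(summary)


def repeated_sequences(capture, length):
    """Return {run_of_lines: [start indices]} for every run of `length`
    consecutive lines that occurs more than once. A block that repeats on each
    retune is a good candidate for a fixed programming sequence."""
    lines = [l.strip() for l in capture.splitlines() if l.strip()]
    positions = {}
    for i in range(len(lines) - length + 1):
        positions.setdefault(tuple(lines[i:i + length]), []).append(i)
    return {run: idx for run, idx in positions.items() if len(idx) > 1}


if __name__ == "__main__":
    for cmd, entry in sorted(summarize(SCRX_CAPTURE).items()):
        print(f"{cmd!r}: count={entry['count']} arg_lengths={sorted(entry['lengths'])} "
              f"all_hex={entry['all_hex']}")
    for run, idx in repeated_sequences(SCRX_CAPTURE, 4).items():
        print("repeated run", run, "at", idx)
```

Run as-is it groups the 26 captured lines into seven command characters and reports the four-line block B140000 / B1C2812 / B200018 / B280A68 as the one run that recurs, once in each of the two retune bursts; swapping in a longer capture from the SCTX line works the same way.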
Datasheets
- Kenwood TH-D74A Datasheet - IC-701 - DRAM
- Kenwood TH-D74A Datasheet - IC-702 - omap-l138