Difference between revisions of "Kenwood TH-D74A"
Revision as of 02:27, 8 June 2020
Teardown Video
A 6-minute video at 3x playback speed showing the full disassembly of the radio with commentary; the full-length video with no audio is here.
Teardown PCB Pictures
Modules and Interconnects
Mechanical Pictures
Reverse Engineering Efforts
High level goals
- Obtain a copy of the firmware for analysis/modification
- Understand how the radio works and what test ports are available internally
Obtaining firmware
- Determine routes of attack
- JTAG Port
- Serial Port
- Hardware attack - Remove Flash Memory and read directly (possibly encrypted)
Initially the radio was opened and wires were soldered to some test points and to an interesting PCB footprint that I suspected was JTAG, as seen in the video below.
There is also a serial port labeled SCTX and SCRX. Both of these lines appear to be transmit-only from the top CPU board down to the bottom transceiver board. As the radio is tuned from one frequency to another the SCRX line shows a lot of activity, and when the transmitter is keyed up the SCTX line shows activity. Here is a sample of what is seen on the SCRX line.
| SCRX |
|---|
| J0000 |
| K0000 |
| G0283 |
| `0 |
| G1283 |
| B06EE14 |
| B0A03CE |
| B0C0028 |
| B11E960 |
| B180000 |
| B140000 |
| B1C2812 |
| B200018 |
| B280A68 |
| G;7:3 |
| K1900 |
| a7:6 |
| B1C2C12 |
| B140000 |
| B1C2812 |
| B200018 |
| B280A68 |
| F41 |
| J01 |
| G;7:3 |
| `0 |
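A first pass over a capture like the one above is to look for structure before guessing at meaning: which leading characters occur, whether the rest of each line is consistently hex, whether payload lengths are fixed per leading character, and whether any sequence of frames repeats. The script below is an added example, not part of the original page; it embeds the SCRX sample listed above, and the split into a one-character "opcode" followed by a "payload" is an assumption of the example, not something the page establishes.

```python
"""Tokenize and summarize the SCRX capture from the TH-D74A teardown page."""
from collections import Counter

# The SCRX sample as listed on the page, one frame per line.
SCRX_CAPTURE = """\
J0000
K0000
G0283
`0
G1283
B06EE14
B0A03CE
B0C0028
B11E960
B180000
B140000
B1C2812
B200018
B280A68
G;7:3
K1900
a7:6
B1C2C12
B140000
B1C2812
B200018
B280A68
F41
J01
G;7:3
`0
"""

HEX_DIGITS = set("0123456789ABCDEFabcdef")


def parse_frames(text):
    """Split the capture into (opcode, payload) pairs.

    Assumption (not stated on the page): the first character of each line is a
    command byte and the remaining characters are its payload.
    """
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            frames.append((line[0], line[1:]))
    return frames


def payload_is_hex(payload):
    """True when every payload character is a hex digit (e.g. G;7:3 is not)."""
    return bool(payload) and all(c in HEX_DIGITS for c in payload)


def opcode_summary(frames):
    """Count frames per opcode and list opcodes seen with a non-hex payload."""
    counts = Counter(op for op, _ in frames)
    non_hex = sorted({op for op, pl in frames if not payload_is_hex(pl)})
    return counts, non_hex


def payload_lengths(frames):
    """Map each opcode to the set of payload lengths observed for it."""
    lengths = {}
    for op, pl in frames:
        lengths.setdefault(op, set()).add(len(pl))
    return lengths


def repeated_runs(frames, min_len=3):
    """Return the longest run of consecutive frames that occurs twice, plus
    the two start indices; ([], []) when no run of min_len or more repeats."""
    seq = [op + pl for op, pl in frames]
    for n in range(len(seq), min_len - 1, -1):
        seen = {}
        for i in range(len(seq) - n + 1):
            window = tuple(seq[i:i + n])
            if window in seen:
                return list(window), [seen[window], i]
            seen[window] = i
    return [], []


if __name__ == "__main__":
    fr = parse_frames(SCRX_CAPTURE)
    counts, non_hex = opcode_summary(fr)
    print("frames:", len(fr))
    print("per opcode:", dict(counts))
    print("opcodes with non-hex payloads:", non_hex)
    print("payload lengths:", payload_lengths(fr))
    run, where = repeated_runs(fr)
    print("repeated run:", run, "at", where)
```

On this sample the B frames all carry exactly six hex characters while G and a frames contain `;` and `:`, which suggests at least two different encodings share the line; and the four-frame sequence B140000, B1C2812, B200018, B280A68 is sent twice, once in the initial burst and again after the K1900/a7:6 frames. Neither observation tells you what the fields mean, but both are the kind of structure to correlate against radio actions (tuning, keying up) on the next capture.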
Understand how the radio works
Datasheets
Kenwood TH-D74A Datasheet - IC-701 - DRAM
Kenwood TH-D74A Datasheet - IC-702 - omap-l138