Maxon Data Radio

From RECESSIM, A Reverse Engineering Community
Revision as of 00:34, 25 May 2024 by Trevor229 (talk | contribs) (Added EEPROM reverse engineering info, added blank config files zip, reformatting too)

Maxon America Inc. is a radio communications manufacturer headquartered in Lenexa, Kansas which makes a variety of Land Mobile Radios (LMR), Digital Mobile Radios (DMR), and original data telemetry modules.

Maxon Data Radio Model SD-161 (VHF)


Overview

Maxon data radios are a line of small radio transceivers developed for industrial telemetry and data reporting use. There are both analog and digital options, but here we will focus on the analog models.

Analog Models

  • SD-125EL
    • V2 - 5/1W VHF (148-174 MHz)
    • U1 - 5/1W UHF (400-430 MHz)
    • U2 - 5/1W UHF (440-470 MHz)
  • SD-170EL
    • SD-171EL - 5/1W VHF (146-174 MHz)
    • SD-174EL - 5/1W UHF (450-490 MHz)


Older discontinued models:

  • SD-161 - 2W VHF (148-174 MHz)
  • SD-164 - 2W UHF (450-490 MHz)
  • SD-171 - 5/1W VHF (148-174 MHz)
  • SD-174 - 5/1W UHF (450-490 MHz)


EEPROM Layout

Work in progress, but I have identified the most important stuff (Freq, CTCSS/DCS, etc)

Here are blank .dat configuration files for each model. I haven't touched the EL series yet. Use these as a base for editing and flashing to your unit.

Option Bytes

Model ID

The very first byte (offset 0x00) is the model ID, 01 through 04, as listed below. The byte at 0xB4 also changes based on frequency band: 04 for VHF models, 01 for UHF models.


Model ID

| Model | Value |
|---|---|
| SD-161 | 01 |
| SD-164 | 02 |
| SD-171 | 03 |
| SD-174 | 04 |


Squelch

Most of the time you probably want this on. 0xC8 is the squelch byte: 00 is no squelch, 01 is squelch enabled.

Wide/Narrow

W/N operation for a given channel is configured using the fifth byte after the end of the TX frequency. 00 is narrowband (default) and 01 is wide.

Scan Enable

Scan enable is the first byte after the frequency channel block. 00 is disabled, 01 is enabled.


CTCSS/DCS


Enable Byte

The RX CTCSS/DCS enable byte is located 13 bytes after the end of the channel frequency block. 00 for disabled, 01 for CTCSS, 02 for DCS. The TX CTCSS/DCS enable is 4 bytes after the RX byte.


Channel/Freq.

CTCSS is also stored as a float64 of the raw value. The values are stored starting 21 bytes after the channel frequency, with the first 8 for RX CTCSS, the last 8 for TX CTCSS.


Example: 9A 99 99 99 99 F9 51 40 = 71.9 (aka 71.9Hz)



DCS is stored starting 37 bytes from the end of the channel frequency block. It may use the 38th byte if the value is too high. These are uint8/uint16 respectively.


Example: 17 = 23 (aka DCS setting 023) | F2 02 = 754 (aka DCS setting 754)



Channel Frequencies

Frequencies are stored as float64 values in 16-byte blocks, with the first 8 bytes for the receive frequency and the last 8 for the transmit frequency. Both values end in 0x40.

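Channel Offsets (Hex)

| Channel | Start | End |
|---|---|---|
| 1 | DC | EB |
| 2 | 140 | 14F |
| 3 | 1A4 | 1B3 |
| 4 | 208 | 217 |
| 5 | 26C | 27B |
| 6 | 208 | 217 |
| 7 | 334 | 343 |
| 8 | 398 | 3A7 |
| 9 | 3FC | 40B |
| 10 | 460 | 46F |
| 11 | 4C4 | 4D3 |
| 12 | 528 | 537 |
| 13 | 5BC | 59B |
| 14 | 5F0 | 5FF |
| 15 | 654 | 663 |
| 16 | 6B8 | 6C7 |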


Channel 1 Offsets

Since most people reusing these will probably only need one channel programmed, here are the exact offsets for channel 1.


Ch. 1 Offsets

| Parameter | Value(s) |
|---|---|
| RX Frequency | 0xDC-E3 |
| TX Frequency | 0xE4-EB |
| Scan Enable | 0xEC |
| RX CTCSS/DCS Option | 0xF8 |
| RX CTCSS Value | 0x100-107 |
| TX CTCSS Value | 0x108-10F |
| RX DCS Value | 0x110 or 0x110-111 |
| TX DCS Value | 0x114 or 0x114-115 |
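
A decoder and pre-flash sanity check for the channel 1 fields documented above, added here as an example and not taken from the original page or from Maxon's software. It assumes a raw EEPROM dump as read by the CH341a, frequencies stored in MHz, a second DCS byte of 00 when unused, and offsets 0xF0 (wide/narrow) and 0xFC (TX enable) derived from the prose rather than the table; `build_sample` returns a constructed image, not a real dump.

```python
import math
import struct

# Offsets from the Option Bytes and Ch. 1 Offsets sections of this page.
MODEL_ID, BAND, SQUELCH = 0x00, 0xB4, 0xC8
RX_FREQ, TX_FREQ, SCAN = 0xDC, 0xE4, 0xEC
WIDE, RX_MODE, TX_MODE = 0xF0, 0xF8, 0xFC   # 0xF0 and 0xFC derived from the prose
RX_CTCSS, TX_CTCSS, RX_DCS, TX_DCS = 0x100, 0x108, 0x110, 0x114
BAND_FOR_MODEL = {1: 0x04, 2: 0x01, 3: 0x04, 4: 0x01}  # SD-161, SD-164, SD-171, SD-174

def decode_channel1(img):
    """Decode the documented channel 1 fields from a raw EEPROM image."""
    if len(img) < TX_DCS + 2:
        raise ValueError("image too short to hold channel 1")
    f64 = lambda off: struct.unpack_from("<d", img, off)[0]  # little-endian float64
    # Assumption: the second DCS byte is 00 when unused, so one uint16 read covers both cases.
    u16 = lambda off: struct.unpack_from("<H", img, off)[0]
    return {
        "model_id": img[MODEL_ID], "band": img[BAND], "squelch": img[SQUELCH],
        "rx_freq": f64(RX_FREQ), "tx_freq": f64(TX_FREQ),
        "scan": img[SCAN], "wide": img[WIDE],
        "rx_mode": img[RX_MODE], "tx_mode": img[TX_MODE],  # 00 off, 01 CTCSS, 02 DCS
        "rx_ctcss": f64(RX_CTCSS), "tx_ctcss": f64(TX_CTCSS),
        "rx_dcs": u16(RX_DCS), "tx_dcs": u16(TX_DCS),
    }

def check_image(img):
    """Return a list of problems; an empty list means every field is in range."""
    c, problems = decode_channel1(img), []
    if BAND_FOR_MODEL.get(c["model_id"]) != c["band"]:
        problems.append("unknown model ID, or band byte 0xB4 does not match it")
    problems += [f"{k} not 00/01" for k in ("squelch", "scan", "wide") if c[k] > 1]
    problems += [f"{k} not 00/01/02" for k in ("rx_mode", "tx_mode") if c[k] > 2]
    problems += [f"{k} is not a usable float64" for k in ("rx_freq", "tx_freq")
                 if not math.isfinite(c[k]) or c[k] <= 0]
    return problems

def build_sample():
    """Constructed image (not a real dump): SD-161, 146.52 RX/TX, CTCSS 71.9, DCS 754."""
    img = bytearray(512)
    img[MODEL_ID], img[BAND], img[SQUELCH] = 0x01, 0x04, 0x01
    struct.pack_into("<dd", img, RX_FREQ, 146.52, 146.52)
    img[RX_MODE], img[TX_MODE] = 0x01, 0x01
    img[RX_CTCSS:RX_CTCSS + 8] = bytes.fromhex("9A99999999F95140")  # page example, 71.9
    img[RX_DCS:RX_DCS + 2] = bytes.fromhex("F202")                  # page example, 754
    return bytes(img)

if __name__ == "__main__":
    print(decode_channel1(build_sample()), check_image(build_sample()))
```

Running `check_image` on both the untouched backup and the edited copy before flashing shows whether an edit landed on the intended offsets.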


SD-161

This is the model that I have, so any of the info I have below is from my experimentation on this model. It may apply to at least the SD-164, and the SD-171/174 line as well, but you are entering unknown territory.

Resources

Maxon America functions as a dealer, so as an individual you cannot buy direct from them nor can you create an account to download software. However, after some searching I was able to find a company that is a reseller for these radios and lists the software freely on their site. The company is called MobileTrends.ca


Programming (With Cable)

These radios utilise a proprietary programming cable that converts RS-232 to TTL, as well as utilizing the RTS pin to control programming. That last part unfortunately prevents simply connecting TX and RX to a TTL to USB serial adapter...

I contacted Maxon directly and their technical department emailed me a schematic for the out of production ACC-2016 interface cable. After making the circuit on a breadboard, trying several times, and swapping TX/RX, I was not able to get the interface cable to work. Maybe you can, but I went for a more direct route.


Programming (Without Cable & With Software)

Inside the radio, there is a small 8 pin SOIC I2C EEPROM (Catalyst 24WC04) which stores all the programmed info. This chip can be easily read and written to using an inexpensive CH341a based programmer. The programming software (ACC-916E) shows a full EEPROM mapping in hex of the data to be written to the radio. With both of these, we can easily use the software to configure things as we want, then manually remake the hex file and flash it to the EEPROM.


  1. The first thing to do regardless of your plans is to back up the current state of the EEPROM with the CH341a. This file will also be a good base for modification when you change settings in the software. Save that file in a safe place, then make a copy for modding.
  2. Install the programming software which can be downloaded here and open it. Select "No Modem" and change your model
    • You will need a serial port, be it in use or just a USB to serial adapter or virtual, just so the software will be happy and allow opening the R/W window
  3. Set up the channels with your desired info. You can (only tested on the SD-161 by me) go down into the ham bands. The software will let you force an out of band frequency, but from 147.5 and up, it won't say anything.
    • "S" is Standard (25kHz) bandwidth, and "N" is Narrow (12.5kHz) bandwidth. Choose standard if you are using for amateur radio, otherwise narrow for business band use.
  4. Once you have the channels set up, save the config to a file.
  5. Use the saved .dat file (you may need to rename it) and flash the contents via the CH341a programmer to the EEPROM.


Programming (Without Cable or Software)

Using the info above and the blank .dat files you could probably piece together a working EEPROM image, though this is risky. As always, you are doing any of this at your own risk!


Channel Selection Switches

If everything went well so far, you should have your new config on your radio! One last thing to check is the channel DIP switches. The way Maxon illustrated these is kinda confusing, but I figured it out.


  • Open the radio if you haven't already, making sure the DB-15 and BNC port are facing up/away from you like the diagram shows.
  • The correct way of interpreting the DIP configuration is that the switches on the board should match the BLACK areas on the diagrams. From there, it's just a binary sequence.
    • For example, channel 1 is all switches DOWN.
    • If you get things wrong and select a channel that's not programmed, the radio will flicker the red and green LEDs on boot. As long as you follow the black positions, you should be ok.

Debugging

Here's a table of the status indications showing what the radio is doing, from the service manual page 18. There is plenty of other information in the service manual for troubleshooting and fixing that would be redundant to cover here, so make sure you give it a read.

SD-125

Some time ago, a group of amateur radio operators did similar research into programming the SD-125 for packet radio use on amateur frequencies. Their work can be found here.

The programming cable is similar, though it uses a DB-9 serial port instead of the DB-15. I suspect you could program via EEPROM directly like I did as well.