Changes

157 bytes added, 03:04, 22 October 2020
[[File:TH-D74A.jpg|none|thumb|Fully Assembled Kenwood TH-D74A|alt=]]Full teardown pictures and videos of the TH-D74 along with notes on reverse engineering and obtaining a copy of the firmware. 
==Teardown Video==
6 minute video at 3x playback speed showing full disassembly of the radio with commentary. The full length video with no audio is [https://youtu.be/Q_n_bs6f8gE here].
<youtube width="320" height="240">EZP2DVU9IvQ</youtube>
===== Serial Port =====
The serial port turned out to just carry control data sent from the CPU board to the transceiver board, explained further below. Removing the flash memory is an option, although it is a BGA package, so I am not sure about soldering wires to it so it can be read out. Furthermore, the OMAP-L138 processor seems to have a few protection mechanisms. Encryption of the firmware is one of them, so that route might be useless.
==== Hardware Attack ====
* Desolder flash memory chip
* Re-Ball BGA and clean in preparation for socket
* Insert into BGA socket and read contents using [https://www.embeddedcomputers.net/products/FlashcatUSB_XPORT/ FlashCATUSB XPORT] with [https://www.embeddedcomputers.net/products/ParallelAdapters/ BGA-64 (LAE064)] socket
Other than the obvious challenge of desoldering and reballing a BGA, this worked great to get a complete image of the firmware! The firmware on the flash is not encrypted or obfuscated in any way so it's possible to make use of it immediately.
Cost breakdown to get complete firmware image using this method: '''$330 USD'''
* $145 - Replacement Processor board for TH-D74 (eBay)
* $40 - [https://www.embeddedcomputers.net/products/FlashcatUSB_XPORT/ FlashcatUSB XPORT]
* $145 - [https://www.embeddedcomputers.net/products/ParallelAdapters/ BGA-64 (LAE064)] Socket
Having a copy of the firmware for modification and analysis... PRICELESS!
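The observation above that the flash image is not encrypted or obfuscated can be checked on any dump with a per-block entropy profile, and two reads from the socket can be compared to rule out contact problems. This is an added example, not part of the original wiki page; the block size, threshold values, function names and sample images are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

BLOCK = 4096  # analysis window in bytes; an assumed value, not a parameter of the flash part

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(block: bytes) -> str:
    """Label one block as erased flash, high-entropy, or ordinary code/data."""
    if block.count(block[0]) == len(block) and block[0] in (0x00, 0xFF):
        return "erased"
    return "high" if shannon_entropy(block) > 7.5 else "plain"

def profile(image: bytes) -> Counter:
    """Count block labels across the whole image."""
    return Counter(classify(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK))

def looks_encrypted(image: bytes) -> bool:
    """True when nearly all programmed (non-erased) blocks are high-entropy."""
    counts = profile(image)
    used = counts["plain"] + counts["high"]
    return used > 0 and counts["high"] / used > 0.9

def differing_blocks(read_a: bytes, read_b: bytes) -> list:
    """Offsets of blocks that differ between two reads of the same chip.
    Any difference points at a contact or reball problem, not at the data."""
    if len(read_a) != len(read_b):
        raise ValueError("reads have different lengths")
    return [i for i in range(0, len(read_a), BLOCK)
            if read_a[i:i + BLOCK] != read_b[i:i + BLOCK]]

# Constructed sample images (not real firmware): text-like data plus erased
# padding, and a pseudo-random image standing in for an encrypted one.
rng = random.Random(0)
plain_image = b"constructed string table entry!\x00" * 1024 + b"\xff" * (4 * BLOCK)
random_image = bytes(rng.getrandbits(8) for _ in range(8 * BLOCK))

if __name__ == "__main__":
    for name, img in (("plain", plain_image), ("random", random_image)):
        print(name, dict(profile(img)), "encrypted-looking:", looks_encrypted(img))
```

Compressed regions also score as high-entropy, so a positive result calls for a closer look at those blocks rather than proving encryption.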
==== USB Data Capture ====
This method costs a lot less than the hardware attack, like $330 less! See the YouTube video below for a walk-through. The software tools used are listed below; I am sure other tools would work, but this is what I used.
'''''Have a better method? Create an account and update the wiki!'''''
<youtube width="320" height="240">BwFnZOvw0wk</youtube>
[https://www.hhdsoftware.com/hex-editor Hex Editor Neo] - Allows bitwise operations and other cool features with a 14 day free trial!
[https://wiki.recessim.com/w/images/c/cd/IC-707_-_Not_exact_match_but_same_family_-_WM8940_v4.3.pdf IC-707 - Not exact match but same family - WM8940]