Difference between revisions of "Kenwood TH-D74A"

From RECESSIM, A Reverse Engineering Community
Revision as of 00:34, 7 September 2020

Fully Assembled Kenwood TH-D74A

Teardown Video

A 6-minute video at 3x playback speed showing the full disassembly of the radio with commentary; the full-length video with no audio is here.

Teardown PCB Pictures

Port and Test Point Identification


Modules and Interconnects


Mechanical Pictures

Reverse Engineering Efforts

Kenwood TH-D74 connected to JTAGulator

High level goals

  • Obtain a copy of the firmware for analysis/modification
  • Understand how the radio works and what test ports are available internally

Obtaining firmware

  • Determine routes of attack
    • JTAG Port
    • Serial Port
    • Hardware attack - Remove Flash Memory and read directly (possibly encrypted/obfuscated)
    • USB data capture - Packet capture firmware update (possibly encrypted/obfuscated)

Initially the radio was opened and wires were soldered to some test points and to an interesting PCB footprint that I suspected was JTAG, as seen in the video below.

Serial Port

The serial port turned out to carry only control data sent from the CPU board to the transceiver board, as explained further below. Removing the flash memory is an option, although it is a BGA package, so soldering wires to it for a read-out looked doubtful. Furthermore, the OMAP-L138 processor seems to have a few protection mechanisms; encryption of the firmware is one of them, so that route might be useless (as it turned out, the flash contents were not encrypted; see Hardware Attack below).

Hardware Attack

  • Desolder flash memory chip
  • Re-Ball BGA and clean in preparation for socket
  • Insert into BGA socket and read contents using FlashCATUSB XPORT with BGA-64 (LAE064) socket

Other than the obvious challenge of desoldering and reballing a BGA, this worked great to get a complete image of the firmware! The firmware on the flash is not encrypted or obfuscated in any way so it's possible to make use of it immediately.

Cost breakdown to get complete firmware image using this method: $330 USD

Having a copy of the firmware for modification and analysis... PRICELESS!

USB Data Capture

This method costs a lot less than the hardware attack, like $330 less! See the YouTube video below for a walk-through. The software tools used are listed below; I am sure other tools would work, but this is what I used.

Have a better method? Create an account and update the wiki!

Hex Editor Neo - Allows bitwise operations and other cool features with a 14 day free trial!

USB Analyzer - By Eltima Software, it captures USB traffic and lets you easily export the binary data. It also comes with a 14 day free trial!

Firmware Parse Tool - Python program to strip header bytes from USB data captures
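The header-stripping step that the parse tool performs, as an added illustration that is not the page's Firmware Parse Tool or any of the listed software. Everything about the packet layout here is assumed for the example: a hypothetical 8-byte header (sequence number, payload length, 4 reserved bytes) and an export format of one packet per line of hex. The real TH-D74A updater packets and the analyzer's real export format are not given on this page, so the point of the example is the validation around the strip (sequence gaps, retransmits, length mismatches), not the field layout:

```python
"""
Reassemble a firmware image from USB bulk packets exported by a USB analyzer
by validating and stripping a per-packet header. Added illustration only: the
header layout and the one-packet-per-hex-line export format are assumptions,
not the TH-D74A updater's real protocol or any analyzer's real export format.
"""
import struct

# Assumed (hypothetical) per-packet header: 2-byte big-endian sequence number,
# 2-byte big-endian payload length, 4 reserved bytes; the payload follows.
HEADER_FMT = ">HH4x"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 8 bytes

CHUNK = 64
# Constructed stand-in for the firmware image, not real TH-D74A firmware.
SAMPLE_IMAGE = bytes(range(256)) * 2 + b"constructed sample image"


def build_packet(seq, payload):
    """Wrap a payload in the assumed header (used to construct sample input)."""
    return struct.pack(HEADER_FMT, seq, len(payload)) + payload


def sample_export():
    """Constructed analyzer export: SAMPLE_IMAGE split into CHUNK-byte packets,
    one hex line per packet, with packet 1 sent twice to mimic a retransmit."""
    lines = ["# constructed sample, not a real capture"]
    chunks = [SAMPLE_IMAGE[i:i + CHUNK] for i in range(0, len(SAMPLE_IMAGE), CHUNK)]
    for seq, chunk in enumerate(chunks):
        lines.append(build_packet(seq, chunk).hex())
        if seq == 1:
            lines.append(build_packet(seq, chunk).hex())
    return "\n".join(lines)


def parse_hex_export(text):
    """Parse an export with one packet per line of hex; '#' lines are comments."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            packets.append(bytes.fromhex(line))
    return packets


def strip_headers(packets):
    """Check each header, drop it and concatenate the payloads in order.
    A repeated sequence number is treated as a retransmit and skipped; a gap
    or a length mismatch raises instead of silently corrupting the image."""
    image = bytearray()
    expected_seq = 0
    for pkt in packets:
        if len(pkt) < HEADER_LEN:
            raise ValueError(f"short packet: {pkt.hex()}")
        seq, length = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
        payload = pkt[HEADER_LEN:]
        if len(payload) != length:
            raise ValueError(f"seq {seq}: header says {length} bytes, got {len(payload)}")
        if seq == expected_seq - 1:
            continue  # duplicate of the packet just accepted
        if seq != expected_seq:
            raise ValueError(f"sequence gap: expected {expected_seq}, got {seq}")
        image += payload
        expected_seq += 1
    return bytes(image)


if __name__ == "__main__":
    packets = parse_hex_export(sample_export())
    image = strip_headers(packets)
    print(f"{len(packets)} packets -> {len(image)} byte image,",
          "matches" if image == SAMPLE_IMAGE else "DIFFERS")
```

When adapting this to a real capture, the first job is to work out the actual header from the exported bytes (fixed-length prefixes, counters that increment by one per packet, length fields that match the payload) and replace HEADER_FMT accordingly; the checks in strip_headers are what tell you whether the guess was right before you try to load the image into a disassembler.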

Understand how the radio works

There is a serial port labeled SCTX and SCRX (see the Processor Board Bottom picture above). Both lines appear to be transmit-only from the top CPU board down to the bottom transceiver board: as the radio is tuned from one frequency to another the SCRX line has a lot of activity, and when the transmitter is keyed up the SCTX line has activity. Below is a sample of what is seen on the SCRX line. Travis Goodspeed commented to me on Twitter that these commands seemed similar to the Rig Control commands sent from PCs to radios to control them.

SCRX
J0000
K0000
G0283
`0
G1283
B06EE14
B0A03CE
B0C0028
B11E960
B180000
B140000
B1C2812
B200018
B280A68
G;7:3
K1900
a7:6
B1C2C12
B140000
B1C2812
B200018
B280A68
F41
J01
G;7:3
`0
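A first pass over the SCRX sample above, as an added example that is not part of the original page: tokenize each message, tabulate commands and argument lengths, flag arguments that are not plain hex, and look for runs of messages that repeat. Treating the first character of each line as the command is an assumption drawn from the shape of the capture, and the index/value split of the B arguments in split_b_argument is purely hypothetical; the page does not establish the meaning of any of these messages:

```python
"""
First-pass analysis of the SCRX serial traffic (CPU board -> transceiver
board) captured from the TH-D74A: tokenize each message, tabulate commands
and argument lengths, and look for repeated runs of messages.
"""
from collections import Counter

# Capture reproduced from the page, one message per line.
SCRX_SAMPLE = """\
J0000
K0000
G0283
`0
G1283
B06EE14
B0A03CE
B0C0028
B11E960
B180000
B140000
B1C2812
B200018
B280A68
G;7:3
K1900
a7:6
B1C2C12
B140000
B1C2812
B200018
B280A68
F41
J01
G;7:3
`0
"""

HEX_DIGITS = set("0123456789ABCDEFabcdef")


def parse_messages(text):
    """Split each line into a one-character command and its argument.
    Treating the first character as the command is an assumption drawn from
    the visible shape of the capture, not something the page establishes."""
    msgs = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            msgs.append((line[0], line[1:]))
    return msgs


def command_counts(msgs):
    """How often each command appears in the sample."""
    return Counter(cmd for cmd, _ in msgs)


def argument_lengths(msgs):
    """Set of argument lengths seen per command; a single length per command
    hints at a fixed-format argument (B is always 6 characters here)."""
    lengths = {}
    for cmd, arg in msgs:
        lengths.setdefault(cmd, set()).add(len(arg))
    return lengths


def non_hex_arguments(msgs):
    """Messages whose argument is not plain hex (e.g. 'G;7:3', 'a7:6'), which
    rules out decoding every argument as a hex number."""
    return [cmd + arg for cmd, arg in msgs if not set(arg) <= HEX_DIGITS]


def repeated_runs(msgs, n):
    """n-message sequences occurring more than once (overlapping windows).
    A run that recurs across retunes is a candidate fixed configuration block."""
    raw = [cmd + arg for cmd, arg in msgs]
    grams = Counter(tuple(raw[i:i + n]) for i in range(len(raw) - n + 1))
    return {g: c for g, c in grams.items() if c > 1}


def split_b_argument(arg):
    """Hypothetical decoding of a B message: read the six hex digits as a
    2-digit index followed by a 4-digit value. This split is an assumption
    for illustration only; the real field layout is not known from the page."""
    if len(arg) != 6 or not set(arg) <= HEX_DIGITS:
        raise ValueError(f"unexpected B argument: {arg!r}")
    return int(arg[:2], 16), int(arg[2:], 16)


if __name__ == "__main__":
    msgs = parse_messages(SCRX_SAMPLE)
    print("messages:", len(msgs), "per command:", dict(command_counts(msgs)))
    print("argument lengths:", argument_lengths(msgs))
    print("non-hex arguments:", non_hex_arguments(msgs))
    for n in (4, 3):
        print(f"repeated {n}-message runs:", repeated_runs(msgs, n))
    print("B arguments as (index, value):",
          [split_b_argument(a) for c, a in msgs if c == "B"])
```

On this sample the longest repeated run is the four messages B140000 B1C2812 B200018 B280A68, which show up once in each tuning burst; capturing several retunes to different frequencies and diffing the B arguments that change against the ones that stay fixed is the natural next step before guessing at field meanings.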

Datasheets

Kenwood TH-D74A Datasheet - IC-701 - DRAM

Kenwood TH-D74A Datasheet - IC-702 - OMAP-L138

Kenwood TH-D74A Datasheet - IC-705 - FLASH MEMORY

Using the OMAP-L138 Bootloader

Kenwood TH-D74A Datasheet - IC-707 - WM8940 (not an exact match, but the same family)