
Teardown Video

A 6-minute video at 3x playback speed showing the full disassembly of the radio, with commentary; a full-length version with no audio is available here.

Teardown PCB Pictures

Modules and Interconnects


Mechanical Pictures


Reverse Engineering Efforts

Kenwood TH-D74 connected to JTAGulator

High level goals

  • Obtain a copy of the firmware for analysis/modification
  • Understand how the radio works and what test ports are available internally

Obtaining firmware

  • Determine routes of attack
    • JTAG Port
    • Serial Port
    • Hardware attack - Remove Flash Memory and read directly (possibly encrypted)

Initially, the radio was opened and wires were soldered to some test points and to an interesting PCB footprint that I suspected was JTAG, as seen in the video below.

There is also a serial port labeled SCTX and SCRX; both lines appear to be transmit-only from the top CPU board down to the bottom transceiver board. As the radio is tuned from one frequency to another, the SCRX line shows a lot of activity; when the transmitter is keyed up, the SCTX line shows activity. Here is a sample of what is seen on the SCRX line.

SCRX
J0000
K0000
G0283
`0
G1283
B06EE14
B0A03CE
B0C0028
B11E960
B180000
B140000
B1C2812
B200018
B280A68
G;7:3
K1900
a7:6
B1C2C12
B140000
B1C2812
B200018
B280A68
F41
J01
G;7:3
`0
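A first-pass triage of the SCRX sample above, added here as an example and not part of the original notes. It assumes each line is a one-character opcode followed by a payload (an assumption; the real framing is unknown) and reports, per opcode, how many frames were seen, their payload lengths and the smallest character alphabet that covers them, plus the longest block of frames that repeats, which is what you would check before guessing at field meanings.

```python
"""Triage of an unknown serial capture: group frames by opcode and find repeats."""
from collections import defaultdict

# Constructed sample: the SCRX lines quoted above, one frame per entry.
SCRX_CAPTURE = """J0000 K0000 G0283 `0 G1283 B06EE14 B0A03CE B0C0028 B11E960
B180000 B140000 B1C2812 B200018 B280A68 G;7:3 K1900 a7:6 B1C2C12 B140000
B1C2812 B200018 B280A68 F41 J01 G;7:3 `0""".split()


def alphabet_label(chars):
    """Smallest well-known alphabet that covers a set of payload characters."""
    if all(c.isdigit() for c in chars):
        return "decimal"
    if all(c in "0123456789ABCDEF" for c in chars):
        return "hex"
    # '0'..'9' followed by ':'..'?' is 0x30..0x3F, i.e. nibble + 0x30 (hypothesis)
    if all(0x30 <= ord(c) <= 0x3F for c in chars):
        return "0x30-0x3F"
    return "other"


def parse_frame(line):
    """Assumed framing: first character is the opcode, the rest is the payload."""
    return line[0], line[1:]


def summarize(lines):
    """Per opcode: frame count, payload lengths seen, covering alphabet."""
    acc = defaultdict(lambda: {"count": 0, "lengths": set(), "chars": set()})
    for line in lines:
        op, payload = parse_frame(line)
        acc[op]["count"] += 1
        acc[op]["lengths"].add(len(payload))
        acc[op]["chars"].update(payload)
    return {op: {"count": e["count"], "lengths": e["lengths"],
                 "alphabet": alphabet_label(e["chars"])} for op, e in acc.items()}


def repeated_runs(lines, min_len=3):
    """Longest run of consecutive frames that occurs more than once in the capture."""
    best, n = [], len(lines)
    for length in range(min_len, n // 2 + 1):
        seen = set()
        for i in range(n - length + 1):
            run = tuple(lines[i:i + length])
            if run in seen and length > len(best):
                best = list(run)
            seen.add(run)
    return best


if __name__ == "__main__":
    for op, entry in sorted(summarize(SCRX_CAPTURE).items()):
        print(op, entry)
    print("repeated block:", repeated_runs(SCRX_CAPTURE))
```

On this sample the B frames are all 6-character hex payloads, while the G and a frames use characters outside hex but inside 0x30..0x3F, which is worth keeping in mind before assuming one encoding for the whole link.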

Understand how the radio works


Datasheets