Some questions

[rogerclarkmelbourne]

Hi,

I don't have this radio but I am curious about the ability to read the firmware and also upload unecrypted firmware

Normally bootloaders in Baofeng and TYT radios don't have the ability to read the program ROM in the radio.

I know the TYT bootloader had a bug which allowed Travis to read the bootloader and crack the encryption, but these tools appear to allow the entire program ROM memory in the MCU to be read, which implies that the bootloader is not secure becuase it allows functionality which the MD380 etc does not allow.

What hardware is in this radio ? STM32F4xx like in the MD380, what is the baseband chip AT1846S ?? and DMR chip (C5000 or C6000), what display does it use?

Thanks

VK3KYY

[sp2ong]

Hi Roger

I suppose that OK2MOP will answer better, but we discussed DM-1702 on https://opengd77.com/viewtopic.php?f=7&t=2361
It looks like DM-1702 (DM-X) has onboard STM32F405VGT6, HRC6000, AT1846S

I have DM-X model

73 Waldek SP2ONG

[rogerclarkmelbourne]

Waldek

Did you try using the DFU tool here to read unencrypted firmware from your radio ?

PS
No reply from the author yet. You could try to contact via QRZ.com for more information

[sp2ong]

Roger,
I did not try using the DFU tool. I use this radio as a backup to my GD77 :-)

I know that people who use DM-X/DM-1702 radio discuss on:
https://www.twowayradioforum.com/t/baofeng-dm-x-dmr/7249

where OK2MOP is as nickname "pm_cz"

Pavel OK2MOP does not have an account on QRZ.com

but I send PRIV messages via twowayradioforum website to Pavel

73

[rogerclarkmelbourne]

OK. Reading via DFU should not be a problem if the tool works OK. But I don't know how the DFU tool works.

[OK2MOP]

Hello, some clarifications, unfortunately I do not have much time to play with this device anymore:

• there are several hardware revisions which seem to be incompatible to a degree (especially with different bootloaders present)
• the tool reads firmware (only the part accessible) directly in running system (there is a command for reading data from program flash) so the HW DFU mode is not necessary and I did not try to trigger it, but it is not able to read/write the bootloader without a patched firmware (the programming mode in bootloader is not able either, as it is write-only)
• programming is done by erasing the part of program flash (0x08008000-) after bootloader (0x08000000-0x08004000) and configuration block (0x08004000-0x08008000), which also contains an device anti-cloning protection mechanism (checksum based on CPU serial number)
• the decryption of the firmware happens (for the devices I own) in CPS software, over USB the firmware is already sent unencrypted. The extracted firmware files I was able to obtain are on my google drive, linked in the forum above.
• I have data formats in a sheet but as I was not able to play with the radio further and the different HW/bootloaders and internal command format changes meant that what worked in one FW did not in a different branch
• CPU was the same as in RT3s if memory serves me right, the rest I did not check. If it helps, the FCC has some internal photos, I think https://fcc.report/FCC-ID/2AJGM-DM1702/4113210 is the URL
• I dug out some internal photos from my revision, or my HW revision (V1.1GPS) chip is HR_C6000, GPS ATGM336H, on display ribbon I see SLH1826 and FPC-HIB018A010-A1 with 22-pin connector. ARM CPU photo is incomplete but it should be STM32F405, AMPs LM2904D, TDA2822, baseband unknown.

[rogerclarkmelbourne]

@OK2MOP

Thanks

Baseband looks like AT1846S, same as in GD77, DM1801-V1, RD5R-V2, MD-UV380 / RT3S

The MCU is the same as the MD-UV380 and MD380, and MD9600.
Application start address is different from those radios where the application start address if 0x800C0000

GD77, DM1801 and RD5R also have an anti-cloning also based on the CPU serial number, but its stored at the end of the MCU program ROM. (GD77 etc use NXP MK22FN512 MCU not STM32F405 like in this radio)

I'll email you directly, because I can't access the unencrypted firmware on the forum