Hacking A Ham Radio

For Christmas, [Lior] received a Baofeng UV5R radio. He didn’t have an amateur radio license, so he decided to use it as a police scanner. Since the schematics were available, he cracked it open and hacked it.

This $40 radio communicates on the 136-174 MHz and 400-480 MHz bands. It uses a one-time programmable microcontroller and the RDA1846 transceiver. With the power traces to the MCU cut, [Lior] was able to send his own signals to the chip over I2C using an Arduino. He also recorded the signals sent by the stock microcontroller during startup, so that he could emulate it with the Arduino.

Once communication was working on an Arduino, [Lior] decided to get rid of the stock microcontroller. He desoldered the chip, leaving exposed pads to solder wires to. Hooking these up to the Arduino gave him a programmable way to control the device. He got his radio license and implemented transmission of Morse code, and an Arduino sketch is available in the write-up.

[Lior] points out that his next step is to make a PCB to connect a different microcontroller to the device. This will give him a $40 radio that is fully programmable. After the break, check out a video of the hacked radio in action.
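The Morse transmission mentioned above comes down to timing: the sketch has to key the transmitter for dit and dah lengths and release it for the right gaps. As an added example that is not [Lior]'s sketch or any RDA1846 code, here is that keying logic in plain C: it turns a message into a list of key-down/key-up intervals that a sketch can replay through whatever PTT hook the hacked radio exposes.

```c
/* Added example, not from the write-up: turn a message into a Morse keying
   schedule a sketch can replay through whatever PTT hook the hacked radio exposes. */
#include <ctype.h>
#include <stddef.h>

typedef struct { int key_down; unsigned ms; } KeyEvent;
/* ITU Morse for A-Z and 0-9: '.' = dit, '-' = dah. */
static const char *const MORSE_ALPHA[26] = {
  ".-","-...","-.-.","-..",".","..-.","--.","....","..",".---","-.-",".-..","--",
  "-.","---",".--.","--.-",".-.","...","-","..-","...-",".--","-..-","-.--","--.."};
static const char *const MORSE_DIGIT[10] = {
  "-----",".----","..---","...--","....-",".....","-....","--...","---..","----."};
/* Append one event; returns 0 when the buffer is full. */
static int push(KeyEvent *out, size_t cap, size_t *n, int down, unsigned ms) {
  if (*n >= cap) return 0;
  out[*n].key_down = down; out[*n].ms = ms; (*n)++;
  return 1;
}

/* Encode msg as key-down/key-up intervals with standard timing: dit = 1 unit,
   dah = 3, gap inside a letter = 1, between letters = 3, between words = 7.
   Returns the number of events, or 0 on overflow or an unsupported character. */
size_t morse_schedule(const char *msg, unsigned dit_ms, KeyEvent *out, size_t cap) {
  size_t n = 0;
  int need_gap = 0;                 /* a letter precedes the next one */
  for (const char *p = msg; *p; p++) {
    unsigned char c = (unsigned char)*p;
    if (c == ' ') { if (!push(out, cap, &n, 0, 7 * dit_ms)) return 0; need_gap = 0; continue; }
    const char *code;
    if (isalpha(c)) code = MORSE_ALPHA[toupper(c) - 'A'];
    else if (isdigit(c)) code = MORSE_DIGIT[c - '0'];
    else return 0;                  /* refuse rather than guess a symbol */
    if (need_gap && !push(out, cap, &n, 0, 3 * dit_ms)) return 0;
    for (const char *e = code; *e; e++) {
      if (e != code && !push(out, cap, &n, 0, dit_ms)) return 0;
      if (!push(out, cap, &n, 1, (*e == '-' ? 3u : 1u) * dit_ms)) return 0;
    }
    need_gap = 1;
  }
  return n;
}

/* Total on-air time for msg in ms (key-down plus gaps); 0 if it cannot be encoded. */
unsigned morse_duration_ms(const char *msg, unsigned dit_ms) {
  KeyEvent ev[256]; unsigned t = 0;
  size_t n = morse_schedule(msg, dit_ms, ev, sizeof ev / sizeof ev[0]);
  for (size_t i = 0; i < n; i++) t += ev[i].ms;
  return t;
}
```

Replaying the schedule is a loop that calls the sketch's key-down/key-up hook and delays for each event, and it should always finish with the key released.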

47 thoughts on “Hacking A Ham Radio”

  1. This is great. I often wonder when some enterprising company will make an “open source” ham radio — with a programmable microcontroller, a display, and a transceiver. Design your own radio OS, your own display layout, etc. Nice work!

    73, Bill AD8BC

    1. Perhaps type acceptance would be an issue. As hams the FCC does allow us to build or modify our own devices but we aren’t allowed to market them without type acceptance.

      I’m thinking you would have to take a two-micro approach. One controls the transmit vfo/power while the other is the user interface. The user-interface one is open and can be hacked at will by the owner. No matter what values it sends on to the transmitter controller micro though it will not do anything outside of certain parameters.

      Something I have been thinking about though is an open protocol for controlling a radio via computer, microcontroller, etc… As part of the protocol the radio would ‘tell’ the computer what controls it has, what their ranges are, etc… It wouldn’t exactly define a user interface but it would tell that this control is volume, this one controls a vfo, etc…

      If connecting to a computer for example, the user’s application could decide how it wants to implement the control. Maybe volume gets a slider, vfo gets a numeric control, etc… Just plug it in and the computer talks to the device then generates an interface to control it. Users could change those defaults then, what kind of control should the vfo use, etc…

      We could use micros, touch panels, rotary encoders etc… to design and build our own head units that speak the protocol and work the same way.

      1. Yeah that was kind of my idea, the “radio board” itself would be fixed as a type-accepted radio. The “control board” for it would be open — and basically would send transmit freq, receive freq, PL/DCS tone, etc to the “Radio Board”. The radio could ship from the manufacturer with a basic operating and display program but the user could re-program, create memory arrays, scan routines, etc. Of course the manufacturer could build in a little TNC unit (a la https://www.argentdata.com/catalog/product_info.php?products_id=136) and it could be enabled/disabled by discrete output and serial data could flow into the processor so one could program it to be a standalone APRS radio too.

        I’m imagining a mobile 50W radio with a remote control head, the control head could attach serially and have rotary encoders for volume, tuning, and menu select, a few buttons for user-programmed features and navigation. The LCD display would almost be trivial.

      2. Check out the ghpsdr3-alex fork; control multiple RF backends across a network from anything with a screen that talks IP and runs Qt – supports HPSDR, softrock, RTL-SDR backends, and more…. control the SDR in your shack or on another continent on the LCD TV in your lounge…

      3. I think that once we perfect a hack on this radio or possibly the new uv-b5 some entrepreneurial techs will simply need to start a service where you can mail your radio to them for modification. Unfortunately, type acceptance is a detractor to making a production software controlled transmitter. Ultimately, a chip swap that adds a new open source controller and a bluetooth interface would be awesome. The XS3868 bluetooth chip allows bi-directional uart, and audio. Once this is integrated properly, we could publish a standard interface specification over bluetooth for the radio, and developers could begin integrating with any software platform they choose. You could simply use bluetooth to link via an android phone, iphone or pc.
        The FSK work by linvor is quite promising. The fact that there are 2 sinewave generators on the radio may allow us to use both simultaneously to quadruple the transmission speed of data.
        You could have the radio in a backpack or briefcase and simply use it as a long-range modem, or have a qso through your bluetooth headset. I’m not 100% sure on the bluetooth headset yet, as the radio will link as a headset device to your phone, and you would need the ability to bridge 2 headset devices.
        This is the type of project ham radio has needed for a while. The major manufacturers and the fcc have been limiting creativity and innovation for quite some time.

  2. Nice hack. I just picked up a KST V6 220MHz. I love the radio. It’s 5W output on the band which is really nice.

    My Yaesu also does the 220MHz band but limits you to 300mW. Has to do with the PA being finicky about it. So the KST V6 fills that void. Plus it’s about 150g lighter than the Yaesu. Granted the Yaesu has a Magnesium case, the KST is plastic.

    1. Testing times, dates and locations vary, and they’re not always frequent. He got his license after he’d done part of the project.

      What I wonder is, why did he stop with a technician license? It looks to me like this project demonstrates that he knows electronics theory well enough to get the General, and probably Extra class license. There are a few regulatory questions on the exams as well, but those shouldn’t be too hard to study up on. True, the additional licenses would not add privileges relevant to this VHF/UHF project, but once you pay your $15 fee for an exam, you can keep taking tests until you either fail one or pass them all. So there’s no advantage to stopping at the technician level.

      Anyway, neat hack.

      1. Since I just got into ham, I did not plan/or know about the general or the extra. I was very happy to just be able to transmit. However, when I took the technician, I did try to take the general afterwards but missed it by 2 questions. I did not study for it at all, so I did not know any of the regulations (which seems to be a good portion of the general) as well as when and how to send HF radio signals. However, I am currently studying for both the general and extra, and will take them next month.

        Lior
        KK6BWA

        1. That’s fantastic! This is pretty much one of the main reasons I got my ham ticket back in November. The guy I share an office with is an old EE / ham so I had all the resources I needed literally staring me in the face.

          Seriously, great work. Everything you’ve done here embodies the entire movement of ham radio and the original innovators.

          Matt
          -KK4NAA

        2. Sounds good, and congrats. It’s true that some of the questions are a bit arcane, especially on the Extra exam. But you obviously have a huge head start with the background for much of the material which many “appliance operators” find difficult. With just a little bit of study, I’m sure you’ll do very well.

          Rich
          AG6QR

  3. The hack I did on this radio was all software based…
    It’s nice to see someone doing a hard mod though! I need to get ahold of this guy and see if we can reflash the firmware.

  4. Hmm, nice hack :) but I wonder if the filtering etc would be any good at 220 MHz? Like most cheap radios from our far eastern cousins I feel they are only roughly on spec for what they quote :)
    73’s
    G7COG

  5. Very cool. I recently picked up one of these radios too. For those interested in more info on the uv-5r there is a yahoo group that hosts tons of info on the radio itself. Search for “baofeng uv-5r yahoo group”

  6. Makes me wonder if all of the frequency response is handled in the MC, or if it is still in hardware like they used to be. If it is all handled in the MC, then there is the possibility of reprogramming the MC to run the radio on frequencies that were never intended by the manufacturer, essentially, a “universal” radio.

    1. All of the frequency response and modulations/demodulations happens in the RDA1846, which is basically a SDR with a DSP to do the modulations/demodulations. The RDA1846 has fixed frequencies and modes that it will RX/TX on, and it’s controlled by the MCU (http://sdr.ipip.cz/datasheets/RDA1846.pdf). I was going to try to mess around with the VCO of the RDA1846 to see if it can handle other frequencies (but it’s not made to work on frequencies other than the ones it’s made for). However, the RF amps and filtering on the chips are only made for the 2M/70cm band.

      Lior

      KK6BWA

  7. There are lots of “open source” radio designs. They’re sold as kits by lots of people. The more ambitious designs don’t often last past one run of kits because of the amount of work it is to prepare the kits. But all the documentation is available.

    The chief obstacle is not type acceptance, but lack of market. As for programmable RF sections there are many of those on the market as fully assembled units.

    FWIW I don’t recall ever seeing any requirement for type acceptance of amateur equipment. The operator is responsible for the legal operation of the equipment. Other radio services, CB, FMRS, etc do have a type acceptance requirement.

  8. At least here in the UK once you get your Intermediate license the only requirements are: 1- it is in band, 2- lack of interference and 3- power level. Foundation holders need CE marked equipment.
    de 2e0reb

      1. I’ve removed the qfp44 (that’s the EM78P568 microcontroller, correct?) but the datasheet linked only shows the pinout for a QFP100.

        I did find what I was looking for here, on the last page. http://goo.gl/oOFK6 It’s the service manual for the Wouxon KG-UVD1, which apparently uses the exact same IC.

    1. You may want to check out this other hack I have been working on. I have managed to upload a new firmware to the uv3r using an Arduino. For now the firmware is a proof of concept so it only tunes to 145.525 and listens to a signal. When a strong signal is received it will play back 3 dtmf tones. Flashing the chip was accomplished with an Arduino and only requires soldering 5 wires to direct pads on the radio (as seen in the video). So it’s much simpler than removing the cpu. Also, I am working on a firmware, which will allow you to control the radio fully using the serial port. I just finished this hack this weekend, and will need to assemble, clean up the code and post it on my website (www.liorelazary.com) by next week.

      You can see a video here:
      http://youtu.be/-bYRF7IxtLA

      I will be posting updates here: http://groups.yahoo.com/group/UV-3R/message/8141

      Once I have all the documentation, I will submit back to hackaday.

      Lior
      KK6BWA

      1. Very nice! I am working with a (mostly) destroyed UV5R, and mainly trying to scavenge the internals (case, keypad and screen destroyed.)

        I look forward to seeing your next project.

        P.S. After changing those registers, were you able to transmit on the 1.25M band?

      2. This is very cool! Nice use of the UV-3R there. It would be nice if there were “kits” that are basically barebones radios that can be easily interfaced to a microcontroller. That way, you don’t have to rip apart a Baofeng to experiment.

  9. This is very cool! For such a cheap radio, the UV5R is one of the best hackable little radios out there. It would be cool to use a UV-5R in something like a data telemetry project, where a sensor gathers data (like temperature) and then streams it back remotely via a microcontroller. Cool project ideas. 73s – Benjamin, KD8POH

  10. I would like to have you look at a radio to see if it would be possible to expand the channel bank with eeprom mods. The radio in question is a Maxon SM-4150m. I would be willing to donate you a radio for the project. At some point a group in the UK had a 99 channel kit for the uk version dubbed the SMX-4150 but I can not locate any information on it. My email is sam.rock(at)aadxa.org drop me a line and we can talk further.

  11. Looks like this idea rings true for many. The new IC uControllers frequently have pin outs with standardized power inputs, and most pins are programmable as I/O. The IC industry has standardized pin placements. With a cheap radio like this it is perfect for hacking. My interest is in a usable user interface – most HTs are confusing to use at best.
