For Christmas, [Lior] received a Baofeng UV5R radio. He didn’t have an amateur radio license, so he decided to use it as a police scanner. Since the schematics were available, he cracked it open and hacked it.
This $40 radio communicates on the 136-174 MHz and 400-480 MHz bands. It uses a one-time programmable microcontroller and the RDA1846 transceiver. With the power traces to the MCU cut, [Lior] was able to send his own signals to the chip over I2C using an Arduino. He also recorded the signals sent by the stock microcontroller during startup, so that he could emulate it with the Arduino.
Once communication was working on an Arduino, [Lior] decided to get rid of the stock microcontroller. He desoldered the chip, leaving exposed pads to solder wires to. Hooking these up to the Arduino gave him a programmable way to control the device. He got his radio license and implemented transmission of Morse Code, and an Arduino sketch is available in the write up.
[Lior] points out that his next step is to make a PCB to connect a different microcontroller to the device. This will give him a $40 radio that is fully programmable. After the break, check out a video of the hacked radio in action.
Excellent hack. _This_ is what hacking is all about.
This is great. I often wonder when some enterprising company will make an “open source” ham radio — with a programmable microcontroller, a display, and a transceiver. Design your own radio OS, your own display layout, etc. Nice work!
73, Bill AD8BC
Perhaps type acceptance would be an issue. As hams the FCC does allow us to build or modify our own devices but we aren’t allowed to market them without type acceptance.
I’m thinking you would have to take a two-micro approach. One controls the transmit vfo/power while the other is the user interface. The user-interface one is open and can be hacked at will by the owner. No matter what values it sends on to the transmitter controller micro though it will not do anything outside of certain parameters.
Something I have been thinking about though is an open protocol for controlling a radio via computer, microcontroller, etc… As part of the protocol the radio would ‘tell’ the computer what controls it has, what their ranges are, etc… It wouldn’t exactly define a user interface but it would tell that this control is volume, this one controls a vfo, etc…
If connecting to a computer for example, the user’s application could decide how it wants to implement the control. Maybe volume gets a slider, vfo gets a numeric control, etc… Just plug it in and the computer talks to the device then generates an interface to control it. Users could change those defaults then, what kind of control should the vfo use, etc…
We could use micros, touch panels, rotary encoders etc… to design and build our own head units that speak the protocol and work the same way.
Yeah that was kind of my idea, the “radio board” itself would be fixed as a type-accepted radio. The “control board” for it would be open — and basically would send transmit freq, receive freq, PL/DCS tone, etc to the “Radio Board”. The radio could ship from the manufacturer with a basic operating and display program but the user could re-program, create memory arrays, scan routines, etc. Of course the manufacturer could build in a little TNC unit (a la https://www.argentdata.com/catalog/product_info.php?products_id=136) and it could be enabled/disabled by discrete output and serial data could flow into the processor so one could program it to be a standalone APRS radio too.
I’m imagining a mobile 50W radio with a remote control head, the control head could attach serially and have rotary encoders for volume, tuning, and menu select, a few buttons for user-programmed features and navigation. The LCD display would almost be trivial.
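The two-controller split proposed in the comments above, sketched as an added example (not code from the article or from any commenter): the fixed radio-side controller advertises its controls and their ranges, and rejects any out-of-range request from the open UI controller. The band limits are the ones quoted in the article; the power and volume limits and every name below are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct { uint32_t lo, hi; } range_t;               /* inclusive bounds */
typedef struct { const char *name; const range_t *ranges; size_t n; } control_t;

/* Assumed limits: bands as quoted in the article; power and volume are constructed. */
static const range_t TX_BANDS_KHZ[] = { {136000, 174000}, {400000, 480000} };
static const range_t POWER_MW[]     = { {0, 5000} };
static const range_t VOLUME[]       = { {0, 15} };

enum { CTL_TX_FREQ, CTL_TX_POWER, CTL_VOLUME, CTL_COUNT };

/* Capability table: what the radio board tells a head unit about itself. */
static const control_t CONTROLS[CTL_COUNT] = {
    [CTL_TX_FREQ]  = { "tx_freq_khz", TX_BANDS_KHZ, 2 },
    [CTL_TX_POWER] = { "tx_power_mw", POWER_MW,     1 },
    [CTL_VOLUME]   = { "volume",      VOLUME,       1 },
};

/* Last accepted value of each control (hypothetical power-on defaults). */
static uint32_t state[CTL_COUNT] = { 145000, 1000, 5 };

/* Discovery: describe control `id`, or NULL when the radio has no such control. */
const control_t *radio_describe(unsigned id) {
    return id < CTL_COUNT ? &CONTROLS[id] : NULL;
}

/* Every request from the open UI micro passes through here. Returns 0 when
   applied and -1 when rejected; a rejected request leaves the state untouched. */
int radio_set(unsigned id, uint32_t value) {
    const control_t *c = radio_describe(id);
    if (c == NULL) return -1;
    for (size_t i = 0; i < c->n; i++) {
        if (value >= c->ranges[i].lo && value <= c->ranges[i].hi) {
            state[id] = value;
            return 0;
        }
    }
    return -1;
}

/* Read back the value currently in force (0 for an unknown control). */
uint32_t radio_get(unsigned id) {
    return id < CTL_COUNT ? state[id] : 0;
}
```

The range check lives only on the fixed side, so reflashing the UI controller changes what is requested but not what is accepted.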
Check out the ghpsdr3-alex fork; control multiple RF backends across a network from anything with a screen that talks IP and runs Qt – supports HPSDR, softrock, RTL-SDR backends, and more…. control the SDR in your shack or on another continent on the LCD TV in your lounge…
I think that once we perfect a hack on this radio or possibly the new uv-b5 some entrepreneurial techs will simply need to start a service where you can mail your radio to them for modification. Unfortunately, type acceptance is a detractor to making a production software controlled transmitter. Ultimately, a chip swap that adds a new open source controller and a bluetooth interface would be awesome. The XS3868 bluetooth chip allows bi-directional uart, and audio. Once this is integrated properly, we could publish a standard interface specification over bluetooth for the radio, and developers could begin integrating with any software platform they choose. You could simply use bluetooth to link via an android phone, iphone or pc.
The FSK work by linvor is quite promising. The fact that there are 2 sinewave generators on the radio may allow us to use both simultaneously to quadruple the transmission speed of data.
You could have the radio in a backpack or briefcase and simply use it as a longrange modem, or have a qso through your bluetooth headset. I’m not 100% sure on the bluetooth headset yet, as the radio will link as a headset device to your phone, and you would need the ability to bridge 2 headset devices.
This is the type of project ham radio has needed for a while. The major manufacturers and the fcc have been limiting creativity and innovation for quite some time.
Did I type Linvor? I meant Lior. I guess I have bluetooth on my mind. Great work Lior!
On second thought, we should be able to double not quadruple the transmission speed with two sinewaves. We go from 2 symbols per cycle to 4 symbols.
open source radio = TenTec’s new fully open source HF rig.
NICE!! I got one for Xmas too. I’ll be sure to give you any feedback I may have.
That is really cool. As someone that is scoping out the amateur radio hobby, this is very interesting.
Nice hack. I just picked up a KST V6 220MHz. I love the radio. It’s 5W output on the band which is really nice.
My Yaesu also does the 220MHz band but limits you to 300mW. Has to do with the PA being finicky about it. So the KST V6 fills that void. Plus it’s about 150g lighter than the Yaesu. Granted the Yaesu has a Magnesium case, the KST is plastic.
You know, while he was at it he should have just gone and got his license…
” He got his radio license and implemented transmission of Morse Code,”
He did get his license.
RTFA – He did get his license. XD
Testing times, dates and locations vary, and they’re not always frequent. He got his license after he’d done part of the project.
What I wonder is, why did he stop with a technician license? It looks to me like this project demonstrates that he knows electronics theory well enough to get the General, and probably Extra class license. There are a few regulatory questions on the exams as well, but those shouldn’t be too hard to study up on. True, the additional licenses would not add privileges relevant to this VHF/UHF project, but once you pay your $15 fee for an exam, you can keep taking tests until you either fail one or pass them all. So there’s no advantage to stopping at the technician level.
Anyway, neat hack..
Since I just got into ham, I did not plan/or know about the general or the extra. I was very happy to just be able to transmit. However, when I took the technician, I did try to take the general afterwards but missed it by 2 questions. I did not study for it at all, so I did not know any of the regulations (which seems to be a good portion of the general) as well as when and how to send HF radio signals. However, I am currently studying for both the general and extra, and will take them next month.
Lior
KK6BWA
That’s fantastic! This is pretty much one of the main reasons I got my ham ticket back in November. The guy I share an office with is an old EE / ham so I had all the resources I needed literally staring me in the face.
Seriously, great work. Everything you’ve done here embodies the entire movement of ham radio and the original innovators.
Matt
-KK4NAA
Sounds good, and congrats. It’s true that some of the questions are a bit arcane, especially on the Extra exam. But you obviously have a huge head start with the background for much of the material which many “appliance operators” find difficult. With just a little bit of study, I’m sure you’ll do very well.
Rich
AG6QR
There is a lot of fun to be had on the HF bands :)
KB1WKI
According to the write up on this site, he did.
Very very cool! Stuff like this is why I read HaD.
The hack I did on this radio was all software based…
It’s nice to see someone doing a hard mod though! I need to get ahold of this guy and see if we can reflash the firmware.
CorrosiveOne,
Do you have info on your software hack somewhere?
hmm nice hack :) but i wonder if the filtering etc would be any good at 220mhz? Like most cheap radios from our far eastern cousins I feel they are only roughly on spec for what they quote :)
73’s
G7COG
very cool. I recently picked up one of these radios too. for those interested in more info on the uv-5r there is a yahoo group that hosts tons of info on the radio itself. search for “baofeng uv-5r yahoo group”
nice one!!
wanted to do this to a UV-3R since a year, but no time :(
will give your hack a try on it :)
Makes me wonder if all of the frequency response is handled in the MC, or if it is still in hardware like they used to be. If it is all handled in the MC, then there is the possibility of reprogramming the MC to run the radio on frequencies that were never intended by the manufacturer, essentially, a “universal” radio.
All of the frequency response and modulations/demodulations happen in the RDA1846, which is basically an SDR with a DSP to do the modulations/demodulations. The RDA1846 has fixed frequencies and modes that it will RX/TX on, and it’s controlled by the MCU (http://sdr.ipip.cz/datasheets/RDA1846.pdf). I was going to try to mess around with the VCO of the RDA1846 to see if it can handle other frequencies (but it’s not made to work on frequencies other than the ones it’s made for). However, the RF amps and filtering on the chips are only made for the 2M/70cm band.
Lior
KK6BWA
There are lots of “open source” radio designs. They’re sold as kits by lots of people. The more ambitious designs don’t often last past one run of kits because of the amount of work it is to prepare the kits. But all the documentation is available.
The chief obstacle is not type acceptance, but lack of market. As for programmable RF sections there are many of those on the market as fully assembled units.
FWIW I don’t recall ever seeing any requirement for type acceptance of amateur equipment. The operator is responsible for the legal operation of the equipment. Other radio services, CB, FMRS, etc do have a type acceptance requirement.
At least here in the UK once you get your Intermediate license the only requirements are: 1- it is in band, 2- lack of interference and 3- power level. Foundation holders need CE marked equipment.
de 2e0reb
Has anyone tried this? I’m trying to determine the pinouts of the microcontroller.
If you look on the bottom of this page:
http://www.liorelazary.com/index.php?option=com_content&view=article&id=49%3Ahacking-the-baofeng-uv5r&catid=14%3Abaofeng-uv5r&Itemid=17&limitstart=2
You will see the pinout of their microcontroller.
Lior
KK6BWA
I’ve removed the qfp44 (that’s the EM78P568 microcontroller, correct?) but the datasheet linked only shows the pinout for a QFP100.
I did find what I was looking for here, on the last page. http://goo.gl/oOFK6 It’s the service manual for the Wouxon KG-UVD1, which apparently uses the exact same IC.
Ok I see the confusion, I was referencing the uv5r schematics when I was tracing the pins.
I updated the page to be more specific and show the pin numbers as well as the mcu from the schematics.
Hope this helps.
http://www.liorelazary.com/index.php?option=com_content&view=article&id=49%3Ahacking-the-baofeng-uv5r&catid=14%3Abaofeng-uv5r&Itemid=17&limitstart=2
Lior
KK6BWS
Reblogged this on guardian of light and commented:
I’m attempting to replicate this project, and hopefully, I’ll turn it into a neat little software-defined radio for 2m, 1.25m, and 70cm. We shall see shortly.
You may want to check out this other hack I have been working on. I have managed to upload a new firmware to the uv3r using an arduino. For now the firmware is a proof of concept so it only tunes to 145.525 and listens to a signal. When a strong signal is received it will play back 3 dtmf tones. Flashing the chip was accomplished with an arduino and only requires soldering 5 wires to direct pads on the radio (as seen in the video). So it’s much simpler than removing the cpu. Also, I am working on a firmware, which will allow you to control the radio fully using the serial port. I just finished this hack this weekend, and will need to assemble, clean up the code and post it on my website (www.liorelazary.com) by next week.
You can see a video here:
http://youtu.be/-bYRF7IxtLA
I will be posting updates here: http://groups.yahoo.com/group/UV-3R/message/8141
Once I have all the documentation, I will submit back to hackaday.
Lior
KK6BWA
Very nice! I am working with a (mostly) destroyed UV5R, and mainly trying to scavenge the internals (case, keypad and screen destroyed.)
I look forward to seeing your next project.
P.S. After changing those registers, were you able to transmit on the 1.25M band?
Yea, if you look on this page:
http://www.liorelazary.com/index.php?option=com_content&view=article&id=49%3Ahacking-the-baofeng-uv5r&catid=14%3Abaofeng-uv5r&Itemid=17&limitstart=7
you can see a video transmitting on 223.5MHz. Unfortunately, I did not have a radio capable of tuning to 223.5MHz, so I used another UV5R tuned to the first harmonic (447MHz) to receive. It seems to work at 400 feet away.
Lior
KK6BWA
This is very cool! Nice use of the UV-3R there. It would be nice if there were “kits” that are basically barebones radios that can be easily interfaced to a microcontroller. That way, you don’t have to rip apart a Baofeng to experiment.
This is very cool! For such a cheap radio, the UV5R is one of the best hackable little radios out there. It would be cool to use a UV-5R in something like a data telemetry project, where a sensor gathers data (like temperature) and then streams it back remotely via a microcontroller. Cool project ideas. 73s – Benjamin, KD8POH
Quit writing his name is brackets you stupid fucking cunt. this article is shit too. what a crap idiot mod
Noted.
Hi, I have the UV-5R GT-3 Mark II and want to change the frequency steps in 65-108MHz for 2,5kHz not 100KHz. Is there any way to do this by Software like CHIRP? 73@DL6GHI
I would like to have you look at a radio to see if it would be possible to expand the channel bank with eeprom mods. The radio in question is a Maxon SM-4150m. I would be willing to donate you a radio for the project. At some point a group in the UK had a 99 channel kit for the uk version dubbed the SMX-4150 but I can not locate any information on it. My email is sam.rock(at)aadxa.org drop me a line and we can talk further.
Looks like this idea rings true for many. The new IC uControllers frequently have pin outs with standardized power inputs, and most pins are programmable as I/O. The IC industry has standardized pin placements. With a cheap radio like this it is perfect for hacking. My interest is in a usable user interface – most HTs are confusing to use at best.