High-End Ham Radio Gives Up Its Firmware Secrets

Amateur radio operators have always been at the top of their game when they’ve been hacking radios. A ham license gives you permission to open up a radio and modify it, or even to build a radio from scratch. True, as technology has advanced the opportunities for old school radio hacking have diminished, but that doesn’t mean that the new computerized radios aren’t vulnerable to the diligent ham’s tender ministrations.

A case in point: the Kenwood TH-D74A’s firmware has been dumped and partially decoded. A somewhat informal collaboration between [Hash (AG5OW)] and [Travis Goodspeed (KK4VCZ)], the process that started with [Hash]’s teardown of his radio, seen in the video below. The radio, a tri-band handy talkie with capabilities miles beyond even the most complex of the cheap imports and with a price tag to match, had a serial port and JTAG connector. A JTAGulator allowed him to probe some of the secrets, but a full exploration required spending $140 on a spare PCB for the radio and some deft work removing the BGA-packaged Flash ROM and dumping its image to disk.

[Travis] picked up the analysis from there. He found three programs within the image, including the radio’s firmware and a bunch of strings used in the radio’s UI, in both English and Japanese. The work is far from complete, but the foundation is there for further exploration and potential future firmware patches to give the radio a different feature set.

This is a great case study in reverse engineering, and it’s really worth a trip down the rabbit hole to learn more. If you’re looking for a more formal exploration of reverse engineering, you could do a lot worse than HackadayU’s “Reverse Engineering with Ghidra” course, which just wrapping up. Watch for the class videos soon.

46 thoughts on “High-End Ham Radio Gives Up Its Firmware Secrets

    1. The first documented cases of “Spanish flu” were in Kansas, but censored due to world war I, as it would have a negative effect on moral (no preventive measures were taken). It was only neutral Spain where the free press could report on the epidemic.

      Blaming China for COVID-19, is a lot like blaming Africa (Haplogroup L0) for Homo sapiens, once all the prerequisites existed it was going to happen somewhere.

      1. When Canada restructured in 1990, the same thing with the Basic license. Though it’s worded more like “you can build antennas and accessories and even receivers, but not transmitters”.

        In 1972 when I was licensed, it was still called the “Amateur Experimental Service”.

      2. Sorry if your country doesn’t allow the engineering level privileges that we have here in the USA. Some UK hams have migrated to the USA just to have full Amateur Radio capability. Many other EU and Asia countries do give their Amateur radio licensees full engineering capabilities. This is a source of encourage and training for their next generation of skilled technicians and engineers.

        1. I find that hard to believe – the intermediate and full exams aren’t hard, they just test that you understand the basic theory behind the stuff you will be experimenting with. Or put it another way, chances are if you cant pass the full license, you probably shouldn’t be messing with high power radio transmitters anyway.

          1. But it changes the hobby.

            When I was licensed in 1972, I got everything except voice on the HF bands with the “entry level” license. The US Novice license was very limited, but the idea was to get people going, and whether or not someone built a transmitter, it was part of the lore.

            These license changes reflect a shift to quantity rather than quality. They formalize what too many think of the hobby, that it’s for “talking on the radio”. “Let’s make it simple so more people will get interested, nobody actually builds anymore”. And then enough time has happened that leadership has come from those hams who came for other reasons, likely at an older age, and see the hobby differently. And in turn they reinforce the change.

            In the US it’s not so different, just less blatant. Entry is generally at VHF, which for many is buy a 2M FM rig. Some progress, but the technical aspects seems missing.

      3. That seems just down right anti social….if you ask me, but then again, I was always “special” or at least EXTRA Special as a hacker growing up before the term “hacker” had a specific meaning😇….Larry R. KE5QMH Extra….

      4. Not quite, the Ofcom licence conditions state:

        7(2) Where this Licence is a Foundation Licence, the Licensee shall only use commercially
        available Radio Equipment which satisfies IR 2028. Foundation Licence holders may also
        use Radio Equipment constructed using commercially available kits which satisfy IR 2028.

        7(3) Notwithstanding any other terms of this Licence, the Licensee shall ensure that the
        Radio Equipment is designed, constructed, maintained and used so that its use does not
        cause any Undue Interference to any wireless telegraphy.

        So a Foundation licencee can use build a commercial kit that satisfies IR 2028 and all categories of licence holders should ensure as 7(3) states. Our UK regulations are quite sensible really and attempt to match knowledge/experience to ‘amateur freedoms’ especially with regard to power & frequency.

        Also ‘shall’ and ‘must’ cause confusion in law, ‘must’ would be the preferred way to express an absolute obligation and ideally ‘must not’ (or ‘shall not’ in this case) would express a prohibition.

    1. “A ham license gives you permission to open up a radio and modify it, or even to build a radio from scratch.”?

      No. It gives you permission to transmit on a specific set of frequencies. Anybody can open up a radio.

      1. Anyone can open up a radio… but not modify it, or use it afterwards legally. For that you need an intermediate level ham licence registered with ofcom (UK). The foundation licence just gives permission to transmit, but not build or modify a radio.

        Anyone can get a licence, it’s not a big deal. Just need some basic training and an exam to make sure you know what your doing. If you modify a radio and don’t do it properly, then you could be transmitting in the wrong frequencies and interfering with others transmissions.

        Just like driving a car… need an exam and a licence to prove you know what your doing.

      2. Commercial license holder s can’t modify commercial equipment or change the frequency or mode of transmission. So an American with a tech class license has more permissions than a First Class Phone

  1. I wouldn’t agree that all cheaper options are less capable now.

    The TYT MD380 / Retevis RT3 has the excellent MD380Tools firmware additions which have features like a full global DMR address book, promiscuous mode (receiving any conversation regardless of talkgroup) and on the fly talkgroup configuration.

    And there’s OpenGD77 which is a completely rewritten firmware for the Radioddity GD77 which is really amazing for HAM use.

    Both of these DMR radios are available around $100. The GD77 is even dualband. DMR is used more than D-Star right now as well so the Kenwood option is really hard to justify regarding its cost.

      1. I know he was involved in the MD380 project! I was just referring to the article saying that cheaper radios are less capable.

        And the Kenwood is D-Star only, perhaps it could become a multimode digital radio, in that case it would be more interesting (and actually worth the high price :) ).

        1. Does someone still think AMBE “One” does really have something to do against ALL OTHER digital modes running AMBE 2+ ??
          D-Star, as a first stone, was a really well dessigned sysgem and it has become almost obsolete. (Unfortunatelly).
          Updating it to AMBE 2+ may make it be “the king of the digital jungle”.

          Anyway, it’s allways good news when we get equipment more “alligned” to how/what we spect from them to do.

          Note:
          OpenGD77 project does also apply for a few more models rather than GD77:
          Baofeng DM-1801 and Baofeng RD-5R…
          And GD77S, the no-lcd model.

          73’Rafa.

          1. Dump that AMBE garbage alltogether, switch to Codec2. There are many reasons to be a ham and I have no problem with “appliance operators” plugging in their black box and talking but the experimenters should be able to homebrew to whatever extent they want without having to violate a patent or a copyright.

        2. It’s not dstar only. it also does plane Jane analog FM, has built in gps and aprs, has a Bluetooth kiss tnc, and is dual band and dual vfo.

          The “cheaper radios” they’re referencing is probably a jab at baofengs.

        3. Fun fact: Kenwod makes also DMR handhelds and mobile radios. But they aren’t for ham radio use and are actually not compatible with MOTOTRBO DMR. I think that they could sell a dual mode DMR/DSTAR version if they will.

        1. You can mod the radio to your heart’s content but you can’t use it outside the hams bands unless it’s certified. Some public agencies have found this out to the detriment of their budget. In the US ham radio service, you’re fine if you meet the spurious emission specs.

    1. But wait a second,, wasnt it travis lightspeed that did all that intisl work at hacking the chinese radios to give them so much oltional goodness, particularly with the whole DMR thing and especially promiscuous mode?!
      I bet that given his track record and the much more robust hardware , he will make this radio run circles around the others and it will likely fix your breakfast too.

    2. MD380Tools exists because of Travis Goodspeed, one of the people reverse engineering this Kenwood. It’s likely the Kenwood radio has more capable hardware and it’s certainly better built than an MD380.

      1. Yes I know Travis was involved, I was just referring to the article saying the Kenwood is “miles beyond” the cheap radios..

        These days I’d much rather have a GD77 on my belt than the TH-D74A because nobody here uses D-star anymore, even if the price was the same.

        If he can make it into a multimode radio (D-Star, Fusion, DMR) it would be great and finally deliver on the promises of the old CS7000 idea of an all-mode digital radio. But I doubt it, as D-Star radios use a slightly different AMBE codec than Fusion and DMR, and the modulation is different too.

  2. OK, you took it apart. I did that sort of thing when I was 10 years old. I’m far more interested in how it got put together. What CAD systems do they use? What’s their engineering process? I’ve worked for some companies who thought they were hot stuff because they used Fusion-360 but this indicates an engineering process way beyond anything I’ve ever done. That’s what I want to know more about. How do they merge the functional design with electrical, mechanical, PCB, firmware, test, etc?

    1. I think you missed the first link in the article, and your snark is somewhat misplaced. These guys are reverse engineering the entire firmware, and I wouldn’t be surprised if they end up writing their own, at least partially.

      The video is a teardown, yes.

      1. I appreciate that they’re reverse engineering the firmware and this is quite a complex undertaking. However, they’re starting with a sophisticated piece of hardware/software. How did it get that way? Functional and performance requirements, design trades, parts selection, toolchain, CAD support, manufacturing, testing. I’m far more interested in that part of the process than modifying an existing platform. I can take apart a Swiss watch and generally get it back together, possibly with a new dial and different hands. That’s entirely different than designing and building it.

        1. Well, as far back as we can infer, first there was the big bang. A lot of time went by, stuff happened. Rocks and clouds came together into planets and stars. Fish colonized the land. A big rock killed off a bunch of giant lizard-like pre-birds. Apes started getting smarter. Someone figured out fire. There was the wheel, the domestication of animals, mining and forging metals. There was some more stuff. There were frog legs twitching with zinc and copper strips. There were vacuum tubes and transistors. A moth landed in Grace Hoppers computer. People went to the moon a few times until then they discovered cable TV and online porn were less work. And then Kenwood used some of the spinoff technologies from that to make a radio.

          Does that clear it up for you?

          1. But you fail to mention that the French took the left over frog legs, telling everyone that they were a delicacy that tasted like chicken, and took over New Orleans taste buds by infiltrating Emeril LaGasse as a spy. But as they say, that is 🐸🐊🐢🐌….Larry R.

    2. The thing you took apart when you were 10 will look different at 20, 30, 40, 50 years old. You see new things based on your life and work experience that you didn’t see or appreciate. Technical experience along with business experience.

      When I take something apart I view it as an opportunity to ask “why” over and over. Why were the decisions made, why were test points placed, why were components selected, why was the PCB routed the way it is and on and on.

      Millions of dollars and thousands of engineering hours were spent creating the device you can buy for a few hundred dollars. A lot of that work can be replicated in your own projects and designs whether it’s mechanical, electrical or software.

      The more you learn about reverse engineering the better you become at “forward engineering.”

  3. I’ve been a licensed Ham for 45 years, and Okay, I really appreciate the technology and skill set going on here, but in the end, isn’t it still just a FM VHF hand-held? I mean, well, ….Yawn…

    1. It also does UHF…

      But seriously, it has quite a powerful processor and a lot of features for a handheld. It would make a nice platform for additional features created by the Ham community.

      If you have suggestions for a radio that would be a more interesting target, i’m all ears!

      73 AG5OW

      1. IC-705 is coming out soon. ;)

        Actually, it would be dope to do an IC-7300. It hasn’t had a firmware upgrade in two years. It would be nice to have a radio to really dig in to.

        1. Lucky guess, or you visit my QRZ page and see I happen to have an IC-7300…. :)

          I have been working on the Yaesu FT2DR and FT3DR as well. Very interested in the lack of architectural changes in those radio’s when it comes to processors. Seems bluetooth, color screen and better GPS antenna was added in the FT3 and that’s it. Nice way to sell a bunch of new radio’s!

          Check out pictures of the PCB’s at https://wiki.recessim.com/view/Amateur_Radio to see what I mean. Layout of the PCB changed to shrink FT3DR (made use of new space under screen) but overall looks the same. Compared to the Kenwood though I think Yaesu does a better job of reducing sub-assemblies.

          As someone on Reddit found and then posted on Hackaday (https://hackaday.io/project/167387-yaesu-ft1drft1xdr-cfw-development) the Renesas processors used in these radio’s can be directly hooked up to the firmware programming tools Renesas provides.

          Getting the firmware off of the radio is a whole other matter though…

Leave a Reply to CarlCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.