Port to TYT UV380/UV390

ZL1GW
Posts: 13
Joined: Sun Mar 22, 2020 10:41 pm
Location: Auckland, New Zealand
Contact:

Re: Port to TYT UV380/UV390

Post by ZL1GW » Fri Mar 27, 2020 1:40 am

VK3KYY wrote:
Fri Mar 27, 2020 12:22 am
Only very minor closures here, just restaurants, cafe's, bars, sports venus etc
Yeah I had heard that's basically most of the rest of the world... Very unfortunate... It would be fine if it was just darwinism (if they were only endangering themselves) but they are endangering everyone unfortunately...

Well either way try to be safe. And maybe we can take advantage of the time to see about getting some fun project work done since we can't really do much else (outside of work hours).

But yeah we're kind of derailing the topic for this doom and gloom stuff, so I'll leave it at that and let you know if I make any progress with the crypto on the firmware/dfu tools. And hope you can get your hands on a RT3S.

I'll see if I can hop on the TG you mentioned as well for OpenGD77, I try to leave my radio on monitoring my primary talk groups through the day. I'll have to add it to my codeplug so I can quickly monitor it. Might talk to you on the air.

(if you do hear me on the air, don't be surprised, I did mention in my welcome message, but I'm Canadian, immigrated to NZ. So I don't have a kiwi accent lol, I'm told I have a quite distinct Canadian accent).

Cheers!
73, ZL1GW

VK3KYY
Posts: 2017
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia
Contact:

Re: Port to TYT UV380/UV390

Post by VK3KYY » Fri Mar 27, 2020 2:01 am

ZL1GW wrote:
Fri Mar 27, 2020 1:40 am
...
And maybe we can take advantage of the time to see about getting some fun project work done since we can't really do much else (outside of work hours).
Actually, things are now getting more busy from me, because I always work from home because I'm self employed, in the IT field, and hence I'm fully setup to continue working.

If the current workload continues to increase, I don't know if I'm actually going to have any time to look at this even if I can get hold of a RT-3S.
I've not had time to do a new release of the OpenGD77 / OpenDM1801 for over 2 weeks already.

Weekends are now taken up with COVID-19 lockdown preparations.

ZL1GW
Posts: 13
Joined: Sun Mar 22, 2020 10:41 pm
Location: Auckland, New Zealand
Contact:

Re: Port to TYT UV380/UV390

Post by ZL1GW » Fri Mar 27, 2020 11:14 pm

Ok, so I've tried to use the code from Travis for the MD380 tools to work with the firmware images.

My first assumption was wrong (overlooked something). The MD2017 and MD380 use similar images, but not identical (and not the same key).

Looks like it's pretty easy to adapt though.

The MD2017 code seems to decode the image, unfortunately it's gibberish. Turns out the MD2017 code just doesn't validate the headers are sane, unlike the MD380 code. So it blindly decodes it.

So some reverse engineering will need to be done to figure the firmware image format/keys out.

I do suspect it's the same scheme, so very similar. So hopefully it won't be far of a reach from the examples we have in that code.

I have yet to test a connection to the radio with those tools, will try that next.
73, ZL1GW

VK3KYY
Posts: 2017
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia
Contact:

Re: Port to TYT UV380/UV390

Post by VK3KYY » Fri Mar 27, 2020 11:49 pm

If you need to analyse the decoded binary, you should try Ghidra

https://ghidra-sre.org/

I used it for the GD-77.

ZL1GW
Posts: 13
Joined: Sun Mar 22, 2020 10:41 pm
Location: Auckland, New Zealand
Contact:

Re: Port to TYT UV380/UV390

Post by ZL1GW » Sat Mar 28, 2020 2:30 am

VK3KYY wrote:
Fri Mar 27, 2020 11:49 pm
If you need to analyse the decoded binary, you should try Ghidra
Thanks! Yeah I'm familiar with Ghidra, already using it. Which is how I knew the decoded image that the MD380 tools spat out was gibberish ;)

Yeah I'll have to start digging deeper, to try and figure out the encryption, and format.
73, ZL1GW

IU2KIN
Posts: 7
Joined: Mon Mar 23, 2020 11:10 am

Re: Port to TYT UV380/UV390

Post by IU2KIN » Sat Mar 28, 2020 8:52 am

Hi ZL1GW,
I'm catching up with this post, we managed to craft a firmware which can be flashed
and loaded from the TYT recovery.
For the flashing part we were lucky and my radio is compatible with the "wrapping"
scripts from md380tools, however booting the thing was non trivial.
In the end we cracked it, as IU2KWO discovered the TYT recovery is basically the
STM32 USB DFU example, with a few modifications. Before jumping in the firmware,
it checks if two buttons are pressed and performs a bit mask check on the stack
address.
Hope you can crack your shitty encryption soon, we'll start working on the display
and keyboards and seems that we can share the effort there! ;)

User avatar
4I1RAC
Posts: 170
Joined: Thu Nov 28, 2019 5:25 am
Location: Philippines
Contact:

Re: Port to TYT UV380/UV390

Post by 4I1RAC » Sun Mar 29, 2020 9:06 am

I do have both MD-390 (the retevis RT8) and MD-UV390. Glad to help test once you have some releases out.

Regarding my contact from Retevis, she has not given feedback yet about the possibility of getting review units--perhaps they've been busy dealing with the impact of COVID-19. But now that things have somewhat cleared up in China, maybe I can ask again.
Angelo, 4I1RAC / N2RAC
Brandmeister Philippines support team
Talkgroups
- 51518 crosslinked to DX1ARM 431.600 MHz Fusion repeater, Metro Manila
- 98977 Opengd77
- 515 Philippines

https://n2rac.com

VK3KYY
Posts: 2017
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia
Contact:

Re: Port to TYT UV380/UV390

Post by VK3KYY » Sun Mar 29, 2020 9:58 am

Hi Angelo

No worries. I think they will be too busy. I will ask the local vendor if he has any RT-3S units

Post Reply