Porting to the Retevis RT50 (aka TYT MD-680D)

EA5JAQ
Posts: 86
Joined: Thu Jul 16, 2020 6:08 am

Post by EA5JAQ » Mon Feb 13, 2023 12:11 pm

Hi!

I'm trying to port the OpenGD77 firmware to a couple Retevis RT50 (aka TYT MD-680D), that also uses the MK22, C6000, AT1846S, the RT3S rotary, etc. So far I've mapped the entire MK22 100 pins (took me ages), found out how the "hidden" 7-segment display works and I'm currently working on the source code (I'm gonna start with a simple version that just lights up the LED, or makes a sound, etc and then I'll move on to FM Rx, etc).

Sadly, as I said in a previous topic, the bootloader was impossible to get, so the only way to write to this MCU's memory is by attaching a JLink and erasing the whole memory. Also it doesn't have a flash memory, so all the calibration, codeplug, etc. has to be added to the code before compiling. So this little project of mine won't benefit many people unless they do all this. But it's an interesting radio and it's keeping me busy :D

I found inside the radio an interesting IC, and I can't figure out what its use is. So far the info I could get is:
  • It's labeled "VOICE-D" (sorry if the picture is not that clear).
  • Pins 2 and 3 are connected to MK22's ports E24 and E35 (so I assume it's an I2C device).
My first assumption is that it's some kind of voice scrambler or encryptor (as this radio is advertised as having one) so I won't find much use to it. However, some radios came with another pcb attached to the pins you can see on the side (mine didn't and the scrambler didn't work, so I'm not sure this IC is the scrambler).

It might also be some kind of memory, as I haven't found any Flash or EEPROM IC in this radio (so I don't know where the CPS stores the codeplug... maybe in the actual MK22 program flash, as the original binary is quite small compared to the OpenGD77 one, so that leaves some space there).

Also, the original firmware has an option where it broadcasts an alarm if you fall, so somewhere it must have some kind of accelerometer (couldn't find it either).

Anyway, if anybody has ever seen an IC like this please tell me, just out of curiosity (as it doesn't seem relevant for Ham radio or OpenGD77 features).

73!

G4EML
Posts: 919
Joined: Sat Nov 16, 2019 10:01 am

Re: Has anyone seen this IC in a chinese radio?

Post by G4EML » Mon Feb 13, 2023 12:39 pm

All of the radios seem to have a chip like this.

The GD77 diagram shows it as ALPU-MP-1413. The MD9600 shows it as HRV-3000S.

A Google search on ALPU-MP confirms it is an AES-128 encryption chip.

As we are not interested in encryption it is safe to just ignore it.

Colin G4EML

EA5JAQ
Posts: 86
Joined: Thu Jul 16, 2020 6:08 am

Re: Has anyone seen this IC in a chinese radio?

Post by EA5JAQ » Mon Feb 13, 2023 12:59 pm

G4EML wrote:
Mon Feb 13, 2023 12:39 pm
All of the radios seem to have a chip like this.

The GD77 diagram shows it as ALPU-MP-1413. The MD9600 shows it as HRV-3000S.
Yeah, at first I thought it was an ALPU-MP clone or copy, as it’s also connected to the I2C in the GD77. But I wasn’t sure, as I checked the datasheet and the ALPU has 6 pins and this one has 8.

I’m just ignoring it as those I2C pins are not used for anything else. The RF chip in this radio is connected to the pins where the ALPU is in the GD77, and this unbranded chip is connected to the RF chip GD77 pins in the MK22. I’ve just swapped the pins in gpio.c and it’ll work fine, as the firmware already ignores the ALPU.

Thank you!

VK3KYY
Posts: 7490
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia

Re: Has anyone seen this IC in a chinese radio?

Post by VK3KYY » Mon Feb 13, 2023 8:08 pm

EA5JAQ wrote:
Mon Feb 13, 2023 12:59 pm
I’ve just swapped the pins in gpio.c and it’ll work fine, as the firmware already ignores the ALPU.
Good idea. It's easier to access pins that are connected to a chip, but cutting the power pin to the chip would guarantee it does not respond.

Do any of the pins to this chip support UART RX? Because it could be an easy way to connect a GPS module

VK3KYY
Posts: 7490
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia

Re: Has anyone seen this IC in a chinese radio?

Post by VK3KYY » Mon Feb 13, 2023 8:18 pm

Re loading by JLINK

Yes. This is a problem with most Chinese radios.

Did you just flash the GD77 bootloader in this radio?

The problem however could be the GPIO pin mapping of SK1 and SK2

It would be possible to hack the bootloader e.g. using Ghidra, but it's not easy.

NXP publish an example bootloader, but I can't remember if it uses HID. I did not have time to investigate it.


Another target radio is the Ailunce HD1, as the encryption and loading has already been cracked, and it uses the same chipset.

However the HD1 is / was very expensive, and because it uses the same CPU as the GD77, I suspect it is no longer being manufactured.

The MK22FN512 and STM32F407 CPUs are now unobtainable because of the global chip shortage.

VK3KYY
Posts: 7490
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia

Re: Has anyone seen this IC in a chinese radio?

Post by VK3KYY » Mon Feb 13, 2023 8:25 pm

Interesting that there is no Flash memory.

Most radios have very similar calibration settings, so it would not be a big problem.
Originally the OpenGD77 did not read the calibration data at all.

The codeplug could potentially be stored in the MCU ROM. However there is no space after the OpenGD77 firmware is loaded.

There is a large area of the official ROM which is merged, by the CPS, with the OpenGD77, but some of it is probably not used by the AMBE codec. However it's impossible to know the area used by the AMBE codec.

Possibly you could compile the AMBE codec used by DroidStar, but you may have legal problems if you distributed it.

EA5JAQ
Posts: 86
Joined: Thu Jul 16, 2020 6:08 am

Re: Has anyone seen this IC in a chinese radio?

Post by EA5JAQ » Mon Feb 13, 2023 10:02 pm

VK3KYY wrote:
Mon Feb 13, 2023 8:08 pm
Do any of the pins to this chip support UART RX? Because it could be an easy way to connect a GPS module
You read my mind!

That's my next step if I manage to make the firmware work and make the radio usable (as there is no flash, I can't use voice prompts, but I've developed on paper a way to operate the radio just using beeps and the stock screen).

Luckily enough, the pins you can see in the second picture between the orange and yellow cables I (quite badly) soldered are conveniently connected to the ports A1 and A2, which are the UART0 pins. So adding a GPS will be extremely easy and that was my plan since the start.

VK3KYY wrote:
Mon Feb 13, 2023 8:18 pm
Did you just flash the GD77 bootloader in this radio?

The problem however could be the GPIO pin mapping of SK1 and SK2

It would be possible to hack the bootloader e.g. using Ghidra, but it's not easy.

NXP publish an example bootloader, but I can't remember if it uses HID. I did not have time to investigate it.
I haven't done anything yet. I'm considering two options. In fact, you recommended them several months ago when you helped me out in another thread. I can't thank you enough. I've been really busy so I couldn't start with this project until a week ago.

My first option is to modify the linker files, VTOR, etc (I'll investigate where else) so the program starts at 0x00 instead of at 0x4000. I'm gonna be always flashing the firmware via SWD, as SK1 and SK2 are mapped somewhere else. If this doesn't work, I'll just manually add the GD77S bootloader to the start of the firmware (only start the actual firmware, not flash it or anything else) and still flash everything via SWD.

I think it's easier to program the MCU via SWD as changing SK1 and SK2 in the bootloader would be a nightmare (decompiling, understanding it, etc.). Making the firmware work is hard enough and all that work only with the bootloader would be a waste of time. I can just add some kind of flat 4-pin cable through the casing and hide it behind the battery, in case in the future I wanna modify the firmware without opening the radio. Also, the USB pins are connected to the UART0 terminals I'll be using for the GPS (I don't know who designed this radio but they did a horrible job), so if I add the GPS, USB communication won't be possible. The original firmware used UART instead of USB to connect to a PC (and the cable had a UART to USB converter).

VK3KYY wrote:
Mon Feb 13, 2023 8:18 pm
However the HD1 is / was very expensive, and because it uses the same CPU as the GD77, I suspect it is no longer being manufactured.
I think this radio is also not being manufactured. That's why this won't be useful for many people I think. But still I'm gonna try to do it (already erased the MK22 ROM, so there's no turning back :lol: )

VK3KYY wrote:
Mon Feb 13, 2023 8:25 pm
Most radios have very similar calibration settings, so it would not be a big problem.
Originally the OpenGD77 did not read the calibration data at all.

The codeplug could potentially be stored in the MCU ROM. However there is no space after the OpenGD77 firmware is loaded.
I'm just gonna add my DM-1801 calibration data to a variable and that'll work fine. In the future I'll manually adjust it, but that's the least of my concerns.

At the moment I'm just gonna load a couple channels as variables. When I get it working, I'll free a lot of space by removing all the language strings (my screen is a 7-segment display so I don't need them) and create a codeplug in a .h file. There's no point in storing the codeplug separately as USB communication won't be possible once I add the GPS, so all the channels will be in the firmware (I know it's a dirty solution, maybe in the future I'll think of something, like modifying the hardware so UART doesn't interfere with USB). Also I don't have the sources for the CPS, and even if I did, it might be too much work to create a working CPS for this radio with no flash or EEPROM, when I can just compile a binary with my channels.

I will be using a section in the ROM to store the settings, but that's the last step, and it doesn't take that much space.

VK3KYY wrote:
Mon Feb 13, 2023 8:25 pm
There is a large area of the official ROM which is merged, by the CPS, with the OpenGD77, but some of it is probably not used by the AMBE codec. However it's impossible to know the area used by the AMBE codec.

Possibly you could compile the AMBE codec used by DroidStar, but you may have legal problems if you distributed it.
I obtained the codec bin sections by extracting them from an MCU ROM dump from my DM-1801. If I make this work I'll be happy to share the source and the whole (complicated) process to add the channels, compile it, and send it to the radio with a JLink. However, I won't be providing the codec sections (but they are really easy to obtain).

Maybe if in the future this radio is produced again and the bootloader and encryption is cracked, it'll be worth all the work to find a way to flash the firmware and the codeplug via USB. But I'm not sure that'll happen, especially with the MK22 shortage, manufacturers changing chips like with the DM-1801, etc.

VK3KYY
Posts: 7490
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia

Re: Has anyone seen this IC in a chinese radio?

Post by VK3KYY » Mon Feb 13, 2023 10:48 pm

I agree. Just change the linker etc and put the firmware at 0x0000 and flash via JTAG.

I did this with the UV380 for a while.

Another option for storage is to solder an I2S EEPROM to the I2S connections to the AT1846S. This is effectively what the GD-77 has, as both the EEPROM and AT1846S share the same I2S bus.

Or if you don't want GPS, then perhaps use the connections to the AES chip.


Re: Codec linker sections

OK.
I was going to offer to email them to you, but they must be kept private because of legal reasons.
But it's not difficult to just read the MCU from your other radio and extract the data.


Re: Patching the bootloader

Yes. Not easy.
Just finding where the GPIO is initialised would not be easy.

Probably easier to find a DFU bootloader and use some other tool like dfu-util to upload to it as a DFU device.
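
An added example, not from any poster in this thread or from the OpenGD77 project: a host-side Python check to run on a binary before writing it at 0x0000 over SWD. Without a bootloader the image itself supplies the Cortex-M vector table and the Kinetis flash configuration field at 0x400, whose FSEC byte can secure the part or disable mass erase. The SRAM bounds are assumptions taken from the MK22FN512 memory map, and the sample images are constructed.

```python
import struct

# Assumed MK22FN512 memory map: flash starts at 0x0, 128 KB SRAM around 0x20000000.
SRAM_START, SRAM_END = 0x1FFF0000, 0x20010000
FSEC_OFFSET = 0x40C  # FSEC byte inside the 0x400-0x40F flash configuration field


def check_image(image: bytes, base: int = 0x0000) -> list:
    """Return a list of problems found for an image to be flashed at `base`."""
    if len(image) < 8:
        return ["image too short to hold a vector table"]
    problems = []
    sp, reset = struct.unpack_from("<II", image, 0)  # vector 0 = SP, vector 1 = reset
    if not (SRAM_START < sp <= SRAM_END) or sp % 4:
        problems.append(f"initial SP 0x{sp:08X} is not in SRAM")
    if not reset & 1:
        problems.append("reset vector lacks the Thumb bit")
    handler = reset & ~1
    if not (base <= handler < base + len(image)):
        problems.append(f"reset handler 0x{handler:08X} is outside the image; "
                        "still linked for another base?")
    if base == 0:  # only an image at 0x0 overwrites the flash configuration field
        if len(image) <= FSEC_OFFSET:
            problems.append("image does not cover the flash configuration field")
        else:
            fsec = image[FSEC_OFFSET]
            if fsec & 0x03 != 0x02:          # SEC: only 0b10 leaves the MCU unsecured
                problems.append(f"FSEC 0x{fsec:02X} secures the flash")
            if (fsec >> 4) & 0x03 == 0x02:   # MEEN: 0b10 disables mass erase
                problems.append(f"FSEC 0x{fsec:02X} disables mass erase")
    return problems


def make_image(link_base: int, fsec: int, size: int = 0x800) -> bytes:
    """Constructed sample: erased flash plus two vectors and an FSEC byte."""
    img = bytearray(b"\xff" * size)
    struct.pack_into("<II", img, 0, 0x20010000, link_base + 0x411)
    img[FSEC_OFFSET] = fsec
    return bytes(img)


if __name__ == "__main__":
    for name, img in [("relinked to 0x0000", make_image(0x0000, 0xFE)),
                      ("still linked at 0x4000", make_image(0x4000, 0xFE)),
                      ("bad FSEC", make_image(0x0000, 0xEF))]:
        print(name, "->", check_image(img) or "OK")
```

An FSEC value that both secures the flash and disables mass erase would remove the J-Link erase path this radio depends on, so that combination is worth rejecting before every flash.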

EA5JAQ
Posts: 86
Joined: Thu Jul 16, 2020 6:08 am

Re: Has anyone seen this IC in a chinese radio?

Post by EA5JAQ » Tue Feb 14, 2023 12:22 am

VK3KYY wrote:
Mon Feb 13, 2023 10:48 pm
Another option for storage is to solder an I2S EEPROM to the I2S connections to the AT1846S. This is effectively what the GD-77 has, as both the EEPROM and AT1846S share the same I2S bus.

Or if you don't want GPS, then perhaps use the connections to the AES chip.
That's actually a great idea. I'll try to see if I can solder an EEPROM chip. Not to the AT1846S (the pins are really small and I already almost broke them while testing them), but to the AES chip, which is in the front and easily accessible. I think it won't interfere with the GPS, as this uses UART (but still, USB communication won't be possible). I could use the EEPROM for settings and to store some data from the codeplug that I could change from the radio itself (like per-channel power, etc).

Or maybe it'll be simpler just to avoid the hardware change and just use the 16 kB extra I get by not using a bootloader and the 20 or so kB I estimate I'll get by removing the language strings. Having those 36 kB of ROM should be enough for a simple codeplug and the settings (the AT24C512C has 64 kB if I remember correctly).

This radio has no screen so many of the things that take up a lot of space (channel, contact and zone names, mainly) are not needed.

EA5JAQ
Posts: 86
Joined: Thu Jul 16, 2020 6:08 am

Re: Has anyone seen this IC in a chinese radio?

Post by EA5JAQ » Tue Feb 14, 2023 12:24 am

BTW, I might ask for help later with the rotary control. It's exactly the same as the MD-UV380/390 uses (not the one in the GD77S). I haven't figured out yet how it works, but first I need to make the firmware work and the radio boot up ;)
