Now that I have a hardware debugger connected to my GD-77, and the processor is not read protected, I’ve been able to take some snapshots of the 128k internal RAM memory in the GD-77 while the firmware was paused.
To make the files easy for anyone to read, I’ve exported the raw data, using the HxD hex editor program, using its Editor View.
These first 2 files are where it’s in channel mode, and I’m changing from a channel on talk group 505 to a channel with the same frequency, but on talkgroup 3801.
The next two were both on the same channel, but with and without monitor mode.
I had hoped to be able to spot which memory location holds the monitor mode flag, but the problem is that just turning on or off monitor mode, changes the display (briefly) and plays a beep sound, so that a lot of the memory is changed, not just the variable that contains the monitor mode setting. Hence I’ve not been able to find the monitor mode variable using this method.
Last, I took some snapshots of the RAM with the GD-77 in VFO mode, where I changed the frequency between each snapshot.
The frequency in the first snapshot was 439.125 MHz and in the second one it’s 439.1375 MHz.
I think it should be possible to find where the current frequency is being stored, but I’ve not had a chance to investigate this as yet.
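The snapshot comparison described above can be narrowed by searching both dumps for the known displayed values rather than diffing every byte. The following Python is an added example, not code from the original post; the three candidate encodings and the constructed 256-byte snapshots are assumptions, since the post does not say how the firmware stores the frequency.

```python
import struct

def bcd_le(value, nbytes=4):
    """Pack a decimal integer as little-endian packed BCD (an assumed encoding)."""
    digits = f"{value:0{nbytes * 2}d}"
    be = bytes(int(digits[i]) << 4 | int(digits[i + 1]) for i in range(0, len(digits), 2))
    return be[::-1]

def candidate_encodings(freq_hz):
    """Candidate 4-byte encodings of a frequency; all are guesses, not known firmware formats."""
    return {
        "u32le_hz": struct.pack("<I", freq_hz),
        "u32le_10hz": struct.pack("<I", freq_hz // 10),
        "bcd_le_10hz": bcd_le(freq_hz // 10),
    }

def find_all(data, needle):
    """Return the set of every offset at which needle occurs in data."""
    offsets, pos = set(), data.find(needle)
    while pos != -1:
        offsets.add(pos)
        pos = data.find(needle, pos + 1)
    return offsets

def locate_value(snap_a, value_a, snap_b, value_b):
    """Return {encoding: offsets} where snap_a holds value_a and snap_b holds value_b."""
    enc_a, enc_b = candidate_encodings(value_a), candidate_encodings(value_b)
    hits = {}
    for name in enc_a:
        common = find_all(snap_a, enc_a[name]) & find_all(snap_b, enc_b[name])
        if common:
            hits[name] = sorted(common)
    return hits

def make_snapshot(freq_hz, noise):
    """Constructed 256-byte stand-in for a RAM dump (not real GD-77 data)."""
    ram = bytearray(b"\xef\xbe\xad\xde" * 64)   # 0xDEADBEEF prefill, little-endian
    ram[0x40:0x44] = bcd_le(freq_hz // 10)      # hypothetical frequency variable
    ram[0x80:0x84] = noise                      # unrelated bytes that also changed
    return bytes(ram)

if __name__ == "__main__":
    a = make_snapshot(439_125_000, b"\x01\x02\x03\x04")
    b = make_snapshot(439_137_500, b"\x05\x06\x07\x08")
    for name, offs in locate_value(a, 439_125_000, b, 439_137_500).items():
        print(name, [hex(o) for o in offs])
```

Only offsets that hold the first value in the first snapshot and the second value in the second are reported, so unrelated changes such as display or beep buffers drop out.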
Having a general look at the memory snapshots, there are some things to note.
- I prefilled the RAM with 0xDEADBEEF, so any areas that still contain this pattern do not seem to be used by the official firmware, and hence can hopefully be used for enhancements.
- A lot of RAM is filled with the word “kats” (over and over again). I don’t know why kats is used, but it’s 4 bytes long, which is a good size to use for a 32 bit processor as most variables and pointers will be 32 bits (4 bytes long).
I suspect perhaps “kats” is the Chinese equivalent of DEADBEEF but I’m not sure.
I think that this pattern is used to somehow reserve memory, but again, I’m not sure how or why.
- The RAM seems to contain what appears to be a history of some channels which I selected in the radio a few days ago. These are analog channels and not part of the Zone which I had selected for all the tests.
I will need to look in the external flash, and also the EEPROM, because the RAM is volatile and would not have retained this information.
- There appears to be other things in memory which I didn’t expect to be there, like what appears to be bitmap patterns for the display characters.
Anyway, I thought I may as well post this, in case anyone else can spot anything useful in the RAM.
Following a very useful comment from @rootstar, I have recreated a binary dump using firmware 3.1.8, just after the radio has booted up. No buttons have been pressed etc.
I’ve uploaded a zip of this RAM dump and also included my codeplug. The channel selected is in the DHS zone and is called DHS 505:2
TG is 505 on TS2, Tx freq is 431.800 MHz and Rx freq is 438.800 MHz.
I’m going to try using Ghidra to decompile version 3.1.8 and see if I can also import this RAM snapshot.