Thanks to the work of Kai DG4KLU and @forkoz aka @rootstar, and of course myself ;-)….
The work to reverse engineer the GD-77 is progressing…
@forkoz has done some great work to analyse the operating system used by the GD-77, which is called MQX, and has identified over 100 functions associated with it, including the top-level “Tasks”:
Task_0x01_main
Task_0x03_shutdown
Task_0x05_decode_0
Task_0x06_encode_0
Task_0x07_decrypt
Task_0x08_encrypt
Task_0x0B_rxcsbk
Task_0x0C_rxvoice
Task_0x0D_txmsg
Task_0x0E_rxmsg
Task_0x0F_cpchan
Task_0x11_beep
Task_0x14_csbk
Task_0x20_callptt
Task_0x21_callrx
Task_0x22_msg
Task_0x24_USB_HID_0
Task_0x25_test
Plus a whole load of other things.
I have found the AMBE codec-related functions by decompiling the MD-380 firmware and cross-referencing the “annotations” list produced by the MD-380 toolz guys, to find any telltale mathematical constants associated with the codec, and then looking for the same constants and other patterns in the GD-77 firmware.
In the end, I found a 100% match between the functions in the MD-380 firmware and the GD-77 firmware, which means that Radioddity (aka TYT) used exactly the same source code for the codec in both radios, and probably used the same compiler (called IAR Workbench).
I have also tracked down all the functions related to the AT1846 transceiver chip using a similar technique; but this time I looked for patterns of “register” use in the AT1846, because I knew that the registers to set the frequency are 0x29 and 0x2A.
Searching through the binary file of the code, I identified occurrences of 0x2A and looked for close occurrences of 0x29, and when I found a match, I used the Ghidra decompilation to confirm that I had indeed found the function to set the frequency.
Once I’d found one AT1846S function it was relatively simple, although time consuming, to follow the hierarchy upwards and downwards, to find where the set_frequency function was used, and also what sub-functions the set_frequency function used.
Then, cross-referencing the incomplete documentation of the AT1846, I was able to find this list of functions:
AT1846_calibrate
AT1846_disable_TX_and_RX_no-mute_1
AT1846_reg_0a_max_bias_min_voice_analog_gain_reg_0x30_bit_7_low
AT1846_set_af_gain_etc
AT1846_set_agc
AT1846_set_bandwidth
AT1846_set_CTCSS
AT1846_set_CTCSS_reg_0x40
AT1846_set_digital_voice_gain
AT1846_set_digital_voice_gain_disable_DTMF
AT1846_set_drive_and_power
AT1846_set_frequency
AT1846_set_multi_agc
AT1846_set_multiple_CTCSS_regs
AT1846_set_noise_threshold
AT1846_set_reg_44_af_gain
AT1846_set_reg_58_filters_and_emp_etc
AT1846_set_register
AT1846_set_register_special
AT1846_set_regs_0x33_0x41_0x42_digita_voice_gain_etc
AT1846_set_regs_from_array_1
AT1846_set_rssi_lpfilter
AT1846_set_rssi_lpfilter_conditional
AT1846_set_squelch
AT1846_set_subaudio
AT1846_set_Time_interval_for_dual_tone_transmission
AT1846_set_TX_and_RX_and_mute_2
AT1846_set_TX_and_RX_band_reg_30_hex
AT1846_set_Tx_power_and_bias_etc
AT1846_set_Tx_Rx_gain_1
AT1846_set_Tx_Rx_gain_2
AT1846_set_undocumented_reg_0x60
AT1846_set_undocumented_register_0x35
AT1846_set_voice_gain_digital_and_disable_DTMF
AT1846_setup_1
AT1846_setup_2
AT1846_undocumented_register_0x3f
AT1846_unknown_purpose_1
AT1846_unknown_purpose_2
AT1846_unknown_purpose_3
AT1846_voice_sel_TX_NOTHING_disable_DTMF
AT1846S_set_regs_from_global_vars
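The 0x29 / 0x2A proximity search described above can be scripted. This is an added example, not code from Roger’s post or the GD-77 project: the two register numbers come from the post, the Thumb MOVS immediate check is an extra filter I have added to rank hits before opening them in the decompiler, and the sample image is constructed, so its offsets are illustrative only.

```python
from __future__ import annotations
from dataclasses import dataclass

# AT1846 frequency registers named in the post; every other value below is
# constructed for this example and is not an offset from a real GD-77 image.
FREQ_REG_HI = 0x29
FREQ_REG_LO = 0x2A


@dataclass(frozen=True)
class Hit:
    offset_a: int     # offset of the reg_a byte
    offset_b: int     # nearest reg_b byte within the window
    thumb_movs: bool  # both bytes sit where a Thumb MOVS Rd,#imm8 keeps imm8


def looks_like_thumb_movs_imm8(blob: bytes, off: int) -> bool:
    """Thumb-1 MOVS Rd,#imm8 is 0b00100_ddd_iiiiiiii stored little-endian, so the
    immediate byte is followed by 0x20|Rd, i.e. a byte in 0x20..0x27."""
    return off + 1 < len(blob) and 0x20 <= blob[off + 1] <= 0x27


def find_register_pairs(blob: bytes, reg_a: int = FREQ_REG_LO,
                        reg_b: int = FREQ_REG_HI, window: int = 16) -> list[Hit]:
    """Report every reg_a byte with a reg_b byte within +/- window bytes, paired
    with the closest one. Hits flagged thumb_movs are the ones worth decompiling
    first; a data table also yields adjacent bytes but not that instruction shape."""
    hits: list[Hit] = []
    start = 0
    while (off := blob.find(bytes([reg_a]), start)) != -1:
        lo, hi = max(0, off - window), min(len(blob), off + window + 1)
        nearby = [i for i in range(lo, hi) if blob[i] == reg_b and i != off]
        if nearby:
            best = min(nearby, key=lambda i: abs(i - off))
            code_like = (looks_like_thumb_movs_imm8(blob, off)
                         and looks_like_thumb_movs_imm8(blob, best))
            hits.append(Hit(off, best, code_like))
        start = off + 1
    return hits


# Constructed sample image: a code-like "movs r1,#0x29 ... movs r1,#0x2A" pair,
# a lone 0x2A with no 0x29 nearby, and a 0x29/0x2A pair inside a data table.
SAMPLE_IMAGE = (
    bytes([0x00, 0xB5, 0x04, 0x46, 0x10, 0x20])       # filler
    + bytes([0x29, 0x21, 0x01, 0xF0, 0x00, 0xF8])     # movs r1,#0x29 + filler
    + bytes([0x2A, 0x21, 0x01, 0xF0, 0x00, 0xF8])     # movs r1,#0x2A + filler
    + bytes(40) + bytes([0x2A, 0x00]) + bytes(24)     # isolated 0x2A, no hit
    + bytes([0x29, 0x2A, 0x00, 0x00])                 # data table, not code
)
```

Running `find_register_pairs(SAMPLE_IMAGE)` returns the code-like pair at offsets 12/6 flagged `thumb_movs=True` and the data-table pair at 85/84 flagged `False`; the isolated 0x2A at offset 58 is not reported.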
I’ve also loaded RAM snapshots into Ghidra, and I have found the location of the active TalkGroup / PC ID, which I can change using the debugger, and have confirmed that changing it changes the TG or PC that the radio uses.
I’ve also found the current Rx group list.
Kai (DG4KLU) has been busy building some firmware from scratch, which will hopefully eventually become an alternative Open Source firmware for the GD-77, but just getting the radio to work on FM will require hundreds if not thousands of hours of work.
Kai has also supplied information on the way the radio reads the keypad, and I have now identified 6 hidden commands that are activated by holding various keys down when the radio is turned on, as well as many other snippets of information.
PLEASE DON’T TRY THESE BUTTON COMBINATIONS ON YOUR RADIO, BECAUSE I DON’T KNOW WHAT THEY DO 😉
Blue button and “3”
Blue button and “6”
Both look like they are doing something like resetting back to factory settings, as the radio seems to reboot after using these sequences.
However I could not see any difference to the codeplug in the radio after pressing these combinations.
Also
Black button and “1”
Black button and “2”
Black button and “5”
Black button and “6”
Seem to set some internal configuration inside the GD-77, but I don’t know what these configurations do. They could potentially reset the codeplug or the calibration or anything.
Now that I know where the keyboard reading and decoding function is, I’m hoping to be able to patch the code to allow direct input of TalkGroup, but one complication is that the new TG would need to be added to the Rx Group list, so I think I first need to modify the Rx group handling so that the Tx TG is automatically added to the Rx Group list.
IMHO the Tx TG should always be part of the current Rx Group list, as this is a gotcha that catches people out when they select “None” for the Rx Group list on a Channel in the CPS and then find they can’t hear any audio.
So I first want to patch the Rx Group list code so that it also reads the Tx TG under all circumstances – though this is easier said than done.
After that I want to add a function where pressing the star key allows direct entry of a Talkgroup.
But I think it could be a few weeks before I manage to even get the initial change to the Rx Group handling to work.
What we really need is more people to help with analysing the GD-77 firmware; it’s only going to be slow progress with me and @forkoz doing the analysis 🙁
29 Responses
ken
wow looks complicated but well done
Anonymous
In the documents attached to the update it is written to use
SK2+9.
e. Press [SK2] + number [9] to reboot. Then shut down
Roger Clark
Thanks
It sounds like it runs some code associated with the update
Wilhelm Onken
This is fantastic news and great work
Anonymous
I forgot to add that to use it: press and hold keys SK2+9 and then turn on the radio; after this, for a few seconds the LED is yellow in color
Jasmine Chow
Hi Roger,
This is Jasmine from Radioddity. Can I have your email address? I’d like to discuss with you about building cooperation. You can reach me by emailing marketing@radioddity.com
Roger Clark
Hi Jasmine
OK. I will email you
Scott
Roger, this labor of love for the hobby is astounding! I know nothing of analyzing firmware or I would gladly assist. Thank you for your efforts & hopefully communications with Jasmine @ Radioddity will be positive. I have dealt with Jasmine on other efforts and she has been a great ally.
Rafael García Barrilado
Hi Roger,
Keep doing!!
Regards,
Rafa.
Roger Kolakowski
Very clear and patient explanation of the inner workings and hidden mechanisms. Although I am not a coder I was comfortable reading about your progress. Congratulations on your successes!
Roger Clark
Hi Scott
Analysing firmware on this scale is new to me as well, but Jason VK7ZJA and I have been analysing the GD-77 for over a year, so I have a large amount of background knowledge on the GD-77 in general.
The release of the reverse analysing tool, Ghidra, by the NSA only a couple of weeks after Kai cracked the firmware, has been of amazing help.
Prior to Ghidra being available, I had to use Radare2, but that only disassembles to ARM assembler.
Luckily @rootstar posted a C decompilation of the firmware, which I still refer to, because AFAIK Ghidra does not have a way to export the entire firmware as C code; it only lets you view the C decompilation of one function at a time.
Ghidra does however have some excellent visual tree (node diagram) generating features, and once I find one function in a specific area, it’s fairly easy to identify all the associated functions.
I also already have the datasheets for most of the hardware.
The only devices we don’t have full documentation for are the AT1846 transceiver chip, and the C6000 DSP chip.
With the AT1846, there are about 10 registers, controlling various parameters, which are not documented in any datasheets that we can find.
But this isn’t really a problem since I don’t think any of the problems with the radio are related to the RF transceiver.
We are beginning to piece together the datasheet for the DSP, thanks to Andrea Contini.
Again it’s not essential to have this datasheet, but it does make reverse engineering easier.
Anyway, if you fancy poking around in the code to see if you can find anything, I can let you know how to get started.
Perhaps I should write a detailed blog article about how to get started with Ghidra, including how to make a copy of the unencrypted firmware
Adam
Very clever work. Congratulations. Hope that marketing does not squelch you forever 😉
Keep going.
Regards
Adam
Btw. If you have time I have some questions about AMBE.
Roger Clark
Hi Adam
I don’t know much about AMBE. I know it’s the audio codec used by DMR and some other digital modes.
The firmware seems to have a function to encode and to decode. The MD-380 team also labelled a function called ambe_unpack, but I’m not sure it’s really part of the AMBE codec; I think it’s just possibly the function to process the DMR data into a form that can be used by the codec function(s).
Roger Clark
I sent an email to Jasmine at Radioddity marketing, but she has not replied.
I made some more progress yesterday, and I have found one of the functions which reads from the 1Mb flash chip, which stores the codeplug and the DMR ID and RF calibration data etc.
This will allow me to identify the parts of the firmware which are associated with the CPS, and DMR ID etc.
Anonymous
Hi Roger,
At first Congratulations 🙂
and second https://github.com/rogerclarkmelbourne/Radioddity_GD-77/tree/master/reverse_engineering/fw_3_8_1 has a typo, I think that fw version is 3.1.8 (fw_3_1_8)
Roger Clark
Thanks
I’ve fixed that folder name.
Adam
Hi Roger, thank you for your reply. About AMBE: take look at https://github.com/travisgoodspeed/md380tools/wiki/MD380-Emulator
It does voice AMBE encode and decode without the physical layer, only by software. If I count correctly I have 12 various devices that I bought with this codec inside. I think to myself it is fair use if this codec is translated to an x86 program, to translate audio without problems between other radio systems (for example DMR Fusion).
Greetings
Adam
Roger Clark
Thanks for the link to the MD380 emulator.
I did know that Travis did demo on a Linux machine using QEMU, where he was able to use the codec in the MD-380 firmware to decode and play some audio.
However the MD-380 and the GD-77 both use ARM processors, so the firmware can’t be run on an x86 machine unless you use an emulator.
David
Roger, Jasmine’s local time is 12 hours ahead of East Coast time; their weekend will be over by 8pm eastern.
Roger Clark
I am in Australia, hardly anyone is ahead of my Timezone 😉
Though seriously… I sent an email on Thursday evening at what was 6pm on Thursday evening in China.
Even if Radioddity do eventually reply, I doubt they could help, because they are probably locked into various contracts and licenses to software and hardware suppliers, which make it impossible for them to share any information.
They may just want us to stop this work, in which case it would just go underground.
Roger Clark
Update.
I just got a reply from Jasmine @ Radioddity
Anonymous
Good news from Jasmine or not?
Roger Clark
It was good news, because Radioddity are happy for me to continue with my work.
But at the moment, I don’t know how much assistance they are able to provide.
Adam
So, they do not know how the 77 works? It is a little funny. Seriously speaking, I think they do not handle the CPS in a proper way and do not know how to reduce errors in firmware. Copy-paste techniques cannot replace technology and engineering.
Roger Clark
I suspect that Radioddity will be very limited about what information they can disclose publicly, because like all companies, a large part of the hardware and software is linked to NDAs and licenses and various other contracts.
It’s not been possible to get full data about 2 of the main ICs in the radio (AT1846S and the C6000), as they are both designed and made in China, and the manufacturers do not publicly release the data sheets.
We have managed to discover some old and incomplete datasheets and other bits of information on the AT1846S over the last year, and more recently Andrea Contini has paid for the C6000 datasheet (I presume that the C6000 datasheet was available via one of those Chinese file sharing sites, where you get credits for uploading obscure files and datasheets, which you can use to download other obscure files; or you can pay to download the files).
We already know the hardware is actually made by TYT and sold as a MD-760 in China, so Radioddity probably can’t even release the schematic because of their NDA agreement with TYT.
Rafa_RGB
Roger,
Yes, you’re right, GD-77 is TYT MD-760 (this could be easily seen by opening the DAT file with Notepad)… but;
Some kind of agreement must exist between them, as TYT did NOT sell the MD-760 until several months after the GD-77 was “widely spread away”.
Anyway, getting info for those “custom” chips can be somehow an “IMPOSSIBLE MISSION” (play the proper music yourself) 🙂
Roger Clark
Thanks for the comments that people have posted about Radioddity, but I think at the moment it’s best if we limit the speculation.
I’m waiting for a response to my last, rather long and detailed email to Jasmine, and I will update my blog when I have any definite information.
Sergiy Lagoda
Hi! Maybe you will be interested. The first firmware file for the Baofeng 1801 has been released, but it’s already version 2.1.9.
dropbox.com/s/b5q6kml1l2j3e28/DM1801FirmwareV2.1.9.zip?dl=0
baofengradio.ca/pages/support-download
Roger Clark
See https://github.com/rogerclarkmelbourne/Radioddity_GD-77/issues/14