Non-invasive GD-77 debugger connections

posted in: DMR, Ham radio | 3

I wanted to connect a hardware debugger into another of my Radioddity GD-77s, but didn’t want to drill a hole in the side like I did on one of the radios…

 

But I then realised that the rubber protector that goes over the 2 jack sockets in the side of the radio, can be removed, and this gives a handy hole, through which I can feed the Serial Wire Debug wires.

 

Inside the radio, the wires are soldered on 4 pads on the back of the main PCB, roughly in the area between the # and 0 buttons on the keypad.

To prevent the wires either breaking off where they are soldered or worse, pulling the pads off the PCB (which is a common problem), I have used hot glue to secure the wires close to where they are soldered to the PCB

 

 

Taking the GD-77 this far apart is relatively easy, as its actually only held together by 2 screws near the base of the radio, and also by the 2 ring nut’s around the SMA connector and the volume / on/ off knob.

The 2 obvious solder pads just in from the 2.5mm jack socket are the speaker connections, which I have temporarily unsoldered as the wires to the speaker are very short.

The white and black connector on the left in the photo is for the flexible ribbon cable for the display / keypad PCB which screwed to the front of the radio.

To detach the ribbon cable, you have to separate the black part of the connector from the white part, using a small flat blade screwdriver.

 

The trickiest thing when re-assembling the radio is re-inserting the ribbon cable and then pushing the black part of the connector across so that it crimps the ribbon in place.

But I’m becoming a dab hand at doing this as I’ve repaired server GD-77’s for members of the local radio club, where they received GD-77s where the ribbon cable was not securely clipped or the cable was not pushed in far enough, so that over time the display became partially disconnected.

 

BTW.

Some eagle eyed readers will notice that I pealed off the Radioddity logo, because I wanted to see if anything was underneath. As you can see, nothing is…

 

It may however be fun to make another label to replace the Radioddity one, but I’m not sure yet, the best way to do this.

 

Another small note…

To erase the CPU, it needs to be halted by the debugger, which requires the Reset pin to be connected. In my case that’s the purple wire.

However once the CPU has been erased once, the Reset is no longer required, so I could in theory open the GD-77 again and remove that wire.

But Its not causing too much hassle at the moment, so I simply leave it disconnected, or connect it via a resistor to +3.3V from the debugger, to prevent RF pickup on the reset pin which can cause the radio to reboot if you transmit with 5W, or sometimes even with 1W!

3 Responses

  1. Andrea
    |

    Hi Roger, thanks for this post. I have squeezed the cables from the pad underneath the battery and they are coming out on a side. I also experienced the random reset while transmitting. I have uploaded the dm-860 firmware on GitHub and it’s password it’s the same as the other Baofeng firmwares. My next step is to understand how to upload an unlocked firmware.

  2. Roger Clark
    |

    Before you unlock the MCU, you need to back up the hardware key that is at address 0x7f800 (for about 40 bytes).

    What I did was to use the special firmware created by Kai DG4KLU

    https://github.com/talentraspel/GD-77/blob/master/GD-77_flash_readout/flash_readout_patched_firmware/GD-77_V3.1.8_flash_readout_patched.sgl

    download and install this patched version of GD-77 firmware 3.1.8

    Then download and install my FlashManager

    https://github.com/rogerclarkmelbourne/radioddity_gd-77_flash_manager/tree/master/installer

    Then on the GD-77, boot while holding Blue side button, Green menu and * (star), which will enter memory access mode

    In my new Flash manager, tick on the tick box on the left labelled “Read internal Flash”

    To do a full backup, read from 0x0000 for 0x80000, which will take several minutes.

    Once its downloaded, look at address 0x7f800 and there should be about 34 bytes of data in that area and the surrounding bytes are zeros or 0xff

    Now save the whole file, as you will need to use this to restore the radio to a working state, specifically the bytes at 0x7f800

    If you don’t manage to save the bytes, or you already erased your radio, all is not lost as Kai has a tool to generate those 32 bytes, but you then need to use a debugger e.g. GDB to read the CPU Unique serial number registers (all 4 of them), which I don’t have time to write a tutorial on right now

  3. ken
    |

    very interesting. thank you

Leave a Reply