|Hacking the Baofeng UV5R|
|Opening The Radio|
|Hacking the Radio|
|Interfacing with the voice chip|
|interfacing with the RDA5802|
|Interfacing with the RDA1846|
|Removing the MCU|
Hacking the radio
Before trying to change anything I posted on the baofeng_uv5r yahoo groups to see what I would need to insure that I will not radiate any RF energy. I found out that I could not just remove the antenna, and would need to place a dummy load. Per James Hall suggestion I ordered a dummy load from here qrpkits.
As soon as I got the radio, I signed up to take the license test. Unfortunately, the next one is on Jan 20. I can not wait to get licensed, so I can finally transmit and test this on the HAM frequencies. I also have not done anything with TX on this radio yet, which I am so attempted to try to see if that works.So for now I am just going to try to RX until I get my license.
Looking at the schematics, there are two main ICs on the radio. The first one is RDA1846 which does all the radio communications, and the other is an EM78P568 microcontroller which controls the RDA1846, LCD, keypad, etc.
I first tried to solder some wires directly onto the RDA1846 TX/RX pins and monitor them to see what the radio sends the chip.
First, I was hoping that the microcontroller will not communicate with the RDA1846 under various conditions (like switching to the RDA5802 FM radio) so I can also send commands to it. However, I monitored the SCLK and SDIO and it looks like its under constant communication. Since P93 and P92 are shared with the LCD (DB6, and DB7) as well as the keypad, the uv5r MCU is constantly setting/reading these pins. So their code probably has a loop setting the LCD, reading the keypad, and then transmitting serial commands to the RDA1846.
To resolved this I lifted P93 and P92 legs from the MCU (SCLK and SDIO) and solder two wires to it. I also soldered another line to P77 which is the SEN line. From the schematics, it looks like the MODE pin is tied to V+, which means it's communicating via SPI instead of I2C and the SEN line is used for ~EN.
I hooked up an arduino to the pins and tried to communicate over SPI, with no success. However, I should have not rushed into things, and noticed that the chip is 3.3V and not 5V (I was looking in their programming manual the whole time, and should have read the datasheet first).
Another small setback happened when I tried to remove the SEN pin, and the pcb trace lifted right up. So much for communicating with SPI, but luckily the chip can communicate over I2C, so I placed some solder on the RDA1946 chip to place it into I2C mode and remove the V+ tied to the MODE pin.
I also traced all the pins out of the cpu to insure that I know what each pin is doing. Here are the pins description:
Pin 1: PB5 keypad COL 1
Pin 2: PB6 keypad COL 2
Pin 3: PB7 keypad COL 3
Pin 4: P90 LCD DB4/keypad ROW 1/eeprom SDA
Pin 5: P91 LCD DB5/keypad ROW 2/
Pin 6: P92 LCD DB6/keypad ROW 3/RDA1846 SDIO
Pin 7: P93 LCD DB7/keypad ROW 4/RDA1846 SCLK
Pin 8: P94 RDA5802 DATA/keypad ROW 5
Pin 9: P95 LCD RS
Pin 10: P96 LCD CE
Pin 11: P97 Red LED on LCD
Pin 12: P57 The LED Flashlight
Pin 13: P56 VHF/UHF 1 UHF/ 0VHF
Pin 14: P55 Green LED on LCD
Pin 15: Analong VDD
Pin 16: No Connection
Pin 17: No Connection
Pin 18: No Connection
Pin 19: No Connection
Pin 20: TONE
Pin 21: PLCC
Pin 22: GND
Pin 23: P67 TX Power lever: 1.5V for LOW 1W and 2.67V for HIGH 4W
Pin 24: P66 TX power switch (low to activate TX)
Pin 25: P65 AURX Turn Speaker AMP on
Pin 26: P64 Low BAT input
Pin 27: P63 VOX from radio
Pin 28: P62 GPIO6 SQ on RDA1846
Pin 29: OSCI
Pin 30: OSCO
Pin 31: VSS
Pin 32: RESET
Pin 33: VDD
Pin 34: P77 SEN from RDA1846
Pin 35: P76 SDA for VOICE U5
Pin 36: P75 RX LED (square light on the radio)
Pin 37: P74 SCK for EEPROM U10
Pin 38: P73 SCL for VOICE U5
Pin 39: P72 TXD Serial input for programmer/ TX LED (square light on the radio)
Pin 41: P70 GPIO0 on RDA1846
Pin 40: P71 RDX serial input for programmer/ PPT on
Pin 42: PC0 CLK on RDA5802 U1
Pin 43: PC1 RX Power (PWM for save mode)
Pin 44: PC2 Keypad Col 4
I used the MSO19 to capture the data and see what the radio was doing. The nice thing about the MSO19, is that it has a pattern generator, so I was able to replay the commands back to the radio.