Ham Radio
Ham Radio, Electronics, Software and more...

Ritron DTX-142 Hardware Hacking [message #3235] Tue, 13 December 2016 03:42
kc2nda
This radio is a very nice radio designed by Ritron. The model is a DTX-142.

The first thing I like to do is to look at the processor. Of course it is an Atmega8.

Ritron EEprom Atmega8

I pulled out the Bus Pirate and read the eeprom and flash.
I have successfully read the eeprom with a Raspberry Pi as well. I will post another thread showing exactly how to do this.

Ritron Eeprom Reading Hacking

Here is the Hex Data Dump of the Atmega8 eeprom and what I have discovered so far:

Ritron Radio Hex Dump

The Ritron eeprom can be written to using an eprom programmer. Changing the frequency is very easy to do using the 6 pin Serial Peripheral Interface (SPI) bus which is a synchronous serial communication interface specification used for short distance communications.

Serial Clock:
SCLK : SCK, CLK.

Master Output -> Slave Input:
MOSI : SIMO, SDI, DI, DIN, SI, MTST.

Master Input <- Slave Output:
MISO : SOMI, SDO, DO, DOUT, SO, MRSR.

Slave Select:
SS : nCS, CS, CSB, CSN, EN, nSS, STE, SYNC, SSQ.

The Ritron's receive shield was removed to reveal the Receiver Synthesizer chip. The microprocessor connects to the LMX2316 which tells the radio what RX frequency to tune to. It loads the synthesizer via serial communications.

Ritron Radio Receiver

We can see that the mechanical potentiometers can and will be replaced with digital potentiometers.



[Updated on: Sat, 25 February 2017 12:22]


Ritron DTX-142 Reverse Engineering EEPROM Data [message #3240 is a reply to message #3235] Sat, 31 December 2016 02:53
kc2nda
The left dump is the EEPROM from the Ritron. The right is the saved file from the Ritron software. You can see clearly that there are 255 bytes that are exactly the same. They literally write exactly what is in the EEPROM to a file and pad the first 48 bytes with the radio type, etc...

Ritron Reverse Engineering

Ritron DTX-142 S-Meter Add on [message #3247 is a reply to message #3240] Sun, 23 April 2017 23:10
root
Here is the OLED added to the Ritron. The OLED is controlled by an Arduino and the RSSI was taken from the Ritron and fed into the Analog to Digital pin on the Arduino.

Ritron DTX-142 Frequency Storage in EEPROM [message #3264 is a reply to message #3235] Fri, 16 March 2018 00:55
kc2nda
Here is how the frequencies are stored in the EEPROM for the Ritron DTX-142:

Ritron Frequency Storage in EEPROM

Looking at the figure above, the left part of the image has the hex values that are stored in the EEPROM. The first 8 rows correspond to the 8 channels on the Ritron. Columns 0 and 1 contain the receive frequencies. Columns 4 and 5 contain the transmit frequencies. The right part of the figure shows the calculations used to find how the frequencies were stored. Since a frequency in the MHz range (12 digits) cannot be stored using 1 byte, two bytes were used to represent the whole frequency. The largest number a byte can hold is 255. The largest number two bytes can hold together would be 65,535. So if there was a frequency of 146,450,000 Hertz, to store this in two bytes of only 65,535, it would be impossible. The last three numbers of the frequency are not used; they will always be zeros. Even storing 146,450 in two bytes would not be possible. A formula needed to be used to accomplish this.
The transmit frequencies were calculated as follows: The lowest value of the Ritron's frequency is 136MHz or 136,000,000 Hertz. This base value is added to the product of Column 04 in the EEPROM and 2.5K. This is then added to the product of Column 05 and 640K.

Transmit Frequency example:
Column 04 = 136 (decimal)
Column 05 = 16 (decimal)
(136 * 2500 + 136,000,000) + (16 * 640,000) = 146,580,000 Hz

For the receive frequencies, they stored the frequencies in the EEPROM a different way. The lowest value or frequency the radio can receive or transmit on is 136MHz. The values in the EEPROM were changed until the frequency on the Frequency Counter showed 136MHz. The values in the corresponding columns for the receive frequencies were 52 and 68. These were given as base values and were used in the calculations to figure out the frequencies in the same manner as the transmit was done.

Receive Frequency example:
Column 00 = 188 (decimal)
Column 01 = 84 (decimal)
(((188 - 52) * 2500) + 136,000,000) + ((84 - 68) * 640,000) = 146,580,000 Hz

Coding was written in C for the Arduino to calculate the frequencies as they were read from the EEPROM. A bug was introduced in the code causing negative numbers to not be handled properly when doing the math. The formula had to be adjusted to make sure there were no negative numbers.

Adjusted Receive Formula:

(((188 * 2500) + 136000000) - (52 * 2500)) + ((84 - 68) * 640000) = 146,580,000 Hz

[Updated on: Fri, 23 March 2018 11:42] by Moderator
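
A decoder for the channel layout described in the post above, as an added example that is not kc2nda's Arduino code. The function names are hypothetical and the 16-byte row width is an assumption (the text only says rows and columns). It goes slightly beyond the post's formula by treating each byte pair as one little-endian 16-bit count of 2.5 kHz steps, which is equivalent because 640,000 = 256 * 2,500, and it subtracts the 52/68 base values in signed 32-bit arithmetic so a low byte below 52 still decodes.

```c
#include <stdint.h>
#include <stdio.h>

#define BASE_HZ   136000000L  /* lowest frequency, from the post */
#define STEP_HZ   2500L       /* low-byte step, from the post */
#define RX_LO_OFF 52          /* receive base values, from the post */
#define RX_HI_OFF 68
#define ROW_LEN   16          /* assumed: one 16-byte dump row per channel */

/* Transmit: base + col4 * 2.5 kHz + col5 * 640 kHz.
 * The int32_t casts matter on an 8-bit AVR, where int is only 16 bits. */
int32_t tx_hz(const uint8_t *row) {
    int32_t steps = ((int32_t)row[5] << 8) | row[4];
    return BASE_HZ + steps * STEP_HZ;
}

/* Receive: same encoding with 52/68 subtracted. Doing the subtraction in a
 * signed 32-bit type keeps a low byte below 52 from wrapping around. */
int32_t rx_hz(const uint8_t *row) {
    int32_t steps = (((int32_t)row[1] - RX_HI_OFF) * 256)
                  + ((int32_t)row[0] - RX_LO_OFF);
    return BASE_HZ + steps * STEP_HZ;
}

/* Bounds-checked lookup of channel index 0..7 in a raw EEPROM image. */
int channel_hz(const uint8_t *img, size_t len, unsigned ch,
               int32_t *rx, int32_t *tx) {
    if (ch >= 8 || (size_t)(ch + 1) * ROW_LEN > len) return -1;
    *rx = rx_hz(img + ch * ROW_LEN);
    *tx = tx_hz(img + ch * ROW_LEN);
    return 0;
}

int main(void) {
    /* Constructed sample image: row 0 uses the byte values from the post,
     * row 1 has an RX low byte below 52 to exercise the negative term. */
    uint8_t img[2 * ROW_LEN] = {0};
    img[0] = 188; img[1] = 84; img[4] = 136; img[5] = 16;
    img[16] = 10; img[17] = 85; img[20] = 214; img[21] = 16;
    for (unsigned ch = 0; ch < 2; ch++) {
        int32_t rx, tx;
        if (channel_hz(img, sizeof img, ch, &rx, &tx) == 0)
            printf("ch %u: rx %ld Hz, tx %ld Hz\n", ch + 1, (long)rx, (long)tx);
    }
    return 0;
}
```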


Raspberry Pi Reading EEPROM from Ritron DTX-142 [message #3265 is a reply to message #3264] Fri, 16 March 2018 01:21
root
I have been getting a lot of emails asking me for more information on how I dumped the EEPROM of the Ritron DTX-142 with a Raspberry Pi. This is very easy to do but depends on your version of the Raspberry Pi that you have. DISCLAIMER, you must follow the pinouts on your pi to make sure they are the same as we have below. Not all PIs have the same pinouts.

How to Read an EEPROM with Raspberry Pi


Make sure you use the ICSP port from the first post on this thread. Match the pins on the Ritron to the pins on the Pi here.

Log into the Pi and use AVRDude to dump the EEPROM. AVRDude is a package that is included in Linux. If it isn't already installed, you must install it. AVRDude uses the SPI protocol to read the EEPROM and write it to a file to be read by any hex editing software. Again, the Raspberry Pi's SPI pins were hooked directly to the ICSP port of the Ritron.

AVRDude commands to follow..

[Updated on: Fri, 16 March 2018 01:28]

