Sunday, November 20, 2011

Hacking FRS radios (walkie talkies)

Back in the early 90s, I got an 8-channel desktop scanner (radio receiver) on clearance at Radio Shack for about 20 bucks. The thing was real basic, with just a 7-segment LED display, no search capability and only 8 channels of "memory". I quickly got bored with just using it and decided to crack it open to see what made it tick. I was able to identify the microcontroller and another IC that I assumed was the PLL tuner. At the time, I didn't know much about PLLs and couldn't find the datasheet for the one in that radio, so I found one that was similar in function in a Motorola databook. After reading the datasheet and an appnote, I got to probing around on the radio. Long story short, I cut the traces between the PLL and the microcontroller and diverted the PLL's serial and other control lines to a 25-pin connector so it could interface with a PC via the printer port. I wrote a DOS-based C program to control it and wound up with a 200-channel (about what I could fit on a 43-column VGA text screen) scanner with an automated, active frequency search function. That was a very educational 2 or 3 weeks I spent on it.

With my interest in amateur radio ramping back up recently, I decided to buy a pair of FRS/GMRS radios to check their ease of hacking for Ham use. FRS frequencies are very close to the amateur radio 70 cm band and I figured "all that's needed" is to tweak the frequencies a bit to be able to operate a really cheap transceiver for ham use. I bought a pair of Cobra brand MicroTalk model radios for $40. Before even powering them up, I took one apart to check the guts. Oh, then I googled "hack microtalk" and found this blog post. Not much active info or progress there, though.

When I dug into the MicroTalk radio I found the highly integrated AN29160AA transceiver IC from Matsushita (a different Uniden radio, which uses an AN29160A variant, is shown below).



This chip does about everything except drive the display and handle the pushbutton inputs. Its functions, the PLL counters/divisors that set the tuning frequency as well as volume control and more, are operated by an external microcontroller through a 3-wire serial interface. My obstacles in attacking the MicroTalk radio were the very fine-pitch surface-mount leads and the fact that its microcontroller is hidden under the LCD display assembly. Not impossible to deal with, but tricky.

It occurred to me to check an older pair of Uniden brand FRS radios (model GMR638-2CK) that I already had. They actually turned out to not only use the same transceiver IC, but (in my opinion) to be a bit easier to hack. In this radio, the microcontroller was not buried under other stuff and even has handy little test point pads for every pin!


As you can see in the picture above, I've identified the basic signals that I need to hijack from the microcontroller. I may also need to monitor the squelch logic output and possibly provide an analog signal to generate tones. The earlier picture of the transceiver IC is also from the Uniden radio. Below is an o-scope snapshot of the DATA line being used while the radio was scanning FRS channels:



So far I've identified some necessary signals and the means to calculate the PLL counter values for arbitrary frequencies. Next I must plan what microcontroller I'll use to operate this thing, along with which other signals between the 29160 and the existing micro must be hijacked or just piggybacked onto. I also need to figure out a clean way to put it all back together so that it can still be a handheld!
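The 3-wire serial link between the microcontroller and the transceiver IC can be observed on the test pads before anything is rewired. As an added example (not the author's code and not taken from the AN29160 datasheet), this decoder rebuilds latched words from sampled CLK/DATA/STROBE logic levels; the edge polarity, MSB-first bit order, word lengths and the capture itself are assumptions constructed for illustration.

```python
# Added example. Assumptions (not from the post or a datasheet): DATA is
# sampled on the rising edge of CLK, bits arrive MSB first, and a rising
# edge on STROBE latches the accumulated word into the chip.

def decode_3wire(samples):
    """Rebuild latched words from (clk, data, strobe) logic-level samples.

    Returns a list of (bit_count, value). A strobe with no clocked bits is
    ignored, and bits that are never followed by a strobe are dropped.
    """
    frames, bits = [], []
    prev_clk = prev_strobe = None
    for clk, data, strobe in samples:
        if prev_clk is not None:
            if prev_clk == 0 and clk == 1:        # rising CLK: shift in one bit
                bits.append(data)
            if prev_strobe == 0 and strobe == 1:  # rising STROBE: latch word
                if bits:
                    value = 0
                    for b in bits:
                        value = (value << 1) | b
                    frames.append((len(bits), value))
                bits = []
        prev_clk, prev_strobe = clk, strobe
    return frames


def synth_capture(word, nbits):
    """Constructed input: nbits of word clocked MSB first, then a strobe pulse."""
    samples = [(0, 0, 0)]
    for i in reversed(range(nbits)):
        bit = (word >> i) & 1
        samples += [(0, bit, 0), (1, bit, 0), (0, bit, 0)]
    return samples + [(0, 0, 1), (0, 0, 0)]


# Constructed capture: a 20-bit word, a stray strobe glitch, a 3-bit word,
# and one trailing clocked bit that is never latched.
CAPTURE = (synth_capture(0x1A2B3, 20) + [(0, 0, 1), (0, 0, 0)]
           + synth_capture(0x5, 3) + [(0, 1, 0), (1, 1, 0), (0, 1, 0)])

if __name__ == "__main__":
    for nbits, value in decode_3wire(CAPTURE):
        print(f"{nbits:2d} bits  0x{value:X}  {value:0{nbits}b}")
```

Comparing the decoded words captured on different channels shows which bit fields change with frequency, which is the starting point for mapping them to the PLL counters.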

I may use Cypress Semiconductor's First Touch kit as the controller. It's a PSoC and probably way overkill, but for a few points: it's small, has all the IO I need and... I have one!

Check back later for more progress.

11 comments:

  1. This post is fantastic! I am also hacking radios for ham use. At the moment I am having trouble identifying the parts on a cheap Chinese car FM transmitter :)

    Best of luck, I am looking forward to reading this :)

  2. If you are still monitoring this blog, email me @ jb0nd38372 "@" gmail.com

    I currently have an Arduino with the ATmega328P controller and a couple of Motorola FRS radios. As a previous 70cm / 2m / 440 talker I am VERY interested in getting my FRS to become more controllable than they currently are. I would love to pick your brain since I lack the electronic equipment to reverse engineer an unknown PIC to find the right lines I should be tapping.

    I would be very willing to send some funds your way via PayPal if you would be willing to be my guide. Thanks for the consideration.

  3. Trans Communications experience, technical skills, availability and reliability, price and interest in our project made them our first choice for this service and a pleasure to work with. They are a full service provider, with the ability to assist at all times. transcommunications provide services Motorola Walkie-Talkies for 2-Way Radio System, online sales in AUS , wireless radio system, radio walkie talkie and more in your area.

  4. We offer a complete and comprehensive product line of high quality two way radio replacement batteries. Our two way radio batteries are designed to be fully compatible with the original equipment.
    http://www.cutratebatteries.com/

  5. Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your further write ups thanks once again. Visit soon for exclusive Walkie talkie radios of Motorola, Hytera, Digital radios, Kenwood, Business, Atex radios at walkie-talkies.com.

  6. A walkie-talkie (more formally known as a handheld transceiver, or HT) is a hand-held, portable, two-way radio transceiver. Its development during the Second World War has been variously credited to Donald L. Hings, radio engineer Alfred J. Gross, and engineering teams at Motorola.

  8. It's really awesome that got an 8 channel desktop scanner (radio receiver) on clearance at Radio Shack for about 20 bucks. Some days ago, i also viewed some awesome two way radios Articles from
    this anchor .

  9. Nice post. I learn something more challenging on different blogs everyday. It will always be stimulating to read content from other writers and practice a little something from their store. I’d prefer to use some with the content on my blog whether you don’t mind. I’ll give you a link on your web blog. I recently came to know about http://toysuae.com/, their Walkie Talkies are very effective.
    Walkie Talkies Thanks for sharing.
