Sunday, November 20, 2011

Hacking FRS radios (walkie talkies)

Back in the early 90s, I got an 8 channel desktop scanner (radio receiver) on clearance at Radio Shack for about 20 bucks. The thing was really basic, with just a 7 segment LED display, no search capability and only 8 channels of "memory". I quickly got bored with just using it and decided to crack it open to see what made it tick. I was able to identify the microcontroller and another IC that I assumed was the PLL tuner. At the time, I didn't know much about PLLs and couldn't find the datasheet for the one in that radio, so I found one that was similar in function in a Motorola databook. After reading the datasheet and an appnote, I got to probing around on the radio. Long story short, I cut the traces between the PLL and the microcontroller and diverted the PLL's serial and other control lines to a 25 pin connector so it could interface with a PC via the printer port. I wrote a DOS based C program to control it and wound up with a 200 channel (about what I could fit on a 43 column VGA text screen) scanner with an automated, active frequency search function. That was a very educational 2 or 3 weeks I spent on it.

With my interest in amateur radio ramping back up recently, I decided to buy a pair of FRS/GMRS radios to check their ease of hacking for ham use. FRS frequencies are very close to the amateur radio 70 cm band and I figured "all that's needed" is to tweak the frequencies a bit to be able to operate a really cheap transceiver for ham use. I bought a pair of Cobra brand MicroTalk model radios for $40. Before even powering them up, I took one apart to check the guts. Oh, then I googled "hack microtalk" and found this blog post. Not much active info or progress there, though.

When I dug into the MicroTalk radio I found the highly integrated AN29160AA transceiver IC from Matsushita (the board shown below is from a different, Uniden radio, which uses the AN29160A variant).



This chip does about everything except drive the display and handle the pushbutton inputs. Its functions (the PLL counters/divisors that set the tuning frequency, as well as volume control and more) are operated by an external microcontroller through a 3-wire serial interface. My obstacles in attacking the MicroTalk radio were the very fine-pitch surface-mount leads and the fact that its microcontroller is hidden under the LCD display assembly. Not impossible to deal with, but tricky.

It occurred to me to check an older pair of Uniden brand FRS radios (model GMR638-2CK) that I already had. They turned out not only to use the same transceiver IC but (in my opinion) to be a bit easier to hack. In this radio, the microcontroller is not buried under other stuff and even has handy little test point pads for every pin!


As you can see in the picture above, I've identified the basic signals that I need to hijack from the microcontroller. I may also need to monitor the squelch logic output and possibly provide an analog signal to generate tones. The earlier picture of the transceiver IC is also from the Uniden radio. Below is an o-scope snapshot of the DATA line being used while the radio was scanning FRS channels:



So far I've identified some necessary signals and the means to calculate the PLL counter values for arbitrary frequencies. Next I must plan what microcontroller I'll use to operate this thing, along with which other signals between the 29160 and the existing micro must be hijacked and which I can just piggyback onto. I also need to figure out a clean way to put it all back together so that it can still be a handheld!
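Two of the steps above, decoding what the existing micro clocks out on the 3-wire interface (the DATA capture shown earlier) and working out integer-N divider values for a target frequency, are easy to get wrong in small ways, so here is an added worked example. This is my own illustration, not code from the post or anything published for the AN29160A: the 24-bit word layout, the 12.5 kHz synthesizer step, the 21.4 MHz IF and the MSB-first, rising-edge-clocked, ENABLE-latched framing are all assumptions standing in for whatever the chip really does. The 14 FRS channel frequencies are the real ones, so the divider arithmetic can be checked by hand. The logic-analyzer style samples are constructed inline; the technique of stepping the radio through channels and diffing the captured words to locate the divider field is the point.

```python
"""Added example: decode a captured 3-wire (CLK/DATA/ENABLE) PLL programming
stream and locate the frequency divider field, plus integer-N divider math for
FRS and 70 cm frequencies. Register layout, step size and IF are ASSUMPTIONS
for illustration; the AN29160A's real word format is not described on the page."""

from typing import List, Optional, Tuple

# Real FRS/GMRS shared channel frequencies (Hz), channels 1-14.
FRS_CHANNELS_HZ = {
    1: 462_562_500, 2: 462_587_500, 3: 462_612_500, 4: 462_637_500,
    5: 462_662_500, 6: 462_687_500, 7: 462_712_500,
    8: 467_562_500, 9: 467_587_500, 10: 467_612_500, 11: 467_637_500,
    12: 467_662_500, 13: 467_687_500, 14: 467_712_500,
}

STEP_HZ = 12_500   # assumed synthesizer step (reference / R divider)
WORD_BITS = 24     # assumed register width clocked in per ENABLE pulse
OTHER_SETTINGS = 0x5A << 17   # assumed: non-frequency bits above a 17-bit N field


def divider_for(freq_hz: int, step_hz: int = STEP_HZ) -> int:
    """Integer-N divider: f_out = N * step. Refuse anything that does not land
    exactly on the synthesizer grid; a hacked-in ham frequency that is off-grid
    will lock to the nearest step without telling you."""
    n, rem = divmod(freq_hz, step_hz)
    if rem:
        raise ValueError(f"{freq_hz} Hz is not a multiple of {step_hz} Hz")
    return n


def rx_divider_for(freq_hz: int, if_hz: int, step_hz: int = STEP_HZ,
                   high_side: bool = True) -> int:
    """Receive LO sits one IF away from the channel; which side is an assumption."""
    lo = freq_hz + if_hz if high_side else freq_hz - if_hz
    return divider_for(lo, step_hz)


def word_for(freq_hz: int) -> int:
    """Build the (assumed) register word the micro would send for a channel."""
    return OTHER_SETTINGS | divider_for(freq_hz)


def sample_frame(word: int, bits: int = WORD_BITS) -> List[Tuple[int, int, int]]:
    """Constructed (CLK, DATA, ENABLE) samples for one word, MSB first, data
    valid on the rising CLK edge, then an ENABLE pulse that latches it.
    Stands in for a real capture of the DATA/CLK/ENABLE test points."""
    samples = []
    for i in range(bits - 1, -1, -1):
        bit = (word >> i) & 1
        samples.append((0, bit, 0))   # data set up while clock is low
        samples.append((1, bit, 0))   # rising edge: bit shifted in
    samples.append((0, 0, 1))         # enable pulse latches the word
    samples.append((0, 0, 0))
    return samples


def decode_stream(samples: List[Tuple[int, int, int]]) -> List[int]:
    """Shift DATA in on each CLK rising edge, emit a word on each ENABLE rising
    edge. Edge detection matters: sampling levels instead of edges doubles bits."""
    words, acc, prev_clk, prev_en = [], 0, 0, 0
    for clk, data, en in samples:
        if clk and not prev_clk:
            acc = (acc << 1) | data
        if en and not prev_en:
            words.append(acc)
            acc = 0
        prev_clk, prev_en = clk, en
    return words


def changed_bits(a: int, b: int, bits: int = WORD_BITS) -> List[int]:
    """Bit positions (0 = LSB) that differ between two captured words."""
    x = a ^ b
    return [i for i in range(bits) if (x >> i) & 1]


def locate_field(words: List[int]) -> Optional[Tuple[int, int]]:
    """Lowest and highest bit that changes across captures taken on different
    channels: the N field lies at least here. Bits the channel plan never
    toggles (bit 0 for FRS, since every N is odd) stay invisible to this test."""
    mask = 0
    for w in words[1:]:
        mask |= words[0] ^ w
    bits = [i for i in range(WORD_BITS) if (mask >> i) & 1]
    return (bits[0], bits[-1]) if bits else None


if __name__ == "__main__":
    capture = []
    for f in FRS_CHANNELS_HZ.values():          # "radio scanning FRS channels"
        capture += sample_frame(word_for(f))
    words = decode_stream(capture)
    print("decoded words:", [hex(w) for w in words])
    print("divider field changes within bits", locate_field(words))
    print("N for 446.000 MHz (70 cm):", divider_for(446_000_000))
```

Usage: replace `sample_frame` with the real capture (one tuple per logic-analyzer sample), step the radio one channel at a time, and watch which bits of the decoded word move. The caveat `locate_field` encodes is that a channel sweep only reveals bits the channel plan toggles; to learn the full field width and any bits above the ones that moved, program a frequency that forces them (or read the datasheet). The grid check in `divider_for` is the one that bites when retuning into the 70 cm band: pick frequencies that are exact multiples of the synthesizer step.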

I may use Cypress Semiconductor's First Touch kit as the controller. It's a PSoC and probably way overkill, but it has a few points in its favor: it's small, it has all the I/O I need and... I have one!

Check back later for more progress.