Well here we are again, this time with a different approach. I have received very interesting information from some very talented people and here it is. With this stuff you no longer have to use the shift key to program out-of-range frequencies or worry about doing checksums every time you make a change to gp300.mdf.
Editing gp300.exe to disable the encryption process when writing to disk
Look for the following string in gp300.exe (all these values are in hex format):
26 80 7F 0C 14 74, somewhere around offset 6F79, and modify 14 to FF.
old string : 26 80 7F 0C 14 74 new string : 26 80 7F 0C FF 74
For the P110 look for 26 80 7F 0C 1C 74 and change 1C to FF.
Look for the following string in gp_2.ovl:
89 46 FC 83 7E FC FF 74 06 83 7E FC 00 7E and change the last byte to EB. You will have to look for the string twice and change both occurrences: one is used when reading a saved codeplug from disk and the other when reading from the radio. (This disables the CRC check for the gp300.mdf file.)
old string : 89 46 FC 83 7E FC FF 74 06 83 7E FC 00 7E new string : 89 46 FC 83 7E FC FF 74 06 83 7E FC 00 EB
This will allow you to make changes to gp300.mdf or to the radio's codeplug data without having to worry about the CRC check.
This will allow you to read a radio and program the information to another radio. All aspects of the radio will be cloned, including serial number, model number, freq. range, etc.
Look for the following string in gp_2.ovl 66 46 FC 00 9A E3 08 at offset 2AC5 and make the following changes.
old string : C6 46 FC 00 9A E3 08 XX XX ** ** ** new string : C6 46 FC 00 9A E3 08 XX XX 90 90 90
XX means the value doesn't matter; leave those bytes the way they are and just change the ** to 90.
After all this is done we can talk about the changes you can make to the radio's codeplug data and to gp300.mdf. I will explain what I know and you take it from there.
If you look at the information, the first thing you will see is the serial number of the radio; at address 0B the radio's model number starts, and at address 0F is the ROM version. If the version is 02 or less it will allow you to change the radio's codeplug data without any problems.
Here is an example:
To change this radio into a GP300 16-channel, modify the 521C (which is a P110 hex model) to 0314 (which is a GP300 hex model). The new radios cannot be modified this way, BUT if you modify the MDF file you can make changes to some of the new radios.
Some notes on editing the codeplug data directly... (by Batwing):
If you make any changes to the first 17 bytes of the radio's codeplug file (after you've decrypted it), you will need to correct the checksum. The checksum is the 18th byte from the beginning of the codeplug file.
To generate a new value after you make your changes, use Hex Workshop and select the first 17 bytes, hit F12 and make sure the "HEX" and "1's Complement" boxes are selected, hit GENERATE and the checksum for your selection will appear in the "Checksum-8" box. Enter this new value in the 18th byte position and save the file.
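The same Checksum-8 / 1's complement calculation done in code, so you can verify a codeplug image's header before trusting it and recompute the 18th byte after an edit. This is an added example, not code from the original post: the field offsets (serial at 00, model at 0B, ROM version at 0F, checksum at the 18th byte) come from the post, while the sample header is constructed for the demo and is not real radio data.

```python
# Added example (not part of the original post): verify and recompute the
# 8-bit one's-complement checksum over the first 17 bytes of a decrypted
# GP300 codeplug image.  The checksum is stored as the 18th byte (offset
# 0x11).  Field offsets are taken from the post; the sample header below is
# constructed for the demo and is not real radio data.

HEADER_LEN = 17          # bytes covered by the checksum (offsets 0x00..0x10)
CHECKSUM_OFFSET = 17     # 18th byte holds the checksum (offset 0x11)
MODEL_OFFSET = 0x0B      # model number, stored low byte first
ROM_VERSION_OFFSET = 0x0F


def checksum8_ones_complement(data: bytes) -> int:
    """Checksum-8 with 1's complement, as Hex Workshop computes it:
    add all bytes modulo 256, then invert the result."""
    return (~(sum(data) & 0xFF)) & 0xFF


def header_checksum_ok(codeplug: bytes) -> bool:
    """True if the stored 18th byte matches the checksum of bytes 0..16."""
    if len(codeplug) < CHECKSUM_OFFSET + 1:
        raise ValueError("codeplug image shorter than the 18-byte header")
    expected = checksum8_ones_complement(codeplug[:HEADER_LEN])
    return codeplug[CHECKSUM_OFFSET] == expected


def with_corrected_checksum(codeplug: bytes) -> bytes:
    """Return a copy of the image with the 18th byte recomputed, which is
    what the post tells you to do by hand after touching any of the first
    17 bytes."""
    if len(codeplug) < CHECKSUM_OFFSET + 1:
        raise ValueError("codeplug image shorter than the 18-byte header")
    fixed = bytearray(codeplug)
    fixed[CHECKSUM_OFFSET] = checksum8_ones_complement(codeplug[:HEADER_LEN])
    return bytes(fixed)


def describe_header(codeplug: bytes) -> dict:
    """Pull out the fields the post identifies, for a quick sanity check."""
    return {
        "model_bytes": codeplug[MODEL_OFFSET:MODEL_OFFSET + 2].hex().upper(),
        "rom_version": codeplug[ROM_VERSION_OFFSET],
        "checksum_ok": header_checksum_ok(codeplug),
    }


# Constructed sample: 11 bytes of made-up serial, model 01 14 at 0x0B
# (inverted, as the post says codeplugs store it), ROM version 02 at 0x0F,
# one filler byte, then a deliberately wrong checksum byte.
SAMPLE_CODEPLUG = bytes.fromhex(
    "30 31 32 33 34 35 36 37 38 39 30"   # 0x00..0x0A: "01234567890"
    "01 14"                              # 0x0B..0x0C: model 1401, inverted
    "00 00"                              # 0x0D..0x0E: filler
    "02"                                 # 0x0F: ROM version
    "00"                                 # 0x10: filler
    "FF"                                 # 0x11: checksum (wrong on purpose)
)

if __name__ == "__main__":
    print(describe_header(SAMPLE_CODEPLUG))
    repaired = with_corrected_checksum(SAMPLE_CODEPLUG)
    print(describe_header(repaired), "checksum byte = %02X" % repaired[CHECKSUM_OFFSET])
```

Run it on a real decrypted codeplug dump and `header_checksum_ok` tells you whether the first 17 bytes have been touched without the 18th byte being updated; `with_corrected_checksum` is the code equivalent of the Hex Workshop F12 step.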
If you can't read a radio because of some error message, you can use debug.exe to look at the information in memory.
The gp300.mdf file is probably the most useful file. It contains the information about all the models. You can change it to allow all models to have 16 channels. You can even change your radio's model number to a number not on the list, and change the radio's codeplug data to that same non-existent model number, and you have yourself an Electronic Lock. Now if someone tries to read your radio they will get an "Error 21 radio not supported". You can expand the freq. range, the number of channels, etc.
Around address 0020 it shows where the models start, but it shows the address backwards (low byte first). For example, if at address 0020 it shows DE05 it means the models start at address 05DE. At address 0026 it tells how many model numbers exist. Use this if you want to add new model numbers to the program: just place your list of models at the end of the mdf file, tell the program at address 0020 where your list starts and at address 0026 how many models you have, and it will recognize those models.
Around address 0400 there is a list of the bandsplits for the different models; if you change this you will change the freq. range. You can have all radios recognized as 0 to 999 MHz radios.
BandSplit | Low edge as shown in RSS | High edge as shown in RSS | LowEdge RX | HighEdge RX | LowEdge TX | HighEdge TX | Freq Identifier
----------+--------------------------+---------------------------+------------+-------------+------------+-------------+----------------
136-162   | 5005                     | 5406                      | 5005       | 5406        | 5005       | 5406        | 0200
146-174   | B405                     | CC06                      | B405       | CC06        | B405       | CC06        | 0300
174-195   | CC06                     | 9E07                      | CC06       | 9E07        | CC06       | 9E07        | 0F00
192-208   | 8007                     | 2008                      | 8007       | 2008        | 8007       | 2008        | 1000
205-225   | 0208                     | CA08                      | 0208       | CA08        | 0208       | CA08        | 1300
336-368   | 200D                     | 600E                      | 200D       | 600E        | 200D       | 600E        | EA00
403-433   | 1C11                     | 5C12                      | 1C11       | 5C12        | 1C11       | 5C12        | 0500
These are just examples, but there are more. If you read B405 as an Intel hex word (low byte first, i.e. 05B4) and convert it to decimal, it gives you 1460, which stands for 146.0 MHz; likewise CC06 = 1740 = 174.0 MHz. You can change these ranges to make all radios 0 to 999 MHz: just look for the freq. identifier for your radio and change all the ranges to 0000 and 0627.
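Both of the "backwards" words described above, the model-list pointer and count at addresses 0020/0026 and the bandsplit edges in tenths of a MHz, are the same low-byte-first 16-bit encoding. The decoder below is an added example and not code from the original post; the offsets and the sample words come from the post, while the MDF header fragment is constructed for the demo and is not a real file.

```python
# Added example (not code from the original post): decode the low-byte-first
# ("Intel") 16-bit words the post describes in gp300.mdf.  Two uses are
# shown: the pointer at 0x0020 / count at 0x0026 that locate the model
# list, and the bandsplit edges stored in tenths of a MHz.  Offsets and the
# sample row come from the post; the MDF fragment below is constructed.

MODEL_LIST_PTR_OFFSET = 0x0020   # word: where the model list starts
MODEL_COUNT_OFFSET = 0x0026      # word: how many models exist


def le16(data: bytes, offset: int = 0) -> int:
    """Read a 16-bit word stored low byte first (DE 05 -> 0x05DE)."""
    return data[offset] | (data[offset + 1] << 8)


def word_to_mhz(word_hex: str) -> float:
    """'B405' -> 0x05B4 -> 1460 -> 146.0 MHz, as the post explains."""
    return le16(bytes.fromhex(word_hex)) / 10.0


def mhz_to_word(mhz: float) -> str:
    """Inverse: 999.0 MHz -> 9990 -> 0x2706 -> stored as '0627'."""
    value = round(mhz * 10)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("frequency does not fit a 16-bit word")
    return bytes([value & 0xFF, value >> 8]).hex().upper()


def decode_bandsplit_row(words: list) -> dict:
    """Decode one row of the bandsplit table: six frequency edges in MHz
    plus the two-byte frequency identifier, kept as raw hex."""
    labels = ["rss_low", "rss_high", "rx_low", "rx_high", "tx_low", "tx_high"]
    row = {name: word_to_mhz(w) for name, w in zip(labels, words[:6])}
    row["freq_id"] = words[6]
    return row


def locate_model_list(mdf: bytes) -> tuple:
    """Return (start_offset, model_count) from the words at 0x0020 and 0x0026."""
    return le16(mdf, MODEL_LIST_PTR_OFFSET), le16(mdf, MODEL_COUNT_OFFSET)


# Constructed MDF header fragment (0x28 bytes): DE 05 at 0x0020 means the
# model list starts at 0x05DE, and 03 00 at 0x0026 means three models.
_hdr = bytearray(0x28)
_hdr[0x20:0x22] = bytes.fromhex("DE05")
_hdr[0x26:0x28] = bytes.fromhex("0300")
SAMPLE_MDF_HEADER = bytes(_hdr)

# The 146-174 row from the post's table.
ROW_146_174 = ["B405", "CC06", "B405", "CC06", "B405", "CC06", "0300"]

if __name__ == "__main__":
    print(locate_model_list(SAMPLE_MDF_HEADER))     # (1502, 3)
    print(decode_bandsplit_row(ROW_146_174))
    print(mhz_to_word(0.0), mhz_to_word(999.0))     # 0000 0627
```

`decode_bandsplit_row` can be run over every row of the table above to confirm the BandSplit label against the stored edges, which is a quick way to spot a row whose edges no longer match its label after an edit.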
Let me show you a radio's model number in hex format.
In gp300.mdf the models are as follows: 14 01, 14 02, 1C 53, etc., but in the radio's codeplug data they are inverted, for example 01 14, 02 14, 53 1C, etc.
The models start near address 05DE. That is where 1401 starts.
In this example I am going to modify the file to allow me to program 16 channels to an 8-channel radio.
* Look around address 0815 to modify model P94YPC20D2 from 8 to 16 channels.
* Change where it says 8 Chan to 16 Chan:
old string : | 14 1B 19 50 39 34 59 50 43 32 30 44 32 5F 5F 05 1B 08 04 A7 40 |
new string : | 14 1B 19 50 39 34 59 50 43 32 30 44 32 5F 5F 05 1B 10 04 A7 40 |
Remember that in hex, 10 = 16 channels.
Try this with all the models and see how many of your radios work with 16 channels. The radio is still an 8-channel radio if read using someone else's program, but for your program it is a 16-channel radio.
Remember what I said about the Electronic Lock? Well, in the above example also change the model number from 141B to 1B14:
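A decoder for the model record shown above, using only what the post identifies (the two-byte model number at the start of the record and the channel count at byte 17), plus a check that a codeplug's inverted model bytes refer to the same model as the MDF record. This is an added example, not code from the original post. The two records are the old and new strings quoted above; the ASCII name at bytes 3..14 is my own reading of those bytes (they spell P94YPC20D2__, matching the model name the post gives), the other bytes are not identified in the post and are reported raw, and the codeplug header fragment is constructed.

```python
# Added example (not code from the original post): decode a gp300.mdf model
# record and compare it with a codeplug's model bytes.  Known from the post:
# model number = first two bytes, channel count = byte 17, codeplug stores
# the model inverted at 0x0B.  Assumed (my reading of the quoted record):
# bytes 3..14 are a 12-character ASCII name padded with '_'.

MODEL_RECORD_LEN = 21          # length of the records quoted in the post
CHANNEL_COUNT_OFFSET = 17      # the byte the post changes from 08 to 10
NAME_SLICE = slice(3, 15)      # assumed: 12 ASCII bytes, '_' padding
CODEPLUG_MODEL_OFFSET = 0x0B   # from the post


def decode_model_record(record: bytes) -> dict:
    """Split one model record into the fields the post identifies; bytes
    the post does not explain are returned raw as 'other'."""
    if len(record) != MODEL_RECORD_LEN:
        raise ValueError("expected a %d-byte model record" % MODEL_RECORD_LEN)
    return {
        "model_id": record[0:2].hex().upper(),                  # e.g. '141B'
        "name": record[NAME_SLICE].decode("ascii").rstrip("_"),
        "channels": record[CHANNEL_COUNT_OFFSET],
        "other": (record[2:3] + record[15:17] + record[18:]).hex().upper(),
    }


def codeplug_model_id(codeplug: bytes) -> str:
    """Codeplugs store the model inverted (01 14 for 1401); swap the two
    bytes so the value can be compared with the MDF form."""
    lo = codeplug[CODEPLUG_MODEL_OFFSET]
    hi = codeplug[CODEPLUG_MODEL_OFFSET + 1]
    return bytes([hi, lo]).hex().upper()


def codeplug_matches_record(codeplug: bytes, record: bytes) -> bool:
    """True if the radio's codeplug names the same model as the MDF record,
    i.e. the RSS would recognise this radio with this MDF."""
    return codeplug_model_id(codeplug) == decode_model_record(record)["model_id"]


# The old and new strings quoted in the post (8 and 16 channels).
ORIGINAL_RECORD = bytes.fromhex(
    "14 1B 19 50 39 34 59 50 43 32 30 44 32 5F 5F 05 1B 08 04 A7 40")
PATCHED_RECORD = bytes.fromhex(
    "14 1B 19 50 39 34 59 50 43 32 30 44 32 5F 5F 05 1B 10 04 A7 40")

# Constructed 17-byte codeplug header fragment with 1B 14 at 0x0B,
# i.e. model 141B stored inverted; everything else is zero filler.
SAMPLE_CODEPLUG_HDR = bytes(0x0B) + bytes.fromhex("1B14") + bytes(4)

if __name__ == "__main__":
    for rec in (ORIGINAL_RECORD, PATCHED_RECORD):
        print(decode_model_record(rec))
    print(codeplug_model_id(SAMPLE_CODEPLUG_HDR),
          codeplug_matches_record(SAMPLE_CODEPLUG_HDR, ORIGINAL_RECORD))
```

Running `codeplug_matches_record` against each record in the list is the quickest way to see whether a given radio will come up as a known model or as the "Error 21 radio not supported" case the post describes.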
old string : | 14 1B 19 50 39 34 59 50 43 32 30 44 32 5F 5F 05 1B 08 04 A7 40 |
new string : | 1B 14 19 50 39 34 59 50 43 32 30 44 32 5F 5F 05 1B 10 04 A7 40 |
And in the radio's codeplug data change the model number at address 000B to 141B. Remember this will not work with ROM 4 radios. If you lose your radio no one will be able to read, program or adjust that radio with the regular software; you NEED your modified software to read that radio. I don't recommend sending the radio like this to Motorola if it later needs repair.
If you need more information about this, post a note to alt.2600 or alt.hacker with the subject line "Looking for Hoffis" and I will get in touch with you.
If you have worked with these programs let me know what you have come up with. If you have some programs you would like to share or other information, use the above method to post a note.
See you around.
Hoffis
Jan 2 1998