From 81db7532479d43637ca11f7c1a5ec74f51432f1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20Roh=C3=A9e?= Date: Mon, 6 Nov 2023 14:05:18 +0100 Subject: [PATCH 1/5] eeprom -> EEPROM --- uvk5.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uvk5.h b/uvk5.h index 395c444..bfbd588 100644 --- a/uvk5.h +++ b/uvk5.h @@ -1,4 +1,4 @@ -/* UV-K5 eeprom programmer */ +/* UV-K5 EEPROM programmer */ #ifndef UVK5_INCLUDE_H #define UVK5_INCLUDE_H From a9e37bbd50026ae8c7dda78e6b585ac0fc792166 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20Roh=C3=A9e?= Date: Mon, 6 Nov 2023 14:07:31 +0100 Subject: [PATCH 2/5] eeprom -> EEPROM --- k5prog.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/k5prog.c b/k5prog.c index aa1327f..f711678 100644 --- a/k5prog.c +++ b/k5prog.c @@ -1,7 +1,7 @@ /* Quansheng UV-K5 EEPROM programmer v0.9 * (c) 2023 Jacek Lipkowski * - * This program can read and write the eeprom of Quansheng UVK5 Mark II + * This program can read and write the EEPROM of Quansheng UVK5 Mark II * and probably other similar radios via the serial port. * * It can read/write arbitrary data, and might be useful for reverse @@ -110,8 +110,8 @@ unsigned char uvk5_hello2[]={0x14, 0x05, 0x04, 0x00, 0x9f, 0x25, 0x5a, 0x64}; /* commands: * 0x14 - hello - * 0x1b - read eeprom - * 0x1d - write eeprom + * 0x1b - read EEPROM + * 0x1d - write EEPROM * 0xdd - reset radio */ @@ -455,7 +455,7 @@ struct k5_command *k5_receive(int fd,int tmout) { return(cmd); } /******************************/ -/* eeprom read/write support */ +/* EEPROM read/write support */ /******************************/ int k5_readmem(int fd, unsigned char *buf, unsigned char maxlen, int offset) { @@ -542,7 +542,7 @@ int k5_reset(int fd) r=k5_send_buf(fd,uvk5_reset,sizeof(uvk5_reset)); return(r); } -/* end of eeprom read/write support */ +/* end of EEPROM read/write support */ /******************************/ From a3faca61d96614720bf51ae59b03bb9562313817 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bruno=20Roh=C3=A9e?= Date: Mon, 6 Nov 2023 14:12:43 +0100 Subject: [PATCH 3/5] Better messages --- k5prog.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/k5prog.c b/k5prog.c index f711678..5b3a514 100644 --- a/k5prog.c +++ b/k5prog.c @@ -748,14 +748,14 @@ void helpme() "cmdline opts:\n" "-f \tfilename that contains the eeprom dump (default: " DEFAULT_FILE_NAME ")\n" "-b \tfilename that contains the raw flash image (default " DEFAULT_FLASH_NAME ")\n" - "-Y \tincrease \"I know what i'm doing\" value, to enable functionality likely to break the radio\n" + "-Y \tincrease \"I know what I'm doing\" value, to enable functionality likely to break the radio\n" "-D \twait for the message from the radio flasher, print it's version\n" "-F \tflash firmware, WARNING: this will likely brick your radio!\n" "-M \tSet the firmware major version to during the flash process (default: " DEFAULT_FLASH_VERSION ")\n" "-r \tread eeprom\n" "-w \twrite eeprom like the original software does\n" - "-W \twrite most of the eeprom (but without what i think is calibration data)\n" - "-B \twrite ALL of the eeprom (the \"brick my radio\" mode)\n" + "-W \twrite most of the EEPROM (but without what I think is calibration data)\n" + "-B \twrite ALL of the EEPROM (the \"brick my radio\" mode)\n" "-p \tdevice name (default: " DEFAULT_SERIAL_PORT ")\n" "-s \tserial speed (default: 38400, the UV-K5 doesn't accept any other speed)\n" "-h \tprint this help\n" 
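Review bot: The help text in helpme() is left half-converted: `"-r \tread eeprom\n"`, `"-w \twrite eeprom like the original software does\n"` and the `-f` line still say `eeprom`, while `-W` and `-B` now say `EEPROM`. The README change later in this series shows all of these in upper case, so the documented help output no longer matches what the program prints. The `-D` line also keeps `print it's version`, which should read `its`. Since `-Y`, `-F` and `-B` are the options the text itself warns can break the radio, this wording is worth keeping exactly in step with the README. helpme()'s body starts and ends outside the hunk.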
@@ -998,7 +998,7 @@ int main(int argc,char **argv) /* arbitrary limit do that someone doesn't flash some random short file */ if ((i_know_what_im_doing<5)&&(flash_length<50000)) { - fprintf(stderr,"Failed to read whole eeprom from file %s (read %i), file too short or some other error\n",file,flash_length); + fprintf(stderr,"Failed to read whole EEPROM from file %s (read %i), file too short or some other error\n",file,flash_length); if (flash_length>0) { fprintf(stderr,"This failsafe is here so that people don't mistake config files with flash.\nIt can be ignored with an 'i know what i'm doing' value of at least 5\n"); } @@ -1079,7 +1079,7 @@ int main(int argc,char **argv) } } close(fd); - if (verbose>0) { printf("\rSucessfuly read eeprom\n"); } + if (verbose>0) { printf("\rSuccessfully read EEPROM\n"); } if (verbose>2) { hdump((unsigned char *)&eeprom,UVK5_EEPROM_SIZE); } write_file(file,(unsigned char *)&eeprom,UVK5_EEPROM_SIZE); @@ -1090,7 +1090,7 @@ int main(int argc,char **argv) case MODE_WRITE_MOST: case MODE_WRITE_ALL: if ((mode==MODE_WRITE_ALL)&&(i_know_what_im_doing<1)) { - printf("ERROR: the \"I know what i'm doing\" value has to be at least 1 to confirm that you know what you're doing\n"); + printf("ERROR: the \"I know what I'm doing\" value has to be at least 1 to confirm that you know what you're doing\n"); exit(0); } @@ -1102,7 +1102,7 @@ int main(int argc,char **argv) } r=read(ffd,(unsigned char *)&eeprom[i],UVK5_EEPROM_SIZE); if (r!=UVK5_EEPROM_SIZE) { - fprintf(stderr,"Failed to read whole eeprom from file %s, file too short?\n",file); + fprintf(stderr,"Failed to read whole EEPROM from file %s, file too short?\n",file); exit(1); } close(ffd); @@ -1146,7 +1146,7 @@ int main(int argc,char **argv) } } k5_reset(fd); - if (verbose>0) { printf("\rSucessfuly wrote eeprom\n"); } + if (verbose>0) { printf("\rSuccessfully wrote EEPROM\n"); } break; From bc02b2460c6037b5e4fac81002c07ee0bd3ca74b Mon Sep 17 00:00:00 2001 
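Review bot: The reworded message in the `flash_length<50000` failsafe now says `Failed to read whole EEPROM`, but the condition tests `flash_length` and the next message says the failsafe stops people mistaking config files for flash. This is therefore the flash-image path, and the text should say `Failed to read whole flash image from file %s (read %i), ...`. It also prints `file`, which in the later hunks is the EEPROM dump name passed to `write_file`. If a separate variable holds the `-b` file name (not visible here), that is the one to print. The follow-up line in the same block still spells `'i know what i'm doing'` in lower case, unlike the other messages this commit touches. main() starts and ends outside the hunk.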
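Review bot: The refusal path for `MODE_WRITE_ALL` without `-Y` (hunk at -1090) still reports the error with `printf` and then calls `exit(0)`, so a wrapper script or mass-programming loop sees success when the write was actually refused. The other failure paths visible in this patch use `fprintf(stderr,...)` and `exit(1)`. This one should match, keeping the new wording: `fprintf(stderr,"ERROR: the \"I know what I'm doing\" value has to be at least 1 ...\n");` followed by `exit(1);`. The `exit(0);` is a context line that the commit leaves unchanged, and the enclosing `case` continues outside the hunk.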
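Review bot: In the hunk at -1102, the `read()` just above the reworded message targets `(unsigned char *)&eeprom[i]` with a length of `UVK5_EEPROM_SIZE`, which stays inside the buffer only if `i` is 0 at that point. `i` is not assigned anywhere in the hunk, so this needs confirming against the rest of main(). Using `(unsigned char *)&eeprom`, as the `hdump` and `write_file` calls in the read path do, would remove the dependency on `i`: `r=read(ffd,(unsigned char *)&eeprom,UVK5_EEPROM_SIZE);`. The surrounding block starts and ends outside the hunk.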
From: =?UTF-8?q?Bruno=20Roh=C3=A9e?= Date: Mon, 6 Nov 2023 14:14:41 +0100 Subject: [PATCH 4/5] Various typo fixed --- README | 56 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/README b/README index 1733bde..a01ac10 100644 --- a/README +++ b/README @@ -1,14 +1,14 @@ k5prog - Quansheng UV-K5 EEPROM and flash programmer v0.9 (c) 2023 Jacek Lipkowski -This program can read and write the eeprom of Quansheng UV-K5. +This program can read and write the EEPROM of Quansheng UV-K5. It can read/write arbitrary data, and might be useful for making backups of the configuration, mass programming of radios or reverse engineering of the radio configuration. Please note that it is probably possible to break your radio by writing a bad configuration to it, so please use at your own risk. -Note that this program does not edit the contents of the eeprom. Use an +Note that this program does not edit the contents of the EEPROM. Use an external hex editor. @@ -19,7 +19,7 @@ here: https://github.com/fagci/qs-uvk5-firmware-modder An example decrypted file is provided in k5_flash_test.raw, this is the vendor 2.01.23 firmware without any modifications. -Please use extreme caution, as reprogramming the radioflash can potentially i +Please use extreme caution, as reprogramming the radioflash can potentially brick your radio. If unsure, please use the vendor flashing software. The flashing support in k5prog was used in at least 2 cases to recover radios 
@@ -31,38 +31,38 @@ To compile, please see the compiling section at the end. The program is written to (hopefully) run on POSIX systems. Testing was done -on GNU/Linux, but MacOS X and windows under cygwin should work too. +on GNU/Linux, but macOS and Windows under Cygwin should work too. For licensing see the file LICENSE. ---- Usage ---- -for help run the programwithout arguments, or with the -h option. +to display help run the program without arguments, or with the -h option. The configuration options are: Quansheng UV-K5 EEPROM programmer v0.8 (c) 2023 Jacek Lipkowski cmdline opts: --f filename that contains the eeprom dump (default: k5_eeprom.raw) +-f filename that contains the EEPROM dump (default: k5_eeprom.raw) -b filename that contains the raw flash image (default k5_flash.raw) --Y increase "I know what i'm doing" value, to enable functionality likely to break the radio +-Y increase "I know what I'm doing" value, to enable functionality likely to break the radio -D wait for the message from the radio flasher, print it's version -F flash firmware, WARNING: this will likely brick your radio! -M Set the firmware major version to during the flash process (default: *.01.23) --r read eeprom --w write eeprom like the original software does --W write most of the eeprom (but without what i think is calibration data) --B write ALL of the eeprom (the "brick my radio" mode) +-r read EEPROM +-w write EEPROM like the original software does +-W write most of the EEPROM (but without what I think is calibration data) +-B write ALL of the EEPROM (the "brick my radio" mode) -p device name (default: /dev/ttyUSB0) -s serial speed (default: 38400, the UV-K5 doesn't accept any other speed) -h print this help -v be verbose, use multiple times for more verbosity ----- Reading/writing the configuration eeprom ---- +---- Reading/writing the configuration EEPROM ---- -For a basic usage use -r to read eeprom, -w to write eeprom. 
The -v option +For a basic usage use -r to read EEPROM, -w to write EEPROM. The -v option gives more verbosity. Read configuration: @@ -72,10 +72,10 @@ Quansheng UV-K5 EEPROM programmer v0.5 (c) 2023 Jacek Lipkowski -"I know what i'm doing" value set to 1 +"I know what I'm doing" value set to 1 ******** k5 command hexdump [obf_len:44 clear_len:36 crc_ok:1 ********** ## obfuscated ## @@ -143,13 +143,13 @@ Flasher version is: [2.00.06] The radio can also be flashed with the raw unencrypted binary. An example binary is provided in the k5_flash.raw file (this is the 2.01.23 firmware). The binary file can be specified with the -b option. -Flashing the radio requires the "i know what i'm doing value" of at least 5. +Flashing the radio requires the "I know what I'm doing value" of at least 5. ./k5prog -b k5_flash.raw -YYYYYY -F Quansheng UV-K5 EEPROM programmer v0.5 (c) 2023 Jacek Lipkowski -"I know what i'm doing" value set to 6 +"I know what I'm doing" value set to 6 ******** k5 command hexdump [obf_len:44 clear_len:36 crc_ok:1 ********** ## obfuscated ## 
@@ -190,19 +190,19 @@ simple makefile: sq5bpf@dellix:~/k5prog-0.1$ make gcc -O2 k5prog.c -o k5prog -Other POSIX platforms should work also, including MacOS X. +Other POSIX platforms should work also, including macOS. The software compiles under Cygwin/Microsoft Windows, but has not been tested. -According to the cygwin documentation you should use /dev/comX to use port comX +According to the Cygwin documentation you should use /dev/comX to use port comX (for example using com6: k5prog.exe -v -r -p /dev/com6) -If port this to another platform, or do anything interesting with this +If you port this to another platform, or do anything interesting with this software, tell me about it. ---- Other uses ---- -The file uvk5_original_eeprom.raw contains an eeprom downloaded from a UV-K5 +The file uvk5_original_eeprom.raw contains an EEPROM downloaded from an UV-K5 radio. Maybe it can be used to resurrect another radio of the same type if it was broken (perhaps by the use of this software :). @@ -226,7 +226,7 @@ The data is protected by a typical CRC-16 xmodem algorithm. The data bytes and the CRC are obfuscated by xor-in it with an 8-byte sequence. -Fortunately the eeprom data contains a lot of 0xFF and 0x00 bytes, so the XOR +Fortunately the EEPROM data contains a lot of 0xFF and 0x00 bytes, so the XOR sequence is easy to find by observing the traffic. @@ -235,7 +235,7 @@ The datagram sent from the radio is the same, but the CRC field is set to obfuscation (same as the XOR). -I intend to publish a further description of the protocol, and the eeprom +I intend to publish a further description of the protocol, and the EEPROM contents, meanwhile the sources can be used as documentation. From 83e1118a41fa6fbd1725725b6852501a0aae257a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20Roh=C3=A9e?= Date: Tue, 7 Nov 2023 13:51:15 +0100 Subject: [PATCH 5/5] typo fix --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README b/README index a01ac10..6bb2ba9 100644 --- a/README +++ b/README @@ -220,7 +220,7 @@ The format of the datagram sent to the radio is: 0xAB 0xCD len 0x00 <2 bytes CRC> 0xDC 0xBA -The length is the length od the data bytes. +The length is the length of the data bytes. The data is protected by a typical CRC-16 xmodem algorithm. The data bytes and the CRC are obfuscated by xor-in it with an 8-byte