Saturday, June 27, 2009

Motorola Two Way Radio Secrets

We all know about the Shift-key trick for programming out-of-range frequencies into the radios (hold down the Shift key and type the frequency, release it to type the decimal point, then hold it down again and finish typing the frequency). The following is something completely different.

This is intended for people who already know how to program this type of radio; a little knowledge of hex is required.

In this file I will pass on some information I have gathered over the past years. Some of it I was told and some I found out myself. As an example I will be using the GP300 software. You will need the following:
1. The Motorola software (RSS) for programming the GP300 radios
2. The RIB (radio interface box)
3. The proper cables
4. A good hex editor, one that can compute checksums
5. A radio to test on (preferably not yours)
6. Plenty of coffee to help you stay awake

Before starting, run your software, read the radio and save the file to disk. Make backups of the software as well as of the file you just saved.

I will refer to this file as the "radio's codeplug data file".

* First I need to tell you a little about how I think the software works.

The Motorola software reads the radio's information (the codeplug data) and lets you make changes. This information includes the radio's serial number, model number, ROM version number, and the channel information (frequencies, signalling, etc.). Once you have read a radio you could change the model number or serial number and reprogram the radio to add channels, signalling and so on, but Motorola has taken several precautions so that this cannot easily be done.

This is what I have found out:

1. When first reading the radio, the software compares the radio's model number against a list of models in a file called gp300.mdf (master database file). That file tells the program whether the radio is VHF or UHF, which range of frequencies may be programmed, how many channels the radio is allowed (2, 4, 8, 16, etc.), and how many watts of output power it has. It also performs a checksum to verify that the information is okay.

2. When saving the information to disk, the program encrypts it so you cannot change it in any way, and when reading it back from disk it checks a checksum to make sure the file was not tampered with.

* The first thing you need to do is disable the encryption when writing to disk. This lets you look at the radio information file that was written to disk and make the changes you like.

1. Get a good hex editor, one that computes checksums, like Hex Workshop. You are going to have to modify the exe file. Since there are many versions of the programming software, each one has different addresses that need to be changed. I'll tell you what to look for and you will have to find them yourself.

2. All GP300 radio models start with 14 (hex) and P110 models with 1C (hex), so run the hex editor, load gp300.exe and look for occurrences of 14 74 and 1C 74. This is where the program decides whether the information will be encrypted.

In the GP300 software version I have (R05.03.00, 20-AUG-93) the addresses to change are 6E8F and 6E9D. Once you find them, change the 14 and the 1C to something else, like FF or 00; the 74 that follows stays as it is. This lets you write the radio's codeplug data to disk without encryption. In the P110 software version I have (R08.00.00, 08-FEB-96) the address to change is 7031; change the 1C there to FF.

Note from Batwing: In version R.05.00.00 the addresses are 6D9F and 6DAD. Test run the program and try saving some files and exiting; we have found that depending on what you change the 1C74 and 1474 to, the program crashes. In R.05.00.00, try replacing the specified addresses with 1C1C and 1414, respectively. We have been told that changing the addresses to FF74 and FF74 should work as well. If you are looking for the strings to change in a different version of the GP300 RSS, look for the first instance of 1474 and 1C74 after the Copyright statement near the beginning of the exe file; these will be the locations you need to change.
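An added example, not part of Hoffis's file or Batwing's note: a small Python script that applies the search rule just given (first 14 74 and first 1C 74 after the Copyright string) to a copy of gp300.exe, checks that the bytes it is about to overwrite are the ones it matched, and writes a patched copy. It does not know the real offsets for any version; it finds them from the bytes and refuses to guess when the pattern is absent. The sample image at the bottom is constructed for the demonstration, not bytes from the real executable. (The 74 that follows the model byte is the x86 short jump-if-equal opcode, which fits a compare on the model byte followed by a branch; that is my reading of the pattern, not something the original states.)

```python
# Added example (not from Hoffis's file or Batwing's note): locate the two
# model-byte compares in a GP300/P110 RSS executable and neutralise them.
# Search rule is the one given above: the first "14 74" and the first "1C 74"
# after the Copyright string near the start of the .exe.  Nothing here knows
# the real offsets; it derives them from the bytes.  Only ever run it against
# a backup copy of gp300.exe.
from __future__ import annotations
from pathlib import Path

COPYRIGHT = b"Copyright"
MARKS = {"gp300": b"\x14\x74", "p110": b"\x1C\x74"}   # model byte, then 0x74


def find_model_checks(exe: bytes) -> dict[str, int]:
    """Offsets of the first 14 74 and 1C 74 that follow the Copyright string.

    Earlier occurrences (before the copyright) are ignored on purpose: they
    are not the compares we are after.
    """
    start = exe.find(COPYRIGHT)
    if start < 0:
        raise ValueError("no Copyright string: search rule does not apply to this file")
    offsets = {}
    for name, mark in MARKS.items():
        off = exe.find(mark, start)
        if off < 0:
            raise ValueError(f"pattern {mark.hex()} not found after Copyright")
        offsets[name] = off
    return offsets


def patch_model_checks(exe: bytes, gp300_new: bytes = b"\xFF\x74",
                       p110_new: bytes = b"\xFF\x74") -> tuple[bytes, dict[str, int]]:
    """Return (patched image, offsets changed).

    Defaults follow Hoffis (model byte -> FF, the 74 left alone); pass
    gp300_new=b"\\x14\\x14", p110_new=b"\\x1C\\x1C" to try Batwing's variant.
    """
    offsets = find_model_checks(exe)
    buf = bytearray(exe)
    for name, off in offsets.items():
        new = {"gp300": gp300_new, "p110": p110_new}[name]
        if len(new) != 2:
            raise ValueError("replacement must be exactly two bytes")
        assert buf[off:off + 2] == MARKS[name]   # sanity: still the bytes we matched
        buf[off:off + 2] = new
    return bytes(buf), offsets


def patch_file(src: Path, dst: Path, **kw) -> dict[str, int]:
    """Patch src into dst (never in place); returns the offsets that were changed."""
    patched, offsets = patch_model_checks(src.read_bytes(), **kw)
    dst.write_bytes(patched)
    return offsets


# Constructed stand-in for gp300.exe: a decoy "14 74" before the copyright that
# must be skipped, then the two real patterns.  Filler bytes are not real code.
SAMPLE_EXE = (
    b"MZ" + b"\x00" * 14
    + b"\x14\x74"                      # decoy at 0x10: before Copyright, ignored
    + b"\x00" * 8
    + b"Copyright (c) Motorola"        # search starts here (0x1A)
    + b"\x00" * 4
    + b"\x3C\x14\x74\x10"              # 14 74 at 0x35
    + b"\x00" * 7
    + b"\x3C\x1C\x74\x10"              # 1C 74 at 0x40
    + b"\x00" * 16
)

if __name__ == "__main__":
    patched, where = patch_model_checks(SAMPLE_EXE)
    for name, off in where.items():
        print(f"{name}: {SAMPLE_EXE[off:off + 2].hex()} -> "
              f"{patched[off:off + 2].hex()} at 0x{off:04X}")
```

Use patch_file(Path("gp300.exe.bak"), Path("gp300.exe")) on a backup; if a given replacement makes the program crash on save, as Batwing reports for some values, re-run with a different pair rather than editing the patched file again, since the sanity assert only recognises the original bytes.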

3. Now you can read a radio and write the information to disk. Run the hex editor and load the file with the radio's codeplug data (its name is the same as the radio's serial number). The first thing you will see in the saved codeplug file is the serial number of the radio.

The radio's model number starts at address 0B, and address 0F holds the ROM version number of the radio. If the version is 02 or less, the radio will accept changed codeplug data without any problems.

Here is an example (serial number at 0000-0009, model number at 000B-000C, ROM version at 000F):

address   serial number                   model #    version #
0000      31 32 33 46 54 4E 31 32 33 34  00  52 1C  04 01  02
0010      00 2E

The program performs a checksum-16 over addresses 0000 to 0011 inclusive (a plain sum of the bytes, as your hex editor computes it). The checksum must come to 0300 (read the help file for your hex editor to find out how to compute a checksum over a range). Note that the sample header above, with its placeholder serial number, does not actually sum to 0300 as printed, so work from the bytes you read from your own radio, not from this example.

To change this radio into a 16-channel GP300, modify the 52 1C at 000B (a P110 hex model number) to 03 14 (a GP300 hex model number; remember the codeplug stores the two model bytes in the reverse of the MDF order), then compute the checksum from 0000 to 0011 and modify address 0011 so that the checksum equals 0300. (If you make a mistake, read the radio again, save the file to disk and start over.) Save the file to disk and run the software. Load the file with the Motorola software and program the radio.
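An added example, not Hoffis's code: a Python helper that parses the header layout just described, recomputes the 0000-0011 checksum-16 and rewrites byte 0011 to bring it to 0300, using the sample header printed above as constructed input. The field offsets are the ones the text gives; the names are mine. Because that sample sums to 02EB as printed, the rebalance step changes its byte 0011, which is also the behaviour you want on a real read: never trust the existing 0011, always recompute it after changing the model bytes.

```python
# Added example, not Hoffis's code: read and rewrite the header of a saved
# codeplug file using the layout given above (serial at 0000-0009, model at
# 000B-000C stored byte-swapped relative to GP300.MDF, ROM version at 000F,
# 16-bit byte sum over 0000-0011 that must come to 0300, balanced via 0011).
SERIAL = slice(0x00, 0x0A)
MODEL = 0x0B        # two bytes, swapped relative to the MDF
ROM = 0x0F
FIXUP = 0x11        # the byte you adjust to hit TARGET
HEADER_END = 0x12   # the sum covers 0000..0011 inclusive
TARGET = 0x0300


def checksum16(data: bytes) -> int:
    """Checksum-16 as a hex editor computes it: sum of the bytes, modulo 2^16."""
    return sum(data) & 0xFFFF


def parse_header(cp: bytes) -> dict:
    if len(cp) < HEADER_END:
        raise ValueError("file too short to be a codeplug")
    return {
        "serial": cp[SERIAL].rstrip(b"\x00").decode("ascii", "replace"),
        "model": bytes((cp[MODEL + 1], cp[MODEL])),   # reported in MDF byte order
        "rom": cp[ROM],
        "sum": checksum16(cp[:HEADER_END]),
        "sum_ok": checksum16(cp[:HEADER_END]) == TARGET,
    }


def rebalance(cp: bytes) -> bytes:
    """Set byte 0011 so the header sums to 0300; refuse rather than overflow."""
    buf = bytearray(cp)
    need = TARGET - sum(buf[:FIXUP])
    if not 0 <= need <= 0xFF:
        raise ValueError(f"cannot reach {TARGET:04X} with one byte (need {need}); re-read the radio")
    buf[FIXUP] = need
    return bytes(buf)


def set_model(cp: bytes, mdf_model: bytes) -> bytes:
    """Write a model id given in MDF order (e.g. 14 03) the way the codeplug stores it (03 14)."""
    if len(mdf_model) != 2:
        raise ValueError("a model id is two bytes")
    buf = bytearray(cp)
    buf[MODEL], buf[MODEL + 1] = mdf_model[1], mdf_model[0]
    return rebalance(bytes(buf))


# The header exactly as printed above: placeholder serial "123FTN1234",
# P110 model 1C 52 (stored 52 1C), ROM version 02.
SAMPLE_HEADER = bytes.fromhex("31 32 33 46 54 4E 31 32 33 34 00 52 1C 04 01 02 00 2E")

if __name__ == "__main__":
    print(parse_header(SAMPLE_HEADER))            # sum is 02EB as printed, not 0300
    gp300 = set_model(SAMPLE_HEADER, b"\x14\x03")
    print(parse_header(gp300), gp300.hex(" "))    # model 14 03, byte 0011 now balances to 0300
```

On a real codeplug file you would read the whole file, pass it through set_model, and write the result back; only the first 0x12 bytes are touched, so the rest of the codeplug is carried through unchanged.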

The newer radios cannot be modified this way, BUT if you modify the MDF file you can make changes to some of the newer radios.

Now lets take a look at another very interesting file called GP300.mdf

This is where all the model numbers are stored. For each model it also holds information like how many channels, what range of frequencies, how many watts of output power, and so on.

* The gp300.mdf file is probably the most useful file. It contains the information about all the models. You can change it to allow all models to have 16 channels. You can even change your radio's model number to a number not on the list, change the radio's codeplug data to that same non-existent model number, and you have yourself an Electronic Lock: if someone tries to read your radio with the stock software they get an Error 21, radio not supported. So let's get started.

1. The first thing you must do is a checksum of the complete file. WRITE IT DOWN; you are going to need it if you make any changes. I got a checksum-16 of 3620.

If you make any changes and fail to leave the checksum the same, the program will not work and will be useless. Don't forget to back up all your files. When making changes, use the trash at the beginning of the file (the text strings) to bring the checksum back to the same value it had when you started.

Example: Standard, Radius, MaxTrac, etc.

Change bytes in these to add to or subtract from the checksum so that you can leave it the same.

2. Let me show you a model number in hex format:

14 00 19 50 39 33 59 50 43 32 30 4C 41 42 5F 03 00 10 05 27 40

- 14 00: the hex model number. GP300 models start with 14 and P110 models with 1C.
- 50 39 33 59 50 43 32 30 4C 41 42 5F: the model name, P93YPC20LAB_, in hex (ASCII).
- 03: the frequency range. 03 is VHF 150-170, 04 is VHF 170-190, 05 is UHF 450-470, more or less.
- 10: how many channels. Remember these are hex values: 10 hex = 16 channels. (This is very important. If you change all of the models to 10, every radio read with this software will be recognised as a 16-channel radio.)
- 05: how many watts of power: 04 for UHF and 05 for VHF.

3. In gp300.mdf the model numbers appear as 14 01, 14 02, 1C 53, etc., but in the radio's codeplug data they are inverted: 01 14, 02 14, 53 1C, etc.

4. The models start at address 05DE. That is where 14 01 starts.

5. In this example I am going to modify the file to allow me to program 16 channels into an 8-channel radio.

* Get a checksum. I got a checksum of 3620 from address 0000 to 14D5 (the entire file).

* Write it down. When you are working late at night you might forget to, and if you make any changes and leave the wrong checksum, the program will run no more.

* Go to address 0815 to modify model P94YPC20D2 from 8 to 16 channels.

* Change the byte that says 8 channels (08) to 16 channels (10):

before: 14 1B 19 50 39 34 59 50 43 32 30 44 32 5F 5F 05 1B 08 04 A7 40
after:  14 1B 19 50 39 34 59 50 43 32 30 44 32 5F 5F 05 1B 10 04 A7 40

Remember, in hex 10 = 16 channels.

* Do another checksum and compare it with the first. I got 3628, a difference of +8 (10 hex minus 08 hex).

* Make the necessary changes at the beginning of the file to return the checksum to the value it had before the changes. I used address 004E and changed it from 78 to 70, which is -8.

* Get another checksum; it should give you the original value. I got 3620.

* Save the file to disk and run the program. It will allow you to add up to 16 channels.

Try this with all the models and see how many of your radios work with 16 channels. The radio is still an 8-channel radio if read using someone else's program, but for your program it is a 16-channel radio.

6. Remember what I said about the Electronic Lock? Well, in the above example also change the model number from 14 1B to 1B 14:

before: 14 1B 19 50 39 34 59 50 43 32 30 44 32 5F 5F 05 1B 08 04 A7 40
after:  1B 14 19 50 39 34 59 50 43 32 30 44 32 5F 5F 05 1B 10 04 A7 40

And in the radio's codeplug data change the model number at address 000B from 1B 14 to 14 1B.

Since I only swapped the two model bytes, the sum of the bytes is unchanged and I do not need to redo the checksum.

If you choose a different model number you will need to do a checksum of the radio's codeplug data from address 0000 to 0011 and change address 0011 so that the checksum is 0300. Note: the radio's codeplug data is saved in a file, probably in the /mrss/gp300/archive directory, named after the serial number of the radio.
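An added example (not Hoffis's code) covering steps 5 and 6 together: a Python helper that locates a model record in GP300.MDF by name, changes its channel byte, swaps its two model-id bytes for the Electronic Lock, absorbs any checksum-16 delta in one byte of the trash before the record table (004E, as used above), and writes the swapped id into the codeplug header. The 21-byte record layout and the field names are inferred from the two records printed above and are my assumption; the first-record address 05DE and the checksum rule are from the text. The MDF image and codeplug header at the bottom are constructed stand-ins, not real files.

```python
# Added example, not Hoffis's code: patch a model record in GP300.MDF and keep
# the file's checksum-16 unchanged, then do the Electronic Lock swap in both the
# MDF record and the codeplug header.  The 21-byte record layout is inferred from
# the two records printed above (id 2 bytes, 19, 12-char name padded with '_',
# band, one unknown byte, channel count, power, two trailing bytes); the field
# names are mine, and the first record is at 05DE as the text states.
RECORD_LEN = 21
FIRST_RECORD = 0x05DE
NAME_OFF, NAME_LEN = 3, 12
BAND_OFF, CHAN_OFF, POWER_OFF = 15, 17, 18
BANDS = {0x03: "VHF 150-170", 0x04: "VHF 170-190", 0x05: "UHF 450-470"}  # per the text, "more or less"
CP_MODEL = 0x0B   # model id in the codeplug header, byte-swapped relative to the MDF


def checksum16(data: bytes) -> int:
    return sum(data) & 0xFFFF


def record_offset(mdf: bytes, name: str) -> int:
    """Offset of the record whose 12-byte name field matches (padded with '_')."""
    key = name.encode("ascii").ljust(NAME_LEN, b"_")
    hit = mdf.find(key, FIRST_RECORD)
    if hit < 0:
        raise KeyError(f"model {name} not in MDF")
    return hit - NAME_OFF


def parse_record(mdf: bytes, off: int) -> dict:
    r = mdf[off:off + RECORD_LEN]
    return {"model": r[0:2],
            "name": r[NAME_OFF:NAME_OFF + NAME_LEN].decode("ascii").rstrip("_"),
            "band": BANDS.get(r[BAND_OFF], f"unknown {r[BAND_OFF]:02X}"),
            "channels": r[CHAN_OFF], "power": r[POWER_OFF]}


def patch_record(mdf: bytes, name: str, *, channels=None,
                 swap_model: bool = False, filler: int = 0x4E) -> bytes:
    """Change a record, then absorb the checksum delta in one byte of the text
    'trash' before the first record (Hoffis used 004E) so the whole-file
    checksum-16 is unchanged.  Refuses a filler inside the record table."""
    if not 0 <= filler < FIRST_RECORD:
        raise ValueError("filler byte must lie before the record table")
    before = checksum16(mdf)
    buf = bytearray(mdf)
    off = record_offset(mdf, name)
    if channels is not None:
        if not 1 <= channels <= 0xFF:
            raise ValueError("channel count is one byte")
        buf[off + CHAN_OFF] = channels
    if swap_model:
        buf[off], buf[off + 1] = buf[off + 1], buf[off]   # a swap changes no sum by itself
    delta = sum(buf) - sum(mdf)                # signed, e.g. +8 for 08 -> 10
    new = buf[filler] - delta
    if not 0 <= new <= 0xFF:
        raise ValueError(f"filler byte {filler:04X} cannot absorb {delta:+d}; pick another")
    buf[filler] = new
    assert checksum16(buf) == before
    return bytes(buf)


def lock_codeplug(cp: bytes, mdf: bytes, name: str) -> bytes:
    """Make the codeplug header carry the model id now in the MDF record.
    The codeplug stores the id reversed, so a record id 1B 14 is written 14 1B."""
    model = mdf[record_offset(mdf, name):][:2]
    buf = bytearray(cp)
    buf[CP_MODEL], buf[CP_MODEL + 1] = model[1], model[0]
    return bytes(buf)


# Constructed GP300.MDF stand-in: the two records printed above, with 26 dummy
# records between them so P94YPC20D2 lands at 0815 (0815 - 05DE = 27 * 21).
_prefix = bytearray(FIRST_RECORD)
_prefix[0:23] = b"Standard Radius MaxTrac"
_prefix[0x4E] = 0x78
_dummy = b"\x14\x02\x19" + b"DUMMY".ljust(NAME_LEN, b"_") + b"\x03\x00\x08\x05\x00\x00"
SAMPLE_MDF = (bytes(_prefix)
              + bytes.fromhex("14 00 19 50 39 33 59 50 43 32 30 4C 41 42 5F 03 00 10 05 27 40")
              + _dummy * 26
              + bytes.fromhex("14 1B 19 50 39 34 59 50 43 32 30 44 32 5F 5F 05 1B 08 04 A7 40"))
# Constructed codeplug header for an 8-channel P94YPC20D2 (model stored as 1B 14).
SAMPLE_CP = bytes.fromhex("31 32 33 46 54 4E 31 32 33 34 00 1B 14 04 01 02 00 2E")

if __name__ == "__main__":
    mdf16 = patch_record(SAMPLE_MDF, "P94YPC20D2", channels=16)    # 08 -> 10, 004E 78 -> 70
    locked = patch_record(mdf16, "P94YPC20D2", swap_model=True)    # 14 1B -> 1B 14, no delta
    print(parse_record(locked, 0x0815), checksum16(locked) == checksum16(SAMPLE_MDF))
    print(lock_codeplug(SAMPLE_CP, locked, "P94YPC20D2")[0x0B:0x0D].hex())   # 141b
```

The whole-file checksum stays the same because the delta is pushed into a byte you choose; the function refuses a filler byte that would underflow or overflow, which is exactly the case where you should pick another byte of the text at the start of the file. The codeplug side of the lock needs no rebalancing because swapping two bytes leaves the header sum alone; if you pick a brand-new model id instead, rebalance byte 0011 to 0300 as in the codeplug section above.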

Now run your modified gp300.exe and load the modified file for your radio, the one with the codeplug data you just edited.

Now program the radio. You now have an Electronic Lock in your radio.

If you lose your radio, no one will be able to read, program or adjust it with the regular software. You NEED your modified software to read that radio.

I don't recommend sending the radio to Motorola like this if it later needs repair, since they are likely to confiscate it.

If you need more information about this, post a note to alt.2600 or alt.hacker with the subject line "Looking for Hoffis" and I will get in touch with you. Don't forget to mention my name in the post.

Well, that's all for now. I plan on making a more detailed FAQ, but since there are some things I still haven't found out, I will wait until then to release the complete thing.

I know this doesn't work on ROM version 3 radios, but I have seen it work on some ROM version 4 radios.

This is what I am trying to find out :

* What address of the exe file does the comparing to see if the checksum is correct?

* What address of the exe file does the comparing to see if the radio's serial number matches ?

* What address of the exe file does the comparing to see if the radio's models are the same when cloning your radio ?

If you have worked with these programs, let me know what you have come up with. If you have some programs you would like to share, or other information, use the above method to post a note.