Skip to content
This repository has been archived by the owner on Apr 10, 2024. It is now read-only.

Latest commit

 

History

History
36 lines (29 loc) · 2.29 KB

k5_v2.01.19_mod_TX_50to850mhz.bin.md

File metadata and controls

36 lines (29 loc) · 2.29 KB

Same as k5_v2.01.19_mod.bin, but allows transmission between 50 and 850 MHz.

WARNING WARNING WARNING

PLEASE do not blame me if you burn the finals on your radio, get imprisoned for illegally transmitting on military or aeronautical frequencies, or cause a thermonuclear war. This modification is UNTESTED and is for RESEARCH PURPOSES ONLY, to explore the capabilities of the device and its chipset. DO NOT transmit on illegal frequencies. DO use a dummy load. DO report results, preferably spectrum analyzer screenshots, to this repo for research. The author(s) and contributor(s) of this repository are NOT liable for any damages, litigation, or other consequences of the misuse of this research firmware and do not accept any culpability. By installing any firmware from this repository, you accept full responsibility for any consequences that may arise.

TX MOD Description

@0x1df2: cf 2a -> 5D e0

at address @0x1DE8 starts function which check current frequency range and check if you can transmit here or not. Function is totally bypassed by inserting jump to end of function at the beginning.

ROM:00001DE8 F0 B5                   PUSH    {R4-R7,LR}
ROM:00001DEA 01 46                   MOV     R1, R0
ROM:00001DEC 82 7F                   LDRB    R2, [R0,#0x1E]
ROM:00001DEE 00 20                   MOVS    R0, #0
ROM:00001DF0 C0 43                   MVNS    R0, R0
ROM:00001DF2 CF 2A                   CMP     R2, #0xCF            ; PATCH HERE, 5D E0 opcode result in:  B  loc_1EB0
ROM:00001DF4 2F D2                   BCS     locret_1E56
ROM:00001DF6 2F 4A                   LDR     R2, =byte_20000369
ROM:00001DF8 49 69                   LDR     R1, [R1,#0x14]
ROM:00001DFA 12 78                   LDRB    R2, [R2]
ROM:00001DFC 09 68                   LDR     R1, [R1]
ROM:00001DFE 2E 4B                   LDR     R3, =0xFF244600
...
ROM:00001EA8 17 49                   LDR     R1, =byte_200003DD
ROM:00001EAA 09 78                   LDRB    R1, [R1]
ROM:00001EAC 01 29                   CMP     R1, #1
ROM:00001EAE E4 D1                   BNE     locret_1E7A
ROM:00001EB0 00 20                   MOVS    R0, #0              ; after patch it jumps directly here
ROM:00001EB2 F0 BD                   POP     {R4-R7,PC}