
PRC-730 Hacking Part 2

This one will be short as I don’t have a lot of time and there isn’t much to report. I have been able to identify the EPROM checksum routine and was able to trace where the frequency entry code checks the entered frequency for correct range.

Thus, I was able to patch the bounds checking routine as well as the checksum to get this when entering 28 MHz:

Looks good as a first step!

Unfortunately, after several seconds I get this:

So there is a second bounds check. Tomorrow I will try and trap on that message to find where that code is and do another patch.

At least I have verified that I found the data entry bounds checking code and know how to patch the checksum to not produce a BITE error.
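The checksum part of that patch, as an added example rather than anything from the original post: the post does not say which algorithm the radio's BITE test uses, so this assumes a plain 8-bit additive "sum to zero" check over the 64 KiB 27C512 image; the image contents, the offset of the lower-limit byte and the spare byte used to absorb the difference are all constructed for the example.

```python
from typing import Dict

IMAGE_SIZE = 0x10000     # 27C512: 64 KiB x 8
LIMIT_OFFSET = 0x1234    # constructed: where the lower-limit byte lives
SPARE_OFFSET = 0xFFF0    # constructed: an unused byte in erased (0xFF) padding


def checksum8(image: bytes) -> int:
    """Modular 8-bit sum of every byte, a simple BITE-style ROM test."""
    return sum(image) & 0xFF


def bite_passes(image: bytes) -> bool:
    """Assumed self-test convention: the image must sum to zero mod 256."""
    return checksum8(image) == 0


def make_image() -> bytes:
    """Build a constructed 64 KiB image whose checksum8 is zero."""
    img = bytearray((i * 7 + 3) & 0xFF for i in range(IMAGE_SIZE))
    img[LIMIT_OFFSET] = 30                  # constructed lower limit, 30 MHz
    img[0xF000:] = b"\xff" * 0x1000         # erased tail, like unused EPROM space
    img[SPARE_OFFSET] = 0
    img[SPARE_OFFSET] = (-checksum8(img)) & 0xFF
    return bytes(img)


def patch_and_rebalance(image: bytes, patches: Dict[int, int], spare: int) -> bytes:
    """Apply byte patches, then adjust one spare byte so checksum8 is unchanged.

    An additive checksum only detects accidental corruption: any edit can be
    cancelled by a compensating change elsewhere, which is exactly what this
    does. Picking the spare byte inside erased 0xFF padding means the new
    value is reachable by programming alone (EPROM programming only clears bits).
    """
    if spare in patches:
        raise ValueError("spare byte must not overlap a patch")
    target = checksum8(image)
    out = bytearray(image)
    for off, val in patches.items():
        out[off] = val & 0xFF
    # Shift the spare byte by the difference the patches introduced.
    out[spare] = (out[spare] + target - checksum8(out)) & 0xFF
    assert checksum8(out) == target
    return bytes(out)
```

The same rebalancing works for a 16-bit or word-wise additive sum; a CRC needs the CRC polynomial and a different fix-up, and a cryptographic digest or signature cannot be rebalanced this way at all.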

So far, promising, and progress.

PRC-730 Hacking part 1

I ended up with an interesting little VHF low band transceiver made by Tadiran:

The frequency range is 30.000 to 87.975 MHz, FM wide or narrow band.

The radio seems to operate as intended.

But it’s boring to have it only cover the 6 meter band. I wonder if it can be made to go down into the 10 meter band? The first step would be to change the lower frequency limit in firmware from 30 to 28 MHz.

So I opened it up and looked for the control processor. Found this:

Processor is a 80C188EB. Like the PRC-2200 made by Tadiran, the EPROM chip only has the four corner pins soldered with the rest in mini sockets.

I removed the EPROM and read it on a programmer. Then I started analyzing using Ghidra. One of the first things I look for is ASCII messages, as these can sometimes lead to hidden features. I did find a lot of strings, but very strangely there were long messages which looked like they were for some kind of debugging work.

Then going through the startup code I saw that the area where these messages were was in an area of ROM that wasn’t mapped as active! And there were no ASCII messages, like are seen in normal operation, anywhere in the EPROM! That’s when it dawned on me there may be another processor in this radio.

Sure enough, on another board I found this:

This one is a NSC800D, which is like a Z80. Same deal with the EPROM pins so I removed it and read it on a programmer. 27C512 part.

Loading into Ghidra showed all the messages you would see in normal radio operation so this is the correct processor to start my hacking with.

By the way, I found this in the code:

I was able to locate Michael Rapoport but he has not responded to my inquiries. I wanted to tell him I found his little comment.

Even with Ghidra it is not easy to reverse engineer code so I like to trace code execution using a logic analyzer. I use a huge, noisy and heavy HP 16702B. It is an old beast but quite capable and was a steal at around $200 for analyzer and a bunch of cards and cables.

Hooking up to the microprocessor bus can be a challenge and I have worked out a quick hack which not only solves that but helps later on when I want to try different patches to the EPROM. I make an extender for the EPROM itself, like this:

I use a ZIF socket so it is easy to put different chips in and 0.025″ headers wired to each pin for connecting the logic analyzer. Here’s how it looks once connected to the analyzer pods:

Now I can watch as code is executed. The analyzer setup looks like this:

What I am doing is looking at the EPROM address and data lines and triggering each time the chip select goes inactive after being asserted. This shows me every EPROM read, whether code or data.

My next step was to set the trigger on address 0000, as this is the processor reset vector. This will allow me to quickly find the EPROM checksum test, and I will need to understand that before making any patches.

After that I found the address of the INV FREQ message which is displayed when I try to enter 28.0000 MHz. I set the analyzer to centre its 2 million address-read capture memory on the trigger, which fires on seeing address C15E, the address of the message. Note that the analyzer needs to be armed for capture AFTER the radio boot-up, as otherwise the analyzer will trigger on the EPROM checksum routine scanning through the ROM.

Both captures were made and a quick look shows they make sense and are good.

The second trace is extremely useful in that it tells me many things:

  1. I now know where the routine to display messages is and how it works. This tells me how the display is addressed, which helps fill out the hardware addressing puzzle.
  2. I can see how the message display routine is called especially the argument which is the message pointer. I can now backtrack to every place which calls this routine and by looking at the messages, I can get a good idea of what each section of code does.
  3. In this case, I can backtrack to the keypad entry routine and see how that is addressed. This is helpful to further solve the hardware interface puzzle and if I ever want to modify the keypad routine.
  4. And finally, this will lead me to where the 28.000 I entered was compared to the lower limit of 30.000 and rejected. Now it will be easy to change.

All for part 1 of this adventure. Analysis follows.

Peter

ASN-109 Inertial Navigation Unit

Update: If you look carefully you will notice I was disassembling the backplane wiring. This was actually being done on a separate, scrapped unit. I still have the fully intact IMU in the photos.

The reason I was removing wires is because there is virtually no information or documentation available for this unit. The Technical Orders (manuals) are not released to the public. Since the wiring is extremely dense and in layers, the only way for me to trace it out and reverse engineer this unit is to carefully remove each wire and mark what it connects to.

You may consider this insane and hopeless, but at this point I am able to power up the unit, get the gyros to spin, the platform to erect and respond to movement and see data output. I found a photo of the control head and have identified (sort of) how it interacts with the unit at a high level. Next I will start the ALIGN process where the unit carefully measures accelerations from the stabilized platform to determine the unit orientation in reference to true north. Apparently this can take 15 minutes and I will monitor the completion signal “Ready to Nav”.

The data buses will take some work to figure out as the unit does not just spit out all the internal data, you have to request it. There are no microprocessors in this thing, it is just a large collection of state machines with logic that resembles the backplane wiring – spaghetti. I do see 3 phase roll and pitch synchro outputs and can even drive a small 26 volt synchro and have it move when I pick the IMU up and move it about.

Powering this thing was a little bit of a challenge. It needs 120 volts 400 Hz 3 phase power. I tried; you can’t get away (at least not easily) with running it on single-phase 400 Hz, even though the gyros and all electronics run from a switching power supply fed by 32 volts DC rectified from the 3 phase, because some reference signals are derived from the phases.

I have an old 750 VA 3 phase inverter. Hooked it up with a 30 amp 28 volt DC supply and it promptly fried one of the power bridges. Big germanium transistors! I eventually troubleshot it to the startup surge taking enough current to collapse the DC supply and the low input voltage to the inverter was what killed it. Now I have two big supplies feeding into the inverter and it runs well.

To start the IMU, first I turn on the 3 phase power. Then I momentarily apply 28 volts DC to a pin and the internal power relays pull in and latch. There is an input line which must be grounded to enable gyro spin (this seems to be the standby/operate line from the control head). After about 45-60 seconds the gyros stabilize and the platform is enabled and erects itself.

I have identified the ALIGN input which causes a precision leveling of the platform and precise measurement to determine earth’s rotation and hence true north. That will be next and I watch for a signal which indicates completion.

By the way, the mating connectors were a challenge to find as they are a discontinued size and contact configuration. I finally found someone who could identify them and supply them at surplus prices (both normal and A rotation, too!).

PRC-104 large battery box project

The PRC-104 is an interesting portable radio. Some complain it is hard to repair, but fortunately they are pretty reliable if they are working, and extremely rugged.

There are two battery boxes, a small one which you can put your own cells or small pack into, and the larger pack which takes the standard BB-390 batteries. It is designed with a charger circuit for those packs with an external connector.

The problem is that while the case will take modern BB-2590 batteries, those have a higher fully charged voltage than the radio can work with, and this could damage the RT power supply.

I decided to use a cheap Chinese buck-boost DC-DC converter to solve this problem and another one, the lack of ability to run the 104 from a 12 volt supply. Here I removed the original (useless) BB-390 charger and have the DC-DC mounted on a small piece of fiberglass.

This is a difficult install. This DC-DC is just a tad too long to fit and the case needs some modification internally. I think if you just decide to drill more holes in the aluminum plate you could dispense with the intermediate fiberglass board and it would work out better.

The switch has two functions: one, to select batteries or external power as the source, and two, to disconnect the DC-DC from the batteries to eliminate the 32 mA idle drain when not using the set. I set the DC-DC output to 26.0 volts. The output is steady from 8 to 35 volts input (the LTC3760 chip is rated for a max of 36 volts).

Here it is all finished:

I wired a cigarette lighter plug to the external connector. It works very well; here it is running on 13.6 volts:

The drain is 422 mA with the RT in receive.

Here is the display during this test:

During transmit into a dummy-load wattmeter the voice peaks look good at close to 20 watts, and the current peaks (using the larger power supply below the digital one above, because of the current requirements) show at about 4.5 amps on the analog meter.

I tried the radio in my car and it works great.

The advantage of this DC-DC is that it is under $12 shipped and based on a great LTC part.

I checked for RFI and found I could hear weak birdies with the antenna terminated that varied with DC input voltage. However, the levels are low enough that as soon as an antenna is connected there is no way they could be heard.

Comments

Sadly, I am forced to shut off comments on my postings. Even with spam filtering add-ons I am getting 5-8 spam comments every day and I’m tired of having to delete them.