Author Topic: Quansheng UV-K5(8) firmware modding  (Read 8138 times)

0 Members and 3 Guests are viewing this topic.

Offline radiolistenerTopic starter

  • Super Contributor
  • ***
  • Posts: 3576
  • Country: ua
Quansheng UV-K5(8) firmware modding
« on: April 23, 2024, 10:30:53 am »
just bought Quansheng UV-K5-8 radio.
I want to play with custom firmwares with AM/SSB and spectrum view.
But first I want to backup factory firmware and calibration data. But it's not clear, how to do it on linux?

I read that on windows it can be done with k5prog-win which is designed for Windows and is based on k5prog which is available on linux.

Tried k5prog:
Code: [Select]
$ ./k5prog -r -v
Quansheng UV-K5 EEPROM programmer v0.9 (c) 2023 Jacek Lipkowski <sq5bpf@lipkowski.org>

k5_prepare: try 0
cmd: 15 05 ok:1
******  Connected to firmware version: [2.01.32]
Successfully read EEPROM

It wrote k5_eeprom.raw file with size 8192 bytes. But I'm not sure is that eeprom file contains calibration data, or is it needs to be read with different command?


And I don't see the option in k5prog to read exiting firmware from radio. In documentation it has option -b to write firmware, but I want to read it from the radio. Is it possible?
« Last Edit: April 23, 2024, 10:43:42 am by radiolistener »
 

Offline radiolistenerTopic starter

  • Super Contributor
  • ***
  • Posts: 3576
  • Country: ua
Re: Quansheng UV-K5(8) firmware modding
« Reply #1 on: April 23, 2024, 11:28:44 am »
According to source code, it seems that the EEPROM size is 0x00002000 (8192) bytes.
And the last 0x00000200 (512) bytes is a calibration data block. Is it correct?

So, if I understand correctly, k5prog -r reads all EEPROM include factory calibration data and it is enough for backup. Is it correct?
« Last Edit: April 23, 2024, 11:31:17 am by radiolistener »
 

Online mag_therm

  • Frequent Contributor
  • **
  • Posts: 747
  • Country: us
Re: Quansheng UV-K5(8) firmware modding
« Reply #2 on: April 24, 2024, 06:58:27 pm »
In case you have not already,
search "Chirp" and "Quansheng UV-K5-8 firmware"
They might get you to a forum with users
 

Offline radiolistenerTopic starter

  • Super Contributor
  • ***
  • Posts: 3576
  • Country: ua
Re: Quansheng UV-K5(8) firmware modding
« Reply #3 on: April 25, 2024, 02:05:34 pm »
I was used Chirp on windows. But now I'm on linux and looking for linux software which is open source. Chirp is more general software, I want some specific for the radio to avoid a bunch of unwanted code and data.

At a glance it looks that k5prog is good enough for all modding stuff. I saved backup of EEPROM calibration data.

But I still didn't tried to flash custom firmware, because I don't know how to backup existing firmware.

It looks that there is no way to read existing firmware through baofeng cable. Is it correct?
« Last Edit: April 25, 2024, 02:08:21 pm by radiolistener »
 

Offline pienari

  • Regular Contributor
  • *
  • Posts: 88
  • Country: fi
Re: Quansheng UV-K5(8) firmware modding
« Reply #4 on: April 25, 2024, 07:51:48 pm »
Hi.
I backupped old fw of my K5.
But never going to back, new modded works so well.
There is 2 different programs, fw updater and other to add frequency etc.
I have heard Chirp works but havent tested yet.
 

Offline radiolistenerTopic starter

  • Super Contributor
  • ***
  • Posts: 3576
  • Country: ua
Re: Quansheng UV-K5(8) firmware modding
« Reply #5 on: April 25, 2024, 08:53:21 pm »
I backupped old fw of my K5.

How?

According to source code research, I can backup entire EEPROM with this command:
Code: [Select]
./k5prog -r -v
it reads 8192 (0x2000) bytes, the last 512 (0x200) contains calibration data.

At offset 0x1F40 there are 8 uint16_t values which define battery indicator values:
Code: [Select]
[0] - 0 bar value
[1] - 1 bar value
[2] - 2 bar value
[3] - 3 bar value it equals to ADC value for 7.6 V
[4] - 4 bar value
[5] - always 0x2300 ???
[6] - always 0xFFFF ???
[7] - always 0xFFFF ???
The battery voltage can be calculated as V = (760 * ADC) / [3] / 100



And I can write new firmware to the radio with this command:
Code: [Select]
./k5prog -F -YYY -b firmware.bin
Still looking for a way to get current firmware from the radio
« Last Edit: April 25, 2024, 09:07:53 pm by radiolistener »
 

Offline dobsonr741

  • Frequent Contributor
  • **
  • Posts: 688
  • Country: us
Re: Quansheng UV-K5(8) firmware modding
« Reply #6 on: April 26, 2024, 12:01:20 am »
Instead getting FW from radio you can always go the official firmware as posted on http://qsfj.com/products/3268
 

Offline radiolistenerTopic starter

  • Super Contributor
  • ***
  • Posts: 3576
  • Country: ua
Re: Quansheng UV-K5(8) firmware modding
« Reply #7 on: May 21, 2024, 07:31:01 pm »
Some update :)

Since existing tools using some dirty coded protocol with mistakes, I wrote my own tool to read/write EEPROM and upload firmware.  :)

It has more checks and detailed protocol log, so if something will going wrong you can read the log and check what is going on.

The tool supports both formats of firmware image - packed (as it come from manufacturer) and unpacked (decrypted). Also it allows to perform firmware image file conversion.

https://github.com/qrp73/K5TOOL

Regarding to my original question, it appears that currently there is no tool to read firmware from the radio. But you can find firmware image with your version on internet. In my case, 2.01.32 is available here:
https://github.com/ludwich66/Quansheng_UV-K5_Wiki/tree/main/firmware

See RT590_v2.01.32_publish.bin

The firmware and bootloader version of your radio can be checked with this command:
Code: [Select]
$ k5tool -reboot
Opening /dev/ttyUSB0
Handshake...
   Firmware:         "2.01.32"
   HasCustomAesKey:  0
   IsPasswordLocked: 0
Reboot device...
   Bootloader:       "2.00.06"
Done

Full EEPROM backup can be done with command:
Code: [Select]
$ k5tool -rdee
Opening /dev/ttyUSB0
Handshake...
   Firmware:         "2.01.32"
   HasCustomAesKey:  0
   IsPasswordLocked: 0
Read EEPROM offset=0x0000, size=0x2000 to eeprom-0000-2000.raw
   Read 0000...0080: OK
   Read 0080...0100: OK
   Read 0100...0180: OK
...
   Read 1f00...1f80: OK
   Read 1f80...2000: OK
Done

Upload firmware can be done with command:
Code: [Select]
$ k5tool -wrflash RT590_v2.01.32_publish.bin
Opening /dev/ttyUSB0
Read packed FLASH image from RT590_v2.01.32_publish.bin...
Unpack image...
CRC check passed...
Write FLASH size=0xe5dc
Waiting for bootloader beacon...
   Bootloader: 2.00.06
Send version "2.01.32"...
   Bootloader: 2.00.06
   Write 0000...0100: OK
   Write 0100...0200: OK
   Write 0200...0300: OK
   Write 0300...0400: OK
...
   Write e300...e400: OK
   Write e400...e500: OK
   Write e500...e5dc: OK
Done
« Last Edit: May 21, 2024, 07:39:19 pm by radiolistener »
 

Online nali

  • Frequent Contributor
  • **
  • Posts: 676
  • Country: gb
Re: Quansheng UV-K5(8) firmware modding
« Reply #8 on: May 22, 2024, 05:18:20 pm »
That looks like it might be fund to play with, I think I might order one...

Are they USB programmable now, or do they still need a programming cable?
 

Offline radiolistenerTopic starter

  • Super Contributor
  • ***
  • Posts: 3576
  • Country: ua
Re: Quansheng UV-K5(8) firmware modding
« Reply #9 on: May 22, 2024, 11:49:46 pm »
Are they USB programmable now, or do they still need a programming cable?

USB connector on UV-K5 is used for charge only. For programming you're needs programming cable, you can use one from Baofeng radio or just hand made by using USB-serial module, but it requires connector.
 
The following users thanked this post: nali

Offline nealix

  • Regular Contributor
  • *
  • Posts: 77
  • Country: us
Re: Quansheng UV-K5(8) firmware modding
« Reply #10 on: June 10, 2024, 10:42:53 pm »
I just received my new radio and have a related question on firmware backup, if someone knows for sure;

When Chirp saves an ".img" file with your choice of memory channels and frequencies, is that file portable
to other Quansheng UV-K5(8) radios, or just your specific one?

For example, when I flashed the IJV ver 2.9r5  3rd party Firmware, their instructions first had me use the K5prog.exe
to make a backup of the specific radio calibration data and config data.  After flashing the 3rd party firmware,
nothing in the instructions had me restore the calibration and config data.   The radio works great.
Should I assume that programs like Chirp are only writing/flashing frequencies and settings into channel memory,
and that their ".img" file does not over-write Radio Calibration and Factory Config data (like the ones we backed up)?
If that is true, then my Chirp .img file can be used for a friends UV-K5(8) with a different serial#, correct?

Thanks for any guidance, education, assistance,

Neal
 

Offline radiolistenerTopic starter

  • Super Contributor
  • ***
  • Posts: 3576
  • Country: ua
Re: Quansheng UV-K5(8) firmware modding
« Reply #11 on: June 11, 2024, 01:55:46 am »
When Chirp saves an ".img" file with your choice of memory channels and frequencies, is that file portable
to other Quansheng UV-K5(8) radios, or just your specific one?

it depends on plugin implementation. As I discovered there is often used dirty coding with mistakes.

Also note that custom firmware may overwrite some calibration data, so take calibration backup before flashing some firmware. The calibration is unique for device and if you copy it from another UV-K5 it will not be compatible and may lead to some issues, for example squelch issues, battery indicator, etc.

Should I assume that programs like Chirp are only writing/flashing frequencies and settings into channel memory,
and that their ".img" file does not over-write Radio Calibration and Factory Config data (like the ones we backed up)?
If that is true, then my Chirp .img file can be used for a friends UV-K5(8) with a different serial#, correct?

You can read calibration data with command:
Code: [Select]
./k5tool -rdee 0x1E00 0x0200 eeprom-calib.raw
it will consists calibration data only with no user settings.


then just compare these files before and after Chirp edit.
If it changed, then some calibration data was changed by Chipm.
You can convert raw calibration data file to text hex file:
Code: [Select]
xxd -c 16 -g 1 eeprom-calib.raw eeprom-calib.hex

and then use meld to compare changes before and after Chirp edit.
In that way you can find which data exactly was changed

« Last Edit: June 11, 2024, 02:05:36 am by radiolistener »
 

Offline ftg

  • Regular Contributor
  • *
  • Posts: 68
  • Country: fi
    • ftg's RF hax paeg
Re: Quansheng UV-K5(8) firmware modding
« Reply #12 on: June 11, 2024, 12:37:04 pm »
...
When Chirp saves an ".img" file with your choice of memory channels and frequencies, is that file portable
to other Quansheng UV-K5(8) radios, or just your specific one?
...

Should I assume that programs like Chirp are only writing/flashing frequencies and settings into channel memory,
and that their ".img" file does not over-write Radio Calibration and Factory Config data (like the ones we backed up)?
If that is true, then my Chirp .img file can be used for a friends UV-K5(8) with a different serial#, correct?

One can usually assume that CHIRP is only for channels.
Thus the CHIRP .csv channel file works for other K5's.

As for what firmwares are compatible with CHIRP and all that is firmware specific.
There are now separate CHIRP drivers for some alternative firmwares as those use different memory maps.

Additionally some firmwares support swapping the original 24C64 channel EEPROM to a larger one to get more channels.
Naturally that also needs support from CHIRP, if CHIRP is to be used with them.

I'm unsure what I'd do with 999 or more channels, but some folks seem to like it.

I'm mostly in it to see how much power and sensitivity I can get from the thing on 1297MHz.
 

Offline radiolistenerTopic starter

  • Super Contributor
  • ***
  • Posts: 3576
  • Country: ua
Re: Quansheng UV-K5(8) firmware modding
« Reply #13 on: June 12, 2024, 02:30:15 am »
just updated K5TOOL to version 1.4: https://github.com/qrp73/K5TOOL/releases/tag/v1.4

- fixed bash script to run it on linux from any folder
- some minor fixes
- extended max flash address to a tested value 0xf000 to support egzumer/ 1o11_fagci_spectrum_v0.6_packed.bin firmware (size=0xeff4 bytes)
- improved UV-K5 bootloader simulator, now it uses proper crc checks, better update-complete event detection

Now it supports firmware size up to 0xf000 bytes. Tested, works ok :)


You can simulate UV-K5 bootloader with this command:
Code: [Select]
$ ./k5tool -port /dev/ttyUSB1 -simula

where "/dev/ttyUSB1" is a port name which is used as device simulator.

You can use it for testing different firmware updater software. Just put two USB-serial dongles and wire it for loopback (TX-RX, RX-TX, GND-GND). Then start k5tool -simula on one port and run firmware uptate software on second port.


PS: during testing K5TOOL I also tested web updaters whosmatt/uvmod and it's fork egzumer/uvtools and found that these updaters sending incorrect frame size to the radio during firmware update process. So, be careful when using web updaters, it may upload corrupted firmware to the radio. K5TOOL and k5prog don't have this issue, they sending correct frame size, the same as original firmware updater.



 
« Last Edit: June 12, 2024, 12:06:49 pm by radiolistener »
 
The following users thanked this post: nnixralaer


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf