Posts posted by jlag

  1. On 5/12/2021 at 9:05 AM, Lscott said:

    I don't know about Vertex or Motorola radios how the frequency range is verified, but with Kenwood I do. Maybe Vertex or Motorola radios are similar.

    The radio programming software reads the code plug which has the radio's model number and sub type embedded in it. When the software tries to write the code plug to the radio it first queries the radio for model and sub-type. If the two don't match the software generates an error message. One version of the software with the license key I used for installation even offered to let me change the "market code" changing a radio from a European or Asian model to a US type! The service manual claimed if you used the wrong model type, and the associated market code, to program the radio "the first time" it can't be changed later. Apparently that's not true if you have the right software.

    Some of the Kenwood radios use "XOR" encryption on the code plug contents I discovered, for example the popular TK-3170 and TK-3173 radios. After some lucky guesses and looking I found where in the code plug the encryption key is stored. It seems to be located in the same place even between totally different radio models. I suspect the software programmers used the same code plug file structure for the beginning section across model types. The key however can vary from code plug to code plug even for the same model type.

    After decrypting the code plug the version of the radio software, radio model type and the installation license key, used to install the software which created the code plug, was found. The frequency was stored in little-endian integer BCD format. For example 462.67500 MHz was stored as 00 75 26 46, two BCD digits packed into each byte.

    Any passwords set in the radio, such as power up enable, radio read or radio over write are also stored in the code plug. Without the engineer's license key for example even if you loaded the code plug in to the programming software the radio over write password is blanked out with asterisks. If you know where to look in the decrypted code plug even that password is in the clear and can be recovered allowing a radio to be reprogrammed. The software will prompt the user for the password if one is used and will refuse to either read the radio or over write the current code plug depending on which passwords are set.

    The channel names, group names, strings in general, are stored in normal ASCII format.

    Other options and features are likely stored as bit fields or some other type of packed data structure. Since none of this will ever be documented by the manufacturer, a good deal of experimenting has to be done to reverse engineer the code plug further.

    @wayoverthere @Lscott Looks like I am a fool. The Vertex CPS yells at you when you try to program OOB but it lets you do it. I swear my eyes were playing tricks on me and the frequency was reverting to the low end when I did it a month ago. Played with it again tonight and I now have a Moto branded EVX-S24 (403-480) RXing public safety in the 480's and a Vertex branded EVX-534 (450-512) TX-RXing in the 440's (can do 4 & 5 KHz deviation as well) just using the CPS. The RX in the 480's sounds good, I don't notice any sensitivity loss. I will put the 534 on the SA and Watt meter tomorrow and see what it looks like TXing in the 440's into a dummy.

    Thanks for all the input.

    EDIT PS: Next step is to get the 7.2 volt Mitsubishi MOSFET running on the S24 :)
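
An added example (not part of either poster's message, and not Kenwood's code) of the two encodings described in the quoted post: a single-byte XOR layer and a 4-byte little-endian packed-BCD frequency. The key offset, record layout, channel name and sample bytes are constructed assumptions; only the 462.67500 MHz / `00 75 26 46` pair comes from the post.

```python
# Added illustration: offsets and sample bytes are constructed, not a real code plug.
KEY_OFFSET = 0     # hypothetical position of the XOR key byte
RECORD_OFFSET = 1  # hypothetical start of one channel record
NAME_LEN = 8       # hypothetical fixed-width ASCII channel name


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def encode_freq(mhz: str) -> bytes:
    """'462.67500' -> 4 bytes of packed BCD, least significant byte first."""
    whole, frac = mhz.split(".")
    digits = whole.rjust(3, "0") + frac.ljust(5, "0")
    if len(digits) != 8 or not digits.isdigit():
        raise ValueError(f"not an 8-digit frequency: {mhz!r}")
    pairs = [digits[i:i + 2] for i in range(0, 8, 2)]
    return bytes(int(p[0]) << 4 | int(p[1]) for p in reversed(pairs))


def decode_freq(field: bytes) -> str:
    """Inverse of encode_freq; rejects any nibble that is not a decimal digit."""
    if len(field) != 4:
        raise ValueError("frequency field must be 4 bytes")
    digits = ""
    for b in reversed(field):
        hi, lo = b >> 4, b & 0x0F
        if hi > 9 or lo > 9:
            raise ValueError(f"byte 0x{b:02x} is not packed BCD")
        digits += f"{hi}{lo}"
    return f"{digits[:3]}.{digits[3:]}"


def build_sample(key: int, mhz: str, name: str) -> bytes:
    """Construct a toy blob: clear key byte, then one XOR-masked channel record."""
    record = encode_freq(mhz) + name.ljust(NAME_LEN).encode("ascii")
    return bytes([key]) + xor_bytes(record, key)


def read_channel(blob: bytes) -> tuple[str, str]:
    """Unmask the record with the key stored in the blob, then parse its fields."""
    key = blob[KEY_OFFSET]
    plain = xor_bytes(blob[RECORD_OFFSET:RECORD_OFFSET + 4 + NAME_LEN], key)
    return decode_freq(plain[:4]), plain[4:].decode("ascii").rstrip()


SAMPLE = build_sample(0x5A, "462.67500", "GMRS 20")  # constructed sample data
if __name__ == "__main__":
    print(read_channel(SAMPLE))
```

Because the key travels in the same file as the data it masks, this layer is obfuscation rather than confidentiality, which is why fields such as stored passwords should not be treated as protected by it.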

  2. On 11/26/2019 at 3:34 PM, Radioguy7268 said:

    The only potential GMRS trouble I've seen with the Motorola branded EVX-S24 and EVX-261 is getting them to work in Wideband. The Motorola units I've gotten in are strapped as Narrowband out of the Box, and I've yet to be successful in changing them over to Wideband. I've done that with ease on Vertex labeled units, but there's something that I haven't bothered to figure out when it comes to the MSI branded version.

     

    I've heard people say that you NEED to use the FIF-12 cable in order to use the Wideband enablement mode (as well as using the Export version of software) - but I haven't bothered to try that out, as my basic Vertex cable worked for updating (backdating?) previous Vertex units to Wideband enablement.

     

    They do seem to be great little units for the price.  Be aware that the EVX-S24 is only listed at 2 watts for Analog UHF (3 watts DMR).

     

    *Edit - just noticed that you specifically said the VX-261.  Same issues may apply, but the analog VX-261 is a screaming steal in the Used market. I've been snatching them up in good condition at less than $40 per unit with accessories.

    I have a Vertex branded EVX-539 that the recovery tool 1.03 is stating "Product Type Error" using the FIF-12. This same tool worked on Moto branded S24's and lists "EVX-530 Series" in the dropdown selection but no dice when it runs. Would you have any clues?

  3. 23 minutes ago, wayoverthere said:

    I'll have to check the version a little later, but I believe it's CE151 (I have the later display models). And no decryption, just straightforward load with the cps

    I see, I take it the file was plain binary that you could read/edit with no type of encryption?

    If the radio rejected that this may be a dead end without modifying the FW in the radio.

    Also, did you drop the 512 down by 10MHz as well or did you go for 440-512? Or were you just trying to hack a single channel out of band?

  4. On 4/28/2021 at 1:35 PM, wayoverthere said:

    Following as well. Unlike Kenwood, Vertex seems pretty solid about not letting you program out of the listed bands. I was trying for something in the 440's with a stated 450-512 setup (evx539's), and it just errored and didn't load anything.

    Interesting information. What was your method of modifying the plug?

    Did you attempt xor decryption of the plug? 

    Were you using CE157 CPS?

  5. I don't know about Motorola but some of the Kenwood radios the code plug is encrypted too. I found out it's a simple XOR type encryption using a key byte stored in the code plug. For the several radio models where the code plugs are encrypted that key was always stored in the same place. Using a hex editor to load the code plugs and the data manipulation tools I was able to decrypt the code plugs easily. Maybe Motorola does something similar.

     

    Could be, but it seems to key off of date/time/filename as well perhaps. If I save the same plug twice with different names the binary compare is a sea of red all through the file.

  6. I received 2 new US EVX-S24's a couple of weeks ago. Was able to run the wide band recovery with no issue using the USB cable. Great radios, fantastic TX/RX audio. The dual watch polling drop outs are very minimal compared to my Alinco, scan speed is great and superb tail suppression. A little lacking in power and buttons but I can't expect more from a package this size. I have been running some EX-560XLS's which I also like very much as well.

     

    I am looking to receive some public safety in the 480+ range. I was able to do this with the EX-560's but the S24 seems locked down pretty tight. Looks like the plugs are encrypted. 

     

    I am wondering if anyone has had any success at increasing the upper RX frequency limit on the EVX-S24.

  7. ...I'd try looking up someone like FIT (Forest Industries Telecommunications) or EWA (Enterprise Wireless Association). They'll walk you through the steps. I find FIT to be a little more personable - but EWA is very professional & capable. Up front cost isn't cheap to get the 10 year FB6 license & coordination - expect to see something around $700, but it's still pennies per day. If you tell them you're looking for an FB6 UHF repeater pair with DMR/Trbo emissions, you'll be off to the races....

    Yes, as you mentioned, for example, FIT (Forest Industries Telecommunications) or EWA (Enterprise Wireless Association).

    I am in eastern MA, a good bit south of the line.

  8. I'm not sure how close you are to Canada - but just wanted to make sure I'm clear. Business frequencies under Part 90 do not share any frequencies with amateur radio. Your comment about 440 and 222 makes me wonder if you checked availability with an amateur Frequency Coordinator. There is no "waiting list" in the Business bands for Part 90 UHF.

    I had checked with NESMC. VHF is waitlisted, UHF is not, but getting tight.

    But correct, I should have been looking at 450-470 frequencies I believe.

  9. I think you've got the concept - run under Part 90 as an FB6/IG - but you need to certify that you're going to provide communications service to "Part 90 eligibles" - which means US Citizens and US Companies that would be otherwise eligible under Part 90. Technically - you could also provide FB6 Private Carrier service to Public Safety entities - or a non-profit Town Watch group.

     

    I'm not the law, and I'm not the FCC, but I've done this type of licensing for other entities. You are the one who needs to certify what you are planning to do, but I'm not aware of any requirement to "show your books" to the FCC to prove that you're running a for-profit business, or any site inspections. You will need to run Part 90 type accepted equipment, and you will need to certify buildout/construction within 1 year of your License being granted by the FCC.

     

    Judging by your GMRS license, you're located in a fairly populated area, so finding a decently clear frequency pair might be a bit of a challenge in the Part 90 spectrum. If you've already got a 60 foot mast, try to monitor some frequencies and see if you can identify any open frequency pairs in the area. Used to be that some of the older 451.8xxx pairs were clean, but most communications companies have snatched those up - at least in my area.

     

    I'd try looking up someone like FIT (Forest Industries Telecommunications) or EWA (Enterprise Wireless Association). They'll walk you through the steps. I find FIT to be a little more personable - but EWA is very professional & capable. Up front cost isn't cheap to get the 10 year FB6 license & coordination - expect to see something around $700, but it's still pennies per day. If you tell them you're looking for an FB6 UHF repeater pair with DMR/Trbo emissions, you'll be off to the races.

     

     

     

    Thanks RG7268, Makes perfect sense.

    It does seem that there are some 440 and 222's available for co-ordination. I certainly wouldn't want to grab a pair off a waiting list in a hot market if the frequencies would be idle 90% of the time, doesn't seem fair. Maybe it's time to start a for-profit communication business, put a 100 footer up at my business site :) $700 is a great price considering what you are getting. Aligns with the cost of quality feed-line, antenna, duplexer, maintenance, time, time and more time. Still cheaper than a boat.

  10. I'll just point out that if anyone wants to do UHF DMR, the FCC already allows for that. It's called Part 90 Private Carrier (FB6 designation). Go get a 10-year license - get a Coordinated Frequency pair, and have at it. You no longer need to be concerned about getting Part 95 certified equipment, you don't need to worry about who qualifies as a "Family" member, and you can go ahead and "rent" airtime to anyone you want to, at any price you choose to. There's no requirement to charge a set amount or fee to anyone as a Private Carrier - you get to set your own rates (Zero if you wish), and you get to decide who uses your system.

     

     

     

    Hello RadioGuy,

    This is interesting.

     

    1. Would FB6 be part of Part 90 "IG - Industrial/Business Pool - Private, Conventional" frequency pair?

    2. Does this mean that I could get a DBA for my business such as "XYZ Comm", get a frequency pair and "rent" time to myself/family and friends for business and personal use?

    3. I have a 60 foot mast at my residence currently, would it be allowed to run an FB6/IG transmitter at my residence (legal business address)?

    4. Would I be subject to a site inspection prior to operation?
