Lscott Posted March 9, 2021

I had to do some screwing around, basically hacked the install, to get the latest version of the software to load and work with the dealer/engineer serial install key. Version 2.40 of KPG-101D seems to reject the engineer's key when you put it in during the install.

I needed this to blow by a used eBay radio I just got that somebody had used a data-read and a data-write password on. I read where more radio shops are doing this crap. The hacked install took care of that headache.

Anyway, now I have several menu settings that never showed up with the normal user install keys. These are marked by an asterisk next to them in the drop-down menus. The problem is none of them are even mentioned in any of the help files, so their purpose is a bit of a mystery in a few cases.

Edit -> *Advance Settings ->
    *Setting 1 (TX LED, QT Reverse Burst Phase, GPS ACK Request)
    *Setting 2 (Look like settings to use the side pin ports as a serial port)
    *Setting 3 (Tuning Frequency)
    *Setting 4 (Parameter 1 - no clue what this is even doing)

Tools -> *Password Recovery (Window pops open asking to enter a serial number)

Program ->
    *Memory Map
    *Memory Map EEPROM
    (These two look like a hex editor display)

Some I can sort of guess what they are for, and the last two look like they're for troubleshooting the code plug that's saved in the radio's internal memory. For all I know this might even let me change the radio's stored electronic serial number. I always wondered how that gets set during manufacturing.

So does anybody out there have any info on what the extra functions might be good for, or documentation?

axorlov Posted March 9, 2021

Memory map: from my experience as a HW and FW developer, that is usually the mapping of the microcontroller's registers to memory addresses, and also the microcontroller's memory too. They can be read-only, read-write and write-only. But I think somebody who succeeded in hacking the installer already knows that. You certainly can look up the serial number, but it is an open question if you can change it, i.e. whether the system will accept the write attempt at the specific address.

Lscott Posted March 9, 2021

> Memory map: from my experience as a HW and FW developer, that is usually the mapping of the microcontroller's registers to memory addresses, and also the microcontroller's memory too. They can be read-only, read-write and write-only. But I think somebody who succeeded in hacking the installer already knows that. You certainly can look up the serial number, but it is an open question if you can change it, i.e. whether the system will accept the write attempt at the specific address.

I have a junky TK-3173 (TX and RX LEDs don't work and several of the front panel PF keys don't either) that I might use to experiment on. I also have the latest firmware for these radios too, V1.25.

I've also been hacking the code plugs for these radios using a hex editor. The code plugs are XOR encrypted past a small header at the beginning. One interesting thing I discovered is the software key used to install the radio programming software is saved in the code plug along with the version of the software and radio model number type. I'm not sure if it's saved in the radio when you write it or not at this point.

I don't have any ProTalk radios, the 2 watt jobs with fixed frequencies, to look at either. I'm beginning to suspect the code plugs for those can be hacked to change the default frequencies to some custom ones the software won't allow. Some posts on other forums suggest that a few have done exactly that to get the radios on the GMRS channels.

I've also looked at the code plugs for a couple of the Kenwood analog/digital radios I have, TK-D340U (DMR) and the NX-340U (NXDN). They also seem to use the same simple XOR encryption past the code plug header. In addition to the info I found in the TK-3170/3173 code plugs, the radio serial numbers seemed to be there too.

wqrh320 Posted January 9

I know this is an old topic, however I just purchased a TK-3173-K off fleaBay and it's locked where I can't read it or write to it with a blank data archive allowing me to change frequencies. I have the Kenwood Version 2.40 of KPG-101D software but need details on the "dealer/engineer serial install key" mentioned at the start of this thread. Any input on how to make this radio programmable would be greatly appreciated.

Thanks

Lscott Posted January 9

1 hour ago, wqrh320 said:

> I know this is an old topic, however I just purchased a TK-3173-K off fleaBay and it's locked where I can't read it or write to it with a blank data archive allowing me to change frequencies. I have the Kenwood Version 2.40 of KPG-101D software but need details on the "dealer/engineer serial install key" mentioned at the start of this thread. Any input on how to make this radio programmable would be greatly appreciated. Thanks

See your private messages. I sent you the info on how to do it. I've had other password locked radios off of eBay. It sucks when you get one unless you have a way to remove them.

Oh, the TK-3173 is a very nice radio for GMRS. It's basically the same, uses the same software as the TK-3170, but it also includes trunking. If you have a Ham license you can program out of band frequencies in the radio; the software will generate a warning but will accept the entry, allowing you to put in some Ham 70cm repeaters.

wqrh320 Posted January 11

On 1/9/2024 at 12:48 PM, Lscott said:

> See your private messages. I sent you the info on how to do it. I've had other password locked radios off of eBay. It sucks when you get one unless you have a way to remove them.
>
> Oh, the TK-3173 is a very nice radio for GMRS. It's basically the same, uses the same software as the TK-3170, but it also includes trunking. If you have a Ham license you can program out of band frequencies in the radio; the software will generate a warning but will accept the entry, allowing you to put in some Ham 70cm repeaters.

Sent you a message, I am unable to find PMs.