UV-5RM PLUS frequency limits

[AlphaRne]

I did some rev engineering on the firmware 5RH_NRF_Fangti_V0.14_231124.BF to figure out how
to unlock all channels.
The external flash location 0xF255 contains a value that sets the limits, with '3' being the most restrictive (ITU1) '5' regular amateur bands and other values fully open.

Here is a little tool that does the job based on the code from the chirp project.

https://github.com/AlphaRne/baofengCtrl

[Tuxprogrammer]

Not sure if this is more appropriate to post here or to post in your repo, so apologies if this isn't relevant.

I am working on my newly purchased GM-5RH radios to see what I can do about unlocking them. They report at firmware version 5RHL 1.05 GMRS with hardware revision V01.

One note is that this model requires a different nonce to begin serial communication. I had to change PROGRAMBFNORMALU to PROGRAMBFGMRS05U to get it working. I've used the reading portion of your tool without writing because I'm not sure about bricking these just yet and got the following log:

using ttyUSB0
res:06
res:01 36 01 74 04 00 05 20 02 00 02 60 82 87 8A 98
res:5RH     +L00000
res:06
read[F240]:52 F2 40 40 82 87 8A 98 A0 B4 09 09 0A 0A 0A 0B 0B 00 00 00 30 30 30 30 30 30 09 00 00 00 00 00 00 0E 0E 0E 0C 0C 0C 0B 0B 0C 0C 0C 0C 10 10 10 10 00 00 00 01 01 36 01 74 01 04 00 05 20 01 02 00 02 60 00

It seems like 0xF255 reports the value 0x30 on my specific radio? I think the firmware might be different between these two.

Is there a way I can dump the firmware out of the radio to back it up before I try to flash an alternative firmware?

Also worth noting on this radio: despite it not having airband capability, I was able to flash an AM channel to the memory by patching the BF GMRS CPS app but when I try to go to the channel on the radio, it is like the channel doesn't exist. Either by directly typing the channel number or going up/down in the menu. The channels do show up in CHIRP as AM though if you dump the memory.

Thank you!

[Aguspeke]

@AlphaRne

I did some rev engineering on the firmware 5RH_NRF_Fangti_V0.14_231124.BF to figure out how to unlock all channels. The external flash location 0xF255 contains a value that sets the limits, with '3' being the most restrictive (ITU1) '5' regular amateur bands and other values fully open.

Here is a little tool that does the job based on the code from the chirp project.

https://github.com/AlphaRne/baofengCtrl

Hello good afternoon, could you help me or specify how your code can be executed, I am interested in unlocking the TX in the AM band as well as opening its frequencies.

My email is aguspeke2@gmail.com

[porkfreezer]

@Tuxprogrammer
The value at 0xF255 is actually ASCII 0-9, so 0x30 is '0'. On my GM-5RH I found that changing the number affected what frequencies I could receive but not what I could transmit.

Since the GM-5RH hardware is the same as the UV-5RH L (with an AT1846) I flashed it with the 5RH_AT1846S_V0.07_FangtiBlueBG_230918.BF firmware and it became a normal triband 5RH that can transmit outside of the GMRS channels.

[Tuxprogrammer]

@porkfreezer Good Advice! I was able to flash that file to one of my radios successfully and it appears to be functioning as a fully unlocked 5rh. Flashing left my channels and custom boot logo intact, and I confirmed transmission on a local 2m repeater. Testing out the other values 0-9 I found the same results as you and @AlphaRne. No selection opens up Airband but selecting 5 does remove several of my repeater channels from being able to be selected. So far enjoying messing around with these radios, I've got some 5rm GPS ones in the mail to me now should be here from CN to play with in a couple weeks.

[OK2MOP]

AT1846S does not have airband

[69factorial]

I can confirm that firmware V0.07 will fully unlock a Baofeng UV-5G Plus. I used the Chinese factory firmware flashing tool on a Windows 7 PC with a FTDI programming cable. It didn’t erase any of the existing GMRS channels, the startup screen, or any of the menu settings. The radio was originally running GMRS firmware V1.05
73s