- Display: 128x64 monochrome
- Frequency range:
- VHF: 136.000-174.000
- UHF: 400.000-480.000
The USB cable exposes the radio native USB port, as it is visible from dmesg:
usb 1-1: new full-speed USB device number 11 using xhci_hcd
usb 1-1: New USB device found, idVendor=0483, idProduct=df11, bcdDevice= 2.00
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: Digital Radio in USB mode
usb 1-1: Manufacturer: AnyRoad Technology
usb 1-1: SerialNumber: 00000000010C
| GPIO | Mode | Function | Notes |
|---|---|---|---|
| PA0 | analog | ADC1_IN0 | |
| PA1 | analog | supply voltage | ADC1_IN1, ~1:5.7 voltage divider |
| PA2 | analog | ADC3_IN2 | |
| PA3 | analog | mic level (VOX) | ADC1_IN3 |
| PA4 | |||
| PA5 | |||
| PA6 | analog | mic SW2 line | ADC1_IN6, 95k pullup |
| PA7 | analog | mic SW1 line | ADC1_IN7, 95k pullup |
| PA8 | output | ?? | |
| PA9 | output | gps pwr? | |
| PA10 | gps data | ||
| PA11 | |||
| PA12 | |||
| PA13 | output | ?? | |
| PA14 | output | ?? | |
| PA15 |
| GPIO | Mode | Function | Notes |
|---|---|---|---|
| PB0 | analog | ADC1_IN8 | |
| PB1 | analog | ADC1_IN9 | |
| PB2 | output | ?? | |
| PB3 | AF | SPI1_SCK | |
| PB4 | AF | SPI1_MISO | |
| PB5 | AF | SPI1_MOSI | |
| PB6 | output | speaker enable | active low |
| PB7 | output | ?? | |
| PB8 | |||
| PB9 | |||
| PB10 | input | channel sel. encoder | internal pull-up |
| PB11 | input | channel sel. encoder | internal pull-up |
| PB12 | output | W25Q128 chip select | to be confirmed |
| PB13 | AF | SPI2_SCK | W25Q128 and LCD |
| PB14 | AF | SPI2_MISO | W25Q128 and LCD |
| PB15 | AF | SPI2_MOSI | W25Q128 and LCD |
| GPIO | Mode | Function | Notes |
|---|---|---|---|
| PC0 | input | TimeSlot interr. | EXTI0 |
| PC1 | input | Sys interr. | EXTI1 |
| PC2 | input | TX interr. | EXTI2, to be confirmed |
| PC3 | |||
| PC4 | output | ?? | |
| PC5 | analog | heatsink temp. | ADC1_IN15, to be confirmed |
| PC6 | output/AF | display backlight | |
| PC7 | alternate | CTC/DCS output | TIM8_CH2, to be confirmed |
| PC8 | alternate | 2T/5T/DTMF - beep | TIM8_CH3, to be confirmed |
| PC9 | output | ?? | |
| PC10 | |||
| PC11 | |||
| PC12 | |||
| PC13 | output | TBD audio control | |
| PC14 | |||
| PC15 |
| GPIO | Mode | Function | Notes |
|---|---|---|---|
| PD0 | input | front keys col. 1 | |
| PD1 | input | front keys col. 2 | |
| PD2 | input | front keys row 1 | |
| PD3 | input | front keys row 2 | |
| PD4 | input | front keys row 3 | |
| PD5 | output | ?? | |
| PD6 | output | ?? | |
| PD7 | output | ?? | |
| PD8 | output | PLL1 select | |
| PD9 | output | PLL2 select | |
| PD10 | output | PLL SDO | MCU -> chip |
| PD11 | output | PLL SCK | |
| PD12 | output | LCD reset | active low |
| PD13 | output | LCD data/cmd | |
| PD14 | output | LCD chip select | active low |
| PD15 | output | general power enable |
| GPIO | Mode | Function | Notes |
|---|---|---|---|
| PE0 | input | front keys col. 3 | internal pull-up |
| PE1 | input | front keys col. 4 | internal pull-up |
| PE2 | output | HR_C6000 chip select | |
| PE3 | output | HR_C6000 SCK | |
| PE4 | output | HR_C6000 SDI | chip -> MCU |
| PE5 | output | HR_C6000 SDO | MCU -> chip |
| PE6 | output | ?? | |
| PE7 | output | TBD audio control | |
| PE8 | output | ?? | |
| PE9 | output | ?? | |
| PE10 | input | PTT | active low |
| PE11 | |||
| PE12 | |||
| PE13 | |||
| PE14 | |||
| PE15 |
The display is a monochrome 128x64 pixel LCD with an ST7567 controller. Command and data are sent through an SPI interface connected to the SPI2 peripheral, shared with the external flash memory. The other GPIOs are:
- PD12 - reset, active low
- PD13 - data/command (A0 on controller datasheet)
- PD14 - chip select, active low
Framebuffer starts at address 0x2001AC08.
Backlight is controlled by PC6 and dimming is controlled by TIM8_CH1.
Functions identified:
-
0x0804C278 - initialisation routine
-
0x0804C1B8 - send command
-
0x0804C218 - send data
-
0x08025BB0 - clear screen and framebuffer
-
0x0804ACC6: function configuring backlight GPIO
-
0x0804AD48: function for turning on LCD backlight, with brightness control
-
0x0804ADC8: function for turning off LCD backlight
Mapping of front keypad buttons:
| PD0 | PD1 | PE0 | PE1 | |
|---|---|---|---|---|
| PD2 | ENT | P1 | P4 | |
| PD3 | down | red | P3 | |
| PD4 | ESC | up | green | P2 |
PD2, PD3 and PD4 also have external pull-up resistors, which allows to read their status also when PE0 is in input mode.
The SPI control interface is connected to the following GPIOs:
- PE2 - chip select
- PE3 - SCK
- PE4 - SDI
- PE5 - SDO
These SPI connections are shared with some other chip, since the firwmare locks a semaphore/mutex before initiating any kind of data transfer through the SPI interface. The semaphore variable is at address 0x2001EC90.
Functions identified:
- 0x080710E6 - software SPI implementation for the control interface
- 0x08071152 - function for sending a data block through the control interface
- 0x08071192 - function to acquire exclusive ownership of the SPI GPIOs and select the HR_C6000
- 0x080711AA - function releasing exclusive ownership of the SPI GPIOs and deselecting the HR_C6000
- 0x08051168 - function for writing to a control RAM register
- 0x08050674 - function where the code for the main HR_C6000 configuration resides.
There are two PLLs, configured by the "RF PLL" task. At least in the older models, the PLLs are Skyworks SKY72310 and they are configured through an SPI interface. The PLL SPI interface occupies the following GPIOs:
- PD8 - chip select of PLL 1
- PD9 - chip select of PLL 2
- PD10 - SDO
- PD11 - SCK
Data is sent through a bit-banging routine located at address 0x0806A296.
The external flash memory for CPS and calibration data storage is a Winbond W25Q128. Data is exchanged through the SPI2 peripheral and chip select seems to be PB12. The SPI bus is shared with the LCD controller and at least another peripheral whose chip select is on PB13.
Functions identified:
- 0x080463FC - function reading a data block from main memory
- 0x08046824 - function reading a data block from a security register
- 0x080464AE - function to acquire exclusive ownership of the SPI GPIOs and select the external flash
- 0x080464D8 - function releasing exclusive ownership of the SPI GPIOs and deselecting the external flash
Calibration data are stored in security registers at addresses 0x1000 and 0x2000 and are loaded into a 512-byte RAM block starting from address 0x2001BE14. The function loading the calibration data from the security registers is at address 0x0802B9C8.
The STM32F405 microcontroller has three Analog to Digital Converters, here is how they are used in the original MD-9600 firwmare.
ADC1 is initialised in the function starting at 0x080664AA, and configured for the sampling of eight channels through a regular sequence of conversions. Conversion order is: ADC1_IN9 (PB1), ADC1_IN15 (PC5), ADC1_IN8 (PB0), ADC1_IN0 (PA0), ADC1_IN3 (PA3), ADC1_IN1 (PA1), ADC1_IN6 (PA6), ADC1_IN7 (PA7). Data is transferred through DMA2_Stream0 to a sample buffer starting at 0x2001e8d4, from here the samples are retrieved and processed in various functions in the firmware image.
ADC2 is initialised in the function starting at 0x080664AA, and configured for the sampling ADC2_IN13 (PC13). Data is transferred through DMA2_Stream3 to a buffer starting at 0x2001c014. The IRQ handler for DMA2_Stream3, at address 0x080B2D38, copies data from the sample buffer to another buffer located at 0x2001C214 and, before exiting, sends a signal to a task through the semaphore at address 0x2001ECB8.
Data is processed by a task whose function body is located at 0x0806B308. This task is spawned by the function at 0x0806B1B8 and is assigned the name "Tone fft": from this we can conclude that PC13 is connected to the analog audio output of the receiver stage and is used for CTCSS/DCS and DTMF decoding through the FFT task.
ADC3 is initialised in the function starting at 0x0804B160, and configured for the sampling ADC3_IN2 (PA2). Where the data is processed is yet to be discovered, anyway no DMA transfer is involved.
- 0x08049924: function starting various system tasks
- 0x2001AC08: start of display framebuffer
- 0x2001EC90: semaphore for concurrent access to HR_C6000 control SPI bus
- 0x2001BE14: calibration data
- 0x2001E8D4: ADC1 sample buffer
- 0x2001C014: ADC2 sample buffer
- 0x2001C214: FFT buffer
- 0x2001ECB8: semaphore signalling that new data for FFT processing are available
- 0x2001EC8C: semaphore for concurrent access to SPI2, shared between external flash and LCD
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x080505FC | 0x20013448 | 7 | 7
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x08049C38 | 0x20012C48 | 23 | 23
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x0805D790 | 0x20013c48 | 20 | 20
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x08049FDC | 0x20014448 | 21 | 21
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x0804A46C | 0x20018804 | 6 | 6
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x0804A490 | 0x20014C48 | 24 | 24
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x080BC4B8 | 0x20018C04 | 25 | 25
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x08043FC0 | 0x20019004 | 26 | 26
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x080452cc | 0x20019404 | 13 | 13
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x08050636 | 0x20015448 | 8 | 8
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x0804552C | 0x20019804 | 15 | 15
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x0806063C | 0x20019C04 | 17 | 17
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x0805E3B8 | 0x2001A004 | 18 | 18
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x0805E8B0 | 0x2001A804 | 16 | 16
Body address | Stack address | ID | Priority --- | --- | --- | --- 0x0805728C | 0x2001A404 | 5 | 5