Up two levels
Back to Home
from BatLabs, cleaned up and corrected
|
Up one level Up two levels Back to Home |
Spectra Lab RSS Hacks from BatLabs, cleaned up and corrected |
|
General Information:
This page has all of the tips/tricks/hacks for using the Spectra LAB RSS. This includes things like changing model and serial numbers, adding features by changing Moflag bits, etc. The main reason for creating this page was for the Moflag documentation.
Spectra LAB RSS and Moflag Bits:
The Spectra Lab RSS (R04.04.04) has a utility called the MOFLAG Programmer and it lets you edit a series of Moflags "bits" in the code plug.
The list of the Moflags and what feature each bit controls is listed in the table below.
The bits control what features are available, and what aren't. The problem is the MOFLAG programmer only edits the code plug. You could program features in, but when you read your newly upgraded radio the features disappeared in the RSS. If you keep reading below you will see why.
Note that not all features are available with all MLM firmware versions. If you think you are going to turn on zone operation in your version 2.0 MLM, keep dreaming. It takes at least version 6 for zones to be supported. Other features (MPL, RSSI, etc.) may have other requirements. Another thing to remember is you cannot read or open a code plug from a firmware version 6.xx radio with the LAB RSS.
Spectra Hacking History:
Just prior to the true MOFLAG breakthrough, to properly hack more features into a radio involved taking a radio that had lots of features, and cloning Command Board Location range B681 - B693 to another radio, which you wanted to clone the feature set to. You could also upgrade the firmware (with an EEPROM burner) to the same or newer level than the radio you cloned the feature string from. Then you would virtually have a clone of the original good radio's features and get Zones, SecureNet or whatever else the original had. At this time it was known that this string controlled the features but it wasn't cross-referenced to the individual Moflags... yet.
This method works a lot better than the original way people added features to their radios. That way involved just cloning a more featured code plug into your radio, overwriting the feature string in the code plug only and usually giving you what you wanted. The problem was that when you read the radio with the RSS, your features would vanish because the RSS got the feature data from the MOFLAG bits on the command board and the new code plug only changed data in the code plug. If you read carefully below, you will see why that happens.
The latest and greatest method, which this page is all about lets you selectively enable or disable the exact features that you want. No more all or nothing!
How the Moflags Work and are Stored in the Spectra:
The following locations are the locations reported when you use the BitBanger function of the Lab RSS. They are the general locations that are going to be important to changing the features of the radio.
NOTE: The addresses for the bytes in the Command board should almost always be the same. The address locations for the MLM may be slightly different, depending on the firmware version and features enabled. However, you will know you have found the correct range in the MLM since it will be the same data as the string in the Command Board.
So, you should check the Command Board range first, and write down the data that is there. Then, go through the MLM range and find where that data is living. It should be somewhere near location 6200 so scroll through the area until you find it.
Command Board Range: B681 - B690 / B691 + B692 = Checksum MLM Range: 6183 - 6192 / 6193 + 6194 = Checksum (*the MLM values are relative*)
How MLM and Command Board Features are Checked on POST:
The radio on POST checks the Command Board range B681 - B690, with some proprietary checksum algorithm and compares the result with B691 + B692.
If the checksum doesn't match, the radio grabs the entire range from 6183 - 6194 on the MLM, and throws it into the Command Board (assumes the Command Board is corrupted, so it reloads it).
With the original feature string cloning method if you were hacking a radio and messed up on one character in the Command Board, (in this range) when you power cycle the radio, goodbye changes.
How the RSS Knows What Features to Allow Access to:
Moflags are nothing more than single bits stored at those locations that tell the radio and RSS what features it gets to have and what ones it doesn't.
Some people in the past were forcing zone enabled code plugs in their radios which would allow zones to work but when you read the radio zones wouldn't appear in the RSS.
This is because the RSS reads the Moflag data off the Command Board. Since the Command Board isn't written to when you load a code plug, you don't truly get Zones and other features correctly enabled.
How to Make Your Own Feature String:
You can now make your own string of data using the Moflags as a reference, and turn on whatever you want.
First create a string of data with the features you want. You can use the string below, which came out of a very full-featured conventional radio as a reference point to create your own. This string has Zones / SecureNet / Dual Control Heads. Use the Moflag table below to enable/disable what you want.
Command BoardB Range B681 - B690 / MLM Range 6183 - 6192:
00 76 40 A3 19 FF F1 FF 64 84 90 1F 1F 00 00 00
The best part of this is, if you hack the MLM Range 6183 - 6192 and Command Board B681 - B690 (Moflag bytes 0 - 15, 16 total) you can put any data you want in (any custom string). When you read the radio and rewrite it will create the checksum and put it at the end of the MLM string (at 6193 + 6194). Then, after it is done programming it will reboot the radio and then that checksum gets copied to the Command Board, because the Command Board checksum fails. So it essentially calculates the checksum for us automatically and fixes the radio!
Important Notes:
I believe repetory refers to remembering the last number you used when using the scratchpad for MDC call or Phone DTMF etc.
Compander and Adaptive Splatter are generally found on 900 MHz radios for "Hearclear".
The rest is pretty straightforward but there are some oddball SP items in the list that are unknowns.
Also when you are doing things like making trunked radios into conventional and vice versa it is a good idea to force a code plug similar to what you want before you hack it. Otherwise it will still show a trunked mode in the RSS when you read the radio even though you have hacked it to be conventional only.
You can force code plugs in from other radios with different bands too. Just change the serial number to match a code plug you want to use and force it in. Then change the model number, head type, band-split and serial number back using LAB BitBanger. See further down the page for more BitBanger info.
Don't forget that if you turn on SecureNet or Trunking on a radio that didn't have it enabled prior the deviation will need alignment for those TX modes because the radio was never tuned for operation in those modes.
| Bit | Moflag Byte 0 | Moflag Byte 1 | Moflag Byte 2 | Moflag Byte 3 |
|---|---|---|---|---|
| 0 | Unused | Out Of Range Display | Call Alert 2 | Unused |
| 1 | Unused | Horn and Lights | Call Alert Unlimited | Unused |
| 2 | Sys Search Lock | Unused | Call Alert Repertory | Trunk Sys Opsel Scan |
| 3 | AMSS | Privacy Plus | Conv With Sys Scan | Trunk Mode Slave Scan |
| 4 | Dynamic Regrouping | ATG B9 PP (DON'T USE) | Private Call Master Enable | Trunk Message |
| 5 | Emergency Call | Phone Unlimited | Private Call Repertory | Conv Message |
| 6 | Emergency Alarm | Phone With Repertory | Call Alert Master Enable | Trunk Status |
| 7 | Emergency Trunk | Trunk Phone RX | Private Call Unlimited | Conv Status |
| Bit | Moflag Byte 4 | Moflag Byte 5 | Moflag Byte 6 | Moflag Byte 7 |
| 0 | DTMF Encoder | OpSel Talkaround | DTMF 8 Digit IDs | Perm Horn And Lights |
| 1 | Compander | MDC Emergency | NEVER to be USED | MDC Call Response |
| 2 | Adaptive Splatter | Conv Opsel Scan | Data Radio | MDC Call List |
| 3 | Time Out Timer | SecureNet | Hand Held Control Head | MDC Call Unlimited |
| 4 | Mode Names | Talkaround | Phone Interconn Decode | Zone Mode |
| 5 | Trunk Pri Opsel Scan | MDC Signalling | DTMF SelCall Decode | MDC Call Alert |
| 6 | Trunk Pri Scan | Non-Pri Mode Slave Scan | DTMF SelCall Enc Unlimited | MDC Auto SelCall |
| 7 | ID 64K | Pri Mode Slave Scan | DTMF SelCall Enc Repetory | MDC Enhanced SelCall |
| Bit | Moflag Byte 8 | Moflag Byte 9 | Moflag Byte 10 | Moflag Byte 11 |
| 0 | Unused | Multi Radio System | Aux3 | MDC 600 |
| 1 | SmartNet Features | Auxiliary Receiver | Algeria SP | New Control Head |
| 2 | Siren | Variable Power Output | PC/CA ID Aliasing | Vehicle Repeater |
| 3 | Expanded Data | Home For TX Revert | PC/CA Variable List | Internal PA |
| 4 | Motorcycle SP | Metro Radio | Dual Control Head | Speaker A/B |
| 5 | S9K Control Head | Failsoft By Mode | RHKPF | Metro Conv |
| 6 | Multiple PL | Auto Affiliation | No Adap Dev or Volume | PL Monitor |
| 7 | Transmit Inhibit | Last ACC/First Rel Dig | External SecureNet | One Button Call Alert |
| Bit | Moflag Byte 12 | Moflag Byte 13 | Moflag Byte 14 | Moflag Byte 15 |
| 0 | Re-Arm Horn and Lights | Unused | Unused | Unused |
| 1 | MDC1200 RAC | Unused | Unused | Unused |
| 2 | MDC RAC List | Unused | Unused | Unused |
| 3 | MDC RAC Unlimited | Unused | Unused | Unused |
| 4 | Single Tone | Unused | Unused | Unused |
| 5 | Railroad Radio | SIU | Unused | Unused |
| 6 | Electronic Mode Stops | Data On Trunking | Unused | Unused |
| 7 | Parallel Data Interface | New Trunked NYCTA | Unused | Unused |
How Moflag Bytes Break Down Into Bits:
If your radio for example reads hex 03 at address B681, this translates to 00000011
binary.
This corresponds to Moflag byte 0: Bit7 Bit6 Bit5 Bit4 Bit3 Bit2 Bit1 Bit0.
Bit 0 - Unused - Enabled
Bit 1 - Unused - Enabled
Bit 2 - Sys Search Lock - Not Available
Bit 3 - AMSS - Not Available
Bit 4 - Dynamic Regrouping - Not Available
Bit 5 - Emergency Call - Not Available
Bit 6 - Emergency Alarm - Not Available
Bit 7 - Emergency Trunk - Not Available
In Lab 4 Moflags can be changed to 3 settings (Not available/Enabled/Disabled).
Enabled/Disabled will still give you a binary 1 and just reflects whether it is turned on in the RSS/Code plug. Not Available is set with a 0.
The problem with Lab 4 is it will let you edit the Moflags in the code plug stored on the PC. You then could force the code plug into the radio with new features. But when you read the radio again those features aren't available.
That is because they do not write over the string in the Command Board (which would be the ideal fix).
This means that you can mess around with a code plug and change the features that you want, but when you finally figure out what you want to use for a feature string, you need to Bit Bang it into the proper location on the Command Board, before writing the new code plug to the radio.
Spectra Tips For use with Lab RSS R05.03.00:
Consider the following before trying any of these tips. When using the Lab software "Bit Banger" feature it is very easy to create an absolutely brain dead MLM, so be careful. Also, there is no guarantee that all tips will work with every Spectra. Forget about using this RSS with an Astro Spectra.
Bit Banging the Model Number:
This is necessary if you want to clone a different model number Spectra's features into your radio.
The model number starts at location 0x6048 on the MLM and after location 0xB670 on the command board. After making any changes using the Bit Banger read the radio and then program the radio before doing anything else. When the clone operation is started you will most likely get a warning message that the radios features are different, tell it to proceed.
Now you have changed the model number in your radio to match your source, perform the following:
But, before you do it, make sure that you're not trying to tell a dash mount 50 watt Spectra A5 that it's suddenly a 110 watt A9, it won't work.
Upgrading Control Head Type:
If your Spectra only shows an A5 faceplate in the RSS, you will want to change location 0x6060 on the MLM to 0xED. If you want to force an A9 type head, change this location to 0xCD. Remember to check F4-F2-F9 first to see what heads are allowed before making this modification.
Spectra Serial Number:
If you want to change the serial number in your radio, there is a C program that is supposed to do it. It is supposed to work with Spectra version 5.03. I have not tried to run it, so compile it your self and try it out. It should compile with almost any C compiler.
The other way to change the serial numbers (command board AND MLM) in a Spectra is to use LAB RSS and use the serial number change utility (service menu I believe).
If that won't work, you can use the Bit Banger in the Lab RSS. The serial numbers start at location 0x601D on the MLM and at location 0xB61C on the command board.
Spectra Band-split:
The frequency/band-split of the MLM is in memory location 0x605F. To change the band-split of the code plug in the radio, use the BITBANGER function and change 0x605F as follows:
61 = 136-164 MHz
62 = 146-174 MHz
63 = 403-433 MHz
64 = 438-470 MHz
65 = 450-482 MHz
66 = 806-870 MHz
67 = 896-941 MHz
68 = 482-512 MHz
After you change the memory using BITBANGER, read the code plug from the radio and it will have the new band-split. NOTE: This will NOT change the actual band-split of your radio. You can't make a radio operate in a new band-split without changing the hardware (VCO). However, it will allow you to take a code plug with desired features but the wrong band-split and modify it so you can clone it into another radio.
This might possibly be a roundabout way to program out of band frequencies. Program up all the modes using fictitious frequencies for your out of band channels and write to the radio. Then use BITBANG to change the band-split to one the covers your out of band frequencies and read the code plug. Change the out of band modes to the correct frequencies and then write to the radio. Finally, BITBANG the radio back to the correct band-split matching the hardware and then read and write the radio without modifying the modes. This has been tried with some limited success.
As always, LAB software in general and BITBANGing specifically should be exercised with extreme caution. You can easily convert your radio to a paperweight.
This information was obtained from the BatLabs.com web site, corrected, cleaned up, and reformatted by WA1MIK on 15-Oct-20, because everything on that site is cast in stone and not able to be changed or corrected.
Back to the top of the page
Up one level (Spectra index)
Up two levels (Moto index)
Back to Home
This page originally posted 15-Oct-20.
Article HTML and some text © Copyright 2020 by Robert W. Meister WA1MIK.
This web page, this web site, the information presented in and on its pages and in these modifications and conversions is © Copyrighted 1995 and (date of last update) by Kevin Custer W3KKC and multiple originating authors. All Rights Reserved, including that of paper and web publication elsewhere.