Contents

Memory dumper for the COTRE CO01D radio

Radio 632 words 3 minutes
Want to see what is going on inside your Auctus A6 based COTRE CO01D or other radio? This script lets you read the memory of your device.

The COTRE CO01D uses a different CPS format from the other radios on the market. It would be nice if the programming of this radio could be done with a standard opensource program such as qdmr. This utility was a step in this direction.

This utility reads from the radio memory at a low level. In order to read from the radio, it requires writing to the RAM on the device in the same way as the CPS software does. Thus far, I have had no problems which couldn’t be resolved by power cycling the device. Use this software at your own peril.
  1. Install Python3 and pySerial
  2. Clone this repository
  3. Attach your radio to your computer using an FTDI or CH340 serial cable.
  4. radiodump.py > dump

CPS software communication with the radio was captured using Wireshark and USBpcap. The CPS software sets the port to 921600 baud, 8N1, XON/XOFF. And then proceeds to send thousands of commands back and forth in order to read and write the codeplug.

There is a lengthy preamble where the CPS software makes repeated transmissions of some special frames followed by a series of reads or writes.

The basic frame has the following format

1
2

00 01 02 03 04 05 06 07 08 09 0A
ad 00 07 ff 02 a8 fd 00 82 01 2b
bytes value description
00 ad begin frame
01 - 02 00 07 length
03 ff ff in every frame
04 02 command
05 - N-1 a8 fd 00 82 01 command content
N 2b Check value

The length is the length from byte 03 to N - 1. Which is the payload of the frame.

The check value is simply the XOR of all the values in the range of byte 03 to N - 1.

command name description
00 read byte read 1 byte from memory address
01 read half word read 2 bytes from memory address
02 read word read 4 bytes from memory address
04 read register reads from a CPU register (format of command unknown)
83 write block write a variable number of words (4 byte blocks) beginning at a memory address
84 write register write to a CPU regsiter(format currently unknown)

Because of the XON/XOFF communication, some values need to be escaped and this escaping does not change the length or check value. These values are 0x11, 0x13, and 0x5C. These are escaped by inserting 0x5C before the value and XORing the value by 0x5c ^ value ^ 0xa3. (Huge thank you to DM3MAT for solving this calculation)

This protocol looks to be identical to that used on some other devices like the LUAT, the A9G and some RDA devices. In the data sheet for the RDA5851S, RDA lays out the protocol in its all its glory.

The memory of the COTRE CO01D and other Auctus A6 based radios can be accessed using a small utility I have made. You can use this to get the codeplug out or to poke around inside of the radio’s internals. Beware that this utility does write a small amount of data to the radio to replicate the behavior of the CPS software. Without this write command, the CPS area is not populated.

If you are interested, the utility is here in this repository.

Occasionally, the utility will hang while reading from the radio. This is mostly due to timing issues. Power cycle the radio and try again.

You can use the verbose option to watch the packets fly back and forth if you like as well.