VE7XEN's ham radio and electronics blog

Quansheng TG-45UV Protocol Reversing

| Comments

On a whim, I recently purchased the apparently new Quansheng TG-45UV to replace the Quansheng TG-UV2 I lost this last summer. A review and/or video might be forthcoming, but in the meantime I spent some time reverse engineering the serial protocol / data structure. If you have one of these radios and want programming software, the Quansheng TG-K4AT UV software works and is what I based my efforts on.

Most of this post will just be a text file document that I created for myself while doing the work. The protocol is a simple memory access scheme, and it appears that you read/write directly to the internal EEPROM. Unfortunately it’s not useful as a CAT scheme.

A final note is that while I was able to deduce most of this looking at the saved data files (which are raw memory dumps) from the software, I didn’t test the serial protocol reversing, so there might be additional reset codes etc. that are required. Good luck if you decide to implement a module for CHIRP or similar, that would be great to see!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
MEMORY MAP FOR QUANSHENG TG-45UV
================================

OFFSET        LENGTH  DESC

0x0000        0x10    Fill with 0xff
0x0010        0x10    CH1 SETTINGS
0x0020        0x10    CH2 SETTINGS
...
0x07f0        0x10    CH127 SETTINGS

0x0b00        0x10    DTMF1 SETTINGS [1-9 0xa=0 0xb=* 0xc=# 0xd=A 0xe=B 0xf=C 0x10=D]
0x0b10        0x10    DTMF2 SETTINGS
...
0x0be0        0x10    DTMF15 SETTINGS

0x0bf0        0x10    Fill with 0xff

0x0e20        0x40    RADIO OPTIONS
0x0f60        0x10    VFOA SETTING
0x0f70        0x10    VFOB SETTING
0x0fd0        0x40    Unknown data

0x1000        0x10    Fill with 0xff
0x1010        0x10    CH1 NAME [0-9A-Z]
0x1020        0x10    CH2 NAME
...
0x17f0        0x10    CH127 SETTINGS

0x1f60        0x10    VFOA OPTIONS
0x1f70        0x10    VFOB OPTIONS

CHANNEL SETTINGS BLOCK
----------------------

0x00      0x4     RX FREQ [BCD LE]
0x04      0x4     TX FREQ [BCD LE]
0x08      0x2     RX TONE [i16 LE]
           - all bits set - no tone
           - n & 0x2000 - DCS - code is in lower 12b
           - n & 0x8000 - if DCS, inverse code
           - neither bit set - CTCSS - tone is lower 12b * 0.1Hz
0x0a      0x2     TX TONE [i16 LE] (see above)
0x0c      0x1     FLAGS:
                        [ MSB |     |     |     /     |     |     | LSB ]
                        [     |     |     |     / BCL       |     |     ]
                        [     |     |     |     / Y:1 |     |     |     ]
0x0d      0x1     FLAGS:
          [ MSB |     |     |     /     |     |     | LSB ]
                        [     |SCAN?| POW | W/N /PROG?|     |     |     ]
                        [     | Y:1 | H:1 | W:1 / N:1 |     |     |     ]
0x0e      0x1     UNKNOWN:
                        [ MSB |     |     |     /     |     |     | LSB ]
                        [     |     |     |     /      SIGCODE-1 i4     ]
                        [     |     |     |     /                       ]
0x0f      0x1     UNKNOWN

RADIO OPTIONS BLOCK (0xe20)
---------------------------

0x00      0x1     B_DISPLAY - 0=number 1=name 2=freq
0x01      0x1     VFOA_STEP - 0=2.5 1=5 2=6.25 3=10 4=12.5 5=25
0x02
0x03
0x04
0x05      0x1     VOX, 0 = off 1=on
0x06
0x07      0x1 BDR (dual watch) - 0=off 1=on
0x08
0x09      0x1     TOT - (n+1) * 15s, max value 0x27 = 600s
0x0a      0x1     ANI_ONPRESS - 0=off 1=on
0x0b      0x1     ANI_ONRELEASE 0=off 1=on
0x0c
0x0d      0x1     BEEP - 0=off 1=on
0x0e      0x1     VOICE - 0=off 1=on
0x0f
0x10      0x1     DTMF_SIDETONE - 0=off 1=keypad 2=id code 3=both
0x11
0x12      0x1     VFOB_STEP - 0=2.5 1=5 2=6.25 3=10 4=12.5 5=25
0x13      0x1     POWER_SAVE - 0-4
0x14      0x1     PTT_ID_DELAY - 0-30 ms
0x15      0x1     PTT_ID - 0=off 1=begin 2=end 3=both
0x16
0x17      0x1     A_DISPLAY - 0=number 1=name 2=freq
0x18      0x1     SCAN_RESUME - 0=time 1=carrier 2=search
0x19      0x1     AUTO_LOCK - 0=off 1=on
0x1a
0x1b      0x1     DTMF_ON_TIME  - n*10 + 50 ms, 0-195 (max 2000)
0x1c      0x1     DTMF_OFF_TIME - n*10 + 50 ms, 0-195 (max 2000)
0x1d      0x1     WAIT_COLOR - 0=off 1=green 2=red 3=yellow
0x1e      0x1     RX_COLOR   - 0=off 1=green 2=red 3=yellow
0x1f      0x1     TX_COLOR   - 0=off 1=green 2=red 3=yellow
0x20      0x1     ALARM_MODE - 0=tone 1=code 2=site
0x21
0x22      0x1     TX_DURING_DW - 0=disable 1=CHA 2=CHB
0x23      0x1     TAIL_NOISE_CLEAR - 0=off 1=on
0x24      0x1     PASS_REPERT_NOISE (???) - n * 100
0x25      0x1     PASS_REPERT (???) - n * 100
0x26      0x1     POWER_ON_DISLAY - 0=all segments 1=message
0x27      0x1     ROGER_BEEP - 0=off 1=on
0x28      0x1     CH_MODE_MENU - 0=off 1=on
0x29      0x1     FM_RADIO_ENABLE - 0=off 1=on
0x2a
0x2b      0x1     RESET_ENABLED - 0=off 1=on
0x2c      0x1     VFO_MEM - 0=vfo 1=mem
0x2d      0x1     KEY_LOCK - 0=off 1=on
...
0x3a      0x5     ANI_CODE
...
0x4e      0x1     ABR (backlight timer) - 0-5 (seconds)

VFO OPTIONS BLOCK (0x1f60)
--------------------------

0x00      0x1     SHIFT - 0=off 1=+ 2=-
0x01      0x4     OFFSET - BCD * 10KHz
...


COMMANDS
========

serial 9600bps

MAGIC NUMBER - 0x49 0x69 0x4e 0x48 0x53 0x47 0x30 0x4e 0x02
  EXPECT 0x06

IDENTIFY RADIO - 0x02
  EXPECT 0x06 + MODEL "J5602C" + 0xf8 (cksum?)

ENTER MEMORY MODE? - 0x06
  EXPECT 0x06
  
READ MEMORY - 0x52 [2 byte address] [1 byte length]
  EXPECT 0x57 [2 byte address] [1 byte length] [n bytes data]
  
WRITE MEMORY - 0x57 [2 byte address] [1 byte length]
  EXPECT 0x06

Comments