Same as k5_v2.01.19_mod.bin, but allows transmission between 50 and 850 MHz.
PLEASE do not blame me if you burn the finals on your radio, get imprisoned for illegally transmitting on military or aeronautical frequencies, or cause a thermonuclear war. This modification is UNTESTED and is for RESEARCH PURPOSES ONLY, to explore the capabilities of the device and its chipset. DO NOT transmit on illegal frequencies. DO use a dummy load. DO report results, preferably spectrum analyzer screenshots, to this repo for research. The author(s) and contributor(s) of this repository are NOT liable for any damages, litigation, or other consequences of the misuse of this research firmware and do not accept any culpability. By installing any firmware from this repository, you accept full responsibility for any consequences that may arise.
@0x1df2
: cf 2a
-> 5D e0
at address @0x1DE8
starts function which check current frequency range and check if you can transmit here or not. Function is totally bypassed by inserting jump to end of function at the beginning.
ROM:00001DE8 F0 B5 PUSH {R4-R7,LR}
ROM:00001DEA 01 46 MOV R1, R0
ROM:00001DEC 82 7F LDRB R2, [R0,#0x1E]
ROM:00001DEE 00 20 MOVS R0, #0
ROM:00001DF0 C0 43 MVNS R0, R0
ROM:00001DF2 CF 2A CMP R2, #0xCF ; PATCH HERE, 5D E0 opcode result in: B loc_1EB0
ROM:00001DF4 2F D2 BCS locret_1E56
ROM:00001DF6 2F 4A LDR R2, =byte_20000369
ROM:00001DF8 49 69 LDR R1, [R1,#0x14]
ROM:00001DFA 12 78 LDRB R2, [R2]
ROM:00001DFC 09 68 LDR R1, [R1]
ROM:00001DFE 2E 4B LDR R3, =0xFF244600
...
ROM:00001EA8 17 49 LDR R1, =byte_200003DD
ROM:00001EAA 09 78 LDRB R1, [R1]
ROM:00001EAC 01 29 CMP R1, #1
ROM:00001EAE E4 D1 BNE locret_1E7A
ROM:00001EB0 00 20 MOVS R0, #0 ; after patch it jumps directly here
ROM:00001EB2 F0 BD POP {R4-R7,PC}