900 MHz MaxTrac VCO Range Switching

MaxTrac index
Motorola index
Back to Home 900 MHz MaxTrac
VCO Range Switching
By Robert W. Meister WA1MIK

The 900 MHz conventional MaxTrac radio VCO has two ranges: one covers receive plus normal transmit (896-902 MHz) and the other covers talk-around transmit (935-941 MHz). A signal from the logic board selects the range based on the transmit frequency. This switch occurs around 903 MHz. Anything lower (receive plus normal transmit) uses the low range; anything higher (talk-around) uses the high range. This is determined completely by the radio; RSS has no control over it. From previous experimentation and info I found on the web, I figured that the MaxTrac switches VCO ranges at 903 MHz, so I tried to find the code that selects the proper range. It was straight-forward after I figured out how the radio deals with frequency information.

The information presented here applies to firmware product FVN4019A (conventional 900 MHz MaxTrac).

Most 900 MHz repeater operation uses the 902-903 MHz range for inputs, but there are times when it could be useful to have the radio transmit properly at frequencies just above 903 MHz.

Unfortunately the 900 MHz trunking MaxTrac radio, which uses different firmware, switches VCO ranges at 902.5 MHz. This same fix, implemented at different locations, should also work on radios with trunking firmware. It has not been tried. (Similar code was found around memory address C255h.)

Frequency Encoding:

Transmit (and receive) frequencies in the MaxTrac are stored as a 16-bit value which is the number of steps above a base frequency. In the 900 MHz radio, the step size is 12.5 kHz and the base frequency is 894,400 kHz. (It's easier to deal with frequencies in kHz rather than MHz.) To convert 903,000 kHz to the step number, we do the following calculations. Throughout this article, hexadecimal values will have an "h" at the end.

903,000 - 894,400 = 8,600 (kHz above the base frequency)
8,600 / 12.5 = 688 (steps above the base frequency)
688 decimal = 02B0h (the hex value to look for)

I opened a copy of the 900 MHz firmware (FVN4019A) image file with Hex Workshop. I then searched for the hex value determined above: 02B0h. I found exactly one occurrence, shown in red below, as part of the following instruction sequence. Note that the "File" column lists the addresses in the image file, while the "ROM" column lists the addresses that the code is executing at, when in the radio's EPROM. All of the addresses and data are hexadecimal.

File ROM Data Bytes Instruction Comments

2E21 AE21 DC 4E LDD $004E Get data from RAM

2E23 AE23 1A 83 02 B0 CPD #$02B0 Compare to memory value

2E27 AE27 25 0E BCS $AE37 Branch if lower (carry-set)

2E29 AE29 1D 00 40 BCLR 0,x,$40 Code to select HI range follows

File	ROM	Data Bytes	Instruction	Comments
2E21	AE21	DC 4E	LDD $004E	Get data from RAM
2E23	AE23	1A 83 02 B0	CPD #$02B0	Compare to memory value
2E27	AE27	25 0E	BCS $AE37	Branch if lower (carry-set)
2E29	AE29	1D 00 40	BCLR 0,x,$40	Code to select HI range follows

That sure has a familiar ring to it. If we change the value 02B0h to something more useful, we should be able to get the VCO to switch ranges at a more convenient frequency. For a test, I chose 915 MHz, because it's the middle of the 902-928 MHz amateur band. Running through the calculations above, I now get a new value of 0670h, which goes into the file at hex addresses 2E25h and 2E26h. Could it be this easy?

Seemed Simple Enough:

To test the operation, I programmed some transmit frequencies into a radio at 902, 903, 904, 914, 915, and 916 MHz and measured the PIN SHIFT signal with a DC voltmeter on pin 14 of the connector that goes between the logic board and the RF board. This pin is low when the VCO's high range (talk-around) is selected and high otherwise (RX and normal TX). At each frequency, a quick press of the PTT button causes the radio to transmit (into a dummy load, of course) and the PIN SHIFT signal can be observed. The data is recorded in the table shown later.

After burning a new EPROM, I installed it into the radio and turned it on. I got a continuous steady beep sound, indicating a problem, which I correctly figured was a checksum error. So I had to find and fix that issue before continuing. See, I knew it couldn't be that easy.

Second Attempt:

After searching through a partial disassembly of the firmware, I found code where the program verifies that the EPROM's data is correct when the radio is turned on. It does this using a simple 8-bit checksum routine (which is used in a lot of other places in the radio). This table shows the upper half of the radio's memory.

Start End Location Contents Checked? Checksum

8000h B5FFh EPROM Firmware Yes 7Bh

B600h B7FFh EEPROM Code Plug No None

B800h FFFFh EPROM Firmware Yes 85h

Start	End	Location	Contents	Checked?	Checksum
8000h	B5FFh	EPROM	Firmware	Yes	7Bh
B600h	B7FFh	EEPROM	Code Plug	No	None
B800h	FFFFh	EPROM	Firmware	Yes	85h

The two resulting checksum bytes of the EPROM, when added together, must equal zero. With the original firmware, the 8-bit checksums for these areas were as shown above; with the new VCO switch frequency value discussed above, these changed to 3Fh and 85h. I changed file location 35FFh (EPROM location B5FFh) from FFh to 3Bh and that restored the original 7Bh checksum value for that half of the EPROM. I erased the previous EPROM and burned a new version. This time the radio powered up and worked perfectly.

With the new firmware, I repeated this test including frequencies around 915 MHz, the "new" magic frequency. As expected, the PIN SHIFT line switched at the new frequency. Here are the tabulated results showing the channel number, transmit frequency, and voltage level on pin 14 (H = ~5VDC, L = ~0VDC):

Ch Freq Orig New

1 902 H H

2 903 L H

3 904 L H

4 914 L H

5 915 L L

6 916 L L

Ch	Freq	Orig	New
1	902	H	H
2	903	L	H
3	904	L	H
4	914	L	H
5	915	L	L
6	916	L	L

If you want to use a switching frequency that's different from the 915 MHz I chose, you must calculate and fix the checksum for the lower half of the EPROM yourself. To do that, change location B5FFh to 00h, generate the checksum for 8000h-B5FFh, subtract that value from 17Bh, and put the low two digits into location B5FFh. Generate the checksum again and verify that the result is 7Bh.

What You'll Need:

To do this job, you'll need a hex editor, an EPROM burner, and either an erased EPROM or an EPROM eraser. I had all of this, including a copy of the firmware already in a disk file that I read from another EPROM. The steps you might need to do are:

Unplug the radio's power cord. Open the radio. Remove the logic shield.
Remove the existing EPROM from the radio.
Read the existing EPROM into a disk file.
Keep the original EPROM data for backup purposes.
Hex-edit a copy of the data.
Erase the existing EPROM, or use another erased EPROM.
Write the new data to an EPROM.
Install the new EPROM into the radio.
Install the logic shield. Close the radio. Plug the radio back in. Test your work.

I use Hex Workshop, available from BPSoft. I use the True-USB PRO GQ-4X Willem Programmer, which I bought for about $100, available from MCUMall. The eraser was an inexpensive ($50) ultra-violet unit that can handle four ICs at a time, available from Circuit Specialists.

As usual, performing such a modification will void the warranty. I cannot be held responsible for any damage you incur during this process.

Contact Information:

The author can be contacted at: his-callsign [ at ] comcast [ dot ] net.

Back to the top of the page
Up one level (MaxTrac index)
Up two levels (Motorola index)
Back to Home

This page originally posted on Friday 05-Aug-2011

This web page, this web site, the information presented in and on its pages and in these modifications and conversions is © Copyrighted 1995 and (date of last update) by Kevin Custer W3KKC and multiple originating authors. All Rights Reserved, including that of paper and web publication elsewhere.