I unlocked a Baofeng GM-5RH GMRS radio to transmit on non-GMRS frequencies by reflashing it with firmware from Amo Xu’s 5RM/5RH reverse engineering project. The hardware of the GM-5RH is identical to the UV-5RH ‘L’ version with an AT1846S transceiver chip, so I was able to just wipe and reflash the MCU through its SWD port and turn the GM-5RH into a UV-5RH.

I attempted to use the firmware upgrade tool to ‘update’ the radio over its serial port, but it was unable to connect. The GMRS version uses a different code to start programming frequencies than other radios, so perhaps it also has a different code to start a firmware upgrade.

Connecting to the SWD port

The SWD pins are conveniently broken out to pads on the main PCB, but they are also used to drive the RX/TX LEDs, so I had to solder to the reset pin as well to hold it in reset while starting the debugger. The reset lead is soldered to the resistor and capacitor next to the crystal, connected to pin 7 of the MCU.

I followed these instructions to turn a blue pill into a ST-Link since I don’t have a dedicated SWD debugger.

Flashing with OpenOCD

The processor is an Artery AT32F421 so I used Artery’s fork of OpenOCD. The included flash driver (as far as I can tell) doesn’t support the 4KiB bootloader flash extension that the firmware uses, but a quick patch fixes that.

I think this is the important part for flashing the new firmware, although the process I actually went through was a lot longer and more convoluted:

reset init
flash disable_access_protection 0
flash write_image <path/to/5rh-v07-flashable>

I actually disabled the access protection manually because I didn’t realize the driver provided a helper function to do so.

Making the binary

I used the dumped bootloader and the 5RH_AT1846S_V0.07_FangtiBlueBG_230918.BF firmware from Amo Xu’s 5RM/5RH reverse engineering project. Their decryption tools extract and decrypt the two application sections from the firmware file. I consolidated the bootloader and application sections into one ELF binary to make the flashing simpler:

First copy the raw binaries into ELF objects…

arm-none-eabi-objcopy -I binary -O elf32-littlearm --rename-section .data=<section>,code,contents,alloc,load,readonly <in-file>.bin <out-file>.o

…then a quick linker script…

SECTIONS
{
    . = 0x08000000;
    .btldr : { *(.btldr) }
    . = 0x08001000;
    .app : { *(.app) }
    . = 0x1fffe400;
    .bootmem : { *(.bootmem) }
}

…and finally put everything together.

arm-none-eabi-ld dumped_btldr.o out-dec-1.o out-dec-2.o -T flashable.ld -o 5rh_v07_flashable
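Before linking and flashing it is worth confirming that each raw blob actually fits the slot the linker script gives it; a bootloader that spills past 0x08001000 would be silently overlapped by the application section. The script below is an added example, not part of this post or of Amo Xu’s tooling. It takes the three region addresses from the linker script above (.btldr, .app, .bootmem), checks sizes and overlaps, and builds a 0xFF-padded flat image of main flash that can be compared against what `flash write_image` programs. The slot sizes (a 64 KiB main flash and a 4 KiB boot-memory extension) are assumptions to check against the AT32F421 datasheet for the exact part, and the blob contents in the demo are constructed placeholders rather than the real firmware.

```python
"""Sanity-check a bootloader/application layout before linking and flashing.

Added example, not code from the original post or from the 5RM/5RH project.
Region start addresses come from the linker script in the post; the region
sizes are assumptions (see comments) and the demo blobs are constructed.
"""
from dataclasses import dataclass

FLASH_BASE = 0x08000000      # from the linker script
FLASH_SIZE = 64 * 1024       # ASSUMED main flash size; verify for your part
BTLDR_ADDR = 0x08000000      # .btldr, from the linker script
APP_ADDR = 0x08001000        # .app, from the linker script (4 KiB after .btldr)
BOOTMEM_ADDR = 0x1FFFE400    # .bootmem, from the linker script
BOOTMEM_SIZE = 4 * 1024      # ASSUMED size of the boot-memory extension


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    size: int      # size of the slot the region may occupy
    data: bytes    # raw binary that will be placed at `start`

    @property
    def end(self) -> int:
        return self.start + self.size


def default_regions(btldr: bytes, app: bytes, bootmem: bytes):
    """Build the three regions from the post's linker script."""
    return [
        Region(".btldr", BTLDR_ADDR, APP_ADDR - BTLDR_ADDR, btldr),
        Region(".app", APP_ADDR, FLASH_BASE + FLASH_SIZE - APP_ADDR, app),
        Region(".bootmem", BOOTMEM_ADDR, BOOTMEM_SIZE, bootmem),
    ]


def check_layout(regions):
    """Return a list of problems; an empty list means the layout is sound."""
    problems = []
    for r in regions:
        if len(r.data) > r.size:
            problems.append(
                f"{r.name}: {len(r.data)} bytes exceeds its {r.size}-byte slot")
    ordered = sorted(regions, key=lambda r: r.start)
    for a, b in zip(ordered, ordered[1:]):
        if a.end > b.start:
            problems.append(f"{a.name} slot overlaps {b.name} slot")
    return problems


def build_flat_image(regions, base=FLASH_BASE, size=FLASH_SIZE, fill=0xFF):
    """Place every region that lives in main flash into one padded image.

    Regions outside [base, base + size) (here .bootmem) are skipped, since
    they are programmed to a different address range.
    """
    image = bytearray([fill]) * size
    for r in regions:
        if base <= r.start < base + size:
            off = r.start - base
            image[off:off + len(r.data)] = r.data
    return bytes(image)


if __name__ == "__main__":
    # Constructed placeholder blobs: a bootloader that exactly fills its
    # 4 KiB slot, a small application, and a 1 KiB boot-memory block.
    regs = default_regions(b"\x00" * 4096, bytes(range(256)) * 10, b"\xaa" * 1024)
    for problem in check_layout(regs) or ["layout OK"]:
        print(problem)
    img = build_flat_image(regs)
    print(f"flat image: {len(img)} bytes, app starts at 0x{APP_ADDR:08X}")
```

Run it against the real blobs by reading them in with `open(path, "rb").read()` in place of the constructed bytes; anything reported by `check_layout` should be resolved before running `arm-none-eabi-ld`.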

Files