home
Zicht op Andijk
Hoofd
pagina
DCF77
Ontvanger
Si RF
Module
Useless
Machine
AIS
Ontvanger
GPS
Ontvanger
Uniden
69 XLT
Metaal
Detector

The Uniden UBC69XLT-2 mod project

(niet in nederlands)



A handheld scanner I use on my boat. It's a nice robust receiver. Sensitive and can stand a drop on the floor.
But that's about it. Hard to program, not connectable to any computer so most of the time it's laying around.
I made a discriminator tap on it to use it for AIS, PocSag and amateur bands.

Let's do the ultimate Uniden XLT-69-2 mod.

IF tap
I was wondering if the XLT can be used with the SDR by the IF. There's no IF connection but maybe it can be made.
On the internet I found a service manual with a schematic. I found the IF block close to 21.3 Mhz IF instead of the regular 10.7 Mhz.
That doesn't matter. The PMSDR can be tuned to 21 Mhz. If I connect the IF to the SDR maybe I can use the SDR on higher frequencies.
The XLT receives and send the IF to the SDR for further processing. A nice extension on the SDR.

CAT
The receiver is not programmable by a computer. Hmmm, let's see how this XLT works. A little processor, a rom memory and a Ic2 bus.
Ic2 bus? That's interesting. That means parts are using a data bus and a data bus can be sniffed and even intercept and manipulated.
Let's take a look at the eprom. That's a standard eprom easy programmable and readable by the data bus.
If I connect a serial port to the eprom data bus I sure can read and program it.
What about the processor? The firmware is hidden so nothing to do there. Back to the eprom
Suppose the processor is in a loop of memory scanning. I hope it is retrieving the frequencies one by one from the eprom.
Than it tunes into the frequency and checks for signal etc. I need to get in between.
The plan is to intercept the memory call, than send back a frequency on the data bus via a serial port.
In that way I emulate the eprom but control any time what frequency to use and make it a SCR (Software Controlled Radio). That's the plan.

Step one. Make an IF tap.
Step two. Attach a serial port to the data bus and see what is happening there.

(On the schematic is also a close-call connection option but is not in the firmware. This can be fun.)

Step 1: Making the IF tap (9 december 2012)
And so I opened the receiver to find the chip where the IF is located.
On the left picture you can see the chip and the yellow arrow is pinpointing the connector.
The right picture shows the connection after the wire is connected. The green arrow pinpoint the 1.5 nf capacitor to block the DC.
I glued it to the board just to the protect the wiring from breaking while working on the receiver.
The last picture shows the print board from the other side where the arrow points the 1.5 nf and the circle the ground.
I connected the other side to a SMA connector and that was it. The IF tap 21.3 MHz.

(The gray wire is the discriminator tap)
Uniden UBC69XLT-2 mod Uniden UBC69XLT-2 mod
Uniden UBC69XLT-2 mod

After this I was curious if the tap works. Yes it did! Close to perfect.
Programmed the XLT receiver on the pager frequency what can be received here even without an antenna.
The transmitter is located just 500 meters from my house. Imagine the inter modulation I have to deal with :(

Then the SMA connector was connected to the PMRSDR antenna and after tuning to 21.3 Mhz there was a signal.
Real hard about one billion over 9 as you can see on the picture below and noisy but hey that's the purity of IF.
And so I started some programs. Look at PDW decoding pagers, or Trunk View doing Tetra and also APRS from the amateur band.
Uniden UBC69XLT-2 if tap Scannner PDW
Scanner Tetra Scanner APRS

This all look nice. Better than a discriminator tap. Now I can do all digital modes and modulations.
One thing I noticed was the bad quality of the Uniden audio and squelch part.
While scanning the CB band, used by farmers and truckers in this area, I noticed some strong voice signals on the waterfall.
The Uniden squelch didn't respond on it. When I opened the squelch there was some noise but not making sense.
But when I listened the same signal via IF on the PMSDR the voices became crystal clear.
Conclusion: a very nice and sensitive receiver, a very bad audio and squelch.
If Uniden had made that part better this 69xlt was the king of portables.
More reason to mod it to a VHF/UHF SDR.

To the next step. Sniffing the Ic2 bus and try to understand the data bus.
Instead of interfacing the EEPROM I think a better approach will be manipulating the PLL.
The PLL is a standard MB15U36 Dual PLL Frequency Synthesizer with On-Chip Prescaler. (whatever that all is but sounds good..)
This means the frequency can be set just by sending the right values to the data pin of the PLL.
I expect the frequency range of the receiver can be stretched and the gaps in the banks to be available.
How to program a PLL? Don't know yet, never did that before. Have to study the protocol.
But first I have to order a Bus Pirate

As you have noticed, step three is also named. Converting this hand scanner into a vhf-uhf SDR.


Step 2: Research I2C Bus. December 28, 2012
I have decided to design a RS232 interface on the XLT69 for controlling by SDR software. Just like the Kenwood THF7.
But something must translate the RS232 commands into I2C commands....
To make that mod work I probably need a PIC microprocessor. In a far past I did some smart card PIC programming to unlock sat receivers but that knowledge is faded out.
Back to "school". Pic's are so nice and fun to program that I spend almost two weeks on a row to get familiar with them.
I'm getting somewhere now. I'm able to serial interface the PIC and send I2C read/write commands to the 24c01 eprom on the development board. (pc -> rs232 -> pic -> i2c -> 24c01 -> i2c -> rs232 -> pc)

Now the RS232<->I2C interface is working I need to know what kind of commands the XLT69 is using. For that I bought a Bus Pirate.
That's the hardware hack tool pur-sang! For learning the 24c01 eprom on the PIC development board was sniffed to see where to look for. I know what I programmed in the PIC and how he's interacting with the eprom. That makes it easy to understand how things are working. And guess what? It works! All commands and responses are on the screen and no hocus-pocus for me.

Maybe programming the PLL is far over my limit and must I slow down a little. Back to the initial plan. Manipulating the eprom memory.
Suppose the frequency limits are only in the BIOS when data entry find place and after that the frequencies are just read and scanned without any validation. Why should Uniden check this a second time anyway, nobody will change the eprom via a bypass ;)
Let's hope the programmer thought the same. That would be nice and it will be easy to do the trick. If not, I have to control the PLL. That's more work.

First I'm going to make a tap on the BR24L16F-WE2 , the XLT68 eprom, so the content can be read.
Then connect that to the Bus Pirate and "listen" to the eprom memory. Let's see how the Uniden is using the eprom and for what.

Here's the connection to the chip and the Bus Pirate in action sniffing the PIC development board:
Uniden memory Uniden sniffer


Fallback: Processor is hack proof. December 30,

Sniffed the I2C commands inside the XLT. It's almost clear how the memory is used and where values are stored.
Results here. I can send commands to the memory, write values and thus program the thing.
Well, the Uniden programmer is smarter then I hoped for. Writing memory outside the band plan will work but when the receiver detect an outside range frequency it will clear the memory channel and not scan it. Outside the band plan on this way will not work.
Change the memory on the fly won't work either. At boot the processor read the memory content and all the processing goes without any memory interaction. Resetting the processor after a memory change will take to much time to be workable. Uniden you're not helping....

There are some things I'm confused about.
Some memory areas are written after a full reset and never used again. Not for read or write. It's in the 0xAC and 0xAE area. Why should anyone do that?
And most interesting is a part at the bottom of the memory (0xA0) with 16 byte values. The processor read it when booting.
If the receiver is reset or any of these 16 values are changed, the processor clears the whole memory at boot and restores the original values after that.
The whole eprom can be changed with any value you like. But not those 16 bytes. Might be the key to something. If anyone know what the meaning is of those 16 bytes just let me know.

The result for now. The device is programmable with an I2C interface. Backup and restore memory is possible now.
PLL is an option but takes more time I think, maybe to do when I'm out of projects some day.
But this is not the goal I'm heading for, controlling the receiver by CAT is still the plan before closing this project.
I figured that the most handy way is a keyboard route. A small PIC like the 12f629 and a pair of CD4051 will make it possible to emulate key presses and control it via a serial port. The XLT can then be controlled. Let's try that.

4x4 Keyboard Emulator. January 3.
Today I designed a keyboard emulator. The idea of a 4x4 matrix is that for every key press 2 out of 8 lines are connected.
Those 8 lines are connected to the processor and he knows what key is pressed. See here more explained.
The idea is to send a command trough the serial port to a PIC and the PIC controls two 4052 multiplexers. Those multiplexers are like 4 switches.
If I use 2 multiplexers a 4x4 keyboard can be emulated. And so I programmed a 12f675 PIC for that.
Below the schematic and the prototype. Left you see the small PIC. On the right 2 multiplexers. On the far right some led's for testing.
As you can see there are 2x4 led's where on every group 1 led is active when a valid key is pressed.
Keyboard emulator
Keyboard emulator

Now I have to build the 3 chips into the Uniden and viola, a computer controlled XLT-69. The first in the world!
But that is not going to happen. :(
The keyboard connections in the XLT ar so small that I can't get wires soldered to it. I made a quick look voor the PLL but these connections are even smaller. My eyes are getting to weak and my hands shaking a little to much. Maybe someone somewhere will manage to do the final step. Let me know if so.

Closing the project.
It is time to close the project. My wife need some attention and my boss want me back to work.
Anyway, I think the project is a succes. I know now how those receivers operate and did some funny things with it.
I leave the I2C connection intact so I can manage the memory. That's a direct profit.
Maybe one day I'll put a PIC in between for programming by the serial port and with an easy command set instead of the hard I2C commands.

The 4x4 keyboard emulator is a great result of the project. It can be used for any device with a matrix keyboard. New or old.
As long as you can make the connections it's usable. On my pic page you find the source code.

 
Webdesign door mezelf en alle content is auteursrechtelijk beschermd.