Hacking Retevis B63H aka B3H

PUBLISHED ON 10/11/2023 — EDITED ON 10/11/2023 — HAM

It is illegal to use higher power than 0.5W on PMR446 frequencies. Use this only if you want to use the radio on other frequencies you are licensed to use (HAM).

As the radio (B63H) is sold as a PMR radio in the EU, the official programming software (CPS, code plug software) makes it impossible to change RX and TX frequencies, power and channel width. The situation is similar across the pond, where the B3H variant is locked to FRS.

The predecessor, the RT622P, could have its CPS unlocked from the menu, so altering the otherwise immutable data was really easy. You can find more info at GitHub. This one unfortunately does not provide such a convenience.

As a HAM radio operator, maybe you would like to program the radio to work on some UHF frequencies with higher power and different channel width?

With a little help from reverse engineering, here are some of my findings that can mitigate the issue.

The save file that CPS provides consists of multiple lines of seemingly hexadecimal code.

Each channel's data is stored in two lines, starting at lines 4+5 for CH1, 6+7 for CH2, etc.

Immutable data

The things you can’t change in the official programming software are RX and TX frequencies, power and channel width, so let's start with that.

Channel, Power, Channel width

Frequency and subtone are stored in little-endian notation.

U280 (433.500MHz)

Even lines:

57 00 10 08 25 06 60 44 25 06 60 44
            AB CD EF GH                 - RX freq 446,00625
                                        -         GHE FCDAB
                        AB CD EF GH     - TX freq 446,00625
                                        -         GHE FCDAB

Odd lines:

57 00 18 08 FF FF FF FF F7 FF FF FF
            xx xx                   - RX subtone
                  xx xx             - TX subtone
                        x           - scan add F=OFF E=ON
                         x          - 3=L/W, 7=L/N, B=H/W, F=H/N

Example of frequency 443.500MHz (TX and RX) with high power and narrow channel width:

57 00 10 08 00 00 35 44 00 00 35 44
57 00 18 08 FF FF FF FF FF FF FF FF

After you change the values, store the file, open it with CPS, check for validity and write it to the radio.
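
An added example, not part of the original post or of the CPS: a small Python decoder for one channel's line pair, useful for checking a hand-edited file before opening it in CPS. It assumes every line carries 12 bytes, treats the first four bytes as an opaque header and leaves the subtone bytes raw; all function and field names are hypothetical.

```python
from decimal import Decimal

# Low nibble of byte 8 on the odd line, as listed above.
POWER_WIDTH = {0x3: "L/W", 0x7: "L/N", 0xB: "H/W", 0xF: "H/N"}
# High nibble of byte 8 on the odd line.
SCAN_ADD = {0xF: "OFF", 0xE: "ON"}


def parse_line(line):
    """Turn '57 00 10 08 ...' into 12 bytes, rejecting malformed lines."""
    data = bytes.fromhex(line)
    if len(data) != 12:  # assumption: every line is 12 bytes long
        raise ValueError(f"expected 12 bytes, got {len(data)}")
    return data


def decode_freq(field):
    """4 bytes AB CD EF GH -> digits GHEFCDAB -> GHE.FCDAB MHz."""
    digits = field[::-1].hex()
    if not digits.isdigit():
        raise ValueError(f"non-decimal digits in frequency field: {digits}")
    return Decimal(digits) / 100000


def encode_freq(mhz):
    """Inverse of decode_freq; mhz is a string such as '443.500'."""
    units = Decimal(mhz) * 100000
    if units != units.to_integral_value() or not 0 <= units < 10**8:
        raise ValueError(f"{mhz} MHz does not fit 8 digits of 10 Hz steps")
    return bytes.fromhex(f"{int(units):08d}")[::-1]


def decode_channel(even_line, odd_line):
    """Decode one channel from its even (frequency) and odd (flags) line."""
    even, odd = parse_line(even_line), parse_line(odd_line)
    flags = odd[8]
    if flags >> 4 not in SCAN_ADD or flags & 0xF not in POWER_WIDTH:
        raise ValueError(f"unknown flag byte {flags:02X}")
    return {
        "rx_mhz": decode_freq(even[4:8]),
        "tx_mhz": decode_freq(even[8:12]),
        "rx_subtone_raw": odd[4:6].hex().upper(),  # raw bytes, not interpreted
        "tx_subtone_raw": odd[6:8].hex().upper(),
        "scan_add": SCAN_ADD[flags >> 4],
        "power_width": POWER_WIDTH[flags & 0xF],
    }
```

Run on the two line pairs shown above, it returns 446.00625 MHz with L/N and 443.5 MHz with H/N.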

Other research

All of this can be changed in the CPS; I am noting it here just for fun.

The subtone is stored in little-endian notation in the odd channel lines.

57 00 18 08 FF FF FF FF F7 FF FF FF
            xx xx                   - RX subtone
                  xx xx             - TX subtone


57 00 18 08 48 11 48 11 F7 FF FF FF

Squelch, ToT, VOX, Vox delay, battery save

Line 122

57 03 C0 08 8B 03 00 02 05 02 FF 00
                x                     - Squelch, possible values 0-9, currently 3.
                      x               - Time out timer values 0-6 (off, 30, 60, 90, 120, 150, 180 seconds)
                         x            - Vox level 1-9
                                  x   - Vox delay timer 0-5 (0.5s, 1s, 1.5s, 2s, 2.5s, 3s)
          x                           - battery save 8=ON, 9=OFF
