« Return to Tools & Documents
« Return to Documents & HOW-TOs

CPS Out of Band Modification HOW-TO
v2.0 03/17/2012

Introduction

This document details how to make modifications to currently available Customer Programming Software (CPS) for the Motorola Astro and Astro25 series tranceivers, to allow out of band programming. Modification methods discussed herein may be applicable to other CPS packages; the reader is encouraged to experiment on their own.

The Basics

Out of band (OOB) programming is the process of programming a frequency into a radio outside of its rated bandsplit. For example, Astro25 portables (such as the XTS5000) in the upper UHF split (which is called the UHF Range 2, or S split), have a rated bandsplit of 450-520. However, each physical RF component has slightly different tolerances, and may operate within specification (power output, frequency stability, etc) up to several MHz outside of the rated bandsplit. CPS will in some few cases (depending on band, model, etc) allow such programming without modification. In all other cases, it is necessary to modify CPS to allow such frequencies to be programmed without error.

Notice & Disclaimer

This guide is intended to allow Motorola enthusiasts to operate a radio tranceiver in a modified condition, on frequencies for which FCC type acceptance is not required (for example, on the amateur radio bands). A radio tranceiver modified thusly should not be used for commercial or public safety service, or in any situation where communications are critical or convey life and safety information.

The author(s) of this work hereby disclaim that the information given herein is suitable for any purpose whatsoever, and do not make any warranties or guaruntees, either implied or expressed, of the suitability of the information for any purpose. The author(s) of this work disclaim all liability in the event that the use of the information given herein results in harm to persons or property, to any extent.

Important: Please remember to make a backup of any executable file you modify before you begin. Make sure also to make backups of any codeplug on which you intend to use modified CPS. It would probably be a good idea to rigorously test any modified CPS on a test codeplug (to guard against inadvertent modification of non-bandsplit edge value data) prior to reading from or writing to any radios.

---

Section 1: History & Notes

This HOW-TO is based on the original WinCPS OOB document located at Batlabs.

Reference Band Edge Tables

For each CPS package (Portable and Mobile) there are generally two sets of band edges for each bandsplit, one for the bandsplit lower edge and one for the bandsplit upper edge. The table below shows the band tables for the Astro CPS packages, as presented on Batlabs. There is band info for various VHF, UHF, and 800 splits, which is generally represented in integer MHz values (except for the VHF value of 162.550):

---

Section 2: Current CPS Bandsplit Edge Discussion

Throughout this section, we will be using examples derived from Astro25 Portable CPS R09.01.02

Please Note: This document assumes that the reader has some basic knowledge of the tools mentioned, such as hex editors and debugging tools. Advanced topics, such as decompilation, are beyond the scope of this document.

In order to understand how bandsplit edge values are modified, it is first necessary to understand the basics of how the CPS executable functions. Astro and Astro25 CPS executables are what are known as Windows Portable Executable files. Such files are comprised of one or more sections of raw information, which can contain executable code, data, Win32 Resource objects, etc. The sections are defined by the section table, which immediately follows the PE header at the beginning of the file.

It is important to understand that these sections exist, because they in part define how we go about searching for bandsplit edge values (and collections of values in tables). Classically, bandsplit edge values were defined strictly in PE sections that contained only data (do not contain executable code). However, as time has progressed, it appears that some values that pertain to what frequency ranges the radio is allowed to operate in are being placed in sections of executable code. This seems to be especially prevalent for radios that operate on the 700 MHz band (more on this below). Thus, one might find a situation in which modifying bandsplit edge values in strictly data sections of the file do now allow certain OOB frequencies to be input, and in such situations additional values might need to be found and modified elsewhere within the CPS executable.

A useful tool to examine the contents of an executable file is a debugger. One of the better debuggers for Windows (and Windows executables) is OllyDbg. This kind of debugger will attempt to analyze the raw information in the executable file, determine which parts are executable code, and which are strictly data. A very useful and essential accompanyment to a debugger is the document that defines the the processor's instruction set. In the case of Astro and Astro25 CPS, this is the Intel x86 instruction set, reference material for which may be found on Intel's website.

To date, all Astro and Astro25 CPS executables examined have had four PE sections, as follows:



In this case the ".rdata" and ".data" sections contain raw data, and the ".rsrc" section contains Win32 Resource Objects (such as program icons, dialog boxes, etc). The ".text" section contains the executable code, and is the largest of the sections. If you load up the executable in OllyDbg, this should be the only section that shows up as executable module memory.

---

Section 2a: Bandsplit Edge Values in PE data-only sections

Before we look at where and how we find the actual bandsplit edge values, let's look at the layout of the tables.

Each table is comprised of a number of columns and rows. Astro CPS uses a table with 18 columns, and Astro25 CPS uses a table with 20 columns. Below is a meta-table showing a general description of each column and what that column is used for in the CPS packages of each platform.



Some notes on the columns:

• The "narrow" range columns typically apply to VHF & UHF Astro Spectra & Astro Spectra+ radios
• The "wide" range columns typically apply to VHF & UHF Astro Sabers and all XTS/XTL radios
• 700/800, 800, and 900 columns apply to both mobiles and portables in those bands

Now let's look at the rows. Each table is comprised of 5 rows which represent starting bandsplit edges, and 2 rows which represent ending bandsplit edges. Below are tables showing bandsplit edge values rounded to MHz (with annotations for values that are not represented in the table as integer MHz), for the CPS packages for each platform.






Now that we've seen how the tables are layed out, let's look at how to find them in the file.

Looking at Tables 4 & 5 from above, note that some rows share the same starting values. If we convert the first three frequency entry values in Hz into a little-endian longint (which is how the values are stored in the executable, this is discussed in more detail in Section 3 of this document), we get the following:



You should be able to use the resulting hexadecimal strings to search the executable file with your favorite hex editor (also discussed in further detail in Section 3) to find the offsets within the file. For reference, below is a list of the offsets for the current CPS as of this date:



If you find one of these hexadecimal strings in a part of the file far away from all the others, examine it carefully to make sure that it is in fact part of a bandsplit edge table, and that it doesn't appear in any part of the file identified as executable code by your debugger.

Please Note: There may be additional bandsplit edge values within the data-only sections of the executable, either individually or as small tables. If modifying the main bandsplit edge tables does not let you enter the desired frequency, you will probably need to search further for the necessary value to modify.

---

Section 2b: Bandsplit Edge Values in PE executable sections

As mentioned above, sometimes the bandsplit edge value you are looking for to allow a particular OOB frequency will not appear in data-only sections of the file. First let's look at one of the main reasons for this, the "700MHz Problem".

The 700MHz Problem

The extensive machinations surrounding the allocation of 700MHz frequencies vacated by TV broadcasters at the advent of digital TV broadcasts is outside of the scope of this document. Briefly, although the Astro25 700MHz capable radios are physically capable of and type accepted for continuous operation from 764MHz to 870MHz, the FCC rules governing use of the 700MHz spectrum allow LMR service on only portions of the spectrum from 764MHz to 806MHz. Because of this, CPS should only allow the programmer to input frequencies within these specified ranges. Additionally, between 2005 and 2008, the FCC realigned the public safety portion of 700MHz band from two 3MHz narrowband ranges (and a planned 6MHz wideband range), to two 5MHz narrowband ranges. Below is a visual synopsis of this change.



Note the difference in subscriber frequency ranges. More importantly, note that the CPS still covers the pre-2008 ranges, and has been expanded to cover the post-2008 ranges only where they were not already covered. Below are the changes summarized numerically:



Please Note: These values do not include the radio physical bandsplit edge values as those are defined by the hardware, not software.

Under normal circumstances you would not need to modify CPS to allow these additional frequencies to be used - you would have long ago upgraded your CPS accommodate the change. However, there are are circumstances in which you might be constrained to an older CPS version, say R09.01.02, which was built prior to this change. In that case, you can make these kinds of modifications.

Finding Bandsplit Edge Values in Executable Code

Values like the above 700MHz "sub" bandsplit edge values are pretty clearly not in the main bandsplit edge tables, and might reside in the executable sections of the CPS executable file. In fact, for 700MHz, this has been found to be true. Finding these values within executable code is more difficult than searching the data-only sections of the file if you are just using a hex editor, because it is hard to be sure if what you are seeing is code or data.

It's time to turn back to our handy debugger and x86 instruction set. Once you have identified the exact value to change, you can search through the analyzed code for the hex string representing the little-endian longint. What you're looking for is an instruction containing an opcode and the longint. Most commonly this is liable to be a PUSH (storing the value) or a CMP (compare). You might find something like this:



In this case we have searched for the frequency 766.993750 and found both a PUSH and a CMP. Note that the mnemonic will reverse the byte order of the longint.

Once you have verified that the hex string you found is indeed a data value, you can go ahead and modify it.

---

Section 3: Modifiying a Band Edge

The original document described the proceedure using the popular HexWorkshop hex editor. Another option is a freely available hex editor called XVI32. The proceedure is essentially the same in either application.

In the following example we will modify the CPS so that we can program 440 amateur radio frequencies into a S split (450-512) radio. The proceedure for any other band edge is the same.

Convert Values

As mentioned briefly above, the frequency values are stored in the executable file as little-endian longint (long integers), and are referenced in integer Hz.

For example:

Frequency: 450 MHz
Frequency in Hz: 450000000
Frequency in longint: 80 74 D2 1A

So, let's go convert us some numbers.

Open up XVI32, and open up the CPS exe file. (You made a backup... right?). Go to "Tools > Encode Number...". Set the encoding options, type the original frequency (in this case, 450MHz) as Hz into the input box, and press enter.



In Figure 1, we see that we have configured the encoder for LongInt, and chosen to display the output in the output box. Copy the hex string, we'll need that later.



We're almost ready. Use the encoder to encode the longint for 440 MHz, and copy the hex string:



Replace Values

Locate each instance of the original value you wish to change. Once you've located the string, go to "Edit > Overwrite String...". Paste in the 440 MHz hex string, and click on Overwrite. You've now replaced that instance of 450 MHz with 440 MHz.

Once you've replaced all the original values, save the modified file, and open CPS. You should now be able to program frequencies as low as 440.000 MHz into the CPS without it complaining.

Happy hacking!

---

Copyright © 2000-2013 by Peter "Akardam" Acord

questions, comments, suggestions? contact me