The ANYTONE 878UV and most likely most other radios based on the same firmware have a secret factory settings mode. This mode is already know as “full test / self adjustment mode”. Details about it can be found here.
This mode allows the a technician to fine tune various settings within the firmware. The currently known way to enable it as described in the article above is rather complicated. There is a much easier way.
Enabling the Factory Settings Mode
You can use the python script below to simply enable the factory mode on your device. Please make sure that the device is currently the only serial device attached to the computer as the script is pretty dump and will simply try to enable this mode on all attached serial devices.
WARNING! This is a purely educational article. Don’t try this at home as it might break your radio if you start to change settings which you are unfamiliar with. This voids your warranty. You have been warned, proceed on your own risk.
import serial
import serial.tools.list_ports
serialPort = None
def open_com(portname):
global serialPort
try:
serialPort = serial.Serial(port = portname, baudrate=115200, bytesize=8, timeout=1, stopbits=serial.STOPBITS_ONE)
except:
print('ERR: Could not open port ' + portname)
exit()
def send_com():
global serialPort
serialPort.write(b'FALTORY')
resp = serialPort.read()
while serialPort.in_waiting > 0:
resp += serialPort.read()
print("DBG: done!")
print(resp)
if __name__ == '__main__':
print('Anytone Factory Enabler')
ports = serial.tools.list_ports.comports()
for p in ports:
print(p.device)
open_com(p.device)
send_com()
print("DBG: %s ports found", len(ports))
As you can see, the serial command to enable this mode is simply “FALTORY”, which is more likely the obscured variant of FACTORY.
Operation
You can use the middle up/down button to switch between the settings or turn the top middle knob to adjust them. To leave this mode just turn the radio off.
If you want to try a change, make sure that you note down the initial value of the option you are going to change. Randomly changing values will break your radio! This mode was made for service at the factory, not general usage, keep that in mind. Some settings might even cause bad or disturbing signals.
Additional Operation
After taking a deeper look into the USB handler of the firmware I was able to identify the entire serial protocol used by the device. It also showed that there are certain device commands which seem to be bound to this factory mode. Below is a list of the identified commands.
If you notice gaps in the internal IDs, this is normal. There seem to be some IDs which are not used. Also, there are some IDs which are processed but not handled by the firmware. I marked them as “not processed” in the comments. To my knowledge these are responses codes sent by the firmware itself. Why they are included in the parser? No idea.
[ACK] in the list is a normal \x06 Byte. There are some commands with ? in them, I was unable to identify the correct keyword. From the code it looks like these commands are only validated by their starting byte? I will update the list with new findings as soon as I have new findings.
Bootloader Commands
| Command | Length in Byte | Comment |
| UPDATE | Enable Update Mode | |
| \x01 | 4 Byte address | 32 Byte data | 2 Byte Checksum | [ACK] | 40 | Send update data to the device, requires update mode |
| \x02 | 1 | read device type and information I<device type>\x00<band byte><version>\x00\x00\x06 |
| \x18 | 1 | End Update Mode, reboot |
The commands in the table above are only useable if the device is in bootloader mode (blinking red light). A read command does not exist. The best way to dump the bootloader is using a ST-Link in SWD mode.
App Commands
| Internal ID | Command | Factory Only | Length in Byte | Comment |
| 1 | PROGRAM | Programming mode “PC Mode” | ||
| 5 | QX[ACK] | 3 | not processed | |
| 9 | FALTORY | Factory Mode | ||
| 10 | End | end current mode | ||
| 11 | R | 4 Byte address |1 Byte count | 6 | read command, count up to \xFF | |
| 12 | W | 4 byte address | 1 byte length | 16 byte Data | 1 byte checksum | [ACK] | 24 | write command | |
| 16 | Newerom | not processed | ||
| 17 | T???[ACK] | x | 5 | |
| 18 | D???[ACK] | x | 5 | |
| 19 | G?[ACK] | x | 3 | |
| 20 | q?[ACK] | x | 3 | |
| 21 | Y?[ACK] | x | 3 | |
| 22 | B????????????[ACK] | x | 14 | |
| 23 | A???????????[ACK] | x | 14 | |
| 24 | J???????????[ACK] | x | 14 | |
| 25 | K????????????[ACK] | x | 14 | |
| 30 | \x06 | [ACK], not processed | ||
| 32 | C?????????????????????????????????????????????????[ACK] | x | 50 | |
| 33 | \x82?[ACK] | x | 3 | returns a C cmd (ID 32) |
| 34 | S????? | x | 6 | |
| 35 | \xA4 | x | 1 | |
| 36 | X????? | 6 | ||
| 37 | V????? | 6 | ||
| 38 | M????????? | 10 | ||
| 39 | H??????????????????????? | 24 | ||
| 40 | kindrecord | get mp3 recordings? | ||
| 41 | recording | Sets Screen to “PC Record” | ||
| 42 | Z??????[ACK] | 8 | ||
| 43 | h[ACK] | 2 | ||
| 44 | kaprs | UVII only |
If you are interested in investigating into the protocol yourself, look at offset 0807BF5A in the 2.04 firmware of the 878UVII.