Menu
Finest Hacking and HAM
  • Home
  • About me
  • Links
  • Imprint
    • Privacy Statement (EU)
    • Cookie Policy (EU)
    • Disclaimer
Finest Hacking and HAM

ANYTONE Factory Settings Mode and Serial Communication (USB)

Posted on 1. January 20227. January 2022

The ANYTONE 878UV and most likely most other radios based on the same firmware have a secret factory settings mode. This mode is already know as “full test / self adjustment mode”. Details about it can be found here.

This mode allows the a technician to fine tune various settings within the firmware. The currently known way to enable it as described in the article above is rather complicated. There is a much easier way.

Enabling the Factory Settings Mode

You can use the python script below to simply enable the factory mode on your device. Please make sure that the device is currently the only serial device attached to the computer as the script is pretty dump and will simply try to enable this mode on all attached serial devices.

WARNING! This is a purely educational article. Don’t try this at home as it might break your radio if you start to change settings which you are unfamiliar with. This voids your warranty. You have been warned, proceed on your own risk.

import serial
import serial.tools.list_ports

serialPort = None

def open_com(portname):
   global serialPort

   try:
      serialPort = serial.Serial(port = portname, baudrate=115200, bytesize=8, timeout=1, stopbits=serial.STOPBITS_ONE)
   except:
      print('ERR: Could not open port ' + portname)
      exit()

def send_com():
   global serialPort

   serialPort.write(b'FALTORY')

   resp = serialPort.read()
   while serialPort.in_waiting > 0:
      resp += serialPort.read()

   print("DBG: done!")
   print(resp)

if __name__ == '__main__':
    print('Anytone Factory Enabler')

    ports = serial.tools.list_ports.comports()

    for p in ports:
       print(p.device)
       open_com(p.device)
       send_com()

    print("DBG: %s ports found", len(ports))



As you can see, the serial command to enable this mode is simply “FALTORY”, which is more likely the obscured variant of FACTORY.

Operation

You can use the middle up/down button to switch between the settings or turn the top middle knob to adjust them. To leave this mode just turn the radio off.

If you want to try a change, make sure that you note down the initial value of the option you are going to change. Randomly changing values will break your radio! This mode was made for service at the factory, not general usage, keep that in mind. Some settings might even cause bad or disturbing signals.

Additional Operation

After taking a deeper look into the USB handler of the firmware I was able to identify the entire serial protocol used by the device. It also showed that there are certain device commands which seem to be bound to this factory mode. Below is a list of the identified commands.

If you notice gaps in the internal IDs, this is normal. There seem to be some IDs which are not used. Also, there are some IDs which are processed but not handled by the firmware. I marked them as “not processed” in the comments. To my knowledge these are responses codes sent by the firmware itself. Why they are included in the parser? No idea.

[ACK] in the list is a normal \x06 Byte. There are some commands with ? in them, I was unable to identify the correct keyword. From the code it looks like these commands are only validated by their starting byte? I will update the list with new findings as soon as I have new findings.

Bootloader Commands

CommandLength in ByteComment
UPDATEEnable Update Mode
\x01 | 4 Byte address | 32 Byte data | 2 Byte Checksum | [ACK]40Send update data to the device, requires update mode
\x021read device type and information
I<device type>\x00<band byte><version>\x00\x00\x06
\x181End Update Mode, reboot

The commands in the table above are only useable if the device is in bootloader mode (blinking red light). A read command does not exist. The best way to dump the bootloader is using a ST-Link in SWD mode.

App Commands

Internal IDCommandFactory OnlyLength in ByteComment
1PROGRAMProgramming mode “PC Mode”
5QX[ACK]3not processed
9FALTORYFactory Mode
10Endend current mode
11R | 4 Byte address |1 Byte count6read command, count up to \xFF
12W | 4 byte address | 1 byte length | 16 byte Data | 1 byte checksum | [ACK]24write command
16Neweromnot processed
17T???[ACK]x5
18D???[ACK]x5
19G?[ACK]x3
20q?[ACK]x3
21Y?[ACK]x3
22B????????????[ACK]x14
23A???????????[ACK]x14
24J???????????[ACK]x14
25K????????????[ACK]x14
30\x06[ACK], not processed
32C?????????????????????????????????????????????????[ACK]x50
33\x82?[ACK]x3returns a C cmd (ID 32)
34S?????x6
35\xA4x1
36X?????6
37V?????6
38M?????????10
39H???????????????????????24
40kindrecordget mp3 recordings?
41recordingSets Screen to “PC Record”
42Z??????[ACK]8
43h[ACK]2
44kaprsUVII only

If you are interested in investigating into the protocol yourself, look at offset 0807BF5A in the 2.04 firmware of the 878UVII.

2 thoughts on “ANYTONE Factory Settings Mode and Serial Communication (USB)”

  1. Tomas says:
    19. August 2022 at 15:22

    Hi Alexander,

    thanks for your great work providing those useful pieces of information. I would like to ask you if you have/stored your factory mode ‘values’ for your device anytone 878 . I am wondering about different values on the same device. I have two anytones 878 the same revision and HW and same firmware. But when I took a look at the factory mode there are different values. Therefore I will be really glad if you can provide me your factory mode values to compare them with mine. I can also provide you mine values to compare with yours. Thanks for the reply. Thomas

    Reply
    1. Avatar photo Alex says:
      1. September 2022 at 9:47

      The values you are seeing in factory mode are partially calibration data. If you change it it’s possible the device will work worse, I strictly recommend not changing these unless you are sure what you are doing and why. May I ask which values are interesting to you?

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

(c) 2021-2024 - Alexander Pick - DO1ALX/K2API
Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
View preferences
{title} {title} {title}