From W9CR
Jump to: navigation, search


This was originally put together when I got into the HT1250 200 MHz radios. They modified ok, but the way of doing it as suggested left much to be desired, and the DTMF pad didn't work and the radios were narrow band only.

Over time, I've gotten more into these with the CDM1250/1550 and other waris series radios. I've not seen any of the European ones, but I've been working with the US versions for FM service in ham radio.

What I've found is the radios features are determined by the "codeplug" settings. This is simply a packed (hex) data written into the eeprom chip of the radio containing tuning, feature and programing data. This is the same area the programing data from CPS is written in, but CPS is unable to change it. The majority of modification of these radios to amateur service is done with modifications to the codeplug. The codeplug layout appears to be the same for most US versions of the radios, but there are some which are different.

Types of Radios


HT750 - No Display, 4 or 16 channels

HT1250 - One line display, multiple channels up to 128

HT1250ls - limited version of the HT1250, normally missing MDC on conventional

HT1550xls - 4 line display radio, 160 channels, VHF/UHF only

EX500 - No display, smaller submersible radio, 16 channels

EX560xls - one line, smaller submersible radio,

EX600 - one line

EX600xls - one line, 160 channels

CP200 - no display, 4/16 channels

CP200xls -

PR400 - VHF 1/VHF 2, UHF 1/UHF 2/UHF 3 - comes in 16, 32 or, 64 channels

These have EMEA (Latin America/export) versions known as GP

GP340 - HT750

GP344 - EX500

GP360 - HT1250

GP366 - EX560xls

GP380 - HT1250

GP580 - HT1250 ls?

GP680 - MPT 1250

GP1280 - MPT 1550

Programming and Flash Cables

The CDM and HT series are programmed using windows based CPS. A rs-232 level converter is needed to talk to the radio, and in the OEM Motorola soultion consists of a Programming Test cable (AARKN4083/AARKN4074), a RIB (level converter) and a test box (RLN4460A/B).

<#gallery of shti>

The HT series program and flash via the 13 pin accessory port. The CDM mobiles program and flash via the back 20 pin accessory port or via the front RJ-50 (10 pin) connector. The font connector presents some issues when programming and flashing a unit with a remote head, and the rear connector should be used for that.

Notes on the RIB based Cables

You should not use a RIB to Flash the radio at anything other than 9600 bps. Even then I've run into issues with this setup. Programing works well though.

A very strange issue popped up using the built in serial port on the Dell Latitude D830 with docking station. When using the docking station serial port the radio will "lock-up" and require the cable to be disconnected to be programed.

I've found the Prolific and FTDI serial adapters to work fine with the RIB for flashing/cptool. However the Prolific adapters have an issue in CPS unless they run the right version of the driver,

File:Prolific USB-to-Serial Comm Port 2303 VER del 17-04-2006 OK.zip

Notes on RIB-less Cables

RIB-less cables are the preferred way to work with the radio. These can be either serial or USB based. In the USB case it's simply a FTDI or Prolific serial port with a level converter.

I've used the following cables for programming

Be sure you use the proper drivers if using the prolific cable.

Flashing and Flash adapters

If you want to flash the radio you need to put it in bootstrap mode. This is done using a flash adapter that puts the CPU (68HC11) into a special mode. The flash program loads a boot loader/flash application via the serial port and then writes the new image to flash chip.

The US Waris unofficial upgrade kit is something that was built by possibly a internal Motorola programmer, or a hack based off the official upgrade kit. Using this tool you can load any of the images on any radio, but you must ensure the image selected is the same size as the flash chip. Note this tool requires all images and default codeplugs as srecord format.

The official upgrade kit includes default codeplugs, firmware images and boot images. These are in an encrypted format, and it appears the unofficial kit has decoded these as the included codeplugs/firmware.

Flash adapter for CDM1250 radio

220 HT1250ls and CDM 1550ls

This is the same as any other to modify to the amateur service from a software perspective. The issue is these radios are narrow band only on the receive path, as the 200 MHz band was never used for 25 KHz channels. Transmit will support wide band (and must be aligned for wide band first!) The IF filters simply need to be swapped with their wide band parts and wide band receive alignment performed.

Hardware Mod

Their are 3 filters in the radio, 1 at 44.85 MHz 1st IF and 2 at 455khz, 2nd IF.

In a VHF/UHF Waris there is a 15KHz filter at the 1st IF followed by a 15KHz filter at the second IF and then followed by another filter. It's this last filter that is switched between narrow and wide in the VHF/UHF radios. TX deviation is a setting in programming/alignment.

In the 220 version, there 1st IF Filter is the same, but it has a 12KHz and then a 9 KHz filter at the second IF.

I've changed out the second filters and found it works much better on the ham bands. You need to adjust the squelch for 20/25khz channels after doing this. The tuner software (2.00.02) will do this for the HT1250 only, it will not work with the mobiles. Use winabler to access the greyed out menus in tuner 2.16.

HT1250 Filters:

Function                         Part      Manu P/N      Moto P/N     Desc
220 front end     44.85MHz       FL3201    MXF45         9180022M10   4-pole +-7.5khz bandwidth
IF2 First filter  455KHz         FL3204    CFUCJ455F     9180468V04   4-pole 12khz                
IF2 filter narrow band filter    FL3206    CFWC455G      9180469V03   6-pole 9khz

The UHF handhelds use the same arrangement, but with a wider middle filter (1st @455). In wide band they switch only the 2nd 2nd IF filter to a narrow band filter.

uhf front end     44.85MHz       FL301    MXF45          9180022M11  
IF2 First filter  455KHz         FL302    CFUCJ455E      9180468V05   4-pole  *                
IF2 filter wide band filter      FL303    CFWC455E       9180469V05   6-pole  *
IF2 filter narrow band filter    FL304    CFWC455G       9180469V03   6-pole

You'll need to order the parts with the * from motorola parts for the 220 radios. The mobile and HT use the same filters.

In the HT the 1st IF is under the shield, and very hard to remove. I've not messed with it, as it appears to be the same part in the UHF, and doesn't look like it's limiting.

Based on the following codes for muratta filters

Muratta filters 
E is +- 7.5 (15)
F is +-6 (12)
G is +- 4.5 (9)

The 220 Filters are 12 and 9 Khz wide at the 2nd IF. Switching them to the E filters of the UHF HT1250 is rather easy, as they are just on the underside of the board, not under a shield. An under board heater with a hot air station makes this rather easy.

Ive found an under-board board pre-heater is mandatory to work with this and 630f at 7 l/m of airflow will prevent hurting the board/parts/

I've found the sensitivity to be a bit better and no squelch clipping on 3.2kc tone at 7khz of deviation (Most ham rigs on 220 have WIDE deviation!).

Software mod

This is easiest with CP tool and a hex editor.

First upgrade the Firmware using the firmware update. This will load the default codeplug back in the radio.

Read the radio using the CP tool and save the binary codeplug. I typically will read this from 0x0000 to 0x1000 which will capture the entire default codeplug (Tuning, Features, and Programing). Save this file and set is aside for safe keeping. If anything goes wrong, you can blow it back into the radio and restore it to defaults with out needing to retune.

If you want to use the pre-made binary codeplugs, if one exists, rather than edit your own you can go right to Writing the Modified Codeplug below.

Editing the Codeplug

Now open up a copy of this code plug and edit it based on the Codeplug Map for the feature blocks. This is from 0x280 to 0x2ff.

You'll need to change the following parts:

  1. Serial number, ASCII spaces are blank (optional)
  2. Channel step needs to be 0x01
  3. Upper Frequency: 0x5F50 for 225 MHz
  4. Signaling: 0xFF is everything enabled (MDC, QCII, DTMF) for trunking and conventional
  5. Conventional Personalities: 0xFF for 255 channels

Once this is done, be sure the checksum 8 on both FDB blocks are 5A. You will need to adjust the checksum bytes for this.

Writing the Modified Codeplug

Open this file with the CP tool and put 0x280 to 0x2ff into the radio, no need to write the entire file. This makes it easy to do many units at once, just blow the Feature Block in, while leaving the tuning and programing alone.

Codeplug tool with a fdb ready to be written to a HT1250

Tune the radio

You'll need to now tune the 20 and 25 KHz squelch settings in the tuner software. The issue here is the tuner software will not let you select the 20 and 25 KHz from the drop down menu. Using Winabler this can capture the tuner menu and enable these.

I use the auto squelch setup and found a good value is -127.5 dBm for hams. My radio is -124 dBm for 12db SINAD so this is about 6 dB SINAD at -128, very noisy but understandable. Auto tune makes this really easy. You can always program a button to set the squelch to tight in CPS.

I've found I needed to play with the RSSI settings too, as the S meter was setup for commercial strong signal service. I've only seen this with certian 220 radios.

It's also a good idea to check the frequency/modulation/power out alignments too. The CDM1550's from the New Jersey Turnpike all were aligned wrong for the power output, and we 20W out when set for 30W. Align it in tuner properly, and then use CPS to lower the power if you want.

If you've set the serial number to blank, it's a good time to set it to what you want in tuner before you disconnect.

Once you're done with all this, you should have a great radio that covers 216-225 MHz, wide band FM, MDC/QCII/DTMF, 30W power out, and damn sensitive squelch.

UHF 450-527 Ham Band Mod

The basic issue with modifying these radios to cover down to 440 by only adjusting the High & [[#Low Frequency|Low] Frequency settings in the feature region of the codeplug is the tuning for deviation/squelch/signaling/etc. is setup on 7 frequencies. When the radio tunes between two of these frequencies the value is interpolated based on the curve of the tuning values. For example deviation response will vary from 450 to 520 MHz, the same voltage at 450 will be an unacceptable amount of deviation at 520.

As the frequency "piers" only go down to 450 MHz, the radio has nothing to interpolate with if it's programed 440.450 MHz. This causes this interpolate calibration code to fail and deviation and other calibrations are all over the place. Luckily this is a rather easy fix.

Video of how to do the hex editing of the code plug from a HT1250ls 450-527.

There is a new way to do this using chirp and the plugin below:


video explaining the new way using chirp

Code Plug Map

This is based on the Srecord file loaded as binary

0x000 - 0x27f group, 5A checksum. 0x27f is the checksum byte
This group contains the tuning information for the radios.  
The frequencies it's aligned on are in the same format as the band limits.  
There are 3 groups of frequencies in here, not sure what they all do, but can confirm 
changing them all moved the tuning frequencies on a 6 meter CDM.
0x282 - 0x2D7 - group, needs to be 5A checksum, adjust 0x2D7 to make it.
0x285-0x28E - Serial number
0x291-0x2A0 - Model number, Blank should be spaces 0x20

0x2AC      Channel steps 
*0x01   - 12.5, 20 and 25 KHz
*0x05   - 12.5 only
0x2AF       Lower Frequency Limit 
0x2B1       Upper frequency limit 
Desired limit - Base freq (200mhz models the base freq is 103mhz) times 1000 then 
divided by 5. this gives you the new value in dec, you have to change it to hex 
216 MHz is 5848
225 MHZ is 5F50
58485F50 across both bytes

Below is only valid for the 3.08 codeplug tool codeplugs
0x2D8 to 0x2E9 - group, needs to be 5A checksum, adjust 0x2E9 to make it.

0x2E2 - Number of personalities is at in hex.    
*128 - 0x80
*160 - 0xA0
*255 - 0xFF
Below is only valid for the 2.08 codeplug tool codeplugs
0x2D8 to 0x2E4 - group, needs to be 5A checksum, adjust 0x2E4 to make it.

0x2E2 - Number of personalities is at in hex.    
*128 - 0x80
*160 - 0xA0
*255 - 0xFF

The 8 bit checksum must be 0x5A for this bit of code. Byte 0x2E9 is the checksum fix bit. Find the difference after editing between the checksum and 0x5A, then add or subtract this from the value in offset 0x2E9.

Codeplug Map

Waris Codeplug Map
Byte Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
0x000000 Tuning len Tuning Data
0x000010 Tuning Data Cont.
0x000270 Tuning Data Cont. Checksum
0x000280 Feature len FDB 1 Header Serial Number Null
0x000290 Null Model Number
0x0002A0 Mod Cont. Null CP version CP Source CP Date Chan Step Base Freq Low Frequency
0x0002b0 Low Freq Cont. High Frequency CP Part Number
0x0002c0 CP P/N Cont. Unknown Null Pad TANAPA Unknown
0x0002d0 Unknown Region Checksum FDB 2 Header Trunk Pers Signaling Unknown
0x0002e0 Unknown Conv Pers Unknown Checksum 9
0x0002f0 Unused FDB Checksum

Tuning length

These two bytes are the length of the tuning block. Typically 0x0280

Tuning Checksum

This is a byte which is modified to make the Checksum(8) of the tuning block 0x5A

Feature Length

These two bytes are the length of the feature block. Typically 0x0080

Block Header

This is the block header for the FDB. This is a recurring format for storing data throughout the codeplug

In this case it's typically 0x805201

This is a magic number of 0x80 a length of 52 and a repeat of the length of 01.

In this case it would start at 0x285 and go to 0x2D7 (the checksum correction byte). Note the 3 bytes of the Block Header are not counted, but are included in the checksum calculation.

Serial Number

These are 10 bytes of the serial number. You can make it whatever you want of keep it blank with spaces (0x20) to allow you to set it in tuner.

Model Number

These 16 bytes are the model number. This must match exactly if you want to use the CPS to program the same CP into multiple radios (along with the other FDB blocks).

Codeplug Version

The version of the Code plug 2 bytes, Major.Minor in BCD format

Programing Source

1 Byte that shows the source of original programing

  • 0x0 - Factory
  • 0x1 - Depot
  • 0x2 - CPS

Programing Date

6 bytes showing the original programing date BCD format

Example = 0x1984 06 25 2344

  • 2 bytes year - 1984
  • 1 byte month - 06
  • 1 byte day - 25
  • 1 byte hours - 23
  • 1 byte minutes - 44

Channel Step

1 byte giving the channel step

  • 0x0 - UNKNOWN - only used on VHF Low Band
  • 0x1 - 12.5/20/25 KHz - Used on VHF only
  • 0x2 - UNKNOWN - used on UHF R1, R2 only
  • 0x3 - UNKNOWN - used on 800 MHz Only
  • 0x5 - 12.5 KHz only - used on 200 MHz only
  • 0x6 - UNKNOWN - Used on 700 MHz Only

Base Frequency

2 Bytes

Base frequency in hex expressed as the following formula:

Value * 25000 = Base Frequency in MHz

  • 0x320 - 800d - 20 MHz - VHF Low Band
  • 0x1080 - 4120d - 103 MHZ - VHF and 200 MHz
  • 0x32C8 - 13000d - 325 MHz - 330 MHz
  • 0x3A98 - 15000d - 375 MHz - UHF R1/R2
  • 0x6D88 - 28040d - 701 MHz - 700 MHz
  • 0x7D28 - 32040d - 801 MHz - 800 MHz

Low Frequency

2 bytes - Low Frequency of tuning

Value = (Low Frequency in MHz - Base Frequency in MHz) * 1000 / 5

Example Low at 200 MHz - 0x5848 = 22,600d

22,600/200 = 116 MHz + 103 base = 216 MHz

High Frequency

2 bytes - High Frequency of tuning

Calculated same as Low Frequency

Code Plug Part Number

16 Bytes of the code plug part number No idea what it's used for


16 bytes The TANAPA is a configuration code of the hardware in the radio. Model numbers can vary but the TANAPA can be close or the same. Not sure what TANAPA stands for.


1 byte This is the Region code.

  • 0xFF is the default used in the unofficial codeplugs.
  • 0x00 Super TANAPA ?
  • 0x01 - US


Not sure what this does, but I encountered a UHF R1 HT model H25RDH9DP5, that was 0xCC78 and it would not load the codeplug from a H25RDH9DP9 HT with everything in the FDB being the same other than the source CP was 0xCE79.

I tried changing each byte independently and CPS still would not allow the CP to be written to the HT. Only with both flipped to the proper 0xCE79 of the source radio would CPS write the unit.

Any more information would be helpful

Software & Docs


HT1250LS+ 220 700MHz Service Manual

File:CDM1550 200-700 Mhz detailed service manual.pdf - CDM1550 200-700 Mhz detailed service manual


File:Professional CPS R.06.12.09 AA.zip - Latest CPS Release as of 12/14/2016

File:Global Tuner R 02.18.00.zip - Latest Tuner Release as of 12/14/2016

File:HVN9025 v6.12.05.zip Waris CPS 6.12.05

File:R02.02.00 Waris Tuner.zip Waris Tuner 2.02

Firmware Upgrades

File:Upgradekit Conv Mobile R05.10.04.zip - Latest Firmware for Mobiles as of 12/14/2016

File:UpgradeKit Portable R05.18.01 Non Four Lines Display Radios.zip - Latest Firmware for Portables as of 12/14/2016

Binary Codeplugs

These codeplugs are binary and have been edited for no serial number, 255 channels, 25-20-12.5 KHz deviation and signaling. Note when writing them using the CP tool you need to write 0x280-0x2ff. If you write the entire codeplug, you'll fuck up your radio. If you fuck it up, rewite your backup (you do have a backup, right?).

File:220 CDM 1550 mobile binary codeplug modified for channels AAM25MNF4DP5A - No Serial.mot

File:AAH25MDH4DP6A- Blank Default 220 HT.mot

Unofficial software

File:Waris Codeplugtool.zip allows writing and reading raw codeplug from a radio.

File:Unofficial Global Tuner R02.16.05.zip Hacked global tuner for editing the serial number

File:Warisdepot R01.04.00.zip Depot tool to edit serial number and tempeture compensation values.

File:Us waris lab upgradekit r03.08.00.zip Waris Codplug Tool 3.08

File:Waris.py Chirp Waris plugin for editing the tuning piers and feature blocks


Winabler utility for windows to enable greyed out menus in tuner

File:Prolific USB-to-Serial Comm Port 2303 VER del 17-04-2006 OK.zip

Outdated stuff

Don't use any of the following srecord format anymore, as CP tool is easier. Only use these with the Unofficial Lab upgrade kit if you plan to. I don't update anything like this anymore.

File:HT1250LS 217-222 split to 216-225 split.s19 This has problems when going into alignment. DO NOT USE Based on 3.08 upgrade kit (R05.17.01)

HT1250ls 255 Channel, 216-225, 12.5/20/25 step srecord for TANAPA PMUD1760B Blank Serial Number NOTE: DTMF pad doesn't work in this, don't use. Only up here for reference DO NOT USE

HT1250ls 255 Channel, 216-225, 12.5/20/25 step srecord for TANAPA PMUD1761A Blank Serial Number, based on 2.08 Lab Upgrade Kit.