Tuesday 28 November 2017

Racal Cougar Standalone Programmer - Part 4

Since I posted about the standalone programmer earlier this year I have been working on the protocol used to fill the crypto keys, a PCB for the programmer and a 3D printed case to house the electronics of the programmer.
Inside the programmer
In this post I will try to give some details, including the schematic and a binary version of the code driving the programmer (the sketch itself will be released later).

Important:


This information is supplied "as is", meaning I'm not responsible for any damage to your precious Cougar. Also, I don't have the time to support you on your build; feel free to send me an email message with questions but don't expect 24/7 support.

Schematic


The design is basically made up of all the components described in a previous post, Racal Cougar Standalone Programmer - Part 2, with some additional parts, combined in a single schematic used to create a custom PCB.

The programmer code should also work on a default Arduino Nano with a 4x4 keypad, an I2C LCD driver and a 20x04 LCD as long as you keep the pins connecting them to the ATMEGA 328 the same as used in the above schematic.

A note on the I2C LCD driver

The I2C LCD driver is based on the NXP PCF8574A I2C 8-bit I/O expander. There are two versions of this IC: the PCF8574 and the PCF8574A which only differ in the usable I2C address range:

PCF8574     0x20 ... 0x27
PCF8574A    0x38 ... 0x3F

(see datasheet)

On the PCB and in the code I used the PCF8574A set to address 0x38.

PCB


I had some PCBs made that could be placed on top of the 20x04 LCD. This PCB contains the following parts:

  • DC-Jack and power regulator to generate 5 volt to drive the battery charger
  • Single cell Li-Po/Li-Ion charger circuit with status LEDs.
  • 5 volt DC-DC converter (without under-voltage protection, so use Li-Po/Li-Ion cells with a protection circuit)
  • ATMega 328 micro controller (as used in Arduino Nano).
  • PCF8574A I2C 8-bit I/O expander set to address 0x38 (see datasheet)
  • Racal interface circuit (level shifter, DB9 connector)
The Gerber files for the PCB can be downloaded using this link.

Battery


I used an 18650 Li-Ion battery to power the programmer. There is no under-voltage or reverse polarity protection, so make sure you use a battery containing a protection circuit; if you accidentally connect it the wrong way around it will for sure damage the DC-DC converter IC.

The Sketch


I'm still working on the sketch and will release the code as soon as I think it is ready to be released. In the meantime I will provide a binary version of the sketch which can be downloaded using this link.

More information about how to upload hex files to the Arduino can be found on the Arduino forum using this link for example.


3D printed case


The housing of the programmer is made up of 3 separate parts that are tied together using M3 hex screws and M3 stand-off nuts:
  • Top part containing all the electronics
  • 18650 battery holder that is placed on top of the keypad using 4 short M3 screws.
  • Bottom part with ventilation slots.
I printed these parts using PLA and PETG with a 0.4 mm nozzle and 0.2 mm layer height, and as long as you set the correct speed/nozzle temperature there is little shrinkage. I haven't tried to print the casing using ABS.

The STL files for the housing can be downloaded using this link.





Sunday 12 November 2017

3D printed Racal Cougar Battery

I have been thinking of 3D printing battery packs for the Racal Cougar for a while and this weekend I fired up OpenSCAD and had a go at it.


Like most of the older surplus radio devices there is a shortage of batteries for the Racal Cougar also. You can find them but most of them are dead and need their cells to be replaced. Replacing the cells is a matter of carefully opening the casing using a hobby knife or saw, removing the old cells and replacing them with newer cells.

The problem with this is there is little room in the casing and you need to solder the cells together, which is tricky. I did this a couple of times and in some cases I even overheated the cells, damaging them.


3D printed battery pack

Inspired by the MA-4516B from Racal I wanted to have something which I could take apart easily and use regular cells in without having to solder them.

Center, top and bottom parts

I designed the battery pack so it has 3 sections: a top section containing the locking mechanism and the power connections, a center section containing the cells and a bottom part.


Center part of the battery pack housing the cells.
Using the Dremel I created two pieces of PCB and soldered battery springs coming from a couple of cheap battery clips. These boards connect the batteries together so the battery pack is made up of 8 serial connected cells.


When the bottom and top parts are connected to the center part using M3 bolts these boards will be sandwiched between it and stay in position.

The center contact is made up of an M3 hex bolt cut to length and both metal lips on each side are coming from a dead donor battery pack.


What is next?

The design is a tight fit, a bit too tight, causing some tension on the bottom part. I need to redesign the parts so all parts fit without applying some tension. Also the metal lips currently come from a donor battery pack and I would like to create them from metal strips also, so we have a 100% DIY battery pack.







Wednesday 4 October 2017

Racal Cougar Standalone Programmer - Part 3

It has been a couple of months since my last post so it's time for a quick update.

The last couple of months I have been busy working on the Racal Cougar Programmer and made two changes. I have made some hardware changes (more on that in a following post) and added support for crypto keys to it.


Have a look at the video above where I demonstrate how to program the keys using the programmer.

Thursday 8 June 2017

donderdag 8 juni 2017

Filling the Racal Cougar Crypto Keys using an Arduino Part II

This post will be about the protocol used by the Racal Cougar to fill the keys into the Crypto Board.
Before reading this post I recommend reading my previous posts about the mechanism used to program the Cougar: Program the Racal Cougar - Part 2 & Part 5

MA4083(G) Fill gun


Reverse engineering (again)


Like I did when figuring out the protocol used by the E.C.U and programmer to control the Cougar and fill the channel information, the first thing I did was hook up a fill-gun filled with known keys to the Racal Cougar and, using the tap-cable, make the data visible on an oscilloscope (actually I used 2 fill-guns but more on that later).

Tap cable
The difference compared with analyzing the data before was that I now had a technical manual for the MA4073 programmer which provided me with useful information and hints.

Two different PWM data streams:


The data streams used to fill the Racal Cougar can be divided into two types of data:
  1. Racal Cougar control data
  2. Key fill data

PWM timing


Control data:

The control data stream is described in the previous posts mentioned above. It uses PWM data modulated with a frequency of ~4 kHz, where one period takes 250 μs.

A logical '0' is sent by pulling the F pin low for ~64 μs and high for 186 μs, and a logical '1' is sent by pulling it low for ~186 μs and high for 64 μs.

Control data takes 4 bytes (32 bits) and expects an echo to be returned from the Racal Cougar.

Key fill data:

The key fill data stream uses the same PWM modulation but with some differences compared to the control data. First of all the frequency of the PWM data is lower, it is ~1.42 kHz, and second it is one continuous stream of 520 bits.

A key fill PWM modulated bit has a period duration of ~700 μs, where a logical '0' is sent by pulling the F pin low for ~96 μs and a logical '1' is made by pulling it low for ~224 μs.
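
The two timings above can be told apart in a capture by the cell period and then decoded by the low time. This is an added C++ example, not the author's code; the names, the 15% tolerance and the sample capture are assumptions made here.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// One captured PWM cell on the F pin: low time and full period, in microseconds.
struct Pulse { uint32_t lowUs; uint32_t periodUs; };
enum class Stream { Control, KeyFill, Unknown };

// Nominal timings from the post.
struct Timing { uint32_t periodUs, low0Us, low1Us; };
static const Timing kControl{250, 64, 186};   // ~4 kHz control data
static const Timing kKeyFill{700, 96, 224};   // ~1.42 kHz key fill data

// True when v lies within +/- pct percent of nominal (pct is an assumed margin).
static bool within(uint32_t v, uint32_t nominal, uint32_t pct) {
    uint32_t margin = nominal * pct / 100;
    return v + margin >= nominal && v <= nominal + margin;
}

// Tell the two stream types apart by the cell period.
Stream classify(const Pulse& p, uint32_t pct = 15) {
    if (within(p.periodUs, kControl.periodUs, pct)) return Stream::Control;
    if (within(p.periodUs, kKeyFill.periodUs, pct)) return Stream::KeyFill;
    return Stream::Unknown;
}

// Decode a capture expected to hold one stream type into '0'/'1' characters.
// A cell with the wrong period or an ambiguous low time becomes '?', so a
// corrupted or mixed capture stays visible instead of yielding wrong bits.
std::string decode(const std::vector<Pulse>& cells, Stream expected,
                   uint32_t pct = 15) {
    if (expected == Stream::Unknown) return std::string(cells.size(), '?');
    const Timing& t = (expected == Stream::Control) ? kControl : kKeyFill;
    std::string bits;
    for (const Pulse& p : cells) {
        if (classify(p, pct) != expected)        bits += '?';
        else if (within(p.lowUs, t.low0Us, pct)) bits += '0';
        else if (within(p.lowUs, t.low1Us, pct)) bits += '1';
        else                                     bits += '?';
    }
    return bits;
}

// Constructed sample capture (not measured data): control cells 0,1,1,0 with
// jitter, then one key fill cell that must not decode as control data.
static const std::vector<Pulse> kSample{
    {62, 249}, {188, 251}, {186, 250}, {66, 250}, {96, 700}};
```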


Fill commands and data


When sending key data to the Racal Cougar the key fill data is preceded by 3 control commands, each expecting an echo response:

  1. FTL command (HEX 7F8B)
  2. DSN command (HEX 7F03)
  3. ZA command (HEX 7F07)

After the ZA command (zeroise keys) is received, the Cougar generates a 1 kHz alarm tone on the audio line indicating the unit doesn't contain any crypto keys (you would get the same alarm when using the zeroise button on your Racal Cougar and selecting a crypto channel).

Next the 520 bits of key fill data are sent, which are handled directly by the crypto module. When no errors occurred the keys are stored in the crypto module, which in turn disables the key alarm, indicating a successful transfer.

Simplified overview of key fill commands

Key fill data


Information about the commands being sent can be found in the technical manual of the MA-4073 and it tells you what is in the previous paragraph, but it doesn't tell you the actual structure of the key fill data. This is where the fun started :-)


Key fill data



Every transfer of key data starts with a fill instruction command. This command shouldn't be confused with the normal command structure: the fill instruction command is 8 bits preceding the actual key data and has the hexadecimal value of 30 (00110000).

Next there are 512 bits of key data, 128 bits for each key. 4 keys in total where the keys are stored in the following order: B, A, D, C.

Although the Racal Cougar can only handle 2 crypto keys, A & B, the crypto module can store 4 of them.

The 128 bits of a key contain the following data:

  • 12 bits of a predefined value; this value is hard wired in the programmer and can be changed on customer's request. In general these are 12 one (1) bits.
  • 108 bits of actual key data, 36 octal (0...7) digits each using 3 bits.
  • 8 bit CRC using a different CRC-polynomial value for the different crypto boards.

Key data:


After the 12 predefined bits comes the actual key data: for each of the 36 digits 3 bits are added to the key data stream. The three digit bits represent a binary value of 0 to 7 (octal) in Little Endian order (least significant bit first).

The bit (LE) values for the octal key digits:

Digit:  0    1    2    3    4    5    6    7
Bits:   000  100  010  110  001  101  011  111


To illustrate this, imagine we have a key made up of 8 digits with a value of '01234567'. The key data part of the stream would be the following 3 bytes:


Byte 1: 00010001
Byte 2: 01100011
Byte 3: 01011111


CRC


The last part of the 128 bit key data stream is used by an 8 bit CRC (cyclic redundancy check) value. This CRC value is used by the crypto module to check if all received bits are correct and the data hasn't been corrupted during communication between the programmer/fill-gun and the module.

CRC calculation is done by using an 8 bit CRC checksum with a specific polynomial value. The crypto modules requiring a 'C' programmer/fill gun are using a different polynomial value than the modules requiring the 'G' version.

C polynomial value: 1 11000000
G polynomial value: 1 01000010


By changing this polynomial value to match the target crypto module both can be programmed using the same Arduino programmer.
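
The frame layout described in this post, as an added C++ example (not the author's sketch, which has not been released): it packs octal key digits into the key field and assembles the 520-bit stream. The function names are hypothetical, the fill instruction is emitted in the bit order the post writes it, and the CRC bits are taken as input rather than computed.

```cpp
#include <initializer_list>
#include <stdexcept>
#include <string>

// Bit strings are '0'/'1' characters in the order the post lists them.

// Octal digits -> 3 bits per digit, least significant bit first.
std::string encodeDigits(const std::string& octal) {
    std::string bits;
    for (char c : octal) {
        if (c < '0' || c > '7') throw std::invalid_argument("digit outside 0..7");
        int v = c - '0';
        for (int i = 0; i < 3; ++i) bits += ((v >> i) & 1) ? '1' : '0';
    }
    return bits;
}

struct Key { std::string octal; std::string crcBits; };

// One 128-bit key block: 12 predefined bits + 108 key bits + 8 CRC bits.
// crcBits is supplied by the caller: the post gives the polynomials but not
// the other CRC parameters, so this example does not compute the checksum.
std::string keyBlock(const Key& k, const std::string& preset = std::string(12, '1')) {
    if (k.octal.size() != 36) throw std::invalid_argument("key needs 36 octal digits");
    if (preset.size() != 12 || k.crcBits.size() != 8)
        throw std::invalid_argument("preset must be 12 bits and CRC 8 bits");
    return preset + encodeDigits(k.octal) + k.crcBits;
}

// 520-bit fill stream: fill instruction 0x30 (00110000), then keys B, A, D, C.
std::string fillStream(const Key& a, const Key& b, const Key& c, const Key& d) {
    std::string s = "00110000";
    for (const Key* k : {&b, &a, &d, &c}) s += keyBlock(*k);
    return s;
}
```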


Sunday 28 May 2017

Filling the Racal Cougar Crypto Keys using an Arduino Part I


After being able to fill the Racal Cougar with custom channel frequencies using an Arduino the next step was being able to add new crypto keys using an Arduino also.


After spending a couple of days doing some reverse engineering using both a C and G MA7083 fill gun filled with known keys I was able to write a little Arduino sketch that recorded the PWM modulation being sent over the F-pin of the audio/fill connector.

At first the data stream didn't make any sense, but after looking at it using a scope I noticed why the grabbed data looked like garbage and I had to change the grabber sketch to show the correct data.

Reading both tech manuals for both the programmer and a 4515 I got some info on the commands needed to be executed to do a key-fill and these were quickly identified in the data stream. The 'difficult' part was the key-data data stream and CRC checksum used.

In the movie at the top of this post you can see me changing and testing the Crypto Keys of two Racal Cougars.

Next post(s) will be about the commands and key-data data stream used.






Monday 22 May 2017

Racal Cougar Standalone Programmer - Part 2

After playing with the initial version of the Arduino Racal Cougar standalone programmer I decided I didn't like the cheap stick-on 4x4 keypad used, so I replaced it with a different one. After making a new 3D model of the case and printing it, this is the result:

Version 2 of the standalone programmer

Wonder what's inside it? Besides a 4x20 LCD, Arduino Nano and a 4x4 keypad there is also a 3.7 volt 1200 mAh rechargeable battery with an Adafruit charger/booster inside the case.

Inside the programmer



Programmer in action:


Besides working on the hardware I also completed the Arduino sketch, making the programmer fully functional and able to program the PRM-4515.

An introduction and programming a cougar using the programmer can be seen in this video:


Used components:


I used the following components in this programmer. Please note that the provided links are displayed for reference purposes and I am not affiliated with either shop.
Besides the components mentioned above I also used some items you probably have in your spare box:

  • DB9 female connector + mounting screws
  • Small power switch
  • Power adapter 9 - 12 V DC + chassis connector
  • 2N7000 N-Channel mosfet
  • 10K resistor


Tuesday 16 May 2017

Racal Cougar Standalone Programmer - Part 1

After completing the first version of the Racal Cougar Programmer I decided to make a standalone version of this programmer.

This post is a little sneak preview of this project I am currently working on.

 Development version of programmer with 4x20 LCD and keypad.
After collecting the required parts like an Arduino, 4x20 LCD, 4x4 keypad and rechargeable battery I started working on the user interface and menu. This took longer than expected, mainly because the existing menu libraries didn't fit my needs so I needed to write my own menu code.

At this moment the menu and user interface are complete, all features of the programmer can be controlled using the keypad and all that is left to do at software level is copying the code which handles the actual programming from the original programmer and executing it when the program menu option is selected.

The hardware displayed in the picture is a 3D printed case I made with the purpose of keeping all parts together while writing the Arduino code.

Development version inside view.

As you can see in the picture it is missing some essential parts like a bottom, and parts like the rechargeable battery and controller are just tossed in there.

So on the hardware part there is still a lot to do and this will be next on my to-do list.

Programmer in action:




If you are in a hurry and looking for a working solution to program your Racal Cougar PRM4515, check this post where you can find the schematic and a link to the Arduino sketch of my console-based programmer using an Arduino.