zondag 12 november 2017

3D printed Racal Cougar Battery

I have been thinking of 3D printing accu's for the Racal Cougar for a while and this weekend i fired up OpenSCAD and had a go at it.

Like most of the older surplus radio devices there is a shortage of batteries for the Racal Cougar also. You can find them but most of them are dead and need their cells to be replaced. Replacing the cells is a matter of carefully opening the casing using a hobby knife or saw, removing the old cells and replacing them with newer cells.

The problem with this is there is little room in the casing and you need to solder the cells together which is tricky. I did this a couple of times and in some cases i even overheated the cells damaging them.

3D printed accu

Inspired by the MA-4516B from Racal i wanted to have something which i could take apart easily and use regular cells in without have to solder them.

Center, top and bottom parts

I designed the accu so it has 3 sections: a top section containing the locking mechanism and the power connections, a center section containing the cells and a bottom part.

Center part of the accu housing the cells.
Using the dremel i created two pieces of pcb and soldered battery springs coming from a couple of cheap battery clips. These boards connect the batteries together so the accu is made up of 8 serial connected cells.

When the bottom and top parts are connected to the center part using M3 bolts these boards will be sandwiched between it and stay in position.

The center contact is made up of a M3 Hex bolt cut to length and both metal lips on each side are coming from a dead donor accu.

What is next ?

The design is a tight fit, a bit to tight causing some tension on the bottom part. I need to redesign the parts so all parts fit without applying some tension. Also the metal lips currently come from a donor accu and i would like to create the from metal strips also so we have a 100% DIY accu.

woensdag 4 oktober 2017

Racal Cougar Standalone Programmer - Part 3

It has been a couple of months since my last post so its time for a quick update.

Last couple of months i have been busy working on the Racal Cougar Programmer and made two changes. I have made some hardware changes (more on that in a following post) and added support for crypto keys to it.

Have a look at the video above where i demonstrate how to program the keys using the programmer.

donderdag 8 juni 2017

Filling the Racal Cougar Crypto Keys using an Arduino Part II

This post will be about the protocol used by the Racal Cougar to fill the keys into the Crypto Board.
Before reading this post i recommend to read my previous posts about the mechanism used to program the Cougar: Program the Racal Cougar - Part 2 & Part 5

MA4083(G) Fill gun

Reverse engineering (again)

Like i did when figuring out the protocol used by the E.C.U and programmer to control the Cougar and fill the channel information, the first thing i did was hook up a fill-gun filled with known keys to the Racal Cougar and using the tap-cable making the data visible on an oscilloscope  (actually i used 2 fill-guns but more on that later) .

Tap cable
The difference compared with analyzing the date before was i now had a technical manual for the MA4073 programmer which provided me with useful information and hints.

Two different PWM data streams:

The datastreams used to fill the Racal Cougar can be divided in two types of data:
  1. Racal Cougar control data
  2. Key fill data

PWM timing

Control data:

The control data stream is described in the previous posts mentioned above, it uses PWM data modulated with a frequency of ~4 Khz. where one period takes 250 μS.

A logical '0' is send by pulling the F pin low for ~64 μS and high for 186 μS and a logical '1' is send by pulling it low for ~186 μS and high for 64 μS.

Control data takes 4 bytes (32 bit) and expect a echo to be returned from the Racal Cougar.

Key fill data:

The key fill data stream uses the same PWM modulation but with some differences compared to the control data. First of all the frequency of the PWM data is lower, it is ~1.42 Khz and second it is one continuous stream of 520 bits.

A key fill PWM modulated bit has a period duration of ~700 μS where a logical '0' is send by pulling the F pin low for ~96 μsec and a logical '1' is made by pulling it low for ~224 μS.

Fill commands and data

When sending key data to the Racal cougar the key fill data is preceded with 3 control commands each expecting an echo response :

  1. FTL command (HEX 7F8B)
  2. DSN command (HEX 7F03)
  3. ZA command (HEX 7F07)

After the ZA command, zeroise keys, is received the Cougar is generating a 1 Khz alarm tone on the audio line indicating the unit doesn't contain any crypto keys (you would get the same alarm when using the zeroise button on your Racal Cougar and select a crypto channel).

Next the 520 bits of key fill data are send which is handled directly by the crypto module. When no error's occurred the keys are stored in the crypto module which in turn disables the key alarm indicating a successful transfer.

Simplified overview of key fill commands

Key fill data

Information about the commands being send can be found in the technical manual of the MA-4073 and it tells you what in the previous paragraph but it doesn't tell you the actual structure of the key fill data. This is where the fun started :-)

Key fill data

Every transfer of key data starts with a fill instruction command, this command shouldn't be confused with the normal command structure, the fill instruction command are 8 bits preceding the actual key data and have the hexadecimal value of 30 (00110000).

Next there are 512 bits of key data, 128 bits for each key. 4 keys in total where the keys are stored in the following order: B, A, D, C.

Although the Racal Cougar can only handle 2 crypto keys, A & B, the crypto module can store 4 of them.

The 128 bits of a key contains the following data:

  • 12 bits of a predefined value, this is value is hard wired in the programmer and can be changed on customer's request. In general these are 12 one (1) bits.
  • 108 bits of actual key data, 36 octal (0...7) digits each using 3 bits.
  • 8 bit CRC using a different CRC-polynomial value for the different crypto boards.

Key data:

After the 12 predefined bits comes the actual key data, for every of the 36 digits 3 bits are added to the key data stream. The three digit bits are representing a binary value of 0 to 7 (octal) in Little Endian order (least  significant bit first).

The bit (LE)  values for the octal key digits:

0 1 2 3 4 5 6 7
000 100 010 110 001 101 011 111

To illustrate this, imagine we have a key made up of 8 digits with a value of '01234567'. The key data part of the stream would be the following 3 bytes:

Byte 1: 00010001
Byte 2: 01100011
Byte 3: 01011111


The last part of the 128 bit key data stream is used by a 8 bit CRC (cyclic redundancy check) value. This CRC value is used by the crypto module to check if all received bits are correct and the data hasn't been corrupted during communication between the programmer/ fill-in and the module.

CRC calculation is done by using a 8 bit CRC-checksum using a specific polynomial value. The crypto modules requiring a 'C' programmer/ fill gun are using a different polynomial value then the modules requiring the 'G' version.

C polynomial value: 1 11000000
G polynomial value: 1 01000010

By changing this polynomial value to match the target crypto module both can be programmed using the same Arduino programmer.

zondag 28 mei 2017

Filling the Racal Cougar Crypto Keys using an Arduino Part I

After being able to fill the Racal Cougar with custom channel frequencies using an Arduino the next step was being able to add new crypto keys using an Arduino also.

After spending a couple of days doing some reverse engineering using both a C and G MA7083 fill gun filled with known keys i was able to write a little Arduino Sketch that recorded the PWM modulation being send over the F-pin of the audio/fill connector.

At first the data stream didn't make any sense but after looking at it using a scope i noticed why the grabbed data looked like garbage and i had to change the grabber sketch to show the correct data.

Reading both tech manuals for both the programmer and a 4515 i got some info on the commands needed to be executed to do a key-fill and these were quickly identified in the datastream. The 'difficult' part was the key-data datastream and CRC checksum used.

In the movie at the top of this post you can see me changing and testing the Crypto Keys of two Racal Cougars.

Next post(s) will be about the commands and key-data datastream used.

maandag 22 mei 2017

Racal Cougar Standalone Programmer - Part 2

After playing with the initial version of the Arduino Racal Cougar standalone Programmer i decided i didn't like the cheap stick-on 4x4 keypad used so i replaced it with a different one. After make a new 3D model of the case and printing it this is the result:

Version 2 of the standalone programmer

Wonder what's inside it ? Besides a 4x20 LCD, Arduino Nano and a 4x4 keypad there is also a 3.7 volt 1200 m.a.h rechargeable battery with a Adafruit charger/ booster inside the case.

Inside the programmer

Programmer in action:

Besides working on the hardware i also completed the Arduino Sketch making the programmer fully functional and able to program the PRM-4515. 

An introduction and programming a cougar using the programmer can be seen in this video:

Used components:

I used the following components in this programmer. Please note that the provided links are displayed for  reference purposes and i am not affiliated to both shops.
Besides the component mentioned above i also used some items you probably have in your spare box:

  • DB9 female connector + mounting screws
  • Small power switch 
  • Power adapter  9 - 12v DC + chasis connector 
  • 2N7000 N-Channel mosfet
  • 10K resistor

dinsdag 16 mei 2017

Racal Cougar Standalone Programmer - Part 1

After completing the first version of the Racal Cougar Programmer i decided to make a standalone version of this programmer.

This post is a little sneak preview of this project i am currently working on.

 Development version of programmer with 4x20 LCD and keypad.
After collecting the required parts like an Arduino, 4x20 LCD, 4x4 keypad and rechargeable battery i started working on the user interface and menu. This was taking longer as expecting mainly because the existing menu libraries didn't fit my needs so i needed to write my own menu code.

At this moment the menu and user interface are complete, all features of the programmer can be controlled using the keypad and all what is left to do at software level is copying the code which is handling the actual programming  from the original programmer and execute it when the program menu option is selected.

The hardware displayed on the picture is a 3D printed case i made with the purpose of keeping all parts together while writing the Arduino code.

Development version inside view.

As you can see on thee picture it is missing some essential parts like a bottom and parts like the rechargeable battery and controller are just tossed in there.

So on the Hardware part there is still a lot to do and this will be next on my to do list.

Programmer in action:

If you are in a hurry and looking for a working solution to program your Racal Cougar PRM4515 check this post were you can find the schematic and a linkt to the Arduino sketch of my console-based programmer using an Arduino.

zaterdag 4 maart 2017

Program the Racal Cougar - Part 7

This week i added support for the PRM 4515 H (132-174) models to the Arduino Racal Cougar Programmer.

PRM 4515 H

I received a package from the UK containing a PRM 4515 H model from a fellow OM for me to use to test the programmer for this particular model. (Thanks Dave !)

After making some changes to the frequency logic in the programmer code, mainly add support for the 100 Mz digit which was hard coded to '0', the programmer was able to program this model also.

Model selection:

When the Cougar is turned on it sends a 52 bit datastream, 7E 0D 7E 0D 60 4C 4, which i thought was some kind of model identification used by peripheral devices. This could be useful for the programmer to automatically select the right model and frequency bounds supported by the model.

The fist thing i did after receiving the H model was slide it in a S.M.T. and hook it up to an Arduino using the tap cable between the S.M.T and E.C.U and turn it on to register this data datastream and the result was a bit disappointing: the same datastream as the L model was send by this model. This means it's not possible to automatically identify the model connected to the programmer so this has to be done manually.

Main menu with model selection option.

To select the model connected to the programmer i added the 'm' (lower case M) menu option which brings up the model selection sub menu:

Model selection sub menu
Model selection is needed to define the lower and upper bounds of the programmable frequencies, use the correct Eeprom stored frequencies and determine if the model supports disabling the transmitted 150 hz pilot tone.

By default the programmer starts up with the L model selected, this can be changed in the Arduino sketch by changing the following line:

uint8_t selectedModel = MODEL_L;

uint8_t selectedModel = MODEL_H;

H model frequencies

The PRM 4515 H model operates from 132 to 174 Mhz in 20 Mhz bands. Which band it operates on is defined by the model number:

ModelBand startBand end
H3TAU132 Mhz151.9875 Mhz
H3TBU134 Mhz153.9875 Mhz
H3TCU136 Mhz155.9875 Mhz
H3TDU138 Mhz157.9875 Mhz
H3TEU140 Mhz159.9875 Mhz
H3TFU142 Mhz161.9875 Mhz
H3TGU144 Mhz163.9875 Mhz
H3THU146 Mhz165.9875 Mhz
H3TIU148 Mhz167.9875 Mhz
H3TJU150 Mz169.9875 Mhz
H3TKU152 Mhz171.9875 Mhz
H3TLU154 Mhz173.9875 Mhz

This band can be changed by changing some resistor jumpers as described on the pmrconversion.info site.

It is important to know the band your H model is operating on before using the Arduino Racal Cougar programmer. Trying to program a frequency outside your model its band will result in a program error.

150 hz pilot tone

The PRM 4515 H model doesn't support disabling of the 150 hz pilot tone using the programmer. This setting will be ignored when programming the H model.

Arduino Sketch

The new version, lets call it v0.0.3 to illustrate this is experimental software, can be downloaded using this link.

Update 15-10-2015: A new version v0.0.4 is available that fixes the default channel data being garbage when a fresh Arduino was used and channel data hasn't been stored before. Download this version using this link

See my previous post on the Arduino hardware used and installation instructions.