Spectra Lab RSS Hacks

General Information

This page will gather all of the tips/tricks/hacks for using the Spectra LAB RSS. This includes things like changing model and serial numbers, adding features by changing Moflag bits, etc.


Spectra LAB RSS and Moflag Bits

The Spectra Lab RSS (R04.04.04) has a utility called the MOFLAG Programmer, which lets you edit a series of MOFLAG "bits" in the codeplug.

The chart below lists the Moflags and the feature each bit controls.

The bits control what features are available, and what aren't. The problem is the MOFLAG programmer only edits the codeplug. You could program features in, but when you read your newly upgraded radio the features disappeared in the RSS. If you keep reading below you will see why.

Note that not all features are available with all MLM firmware versions. If you think you are going to turn on zone operation in your version 2.0 MLM, keep dreaming. It takes at least version 6 for zones to be supported. Other features (MPL, RSSI, etc.) may have other requirements. Another thing to remember is you cannot read or open a codeplug from a firmware version 6.xx radio with the LAB RSS.

Spectra Hacking History

Just prior to the true MOFLAG breakthrough, properly hacking more features into a radio involved taking a radio that had lots of features and cloning Command Board location range B681 - B693 to the radio you wanted to clone the feature set to. You could also upgrade the firmware (with an EEPROM burner) to the same or newer level than the radio you cloned the feature string from. You would then have a virtual clone of the original good radio's features and get Zones, Securenet or whatever else the original had. At this time it was known that this string controlled the features, but it wasn't cross-referenced to the individual Moflags... yet.

This method works a lot better than the original way people added features to their radios. That way involved just cloning a more featured codeplug into your radio, overwriting the feature string in the codeplug only and usually giving you what you wanted. The problem was that when you read the radio with the RSS, your features would vanish because the RSS got the feature data from the MOFLAG bits on the command board and the new codeplug only changed data in the codeplug. If you read carefully below, you will see why that happens.

The latest and greatest method, which this page is all about, lets you selectively enable/disable the exact features that you want. No more all or nothing!

How the Moflags Work and are Stored in the Spectra

The following locations are the locations reported when you use the Bit Banger function of the Lab RSS. They are the general locations that are going to be important to changing the features of the radio.

NOTE: The addresses for the bytes in the Command board should almost always be the same. The address locations for the MLM may be slightly different, depending on the firmware version and features enabled. However, you will know you have found the correct range in the MLM since it will be the same data as the string in the Command Board.

So, you should check the Command Board range first, and write down the data that is there. Then, go through the MLM range and find where that data is living. It should be somewhere near location 6200 so scroll through the area until you find it.

Command Board Range : B681 - B690 / B691 + B692 = Checksum
MLM Range : 6183 - 6192 / 6193 + 6194 = Checksum (*the MLM values are relative*)

How MLM and Command Board Features are Checked on POST

The radio on POST checks the Command Board range B681 - B690, with some proprietary checksum algorithm and compares the result with B691 + B692.

If the checksum doesn't match, the radio grabs the entire range from 6183 - 6194 on the MLM, and throws it in the Command Board (assumes the Command Board is corrupted, so it reloads).

With the original feature string cloning method, if you were hacking a radio and messed up on one character in the Command Board (in this range), then when you power cycled the radio it was goodbye changes.

How the RSS Knows What Features to Allow Access to

Moflags are nothing more than single bits stored at those locations that tell the radio and RSS what features it gets to have and what ones it doesn't.

Some people in the past were forcing zone enabled codeplugs in their radios which would allow zones to work but when you read the radio zones wouldn't appear in the RSS.

This is because the RSS reads the Moflag data off the Command Board. Since the Command Board isn't written to when you load a codeplug, you don't truly get Zones and other features correctly enabled.

How to Make Your Own Feature String

You can now make your own string of data using the Moflags as a reference, and turn on whatever you want.

First create a string of data with the features you want. You can use the string below which came out of a very full featured conventional radio as a reference point to create your own. This string has Zones / Securenet / Dual Control Heads. Use the Moflag table below to enable/disable what you want.

CB Range B681 - B690 / MLM Range 6183 - 6192  
00 76 40 A3 19 FF F1 FF 64 84 90 1F 1F 00 00 00 

The best part of this is, if you hack the MLM Range 6183 - 6192 and Command Board B681 - B690 (Moflags#0 - 15, 16 total) you can put any data you want in (any custom string). When you read the radio and rewrite it will create the checksum and put it at the end of the MLM string (at 6193 + 6194). Then, after it is done programming it will reboot the radio and then that checksum gets copied to the Command Board, because the Command Board checksum fails. So it essentially calculates the checksum for us automatically and fixes the radio!

Important Notes

I believe repertory refers to remembering the last number you used when using the scratchpad for MDC call or Phone DTMF etc.

Compander and Adaptive Splatter are generally found on 900 MHz radios for "Hearclear".

The rest is pretty straightforward but there are some odd-ball SP items in the list that are unknowns.

Also when you are doing things like making trunked radios into conventional and vice versa it is a good idea to force a codeplug similar to what you want before you hack it. Otherwise it will still show a trunked mode in the RSS when you read the radio even though you have hacked it to be conventional only.

You can force codeplugs in from other radios with different bands too. Just change the serial number to match a codeplug you want to use and force it in. Then change the model number, head type, bandsplit and serial number back using LAB bitbanger. See further down the page for more BitBanger info.

Don't forget that if you turn on Securenet or Trunking on a radio that didn't have it enabled before, the deviation will need alignment for those TX modes because the radio was never tuned for operation in those modes.

| Bit | Moflag 0 | Moflag 1 | Moflag 2 | Moflag 3 | Moflag 4 |
|---|---|---|---|---|---|
| Bit 0 | Unused | Out Of Range Display | Call Alert 2 | Unused | DTMF Encoder |
| Bit 1 | Unused | Horn and Lights | Call Alert Unlimited | Unused | Compander |
| Bit 2 | Sys Search Lock | Unused | Call Alert Repertory | Trunk Sys Opsel Scan | Adaptive Splatter |
| Bit 3 | AMSS | Privacy Plus | Conv With Sys Scan | Trunk Mode Slave Scan | Time Out Timer |
| Bit 4 | Dynamic Regrouping | ATG B9 PP (DON'T USE) | Pvt Call Master Enable | Trunk Message | Mode Names |
| Bit 5 | Emergency Call | Phone Unlimited | Private Call Repertory | Conv Message | Trunk Pri Opsel Scan |
| Bit 6 | Emergency Alarm | Phone With Repertory | Call Alert Master Enable | Trunk Status | Trunk Pri Scan |
| Bit 7 | Emergency Trunk | Trunk Phone RX | Private Call Unlimited | Conv Status | ID 64K |

| Bit | Moflag 5 | Moflag 6 | Moflag 7 | Moflag 8 | Moflag 9 |
|---|---|---|---|---|---|
| Bit 0 | OpSel Talkaround | DTMF 8 Digit IDs | Perm Horn And Lights | Unused | Multi Radio System |
| Bit 1 | MDC Emergency | NEVER to be USED | MDC Call Response | Smartnet Features | Auxiliary Receiver |
| Bit 2 | Conv Opsel Scan | Data Radio | MDC Call List | Siren | Variable Power Output |
| Bit 3 | Securenet | Hand Held Control Head | MDC Call Unlimited | Expanded Data | Home For TX Revert |
| Bit 4 | Talkaround | Phone Interconn Decode | Zone Mode | Motorcycle | SP Metro Radio |
| Bit 5 | MDC Signalling | DTMF Sel Call Decode | MDC Call Alert | S9K Control Head | Failsoft By Mode |
| Bit 6 | NonPri Mode Slave Scan | DTMF SelCall Enc Unlimited | MDC Auto Sel Call | Multiple PL | Auto Affiliation |
| Bit 7 | Pri Mode Slave Scan | DTMF SelCall Enc Repty (*Repetory?*) | MDC Enhanced Sel Call | Transmit Inhibit | Last ACC/First Rel Dig |

| Bit | Moflag 10 | Moflag 11 | Moflag 12 | Moflag 13 | Moflag 14 |
|---|---|---|---|---|---|
| Bit 0 | Aux3 | MDC 600 | Re Arm Horn and Lights | Unused | Unused |
| Bit 1 | Algeria SP | New Control Head | MDC1200 RAC | Unused | Unused |
| Bit 2 | PC/CA ID Aliasing | Vehicle Repeater | MDC RAC List | Unused | Unused |
| Bit 3 | PC/CA Variable List | Internal PA | MDC RAC Unlimited | Unused | Unused |
| Bit 4 | Dual Control Head | Speaker A/B | Single Tone | Unused | Unused |
| Bit 5 | RHKPF | Metro Conv | Railroad Radio | SIU | Unused |
| Bit 6 | No Adap Dev or Volume | PL Monitor | Electronic Mode Stops | Data On Trunking | Unused |
| Bit 7 | External Securenet | One Button Call Alert | Parallel Data Interface | New Trunked NYCTA | Unused |

| Bit | Moflag 15 |
|---|---|
| Bit 0 | Unused |
| Bit 1 | Unused |
| Bit 2 | Unused |
| Bit 3 | Unused |
| Bit 4 | Unused |
| Bit 5 | Unused |
| Bit 6 | Unused |
| Bit 7 | Unused |

How Moflag Bytes Break Down Into Bits

If your radio for example reads hex 03 at address B681...

This translates to 00000011 Binary.

This corresponds to Moflag0 : Bit7 Bit6 Bit5 Bit4 Bit3 Bit2 Bit1 Bit0 

Bit0 - Unused - Enabled 
Bit1 - Unused - Enabled 
Bit2 - Sys Search Lock - Not Available 
Bit3 - AMSS - Not Available 
Bit4 - Dynamic Regrouping - Not Available 
Bit5 - Emergency Call - Not Available 
Bit6 - Emergency Alarm - Not Available 
Bit7 - Emergency Trunk - Not Available 

In Lab 4 Moflags can be changed to 3 settings (Not available/Enabled/Disabled).

Enabled/Disabled will still give you a binary 1 and just reflects whether it is turned on in the RSS/Codeplug. Not Available is set with a 0.

The problem with Lab 4 is it will let you edit the Moflags in the codeplug stored on the PC. You then could force the codeplug into the radio with new features. But when you read the radio again those features aren't available.

That is because they do not write over the string in the Command Board (which would be the ideal fix).

This means that you can mess around with a codeplug and change the features that you want, but when you finally figure out what you want to use for a feature string, you need to Bit Bang it into the proper location on the Command Board, before writing the new codeplug to the radio.
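
The byte-to-bit breakdown above, applied to the full 16-byte feature string, as an added example that is not part of the original page: it decodes the page's reference string and reports which Moflag bits differ between a Command Board copy and an MLM copy. The function names, the partial name table (a subset of the chart) and the second, constructed string are assumptions made for illustration.

```python
# Added example (not from the original page). Bit names are a subset of the
# page's Moflag chart; function names and the second sample are assumptions.
NAMES = {
    (0, 2): "Sys Search Lock", (0, 3): "AMSS", (0, 4): "Dynamic Regrouping",
    (0, 5): "Emergency Call", (0, 6): "Emergency Alarm", (0, 7): "Emergency Trunk",
    (5, 3): "Securenet", (7, 4): "Zone Mode",
    (10, 4): "Dual Control Head", (10, 7): "External Securenet",
}

# Reference string printed on the page (Moflag 0..15, checksum bytes excluded).
PAGE_STRING = "00 76 40 A3 19 FF F1 FF 64 84 90 1F 1F 00 00 00"
# Constructed for this example: the same string with Moflag 7 bit 4 cleared.
CONSTRUCTED_MLM = "00 76 40 A3 19 FF F1 EF 64 84 90 1F 1F 00 00 00"


def parse_feature_string(text):
    """Turn 16 space-separated hex bytes into bytes, one byte per Moflag."""
    data = bytes.fromhex(text)
    if len(data) != 16:
        raise ValueError(f"expected 16 Moflag bytes, got {len(data)}")
    return data


def set_bits(data):
    """Return {(moflag, bit)} for every bit that is 1; bit 0 is the LSB."""
    return {(m, b) for m, byte in enumerate(data)
            for b in range(8) if (byte >> b) & 1}


def label(pair):
    """Human-readable name for a (moflag, bit) pair, if it is in NAMES."""
    return f"Moflag {pair[0]} bit {pair[1]}: {NAMES.get(pair, '(see chart)')}"


def diff_copies(command_board, mlm):
    """Bits set only in the Command Board copy, and only in the MLM copy."""
    cb = set_bits(parse_feature_string(command_board))
    ml = set_bits(parse_feature_string(mlm))
    return sorted(cb - ml), sorted(ml - cb)


if __name__ == "__main__":
    for pair in sorted(set_bits(parse_feature_string(PAGE_STRING))):
        print(label(pair))
    only_cb, only_mlm = diff_copies(PAGE_STRING, CONSTRUCTED_MLM)
    print("Only in Command Board copy:", [label(p) for p in only_cb])
    print("Only in MLM copy:", [label(p) for p in only_mlm])
```

A bit reported here as set means "not Not Available"; as the text above notes, Enabled and Disabled both store a binary 1.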


Spectra Tips For use with Lab RSS R05.03.00

Consider the following before trying any of these tips. When using the Lab software "Bit Banger" feature it is very easy to create an absolutely brain dead MLM, so be careful. Also, there is no guarantee that all tips will work with every Spectra. Forget about using this RSS with an Astro Spectra.

Bit Banging the model number

This is necessary if you want to clone a different model number Spectra's features into your radio.

The model number starts at location 0x6048 on the MLM and after location 0xB670 on the command board. After making any changes using the Bit Banger, read the radio and then program the radio before doing anything else. When the clone operation is started you will most likely get a warning message that the radio's features are different; tell it to proceed.

Now you have changed the model number in your radio to match your source, perform the following:

But before you do it, make sure that you're not trying to tell a dash mount 50 watt Spectra A5 that it's suddenly a 110 watt A9; it won't work.

Upgrading control head type

If your Spectra only shows an A5 faceplate in the RSS, you will want to change location 0x6060 on the MLM to 0xED. If you want to force an A9 type head, change this location to 0xCD. Remember to check F4-F2-F9 first to see what heads are allowed before making this modification.

Spectra serial number

If you want to change the serial number in your radio, here is the C source for a program that is supposed to do it. It is supposed to work with Spectra version 5.03. I don't have a radio to try it on, so compile it yourself and try it out. Supposedly you can use DJCC compiler to compile it.

The other way to change the serial numbers (command board AND MLM) in a Spectra is to use LAB RSS and use the serial number change utility (service menu I believe).

If that won't work, you can use the Bit Banger in the Lab RSS. The serial numbers start at location 0x601D on the MLM and at location 0xB61C on the command board.

Spectra bandsplit

The frequency/bandsplit of the MLM is in memory location 0x605F. To change the bandsplit of the codeplug in the radio, use the BITBANGER function and change 0x605F as follows:

After you change the memory using BITBANGER, read the codeplug from the radio and it will have the new bandsplit. NOTE: This will NOT change the actual bandsplit of your radio. You can't make a radio operate in a new bandsplit without changing the hardware (VCO). However, it will allow you to take a codeplug with desired features but the wrong bandsplit and modify it so you can clone it into another radio.

This might possibly be a roundabout way to program out of band freq. Program up all the modes using fictitious frequencies for your out of band channels and write to the radio. Then use BITBANG to change the bandsplit to one that covers your out of band freqs and read the codeplug. Change the out of band modes to the correct freq and then write to the radio. Finally, BITBANG the radio back to the correct bandsplit matching the hardware and then read and write the radio without modifying the modes. This has been tried with some limited success.

As always, LAB software in general and BITBANGing specifically should be exercised with extreme caution. You can easily convert your radio to a paperweight.

