Bao1702B is a Windows desktop Customer Programming Software and CLI toolkit for the Baofeng DM-1702 and BF-1702B dual-band DMR/analog radios. The clean release in this repository is intended for public reference, evaluation, and portfolio display.
Copyright (c) 2026 Ryan Walsh. All rights reserved.
This repository is published for public viewing and professional reference only. No license is granted to use, copy, modify, distribute, deploy, or create derivative works from this software without prior written permission from Ryan Walsh. This codebase is proprietary commercial software and is not open source. See LICENSE.md.
The solution includes a WPF desktop application, a command-line tool, a binary codeplug model, protocol tooling, firmware analysis helpers, and a substantial automated test suite. It was developed around reverse-engineering of the OEM codeplug format and radio protocol with a safety-first write model.
- Full codeplug read / write / save / open — reads the 245,760-byte native image from the radio, decodes all entity types, and writes validated images back. The codeplug model is the sole source of truth for writes — every byte is generated from modeled fields or known OEM constants (source: 8 OEM
.datacaptures + Ghidra CPS decompilation). - Six entity editors — Channels, Zones, Scan Lists, Contacts, RX Groups, and Group Lists with full add / delete / detail editing.
- Parameter and button editors — radio name, DMR ID, squelch, VOX, backlight, power, battery saver, CTCSS tail revert, keypad lock, DTMF codes, startup text, and 7 programmable keys with short/long press assignments. All fields OEM-validated via cross-capture binary diff (source:
NativeCoverageAudit.md). - Safety-first write model — mandatory pre-write backup, write-intent validation, and a safety policy engine that blocks writes to unrecognized radios.
- CSV import / export — bidirectional CSV for all six entity types.
- Firmware analysis — reads firmware images, computes checksums (SHA-256, SUM16, XOR8), extracts strings, and validates compatibility.
- Advanced tools — hex dump, entropy map, transport diagnostics, and capture transcript analysis.
- CLI companion — headless read, write, verify, diff, and restore operations for automation.
| Radio | Family | Read | Write | Status |
|---|---|---|---|---|
| Baofeng DM-1702 | Bao1702 | ✅ | ✅ | Validated against 8 OEM captures |
| Baofeng DM-1702B | Bao1702 | ✅ | ✅ | Validated against 8 OEM captures |
The radio connects over USB using a printer-class interface (VID 0483 / PID 5780). No special drivers are required on Windows.
This software treats radio writes as inherently dangerous operations:
- Backup-before-write is mandatory — the safety policy engine blocks writes unless a codeplug backup exists for the target radio.
- Unknown radios are read-only by default — writes to unrecognized hardware are blocked unless explicitly overridden.
- Unsafe write paths require explicit acknowledgement — the CLI
force-writecommand demands the stringI_ACCEPT_THE_RISK_OF_BRICKING_THE_RADIO. - Clean-write architecture — the codeplug model is the sole source of truth.
Dm1702NativeImageBuilder.Build()generates every byte from the model and known OEM constants. There is no preserved-image overlay — all fields are explicitly modeled or set to validated OEM defaults (source: cross-capture byte-level comparison of 8.datafiles).
See QUICKINSTALL.md for the fastest local setup path.
- Windows 10 or later
- .NET 10 SDK (or Visual Studio 2026 with Desktop workload)
- Baofeng DM-1702 or DM-1702B radio with USB cable
powershell -ExecutionPolicy Bypass -File .\scripts\test-release.ps1powershell -ExecutionPolicy Bypass -File .\scripts\install-local.ps1The published desktop output is staged to dist\local.
dotnet run --project .\src\Bao1702.Cli\Bao1702.Cli.csproj -- help
dotnet run --project .\src\Bao1702.Cli\Bao1702.Cli.csproj -- read --output codeplug.bin
dotnet run --project .\src\Bao1702.Cli\Bao1702.Cli.csproj -- verify --image codeplug.bin
dotnet run --project .\src\Bao1702.Cli\Bao1702.Cli.csproj -- write --image codeplug.bin
dotnet run --project .\src\Bao1702.Cli\Bao1702.Cli.csproj -- diff firmware --left a.bin --right b.bin| Project | Purpose |
|---|---|
Bao1702.Desktop |
WPF desktop CPS application |
Bao1702.Cli |
Command-line codeplug and firmware tools |
Bao1702.Codeplug |
Codeplug data model, CSV import/export, write validation |
Bao1702.Protocol |
Radio protocol sessions, safety policy, packet codec, discovery |
Bao1702.ReverseEngineering |
Native image serializers, decoders, and binary analysis tools |
Bao1702.Firmware |
Firmware image parsing, checksums, and compatibility validation |
Bao1702.Transport |
USB printer-class, serial, and mock transport layers |
Bao1702.Tests |
176 tests covering serialization, protocol, safety, and round-trip fidelity |
| Document | Description |
|---|---|
| User Guide | Desktop CPS and CLI usage guide |
| Architecture | Solution structure, dependencies, and design decisions |
| Binary Format | DM-1702 native codeplug image specification |
| Safety Model | Backup, validation, and write-safety system |
The clean public snapshot keeps the shipping source tree, documentation, representative samples, firmware notes, and reverse-engineering evidence that support the implementation. Generated outputs, IDE state, test results, captures, and temporary debugging artifacts are excluded.
All critical binary regions are Ghidra-validated and OEM-confirmed:
| Region | Offset | Status |
|---|---|---|
| Channels | 0x3000 | ✅ Linear + paged overflow, 256 max |
| Zones | 0x6000 | ✅ Linear (0–13) + paged (14+), 250 max |
| Contacts | 0x1F000 | ✅ Paged, 170 per page, bitmap + sorted index |
| Scan Lists | 0xB000 | ✅ 32 max, stride 0x39, count byte at area[0] |
| RX Groups | 0x8000 | ✅ Split layout with member lists |
| Config | 0x5000 | ✅ DMR ID, radio name, DTMF, keys, startup |
| GPS | 0x5500 | ✅ 16 entries × 16 bytes |
See docs/BINARY_FORMAT.md for the complete field-level specification.
The ghidra/ directory contains decompiled CPS functions used as the primary evidence source. Every binary layout claim in the codebase references specific Ghidra function names and line numbers.
Key evidence sources:
FUN_0041f960— Zone and scan list serialization (lines 571–816, 1090–1293)FUN_004191f0— Channel record paging formulaFUN_00419600— Contact paging and bitmap layout- Binary captures from multiple radios (Ryan Whidbey, factory baseline, PNW repeaters)
- The repository is public for display, but the software remains proprietary.
- Third-party frameworks and libraries retain their own licenses.
- Radio write operations remain high-risk and should only be performed by operators who understand the recovery implications.