|
|
|
|
|
|
|
Crypto Data Telefunken ETM-1810/M
Control commands
This page describes how the ETM-1810/M ECHOTEL Modem can be
controlled externally via the CONTROL port at the rear (X2).
Note that this information is not obtained from original
AEG Telefunken
sources or documentation, but rather via reverse engineering by an anonymous contributor [1] — without any prior knowledge of the system —
complemented by our own findings.
Reverse engineering is a laborious task which requires a lot of patience and
a lot of trial and error.
As a result, there may be errors or omissions in the information below.
If you find any mistakes, omissions or anything else that may help us to
improve this page, please let us know.
|
|
There are many different versions of the ETM-1810/M firmware.
In addition, there is an extension board with two additional DSPs,
which can be fitted on top of the existing one. Such versions offer support
for additional waveforms like ISB.
So far, we have recorded the following versions:
|
| Ver. | Extra | Reported version | Year | Comment |
|
|
| 4GI | ✔ | 4GI | ? | |
| M9IQ | | 8010001/0051799 | 1999 | Single-board version |
| 7JO | ✔ | 7JO | 2002 | Extra DSP board with HDR, S4539 and ISB |
| JET | ✔ | JET | 2006 | |
| 1 | 2 | 3 | 4 | 5 |
|
|
In this table, column 1 shows the version number that appears on the display
on startup.
Column 2 is ticked when the extra DSP board is present.
Column 3 shows the version number that is reported via the CONTROL interface,
in reply to a ' ?VER ' command.
Column 4 shows the estimated year of
manufacturing, based on the date codes on the components.
So far, we have not found any logic in the rather obscure version numbering.
➤ Supported waveforms for each version
|
Connect the control port (X2) to the serial port of a PC with a
straight DB25/M-to-DE9/F cable.
A serial port is also known as COM-port or RS232 port.
If your PC does not have a serial port with a
DE9 connector,
use an USB-to-RS232 dongle as well.
Note that not all dongles are suitable, as they may not support certain
baudrates and/or control signals.
➤ Pinout
Set the configuration of the PC's serial port to 19200 8N1, and ensure
that the ETM-1810 is set accordingly. 19200 is the default baudrate of the
ETM-1810. It means: 19200 bits per second. 8N1 is the data format. It means: 1 start-bit, 8 data-bits,
no-parity and 1 stop-bit.
Note that there are two different control protocols
that can be used to remotely control the ETM-1810/M:
|
- Standard protocol
This protocol gives access to all features of the ETM-1810/M
and ETM-1810/M-A
in a way that can easily be implemented on a regular computer. This is the
default protocol of the device, when any waveform other than MAHRS is
selected.
It gives access to all parts of the device and is described in detail below.
➤ More
- Arcotel protocol
This is a more obscure protocol that is used when the MAHRS waveform is
selected. It is backward compatible with the protocol used by the
ETM-1810. In this mode, the device fully relies on support from
the ARCOTEL ACT-1810 computer, and does not respond to any of the commands
of the standard protocol.
➤ More
|
|
This is the default control protocol when any waveform other than MAHRS is
selected. It allows selection of the waveform and gives full control over
its parameters. Use the front panel display to verify that MAHRS is not
selected, before trying commands from this protocol. Also ensure (via the
display) that the control interface is set to 19200 8n1.
Most of this protocol was discovered by mans of reverse engineering
by an anonymous contributor [1], who started by observing the initialisation
command(s) between an ACT-1810 computer and the ETM-1810/M-A.
A Python script was then used to try arbitrary commands and check whether
they yield a result.
|
All commands use this syntax:
<LF><type><cmd><CR>
in which <LF> is a linefeed (ASCII 10, hex 0A)
and <CR> is a carriage return (ASCII 13, hex 0D).
Each command starts with a <LF>.
The second parameter is the command type, which is always exactly one
character long.
It is followed by the command, which has an arbitrary length.
The command string is terminated with a <CR>.
Some commands may invoke a reply.
|
|
Note that from firmware version JET onwards, there is a timeout
of 1 seconds on the command string. All characters of the command (including
the LF prefix and the CR suffix) must be sent before the timeout occurs.
As a result it is no longer possible to enter commands manually using a
terminal emulator. Firmware versions M9IQ and 7JO do
not have a timeout.
|
|
The second parameter (following the initial LF) is the command type.
It is always exactly one character long.
The following command types are currently known:
|
| Type | Name | Description |
|
|
| ? | Query | From computer to ETM (ETM replies with a '!' message) |
| * | Command | Regular command from computer to ETM (no reply, or error message) |
| ! | Reply | Reply from ETM on a '?' query |
| # | Message | Message from ETM to computer (may pop up at any moment) |
| % | ? | Currently unknown |
|
|
The '?' command can be used to request a specific parameter or status.
After entering a valid command, the ETM-1810 will always
reply with a '!' message, followed by the requested
information. If a command is not recognised, the ETM-1810
replies with an ' #? ' status message.
|
| Cmd | Name | Description |
|
|
| ?B | Mode | Request working mode (Betriebsart) with full details |
| ?BIT | BITE | Start built-in test equipment (BITE, self-test) |
| ?D | Data | Data type ( !DS =synchronous, !DA =asynchronous) |
| ?DP | Polarity | FSK polarity ( !DPN =Normal, !DPI =Inverted) |
| ?FH | Freq. Hopping | Frequency hopping state ( !FH0 =off, !FH1 =on) |
| ?S | Signal | Signal level |
| ?SBI | ? | ? |
| ?SCM | ? | |
| ?PE | PTT | PTT delay in [ms] |
| ?TQ | ? | Reports some kind of quality report (6 hex digits) |
| ?VER | Version | System and software version |
| ?W | Waveform | Reports current waveform (e.g. ' !WSC' for STANAG 4285-C) |
| |
|
|
Commands
*
|
|
|
|
|
In the description below, 'x' indicates a fixed numeric or
alphanumeric character position. These commands have a fixed format, whilst
'...' indicates a command with an arbitrary length.
|
|
*B...
|
Mode
|
Set waveform and parameters (see below)
|
| *Dx | Data type | Set serial data type ( S = synchronous, A = asynchronous) |
| *DPx | Polarity | Set FSK polarity ( N = Normal, I = Inverted) |
| *FHx | Freq. Hopping | 0 = off, 1 = off |
| *FSET... | ? | Frequency Hopping Set? |
| *PExxxxx | PTT | Set PTT delay in [ms], e.g. *PE00003 = 3ms |
| *TESTx | Test | TEST1-TEST4 returns a result |
|
*Wx
|
Waveform
|
Set waveform (see below)
|
| |
|
|
Waveform selection
*
|
|
|
|
|
| *WB | S4539 | STANAG 4539 |
|
*WF
|
MAHRS
|
Select MAHRS mode (different control protocol, ' *WT ' to return)
|
| *WH | HDR | |
| *WI | ISB | Independent Side Band |
| *WK | FSK | Frequency Shift Keying |
| *WL | MSK-LF | |
| *WM | MILSTD | |
| *WN | NARROW | STANAG 4529 WN=WN0=WN1 |
| *WS | 4285-C | STANAG 4285-C |
| *WT | STANAG | STANAG 4538 (with ALE) |
| |
|
|
Additional waveforms in version JET
|
|
|
|
|
|
The following commands work in firmware version 'JET'
but not in 7JO.
|
| *WC | HRS | |
| *WS0 | 4285-C | Coded |
| *WS1 | 4285-U | Uncoded |
| *WSC | 4285-C | Same as *WS0 (coded) |
| *WSU | 4285-U | Same as *WS1 (uncoded) |
| *WW | MULTI | ? |
| |
|
|
Messages
#
|
|
|
|
|
Arbitrary messages can be sent by the ETM-1810 whenever the system deems it
necessary. They are not sent as a reply to a specific request, and may
therefore come unexpectedly. The computer software should be able to
handle this.
|
| #T | BITE | Startup or self-test (BITE) running |
| #DAU | ? | |
| #DEBUG | ? | |
| #E:... | Value | Value returned by some commands |
| #EDSP1 | ? | |
| #EDSP2 | ? | |
| #EDSP3 | ? | |
| #EDSP4-1 | ? | |
| #EDSP4-2 | ? | |
| #ERROR | ? | |
| #OD | ? | |
| #RA | Rx Active | Reveiver active |
| #RE | Rx End | Receiver stopped |
| #RBxxxxx | Rx Bearer | Modem bearer type (auto-select) |
| #TA | Tx Active | Transmitter active |
| #TAD | ? | |
| #TE | Tx End | Transmitter stopped |
| #TRD | ? | |
| #TRE | ? | |
| #TTE | ? | |
| #TTS | ? | |
| #? | Error | Unknown command or not supported in this mode or version |
| #UNB | ? | |
| #W | ? | |
|
|
|
Mode setting with the *B command
|
|
|
|
The *B-command can be used to select a waveform, along with its parameters,
such as baudrate and tone frequencies. The exact syntax of the command
depends on the selected waveform. To find the correct syntax, select the
desired waveform and options via the front panel, and then issue a
' ?B ' command. The returned string (e.g. '!BN0L0600C1600 ')
can be used as a guideline for creating a '*B ' command.
Below are some examples. For clarity, numbers are shown in red.
|
| Waveform | Example | Meaning |
|
|
| FSK | *BK0N0050M21250S22950O+000 | K = Mode FSK
0 = no meaning (must be 0)
N = Normal polarity
0050 = 50 baud
M21250 = MARK 2125.0 Hz
S22950 = SPACE 2295.0 Hz
O+000 = Offset +0 Hz |
| MSK-LF | *BL | L = MSK-LF |
| NARROW | *BN0L0600C1600 | N = Narrow S4529
0 = no meaning (must be 0)
L = Large 1
0600 = 600 baud
C1600 = Center freq. 1600 Hz |
| HDR | *BH1L9600 | H = HDR
1 = no meaning (must be 1)
L = Large 2
9600 = 9600 baud |
| 4285-C | *BS1L0600 | S = STANAG 4285
1 = Coded
L = Large buffer 1
0600 = 600 baud |
| 4285-U | *BS0N | S = STANAG 4285
0 = Uncoded
N = No buffer 3
1200 = 1200 baud |
| ISB | *BI1l19k2 | I = ISB
1 = no meaning (must be 1)
l = Very large buffer 2
19k2 = 19200 baud |
|
-
S = small, L = large.
-
u = ultra small,
v = very small,
S = small,
m = medium,
L = large,
l = very large.
-
Fixed (cannot be changed).
|
|
When the device is first powered on, it performs a self-test (BITE),
which is indicated by a #T message. As the test progresses, more
status messages will be reported. On a proper startup, you should see
the following status messages:
|
#T BITE started #TA Transmitter Active #RA Receiver Active #TE Transmission End #RE Reception End
|
|
Unfortunately there is no 'ready' message at the end of the sequence,
so it is difficult to determine when the device is ready to accept
commands. In practice it is best to wait until the #RE message has
been seen. Alternatively, it is possible to repeatedly send an empty command
(i.e. <LF><CR>) and check whether the system replies with a #?
message.
|
|
To request the system version number, send a version query:
|
|
The system replies with a '!' message, for example:
|
|
This means that the firmware version is 7JO and the hardware version
is ETM 1810/M-A. The format of the version string appears to be
arbitrary, as different versions return a competely different string.
|
|
|
Built-in self-test (BITE)
|
|
|
|
The device has a so-called Built-In Test Equipment (BITE), which means
that its hardware can fully be tested by the device itself. On power up,
it performs a limited BITE that tests the transmission and reception
circuits.
A more elaborate test can be started by pressing the TEST-button on the front
panel or by sending the command ' ?BIT '.
During the test, someting like this is displayed:
ETM 1810/M-A
Version 7JO
Built-In-Test
RAM :00000
EPROM : 0
FLASH : 0
WATCHDOG : 0
ADDR-ERR : 0
SIO-LOOP : 000
TIMER : 000
EEPROM : 0
DSP1..3 : 000
DSP4..5 : 0000
A/D-D/A : 0
TOTAL LOOP: 0
|
|
The zeros at the end of each line, indicate that there are no errors.
Any number or text other than zero indicates a fault. The command replies with
a ' !BIT ' message followed by a 16-bit binary number, in which each '1'
indicates an error. Note that the self-test takes quite some time to complete,
which means that it takes a while before the '!BIT ' reply is received.
During this time, it may report a number of status messages (#).
|
#T #TA #RA #TE #RE !BIT0000000000000000
|
|
|
Arcotel protocol
MAHRS mode
|
|
|
|
The Arcotel protocol relies on support from the ARCOTEL ACT-1810 computer.
It is active (only) when the MAHRS waveform is selected, in which case the
device is backward compatible with its predecessor ETM-1810.
When the MAHRS waveform is selected, all characters sent to the control port
will be echoed. Furthermore, the device does not respond to any of
the regular commands of the standard protocol, except for the one
that is used to select the STANAG waveform ' *WT' .
This requires sending the sequence: <LF>*WT<CR> .
It re-enables the standard protocol.
At present, no further information about the Arcotel protocol is available.
It is doubtful whether it would make any sense to use it, as it delegates
many tasks — including Forward Error Correction (FEC) and Automatic
Repeat Request (ARQ) — to the ACT-1810 computer.
|
|
Below is an overview of the various waveforms found in devices with
different firmware version numbers. Differences with the default set of
waveforms are shown in green and blue.
|
|
|
M9IQ
(1999, main PCB only)
|
|
|
- 4285-C
- FSK
- MAHRS
- MSK-LF
- NARROW
- MILSTD
- 4285-U
|
|
|
7JO
(2002, with additional DSP card)
|
|
|
- 4285-C
- FSK
- MAHRS
- MSK-LF
- NARROW
HDR S4539 ISB - MILSTD
- 4285-U
|
|
|
JET
(2006, with additional DSP card)
|
|
|
- 4285-C
- FSK
- MAHRS
- MSK-LF
- NARROW
HDR S4539 ISB HRS MULTI - MILSTD
- 4285-U
|
|
The software (firmware) of the ETM-1810/M-A
(i.e. the version with the additional DSP board) runs on a currently
unknown operating system (OS) that is stored in the ROMs on the
extension board. The ROM also holds a number of programs that can be used
to perform memory and DSP operations, and for updating the onboard
Flash ROM (EEPROM) with new waveforms.
The programs can be started from the
command line interpreter (CLI) of the internal OS.
|
Connect a PC with a terminal emulator to the CONTROL port and select
a standard terminal (e.g. VT102). Ensure the terminal inserts a LF after
every CR. Set the baudrate to 19200 8N1.
On the front panel: hold the MODE and ESC buttons when switching the
device on. The display will now show a different startup message, for example:
RACOMS Loader f.
*ETM Version 2JR
The device is now in 'loader' mode and the CLI of the internal OS
can be accessed via the CONTROL port. At this point, the terminal should show
the command line prompt:
>>
Type ? and press enter (CR). This returns a list of possible commands:
<DSP> for testing the DSPs
<PROGRAM> for program management
<MEMORY> for testing the memory
<SYSTEM> for system utilities
<TEST> for misc. tests
<VERSION> for showing the link date
<item.HELP> for displaying topic help
We are currently investiging the possibilities with these commands.
Note that the above is only possible when the extra DSP board is present
(i.e. version ETM-1810/M-A only).
|
- Anonymous contributor, Connector pinouts and reverse-engineered command set
Crypto Museum, January-April 2025.
|
|
|
|
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Wednesday 05 March 2025. Last changed: Thursday, 08 May 2025 - 15:36 CET.
|
 |
|
|
|
|
| | |
