Log 0x07 - HowTo
02/09/2021 at 09:22 • 0 comments
I initially didn't want to upload the modified config file because I don't want to get into legal troubles with the Retevis Company. But since I got a few private messages recently, asking how to enable the high power mode or select different frequencies, here is how:
Just download the official flash tools for both the PMR and the FRS version of the radio here, install and start both programs, export the default config files from each of them, diff/compare the files with diffchecker.com, NotePad++ or something and you'll easily spot the difference between both files. It's not just one bit though, the settings are kind of spread out across a few locations in the config file! Btw the flash tool is a little buggy, make sure to set your Windows Localisation Setting to US! Have fun and let me know if it worked :)

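The comparison step described above can also be scripted. This is an added example, not the author's flash tool: it groups the differing bytes of two exported config images into regions and names the flipped bits. The sample images, their 0x2000-byte size, offsets and values are constructed and do not reflect the radio's real layout.

```python
from typing import List, NamedTuple

class Region(NamedTuple):
    start: int   # offset of the first differing byte
    a: bytes     # bytes from the first file
    b: bytes     # bytes from the second file
    bits: int    # number of differing bits inside the region

def diff_regions(a: bytes, b: bytes, gap: int = 4) -> List[Region]:
    """Group differing bytes into regions; diffs at most `gap` bytes apart merge."""
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    offsets = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    regions, start, prev = [], None, None
    for off in offsets + [None]:          # None flushes the last open region
        if start is not None and (off is None or off - prev > gap):
            ca, cb = a[start:prev + 1], b[start:prev + 1]
            bits = sum(bin(x ^ y).count("1") for x, y in zip(ca, cb))
            regions.append(Region(start, ca, cb, bits))
            start = None
        if off is not None:
            if start is None:
                start = off
            prev = off
    return regions

def flipped_bits(x: int, y: int) -> List[int]:
    """Bit positions (0 = LSB) that differ between two byte values."""
    return [n for n in range(8) if (x ^ y) >> n & 1]

def build_samples():
    """Constructed sample images; every offset and value here is invented."""
    a = bytearray(b"\xff" * 0x2000)
    a[0x40:0x43] = b"\x10\x20\x30"
    b = bytearray(a)
    b[0x40:0x43] = b"\x11\x20\x33"        # multi-byte setting, middle byte equal
    b[0x123] ^= 0x04                      # single-bit flag
    return bytes(a), bytes(b)

if __name__ == "__main__":
    img_a, img_b = build_samples()
    for r in diff_regions(img_a, img_b):
        print(f"0x{r.start:04X}: {r.a.hex()} -> {r.b.hex()} ({r.bits} bit(s))")
        if len(r.a) == 1:
            print("  flipped bit(s):", flipped_bits(r.a[0], r.b[0]))
```

To compare real exports, read both files in binary mode and pass their contents to `diff_regions`.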
Log 0x06
03/30/2019 at 20:44 • 0 comments
I just completed a first successful DMR call with a local radio amateur via the local relay :)
Next thing to do: measure transmission power over frequency to estimate the bandwidth of the front end!

Log 0x05
03/29/2019 at 18:51 • 0 comments
GOOD NEWS EVERYONE!
It is possible to change the reception frequency out of the PMR band and into the 70cm HAM band, I tuned the radio to a local DMR relay frequency and it successfully decoded the traffic of the radio amateurs talking on that relay! To transmit, I need to register for the DMR network and figure out all necessary settings now...

Log 0x04
03/26/2019 at 13:18 • 1 comment
ROFL! Now that I actually reverse engineered the cable, the serial data transmission format, the config flash and after writing my custom flash tool, I discovered that it actually IS possible to just export the config file from the official app, edit it manually and load it back to achieve the same results! Lots of time wasted but never mind, who knows how the additional effort in understanding this will pay off in the future!

Log 0x03
03/25/2019 at 20:59 • 1 comment
Hack Level 1 successful, high TX power unlocked! :)
I downloaded the flash configuration, changed one single bit, uploaded the modified content with my tool, and it read back ok!
The LED now turns red instead of orange if PTT is pressed and the official tool also shows the high power setting!
4m 1 4 r34l h4xx0r n0w? ;)

Log 0x02
03/25/2019 at 20:00 • 0 comments
It took me long to understand how the channel frequency settings are stored in flash but now I do and I was able to write my own command line tool to read device flash data! By reading the complete content, I found:
a) Flash content wraps at 0x2000
b) Unknown content starting at 0x1A00, that is neither read nor written by the official app. Possibly relics from development?

Log 0x01
03/11/2019 at 17:56 • 0 comments
I reverse engineered the programmer cable, check out the schematics I uploaded. It does not use any of the handshake lines as I assumed at first, instead it uses a few transistors and resistors to combine the two separate RX and TX lines to one single, level-shifted TRX line (5V <-> 3.3V). Due to this circuit, all transmitted characters are immediately echoed back.