Those TDM'd bands 40MHz wide, with digital data and modulation past the limits of sanity, and the entire RF system being integrated into one die somehow? Oh boy.

Indeed.

The problem with many modern ham radios of any sufficiently complex feature set - especially when it comes to cheap hackable radios or digital radios - is that a lot of the functionality is hidden away in blackbox ASIC hardware blocks that have no public datasheets (e.g. BK4819 powering Quansheng's radios, Si4732, or for anything DMR, the AMBE-2020 vocoder).

It's truly a miracle what the hacker community has gotten out particularly out of the Quansheng chipset.

I've reverse engineered lots of things, but the one time I actually got paid for it (this is more a hobby to me), I got the exact opposite of what happened to you.

I quoted some small amount to document the protocol to configure some embedded device that I thought would take a day or so, and it turned into a two-week nightmare. Turned out there was no configuration protocol, it was firmware updates always -- and internal parameters were just overwritten along with the code. So I ended up having to disassemble a big chunk of the firmware before I could configure the device.