| Author |
 Topic  |
|
ddabcd277
307 Posts |
 Posted - 29 déc. 2010 : 08:51:37
|
Yes, do it please! PouchX what programmer where you using to make the dumps? Did you use special software?
Thanks, |
Edited by - ddabcd277 on 29 déc. 2010 08:52:09 |
 |
|
|
lolypop000
Slovenia
146 Posts |
Posted - 29 déc. 2010 : 11:00:24
|
| If you share program then can any of us send dump of nuvi we have. |
|
|
|
PouchX
Poland
272 Posts |
|
|
turboccc
Canada
782 Posts |
Posted - 29 déc. 2010 : 22:35:55
|
@PouchX, if you have the 37xx... I am interested!
BTW, don't you have anything else to do other than unsolder all those flash memories and read them with a programmer? LOL! |
Edited by - turboccc on 29 déc. 2010 22:36:54 |
|
|
|
PouchX
Poland
272 Posts |
Posted - 29 déc. 2010 : 22:37:09
|
I dont have :(
Only TSOP48 NAND Flash units.
BTW. I repaired many units with broken flash. Manual programming was only one cure. |
Edited by - PouchX on 29 déc. 2010 22:47:24 |
|
|
|
kunix
Belarus
187 Posts |
Posted - 29 déc. 2010 : 23:56:39
|
@PouchX
Thank you for theese dumps. I'm sure I will extract lots of useful info about flash regions. I've seen NV in such dumps, so now I'm sure that NV is just a pice of flash, nothing more.
I'm curious why are they so small? Where is file system located in flash? |
|
|
|
ddabcd277
307 Posts |
Posted - 30 déc. 2010 : 00:00:13
|
| Cool!!! Thanks Pouchx! |
Edited by - ddabcd277 on 30 déc. 2010 00:00:59 |
|
|
|
turboccc
Canada
782 Posts |
Posted - 30 déc. 2010 : 00:18:10
|
| You can make a search for a piece of code (such as "020000EA") and you will find fw_all.bin. You will find things the same way as they are saved using RGN_Tool. You will notice they are divided in 2048-byte chunks by the file system with FS information of 64 bytes in between the chunks. I was able to find the logo.bin for the nuvi 660. I could create logo.bin files for these units to be used with GIR_Editor. |
Edited by - turboccc on 30 déc. 2010 02:42:54 |
|
|
|
kunix
Belarus
187 Posts |
Posted - 30 déc. 2010 : 00:34:35
|
@turboccc
"You will notice they are divided in 2048-byte chunks by the file system with FS information of 64 bytes in between the chunks"
I didn't understang. Please explain a bit more detailed. |
|
|
|
turboccc
Canada
782 Posts |
Posted - 30 déc. 2010 : 02:41:58
|
Here's the start of one dumpIt contains the first 2kB of data
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 40 00 00 00 76 2D 00 00 00 00 00 00 00 00 00 00 @...v-..........
00000010 00 00 00 00 58 2D 4C 4F 41 44 45 52 00 00 00 00 ....X-LOADER....
00000020 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000030 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000040 02 00 00 EA B6 31 00 20 6C 27 00 20 6E 27 00 20 ...ê¶1. l'. n'.
00000050 0C 80 A0 E1 7C 03 9F E5 00 10 90 E5 17 10 C1 E3 .€ á|.Ÿå..å..Áà
00000060 06 10 81 E3 00 10 80 E5 6C 03 9F E5 00 10 90 E5 ..à..€ål.Ÿå..å
00000070 07 10 C1 E3 00 10 80 E5 60 03 9F E5 60 13 9F E5 ..Áà..€å`.Ÿå`.Ÿå
00000080 00 10 80 E5 5C 03 9F E5 5C 13 9F E5 00 10 80 E5 ..ی\.ٌ\.ٌ..ی
...
000007C0 07 15 00 20 60 29 00 20 FF B5 83 B0 14 1C 04 9A ... `). ÿµƒ°...š
000007D0 00 20 5A 49 02 90 88 5C 1D 1C 2C 23 58 43 58 4A . ZI.ˆ\..,#XCXJ
000007E0 80 18 46 68 00 2E 02 D1 0B 20 07 B0 F0 BD 03 9F €.Fh...Ñ. .°ð½.Ÿ
000007F0 71 78 B0 78 22 1C 2C 23 09 1A CA 40 01 32 8A 40 qx°x".,#..Ê@.2Š@
Then there is a 64-byte chunk probably used by the file system. It may contain a checksum/crc of the chunk and a pointer to the next chunk which may not be contiguous.
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000800 FF BF 40 A5 E2 E2 DD E2 1D 78 49 B6 4B 00 00 00 ÿ¿@¥ââÝâ.xI¶K...
00000810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Then, another 2kB block of data, then 64-byte chunk, etc... |
|
|
|
PouchX
Poland
272 Posts |
Posted - 30 déc. 2010 : 08:04:43
|
quote:
Originally posted by kunix
I'm curious why are they so small? Where is file system located in flash?
These are only first MBs of whole flash that are enough to start unit when you will program blank flash chip. There is no need to program whole chip. Also, these dumps contains first sectors of file system. Some contains basic files like gmapbmap.img.. itc.
N3xx/N6xx will start without any files.
N2xx need few basic files.
So, it depends on what unit you need to repair.
For exmaple, you can flash N200 with N270 dump.
But N270 boot looks for second flash chip on the PCB.
http://www.garniak.pl/viewtopic.php?p=45511#p45511 |
Edited by - PouchX on 30 déc. 2010 08:19:39 |
|
|
|
Yilmaz
88 Posts |
Posted - 30 déc. 2010 : 09:01:39
|
@Hi Pouchx,
I am also curious on what tools you use for soldering the Chip on PCB ?
Mind to share the picture of your tools ?
How to prevent the Chip's pin burn when soldering ?
Thanks
|
|
|
|
kunix
Belarus
187 Posts |
Posted - 30 déc. 2010 : 09:14:53
|
@turboccc
Indeed, flash is formatted in 2048-bytes data blocks with 64-bytes headers (or footers?). This looks strange to me. For the following reason. To execute firmware we need to make it contiguous in address space. I thought it's done with help of memory page mapping. But pages are larger that 64 bytes. So that's impossible. Moreover, I think firmware should be executed from flash directly. This is how (I suppose) it's usually made in embedded devices. So I have an idea that those 64-byte headers somehow are not visible for processor. Otherwise it's not possible to execute firmware from flash and firmware should be copied to RAM before execution.
Also did you notice that bootloader is contained 4 times in N670 flash? Maybe it's possible to choose from that 4 when booting device? |
Edited by - kunix on 30 déc. 2010 09:32:47 |
|
|
|
turboccc
Canada
782 Posts |
Posted - 30 déc. 2010 : 15:26:24
|
@kunix,
For performance, I am pretty sure the gps is running from ram not flash. Remember the program offset (ie 0x800080000) we discussed about a few weeks ago with little_frog? About boot: could be garmin boot, mass storage boot, ... I do not know, but yes I have seen a couple X-Loader strings. |
|
|
|
kunix
Belarus
187 Posts |
Posted - 30 déc. 2010 : 15:58:18
|
@turboccc
Huh, perfomance reasons.. good idea. But there are two facts that contradict it.
1) it's not possible to write to firmware addresses while device is fully loaded (device crashes). Maybe it's some special MMU magic, but I didn't investigate deeper. Though I've seen a piece of code in the beginning of booloader that copies some bytes to fw_all addresses and executes them.
2)it's not clear who does copying bootloader to RAM and execution it (because bootloader is definitely compiled to execute without that 64-byte headers)
What about 4 copies of booloader.
This is not a bootloader from boot.bin, though it definitely looks like a piece of software. I met the booloader from boot.bin just one time. X-LOADER string is placed before any copy of a new strange bootloader. Don't know what this string is for... |
|
|
|
Topic |
|
- 
- 
RGN_Tool - Utility to create/convert RGN/GCD
