Dale-R
United Kingdom
4 Posts |
Posted - 05 mars 2011 : 13:27:57
Hi All,
I have just bought a Nuvi 860 (BMW Portable Navigation Pro).
Is there any way I can upload an alternative firmware from another model (i.e. 865, 765 etc.) on to this?
I don't mind a bit of hex editing and I'm not afraid to brick the device. I would really like to have some form of "lane assist"/"junction view" and am really disappointed that this model doesn't have it.
Any help would really be appreciated.
Dale-R
United Kingdom
4 Posts |
Posted - 05 mars 2011 : 16:39:44
It seems the firmware update file is the same for all the 8xx models, so the software is identical.
There must be something I can edit/change that is hardcoded on the device to tell that software/firmware what model it is and to enable those features?
Or is there a "service" type of firmware for the 865/885?
Edited by - Dale-R on 05 mars 2011 16:40:23 |
kunix
Belarus
187 Posts |
Posted - 05 mars 2011 : 19:16:35
I don't think there are any patched firmwares on the internet. The .RGN format for the 860 is different. Also some people say there is a checksum on the firmware (not that primitive checksum used on non-Linux Garmin devices).
But I have some things to do with the 860... So sooner or later I will have to start researching its firmware. And you would really help if you uploaded a USB dump of the firmware flashing process. Then I could try to help you...
Edited by - kunix on 05 mars 2011 19:28:54 |
Dale-R
United Kingdom
4 Posts |
Posted - 05 mars 2011 : 20:23:57
Thank you for the reply,
It does appear there isn't any patched firmware anywhere. As this device is Linux it works differently to the others: a "generic" firmware for all 8xx gets sent to the device and then it either compiles it on the device by preset flags such as HW ID, or even some form of config file.
The update software doesn't seem to configure anything relating to model. It's quite dumb and just sends a file to the device (or you can copy that file to the "Update" folder and it will update on reboot). As stated, I have compared all the firmware files for the 8xx series and they are all identical.
I'm trying another way to get in to it: you can put the device into "ethernet over usb" mode. I have been trying to write a driver all day to work with RNDIS or CDC using USB8023.sys but not having much joy yet :(. I may be going over old ground as someone may already have an "ethernet over usb/ethernet gadget" driver? If anyone is interested the ID of the device is USB\VID_0525&PID_a4a1&rev_020: or USB\VID_0525&PID_a4a1... If we can get in this way we should be able to play around with stuff :D, especially if SSH ports are open!
I'd be happy to try to get some dumps or any information you need though.
*EDIT*
Some progress here..
I have managed to get "ethernet over usb" working through Linux, set up a static IP and got a ping response :).
Next I tried the following:
Telnet = Connection refused
FTP = Connection refused
ssh = Connection refused
So then I installed the OpenSSH client/server and then it connects!!! But it's asking for a password! Some progress made though... Not sure how I am going to get this password, does anyone have ideas what it could possibly be or how we can find out?
*Update*
Well I have been looking at the source code and the Garmin patches and can safely say there is no way in via ssh unless someone knows someone in Garmin to get the password, it's all encrypted so it will take a million years to crack the password.
I give up, it's going on eBay :)...
Will start posting back here when I find a different device from Garmin that's suitable for my needs.
Edited by - Dale-R on 09 mars 2011 21:54:15 |
cr2
14 Posts |
Posted - 17 oct. 2011 : 00:22:03
quote: it's asking for a password! Some progress made though... Not sure how I am going to get this password, does anyone have ideas what it could possibly be or how we can find out?
There is no password for 'root', so you can't login as root. Try user=unpriv password=unpriv :)
unpriv@daisy:/sys/devices/platform$ cat /proc/cpuinfo
Processor : XScale3-Monahans L rev 1 (v5l)
BogoMIPS : 411.64
Features : swp half thumb fastmult edsp
CPU implementer : 0x69
CPU architecture: 5TE
CPU variant : 0x0
CPU part : 0x688
CPU revision : 1
Cache type : undefined 5
Cache clean : undefined 5
Cache lockdown : undefined 5
Cache format : Harvard
I size : 32768
I assoc : 4
I line length : 32
I sets : 256
D size : 32768
D assoc : 4
D line length : 32
D sets : 256
Hardware : Garmin Daisy
Revision : 0000
Serial : 0000000000000000
I can post a lot of other interesting hardware information if somebody is interested. Our only hope for a flash update is a local root exploit for this kernel.
unpriv@daisy:/sys/devices/platform$ uname -a
Linux daisy 2.6.17.7-nuvi8xx-4.40 #1 PREEMPT Mon Jan 1 00:00:00 CST 1980 armv5tel unknown
Boyd
USA
1649 Posts |
Posted - 17 oct. 2011 : 02:39:50
Wow, nice work - I'm impressed. This got me interested, so I dug out my old Nuvi 5000 and went to switch it to Ethernet over USB mode. But it appears that feature is no longer available in the menu with current firmware (4.10). I'm sure it used to be there, because I found an old thread where I mentioned it myself: http://www.gpspassion.com/forumsen/topic.asp?TOPIC_ID=113288
So I decided to downgrade to earlier firmware, which I found here: http://www.gawisp.com/perry/nuvi/
But no luck. After running the updater, it copies the file to the \garmin\update folder on the Nuvi, but when the unit starts up it is still running firmware 4.10 instead of the 3.30 that I installed. Is there some trick to downgrading firmware on the Linux-based Nuvis?
Assuming I can get past this, I don't understand how ethernet over USB works. Can you explain how you were able to open the ssh session? I have a fair knowledge of Unix, although not enough to write a driver.
Edited by - Boyd on 17 oct. 2011 02:40:27 |
cr2
14 Posts |
Posted - 17 oct. 2011 : 21:45:27
quote: Originally posted by Boyd Is there some trick to downgrading firmware on the linux-based Nuvi's?
I made a serious mistake and upgraded from 4.60 to 4.70. There is a recovery RGN file linked here http://www.gpspassion.com/forumsen/topic.asp?TOPIC_ID=141338 , with a pretty old kernel version, Linux-2.6.17.7-nuvi8xx-3.10. AFAIR the vmsplice kernel bug is still newer than my latest update :)
quote:
Can you explain how you were able to open the ssh session? I have a fair knowledge of unix, although not enough to write a driver.
Once you have switched to the USB-Ethernet mode on the device, the host should see a CDC-Ethernet gadget:
$ lsusb
...
Bus 001 Device 006: ID 0525:a4a1 Netchip Technology, Inc. Linux-USB Ethernet Gadget
...
You do then 'ifconfig usb0 192.168.1.100' and 'ssh unpriv@192.168.1.101'
debian:/home/cr2/Downloads# ifconfig usb0 192.168.1.100
debian:/home/cr2/Downloads# ssh unpriv@192.168.1.101
unpriv@192.168.1.101's password:
unpriv@daisy:~$
cr2
14 Posts |
Posted - 17 oct. 2011 : 22:34:13
There is another interesting option for breaking in: to use the blob serial console on /dev/ttyS2 (a bit different on the nüvi 5000, which uses /dev/ttySE1). Both devices have 5 serial ports:
/dev/ttyS0 (aka FFUART, used for ANT on 8xx)
/dev/ttyS1 (aka BTUART, used for BT on 8xx)
/dev/ttyS2 (aka STUART, used for TMC on 8xx in normal operation)
/dev/ttySE0 and /dev/ttySE1: this high-speed UART has a shared IRQ, so I didn't yet detect which port is used by the MTK GPS chipset. This is a tough job without having root access ;-)
I also need to find out the electrical parameters of the TMC UART: whether it's plain RS-232 or just TTL (3.3V or 5V). Another cool feature is the USB host on the external connector for using other USB peripherals.
Edit: I've looked at Garmin's blob patch (thank God for the GPL license) and these guys are really smart. To enable the blob serial console instead of TMC on 8xx, some (unknown yet) ID pin on the external connector should be shorted to ground. Then it is read out by the TSC2200. On the 5000 they use the DS2450 1-wire ADC.
int get_serial_okay( void )
{
// ADC values range from 0 to ~3.3V.
// Dev. mount ID = 0 to 95 mV.
Now I'm wondering, which CPU did Garmin use in the 7xx series? Several kernel drivers mention 7xx in their names, so maybe we can boot Linux also on 7xx after all :) At least these devices do not have such nasty crypto for reflashing ;)
Edited by - cr2 on 17 oct. 2011 23:04:24 |
kunix
Belarus
187 Posts |
Posted - 17 oct. 2011 : 23:03:39
@cr2 I think you can always break in by reflashing the rootfs :) Also, if I remember right, the firmware update service (don't remember the binary name) reads system_version with fgets into a local buffer without checking the signature first. I haven't tried exploiting this because of lack of time and device.
cr2
14 Posts |
Posted - 17 oct. 2011 : 23:32:49
quote: Originally posted by kunix I haven't tried exploiting this because of lack of time and device.
As long as you don't plan to write into NOR flash at the blob location, I don't mind rewriting the whole iNAND on my 860. Modifying blob for dual boot off the SD card still should be the most interesting option.
Edited by - cr2 on 17 oct. 2011 23:40:08 |
cr2
14 Posts |
Posted - 19 oct. 2011 : 21:47:49
quote: Originally posted by cr2 Both devices have 5 serial ports:
Actually, according to the kernel source nüvi5000 has 7 (!) serial ports.
int get_serial_okay( void )
{
// ADC values range from 0 to ~3.3V.
// Dev. mount ID = 0 to 95 mV.
For 8xx it is necessary to check whether the 'Pin 4 -DeviceID' mentioned here http://www.gpspassion.com/forumsen/topic.asp?TOPIC_ID=91718&whichpage=16 is the '// Dev. mount ID' cited by the kernel source. I must admit that 'Development' sounds like the better option:
Pin 32- Cradle ID (With a resistor between these two, you can get:
.38V -> 7,4kohm -> Volvo
.2V -> -> Car (This one is the cradle I have)
.0V -> -> Development (I don't know what this is for)
One more indirect hint for 'Cradle ID':
...
/sys/devices/platform/adc.0/usb_id
/sys/devices/platform/adc.0/serial1_id
/sys/devices/platform/adc.0/mount_id
...
USB ID
Device ID
Cradle ID
...
Edited by - cr2 on 19 oct. 2011 23:28:44 |
cr2
14 Posts |
Posted - 27 mai 2012 : 22:19:24
quote:
I also need to find out the electrical parameters of TMC UART: whether it's plain RS-232 or just TTL (3.3V or 5V)
Quoting the Garmin_FMI page @ http://wiki.argentdata.com/index.php?title=Garmin_FMI
Serial signals are 9600 baud, 0-3.3v, inverted (0v = 1, 3.3v = 0).
Although this information is located in the 'Mini-B' section, it also applies to the Hirose 18-pin connector. I can confirm it after disassembling the GTM-21 TMC receiver, which uses an ATMEGA32L microcontroller for communication with the Nüvi. The FTDI FT232RL chip allows inverting the logic levels, so it should be possible to connect a notebook through the Hirose TMC-UART port, using a breakout board http://www.sparkfun.com/products/8772 Then you can also spam the nuvi with fake TMC data ;-)
Edited by - cr2 on 27 mai 2012 22:25:30 |
cr2
14 Posts |
Posted - 01 juin 2012 : 22:10:36
I have downloaded the toolchain, kernel source and blob source from garmin's site, installed the toolchain, applied kernel patches. All 3 targets (daisy, daisy_dev and daisy_ldr) compile without any problems:
cd ~/Downloads
bash arm-2006q3-26-arm-none-linux-gnueabi.bin
tar xfv nuvi8xx-v4.40-sources.tar.bz2
cd nuvi8xx-v4.40-sources/GPL/linux-daisy-2.6.17.7-daisy-4.40
tar xfv linux-daisy-2.6.17.7-daisy-4.40.orig.tar.bz2
tar xfv linux-daisy-2.6.17.7-daisy-4.40.diff.tar.bz2
patch -p0 < linux-daisy-2.6.17.7-daisy-4.40.diff/garmin_mods.patch
# toolchain and cross prefix, set once for all three builds
export PATH=~/CodeSourcery/Sourcery_G++/bin/:$PATH
export CROSS_COMPILE=arm-none-linux-gnueabi-
# each defconfig overwrites .config, so configure and build one target at a time
make daisy_defconfig && make -j 3
make daisy_dev_defconfig && make -j 3
make daisy_ldr_defconfig && make -j 3
There is a problem recompiling 'blob', but it's a known bug in this old CodeSourcery toolchain:
cd blob-1.13-daisy-4.40/
tar xfv blob-1.13-daisy-4.40.orig.tar.bz2
tar xfv blob-1.13-daisy-4.40.diff.tar.bz2
patch -p0 < blob-1.13-daisy-4.40.diff/garmin_mods.patch
CC=~/CodeSourcery/Sourcery_G++/bin/arm-none-linux-gnueabi-gcc KSRC=~/Downloads/nuvi8xx-v4.40-sources/GPL/linux-daisy-2.6.17.7-daisy-4.40/linux-daisy-2.6.17.7-daisy-4.40.orig make
The last command fails with
.../gcc/config/arm/lib1funcs.asm:1000: undefined reference to `raise'
This bug can be easily fixed, but recompiling blob is not really a high priority. A new blob is needed only if you want to create your own update images with (your own) GPG signature.
kunix
Belarus
187 Posts |
Posted - 01 juin 2012 : 22:27:16
quote: Then you can also spam the nuvi with fake TMC data ;-)
Did you see any TMC protocol specifications? I was playing with dumping incoming and outgoing TMC packets and I didn't understand much.
quote: A new blob is needed only if you want to create your own update images with (your own) GPG signature.
So have you ever succeeded in flashing modified/recompiled firmware?
Edited by - kunix on 01 juin 2012 22:38:15 |
cr2
14 Posts |
Posted - 01 juin 2012 : 23:05:58
quote: Originally posted by kunix Did you see any TMC protocol specifications? I was playing with dumping incoming and outgoing TMC packets and I didn't understand much.
No, but we can open a new topic for decoding the grmn TMC protocol. Do the dumped packets have something in common with GNS TMC? http://www.china-rns.com/blogs/zoulou/68-gns-tmc-protocol-partly-disclosed.html If the ATMEGA32L firmware updates are not encrypted, then it should be possible to disassemble them.
Edit: GTM-25 is more or less the same receiver, only with a miniUSB connector: http://www.ruuvipenkki.fi/foorumi/viewtopic.php?f=3&t=162
quote:
So have you ever succeeded in flashing modified/recompiled firmware?
I need to create an appropriate RGN file with a HWM_RGN_RAM_CODE section, containing the newly compiled daisy zImage as payload. If it boots, then the new rootfs can be simply mounted from the SD card (root=/dev/mmcblk1p1 instead of the default root=/dev/mmcblk0p2).
Edited by - cr2 on 01 juin 2012 23:21:18 |
kunix
Belarus
187 Posts |
Posted - 02 juin 2012 : 07:12:47
GTM-26 and GTM-35 protocols seem to be completely different from GNS TMC. Request/response lengths are not fixed and there are no boundary bytes at the beginning and at the end of a message. Instead there is a 2-byte message code and a 2-byte data length followed by the data itself, so the protocol looks like the Garmin USB protocol used by updater.exe, for example.
Learning protocols from disassembling is really painful, I'd like to avoid this :)
So, as I understand, something (blob or the Linux kernel) is not GPG-signed, so we can make it do what we want. Right? Then wouldn't it be easier to patch that "root=/dev/mmcblk1p1" stuff using a hex editor?
Edited by - kunix on 02 juin 2012 07:17:55 |
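An added example, not code from this thread and not Garmin's, covering two points raised above: the inverted-logic 3.3 V serial line cr2 describes (9600 baud, 0 V = 1, 3.3 V = 0) and the frame layout kunix describes (2-byte message code, 2-byte data length, then the data, with no boundary bytes). It decodes an 8N1 capture of pin levels into bytes and splits the result into frames, handing back an incomplete trailing frame instead of reading past it. Assumed, because the thread does not say: little-endian field order, one pin-level sample per bit time (already sampled at the baud rate), and the capture itself, which is constructed by demo().

```python
# Added example (not from the thread or from Garmin): decode an inverted-logic
# 8N1 UART capture into bytes and split them into "2-byte code, 2-byte length,
# data" frames. Assumptions: little-endian fields, one pin-level sample per bit
# time, and the constructed capture built by demo().
from dataclasses import dataclass
from typing import List, Tuple

# Pin levels on the inverted line: 0 V is logical 1 (mark: idle and stop bit),
# 3.3 V is logical 0 (space: start bit).
MARK = 0
SPACE = 1


def uart_encode(data: bytes) -> List[int]:
    """Return inverted-logic pin samples for 8N1 framing (used to build captures)."""
    samples = [MARK, MARK]                         # idle line before the first frame
    for byte in data:
        samples.append(SPACE)                      # start bit
        for i in range(8):                         # data bits, LSB first
            samples.append(1 - ((byte >> i) & 1))  # inverted: bit 1 -> 0 V
        samples.append(MARK)                       # stop bit
    samples.extend([MARK, MARK])
    return samples


def uart_decode(samples: List[int]) -> Tuple[bytes, int]:
    """Decode pin samples into bytes; return (data, framing_errors).

    A frame whose stop bit is not at mark level is dropped and counted, so a
    non-zero count means the capture (polarity, baud rate) should not be trusted.
    """
    out = bytearray()
    errors = 0
    i, n = 0, len(samples)
    while i < n:
        if samples[i] != SPACE:                    # idle, keep looking for a start bit
            i += 1
            continue
        if i + 9 >= n:                             # start + 8 data + stop must fit
            break                                  # truncated frame at end of capture
        value = 0
        for b in range(8):
            value |= (1 - samples[i + 1 + b]) << b
        if samples[i + 9] == MARK:
            out.append(value)
        else:
            errors += 1
        i += 10
    return bytes(out), errors


@dataclass
class Frame:
    code: int
    payload: bytes


HEADER_LEN = 4                                     # 2-byte code + 2-byte length


def build_frame(code: int, payload: bytes, byteorder: str = "little") -> bytes:
    """Serialize one frame (the byte order is an assumption, not from the thread)."""
    return code.to_bytes(2, byteorder) + len(payload).to_bytes(2, byteorder) + payload


def parse_frames(stream: bytes, byteorder: str = "little") -> Tuple[List[Frame], bytes]:
    """Split a byte stream into frames; return (frames, unconsumed_tail).

    Without boundary bytes the only sync is the length field, so a declared
    length larger than what has arrived is treated as "not complete yet": the
    tail is handed back for the caller to prepend to the next read, and the
    parser never slices past the buffer.
    """
    frames: List[Frame] = []
    pos = 0
    while len(stream) - pos >= HEADER_LEN:
        code = int.from_bytes(stream[pos:pos + 2], byteorder)
        length = int.from_bytes(stream[pos + 2:pos + 4], byteorder)
        end = pos + HEADER_LEN + length
        if end > len(stream):
            break
        frames.append(Frame(code, stream[pos + HEADER_LEN:end]))
        pos = end
    return frames, stream[pos:]


def demo() -> Tuple[List[Frame], bytes, int]:
    """Constructed capture: two frames, the second cut off one byte early."""
    wire = build_frame(0x0001, b"\x10\x20\x30") + build_frame(0x0002, b"\xaa\xbb")
    data, errors = uart_decode(uart_encode(wire[:-1]))
    frames, tail = parse_frames(data)
    return frames, tail, errors


if __name__ == "__main__":
    frames, tail, errors = demo()
    for f in frames:
        print(f"code=0x{f.code:04x} payload={f.payload.hex()}")
    print(f"unconsumed tail={tail.hex()} framing errors={errors}")
```

If you feed this real captures from the TMC port, the first thing to check is the framing error count: with the wrong polarity or baud rate the decoder still produces bytes, but the count climbs. The parser deliberately bounds every slice by the buffer length, so a corrupted or hostile length field can only stall parsing, never read out of range.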