  1. #1
    Important User haute's Avatar
    Join Date
    Mar 2010
    Location
    Spain
    Age
    44
    Posts
    481
    Rep Power
    400

    Garmin firmware Understanding

    Hello, I'm creating this post because I think there is nothing like it. I hope someone can help.

    I'm trying to understand how some features of the Garmin firmware work.
    For now I'll start with these two.
    HWM_read_rgn
    HWM_write_rgn

    HWM_read_rgn: reads a number of bytes in a region.
    r0 = number of the region
    r1 = Position
    r2 = length
    r3 = pointer to data? I'm not sure about this register. Is that so?

    HWM_write_rgn: I don't know if it is able to write x number of bytes, or just writes the entire region?
    r0 = number of the region?
    r1 = Position?
    r2 = length?
    r3 = pointer to data?

    I hope this information will expand everyone's knowledge.
    The code of the two functions:



  3. #2
    Important User haute's Avatar
    Join Date
    Mar 2010
    Location
    Spain
    Age
    44
    Posts
    481
    Rep Power
    400


    Hello, I wanted to ask if there is any way to debug the Garmin firmwares.
    All GPS units have a debug mode screen. I wanted to know if there is any way to read the registers and set some breakpoints through the USB port.

    Another option would be to resort to the more complicated OCD (on-chip debugging), through the JTAG port, using compatible hardware (FT2232) and the OpenOCD software.

    Through these systems the nvram bootblock could also be programmed, if we have a bricked Garmin.

    I hope someone can provide some information.
    A greeting.

  4. #3
    Navigation software Moderator

    kunix's Avatar
    Join Date
    Sep 2011
    Location
    Belarus
    Posts
    1,041
    Rep Power
    601


    As far as I know there are no debuggers embedded in the firmware and no one has published a way to connect to JTAG port yet.
    I'm sure it's possible to create our own debugger which would be embedded into the firmware and which would communicate with the PC through the firmware's USB functions (or, even better, using a serial port). It would set up breakpoints and simulate single stepping by patching the firmware code, as ARM debuggers normally do.
    But it's 1) waaaaay too complicated even for me 2) just a waste of time, to be honest.

  5. #4
    Important User haute's Avatar
    Join Date
    Mar 2010
    Location
    Spain
    Age
    44
    Posts
    481
    Rep Power
    400


    I have located the JTAG port in many Garmin units; it is an 8-pin connector in most cases.

    I have not checked it 100%, but I have seen that the PCB shows that at least 3 of those pins belong to the JTAG port.
    I think maybe Alviora can help on this.

    As you can see in the photo of the 60csx model, it is clear that three of the pins correspond to the signals TDI, TCK and TMS; we just need to locate the TRST and TDO signals. GND is easy.
    The link of images.
    Last edited by haute; 11th July 2013 at 23:52.

  6. #5
    Navigation software Moderator

    kunix's Avatar
    Join Date
    Sep 2011
    Location
    Belarus
    Posts
    1,041
    Rep Power
    601


    How did you find those "TDI, TCK, TMS" pin names? Was it written somewhere?

  7. #6
    Important User haute's Avatar
    Join Date
    Mar 2010
    Location
    Spain
    Age
    44
    Posts
    481
    Rep Power
    400


    On the 60csx model, you can see in the red circle I've pointed out the markings of three pins: TMS, TDI and TCK.

    If the photo in the post lacks detail, download it from the link in higher quality.
    Some of these photos are of models with which Garmin does its testing, so the PCBs have the test points marked.
    Surely if we look at more PCB models, we will find more interesting points.

    If communication is achieved via JTAG, it would be possible to modify the bootblock without any risk.
    It would also allow on-chip debugging of many functions, to determine their input and output parameters.
    In the OpenOCD documentation we can find a variety of compatible, low-priced hardware.

    Last edited by haute; 12th July 2013 at 12:45.

  8. #7
    Important User Alviora's Avatar
    Join Date
    Aug 2011
    Location
    Kyiv, Ukraine Karavaevy Dachi
    Age
    31
    Posts
    248
    Rep Power
    308


    We conducted our own research in this direction, but we need datasheets for the processors to find the missing point. My repair engineer, with whom we were reverse engineering the platform, has retired. Now I have to handle the software and hardware warranty repairs myself, as well as customer tech support by phone and website. I physically do not have time for everything :(
    Last edited by Alviora; 14th July 2013 at 15:16.
    I love watching Russian-speaking users communicate with each other on English-language resources..

  9. #8
    Important User Alviora's Avatar
    Join Date
    Aug 2011
    Location
    Kyiv, Ukraine Karavaevy Dachi
    Age
    31
    Posts
    248
    Rep Power
    308


    There are points on the board to connect to the memory chip, bypassing the CPU, but they are not available on all models. In many revisions the memory cannot be overwritten/read without removing the BGA chip from the PCB. These developments were led by the talented engineer [Only registered and activated users can see links. ], but he went to work for another company that has nothing to do with navigation technologies.
    Unfortunately, in Ukraine companies are not interested in research and development. Only sales are important to them. But enthusiasm alone will not get you far.

    -----------------------------------
    There are points on the board for connecting to the memory chip bypassing the processor (this is not JTAG, it is direct memory access), but they are not present on all models. In many revisions the memory cannot be rewritten without removing it from the board.

    This work was led by the talented engineer Alexander Kucheryavy, but he moved to another company that does not deal with navigation technology (intercoms).
    Unfortunately, companies in Ukraine are not interested in research and development. Only sales matter to them. But you cannot get far on enthusiasm alone.
    I love watching Russian-speaking users communicate with each other on English-language resources..

  10. #9
    Important User haute's Avatar
    Join Date
    Mar 2010
    Location
    Spain
    Age
    44
    Posts
    481
    Rep Power
    400


    Hi, I'm trying to understand the concept of the region device.
    Here are examples of two region tables from two different Garmin models.
    As can be seen, there are normally several region devices: 0, 2, 3 and 5.
    Device "3": these are virtual regions.
    Device "0" corresponds to one IC (eMMC flash), and device "1" to another, different IC (256 NOR flash)?
    Is this so?


  11. #10
    Navigation software Moderator

    kunix's Avatar
    Join Date
    Sep 2011
    Location
    Belarus
    Posts
    1,041
    Rep Power
    601


    Most probably you can discuss this stuff only with very few Garmin engineers. They don't visit noeman I guess

    UPD: on both devices fw_all.bin is executed directly from flash (as its base address differs from boot.bin's one). As far as I know only NOR flash can be mapped to processor's address space directly (and NAND flash cannot).
    Therefore, device 0 is NOR flash.
    Device 5 is NAND flash, I guess.
    Device 2 has region 12 which is mapped to RAM. So I guess device 2 consists entirely of RAM-mapped virtual regions.
    Device 3 consists of virtual regions, which can be mapped to files.
    Therefore, it looks like SD/MMC card doesn't have a region, which can be read with HWM_read_rgn. And that's logical, as those cards can be huge, but HWM_read_rgn can only read first 4GB (it has 32-bit parameters).
    Last edited by kunix; 21st July 2013 at 10:56.
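
Added example, not from the thread and not Garmin's firmware code: a small C model of a region read taking (region, position, length, data pointer) in the order asked about in post #1, with an overflow-safe bounds check and the 4 GB limit that follows from 32-bit parameters as noted in post #10. The function name, descriptor struct, return codes, region 14 and all sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical region descriptor; the real table layout is not shown in the thread. */
struct region {
    uint32_t id;          /* region number (first argument, r0) */
    const uint8_t *base;  /* backing storage in this model */
    uint32_t size;        /* region size in bytes */
};

/* Constructed sample bytes; region 14 and all contents are made up. */
static const uint8_t rgn12[8] = {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
static const uint8_t rgn14[4] = {0xA0, 0xA1, 0xA2, 0xA3};
static const struct region table[] = {{12, rgn12, sizeof rgn12}, {14, rgn14, sizeof rgn14}};

/* Model of a four-argument region read. Under the ARM procedure call standard
 * the first four arguments are passed in r0..r3, in this order.
 * Returns 0 on success, -1 for an unknown region, -2 for an out-of-range read. */
int model_read_rgn(uint32_t rgn, uint32_t pos, uint32_t len, void *dst)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (table[i].id != rgn)
            continue;
        /* Overflow-safe form of "pos + len <= size"; the naive sum wraps at 2^32. */
        if (pos > table[i].size || len > table[i].size - pos)
            return -2;
        memcpy(dst, table[i].base + pos, len);
        return 0;
    }
    return -1;
}

/* A 32-bit position can name 2^32 distinct byte offsets, hence the 4 GB limit. */
uint64_t addressable_span(void)
{
    return (uint64_t)UINT32_MAX + 1;
}

int main(void)
{
    uint8_t buf[4] = {0};
    int rc = model_read_rgn(12, 2, 4, buf);
    printf("read rc=%d first byte=0x%02X\n", rc, buf[0]);
    printf("wrapping request rc=%d\n", model_read_rgn(12, 4, 0xFFFFFFFFu, buf));
    printf("addressable span: %llu bytes\n", (unsigned long long)addressable_span());
    return 0;
}
```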
