Welcome guest, is this your first visit? Click the "Create Account" button now to join.
Page 1 of 3 123 LastLast
Results 1 to 10 of 27
  1. #1
    Navigation software Moderator kunix's Avatar
    Join Date
    Sep 2011
    Location
    Belarus
    Posts
    908
    Rep Power
    438

    Tool gfw.exe: a simple Garmin firmware manipulation utility.

    gfw.exe is a simple Garmin firmware manipulation utility.
    Basically, it can do just two things:
    1) unpack GCD/RGN file as a bunch of .bin files, which represent sections/regions of the file.
    2) pack a bunch of .bin files to GCD/RGN file

    Each .bin file name is formatted like this:
    TYPE--HWID-SWVR.bin
    TYPE--HWID-SWVR_SEQ.bin
    where:
    1. TYPE is the section type in hexadecimal or "XXXX" string if GCD/RGN file doesn't specify TYPE for this section.
      frequently used section types are:
      1. 0008 section contains boot.bin
      2. 02BD section contains fw_all.bin
      3. 05XX section contains region number XX
    2. HWID is the section hwid in hexadecimal or "XXXX" string if GCD/RGN file doesn't specify HWID for this section.
    3. SWVR is the section version in hexadecimal or "XXXX" string if GCD/RGN file doesn't specify SWVR for this section.
    4. SEQ is a decimal number which is used to create a unique file name in the case of conflict.


    As an example let's consider a folder with two files: 0008--0342-01FE.bin and 0008--0342-01FE_1.bin.
    These files represent two sections of TYPE=0x0008 (boot.bin), HWID=0x342 (=834 in decimal, which is nuvi nuvi 2xx), SWVR=0x1FE (=510 in decimal, or 5.10).
    And also the second file has SEQ part added in order to avoid file name conflict.

    The command line parameters of gfw.exe are the following:
    gfw.exe bldfldrsmpl <folder with input .BIN files> <output .GCD folder>
    gfw.exe bldfldr <folder with input .BIN files> <output .GCD folder> <output .RGN folder>
    gfw.exe unpack <input .GCD or .RGN file>
    gfw.exe dump_gcd <input .GCD file>
    gfw.exe ?

    1. "gfw.exe bldfldrsmpl ..." will combine .bin files from <folder with input .BIN files> into gupdate.gcd file in <output .GCD folder>.
    2. "gfw.exe bldfldr ..." does roughly the same, but also creates RGN file in <output .RGN folder>. In addition it determines the software version of all .bin files and stores it in SWVR attribute of all GCD sections.
      All .bin files have to be of the same HWID.
      For example, if you have 0008--0342-01FE.bin with version 5.10 stored internally and 02BD--0342-01FE.bin with version 5.11 stored internally,
      "gfw.exe bldfldr ..." will store version 5.11 in GCD section attributes, which is required to avoid looping when installing this GCD.
    3. "gfw.exe unpack" will unpack <input .GCD or .RGN file> file as a bunch of .bin files to the folder containing <input .GCD or .RGN file>.
    4. "gfw.exe dump_gcd ..." will load GCD file and output some info about its low level structure.
    5. "gfw.exe ?" will print help.


    Currently the source code can be built by Visual Studio 2010 only.
    And there are pre-built binaries for Microsoft Windows.
    Code:
    Please Login or Register to see the links
    Last edited by kunix; 30th May 2015 at 10:21 AM.

  2.    Advertissements


  3. #2
    haute
    Guest

    Default

    Hi, There is a new headers of GCD,RGN(boot and fw_all)?
    Fenix3_420.rgn
    Edge25_230.rgn

    D:\Garmin\Firmwares\pruebas>gfw unpack Fenix3_420.rgn

    **********EXCEPTION**********
    XRgn::DetectHWIDandSWVER(): firmware region 0x0E has invalid format

    Fenix3_420.rgn
    D:\Garmin\Firmwares\pruebas>

    Fenix3_420.rgn
    Code:
    Please Login or Register to see the links

    Fenix3_420.bin
    Code:
    Please Login or Register to see the links
    Last edited by haute; 4th August 2015 at 02:25 PM.

  4. #3
    Navigation software Moderator kunix's Avatar
    Join Date
    Sep 2011
    Location
    Belarus
    Posts
    908
    Rep Power
    438

    Default

    haute, in both cases:
    1) region 0x0E is itself an RGN file and inside it there is another region 0x0E.
    2) yes, it has a very different firmware structure (the same for both cases). There is probably a new processor model used (Thumb2-only).
    I currently have no time to investigate it deeper.

  5. #4
    haute
    Guest

    Default

    When a file "* .gcd" is signed, it read last 100 bytes of the end of the file.
    But there are some flag in the file * .gcd that says that the file is signed ?.
    Or they are all signed and firmware, applying or not the new function (gcd_validate_signature).

  6. #5
    Navigation software Moderator kunix's Avatar
    Join Date
    Sep 2011
    Location
    Belarus
    Posts
    908
    Rep Power
    438

    Default

    I don't know about any flags. You can try checking if there is some data after the end-of-GCD marker (FF FF 00 00 bytes).

  7. #6
    haute
    Guest

    Default

    hi, it is a standard header of rgn file.

    Code:
    Please Login or Register to see the links
    it is a boot region of etrex20/30.
    0A B2 0A 00 = Lenght region +0xa
    52 0c 00 = Region 0xC = boot
    10 27 00 00 = i dont know, it is important?
    00 B2 0A 00 = Lenght region

    There is no byte that indicates the version of hardware and software, at the head of rgn file?
    there is any checksum?
    10 27 00 00 ?
    Regarding the files mentioned in previous post, firmware Fenix3 indeed is a region in another region, then there is the firmware that has a different header than normal. I have not looked yet, when I have time I give a look.

    The problem of finding the signature at the end of the GCD files already corrected. thx

  8. #7
    Moderator flagmax's Avatar
    Join Date
    Jun 2014
    Location
    Ca
    Posts
    448
    Rep Power
    347

    Default

    From my memory those bytes 10 27 00 00 are for time out the uploading process.

    The hwid and sw version are at end of each image like boot and fwall. There is checksum for rgn at end of file.
    Last edited by flagmax; 15th August 2015 at 08:04 PM.

  9. #8
    haute
    Guest

    Default

    Quote Originally Posted by flagmax View Post
    From my memory those bytes 10 27 00 00 are for time out the uploading process.
    ok

    The hwid and sw version are at end of each image like boot and fwall. There is checksum for rgn at end of file.
    are you sure?, there is a checksum but it is of the fw_all.bin or boot.bin, i think.

  10. #9
    Moderator flagmax's Avatar
    Join Date
    Jun 2014
    Location
    Ca
    Posts
    448
    Rep Power
    347

    Default

    Quote Originally Posted by haute View Post
    are you sure?, there is a checksum but it is of the fw_all.bin or boot.bin, i think.
    I think I wrong about the checksum.

    Here is makergn by kunix that could be useful [Only registered and activated users can see links. ]

  11. #10
    haute
    Guest

    Default

    From what I can see in the source, the rgn file has no checksum.

    Looking on the other hand, the heads of the firmware, there are many more of those that support the current app.
    Documented in gfw.exe and idaloader.

    All headers:
    21002000 Forerunner15_250.rgn / edge 20/25 / vivosmart_350.rgn
    e28ff020 StreetPilotIII_regionfileonly__280.rgn
    ea000002
    ea000003
    ea000004 GPSMAP60C_60CS_76C_76CS_forWebUpdater__420.rgn / edge205 / Forerunner301_forWebUpdater__320.rgn / Foreruner 201/205 / eTrexLegendC_VistaC_forWebUpdater__270.rgn / some Rinos / Quest /
    e28fff46 NavtalkGSM_regionfileonly__260.rgn
    e59ff008
    e59ff00c
    002a940c DC20,DC30,DC40_regionfileonly__410.rgn
    ea000000 GPSMAP196_regionfileonly__460.rgn /
    0000f04f Forerunner620,Taiwan_regionfileonly__330.rgn / a some of Forerunners / Fenix3_430.rgn
    00000200 VIRB_400.gcd / VirbCHN_GCDfile__380.gcd
    e59ff018 GTU10EU_290.rgn / GPS18x5Hz_340.rgn /
    e28ff01c GPSMAP76SRev.B_regionfileonly__400.rgn / GPSMAP295_regionfileonly__250.rgn / Rino 110/120
    f010f8df Edge520_230.gcd / ApproachS6_320.gcd

    Documented in gfw.exe:

    0xEA000002
    0xEA000003
    0xE59FF008
    0xE59FF00C


    Documented in IdaLoader pluguin


    switch(dw[0])
    {
    case 0xE59FF008:
    fwi.base = dw[4] - 0x14;
    break;
    case 0xE59FF00C:
    fwi.base = dw[5] - 0x18;
    break;
    case 0xEA000002:
    case 0xEA000003:
    default:
    fwi.base = dw[1] - (pend - p);
    }


    We could try to adapt all headers if possible.!!!

    For idaloader 0xEA000004 can be:

    case 0xEA000004:
    fwi.base = dw[2];
    break;
    case 0xEA000000: like 0xEA000002 and 0xEA000003, default case.
    Last edited by haute; 16th August 2015 at 11:28 AM.

 

 

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •