This is the right loading address of boot.bin. Also you can use garmin-ida-loader loader module for IDA. It knows lots of Garmin firmware formats.
The boot go to 0x04180000.
I followed the advice of Alex to find out.
This is the right loading address of boot.bin. Also you can use garmin-ida-loader loader module for IDA. It knows lots of Garmin firmware formats.
This really is magic. Here you could have started a few days ago jejejej.
I did not know the existence of this loader you have created ...
Hello, we have done some testing with three possible values to write in 0x40014D4, 1, 3 and 5. These values can also be 2 and 4.
I think 1, 3 and 5 are for etrex30. and the values for models 2 and 4 etrex20
I believe that these values may correspond to different versions of the same model PCB etrex20.
In my gps etrex20:
1 - white screen. But it seems to work the gps.
2 - Gps eTREX20 mode operating normally
3 - normal operation mode Gps eTREX30 (not sensors: barometer, compass, ant+, add some menus)
4 - Not tested
5 - white screen. But it seems to work the gps.
In another gps eTREX20 of other forum:
1 - white screen. But it seems to work the gps.
2 - white screen. But it seems to work the gps.
3 - white screen. But it seems to work the gps.
4 - Gps eTREX20 mode operating normally
5 - normal operation mode Gps eTREX30 (not sensors: barometer, compass, ant+, add some menus)
In the absence of further evidence, is what we can conclude.
GRMFW:80203732 sub_80203732 ; CODE XREF: sub_802037B8+1Cp
GRMFW:80203732 LDR R0, =0x12009000
GRMFW:80203734 PUSH {R4,LR}
GRMFW:80203736 LDR R3, =0x40014D4
GRMFW:80203738 LDR R2, [R0,#0x20]
GRMFW:8020373A MOVS R1, 0x1E0000
GRMFW:8020373E ORRS R2, R1
GRMFW:80203740 STR R2, [R0,#0x20]
GRMFW:80203742 LDR R2, [R0,#0x24]
GRMFW:80203744 BICS R2, R1
GRMFW:80203746 STR R2, [R0,#0x24]
GRMFW:80203748 LDR R0, [R0]
GRMFW:8020374A LSLS R0, R0, #0xB ;r0*0x800 ?
GRMFW:8020374C LSRS R0, R0, #0x1C ;r0/0x1000000 ?
GRMFW:8020374E STRB R0, [R3]
GRMFW:80203750 LDRB R0, [R3]
GRMFW:80203752 STRB R0, [R3,#1]
GRMFW:80203754 BL sub_80200AD0
GRMFW:80203758 POP {R4,PC}
You could somehow find the bytes that are written to the address 0x12009000, I think that is where you define the motherboard model.?
Leave a link with versions 1, 3 and 5 in case anyone wants to try it. All versions 2.80 with jnx patched eTREX20to30.
Using usb-boot method, by updater.exe.
It's the cleanest way to do the update.
[Only registered and activated users can see links. ]
Last edited by haute; 11th September 2012 at 10:30 PM.
Hello, in the boot there is the same function as in the firmware to identify the pattern of PCB. I think memory is a memory 0x12009000 own the pcb that identifies it.
When you access USB-boot mode, this routine displays the gps as eTREX20, since it is not patched. In normal power mode is shown as eTREX30, (Windows Explorer, Basecam, etc ...).
I pass the link of boot 2.80.[Only registered and activated users can see links. ]
Very interesting TXT file commands, will try to prove if I understand.
Boot: 0418491C sub_4598491C; CODE XREF: +16 sub_459849A2? P
Boot: 0418491C LDR R0, = 0x12009000
Boot: 0418491E PUSH {R4, LR}
Boot: 04184920 LDR R3, = 0x428003C
Boot: 04184922 LDR R2, [R0, # 0x20]
Boot: 04184924 MOVS R1, 0x1E0000
Boot: 04184928 Orrs R2, R1
Boot: 0418492A STR R2, [R0, # 0x20]
Boot: 0418492C LDR R2, [R0, # 0x24]
Boot: 0418492E BICS R2, R1
Boot: 04184930 STR R2, [R0, # 0x24]
Boot: 04184932 LDR R0, [R0]
Boot: 04184934 LSLS R0, R0, # 0xB
Boot: 04184936 LSRs R0, R0, # 0x1C
Boot: 04184938 STRB R0, [R3]
Boot: 0418493A LDRB R0, [R3]
Boot: 0418493C STRB R0, [R3, # 1]
Boot: 0418493E BL sub_4599380A
Boot: 04184942 POP {R4, PC}
Boot: 04184942; End of function sub_4598491C
0x12009000 is just RAM, as it's writable.
I've extracted the boot.bin and found that function at 0x0418491C. But I'm not talking about boot.bin. I'm talking about the bootloader, which is not boot.bin. Bootloader is stored inside flash region number 5. Put rrgn,5,1:/5.bin into update.txt to dump it.
Those names boot.bin and fw_all.bin are quite bad, they don't reflect the real things.
hi, i test update.txt in /garmin/update.txt, /garmin/Updater/update.txt, sd:/garmin/update.txt, sd:/garmin/Updater/update.txt and it not write "5.bin".
How many regions have the GPS, when it is updating it show erase and writing in region 14.
You should create the following files:
sd:/Garmin/Updater/1305/update.txt (make sure it has one byte per character (ANSI encoding, not UNICODE))
sd:/Garmin/Updater/1305/ldr.bin (it's just renamed boot.bin)
The following files should be created after update.txt execution in case of success:
sd:/Garmin/Updater/1305/update.log
sd:/Garmin/Updater/1305/last_id.bin
sd:/5.bin
Bookmarks