If not too much trouble, and your time allows, could you share with us your Ida Database?
Thank you very much ..
Hello, I have no good news. After reviewing a motherboard of an eTrex 30 and comparing it with an eTrex 20 model, I have seen that the 3 sensors are missing in the x20 model.
Therefore, the 20to30 eTrex firmware is only valid for activating the elevation plot in x20 models.
Of the three missing sensors, the barometer is perhaps the one that might be added.
The chip model would be: MS5607-02BA01, only 8 pins to solder.
This would work with firmware 20to30.
If people are interested, I might add further information.
Patch eTrex 20to30
FIRMWARE 2.87 Beta (offset Fw_all.bin)
Offset   OLD  NEW
10A546:  18   40
10A547:  70   1C
10A549:  78   70
FIRMWARE 2.87 Beta (offset *.gcd)
Offset   OLD  NEW
18C7F1:  18   40
18C7F2:  70   1C
18C7F4:  78   70
I leave a link for you to try with the last two versions of firmware 2.87 Beta eTREX20-30
- Patched version JNX
- Patched version JNX + 20to30.
If someone can try it, please communicate the results.
A greeting.
Hello.
This is a comparison of the PCB of the two models of Garmin GPS, eTrex 20 and 30.
As you can see, the Model 20 does not have the sensors that are in the version 30.
That is why the 20to30 firmware does not work exactly like an eTrex 30.
In the images I leave the 3 models of chips used, in case anyone wants to add them.
Although I think only the barometric sensor is easy to solder.
Furthermore, you can see in the last picture the 3 main chips used in these models.
CPU: STA8088EXG
2GB Memory: Samsung KLM2G1DEHE-B101 This memory can have two configurable boots. Region 5 - Boot Block? And region 12 - Boot.bin?
256kb Memory: K5N5629ATA [NOR 256Mb] Could this be the NV?
The combination KLM2G1DEHE-B101 + K5N5629ATA [NOR 256Mb] is widely used in some mobile phones, so maybe you could read and write these memories with some software used for phones, to repair firmwares (corrupt boots).
Can someone provide more info?
I thank Kunix for the assistance.
Code:
Table of regions eTREX20/30
****************************
Region                        (hex)  dec  Length     Offset      Region Device  Comments
----------------------------  -----  ---  ---------  ----------  -------------  --------
BootBlock software            0x5    5    0x40000    0x80000000  0
Boot.bin/RamLoader            0xC    12   0x100000   0x80180000  2
NVram                         0xD    13   0x200000   0x81E00000  0
System software, Fw_all.bin   0xE    14   0x900000   0x80100000  0
Logo                          0x10   16   0x80000    0x80080000  0
                              0x20   32   0x100000   0x81D00000  0              All bytes 0xFF
                              0x60   96   0x80000    0x81C80000  0
                              0x84   132  0x20000    0x80C00000  0              All bytes 0xFF
Mass Storage Software         0x94   148  0x40000    0x80040000  0
Filesystem                    0x30   48   0x4281744              5              Filesystem. Not sure what is 0x4281744
Filesystem                    0x53   83   0x4281744              5              Filesystem. Not sure what is 0x4281744
Notes: Regions 0xC, 0xD and 0x30 are write-protected by the boot.bin.
Region device 3 includes many virtual regions: 0xA, 0x3, 0x15, 0x2E, 0x31, 0x4d, 0x33, 0x4c, 0x5a, 0x5d, 0x4a, 0x4b, 0xf5, 0x32, 0x11, 0x13, 0x7b, 0x66, 0x26, 0x88, 0x63, 0x64, 0x86, 0x87, 0x83.
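An added example, not part of the original post: the device-0 rows of the table above laid out as address ranges to check for overlaps and unmapped gaps. It assumes Offset and Length describe a half-open range [Offset, Offset + Length) in one address space; the function names are hypothetical.

```python
# Device-0 rows copied from the region table: (region id, name, length, offset).
# Rows the table leaves unnamed carry an empty name here.
REGIONS_DEV0 = [
    (0x05, "BootBlock software",          0x40000,  0x80000000),
    (0x0D, "NVram",                       0x200000, 0x81E00000),
    (0x0E, "System software, Fw_all.bin", 0x900000, 0x80100000),
    (0x10, "Logo",                        0x80000,  0x80080000),
    (0x20, "",                            0x100000, 0x81D00000),
    (0x60, "",                            0x80000,  0x81C80000),
    (0x84, "",                            0x20000,  0x80C00000),
    (0x94, "Mass Storage Software",       0x40000,  0x80040000),
]
# Regions the post's note lists as write-protected by the boot.bin.
WRITE_PROTECTED = {0x0C, 0x0D, 0x30}


def layout(regions):
    """Sort regions by start address; return (spans, gaps, overlaps)."""
    spans = sorted((off, off + length, rid, name)
                   for rid, name, length, off in regions)
    gaps, overlaps = [], []
    for (s0, e0, r0, _), (s1, e1, r1, _) in zip(spans, spans[1:]):
        if s1 > e0:
            gaps.append((e0, s1))       # addresses no listed region covers
        elif s1 < e0:
            overlaps.append((r0, r1))   # two regions claim the same bytes
    return spans, gaps, overlaps


def region_of(addr, regions):
    """Return the id of the region containing addr, or None."""
    for rid, _name, length, off in regions:
        if off <= addr < off + length:
            return rid
    return None


def protected_spans(regions):
    """Address ranges that belong to a write-protected region."""
    spans, _, _ = layout(regions)
    return [(s, e, rid) for s, e, rid, _ in spans if rid in WRITE_PROTECTED]


if __name__ == "__main__":
    spans, gaps, overlaps = layout(REGIONS_DEV0)
    for s, e, rid, name in spans:
        print(f"{s:08X}-{e:08X}  0x{rid:02X}  {name}")
    print("gaps:", [(hex(a), hex(b)) for a, b in gaps], "overlaps:", overlaps)
```
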
I've written a new disasm script. I think it's better than the previous one I posted in this topic. It works by treating all the 4-byte-aligned 4-byte integers as pointers and judging if each one points to a function. Also, smart_disasm requires that the firmware entry point is named "fw_base".
Code:
#include <idc.idc>

// Classify the target of a candidate pointer.
// Returns:
//  0  - ARM
//  1  - THUMB
//  <0 - func not detected
static smart_disasm_check_func(ptr, min, max)
{
    auto addr;
    addr = ptr & (~1);                  // strip the Thumb interworking bit
    if(!(min <= addr && addr < max)) return -1;
    // ARM: word-aligned pointer to STMFD SP!, {..., LR}
    if((ptr % 4) == 0 && max - addr >= 4 && (Dword(addr) & 0xFFFF4000) == 0xE92D4000)
    {
        return 0;
    }
    // THUMB: pointer with bit 0 set, pointing to PUSH {..., LR}
    if((ptr % 2) == 1 && max - addr >= 2 && (Word(addr) & 0xFF00) == 0xB500)
    {
        return 1;
    }
    return -1;
}

// Treat every 4-byte-aligned dword in [min, max) as a pointer and create
// a function wherever the pointed-to code looks like a prologue.
static smart_disasm_region(min, max)
{
    auto p, addr, ret;
    Message("smart_disasm_region(%08X,%08X)\n", min, max);
    for(p = (min + 3) & (~3); max >= p && max - p >= 4; p = p + 4)
    {
        addr = Dword(p);
        ret = smart_disasm_check_func(addr, min, max);
        if(ret < 0) continue;
        addr = addr & (~1);
        Message("%08X - %s function detected\n", addr, ret==0 ? "ARM" : "THUMB");
        SetReg(addr, "T", ret);         // select ARM/THUMB decoding at addr
        MakeFunction(addr, BADADDR);
        Wait();                         // let auto-analysis finish
    }
}

// Entry point: scans the segment that contains the "fw_base" name.
static smart_disasm()
{
    auto addr, min, max;
    addr = LocByName("fw_base");
    if(addr == BADADDR) return -1;
    Message("smart_disasm(): started; fw_base = %08X\n", addr);
    min = SegStart(addr);
    max = SegEnd(addr);
    if(Dword(addr)==0xE59FF00C /*|| Dword(addr)==0xEA000003*/)
    {
        // limit the scan to the part of the segment before the GIR
        max = min + Dword(addr + 0x10);
        Message("smart_disasm(): detected GIR at %08X\n", max);
    }
    smart_disasm_region(min, max);
}
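An added example, not part of the original post: the same pointer-scan heuristic run in Python over a small constructed image, so its behaviour can be checked outside IDA. The base address, the sample bytes and the function names are assumptions made for illustration; the masks are the ones in the script above.

```python
import struct

ARM, THUMB = 0, 1


def check_func(image, base, ptr):
    """Mirror of smart_disasm_check_func: ARM, THUMB, or None."""
    lo, hi = base, base + len(image)
    addr = ptr & ~1                       # strip the Thumb interworking bit
    if not (lo <= addr < hi):
        return None
    off = addr - base
    # ARM: word-aligned pointer to STMFD SP!, {..., LR}
    if ptr % 4 == 0 and hi - addr >= 4:
        if (struct.unpack_from("<I", image, off)[0] & 0xFFFF4000) == 0xE92D4000:
            return ARM
    # Thumb: pointer with bit 0 set, pointing to PUSH {..., LR}
    if ptr % 2 == 1 and hi - addr >= 2:
        if (struct.unpack_from("<H", image, off)[0] & 0xFF00) == 0xB500:
            return THUMB
    return None


def scan(image, base):
    """Treat every aligned dword as a pointer; return {func_addr: mode}."""
    found = {}
    for off in range(0, len(image) - 3, 4):   # base is assumed 4-byte aligned
        ptr = struct.unpack_from("<I", image, off)[0]
        mode = check_func(image, base, ptr)
        if mode is not None:
            found[ptr & ~1] = mode
    return found


BASE = 0x80100000  # constructed load address
# Constructed image: an ARM function, a Thumb function, then a pointer table.
SAMPLE = struct.pack(
    "<IIHH4I",
    0xE92D4010,   # +0x00 STMFD SP!, {R4, LR}   (ARM prologue)
    0xE12FFF1E,   # +0x04 BX LR                 (not a prologue)
    0xB510,       # +0x08 PUSH {R4, LR}         (Thumb prologue)
    0xBD10,       # +0x0A POP {R4, PC}
    BASE + 0x00,  # pointer to the ARM function       -> detected
    BASE + 0x09,  # Thumb pointer, bit 0 set          -> detected
    BASE + 0x04,  # points at BX LR                   -> rejected
    BASE + 0x08,  # Thumb code, bit 0 clear           -> rejected
)

if __name__ == "__main__":
    for addr, mode in sorted(scan(SAMPLE, BASE).items()):
        print(f"{addr:08X} - {'ARM' if mode == ARM else 'THUMB'}")
```

The heuristic only reports functions whose address is stored in an aligned word inside the scanned range and whose first instruction pushes LR; a Thumb function referenced without bit 0 set is not recognised.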
Are you going to upgrade the IDA Pro loader too?
Do you think I should incorporate the script into the loader? Hm, I don't know... It's much easier to keep them separated. Also starting disassembling right after loading the firmware is a bad idea, so disassembling should be called by a separate function, and I don't know how to add a new function from a plugin.
I do not quite understand what this script (IDC) improves; I tested it with a firmware without using the IDA Pro loader.
I ran smart_disasm_region(0x80100000, 0x803C0000), and it located only a few functions, very few.
I do not know if this script is a complement to the IDA Pro loader.
I mean, what is the procedure?
Load a firmware with the IDA Pro loader and then apply this script?
Honestly, the IDA Pro loader does a very good job; it just needs a script to look for and name some important functions.
I do not really understand the function of this script you have posted, if we have the IDA Pro loader.