cmonex,

I also try to use pdocread but I get a strange error. Can we do something about that? maybe I didn't use correctly pdocread !?

C:\temp>pdocread -l
43.00M (0x2b00000) SMFlash
| 39.00M (0x2700000) Part00
1.86G (0x77200000) DSK1:
| 1.86G (0x771ff000) Mio
STRG handles:
handle#0 2fd0c0de 1.86G (0x771ff000)
handle#1 0fe14a3a 39.00M (0x2700000)
disk 2fd0c0de
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 0fe14a3a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


C:\temp>pdocread -o -h 0fe14a3a MSFls720.bin
ERROR: ITTFFSGetInfo - The parameter is incorrect.

WARNING: using default 512 bytes for sectorsize
HexdumpTFFSToStdout(0x0, 0x200)
WARNING: no more data

C:\temp>

g_alin: pdocread isn't really compatible with most PNA's, unfortunately. the diskrw program is good as that uses totally standard ways to read the partitions (of course if your OS was in binary partition you'd have tough luck).

pmemmap: that's good for knowing where ram, where the memory mapped io etc is.

mktech: wow. I'm getting Tfgbd to try this on his c320.

cmonex - could you find flashable bootloader image for C320 - i would like to try to work on it with IDA ;-). Meaby i will find some way to invoke it :>

cmonex,
Can you convert the image uploaded by me to a flashable image.
good news: ste ( http://www.gpspassion.com/forumsen/topic.asp?TOPIC_ID=97741&whichpa... ) was able to make a connection with C520 (in bootloader menu) using USB. I have also the software needed for upload. the software is DNW (in about I found: USB Tx format: addr(4)+size(4)+data(n)+cs(2) Serial Tx format: size(4)+data(n)+cs(2) Magneto UBOOT is supported).

mktech,
Did you find the JTAG pins? Can you download the bootloader? Maybe we can figure out the procedure to enter in bootloader menu. Is possible to be the same like C520 ... but for the moment I didn't heard any success on C320 (or C720).

good news ...
I was able to connect to my GPS using the upgrade software ... sow if you convince your GPS not to restart ... you can do the upgrade using USB connection. If you are interested download DNW from http://www.gpspassion.com/forumsen/topic.asp?TOPIC_ID=97741&whichpa... and make o copy of "Copy of secusb2.sys" and rename it to wceusbsh.sys. connect the GPS and upgrade the driver from your PC using wceusbsh.inf.from then you can use DNW.

cmenex can we use other softwares (similar to DNW) that give us the option to download firmware or bootloader?

Hi ! Thanx for idea . But the problem at this moment is, that PC don't see my C320 - after connect to USB on mio screen i see first "prompt" to USB and then "insufficient memory" - no USB connection .So i think i can't use DNW untill i've got valid USB connection.

er, does that device boot up at all? bootloader is definitely required for this DNW stuff

C320 bootloader is in the official update. I can upload it and an idb of it tomorrow. I havent looked into it in much detail yet.

g_alin: congrats on DNW
I can convert the image but are you sure you want to flash it without having a bootmenu first. or you are not talking about C320 here? or you mean you used DNW on the 320??

Hi ! Yes, this device (C320) boot up - as you can see on the pictures i've upload. Device boot-up, but windows doesn't start - only some message box appear saying there is insufficient memory and i shall remove some files (nice text - specialy when you don't have any control on device ) . I don't also have USB connection.

For bootloader - i DON'T want to flash it at the moment - i would like to work with IDA on seeking entry point to boot menu. Hopefully after invoking boot menu
there will be possible to flash using "some"image

cmonex,
I used this on My C720. Interesting is that is not needed to be in bootloader menu to upgrade ... you can do it after PNA booted to wince. No I don't intend to flash my device. ... for now ... maybe later if we can figure out how can we reflash after a flash update failure. new data come up on ( http://www.gpspassion.com/forumsen/topic.asp?TOPIC_ID=97741&whichpa... ). The bootloader menu; was happening after a firmware fail update ... there are some files needed to boot in the bootloader menu. I think that bootloader is "looking" after a specific file name and start that file not the OS ... some sort of "boot from floppy" Can you check those files? Do you think you can figure out (some how) if I am right with those assumption? Do you know how can we make a program to work without any OS!? (that is a good question ... ). Can you disassembly the bootloader and see if is not trying to start something from SDCard also (is entering in bootloader only if it has a SDCard! ... according to ste) ... it will be interesting to boot from SDCard ... would be a great news if is true.
Thank you

cmonex - could you try to find bootloader code on your resources :-) - i think we need work on disassembly to recover my C320 ;-).

g_alin - i think you are right, few people was able to enter on to boot screen in variouse way, but no one can repeat on it's own device.
That suggest method know at this moment are not true "boot-enter" method - they are one working on some already "altered" devices.

Anyway, i would like to say that it seems - C320/C520/C720 use same mother board - for C320 - C520 i'm 99,9% sure, in this week
i take some pictures and you will see. C320/C520 PCB is same, - it differ in component placement (of course C520 have more of them -
B/T). For C720 i haven't see main board, BUT i'm 99% sure - why ? i.e. PCB for power button in C320, have place for additional button
for camera operation, beside C320/C520 use same assembly - on C320 is even "light-path" for additional blue LED.

So what's outcome - i suppose bootloader for C320/C520/C720 is same, it only detect additional devices on board and set-up them self
correcty. So gowning futhure - boot enter method shall be same, but we need to find out what's true method of entering in to bootloader.
I think only way to do so is disassembly boot-loader code, so we count on you cmonex !! Please try to post this code

Hopefully tomorrow i will finish JTAG work (i will do CPU resoldering)

g_alin,

from what I remember from last year when I briefly looked at the c320 bootloader disassembly, the mio updater boots into the bootloader by setting a flag in RAM and rebooting the device. the bootloader then sees the flag and then starts the flash from the card where the updater extracted four files into:
winceimg.bin
winceimg.cks
uboot.bin
uboot.cks

these files are flashed in.

I can re-check if the above description is accurate, and find another way to boot into bootloader as well

booting from SD is a different thing, that would load the image into ram but not flash it. not every bootloader has this option built into it - for example my nec 900c has it, but many other devices don't.

Edited by cmonex 2008-08-11 6:51 PM

mktech - as I said it (bootloader) was in the updater.

I'll upload it in a few mins.

in what way were those devices altered? we can hack bootloader itself if needed. I did that for other devices, for example on one device, I changed some of the code (patches) that enabled boot from SD card, flash from SD without active boot partition (the bootloader would only load/flash the files from SD if it had active boot partition in the MBR)
maybe we can do something similar to the mio

good luck with the jtag! have you not succeeded with the pinout finding tricks?

Edited by cmonex 2008-08-11 6:54 PM

can't find the original disassembly i had, here is a new one.
this is quite rudimentary, just looked at it a bit, and named some functions (go to Functions tab in IDA for a list of them), and commented stuff (especially function args and the boot/updateflags).

the bootloader seems to be in three parts so three IDB's of the file.
1st: IPL, in the bin file at 0x0, 4KB.
2nd: some extra bootloader named VFL by OEM, in the bin file at 0x3000
3rd: I called this SPL, this can flash etc. otherwise called FTL by OEM, in the bin file at 0x3D000.
(the bin file just gets flashed into nand when upgrading, starting in nand from 0x0.)

download:
http://hpcmonex.net/utdisasms.zip


BTW some of the filenames I had slightly wrong..

UT+CE (uboot and CE) upgrade file: UTCEIMG.BIN
chksum file for it: UTCEIMG.CKS

what was correct is confirmed now:
CE image (CE only) upgrade file: WINCEIMG.BIN
chksum file for it: WINCEIMG.CKS

and clearly it is the usual UT flashable format, that has the SIG-BINFS stuff (header) at the start. see the PNA images on my romstuff page on my site, they are the same format.

I still don't see any other way to boot into update mode on this C320 other than setting the bootflags in RAM, but it is certainly possible that I missed something only looked at this a bit so far. very interesting: I could see that VFL checks some other stuff not just the flags in RAM (see "bootup" function in VFL disasm).

I'm sure there is also the standard UBOOT bootmenu somewhere, at least I found the strings for it. no code references yet (other than manually disassembled ones).

finally, what I find interesting is the string "UTLOCKED". (see it in disasm)


EDIT: ok, I found the usbdownloader is referenced right from bootup. so if this FTL can boot up, then the usbdownloader is also ran. you just need the right timing with usb cable plugged in, the string at 0x3000311C is probably helpful:
ROM:3000311C 55 53 42 3A+aUsbIn_endpoint DCB "USB: IN_ENDPOINT:1 OUT_ENDPOINT:3",0xA,0
ROM:3000311C 20 49 4E 5F+ ; DATA XREF: usbdownloader+1DCo
ROM:3000313F 00 DCB 0
ROM:30003140 46 4F 52 4D+aFormatAddrData DCB "FORMAT: <ADDR(DATA):4>+<SIZE(n+10):4>+<DATA:n>+<CS:2>",0xA,0
ROM:30003140 41 54 3A 20+ ; DATA XREF: usbdownloader+1E4o
ROM:30003177 00 DCB 0
ROM:30003178 4E 4F 54 45+aNote1_PowerOff DCB "NOTE: 1. Power off/on or press the reset button for 1 sec",0xA,0
ROM:30003178 3A 20 31 2E+ ; DATA XREF: usbdownloader+1ECo
ROM:300031B3 00 DCB 0
ROM:300031B4 20 20 20 20+aInOrderToGetAV DCB " in order to get a valid USB device address.",0xA,0
ROM:300031B4 20 20 20 20+ ; DATA XREF: usbdownloader+1F4o
ROM:300031EA 00 DCB 0
ROM:300031EB 00 DCB 0
ROM:300031EC 20 20 20 20+a2_ForAdditiona DCB " 2. For additional menu, Press any key. ",0xA,0
ROM:300031EC 20 20 32 2E+ ; DATA XREF: usbdownloader+1FCo
ROM:3000321B 00 DCB 0



then I assume if you press any key it goes to bootmenu which you can also see in the disassembly (without direct references though, probably executed through some jumptable/function pointers?)


Edited by cmonex 2008-08-11 9:53 PM

cmonex - you do great job

1) For JTAG - for now i haven't suceed, today i will try one more with "some" device i've prepeare for finding JTAG points - if i fail, i will do resoldering to have
JTAG "case" finally closed - i think sooner or later it will be usefull.

If gowning about this "altered" device - unfortunatelly i don't know what kind of software changes are inside. There are three persons,
who are abble to enter in to boot menu after unsucessfull "unlock" - i think we can't assume what happen.Maybe something mess in flash and now
device "think" that's good time for bootloader ? :-)

For USBboot i will try first to play with pressing (only one) button - i think i try all possible variants to make mio visible by PC, but it seems there are
additional possibilities .

Thank you very much for disassemblies i will also work on it - hopefully i still remember "some" (last time i work on Sony Ericsson firmware some time ago - hi hi).