Ttsystem images
From OpenTom
Contents |
Booting
Image file format
A TomTom Go firmware image consists of several parts:
Image magic
unsigned char magic[4] = {0x54, 0x54, 0x42, 0x4c}; // "TTBL" -> TomTom BootLoader
Data section(s) to be loaded into memory
unsigned int sect_size; // size of section unsigned int sect_addr; // memory address to load section to unsigned char[sect_size]; // actual data for that section unsigend char sect_sign[16]; // Blowfish encrypted MD5 hash of section data
Our analysis of the bootloader tells us that there may be as many of those data sections as you wish. Nevertheless TomTom only has two of them in their images. After each section another section to load can be appended. Stop signal is a sect_size of 0x00000000 as you can see in the next step.
End sequence
a sect_size of zero signals that there are no more data sections. After those zero-bytes there are two DWORDs forming the end of the image file.
unsigned int end_signal = 0x00000000; // no new section comming unsigned int start_addr; // start address of kernel unsigned int ram_start; // start address of RAM area
All firmware images we have seen so far consist only of two image sections: An initrd image (initial ramdisk, in gzip'd cpio format*) with the root filesystem and the linux kernel itself in zImage format. The only exception to that rule is the BIOS update image contained in the firmware update package from the TomTom website. This contains a new BIOS image in the initrd area and a flash tool in the kernel area.
The Blowfish encryption key used to sign the sections in the firmware image:
unsigned char sign_key[16] = {0xD8,0x88,0xd3,0x13,0xed,0x83,0xba,0xad,0x9c,0xf4,0x1b,0x50,0xb3,0x43,0xfa,0xdd};
Tools for handling ttsystem files
See Ttimgextract for details on splitting ttsystem into parts and extracting the files withing the *cpio image.
See Mkttimage for details on creating ttsystem files from parts.
