User:LA2

From OpenTom


LA2 is the OpenTom username for Lars Aronsson, Sweden [1] since January 1, 2006. The same name is used on OpenStreetMap and Wikipedia.

http://aronsson.se/img/osm-banner.png

Diary

October 2, 2006: I recently bought a PDA with an integrated GPS receiver, so I'm not very likely to get into OpenTom. The OpenTom project seems to attract few active contributors and the wiki is victim to spam bots. I just cleaned up some spam made on September 29.

February 7, 2006: At an open lecture at LYSATOR, my friend Christer Weinigel explained how he was able, in the spring of 2005, to run Linux on the Acer n30 PDA. See also the handhelds.org wiki for the n30. This model is no longer sold, but the same code runs on the newer Acer n35, which instead of a Bluetooth chip has a GPS receiver! The n35 is also almost identical to the Navman PiN 570 GPS receiver. The Acer/Navman models use the same ARM processor used for the TomTom receivers. The open lecture was filmed (19.5 GB of raw digital video), but is entirely in Swedish. The main difference between the two models seems to be the bundled navigation software: the Acer n35 is sold with PowerLoc Destinator 3 residing on the SD card, while the Navman PiN 570 comes with the software Navman Smart St 2005 installed in 32 MB of extra ROM (in addition to the 32 MB ROM that holds Windows Pocket PC).

January 30, 2006: Todo: Translate the 22C3 texts at http://www.maintech.de/index.php?id=23

January 1, 2006: I learned about OpenTom when reading the proceedings of the 22nd Chaos Computer Club Conference (22C3) in Berlin. In June 2005 I bought a Garmin Foretrex 201 as my starter unit, and lately I have been looking at the new Garmin nüvi 350, a very nice unit but a bit expensive. But now the OpenTom project has got me thinking in the direction of getting a TomTom unit. Does OpenTom work with the new, slim, and affordable TomTom ONE?

Current Prices

Current TomTom prices in Sweden, VAT not included, from dustin.se:

| Model           | Features                                                     | Price (SEK) |
|-----------------|--------------------------------------------------------------|-------------|
| TomTom ONE      | SiRF Star III, 20 channels, 34 mm thick, 260 grams, USB 1.1  | 3036        |
| TomTom GO 300   | 260 MHz S3C410 CPU                                           | 4012        |
| TomTom GO 500   | ASN, USB 1.1                                                 | 4716        |
| TomTom GO 700   | 2.5 GB hard disk, 64 MB RAM, ASN, USB 2.0                    | 5836        |
| TomTom Rider    | 20 channels, 5 hours battery time, motorcycle unit           | 6396        |
| Garmin nüvi 350 | 22 mm thick, 8 hours battery time, 145 grams                 | 5436        |

All TomTom models, except where otherwise stated, run on 12/24 Volts, are 58 mm thick, have 12 channels, a 320x240 TFT screen, a 380 MHz S3C2440 CPU, 32 MB RAM, USB, Bluetooth, an external antenna connector and an SD card slot, and weigh 310 grams.

ASN = Assisted Satellite Navigation (for use in tunnels)

OpenTom Presentation, November 2004

There is currently a shortage of English language introductions to OpenTom, as the project founders are Germans. An excellent introduction is the PDF slides from the November 2004 assembly of Kommunikationsnetz Franken (KNF-Kongress), found here. If you flip through the 21 slides, the following is my English translation of the German texts.

1. (Title) Reverse Engineering of an Embedded Linux System, the case of the TomTom Go

2. Embedded systems are everywhere. (Note that the top left image is the Linksys wireless router, for which Linksys/Cisco was forced to open up the source code after it was discovered that the unit was based on Linux.)

3. Added value of "open" systems (i.e. possible new applications that could be developed if the TomTom Go was an open platform): Navigation, MP3 player, Bluetooth handsfree kit, mobile copy station, driver's log book, ...

4. Operating system. Complex "embedded systems" need an operating system. The most commonly used are: Windows CE, Linux, VxWorks, QNX, ...

5. Linux & GPL. For systems that use Linux, reverse engineering shouldn't be necessary. The GPL requires the manufacturer to publish all things needed for your own development of extra functionality: Sources for kernel and GNU tools, toolchain, system specific build tools. But manufacturers often ignore or neglect the GPL. In these cases "reverse engineering" is necessary both to prove that this is the case and to "take over" the system.

6. First steps. Just by "playing around" with the system, you can often bring useful information out of the system: bootloader, debug tools, error messages, system crashes

7. Analysis of the filesystem

8. Extracting the kernel. zImage: Loader (uncompressed, with strings). Kernel (gzip compressed), gzip files begin with the "magic bytes" 8b 1f. Parameter block. Everything following the "magic bytes" is copied to a new file and unpacked with gunzip. This way you have a "clean" kernel for further analysis.

9. Analysis of the kernel. Analysis with "strings" reveals (excerpt): ... and much more. Console on serial port, Init Ramdisk, Linux 2.4, FAT for SD Cards, Ext2 for Init Ramdisk(?).

10. End of proof. We now have sufficient proof that they have used GPL code (Linux kernel). We can approach the manufacturer and convincingly point out the breach of the GPL. String constants in the kernel prove which individual features were included. If needed, the rights holders (authors) of these features (e.g. Initrd) can speak against the manufacturer. If this doesn't immediately or after some time lead to success, we would have to investigate the system further...

11. Extraction of the Init-Ramdisk. The Init-Ramdisk is loaded into memory by the bootloader - the starting address is handed over to the kernel. The kernel searches for filesystem or gzip magic. Apparently there is a further gzip compressed block at the beginning of the ttsystem - this contains an Ext2 filesystem, which is the Init-Ramdisk.
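Slides 8 and 11 describe the same operation twice: scan a firmware blob for the gzip header, inflate from that point, and look at what came out (a kernel, or the Ext2 filesystem that is the Init-Ramdisk). As an added example (not from the slides or the OpenTom project), the Python below carves every gzip stream from a blob and checks each payload for the ext2 superblock magic; the firmware image it runs on is constructed inline, and the gzip identification bytes are 1f 8b followed by the method byte 08 in file order.

```python
import gzip
import struct
import zlib

# gzip member header in file byte order: ID1=0x1f, ID2=0x8b, CM=8 (deflate)
GZIP_MAGIC = b"\x1f\x8b\x08"
# ext2 superblock starts at byte 1024; its s_magic field (0xEF53, little-endian)
# sits 56 bytes into the superblock.
EXT2_MAGIC_OFFSET = 1024 + 56
EXT2_MAGIC = 0xEF53


def find_gzip_members(blob):
    """Carve every gzip stream that inflates cleanly; returns [(offset, data)]."""
    members, pos = [], 0
    while (off := blob.find(GZIP_MAGIC, pos)) >= 0:
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # expect gzip wrapper
        try:
            data = inflater.decompress(blob[off:])
        except zlib.error:
            data = None  # false positive: bytes that merely look like a header
        if data is not None and inflater.eof:
            members.append((off, data))
            pos = len(blob) - len(inflater.unused_data)  # resume after this member
        else:
            pos = off + 1
    return members


def is_ext2_image(data):
    """Slide 11's check: does the inflated payload carry the ext2 superblock magic?"""
    if len(data) < EXT2_MAGIC_OFFSET + 2:
        return False
    return struct.unpack_from("<H", data, EXT2_MAGIC_OFFSET)[0] == EXT2_MAGIC


def classify_members(blob):
    """Carve and label each stream as 'kernel', 'ext2' or 'unknown'."""
    out = []
    for off, data in find_gzip_members(blob):
        kind = "ext2" if is_ext2_image(data) else (
            "kernel" if b"Linux version" in data else "unknown")
        out.append((off, len(data), kind))
    return out


# Constructed stand-in for a zImage/ttsystem: loader stub with strings, gzipped
# "kernel", 16 filler bytes, gzipped fake ext2 image, footer. Not real TomTom data.
SAMPLE_LOADER = b"uncompressed loader stub with strings\x00"
SAMPLE_KERNEL = b"Linux version 2.4 ... console=ttyS0 initrd" + bytes(300)
_ext2 = bytearray(4096)
struct.pack_into("<H", _ext2, EXT2_MAGIC_OFFSET, EXT2_MAGIC)
SAMPLE_IMAGE = (SAMPLE_LOADER + gzip.compress(SAMPLE_KERNEL) + bytes(16)
                + gzip.compress(bytes(_ext2)) + b"TTBL")
```

Running `classify_members(SAMPLE_IMAGE)` returns one entry per carved stream with its offset, inflated size and label; on a real dump the same scan recovers the "clean" kernel of slide 8 and the Init-Ramdisk of slide 11.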

12. Analysis of the Init-Ramdisk. The Init-Ramdisk contains a miniature Linux system, based on BusyBox. Also the navigation software (/bin/ttn) is contained in the Init-Ramdisk. The Init script (/etc/rc) features a debug mode with a shell! The console is set to ttyS0 in the kernel. ttyS0 is probably available.

13. The TomTom hardware. 5V power supply. External GPS antenna. USB (host/device selectable). 2x10 pins for docking station & car kit.

14. The serial port. Level converter 3V <-> RS232.

15. The TomTom bootloader. "TTBL". Length of Ramdisk. Target address of ramdisk. Data on ramdisk. 16 unknown bytes. Length of kernel. Target address of kernel. Data in kernel. 16 unknown bytes. "TTBL" footer. Alteration of the Init-ramdisk. Creation of a "new" TomTom image. Correction of the length parameters. Our own image is not accepted by the bootloader. What do those mysterious 16 bytes after the kernel and Init-ramdisk mean??? Trial-and-error fails (no MD4, MD5 or anything similar).

16. Analysis of the "system". "TTBL". Length. Target address. Data. 16 unknown bytes. Length. Target address. Data. 16 unknown bytes. "TTBL" footer. Instead of the Init-ramdisk, we store exactly 256K data. Instead of the kernel, we store a small program (c. 5 KB code). Apparently it is some kind of bootloader update. Further investigations show: bootloader -> loads -> system (with update) -> loads -> ttsystem (Linux).

17. Analysis of the bootloader. So the file "system" basically contains the bootloader code!

18. Analysis of the bootloader II. To test the suspicion of MD5, we searched for some typical constants. The bootloader apparently contains an MD5 implementation. But MD5 alone is not enough.

19. Analysis of the bootloader III. We also looked for constants for cryptography... and found this in Blowfish!

20. Analysis of the bootloader IV. The further analysis of the bootloader using a disassembler leads to this Blowfish key. Only images signed with this key are accepted by the TomTom bootloader. Now the "real" work can begin!

21. Done! Many thanks! Further information about the project "OpenTom" can be found at http://wiki.opentom.org/
