The Navman iCN 330 - now with linux
|By Rasmus Rohde|
This document should help you to put linux on your Navman iCN 330 (other models might work, but you probably need to do some work on your own). At the moment I have not put together a root fs so you will only see Tux and some console output, however this is a nice start for moving further.
To the people who do not know what this device is I can quickly summarize it as a handheld GPS sporting an Intel PXA255, 32 MB RAM a 2.8" color LCD at 320x240 and a GPS connected to a serial port. Put in other words - an obvious device for Tux to assimilate.
I will skip the usual warnings and disclaimers and let you do the math yourself, but let me make a few points:
As the iCN 330 will only run signed elf files (seems to me they use an RSA-512 signature together with hashing that is either sha-1 or md5) we need to exploit a little buffer overflow in the loading of Navman/system/poitypes.dat, but before all that we need to build a lot of stuff.
First let's detail how we build all the code we need and then how it should be put on an MMC card for the Navman to boot.
The very first step is to build a cross-compiler and I suggest you use buildroot for this. Buildroot is pretty straight-forward to use so the only help you are going to get is we neeed a cross compiler for ARM little endian XScale and that binutils-126.96.36.199.3 and gcc-3.4.6 should work for you.
Download u-boot-2006-06-30-2020 and apply this patch. Type
CROSS_COMPILE=arm-linux- make and you should now have u-boot.bin
Download the latest 2.6.18 kernel and apply this patch together with this .config. The just type
ARCH=arm CROSS_COMPILE=arm-linux- make oldconfig uImage and you should have a kernel in some minutes named arch/arm/boot/uImage. Note that you need mkimage, which is found in the tools directory of u-boot.
The last thing we need to build is the code that will allow us to bypass the security mechanisms in the iCN 330 and boot u-boot. Get icn330-hack.tar.gz, unpack and build with make. Construct the file poitypes.dat that will allow us to take control over the iCN 330 with
cat boot.bin stackcon >poitypes.data.
We now have all that is needed and just need to make an MMC card with the right contents. To do this you need an original Navman iCN 330 card because we need to lift some files from this. On the card you should make a structure looking like this:
./iCN320u.elf - Comes from the original card and is named Navman/system/iCN320.elf. It must have md5sum c34fbb9bc203a21c5d5710d754b492f8 ./Navman ./Navman/system ./Navman/system/config.ini - Comes from original card ./Navman/system/iCN320.bm - Comes from original card ./Navman/system/poitypes.dat - Generated earlier on ./Navman/cdkeys.dat - Comes from original card ./code.bin - Rename bootuboot.bin to this ./uImage - The linux kernel we built ./u-boot.bin - The u-boot we built
Ok - that is basically it. You should now have a card that will boot linux. TODOs includes building a file system for our linux and making an app to control the unit. Mainly a way of switching it off so you do not need to open it and pull the battery :)
For all you lazy folks who just want to see Tux here is a package of the binaries I am able to redistribute. Note that Navman copyrighted files are not included.
You may be wondering why you cannot just copy the maps from an original card to your own favorite card so I will try to detail why. Upon startup the Navman application will try to authenticate the card using a well-known signature scheme involving sha1 and rsa-1024. The steps involved are as follows:
Ok - so this is pretty much it and by now you have probably figured out that by putting the maps on a new card step 1 will result in an "incorrect" buffer because the CID has changed. Not a big problem so far as we can just calculate what comes out of step 2 and put that into sigreg.dat. But what we cannot do is to calculate the rsa-1024 encrypted buffer which also needs to match the new sha1 value. To do this we need the secret rsa exponent which is pretty hard to come by.
Put in other words: Making a copy of your card is probably only going to happen by removing this check from the Navman application. This is pretty easy except for the fact that changing the application is a no go too since the bootloader does a signature check on loaded elf files. Fixing this little issue can be done by patching the bootloader located in flash and after these steps you should be in business.