Technical Information about the GXP-2000 Firmware
- Back to GXP-2000 Front Page GXP-2000
Basically I started trying to reverse engineer the GXP2000 firmware, so that i could modify it and load hacked firmware onto my phones but first i had to work out how the boot55.bin and gxp2000.bin files were constructed… I decided to document it here so that others can contribute and learn. – SoloFlyer (Feb21/06)
Might be a good idea to create a project like rockbox to provide generic firmware for a range of phones. ~~ Rick: Such firmware is being built at http://devel.0cpm.org/firmerware/
0x00 – 0x0F
The First 16Bytes of every GXP-2000 firmware look like this in hex 🙂
| Firmware Versions | File | File Version | 00 | 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 | 0A | 0B | 0C | 0D | 0E | 0F | ACSII |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1.0.1.9, 1.0.1.12, 1.0.1.13 | boot55.bin | 1.0.1.2 | | 00 | | 00 | | 41 | | 8A | | AF | | 69 | | 01 | | 00 | | 01 | | 02 | | 07 | | D5 | | 04 | | 16 | | 0C | | 0E | ..A. ¯i…..Õ…. |
| 1.0.2.6, 1.0.2.3 | boot55.bin | 1.97.1.99 | | 00 | | 00 | | 44 | | 78 | | 97 | | 24 | | 01 | | 61 | | 01 | | 63 | | 07 | | D6 | | 01 | | 13 | | 10 | | 22 | ..Dx.$.a.c.Ã-…” |
| 1.0.2.3, 1.0.2.6, 1.0.2.8, 1.0.2.13 | boot55a.bin | 1.0.2.3 | | 00 | | 00 | | 43 | | 7E | | D5 | | 4B | | 01 | | 00 | | 02 | | 03 | | 07 | | D6 | | 01 | | 13 | | 0E | | 11 | ..C~ÕK…..Ã-…. |
| 1.0.1.9 | gxp2000.bin | 1.0.1.9 | | 00 | | 04 | | 88 | | C5 | | E5 | | C7 | | 01 | | 00 | | 01 | | 09 | | 07 | | D5 | | 06 | | 01 | | 10 | | 39 | …Ã…Ã ¥ÃƒÆ’”¡…..Õ…9 |
| 1.0.1.12 | gxp2000.bin | 1.0.1.12 | | 00 | | 04 | | CA | | 25 | | A9 | | B0 | | 01 | | 00 | | 01 | | 0C | | 07 | | D5 | | 08 | | 0F | | 0F | | 39 | ..Ê% ©Ãƒâ€š °…..Õ…9 |
| 1.0.1.13 | gxp2000.bin | 1.0.1.13 | | 00 | | 05 | | 1D | | 31 | | F2 | | EC | | 01 | | 00 | | 01 | | 0D | | 07 | | D5 | | 0A | | 0D | | 13 | | 00 | …1à ²ÃƒÆ’ ¬…..Õ…. |
| 1.0.2.3, 1.0.2.6 | gxp2000.bin | 1.0.1.99 | | 00 | | 05 | | 1D | | 8B | | 81 | | A0 | | 01 | | 00 | | 01 | | 63 | | 07 | | D6 | | 01 | | 13 | | 12 | | 32 | ….. …c.Ã-…2 |
| 1.0.2.3 | gxp2000a.bin | 1.0.2.3 | | 00 | | 06 | | 99 | | 2F | | A9 | | 5D | | 01 | | 00 | | 02 | | 03 | | 07 | | D6 | | 01 | | 18 | | 0D | | 27 | …/Â ©]…..Ã-…’ |
| 1.0.2.6 | gxp2000a.bin | 1.0.2.6 | | 00 | | 06 | | A9 | | C0 | | 1A | | 82 | | 01 | | 00 | | 02 | | 06 | | 07 | | D6 | | 02 | | 02 | | 12 | | 34 | .. ©ÃƒÆ’€…….Ã-…4 |
| 1.0.2.8 | gxp2000a.bin | 1.0.2.8 | | 00 | | 06 | | 4C | | A4 | | EC | | D9 | | 01 | | 00 | | 02 | | 08 | | 07 | | D6 | | 02 | | 06 | | 10 | | 0C | ..L ¤ÃƒÆ’ ¬ÃƒÆ’™…..Ã-…. |
| 1.0.2.13 | gxp2000a.bin | 1.0.2.3 | | 00 | | 06 | | 56 | | D2 | | E8 | | F1 | | 01 | | 00 | | 02 | | 0D | | 07 | | D6 | | 02 | | 15 | | 0D | | 23 | ..VÃ’Ã ¨ÃƒÆ’ ±…..Ã-…# |
0x00, 0x01, 0x02, 0x03 decimal size of file in bytes(including header) devided by 2 and converted to hex
0x04, 0x05 Checksum
0x06, 0x07, 0x08, 0x09 Version Number of File in decimal converted to hex
0x0A, 0x0B Build Date year
0x0C Build Date month
0x0D Build Date day
0x0E Build Time Hours
0x0F Build Time Minutes
0x010 – 0x1EF
| Firmware Versions | File | File Version | 00 | 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 | 0A | 0B | 0C | 0D | 0E | 0F | ACSII |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1.0.2.8 | boot55.bin | 1.0.2.8 | 62 | 6f | 6f | 74 | 35 | 35 | 2e | 62 | 69 | 6e | 00 | 00 | 00 | 00 | 00 | 00 | boot55.bin…… |
The Filename is hard coded into the file starting at 0x10 and is padded with 00’s. the 00’s continue until 0x1EF in every file i have looked at
0x1F0 – ????
0x1F0 – 0x2D1 in 1.0.2.13 gxp200a.bin
0x1F0 – 0x32D in 1.0.2.13 boot55a.bin
There is another Unique string here…. followed by some sort of table of values i dont know what it is but i suspect its important…
Internals of HW v0.4
DSP: Texas Instruments TMS320VC5501
RAM: 4MB
FLASH: 2MB (29LV160BBTC)
AUDIO: Realtek ALC202A
NETWORK: Realtek RTL8019AS, Realtek RTL8305SC
External Info
The TI TMS320VC5501 DSP is used, and there are some documents about it:
- Eratta: http://focus.ti.com/lit/an/spra911c/spra911c.pdf
- Bootloader: http://focus.ti.com/lit/an/spra911c/spra911c.pdf
- Unorganised links: http://www-s.ti.com/sc/techlit/spru371 http://www-s.ti.com/sc/techlit/sprs206 http://www-s.ti.com/sc/techlit/spru374 http://www-s.ti.com/sc/techlit/spru375 http://www-s.ti.com/sc/techlit/spru376 http://www-s.ti.com/sc/techlit/spru630
~~ Rick: For an analysis of BT102 firmware, visit http://devel.0cpm.org/reverse/grandstream/firmware-bt102.html — headers are completely accounted for and probably apply to all GrandStream models. The only unknown is the signature on code files.
April 7, 2023
Phone System 