4000SSi Deep Dive

Tools

My research into the Trimble fourth generation firmware has been facilitated through a tool I developed to translate and mangle the .X firmware images. That tool is available for download here:

convertx.go

Three Firmwares

There are three separate versions associated with the 4000 SSi firmware: nav, sig and boot.

Nav (CPU)

This is the firmware that runs on the Motorola MC68332 CPU. This can be extracted from the images included with the update utility.

Nav Memory Map

 Code 1: 000000-07CEC7
 Code 2: 720000-73DC87

The nav firmware lives in battery backed memory. When the lithium primary cells backing up the memory die, the receiver loses its firmware. Fortunately, this does not kill the receiver because it has a built in recovery mode.

Sig (DSP)

The sig firmware runs on a TMS320C25 DSP. This DSP has 4K of on-board ROM, which would make the firmware un-upgradable if it were stored there. From what I can tell, the DSP ROM contains a small boot loader, with the full DSP firmware being loaded into the DSP RAM by the CPU at boot time. It appears the DSP RAM is mapped into the MC68332’s address space, and the nav code copies the DSP firmware into the DSP RAM one word at a time.

The DSP code isn’t stored in the CPU memory in clear text. It seems to be stored in blocks so that areas of empty memory can be skipped, which reduces the total storage needed inside the nav ROM. The TMS320C25 has a little endian architecture, while the MC68332 has a big endian architecture, so if you feel compelled to write some code to extract the firmware, keep this in mind. Presumably the sig RAMs are wired ‘backwards’ relative to the MC68332’s data bus to make any kind of endianness correction unnecessary, because it doesn’t appear to be done in firmware.

Boot (PPU)

The boot code version reflects the version of the firmware stored in the S87C552 microcontroller, known as the PPU. The S87C552 is an OTP device, so the version of the boot firmware is fixed from when the device was manufactured. It appears the boot firmware also contains the ROM monitor code that is executed on the 68332 when the receiver boots up with no firmware, or when the receiver is forced into firmware upgrade mode.

The ROM Monitor

The ROM Monitor code is executed by the CPU, but loaded into the CPU by the PPU. I’ve created a separate page to describe that here: Trimble 4000SSi ROM Monitor.

Front Panel

The front panel connects to the main PCB via a 40 pin connector. The panel is completely dumb, and all connections are exposed on this 40 pin connector, including:

The approximate pinout of that connector is:

(currently drawn on a scrap of paper awaiting transcription)

The front panel buttons are laid out in a 4x8 matrix, with the rows on pins 18-21, and the columns on pins 22-29. The power button is not part of the matrix, and is independently connected on pins INSERT PINS HERE.

I needed to work out the matrix to figure out what secret power-up button combinations the receiver was using. I could see that a mechanism exists to read out the state of all of the front panel buttons as a 32-bit value, and that this value is then checked to determine which buttons are being held down. Working out which button is which required two things: mapping out the matrix, then making a semi-educated guess about how the matrix is mapped into memory.

I first worked out which pins on the 40 pin front panel connector belonged to the LCD, beeper and backlight connectors. Then I picked a block of 16 pins, and connected 8 to one lead of a multimeter, and 8 to the other lead. With this setup, I got a beep when I pressed 7 or 8 of the front panel buttons, so I knew I found the matrix. Through a process of elimination, I found two pins that would beep for the ‘2’ button, giving me a known row and column pin. Then I just worked through trial and error to first find all of the other column pins, then to find all of the row pins.

I knew that 0x40000040 represented the CLEAR and LOG DATA buttons, so I then worked with different representations of the row and column order and direction until I had an arrangement that matched that bit pattern, with the CLEAR and LOG DATA buttons in the correct position. This is what I ended up with:

 Row Pin   Column Pin   Bit   Button
 18        29           31    STATUS
 18        28           30    CLEAR
 18        27           29    ENTER
 18        26           28    3
 18        25           27    2
 18        24           26    1
 18        23           25    >
 18        22           24    <
 19        29           23    n/c
 19        28           22    SESSIONS
 19        27           21    ALPHA
 19        26           20    6
 19        25           19    5
 19        24           18    4
 19        23           17    SAT INFO
 19        22           16    A
 20        29           15    CTRL
 20        28           14    n/c
 20        27           13    0
 20        26           12    9
 20        25           11    8
 20        24           10    7
 20        23           9     n/c
 20        22           8     B
 21        29           7     MODIFY
 21        28           6     LOG DATA
 21        27           5     n/c
 21        26           4     n/c
 21        25           3     n/c
 21        24           2     n/c
 21        23           1     D
 21        22           0     C
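
The table above can be turned into a small decoder for 32-bit button constants found while reading the nav firmware. This is an added example, not part of convertx.go or the author's code; the names Pins, Decode and Encode are assumptions made for illustration, and the bit assignments are transcribed from the table.

```go
package main

import "fmt"

// Button name per bit of the 32-bit front panel state, transcribed from the
// table above. Unlisted bits are the n/c matrix positions (empty string).
var buttons = [32]string{
	31: "STATUS", 30: "CLEAR", 29: "ENTER", 28: "3", 27: "2", 26: "1", 25: ">", 24: "<",
	22: "SESSIONS", 21: "ALPHA", 20: "6", 19: "5", 18: "4", 17: "SAT INFO", 16: "A",
	15: "CTRL", 13: "0", 12: "9", 11: "8", 10: "7", 8: "B",
	7: "MODIFY", 6: "LOG DATA", 1: "D", 0: "C",
}

// Pins returns the connector row and column pins for a bit: one byte per row
// (pin 18 is the top byte), columns counting up from pin 22 at the low bit.
func Pins(bit int) (row, col int) { return 21 - bit/8, 22 + bit%8 }

// Decode names the buttons set in mask, highest bit first. Set bits that fall
// on n/c positions are returned separately; they suggest the value is not a
// button mask or that the mapping guess is wrong.
func Decode(mask uint32) (names []string, unmapped []int) {
	for bit := 31; bit >= 0; bit-- {
		switch {
		case mask&(1<<uint(bit)) == 0:
		case buttons[bit] == "":
			unmapped = append(unmapped, bit)
		default:
			names = append(names, buttons[bit])
		}
	}
	return names, unmapped
}

// Encode builds the mask for a button combination.
func Encode(names ...string) (uint32, error) {
	var mask uint32
next:
	for _, n := range names {
		for bit, b := range buttons {
			if b != "" && b == n {
				mask |= 1 << uint(bit)
				continue next
			}
		}
		return 0, fmt.Errorf("no button named %q", n)
	}
	return mask, nil
}

func main() {
	names, unmapped := Decode(0x40000040) // the combination known from the firmware
	fmt.Println(names, unmapped)
}
```

A non-empty unmapped result is a quick sanity check: a constant that sets bits on n/c positions is probably not a button mask.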