Garmin Hacking Project Report 6 The speed limit has been fixed. It's not easy but it can be done. In the months after this was first released a few people have been brave enough to open their GPS. So far none of them have reported a successful fix. Most didn't even try once they had a look at the circuit board. I was going to wait until someone else pull off this hack but since no one has, it's time to post the details of the entire operation. Firsts off this is not an easy operation. It requires that you have steady hands and access to some nice equipment as well as the right tools for the job. I broke two GPS 45's while trying this. Do this at your own risk! The first unit I broke the flex circuit to the display. The second one I got the flex circuit too hot and it melted and destroyed 4 traces so my "fixed GPS45" is missing 4 columns on the display. 1) Removal of the case To open the case I used a screw thread sizer. This is a piece of thick metal with a bunch of holes with different size threads in it. The holes are unimportant but it was the right thickness to help pry open the case. It was a die cut (or stamped) out of thick sheet metal so that edges are rounded but it's thick enough to break the seal. start at the battery end and apply force till the the case separates. Next work around the sides and then the antenna end. The antenna end will be more difficult since your breaking a seal where you can't easily apply force. You do not need to remove any rubber bits and the rubber bumper at the end will help hold it together for testing later. Watch out for static electricity. You could zap something. 2) Removal of the circuit board Remove the connector. Remove the 4 Phillip s screws. You will need the right screwdriver for this. If you get the wrong size, you will strip the heads out of the screws. You will then need to remove the entire circuit from the board. You will notice that the board seems to fold out. This is because the LCD glass is still attached and the connector is bending. Don't flex it too much. Garmin chose to use a off shore flex circuit that is prone to break instead of a US made one that wouldn't. The glass can be loosened by gently flexing the case. Once one end pops off the tape (it uses two sided tape) then pry out the glass on that edge. I used a dissecting probe but a small screwdriver will work. Once that edge of the glass is out you can grab the glass and pull it out of the foamy sticky stuff used on the other side. Once this is out you can plug the connector back in and see if you already broke it beyond all repair. 3) Removal of the light The next step is to take a soldering iron to your toy. With the glass partially folded out of the way you can desolder the leads to the EL light. One side should be under some force if you fold it a bit so it should be easy to remove. Don't worry about cleaning up the solder now, that can wait. If I were to fix another one I would try removing the LCD at this stage but I'm not risking another one. 4) Removal of the ROM At this point you should have the ROM clear. All you have to do is unsolder it. If you use hot air, be very careful of the flex circuit since it can't deal with much heat. I would use a soldering iron unless your lucky enough to have a soldering station that is set up for TSOP packages. I did this with a standard Weller soldering station and a microscope. Once you heat up some pins then you can slide an xacto blade under the package and apply a bit more force and work your way down the package. Plastic this small tends to be a bit more flexible than the older DIP packages. Once one side is done then the other side is easy, just don't get too carried away with the force on the last few pins or you might rip them off. When soldering be sure to keep in mind that the pads will get hot so don't over heat them or they will come off. Also notice that there are several ways the ROM could go. Make sure you can put it back where you found it. It will have fewer pins than there are pads so take note. 5) Reprogram the ROM There are two ways of doing this. The first is to select the right bits in the current ROM and change them or burn your self a new ROM. The second is easiest so I'll cover it. It does violate Garmin's copyright but its the only choice on the GPS38 and newer devices that use ROM and not EPROM. Load the ROM image into your PROM burner and then to your PC (unless you can edit on the burner like the Dataman) Once you have the hex data, you will need to find the binary sequence of 54 34 39 42 and change it to what ever you feel you should have as the top limit of your GPS45. I would pick the values of 2d 74 69 6d which gives a nice high value. On my GPS45 the value was at location 3fbd8. Note that this change won't interfere with the government controlled speed limits for exports. The unit will still have a speed limit of 999 kts for your own protection. Once you have the new data values in you will need to fix the checksum by changing a value near the end of the ROM (3ffe0 or so) so that the total sum of all the ROM is 0. There should be several bytes with the value of FF near the end of the ROM but watch out for the start up vector hiding at the very end. Once you have the changes made, program a new device (you can erase the old ROM if you have the right X-ray equipment or gamma ray source). 6) Putting the ROM back This is fun. you need to put the device on the right set of pads and then solder down one corner. Then work your way down the device making sure you haven't knocked the other side out of alignment. Make sure all the legs are attached. A microscope will help for that inspection as well (assuming your not using one just to do the work). Once the ROM is back on you can turn the device back on and see if it works. Just be careful not to turn on the back light. I'm not sure if that could damage it. 7) put the light back on You can solder the EL back in place now. Clean up the pads now if you messed them up before. 8) install the board You can now put the glass back where it came from. You might want to clean it with something like windex since it most likely has lots of finger prints all over it. It seems to stick quite well even after begin removed several times. Put the screws back in and plug the wires back in and you should have a functional GPS once again. 9) seal the case All you need is a ultrasonic welder and just seal it up. I have never seen such a device so I don't know how to do this. I didn't seal mine since I like to open it up. There is a screw in the back under the rubber part. if you remove that then you can suck all the air out and fill it with nitrogen, seal it with silicon rubber and it could be in better shape than new.