A while ago I was fed up with Android Wear smartwatches and bought a Garmin Fenix 5 Plus. After using it for a while I started to explore the possibilities beyond the manufacturer specifications. This lead to a firmware patcher based upon work from Alex Whiter (who sadly passed in 2019). That patcher modified the firmware update file and disabled the license check for Garmin Maps. After installing a patched firmware, you were able to use any downloaded Garmin map on the watch without having to buy a license. Alex himself also offered a patcher to enable the use of custom made JNX “BirdsEye” files. (These JNX files can be easily created with SAS.Planet / SAS.Планета, a Windows tool to download map tiles and export them to different formats.)
These patchers sparked my interest in the firmware format as I’ve noticed they not only patched the few Bytes in the code but also modified other areas in the file.
I’ve soon stumbled upon these great documentations from Herbert Oppmann: Garmin GCD Format, the older RGN format and the contained binary blobs.
Studying these ended up in me writing gcd-parser to analyse and output the various metadata fields.
This was also when I learned about Garmin’s HWIDs. This is an identifier that Garmin assigns to everything. E.g. my Fenix 5 Plus had the HWID 006-B3100-00 which is also its SKU. Inside the firmware, the HWID is stored as a 2-Byte word containing only the digits after the B. For some reason, the firmware files showed the HWID 2900 but a short search revealed that this was the SKU of the smaller version watch, the Fenix 5S Plus. This meant that all 3 sizes used the same firmware – which made sense. Why develop different hardwares and maintain different firmwares when you can use a one-fits-all approach.
When searching with a hex editor through the firmware file, I’ve also noticed various other HWIDs in the format 006-Bxxxx-yy (and without dashes in some cases). In case of my Fenix 5 Plus, I saw these:
006B219602006B315300006B295700006B282201006B219602(again)006-B3181-02006-B1752-02006-B2079-02006-B2161-02006-B2162-02006-B1743-02006-B2327-02006-B2593-03006-B2787-03006B162100006-B2196-02(followed by2196and3153shortly after)006-B2900-00(The Fenix 5S Plus’s SKU!)
If we only take the 4 digits in the middle, we end up with these: 1621, 1743, 1752, 2079, 2161, 2162, 2196, 2327, 2593, 2787, 2822, 2900, 2957, 3153, 3181.
Now where did I see some of those before? Right! The beta firmware!
Garmin offers beta versions of their firmware which allows you to be one of the first to update to a newer version firmware. These come in a zip file and often also contain new versions for various “components” of the watch, e.g. the GPS or Bluetooth module, to be installed separately. An update file for the Bluetooth/ANT+ module is named GUP3153.GCD. The update for the GPS module is GUP2957.GCD. The WiFi module’s firmware comes in a GUP2196.GCD. Now would you look at that!
Using my tool, I could verify that these GCD files list those HWIDs in their file header. There’s also a so-called “SensorHub” firmware which didn’t pop up in the firmware code in full, but only in its short form 3014.
Now I downloaded and analysed firmwares from other Garmin watches and created this table. This clearly shows that many models use the same components, e.g. the Fenix 5 Plus range and the D2 Delta range. And even while the ANT/BLE/BT firmwares show different HWIDs for those, if you compare both with a hex editor, they turn out to be identical.
So my next goal was to turn my Fenix 5 Plus into the much more expensive D2 Delta.
After a few initial attempts at modifying the HWID in the firmware header file failed, I’ve found out about the so-called “PREBOOT” mode in many Garmin devices. This is a recovery mode where the device accepts basically any firmware using Garmin’s WebUpdater tool. I read that it works better with the firmware being in RGN format as there are fewer security measures, so I converted a D2 Delta GCD file into RGN beforehand using RGN_Tool.
The way this went was like this: You have to power off the watch with no cable attached. Then start WebUpdater and go to the screen where it searches for a device. Now with the USB end already plugged into your computer, hold the START/STOP button on the watch and keep holding it while connecting the cable to the watch (still holding down the button!). (I held the button until the update completed – just to be sure.) Now WebUpdater should find the watch and ask for a firmware file. I selected the converted RGN file … and a few seconds later the watch booted up as a D2 Delta. Success! Albeit in a much more complicated way than needed as we’ll find out later.
But when trying to do it the other way around, there was big surprise: The D2 Delta firmware didn’t seem to have a Preboot mode. At least no key combination worked like it did when flashing the D2 firmware.
So now it was time to experiment with modifying the firmware files to flash them using the watch’s own firmware update feature. After asking around in various forums, I was referred to Alex Whiter as THE man to ask about Garmin firmwares. And so I did.
He replied with some vital hints about the header of the actual binary data and how the checksum is calculated.
And after a lot of trial and error I finally succeeded. My watch accepted my Frankenstein’d firmware and turned back into a Fenix 5 Plus again. Turns out the watch does not only check the HWID of the firmware file but there are also 2 fields with some kind of flags that are compared agains the watch’s configuration.
- Fenix 5 Plus: HWID:
3196, Flag1:200, Flag2:1 - D2Delta: HWID:
2900, Flag1:200, Flag2:59
And with the HWID and flags matching, a version number higher than already installed (and a correct checksum), the watch accepted my file.
I incorporated this new information into my gcd-parser tool which enabled me to unpack and re-pack firmwares while auto-correcting the checksum. I was now able to freely convert my Fenix 5 Plus into a D2 Delta and back – just by using different firmware files.
To enable all the D2 features in your Garmin account, you have to completely remove your Fenix 5 Plus via Garmin’s website first and then re-register it using Garmin Connect. While it will show up with the picture of a Fenix on the website, all other apps should show the D2. After that, you can register on flyGarmin to install the navigation database which then enables all aviation features.
One minor issue, though: The aviation navigation database doesn’t update automatically via Garmin Express or Garmin Connect. So you’ll have to visit flyGarmin once a month to update it from there.
Nevertheless, have fun with Nexrad weather, the airport database and all the other aviation features. All other features from the Fenix range are still there, too.
For ease of use, I’ve uploaded all needed files to this MEGA folder. There are also files to convert a Fenix 5X to a D2 Charlie in the same manner and a few more experimental files that I never got around to test properly (Fenix 3/D2 Bravo, Fenix 3 HR/D2 Bravo Titanium).
So to convert your Fenix 5 Plus, you’ll first have to make sure you have one of the compatible firmwares. If your firmware is newer than 15.40, download the file fenix5Plus_1540_Backdate.gcd. Then rename it to GUPDATE.GCD and put it into the GARMIN folder on your watch. Then disconnect the cable. The watch should prompt about a new firmware update – install it.
Now it will boot up with firmware 15.40. You can then download the file f5P1540_to_D2Delta710.gcd. Again, rename it to GUPDATE.GCD and put it into the GARMIN folder. Unplug, flash and you should be greeted by a “D2 Delta”. To make sure everything works fine, now is a good time to do a factory reset on the watch.
Going back works the same. First make sure you’re on a compatible firmware version by using the proper backdate file. Then use the correct conversion firmware.
Enjoy!