The usual way I start such reverse engineering tasks is I try to get as much raw data as possible, and then try to make sense of it. I compiled the driver module (bcm4751-gps.ko) with a lot of debug printouts, restarted nped, started maps and looked at the results to see what the intresting parts were. Then I added more thorough logging to get at the data buffers passed between the kernel driver and nped. Now next step would be to try to make sense of the data, and try to decipher the protocol specification. When that's done the positioning daemon can be replaced with a new implementation. The source of nped is closed, but the algorithms on GPS calculation are public so the task should be doable.