dumprom produces bad files from blueangel and ipaqhx4700 rom - Windows Mobile Development and Hacking General

I'm working on a Polish localization for some PDAs. What I already have is:
1) extract files from the ROM using dumprom & the XDA OS image tool
2) extract resources from DLL and EXE files
3) compile MUI files from the resources
4) translate them into Polish using MS LocStudio
5) activate MUI usage on PPC2003
Everything works OK for the qtec2020 ROM, but the first step fails for the BlueAngel and HP iPAQ hx4700 because most files that dumprom extracts from the ROM image are corrupted.
Anyone have an idea why the files are corrupted?
Thanks for any hints

Re: dumprom produces bad files from blueangel and ipaqhx4700
There may be only one reason: you incorrectly dumped the image or extracted the files with dumprom.
I've extracted all files from BA ROMs and ROMs of several other devices without problems. Even the first XIP of the 2005 ROM dumped fine. The only problem that caused Restorator 2004 (I use it to edit resources) to stop recognising resources was a bug in Restorator. This dumb program looks for resources only in the ".rsrc" section, and most extracted files have them in ".data".

Re: dumprom produces bad files from blueangel and ipaqhx4700
mamaich said:
There may be only one reason: you incorrectly dumped the image or extracted the files with dumprom.
I've extracted all files from BA ROMs and ROMs of several other devices without problems. Even the first XIP of the 2005 ROM dumped fine. The only problem that caused Restorator 2004 (I use it to edit resources) to stop recognising resources was a bug in Restorator. This dumb program looks for resources only in the ".rsrc" section, and most extracted files have them in ".data".
hi mamaich,
How did you dump the first XIP? I can't get it working...
thanx
buzz

Re: dumprom produces bad files from blueangel and ipaqhx4700
buzz_lightyear said:
How did you dump the first XIP? I can't get it working...
Take the ROM image, copy everything from address 0x1C0000 to the end of the file into a new file, and run dumprom on it.
The data from 0x1C0000 looks like:
Code:
00001C0000: FE 03 00 EA 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
00001C0010: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
00001C0020: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
00001C0030: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
00001C0040: 45 43 45 43 C4 49 33 80 │ C4 49 17 00 00 00 00 00  ECEC.I3..I......
00001C0050: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
Dumprom would crash, but it would produce:
device.exe filesys.exe nk.exe busenum.dll cecompr.dll
ceddk.dll certmod.dll coredll.dll crypt32.dll devmgr.dll
diskcache.dll fatfsd.dll fatutil.dll fsdmgr.dll fsreplxfilt.dll
hd.dll imgfs.dll msflash.dll mspart.dll osaxst0.dll pm.dll
regenum.dll relfsd.dll 1626e49a-abc6-48a6-bcad-05c134149131.dsm
723fb954-d931-4348-b672-82a188e587b5.dsm boot.hv
sysroots.p7b boot.rgu mxip_initdb.vol
The files have broken import tables, but after some playing they can be analyzed in IDA.

Re: dumprom produces bad files from blueangel and ipaqhx4700
To fix the import table in a DLL you need to manually edit the PE file data directory. It is shifted by 4 bytes. For example in fatfsd.dll:
Code:
╔═ Name RVA Size ═╗
║ Export C07586C1 0000FDB0 ║
║ Import 0000041A 0000F984 ║
║ Resource 0000003C 00000000 ║
║ Exception 00000000 00012000 ║
║ Security 00000690 00000000 ║
║ Fixups 00000000 00000000 ║
║ Debug 00000000 00000000 ║
║ Description 0000001C 00000000 ║
║ MIPS GP 00000000 00000000 ║
║ TLS 00000000 00000000 ║
║ Load config 00000000 00000000 ║
║ Bound Import 00000000 00000000 ║
║ Import Table 00000000 00000000 ║
║ Delay Import 00000000 00000000 ║
║ COM Runtime 00000000 00000000 ║
║ (reserved) 00000000 00000000 ║
╚════════════════════════════════╝
Here the Export RVA is 0000FDB0 (written in the Size field), its Size = 0000041A (written in the Import's RVA), the Import RVA is 0000F984 and its Size = 0000003C, and the same applies to resources. This is for WM2005 dumped images only. For the 2003 OS dumprom always produces correct files (except for relocs missing in XIP).
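Added example (my own code, not mamaich's tool or anything from xda): a Python script that reads the 16 data directory entries of a dumped PE32 file and moves them back by the 4 bytes described above. It assumes the headers before the directories are intact, and builds a small constructed header carrying the table's values so the fix can be checked without the real fatfsd.dll.

```python
"""Undo the 4-byte data-directory shift in dumprom output (WM2005 XIP dumps).

Assumption (not from the thread): only the 16 IMAGE_DATA_DIRECTORY entries are
misaligned; the headers before them are intact. The last entry's Size is lost
in the shifted copy and is zero-filled here (it is the reserved entry).
"""
import struct
import sys

NUM_DIRS = 16
DIR_NAMES = ["Export", "Import", "Resource", "Exception", "Security", "Fixups",
             "Debug", "Description", "MIPS GP", "TLS", "Load config",
             "Bound Import", "Import Table", "Delay Import", "COM Runtime",
             "(reserved)"]


def data_directory_offset(pe: bytes) -> int:
    """File offset of the first IMAGE_DATA_DIRECTORY entry (PE32 only)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # optional header start
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:            # PE32 magic (CE ARM)
        raise ValueError("only PE32 images are handled")
    if opt_size < 96 + 8 * NUM_DIRS:
        raise ValueError("optional header too short for 16 directories")
    return opt + 96                                              # PE32: directories at +96


def read_directories(pe: bytes) -> list:
    """[(rva, size), ...] exactly as stored in the file."""
    off = data_directory_offset(pe)
    return [struct.unpack_from("<II", pe, off + 8 * i) for i in range(NUM_DIRS)]


def unshift_directories(pe: bytes) -> bytes:
    """Move the directory block 4 bytes earlier: the value stored in entry i's Size
    is really entry i's RVA, and entry i+1's stored RVA is really entry i's Size."""
    off = data_directory_offset(pe)
    end = off + 8 * NUM_DIRS
    fixed = pe[off + 4:end] + b"\0\0\0\0"
    return pe[:off] + fixed + pe[end:]


def build_shifted_sample() -> bytes:
    """Constructed minimal PE32 header carrying the dword values from the fatfsd.dll
    table in the post (it is not the real fatfsd.dll)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x01C0, 0, 0, 0, 0, 0xE0, 0x2102)       # ARM, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, NUM_DIRS)                              # NumberOfRvaAndSizes
    stored = [0xC07586C1, 0x0000FDB0, 0x0000041A, 0x0000F984, 0x0000003C,
              0, 0, 0x00012000, 0x00000690] + [0] * 23
    struct.pack_into("<32I", opt, 96, *stored)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def main(argv):
    pe = open(argv[1], "rb").read() if len(argv) > 1 else build_shifted_sample()
    fixed = unshift_directories(pe)
    for name, before, after in zip(DIR_NAMES, read_directories(pe), read_directories(fixed)):
        print(f"{name:13} stored {before[0]:08X} {before[1]:08X} -> "
              f"fixed {after[0]:08X} {after[1]:08X}")
    if len(argv) > 2:
        open(argv[2], "wb").write(fixed)


if __name__ == "__main__":
    main(sys.argv)
```

Run with `python fix_dirs.py in.dll out.dll` to write the corrected copy; with no arguments it prints the before/after table for the constructed sample.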

@mamaich
THANX 4 reply... EXCELLENT as always...
buzz

Re: dumprom produces bad files from blueangel and ipaqhx4700
mamaich said:
There may be only one reason: you incorrectly dumped the image or extracted the files with dumprom.
I've extracted all files from BA ROMs and ROMs of several other devices without problems. Even the first XIP of the 2005 ROM dumped fine. The only problem that caused Restorator 2004 (I use it to edit resources) to stop recognising resources was a bug in Restorator. This dumb program looks for resources only in the ".rsrc" section, and most extracted files have them in ".data".
I use the XDA OS image tool to copy the ROM to my PC. Then I use dumprom like this:
dumprom -4 -d files pda2k.nb1
Is it correct?
I've found that, for example, addrstor.dll is missing about 3 KB of data. I'm sure that I'm doing something wrong but I don't know why. The same method works OK for the qtec2020 and i-mate Jam.
Thank U in advance for any hints

Re: dumprom produces bad files from blueangel and ipaqhx4700
You are using dumprom correctly.
I've looked inside addrstor.dll. It does not contain any resources. And in the XDA2 ROM it also does not have any resources in the 2K3SE ROM. Resources are present only in the first edition ROM.

Related

extract from raw rom image?

I was attempting to use dumprom on a PDA phone other than an XDA... I extracted the memory from address 0x80000000 to 0x81FFFFFF using pmemdump, and ran it through dumprom. As it turns out only the bootloader and a small part of the kernel got extracted. Nothing of the OS or the application files came out. Looking at the dumped file, the 'good part' is missing and seems to be located elsewhere in memory.
But then I have a ROM image that can be used to flash the device, so I tried to use that image with dumprom, but that gave me an error, obviously, as the image is not laid out the way it's mapped in memory.
So how should I go about extracting the files? For example, what do I have to do to modify the ROM image to work with dumprom? I'll upload the ROM image in question or the memory dump if need be.
To dump the ROM of any PocketPC, you should extract the first 32 MB of physical memory starting from address 0. They contain the bootloader and ROM image, at least on PXA25x, 26x and 27x CPUs. For example you may use my program: http://mamaich.kasone.com/imate/ROMDump.rar
It comes with source code and dumps 64 MB of ROM to any directory on the SD card. Later you can extract files from this dump with "dumprom.exe dump.bin -4 -d C:\dump"
I've tested this method on several devices and it worked. If the device contains 32 MB of ROM, the second half of the dump will be identical to the first 32 MB.
The BIN/NBF files used to flash are sometimes stored in a format with unnecessary parts removed. Such files normally start with a "B000FF" signature and their format is explained in the PlatformBuilder documentation. You may try to write a program that converts them to a "normal" dump that dumprom understands.
Unfortunately, that didn't go well. The CPU is PXA255 and the OS is WM2003, but whatever ROMDump pulled out, it wasn't of any relevance. The attached file is what it put out. It's 64 MB, but as you can see from the size of the compressed result, there's not much useful information in it. It's just repetitive garbage data that goes on for the whole 64 MB. Maybe the program was accessing the wrong area? To be sure, I ran the file through dumprom, and the program hung. This isn't even as good as pmemdump, sadly. What seems to be the problem?
Probably the problem is in wrong addresses to dump. You should modify my RomDump code so that it checks all 4 GB of address space in 32 MB blocks to find a block that looks like a ROM start. The ROM starts with something like:
Code:
0000000000: FE 03 00 EA 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
0000000010: FE 03 00 EA 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
0000000020: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
0000000030: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
0000000040: 45 43 45 43 4C 4B 12 84 │ 00 00 00 00 00 00 00 00  ECECLK..........
0000000050: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
I.e. XX XX XX EA bytes (it is a BL command opcode) followed by garbage (may be 00, may be FFs, may be other XX XX XX EA bytes), and an "ECEC" string at offset 0x40 from the ROM start. "ECEC" is present at this offset on my device and several others, but it may not be on yours.
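Added example (my own code, not mamaich's RomDump): a Python scanner that applies the signature above (an always-taken branch word at +0, "ECEC" at +0x40) to a raw dump, reports candidate ROM/XIP starts, and carves from one of them into the file dumprom expects, the same "copy from 0x1C0000 to the end" step described earlier in the thread. The 0x10000 scan step, accepting 0xEB (BL) as well as 0xEA (B), and the filler diagnostic are my assumptions, and the sample dump is constructed from the header bytes quoted in the posts.

```python
"""Find ROM / XIP starts in a raw dump by the signature described in the posts above.

Assumptions (mine, not the poster's tool): a candidate is checked every `step`
bytes; the filler test only reports how much of the dump is repeated 00/FF, which
is the symptom one poster saw with 64 MB of garbage. "ECEC" is device-dependent.
"""
import struct
import sys

SIG_OFFSET = 0x40
SIGNATURE = b"ECEC"


def first_word_is_branch(buf: bytes, off: int) -> bool:
    """True if the little-endian ARM word at `off` is an always-taken B (0xEA..)
    or BL (0xEB..) instruction, i.e. the 'XX XX XX EA' start the post describes."""
    return (struct.unpack_from("<I", buf, off)[0] >> 24) in (0xEA, 0xEB)


def looks_like_rom_start(buf: bytes, off: int) -> bool:
    """Branch at +0 and the "ECEC" string at +0x40."""
    if off + SIG_OFFSET + len(SIGNATURE) > len(buf):
        return False
    return (first_word_is_branch(buf, off)
            and buf[off + SIG_OFFSET:off + SIG_OFFSET + len(SIGNATURE)] == SIGNATURE)


def block_is_filler(buf: bytes, off: int, probe: int = 4096) -> bool:
    """A block made of only one or two byte values (all 00, all FF, ...) is filler."""
    return len(set(buf[off:off + probe])) <= 2


def find_rom_starts(buf: bytes, step: int = 0x10000) -> list:
    """Offsets of every candidate ROM/XIP start, scanning on `step` boundaries."""
    return [off for off in range(0, len(buf), step) if looks_like_rom_start(buf, off)]


def carve(buf: bytes, off: int) -> bytes:
    """The 'copy everything from this address to the end' step before running dumprom."""
    return buf[off:]


def build_sample() -> bytes:
    """Constructed 2 MB dump: a ROM header at 0 and a first-XIP header at 0x1C0000,
    using the header bytes quoted in the posts; everything else is zero filler."""
    dump = bytearray(0x200000)
    headers = {0x0: bytes.fromhex("454345434C4B1284"),                # ECECLK..
               0x1C0000: bytes.fromhex("45434543C4493380C4491700")}   # ECEC.I3..I.
    for base, sig in headers.items():
        dump[base:base + 4] = bytes.fromhex("FE0300EA")               # B instruction
        dump[base + SIG_OFFSET:base + SIG_OFFSET + len(sig)] = sig
    return bytes(dump)


def main(argv):
    buf = open(argv[1], "rb").read() if len(argv) > 1 else build_sample()
    blocks = range(0, len(buf), 0x10000)
    filler = sum(block_is_filler(buf, off) for off in blocks)
    print(f"{filler} of {len(blocks)} 64 KB blocks are filler")
    starts = find_rom_starts(buf)
    for off in starts:
        print(f"candidate ROM/XIP start at 0x{off:X}")
    if len(argv) > 2 and starts:  # carve from the last candidate into a file for dumprom
        open(argv[2], "wb").write(carve(buf, starts[-1]))


if __name__ == "__main__":
    main(sys.argv)
```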
mamaich said:
Probably the problem is in wrong addresses to dump. You should modify my RomDump code so that it checks all 4 GB of address space in 32 MB blocks to find a block that looks like a ROM start. The ROM starts with something like:
Code:
0000000000: FE 03 00 EA 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
0000000010: FE 03 00 EA 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
0000000020: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
0000000030: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
0000000040: 45 43 45 43 4C 4B 12 84 │ 00 00 00 00 00 00 00 00  ECECLK..........
0000000050: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00  ................
I.e. XX XX XX EA bytes (it is a BL command opcode) followed by garbage (may be 00, may be FFs, may be other XX XX XX EA bytes), and an "ECEC" string at offset 0x40 from the ROM start. "ECEC" is present at this offset on my device and several others, but it may not be on yours.
I met this problem also. In my case, the BIN code of the ROM file that I ROMDumped from my device looks like this
and the result of "dumprom.exe dump.bin -4 -d d:\111" is shown as follows.
How can I solve this problem?
Thanks a lot.

Need help extracting files from ETEN M600 ROM

Okay, so I've tried everything. PDOCREAD, DUMPROM, pget, grab_it, testdump.exe, FiziFetch. I need help with getting at all of the files and doing a complete ROM dump of the device. The only ROM Dump I have is the one that ETEN provides for upgrading the phone, I have attached that here. EUU.exe is the exe you run on the pc, and normally the rom file is called temp.dat, and it uses the other .exe which is compiled for windows ce to the phone to do the updating process.
Any help here would be greatly appreciated. In particular I want btagext.dll in the /Windows directory and full instructions on how to do it myself for other protected files.
The ROM can be obtained by going to updates.eten.ch and downloading the latest English ROM file for the M600. The direct link is here:
ftp://support.com:[email protected]/Download/Updates/M600/ENG/EUU_M600_WWE_R01_100_0171.EXE
To get the ROM file and the update file, go to your Documents and Settings/profile name/Local Settings/Temp folder and clear out all the files.
Run the .exe you downloaded from above, and then look in the temp folder you just cleared. You should see a temp.dat which is the ROM file, EUU.exe which is the file that facilitates the transfer of the file to the ETEN M600 and another file USBDLUpdate_Console.exe which is a windows CE compiled file that facilitates the flashing process in some way.
Pdocread, part of itsutils, is able to see some of the information on my device:
pdocread -l lists the following:
122.19M FLASHDR
| 1.03M Part00
| 1.52M Part01
| 33.98M Part02
| 85.47M Part03
1.89G DSK1:
| 1.89G SD
STRG handles: a34cc21e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 1.89G) e3b41b8a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 85.47M) e3b4153e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 33.98M) 83b41436
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 1.52M) a3b412be
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 1.03M)
However it is not able to do anything other than that. All attempts at trying to access those partitions or the device (flashdr) fail with errors such as these (this is just a small list of the command options I've tried):
C:\itsutils\build>pdocread -d DSK1
ERROR: ITTFFSGetInfo - The handle is invalid.
C:\itsutils\build>pdocread -d DSK1:
ERROR: ITLogDiskInfo - An exception occurred in the service when handling the control request.
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
C:\itsutils\build>pdocread 0x0 0x200 foo.bin
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x0, 0x200, foo.bin)
ERROR: ITReadDisk - An internal error occurred.
C:\itsutils\build>pdocread -o -p part03
ERROR: ITTFFSGetInfo: outbuf==NULL
WARNING: using default 512 bytes for sectorsize
C:\itsutils\build>pdocread -d FLASHDR -w
ERROR: ITTFFSGetInfo - The handle is invalid.
Re: Need help extracting files from ETEN M600 ROM will pay $
I don't think that you'll be able to get a working dump of btagext.dll or any other system DLL. It does not have relocation information.
temp.dat in eten upgrade is in some strange format, it seems that data blocks are mixed.
What is the result of testdump.exe? I've attached the WM5 build of this program.
Re: Need help extracting files from ETEN M600 ROM will pay $
I've tried that before. That just dumps some information that is in memory. You can see calendar information, contact information, etc. If you put in 128 MB, which is the ROM size, it says DUMP OK this time (it had filesys errors the time I tried it a couple of weeks ago). See here:
http://www.eten-users.net/topic1085
Anyways, in the end it dumps a 64 MB file instead of the 128 you specified, which is just the stuff in memory, the 64 MB of RAM that this thing is supposed to have. If you use romdump on that file it doesn't get too many files, just about 30 or so, and none of them are very important (most you can get via Windows Explorer and ActiveSync).
FB
Re: Need help extracting files from ETEN M600 ROM will pay $
Why do you think that the ETEN has a 128 MB OS ROM? It has only a 48 MB ROM; the rest is left to persistent storage. So these tools would never dump the full 128 MB, only 64 MB max.
You should upload the output of the testdump tool somewhere, so I can look at it. It should produce a _correct_ ROM dump. You just cannot extract files from it correctly. "dumprom" is for older OSes, and with the "-5" switch it would extract only files from the XIP section (about 20 files). Use my "viewimgfs" tool to get everything from IMGFS.
I looked in the control panel, you are right, it appears that the system part takes up about 48 MB, with the rest of the 128 MB as user storage. It's kind of weird though that testdump would stop at 64 MB; wouldn't it stop at 48 MB instead? If not, why is it not doing the full 128 MB?
I tried what you had suggested and unfortunately that doesn't work either. I dumped a 64 MB image and a 48 MB image. viewimgfs.exe didn't work on those images. I tried prepimgfs on the 48 MB one and it couldn't find the imgfs start location. I tried it on the 64 MB one and it found it, but the resulting file was about 256 KB with a 4 KB "removed_data" file, which is definitely not right.
I tried it without first running prepareimgfs and it just says "unable to load compress .dll".
I can't send a ROM dump of what I have yet, as it contains all of my contacts and calendar information (looking at the memory dump in a hex editor). I'll have to wipe the device clean again and then I can send one, but that may take a while; I've got a lot of stuff set up right now.
Any other suggestions?
I found another bit of information. I played around with MTTY, which I know is for HTC devices, just to see what it would do. It connects to the bootloader, however you never get to a command prompt. It appears that I can send a command, but then it just tries to download a file (the updated ROM). So I'm not sure if anything else can be done with this; I was hoping I could do something like "d2s" but with MTTY that doesn't seem possible.
I'm wondering if there is some way to map a USB port to a COM port so I can use regular HyperTerminal. Does anyone know how to do this, as HyperTerminal only supports COM ports...
MTTY is identical to hyperterminal
Ahh okay, it must be that they haven't implemented a nice interface like HTC devices where you can issue all of those commands
Hi!
Until now can you dump it? I can help you dump....
PM me,OK?
Okay, so I've finally been able to get these files from Vijay, however I'm still running into issues as described here:
http://www.eten-users.net/topic1500
Anyone have any information on how to reconstruct PE files?

32mb pagepool ba wm6

Many Thanks to xda- developers esp helmi c xplod and mamaich for wm6.
We're luving it
Has anyone tried making a 32mb pagepool version of this yet ?
Actually, I set my BA's pagepool to 0M; its speed is the same as that of a 16M pagepool. If you like, you can change the pagepool to any number you wish, following this list.
address: 0x2565D3
00 00 00 00 = 0M
00 00 80 00 = 8M
00 00 C0 00 = 12M
00 00 00 01 = 16M
00 00 80 01 = 24M
00 00 00 02 = 32M
00 00 00 03 = 48M
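Added example (not from the thread): Python helpers that encode and decode the page pool field with the little-endian byte-count rule the table shows (00 00 00 01 is 0x01000000, 16 MB), and patch an image only after checking that the bytes at the offset already decode to a value from the table. That the offset applies to the decoded image you hex-edit is my assumption, and the sample image is constructed.

```python
"""Decode, sanity-check and rewrite the 4-byte page pool field from the table above.

Assumptions (not in the post): the offset applies to the decoded image that is
hex-edited (the thread later says nk.nbf must be converted first), and the field
is a little-endian byte count, which is what the table's byte patterns show.
"""
import struct

PAGEPOOL_OFFSET = 0x2565D3
TABLE_MB = (0, 8, 12, 16, 24, 32, 48)   # values listed in the post


def encode_pagepool(mb: int) -> bytes:
    """MB -> the 4 bytes written at the offset (e.g. 24 -> 00 00 80 01)."""
    if mb < 0 or mb >= 4096:
        raise ValueError("page pool must fit in 32 bits")
    return struct.pack("<I", mb << 20)


def decode_pagepool(raw: bytes) -> int:
    """The 4 bytes at the offset -> MB; rejects values that are not whole megabytes."""
    value = struct.unpack("<I", raw)[0]
    if value & 0xFFFFF:
        raise ValueError(f"0x{value:08X} is not a whole number of MB")
    return value >> 20


def read_pagepool(image: bytes, offset: int = PAGEPOOL_OFFSET) -> int:
    return decode_pagepool(image[offset:offset + 4])


def set_pagepool(image: bytes, mb: int, offset: int = PAGEPOOL_OFFSET) -> bytes:
    """Return a patched copy. Refuses to write unless the bytes already there decode
    to one of the table's values: that guards against editing the wrong file or
    offset (the symptom oradoe described) instead of silently corrupting it."""
    current = read_pagepool(image, offset)
    if current not in TABLE_MB:
        raise ValueError(f"{current} MB at 0x{offset:X} is not a known page pool value")
    patched = bytearray(image)
    patched[offset:offset + 4] = encode_pagepool(mb)
    return bytes(patched)


def build_sample() -> bytes:
    """Constructed image (zeros) with a 16 MB page pool at the offset; not a real ROM."""
    image = bytearray(PAGEPOOL_OFFSET + 0x100)
    image[PAGEPOOL_OFFSET:PAGEPOOL_OFFSET + 4] = encode_pagepool(16)
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample()
    print("before:", read_pagepool(sample), "MB")
    print("after: ", read_pagepool(set_pagepool(sample, 32)), "MB")
```

Note that a zero-filled region also decodes to 0M, which is in the table, so the guard cannot tell a wrong offset from a genuine 0M setting; the whole-megabyte check still catches most misses.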
wongjam said:
Actually, I set my BA's pagepool to 0M; its speed is the same as that of a 16M pagepool. If you like, you can change the pagepool to any number you wish, following this list.
address: 0x2565D3
00 00 00 00 = 0M
00 00 80 00 = 8M
00 00 C0 00 = 12M
00 00 00 01 = 16M
00 00 80 01 = 24M
00 00 00 02 = 32M
00 00 00 03 = 48M
Is this a hex edit? And if so, which file do we need to make it to? Thx in advance.
hi, koi_desi_pagal
Have you tried to perform a search, and what results did you get? Is there anything you don't understand or that is causing problems in the tutorial you've found?
unsuccessful
wongjam said:
Actually, I set my BA's pagepool to 0M; its speed is the same as that of a 16M pagepool. If you like, you can change the pagepool to any number you wish, following this list.
address: 0x2565D3
00 00 00 00 = 0M
00 00 80 00 = 8M
00 00 C0 00 = 12M
00 00 00 01 = 16M
00 00 80 01 = 24M
00 00 00 02 = 32M
00 00 00 03 = 48M
I am using WinHex and realized that it doesn't use hexadecimal but decimal addresses, so I changed 0x2565D3 into 2450899, but it seemed unable to work although I tried 4 choices of searching (from begin, from back...). I also tried to find the value 00000001 but was unsuccessful.
All work was done in nk.nbf
Any ideas?
oradoe said:
I am using WinHex and realized that it doesn't use hexadecimal but decimal addresses, so I changed 0x2565D3 into 2450899, but it seemed unable to work although I tried 4 choices of searching (from begin, from back...). I also tried to find the value 00000001 but was unsuccessful.
All work was done in nk.nbf
Any ideas?
@oradoe
In order to successfully hex edit a rom, you first need to convert the nk.nbf into NK.nba. Then, you hex edit, and finally reconvert it to nk.nbf.
Since you might ask how to do that, you may want to go to the Blue Angel Upgrading forum and look for the thread called "the Reason for the BA slowdown". If I am not mistaken, you should look within the first 5 to 7 pages and you will see a post from Forza that explains how to do the whole thing. Just remember that the WM5 address for the page pool is different from that of WM6.
Happy Hexing
Did anybody test different pagepool?
I've been searching for 8 hrs at the wiki and forum, downloading more than 50 files (typho5.exe, xda3nbftool.exe etc.) but still nothing.
Still trying....
And the addresses for Wm6.1? Thanks.

Request: Please post HOWTO for dumping Original ROM

Hi folks,
I've been reading quite a bit here, but found nothing really specific for dumping an original ROM of the Polaris. Could someone please state a little howto, like for the other devices? Or can other howtos (e.g. dumping the Elf ROM) be used for the Polaris?
thanks a lot....
seminiox said:
Hi folks,
I've been reading quite a bit here, but found nothing really specific for dumping an original ROM of the Polaris. Could someone please state a little howto, like for the other devices? Or can other howtos (e.g. dumping the Elf ROM) be used for the Polaris?
thanks a lot....
found with search...
http://forum.xda-developers.com/showpost.php?p=1847607&postcount=13
cheers!
thanx for your answer, will try to make a backup now.....
cu
OK, I extracted the 4 files, part00-04.raw. How can I create a file to flash for my device?
seminiox said:
OK, I extracted the 4 files, part00-04.raw. How can I create a file to flash for my device?
And do you want a coffee?
Do you know how to search this board?
Just found with search function..........
http://wiki.xda-developers.com/index.php?pagename=Elf_HowtoDumpRom
bye
ouioui01 said:
And do you want a coffee?
Do you know how to search this board?
Just found with search function..........
http://wiki.xda-developers.com/index.php?pagename=Elf_HowtoDumpRom
bye
Well, sorry for that, I have just not been sure if the description for an Elf will work on my Polaris. But I still have some new questions:
I first did a HardSPL. To create an archive, the guide says I have to:
take the extracted 05_OS.nb as shell/template for your ROMdump, will be overwritten!
D:\_ROM>make_imgfs.exe 05_OS.nb -nosplit
Searching for IMGFS start... Found at 00620000
Fixing... Done!
which can be extracted from
the ruu_signed.nbh from valid RUU_update.exe
So, if I don't have a valid RUU_update.exe (with the original German XDA Orbit 2 ROM) I have no possibility to follow the instructions...... ???
I'm in the same boat. I want a "clean" orbit 2 but, as we all know, any O2 shop will a) give me **** and b) ask me for a lot of money if I arrive with a custom-flashed orbit 2 I want repaired.
The guide looks good, but isn't really tailored for the current Polaris situation, is it?
From what I know, I guess that I can just take the generic HTC Polaris WWE on the FTP as a signed template and compile my backup ROM that way, right?
And last question: will that revert olis HardSPL too?
schaggo said:
And last question: will that revert olis HardSPL too?
not with my device
I also would like to know if the files provided here
http://wiki.xda-developers.com/index...f_HowtoDumpRom
are good to dump my original Polaris ROM?
Did someone do that already?
A step-by-step guide on how to dump my original Polaris ROM would be great...
Dumping a ROM isn't the problem. Getting the slightly branded/altered O2 ROM (compared to the original HTC factory Polaris ROM) back onto the device without an original O2 updater is going to be the problem, right?
Since the HTC 1.25.405.1 updater doesn't equal an (whenever it arrives) O2 updater, right?
So compiling a backup ROM consisting of the currently available HTC WWE updater and my Orbit 2 ROM backup is going to result in a device which could be identified as a Touch Cruise with O2 ROM extensions and not an original Orbit 2 with an O2 ROM, right?
I tried to dump according to the wiki, but it looks different (see below).
There seem to be some errors. Can anyone help?
D:\rom>pdocread.exe -l
210.88M (0xd2e0000) FLASHDR
| 3.12M (0x31f000) Part00
| 3.75M (0x3c0000) Part01
| 86.00M (0x5600000) Part02
| 118.00M (0x7600000) Part03
7.61G (0x1e6e80000) DSK1:
| 7.60G (0x1e6a80000) Part00
STRG handles:
handle 85ba9956 7.60G (0x1e6a80000)
handle 873ff0f6 118.00M (0x7600000)
handle 874995a6 86.00M (0x5600000)
handle 47499582 3.75M (0x3c0000)
handle a74993b2 3.12M (0x31f000)
disk 85ba9956
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 873ff0f6
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 874995a6
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 47499582
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk a74993b2
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
D:\rom>pdocread -w -d TrueFFS -p Part02 -t
ERROR: ITTFFSGetInfo - Das Gerät kann nicht verwendet werden.
WARNING: using default 512 bytes for sectorsize
real nr of sectors: 1 - 512.00byte (0x200)
D:\rom>
http://forum.xda-developers.com/showpost.php?p=1923718&postcount=121

[Qualcomm] Subsystem Interface Control

I'm looking for any information on the DMSS subsystem commands. I have a list of subsystem ids but none of the commands that correspond. My goal is to figure out how the Wireless Messaging Service (WMS) subsystem works. DCN 80-V1294-6 contains the information on building the payload packet but I can't find it anywhere. QXDM doesn't have any SMS controls as far as I know, so I can't spy on its communications. If anyone knows how to construct the proper packet request, I'd be very grateful.
Thanks
Doing some testing with the information I have, I came up with the following responses. I spied on the Call Manager subsystem command and figured the structure would be similar to the rest of the subsystem payload markup.
STRUCTURE
Code:
4b 0e 01 ZEROED BUFFER df 80 7e
4b is DM command for subsystem
0e is subsystem id for Wireless Messaging System
Next is a sequence of 1 - 8 that I've sent. Anything after 8 results in response code of 13 which is an invalid command.
Zeroed buffer length of 258
The usual CRC high low
7e terminator
RESPONSES
Code:
4b 0e 01 00 bf 23 7e
4b 0e 02 00 d7 09 7e
4b 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 74 44 7e
4b 0e 04 00 00 00 00 00 63 d7 7e
4b 0e 05 00 df 44 7e
4b 0e 06 00 00 00 00 00 35 df 7e
4b 0e 07 00 6f 77 7e
4b 0e 08 00 a7 f4 7e
Looks like subsys commands of 3, 4, and 6 are interesting. Need to figure out what else to pass in the payload.
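Added example (my own code, not the poster's tooling): Python that builds a subsystem request with the STRUCTURE above and validates the quoted responses before splitting them into fields. The CRC and escaping rules are standard DIAG/HDLC framing and are my reading of "the usual CRC high low"; the three response frames (cmds 1, 2 and 4) are typed in from the post as sample input.

```python
"""Build and check Qualcomm DIAG subsystem-command frames with the layout from the post.

Framing used here (standard DIAG/HDLC, not spelled out in the post): CRC-16 with
reflected polynomial 0x8408, init 0xFFFF, final XOR 0xFFFF, sent low byte first;
0x7E / 0x7D inside the body are escaped as 0x7D 0x5E / 0x7D 0x5D; 0x7E ends a frame.
"""
import struct

DIAG_SUBSYS_CMD = 0x4B   # "4b is DM command for subsystem"
SUBSYS_WMS = 0x0E        # "0e is subsystem id for Wireless Messaging System"
FRAME_END, ESCAPE, ESC_XOR = 0x7E, 0x7D, 0x20


def crc16_diag(data: bytes) -> int:
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def hdlc_escape(raw: bytes) -> bytes:
    out = bytearray()
    for b in raw:
        if b in (FRAME_END, ESCAPE):
            out += bytes((ESCAPE, b ^ ESC_XOR))
        else:
            out.append(b)
    return bytes(out)


def hdlc_unescape(escaped: bytes) -> bytes:
    out, it = bytearray(), iter(escaped)
    for b in it:
        out.append(next(it) ^ ESC_XOR if b == ESCAPE else b)
    return bytes(out)


def build_subsys_request(subsys_id: int, cmd: int, payload: bytes = bytes(258)) -> bytes:
    """4b <subsys> <cmd> <payload> <crc lo> <crc hi> 7e, as in the STRUCTURE block;
    the default payload is the zeroed 258-byte buffer the post describes."""
    body = bytes((DIAG_SUBSYS_CMD, subsys_id, cmd)) + payload
    return hdlc_escape(body + struct.pack("<H", crc16_diag(body))) + bytes((FRAME_END,))


def parse_frame(frame: bytes) -> dict:
    """Check terminator and CRC, then split a subsystem frame into its fields."""
    if not frame or frame[-1] != FRAME_END:
        raise ValueError("frame does not end with 0x7E")
    body = hdlc_unescape(frame[:-1])
    if len(body) < 5:
        raise ValueError("frame too short")
    data, crc_sent = body[:-2], struct.unpack("<H", body[-2:])[0]
    if crc16_diag(data) != crc_sent:
        raise ValueError(f"bad CRC: got {crc_sent:04X}, expected {crc16_diag(data):04X}")
    if data[0] != DIAG_SUBSYS_CMD:
        raise ValueError(f"not a subsystem command frame (first byte {data[0]:02X})")
    return {"subsys": data[1], "cmd": data[2], "payload": data[3:]}


# Three of the responses quoted in the post (cmds 1, 2 and 4), typed in as sample input.
SAMPLE_RESPONSES = [bytes.fromhex("4b0e0100bf237e"),
                    bytes.fromhex("4b0e0200d7097e"),
                    bytes.fromhex("4b0e04000000000063d77e")]


def decode_samples() -> list:
    """(cmd, payload hex) for each sample; raises if a CRC does not check out."""
    return [(p["cmd"], p["payload"].hex()) for p in map(parse_frame, SAMPLE_RESPONSES)]


if __name__ == "__main__":
    print(build_subsys_request(SUBSYS_WMS, 3).hex())
    print(decode_samples())
```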
Quick question --> How did you spy on the Call Manager?
