Here is a file IO monitoring tool for WM5 - Windows Mobile Development and Hacking General

I've written a tool that hooks the CreateFileW function and writes its parameters and the name of the caller process to the "\Storage Card\fileio.txt" file. Here is a sample output:
Code:
Hooked CreateFileW...
17FB4002: CreateFileW("\Windows\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\Release\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 3 ("\Windows\nk.exe")
17FB4002: CreateFileW("\Windows\CePerf.dll.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\CePerf.dll.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\Release\CePerf.dll.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 3 ("\Windows\nk.exe")
B6FA4402: CreateFileW("RIL1:",c0000000,0,0,3,0,0) -> F6769D16 ("\Windows\shell32.exe")
B6FA4402: CreateFileW("\windows\Default_stwater_240_320.gif",80000000,0,0,3,80,0) -> FFFFFFFF, Err: 2 ("\Windows\shell32.exe")
16DD2DCA: CreateFileW("\Windows\ActiveSync\CtrlLog.txt",40000000,3,0,4,0,0) -> 165DD2AE ("\Windows\repllog.exe")
16DD2DCA: CreateFileW("\Windows\Profiles\guest\Temporary Internet Files\Content.IE5\4TEF45QZ\SyncStat[1].dll",40000000,3,0,1,10000080,0) -> 7661E6E6 ("\Windows\repllog.exe")
16DD2DCA: CreateFileW("\Windows\ActiveSync\CtrlLog.txt",40000000,3,0,4,0,0) -> B65DD2F6 ("\Windows\repllog.exe")
575A36A6: CreateFileW("BAT2:",c0000000,0,0,3,0,0) -> 3660EBD2 ("\Windows\device.exe")
It also creates a file "Log.txt" in the root directory with some diagnostic information.
The program works only under WM5, though it can be recompiled for older OSes. The idea is simple: hooking the SystemAPISets table.
I can give the source code of the tool to someone who would finish the project: add logging of CreateFileForMappingW, DeviceIoControl and registry functions.
Installation process:
Copy TestApiSetHookDll.dll and TestApiSetHook.exe to the \Windows directory on the device and run TestApiSetHook.exe. It will output the message "CreateFileW hooked" and logging will start. To stop logging, reboot your device.
This program may conflict with antivirus programs installed on the Pocket PC, so use it at your own risk.
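The log format above is regular enough to post-process, and the first thing a reviewer wants from it is: which files does each process touch, with what access, and where does it look for things that are not there? The script below is an added example and not part of mamaich's tool. It parses lines in the sample format, decodes the Win32 dwDesiredAccess, dwCreationDisposition and dwFlagsAndAttributes values and the GetLastError code, and groups the failed not-found opens by caller and file name, so that a sequence like nk.exe looking for CePerf.dll in \Windows, then \, then \Release stands out as the loader walking its search path; each such directory is one to check for writability, since a planted copy there would be picked up first. The embedded sample log is the excerpt quoted in the post. Two assumptions are mine and not stated in the post: the numeric fields and the handle are printed in hex (consistent with the a0000000 and 10000080 values shown), and the Err value is a decimal GetLastError code.

```python
"""Decode the fileio.txt log written by the CreateFileW hook described above."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Win32 constants; Windows CE uses the same values as desktop Windows.
INVALID_HANDLE_VALUE = 0xFFFFFFFF
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x00000080: "FILE_ATTRIBUTE_NORMAL", 0x10000000: "FILE_FLAG_RANDOM_ACCESS"}
WIN32_ERROR = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}

# <caller>: CreateFileW("<path>",<access>,<share>,<sa>,<disp>,<flags>,<template>) -> <handle>[, Err: <n>] ("<process>")
# Assumption (the post does not say): numeric fields and the handle are hex, the Err value decimal.
LINE_RE = re.compile(
    r'^(?P<caller>[0-9A-Fa-f]+): CreateFileW\("(?P<path>[^"]*)",'
    r'(?P<access>[0-9A-Fa-f]+),(?P<share>[0-9A-Fa-f]+),(?P<sa>[0-9A-Fa-f]+),'
    r'(?P<disp>[0-9A-Fa-f]+),(?P<flags>[0-9A-Fa-f]+),(?P<template>[0-9A-Fa-f]+)\)'
    r' -> (?P<result>[0-9A-Fa-f]+)(?:, Err: (?P<err>\d+))? \("(?P<process>[^"]*)"\)$')

# Sample input: the log excerpt quoted in the post, banner line included to show it is skipped.
SAMPLE_LOG = r"""Hooked CreateFileW...
17FB4002: CreateFileW("\Windows\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\Release\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 3 ("\Windows\nk.exe")
17FB4002: CreateFileW("\Windows\CePerf.dll.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\CePerf.dll.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\Release\CePerf.dll.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 3 ("\Windows\nk.exe")
B6FA4402: CreateFileW("RIL1:",c0000000,0,0,3,0,0) -> F6769D16 ("\Windows\shell32.exe")
B6FA4402: CreateFileW("\windows\Default_stwater_240_320.gif",80000000,0,0,3,80,0) -> FFFFFFFF, Err: 2 ("\Windows\shell32.exe")
16DD2DCA: CreateFileW("\Windows\ActiveSync\CtrlLog.txt",40000000,3,0,4,0,0) -> 165DD2AE ("\Windows\repllog.exe")
16DD2DCA: CreateFileW("\Windows\Profiles\guest\Temporary Internet Files\Content.IE5\4TEF45QZ\SyncStat[1].dll",40000000,3,0,1,10000080,0) -> 7661E6E6 ("\Windows\repllog.exe")
16DD2DCA: CreateFileW("\Windows\ActiveSync\CtrlLog.txt",40000000,3,0,4,0,0) -> B65DD2F6 ("\Windows\repllog.exe")
575A36A6: CreateFileW("BAT2:",c0000000,0,0,3,0,0) -> 3660EBD2 ("\Windows\device.exe")
"""

@dataclass
class CreateFileRecord:
    caller: int
    path: str
    access: int
    share: int
    disposition: int
    flags: int
    result: int
    err: Optional[int]      # GetLastError value when the call failed, else None
    process: str

    @property
    def failed(self) -> bool:
        return self.result == INVALID_HANDLE_VALUE

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

def decode_bits(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the flags set in value, highest bit first; unknown bits as one hex word."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    unknown = value & ~sum(bit for bit in table if value & bit)
    return names + ([f"0x{unknown:08X}"] if unknown else [])

def parse_log(text: str) -> List[CreateFileRecord]:
    """Parse every CreateFileW line; lines that do not match (the banner) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(CreateFileRecord(
                caller=int(m["caller"], 16), path=m["path"], access=int(m["access"], 16),
                share=int(m["share"], 16), disposition=int(m["disp"], 16),
                flags=int(m["flags"], 16), result=int(m["result"], 16),
                err=None if m["err"] is None else int(m["err"]), process=m["process"]))
    return records

def find_search_order_probes(records: List[CreateFileRecord]) -> Dict[Tuple[str, str], List[str]]:
    """Not-found failures grouped by (process, file name), kept when one process tried the
    same name in two or more directories: that is the loader walking its search path, and
    every directory listed is one a planted copy would be loaded from if it were writable."""
    probes: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for r in records:
        key = (r.process, r.basename)
        if r.failed and r.err in (2, 3) and r.path not in probes[key]:
            probes[key].append(r.path)
    return {k: v for k, v in probes.items() if len(v) >= 2}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        outcome = f"FAILED {WIN32_ERROR.get(r.err, r.err)}" if r.failed else f"handle 0x{r.result:08X}"
        print(f"{r.process}: {DISPOSITION.get(r.disposition, r.disposition)} "
              f"{'|'.join(decode_bits(r.access, GENERIC_ACCESS)) or 'no access'} "
              f"[{'|'.join(decode_bits(r.flags, FILE_FLAGS)) or '0'}] {r.path} -> {outcome}")
    for (proc, name), paths in find_search_order_probes(recs).items():
        print(f"search-order probe: {proc} looked for {name} in {paths}")
```

Run as a script it prints the decoded sample and two probe reports (CePerf.dll and CePerf.dll.dll, both from nk.exe); for a real capture, pass the contents of \Storage Card\fileio.txt to parse_log.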

mamaich - I'd be interested in looking at the code if you don't mind; I'm interested in hooking system functions, but I'd like to use this tool on WM2003SE as well. Please PM me if you don't mind sharing it.
V

Hi there,
I was looking for some ways to hook the DeviceIoControl function.
mamaich, it would be great if you would share the source code.

Do you think it's possible to hook all RIL API using the same method?
Could you post the source code?
Thanks.
Bye
Sektor

Attached the source code
About hooking RIL: this method cannot be used; there are different ways to hook RIL functions.
Regarding DeviceIoControl: my other tool, which hooks the EnterCriticalSection function, can be used to hook it; the trap address to hook is 0xF000E3D4.

Thanks so much, Mamaich. I've got nothing to use it for right now, but you've got my very sincerest thanks, as ever!
V

Hmm....
This + CeRegSpy == install logger = making proper uninstalls possible
/me crosses fingers

Thanks Mamaich.
Could you explain to me the different ways to hook RIL functions, please?
Bye
Sektor

Sektor said:
Could you explain to me the different ways to hook RIL functions, please?
You may try this - http://www.xs4all.nl/~itsme/projects/xda/rilhook.html
Or if you are hooking RIL for only one program, you can just patch its import table on the fly, or the RIL.DLL export table. The process is almost identical to hooking DLL exports on a normal PC.

What changes are required in order to make it work under WM 2003SE for example?

This is obvious: the internal WM structures in undoc.h should be changed.

Mamaich - very interesting code. How would I go about hooking the file close events?
I have tried hooking method 0 of the w32 API (20), but the handles look wrong.
I also tried mapping the File API, but SystemAPISet[7] doesn't seem to have any methods, though I know it must be loaded.
Very confused...

I see this is using PerformCallback4. Apparently that function would be killed off in WM5; how come you can still use it?

TheBlasphemer said:
I see this is using PerformCallback4. Apparently that function would be killed off in WM5; how come you can still use it?
I think that this function would be left forever, but it would be allowed to be called only from trusted apps. And even if it is removed, there are dozens of other methods that can inject your code into the address space of another process or the kernel.
To mgargett:
Regarding hooking CloseHandle: maybe hooking 0xF0010000 would not be enough, but if you look into its disassembly:
Code:
CloseHandle
04 E0 2D E5 STR LR, [SP,#var_4]!
1C 30 9F E5 LDR R3, =unk_1FFFA54
00 30 93 E5 LDR R3, [R3]
00 00 53 E3 CMP R3, #0
0C 30 9F 05 LDREQ R3, =Int_CloseHandle
0F E0 A0 E1 MOV LR, PC
13 FF 2F E1 BX R3
04 E0 9D E4 LDR LR, [SP],#arg_4
1E FF 2F E1 BX LR
you'll see that unk_1FFFA54 may be set to the address of a function that will be called instead of CloseHandle. For example, this method is used by LMemDebug.DLL.
Of course, unk_1FFFA54 will have different addresses on different devices, but this is not a problem.

Hi mamaich.
I've tried to change the code from testcritsect.rar to hook DeviceIoControl function.
However, because my wisdom in that area is not far from 0, the program doesn't work as expected.
Code:
if (SystemAPISets[ApiSet]->cMethods <= Method)
{
    puts("Invalid method number");
    return 0;
}
The program ends in the if above. I don't know what I have wrong.
As you said above, I did this: #define FAULT_ADDR 0xF000E3D4 //DeviceIoControl
Are you sure this is the right number?
BTW, how did you get all this info?
I mean:
CreateFileW 0xF000AFDC
TakeCritSect 0xF000FF20
MessageBoxW 0xF000BB38

This is very interesting.
Would it be 'easy' to adapt it in order to catch registry modifications?
CERegSpy doesn't work well for WM5.0. At least it doesn't work at all with my Qtek 9000.

Isn't there a WM5 update for CERegSpy available from the Author?
V

vijay555 said:
Isn't there a WM5 update for CERegSpy available from the Author?
V
At least not at its website http://www.forwardlab.com/ceregspy.htm
Still on release 1.0.
Does anyone know about a newer version?

ZeBoxx does I think. But you have to write to the author for the new version.
V

Yep... I've got a WM5 version, but the evaluation download location doesn't work anymore - didn't keep a copy around, I'm afraid :/
So just write to the author, and you should be able to get the preliminary WM5 version. Alternatively, I think the app mentioned here *could* be coded to keep an eye on the registry as well. But I'm no coder.

Related

tool to fix broken bootloader

Here http://www.xs4all.nl/~itsme/download/bootloaderfix.zip is a tool to fix
a broken bootloader.
Use with extreme care, only as a last resort.
This tool depends on specific memory locations for certain ROMs.
It does verify that it is talking to a known ROM. It also does a very
minimalistic check whether the file presented to it resembles a bootloader.
I tested it with 3.16.52, 4.00.10 and 3.04.00 (the very old PPC2003 ROM).
It should also work with 3.17.03, 3.19.01, 4.00.01 and 4.00.05.
Unpack the archive; from the command prompt, in the 'build' directory,
run 'pnewbootloader bl515.nb0'.
It should take about 10 seconds.
output should be something like this:
Code:
C:\fix\build>pnewbootloader.exe bl515.nb0
protection found at 8c0d62d8
result: 00000000 00000000
If you get my CE utilities (http://www.xs4all.nl/~itsme/projects/xda/tools.html)
you can check the current bootloader version with
Code:
C:\>pmemdump 0x80001880 0x40
80001880: 20 00 00 00 20 72 30 00 ff ff 00 f1 e0 07 1f 00 ... r0.........
80001890: 00 00 00 00 20 20 20 20 56 35 2e 31 35 20 20 20 .... V5.15
800018a0: 20 00 00 00 20 20 42 6f 6f 74 6c 6f 61 64 65 72 ... Bootloader
800018b0: 20 00 00 00 20 57 41 4c 4c 41 42 59 20 00 00 00 ... WALLABY ...
Hi,
thanks for taking the time to make this utility. I am about to try it, but I'm not sure if I should run it on my XDA or on my desktop PC.
Could you please elaborate on how to use it?
Rico
Developer-#X2PL
Thanks for the new tool.
Unless I'm mistaken, this requires an ActiveSync connection?
I am stuck on Wallaby 5.17 and a corrupted ROM image (my fault) and so can't establish an ActiveSync connection. The only way to recover is to run an SD card restore, but I have had no joy with the Wallaby patch to overcome the bootloader's security (it loads to the SD card OK but does not patch the bootloader on startup).
Is there any way of running your bootloader tool from a serial connection using the load and go command?
Thanks
Richard
This tool runs on your desktop PC.
It requires a working ActiveSync connection,
and also a working Windows CE.
It is most useful for people who accidentally selected the same file for bootloader and OS image in xdarit and are now stuck without a bootloader.
And it provides an easy way to change the bootloader for people with a working XDA and bootloader 5.17.
Richard, it sounds like the only way to fix your XDA would be to get the patchloader working. Does it say something about loading diagnostics, bootloader detected, patching... etc.?
K2pl
Thanks for the reply.
I get no messages at all when entering the bootloader with the patched SD card. I am wondering if XDArit is actually writing to the SD card. I have been receiving the successful write message and had assumed that it had done so, but after asking it to write a CE image it confirmed this in about 2 seconds, which I'm sure it couldn't have achieved. I have presumed that I wouldn't be able to see this file under Windows File Explorer even if it had written it; is this correct? I have also tried the 1.4 MB version but this just crashes (Win XP) at the write stage. I have a Unix box as well; if this program is available for this platform I could try that.
It sounds like Sod's law to me: just two hours after corrupting my image a tool is released that would have allowed me to get out of it, if only I had applied it first. Oh well, such is life.
Any help much appreciated.
Richard
XDA developer Itsme said:
This tool runs on your desktop PC.
It requires a working ActiveSync connection,
and also a working Windows CE.
It is most useful for people who accidentally selected the same file for bootloader and OS image in xdarit and are now stuck without a bootloader.
And it provides an easy way to change the bootloader for people with a working XDA and bootloader 5.17.
Hi Itsme. Is there any link to download bootloader 5.15?
I'd appreciate it if you can post a link. :wink:
Thanks.
OCMAX
It is included in the zip file; just follow the instructions above. Don't forget, if this goes wrong you will have a paperweight, so don't do it unless you feel you really need to.
Richard
I think there are many more uses for a ROM-less XDA besides weighing down paper. You could also use it as a beer coaster, or, it being a nice shiny surface, it might invite you to deposit thin lines of certain powders on it.
xdarit being done writing way too quickly is possibly not a good sign; maybe it is writing to the wrong disk?
I guess I'm going to get a chance to try them all whilst I wait for my old laptop to re-load XP (currently Red Hat) in the hope that its simplistic setup might allow the XDArit to function.
Happy sniffing
Richard
YEP 8)
That was the problem: although it reported to be writing to the SD card, it was actually writing to my backup drive (no harm done). Once it was on my old laptop, there is so little on it that I could quickly see what was going wrong. Anyway, thanks for the help.
Richard
Richjn said:
OCMAX
It is included in the zip file; just follow the instructions above. Don't forget, if this goes wrong you will have a paperweight, so don't do it unless you feel you really need to.
Richard
Gee, guys, thanks :lol: .
I just tried it with the XDA:
cooked ROM 4.00.05 from Jeff, Wallaby 5.17, xdarit 1.02, 256 MB Panasonic SD; time for the bootloader overwrite and ROM less than 4 min.
It looks like it works well.
Thanks for the hard work.
Waiting for ROM 4.00.10 :roll:
Hi,
This sounds like good news. :lol: Can this tool rebuild my bootloader? Because last time I erased my bootloader (it's my fault); until now I am stuck on ROM 3.04.00 ENG / PW10B1 and can't upgrade the ROM for my device anymore. Please show me how to use this tool because I am not an expert computer programmer. Sorry for this stupid question and I hope you can help me with this problem.
Many thanks and nice work to the XDA Developer Team.
Regards
Sandy
For those who ran into a missing pput.exe:
the http://www.xs4all.nl/~itsme/download/bootloaderfix.zip is now updated,
and contains pput.exe.
pput.exe is also part of http://www.xs4all.nl/~itsme/download/itsutils.zip
Well, it worked!!!
Thanks so much. My XDA is once again fully operational. I did run into the missing pput.exe error, but once I downloaded this file it worked like a charm.
The only thing is the result line did not show, so I waited quite some time before I just assumed it was done. And it was. :lol:
Thanks again XDA-developers.
Rico
My Bootloader is Back
Hi XDA DEVELOPER Itsme,
I LOVE YOU MAN... hahahahahah I'm so happy you helped me solve this problem... many, many thanks, and great job. From now on I can upgrade my device again... THANKS WILLEM... GOD BLESS YOU.
Regards
Sandy
XDA Developers, you are Heroes
Hi Guys,
Nice work... two thumbs up for Willem and the other XDA Developer guys. You made me happy today... btw, good work. For almost 1 month I was waiting for help to solve this problem; finally you did it...
Many thanks
Itsme
Thanks for the help yesterday. As I live in Australia, by the time you helped me figure out what was going wrong it was gone midnight here, so having recovered my XDA I went to bed. Got up first thing, took a deep breath, ran your bootloaderfix tool and it worked flawlessly.
I now have an SD card backup waiting for the next time I mess up.
The only problem left is I seem to have one of the units that randomly hard resets itself when you enter the bootloader, but that's a small price to pay.
Thanks again to all the Developers, this is really great stuff.
Richard
Richjn,
You need to turn the phone off before entering the bootloader. If you power it off and enter the bootloader, it doesn't hard reset.
alex

mtty.exe & host11.exe ( flashing tools by HTC )

Hi All,
Maybe this is old hat, but it is good to know.
I've seen these two programs on the internet, made by HTC for the iPAQ:
1) mtty.exe = Multi-Port/USB TTY Version 1.10 2001 by HTC
2) host11.exe = Remote USB update 1.1
The first programme, mtty.exe, is a flashing utility made by HTC to flash the boot loader (only *.bin files) using the serial/USB cable for the iPAQ. After a reboot using the Wallaby boot loader menu, the iPAQ/XDA connects in the same way as using HyperTerminal, spitting out all the information about the hardware version and then looking for a *.bin file containing the boot loader; if found, it will start flashing the boot loader.
The second programme, host11.exe, is a flashing utility also made by HTC to flash the CE ROM only, via USB. After a reboot using the Wallaby boot loader menu, pressing the “Volume button” on the left side of the XDA (sorry, I don’t remember the button on the iPAQ) will bring you the “Remote USB update 1.1” menu on the XDA as well as on the iPAQ. If you have a file named “nk.nb0” located in the same directory as host11.exe, containing the CE ROM for the iPAQ (probably it will do the same for the XDA), it will start upgrading the CE ROM.
My question would be whether we can use these two programs to flash the XDA (using the “wboot515.bin” file to flash the boot loader, and “nk.nbf” – contained in Program A ver 3.17.03 CE ROM O2 UK, which we could edit with UltraEdit, cut the first two lines, save it and rename it “nk.nb0” – to flash the CE ROM) as an alternative to the SD card flashing method?
Please see below a small procedure for the iPAQ.
I got this info searching the iPAQ forums.
Mendo
Download the host11.exe file from here:
http://www.ultimatepocket.com/images/host11.exe
I have the mtty.exe program if you can't find it on the internet.
A very good explanation of the iPAQ upgrade using mtty.exe and host11.exe, English document:
http://www.wince.com.br/ftp/ipaq2002v214.doc
These are the links I've used for general info:
http://www.handhelds.org/z/wiki/HosT11
http://www.xonio.com/features/feature_unterseite_8750206.html
http://hardware.pchome.net/2002/07/13/3435.htm
I find this part of the upgrade procedure for the iPAQ very interesting:
-----------------------------------------------------------------------------------
Step 1- Check Pocket PC for Boot loader version number.
A) Establish a physical connection between your iPAQ and Desktop (Serial port). Use the "serial Auto-Sync Cable".
B) Open downloaded software folder. Execute the mtty.exe program on your desktop. Dialog box appears, select appropriate COM port settings. (i.e. COM1, COM2).
C) Press the speaker (game pad button) & reset button (Bottom right corner, you will need your stylus to get to the reset button.) at the same time.
D) Release the reset button, but ensure that you hold the speaker button until you see a parrot. On your desktop (Mtty.exe), you will see the following message being displayed:
******************************************************
InitDebugSerial using SERIAL PORT 3
******************************************************
Main=8C094D30
pTOC=FFFFFFFF
Init SCInitSerial
SCInitSerial-
HTC Integrated Re-Flash Utility for Strong ARM (Macaw) Version: 2.31
This version could be used for Parrot PPSH board to flash boot load
Built at: Mar 8 2001 13:40:39
Copyright (c) 1998-2000 High Tech Computer Corporation
CPU speed = 206 MHz
DRAM speed = 103 MHz
Main- no CF card
FW 0:4:38>
E) Note the Version Number. Since the Version number is 2.31 you will need to upgrade it to 2.43.
Step 2- Upgrade Boot loader Version.
A) Ensure that the mtty.exe & the file mboot241.bin are in the same folder or directory.
B) At the FW 0:4:38> prompt, type "l MBOOT241.bin" (type as is, minding the case). A new boot loader will be flashed. This will enable one to flash the OS using USB rather than serial: flashing the OS by serial takes about 30 minutes to complete, while the USB connection takes about 4 minutes. IMPORTANT!!!!! Don't remove the cables during this process. This process takes about 1 min.
C) Do a cold reset of the device (bottom right corner; you will need your stylus to get to the reset button).
D) You can check if the program was a success by repeating step 1 C and D. Note that the version number has changed.
-------------------------------------------------------------------------------------
It looks like it is possible to use the USB cable to flash the boot loader, not only the serial cable.
Again, I am interested whether these things are good for the XDA as well, of course using the right boot loader and CE ROM files, as mentioned before.
BootBlaster utility for the iPAQ (very interesting; it would be good to have one for the XDA):
http://www.hardce.com/htmlcn/CN/document/023/BACKUP_IPAQ_ROM.htm
Download from here:
ftp://ftp.handhelds.org/pub/linux/compaq/ipaq/v0.30/BootBlaster_1.18.exe
How to flash CE ROM image to the device via USB cable?
Initial condition: Windows 2000 or NT platform. The code being flashed and the flashing tool need to be put under the same directory.
1. Disable USB connection from the Connection Settings in Active Sync
(Uncheck the box for “ Allow USB connection with this desktop computer” )
2. Enter bootloader mode of the device by pressing down power button and soft reset at the same time.
3. Press Record button on the side of the device to enter USB Flash Mode
4. Plug in USB cable to the device, launch “mtty110 – USB” flashing tool and then choose USB port to start re-flashing.
5. Press Enter. Enter command to flash CE image when USB> is present. The command is l followed by the bin file name. For example,
USB> l wallaby233busa_2s.bin
6. After code-flashing process is finished, the device needs to be hard reset to ensure the old version is being overwritten.
How to flash CE ROM image to the device via serial cable?
Initial condition: The code being flashed and the flashing tool need to be put under the same directory.
1. Disable the serial COM port from the Connection Settings in Active Sync (Uncheck the box for “allowing serial cable or infrared connection to this COM port” )
2. Launch MTTY flashing tool
3. Connect the device with a desktop via serial cable and enter bootloader mode by pressing down power button and soft reset at the same time
4. Enter command to copy CE image when FW> is present. The command is l followed by the bin file name. For example, FW> l wallaby233busa_2s.bin
5. After code-flashing process is finished, the device needs to be hard reset to ensure the old version is being overwritten.
How to flash Bootloader to the device via serial cable?
Initial condition: The code being flashed and the flashing tool need to be put under the same directory.
1. Disable the serial COM port from the Connection Settings in Active Sync (Uncheck the box for “allowing serial cable or infrared connection to this COM port” )
2. Launch MTTY flashing tool
3. Connect the device with a desktop via serial cable and enter bootloader mode by pressing down power button and soft reset at the same time
4. Enter command to re-flash bootloader when FW> is present. The command is l followed by the bin file name. For example, FW> l wboot507.bin
5. After code-flashing process is finished, the device needs to be hard reset to ensure the old version is being overwritten.
How to flash CE ROM image from the device to SD card?
1. Disable the serial COM port from the Connection Settings in Active Sync (Uncheck box for allowing serial cable or infrared connection to this COM port)
2. Launch MTTY flashing tool
3. Connect the device with a desktop via serial cable and enter bootloader mode by pressing down power button with soft reset at the same time
4. Unplug serial cable from the device, insert 64MB SD card and then plug in serial cable again.
5. Enter command “r2c” to copy CE image to SD card. For example, FW> r2c
6. The message “SD flashing is success” is displayed after the process is finished.
How to flash CE ROM image on SD card to the device?
1. Insert SD card to the device
2. Enter bootloader mode by pressing down power button and soft reset at the same time
3. Press Action button to start SD flashing
4. Message indicates SD flashing is finished. Again, the device needs to be hard reset to ensure the old version is being overwritten.
How to flash GSM code via serial cable?
1. Disable the serial COM port from the Connection Settings in Active Sync (Uncheck box for allowing serial cable or infrared connection to this COM port)
2. Connect the device with a desktop via serial cable and enter bootloader mode by pressing down power button with soft reset at the same time
3. Launch Monitor flashing tool
4. Click “Target” on the menu bar, and choose “Connect…”
5. Enter bootloader mode again when seeing a message to switch on the target
6. Click on “Flash”, Choose “Erase all applications+ bootloader” the last option in the dropdown list
7. Click YES to start flashing
8. Hard Reset the device to ensure the new code overwrites the old one.
And where can I find the BIN file, for example "wallaby233busa_2s.bin"? Upgrading by USB is my only chance (broken SD card slot in my MDA).
I have mistakenly installed a T-Mobile ROM on my O2 XDA and I want to switch back to the XDA Developers Special Edition ROM. For some reason the T-Mobile ROM doesn't let me use the setup they have. The SD card method does not work for me since I do not have an external SD card writer. Can I use mtty and host11 to do this? Where do I get the bin files that you mentioned?
Thanks for your help
Hi Countster,
It's been a while since I was playing with my XDA.
The files I was talking about, "mtty" and "host11", you can find on the Internet or post a message on the forum (I used to have them on an old PC in the office, but I've lost them together with the bin ROM file). I also never had to use the USB flash application; back then I was only preparing for the worst case, but my XDA never failed during the upgrade.
But the best method as far as I know is the one using an SD card (buy an external SD card reader from eBay; it's only 15 Euro max.).
I found this post on the net and these guys are having problems using the USB tool:
http://www.pdastreet.com/forums/showthread.php?threadid=21433
http://goodhyun.com/archives/2004/08/how_to_dump_new.php
My advice is to use the XDA forum for info and the SD card method, because as far as I can remember it was the best.
The cooked ROM file should be available somewhere on the forum.
If you decide to use host11.exe, you might have to delete (trim) the first two rows of the "rom.bin" file and rename it "nk.nb0" (you need to open the file with a hex editor and then delete the two hex-encoded rows).
In the case of T-Mobile/O2, the flash application they use to flash the XDA checks, validates and then trims the rom.bin file; after this it flashes the XDA.
A very important thing to know is that it hasn't been confirmed that "host11.exe" works with the XDA (it might work only with the iPAQ).
Apparently it might work to download the file, but it is also important at what (hex) address in the XDA flash memory the program starts to write the firmware (the bin file). The danger is overwriting the bootloader or part of it (the bootloader is like your PC BIOS), and this will destroy your XDA, because it won't boot any more and it won't communicate on any port.
I hope that your XDA is still booting and you haven't lost the boot loader (that is the worst case).
My final advice: don't use host11.exe, but instead use the SD method.
Regards,
Mendo
Hmmm, seems dangerous... either I have to RTFM or try to get the SD card writer. Thanks for your help!
How to dump new rom image into ipaq using host11.exe
If your OS upgrade image came with UpgradeUT.exe, I mean if you tried to upgrade your iPAQ and got the popup screen "HP ROM UPGRADE Utility v3.15", then the .nbf files can't be inserted directly using host11.exe.
Certainly, there are situations where you want to dump the ROM image into the iPAQ in a straightforward manner, not guided by the fixed routine. In that case, you have to trim the unnecessary portion of your file.
Delete the inverted part and rename it to nk.nb0,
then set your iPAQ to the USB memory upgrade mode and run host11.exe.
Don't forget to kill ActiveSync when you do this.
goodhyun (2 August 2004, 23:31) Technology
*************************************************************
For the XDA, the nk.nbf file should look like this, in the Ultraedit viewer (use Ultraedit to open the file and edit/save it):
00000000h: 50 57 31 30 41 31 2D 45 4E 47 2D 33 2E 31 37 2D ; PW10A1-ENG-3.17-
00000010h: 30 30 31 2D 38 37 32 2D 2D 2D 2D 2D 2D 2D 2D 2D ; 001-872---------
00000020h: FE 03 00 EA 00 00 00 00 00 00 00 00 00 00 00 00 ; þ..ê............
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000050h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000060h: 45 43 45 43 00 10 0A 8C 00 00 00 00 00 00 00 00 ; ECEC...Œ........
Remove this bit "PW10A1-ENG-3.17-001-872---------" (the two hex lines too).
Then save the file and rename it "nk.nb0", then set your XDA to the "USB memory upgrade mode" (using the bootloader menu shortcuts) and run host11.exe.
Don't forget to kill ActiveSync when you do this.
*************************************************************
Be careful, this procedure can make your XDA useless. I've not done this myself on my XDA; this is info from the net.
Use this method only if the Programme A method fails, and don't use it to upgrade the radio stack.
Regards,
M
http://en.pdamobiz.com/en/forum/PDAforum_posts.asp?TID=406&PN=1
Posted By mottile on 23-Dec-05 at 06:51
Hi,
I have an iPAQ 3870. I upgraded to WM2003 using host11.exe and a ROM image found on eMule. But I had problems with certain software on it, so I decided to go back to 2002. I erased the 32 bytes from the beginning of the ROM file, and used host11.exe.
My problems:
No asset tag and SN
No model information when trying to run the official ROM upgrade.
I have the original backup, but I cannot flash it with the official upgradeut.exe
motti
Posted By basf on 24-Dec-05 at 16:31
Um... I have seen the communication about this problem on this site before.
Edit the ROM nk.nb0, offset 01ff000ah, to be your asset number.
http://en.pdamobiz.com/en/forum/forum_posts.asp?TID=50
Now what you need is the file to upgrade to WM2003 (I don't know where to get it now because HP Thailand did not support the upgrade or sell the upgrade file/Chan).
The upgrade is composed of 3 files.
1. host11.exe - this program flashes the ROM
2. nk.nb0 - ROM data or firmware file
3. readme.txt - the method to flash the ROM
Then you need a hex editor such as UltraEdit-32 (if you don't have one, try searching google.com) to edit nk.nb0.
UltraEdit-32 will show 3 parts:
First, "0xxxxxxxh:" (shows the line and address of the data).
Second, in the middle, is the data in hex (on top there is a ruler from 0 to f; if you cannot see it, just go to the menu View > Display Ruler), so you can see at the first line or address 01ff0000h: = 31, 01ff0001h: = 00, 01ff0002h: = 2E, 01ff0003h: = 00, 01ff0004h: = 31, ....
Third is the "ASCII CODE".
Picture 1 shows the mark at address 01ff000ah.
Picture 2 shows the mark at address 01ff0e00h.
At this point we have to change the data in the file nk.nb0, starting from 01ff000ah: to 01ff0020h:.
The original file "nk.nb0" shows "ASCII CODE" in that position as "4.G.2.3.D.W.3.4.M.1.N.0". These numbers are the Asset Tag # and Serial # that you have to take from your iPAQ; they can be found on the back at S/N.
Then click on the "ASCII CODE" at the position of the address that you want to change; in this case you have to click on the number 4. Then key in the first digit of your iPAQ S/N, then click on G and key in your second S/N digit, until you finish all the digits.
You also have to do the same thing at address 01ff0e00h to 01ff0e14h.
Once all the numbers are corrected, just save the file.
Next is to disable ActiveSync; there are two methods:
1. In Microsoft ActiveSync on the PC, click File > Connection Settings... > uncheck the checkbox "Allow USB connection with this desktop computer" > OK.
or
2. End the process "wcescomm.exe": call "Windows Task Manager" by pressing the three buttons Ctrl, Alt, Del, then on the "Processes" tab click "wcescomm.exe", then click the "End Process" button.
Now the iPAQ 38xx has to be set in the "Remote USB Update" mode:
Press button 2 (default: Contacts button) and button 4 (default: iTask button) and the Power button, then use the stylus to press Reset (the small hole at the bottom of the iPAQ); wait until the screen shows the message "Remote USB Update".
Put the iPAQ in the USB cradle, and connect the battery charger AC adapter for safety.
Then run "host11.exe".
(If the message "USB Lost connection" comes out continuously, that means the connection has a problem; just take the PPC out of the cradle, restart your PC and reset the PPC, then put the PPC into "Remote USB Update" mode and try running "host11.exe" again.)
Starting to update, now at 7%.
Nearly finished.
If there is no problem, the ROM flash process will finish with the message "Flash Done." on the PC.
On the PPC screen.
Then take the PPC out of the cradle and soft reset it. Now the screen of the PPC will be pink and the version of the OS at the bottom right will be 4.00. Then wait for a while; everything will be as if we had just hard reset.
(In case the pink screen stays too long, just do a hard reset, via pressing button 1 (default: Calendar button) and button 4 (default: iTask button), then use the stylus to press Reset, then wait till the pink screen comes again.)
Finally, you are now using WM2003 on your iPAQ 38xx.
====================
If you used method 1 to disable USB in Microsoft ActiveSync:
You have to enable USB in Microsoft ActiveSync to sync all data back from the PC to the PPC.
- Connect the PPC to the USB cradle.
- Open Microsoft ActiveSync on the PC.
- Click File > Connection Settings... > click the button Get Connected...
- In Microsoft ActiveSync, check the checkbox "Allow USB connection with this desktop computer".
- Then the program will ask to set up a partnership (I used the default name "Pocket_PC").
If you used method 2 to disable USB:
- Open Microsoft ActiveSync on the PC.
- Connect the PPC to the USB cradle.
- Click File > Connection Settings... > click the button Get Connected...
- In Microsoft ActiveSync, check the checkbox "Allow USB connection with this desktop computer".
- Then the program will ask to set up a partnership (I used the default name "Pocket_PC").
====================
# Finally, you have ...
an iPAQ 38xx, the "old one", but with a "new OS", changed from PPC2002 to WM2003 (Windows Mobile 2003), and the Asset Tag # and Serial # are still the same as before.
To check the Asset Tag # and Serial #, on the PPC tap Start > Settings > System > Asset Viewer > Identity.
What new things you will find compared to PPC2002:
- Beautiful Bluetooth icon.
- New Connections in Settings... may make you a little confused.
- New volume-setting bar.
- One more game, Jawbreaker (previously only Solitaire).
- Faster Add/Remove Programs.
- Overall it is faster.
====================
# Thanks to K. ImHoTep so much for suggesting many things until I could solve all the problems.
# and thanks to K. pat2545 who guided me at first.
# and thanks to all the members who tested and exchanged experience in the forum.
(I have to thank K.Shine so much for contributing the detailed method/howto, which makes things much easier. /Chan)
mendo said:
Download the host11.exe file from here:
http://www.ultimatepocket.com/images/host11.exe
I have the mtty.exe program if you can't find it on the internet.
A very good explanation about the Ipaq upgrade using mtty.exe and host11.exe, english document:
http://www.wince.com.br/ftp/ipaq2002v214.doc
These are the links I've used for general info:
http://www.handhelds.org/z/wiki/HosT11
http://www.xonio.com/features/feature_unterseite_8750206.html
http://hardware.pchome.net/2002/07/13/3435.htm
I'll be very grateful if you send mtty to [email protected]
I have problems with an HP 5550.

How to add or change interrupt in WindowsMobile

Hi to ALL!
Is it possible to add or change existing hardware interrupts in Windows Mobile 2003/2005?
I mean this:
Code:
FFFF0000 LDR PC, =func_ad_1
FFFF0004 LDR PC, =func_ad_2
FFFF0008 LDR PC, =func_ad_3
etc...
FFFF03E0 func_ad_1
FFFF03E4 func_ad_2
FFFF03E8 func_ad_3
I want to add my own func_ad_X or change one of these addresses.
I tried to write to this part of memory in kernel mode (using SetKMode) but got an access violation.
Maybe I must use some kernel API functions (like HookInterrupt or something else) to reach the goal more correctly. Does anybody know?
So, help me please.
Thanks.
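
As an added illustration of the table in the question above (example code written for this page, not something from the post or from Windows Mobile): an ARM vector written as `LDR PC, =func_ad_1` assembles to `LDR PC, [PC, #imm12]`, so the handler address is not inside the instruction at 0xFFFF0000 but in a literal word 8 + imm12 bytes later, here 0xFFFF03E0 (ARM reads PC as the instruction address plus 8). Redirecting a vector therefore means rewriting that literal word, and the page holding it has to be mapped writable, which is exactly what an access violation on a plain store tells you it is not. The vector and literal addresses are the post's; the instruction words and the handler addresses 0x8000xxxx are constructed to match.

```python
"""Decode and patch ARM `LDR PC, =addr` vector entries (added example)."""
import struct

VECTOR_BASE = 0xFFFF0000   # high vector table, as in the post
LITERAL_BASE = 0xFFFF03E0  # literal pool holding func_ad_1, func_ad_2, ...
PIPELINE_PC = 8            # PC as seen by an ARM-state instruction


def encode_ldr_pc_literal(insn_addr: int, literal_addr: int) -> int:
    """Build `LDR PC, [PC, #offset]` so that it loads the word at literal_addr."""
    offset = literal_addr - (insn_addr + PIPELINE_PC)
    if abs(offset) >= 0x1000:
        raise ValueError("literal pool out of imm12 range")
    up = 1 if offset >= 0 else 0
    # cond=AL(0xE), 01, I=0 P=1 U=up B=0 W=0 L=1, Rn=PC, Rd=PC, imm12
    return 0xE5100000 | (up << 23) | (15 << 16) | (15 << 12) | (abs(offset) & 0xFFF)


def decode_ldr_pc_literal(word: int, insn_addr: int) -> int:
    """Return the literal address an `LDR PC, [PC, #+/-imm12]` word reads from."""
    # bits 27-25 == 010, B == 0, L == 1, Rn == PC
    if (word & 0x0E5F0000) != 0x041F0000:
        raise ValueError(f"0x{word:08X} is not a PC-relative LDR")
    if (word >> 12) & 0xF != 15:
        raise ValueError("destination is not PC, so this is not a vector entry")
    offset = word & 0xFFF
    if not word & (1 << 23):  # U bit clear: subtract
        offset = -offset
    return insn_addr + PIPELINE_PC + offset


def build_vector_page(handlers: list) -> bytearray:
    """Constructed 1 KiB image of the vector page: LDRs at 0xFFFF0000, literals at 0xFFFF03E0."""
    page = bytearray(0x400)
    for i, handler in enumerate(handlers):
        insn_addr = VECTOR_BASE + 4 * i
        lit_addr = LITERAL_BASE + 4 * i
        struct.pack_into("<I", page, insn_addr - VECTOR_BASE,
                         encode_ldr_pc_literal(insn_addr, lit_addr))
        struct.pack_into("<I", page, lit_addr - VECTOR_BASE, handler)
    return page


def vector_handler(page: bytearray, index: int) -> int:
    """Follow vector `index` through its literal word to the current handler address."""
    insn_addr = VECTOR_BASE + 4 * index
    (word,) = struct.unpack_from("<I", page, insn_addr - VECTOR_BASE)
    lit_addr = decode_ldr_pc_literal(word, insn_addr)
    return struct.unpack_from("<I", page, lit_addr - VECTOR_BASE)[0]


def redirect_vector(page: bytearray, index: int, new_handler: int) -> int:
    """Point vector `index` at new_handler by rewriting its literal word; return the old handler.

    On real hardware this single word store is the write that needs the vector
    page mapped writable; the LDR instruction itself is left untouched.
    """
    insn_addr = VECTOR_BASE + 4 * index
    (word,) = struct.unpack_from("<I", page, insn_addr - VECTOR_BASE)
    lit_off = decode_ldr_pc_literal(word, insn_addr) - VECTOR_BASE
    (old,) = struct.unpack_from("<I", page, lit_off)
    struct.pack_into("<I", page, lit_off, new_handler)
    return old
```

Because the entries and their literals are both spaced 4 bytes apart, every vector in this layout encodes to the same word, 0xE59FF3D8; only the literal it reaches differs.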

[Q] I cannot enable my wireless

After upgrading my SPL 1 on the HTC Hermes (i-mate JasJam) to SPL 2.1 and then installing WM 6.1, the WiFi is not working.
I can't turn on WiFi. When I touch the switch it does not turn on. I have already done several hard resets and this does not help.
Someone solved that problem in this thread:
http://forum.xda-developers.com/show...490681&page=34
****OK, finally it's all OK.
I have read a good EEPROM,
so here is the solution:
Load olipro1.30 onto your Trinity.
Open trin100.nb with a hex editor.
At 1b810 and 1b820 replace htxxxx.. with your S/N (htxxyyxxxxx).
At 1f850 replace aa with your MAC address; remember it is reversed (real MAC: 00-01-02-03-04-05-06, written as 6d 54 06 05 04 03 02 01 00).
Save the file.
Now in the bootloader:
task 32
password BsaD5SeoA
lnb trin100.nb 500a0000 40000
reset
and enjoy****
But the problem is that this thread is for the HTC Trinity and I have an i-mate JasJam.
I have done the same steps, and when I want to convert the "nb" file in mtty I write this command:
lnb trin100.nb 500a0000 400
mtty tells me:
unkonwn cmd command!!
Someone asked the same question and they told him: "you must have had olipro1.30 on your mobile", and I cannot find olipro1.30 for the JasJam.
Please, I need your help!!!!!
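
Both hex-editor edits in this thread, the iPAQ nk.nb0 asset-tag/serial string (which the editor shows as "4.G.2.3.D.W.3.4.M.1.N.0" because it is UTF-16LE, a zero high byte after each character) and the quoted Trinity trin100.nb edit (ASCII serial at 0x1b810 and 0x1b820, MAC written reversed at 0x1f850), are the same operation: overwrite a fixed-size field at a known offset with exactly as many bytes as were there. The script below does that with a length guard and an expected-contents check, so a wrong offset or a wrong file fails instead of silently corrupting the image. It is an added example written for this page, not code from either post; the offsets are the ones quoted above, the images are constructed stand-ins, and the MAC field is assumed to hold just the six octets in reversed order (the quoted post shows extra bytes that are not reproduced here).

```python
"""Patch fixed-size identity fields in a firmware image without changing its size (added example)."""
from __future__ import annotations

import hashlib


class PatchError(ValueError):
    pass


def patch_bytes(image: bytearray, offset: int, new: bytes, expect: bytes | None = None) -> None:
    """Overwrite image[offset:offset+len(new)] in place.

    With `expect` given, refuse unless those bytes are currently there: this
    catches a wrong offset or a file that is not the one you think it is.
    """
    end = offset + len(new)
    if end > len(image):
        raise PatchError(f"field at 0x{offset:X} runs past the end of the image")
    current = bytes(image[offset:end])
    if expect is not None and current != expect:
        raise PatchError(f"unexpected bytes at 0x{offset:X}: {current!r}")
    image[offset:end] = new  # same length in and out, so no other offset moves


def patch_string(image: bytearray, offset: int, old: str, new: str, encoding: str) -> None:
    """Replace a fixed-width string field; the replacement must encode to the same length."""
    old_b, new_b = old.encode(encoding), new.encode(encoding)
    if len(new_b) != len(old_b):
        raise PatchError(f"{new!r} is {len(new_b)} bytes, but the field is {len(old_b)} bytes")
    patch_bytes(image, offset, new_b, expect=old_b)


def patch_mac_reversed(image: bytearray, offset: int, mac: str) -> None:
    """Write a MAC as six octets, last octet first (assumed layout of the 0x1F850 field)."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise PatchError("MAC must have six octets")
    patch_bytes(image, offset, octets[::-1])


# nk.nb0: the post edits the asset tag / serial string at 0x01FF000A and again at 0x01FF0E00.
NK_OFFSETS = (0x01FF000A, 0x01FF0E00)
NK_ORIGINAL = "4G23DW34M1N0"
# trin100.nb: serial "htxxyyxxxxx" at two offsets, reversed MAC at 0x1F850.
TRIN_SERIAL_OFFSETS = (0x1B810, 0x1B820)
TRIN_MAC_OFFSET = 0x1F850
TRIN_PLACEHOLDER = "htxxyyxxxxx"


def make_nk_image() -> bytearray:
    """Constructed 32 MiB stand-in for nk.nb0 with the original string at both offsets."""
    image = bytearray(0x02000000)
    for off in NK_OFFSETS:
        patch_bytes(image, off, NK_ORIGINAL.encode("utf-16-le"))
    return image


def patch_nk_serial(image: bytearray, new_serial: str) -> bytearray:
    for off in NK_OFFSETS:
        patch_string(image, off, NK_ORIGINAL, new_serial, "utf-16-le")
    return image


def make_trin_image() -> bytearray:
    """Constructed 128 KiB stand-in for trin100.nb with placeholder serial and MAC fields."""
    image = bytearray(0x20000)
    for off in TRIN_SERIAL_OFFSETS:
        patch_bytes(image, off, TRIN_PLACEHOLDER.encode("ascii"))
    patch_bytes(image, TRIN_MAC_OFFSET, b"\xaa" * 6)
    return image


def patch_trin_identity(image: bytearray, serial: str, mac: str) -> bytearray:
    for off in TRIN_SERIAL_OFFSETS:
        patch_string(image, off, TRIN_PLACEHOLDER, serial, "ascii")
    patch_mac_reversed(image, TRIN_MAC_OFFSET, mac)
    return image


def read_field(image: bytearray, offset: int, length: int) -> bytes:
    return bytes(image[offset:offset + length])


def sha256(image: bytearray) -> str:
    """Hash the image before and after editing so you can prove which file went to host11/mtty."""
    return hashlib.sha256(image).hexdigest()


def rejected(fn, *args) -> bool:
    """True if fn(*args) raises PatchError; used to check the length guard."""
    try:
        fn(*args)
    except PatchError:
        return True
    return False
```

For a real image, read the file into a `bytearray`, run the patch, compare `len()` and `sha256()` before and after, and only then hand the file to the flash tool.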

NetGear LM1200 LTE Modem

I wanted cellular service but wanted it separate from my router with wired and WiFi.
There were some OEM modems available but I ended up with a NetGear LM1200 LTE modem (USD 150).
I plugged it in using the SIM from my old MiFi 8800L and it booted and connected fine.
I was surprised that I could tracert to something on VZW even without any service plan.
Screws are hidden under the rubber mat. I marked the position, pulled up a corner, used an office hole punch.
The UART is accessible. It uses 1.8V logic levels, 115.2 kbps, 8-n-1.
I mounted a JST XH-3 connector on the back panel and glued it in.
It works fine, but I need the UART login password.
Code:
mdm-perf 202108182013 mdm9607 /dev/ttyHSL0
mdm9607 login:
I loaded a software update on my usual connection and uploaded it to the modem.
The biggest difference is that the WAN input for fallback is now supported.
One thing that is nice is that the modem has a fixed IP (192.168.5.1) even when it is in bridge mode and has a network-granted IP.
The web way to get status is through http://192.168.5.1/model.json?internalapi=1
You can add bogus query parameters if you are worried about something caching, &x=1234
Still, it only has one version of this JSON, which is 12 kB and takes over 300 ms to deliver!
OTOH, it gives out information that my old 8800L didn't have, like Local Area code.
Many tower DBs won't give you anything with just the tower ID.
I really want to get into this to add my own CGI to get a terse and useful status.
I like to be able to easily see signal quality when driving around and considering where to park.
I have not had this device before. What protocol are you using? I assume telnet.
On those older devices a lot of them don't have a root password, just user root and a blank password. I see I have an spk for this one but nothing I made, and I have no notes for this one, so it tells me I have not had it before. If I need to get into a device and can't get past the root password, in Sierra devices there is usually a port open for AT commands; as I am sure you know, on newer devices it is 5510 and on a few others (mostly non-US models) 5511, so try 192.168.5.1:5510.
Use nmap or another port scanner to check for open ports. You may have to use one of those Ethernet ports if that USB-C has no endpoints; I would check the C port first, it should work after enabling the ports.
If you can get in you can probably enable adb after you pass the security challenge; I can help you with passing that if you need it. Here are some known root passwords you can try for Sierra:
GENERIC: "A710"
AC815s: "fallow"
MR1100: "lindeman"
AC790-Telstra: "sunflower"
LB1111: "granville"
AC810-100EUS: "whistler"
AC810S-1P1PLS: "seymour"
AC810S-1TLAUS: "grouse"
AC810S-1RDQAS: "cypress"
AC790-100EUS: "lavender"
AC790S-1SPSUS: "bluebell"
If all else fails I will give you the firm for it and you can pull the shadow file from it; it holds the root pass and I'll show you how to reverse it and get the root pass from it.
rich hathaway said:
What protocol are you using, I assume telnet.
No, I'm directly on the debug UART (shown in those photos).
I can see a normal Qualcomm sbl/abl boot over the UART.
I've tried to interrupt it here but haven't been successful:
Code:
CTRL+C: enter instruction mode
RECOVERY,PINTEST OR FASTBOOT
aboot_init char:
I've not seen a peep out of the USB.
Looking at the PCB I can see that they are using a "chopped down" Type C connector.
That is a connector that has no USB 3 pairs on it.
I can see that there are D+/D- traces for USB 2.
5510 & 5511 refuse a connection.
Code:
$ nmap -p- 192.168.5.1
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-10 15:00 BST
Nmap scan report for 192.168.5.1
Host is up (0.0025s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
I tried all the passwords.
I have the .spk and I've even updated with it successfully.
I don't know the format of it, but it is statistically "noise".
It's encrypted and/or compressed.
Try password – oelinux123
login: root
dwa_e said:
Try password – oelinux123
login: root
Thanks for the tip. I did try that and a few variations.
@rich hathaway anything new on this?
I'd love to get a CGI (or SNMP) module going on this.
Yesterday, out of the blue, I went from full bars to none and level dropped 40 dB (on all devices)! It stayed that way for hours with barely any intermittent connectivity. Then it finally came back.
I'm liking my LM1200. It's got a big stupid plastic case with vents. Without display or battery it stays nice and cool. Also the internal antennas get lots of space and separation. They are funky sheet metal three sided boxes with weird cutouts.
I also have a LM1200-100NAS, along with a Netgear 6000450 external antenna - both of which I bought almost a year ago. It was already updated to the latest firmware. I'll be interested if there are any new findings, and thanks for what you've already shared.
This is a good read about NetGear "spk" files:
https://www.pentestpartners.com/sec...ption-case-study-on-the-netgear-nighthawk-m1/
I'm going to look into this.
Edit: There's no repeating 16 bytes in the file that I have...
Edit^2: Have I mentioned lately how much I hate Python?
Code:
C:\>whatever.py
... you don't have blah-blah installed ...
C:\>pip install blah-blah
blah-blah installed successfully!
C:\>whatever.py
... you don't have blah-blah installed ...
Edit^3: Well, I patched past the stupid colored text stuff but the AES stuff is still unhappy:
Code:
aes = AES.new(aes_key, AES.MODE_ECB, "")
Nope, not acceptable.
I'm in a really sketchy cell coverage zone and the LM1200 is disconnecting from my router occasionally.
I can see the little "3 box" network LED going out and pinging doesn't answer.
It could be my router but that is happily answering and connecting to local wired and WiFi stuff.
Part of the whole reason for separating router and modem was to get away from the MiFi 8800L disconnecting everything when it was flailing on a bad cell signal.
Renate said:
@rich hathaway anything new on this?
I'd love to get a CGI (or SNMP) module going on this.
Hi, sorry, I saw that msg when you posted it and meant to respond that day but got sidetracked and just saw it again today.
I do not have this device and have not worked with it before so most of what I would say is speculation based on other Sierra devices.
It likely has a port open. nmap is a good tool but misses on occasion; the port tool from DFS is a much more thorough tool but hard to get hold of. It was in some of the older builds of the Qualcomm tool and I think it may still be in the current suite tool.
The Sierra source file for that device is a large file, almost 3 gigs; it is source for several Legato platforms including MDM9X07.
It is not supposed to be distributed so I won't link it here, but you can holler at me away from here and I'll get it to you to look through.
I just glanced over it; I see port 4711 may be open,
or at least it is before final values are written to this device. Try it.
The source shows the root pass is blank; that does not mean it is so, as many of these types of values are written last and after the source/generic is built.
Those .spk's used to be handled by the SWI tool from Sierra, but it cannot handle newer spk's. They are base64 files and encrypted & compressed at many different levels and many times. The reason you cannot get it decrypted is that they have some proprietary zippers with custom algos as well as old crypt algos such as BeeCrypt and such. If you can't get into it by any port, what I would do is find the test point on the board that should get you to an open 9008 port. You would at that point need a working patched ENPRG loader for MDM9x07; then you would be able to dump the device from 0 to 7FF and have all of what you need. If you have an extra one, send it to me and I'll dump it and send you back the firmware in human-readable form.
I forgot to add: the default password file in the source is below, but like I said it may be overwritten by a proprietary value during the final programming.
Also, the nfsroot file for Linux, if you have something running Linux, may be useful to you; it is below.
Hope that helps.
rich hathaway said:
hope that helps
Thanks. I tried "gazonk" and 4711 and neither worked.
I did find the EC25 manual with pinout: https://forums.quectel.com/uploads/short-url/yVwhmS9iLDp8K24V93xJw3L6zmS.pdf
The "USB_BOOT" pin is the EDL mode pin; pull it to 1.8V for EDL.
I haven't checked this yet, but I will try to trace out if the test point appears on the main PCB (vs directly on the module).
I'll also try to see if it works.
OK. We have luck. The test points are reasonably accessible.
There is a loader that works: https://github.com/bkerler/Loaders/...480e100000000_cc3153a80293939b_fhprg_9x07.mbn
I put in a little magnetic reed switch. Jeez, I'm running out of these, I put them everywhere.
The storage is NAND. It probably works with bkerler's stuff. I've only half-baked the NAND support in my EDL client. I have to work on it.
Code:
Found EDL 9008
HWID: 000480e100000000, QC: 000480e1, OEM: 0000, Model: 0000
Hash: cc3153a80293939b-90d02d3bf8b23e02-92e452fef662c749-98421adad42a380f
Sending loaders\qualcomm\factory\mdm9x07\000480e100000000_cc3153a80293939b_fhprg_9x07.mbn 100% Ok
Waiting for Firehose... Ok
<log value="[FLASH_INFO]"/>
<log value=";This section provides flash info"/>
<log value="FLASH_NAME=NM14F2KSLAXCL-3B"/>
<log value="SECTOR_SIZE_IN_BYTES = 4096"/>
<log value="NUM_PARTITION_SECTORS = 131072"/>
<log value="num_physical_partitions = 1"/>
<log value="TOTAL_SECTOR_SIZE_IN_BYTES= 4352"/>
<log value="PAGES_IN_BLOCK = 64"/>
<log value="CONFIGURATION SELECTION FOR THIS DEVICE: BLOCKSIZE:256KB and PAGESIZE:4KB"/>
<log value=""/>
<log value="[BAD_BLOCK_LIST]"/>
<log value=";This section provides bad block list"/>
<log value="BAD_BLOCK=1536"/>
<log value="BAD_BLOCK=1537"/>
<log value="BAD_BLOCK=1822"/>
<log value="BAD_BLOCK=1992"/>
<log value="TOTAL_BAD_BLOCK=4"/>
<log value="{"storage_info": {"total_blocks":2048, "block_size":262144, "page_size":4096, "mem_type":"NAND", "prod_name":"NM14F2KSLAXCL-3B"}}"/>
<response value="ACK" />
Ok, so who's good with this stuff? root:$1$uH6tuGYf$bjaX370zwmzgNHP/YhrAQ/:0
Online Password Hash Crack (www.onlinehashcrack.com) - MD5, NTLM, WordPress, Joomla, WPA PMKID, Office, iTunes, archives, ...
You can try them; I have used it before with success. It is a slow service though; I did an md5crypt on there, it was successfully reversed but took 4 days.
Or try the John the Ripper program. But really you don't need it: you sent the loader, so just send hello now, then you can dump the firm, and from there it should be fairly easy to enable the ports so you can just use adb with no need for a root pass.
rich hathaway said:
... But really you don't need it: you sent the loader, so just send hello now, then you can dump the firm, and from there it should be fairly easy to enable the ports so you can just use adb with no need for a root pass.
Um, I've got 500 MB of raw dump, not directories and files.
It's easy enough to find the password file in there but I'm not really sure what I'm looking at/for.
I fixed a bit of a bug in my edl.exe for NAND devices. Get the May 5th one in the sig.
I ran about 2 hours of cracker with no success yet.
I'll run some more today.
Edit: I'm still working on this, >4 days so far...
That works out to about 250 billion passwords tried.
Also: Power consumption isn't bad, average of 150 mA or so and peak of 450 mA.
Erm, hits a solid 500 mA when transmitting.
OMG, I've been running this JtR for almost 5 solid days now (I only run it when it's sunny).
I was beginning to doubt that JtR could crack a walnut.
For some reason the LM1200 regenerates a password file each boot, and if I modify it, it doesn't generate it.
I've been using my (recently updated) EDL client to try to overwrite the password file.
I put in the password "$1$abcdefgh$rV6RhG4no19bGJfmub3Ui1".
I tried JtR on that and it came up in a fraction of a second that the password was "root".
Just to be clear, I didn't crack anything, yet.
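
The entries being cracked and rewritten above, `root:$1$uH6tuGYf$bjaX370zwmzgNHP/YhrAQ/:0` and the planted `$1$abcdefgh$rV6RhG4no19bGJfmub3Ui1`, are md5crypt: "$1$", up to eight salt characters, "$", then 22 characters encoding an MD5 state that was fed the password and salt through 1000 rounds. The block below is an added example written for this page, not code from the thread or from John the Ripper; it implements the FreeBSD md5crypt construction, verifies a candidate against such a hash, and mints a fresh hash that is always 34 characters long so it can replace the original field without changing the line length (the same-number-of-characters constraint the posts work under). That "root" is the password behind the planted hash is what the post reports JtR found; this code does not assume it, it lets you check it.

```python
"""md5crypt ($1$salt$hash): verify a candidate and mint a same-length replacement (added example)."""
import hashlib
import hmac
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
SHADOW_FRAGMENT = "root:$1$uH6tuGYf$bjaX370zwmzgNHP/YhrAQ/:0"  # as posted above


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: emit `count` 6-bit digits, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt: 1000 MD5 rounds keyed by the password and up to 8 salt bytes."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                      # mix in alt, one chunk per 16 password bytes
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                               # one byte per bit of the password length
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                     # the deliberately slow part
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (MAGIC + salt + b"$" + encoded).decode()


def verify(hashed: str, password: bytes) -> bool:
    """Constant-time comparison of a candidate password against a $1$ hash."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5crypt(password, parts[2].encode()), hashed)


def fresh_hash(password: bytes) -> str:
    """A new $1$ hash with a random 8-character salt; always 3 + 8 + 1 + 22 = 34 characters."""
    salt = bytes(secrets.choice(ITOA64) for _ in range(8))
    return md5crypt(password, salt)


def replace_hash_field(line: str, new_hash: str) -> str:
    """Swap the hash field of a passwd/shadow line without changing the line length,
    so nothing else in the raw dump shifts."""
    user, old_hash, rest = line.split(":", 2)
    if len(new_hash) != len(old_hash):
        raise ValueError("replacement hash must be the same length as the original")
    return ":".join((user, new_hash, rest))


def planted_hash_is_root() -> bool:
    """Does this implementation agree that the planted $1$abcdefgh$... hash is 'root'?"""
    return verify("$1$abcdefgh$rV6RhG4no19bGJfmub3Ui1", b"root")
```

Each `verify()` call costs about a thousand MD5 computations, which is the whole reason a cracker needs days for hundreds of billions of guesses against the original salt, while the planted hash with a known password falls instantly.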
That's good. Does it work? That's usually the user, lol.
What is the filesystem, do you know?
yaffs2 or ubi?
rich hathaway said:
what is the filesystem do you know
yaffs2 or ubi ?
It's UBI, because I've seen this:
Code:
000000 55 42 49 23 01 00 00 00 00 00 00 00 00 00 00 00 UBI#............
000010 00 00 10 00 00 00 20 00 25 a5 06 c3 00 00 00 00 ...... .%.......
000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000030 00 00 00 00 00 00 00 00 00 00 00 00 94 9e c8 d8 ................
000040 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
000050 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
000060 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
000070 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
The Python EDL client can print out partitions, but the support for NAND doesn't seem finished/working.
I don't know anything at all about UBI, but I did update my EDL client to correctly erase and write NAND.
There are 6 occurrences of the $1$salt$hash in a complete dump.
The first two are in a different position each time you boot.
The middle two and the last two are identical, that is: A/B, A/B.
The last two you can change without any noticeable effect.
If you modify the middle two (overwriting the same number of chars) when you do a dump after rebooting there are only four $1$salt$hash and it's the first two that are missing.
So, I don't know if there is some checksum on files that I'm changing or what.
Who ever heard of passwd and shadow getting generated at each boot?
Is there some sort of secure repository that is sourcing this data and is my editing invalidating it?
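
The 64 bytes in the hexdump above are a UBI erase-counter (EC) header, which opens every erase block UBI manages; the layout is struct ubi_ec_hdr from the Linux UBI code, all fields big-endian: magic "UBI#", version, 3 bytes padding, a 64-bit erase counter, vid_hdr_offset, data_offset, image_seq, 32 bytes padding and hdr_crc. The parser below is an added example written for this page, not code from the thread or from the UBI tools; it decodes that header, checks its CRC (UBI uses the kernel crc32 seeded with 0xFFFFFFFF and not inverted at the end, which is `zlib.crc32` with the result inverted), and walks a raw dump block by block to list the UBI blocks. The sample header is the one posted above; the dump built around it is constructed, using the 256 KB block size the flash info above reports, and assumes the dump holds only the 4096-byte data area of each page (a dump that includes the 256 spare bytes per page would shift every offset). The UBI layer only tracks erase blocks; UBIFS on top of it checksums each node it writes, which is consistent with raw in-place edits not surviving a reboot, but the code here stops at the UBI header.

```python
"""Parse UBI erase-counter headers from a raw NAND dump (added example)."""
import struct
import zlib

UBI_EC_HDR_MAGIC = b"UBI#"
UBI_EC_HDR = struct.Struct(">4sB3xQIII32xI")  # 64 bytes, big-endian
PEB_SIZE = 256 * 1024                          # BLOCKSIZE:256KB from the flash info above

# First 64 bytes of the hexdump posted above.
EC_HDR_FROM_DUMP = bytes.fromhex(
    "55424923 01000000 00000000 00000000"
    "00001000 00002000 25a506c3 00000000"
    "00000000 00000000 00000000 00000000"
    "00000000 00000000 00000000 949ec8d8"
)


def ubi_crc32(data: bytes) -> int:
    """UBI's CRC: crc32_le seeded with 0xFFFFFFFF and no final XOR."""
    return (~zlib.crc32(data)) & 0xFFFFFFFF


def parse_ec_hdr(buf: bytes) -> dict:
    """Decode one EC header; crc_ok should be True for an intact header."""
    magic, version, ec, vid_off, data_off, image_seq, hdr_crc = UBI_EC_HDR.unpack_from(buf)
    if magic != UBI_EC_HDR_MAGIC:
        raise ValueError(f"bad EC magic {magic!r}")
    return {
        "version": version,
        "ec": ec,                        # times this block has been erased
        "vid_hdr_offset": vid_off,       # where the volume-id header starts (one page here)
        "data_offset": data_off,         # where LEB data starts (two pages here)
        "image_seq": image_seq,
        "hdr_crc": hdr_crc,
        "crc_ok": ubi_crc32(buf[:UBI_EC_HDR.size - 4]) == hdr_crc,
    }


def build_ec_hdr(ec: int, vid_hdr_offset: int, data_offset: int,
                 image_seq: int, version: int = 1) -> bytes:
    """Encode an EC header with a correct hdr_crc (inverse of parse_ec_hdr)."""
    body = UBI_EC_HDR.pack(UBI_EC_HDR_MAGIC, version, ec,
                           vid_hdr_offset, data_offset, image_seq, 0)[:-4]
    return body + struct.pack(">I", ubi_crc32(body))


def scan_ec_hdrs(dump: bytes, peb_size: int = PEB_SIZE) -> list:
    """Walk a raw dump one erase block at a time; return (block_no, header) for UBI blocks.
    Erased blocks (all 0xFF) and non-UBI data are skipped."""
    found = []
    for peb in range(len(dump) // peb_size):
        start = peb * peb_size
        if dump[start:start + 4] == UBI_EC_HDR_MAGIC:
            found.append((peb, parse_ec_hdr(dump[start:start + UBI_EC_HDR.size])))
    return found


def make_dump() -> bytes:
    """Constructed 3-block dump: the posted header, an erased block, and a header built here."""
    blk0 = EC_HDR_FROM_DUMP + b"\xff" * (PEB_SIZE - len(EC_HDR_FROM_DUMP))
    blk1 = b"\xff" * PEB_SIZE
    hdr2 = build_ec_hdr(ec=7, vid_hdr_offset=4096, data_offset=8192, image_seq=0x25A506C3)
    blk2 = hdr2 + b"\xff" * (PEB_SIZE - len(hdr2))
    return blk0 + blk1 + blk2
```

Blocks whose image_seq differs from the rest, or whose CRC fails, are the first thing to look at when a dump has been edited by hand; the VID header at vid_hdr_offset is what maps each physical block to a volume and logical block, and is the next header to parse if you want to reassemble volumes from the dump.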
