Reverse Engineering a Device - Windows Mobile Development and Hacking General

All,
My project is working with a custom-built CE 4.2 device. We have access to regular firmware updates (OS + drivers). With all of these discussions around hacking/breaking apart a firmware, is there any way that we could reverse engineer some of the underlying components, such as the network driver, NDIS implementation, or any other bits of code? Or is the furthest we could get just breaking apart the image and seeing its contents?
--j

Once we've got the image taken apart, we can normally dump the constituent files out of it. Once you get there, you can reverse engineer files in the usual way. That depends on your familiarity with ARM assembler.
V

Universal os.nb
This is the file I need from the new I-mate AKU3.2 ROM. From there I can build a new Wizard ROM with Platform Builder, granted I also get the OMAP BSP!
But do you know a way to extract os.nb from a Universal?

vijay555 said:
Once we've got the image taken apart, we can normally dump the constituent files out of it. Once you get there, you can reverse engineer files in the usual way. That depends on your familiarity with ARM assembler.
V
Would anyone on this board be willing to be paid to perform this kind of work?

Related

How can one scan and modify every IP packet that goes through PPP (dial-up)?

Hello. I want to scan and modify every IP packet that goes through PPP (dial-up) (or through all interfaces, if that is easier). I've done a lot of research and found that maybe the only way to achieve this on lousy WinCE is to patch the OS itself... I am an x86 programmer and I've done this relatively easily on WinXP...
P.S. How can one debug WinCE OS code in ROM with software debuggers?
P.P.S. So far I don't have any solution to my problem, so it would be a success to do this even with one device (I have an HTC Universal for tests...)
Today I've finally downloaded the Platform Builder and the so-called "Shared" code of WinCE 6.0... To my surprise I found ARM4 .lib files instead of source code for everything that I needed to look into (ip*.*). However, there is a binmod utility and other stuff for editing ROMs that you might need. I don't need to modify the ROM since I can neither debug ROM nor have its source, even from a different version of WinCE (I need 5.0). M$ is sh*t as usual.
It is hard work to modify PPP packets on Pocket PC (WinCE).
You can try the passthru sample in PB:
\PUBLIC\COMMON\OAK\DRIVERS\NETSAMP\PASSTHRU
and
\WINCE500\PUBLIC\COMMON\OAK\DRIVERS\NETSAMP\ASYNCMAC
I think you have to modify the drivers.
Good luck!

Getting started with ROMs

I want to modify the messaging program but I've not done any WM coding before. I've looked at a number of posts on the forum and taken a look at the wiki but I'm still totally confused about where to start.
My current view is that I need to:
Extract the messaging program from the ROM I'm using
Is this possible? If so, what tools do I need? I found a few utilities that look promising on the wiki but there is no documentation for them so I've got no idea how to use them.
Disassemble the program
Can I do this with Visual Studio? Ideally I would like to step through the execution to find the bits I need to change; can I do that with the extracted program in the WM emulator? Or can I do it directly on my PDA?
Patch the program
I can probably figure this bit out by myself.
Get the patched program onto my PDA
As the program is in ROM, I'm assuming I'll have to re-make the ROM. Or can ROM files be updated/overwritten without rebuilding the ROM?
Each of those steps is assuming the previous one is the correct approach and is actually possible. I'm not looking for hand holding at every step, just some good pointers to relevant information and tools. Thanks.
0. Which program do you want to hack?
1. What type of PDA do you use?
For example, for the hx4700:
prepare_imgfs.exe dump.dat
viewimgfs.exe imgfs_raw_data.bin
2. IDA to disassemble, or Visual Studio for debugging, if you know how.
3. What type of PDA do you use?
For example, for the hx4700, something like the vivi kitchen.
4. ...
Thanks for your reply.
0. Which program do you want to hack?
The messaging program, is it called Outlook Mobile? Do you know if it is native or managed code? If not, what's the easiest way to tell?
1. What type of PDA do you use?
For example, for the hx4700
I've got a Kaiser. Currently running "udK 8.0 R0 Vega" ROM (WM6.1). Forgot to mention that in my previous post.
IDA to disassemble, or Visual Studio for debugging, if you know how
Does IDA support remote debugging on Windows Mobile? Also, are there any restrictions on what you can debug in VS, i.e. do they stop you from debugging things you don't have the source for, or are Microsoft applications (e.g. Outlook) restricted from debugging in some way?
I'm finding it really hard to get decent information on these kinds of things. If I actually manage to get anywhere with this then I'll write up some kind of guide for the wiki.
Ok, I've used this tool to extract the ROM and get a file called 00_OS.nb. I then got these tools and managed to dump the NB file so that I now have all of the files inside the ROM.
I've been playing about with IDA, but when I try and run poutlook.exe in the debugger, it runs but exits straight away (i.e. it doesn't create a window on the PDA). I tried copying poutlook.exe onto my device but it doesn't run; I think I need to get it running from the exe before I do any more IDA stuff. I remember reading somewhere that executables in the ROM image have been manipulated in some way (addresses rewritten or relocated or something); is that what is affecting it? Or do I need to run some additional tool on the extracted exe before it will run standalone?
How do I get an executable extracted from the ROM to run on my device? Or do I have to roll it all up into a ROM for it to work?

Build wince 6.0 and flash it

I don't like Windows Mobile because it differs from PC-version Windows,
and there is no version of WM based on WinCE 6; all are based on 5.2, which limits memory usage per process to 32 MB.
So I've built WinCE 6 with the SDK from the MS site
and I want to flash my device with it.
I have 2 files: eboot.bin and nk.bin.
When I am trying to flash using nk.nb0, FlashROM says that this is some kind of junk, or something like this, because its format differs from the one used in existing firmwares.
When I am trying to flash using eboot.bin (Ethernet bootloader),
FlashROM says that it will not flash because this is the wrong bootloader, and so on.
I've heard the letters "JTAG" but I don't know what it is or how to use it.
I have no idea how to do this. Could anyone help?
P.S.: The PPC is an Asus P750 with a PXA270 CPU (ARMv4).
I think it will be easy to handle the drivers and other stuff like this;
the main purpose is to flash and boot it.
Thanks in advance.
And only silence was the answer...
You might do better for support on this over at ppcgeeks.

[Q] Debugging extracted WinCE6 binaries in emulator

Hi,
I extracted several executables (EXEs and DLLs) from the firmware image of a WinCE6 device.
In addition to that, I also build my own WinCE6 image with VS2005 that is running in the Device Emulator.
Now, what I'm planning to do is copy some of the extracted executable files to my emulator image and run them there.
For instance, it already worked to copy "zlib.dll" to the emulated image and then load it with some custom-written code.
However, this only works for a few DLLs. Most of them just crash.
I believe this is because of the memory mapping.
As you might know, WinCE6 has its own address space for shared libraries.
Typically they are loaded to the 0x40000000 region whereas libraries that are not shared are loaded to the address space of the application itself (i.e. 0x100000000 region).
While the DLLs from my own image mostly map to the 0x100000000 region, most of the extracted DLLs are loaded to the shared memory region which seems to cause problems.
Initially, the extracted zlib.dll did not work in the emulator image either.
However, increasing the RAM size of the emulator image did the trick.
Yet, the emulator supports at most 256MB of RAM. So further increasing the RAM size for DLLs that do not work yet is not an option.
Did anyone else try to run extracted binaries in an emulator environment?
My ultimate goal is to run these extracted executables inside my emulated environment, so that I can debug and reverse engineer the code.
Is it possible to change the memory mapping of a DLL so that, instead of being loaded to the 0x40000000 shared region, it is loaded to the process space?
There is a nifty freeware PE editor called CFF Explorer currently version VII.
http://www.ntcore.com/exsuite.php
One of the options under the Rebuilder tab is to change the Image Base of an object and rebuild it.
Make sure you are only doing this to a copy of your DLL. It's a long shot but it may work.
Good Luck.
Hi,
stephj said:
There is a nifty freeware PE editor called CFF Explorer currently version VII.
One of the options under the Rebuilder tab is to change the Image Base of an object and rebuild it.
Cool, thanks!
I just tried it, but unfortunately the "New Image Base" functionality is greyed out.
I guess it's because the DLL I'm trying to change is not for x86_32/x86_64, but for the ARM platform.
Do you also debug WinCE stuff?
I'm currently trying to get IDA Pro working with WinCE.
It seems to have debug support through ActiveSync.
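An added check, not from the original thread, that a practitioner would run on an extracted module before trying the CFF Explorer route suggested above: it parses the PE header and reports the machine type (WinCE ARM modules typically carry the THUMB type, which is why x86-only rebasing is greyed out), where the ImageBase sits relative to the 0x40000000 shared region described earlier, and whether the relocation information any rebase would need is still present (a module whose relocations were stripped when it was fixed up into ROM cannot be moved). The sample header bytes are constructed inline; SHARED_BASE and the helper names are assumptions of this example.

```python
import struct

# PE/COFF constants; WinCE ARM modules typically carry the THUMB machine type,
# which is why x86-only rebasing tools refuse to touch them.
IMAGE_FILE_MACHINE_THUMB = 0x01C2
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "x86", 0x01C0: "ARM", 0x01C2: "ARM Thumb"}
SHARED_BASE = 0x40000000  # assumed start of the shared-DLL region named in the thread

def parse_pe(data: bytes) -> dict:
    """Read machine type, ImageBase and the Characteristics bits that matter here."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:  # PE32 magic (WinCE is 32-bit)
        raise ValueError("not a PE32 image")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase DWORD
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)),
            "image_base": image_base,
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED)}

def rebase_check(info: dict) -> str:
    """Say whether moving the DLL out of the shared region is possible at all."""
    if not info["is_dll"]:
        return "not a DLL"
    if info["image_base"] < SHARED_BASE:
        return "already in process space"
    if info["relocs_stripped"]:
        return "shared region, relocations stripped: cannot be rebased"
    return "shared region, relocatable: rebasing is possible"

def build_header(machine: int, image_base: int, chars: int) -> bytes:
    """Constructed headers-only PE32 image used as sample input (not a real DLL)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Run parse_pe on the bytes of a dumped DLL instead of build_header output to get the same report for a real module.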
The 5x5 and Life programs listed in my signature both have a separate CE version, but they were ported over to CE after I had shaken all the bugs out of the WinMo version in the WinMo Emulator and on the device itself.
The CE versions were only tested on the CE emulator, and given a quick spin round the block to make sure it all works. I do not have a 'real' CE device to test them on.
I have a copy of IDA Pro, but is only the freeware version, not the full blown paid-for versions. I don't know whether the free version has full CE debug support, I'll have to have a try sometime.
Testing in CE-Emulator is not enough at all
stephj said:
The CE versions were only tested on the CE emulator, and given a quick spin round the block to make sure it all works. I do not have a 'real' CE device to test them on.
Probably these CE emulator tests were not enough at all, because for example your SUDOKU does NOT work properly on my 800x480 px unit based on CE 6.0 Professional. File dialogs not populated, etc.
Don't worry, I am mainly playing Flash games, IMHO the better type of gaming applications ...
Only 5x5 and Life have versions specifically built using the Windows CE SDK.
The others don't, as they were built using the Windows Mobile SDK.
Is it really surprising that it looks crap or doesn't work properly, if you try and run it under the wrong platform?
Likewise, CE versions look crap when run under Windows Mobile.

Car all-in-one unit - is it possible to modify?

Hello guys,
I bought a car all-in-one unit (aka car dvd gps) from China, it has a better software than I thought and it's running with WinCE 6.0.
However, there are some things that I'd like to change in the firmware (or ROM?). For example, the music list of the USB player does not show the full file name, only around 10-11 characters, and I'd like to increase it.
I managed to open a file explorer so I could take a look in the system files, but there is nothing relevant... only some logo images (from the boot screen) and some ini files.
I don't know if this is a software running in the WinCE startup or a firmware or a ROM.
Is there any way to export the firmware and modify it?
If this is a software, can anyone point me how can I put my hands on the files?
Thanks!
Your AIO technically consists of two parts: Windows CE w/ GPS and Multimedia. If you disassemble the AIO you can see there are two boards. The player you aren't lucky with is not part of Windows CE w/ GPS
jwoegerbauer said:
Your AIO technically consists of two parts: Windows CE w/ GPS and Multimedia. If you disassemble the AIO you can see there are two boards. The player you aren't lucky with is not part of Windows CE w/ GPS
Thanks.
Any chance to put my hands on the Multimedia software/firmware part?
I'm afraid you need help from the OEM/ODM.
