Database Users

Revolutionary study, the last etude s5k3bafx

Sorry for the title I just love Chopin
Sick of contacting the I-mate support team with no help, and no reply from HTC and Samsung, Microsoft is telling me to contact HTC, so again to the same circle.
I want to share my last idea about prophet before I do the last decision I made.
I always thought that is the low frame rate in prophet camera is because the DMA so if someone help me in this please.
I think the functions related to this issue are (aCamreaDMA and CameraInterface) and it could be fixed or at least improved debugging the file s5k3bafx.dll that contains the functions for the Samsung chip.
Code:
.text:10002018 ; ---------------------------------------------------------------------------
.text:10002018 CMP R4, #1
.text:1000201C BNE loc_100020C0
.text:10002020 LDR R3, =aCameradma
.text:10002024 MOV R2, #0
.text:10002028 MOV R1, #0
.text:1000202C MOV R0, #0
.text:10002030 BL CreateEventW
.text:10002034 ; ---------------------------------------------------------------------------
.text:10002034 CMP R0, #0
.text:10002038 STR R0, [R5,#0x10]
.text:1000203C BEQ loc_10002070
.text:10002040 MOV R1, #2
.text:10002044 BL EventModify
.text:10002048 ; ---------------------------------------------------------------------------
.text:10002048 LDR R1, [R5,#0x10]
.text:1000204C MOV R3, #0
.text:10002050 MOV R2, #0
.text:10002054 MOV R0, #0x1F
.text:10002058 BL InterruptInitialize
.text:1000205C ; ---------------------------------------------------------------------------
.text:1000205C CMP R0, #1
.text:10002060 BNE loc_10002070
.text:10002064 MOV R0, #0x1F
.text:10002068 BL InterruptDone
.text:1000206C ; ---------------------------------------------------------------------------
.text:1000206C MOV R6, #1
.text:10002070
.text:10002070 loc_10002070 ; CODE XREF: .text:1000203Cj
.text:10002070 ; .text:10002060j
.text:10002070 LDR R3, =aCamerainterfac
.text:10002074 MOV R2, #0
.text:10002078 MOV R1, #0
.text:1000207C MOV R0, #0
.text:10002080 BL CreateEventW
.text:10002084 ; ---------------------------------------------------------------------------
.text:10002084 CMP R0, #0
.text:10002088 STR R0, [R5,#0x50]
.text:1000208C BEQ loc_10002108
.text:10002090 MOV R1, #2
.text:10002094 BL EventModify
.text:10002098 ; ---------------------------------------------------------------------------
.text:10002098 LDR R1, [R5,#0x50]
.text:1000209C MOV R3, #0
.text:100020A0 MOV R2, #0
.text:100020A4 MOV R0, #0x2B
.text:100020A8 BL InterruptInitialize
.text:100020AC ; ---------------------------------------------------------------------------
.text:100020AC CMP R0, #1
.text:100020B0 BNE loc_10002108
.text:100020B4 MOV R0, #0x2B
.text:100020B8 BL InterruptDone
.text:100020BC ; ---------------------------------------------------------------------------
.text:100020BC B loc_10002104
.text:100020C0 ; ---------------------------------------------------------------------------
.text:100020C0
.text:100020C0 loc_100020C0 ; CODE XREF: .text:1000201Cj
.text:100020C0 LDR R3, [R5,#0x10]
.text:100020C4 MOV R4, #0
.text:100020C8 CMP R3, #0
.text:100020CC BEQ loc_100020DC
.text:100020D0 MOV R0, R3
.text:100020D4 BL CloseHandle
.text:100020D8 ; ---------------------------------------------------------------------------
.text:100020D8 STR R4, [R5,#0x10]
.text:100020DC
.text:100020DC loc_100020DC ; CODE XREF: .text:100020CCj
.text:100020DC MOV R0, #0x1F
.text:100020E0 BL InterruptDisable
.text:100020E4 ; ---------------------------------------------------------------------------
.text:100020E4 LDR R3, [R5,#0x50]
.text:100020E8 CMP R3, #0
.text:100020EC BEQ loc_100020FC
.text:100020F0 MOV R0, R3
.text:100020F4 BL CloseHandle
.text:100020F8 ; ---------------------------------------------------------------------------
.text:100020F8 STR R4, [R5,#0x50]
.text:100020FC
.text:100020FC loc_100020FC ; CODE XREF: .text:100020ECj
.text:100020FC MOV R0, #0x2B
.text:10002100 BL InterruptDisable
.text:10002104 ; ---------------------------------------------------------------------------
.text:10002104
.text:10002104 loc_10002104 ; CODE XREF: .text:100020BCj
.text:10002104 MOV R6, #1
.text:10002108
.text:10002108 loc_10002108 ; CODE XREF: .text:1000208Cj
.text:10002108 ; .text:100020B0j
.text:10002108 MOV R0, #0
.text:1000210C BL SetKMode
.text:10002110 ; ---------------------------------------------------------------------------
.text:10002110 MOV R0, R6
.text:10002114 LDMFD SP!, {R4-R6,LR}
.text:10002118 BX LR
.text:10002118 ; ---------------------------------------------------------------------------
.text:1000211C off_1000211C DCD aCamerainterfac ; DATA XREF: .text:loc_10002070r
.text:1000211C ; "CameraInterface"
.text:10002120 off_10002120 DCD aCameradma ; DATA XREF: .text:10002020r
.text:10002120 ; "CameraDMA"
I think if we change the constant value at loc text:10002038 and text:10002088 and all related values (0x10, 0x50 to R5; register will be load to memory) will improve the DMA transfer from the camera chip to the device RAM, and will load less CPU make it faster.
Please help in this, how to improve the S5K3BAFX.dll driver and DMA compatibility with HTC prophet.
For ROM cookers:
The hex values need to be changed from (10 to 2C, 50 to 88) in the module S5K3BAFX.dll.
Version 2.15, the file need to be modify S000 the offsets are: 1050, 1060, 10A0, 10B0, 10D8, 10F0, 10FC, 1110.
Version 2.20 (the module in the AKU2.2 I'll attach it as it provide better picture but can't over clock the CPU) the offsets in S000 are: 1038, 1048, 1088, 1098, 10C0, 10D8, 10E4, 10F8.
I'm not sure about the 2C and 88 values, if someone can help to improve the camera DMA.

here's how to fully and permanently disable sign/cert checking in WM5/WM6 (+bonus)

so, i got bored so why not post a new thread.
as the title says, here's how to fully and permanently disable sign/cert checking in WM5/WM6, so you can load unsigned files even during boot, just fine.
i've been asked several times on how to do it
sumup: you will need IDA Pro or some other disassembler and S000 from nk.exe module in the XIP. VerifyBinary is the function to be patched.
here's the code to be modified:
- first, some example ways to find it
1. locate nk.exe string in strings tab (the lower case one, "nk.exe"), go to the code that references it, below that, enter the second BL (it's the BL in next block), that function is LoadE32, now find the xrefs for it, should have about 3-4 references to it. one of them (InitModule) will look similar to example disassembly below, where 8002D0EC is LoadE32.
2. you might be able to search for LDREQ R0, =0x80090006 though in some nk.exe's ida won't resolve that too well (if the rom base is near the 0x80090006); you could still search for 06 00 09 80 in the nk binary - but that is referenced at other places too, still maybe this might make it easier to find the VerifyBinary function.
- anyway, next, example code
.text:80030CE4 7E 00 A0 03 MOVEQ R0, #0x7E ; '~'
.text:80030CE8 4E 00 00 0A BEQ loc_80030E28
.text:80030CEC 02 00 58 E3 CMP R8, #2
.text:80030CF0 00 80 A0 03 MOVEQ R8, #0
.text:80030CF4 02 00 19 E3 TST R9, #2
.text:80030CF8 01 E0 A0 13 MOVNE LR, #1
.text:80030CFC 00 E0 A0 03 MOVEQ LR, #0
.text:80030D00 0C 30 8D E2 ADD R3, SP, #0x44+var_38
.text:80030D04 04 20 8D E2 ADD R2, SP, #0x44+var_40
.text:80030D08 70 10 84 E2 ADD R1, R4, #0x70
.text:80030D0C 0A 00 A0 E1 MOV R0, R10
.text:80030D10 00 E0 8D E5 STR LR, [SP,#0x44+var_44]
.text:80030D14 F4 F0 FF EB BL sub_8002D0EC ---> LoadE32()
.text:80030D18 00 00 50 E3 CMP R0, #0
.text:80030D1C 41 00 00 1A BNE loc_80030E28
.text:80030D20 8C 30 94 E5 LDR R3, [R4,#0x8C]
.text:80030D24 CE 20 84 E2 ADD R2, R4, #0xCE
.text:80030D28 05 10 A0 E1 MOV R1, R5
.text:80030D2C 00 00 53 E3 CMP R3, #0
.text:80030D30 BC 3C D4 01 LDREQH R3, [R4,#0xCC]
.text:80030D34 0A 00 A0 E1 MOV R0, R10
.text:80030D38 03 90 83 03 ORREQ R9, R3, #3
.text:80030D3C 00 30 A0 E3 MOV R3, #0
.text:80030D40 BC 9C C4 01 STREQH R9, [R4,#0xCC]
.text:80030D44 3A E7 FF EB BL sub_8002AA34 ---> VerifyBinary()
in the example the BL after LoadE32, sub_8002AA34 is VerifyBinary. this is what you want to patch.
if you look you can see that if it doesn't return 0 it will exit the function that has this quoted code. so just go to VerifyBinary start and patch it to
MOV R0, #0 (00 00 A0 E3)
BX LR (1E FF 2F E1)
(why not just NOP the BL to it? because it is also called when an EXE is being loaded, so we need to cover that case too. the above code is DLL load code)
- IMPORTANT: to clean some things up when it checks whether a trusted process is loading an untrusted DLL... to avoid that we'll just put everything in full kernel trust mode which is neat anyway
so you should also patch the part after it returns.
example:
.text:80030D44 3A E7 FF EB BL sub_8002AA34
.text:80030D48 00 00 50 E3 CMP R0, #0
.text:80030D4C 35 00 00 1A BNE loc_80030E28
.text:80030D50 00 30 97 E5 LDR R3, [R7]
.text:80030D54 03 30 D3 E5 LDRB R3, [R3,#3]
.text:80030D58 02 00 53 E3 CMP R3, #2
.text:80030D5C CE 30 D4 05 LDREQB R3, [R4,#0xCE]
.text:80030D60 01 00 53 03 CMPEQ R3, #1
.text:80030D64 24 05 9F 05 LDREQ R0, =0x80090006
.text:80030D68 2E 00 00 0A BEQ loc_80030E28
.text:80030D6C 02 00 19 E3 TST R9, #2
1) nop the BEQ (or just put the following code in its place)
2) make sure that the byte at [R4,#0xCE] has #2 in it.
i.e patch it like this: insert two opcodes like this:
MOV R0, #2 (02 00 A0 E3)
STRB R0, [R4,#0xCE] (CE 00 C4 E5)
you can NOP the rest before the TST. do not touch the TST Rx, #2, or anything that comes after that line.
notes:
1. this will change KITL log in that it will not log module loads regarding cert checking. if you still want to log module (DLL and EXE too) loads in KITL i have another simple patch to do it if anyone wants nice KITL
2. you can also patch certmod.exe (or if you wish, filesys.exe) instead of nk.exe but this way is faster and cleaner, also nk.exe changes less often than certmod (or filesys). still, if someone's interested i can post that too.
+ bonus: old news maybe but afaik it was never made public so here's how to change a WM5 kernel to "upgrade" it to WM6 (i found that method last year to make WM6 porting possible / much easier).
i've mentioned LoadE32, well this is the function you want to patch.
example code:
LoadE32() (go to somewhere at the right in IDA if you are in graph view, to find it faster)
this is the CE major/minor version check in PE header of the EXE/DLL being loaded.
ROM:80032DEC STR R3, [R5,#4]
ROM:80032DF0 CMP R2, #5
ROM:80032DF4 BHI loc_80032E34
ROM:80032DF8 BNE loc_80032E08
ROM:80032DFC LDRB R3, [R5,#3]
ROM:80032E00 CMP R3, #1
ROM:80032E04 BHI loc_80032E34
CMP R2, #5 is comparing against CE major version i.e. CE 5.x
CMP R3, #1 is comparing against CE minor version i.e. x.1 for WM5 (CE 5.01), x.2 for WM6 (CE 5.02)
so you can just change the CMP R3, #1 to CMP R3, #2 (or do it in another way if you wish), encoding 02 00 53 E3
(of course R3 is only in this example)
that's it for now, maybe i'll post more tricks from now on.

cmonex said:
2. you can also patch certmod.exe (or if you wish, filesys.exe) instead of nk.exe but this way is faster and cleaner, also nk.exe changes less often than certmod (or filesys). still, if someone's interested i can post that too.
Click to expand...
Click to collapse
Please describe. I'm interested.
cmonex said:
+ bonus: [...]
that's it for now, maybe i'll post more tricks from now on.
Click to expand...
Click to collapse
Please. Don't stop. Please .... more
Many, many thanks.

cmonex said:
so, i got bored so why not post a new thread.
Click to expand...
Click to collapse
Please... be bored all the time
cmonex said:
2. you can also patch certmod.exe (or if you wish, filesys.exe)
Click to expand...
Click to collapse
It could be interesting, it could be used by some other apps maybe? Not just kernel...
cmonex said:
that's it for now, maybe i'll post more tricks from now on.
Click to expand...
Click to collapse
Keep'em going!

Cmonex, I was thinking.... I don't know smartphones really well, but does it mean, that if you patch SP's nk.exe, will they be able to run unpriviledged apps? Such as, for example RIL applications? I know, that they have to be signed with a priviledged certificate, not as in WM Pro...

I can confirm - disabling certificates works Ok.
cmonex - many, many thanks.

utak3r said:
Cmonex, I was thinking.... I don't know smartphones really well, but does it mean, that if you patch SP's nk.exe, will they be able to run unpriviledged apps? Such as, for example RIL applications? I know, that they have to be signed with a priviledged certificate, not as in WM Pro...
Click to expand...
Click to collapse
i think someone sent me an SP nk.exe and it looked the same loader code. so probably yes let me know if you tried that (i don't have a SP device)

utak3r said:
Please... be bored all the time
It could be interesting, it could be used by some other apps maybe? Not just kernel...
Keep'em going!
Click to expand...
Click to collapse
hehe, sure
as for certmod, OK, i'll post a guide on that soon. but basically you need to modify return value in CertVerify export. i prefer the NK.exe patch, because it is faster (no need to waste CPU time on dispatching the call from NK through filesys into certmod).
by the way it has some other interesting exports too, such as CabVerify (or similar), anyone ever seen that in use? we can patch all of them

cmonex said:
i think someone sent me an SP nk.exe and it looked the same loader code. so probably yes let me know if you tried that (i don't have a SP device)
Click to expand...
Click to collapse
Well, I don't have one, neither, but probably I will have some for a few weeks

cmonex said:
so, i got bored so why not post a new thread.
.......
.text:80030D14 F4 F0 FF EB BL sub_8002D0EC ---> LoadE32()
.text:80030D18 00 00 50 E3 CMP R0, #0
.text:80030D1C 41 00 00 1A BNE loc_80030E28
.text:80030D20 8C 30 94 E5 LDR R3, [R4,#0x8C]
.text:80030D24 CE 20 84 E2 ADD R2, R4, #0xCE
.text:80030D28 05 10 A0 E1 MOV R1, R5
.text:80030D2C 00 00 53 E3 CMP R3, #0
.text:80030D30 BC 3C D4 01 LDREQH R3, [R4,#0xCC]
.text:80030D34 0A 00 A0 E1 MOV R0, R10
.text:80030D38 03 90 83 03 ORREQ R9, R3, #3
.text:80030D3C 00 30 A0 E3 MOV R3, #0
.text:80030D40 BC 9C C4 01 STREQH R9, [R4,#0xCC]
.text:80030D44 3A E7 FF EB BL sub_8002AA34 ---> VerifyBinary()
in the example the BL after LoadE32, sub_8002AA34 is VerifyBinary. this is what you want to patch.
if you look you can see that if it doesn't return 0 it will exit the function that has this quoted code. so just go to VerifyBinary start and patch it to
MOV R0, #0 (00 00 A0 E3)
BX LR (1E FF 2F E1)
Click to expand...
Click to collapse
When trying to patch highlighted region with mov & bx lr , my pda locks at boot. Actually if i only make r0 = 0 then pda boots normally, but how can i check if certificates are disable ?
Or i have to patch directly VerifyBinary :
ROM:000353C4 ; =============== S U B R O U T I N E =======================================
ROM:000353C4
ROM:000353C4
ROM:000353C4 VerifyBinary ; CODE XREF: sub_3B584+150p
ROM:000353C4 00 00 A0 E3 MOV R0, #0 ; Rd = Op2
ROM:000353C8 1E FF 2F E1 BX LR ; Branch to/from Thumb mode
ROM:000353C8 ; End of function VerifyBinary
ROM:000353C8
I've already patch certmod.dll and i think that certs are disable ....
I've already patch nk.exe\s000 (full trust kernel mode) with success.
ThanX alot for your help .
p.s. Could you teach us how to patch any exe, dll or s*** with ida pro ?

of course you can't put a BX LR in the middle of InitModule(), it will totally **** up the loader.
the BX LR (with MOV R0, #0) must go inside of VerifyBinary().
to see if certs are really disabled... just take some driver dll that you know needs to load on boot, make sure it is not signed, and try to load it on boot.
or just take any dll or any exe, that is signed, then change some string inside, and do not re-sign and do not remove signing from it, and see if it still loads (on boot or at any other time).
if the answer is yes to these, then the patch works fine.
how do you mean your p.s.? the way to patch always depends on the goal. no general trick, just assembly, a logical enough mind and preferably some more high level programming knowledge is needed.

ThanX Alot !

Thank you very much from me, too. Nice work!

Could you write a little tutorial how to patch CertVerify (exported by certmod.dll) ?
Thank you again for your great work !

From what you post, looks like it'd be done the same way as the nk.exe way, but have it be
MOV R0, #2
BX LR

yes, CertVerify in certmod should return 2, but it is recommended to patch nk.exe instead of certmod for two reasons:
1) certmod is updated more often than nk
2) directly patching nk is better optimization.
+1: the second patch in nk.exe gives more advantages than just using the simple certmod patch.

cmonex, thank you for this beautiful patch, I wrote a small program for patching of nk.exe or full nb for rom developers.

ALEUT said:
cmonex, thank you for this beautiful patch, I wrote a small program for patching of nk.exe or full nb for rom developers.
Click to expand...
Click to collapse
thanx will try it . modified my os.nb and rom is booting so far ok . have to check the unsigned apps .
THNX

Confirmed booting.

ALEUT said:
cmonex, thank you for this beautiful patch, I wrote a small program for patching of nk.exe or full nb for rom developers.
Click to expand...
Click to collapse
thanks for helping with that, i never found the time to do this program

problems reported from users wont install some apps
I got no problem with version 2, all apps install very well, in version 4 i have problem installing garmin mobileXT after so many tries atlast sucessful, but card export after so many tries and 2 hardreset still wont install.
Click to expand...
Click to collapse

How to animate images in Mobile ie ::request::

Anyone here know how to write some simple html to animate some web images off a local weather station? I have it working on my desktop written in javascript but mobile ie doesnt seem to want to animate the images. Any help or suggestions will be appreciated.

Why don't you post your HTML and maybe someone can point out what to change to make it work. I have had luck with Javascript and DHTML in PIE so it may be possible to do what you are asking.

sahoopes said:
Why don't you post your HTML and maybe someone can point out what to change to make it work. I have had luck with Javascript and DHTML in PIE so it may be possible to do what you are asking.
Click to expand...
Click to collapse
Code:
<div id="radar">
<noscript><img src="http://xxx.com/xxx.gif" width="1"
height="1" border="0"></noscript>
<SCRIPT LANGUAGE="JavaScript" TYPE="TEXT/JAVASCRIPT">
<!--
var c = 9;
/* Preloading images */
var image1 = new Image();
image1.src = "http://xxx.com/1.jpg";
var image2 = new Image();
image2.src = "http://xxx.com/2.jpg";
var image3 = new Image();
image3.src = "http://xxx.com/3.jpg";
var image4 = new Image();
image4.src = "http://xxx.com/4.jpg";
var image5 = new Image();
image5.src = "http://xxx.com/.jpg";
var image6 = new Image();
image6.src = "http://xxx.com/.jpg";
var image7 = new Image();
image7.src = "http://xxx.com/7.jpg";
var image8 = new Image();
image8.src = "http://xxx.com/8.jpg";
var image9 = new Image();
image9.src = "http://xxx.com/9.jpg";
var image10 = new Image();
image10.src = "http://xxx.com/10.jpg";
function disp_img(w)
{
if (c <1)
{
c = 10;
}
var img_src = "http://xxx.com/" + c + ".jpg";
document.ani.src = img_src;
c=c-1;
}
t = setInterval("disp_img(c)", 1000);
//-->
</script>
<IMG SRC="http://xxx.com/10.jpg" BORDER="0" WIDTH="640"
HEIGHT="480" NAME="ani"><br>
</div>
Here is the code that is not working.

Gbc Answering Machine (Almost there, Need WAV1: Expertise)

Hi,
This week I have been working on the Gbc (GigaByte/O2 Stealth) Answering Machine. Everything works fine BUT...
Problem1 Major
I need an expert on WAV1: and DeviceIoControl. Example from AnsweringMachine.dll:
Code:
.text:1000188C STMFD SP!, {R4-R8,LR}
.text:10001890 SUB SP, SP, #0x2C
.text:10001894 MOV R5, R0
.text:10001898 MOV R3, #0
.text:1000189C STR R3, [SP,#0x44+var_2C]
.text:100018A0 LDR R0, =aWav1
.text:100018A4 MOV R3, #0
.text:100018A8 STR R3, [SP,#0x44+var_28]
.text:100018AC STR R3, [SP,#0x44+var_24]
.text:100018B0 STR R3, [SP,#0x44+var_20]
.text:100018B4 STR R3, [SP,#0x44+var_1C]
.text:100018B8 MOV LR, #0x20
.text:100018BC MOV R4, #3
.text:100018C0 MOV R8, #0
.text:100018C4 MOV R3, #0
.text:100018C8 MOV R2, #0
.text:100018CC MOV R1, #0x40000000
.text:100018D0 STR R8, [SP,#0x44+var_3C]
.text:100018D4 STR LR, [SP,#0x44+var_40]
.text:100018D8 STR R4, [SP,#0x44+var_44]
.text:100018DC BL CreateFileW
.text:100018E0 MOVL R3, 0x614
.text:100018E8 MOV R1, #0x1D0000
.text:100018EC STR R3, [SP,#0x44+var_28]
.text:100018F0 MOV R6, #0
.text:100018F4 MOV R7, #4
.text:100018F8 ADD LR, SP, #0x44+var_34
.text:100018FC MOV R3, #0x14
.text:10001900 ORR R1, R1, #0xC
.text:10001904 ADD R2, SP, #0x44+var_2C
.text:10001908 MOV R4, R0
.text:1000190C STR R5, [SP,#0x44+var_20]
.text:10001910 STR R6, [SP,#0x44+var_1C]
.text:10001914 STR R8, [SP,#0x44+var_38]
.text:10001918 STR R8, [SP,#0x44+var_3C]
.text:1000191C STR R7, [SP,#0x44+var_40]
.text:10001920 STR LR, [SP,#0x44+var_44]
.text:10001924 BL DeviceIoControl
.text:10001928 MOV R0, R4
.text:1000192C BL CloseHandle
.text:10001930 ADD SP, SP, #0x2C
.text:10001934 LDMFD SP!, {R4-R8,LR}
.text:10001938 BX LR
Why this code?
Answeringmachine service is activated from custphone.dll (security phone skin)
Then after some time it picks up the phone and launches AMAPP.EXE, the actual
recorder. You can also start AMAPP.exe from the windows folder yourself. It will play the welcome message to the speaker. Then it starts recording for a specific time.
If you are in a call the audio out should be redirected to the microphone of
WAV1: or to the speaker (like iSecretary?)
What we need is find a way to redirect the audio from AMAPP.exe when you are in a call.
Could be that AnsweringMachine.dll is doing that when it picks up the phone.
Problem2 Minor
The AnsweringMachine service (PRA0 goes into Stop and need to be restarted after soft reset.
Problem3 Minor
AMAPP.exe doesn't stop recording if the call is ended.
More info: http://msdn.microsoft.com/en-us/library/bb202002.aspx
Cheers
The whole Answering Machine is based on AMR files. If you can already play AMR files you don't need Tweakradje Emuzed AMR dshow.cab.

I have made some progress last night. It is all in custphone.dll. That turns on the Speaker (SPK1 before picking up the phone. SPK1: is device specific (Gigabyte)
So now is the question: what is the code to turn on the speaker in a generic way?
Code:
LDR R0, =aSpk1
MOV LR, #1
MOV R4, #3
MOV R5, #0
MOV R3, #0
MOV R2, #0
MOV R1, #0xC0000000
STR LR, [SP,#0x24+var_14]
STR R5, [SP,#0x24+var_1C]
STR R5, [SP,#0x24+var_20]
STR R4, [SP,#0x24+var_24]
BL CreateFileW
LDR R1, =0x8002201C
MOV R3, #4
ADD R2, SP, #0x24+var_14
MOV R4, R0
STR R5, [SP,#0x24+var_18]
STR R5, [SP,#0x24+var_1C]
STR R5, [SP,#0x24+var_20]
STR R5, [SP,#0x24+var_24]
BL DeviceIoControl
B loc_10001B38
Cheers

Users with ipag 614 might be lucky. I just found out that this phone also uses the AuRouter.dll for routing audio to SPK1.
I will test my package today with a hp ipag 614.
Keep you in touch.
Cheers

Hi tweakradje
I have Ipaq 614c, installed two cabs, but with no luck.
And it seems that it is not working with phonecanvas?
I made a call, answering machine started, but nothing recorded and didnt hear an operator voice
Also in settings i put to save files to storage card, but file recorded in my phone memory
BTW it is a great idea
PS Do you need a tester?

Dont you think in order to make this recording function work one has to have that HTC ICR driver installed on the device. May be I am saying something wrong but just curious to give my observation. Any how I am ready to beta test your app, you can pm me for any assistance if you deems fit. Great work allover bro.

Yes finally a Answering Machine for PPC that looks promissing Great app can't wait to try this out

sergiorus said:
Hi tweakradje
I have Ipaq 614c, installed two cabs, but with no luck.
And it seems that it is not working with phonecanvas?
I made a call, answering machine started, but nothing recorded and didnt hear an operator voice
Also in settings i put to save files to storage card, but file recorded in my phone memory
BTW it is a great idea
PS Do you need a tester?
Click to expand...
Click to collapse
If you use TaskMgr 2.3 and look at services, do you see the AudioRouter/Speaker service?
(AuRoute.dll) My 614 also runs wm6.1 (custom rom) but was completely drained. Charging as we speak. Will come back on this later.
If this doesn´t work we need another intermediate AudioRouter service. Perhaps someone can write a generic service for all phones? Otherwise it will never route the audio correctly.
Nothing is impossible.
Cheers

tweakradje said:
If you use TaskMgr 2.3 and look at services, do you see the AudioRouter/Speaker service? (AuRoute.dll)
Click to expand...
Click to collapse
Yes all three services are working.

Thanks. On my 614 ROM it also didn't work. Speaker was switched on, but no sound from announcer. If someone wanna give it a shot here is the AuRouter.dll and registry entries.
Cheers

tweakradje said:
Nothing is impossible.
Click to expand...
Click to collapse
Couldn't agree more... Unless it's a hardware issue

Why iSecretary can’t mute the microphone of my xperia x1 and why the caller can’t hear my answer message
How can I fix this using registry or any tweak tool for windows mobile 6.1
thanks

[CODE] Detect the NK.EXE version (6.1 or 6.5)

Code:
public static bool IsKernelNative(string NKS000File)
{
int[] pattern = new int[] { 0x0C, 0x00, 0x94, 0xE5, 0x1F, 0x03, 0x50, 0xE3 };
int lookingfor = 0;
using (FileStream input = new FileStream(NKS000File, FileMode.Open, FileAccess.Read))
{
for (int i = 0; i < input.Length; i++)
if (input.ReadByte() == pattern[lookingfor++])
{
if (lookingfor == (pattern.Length - 1))
break;
}
else lookingfor = 0;
}
return (lookingfor == (pattern.Length - 1));
}
Barin will probably be happy to have this (and probably be even happier to replace the code with a File.ReadAllBytes and a LINQ array search if he didn't chose to use NET 2.0 like I did).

very interesting. what does this array (0x0C, 0x00, 0x94, 0xE5, 0x1F, 0x03, 0x50, 0xE3) mean? i.e. what code does it contain? it really can be found in new kernels only.

airxtreme, thanks for the info
But why should i be happy? When i build a rom i know exactly which kernel i use
Anyway i'll add the code to show info about kernel in log window.
PS I don't use .ReadAllBytes method to search a pattern. Sometimes i use it when i need to keep something in memory.
Check your decompiler

l2tp said:
very interesting. what does this array (0x0C, 0x00, 0x94, 0xE5, 0x1F, 0x03, 0x50, 0xE3) mean? i.e. what code does it contain? it really can be found in new kernels only.
Click to expand...
Click to collapse
I don't remember what it exactly does since it's stuff from several months ago but it should be code that is related to the new slots allocation that can be found only on windows mobile 6.5 kernels.
-=Barin=- said:
airxtreme, thanks for the info
But why should i be happy? When i build a rom i know exactly which kernel i use
Anyway i'll add the code to show info about kernel in log window.
Click to expand...
Click to collapse
You certainly do but for first-time users it's not so immediate understanding that each device requires its own native kernel, that the kernel is specifically compiled for the windows mobile version it came with and that even though an old kernel may work on newer windows mobile builds the kitchen needs to know the version of the native kernel to do the proper slots allocation and if it's not chosen correctly the ROM could not work. If you auto-detect the kernel and remove the kernel selection option (that in the case of your kitchen being only labeled WM6.1/WM6.5 I think may confuse users into thinking the option has to do with the windows mobile version rather than the native kernel version) you can remove a considerable burden from beginners.