Hi,
I've been porting a large number of Linux-based programs to the Gizmondo (a CE 4.2 device).
One of the main issues is the broken C runtime of CE, specifically the lack of current-directory support (not to mention no POSIX layer). At any rate, I wanted to be able to hook fopen etc. to call my own functions which would handle the current dir.
To do this I thought I'd make some nice and easy IAT hooking code, that was until I discovered how complex this was on CE (relative to Win32 that is).
After much head scratching and looking at the stellar work of those such as mamaich, itsme etc. I finally managed to get it right.
I hope this is useful to someone (I searched this board, but couldn't find any code, though I do remember someone asking how to do it) and have attached a zip file with the hooking code. In order to use this you will need to provide your own undoc.h with the relevant kernel struct and function definitions for your WinCE flavour.
Once again, I stand on the shoulders of giants, without whom this would not have been possible.
Enjoy
-(e)
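An added illustration of the mechanism sweetlilmre is describing (this is not the attached hooking code and it does not touch the CE kernel structures): the user-mode shape of an IAT hook, walking the IMAGE_IMPORT_DESCRIPTOR and thunk arrays to find one import by module and function name and then overwriting the single pointer in the import address table. The "image" here is a hand-built buffer with the same layout, so the walk runs on any host; the module name coredll.dll, the import fopen and the current-directory fix in cwd_fopen are assumptions made for the demonstration. On a real image the IAT page has to be made writable first, and on CE the post's version goes through SetKMode and the kernel process structures, which is the part this example leaves out.

```c
/* Added example, not the code from the post: a user-mode PE-style import
 * table walk that replaces one IAT slot. Structures mirror the Win32
 * IMAGE_IMPORT_DESCRIPTOR / thunk layout; the image is a hand-built buffer
 * so the walk runs on any host. Module/function names are assumptions.   */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t OriginalFirstThunk;  /* RVA of the import name table (INT)    */
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;                /* RVA of the NUL-terminated DLL name     */
    uint32_t FirstThunk;          /* RVA of the import address table (IAT) */
} IMPORT_DESCRIPTOR;

typedef uintptr_t THUNK;          /* one INT/IAT slot, pointer sized       */
#define ORDINAL_FLAG ((THUNK)1 << (sizeof(THUNK) * 8 - 1))
typedef struct { uint16_t Hint; char Name[24]; } IMPORT_BY_NAME;

/* Hand-built image; RVAs are byte offsets from &img, i.e. the image base. */
typedef struct {
    IMPORT_DESCRIPTOR desc[2];    /* one DLL plus the all-zero terminator  */
    char dllname[16];
    IMPORT_BY_NAME names[2];
    THUNK int_[3];                /* INT: RVAs of the names, zero ended    */
    THUNK iat[3];                 /* IAT: pointers the program calls via   */
} FAKE_IMAGE;
#define RVA(img, field) ((uint32_t)((uint8_t *)&(img)->field - (uint8_t *)(img)))

/* Module names in PE are not case sensitive. */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Find dll!func in the import table at base and overwrite its IAT slot.
 * Returns 1 on success and leaves the previous pointer in *old. On a real
 * image make the IAT page writable first (VirtualProtect in user mode).  */
int hook_import(void *base, uint32_t import_rva, const char *dll,
                const char *func, THUNK new_fn, THUNK *old)
{
    uint8_t *b = (uint8_t *)base;
    const IMPORT_DESCRIPTOR *d = (const IMPORT_DESCRIPTOR *)(b + import_rva);
    for (; d->Name != 0; d++) {                 /* zero descriptor ends table */
        if (!name_eq((const char *)(b + d->Name), dll)) continue;
        const THUNK *nt = (const THUNK *)(b + d->OriginalFirstThunk);
        THUNK *at = (THUNK *)(b + d->FirstThunk);
        for (; *nt != 0; nt++, at++) {          /* INT and IAT run in parallel */
            if (*nt & ORDINAL_FLAG) continue;   /* by ordinal: no name to match */
            const IMPORT_BY_NAME *ibn = (const IMPORT_BY_NAME *)(b + *nt);
            if (strcmp(ibn->Name, func) != 0) continue;
            if (old) *old = *at;
            *at = new_fn;                       /* the hook itself: one store  */
            return 1;
        }
    }
    return 0;
}

/* Stand-ins for the imported C runtime: return the length of the path. */
static int stub_fopen(const char *path)  { return (int)strlen(path); }
static int stub_fclose(const char *path) { return (int)strlen(path) + 1000; }

/* Replacement: prepend an assumed current directory, then call the original. */
static int (*orig_fopen)(const char *);
static int cwd_fopen(const char *path) {
    char full[64];
    snprintf(full, sizeof full, "/cwd/%s", path);
    return orig_fopen(full);
}

void build_image(FAKE_IMAGE *img) {
    memset(img, 0, sizeof *img);
    strcpy(img->dllname, "coredll.dll");          /* assumed module name */
    strcpy(img->names[0].Name, "fopen");  img->names[0].Hint = 0;
    strcpy(img->names[1].Name, "fclose"); img->names[1].Hint = 1;
    img->int_[0] = RVA(img, names[0]);
    img->int_[1] = RVA(img, names[1]);
    img->iat[0] = (THUNK)stub_fopen;
    img->iat[1] = (THUNK)stub_fclose;
    img->desc[0].Name = RVA(img, dllname);
    img->desc[0].OriginalFirstThunk = RVA(img, int_);
    img->desc[0].FirstThunk = RVA(img, iat);      /* desc[1] stays zero */
}

/* What the hooked program does: an indirect call through its IAT slot. */
int call_import(FAKE_IMAGE *img, int slot, const char *arg) {
    int (*fn)(const char *) = (int (*)(const char *))img->iat[slot];
    return fn(arg);
}

/* Returns before*100 + after: 5 (strlen "a.txt") before, 10 once the
 * hook routes the call through "/cwd/a.txt"; negative on a walk failure. */
int demo(void) {
    static FAKE_IMAGE img;
    THUNK old = 0;
    build_image(&img);
    int before = call_import(&img, 0, "a.txt");
    if (!hook_import(&img, RVA(&img, desc), "CoreDLL.DLL", "fopen",
                     (THUNK)cwd_fopen, &old)) return -1;
    orig_fopen = (int (*)(const char *))old;
    int after = call_import(&img, 0, "a.txt");
    if (hook_import(&img, RVA(&img, desc), "coredll.dll", "nosuch",
                    (THUNK)cwd_fopen, &old)) return -2;   /* must not match */
    return before * 100 + after;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

Build it with any C compiler; demo() returns 510. The exclude list that the later DeepHookImportedFunction signature in this thread takes would simply be a set of module names for which hook_import is not called.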
Beautiful~
You are genius~
Thank you.
Wow~
You are so beautiful~ ^_____^
Thank you.
I just wanted to start asking questions here... sweetlilmre, THANK YOU VERY MUCH!!!
excellent job~
thank you
Does anybody have an undoc.h created for Windows Mobile 6 (WinCE 5.x)? If not, where should I look for the undocumented type info?
Hi~ JKingDev
I once created undoc.h by referencing the "private" directory.
The "private" directory is installed with Platform Builder. (I used Platform Builder 5.0.)
If PB is installed, then C:\WINCE500\PUBLIC and C:\WINCE500\PRIVATE are created.
(I don't know the Windows Mobile 6.0 environment.)
p.s :
If you can translate Korean, then visit http://www.digipine.com/programming/1310.
This site has the attached file "WinCE_ARM_Hook.zip" (at the bottom).
It is not my post, maybe it is posted by "jung cheulwon".
Hi all,
first of all, thank you sweetlilmre for posting this.
Your solution works perfectly fine for platforms based on Win CE 5, e.g. Win Mobile 6.1 and Win Mobile 6.5.3.
However, unfortunately it does not work on Win CE 6 and Win CE 7.
I assume that this is due to changes in the memory architecture of Win CE 6 and higher.
Does anyone have a clue on how to port the "Deep IAT Hooking" solution on Win CE 6 and Win CE 7?
Some technical details on what I have tried so far...
Code:
PROC WINAPI DeepHookImportedFunction(
    LPCWSTR pwszModuleToHook,    // Module to intercept calls to
    LPCWSTR pwszFunctionToHook,  // Function to intercept calls to
    PROC    pfnNewProc,          // New function (replaces old function)
    LPWSTR* ppwszExcludeList     // List of module names to exclude from the hook
) {
    PROC pfnOriginalProc;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    PIMAGE_THUNK_DATA pThunk;
    PPROCESS pProcess;           // kernel process structure (from undoc.h)
    struct info inf;
    PMODULE pmods;
    LPVOID baseptr;
    BOOL bHooked = FALSE;

    SetKMode(TRUE);              // kernel mode is needed to read KData
    // Get current process struct from KData
    pProcess = KData.pCurPrc;
    // Get process import descriptor
    inf = pProcess->e32.e32_unit[IMP];   // <-- crashes here on CE 6 / CE 7
The program crashes (at the marked line) when I try to access the member pProcess->e32. This is because the structure pProcess is filled with zeros only.
This happens quite early in the implementation, therefore I didn't proceed very far. I still hope that somebody can help me out with this case.
Kind regards
Related
Hi Folks!
I'm trying to add GPS emulation to my navigation system, that is based on CellTracking via GSM.
Does anybody know how to create a virtual CommPort in eVC++?
I tried it with functions like ActivateDevice or RegisterDevice, but I always receive a zero handle:
Code:
#include <windows.h>   // RegisterDevice/DeactivateDevice come from the CE SDK headers

// Try to bring up "COM7:" backed by serial.dll; false on a NULL or invalid handle
bool virtPortOpen(HANDLE& HandleGiveAway)
{
    //HandleGiveAway = ActivateDevice(L"HKEY_LOCAL_MACHINE\\Drivers\\GPSvirt", 0);
    HandleGiveAway = RegisterDevice(L"COM", 7, L"serial.dll", 0);
    if ((HandleGiveAway == INVALID_HANDLE_VALUE) || (HandleGiveAway == NULL))
        return false;
    else
        return true;
}

// Tear the device down again using the handle RegisterDevice returned
int virtPortClose(HANDLE& GetHandle)
{
    return DeactivateDevice(GetHandle);
}
Did I use the right .dll file? Do I need to create my own .dll device driver with the DDK?
Please give me a hint!
Greetings,
Florian
http://www.eltima.com/products/virtual_drivers/
ELTIMA solution too expensive
cairo31male said:
http://www.eltima.com/products/virtual_drivers/
Thanks for the URL, but I think that this solution is much too expensive for a student!
Any other suggestions?
Greetings,
Florian
http://mamaich.kasone.com/rover/IrCOMM.rar
Archive contains a sample virtual COM-port driver. It is installed as a COM8 and after opening COM8 it redirects all data to COM1. You may modify the driver as you like.
Post of "mamaich"
mamaich said:
http://mamaich.kasone.com/rover/IrCOMM.rar
Archive contains a sample virtual COM-port driver. It is installed as a COM8 and after opening COM8 it redirects all data to COM1. You may modify the driver as you like.
In this archive is a C++ project which deals with infrared communication. I don't know what it has in common with creating a virtual CommPort. - Haven't you posted the right file?
When I tried to compile this project, I found out that it calls some functions not included in the header files, or anywhere else! Look here:
Code:
Compiling resources...
Compiling...
IrCOMM.cpp
C:\Dokumente und Einstellungen\Administrator.MCFLOWNNET\Eigene Dateien\Programmierung\eVC\IrCommEmu\IrCOMM.cpp(34) : warning C4800: 'int' : forcing value to bool 'true' or 'false' (performance warning)
C:\Dokumente und Einstellungen\Administrator.MCFLOWNNET\Eigene Dateien\Programmierung\eVC\IrCommEmu\IrCOMM.cpp(47) : warning C4800: 'int' : forcing value to bool 'true' or 'false' (performance warning)
C:\Dokumente und Einstellungen\Administrator.MCFLOWNNET\Eigene Dateien\Programmierung\eVC\IrCommEmu\IrCOMM.cpp(77) : warning C4018: '<' : signed/unsigned mismatch
StdAfx.cpp
Linking...
IrCOMM.obj : error LNK2019: unresolved external symbol closesocket referenced in function WinMain
IrCOMM.obj : error LNK2019: unresolved external symbol recv referenced in function WinMain
IrCOMM.obj : error LNK2019: unresolved external symbol select referenced in function WinMain
IrCOMM.obj : error LNK2019: unresolved external symbol send referenced in function WinMain
IrCOMM.obj : error LNK2019: unresolved external symbol __WSAFDIsSet referenced in function WinMain
IrCOMM.obj : error LNK2019: unresolved external symbol accept referenced in function WinMain
IrCOMM.obj : error LNK2019: unresolved external symbol listen referenced in function WinMain
IrCOMM.obj : error LNK2019: unresolved external symbol bind referenced in function WinMain
IrCOMM.obj : error LNK2019: unresolved external symbol setsockopt referenced in function WinMain
IrCOMM.obj : error LNK2019: unresolved external symbol socket referenced in function WinMain
ARMRel/IrCommEmu.exe : fatal error LNK1120: 10 unresolved externals
Error executing link.exe.
Please give me further information! - Thanks in advance!
Florian
Re: Post of "mamaich"
oops. Wrong archive. Should be http://mamaich.kasone.com/rover/RIL_hook.rar
it contains 2 projects:
Serial - a wrapper around the standard COM1 driver
seRILal - a virtual COM8 driver that creates COM8 and redirects all its IO to the first driver.
Re: Post of "mamaich"
mamaich said:
oops. Wrong archive. Should be http://mamaich.kasone.com/rover/RIL_hook.rar
it contains 2 projects:
Serial - a wrapper around the standard COM1 driver
seRILal - a virtual COM8 driver that creates COM8 and redirects all its IO to the first driver.
Sounds good. - Thanks!
I'll give it a try in the evening! - Too good weather here in Germany!
Florian
How to install virtual ports?
This project seems to be exactly what I was searching for! - Much thanks!
But I still have a question: how do I install the drivers? - Should I place a new key in the registry, and in that case, which values do I need to add?
When I try to load one of the drivers with RegisterDevice, I always receive a NULL handle.
Is it a problem that I have uninstalled the standard serial COM1? - But serial.dll still exists!
Greetings,
Florian
Re: How to install virtual ports?
This project comes from the Anextek SP230. It had a COM1 driver named xsc1_serial.Dll.
To install you should go to the registry and modify the COM1 driver to be serial.dll and manually add the COM8 driver to be seRILal.dll (you may choose any other COM port number).
In the case of the Imate the COM1 driver is com16550.Dll, so for this method to work you should recreate the import library from com16550.Dll and overwrite the Serial\serial.lib file with it. Otherwise your serial.dll would import functions from a nonexistent DLL and the system will crash.
Re: How to install virtual ports?
Well,
thanks very much for your explanations!
But I still have a problem: how do I edit the link to the "xsc1_serial.dll" in the .lib file?
Does it need to be rebuilt? - My problem is that I only have emVC++ without the DDK or Platform Builder! - It isn't available for free, I think!
Why is the .lib file needed? - Does it export the COM_Write etc. functions to the project?
Thanks in advance!
Florian
Re: How to install virtual ports?
Probably you don't need this file.
My project is hooking COM1 and makes the real hardware accessible by both COM8 and COM1. As far as I understand you are trying to add a new COM-port to the system that would emulate a GPS receiver. You should take seRILal project, remove Redirected_COM_* functions, remove serial.lib from the project and write your own implementation of My_COM_* functions (they would be exported as COM_* functions, look into serial.def file).
Read the MSDN library for information on this, but remember that it is incorrect in most function prototypes.
You should implement COM_Init (typically the driver reads its settings from the registry), COM_Open (allocate buffers, return a HANDLE for the opened port, which is typically a pointer to the allocated buffer), COM_Read (read data), COM_Write (write data), COM_Close (free the memory allocated in COM_Open). All other functions should be present, but they may do nothing (simply return "success"). You should later implement the COM_IOControl function, so that your driver correctly implements read/write timeouts. My code does not implement this. All timeouts are hard-coded.
My problem is that I only have emVC++ without the DDK or Platform Builder! - It isn't available for free, I think!
Everything is available for free (soft, beer, girls, etc.). At least in Russia.
A 120-day trial version of Platform Builder 4.20 is available for free from Microsoft.
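An added example (not from the RIL_hook.rar projects) of the driver shape mamaich describes, written as the GPS emulator Florian is after rather than a redirector: COM_Init builds the device context, COM_Open allocates the per-open state and frames one NMEA sentence with its checksum, COM_Read hands it out in whatever chunk size the caller asks for, COM_Write swallows everything and COM_IOControl refuses every code (so read timeouts are not implemented, as in mamaich's code). The CE types are typedef'd so the model builds on a host; on the device they come from <windows.h>, the COM_* functions are exported through the .def file and the DLL is registered under HKLM\Drivers. The GPRMC sentence, the registry key name and the navigation-program read loop in session_demo are constructed for the demonstration.

```c
/* Added example, not mamaich's driver: a host-buildable model of the CE
 * stream-driver entry points a virtual COM port exports, filled in as a
 * GPS emulator that replays one NMEA sentence. CE types are typedef'd
 * here; on CE they come from <windows.h>. Sentence and key are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uintptr_t DWORD;   /* CE's 32-bit DWORD carries pointers; uintptr_t keeps that on a 64-bit host */
typedef int BOOL;
typedef void *LPVOID;
typedef const char *LPCTSTR;
#define TRUE 1
#define FALSE 0

typedef struct { const char *body; } GPS_DEVICE;                   /* device context  */
typedef struct { GPS_DEVICE *dev; char line[96]; size_t len, pos; } GPS_OPEN; /* per-open state */

/* NMEA checksum: XOR of every byte between '$' and '*'. */
unsigned char nmea_checksum(const char *body)
{
    unsigned char c = 0;
    while (*body) c ^= (unsigned char)*body++;
    return c;
}

/* Frame body as "$<body>*HH\r\n"; returns bytes written, 0 if it does not fit. */
size_t nmea_frame(const char *body, char *out, size_t cap)
{
    int n = snprintf(out, cap, "$%s*%02X\r\n", body, nmea_checksum(body));
    return (n < 0 || (size_t)n >= cap) ? 0 : (size_t)n;
}

/* Receiver-side check a navigation program would do: framing plus checksum. */
int nmea_valid(const char *line, size_t len)
{
    if (len < 6 || line[0] != '$' || line[len - 2] != '\r' || line[len - 1] != '\n') return 0;
    const char *star = memchr(line, '*', len);
    if (!star || (size_t)(star - line) != len - 5) return 0;
    char body[96];
    size_t blen = (size_t)(star - line - 1);
    if (blen >= sizeof body) return 0;
    memcpy(body, line + 1, blen);
    body[blen] = '\0';
    unsigned hex;
    if (sscanf(star + 1, "%2x", &hex) != 1) return 0;
    return nmea_checksum(body) == hex;
}

/* COM_Init: run at ActivateDevice/RegisterDevice time; pContext is the driver's
 * registry key on CE. The model ignores it and fixes the sentence it replays. */
DWORD COM_Init(LPCTSTR pContext)
{
    (void)pContext;
    GPS_DEVICE *dev = calloc(1, sizeof *dev);
    if (!dev) return 0;
    /* constructed fix: the widely used GPRMC sample sentence */
    dev->body = "GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W";
    return (DWORD)dev;
}
BOOL COM_Deinit(DWORD hDeviceContext) { free((GPS_DEVICE *)hDeviceContext); return TRUE; }

/* COM_Open: allocate the per-open buffer; the returned value is the handle. */
DWORD COM_Open(DWORD hDeviceContext, DWORD AccessCode, DWORD ShareMode)
{
    (void)AccessCode; (void)ShareMode;
    GPS_OPEN *o = calloc(1, sizeof *o);
    if (!o) return 0;
    o->dev = (GPS_DEVICE *)hDeviceContext;
    o->len = nmea_frame(o->dev->body, o->line, sizeof o->line);
    if (o->len == 0) { free(o); return 0; }
    return (DWORD)o;
}
BOOL COM_Close(DWORD hOpenContext) { free((GPS_OPEN *)hOpenContext); return TRUE; }

/* COM_Read: hand out the framed line in any chunk size, restarting at '$' once
 * consumed. A real driver would block up to the timeout set via COM_IOControl. */
DWORD COM_Read(DWORD hOpenContext, LPVOID pBuffer, DWORD Count)
{
    GPS_OPEN *o = (GPS_OPEN *)hOpenContext;
    if (o->pos >= o->len) o->pos = 0;
    size_t n = o->len - o->pos;
    if (n > Count) n = Count;
    memcpy(pBuffer, o->line + o->pos, n);
    o->pos += n;
    return (DWORD)n;
}
/* The emulated receiver takes no configuration: report everything as written. */
DWORD COM_Write(DWORD hOpenContext, LPVOID pBuffer, DWORD Count)
{ (void)hOpenContext; (void)pBuffer; return Count; }
/* Timeouts, DCB and the rest are not implemented (as in the post): refuse all. */
BOOL COM_IOControl(DWORD hOpenContext, DWORD dwCode, unsigned char *pBufIn, DWORD dwLenIn,
                   unsigned char *pBufOut, DWORD dwLenOut, DWORD *pdwActualOut)
{ (void)hOpenContext; (void)dwCode; (void)pBufIn; (void)dwLenIn;
  (void)pBufOut; (void)dwLenOut; (void)pdwActualOut; return FALSE; }

/* Open the port, poll it in 8-byte reads until end of line, and return the
 * sentence length (70) if the stream was framed correctly, negative otherwise. */
int session_demo(void)
{
    char got[128];
    size_t n = 0;
    DWORD dev = COM_Init("HKEY_LOCAL_MACHINE\\Drivers\\GPSvirt");  /* hypothetical key */
    if (!dev) return -1;
    DWORD h = COM_Open(dev, 0, 0);
    if (!h) { COM_Deinit(dev); return -2; }
    while (n < sizeof got && (n == 0 || got[n - 1] != '\n')) {
        DWORD want = sizeof got - n < 8 ? sizeof got - n : 8;
        n += COM_Read(h, got + n, want);
    }
    COM_Close(h);
    COM_Deinit(dev);
    return nmea_valid(got, n) ? (int)n : -3;
}

int main(void) { printf("session_demo() = %d\n", session_demo()); return 0; }
```

The sentence comes out as "$GPRMC,...,W*6A\r\n", 70 bytes, and the consumer-side nmea_valid check is the same test a navigation program applies before trusting a fix, so a wrong checksum in the emulator shows up immediately instead of as silently ignored sentences.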
http://franson.biz/gpsgate/index.asp
Maybe you could look here.
Sorry I can't be any help but...
I've been thinking about CellTracking via GSM for a while now.
Most folk I've talked to in the UK tell me that it's not possible for a GSM device to discover its own position!?
Any links or pointers on tracking ?
Ideally I'd like to append the coordinates of the device on every post to the backend DB.
Cheers (and good luck with the comm port thingy!)
I need to create on my iPAQ 5550 a virtual comm port
Hi,
Have you solved your problem?
I am working on a robotics project and I have the same problem, but on an iPAQ 5550 under PPC2003.
I need to create a virtual comm port on my Pocket PC.
Because I receive GPS NMEA sentences by WiFi, I want to redirect them to this virtual port, and finally connect my regular GPS navigation software to this port.
Thanks
Laurent
FRANCE
http://ourworld.compuserve.com/homepages/richard_grier/CFSerial.htm
It seems DllMain won't run when a DLL is loaded by LoadLibrary in WM5.0.
The DLL is very simple, compiled by VS 2005 Beta 2, just a MessageBox in DllMain.
I load this DLL in another process using the API LoadLibrary. In the Windows Mobile 5.0 PPC emulator no dialog box appears, but you can see that dll.dll has been loaded with the Remote File Viewer. In the Pocket PC 2003 SE emulator everything is OK.
anybody has any idea about it?
Thanks
dll.cpp
#include "stdafx.h"
#include <windows.h>
#include <commctrl.h>

// Entry point; should run on every attach/detach notification once the DLL is loaded
BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved)
{
    MessageBox(NULL, L"11", L"22", 0);   // visible marker that DllMain ran
    return TRUE;
}
Hi,
There is no default entry point in a DLL. You are doing everything fine except you need to load the module (function) you want to call. I can't remember off hand the details but it's LoadModule.
Look through the documentation for calling a function in a DLL some more.
Paul
psneddon said:
Hi,
There is no default entry point in a DLL. You are doing everything fine except you need to load the module (function) you want to call. I can't remember off hand the details but it's LoadModule.
Look through the documentation for calling a function in a DLL some more.
Paul
Thanks for your reply.
I don't want to call any function, except the default entry point DllMain when loading the library.
There should be a default entry point in the DLL I compiled, because in WM2003 everything is OK (the MessageBox appears when loading or unloading the library).
DllMain worked in my programs in 2K5. Maybe your message box appears behind the Today window? I never tried MessageBox in DLLs, but CreateFile worked fine.
Oh right. Maybe I'm wrong - I always thought DLLs didn't have default entry points - I need to get reading the SDKs more.
Paul
mamaich said:
DllMain worked in my programs in 2K5. Maybe your messagebox appears behind today window? I never tried MessageBox in DLLs, but CreateFile worked fine.
Hi mamaich, what device are you using? Emulator?
I've tried another way: return TRUE or FALSE in DllMain, then check whether the DLL is loaded with the Remote Process Viewer.
In the WM5.0 emulator, DllMain's return value is ignored, the DLL is always loaded. And in the WM2003 emulator, the DLL can be loaded only if DllMain's return value is TRUE.
I've compiled the DLL with eVC4 and run it on XDA2 with WM5. That DLL was a part of a rather large project.
Maybe VS2005 produces incorrect DLLs?
mamaich said:
I've compiled the DLL with eVC4 and run it on XDA2 with WM5. That DLL was a part of a rather large project.
Maybe VS2005 produces incorrect DLLs?
The DLL should be OK, it works well on the PPC2003 emulator. I have also tried the DLL produced by eVC 4.0.
Seems it's my fault, I got it working on the WM emulator now.
Thanks for all.
I found it: DllMain doesn't run just because the DLL exports no function. After adding an unused function, the MessageBox appears when loading.
I don't have access to the shared source for Win CE 4.2 and I need a few #define values from the kernel header files. I am looking for the MID_GetMessageW, MID_PostMessageW, MID_SendMessageW and CreateWindowExW values. These are the indexes of the methods in the APISet function array kernel structures and they have changed implementation between 4.2 and 5.0. I can't seem to find an eval copy of the WinCE Platform Builder for 4.2; all that's out there is 5.0 and newer. Any help with the MID defines found in the Core OS header files would be much appreciated. It would be even better if someone could post all of the MID defines just in case I need to find another function.
In case you're wondering why I need these defines, I'm trying to hook into the GWE message-passing API for all processes so that I can intercept window messages and possibly inject my own.
Thanks in advance.
RG
I've been developing a MIDlet for some time now. I have the application working on both BlackBerry and Symbian. My problem is creating a DatagramConnection object on Windows Mobile. I have been trying to guess the connection string to use, as I have failed to find any documentation for the Java managers which I have at my disposal.
Currently I am testing with the Esmertec (Jeodek build 20060421-95649) manager on windows mobile 6. The connection strings I have tried so far are the following... (I have included the code which I use to test the connection string below)
datagram://test.com:22
udp://test.com:22
udpdatagram://test.com:22
What I would appreciate is if someone could either advise me on which protocol strings are available in the Esmertec manager or point me toward some documentation; I would be very thankful.
Thank you in advance for all responses.
Code:
// Probe one GCF connection string and log the outcome
// (needs import javax.microedition.io.Connection and javax.microedition.io.Connector)
private void test(String string) {
    log("trying ... " + string);
    try {
        Connection c = Connector.open(string);
        log("success!!");
        c.close();   // release the connection once the scheme is known to work
    } catch (Throwable e) {
        log("Failed: " + e.getMessage());
    }
}
I used Hsect2 a while ago to turn off WiFi and BT. Since then I have not been able to turn them back on.
I checked the installation of IOPERM.SYS; there is no problem. So I reinstalled Windows Vista and started all new. Still, the devices are not coming up anymore.
I then installed some cab files in SnapVue to test compatibility and guess what, SnapVue is stuck at the Windows Mobile boot screen.
I tried to use ECshift and Hsect2 to get into bootloader mode and hard reset SV.
But it doesn't work.
The EC of my Shift doesn't react to my commands, neither in Bash nor in DOS box.
- Is your touchscreen working?
- Is your vista installation from the recovery partition or a new installation from a vista DVD? (I ask because I've seen some of your posts asking for a recovery partition and drivers).
- Can you post a screenshot of your device manager?
pof said:
- Is your touchscreen working?
- Is your vista installation from the recovery partition or a new installation from a vista DVD? (I ask because I've seen some of your posts asking for a recovery partition and drivers).
- Can you post a screenshot of your device manager?
Hey Pof...
my installation is not from the recovery partition. It was not possible, since the XVista.wim is broken.
My touchscreen is not working either.
Which point in the device manager do you want to see?
No exclamation marks.
Most probably you have installed a driver which is blocking i/o port access to 0x250-0x251, 0x68 and 0x6c. Those are the i/o ports used by the touchscreen and EC Controller. Check for properties of the device drivers you have installed and remove those "taking" these ports.
If that does not help, to make sure the EC controller is not really screwed you have two options:
a) find someone willing to share his recovery partition with you
b) install Linux and try if the EC Controller and the touchscreen are responsive there.
pof said:
Most probably you have installed a driver which is blocking i/o port access to 0x250-0x251, 0x68 and 0x6c. Those are the i/o ports used by the touchscreen and EC Controller. Check for properties of the device drivers you have installed and remove those "taking" these ports.
If that does not help, to make sure the EC controller is not really screwed you have two options:
a) find someone willing to share his recovery partition with you
b) install Linux and try if the EC Controller and the touchscreen are responsive there.
I will get right on it and install ubuntu.
I opened a fast FTP (100mbit up and down), its permanent. If someone want to upload Shift images and stuff, no problem. Have a few TB free
pof said:
Most probably you have installed a driver which is blocking i/o port access to 0x250-0x251, 0x68 and 0x6c. Those are the i/o ports used by the touchscreen and EC Controller. Check for properties of the device drivers you have installed and remove those "taking" these ports.
If that does not help, to make sure the EC controller is not really screwed you have two options:
a) find someone willing to share his recovery partition with you
b) install Linux and try if the EC Controller and the touchscreen are responsive there.
0x250-0x251 and 0x68-0x6c are used by Intel 82801GBM ICH-M LPC Interface.
I uninstalled it and disabled the device. ECshift says " Cant open EC"
err... you have disabled the LPC (low pin count) bus, which connects "legacy" I/O devices to the CPU. You should better keep it, otherwise it won't be possible to have I/O access to the EC controller.
pof said:
err... you have disabled the LPC (low pin count) bus, which connects "legacy" I/O devices to the CPU. You should better keep it, otherwise it won't be possible to have I/O access to the EC controller.
That's what I thought. I was under the impression that the guys using XP cannot get their touchscreen working because the LPC shows up as "Unknown Device".
I guess I better wipe the disk and try ubuntu. See what happens.
I had some time tonight to install Ubuntu. Now I could activate everything again and I will keep ubuntu for a while.
However, I still cannot hard reset SnapVue
aquasesh said:
However, I still cannot hard reset SnapVue
I haven't found the EC values for hard reset yet, that's why hsect2 doesn't have this option. I will not have much time during this week, but it's on my TO-DO list
pof, is there a way to increase the frequency of the touchscreen? Its very slow and jerky, the cursor jumps while dragging.
I tried playing with TouchKit, but nothing much changed.
aquasesh said:
pof, is there a way to increase the frequency of the touchscreen? Its very slow and jerky, the cursor jumps while dragging.
I tried playing with TouchKit, but nothing much changed.
install a kernel debugger in vista (ie: syser) and figure out the correct initialization values to change the irq triggering speed. It's also on my TO-DO list
pof said:
install a kernel debugger in vista (ie: syser) and figure out the correct initialization values to change the irq triggering speed. It's also on my TO-DO list
Pau, your to-do list is very long.
But I am really thankful and I know everyone else appreciates your hard work.
I will donate some money, since I cannot buy you SERVECA
Thanks, we spell it "cerveza"
aquasesh said:
However, I still cannot hard reset SnapVue
Just had a thought:
Put it in bootloader mode (hsect2 -b) and then use HTCFlasher to connect to the bootloader Cmd prompt. There just type "task 28" and hit enter.
This will do a Hard Reset on SnapVue
pof said:
Just had a thought:
Put it in bootloader mode (hsect2 -b) and then use HTCFlasher to connect to the bootloader Cmd prompt. There just type "task 28" and hit enter.
This will do a Hard Reset on SnapVue
Thanks for the advice. Now I really owe you one.
Worked perfect.
Now, Linux is just a little slow.
aquasesh said:
Thanks for the advice. Now I really owe you one.
Worked perfect.
Now, Linux is just a little slow.
heh, I'd have to kill you for not reading - you said you tried ecshift and my ecshift thread describes how to do task 28!
pof said:
I haven't found the EC values for hard reset yet, that's why hsect2 doesn't have this option. I will not have much time during this week, but it's on my TO-DO list
I have two different ioctls to do it, neither works.
One was taken from vistadiag - then tested, and it is broken in vistadiag too. This one would not hard reset though if WM is not fully booting, as it sends the COLDBOOT string to the WM-side EC driver.
The other is from the HTC official software (don't know if this one hard resets if WM is not booting, but I doubt it, as I didn't find anything in the SPL that'd look for a GPIO or anything; the normal hard reset function is simply edited out of the SPL, you only have task 28). That doesn't work either. I checked in the debugger and my ioctl params are correct, but I must be missing something, because this HTC software definitely isn't broken.
I also looked at the software that HTC published on the support site to hard reset Windows Mobile. From the DLL disassembly I found the IOCTL, which also didn't work in my tests, so I tried to do some brute-forcing with this code (look at the hsect2 source code for the defines of the wsio() macro and EC_PORT_INIT).
Code:
void ClearWMStorage()
{
    int len = 0xc;
    int checklen = 0xe;
    int clearstorage = 0x80;
    int i, checksum;
    int total = 0;
    /* the initial value should be something between 0xa and 0x29 */
    //int val = 0x0;          // switches to CE and asks for PIN (does it work always?)
    //int val = 0x1 to 0x9;   // does nothing
    //int val = 0xa;          // hangs EC controller
    //int val = 0xb to 0xf;   // does nothing
    // issued a soft-reset after trying 0xc - nothing changed
    //int val = 0x10 to 0x1f; // does nothing
    // issued a soft-reset after trying 0x1f - nothing changed
    //int val = 0x20 to 0x2f; // does nothing
    // issued a soft-reset after trying 0x2f - nothing changed
    int val = 0x0;

    // command block written to the EC: length, check length, "clear storage" code, 8 payload bytes
    wsio(0x20, len);          // mov byte ptr [esp+44h+var_44]
    wsio(0x21, checklen);
    wsio(0x22, clearstorage);
    for (i = 0; i < 8; i++) {
        wsio(0x23 + i, val + i);
        total += val + i;
    }
    // checksum: 0x200 minus the sum of every byte written above
    checksum = 0x200 - (len + checklen + clearstorage + total);
    wsio(0x2b, checksum);
    outb_p(0xa1, EC_PORT_INIT);   // tell the EC to process the block
}
However, after trying all possible values I'm still unable to hard reset WinCE. I think we must be missing something obvious here, but don't know what.
cmonex said:
heh, I'd have to kill you for not reading - you said you tried ecshift and my ecshift thread describes how to do task 28!
Don't kill me... pleeeease... Actually, I tried ecshift, but it gave me an error and couldn't establish a connection to SnapVue.
Sadly, I didn't try it under Linux... only XP and Vista...