I want to modify the messaging program but I've not done any WM coding before. I've looked at a number of posts on the forum and taken a look at the wiki but I'm still totally confused about where to start.
My current view is that I need to:
1. Extract the messaging program from the ROM I'm using
Is this possible? If so, what tools do I need? I found a few utilities that look promising on the wiki but there is no documentation for them so I've got no idea how to use them.
2. Disassemble the program
Can I do this with Visual Studio? Ideally I would like to step through the execution to find the bits I need to change, can I do that with the extracted program in the WM emulator? Or can I do it directly on my PDA?
3. Patch the program
I can probably figure this bit out by myself.
4. Get the patched program onto my PDA
As the program is in ROM, I'm assuming I'll have to re-make the ROM. Or can ROM files be updated/overwritten without rebuilding the ROM?
Each of those steps is assuming the previous one is the correct approach and is actually possible. I'm not looking for hand holding at every step, just some good pointers to relevant information and tools. Thanks.
0. Which program do you want to hack?
1. What type of PDA do you use?
for example - for hx4700 -
prepare_imgfs.exe dump.dat
viewimgfs.exe imgfs_raw_data.bin
2. IDA - disassemble, or Visual Studio for debugging - if you know how
3. What type of PDA do you use?
for example - for hx4700 - like vivi kitchen.
4. ...
Thanks for your reply.
0. Which program do you want to hack?
The messaging program, is it called Outlook Mobile? Do you know if it is native or managed code? If not, what's the easiest way to tell?
1. What type of PDA do you use?
for example - for hx4700
I've got a Kaiser. Currently running "udK 8.0 R0 Vega" ROM (WM6.1). Forgot to mention that in my previous post.
IDA - disassemble, or Visual Studio for debugging - if you know how
Does IDA support remote debugging on Windows Mobile? Also, are there any restrictions on what you can debug in VS, ie. do they stop you from debugging things you don't have the source for or are Microsoft applications (eg. Outlook) restricted from debugging in some way?
I'm finding it really hard to get decent information on these kinds of things. If I actually manage to get anywhere with this then I'll write up some kind of guide for the wiki.
Ok, I've used this tool to extract the ROM and get a file called 00_OS.nb. I then got these tools and managed to dump the NB file so that I now have all of the files inside the ROM.
I've been playing about with IDA but when I try and run poutlook.exe in the debugger, it runs but exits straight away (ie. it doesn't create a window on the PDA). I tried copying poutlook.exe onto my device but it doesn't run, I think I need to get it running from the exe before I do anymore IDA stuff. I remember reading somewhere that executables in the ROM image have been manipulated in some way (addresses rewritten or relocated or something), is that what is affecting it? Or do I need to run some additional tool on the extracted exe before it will run standalone?
How do I get an executable extracted from the ROM to run on my device? Or do I have to roll it all up into a ROM for it to work?
Hello ,
I'm a newbie and have used the introductions on http://wiki.xda-developers.com/wiki/HimalayaLinuxBooting to boot Linux on my Himalaya. Unfortunately the dialog "Launch a script file. Default ..." pops up when I tap on HaRET-0.3.2d.exe. I can't connect to port 9999 either.
Please Help me
Thanks
Hi snowdrop,
the dialog means that your prepared script file hasn't been found and executed. This could be because you misspelled the name. Keep in mind that all filenames have a 3-letter extension which is not visible in Windows. I.e. if your File Explorer says "startup.txt" the filename is "startup.txt.txt".
Or maybe you installed the startup script in a different directory than HaRET. IMHO it's easiest to install all 4 files (haret, startup, kernel, initrd) in a separate dir under \Storage where you don't have to reinstall it after a reboot.
Don't hesitate to ask further if this doesn't answer your question.
Matthias
Hallo noone,
thanks for your reply. I copied all necessary files under "\Storage Card\". The filename is "setup.txt" (the file explorer says startup without extension but I'm sure it is named startup.txt through my ActiveSync under Windows). All files are under "\Storage Card\" (also the HaRET-0.3.2d.exe and startup.txt files). :roll:
Greets
Hi snowdrop,
I'm not really sure about that. It works for me all the time.
Maybe you can track down the problem with a network connection. You have to disable ActiveSync on your host PC and to start a connection with SynCE. This requires usbserial and ipaq as well as ppp loaded into the kernel. When you cradle the himalaya you should get a message from usbserial about the attached device (usually /dev/ttyUSB0).
After synce-serial-configure (root), dccm (user) and synce-serial-start (root) the Himalaya should display the connection sign in the bottom bar. Be careful: ActiveSync on the Himalaya may or may not try to start a GPRS session. This can become expensive sometimes.
After establishing the PPP connection from PC to Himalaya you connect to port 9999 (refer to SynCE's documentation about the IP addresses). Then you can enter the commands of the startup.txt script line by line.
HTH
Matthias
Hello Matthias,
what is SynCE? I'm using Windows as host PC.
Are synce-serial-configure (root), dccm (user) and synce-serial-start Linux Tools??? :?:
Thanks
Ok,
after some hard work (and hardware reset), I'm now able to see the penguin (with red eyes and red thermometer). But then nothing happens.
Actually I thought, that there is also a graphical user interface for linux. Now my question:
Do you ONLY remote login into your linux and have JUST a console application? Or have you also GUI applications and a desktop under linux for himalaya at the time.
Thanks for your answers
it will of course never run any Linux applications not compiled for it
like Windows CE will not run PC Windows applications
if you can find a kernel compiled for it
you can use it, otherwise you'll have to compile your own
the same goes for a version of X11 and any other applications you may wish to run
though in the world of Linux source code is much easier to come by and compile yourself than it is under Windows
Hi,
can you give some useful links about Linux applications on PDA?
I very much want to run Linux on my Himalaya.
haven't really messed with it
here is another distro for XDA, not sure if he ever got finished with it
http://www.pigeond.net/photos/xda-linux/
haven't kept up on it really
what you have to look for is pretty much
applications for the ARM CPU
and you can also look for Linux for iPAQ and other PDAs which use the ARM CPU, they would also run on the XDA
but I haven't really kept up to date about the whole project
so I don't know how far any of the projects have gotten
and I don't know how many applications can be ported because of graphical limits in the desktop manager like glib
but I'm sure there must be others in this forum who mess around with these things
Maybe the guys at handhelds.org could give you some more info, got lots of help getting linux running on my ipaq 5550 (never quite got it working to my liking though)
Hi
Sorry if this post is not in the right place. I am in great need of help. I am a mobile software developer. A client who is into automation contacted me. The client has a control application that he would like to start up whenever the Pocket PC starts. This itself is not a problem, since you can simply create a registry key to handle this. The problem comes in that the application must still start even if the battery has been drained completely and the device starts like it does after a hard reset.
From what I have read, it is possible to create a custom ROM image that contains the key described above. The application could be stored in the backup storage area of the ROM.
I have looked at tools to edit the .nbf files that are available with the ROM updates for the pocket pc from the manufacturer (HP iPAQ running WM2003SE), but I cannot find a clear answer, and my knowledge of Unix is bad at best.
Any help and suggestions from anyone on how to edit the .nbf file or any other method to manage this would be greatly appreciated.
Thanks in advance.
Riaan
Hi,
Just an util I got together in no time.
Rapi Enabler, certificate disabler.
Enable all the security on your Windows Mobile 5 phone.
Credits to the author of the ce remote tools.
Instructions:
1. Download the attached file (you have to be logged into xda-dev);
2. Extract it somewhere in your computer
3. Connect your phone via activesync
4. Run the EnableRapi.bat (on your computer)
5. Done.
Have fun,
Ricardo
How does it differ from this CAB file I pulled off the HTC Apache?
I use this in my Extended ROM so that I can run unsigned applications, CAB files, and CPF files during the initialization procedure after a hard reset.
Hi BTT,
This is based on that exact cab. The only difference is enabling RAPI calls also, and doing it without needing user interaction, only needing an ActiveSync connection.
It is a little utility I use for integration into batch files.
Bye,
Ricardo
Certificate disabler..
Probably a dumb question, but is it a replacement for certchk on 2003 devices? Still looking for such a program.
Thx
Thanks Machinegod, this worked well. I used it on an XDA Exec; will it work with all WM5 devices?
Hi Machinagod
Is there a way i can call your routine from code?
I have developed software for WM5 but cannot access the database with the standard MS settings. I would like to give my users the option to unlock the rapi calls and install automatically.
Thanks in advance
Steve
ronaldovic said:
Certificate disabler..
Probably a dumb question, but is it a replacement for certchk on 2003 devices? Still looking for such a program.
Thx
to ronaldovic: I believe this utility is for disabling signed applications so you can install apps that have not been signed. I have used BTT's cert cab in my extended ROM since he posted it (Thanks BTT, it has been very useful).
If you are looking to disable the cert check so you can ActiveSync with MS Exchange without an SSL certificate connection, Micro$oft still offers a download to disable the cert sync check.
see http://www.microsoft.com/downloads/...b8-8b3a-4f1d-8e94-530a67614df1&displaylang=en
Miracle Registry
I checked many registries of "Security policies" in different devices, and also the SDK.
http://asukal.seesaa.net/article/12583144.html
You can understand how to change it for your necessity.
This was for your reference.
And also I made one registry file which has many "Certificate Store" entries
from devices with different settings, CABs and the SDK Emu.
This registry makes your device able to run many kinds of dll and exe or any other files without a digital signature (not all).
Multi user interface files also can take effect without digital signatures.
(shellress still can not, but worked with Smartphone signature)
The security level will be the same or lower than the SDK emu.
But it is not completely finished being edited,
so there is a possibility of some side-effect or unknown problem.
Hope you understand this point and use it as a test.
But once you use this registry, you will understand why I call it a miracle.
Just import this registry and do a soft reset.
"syntac error" is displayed when you import this, but it works. I will be checking the reason for this error.
Let's test it.
Re: MachinaGod RAPI Unlocker - certificate disable on WM5 v0
I tried to use it on my new Jamin but nothing happens.... The program still does not work.
Please, I'm a newbie, can you help me?
Thanks a lot
Hi MachinaGod,
Could you tell me please what exactly this RAPI unlocker is doing? Is it possible to undo it? RAPI locker or something? Is there any security threat after you execute this program?
Thank you!
cingular
please tell me what tool can unlock (simlock) my cingular 8525, Thank you very much!
unlocking spv m1500
hello,
i tried the RAPI unlocker but it did not work,
could it be because my Pocket pc is running 2003 CE?
hi
can someone send me the file so I can download it please
and one question: does this unlock my simlock???
htc 8125 need help please
machinagod said:
Hi,
Just an util I got together in no time.
Rapi Enabler, certificate disabler.
Enable all the security on your Windows Mobile 5 phone.
Credits to the author of the ce remote tools.
Instructions:
1. Download the attached file (you have to be logged into xda-dev);
2. Extract it somewhere in your computer
3. Connect your phone via activesync
4. Run the EnableRapi.bat (on your computer)
5. Done.
Have fun,
Ricardo
I have an HTC 8125 and tried your method and it never gave me a code, but when I put my SIM card in it says sim lock and unlock? Explain how to unlock this d$$m phone. It is a Cingular phone but I don't have that service. It is version 2.25
We need to update one of our old pocketpc programs to Windows Mobile. It's a pretty simple program, but I'm not a C#/VB programmer.
For a visitor center we give the visitors a PDA with a flash interface. The only thing the wrapper needs to do is:
Play a flash7 file Fullscreen (regardless of resolution on screen)
Disable all hardware keys (but send to flash) and flash right click if possible.
Receive quit & reset command from Flash
Flash Lite is not an option as we use flash communication server for all communication.
This was no problem for PPC2003, but the old program does not work in WM5/6. Since we have simplified our wrapper functionality I thought it would be simple to create a new flash wrapper. I can preinstall the flash7 plugin.
Option 1: I've managed to get a C# file running if I embed IE and let that open an HTML page with a swf, but I still need to block all hardware keys and flash right click. I've tried several things, but nothing works. It also seems like using IE in between is a bad solution. Embedding the flash player directly by adding it as a reference like the VB example below.
Option 2: In VB, if I add the flash.dll (extracted from cab file) as a reference and run the following code:
Code:
Dim FlashObj As New ShockwaveFlashObjects.ShockwaveFlash
FlashObj.Movie = "main.swf"
I don't get an error, but I also don't get a visible flash file...
Any ideas? I know several people need to play flash files on wm5/6 as Zinc and other commercial wrappers don't support it.
I would pay for a product like this
Hi,
I extracted several executables (EXEs and DLLs) from the firmware image of a WinCE6 device.
In addition to that, I also built my own WinCE6 image with VS2005 that is running in the Device Emulator.
Now, what I'm planning to do is copy some of the extracted executable files to my emulator image and run them there.
For instance, it already worked to copy the "zlib.dll" to the emulated image and then load it with some customly written code.
However, this only works for a few DLLs. Most of them just crash.
I believe this is because of the memory mapping.
As you might know, WinCE6 has its own address space for shared libraries.
Typically they are loaded to the 0x40000000 region whereas libraries that are not shared are loaded to the address space of the application itself (i.e. 0x100000000 region).
While the DLLs from my own image mostly map to the 0x100000000 region, most of the extracted DLLs are loaded to the shared memory region which seems to cause problems.
Initially, the extracted zlib.dll did not work in the emulator image either.
However, increasing the RAM size of the emulator image did the trick.
Yet, the emulator supports at most 256MB of RAM. So further increasing the RAM size for DLLs that do not work yet is not an option.
Did anyone else try to run extracted binaries in an emulator environment ?
My ultimate goal is to run these extracted executables inside my emulated environment, so that I can debug and reverse engineer the code.
Is it possible to change the memory mapping of a DLL so that, instead of being loaded to the 0x40000000 shared region, it is loaded to the process space ?
There is a nifty freeware PE editor called CFF Explorer currently version VII.
http://www.ntcore.com/exsuite.php
One of the options under the Rebuilder tab is to change the Image Base of an object and rebuild it.
Make sure you are only doing this to a copy of your DLL. It's a long shot but it may work.
Good Luck.
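An added example, not part of the original posts: before editing a DLL's Image Base as suggested above, a short script can read the PE headers and report the machine type, the current ImageBase and whether relocation data is present, since changing the base is only meaningful when the absolute addresses in the file can be fixed up. The function names and the sample header values are assumptions constructed for the demo.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0x01C2: "ARM Thumb"}
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED flag in Characteristics
DIR_BASERELOC = 5         # data directory index of the base relocation table


def pe_rebase_info(data: bytes) -> dict:
    """Read machine type, ImageBase and relocation status from PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:    # PE32: 32-bit ImageBase at +28, directories at +96
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at +24, directories at +112
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (ndirs,) = struct.unpack_from("<I", data, count_off)
    reloc_size = 0
    if ndirs > DIR_BASERELOC:
        _, reloc_size = struct.unpack_from("<II", data, dirs_off + 8 * DIR_BASERELOC)
    stripped = bool(chars & RELOCS_STRIPPED)
    return {
        "machine": MACHINES.get(machine, f"unknown ({machine:#06x})"),
        "image_base": image_base,
        "relocs_stripped": stripped,
        "reloc_dir_size": reloc_size,
        # Without relocation data, absolute addresses cannot be fixed up
        # after the base changes, so editing ImageBase alone breaks the file.
        "rebasable": not stripped and reloc_size > 0,
    }


def make_sample(machine: int, image_base: int, chars: int, reloc_size: int) -> bytes:
    """Constructed PE32 headers (no sections), used only as demo input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, 0x5000, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed values: an ARM DLL based in the 0x40000000 region, relocs stripped.
    print(pe_rebase_info(make_sample(0x01C0, 0x41230000, 0x2001, 0)))
```

For a real file, pass its bytes (for example `open(path, "rb").read()`) to `pe_rebase_info`; always work on a copy of the DLL.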
Hi,
stephj said:
There is a nifty freeware PE editor called CFF Explorer currently version VII.
One of the options under the Rebuilder tab is to change the Image Base of an object and rebuild it.
cool, thanks !
I just tried it, but unfortunately the "New Image Base" functionality is greyed out.
I guess it's because the DLL I'm trying to change is not for x86_32/x86_64, but for the ARM platform.
Do you also debug WinCE stuff ?
I'm currently trying to get IDA Pro working with WinCE.
It seems to have debug support through ActiveSync.
The 5x5 and Life programs listed in my signature both have a separate CE version, but they were ported over to CE after I had shaken all the bugs out of the WinMo version in the WinMo Emulator and on the device itself.
The CE versions were only tested on the CE emulator, and given a quick spin round the block to make sure it all works. I do not have a 'real' CE device to test them on.
I have a copy of IDA Pro, but is only the freeware version, not the full blown paid-for versions. I don't know whether the free version has full CE debug support, I'll have to have a try sometime.
Testing in CE-Emulator is not enough at all
stephj said:
The CE versions were only tested on the CE emulator, and given a quick spin round the block to make sure it all works. I do not have a 'real' CE device to test them on.
Probably these CE-Emulator tests were not enough at all, because for example your SUDOKU does NOT work properly on my 800x480px sized unit based on CE 6.0 Professional. FileDialogs not populated, etc pp
Do not worry, I am mainly playing flash games, IMHO the better type of gaming applications ...
Only 5x5 and Life have versions specifically built using the Windows CE SDK.
The others don't, as they were built using the Windows Mobile SDK.
Is it really surprising that it looks crap or doesn't work properly, if you try and run it under the wrong platform?
Likewise, CE versions look crap when run under Windows Mobile.