I ran the latest version 0.36 on my Mio8390, which uses a PXA262 processor
running Smartphone 2003.
When I started haret I got an error message:
EXCEPTION reading coprocessor 15 register 0
twice.
And the detected CPU type is unknown.
Anyway, I could start the application and open a TCP port.
Here is the result of dump cp(0) :
c00: ffffffd2 | c08: ffffffd2
c01: ffffffd2 | c09: ffffffd2
c02: ffffffd2 | c10: ffffffd2
c03: ffffffd2 | c11: ffffffd2
c04: ffffffd2 | c12: ffffffd2
c05: ffffffd2 | c13: ffffffd2
c06: ffffffd2 | c14: ffffffd2
c07: ffffffd2 | c15: ffffffd2
And here is the result of dump mmu:
----- Virtual address map -----
Descriptor flags legend:
C: Cacheable
B: Bufferable
0..3: Access Permissions (for up to 4 slices):
0: Supervisor mode Read
1: Supervisor mode Read/Write
2: User mode Read
3: User mode Read/Write
Error: EXCEPTION reading coprocessor 15 register 2
MMU 1st level descriptor table is at FFFFC000
Virtual | Physical | Descr | Description
address | address | flags |
----------+----------+---------+-----------------------------
Error: EXCEPTION CAUGHT AT MEGABYTE 0!
ffffffff | | | End of virtual address space
It seems that haret is having problems trying to read the CPU registers;
what could be the problem?
So does it mean that I have to patch the source of haret before I can use it on a smartphone?
Or is it because of smartphone security policies? Something about user mode / kernel mode in
wince?
I'm quite a noob, but I think I have to know what to read first before I start reading books. Any info or help is appreciated.
> aybabtu said:
> I ran the latest version 0.36 on my Mio8390 which is using a PXA262 processor
> running smartphone 2003.
> When I started haret I've got an error message :
> EXCEPTION reading coprocessor 15 register 0
> ...
> Any info or help is appreciated.
You can try to add this code to the assembler file
and call the functions directly. Worked for
me with wince2.11, where I also had problems:
export |cp15_0|
|cp15_0| proc
mrc p15, 0, r0, c0, c0, 0 ; CP15 c0: ID code register -> r0 (return value)
mov pc, lr ; return
endp
export |cp15_2|
|cp15_2| proc
mrc p15, 0, r0, c2, c0, 0 ; CP15 c2: translation table base -> r0
mov pc, lr ; return
endp
export |cp15_13|
|cp15_13| proc
mrc p15, 0, r0, c13, c0, 0 ; CP15 c13: process ID register -> r0
mov pc, lr ; return
endp
> aybabtu said:
> I ran the latest version 0.36 on my Mio8390 which is using a PXA262 processor
> running smartphone 2003.
Don't forget to post at least the 'dump gpio', FB address,
'dump mmu' and 'pd 0x41300004 4' here when
haret works
> cr2 said:
> ... 'dump gpio', FB address,
> 'dump mmu' and 'pd 0x41300004 4'
Thank you for your help.
I signed the code with a privileged certificate, then dump gpio and
physical address worked.
Code:
#dump gpio :
GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER
------------------+-------------------+-------------------+------------------
0 I 0 0 FE | 21 I 0 0 | 42 I 1 1 | 63 I 1 0 FE
1 I 0 0 RE FE | 22 O 1 0 | 43 O 1 2 | 64 O 1 0
2 I 0 0 RE | 23 O 0 0 | 44 I 1 1 | 65 O 1 0
3 I 0 0 RE FE | 24 O 0 0 | 45 O 1 2 | 66 O 1 0
4 I 0 0 RE | 25 O 0 0 | 46 I 1 2 | 67 I 1 0 FE
5 I 1 0 FE | 26 I 1 0 | 47 O 1 1 | 68 I 1 0
6 O 0 1 | 27 I 1 0 | 48 I 1 0 | 69 I 0 0
7 I 1 0 | 28 I 1 1 | 49 O 1 2 | 70 I 1 0
8 O 1 1 | 29 I 0 1 | 50 O 1 0 | 71 I 1 0
9 I 1 0 | 30 O 0 2 | 51 O 0 0 | 72 I 1 0 FE
10 I 1 0 FE | 31 O 0 2 | 52 I 1 0 | 73 O 1 0
11 I 1 0 | 32 I 1 0 | 53 I 1 0 | 74 O 0 0
12 I 1 0 RE FE | 33 O 1 2 | 54 O 0 0 | 75 O 1 0
13 I 0 0 RE FE | 34 I 1 1 | 55 O 1 0 | 76 O 0 0
14 I 0 0 RE FE | 35 I 0 1 | 56 O 0 0 | 77 O 0 0
15 O 1 2 | 36 I 0 0 | 57 I 1 0 | 78 O 1 2
16 I 1 0 | 37 I 0 1 | 58 O 0 0 | 79 I 1 2
17 O 1 2 | 38 I 0 0 | 59 O 0 0 | 80 O 1 2
18 I 1 1 | 39 O 1 2 | 60 O 1 0 | 81 I 1 1
19 O 1 0 | 40 O 0 0 | 61 O 1 0 | 82 O 1 1
20 O 1 0 | 41 O 0 0 | 62 O 1 0 | 83 I 1 2
#pd 0x41300004 4 :
41300004 | 00017bef | .{..
(What is so special about these four bytes?)
Then I tried to apply your code, but I don't know where I should call those functions. I tried calling them right before cpuDetect() or putting them inside cpu-pxa.cpp and calling them before cpuGetCP(), same effect.
The error message box doesn't show up, but there is no message in the wince-side console (detected cpu type),
then the same exception shows up when I telnet to it and when I dump any cp other than cp0.
> phrack #63 - Hacking Windows CE said:
> ...
> ; SetProcessorMode.s
> AREA |.text|, CODE, ARM
> EXPORT |SetProcessorMode|
> |SetProcessorMode| PROC
> mov r1, lr ; different modes use different lr - save it
> msr cpsr_c, r0 ; assign control bits of CPSR
> mov pc, r1 ; return
> END
> ...
> Most Pocket PC ROMs were built with the Enable Full Kernel Mode option, so all applications appear to run in kernel mode. The first 5 bits of the Psr register are 0x1F when debugging, which means the ARM processor runs in system mode. This value is defined in nkarm.h:
> // ARM processor modes
> #define USER_MODE 0x10 // 0b10000
> #define FIQ_MODE 0x11 // 0b10001
> #define IRQ_MODE 0x12 // 0b10010
> #define SVC_MODE 0x13 // 0b10011
> #define ABORT_MODE 0x17 // 0b10111
> #define UNDEF_MODE 0x1b // 0b11011
> #define SYSTEM_MODE 0x1f // 0b11111
> ...
I guess smartphone is a little bit different from pocketpc?
Oh, btw, I had to specify the address 0x81a00000 when I dumped the
ROM using itsme's pmemdump, so does it mean that 0x81a00000 is mapped to 0x0?
I'd better start reading the ARM reference manual.
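The 'dump gpio' table above is what cr2 reads later in the thread to tell which on-chip controllers the ROM uses (pins in an alternate function) and which pins are wired as interrupt sources. Here is a small parser for that table, added as an example and not part of haret or of anyone's post; the input is the table aybabtu posted, embedded verbatim so it runs offline. The column meanings (D = direction, S = level, A = alternate-function number, INTER = armed edges) are taken from the haret header line; the GPIO 58-77 range used in the usage note is the PXA25x/26x LCD controller pin block as given in Intel's manual, which the thread does not state.

```python
"""Parse haret's 'dump gpio' output (PXA GPIO state) and summarise it."""

# Table exactly as aybabtu posted it in this thread.
GPIO_DUMP = """\
GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER
------------------+-------------------+-------------------+------------------
0 I 0 0 FE | 21 I 0 0 | 42 I 1 1 | 63 I 1 0 FE
1 I 0 0 RE FE | 22 O 1 0 | 43 O 1 2 | 64 O 1 0
2 I 0 0 RE | 23 O 0 0 | 44 I 1 1 | 65 O 1 0
3 I 0 0 RE FE | 24 O 0 0 | 45 O 1 2 | 66 O 1 0
4 I 0 0 RE | 25 O 0 0 | 46 I 1 2 | 67 I 1 0 FE
5 I 1 0 FE | 26 I 1 0 | 47 O 1 1 | 68 I 1 0
6 O 0 1 | 27 I 1 0 | 48 I 1 0 | 69 I 0 0
7 I 1 0 | 28 I 1 1 | 49 O 1 2 | 70 I 1 0
8 O 1 1 | 29 I 0 1 | 50 O 1 0 | 71 I 1 0
9 I 1 0 | 30 O 0 2 | 51 O 0 0 | 72 I 1 0 FE
10 I 1 0 FE | 31 O 0 2 | 52 I 1 0 | 73 O 1 0
11 I 1 0 | 32 I 1 0 | 53 I 1 0 | 74 O 0 0
12 I 1 0 RE FE | 33 O 1 2 | 54 O 0 0 | 75 O 1 0
13 I 0 0 RE FE | 34 I 1 1 | 55 O 1 0 | 76 O 0 0
14 I 0 0 RE FE | 35 I 0 1 | 56 O 0 0 | 77 O 0 0
15 O 1 2 | 36 I 0 0 | 57 I 1 0 | 78 O 1 2
16 I 1 0 | 37 I 0 1 | 58 O 0 0 | 79 I 1 2
17 O 1 2 | 38 I 0 0 | 59 O 0 0 | 80 O 1 2
18 I 1 1 | 39 O 1 2 | 60 O 1 0 | 81 I 1 1
19 O 1 0 | 40 O 0 0 | 61 O 1 0 | 82 O 1 1
20 O 1 0 | 41 O 0 0 | 62 O 1 0 | 83 I 1 2
"""


def parse_gpio_dump(text):
    """Return {pin: {"dir": "I"/"O", "state": 0/1, "alt": 0..3, "edges": [...]}}.

    Each row holds four cells separated by '|'; a cell is
    '<pin> <D> <S> <A> [RE] [FE]', with the edge list possibly empty.
    """
    pins = {}
    for line in text.splitlines():
        if line.startswith("GPIO#") or line.startswith("-"):
            continue  # header and rule lines
        for cell in line.split("|"):
            fields = cell.split()
            if len(fields) < 4 or not fields[0].isdigit():
                continue
            pins[int(fields[0])] = {
                "dir": fields[1],
                "state": int(fields[2]),
                "alt": int(fields[3]),
                "edges": fields[4:],
            }
    return pins


def pins_in_alt_function(pins):
    """(pin, alt) for every pin handed to a peripheral (alt != 0), sorted by pin."""
    return sorted((n, p["alt"]) for n, p in pins.items() if p["alt"] != 0)


def pins_with_interrupts(pins):
    """Pins that have at least one edge (RE/FE) armed as an interrupt source."""
    return sorted(n for n, p in pins.items() if p["edges"])


def plain_gpio_in_range(pins, lo, hi):
    """True if every known pin in [lo, hi] is plain GPIO (alternate function 0)."""
    return all(pins[n]["alt"] == 0 for n in range(lo, hi + 1) if n in pins)


if __name__ == "__main__":
    pins = parse_gpio_dump(GPIO_DUMP)
    print(len(pins), "pins parsed")
    print("alternate-function pins:", pins_in_alt_function(pins))
    print("interrupt pins:", pins_with_interrupts(pins))
    # GPIO 58-77 is the PXA26x LCD pin block (assumed from Intel's manual).
    print("LCD pin block unused:", plain_gpio_in_range(pins, 58, 77))
```

Running it shows that pins 58 through 77 are all alternate function 0, which is the basis for cr2's remark below that the phone does not drive the builtin LCD pins and must carry a separate video chip.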
> aybabtu said:
> (What is so special about these four bytes?)
This is a ClocKENable (CKEN) register, so you have:
LCD,I2C,ICP,MMC,USB,NSSP,I2S,BTUART,FFUART,STUART,
SSP,AC97,PWM1,PWM0
enabled.
> Then I tried to apply your code, but i don't know where should I call those fumctions
Add them to the wince/asmstuff.asm file,
and modify the cpuGetCP function in
wince/s-cpu.cpp to
Code:
// Routines added to wince/asmstuff.asm; declare them wherever haret
// declares its other assembler entry points.
extern "C" uint32 cp15_0 (void);
extern "C" uint32 cp15_2 (void);
extern "C" uint32 cp15_13 (void);

uint32 cpuGetCP (uint cp, uint regno)
{
  if (cp > 15)
    return 0xffffffff;

  if (cp == 15)
  {
    // CP15 is read through the fixed assembler routines, in kernel mode
    // and with interrupts off, instead of the self-modifying stub below.
    uint32 result = 0xffffffff;
    int ok = 1;
    SetKMode (TRUE);
    cli ();
    switch (regno)
    {
      case 0:  result = cp15_0 ();  break;
      case 2:  result = cp15_2 ();  break;
      case 13: result = cp15_13 (); break;
      default: ok = 0; break;   // no assembler routine for this register
    }
    sti ();
    SetKMode (FALSE);
    if (!ok)
      Output (L"Invalid register read cp=%d regno=%d\n", cp, regno);
    return result;
  }

  // Original haret path for the other coprocessors: patch cp and regno into
  // an "mrc p<cp>, 0, r0, c<regno>, c0, 0" instruction and execute it.
  uint32 value;
  selfmod [0] = 0xee100010 | (cp << 8) | (regno << 16);
  if (!FlushSelfMod ("read"))
    return 0xffffffff;
  __try
  {
    value = ((uint32 (*) ())&selfmod) ();
  }
  __except (EXCEPTION_EXECUTE_HANDLER)
  {
    Complain (C_ERROR ("EXCEPTION reading coprocessor %d register %d"), cp, regno);
    value = 0xffffffff;
  }
  return value;
}
> Oh, btw I have to specify the address 0x81a00000 when I dumped the
> rom using itsme's pmemdump, so it means that 0x81a00000 is mapped to 0x0?
Maybe, but how did you come to use this address?
The 'dump gpio' shows that the phone is not using the
builtin LCD pins. Then there must be a
video chipset in the phone. Interesting,
because even HTC is saving money on that.
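Two numbers in this exchange are worth decoding by hand: the word haret writes into selfmod[0] (0xee100010 | (cp << 8) | (regno << 16)), which is the same MRC instruction the three assembler routines above contain, and the CKEN value 00017bef that 'pd 0x41300004 4' returned. The script below does both; it is an added example, not haret code or anything from the thread. The MRC field layout is the standard ARM coprocessor-transfer encoding; the CKEN bit names are paired to cr2's decode of 0x00017bef (listed from bit 16 downward) and otherwise assumed from the Intel PXA26x developer's manual, so bits the thread never mentions are reported by number only.

```python
"""Decode haret's MRC instruction word and a PXA26x CKEN register value."""

# haret's selfmod[0] template: MRC, cond=always, opc1=0, Rt=r0, CRm=c0,
# opc2=0, with the coprocessor (bits 8-11) and CRn (bits 16-19) fields empty.
MRC_TEMPLATE = 0xEE100010

# (field name, bit shift, width) for the MRC encoding.
_FIELDS = (("opc1", 21, 3), ("crn", 16, 4), ("rt", 12, 4),
           ("cp", 8, 4), ("opc2", 5, 3), ("crm", 0, 4))


def mrc_encode(cp, crn, opc1=0, rt=0, crm=0, opc2=0):
    """Build an MRC word. With the defaults this is exactly
    selfmod[0] = 0xee100010 | (cp << 8) | (regno << 16) from cpuGetCP."""
    values = {"opc1": opc1, "crn": crn, "rt": rt, "cp": cp, "opc2": opc2, "crm": crm}
    word = MRC_TEMPLATE
    for name, shift, width in _FIELDS:
        val = values[name]
        if not 0 <= val < (1 << width):
            raise ValueError(f"{name}={val} does not fit in {width} bits")
        word |= val << shift
    return word


def mrc_decode(word):
    """Inverse of mrc_encode: verify the fixed MRC bits, split out the fields
    and render the armasm mnemonic (the form used in the asm routines above)."""
    # bits 27-24 must be 1110, the L bit (20) and bit 4 must be set
    if (word & 0x0F100010) != 0x0E100010:
        raise ValueError(f"{word:#010x} is not an MRC instruction")
    f = {name: (word >> shift) & ((1 << width) - 1) for name, shift, width in _FIELDS}
    f["asm"] = "mrc p{cp}, {opc1}, r{rt}, c{crn}, c{crm}, {opc2}".format(**f)
    return f


def parse_pd_word(line):
    """Parse one line of haret's 'pd <addr> 4' output,
    e.g. '41300004 | 00017bef | .{..' -> (address, value)."""
    addr, word, _ascii = (part.strip() for part in line.split("|", 2))
    return int(addr, 16), int(word, 16)


# CKEN bit names (assumption: Intel PXA26x developer's manual numbering,
# consistent with cr2's decode of 0x00017bef in this thread).
CKEN_BITS = {
    16: "LCD", 14: "I2C", 13: "ICP", 12: "MMC", 11: "USB", 9: "NSSP", 8: "I2S",
    7: "BTUART", 6: "FFUART", 5: "STUART", 3: "SSP", 2: "AC97", 1: "PWM1", 0: "PWM0",
}


def decode_cken(value):
    """Names of the clock-enable bits set in a CKEN value, highest bit first;
    bits without a known name are reported as 'bit N'."""
    return [CKEN_BITS.get(bit, f"bit {bit}")
            for bit in range(31, -1, -1) if value & (1 << bit)]


if __name__ == "__main__":
    for regno in (0, 2, 13):
        word = mrc_encode(15, regno)
        print(f"{word:#010x}  {mrc_decode(word)['asm']}")
    addr, cken = parse_pd_word("41300004 | 00017bef | .{..")
    print(f"CKEN @ {addr:#010x} = {cken:#010x}: {', '.join(decode_cken(cken))}")
```

For cp15/c0 the encoder yields 0xee100f10, i.e. the same instruction as the |cp15_0| routine; the difference on this ROM is not the instruction but the mode it executes in, which is why wrapping the read in SetKMode(TRUE) makes it succeed.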
I tried adding SetKMode to the original function; it worked without
calling your functions.
Would there be any possible problem?
> Maybe, but how did you come to using this address ?
Well, I got a leaked dump-out ROM and tried to extract it with itsme's tool,
and I got something similar to these:
Code:
img 00000000 : hdr=81d5352c base=81a00000 commandlineoffset=81a00000
img 00640000 : hdr=82c40878 base=81a00000 commandlineoffset=81a00000
img 01300000 : hdr=82d02dd8 base=81a00000 commandlineoffset=81a00000
img 01380000 : hdr=8356d204 base=81a00000 commandlineoffset=81a00000
> there must be a video chipset in the phone
There is a MediaQ MQ2100-JBE chipset inside; I'll look for info on this chipset later. And yes, this phone is interesting: low price for its high specification compared to other same-generation phones, but crappy customer service.
I'll post the result of dump mmu up to the point where it crashes a little bit later.
> aybabtu said:
> I tried adding SetKMode to the original function, it worked without
> calling your functions.
> would there be any possible problem?
Unlikely.
> Well I got a leaked dump
Then you can just lookup the static remapping
table.
> There is a MediaQ MQ2100-JBE chipset inside, i'll look for info for this chipset later.
The datasheet is available here
www.handhelds.org/platforms/hp/ipaq-h22xx/mq-lcd-interface-appnote.pdf
And the mapping table dumped out using itsme's pmemmap:
Code:
v81a00000-83a00000 -> p00000000-02000000
v86000000-86100000 -> pe0000000-e0100000
v86100000-86200000 -> p48000000-48100000
v86200000-88200000 -> p40000000-42000000
v8c000000-8e000000 -> pa0000000-a2000000
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
Dumped it out and I can only tell that the first 32MB is my ROM data.
And much of the info you gave me I don't fully understand; guess I have to
read much more before I can think about running Linux on this phone,
but at least I know what to read now.
On a side note, it jumps to 1000h at the beginning of the ROM like the other
wince devices, but starting from 1000h the content matches the dumped-out
NK.exe kernel without the PE header(?).
Wasn't there supposed to be a 256K bootloader?
And at the end of the ROM there are 2 copies of 256K code in which I found
strings of the bootloader, and the second copy is 1 byte different from
the first one, 1:0x00 2:0x01, in the middle of the code.
I'm not sure these are Mitac-only layout; just putting it here in case anyone
knows.
Oh, and there is an Atmel MEGA16L-8MI microcontroller inside;
I don't know what it exactly does, but I found strings related to it
in the 'bootloader portion'.
> aybabtu said:
> And the mapping table dumped out using itsme's pmemmap:
v81a00000-83a00000 -> p00000000-02000000
32MB ROM
v86000000-86100000 -> pe0000000-e0100000
Weird.
v86100000-86200000 -> p48000000-48100000
PXA26x Memory Controller
v86200000-88200000 -> p40000000-42000000
PXA26x Peripherals
v8c000000-8e000000 -> pa0000000-a2000000
32MB SDRAM
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
mmaped devices.
> And many info you gave me which I don't fully understand, guess I have to
> read much more before I can thtink about running linux on this phone
You can also dump/decode the registry and identify the
use of the serial ports.
Your GPIO table suggests that the PXA MMC
controller is used.
Looks good
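The pmemmap table aybabtu posted and cr2's annotation of it above are a static virtual-to-physical remapping table, which is exactly what is needed to answer the earlier question of whether 0x81a00000 is mapped to physical 0x0 and to find where a physical register such as the CKEN at 0x41300004 lives in the kernel's address space. The parser and lookup below are an added example, not itsme's or haret's code; the input is the table as posted, embedded so the script runs offline, and the line format (vSTART-END -> pSTART-END, 8 hex digits each) is assumed from those lines only.

```python
"""Parse itsme's pmemmap output and translate addresses both ways."""
import re

# pmemmap output exactly as aybabtu posted it in this thread.
PMEMMAP = """\
v81a00000-83a00000 -> p00000000-02000000
v86000000-86100000 -> pe0000000-e0100000
v86100000-86200000 -> p48000000-48100000
v86200000-88200000 -> p40000000-42000000
v8c000000-8e000000 -> pa0000000-a2000000
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
"""

LINE_RE = re.compile(r"^v([0-9a-f]{8})-([0-9a-f]{8}) -> p([0-9a-f]{8})-([0-9a-f]{8})$")


def parse_pmemmap(text):
    """Return a list of (vstart, vend, pstart, pend) tuples, end exclusive.

    A line whose virtual and physical windows differ in size is rejected,
    since a 1:1 remap cannot have that shape.
    """
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised pmemmap line: {line!r}")
        vs, ve, ps, pe = (int(x, 16) for x in m.groups())
        if ve <= vs or (ve - vs) != (pe - ps):
            raise ValueError(f"inconsistent range sizes: {line!r}")
        ranges.append((vs, ve, ps, pe))
    return ranges


def virt_to_phys(ranges, va):
    """Physical address behind virtual address va, or None if unmapped."""
    for vs, ve, ps, _ in ranges:
        if vs <= va < ve:
            return ps + (va - vs)
    return None


def phys_to_virt(ranges, pa):
    """Virtual address at which physical address pa is visible, or None."""
    for vs, _, ps, pe in ranges:
        if ps <= pa < pe:
            return vs + (pa - ps)
    return None


def range_sizes_mb(ranges):
    """(vstart, size in MB) per range; the 32 MB windows are ROM and SDRAM."""
    return [(vs, (ve - vs) >> 20) for vs, ve, _, _ in ranges]


if __name__ == "__main__":
    ranges = parse_pmemmap(PMEMMAP)
    for vs, mb in range_sizes_mb(ranges):
        print(f"{vs:#010x}: {mb} MB")
    print(f"0x81a00000 -> phys {virt_to_phys(ranges, 0x81A00000):#010x}")
    print(f"CKEN phys 0x41300004 -> virt {phys_to_virt(ranges, 0x41300004):#010x}")
```

Using it, 0x81a00000 does translate to physical 0x00000000 (the start of the 32 MB ROM), and the CKEN register at physical 0x41300004 sits inside the 0x86200000 peripheral window at virtual 0x87500004.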
> aybabtu said:
> Oh and there is a Atmel MEGA16L-8MI Microcontroller inside,
> don't know what it exactly does but I found strings related to this
> in the 'bootloader portion'.
Battery monitoring or something like that,
maybe keyboard controller.
> aybabtu said:
> On a side note, it jumps to 1000h at the beginning of the rom likes the others
> wince devices, but starting from 1000h, the content matches the dumped out
> NK.exe kernel without the PE header(?).
> Wasn't there supposed to be a 256K bootloader?
Not all wince devices have a bootloader,
wince2.11 and wince2005 on Universal for example.
You can also look with 'strings -el' for
other useful strings.
> v86000000-86100000 -> pe0000000-e0100000
> Weird.
Seems to be that 16MB PXA26X NAND Flash ROM
> > aybabtu said:
> > v86000000-86100000 -> pe0000000-e0100000
> > Weird.
> Seems to be that 16MB PXA26X NAND Flash ROM
Built-in ? BTW, does this device support SD cards or only MMC ?
> Built-in ? BTW, does this device support SD cards or only MMC ?
Built-in. It should be the M-Systems DiskOnChip MD3831-D16-V3Q18-T inside.
It supports both.
And this phone does not support bluetooth, but the clock to BTUART is
enabled :?:
> aybabtu said:
> And this phone does not support bluetooth, but the clock to BTUART is
> enabled :?:
It is a normal UART, not blue at all; Himalaya
uses it for the serial cable.
That's not exactly the datasheet of the
mq2100...
archive.org shows that this was available
for download.. oh well
Put the list of all components and the known
information on the wiki. That can help other people.
Hi there,
maybe not an XDA-specific question, but maybe someone could still help me.
I've got a SIEMENS emem ES75 GSM modem which I wanted to use as an SMS receiver for my party next month (receive SMS and project them onto a wall).
But I have some trouble controlling it using the AT command set.
For example the AT+GMM command (which should give me the name of the manufacturer). Sometimes AT+ commands are working, sometimes not.
As it works, I printed out the current settings using AT&V:
Code:
ACTIVE PROFILE:
E0 Q0 V1 X4 &C1 &D2 &S0 \Q0 \V1
S0:000 S3:013 S4:010 S5:008 S6:000 S7:060 S8:000 S10:002 S18:000
+CR: 0
+CRC: 0
+CMGF: 1
+CSDH: 0
+CNMI: 0,0,0,0,1
+ICF: 3
+IFC: 0,0
+ILRR: 0
+IPR: 115200
+CMEE: 0
^SMGO: 0,0
+CSMS: 0,1,1,1
^SACM: 0,"000000","FFFFFF"
^SLCC: 0
^SCKS: 0,1
^SSET: 0
+CREG: 0,1
+CLIP: 0,2
+CAOC: 0
+COPS: "T-MOBILE D"
+CGSMS: 3
Remember: it says "CURRENT PROFILE"
Then I used the AT&V Command when it did not work:
Code:
Current Settings............
E0 H0 Q0 V1
&C0 &D0 &P1 &R0 &S0
S00=000 S01=000 S02=043 S03=013 S04=010 S05=008 S06=000 S07=030
S08=000 S09=000 S10=000 S11=000 S12=050 S13=000 S14=000 S15=000
S16=000 S17=000 S18=000 S19=000 S20=000 S21=000 S22=000 S23=000
S24=000 S25=005 S26=001 S27=000 S28=000 S29=000 S30=000 S31=000
S32=000 S33=001 S34=000 S35=000 S36=000
#0 :
#1 :
#2 :
#3 :
#4 :
#5 :
#6 :
#7 :
#8 :
#9 :
Why does it output "CURRENT SETTINGS" instead of "CURRENT PROFILE"? And why can't I read the SMS? With this setting it does not accept most of the AT+(..) commands (AT+GMM, ...).
I sniffed the serial port communication from working applications and used the same commands and init strings, but nothing.
Any advice?
Nothing?
Migrate from Hard disk (HD) to SSD? Solved
Notification:
I am not responsible for any damage that may arise or that
you consider to have any connection to what is mentioned
in this tutorial.
You only applied it by your own free will and because you
wanted to!
Always perform a backup for security reasons!
Hello my friends
How to migrate from hard drive to SSD?
To switch from hard disk to SSD I used 2 programs, MiniTool Partition Wizard and MiniTool ShadowMaker Free.
When I bought the SSD it didn't come with a defined partition, and when I connected it to the PC I didn't see it on root. So I used MiniTool Partition Wizard, which detected it, and managed to create an NTFS partition; then I used MiniTool ShadowMaker Free to clone the hard drive to the SSD. The rest of the work is in the BIOS.
The only program that gave me an error was Office, but using the installer and doing the repair resolved it (Office 2007).
And I already notice a difference in speed!!!
Let's speed up a little more by moving from IDE to AHCI!!!
If your BIOS has the AHCI option it will speed up the system more, but there is a trick!
If your installation is from zero, just before installing the OS make the change in the BIOS from IDE to AHCI and then install the OS; but if it is already installed, or if you have cloned it, it will give an error and won't boot.
That's how I solved it!
Open a text file and copy these commands (Windows 10) and paste them like this:
Code:
@echo off & @echo. & @echo.
rem Remove the old Start / StartOverride values so they can be recreated below.
rem -ErrorAction SilentlyContinue keeps a value that is already absent from stopping the script.
powershell.exe Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\iaStorV' -Name Start -ErrorAction SilentlyContinue
powershell.exe Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\iaStorV\StartOverride' -Name 0 -ErrorAction SilentlyContinue
powershell.exe Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\storahci' -Name Start -ErrorAction SilentlyContinue
powershell.exe Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\storahci\StartOverride' -Name 0 -ErrorAction SilentlyContinue
pause
rem Default value for these entries is 3 (start on demand); 0 means start at boot,
rem so the AHCI drivers are loaded before the controller mode is switched.
powershell.exe New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\iaStorV' -Name Start -PropertyType DWord -Value 0
powershell.exe New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\iaStorV\StartOverride' -Name 0 -PropertyType DWord -Value 0
powershell.exe New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\storahci\StartOverride' -Name 0 -PropertyType DWord -Value 0
powershell.exe New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\storahci' -Name Start -PropertyType DWord -Value 0
pause
Save the file as a .bat, create a system restore point and then run it as an administrator; restart the PC into the BIOS, change from IDE to AHCI and restart 2x: on the first restart Windows will install the disks and on the second it is safe to work.
With me it worked very well, to the point that the PC starts faster than the TV takes to turn on ... :laugh:
I hope I helped you in some way! :highfive: