Does anybody have the functions and parameters for the Camera.dll from the XDA2?
I get it working with Cam_Open and Cam_Close, but I don't have the other parameters, like Cam_Read.
What are the parameters for the methods you have been using?
I asked IA about the availability of the APIs, and they replied that it was up to O2 (who of course refer you back to IA). After a bit of chasing, they said...
No word yet from O2 about the next step (we send our question through a third company who in turn contacts them.) As I mentioned, our policy is that we do not make available the APIs for cameras or other hardware products that come bundled with our software unless we are specifically asked to do so by our customers at O2.
If or when we do hear from the O2 team, we will post information about APIs on our website. I am not sure if you know, but our company has recently been purchased. We will continue to answer email until the end of April, and our website will be online until August of 2004.
Andy,
You said that you had got two of the functions to work? Have you got a code sample? Or even the parameter list for those methods?
Cheers
Not me...
...and what can we do?
I'm trying through my provider, but no way. I think this is a very ridiculous situation.
Why don't we insist all together to IAstyle!?
sims
I agree, I've emailed IA already, but no response as yet. Their official line seems to be that they are talking with the hardware manufacturers to see if they can release the APIs. Meanwhile they have been taken over, which has in itself caused some headaches. We need to get something soon because apparently after April they will not be responding to user requests...
Hello,
I got an answer from IAStyle, as follows:
Hello, I am sorry to say that IA Style does not make available the APIs for cameras or other hardware products that come bundled with our software. My understanding is that our customers, the seller and distributor of the hardware system - in this case I assume it would be O2 - has the ability to provide APIs to their customers if they wish.
We have sent this question to the team at O2 (we need to go through a third company that actually makes the phone and camera hardware) to find out how they wish to move forward, but so far we have not heard back.
If or when we do hear from them, we will post information about APIs on our website. I also assume O2 will make the information available on their site -- I am not sure if you know, but our company has recently been purchased. We will continue to answer email until the end of April, and our website will be online until August of 2004.
Sorry about the negative news.
What do you think?
sims
No 'IA Camera Wizard Application Integration SDK' anymore...
Hi,
iastyle's website was just scrubbed from some previous interesting content. Just look at the page http://www.iastyle.com/camera_app/index.asp and you'll see the website gets some new tabs at the top... This page lists the 'IA Camera Wizard Application Integration SDK'. I asked their sales department about licensing and availability a few weeks ago and got no reply.
It's clear HTC made them kill this department/product/service to keep a leading edge in camera applications.
bigmac :x
So I see that the only ones who can provide us with a correct API are providers who buy directly from HTC, or carriers, right?
sims
Camera Functions
Hi Everyone,
I took apart the Camera.dll which is located in windows on the XDA11. The following functions are available. Soz, I can't extract any more information at the moment - will keep working on it!
CAM_Close
CAM_Deinit
CAM_Init
CAM_IOControl
CAM_Open
CAM_PowerDown
CAM_PowerUp
CAM_Read
CAM_Seek
CAM_Write
Dan
Great job!
For my part, I'm still waiting for my provider's news.
Let's see....
sims
Re: Camera Functions
damcmillan said:
CAM_Close
CAM_Deinit
CAM_Init
CAM_IOControl
CAM_Open
CAM_PowerDown
CAM_PowerUp
CAM_Read
CAM_Seek
CAM_Write
Dan
Hi Dan,
I managed to get this data too, using dumpbin.exe.
Have you (or anyone else) managed to gain any more info about the function types and parameters?
Cheers,
Ben
I think they are pretty standard, and just map to the
createfile("CAM1:"), readfile, writefile, deviceiocontrol, etc.
functions that all devices implement.
the IoControl function is the most interesting, you would have to reverse it to see what ioctls it supports.
itsme said:
I think they are pretty standard, and just map to the
createfile("CAM1:"), readfile, writefile, deviceiocontrol, etc.
functions that all devices implement.
the IoControl function is the most interesting, you would have to reverse it to see what ioctls it supports.
Any chance you could go into a bit more detail?
Thanks,
BBB
a little bit more research; these are the required dlls for camera.exe
aacdll.dll Path not Found.
aygshell.dll Path not Found.
colorconvscaling.dll Path not Found.
coredll.dll Path not Found.
gsmamrdll.dll Path not Found.
gsmamrenc.dll Path not Found.
gx.dll Path not Found.
h263videoenc.dll Path not Found.
mfcce300.dll Path not Found.
midilib.dll Path not Found.
mp4_reader.dll Path not Found.
mp4spvd.dll Path not Found.
mp4writer.dll Path not Found.
mpeg4spvideoenc.dll Path not Found.
note_prj.dll Path not Found.
imports for MP4Writer.dll:
// Type : Imports
// gCreateMP4Movie Information not available
// gCloseMovie Information not available
// gMakeH263Atom Information not available
// gAddToStsdBox Information not available
// gMakeGSM_AMR_NB_Atom Information not available
// gCloseTrack Information not available
// gGetMovieAtomSize Information not available
// gAddNSamplesToTrack Information not available
// gAddSampleToTrack Information not available
// gGetTrackSize Information not available
// gAddTrack Information not available
// gMakeEsdsAtom Information not available
imports for MP4_Reader.dll
// gOpenMP4File Information not available
// gGetMovieInfo Information not available
// gGetTrakIds Information not available
// gGetNextSyncPoint Information not available
// gCloseTrakSession Information not available
// gReadSample Information not available
// gGetMaxSampleSize Information not available
// gIsSyncPoint Information not available
// gOpenTrakSession Information not available
// gGetTimeOfSampleNum Information not available
// gGetSampleNumForTime Information not available
// gCloseMP4File Information not available
// gGetTotalSamplesInTrak Information not available
// gGetDecoderCfg Information not available
Can anyone post camera.dll here? I cannot get it off the device, so I can't try to get more info about its exports/imports.
Hello,
What about "HTCCamera.dll" in "\Windows" ?
I've found these entry points in the DLL:
Code:
start
Camera_Init
Camera_Begin
Camera_End
Camera_GetPreviewImage
Camera_GetStillImage
Camera_Deinit
Camera_GetStatus
Camera_GetProperty
Camera_SetProperty
Camera_GetSensorSupport
Camera_ReadRegister
Camera_WriteRegister
CreateFileW
CloseHandle
DeviceIoControl
SOFTWARE\\Drivers\\HTCCAMERAAPI
I'm not a developer, so I can't do any more.
Hi folks,
I've investigated the Pocket LOOX 720 and found the following: when I run the camera application that comes with the device, then close that application, and after that execute the code below, I can see the last picture from the camera on the display.
Code:
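// Load the camera DLL and resolve two of its exports by name.
HINSTANCE hd = LoadLibrary(L"HTCcamera1.dll");
typedef int(*t)(void*); // one pointer argument, int return: the type used for both calls
// Windows CE's GetProcAddress takes wide-character export names.
t Camera_Init = (t)GetProcAddress(hd, L"Camera_Init");
t Camera_Begin = (t)GetProcAddress(hd, L"Camera_Begin");
int test[1000]; // zero-filled buffer passed as the single argument
memset(test, 0, 1000*sizeof(int));
int rt = Camera_Init(test);
//test[3] = 1; // if value set -> no picture will be displayed
rt = Camera_Begin(test);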
This means the Camera_Init and Camera_Begin functions are doing something, but no new picture is taken. Getting the camera fully running seems to be only a small step away.
Intel / Infineon XMM6260 & X-GOLD 626 Modem Hack-Pack Release!
After several unsuccessful months of trying to get my phone (application) to
talk AT-commands with the baseband processor (BP), I've had to learn a lot of
hardware and internal Android and OEM based tricks and secrets. Although this
has not been enough to make anything of practical use, it is definitely worth
sharing. If nothing else, some more talented people may be able to continue
where I have left off...
Now, it should be immediately stated that there is nothing revolutionary
in here, apart from the Infineon manual for tuning your GSM modem, using the
AT CLI and GTI sequencer. This is something that could potentially be very
useful for better understanding the advanced features that the modem
platform incorporates. However, it is also a sure way of making an
expensive brick out of your phone! You have been warned...
Brief Modem Description
The XMM6260 is the "platform" that consists of:
The X-GOLD 626 baseband processor
The SMARTi UE2 RF-transceiver DSP
The 3GPP Release 7 HSPA+ protocol stack with:
Downlink: Category 14, Uplink: Category 7
The X-GOLD 626 baseband processor (labelled "PMB 9811") is communicating
with the DSP RF-transceiver chip called SMARTi-UE2 (labelled "PBM 5712 A1"),
using a communication interface that corresponds to the MIPI DigRF-3G
(V.3.09) standard. Through this protocol the BP can control some or all
aspects of the RF DSP.
Alternative Names
Infineon IFX6260
Intel IMC6260
Intel XMM626
Some other devices using this platform:
Code:
- Lava XOLO X900 [Phone] FCC ID: ???
- Lenovo K800 [Tablet/Pad] FCC ID: ???
- LG-P920 (LG ?) [Phone] FCC ID: BEJP920
- LG-P925 (LG Optimus 3D?) [Phone] FCC ID: BEJP925
- Huawei E369 (3G Hi-Universe) [USB 3G Modem] FCC ID: QISE369 (Russian distributor: Merlion)
- Huawei MU733/MU739 [PC/CE Module] FCC ID: QISMU739
- Samsung Galaxy Nexus (I9200) [Phone] FCC ID: ???
Other devices that may (!?) also contain the X-GOLD 626:
---------------------------------------------------------
- LG Optimus 4X HD [Phone] FCC ID: ???
- HTC One X [Phone] FCC ID: ???
- Huawei Ascend D Quad [Phone] FCC ID: QIS ???
- Huawei E392 (E392u-511) [LTE Multi-mode USB stick] FCC ID: QISE392U-511
- Huawei E353 (E352s-6) [HSPA+ USB stick] FCC ID: QIS ???
Hack-Pack Content
Code:
- Pictures/Diagrams:
- XMM6260 colored pinout map
- XMM6260 mounted in a Samsung Galaxy S2
- SMARTi UE DSP RF-transceiver chip mounted in the SGS-2
- IPC xxxxxx stuff
- Infineon PhoneTools testing program
- Raw 1byte greyscale PNG of modem.bin from XXKI1
- PDF files/documents:
- ITA-RF-Adjustment-GSM (XMM6260 Specification)
- Infineon MIPI-HSI Product Brief
- X-GOLD 616 Product Brief
- Fairchild FSA9280/88A USB/UART switch/MUX datasheet
- Similar Modem AT sets/documents:
- AT_Command_Set_3GPP-TS-27007-940.pdf
- AT_Command_Set_AMOD_HSPA.pdf
- AT_Command_Set_Gobi.pdf
- AT_Command_Set_Motorola_XM7200S.pdf
- AT_Command_Set_Teltonika_TM3.pdf
- AT_Command_Set_iWOW_TR-900.pdf
- Text Files:
- 3GPP 27.007 AT-list
- XMM6260 official AT-set
- XMM6260 internal AT-set
- XMM6260 homebrew specifications
+ X-GOLD 626 Modem pinouts
+ MUX pinouts
+ AP connections (SGS2)
+ AP relevant info
- Strings of modem.bin (stock firmware image: XXKI1)
- Strings of drexe
- Strings of rild
- Strings of libril.so
- Strings of libsec-ril.so
- GT-I9100 stock (GB 2.3.4) binary files:
(Taken from: PDA:XWKI4, Phone:XXKI1)
- libKiesDataRouter.so
- libril.so
- libsec-ril.so
- libsecril-client.so
- drexe
- rild
- Android hardware hacking binaries (tools):
- dbus-monitor
- dbus-send
- hciconfig
- hcidump
- hcitool
- i2cdetect
- i2cdump
- i2cget
- i2cset
- ipcfilter
- ipcdump
- ipctool
- procmem
- showmap
- showslab
- strace
- tcpdump
- viewmem
+ various other content
Download Here! (57.72 MB)
The modem firmware referred to and studied can be
found here (Modem.bin.7z) or here, under "XXKI1".
-------------------------------------------------------------------------------
DISCLAIMER:
All the material in this collection was found on internet by
appropriate Google-Fu and/or by laborious manual creation.
Nothing is stolen or reversed, so I am not held responsible
for the origin or problems affiliated with the use of these
documents, programs or other binaries.
-------------------------------------------------------------------------------
If you are a developer or other corporate official of Intel or Infineon:
Please contact your superiors and ask them to release the proper
datasheets and documentation of these products to the public.
Why? Because:
1. It would significantly increase the sales of your hardware, by promoting
a much more open approach to hardware development. There are currently
more than 10 open-sourced and open-hardware smartphone projects around
the world, who would benefit from the use of a more modern baseband than
what is currently and openly available.
2. It would significantly promote your hardware in front of your competitors,
as your company would be the first one to open up your documentation to the
public. Thus increasing public technical knowledge of your hardware, which
would ultimately lead to you having an easier time to find qualified
developers that cost you less!
3. It would significantly reduce the cost and time for firmware development,
while increasing the firmware code-quality and compatibility, as you
would be able to benefit from the large community and knowledge from
other professional developers as well as hardware-hackers.
(Yes, there are several bugs found in your firmware, but since there is
no way to report and discuss these with your developers, they will
continue to cost you money and head-scratching for all developers
having to deal with your platform.)
4. Your competitive advantage due to 1-3, would promote new and better
future hardware developments, that would not only benefit your
company/business but also society as a whole.
5. It's simply the right thing to do!
The thread where all this becomes crisply relevant is this one:
[A][SGS2][Serial] How to talk to the Modem with AT commands
There you will find all documents which I have found to date, which
is essentially none. At least nothing that can be of ANY practical use.
UPDATE: [2012-04-17]
As soon as I get a chance I'll update the HackPack (HP) with new data regarding the MUX
and some other hardware used in the SGS2. This data, as presented within HP, is simply wrong!
Awesome info I was also thinking looking at the ServiceMode application in the SGS2 could provide interesting information. BTW, do you know if the X-GOLD has a diagnostic mode similar to the one usually found in Qualcomm modems?
xd.bx said:
Awesome info I was also thinking looking at the ServiceMode application in the SGS2 could provide interesting information. BTW, do you know if the X-GOLD has a diagnostic mode similar to the one usually found in Qualcomm modems?
Thanks! The ServiceMode app is mostly interesting because its code actually resides inside the Modem firmware, where the java app is acting as a wrapper. I'm not familiar with the Qualcomm modems, could you elaborate on what that "diagnostic mode" does? (The x-gold firmware is FULL of various modes. Just depends on what you want to do, and to get the proper documentation on how to use it!)
Just found ... a bit older, but still very interesting
http://hwplatform.googlecode.com/svn/trunk/Infineon/
RNC States from libsec-ril.so
Hi
Very valuable information! Does anyone have an idea about how to get the information displayed from serviceMode programmatically? Looks like most of it is being polled directly to the libsec-ril.so. In my case I'm interested in obtaining information about the RNC states on the handset.
Thanks for this information
Thanks for the info E:V:A. I did quite some figuring out about the Radio/DSP unit of the Nokia DCT3 back in the day and also the GSM protocol (anyone remember Project Blacksphere / OpenGPA?).
Things have likely come a long way since then. One thing that is clearly different is that the baseband processor is completely isolated from the application processor. In the DCT3 there was one ARM processor that drove both the user interface and parts of the GSM protocol, and connected to a DSP for the low-level radio stuff.
I wonder how other things have changed with 3G. I may get back in the game. This will give me a head start.
Memory map and boot process
It appears that modem.bin consists of multiple partitions that are loaded separately at bootup of the device, reflecting the modem boot up sequence in libsec-ril.so:
Code:
Offset    Size      Address      Description
0x000000  0x00f000  0x00800000   PSI
0x00f000  0x019000  0x60000000?  EBL
0x028000  0x9d8000  0x60300000   Main image
0x9ff800  0x000800               Used for verification (building ReqSecStart command)?
0xa00000  0x200000  0x60e80000   NV data (file contains default data)
0xc00000  0x000200               Unused?
Offset is the offset in the file; address is the flash/RAM offset on the device. The whereabouts of the EBL are a bit unknown: address 0x60000000 is based on a guess, the others are sure.
Also I did an attempt at constructing the run-time memory map of the device, based on static analysis but as I've not found a way yet to actually probe it there are quite a few question marks.
Code:
Device memory map:
0x00000000 RAM/ROM? (what is here?)
0x00080000 PSI bootloader *RAM*
0x40000000 Flash (what is flashed here?)
0x60000000? Code (EBL)
0x60100000 Flash
0x60300000 Code (Flash)
0x60e80000 NVram data (Flash)
0xe0000000 Peripheral mapping for memory-mapped I/O (256MB)
0xffff0000 Memory (initial stack)
As for I/O devices in peripheral mapping, my understanding is still very limited and based on the bootloader only. I have a longer list of addresses from static analysis, but as I can't yet label anything it is pointless to publish. As usual, the upper bits (how many? 8?) select which peripheral, the lower bits (20?) select a port within that peripheral.
Code:
0xe4d00164 ? status bits
0xe4d00384 ? status bits
0xe8000070 ? status bits
Entry points:
Code:
Offset Address Description
0x000000 0x00080000 Boot loader
0x00f400 0x60000000? EBL
0x1a8000 0x60480000 Main stack
I'm trying to run this in QEMU and created a basic environment, but as my understanding of ARM kernel space (interrupt handling, timers, etc) is very limited, it currently gets stuck in a loop waiting for some other thread (or interrupt handler) to update an address.
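The partition table in the post above, turned into a small carving script as an added example; it is not code from the original post or from any participant. It assumes modem.bin is laid out exactly as the table states and that each region loads contiguously at its listed address; `Region`, `check_layout`, `carve` and `device_address` are names made up here, and the image in the demo is constructed.

```python
from typing import NamedTuple, Optional


class Region(NamedTuple):
    name: str
    offset: int              # byte offset inside modem.bin
    size: int
    address: Optional[int]   # flash/RAM address on the device; None where the table has none


# Rows copied from the post's table. The EBL address is the poster's guess, and the
# post's memory map lists the PSI bootloader at 0x00080000 rather than 0x00800000.
LAYOUT = [
    Region("PSI",           0x000000, 0x00F000, 0x00800000),
    Region("EBL",           0x00F000, 0x019000, 0x60000000),
    Region("Main image",    0x028000, 0x9D8000, 0x60300000),
    Region("Verification?", 0x9FF800, 0x000800, None),
    Region("NV data",       0xA00000, 0x200000, 0x60E80000),
    Region("Unused?",       0xC00000, 0x000200, None),
]


def check_layout(layout=LAYOUT):
    """Report every gap or overlap as (kind, earlier region, later region, byte count)."""
    findings = []
    end, owner = 0, None     # furthest byte covered so far and the region covering it
    for region in sorted(layout, key=lambda r: r.offset):
        stop = region.offset + region.size
        if region.offset < end:
            findings.append(("overlap", owner, region.name, min(end, stop) - region.offset))
        elif region.offset > end:
            findings.append(("gap", owner, region.name, region.offset - end))
        if stop > end:
            end, owner = stop, region.name
    return findings


def carve(image: bytes, layout=LAYOUT):
    """Slice the image into its regions; refuse an image shorter than the table requires."""
    needed = max(r.offset + r.size for r in layout)
    if len(image) < needed:
        raise ValueError(f"image is {len(image):#x} bytes, table needs {needed:#x}")
    return {r.name: image[r.offset:r.offset + r.size] for r in layout}


def device_address(file_offset: int, layout=LAYOUT):
    """Translate a file offset to a device address (assumes contiguous loading)."""
    for r in layout:
        if r.address is not None and r.offset <= file_offset < r.offset + r.size:
            return r.address + (file_offset - r.offset)
    return None


if __name__ == "__main__":
    # Constructed stand-in for modem.bin: zero-filled, with a marker at each region start.
    image = bytearray(0xC00200)
    for r in LAYOUT:
        image[r.offset:r.offset + 4] = r.name[:4].encode().ljust(4, b".")
    for name, blob in carve(bytes(image)).items():
        print(f"{name:14} {len(blob):#09x} {blob[:4]!r}")
    for finding in check_layout():
        print(finding)
    print(hex(device_address(0x028010)))
```

Run against the table as posted, `check_layout` reports that the 0x800-byte verification region lies inside the last 0x800 bytes of the main image rather than after it.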
just thought it might be of interest and help - http---en.samaanet.com/?p=2390
direct link:
http://en.samaanet.com/?p=2390
Polarfuchs said:
direct link:
http://en.samaanet.com/?p=2390
That's a direct rip-off of my XDA thread!
Any more posts with such links will be removed!
How should I know, I just posted the link as "service" because the user above me couldn't post links.
I've been informed that the download link doesn't work. I will upload again as soon as I have time...
Really interesting stuff you have got here.
One thing I've been searching for a while now: I own a Galaxy Nexus, which has an XMM6260 modem. Samsung had on their stock ROM a feature in service mode where you can check the power modes of the 3G data connection. Since the Galaxy S2 has the same modem, it should be possible to get that feature.
I'm interested in this stuff because my Galaxy Nexus likes to drain like crazy on the 3G network that I use and I suspect that it has to do with the 3G data power modes. 3G+wifi is extremely efficient in power use but 3G+mobile data is a big battery hog.
I hope you post a working link soon, then I can start reading this stuff.
Seems like this might be the best place to ask this... I also asked in the "fun with AT commands" thread so my apologies up front for the spam.
I'm looking for a fastboot friendly radio baseband I can flash with a 4.2.1 friendly RIL. This may be more than what I actually need but I've got a full telephony build of the Nexus 7 3G going and while SMS and MMS are fully functional I'm getting a CME ERROR: 4 when I try to do voice dialing and don't see anything coming in via logcat on an inbound call.
The mobile plan I'm using is full voice capable and verified as functional.
Doing a strings of the included RIL (libxgold-ril.so) shows all the necessary voice functions listed (although I guess this could be a false positive if it is interface based).
The modem mounts up on /dev/ttyACM0 and I'm able to do all the basics with radiooptions, except voice dialing and answering of course.
Any pointers / advice / direction would be greatly appreciated... coming up to speed real quick in this area.
XGold626 One X Pinout
I have removed my BB CPU and here is the pinout if it helps anyone
How to start?
I'm a rookie, so can anyone provide a step-by-step tutorial about how to send AT commands to the baseband processor directly? Right now I can only use i2cdetect to list i2c channels, but what do I do next?
Thanks,
Andong
XGold 626 Reversing
witchspace said:
It appears that modem.bin consists of multiple partitions that are loaded separately at bootup of the device, reflecting the modem boot up sequence in libsec-ril.so:
[snip]
Hi!
Nice work. I'm working on reversing the xgold626 baseband as well. Specifically, I'm looking at the NELK2 baseband for my GT-i9300.
Perhaps we could join forces? Anyone else working on reversing the xgold626 baseband is welcome to contact me as well.
I'm reachable at: je at clevcode.org, or on my ircd (irc.clevcode.org, port 7000, SSL, nick je).
Cheers,
Joel
witchspace said:
It appears that modem.bin consists of multiple partitions that are loaded separately at bootup of the device, reflecting the modem boot up sequence in libsec-ril.so:...
I'm trying to run this in QEMU and created a basic environment, but as my understanding of ARM kernel space (interrupt handling, timers, etc) is very limited, it currently gets stuck in a loop waiting for some other thread (or interrupt handler) to update an address.
clevcoder said:
Specifically, I'm looking at the NELK2 baseband for my GT-i9300. Perhaps we could join forces? Anyone else working on reversing the xgold626 baseband is welcome to contact me as well.
Yep, that is very interesting. Send me a PM if there is more interest in pursuing this further! What's the primary interest of doing this?
I believe I could create the app relatively easily, as I am a C++ programmer and would learn the language used for Android, provided anyone can tell me if the WiFi chipset on the Samsung Galaxy S4 can write to disk. If not, it would be impossible without connecting an external method of capturing and saving the packets. If anybody could direct me to the correct place for the information I need, or if there is already a project underway, could you provide information? It would be interesting to see if it is possible with the existing WiFi chipset.
I'm not aware of any networking cards that can write directly to disk, so that's really not a requirement for pcap. You are unlikely to be able to run pcap on just an Android device; however, if you search Google Play for pcap you'll find the author of Kismet implemented an rtl8187 driver in userspace that runs without root. All you have to do is plug in an rtl8187-based USB WLAN card and you're good to go. http://www.kismetwireless.net/android-pcap/
Hi,
The search function doesn't work right now, and I've been looking for a solution for hours. So please excuse me if this is solved already, and please redirect me to the solution if so. If it's important on any level: my phone is rooted and I use Nexus 5 Experiance rom 9.3 CAF.
At work, we have an NFC key tag to open doors and use our copy machines. I would love to copy the tag onto my Nexus 4 and use it instead.
So, what I have done till now: I can read the NFC tag (with NFC Tools, and I can make a copy of it with NFC ReTag), and it's a Mifare Classic 1k (NFC Tools tells me the technology is "NfcA", and the serial number, which are 4 hex digits, one ATQA and one SAK number). Also, if I hold my Nexus to the NFC readers next to the doors, they respond to me that they can't read it (which makes sense, because it's just a phone with NFC enabled, but without the needed information of the key). Summary: I can read my tag, can copy it to my phone, and the readers also respond to my phone.
But: I can't come up with a solution to use this information, to use my phone as the key instead of the tag. As I understand it, I need to copy the information onto my phone and then tell it to be a tag instead of a phone (emulate). Now I read that KitKat introduced HCE (host card emulation), which sounded like the right thing, but after reading a lot here I found that this feature is specifically designed for money transactions (which probably was only implemented for Google Wallet).
Now, dear community: I know that this is indeed a security risk for the company, if this would really work (to copy the key), and this should not be possible in theory. But that's another topic. We have used this system for 6 years now and maybe there is a possible way now.
So my question is: Is this possible at all? That means: can somebody redirect me to the solution? Or is this NOT possible at the moment? Or will this not be possible at all (also in the future) with my Nexus 4, because of some technical differences, and I don't need to bother searching any longer?
edit: So I just found NFC Taginfo and it tells me that Mifare Classic is not supported by the device. I still don't know what to think, because NFC Tools had no problem reading the tag.