Monday, February 19, 2007
Virus 4 WinCE
I have learned an internals of WM5 deeply. May be I have to recall older days and write a virus for it? Is it needed to enter kernel mode? No problem, there is the function SetKMode. Is it needed to read a memory of an application? No problem, just read it! Is it needed to intercept a system call, a driver, or an interrupt? And it is possible too. :)
Sunday, February 11, 2007
WM5EventSpy
Today is the very productive day. Today I have implemented an util to monitor system events of Windows Mobile 5 (2005). If you run WM5EventSpy, it will create a file with the name \SD-MMCard\WM5EventSpy.log. There it will write names of all events registered by applications. Then it will wait for these events and then notify about signalled events to the log file. Here is a zip archive with the WM5EventSpy executable file inside (run it on your PPC). And here are its sources. Undocumented structures of WM5 kernel has been used in implemenation of this tool, that is why it doesn't work on other versions of OS.
The following in an example of log file produced by WM5EventSpy:
The following in an example of log file produced by WM5EventSpy:
2007.02.11 22:28:36: Started ------------------------------------------------------
2007.02.11 22:28:36: - - - - Start of event list - - - -
2007.02.11 22:28:36: 1: 'WM5EventSpy/SomeEvent', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 2: '50650_ConnMgr', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 3: 'PluginInitialized', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 4: 'HistoryMappingsClosedEvent', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 5: 'CookiesMappingsClosedEvent', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 6: 'ContentMappingsClosedEvent', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 7: 'HistoryCloseMappingsEvent', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 8: 'CookiesCloseMappingsEvent', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 9: 'ContentCloseMappingsEvent', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 10: 'ActiveSync:Started', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 11: 'CE2STATEEVENT1', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 12: 'CE2COMMANDDONEEVENT', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 13: 'CE2COMMANDEVENT', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 14: '__SD_CARD_INOUT', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 15: 'tiacwlnControlReady', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 16: 'tiacwlnResponseToControlReady', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 17: '_LEAP_LIST_CHANGE', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 18: '_BT_STATE_OFF', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 19: '_BT_STATE_ON', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 20: 'WLANStateNotified', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 21: 'LooxLight/FlashlightEvent', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 22: 'LooxLight/SetupEvent', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 23: 'LooxLight/ExitEvent', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 24: 'SYSTEM\netui-TNETWLN1', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 25: 'WLANStatusHasChanged', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 26: 'ProfileStatusEvent', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 27: 'ConnMgrApiReady', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 28: 'DTPT_SRV_STARTED', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 29: 'BindingMapSharedMemoryEvent', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 30: 'All_Awake', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 31: 'BT_EVENT_SECURITY', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 32: '_KeyPress', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 33: 'Shell_Ready', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 34: '$*@DBChanged#%&', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 35: '$*@RegChanged#%&', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 36: 'SSTimeChange', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 37: 'SSUpdatePower', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 38: '$*EventInboxEnableSound*$', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 39: '$*EventInboxDisableSound*$', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 40: 'SSUpdateRecalc', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 41: 'SYSTEM\SipTimerActive', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 42: 'EventSounds_GlobalStopEvent', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 43: 'MS_GWE_TPC_cont_startup', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 44: 'MS_GWE_TPC_startup', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 45: 'TouchPanelCommandEvent', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 46: 'CgrTabletInnerEvent', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 47: 'CgrTabletEvent', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 48: '_SSP_INIT_OK_EVENT3', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 49: 'WatsonUploadClientReady', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 50: 'WALNStatusChangeEvent', manualreset=0, pIntrProxy=8f9fba3c
2007.02.11 22:28:36: 50: 'system/events/bluetooth/PairingChange', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 51: 'system/events/bluetooth/HardwareChange', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 52: 'system/events/bluetooth/DeviceIdChange', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 53: 'system/events/bluetooth/ConnectivityChange', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 54: 'system/events/bluetooth/SecurityChange', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 55: 'system/events/bluetooth/ConnectionsChange', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 56: 'system/events/bluetooth/BasebandChange', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 57: 'system/events/bluetooth/StackInitialized', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 58: 'IP6_ROUTE_CHANGE_EVENT', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 59: 'IP6_ADDR_CHANGE_EVENT', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 60: 'TAPILINE00000000', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 61: 'IP_ROUTE_CHANGE_EVENT', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 62: 'IP_ADDR_CHANGE_EVENT', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 63: 'BTWCEShimShutdownThread', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 64: 'BTWCEShimFreeLibs', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 65: 'BTWCEShimLoadLibs', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 66: '_SSP_INIT_OK_EVENT2', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 67: 'Event_HS_PTT_Down', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 68: 'Event_HS_PTT_Up', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 69: 'CPUSpeed4lter', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 70: '_SSP_INIT_OK_EVENT', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 71: '_hLedChangeEvent_Name_', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 72: 'BackLightOverTempEvent', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 73: 'BackLightNormTempEvent', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 74: 'BackLightHighTempEvent', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 75: 'BackLightChangeEvent', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 76: 'BackLightActiveEvent', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 77: 'BackLightNotifyEvent', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 78: 'PowerManager/SystemIdleTimerReset', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 79: 'PowerManager/ReloadActivityTimeouts', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 80: 'PowerManager/UserActivity_Inactive', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 81: 'PowerManager/UserActivity_Active', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 82: 'PowerManager/ActivityTimer/UserActivity', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 83: 'SYSTEM/SystemStarted', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 84: 'system/events/notify/APIReady', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 85: 'SYSTEM/ShellAPIReady', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 86: 'SYSTEM/BatteryAPIsReady', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 87: 'SYSTEM/NLedAPIsReady', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 88: 'SYSTEM/CertChange', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: 89: 'SYSTEM/BootPhase2', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 90: 'SYSTEM/DevMgrApiSetReady', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 91: 'SYSTEM/PowerManagerReady', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 92: 'SYSTEM/GweApiSetReady', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 93: 'LASS_SRV_STARTED', manualreset=1, pIntrProxy=00000000
2007.02.11 22:28:36: 94: 'WatsonEventDumpFileReady', manualreset=0, pIntrProxy=00000000
2007.02.11 22:28:36: - - - - End of event list - --- - - -
2007.02.11 22:28:37: We are going to monitor 63 events!
2007.02.11 22:28:37: We are going to monitor 31 events!
[...]
2007.02.11 22:28:56: Event 'PowerManager/ActivityTimer/UserActivity' is signaled, avgDelay = 54, count=10!
2007.02.11 22:28:56: Event 'PowerManager/ActivityTimer/UserActivity' is signaled, avgDelay = 46, count=11!
2007.02.11 22:28:56: Monitoring of 'PowerManager/ActivityTimer/UserActivity' is disabled, current count of monitoring events=69!
2007.02.11 22:29:16: Event '$*@RegChanged#%&' is signaled, avgDelay = 0, count=1!
2007.02.11 22:29:17: Event '$*@RegChanged#%&' is signaled, avgDelay = 24, count=2!
Friday, February 9, 2007
Synce & Linux & WM5 & Password
In a time I developed for WM5 under linux, I found that it was hard and tiresome to copy executable file to PDA for testing. Files were copied to PDA either by using of MMC card or by mounting of PDA as USB Storage. Both ways are not convenient at all when you do such actions every five minutes. In addition, the executable had to be executed to see how it did its job. I executed it by my hands. Indeed, there is no need to say that after I had developed in windows and such actions had been done by batch files there, I was annoyed in linux enough. Then when I tried to find a better solution for testing process, I came to synce project. At first, it seemed that usb-rndis driver for kernel had to be downloaded, compiled and installed. I did it, but it failed on compilation. Short studies of site were needed to found out that there was the new driver "usb-rndis-lite" It did well this time. As the result of installation I got new network device: rndis0. Then it was needed to setup synce utils and libs. It was hardest thing to complete. I tried to follow to the instruction from the wiki. But odccm gave me errors about d-bus, hal and so on. Error were dumb.. i.e. they were without any meaning of what really happened wrong. Then I tried vdccm... and it seemed that success was not even near to partitial... There was only one good thing - vdccm started without errors :). It was silent and sad. I started to google for the word vdccm and after a while I found out that one had used triggerconnection util to notify ActiveSync. But in my hands triggerconnection had no effect neither on vdccm nor on ActiveSync. I had walked through sources of the triggerconnection, it looked like it sends a pocket to the port 5679 of PPC. Then PPC was scanned by nmap. And nmap told me that there was no open ports on PPC!! I had no idea why port 5679 was not opened while ActiveSync had been started. I was exhausted and tired. Alas, I had spent a lot of time trying to figure out why port 5679 had been closed, although, at last, it came to me that the port could stay open for a few seconds after a device was plugged into a cradle. Indeed, vdcomm detected plug-event when I had started triggerconnection right after a PPC was plugged into a cradle. This time it made clear that one problem hid another one. At once, vdccm was able to detect a plugged PDA, but it was unable to hold connection more than a several seconds. And none of synce utils worked while it was connected these seconds. Again I googled. Somewhere someone wrote that vdccm doesn't work when device is protected by password. "@!#%@#%*#$!!!" cried me. I didn't wish to have device unprotected or to unlock it each time I plug it into my cradle. I made this patch for vdccm, when I had done reverse engineering of ActiveSync authorization protocol and synce sources had been explored enough for it. And ourtime time had came, patched vdccm worked great! Wheee! So, what I have done at last:
1. Installed usb-rndis-lite.
2. Installed libs: librapi2, libsynce.
3. Patched vdccm.
4. Installed ifplugd. It runs ifup/ifdown for rndis0 as needed.
5. Appended to /etc/network/interfaces:
6. Added line '169.254.2.1 local-pda' into /etc/hosts.
7. Wrote /usr/local/bin/triggerconnection-delayed:
8. Following lineds added to ~/.xsession:
9. Wrote my secret password into ~/.pda-pwd file (chmod 0600).
Now I could enjoy with all useful utils like pls, pstatus..., install cabs and etc.
It is all. Please, leave a comment if it was useful for you, or you have something to say about. Fell free to leave any kind of comment.
P.S. The patch I made is not fully featured. I wrote it in a very straightforward way. It does not support pending of password, so you must specify your password with the -p key-option. I really have no time to implement it well, sorry.
1. Installed usb-rndis-lite.
2. Installed libs: librapi2, libsynce.
3. Patched vdccm.
4. Installed ifplugd. It runs ifup/ifdown for rndis0 as needed.
5. Appended to /etc/network/interfaces:
iface rndis0 inet static
address 169.254.2.2
netmask 255.255.255.0
post-up /usr/local/bin/triggerconnection-delayed local-pda
6. Added line '169.254.2.1 local-pda' into /etc/hosts.
7. Wrote /usr/local/bin/triggerconnection-delayed:
#!/bin/sh
sleep 2
exec /usr/local/bin/triggerconnection $@
8. Following lineds added to ~/.xsession:
vdccm -d 3 -f -t -p `cat ~/.pda-pwd` 1>>~/logs/vdccm 2>>~/logs/vdccm &
9. Wrote my secret password into ~/.pda-pwd file (chmod 0600).
Now I could enjoy with all useful utils like pls, pstatus..., install cabs and etc.
It is all. Please, leave a comment if it was useful for you, or you have something to say about. Fell free to leave any kind of comment.
P.S. The patch I made is not fully featured. I wrote it in a very straightforward way. It does not support pending of password, so you must specify your password with the -p key-option. I really have no time to implement it well, sorry.
Tuesday, February 6, 2007
Emulation of Fork in Windows OS
The less we know, the better we sleep!
It is terrible:
Set up a pid in the shared memory area for the new child. Use setjmp() to capture state. First time (parent), set up some stuff and use CreateProcess to run a second copy of the same executable. The second copy will note in the shared memory area that it's a fork, and do the longjmp. They sync up and the parent copies all it's program memory to the child's address space. There's also code to reload dlls, map shared memory and mmap'd files, etc.
It is terrible:
Set up a pid in the shared memory area for the new child. Use setjmp() to capture state. First time (parent), set up some stuff and use CreateProcess to run a second copy of the same executable. The second copy will note in the shared memory area that it's a fork, and do the longjmp. They sync up and the parent copies all it's program memory to the child's address space. There's also code to reload dlls, map shared memory and mmap'd files, etc.
Sunday, February 4, 2007
LooxLight-2007-02-03
LooxLight is a tool for PDA Fujitsu Siemens C550/N560 (click here to find more information).
Update. I hope I fixed problem: owners of localized versions of WM5 were unable to install LooxLight. The error message is much more detailed now - it must help to understand cause of the problem if the problem still exists.
Zipped CAB file (2007-02-03).
New versions and latest news about LooxLight will be published right here.
Another project helps reduce power consumption on Fujitsu-Siemens Loox N560/C550.
Update. I hope I fixed problem: owners of localized versions of WM5 were unable to install LooxLight. The error message is much more detailed now - it must help to understand cause of the problem if the problem still exists.
Zipped CAB file (2007-02-03).
New versions and latest news about LooxLight will be published right here.
Another project helps reduce power consumption on Fujitsu-Siemens Loox N560/C550.
Friday, February 2, 2007
GoodWavPower
It is my third program for pocketpc. It is simple and sudden even for me. While reading firstloox forum, I found that "When you suspend your Fujitsu-Siemens Loox N560 or C550 with power button (with some application executed) and then resume the PDA again, it will consume after resume ~40 mA more power than before!". One suggested to use "Start" button. I tried to discover why "Start" button helped and soon it made clear for me that it was due to a bug in the audio driver! The program is wrotten just to simplify workaround and make it more convenient and not annoying at all. Just install it and forget about mentioned problem. It will prolong your book reading time to about 3 hrs more.
Zipped cab file (3k).
Sources (GPL, 11k).
Check for updates here.
(another program that helps you reduce power consumption (drops 15 ... 40mA) is here)
As usually, you are welcome for feedback.
Zipped cab file (3k).
Sources (GPL, 11k).
Check for updates here.
(another program that helps you reduce power consumption (drops 15 ... 40mA) is here)
As usually, you are welcome for feedback.
Thursday, February 1, 2007
LooxLight
I've done it! I wrote my second application for pocketpc. LooxLight is a tiny application which is intended to help you control lights (LEDs) of your FSC PPC.
Features:
Download zipped cab archive (17k).
How to install and setup.
1. Download the CAB file and copy it into your LOOX.
2. Run the CAB on LOOX. Proceed with an installation process as usually.
3. Go to Programs menu and click on the LooxLight Control icon.
4. Setup it in accordance with your desires.
Short description of dialog controls.
KBD stands for KEYBOARD, BTH is abbr of BLUETOOTH word, PWR is the POWER word as you already suppose. Each line of controls is prefixed with name of led.
"On" button just switches LED on and "Off" button switches LED off :). Blink means blink.
"KEEP ON"/"KEEP OFF" means that LooxLight must reset state to required when some other program changed it to unwanted.
Some controls are disabled for now, becouse they are not yet implemented.
Command line options:
LooxLightCtrl.exe
History:
Oneday, I found out KeyLightC. It was useful program but it lacked in ability to turn on/off individual led without touching others. Also I had to run the KeyLightC when some program was changed state of leds or just after PPC was awaked. I mailed Phill McManus. I asked him for command line options like +keyboard or -keyboard. I asked him to open KeyLightC sources in order to add these features by myself. But he didn't answered me. So I started my own research. It took nearly twenty evenings, before I found how to control leds in right way. Then it took ten evenings to find out how to program for PPC in MS Visual Studio and to learn WinCE API. Next it took three days to abandon that ugly MS Visual Studio and migrate to nice mingw32ce under linux. After all, I have to say I hate Win32 API for its tons of caveats.
TODO:
About firmware of Loox N560/C550.
I am too tired of this post. I am going to describe it in a next post.
Feel free to leave a comment with suggestions or information about how it works on your PPC (I am still not sure about 720/718).
Latest news about LooxLight are HERE.
Subscribe to:
Posts (Atom)