Part00|Part01.raw file extraction from KS20 dump? - Tilt, TyTN II, MDA Vario III General

Does anybody know how to extract the files from the Part00.raw or the Part01.raw of the KS20 image dump?
I've extracted from Part02.raw with the standard commands from the KaiserKitchen thread, but I can't seem to find the proper incantation for Part00 or Part01.
I'm missing some files (rex_wce.dll and TrsTai_extension.dll), and could really use a look into these files to implement some missing functions that don't exist in the Kaiser's version.
Incidentally, if somebody has the Kaiser's rex_wce.dll, it would help a lot too for code comparison with the KS20's version, eventually.

Good Luck! Contact Chainfire, He's already been there & done that. (To no avail if you're even thinking video issues)

GSLEON3 said:
Good Luck! Contact Chainfire, He's already been there & done that. (To no avail if you're even thinking video issues)
He's not answering his PMs unfortunately for me.

Well this is really surprising, you guys talk about wanting drivers, but the reality is ...
Here I am with partially working .dlls after I hacked up the KS20 ones, rewrote certain portions, and recreated the rest so that I can:
call eglGetDisplay(), got a valid response back
call eglInitialize(), got a valid response, and then some memory allocation dies in pmem_malloc() in the lower levels (specifically in ath2dati.dll) ...
Can I get some help extracting some other files? I've already rewrote msm_clk.dll as posted (notice the date and linker version), and currently I'm working through libgles_cm.dll

Try this utility:
http://legroom.net/software/uniextract
I am not sure if it will do what you need, but it was recommended on the User Customisation thread for extracting files from exe's and cab's and it is constructed using AutoIt which is a great freeware PC scripting utility, so it comes from a good pedigree and has been written to cover just about all types of compression.
I hope it works for you and sorry for the wasted effort if it does not as anybody working on this should be encouraged.
Regards
Chapelhill

chapelhill said:
Try this utility:
http://legroom.net/software/uniextract
I am not sure if it will do what you need, but it was recommended on the User Customisation thread for extracting files from exe's and cab's and it is constructed using AutoIt which is a great freeware PC scripting utility, so it comes from a good pedigree and has been written to cover just about all types of compression.
Thanks, but I'm trying to extract from a ROM dump which has a much different internal format.
Meantime, I think Chainfire just came through with files I've been asking for. Yay.
So, I've found some old old (June/2007) XIP files for the Kaiser now and I'll see if that's still useful to compare to the KS20's. Anybody got a link on how to extract the XIP from the .raw? Google's not helping me much.

Okay, I've found qooqoo's subthread which gives me the tools: http://forum.xda-developers.com/showthread.php?t=334680&page=6
And the actual commands:
mkdir XIP
dumprom.exe Part01.raw -5 -d XIP
Now I have the reference code to properly port these .dlls to the Kaiser. Thanks Chainfire and qooqoo.

is it safe to assume this project is dead?

Apparently, the LG KS20 does not have the needed drivers either.
janys said:
Maybe somebody already posted this...
HTC's driver issue is LG's, too

btprice2001 said:
Apparently, the LG KS20 does not have the needed drivers either.
There's some confusion as to what drivers mean. From the fringes I've been diving into, there isn't any specific Q-Dimension 3D support, but there's plenty of ATI-like 2D driver code in there including the ace_ddi interface, and possibly some MPEG2 decoding acceleration.
If the interview is describing 3D driver interface, then that much can probably be agreed to as not used/existing.

NuShrike said:
Well this is really surprising, you guys talk about wanting drivers, but the reality is ...
Here I am with partially working .dlls after I hacked up the KS20 ones, rewrote certain portions, and recreated the rest so that I can:
call eglGetDisplay(), got a valid response back
call eglInitialize(), got a valid response, and then some memory allocation dies in pmem_malloc() in the lower levels (specifically in ath2dati.dll) ...
Can I get some help extracting some other files? I've already rewrote msm_clk.dll as posted (notice the date and linker version), and currently I'm working through libgles_cm.dll
hey.
what did you rewrite? curious how far you got with this.

cmonex said:
what did you rewrite? curious how far you got with this.
redirected memory allocation calls in wce_rex.dll that is named differently in the KS20 version (get_virtual_address() -> RexGetVirtualAddress(), and nulled out free_virtual_address())
nulled out some function calls in TrsTai_extension.dll for calls that only exist in the KS20 version (I have to come back and resolve this with the new files I just got)
bypassed wce_pmem.dll calls to use qct_wce_pmem.dll directly instead (because QctDrv.dll is failing syntactically correct memory allocation calls) during eglInitialize() (qct_wce_pmem.dll is almost identical to the KS20 version, so I'm assuming wce_pmem.dll + QctDrv.dll is some weird HTC shim layer to serialize memory allocations)
am currently digging through ahi2ati.dll's AhiInit() to see why there's a data abort (illegal memory access) further down in eglInitialize().
I don't program on weekends.

NuShrike said:
redirected memory allocation calls in wce_rex.dll that is named differently in the KS20 version (get_virtual_address() -> RexGetVirtualAddress(), and nulled out free_virtual_address())
nulled out some function calls in TrsTai_extension.dll for calls that only exist in the KS20 version (I have to come back and resolve this with the new files I just got)
bypassed wce_pmem.dll calls to use qct_wce_pmem.dll directly instead (because QctDrv.dll is failing syntactically correct memory allocation calls) during eglInitialize() (qct_wce_pmem.dll is almost identical to the KS20 version, so I'm assuming wce_pmem.dll + QctDrv.dll is some weird HTC shim layer to serialize memory allocations)
am currently digging through ahi2ati.dll's AhiInit() to see why there's a data abort (illegal memory access) further down in eglInitialize().
I don't program on weekends.
Here's a hurdle I can see, most 3D GPU's require allocated memory on boot, or 'shared memory' (itsa friggin pc now), now from what I understand, the kaiser IPL bulks the memory into one wad of addy’s and uses it accordingly, now we need to dedicate some of the system memory as video memory to be dedicated to the GPU on system boot, no nand flash swap as the write rate will hose bits at an unacceptable rate.... This is why HTC would say it is too spensive to allocate programmers, my gawd, someone might have to think... (pffffft) POF...? The existence of an IPL has never been reported, but we know it is there, it functions as a system bios, you know, where in some lamer systems you can allocate dedicated video memory.... POF....? Sir, your vast knowledge and presence has been humbly requested...
?Glitch

NuShrike said:
redirected memory allocation calls in wce_rex.dll that is named differently in the KS20 version (get_virtual_address() -> RexGetVirtualAddress(), and nulled out free_virtual_address())
nulled out some function calls in TrsTai_extension.dll for calls that only exist in the KS20 version (I have to come back and resolve this with the new files I just got)
bypassed wce_pmem.dll calls to use qct_wce_pmem.dll directly instead (because QctDrv.dll is failing syntactically correct memory allocation calls) during eglInitialize() (qct_wce_pmem.dll is almost identical to the KS20 version, so I'm assuming wce_pmem.dll + QctDrv.dll is some weird HTC shim layer to serialize memory allocations)
am currently digging through ahi2ati.dll's AhiInit() to see why there's a data abort (illegal memory access) further down in eglInitialize().
I don't program on weekends.
hey,
thanks for the answers
what new files did you get? i have some, wondering which ones you meant there.

?Glitch said:
Here's a hurdle I can see, most 3D GPU's require allocated memory on boot, or 'shared memory' (itsa friggin pc now), now from what I understand, the kaiser IPL bulks the memory into one wad of addy’s and uses it accordingly, now we need to dedicate some of the system memory as video memory to be dedicated to the GPU on system boot, no nand flash swap as the write rate will hose bits at an unacceptable rate.... This is why HTC would say it is too spensive to allocate programmers, my gawd, someone might have to think... (pffffft) POF...? The existence of an IPL has never been reported, but we know it is there, it functions as a system bios, you know, where in some lamer systems you can allocate dedicated video memory.... POF....? Sir, your vast knowledge and presence has been humbly requested...
?Glitch
no, there is no IPL on the MSM7xx devices.
there is a PBL that is not reflashable, then that initializes the radio bootloaders, initializing some hardware in the process, then those run the SPL and the radio image. SPL then runs wince

cmonex said:
no, there is no IPL on the MSM7xx devices.
there is a PBL that is not reflashable, then that initializes the radio bootloaders, initializing some hardware in the process, then those run the SPL and the radio image. SPL then runs wince
So, this write once PBL would remove any ability to dedicate RAM to GPU and establish a handle for GPU drivers to use, unless there is a way to modify boot parameters, has anyone put the PBL through a debugger to check to see if there is an optional parameter file referenced?
?Glitch

cmonex said:
what new files did you get? i have some, wondering which ones you meant there.
I never had the wce_pmem, wce_rex, and TrsTai_extension dlls from both devices to compare since some is part of the XIP. I don't know WinMob well enough to know about extracting this stuff then.
My first initial pass guessed what calls I could redirect. Now that I can see, that's why qct_wce_pmem is preferred over wce_pmem now, esp since the normal wce_pmem failed a simple pmem_malloc call for no reason that bypassing directly to qct_ worked fine.

NuShrike said:
I never had the wce_pmem, wce_rex, and TrsTai_extension dlls from both devices to compare since some is part of the XIP. I don't know WinMob well enough to know about extracting this stuff then.
My first initial pass guessed what calls I could redirect. Now that I can see, that's why qct_wce_pmem is preferred over wce_pmem now, esp since the normal wce_pmem failed a simple pmem_malloc call for no reason that bypassing directly to qct_ worked fine.
oh you can just link me the rom image that has the stuff, i will extract it for you from xip.

?Glitch said:
So, this write once PBL would remove any ability to dedicate RAM to GPU and establish a handle for GPU drivers to use, unless there is a way to modify boot parameters, has anyone put the PBL through a debugger to check to see if there is an optional parameter file referenced?
?Glitch
nope, the PBL isn't even HTC code ... it just loads the radio bootloaders. its purpose is really just to implement uncrackable signing (but HTC screwed up there of course so we have nice sim unlockers now).
and you can't debug the PBL, lol
not even the htc part of the radio bootloader counts, it runs on its own ARM chip - initializing the RAM for the OS is totally the responsibility of the SPL and the CE kernel.
though of course it initializes some GPIOs etc but not the memory mapping for the ARM11.

cmonex said:
oh you can just link me the rom image that has the stuff, i will extract it for you from xip.
Thanks, but I meant that Chainfire already helped me out with some initial files, and then I figured out how to extract everything else myself afterwards now that I had the necessary keyword: XIP ...

Related

POLL: move PowerPoint/Word/Excel .exe to EXTROM installer?

EDIT: Duh, forgive me, I had put the wrong KB sizes above. Correct values are below.
PRO: if you don't use, have never used and will never use one or more of these apps the ROMs can pack more add-on software which won't have to be installed or take up storage space.
CON: If you use them it gets a little bit less convenient, as you have to install it after a hard reset.
NOTE: I don't know how much the system needs those dlls, but I guess they are not deeply embedded in it and might not even need to be installed, unless ActiveSync desperately needs them to convert files back and forth. Which does not make sense to me, at least images, when there is any conversion process, are processed in the PC, as it is much more powerful...
Footprint:
Office dlls:
office.dll: +63KB
officeres.96.dll: +95 KB
officeres.dll: +96 KB
Pocket PowerPoint:
ppt.exe: +2.277 KB
Pocket Excel:
pxl.exe: +852 KB
pxlfile.dll: +34KB
pxl2xls.dll: +47KB
xls2pxl.dll: +78KB
SubTotal: 1.011 KB
Pocket Word:
pwod.exe:+227 KB
Total: 3.769 KB
There could be more Office-related dlls scattered around, but I don't know how to identify them...
I say pack all those files into a self installer CAB and it can be up to the user to include it or not. In theory if we could ever agree on a nice stable base rom to build an online ROM kitchen like the XDA had/has and make everything else optional.
An online ROM kitchen would be sweet!
theloon said:
An online ROM kitchen would be sweet!
we'll see in the next couple of days... maybe we'll post it on the forum... BA WM5 rom kitchen... I'm sure Black6spdZ, xplode, thingonaspring, Midget and others will make it better :wink:
I just need to arrange and fix a few things, since most people prefer bepe's ways, for me it's just getting a little complicated to manage it working with bepe's way...lol...
I voted to keep it in the ROM, but only because I'm 99.99% sure that moving them will cause all sorts of problems. Any app launcher or today plugin that integrates with the office apps will break. They'll have hardcoded the path to the /windows directory, I'd put money on that. You might be able to replace the /windows exes with small launchers that point to the storage card I suppose.
I think the compression of the apps holds a lot of potential. Is there a compression tool that decompresses to the RAMdisk and runs from there? That would be the best of both worlds; the file is compressed in the ROM but only needs to be decompressed once on each RAM reset.
fraser said:
I voted to keep it in the ROM, but only because I'm 99.99% sure that moving them will cause all sorts of problems. Any app launcher or today plugin that integrates with the office apps will break. They'll have hardcoded the path to the /windows directory, I'd put money on that. You might be able to replace the /windows exes with small launchers that point to the storage card I suppose.
I think the compression of the apps holds a lot of potential. Is there a compression tool that decompresses to the RAMdisk and runs from there? That would be the best of both worlds; the file is compressed in the ROM but only needs to be decompressed once on each RAM reset.
We already have UPXed version of Office apps and dlls working, I believe Helmi will integrate them in the next version.
The 3.769 KB file footprint for the files above becomes around 1.450 KB, that's around 2.2MB of space saving.
For those who don't know:
UPX is a compression method meant to have extremely fast decompression speeds and very low resource consumption. If I understood correctly, the ARM assembler-optimized UPX decompressor which is added to our dlls and exes is 224 bytes.
From the website, a memcpy on a Pentium 233 (dunno the OS) happened at 60MB/s, while the UPX decompression of the same data was 13MB/s.
fraser said:
I voted to keep it in the ROM, but only because I'm 99.99% sure that moving them will cause all sorts of problems.
This is VERY true. Accessing the files would require a launcher as fraser says, and/or accessing any UPX'd resources in the DLL, or EXE without loading it in will cause cataclysmic failures in the calling application. The dangers are VERY high.
Brazilian Joe said:
I think the compression of the apps holds a lot of potential. Is there a compression tool that decompresses to the RAMdisk and runs from there? That would be the best of both worlds; the file is compressed in the ROM but only needs to be decompressed once on each RAM reset.
In theory you could do this with the RamDisk now, and use a RAR/ZIP/7Zip style archive on a SD Card (or in ROM). Simply run (on boot) an unarchive of the contents to RAM, and away you go. But in theory this isn't any better (and in reality is worse than) just installing the applications to the RAMDisk in the first place, and/or keeping a second "SD Card" just for the hard-reset cases when you want to re-install everything.
Brazilian Joe said:
We already have UPXed version of Office apps and dlls working, I believe Helmi will integrate them in the next version.
Just take care of PIM Managers, and other applications which may make direct usage of these applications. Also, a UPX'd DLL will require longer/slower load times due to decompression overhead as well as the IMGFS decompression requirements itself (even though the IMGFS portion will be 1:1 - i.e. uncompressed).
Brazilian Joe said:
The 3.769 KB file footprint for the files above becomes around 1.450 KB, that's around 2.2MB of space saving.
It will unfortunately be MUCH less than that. Try building the ROM with the UPX'd applications and check the free sectors, and then compare that to a ROM with them replaced. The difference in free sectors * 512 bytes per sector is the REAL compression ratio achieved.
My guess is that UPX is about 40-60% better than the IMGFS, so this would mean a gain of around 1.1Mb in the ROM, and not 2.2Mb. But 1.1Mb of useful space is DEFINITELY nothing to be sneezed at! ;-)
Keep in ROM ...
Oh yeah, and I voted to keep the MS Apps in ROM.
Powerpoint could/should be compressed, and possibly Word/Excel if they're still 100% safe (they were in my testing in TuMa v1.3). Compressing any of the core OS though - ICK. I'm not in favour of that.
Save as much as we can, without going crazy ... and keep the Core OS, the Core OS. All the features we want to add should be exactly that - features!

GPSOneApp (powerful internal GPS configuration tool)

Hi! Check this out, it comes from the LG Incite.. explains a ton of the variables involved with the GPSOne chipset.. part of it is passworded, i'll dig the password out in a bit
This lets you tweak pretty much any variable involved with the GPSOne chipset internal to qualcomm msm7xxx devices.
Copy the .dll and .exe to the device in any folder you like, and run the .exe (it's hidden so make sure you have show all files on)
http://rapidshare.com/files/192175960/GPSOneApp.rar
Dood...YOU ARE THE MAN!
In helping people out in the threads on GPS issues, I was JUST THINKING I WISH I HAD THIS! I'm running tools from from other chipset vendors with so-so NMEA parsers and no access to binary or advanced chipset commands.
Installing...
*EDIT: This little app has a lot of potential. I'll need sometime to test and play with this.
Da_G said:
Hi! Check this out, it comes from the LG Incite.. explains a ton of the variables involved with the GPSOne chipset.. part of it is passworded, i'll dig the password out in a bit
This lets you tweak pretty much any variable involved with the GPSOne chipset internal to qualcomm msm7xxx devices.
Copy the .dll and .exe to the device in any folder you like, and run the .exe (it's hidden so make sure you have show all files on)
http://rapidshare.com/files/192175960/GPSOneApp.rar
LOL I gotta try this...
EDIT:: Threw together a quick cab file to install this. It creates a shortcut in Start Menu\Programs\Tools
can't launch it (I know it is hidden, but I've made a custom shortcut pointing to the hidden .exe).
it gives an error:
the file gpsoneapp cannot be opened. either it is not signed with a trusted certificate or one of its components cannot be found. if the problem persists, try reinstalling or restoring the file.
Did you copy the .dll to the same folder as the .exe or in your system path? (\Windows)
Thanks for the .cab dharvey4651 Although it's not HTC soft so i duno about the \HTC folder..
fourcc said:
can't launch it (I know it is hidden, but I've made a custom shortcut pointing to the hidden .exe).
it gives an error:
the file gpsoneapp cannot be opened. either it is not signed with a trusted certificate or one of its components cannot be found. if the problem persists, try reinstalling or restoring the file.
Try the cab file I posted right above your post.
Da_G said:
Did you copy the .dll to the same folder as the .exe or in your system path? (\Windows)
yes i did. dll and hidden exe is in its own folder. Custom made shortcut is rechecked for a typo. but everything seems fine.
edit 1
...now trying the cab.
edit 2
cab works! don't know why but now it works
Da_G said:
Thanks for the .cab dharvey4651 Although it's not HTC soft so i duno about the \HTC folder..
Yeah I didn't know who really made it so I just guessed. Ha oh well the cab file works. I tested it personally
Aside from the dll I included, all dependencies are on windows system files, so unless your system is missing something..?
with the cab, it works.
thanks to all
So now that we have established that I'm the man, let's get that password
lol
I won't have time to check that out for a while, i'm working on porting other drivers etc. from lg incite to raphael.. whee
I almost feel dumb for spending the time to look... I guess I just like doing things the hard way
The password is all 0's
Da_G said:
I almost feel dumb for spending the time to look... I guess I just like doing things the hard way
The password is all 0's
what part needs password? I played a little this morning, I wonder if we can disable the static nav like w/the sirf tools. Or can this tool only read stuff? Any luck yet Da_G?
it definitely writes, it doesn't write directly to NVRAM though, only through IOCTL's.. nothing to disable the 'static nav' like behavior though, that'll be in NVRAM. Gotta find the memory address for it so we can use RegisterEditor.. or get access to the radio ROM..
The passworded part(s) are the system settings menus.. the first "user setting" menu is tied to the LG's gpsid (it stores the registry entries in a different part) so you can't toggle the menu options there and have them take effect.. but it at least explains what the options do and you can find the corresponding registry entries in HKLM\Software\HTC\SUPL AGPS.. but the system settings.. in particular UMTS PDE IP, port, url are persistent through a hard reset.. stored in MFG partition probably.. using this you can change the AGPS PDE server you're talking to.. i have good results with supl.nokia.com 66.35.236.25 port 7275..
Oh wow, this is a great little app. Thanks to Da_G and dharvey for getting this to us. I bet now we can get our GPS to function like its supposed to.
Da_G said:
using this you can change the AGPS PDE server you're talking to.. i have good results with nokia.supl.com 66.35.236.25 port 7275..
What do you mean DA-G? that if we use these settings we will get a working AGPS service in our devices in any part of the world and with any operator?
I won't say that (as I cannot test to verify)
But you will certainly have a better chance, as supl.nokia.com is open to worldwide use, whereas the default AT&T servers may not be.
It might be placebo, but when I have gpsoneapp open a gps connection, with my system settings set to what i mentioned above, it seems to be using the assistance servers (as I get a sub-30 sec fix on cold start)
I don't see the same behavior with htc gps tool or any other gps program, so i'm tempted to think gpsoneapp issues an assistance IOCTL that kicks things into gear..
But again, i'm gonna call placebo effect on that until I do many more tests
Da_G said:
I won't say that (as I cannot test to verify)
But you will certainly have a better chance, as supl.nokia.com is open to worldwide use, whereas the default AT&T servers may not be.
It might be placebo, but when I have gpsoneapp open a gps connection, with my system settings set to what i mentioned above, it seems to be using the assistance servers (as I get a sub-30 sec fix on cold start)
I don't see the same behavior with htc gps tool or any other gps program, so i'm tempted to think gpsoneapp issues an assistance IOCTL that kicks things into gear..
But again, i'm gonna call placebo effect on that until I do many more tests
I have to concur with this. Completely. I am a US T-Mobile Customer and I'm using an AT&T Fuze. When I got the phone nothing worked (data, GPS, etc...). Since then it seems I've gotten everything figured out. Data works with a simple registry change. GPS works AWESOME now. I can now lock from a cold start (right after a reset) in less than 20 seconds (a minute in my bedroom with no visibility) and I'm a very happy man.
I just want to say thanks to everyone here at XDA!!! Especially Da_G for this post here. I used nokia's servers just now and changed my AGPS connection to T-Mobile Data and now my GPS is super fast!
Thanks again!!!
dharvey4651 said:
...now my GPS is super fast!
I'm also a USA T-Mobile customer (on an unbranded phone). Would you mind sharing what settings changes you made? I'd love to have the same GPS performance you're seeing.
If your changes are the same as what you put into the .cab you posted here:
http://forum.xda-developers.com/showthread.php?t=478199
then I've done that, and thanks already. Non-technical types like myself definitely appreciate the hard work of yourself and everyone else here.

Great Chefs please consider adding RAMDISK to your custom ROM

since blackstone has sufficient ram, it would be highly efficient to install a ramdisk and relocate all tmp files to the ramdisk. At least it will make web browsing and other related applications start a lot faster. We can also use it to store some tmp files. An 8M ramdisk is good enough for general use and I believe a lot of programs can benefit from it. Thanks.
Uhm, Since the device uses ALL flash memory, wouldn't using a RAMdisk be pointless?
snootch said:
Uhm, Since the device uses ALL flash memory, wouldn't using a RAMdisk be pointless?
No, the RAM is a lot faster than the flash memory ...
I had the same idea a while ago, but figured out that it is quite useless. Using a ramdisk for browsers will make it faster on the one hand, but on the other hand you lose the possibility to cache content, so you'll have to download all data again and again, which means that you have to pay for it again and again.
Besides the browsers I don't see any useful application which uses temporary files (and the temporary files are slowing down the application).
So, what exactly do you have in mind?
johnpatcher said:
No, the RAM is a lot faster than the flash memory ...
I had the same idea a while ago, but figured out that it is quite useless. Using a ramdisk for browsers will make it faster on the one hand, but on the other hand you lose the possibility to cache content, so you'll have to download all data again and again, which means that you have to pay for it again and again.
Besides the browsers I don't see any useful application which uses temporary files (and the temporary files are slowing down the application).
So, what exactly do you have in mind?
I think a ramdisk can be used for a lot more than just browsers. It can be used as a cache for any program that needs to cache commonly used data (such as the theme files in G-Alarm) If it could be used as a cache for the .NET CF VM, that would be even better as it takes ~5-10 seconds for the VM to start up when you start an application built using .NET CF. P.S.: Were you thinking of having the chefs include this program? http://www.amv007.narod.ru/en/index.html
for the best performances, i would suggest to put the swapfile onto the ramdisk....do you agree?
This is something I was first asking when I joined. onoklog early roms for blackstone did have it but now has stopped. It is good for dumping temporary files and does have a feature in it that supports caching files so certain dumps are not lost on reset. Would be happy to see this integrated into new roms.
Install it by yourself. Not everyone needs it.
mcdull said:
since blackstone has sufficient ram, it would be highly efficient to install a ramdisk and relocate all tmp files to the ramdisk. At least it will make web browsing and other related applications start a lot faster. We can also use it to store some tmp files. An 8M ramdisk is good enough for general use and I believe a lot of programs can benefit from it. Thanks.
is there really that much difference in the access time between main storage and memory ?
for disks its milli seconds vs nano seconds so ram disks make sense
I can't tell how fast the RAM is .. but the nand is extremely slow...
web browsing does benefit noticeably when u have opera, etc. cache writing to RAMdisk instead of "main" (nand) memory. also works great as a place for temp. storage (ie. all those files that usually get written to "Volatile" folder). that's about it though...
I don't think it needs to be cooked in either - self-installation is easy enough anyways

[DEVS ONLY] Crack/bypass/trick Boot.img Signature

Ok, so lets get cracking on this bootloader.
boot.img and recovery.img certs (thanks to ntwrkwizard):
http://ponack.net/designgears/atrix/mmcblk0p10 - cert extract.zip
http://ponack.net/designgears/atrix/mmcblk0p11 - cert extract.zip
Flaw in the X.509 certs:
http://www.darkreading.com/security/vulnerabilities/218900008/index.html
Boot.img & Recovery.img
http://www.ponack.net/designgears/dump.7z
DG, afaik, that exploit deals with the md2 hash algorithm. it is a good possible starting point. has the signing cert been found/recovered/viewed yet?
if moto signed it with an md5 hash cert, then that may not be possible.
Well if you guys need any processing power to help crack anything let me know. I am willing to donate my system. Current specs:
i7-970 six core 4.8ghz overclocked
4 gtx580 gpus
24gb ddr3 2000
HSDL 240gb ssd
Like I said, if you guys need any processing power let me know.
Sent from my "5 inch Galaxy Tab"
Atrix here on the 22nd
dtmcnamara said:
Well if you guys need any processing power to help crack anything let me know. I am willing to donate my system. Current specs:
i7-970 six core 4.8ghz overclocked
4 gtx580 gpus
24gb ddr3 2000
HSDL 240gb ssd
Like I said, if you guys need any processing power let me know.
Sent from my "5 inch Galaxy Tab"
Atrix here on the 22nd
Please don't post here. This is a dev only thread. Post your offer in General.
Thanks!
These downloads look like just CA certs. Could someone extract the x.509 cert embedded in the beginning of the boot.img and post it to this thread? I'm out and about this weekend and don't have a box with a hex editor handy.
perdurabo2 said:
These downloads look like just CA certs. Could someone extract the x.509 cert embedded in the beginning of the boot.img and post it to this thread? I'm out and about this weekend and don't have a box with a hex editor handy.
If you could tell me how to do that I will be more than happy to get those for you. I'm the go to guy, remember?
Here is the extracted cert from within mmcblk0p10.img. This hex dump is extracted from 7FF7FC through 7FFDF9.
Also here is the extracted cert from within mmcblk0p11.img. This hex dump is extracted from 7FF7FC through 7FFE79.
Not sure of the value of an extracted public side of the x.509 post-signature, but I'm sure someone will define that.
Good luck..
NW
back on topic please.
Mr. Clown said:
back on topic please.
Who are you talking to? The cert conversation is applicable.
Hi friend,
is the bootloader encryption the same as on the Defy or Milestone?
Or a new one?
Maybe we could get all a free bootloader if this would work?
Or other technical?
Thanks
perdurabo2 said:
Who are you talking to? The cert conversation is applicable.
He deleted some unnecessary posts which were getting off topic. That's all.
The structure of an X.509 v3 digital certificate is as follows:
Certificate
    Version
    Serial Number
    Algorithm ID
    Issuer
    Validity
        Not Before
        Not After
    Subject
    Subject Public Key Info
        Public Key Algorithm
        Subject Public Key
    Issuer Unique Identifier (optional)
    Subject Unique Identifier (optional)
    Extensions (optional)
        ...
Certificate Signature Algorithm
Certificate Signature
The extensions they come in are:
.pem - (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
.cer, .crt, .der - usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
.p7b, .p7c - PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
.p12 - PKCS#12, may contain certificate(s) (public) and private keys (password protected)
.pfx - PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
PKCS#7 is a standard for signing or encrypting (officially called "enveloping") data. Since the certificate is needed to verify signed data, it is possible to include them in the SignedData structure. A .P7C file is a degenerated SignedData structure, without any data to sign.
PKCS#12 evolved from the personal information exchange (PFX) standard and is used to exchange public and private objects in a single file.
Flaws in the X509 Certificate:
Specification: Complexity and lack of quality
The X.509 standard was primarily designed to support the X.500 structure, but today's use cases center around the web. Many features are of little or no relevance today. The X.509 specification suffers from being over-functional and underspecified, and the normative information is spread across many documents from different standardization bodies. Several profiles were developed to solve this, but these introduce interoperability issues and did not fix the problem.
Architectural flaws
Use of blacklisting invalid certificates (using CRLs and OCSP) instead of whitelisting
CRLs are particularly poor because of size and distribution patterns
Ambiguous OCSP semantics and lack of historical revocation status
Revocation of root certificates not addressed
Aggregation problem: Identity claim (authenticate with an identifier), attribute claim (submit a bag of vetted attributes) and policy claim are combined in a single container. This raises privacy, policy mapping and maintenance issues.
Delegation problem: CAs cannot technically restrict sub-CAs to issue only certificates within a limited namespace and attribute set; this feature of X.509 is not in use. Therefore a large number of CAs exists on the Internet, and classifying them and their policies is an insurmountable task. Delegation of authority within an organization, as is common business practice, cannot be handled at all.
Federation problem: Certificate chains that are the result of sub-CAs, bridge- and cross-signing make validation complex and expensive in terms of processing time. Path validation semantics may be ambiguous. Hierarchy with 3rd-party trusted party is the only model. This is inconvenient when a bilateral trust relationship is already in place.
Problems of Commercial Certificate Authorities
Flawed business model: The subject, not the relying party, purchases certificates. The RA will usually go for the cheapest offer; quality is not being paid for in the competing market.
CAs deny almost all warranties to the user.
Expiration date: Should be used to limit the time the key strength is deemed sufficient. Abused by CAs to charge the client an extension fee. Places unnecessary burden on user with key roll-over.
Client certificates have zero protection value against dedicated attackers.
In browsers, the security is that of the weakest CA. There are very weak CAs.
“Users use an undefined certification request protocol to obtain a certificate which is published in an unclear location in a nonexistent directory with no real means to revoke it.“
Implementation issues
Implementation suffer from design flaws, bugs, different interpretations of standards and lack of interoperability of different standards. Some problems are:
Many implementations turn off revocation check:
Seen as obstacle, policies are not enforced
Were it turned on in all browsers by default, including code signing, it would probably crash the infrastructure.
DNs are complex and little understood (lack of canonicalization, i18n problems, ...)
rfc822Name has 2 notations
Name and policy constraints hardly supported
Key usage ignored, first certificate in a list being used
Enforcement of custom OIDs is difficult
Attributes should not be made critical because it makes clients crash.
Unspecified length of attributes lead to product-specific limits
Exploits
In 2005, Arjen Lenstra and Benne de Weger demonstrated "how to use hash collisions to construct two X.509 certificates that contain identical signatures and that differ only in the public keys", achieved using a collision attack on the MD5 hash function.
In 2008, Alexander Sotirov and Marc Stevens presented at the Chaos Communication Congress a practical attack that allowed them to create a rogue Certificate Authority, accepted by all common browsers, by exploiting the fact that RapidSSL was still issuing X.509 certificates based on MD5.
X.509 certificates based on SHA-1 had been deemed to be secure up until very recent times. In April 2009 at the Eurocrypt Conference, Australian researchers from Macquarie University presented "Automatic Differential Path Searching for SHA-1". The researchers were able to deduce a method which increases the likelihood of a collision by several orders of magnitude.
Domain-validated certificates („Junk certificates“) are still trusted by web browsers, and can be obtained with little effort from commercial CAs.
EV-certificates are of very limited help, because browsers do not have policies that disallow DV-certificates.
There are implementation errors with X.509 that allow e.g. falsified subject names using null-terminated strings or code injection attacks in certificates.
From the sound of it, the X.509 certificate the Atrix uses will be in .p12 format, although I could be wrong.
Example of a Decoded X509 cert: http://pastie.org/1590676
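A scanner for the kind of extraction ntwrkwizard did by hand above (the 7FF7FC..7FFDF9 and 7FF7FC..7FFE79 ranges) and for the Certificate structure listed above, as an added example that is not code from this thread: it walks a raw partition image looking for a DER SEQUENCE whose body is exactly SEQUENCE (tbsCertificate), SEQUENCE (signatureAlgorithm), BIT STRING (signature). The image bytes are constructed here and sized so the match spans 0x5FE bytes, as the mmcblk0p10 range does; nothing in it comes from the real Atrix dump.

```python
# Added example: scan a raw partition image for DER-encoded X.509 certificates (stdlib only).
def der_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode the DER length at buf[pos]; return (length, bytes consumed)."""
    first = buf[pos]
    if first < 0x80:                      # short form, one byte
        return first, 1
    n = first & 0x7F                      # long form, n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("not a valid DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n

def read_tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Parse one TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length, hdr = der_length(buf, pos + 1)
    start = pos + 1 + hdr
    if start + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, start, start + length

def certificate_size(buf: bytes, pos: int) -> int:
    """Size of the Certificate at pos, or 0 unless the bytes there are
    SEQUENCE { SEQUENCE tbsCertificate, SEQUENCE signatureAlgorithm, BIT STRING signature }."""
    try:
        tag, cursor, end = read_tlv(buf, pos)
        if tag != 0x30:
            return 0
        for expected in (0x30, 0x30, 0x03):
            inner_tag, _, cursor = read_tlv(buf, cursor)
            if inner_tag != expected or cursor > end:
                return 0
        return end - pos if cursor == end else 0   # the three elements must fill the body
    except (ValueError, IndexError):
        return 0

def find_certificates(image: bytes) -> list[tuple[int, int]]:
    """Return (offset, size) for every certificate-shaped span in the image."""
    hits, pos = [], 0
    while (pos := image.find(b"\x30", pos)) != -1:
        size = certificate_size(image, pos)
        if size:
            hits.append((pos, size))
            pos += size                       # skip the match instead of rescanning its body
        else:
            pos += 1
    return hits

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed sample below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

# Constructed sample: filler, a decoy SEQUENCE that is not certificate-shaped, then a
# certificate-shaped structure sized to 0x5FE bytes, the span of 7FF7FC..7FFDF9 inclusive.
SHA1_WITH_RSA = bytes.fromhex("06092a864886f70d010105") + b"\x05\x00"   # OID + NULL params
SAMPLE_CERT = der(0x30, der(0x30, b"\x00" * 1504) + der(0x30, SHA1_WITH_RSA) + der(0x03, b"\x00" * 5))
SAMPLE_IMAGE = b"\xff" * 0x20 + b"\x30\x03\x01\x02\x03" + SAMPLE_CERT + b"\xff" * 8
```

On a real dump the returned offset and size give the slice to write out as a .der file; the decoded fields (issuer, validity, signature algorithm) can then be read with any ASN.1 viewer.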
Great post, this is def a way to go and explore. I have been messing with NVIDIAFlash all day so far... I think if I can get a bootstrap or something on here so that I can mount and add some files to the system folder with the phone off, I may be on to something.
t0dbld said:
Great post, this is def a way to go and explore. I have been messing with NVIDIAFlash all day so far... I think if I can get a bootstrap or something on here so that I can mount and add some files to the system folder with the phone off, I may be on to something.
Adding things to the system folder means nothing; the system partition is only checked when a new system is flashed (via sbf_flash, RSD Lite, or flashing a CG via an update.zip). Otherwise you can add/remove items from the /system partition with no worries about the signatures.
I've got a question. Since we are dealing with a closed system, can we not validate the -enddate of the signed boot image? Make note of the exact date and time. Then change the system clock to less than 24 hrs after this date. This will allow the entire system to think that the bootloader and cert have done their job and simply need to be updated. Now we simply need to insert a new boot.img that has a valid -startdate within that 24 hr period. The system should simply stop using the expired image and boot the "updated image". Once this generic image is booted, it can simply be swapped out with any further custom ROMs that we feel the need to use. Once all is done, the system clock will need to be restored to the appropriate time. If I knew how to code, I would simply try this myself. But I don't, so I hope this might at least provide some insight into the possibility. I would love to work with developers on finding a solution to this problem, so feel free to ask questions.
jimmydafish said:
Adding things to the system folder means nothing; the system partition is only checked when a new system is flashed (via sbf_flash, RSD Lite, or flashing a CG via an update.zip). Otherwise you can add/remove items from the /system partition with no worries about the signatures.
I 100% agree, I didn't say that was the end all... the reason for doing this is so that the computer recognizes the device in NVIDIAFlash mode and I then can hopefully overwrite the bootloader with the dev version of bootloader.bin
t0dbld said:
I 100% agree, I didn't say that was the end all... the reason for doing this is so that the computer recognizes the device in NVIDIAFlash mode and I then can hopefully overwrite the bootloader with the dev version of bootloader.bin
That will not work, the bootloader is just one piece of a longer chain..changing that out "will" just have the phone reboot and use the backup bootloader. The problem to cracking it lies in all parts. Especially the NvRam where it begins and the MBR.
jimmydafish said:
That will not work, the bootloader is just one piece of a longer chain..changing that out "will" just have the phone reboot and use the backup bootloader. The problem to cracking it lies in all parts. Especially the NvRam where it begins and the MBR.
I very much respect all of the work you and your team have put into this situation with other devices, and I very much appreciate the help given by you guys to this forum, and no one including myself wants to waste time. That being said, I have not seen any ideas contributed... only negative posts on what isn't going to work. I agree that you guys know more than me on this situation; perhaps if you could share some of your ideas or the approach or direction you are going, I and others could be of some help. We are fresh and not quite so beat up. It's like when debugging a program that's driving you nuts and you can't figure out what's going wrong; sometimes a break, sleep, etc. is in order so that when you come back your whole train of thought has been altered and you see something differently because you were not looking there before.
I follow instructions well, so lead... i am willing to donate my time my resources, and more than likely my device (at least for the next 29 days )
t0dbld said:
I very much respect all of the work you and your team have put into this situation with other devices, and I very much appreciate the help given by you guys to this forum, and no one including myself wants to waste time. That being said, I have not seen any ideas contributed... only negative posts on what isn't going to work. I agree that you guys know more than me on this situation; perhaps if you could share some of your ideas or the approach or direction you are going, I and others could be of some help. We are fresh and not quite so beat up. It's like when debugging a program that's driving you nuts and you can't figure out what's going wrong; sometimes a break, sleep, etc. is in order so that when you come back your whole train of thought has been altered and you see something differently because you were not looking there before.
I follow instructions well, so lead... i am willing to donate my time my resources, and more than likely my device (at least for the next 29 days )
I am not being negative just helping you all steer clear of dead ends. We are looking over some files now and may have some useful tidbits soon. I think we can tell the boot chain from start to finish.
Great!! Thanks for the update... on a side note, especially in light of this whole PS3 thing, I hope Motorola uses the same signing keys for all devices, so that if our day ever comes it's x-mas for all.

Possible Tethering Hack?

So after that guy figured out the tethering hack for iOS by just changing a few lines of text, I decided to try to find one for Windows Phone 8. I have no idea how it would get on the phone (besides possibly flashing a new ROM?), but I went and looked anyway. I mounted the VHD from the SDK and I think that I found something. If you use something like Visual Studio's Find in Files and search for ICSSVC, you'll find some interesting stuff.
First of all, in Microsoft.Net.NetCore.reg, I found this: puu.sh/3J9yS.png That's how I learned about ICSSVC. So then I searched for that, and in Microsoft.Net.NetCore.policy.xml there is a bunch of capability stuff. I have no idea what to do past here, and the emulator doesn't have the Internet Sharing option. So, yeah.
MichaelC97 said:
So after that guy figured out the tethering hack for iOS by just changing a few lines of text, I decided to try to find one for Windows Phone 8. I have no idea how it would get on the phone (besides possibly flashing a new ROM?), but I went and looked anyway. I mounted the VHD from the SDK and I think that I found something. If you use something like Visual Studio's Find in Files and search for ICSSVC, you'll find some interesting stuff.
First of all, in Microsoft.Net.NetCore.reg, I found this: puu.sh/3J9yS.png That's how I learned about ICSSVC. So then I searched for that, and in Microsoft.Net.NetCore.policy.xml there is a bunch of capability stuff. I have no idea what to do past here, and the emulator doesn't have the Internet Sharing option. So, yeah.
Unfortunately, this involves dumping phone ROMs and modifying the policies (we don't know how crazy this process will be). Another setback involves the fact that the bootloaders for WP8 are signed, which would require the ROM to be signed with the correct cert, etc.
Basically, this will be extremely painful due to WP8 running a Windows NT Kernel (WP7 uses Windows CE) and all kinds of other obstacles that we haven't discovered yet.
snickler said:
Unfortunately, this involves dumping phone ROMs and modifying the policies (we don't know how crazy this process will be). Another setback involves the fact that the bootloaders for WP8 are signed, which would require the ROM to be signed with the correct cert, etc.
Basically, this will be extremely painful due to WP8 running a Windows NT Kernel (WP7 uses Windows CE) and all kinds of other obstacles that we haven't discovered yet.
Also while I was searching, I found a registry entry for 'DeveloperUnlock'. So when you run the program to dev unlock your phone, the program must modify the registry on the phone. I'm pretty sure that it would be possible to replicate that.
MichaelC97 said:
Also while I was searching, I found a registry entry for 'DeveloperUnlock'. So when you run the program to dev unlock your phone, the program must modify the registry on the phone. I'm pretty sure that it would be possible to replicate that.
As of now, we can't execute the native EXEs on the phone, so we won't know whether we can replicate that or not. I know from talking with HeathCliff74 that modifying the policy on WP7 took quite a long time and effort to figure out. I can almost guarantee the policies on WP8 are implemented completely differently from WP7 and are an even bigger pain to modify.
snickler said:
As of now, we can't execute the native EXEs on the phone, so we won't know whether we can replicate that or not. I know from talking with HeathCliff74 that modifying the policy on WP7 took quite a long time and effort to figure out. I can almost guarantee the policies on WP8 are implemented completely differently from WP7 and are an even bigger pain to modify.
I meant the program on your computer that comes with the SDK. I think that it modifies the phone's registry to dev unlock it.
MichaelC97 said:
I meant the program on your computer that comes with the SDK. I think that it modifies the phone's registry to dev unlock it.
You are correct, it does modify the registry to dev unlock it, by connecting to a running service on the phone and executing native DLLs. The main DLL that interacts with the phone within the program's folder is a Win32 compiled .DLL rather than a .NET file, which would require some disassembly to get an idea of what's going on. It also doesn't help that it is a signed DLL.