Database Develop

Introduction to Hexing, Programming, and General Game Modding - Off-topic

I have posted this on a few other places so I figured I'd post it in the best site around. I think it fits here because the principles can be easily transferred over to other things since instead of teaching you a specific way to do something it will teach you a specific way to think and look at a problem. Now without further ado here it is.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This will be an introductory guide for basic principles used to mod gamesaves and generally useful programming skills such as hex-editing, retrieving the gamesave, basic automation principles, concepts, and the like. Anyone with experience is welcome to post. This should be as comprehensive as possible. If you see an example of code in one language and know the equivalent in another language (you see c++ code and know the VB equivalent let's say) please quote the original code and post your port. Please post all code in code tags.
Example of ported code:
Example said:
dudeguy105 said:
Here's how to read a file in c++
Code:
#include <stdio.h>
int main ()
{
FILE * pFile;
pFile = fopen ("myfile.txt","r");
return 0;
}
Click to expand...
Click to collapse
Here's how you read one in autoit
Code:
#include <File.au3>
$sContents = FileOpen("myfile.txt",0)
Click to expand...
Click to collapse

What You'll Need​
A hex editor - I recommend Hex Workshop but any will work.
A gamesave of the game you wish to modify (if making a SE)
A JTAGed 360 (if modifying core files)
A method to put your gamesaves back on your device (USB drive is easiest)
A good grasp of numbers or the ability to "wing-it"
A copy of the game or program you wish to modify (obviously)
Cheat Engine (for use with modifying non-online PC games)(reinforce basic concepts)
Large quantities of Caffeine
Legend:
360 Specific Requirement
Normal Requirement
Recommended but not required

Basic Concepts​
Read the display of your hex-editor
Retrieve, modify, and replace gamesaves
Modify values in memory (either RAM or dump (aka gamesave)
Automation Fundamentals
Standard GUI Practices
Programming
More I can't think of at the moment

Basic Terminology​
Gamesave - A game's save-data
JTAG - 1)A method of modifying an xbox360 or other JTAGable hardware to run unsigned code and send/receive serial data 2)A JTAGed xbox360/system
360 - an xbox360
RAM - Random Access Memory, your computer's memory.
Hex-editor - A program that opens and displays a file's binary content for editing.
GUI - Graphical User Interface, a "face" for a program with buttons sliders and the like.
UI - User Interface, how a program is displayed and interacted with.
Console - 1)A gaming console 2)Command prompt or shell/bash/terminal 3)A UI, normally a rectangle with white text on a black background to accept a user's input through typing.
Plain-text - refers to readable language. "This is plain text", "LZAK AK FGL" (this is not)
will add more as needed

Next question. "What do the values displayed in the editor mean/represent, how do you know if a displayed value is one you need, and how do you search for a specific value?" That's a question that brings up 3 good points.
What do the values displayed in the editor represent?:
The numbers you see are the hex contents of the file that you opened. Hex is a numerical system, and is often used to represent binary values. What you're seeing in the editor is actually the content of the file on the most basic level, binary, displayed in a more readable fashion.
Binary:
Code:
0,1,10,11,100,101,110,111,1000,1001,1010,1011,1100
Decimal:
Code:
0,1,2,3,4,5,6,7,8,9,10,11,12
Hex:
Code:
0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F
Most of us are used to decimal, not hex or binary. If most people saw a file's binary content displayed in binary their brains would explode . Hex shows us the binary content in a very clear,concise way, and it can represent number and letters. This makes it the perfect choice to display binary, which also represents numbers and letters.
How do I know if a displayed value is one I need?:
For the most part you will be beginning your search looking for numbers you already know. Say you have 10,000 gold in a game. You would search for "2710", which is 10,000 in hex. You may find more than one result, you may find none. If you find more than one change one, save the changes, test the save, and see if your gold changed. If not revert your save back to the original and change the next in the series until you find the one that works. If you do not find any results then there is some sort of encryption on the file. Many times it's simply a math operation. Your game may save your value as 80,000(13880) instead of 10,000(2710) because it's less obvious. If you find only one result, chances are that's the value you need to change.
How do I search for a specific value?:
That really depends on your specific hex-editor, but most you can simply press ctrl+f and it will open a search window.
You also don't need to know any programming to start this, we'll get into that later. Pick the language that best suits your needs and works for you. Some like C#, some like c++, some like VB, and I like autoit.

Decrypting is a real pain in the ass, at least for me. A good way to tell if something is encrypted is if you don't see any plain-text in the save file. If you do it's probably not encrypted, maybe it just has a checksum. Decryption isn't really my specialty but I do know a bit about basic ciphers. I'm assuming most people who read this will at least know what encryption is so I don't need to explain that or how it works. Maybe someone with more decryption experience than myself can post more info but for now I'll stick to examples that don't use any real encryption, just checksums or no security. If there is encryption on the save file the easiest way is to get 2 or 3 saves that have no difference but what you're looking to change (such as gold). Just load those into your hex editor and do a file compare, you should see the areas that are different. Normally values for most things in games (stats, gold, items, etc) won't be too large. If you see a large difference then there are 1 of 2 possibilities. 1) If the chunk is somewhat large but not the entire file that's probably a checksum area. 2) If the entire file is different even though only one value changed then the encryption uses something as a seed (probably the checksum) so the encryption algorithm is the same but the output is different every time.

Actually I thought I mentioned the file compare method on here already . That's a method, also the most common, to find the values you need if the straight "search for them" method doesn't work. If you could read team names at all that means there's no encryption, I posted a bit more info about that in a previous post with an example of plain-text and basic encryption. I'm glad this is what you were looking for. Ok on to the next topic.
How to Hex​Most people think hexing is a really daunting task. It isn't. I actually already explained most of what you need to know in post #9 but I'll go over the basics again. Once you open a file in your hex editor you should see something like this on one side (the left usually)
Code:
0D 0A 3C 21 2D 2D 20 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 0D 0A 54 68 69 73 20 63 6F 64 65 20 73 68 6F 75 6C 64 20 62 65 20 70 6C 61 63 65 64 20 69 6E 20 74 68 65 20 68 65 61 64 65 72 20 6F 72 20 69 6E 20 61 20 43 53 53 20 66 69 6C 65 2E 0D 0A 49 74 20 63 61 6E 20 62 65 20 6D 6F 64 69 66 69 65 64 20 74 6F 20 6D 61 74 63 68 20 74 68 65 20 61 70 70 65 61 72 61 6E 63 65 20 6F 66 20 74 68 65 20 72 65 73 74 20 6F 66 20 74 68 65 20 73 69 74 65 2E 0D 0A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A
and on the other you should see what that represents, in this case it's some html
Code:
..<!-- ***************************************************************..This code should be placed in the header or in a CSS file...It can be modified to match the appearance of the rest of the site...*******************************************************
If the right side is easily readable like it is here, there's no encryption. If it looks something like
Code:
A2e76f!_ #[email protected] ......... emishUGLhvEEas~_
then it's probably encrypted. You need to look carefully though since some things may seem encrypted at first glance but really aren't like
Code:
sysSettings1sysSettings2sysSettings3.........weapon_023464........63
In this example you can see that system settings 1, 2, and 3 are unlocked and the player has 99 (which is 63 in hex ) of the item "weapon_023464". They won't always be this easy to read but this shows my point quite well. If we wanted to unlock system setting 4 in this example the first thing to try would be to change the right side (the "readable" side) to
Code:
sysSettings1sysSettings2sysSettings3sysSettings4.........weapon_023464........63
rehash/resign, load it back and see if it works. If it doesn't then the next method to try would be to find a savegame that already has it unlocked and compare the two. Let's say the save with it unlocked looks like this
Code:
sysSettings1sysSettings2sysSettings3sysSettings_04.........weapon_023593........03
We can clearly see that they changed the naming on menu 4. So all we need to do is change our modified file to
Code:
sysSettings1sysSettings2sysSettings3sysSettings_04.........weapon_023464........63
rehash/resign and load and all should be well.
"Oh but that's easy, what if the file is encrypted then what do I do?" I know some of you are thinking this. Well that's where the file-compare method comes into play again. Say we have 2 saves that look like this.
save1 said:
Hex:
Code:
61 6f 66 66 6f 69 68 39 68 28 2A 47 48 28 4F 48 28 51 32 6f 39 68 79 39 20 20 20 20 20 20 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 20 20 20 66 32 30 6A 66 6A 61 66 30 71 39 33 32 77 40 30 39 31 30 31 20 20 20 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 20 20 20 20 20 20 20 6A 61 68 44 26 40 6E 66 64 69 77 5F 44 5F 7E 6A 66 75 77 68 21 2e 2e 2e 2e
Text:
Code:
aoffoih9h(*GH(OH(Q2o9hy9 .......... [email protected] 01234567890123456789
jahD&@nfdiw_D_~jfuwh!....
Click to expand...
Click to collapse
save2 said:
Hex:
Code:
39 37 66 32 30 61 76 4E 68 28 2A 47 48 28 4F 48 28 51 32 6f 39 68 79 39 20 20 20 20 20 20 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 20 20 20 66 32 30 6A 66 6A 61 66 30 71 39 33 32 77 40 30 39 31 30 31 20 20 20 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 20 20 20 20 20 20 20 6A 61 68 44 26 40 6E 6A 44 46 45 64 20 20 6B 24 61 75 44 6E 7A 21 2e 2e 2e 2e
Text:
Code:
97f20avNh(*GH(OH(Q2o9hy9 .......... [email protected] 01234567890123456789 jahD&njDFEd k
$auDnz!....
Click to expand...
Click to collapse
We can see some similarities and some differences. Notice they both have "01234567890123456789" in them in the same place and they both end with "!....". The first 8 letters are different though and some of the middle is different. A safe assumption is usually if something changes at the very beginning of the file or at the very end it's a potential checksum. I'll explain more about those later. Say we only changed our stat for gold in the game between the two saves we have. Since we think the first change is a checksum that means the second change must be our gold number. Now we have no idea what the encryption method is at the moment but we do know how much our gold was and is and where in the file it's saved now. So we keep that information handy and build up our gold to an ungodly amount through work or cheats, save, and open the file. It now looks like this.
save3 said:
Hex:
Code:
38 61 66 6A 77 21 5F 20 68 28 2A 47 48 28 4F 48 28 51 32 6f 39 68 79 39 20 20 20 20 20 20 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 20 20 20 66 32 30 6A 66 6A 61 66 30 71 39 33 32 77 40 30 39 31 30 31 20 20 20 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 20 20 20 20 20 20 20 6A 61 68 44 26 31 64 75 76 6E 20 41 45 46 6E 20 20 5F 2E 2E 32 21 2e 2e 2e 2e
Text:
Code:
8afjw!_ h(*GH(OH(Q2o9hy9 .......... [email protected] 01234567890123456789 jahD&1duvn AEFn
_..2!....
Click to expand...
Click to collapse
We can clearly see that the same two places have changed. First thing to try (shot in the dark) is take the area we think is gold and put it in our first save. That would make it look like this
Modded_save said:
Hex:
Code:
61 6F 66 66 6F 69 68 39 68 28 2A 47 48 28 4F 48 28 51 32 6f 39 68 79 39 20 20 20 20 20 20 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 20 20 20 66 32 30 6A 66 6A 61 66 30 71 39 33 32 77 40 30 39 31 30 31 20 20 20 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 20 20 20 20 20 20 20 6A 61 68 44 26 31 64 75 76 6E 20 41 45 46 6E 20 20 0D 0A 0D 0A 5F 2E 2E 32 21 2E 2E 2E 2E
Text:
Code:
aoffoih9h(*GH(OH(Q2o9hy9 .......... [email protected] 01234567890123456789 jahD&1duvn AEFn
_..2!....
Click to expand...
Click to collapse
We ignore the possible checksum for now, rehash/resign and load it up to see if it works. To our shock it does! Our gold has jumped but everything else is exactly the same as the first save so we think to ourselves "what else could have changed between those two saves I had first?" The answer is simple. The time. The first few bytes of our file are our gameplay time. There are games that use checksums and if the edited save doesn't load up then that game probably does. This example was just to get you into basic hexing, not bypassing game security. If this made your head explode, please get a bucket and try again . It gets easier, I promise. Just re-read this a few times, eventually it will "click" and you'll understand.
Edit: Just in case my way was a bit difficult to understand I found another explanation posted by Emerald Lance, it's the same info just worded a bit differently. Maybe you can understand this one if you can't understand mine.
Emerald Lance said:
Hex editing can indeed be a daunting task for beginners. When I first started, I remember that it just looked like a swirl of coded nonsense. But there are only two things you need to get started: a hex editor, and knowledge on how to count in hex.
If you're talking about modding 360 game saves, programs like Modio and Horizon have a hex editor built in, so we'll skip that part. Assuming you don't know how to count in hex, this is the general basic concept. When you normally count, you go 0-9, and then it starts again as the zero of the next series of numbers, in this case 10-19, then 20-29, and so on. In hex, you count from 0-F; instead of going on to 10 after 9, you go from 9 to A. In hex, A means 10, and F means 15, so in hex 10 means 16, and so on. A lot of people starting off have a bit of trouble understanding at first, but you'll get it sooner or later; I learned by trying to count in hex in my everyday life, and by studying how color sliders that went up to 255 were different than the ones that went to FF (there is no difference, just decimal vs hex). Of course, this is assuming you don't already know how to count in hex.
While much of the hexing process is just changing values, you gotta know where those values are in in order to change them. Every game is different, so this is important. There are two methods you should be familiar with: Ctrl+F, and comparison. Let's say you want to edit a character's HP stat. While playing the game, take note of what it is. Let's say it's 590. Right it down and use a hex calculator (Windows has one that comes with it) to find out what it is n hex; in this case, 590 = 024E. Remember to add a 0 at the beginning of values that have an odd number of digits, since hex is in bytes (two digit values) and it helps make sure you don't get a bunch of values you don't want. Now, in your hex editor, hold the Ctrl key and press F, then type in the hex value you want to search for.
It isn't uncommon for the search to turn up multiple hit, especially when searching for lower (and by proxy, more common) values. When this happens, you need a comparison. Play the game normally and do something to change the value you want to edit, in HP's case I guess level up once. Take note of the new HP value in hex, and repeat the Ctrl+F process with this new save. Let's assume you're new hex number is 02D6. Since the only instance of 024E that changed was HP, then that should be the only instance that is now 02D6. Look for 02D6 now, and find the place where it sits that 024E used to sit. It's easiest to do this when you have both old save and new save open at once; you can also write down each address if there aren't a lot of instances. Once you find the value (and know that it's HP) change it to whatever you like. It can be sometimes risky to edit games with a maximum value of 9999 (270F in hex) to higher than their maximum, but in most games it works fine. Now just remember to resign/rehash the save (again, programs like Modio and Horizon do this) and inject it into your drive.
There are a few things that can go wrong with just simple hexing. While most older games can just be edited easy, newer or more popular games often have some measures put in place by the developer just to make sure it isn't hacked. The game save could be compressed or encrypted (will essentially show gibberish until decompressed or decrypted) or could have a checksum (a little line of encrypted code that changes every time values change during gameplay; if the values don't match the checksum, you get a corrupt save). Just remember that not everything can be edited with just hex knowledge alone.
Believe it or not, this is all there is to know (that can be taught) about hexing. Everything else is just picked up as you go, including better understanding of hex as a language (as opposed to just a number system). I hope this helps, and I hope it gets you started on your hacking way.
Click to expand...
Click to collapse

Basic Game Security​
As has been said before, many games have some sort of security be it encryption, a checksum, some mathematical manipulation, or a combination of these. The easiest (and the one I will be discussing first) is mathematical manipulation.
Mathematical Manipulation:
Even the name sounds imposing huh? Well it isn't as scary as it sounds. All it means is that the value we're looking for has had some math done to it. Say we're looking for our gold which is 100. We look through our saves but don't find any values of 100 but we know that it isn't encrypted because we can read it. Well we go through the file compare method and find a value that changed when we got another gold. The values that were changed are 800 and 808. We know that our gold values are 100 and 101 and this is the only thing that changed so they must correspond. This allows us to realize "hey, all they did was multiply our value by 8". That's mathematical manipulation and is quite easy to implement. For the more code-savy of you I will give an example code that could be found in-game.
Autoit:
Code:
$iVal = 800
$iGold = $iVal/8
GUICtrlSetData($txtGoldVal,$iGold)
C++:
Code:
int iVal = 800;
int iGold = iVal/8;
printf(iGold)
All this code does is take the value (800) and divide it by 8 to show you your real gold value. Since the game would add in increments of 8 for every gold piece we wouldn't find the display value (100) but only the real value of 800. Now onto checksums ^_^.
Checksums:
Checksums are bits of data that the game reads before the save is loaded to verify that it hasn't been tampered with. Some common checksums are the SHA1 or MD5 value of the data (not including the checksum itself of course), a proprietary key (such as the PSV header of a PSP's PS1 savegame), or sometimes even something as simple as your profileID. Most checksums are found at or close to the beginning of the file. Since it's the first thing read to verify security it makes sense that it would be there, but sometimes it's at the end of the file in an attempt to throw us off. Going back to our original example of "sysSettings1sysSettings2sysSettings3.........weapon_023464........63" we know the hex is
Code:
73 79 73 53 65 74 74 69 6E 67 73 31 73 79 73 53 65 74 74 69 6E 67 73 32 73 79 73 53 65 74 74 69 6E 67 73 33 2E 2E 2E 2E 2E 2E 2E 2E 2E 77 65 61 70 6F 6E 5F 30 32 33 34 36 34 2E 2E 2E 2E 2E 2E 2E 2E 36 33
but in our savegame we see
Code:
6d ed b1 c4 ff 91 39 9c 75 b4 bc fe fe 0e 69 63 73 79 73 53 65 74 74 69 6E 67 73 31 73 79 73 53 65 74 74 69 6E 67 73 32 73 79 73 53 65 74 74 69 6E 67 73 33 2E 2E 2E 2E 2E 2E 2E 2E 2E 77 65 61 70 6F 6E 5F 30 32 33 34 36 34 2E 2E 2E 2E 2E 2E 2E 2E 36 33
We can clearly see that "6d ed b1 c4 ff 91 39 9c 75 b4 bc fe fe 0e 69 63" is before the actual data we want but we don't know that that is because on the "readable" side of our editor it looks like this "m.....9.u.....ic". What do we do in this situation? Well first we swear, then we see if it matches up with any of the "common" checksums. We try the SHA1 of our data which is "fbce6651fad6a8461c9bc0751cf153dd044addb". Nope, not that one. We try the MD5 which is "6dedb1c4ff91399c75b4bcfefe0e6963", hmm...let's spread that out. "6d ed b1 c4 ff 91 39 9c 75 b4 bc fe fe 0e 69 63", bingo exact match. Now we know that it uses an MD5 hash of the data as its checksum. All we need to do if we change something is recalculate the MD5 value. There are several ways to do this an I won't go into specifics (google is your friend). Following our old example let's say we wanted to unlock menu 4. We would set our data to "sysSettings1sysSettings2sysSettings3sysSettings_04.........weapon_023464........63" and get the MD5 which is "388ff38b741b00fbbd1fc84f69362002". Now all we do is insert our new checksum in place of the old one to make our hex data look like this
Code:
38 8f f3 8b 74 1b 00 fb bd 1f c8 4f 69 36 20 02 73 79 73 53 65 74 74 69 6E 67 73 31 73 79 73 53 65 74 74 69 6E 67 73 32 73 79 73 53 65 74 74 69 6E 67 73 33 73 79 73 53 65 74 74 69 6E 67 73 5F 30 34 2E 2E 2E 2E 2E 2E 2E 2E 2E 77 65 61 70 6F 6E 5F 30 32 33 34 36 34 2E 2E 2E 2E 2E 2E 2E 2E 36 33
Notice how our checksum is at the very beginning? It's the same place as the original checksum we found. We never want to put it in another location. We always want to keep the data as close to the original as possible so we don't break our game or get a corrupted save.
Proprietary Checksums:
These are a *****. I'll be honest I don't know how to crack stuff like this so the best bet is to wait until someone figures it out or get help if you don't already know how. I'll give an example anyway. Using the same example we see our hex data as
Code:
fd fc 0c f4 4d b7 cf 1b 87 e6 78 46 58 ea 3b 04 73 79 73 53 65 74 74 69 6E 67 73 31 73 79 73 53 65 74 74 69 6E 67 73 32 73 79 73 53 65 74 74 69 6E 67 73 33 2E 2E 2E 2E 2E 2E 2E 2E 2E 77 65 61 70 6F 6E 5F 30 32 33 34 36 34 2E 2E 2E 2E 2E 2E 2E 2E 36 33
which means our checksum is "fd fc 0c f4 4d b7 cf 1b 87 e6 78 46 58 ea 3b 04". We run our data through the more common checksums and even some others we find out about through searching but we don't find any publicly available method of making the same checksum. First thing to try is leave the checksum alone and still change your data, then load it up and see if it runs. If it does then it's probably just an identifier, if it doesn't then it really is a checksum and we need help.
Encryption:
I've already talked about encryption . It's basically a type of mathematical manipulation but on a larger scale than just our data (for the techies more than just on variables/userdata). Normally they have an algorithm, a mathematical formula, that they run the entire save file through to make it totally confusing and unreadable. Well, if the game can read it so can we right? It's just a matter of figuring out how it works. Using our standard example I'll show you some very basic encryption. We already know what the hex of the file should be, but under encryption it looks like this
Code:
88 94 88 68 80 89 89 84 21 82 88 46 88 94 88 68 80 89 89 84 21 82 88 47 88 94 88 68 80 89 89 84 21 82 88 48 88 94 88 68 80 89 89 84 21 82 88 20 45 49 17 17 17 17 17 17 17 17 17 92 80 76 85 21 21 20 45 47 48 49 51 49 17 17 17 17 17 17 17 17 51 48
which translates on the "readable" side to
Code:
X^XDPYYTRX.X^XDPYYTRX/X^XDPYYTRX0X^XDPYYTRX-1\PLU-/013130
.
Gibberish right? Well we don't know the encryption algorithm so we're stuck with using the filecompare method and hoping they don't also have a checksum.
In all of these examples when data would be loaded onto your 360 you would need to rehash/resign your save somehow (Modio, Horizon, etc) to make sure the 360 recognizes it as proper data, even if the game won't. These are the basic concepts behind checksums. Simple(ish) right?
P.S. For those of you interested here's the basic encryption program I whipped up for this example. It just reads the binary values one-by-one and adds F to them but hey it works. It's written in AutoIt.
Code:
#include <file.au3>
Dim $i, $string, $hex
$file = FileOpen("test.txt",16)
$num = FileRead($file)
$num = @extended
While $i < $num
FileSetPos($file,$i,0)
$data = FileRead($file,1)
$data = StringReplace($data,"0x","")
$new_data = $data + 0xf
$hex &= $new_data & " "
$string = $string & ChrW($new_data)
$i += 1
WEnd
MsgBox(0,"",$hex)
MsgBox(0,"",$string)

Basic Programming Ideas and Principles​
Ok first a bit of terminology so people don't get too confused.
Variable - A variable is a storage device for data. Variables have certain types. They are:
Char - a single character or number (0-9,a-z,etc)(1 byte)
Integer - A whole number (2-4 bytes)
String - Text. Words. You know, language
Array - A variable containing other variables or multiple data sets/types.
Vector - Expanding/contracting array
Double - Can have decimals (8 bytes)
Float - Can have decimals (4 bytes)
Function - A piece of code that performs a single, specific task.
Data - information
Code - ...duh...
Parameter - A function-specific variable. Takes input to use in the function.
Loop - a piece of code that continues until certain conditions are met
Infinite Loop - never stops
Event - notifies the program and the OS that something happened.
Control - Something a user interacts with, such as a button, radiobutton, checkbox, etc
Now that that's out of the way lets get into the basics. "What is programming?" It's making a machine do what you tell it . There are different programming languages just like there are different spoken languages. Different ways of expressing the same idea. My preferred language is AutoIt (as I've stated before...I think) since I'm more familiar with it than anything else right now. "Which language is the best to use?" Well they all have merit, find the one you like the best and go for it. "Are you going to teach us a language?" No, I want you to find the language that you like best and learn it for yourselves. The ideas will carry over regardless of what the language is as long as you have a good grasp of what's going on.
Hello World
This is the most basic program for any language (at least any I've seen). Normally all it does is open a console/terminal window with the words "Hello World". Even in this basic example you're already learning valuable lessons. How to structure the code, how to open a console window, how to output text. These will all be used quite a bit at first, then the only one that will fade will be the console window as you move into GUIs.
Ok now onto something more advanced/useful, Loops. "When would I use a loop?" You would use a loop when you need something to happen over and over again, such as the main body of your program or a check for something (different value, specific value, button press event, etc). Loops are very common and make things much easier. If some data changes all you need to do is call your function again using the new data. Instead of doing this manually a loop could be set up. In this loop we would want to check for a change in the data (so as not to call the function needlessly and waste time) and if something changed then call the function with the new data. Loops also keep our program running, you don't want your program to just flash for 1/10th of a second do you?
There are a few basic types of loops. The For loop, the Do loop, and the While loop.
The For loop is usually used to do things a set number of times. Each time the loop goes through it adds a specific value to a variable (usually 1 but sometimes more. It can also be a negative number effectively counting down). After the loop has gone through the number of times its supposed to it then moves on to the next chunk of code.
The Do loop runs until certain conditions are met. These conditions could be any number of things, just use your imagination.
The While loop runs while something is happening. It's similar to the Do loop in that it runs until a condition is met, but that condition is always "until *condition* stops". You will see "While 1" a lot, that simply says "while the program is running" (effectively). It actually means "While 1=1" which will never change. This is an infinite loop, a loop that will never stop on its own. If we want it to stop we have to stop it explicitly.
Now that you know what functions and loops are it's time to explain events in a bit more detail. Events are pieces of code that run when something specific happens. Your OS (operating system, windows linux mac etc) has events built-in that it executes all the time. As an example whenever your mouse is clicked an event is sent to the main OS telling it a button was clicked, where it was clicked, and what button it was. Sometimes we want to capture these events and have our own code executed as well as or sometimes instead of the main OS code. Sometimes the main OS event is just a notification, it tells everything that something happened and doesn't do anything else. If we make a program with a button but don't have any functions tied to it then an event will still be triggered but it will simply tell the OS and other programs a button was clicked. When we tie code into our controls all we're really doing is setting a specific event as the trigger for our code, the condition for it.
Well that's pretty much it for basic principles. This should get you started and at least able to do pseudo-code (stuff that looks like code but really isn't). Here's an example of some pseudo-code.
Code:
if *something happens* then *send an alert*

Writing Code​
Before we get into the actual code writing I want to discuss a few things. Most of them are just tips to make things easier and more readable, especially if you're not the only one working on it.
Naming Conventions
This is simply how you name things. Function names should be pretty obvious and easy to read. If a function reads hex data call it something like ReadHex or HexRead. Variable names should be just as obvious and should tell you what type of variable it is just by the name.
Arrays - start with a (aArray)
Strings - start with s (sString)
Integer - start with i (iInteger)
File - start with f(no floats) or fi(floats)(fFile, fiFile)
Pointers - start with p (pPointer)
Double - start with d (dDouble)
Edit Boxes - start with edt (edtEdit)
Text boxes/Inputs - start with txt (txtInput)
Buttons - start with btn (btnButton)
Sliders - start with sld (sldSlider)
Combo box(dropdown menu) - start with cmb (cbmCombo)
Menu - start with mnu (mnuMenu)
List boxes/TreeViews - start with lst (lstTreeview)
Checkboxes - start with chk (chkCheckbox)
Radio button - start with rdo (rdoRadio)
Labels - start with lbl (lblLabel)
Groups - start with grp (grpGroup)
This will make your code more readable to an extent, and if you break things apart properly that will make it even easier.
Readability:
You always want your code to be readable, if for no other reason than you don't want to forget what something does. If you are working with another coder you definitely want to have readable code, otherwise there will be a lot of time wasted trying to figure out what portions of code do when it would be obvious if it were more readable.
Comments are a good way to improve readability of code, as is breaking code into chunks. Breaking code up should have a negligible effect on speed, if any at all. Here's an example to illustrate my point.
bunched said:
Autoit:
Code:
$sData = Bin(Hex(Asc("a")))
C++:
Code:
binaryWriter->Write(binaryReader->ReadByte());
Click to expand...
Click to collapse
readable said:
Autoit:
Code:
$sData = Asc("a")
$sData = Hex($sData)
$sData = Bin($sData)
C++:
Code:
sByte = binaryReader->ReadByte();
binaryWriter->Write(sByte);
Click to expand...
Click to collapse
I know these examples aren't great but they do illustrate my point. In the first it's a bit jumbled and somewhat hard to understand what's going on immediately. In the readable version it's clear as to what is happening in the code and in what order. Order does play a key role in coding so it's important to always know what order things happen in. In the autoit example we are taking the ascii value of "a", converting that to hex, then converting that to binary. The example is fairly easy to read but there will be times when things are nested (get to that in a moment) in such a way that it's almost impossible to read. That's why you want to break the code apart, so as to avoid confusion for yourself and anyone else reading your code.
Nested Statements:
Nested statements are basically just statements within other statements. A for loop inside a while loop, a function calling another function (this one happens a lot), etc. More than likely you will use nested statements at some point. This is fine as long as you maintain readability. Always make sure you keep your indentations consistent, a nested statement should be indented one place more than the previous statement. If you have a statement that has 3 parts, 2 nested, there should be 2 indentations. This (broken record ) maintains readability and makes it simpler to find the portion of code you're looking for. Most compilers/editors do this for you but sometimes not, just make sure everything is there.
Writing Functions:
As I've said before you want your functions to do only one thing, and do it well. Sometimes it's a bit difficult to separate different portions of code into functions but it helps. If you just need part of the code later on it's much better to have it in its own function than to have to run through an entire other function to get to the part you need. This improves speed and efficiency. Take your time, plan out how you want things to flow, and if nothing else wing it. Try different ideas and see what works and what doesn't. I know there are others out there who do their best work when semi-conscious or fully asleep (yes I dream about coding sometimes -_-) but that allows you to think of solutions you normally never would. If you can't get past a roadblock try taking a nap or just plain sleeping. A fresh set of eyes will help with projects, sometimes you need to ask a new coder to look over it and sometimes you need a veteran. Since new coders don't know much yet they often only find obvious errors that we overlook such as an error in syntax or a typo. Veteran coders know a lot and they can help us think of new solutions as well as possibly tell us why what we try doesn't work. When you finally get a function working, look it over. See if there's a way to break it down into even smaller functions.
more soon

Tying Code and GUI Together​
Ok now that we have our code working it's time to make it look pretty. Some people can use a console fairly well,some can barely click a button lol. We want our programs to be as user-friendly as possible, thus we need a GUI. This should actually be the easiest part of the project since we already have our code. As I said before the code should be in functions so it's just a matter of tying those functions into events. Whenever a user does anything and I mean anything it triggers an event, be it clicking or moving a mouse, pressing a key, or sometimes even just sneezing on the screen (or maybe that's just me lol). We only need to capture certain events such as a button being clicked or a slider being moved usually so that's what I'll focus in terms of controls.
Designing the GUI
First thing we do is open up our favorite form designer. There are designers for most languages so if you don't have one just google, you're bound to find one. Design your GUI in this (place buttons, sliders, text boxes, labels, etc) then get the code for it. Make sure when you're designing your GUI anything that needs to be interacted with (buttons, sliders, etc) have an event set off when they're clicked/changed. Most form designers have an option to import the code directly into your editor/compiler so just do that if you can.
Integrating Functions and Events
Ok now that we have our code and our GUI code we can put the two together. Since all our important stuff is in functions and we can call it whenever we need all we need to do is put our function calls inside our event triggers. Here's an example in autoit of code that calls our custom function, called "HexEdit" when a button named "$btnChange" is clicked. Now it's named $btnChange but it will show Change on the button itself, don't get those confused it'll screw you up.
Code:
$nMsg = GUIGetMsg()
Switch $nMsg
Case $btnChange
HexEdit($data)
EndSwitch
$data is just a variable passed as a parameter to the function. Ok whose head just exploded, be honest. Raise your hand. Ok now go get a towel then talk to me after it grows back. For those of you still able to think all this code does is say "when a user clicks a button named $btnChange call the function HexEdit and send $data to that function."
Our function "HexEdit" should take the data it gets from $data and use that to do whatever it needs to do. Say it edits our gold, $data should be the value we want our gold at. We send $data (which has a value of, say, 10k) and in turn HexEdit() automatically edits our save file to give us 10k gold. Simple in principle yeah?
The most time-consuming portion of the GUI phase is designing the GUI. We all want our programs to look good so we'll probably spend a fair amount of time designing. I've found that doing a rough draft in the form designer then editing values in the code is a good way to make things look neat. I like to do things in increments of 5. If something has a value of 173 I'll make it 175, if it's 289 I'll make it 290, etc. Things line up well and it seems more professional, plus it's easier than trying to get it perfect in the form designer. Try to have an idea of how you want it to look before you start designing, that way you're not making it up and it looks even better. Really integration of the code and GUI is simple, once both portions are done. If you plan on adding features later you might want to add the appropriate controls to the editor and just disable them until their functions are working. It gives users a bit of a teaser of what's to come.

Code Examples​
Now most of these will be in AutoIt since it's my preferred language but I will post some code in other languages as well if I know the conversions off-hand. Most of these will be snippets (small pieces of code that do something specific).
For loop: *assuming you have an integer variable declared that's named iCount*
AutoIt
Code:
For $iCount = 1 to 6
*do something here*
Next
This loops the code 6 times, each time doing what's between "For" and Next. It also adds 1 to $iCount.
C++
Code:
for(iCount = 1, iCount = 6, iCount++){
*do something here*;
}
Same as above
While loop: *assuming you have an integer variable declared that's named iCount
AutoIt
Code:
While $iCount < 12
*do something*
WEnd
Checks if $iCount is less than 12 and if so executes
C++
Code:
While(iCount < 12){
*do something*;
}
Same as above
Do loop: *assuming you have an integer variable declared that's named iCount
Code:
Do
*do something*
Until $iCount = 48
Executes until $iCount equals 48
Open a file:
AutoIt
Code:
$fSave = FileOpen("*savegame*")
Creates a filehandle to a file that can be used with other File* functions and opens in read-only mode
C++
Code:
FILE * fFile;
fFile = fopen ("*savegame*","r");
Same as above
Read a file: *uses the filehandle created earlier*
Code:
$sFileData = FileRead($fFile)
Reads the file's contents into a variable named sFileData
Write to a file: *uses the filehadle created earlier*
Code:
FileWrite($fFile,$sData)
Writes the string $sData to the file, either appending it (adding it to the end) or replacing the file's entire contents depending on the mode used to open the file.
Open a file in binary mode: *since we're modders we'll need the hex of the file so this will help a lot*
Code:
$fFile = FileOpen("*savegame*",16)
Opens the file in binary read-only mode. The binary is represented as hex. This will give us the hex data.
Read one byte from an offset: *uses filehandle created earlier*
Code:
FileSetPos($fFile,Dec(*offset*))
$sOffsetData = FileRead($fFile,1)
Goes to the offset (converted from hex to decimal with Dec) and reads one byte. Number of bytes read can be changed by changing the "1".
Will add more as needed/as I think of them

More Code Examples:​
Since I'm working on a project with another member here that requires me learning C# I thought I'd post some of my practice code. It's all functional.
C#
Common Functions:
Code:
using System.Windows.Forms;
using System;
using System.IO;
using System.Threading;
using System.Collections.Generic;
namespace Common
{
public class CommonFunctions{
public static void MsgBox(string sMessage, string sCaption = "Error", MessageBoxButtons buttons = MessageBoxButtons.OK, MessageBoxIcon Icon = MessageBoxIcon.Exclamation, IWin32Window owner = null)
{
MessageBox.Show(owner, sMessage, sCaption, buttons, Icon);
}
public static void Test(params string[] sInput)
{
for (int i = 0; i < sInput.Length; i++)
{
Console.WriteLine(sInput[i]);
}
}
public static void Sleep(int iMilliseconds)
{
Thread.Sleep(iMilliseconds);
}
public static string StringStripCR(string sInput)
{
string sNewString = sInput.Replace(Convert.ToString(Convert.ToChar(10)), "");
sNewString = sNewString.Replace(Convert.ToString(Convert.ToChar(13)), "");
return sNewString;
}
public static string[] DriveGetDrive(string sType){
DriveInfo[] ListDrives = DriveInfo.GetDrives();
List<string> lList = new List<string>();
DriveType dType = new DriveType();
int iDriveNum = 0;
lList.Add(Convert.ToString(iDriveNum));
if((sType == "removable") || (sType == "Removable")){
dType = DriveType.Removable;
}
else if((sType == "network") || (sType == "Network")){
dType = DriveType.Network;
}
else if ((sType == "Fixed") || (sType == "fixed"))
{
dType = DriveType.Fixed;
}
else if ((sType == "CDRom") || (sType == "cdrom") || (sType == "CDrom"))
{
dType = DriveType.CDRom;
}
foreach (DriveInfo sDrive in ListDrives)
{
if(sDrive.DriveType.Equals(dType))
{
string sDriveString = Convert.ToString(sDrive);
lList.Add(sDriveString.Remove(sDriveString.Length - 1,1));//Add to RemovableDrive list
}
}
lList[0] = Convert.ToString(lList.Count - 1);
string[] aDrives = lList.ToArray();
return aDrives;
}
}
}
CWCheat Database Fixer:
Code:
using Common;
using System.IO;
using System;
public class MainRun:CommonFunctions
{
static void Main()
{
string path = "";
string[] aDrives = DriveGetDrive("removable");
int iMax = Convert.ToInt16(aDrives[0]);
for(int i = 2;i <= iMax; i++){
if (Directory.Exists(aDrives[i] + "\\seplugins\\"))
{
path = aDrives[i] + "\\seplugins\\cwcheat\\cheat.db";
}
}
if((path==""))
{
MsgBox("No database detected\n\nExiting...");
Environment.Exit(0);
}
string sFileContents = File.ReadAllText(path);
string sCleared = StringStripCR(sFileContents);
sCleared = sCleared.Replace("_", "\r\n_");
sCleared = sCleared.Remove(0, 1);
File.WriteAllText(path, sCleared);
}
}
Autoit
CWCheat Database Fixer:
Code:
#include <File.au3>
$path = ""
$drives = DriveGetDrive("removable")
for $i = 2 to $drives[0]
if FileExists($drives[$i] & "\seplugins") Then
$path = $drives[$i] & "\seplugins\cwcheat\cheat.db"
EndIf
Next
if $path = "" Then
MsgBox(48,"Error","No database detected." & @CRLF & @CRLF & "Exiting...")
Exit
EndIf
$file = FileOpen($path,0)
$data = StringReplace(StringReplace(StringStripCR(FileRead($file)),"_", @CRLF & "_"),@cr,"",1)
$file = FileOpen($path,2)
FileWrite($file,$data)
Now the two DB fixers work exactly the same in exactly the same way with exactly the same result. Oddly enough the c# version was slower on my system than the autoit version, but considerably smaller. It may just be something quirky with my system but I thought I'd let you know. Since they work the same it's easy to look at the code and "translate" between the two.

This was quoted from a buddy of mine.
Hipolipolopigus' timestamp='1295080083' post='7718 said:
Just thought I'd put this up;
Instead of doing a whole bunch of if else if else... You can "cheat"
Original;
Code:
if((sType == "removable") || (sType == "Removable")){
dType = DriveType.Removable;
}
else if((sType == "network") || (sType == "Network")){
dType = DriveType.Network;
}
else if ((sType == "Fixed") || (sType == "fixed"))
{
dType = DriveType.Fixed;
}
else if ((sType == "CDRom") || (sType == "cdrom") || (sType == "CDrom"))
{
dType = DriveType.CDRom;
}
using "switch" and "case";
Code:
switch (sType.ToLower())//use .ToLower() to handle the string as all lowercase
{
case "removable": dType = DriveType.Removeable; break;
case "network": dType = DriveTypeNetwork; break;
case "fixed": dType = DriveType.Fixed; break;
case "cdrom": dType = DriveType.CDRom; break;
default: throw new Exception("Invalid type!");
}
As you can see, it saves code space and looks tidier
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Click to expand...
Click to collapse

In case you guys were afraid feel free to ask any questions or make requests for examples here the worst that'll happen is I'll say "I don't know how to do that :/" and it'll allow someone who does know how know they need to post an example

Hi is this thread to mod an apk??
Sent from my GT-N7100 using xda premium

Kspalahyia said:
Hi is this thread to mod an apk??
Sent from my GT-N7100 using xda premium
Click to expand...
Click to collapse
cant you read the OP? 10 poster. use search button for modding apk.
@OP
this is what i have always wanted. i tried learning hex-editing on .gba modifying sites for games but was never able to do it. will get back at this guide after exams. Thanks no thanks button in OT forum

Just confirming... Must do this after my exams....
Sent from my GT-N7100 using xda premium

THIS program compiled successfully correctly but output is wrong ...
Can you help me??
#include<stdio.h>
#include<conio.h>
void main()
{ clrscr();
float a,b;
char d;
printf("enter two variables");
scanf("%f%f",&a,&b);
printf("enter operator");
scanf("%c",&d);
switch (d)
{
case '+' : printf("%f",a+b); break;
case '-' : printf ("%f",a-b); break;
case '/': printf ("%f",a/b); break;
case '*' : printf ("%f",a*b); break;
default : printf ("try again!!!");
}
getch();
}
Click to expand...
Click to collapse
wanna thank xda? here

Wowa I learned that thanks...
Sent from my GT-N7100 using xda premium

Related

How dare you accuse me of being a large black crow and then killing me! :x

heh now with firewire it init and all but it's writeprotected for some reason or so it claim odd via firewire chip and odd oxfort firewire/usb2 to ide chip in the case which one or both is yet to be decovered

now the past few years I talk to people around the world, instead of watching the nightly news

Don't laught ;-)
You Are My Sunshine
My only sunshine.
You make me happy
When skies are grey.
You'll never know, dear,
How much I love you.
Please don't take my sunshine away

atndall

shock absorber

date time level ssid file record volume
03/07/2004 05:36:39 full 3862419201 143 0 000015
13/07/2004 23:15:26 full 4099866113 81 49 000044
14/07/2004 05:18:03 full 4105436161 135 0 000062
14/07/2004 23:46:08 full 4122456321 127 42 000061
15/07/2004 05:28:03 full 4127707905 141 0 000063
15/07/2004 23:52:05 full 4144665857 135 138 000064
16/07/2004 05:37:03 full 4149964545 141 0 000065
17/07/2004 00:00:51 full 4166918913 146 54 000041
17/07/2004 05:24:23 full 4171888385 140 0 000066
19/07/2004 23:47:56 full 4233075969 128 51 000077
20/07/2004 05:23:11 full 4238225153 115 0 000050
20/07/2004 23:57:15 full 4255337217 140 112 000004
21/07/2004 05:25:59 full 4260386561 129 0 000076
22/07/2004 00:03:36 full 4277553153 153 61 000002
22/07/2004 05:27:42 full 4282531329 139 0 000049
22/07/2004 23:42:28 full 4379649 123 92 000093
23/07/2004 05:22:46 full 9606657 125 0 000003
23/07/2004 23:56:24 full 26712065 139 46 000008
24/07/2004 05:30:43 full 31847169 128 0 000067
26/07/2004 23:21:45 full 92535041 90 54 000011
27/07/2004 05:25:37 full 98124033 134 0 000010
28/07/2004 00:00:48 full 115253505 115 35 000012
28/07/2004 05:31:06 full 120326657 91 0 000052
28/07/2004 23:15:21 full 136673537 84 43 000042
29/07/2004 05:24:42 full 142346753 130 0 000070
29/07/2004 23:14:32 full 158779649

BIOS Type: Phoenix NoteBIOS 4.0 Release 6.0.

8/7/2004 Sent email - US - Statement fax request
4/8/2004 Sent email - US - Statement fax request

The contact popup window doesn't seem to do anything for me, it displays the contact details but when I click on the phone number, a white horizontal line

http://www.vnunet.be/datanews/news.asp?ids=20040824007

#007e50

3. Total Loss

I thought a shuttle was a retro heli ??? !!!!!

http://www.hitachigst.com

On Tuesday please enter the result of the backup in the following spreadsheet. It will be the monthly backup.

ETX3M

Teste e Grelha de Avaliação

010-00226-04

Microsoft Visual C++ 2005 Express Edition Beta

Hi, this is my first post. I'm sorry if this has been answered before but I've been searching for days and could not find any info regarding this. Is it possible to change the page pool of windows mobile 6 crossbow? and if it is possible, what is the hexadecimal address? I'm using orwell's crossbow version and i'm very pleased with it but i'd really like to know if it's possible to change the page pool and what is the hexadecimal address

80 views no replies?
cmon guys, i see 80 views on this post but no replies. am i the only one who wants to know this? i'm sure some of the great rom cookers out there have been able to find out what the hexadecimal address for changing the page pool of wm6 crossbow is...unless i'm mistaken and it's actually not possible....but again, the PDAviet versions have large amount of rams available so I'm pretty sure that it is possible.

146 views and growing
ok, with 146 views, it looks like i'm not the only one who wants to know this. There even might be others who are watching this thread. Please...does anyone know the answer? Faria?Risidoro?Kyphur?Molski?Johnnny? anyone? Or at least let me know if it's possible or not...

Correct me if im wrong but "FOR NOW" its not possible..

double_ofour said:
Correct me if im wrong but "FOR NOW" its not possible..
Click to expand...
Click to collapse
It's possible to change page pool on WM6 Crossbow now, you can use a hexeditor and open os.nb, search NKKD8, you will find two places, and at the near second place,you will find the modifying value!!!

are you reffering for a wizard device?

wow! i will try it as soon as i get home. if that's the correct hex address then email123 you're awesome! hope it works!

double_ofour said:
are you reffering for a wizard device?
Click to expand...
Click to collapse
yes, I am reffering for a wizard device, But I think it is also the same for the other type devices, I'll give a sample with picture when I'm back home!!!

really?.. i know how to in himalaya..
ill give it a try..

pp have been already changed.

double_ofour said:
really?.. i know how to in himalaya..
ill give it a try..
Click to expand...
Click to collapse
look the two picture below,the first is wm6chs which pagepool is 60 00(6MB),the second is Molski.Biz_AKU3.3_21911_8MB_Crossbow which pagepool is 80 00(8 MB).
When you search NKKD8 second time then search FF FF FF FF FF FF FF FF 9B 4F FF FF 64 B0 00 00 64 00 00 00 ?? ?? ?? ?? ?? ?? ** **, and ** ** is the modifying pagepool value.

If Possible?
If possible to change the page pool on the WM6 which setting would be the best, and stable, ...I think lots of people is wonder the same.

mun_rus..i saw in another thread a screenshot of the about portion of ur wm6 device. In the version tab, yours has about 51MB memory when mine is only 49.73MB. I know that this can only be done if the page pool has been changed...so what exactly is the page pool on ur wizard? and is it stable? also when I changed the page pool on molski's final edition 2.26 from 8mb to 6mb, that specific screen showed about 50+MB. If windows mobile 6 crossbow has a page pool of 6MB also, how come it's only showing 49.73MB on my device?

Thanks to the Professor in the follwowing link.
http://forum.xda-developers.com/showthread.php?p=1152849#post1152849
How to find the page pool offset on Hermes ROMs?
Take the Hex editor of your choice (I use radare) and open OS.nb.
Search the ASCI string "NKKD8", you'll find it to times, take the one more near to the end of the file.
Scroll down a bit until you find the HEXA string "64 00 00 00", page pool should be around there.
If anyone knows a better method please explain
Example using OS.nb from WM6 ROM for hermes
We find the second "NKKD8" at offset 0x3B6C90:
Code:
offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
----------------+----------------------------------------+----------------.
00000000003B6C90 4E4B 4B44 3800 0000 0000 0005 0000 0000 |NKKD8...........|
00000000003B6CA0 00C8 FFFF 8039 2D80 4060 2880 B069 2880 |[email protected]`(..i(.|
00000000003B6CB0 B869 2880 AC69 2880 144A 0180 805D 2D80 |.i(..i(..J...]-.|
00000000003B6CC0 602A 2D80 1829 0080 0000 0000 0000 0000 |`*-..)..........|
Further down we can find this:
Code:
offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
----------------+----------------------------------------+----------------.
00000000003B6F40 581D 0480 C41C 0480 BC1C 0480 00B0 0400 |X...............|
00000000003B6F50 FFFF FFFF FFFF FFFF 9B4F FFFF 64B0 0000 |.........O..d...|
[COLOR="Sienna"]00000000003B6F60 6400 0000 A85B 0480 0000 [b]6000[/b] 0000 0000 |d....[....`.....|[/COLOR]
00000000003B6F70 38E8 0180 C43C 0280 DC6B 0180 00B0 0380 |8....<...k......|
00000000003B6F80 882D 0280 FC2C 0280 D488 0480 5489 0480 |.-...,......T...|
So, we can see the page pool is at offset 0x3B6F6B and is set to 6 Mb.
The pagepool value is specified in HEXA, so for example:
Change "6000" to "4000" for a 4Mb paging pool
Change "6000" to "8000" for a 8Mb paging pool
Change "6000" to "C000" for a 16Mb paging pool
Finding the best page pool size
The page pool size is a compromise between memory available to programs and speed. On WM6 ROM:
With 4Mb page pool we get a Total Program Memory available of 50.68 Mb, and SPB Benchmark index 347.88.
With 6Mb page pool we get a Total Program Memory available of 48.68 Mb, and SPB Benchmark index 346.03.
With 8Mb page pool we get a Total Program Memory available of 46.67 Mb, and SPB Benchmark index 345.95.
With 12Mb page pool we get a Total Program Memory available of 42.66 Mb, and SPB Benchmark index 348.53.
The pagepool size is for the same OS and should be the same for the Wizard.

@joecruz
my pp is 4mb, and i moved some modules to another place so i could got more free memory

wow this works!! i went ahead and changed my page pool to 4MB and i now have a Total Program Memory available of 51.73MB with around 28MB free after a soft reset (i have loads of stuff installed!!). Thanks!!

Hexedit method.
Hi, I'm trying to edit the wm6 os file too with hexedit but i'm unable to find the it for wm6 on the wizard. Is anyone using hexedit like I am, to change the wm6 pool for the wizard that can point me or show me a pic of where it is?

i used XVI32, the hex editor application provided by Faria in his tutorial post "how To" Change Page-pool On A Htc Wizard Rom. Instead of looking for the NKKD8 (which i couldn't find), use the address that's on the screenshot provided by email123 which is 387540. Just make sure that the line matches the one in the screenshot which is FF FF FF FF FF FF FF FF 9B 4F FF FF 64 B0 00 00 64 00 00 00 A8 5B 04 80 00 00 60 00. Depending on your hex editor, it may take you down a line or 2 (meaning either an address or 2 below the one I mentioned). Then just change 60 (the second to the last set of digits on the line above) to 40 for 4MB page pool, save it and repack your 80040000.OS and that's it!

Just found out something which was not in the forums and thought to share it with all (found only one reference, but for different device - it had different location for the counter).
In case you want to change the counter of the file numbers that the camera will record with (i.e. IMAGE001.JPG, but you want IMAGE045.jpg), you need to edit your registry with a registry editor:
Go to HKCU\Software\HTC\Camera\5.04\Preferences edit the key "Values" as per the attached screenshot - the next number for the picture (in HEX format - use windows calc in advanced mode to convert the number to HEX) should be typed at position 68 HEX.
Next time you take a picture it will use the number you placed there.

Nice one, I've been looking out for a solution to this issue! I'd like to add that if you want to set the counter beyond 255, you also have to edit position 69 HEX. This way, "FF 00" on positions 68 and 69 translates to "255", whereas "00 01" translates to "256", "01 01" translates to "257", etc.
To change the video counter, you have to change position 70 HEX. Keep in mind that this is not the position right after 69; after 69 comes 6A, 6B, etc., before you arrive at position 70. This probably is obvious to most of you, but it is a mistake easily made.

OK, this is exactly what I've been looking for also, but as a person who understands little or nothing about hex I would appreciate some guidance as to what to input, and precisely
where.
I would like to reset my camera's counter to 300, so that the files go 300.jpg. 301.jpg etc etc. If one of you could help me out, I'd appreciate it.
I just would rather not screw it up
Thanks.

As mvc mentioned, you can use the Windows calculator to convert the desired (decimal) value to the corresponding hexidecimal value. In your case, "300" would translate to "12C" (which equals to "01 2C"), meaning you have to change position 68 HEX to "2C" and position 69 HEX to "01".
If you need a program capable of editing the registry, I recommend the freeware utility Task Manager (the program which is used in the above screenshot):
http://www.freewarepocketpc.net/ppc-download-task-manager.html
Good luck!

Prime Numbers and 2012 Danger Latitudes
-------------------------------------
Prime Numbers and Cryptology
-------------------------------------
Prime numbers are used in cryptology. Cryptology is the study of using secret writing.
When you buy something on the Internet with a credit card, two large prime numbers are used to send your card details to the online store to keep your credit card number safe and prevent other people from steeling your money.
-------------------------------------
Quran and Prime Numbers
-------------------------------------
Almighty God also used prime numbers to hide information behind the holy text of "The Quran" (Islam's book) which literally means "The Readable" despite being encrypted or encoded into cipher text.
-------------------------------------
The Key
-------------------------------------
Glory to God who built the first chapter of the Quran using prime numbers and named it Al-Fatihah not because it is the opening of the book but the opener or The Key to the Book.
This chapter (The Key) consists of 7 verses, 29 words, and 139 letters. All are prime numbers and their digit sums (7=7, 2+9=11 and 1+3+9=13) are primes too, and the sum of these sums (7+11+13=31) is yet another prime!
What's more, joining these numbers left-to-right 729139 and right-to-left 139297 also produces prime numbers!
-------------------------------------
The Message
-------------------------------------
Although the number of chapters (114) and the total number of verses (6236) are not prime numbers, if the Quran is considered to be two parts, a Key and a Message then the number of chapters and verses also follow this amazing pattern of prime numbers as follows:
Quran = Key + Message
114 = 1 + 113 chapters
6236 = 7 + 6229 verses
where 1, 113, 7, and 6229 are primes with their digit sums (1=1, 1+1+3=5, 7=7, 6+2+2+9=19) are primes too.
This new numbering system puts chapter The Iron (Al-Hadeed) in its correct position of #56 instead of #57 to match its atomic weight of 56.
It also puts chapter Oneness of Allah (Al-Ikhlaass) in #111 instead of #112 which is more aesthetically beautiful.
But above all, it reveals the quantities (or abundance ratios) of the chemical elements in the Universe as verses per chapter. So chapter #1 The Cow with its 286 verses tells us about the abundance ratio of Hydrogen, chapter #2 The Family of Umraan with its 200 verses tells us about the abundance ratio of Helium, and so on for all 113 chapters of The Message.
-------------------------------------
Quran and 2012
-------------------------------------
Quran chapter #55 (The Merciful) has 31 repetitions of:
“رَبِّكُمَا تُكَذِّبَانِ فَبِأَىِّ ءَالَآءِ”
“What other bounties of your God do you still deny?”
In addition to 31 being a prime number, the sum of the verse numbers:
13 + 16 + 18 + 21 + 23 + 25 + 28 + 30 + 32 + 34 + 36 + 38 + 40 + 42 + 45 + 47 + 49 + 51 + 53 + 55 + 57 + 59 + 61 + 63 + 65 + 67 + 69 + 71 + 73 + 75 + 77 = 1433 is also a prime number and its digit sum (1+4+3+3=11) is yet another prime!
But once you know that God Almighty made the chapter to have exactly 355 words and the number of days in the Islamic year is exactly the same 355 days, then this sum of 1433 could be a reference the Islamic year 1433AH (or 2012AD).
Every word in chapter #55 (The Merciful) maps to a day in the Islamic year 1433AH and because there are 31 repetitions of the above verse which consists of four Arabic words, then each repetition maps to four days.
-------------------------------------
2012 Events
-------------------------------------
Therefore, it is possibly that God All-knowing is warning us about 31 events to occur between 7 January 2012 and 7 November 2012 each lasting four days.
If these events are meteorite showers for example (Sijjeel Stones) then each event would leave a 4-fold trail along specific latitude as the Earth spins 4 times in 4 days.
That means, there would be 31 danger latitudes that people should avoid and God, The Merciful, is giving us these danger latitudes as the numbers of the repeated verse themselves:
13˚ 16˚ 18˚ 21˚ 23˚ 25˚ 28˚ 30˚ 32˚ 34˚ 36˚ 38˚ 40˚ 42˚ 45˚ 47˚ 49˚ 51˚ 53˚ 55˚ 57˚ 59˚ 61˚ 63˚ 65˚ 67˚ 69˚ 71˚ 73˚ 75˚ 77˚
If indeed the first event occurs at latitude 13˚, then all people must be evacuated from latitude 16˚within 11 days because there are 11 words to the next verse repetition and so on.
Full list of dates and latitudes can be found at "heliwave dot com".
-------------------------------------
And God knows best and controls all at real time.
Ali Adams
God > infinity

Aliaadams, I think you have a really bad latitude!
Mike

OP is uneducated and naive. Sorry, but it is true.

that adds up to being lost in space

Hi everyone, first of all sorry if this has been discussed, but couldn't find it... I've been looking for this stuff here at xda and at droidforums but couldn't find any work in progress on this, besides the Kexec patches.
I must say I haven't bought a Droid 4 yet, but I'm desperate to get a keyboard back since my n900 broke.
So,I've been looking for know bootloader unlocking methods, mostly because I hate locked stuff and had enough with the good old X10. Couldn't find anything, so I downloaded some random firmware update for the Droid 4. I downloaded 6.7.2-180_DR4-16_M2-37
Blur_Version.6.16.217.XT894.Verizon.en.US from here, and got my hex editor running and looking at mbm and mbmloader.bin
Then I found this on mbm.bin (which I assume is the second stage loader after the mbmloader) (512Kb file with a lot of FF padding at the end):
Code:
mot_sst_oem_lock_handler
detect_vol_key_press
vol key pressed
scroll vol down
display confirmation screen
vol key: send display command
display page %d
confirm vol down
cancel!
unlock!
unlock failed!
in lock handler
Lock/Unlock already executed
display agreement
in unlock handler
msg_len at handle_unlock_ui: %d %d
last_page %d:
In order to unlock the bootloader on your device, you must
read and accept the following legal terms. If you agree with
the terms, choose "I agree" which will create a binding legal
agreement between you and Motorola Mobility, Inc. and your
wireless carrier/retailer. If you do not agree with the
terms, or wish to abort, please choose "Cancel".
PROCEED WITH EXTREME CAUTION--LEGAL AGREEMENT
You have requested to unlock your device's bootloader.
Unlocking the bootloader allows access to administrative
privileges, including the ability to make modifications to the
device, not normally accessible to the end user. Unlocking
the bootloader allows you to make modifications to the
pre-loaded software, including modifying or even replacing the
entire operating system. Once you unlock the bootloader, you
will not be able to return the device to its original locked
bootloader state. MOTOROLA STRONGLY RECOMMENDS AGAINST
UNLOCKING THE BOOTLOADER AND/OR ALTERING A DEVICE'S SOFTWARE
OR OPERATING SYSTEM. Unlocking the bootloader and/or running
software or operating systems other than those supplied by
Motorola can cause your device to be unsafe, cause your device
to malfunction, render your device inoperable, and/or
otherwise permanently damage your device. Unlocking the
bootloader and/or modifying any software or operating system
voids your warranty.
By choosing "I Agree", You acknowledge, understand and agree
that:
(1) You are a software developer, and understand and assume
all risks associated with unlocking your device and/or
altering Your device's software or operating system, including
but not limited to those outlined herein; and
(2) You are waiving all rights and benefits under any warranty
supplied with the device or otherwise, which shall be rendered
void as a result; and
(3) Any data You have previously saved on this device will be
erased and unrecoverable; and
(4) You will not make or enable any changes to the device that
will impact its grant of equipment authorization, or any other
regulatory compliance. The equipment authorization grant is
based on the device's emission, modulation, and transmission
characteristics, including: power levels, operating
frequencies and bandwidths, specific absorption rate (SAR)
levels, duty-cycle, transmission modes (e.g., CDMA, GSM), and
intended method of using the device (e.g., how the device is
held or used in proximity to the body); a change to any of
these factors will invalidate such grant with respect to your
device. IT IS ILLEGAL TO OPERATE A TRANSMITTING DEVICE
WITHOUT A VALID GRANT; and
(5) Unlocking, and/or altering a device's software or
operating system may:
a) Disable your device's emergency features, including use for
Emergency Assistance, e.g., 911 or equivalent; and
b) Adversely affect the operation of the device, including
rendering the device, in whole or in part, inoperable, and/or
causing permanent damage to the device; and
c) Cause the device to overheat, exceed SAR values, exceed
safe volume settings, and otherwise be unsafe, including
creating the potential to cause bodily injury; and
d) Cause applications, software and other content previously
installed on the device or accessible by your device to be no
longer accessible, or to malfunction; and
e) Cause software upgrades to malfunction, be unavailable,
and/or render your device inoperable.
(6) You hereby release and hold harmless Motorola Mobility,
Inc., its affiliates, and the wireless carrier/retailer that
sold you the device and/or whose wireless service you utilize
("Wireless Carrier"), all of which are intended third party
beneficiaries of this legal agreement, and their respective
officers, employees, agents, successors and permitted assigns
("Released Parties"), from any liability whatsoever, including
all claims, suits, obligations, causes of action, liabilities,
costs, and damages (including without limitation injuries to
persons and damages to property, and products liability
claims) even if the Released Parties knew, or should have
known about the possibility of such damage. You further
acknowledge and agree that the foregoing release shall remain
in effect, regardless of whether you relock your device,
and/or reload the original, unmodified software or operating
system.
(7) You authorize Motorola and/or your Wireless Carrier to
disable your device and/or its connection to a wireless
network in the event such device is, in Motorola's or the
Wireless Carrier's sole determination, causing, or is likely
to cause, harm to Motorola, the Wireless Carrier, the wireless
network, or other subscribers on the wireless network.
The foregoing agreement shall supersede any conflicting terms
or conditions originally provided with this device. By
clicking "I Agree" I acknowledge and agree that I am creating
a binding legal agreement.
You are about to ** LOCK ** your device. Once locked, only the
latest authorized software image can be loaded onto the device.
IMPORTANT NOTE: Authorized images must be loaded BEFORE the
device is re-locked and any data you have previously saved will
be erased. You may obtain copies of such software from:
http://developer.motorola.com
Has anyone seen this or are working on it?
Edit: oh!, and I also found this:
Code:
s - %d
%s: failed to update utag (%d): %d
utag update failed
%s: failed to write updated utags: %d
utag write failed
%s: Unable to allocate response string!
out of memory
%s: unable to find utag (%d)
utag is not programmed[B]
fastboot oem lock disabled!
Device is already locked!
fastboot oem unlock disabled!
Device is already unlocked![/B]
-reset
PN: %s, RV: %d, Idx: %d, CG: %d
md5: %s
Edit again: It seems like version VRZ_XT894_6.5.1-167_DR4-1_M1-219_1FF_01 has also the same legal agreement inserted into the mbm...
Code:
000237b0 6b 5f 75 69 3a 20 25 64 20 25 64 0a 00 6c 61 73 |k_ui: %d %d..las|
000237c0 74 5f 70 61 67 65 20 25 64 3a 00 49 6e 20 6f 72 |t_page %d:.In or|
000237d0 64 65 72 20 74 6f 20 75 6e 6c 6f 63 6b 20 74 68 |der to unlock th|
000237e0 65 20 62 6f 6f 74 6c 6f 61 64 65 72 20 6f 6e 20 |e bootloader on |
000237f0 79 6f 75 72 20 64 65 76 69 63 65 2c 20 79 6f 75 |your device, you|
00023800 20 6d 75 73 74 00 72 65 61 64 20 61 6e 64 20 61 | must.read and a|
00023810 63 63 65 70 74 20 74 68 65 20 66 6f 6c 6c 6f 77 |ccept the follow|
00023820 69 6e 67 20 6c 65 67 61 6c 20 74 65 72 6d 73 2e |ing legal terms.|
00023830 20 20 49 66 20 79 6f 75 20 61 67 72 65 65 20 77 | If you agree w|
00023840 69 74 68 00 74 68 65 20 74 65 72 6d 73 2c 20 63 |ith.the terms, c|
00023850 68 6f 6f 73 65 20 22 49 20 61 67 72 65 65 22 20 |hoose "I agree" |
00023860 77 68 69 63 68 20 77 69 6c 6c 20 63 72 65 61 74 |which will creat|
00023870 65 20 61 20 62 69 6e 64 69 6e 67 20 6c 65 67 61 |e a binding lega|
00023880 6c 00 61 67 72 65 65 6d 65 6e 74 20 62 65 74 77 |l.agreement betw|
00023890 65 65 6e 20 79 6f 75 20 61 6e 64 20 4d 6f 74 6f |een you and Moto|
000238a0 72 6f 6c 61 20 4d 6f 62 69 6c 69 74 79 2c 20 49 |rola Mobility, I|
000238b0 6e 63 2e 20 61 6e 64 20 79 6f 75 72 00 77 69 72 |nc. and your.wir|
000238c0 65 6c 65 73 73 20 63 61 72 72 69 65 72 2f 72 65 |eless carrier/re|
000238d0 74 61 69 6c 65 72 2e 20 20 49 66 20 79 6f 75 20 |tailer. If you |
000238e0 64 6f 20 6e 6f 74 20 61 67 72 65 65 20 77 69 74 |do not agree wit|
000238f0 68 20 74 68 65 00 74 65 72 6d 73 2c 20 6f 72 20 |h the.terms, or |
00023900 77 69 73 68 20 74 6f 20 61 62 6f 72 74 2c 20 70 |wish to abort, p|
00023910 6c 65 61 73 65 20 63 68 6f 6f 73 65 20 22 43 61 |lease choose "Ca|
00023920 6e 63 65 6c 22 2e 20 00 50 52 4f 43 45 45 44 20 |ncel". .PROCEED |
00023930 57 49 54 48 20 45 58 54 52 45 4d 45 20 43 41 55 |WITH EXTREME CAU|
00023940 54 49 4f 4e 2d 2d 4c 45 47 41 4c 20 41 47 52 45 |TION--LEGAL AGRE|
00023950 45 4d 45 4e 54 00 59 6f 75 20 68 61 76 65 20 72 |EMENT.You have r|
00023960 65 71 75 65 73 74 65 64 20 74 6f 20 75 6e 6c 6f |equested to unlo|
00023970 63 6b 20 79 6f 75 72 20 64 65 76 69 63 65 27 73 |ck your device's|
00023980 20 62 6f 6f 74 6c 6f 61 64 65 72 2e 20 00 55 6e | bootloader. .Un|
00023990 6c 6f 63 6b 69 6e 67 20 74 68 65 20 62 6f 6f 74 |locking the boot|
000239a0 6c 6f 61 64 65 72 20 61 6c 6c 6f 77 73 20 61 63 |loader allows ac|
000239b0 63 65 73 73 20 74 6f 20 61 64 6d 69 6e 69 73 74 |cess to administ|
000239c0 72 61 74 69 76 65 00 70 72 69 76 69 6c 65 67 65 |rative.privilege|
000239d0 73 2c 20 69 6e 63 6c 75 64 69 6e 67 20 74 68 65 |s, including the|
000239e0 20 61 62 69 6c 69 74 79 20 74 6f 20 6d 61 6b 65 | ability to make|
000239f0 20 6d 6f 64 69 66 69 63 61 74 69 6f 6e 73 20 74 | modifications t|
00023a00 6f 20 74 68 65 00 64 65 76 69 63 65 2c 20 6e 6f |o the.device, no|
00023a10 74 20 6e 6f 72 6d 61 6c 6c 79 20 61 63 63 65 73 |t normally acces|
00023a20 73 69 62 6c 65 20 74 6f 20 74 68 65 20 65 6e 64 |sible to the end|
00023a30 20 75 73 65 72 2e 20 20 55 6e 6c 6f 63 6b 69 6e | user. Unlockin|
00023a40 67 00 74 68 65 20 62 6f 6f 74 6c 6f 61 64 65 72 |g.the bootloader|
[...]

This seems very exciting. What I do know is that the bootloader is encrypted. Idk if this well help bypass that.
Sent from my DROID4 using Tapatalk 2

Actually unlocking the bootloader isn't necessary with the kexec exploit. From my understanding, the current issues with the kexec builds are custom kernel issues that we would have even with an unlocked bootloader.
Of course, it would be an incredible feat if someone manages it (and I don't want to discourage anyone) but I think that is why nobody (else) is really working on cracking the Droid3/Bionic/Droid4/RAZR bootloaders.
Sent from my DROID4 using xda app-developers app

podspi said:
Actually unlocking the bootloader isn't necessary with the kexec exploit. From my understanding, the current issues with the kexec builds are custom kernel issues that we would have even with an unlocked bootloader.
Of course, it would be an incredible feat if someone manages it (and I don't want to discourage anyone) but I think that is why nobody (else) is really working on cracking the Droid3/Bionic/Droid4/RAZR bootloaders.
Sent from my DROID4 using xda app-developers app
Click to expand...
Click to collapse
I must say that the kexec builds are an incredible step forward. I can't remember right away what forum it was, I think it was one of the Galaxy forums where they had a thread dedicated to trying to unlock the Droid 4 bootloader.
It would be interesting to see something like that for Motorola devices.
Sent from my DROID4 using Tapatalk 2

lets just kidnap a motorola software engineer and see what happens then.....

podspi said:
Actually unlocking the bootloader isn't necessary with the kexec exploit. From my understanding, the current issues with the kexec builds are custom kernel issues that we would have even with an unlocked bootloader.
Of course, it would be an incredible feat if someone manages it (and I don't want to discourage anyone) but I think that is why nobody (else) is really working on cracking the Droid3/Bionic/Droid4/RAZR bootloaders.
Sent from my DROID4 using xda app-developers app
Click to expand...
Click to collapse
Well, I just bought a Droid 4 (Goodbye Galaxy s2) So I will be fighting this as soon as it comes home Not saying I'll be able to do anything useful, but I was just curious, given that it seems that the loader already has some sort of function that displays the disclaimer for bootloader unlocking and has both messages for unlocking and relocking the loader (and some procedure to reflash the system in the event of relocking). Don't know if it'll have a direct function, or is it something that needs to be done by sending the correct engineering certificate (thought that would particularly make no sense, since Motorola developers don't need any carrier agreement to work on their own phones), or some kind of patch...
If there's nothing more kexec will do it, but it's usually a mess to make a working kernel when you need to reinitialize all the hardware the first kernel already initialized, parse again all the boot arguments, deal with the first init process killing itself and the baseband going nuts because the smem gets bad... It would be fun to give it a try to get the real deal
I know Motorola has been doing quite a lot of nasty things with bootloader locking, that's why I don't understand why the SLA is inside the loader in the first place...
I'm looking at all the reverse engineering done for the Droid 1 & 2 at droid-developers.org, any advice on some more information or loaders for previous droid versions while I wait?

BL unlocking is disabled by eFuse.

Skrilax_CZ said:
BL unlocking is disabled by eFuse.
Click to expand...
Click to collapse
Are you talking about mbm itself or mbmloader?
My phone is stucked on customs, so I still can't look up anything on the phone itself, right now I'm just looking up information I can find on the internet, and don't have any _real life_ information to work with...
For what I can see so far, the boot process for this phone is more or less like this:
Code:
CPU RESET
|
|
OMAP Boot IROM
|
Device Boot select (SYSBOOT hardware switch through some resistors near the cpu)
|
Boot from NAND
|
|
MBMLoader (like secboot on qualcomm)
|
Signature Check for MBM.bin (well, and a lot more I guess)
|
MBM (3rd stage loader, like osbl for qualcomm phones)
|
Signature checks everywhere
|
Choose boot partition (boot/recovery)
|
Boot!
Question: MBMLoader has loads of certificates, but is OMAP's boot IROM checking a signature of MBMLoader before booting or just forcing the phone to boot from internal NAND through sys_boot switches?
I've dump a copy of MLO from a Galaxy Nexus and they have a very similar header, and both have certificates bundled in them...
Galaxy Nexus:
Code:
00000000 00 40 00 00 a0 59 00 00 00 00 00 00 00 00 00 00 |[email protected]|
00000010 00 00 00 00 4d 4c 4f 00 00 00 00 00 00 00 00 00 |....MLO.........|
00000020 00 0c 00 00 18 32 00 00 00 00 00 00 00 00 00 00 |.....2..........|
00000030 00 00 00 00 50 52 49 4d 41 50 50 00 00 00 00 00 |....PRIMAPP.....|
00000040 00 02 00 00 60 09 00 00 00 00 00 00 00 00 00 00 |....`...........|
00000050 00 00 00 00 4b 45 59 53 00 00 00 00 00 00 00 00 |....KEYS........|
00000060 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000200 43 65 72 74 50 4b 5f 00 ff ff ff ff ff ff ff ff |CertPK_.........|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000230 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 |................|
00000240 00 01 00 00 01 00 01 00 a3 2c 01 a9 74 ef 79 d1 |.........,..t.y.|
00000250 3a 2e 37 8e 72 3a 7d f6 7a 5f 6f 4d 05 a9 e8 35 |:.7.r:}.z_oM...5|
00000260 c0 f7 47 f7 8d 9f bf f7 61 92 ff f4 27 0f 81 27 |..G.....a...'..'|
00000270 5a 73 ce 90 c7 5b f0 6d 76 c0 c9 90 b7 c2 1c d4 |Zs...[.mv.......|
00000280 80 5f 5f 8e 8e 62 ed 83 7e 72 81 09 1f a5 ad 3a |.__..b..~r.....:|
Motorola Droid 4:
Code:
00000000 00 40 00 00 dc 6a 00 00 00 00 00 00 00 00 00 00 |[email protected]|
00000010 00 00 00 00 4d 4c 4f 00 00 00 00 00 00 00 00 00 |....MLO.........|
00000020 00 02 00 00 60 09 00 00 00 00 00 00 00 00 00 00 |....`...........|
00000030 00 00 00 00 4b 45 59 53 00 00 00 00 00 00 00 00 |....KEYS........|
00000040 00 0c 00 00 c8 33 00 00 00 00 00 00 00 00 00 00 |.....3..........|
00000050 00 00 00 00 50 52 49 4d 41 50 50 00 00 00 00 00 |....PRIMAPP.....|
00000060 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000200 43 65 72 74 50 4b 5f 00 00 00 00 00 00 00 00 00 |CertPK_.........|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000230 00 00 00 00 01 00 00 00 00 00 03 00 01 00 00 00 |................
I guess the real question would be... Could we replace MBMLoader with a compiled X-Loader (of course with all the modifications to let it boot on the xt894 hardware) and would it boot or is HS mode blocking that too?

i think the eFuse blocks it, now if we can figure out how to get around the eFuse, or somehow trigger another one, i wouldnt know though im not an engineer lol

I recently bricked a device and wanted to share some thoughts with you.
1) there are pieces on the hardware which allows it to only run signed code. When I tried to push the unsigned code to the device the device wouldn't start at all
2) if you delete your mbmloader you need to push uboot back to your device, the device I bricked did not allow writes of mbmloader, although others have tested and have had success, I wasn't able to do it. There might be some lock I activated along the way.
3) I am pretty sure these phones are locked from a very, very low level (there are 2 steps in getting a phone to boot even before mbmloader runs). I have a feeling when the signed code goes into the device it writes something to a chip to only allow it run signed code.
4) CDT.bin is what controls what secure version you are at. You can't downgrade CDT.bin, and there are a lot of checks in the mbmloader for cdt, I'm not sure how the 2 are related.
Sent from my XT894 running ICS

I meant that BL (MBM) on the Droid 4 is built with unlock feature, but it can be disabled if SBD_EN eFuse is blown (which it is).
OMAP processors, just like others, have standard secure boot feature (i.e the HW will boot only signed code, so you can't modify mbmloader ).
Don't you have kexec btw.?

podspi said:
Actually unlocking the bootloader isn't necessary with the kexec exploit. From my understanding, the current issues with the kexec builds are custom kernel issues that we would have even with an unlocked bootloader.
Of course, it would be an incredible feat if someone manages it (and I don't want to discourage anyone) but I think that is why nobody (else) is really working on cracking the Droid3/Bionic/Droid4/RAZR bootloaders.
Sent from my DROID4 using xda app-developers app
Click to expand...
Click to collapse
By any chance do you know if a custom kernel affords one the ability to make use of an alternative baseband? Perhaps a basedband loaded via safestrap?
Sent from my SGH-T839 using Tapatalk

blackstar1744 said:
By any chance do you know if a custom kernel affords one the ability to make use of an alternative baseband? Perhaps a basedband loaded via safestrap?
Sent from my SGH-T839 using Tapatalk
Click to expand...
Click to collapse
No.
The kernel runs on the application processor. The baseband runs on the radio processor, which is a completely separate, isolated system.

Sorry I am going to temporarily dumb down this thread with my question..lol...
I am still fairly new and am trying to figure out the difference between unlocking the bootloader and rooting...
I ask because I see people talking about not being able to unlock a bootloader, but this has been discussed before the Droid 4(which I just got from D3) came out with the "Flash counter 0/0". So I know that unlocking the bootloader does not mean being able to hack/reset the flash counter back to 0/0.
I know that people have been able to root the Droid 4 fairly easily and flash JB roms, so I assume that unlocking the bootloader does not mean rooting.
Thank you in advance for any info on this, and I am so looking forward to rooting my D4 but not going to until there is a sure hack to reset the flash counter..

richsapf said:
...I am still fairly new and am trying to figure out the difference between unlocking the bootloader and rooting...
Click to expand...
Click to collapse
Rooting lets you have "root" access to the system so you can change things in system and other protected folders.
Bootloader unlock lets you change the kernel. Without it you cannot fix kernel errors and must shoehorn roms onto stock kernel rather than one made for them.
EDIT: There is more to it than that but that is the basic idea.

Skrilax_CZ said:
I meant that BL (MBM) on the Droid 4 is built with unlock feature, but it can be disabled if SBD_EN eFuse is blown (which it is).
OMAP processors, just like others, have standard secure boot feature (i.e the HW will boot only signed code, so you can't modify mbmloader ).
Don't you have kexec btw.?
Click to expand...
Click to collapse
Hi, I just got my phone yesterday and I'm just started cleaning all the crap that comes bundled (omg this feels like Windows on an acer laptop...) I really didn't remember what it was like not having CM on a device
So, OMAP Boot Rom checks the signature of mbmloader, which checks signature of mbm. Then MBM checks signatures for boot image, recovery, system's build.prop, and preinstall/cdrom/webtop if it boots from a flash, am I right?
Then the only possible solutions would be:
a) Get some random motorola employee to get a hold of the private key used to sign mbmloader (or mlo, or x-loader or whatever they want to call it)
b) Desolder the cpu and get messy with the hardware to turn it back to a GP device (still not sure if eFuse is inside the IC or is it just connected through some solder point in the bga)
c) attempt to find some exploitable bug on mbmloader/mbm
d) just use Kexec and get rid of the rest
For the question about Kexec... I'll use it if I have no choice, but would like to avoid wasting all the space of /system/data/cache/preinstall/cdrom and dealing with all the problems Kexec brings when building a kernel (not to mention radio/dsp problems)...
Anyone knows if boot image is checked on every boot or only after flash like preinstall / cdrom? And any way to get dumps of the entire RAM? if I attempt a dd from /dev/mem I get 0 bytes read, and if I do a dd from /dev/kmem... the phone crashes and reboots...
Sorry for all the questions

The Old One said:
Rooting lets you have "root" access to the system so you can change things in system and other protected folders.
Bootloader unlock lets you change the kernel. Without it you cannot fix kernel errors and must shoehorn roms onto stock kernel rather than one made for them.
EDIT: There is more to it than that but that is the basic idea.
Click to expand...
Click to collapse
Thank you
I am still wondering about the flash counter. Is that still being worked on?

richsapf said:
Thank you
I am still wondering about the flash counter. Is that still being worked on?
Click to expand...
Click to collapse
If you're talking about the 'root check' that appears on recovery (qe 1/1)... it is there...

It is there..meaning that the Droid 4 can be rooted and the root counter can be reset back to 0/0, or something similar?

Help please
If someone has a Droid 4 and they want to root their phone, has there been a fix or hack or whatever it is called, to be able to reset the phone back to 0/0 on the root counter.
I ask because if I root, and the phone fails for ANY reason, I would like to be able to swap it out, while it is under warranty, without Verizon seeing that the phone has been rooted ie 0/1, and then they charge me for the phone.
The only two responses I have received for this question have been:
1- How the heck this this topic get in this thread,,,,, But no help on what thread this question SHOULD be in.
2- It is there,,,,,,,, What does that mean??? What is there? It is where?
Am I the only one who can not afford to fork out $500+
Can someone PLEASE PLEASE either tell me WHERE I should ask this question, and why is this not the correct forum, being that it is "Development".. OR direct me to where the fix/hack may be.
Is this an issue that nobody cares about? What am I not understanding here?
If someone could please head me to the correct forum/thread/site/city/planet/galaxy(I know which universe...whew..) I would so very much appreciate it.
I don't think I am asking a moronic question, but then again..
Thank you