XDA Developers Android and Mobile Development Forum
-r0bin-
(Last edited by -r0bin-; 22nd July 2011 at 11:38 AM.)
Senior Member - OP
Thanks Meter 512
Posts: 444
Join Date: Nov 2010
[DEV][TUTORIAL] How to intercept DEX calls with HaRET

Guys,
In case you don't know yet how to reverse engineer WinMo and DEX calls, here is a little tutorial.

- What is a DEX call?
It's a mechanism for inter-processor communication used mainly in WinMo devices.
Android devices use RPC mainly, but WinMo uses DEX as well; that's why some features of WinMo are not working on our Liberty kernel.
(Remember, our phone uses an ARM11 running Linux and an ARM9 running the radio. We don't control the radio software. The ARM9 handles many tasks such as GSM, DSP, video, JPEG, voice, etc.)

- How can I track them?
Using HaRET. See here how to work with it for basic stuff:
http://htc-linux.org/wiki/index.php?..._Documentation

When your connection with HaRET is working, here is how you intercept:
1st, set up the memory region to listen to
(note: the only address I want to monitor is 0xaccfc100 to fc120, but HaRET crashes when I do so. The only way for me is to listen to the whole SMEM starting at 0xacc00000)
Quote:
HaRET(3)# addlist mmutrace 0xaccf0000 0xc130
2nd, disable the most common IRQs of the Photon:
Quote:
HaRET(4)# ibit irqs 21 45 0 32 16 33 19 23 4 47
3rd, start listening for 5 seconds
Quote:
HaRET(5)# wirq 5
During those 5 seconds (can be more if you wish), the goal is to trigger the action you want to monitor (for example, headset plug/unplug).
You will get many, many lines of output on the screen.

4th, open the log file HaRET created (in the same folder you launched it from), import it into Excel (or a text editor) and look for this line:
Quote:
000000: mmutrace 7a686510: e5832000(str) accfc100 0000011c (00000000)
0xaccfc100 is the memory address of DEX commands.
The data associated was 0x11c, which is composed of two things:
0x1c is the DEX id. See here: http://htc-linux.org/wiki/index.php?title=RaphaelDEX
0x100 means there is DATA associated with this DEX call.

If DATA is associated, you need to retrieve it at the right address: 0xaccfc120
The data is there (it should be the next line):
Quote:
000000: mmutrace 7a68651c: e5813000(str) accfc120 00000001 (00000000)
To translate this into Photon kernel code, you can do this:
Code:
#include "proc_comm_wince.h"

/* Replays the DEX call seen in the trace: id 0x1c with data word 0x1.
 * The wrapper name is only illustrative; drop the body wherever the
 * kernel should issue the call. */
static void replay_dex_call(void)
{
	struct msm_dex_command dex;

	dex.cmd = 0x1c;       /* DEX id: low byte of the 0x11c stored at 0xaccfc100 */
	dex.has_data = 1;     /* the 0x100 flag was set, so a data word follows */
	dex.data = 0x1;       /* the value stored at 0xaccfc120 */
	msm_proc_comm_wince(&dex, 0);
}
Unfortunately, sometimes the DEX call alone is not enough to activate the functionality.
Sometimes you must also find the RPC call, or another trigger...
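As an added example (not part of the post above), the log analysis it describes done in Python: scan a HaRET mmutrace log for stores to 0xaccfc100, split the stored word into the DEX id (low byte) and the 0x100 data flag, and pair it with the following store to 0xaccfc120. The line layout is assumed from the two trace lines quoted in the post, and the sample log is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# SMEM addresses named in the post: DEX command word and its optional data word.
DEX_CMD_ADDR = 0xACCFC100
DEX_DATA_ADDR = 0xACCFC120
HAS_DATA_FLAG = 0x100   # set in the command word when a data word follows
DEX_ID_MASK = 0xFF      # low byte of the command word is the DEX id

# One HaRET mmutrace line (layout assumed from the post):
#   "<seq>: mmutrace <pc>: <insn>(<op>) <addr> <value> (<old>)"
TRACE_RE = re.compile(
    r"^\s*[0-9a-f]+:\s+mmutrace\s+(?P<pc>[0-9a-f]+):\s+[0-9a-f]+\((?P<op>\w+)\)"
    r"\s+(?P<addr>[0-9a-f]+)\s+(?P<value>[0-9a-f]+)\s+\([0-9a-f]+\)", re.I)

@dataclass
class DexCall:
    pc: int              # ARM11 instruction address that issued the store
    cmd: int             # DEX id (e.g. 0x1c)
    has_data: bool       # True when 0x100 was set in the command word
    data: Optional[int]  # value stored to DEX_DATA_ADDR, if any

def extract_dex_calls(log_text: str) -> List[DexCall]:
    """Return every DEX command stored to DEX_CMD_ADDR, pairing it with the
    following store to DEX_DATA_ADDR when the has_data flag is set."""
    calls: List[DexCall] = []
    pending: Optional[DexCall] = None   # command still waiting for its data word
    for line in log_text.splitlines():
        m = TRACE_RE.match(line)
        if not m or m["op"].lower() != "str":
            continue   # loads and unrelated lines do not issue DEX calls
        pc, addr, value = (int(m[k], 16) for k in ("pc", "addr", "value"))
        if addr == DEX_CMD_ADDR:
            call = DexCall(pc, value & DEX_ID_MASK, bool(value & HAS_DATA_FLAG), None)
            calls.append(call)
            pending = call if call.has_data else None
        elif addr == DEX_DATA_ADDR and pending is not None:
            pending.data = value
            pending = None
    return calls

# Constructed sample: the two lines quoted in the post, a load (ignored),
# and a second DEX call without data.
SAMPLE_LOG = """\
000000: mmutrace 7a686510: e5832000(str) accfc100 0000011c (00000000)
000000: mmutrace 7a68651c: e5813000(str) accfc120 00000001 (00000000)
000000: mmutrace 7a686530: e5932000(ldr) accfc100 0000011c (0000011c)
000000: mmutrace 7a686544: e5832000(str) accfc100 00000027 (0000011c)
"""
```

Running `extract_dex_calls(SAMPLE_LOG)` yields the 0x1c call with data 0x1 (the post's example) and a data-less 0x27 call; each result maps directly onto cmd, has_data and data of the kernel struct.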
 
15131331231
Senior Member
Thanks Meter 20
Posts: 129
Join Date: Feb 2011
Location: China
thanks, r0bin

Thanks. Want to know more about this!