[DEV][TUTORIAL] How to intercept DEX calls with Haret
In case you don't know yet how to reverse engineer WinMo and DEX calls, here is a little tutorial.
- What is a DEX call?
It's a mechanism for inter-processor communication used mainly in WinMo devices.
Android devices mainly use RPC, but WinMo also uses DEX; that's why some features of WinMo are not working on our Liberty kernel.
(Remember, our phone runs Linux on the ARM11 and the radio on the ARM9. We don't control the radio software. The ARM9 handles many tasks such as GSM, DSP, video, JPEG, voice etc.)
- How can I track them?
Using HaRET. See here how to work with it for basic stuff:
When your connection with HaRET is working, here is how you intercept:
1st, set up the memory region to listen to
(note: the only addresses I want to monitor are 0xaccfc100 to 0xaccfc120, but HaRET crashes when I do so. The only way for me is to listen to the whole SMEM starting at 0xacc00000.)
HaRET(3)# addlist mmutrace 0xaccf0000 0xc130
2nd, disable the most common IRQs of the Photon (otherwise their handlers flood the trace):
HaRET(4)# ibit irqs 21 45 0 32 16 33 19 23 4 47
3rd, start listening for 5 seconds.
During those 5 seconds (can be more if you wish), the goal is to trigger the action you want to monitor (for example, headset plug / unplug).
You will get many lines of output on the screen.
4th, open the log file HaRET created (in the same folder you launched it from), import it into Excel (or a text editor) and look for this line:
000000: mmutrace 7a686510: e5832000(str) accfc100 0000011c (00000000)
0xaccfc100 is the memory address of DEX commands.
The value stored there was 0x11c, which is composed of two things:
0x1c is the DEX id. See here: http://htc-linux.org/wiki/index.php?title=RaphaelDEX
0x100 means there is DATA associated with this DEX call.
If DATA is associated, you need to retrieve it at the right address: 0xaccfc120.
The data is there (it should be the next line):
000000: mmutrace 7a68651c: e5813000(str) accfc120 00000001 (00000000)
To translate this into Photon kernel code, you can do this:
struct msm_dex_command dex;
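As an added example (my code, not something from the post or from the htc-linux kernel), the following C program does step 4 and the translation above mechanically: it parses the two mmutrace lines quoted above, splits the 0x11c word into the DEX id (0x1c) and the DATA flag (0x100), and picks up the DATA word from the following store to 0xaccfc120. It also reports an incomplete capture when the flag is set but no DATA store follows. Only the struct name, the two addresses and the two bit meanings come from the post; the field names of struct msm_dex_command and the 0xff mask for the id are assumptions, so check them against your kernel's proc_comm header.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Addresses and bit meanings taken from the post. */
#define DEX_CMD_ADDR   0xaccfc100u  /* word where the DEX command is written */
#define DEX_DATA_ADDR  0xaccfc120u  /* word where the optional DATA is written */
#define DEX_HAS_DATA   0x100u       /* set in the command word when DATA follows */
#define DEX_ID_MASK    0xffu        /* ASSUMPTION: the id is the low byte (0x1c in the post) */

/* ASSUMPTION: field names of the kernel struct the post mentions; only the
   struct name comes from the post, check your kernel's proc_comm header. */
struct msm_dex_command {
    unsigned cmd;       /* DEX id */
    unsigned has_data;  /* 1 when a DATA word accompanies the command */
    unsigned data;      /* the DATA word, valid when has_data is set */
};

/* One store recorded by "addlist mmutrace". */
struct trace_store {
    unsigned pc, insn, addr, value;
};

/* Parse "NNNNNN: mmutrace PC: INSN(str) ADDR VALUE (OLD)" as HaRET logs it.
   Returns 1 for a store (str) record, 0 for anything else. */
static int parse_trace_line(const char *line, struct trace_store *out)
{
    char kind[8];
    unsigned old;
    int n = sscanf(line, "%*x: mmutrace %x: %x(%7[^)]) %x %x (%x)",
                   &out->pc, &out->insn, kind, &out->addr, &out->value, &old);
    return n == 6 && strcmp(kind, "str") == 0;
}

/* Scan the trace for the first store to the DEX command word, split it into id
   and data flag, and if the flag is set pick up the value from the following
   store to the DATA word. Returns 1 when a complete command was recovered. */
static int extract_dex(const char **lines, int nlines, struct msm_dex_command *dex)
{
    for (int i = 0; i < nlines; i++) {
        struct trace_store s;
        if (!parse_trace_line(lines[i], &s) || s.addr != DEX_CMD_ADDR)
            continue;
        dex->cmd = s.value & DEX_ID_MASK;
        dex->has_data = (s.value & DEX_HAS_DATA) != 0;
        dex->data = 0;
        if (!dex->has_data)
            return 1;
        /* The post says the DATA store is the next line; scan forward anyway
           in case an unrelated store landed in between. */
        for (int j = i + 1; j < nlines; j++) {
            struct trace_store d;
            if (parse_trace_line(lines[j], &d) && d.addr == DEX_DATA_ADDR) {
                dex->data = d.value;
                return 1;
            }
        }
        return 0;  /* flag set but no DATA store followed: incomplete capture */
    }
    return 0;      /* no DEX command in this trace window */
}

/* Constructed sample: the two mmutrace lines quoted in the post. */
static const char *sample_log[] = {
    "000000: mmutrace 7a686510: e5832000(str) accfc100 0000011c (00000000)",
    "000000: mmutrace 7a68651c: e5813000(str) accfc120 00000001 (00000000)",
};

int main(void)
{
    struct msm_dex_command dex;
    int n = (int)(sizeof(sample_log) / sizeof(sample_log[0]));
    if (extract_dex(sample_log, n, &dex))
        printf("DEX id 0x%02x, has_data %u, data 0x%08x\n",
               dex.cmd, dex.has_data, dex.data);
    else
        printf("no complete DEX command found\n");
    return 0;
}
```

Feed it the whole HaRET log instead of the two constructed lines and it will pull out the first DEX command in the capture window; if you see "no complete DEX command found" while the 0x100 flag was set, the data store was outside the traced range or the capture window, so widen the addlist region or the listening time.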
Unfortunately, sometimes the DEX call alone is not enough to activate the functionality.
Sometimes you must also find the matching RPC call, or another trigger...