Copying files out of ROM

nick.sturrock · 28th March 2003, 02:21 PM

Copying files out of ROM

Does anyone have or know of a utility for copying files out of ROM on the PocketPC so that I can look at them on my desktop? I know that the Grundle File Explorer utility can do this but I don't want to have to buy a copy when I'll probably only ever do this once.

If not, does anyone know of a utility to do a symbol-dump on an in-ROM file on the PPC? I just want to see what the full list of functions in the ccoreutl.dll library is, and it's not documented anywhere that I can find.

thanks,

nick.

itsme · 29th March 2003, 10:23 AM

all grundle file explorer allows you to do is filter the directory listing
to only display rom-files.

31st March 2003, 10:23 AM

Since the Files in ROM are speparated into parts (data sections, code sections, etc) they don't exist like on a normal file system. The splitting of the files is done for "XIP" (execute in place). Whenever you "launch" an executable or load a library only the "data sections" will be "copied" into RAM (each process will have it's own data section). The code sections will remain in ROM and executed there (so there is no RAM usage for ROM code).

If you wan't to copy files out of ROM you have to assemble the files back (first all code sections of all files are sotred in ROM and then all data sections will be stored compressed). Unfortunately there is no complete documentation of the ROM filesystem (it seems it's a kind of Object Store). So even you dump the ROM content (something like VirtualMem.... will do it) you will not be able to extract complete files.

UnKnOwN

itsme · 31st March 2003, 05:46 PM

here is microsoft's description of XIP
http://msdn.microsoft.com/library/de...ymgmtwince.asp

and this (winceemul41.exe )
http://www.microsoft.com/downloads/d...DisplayLang=en

contains most (if not all) of the source code to the wince.net kernel.
WINCE410\PUBLIC\COMMON\OAK\INC\romldr.h
contains definitions of all structures related to the rom-filesystem,

WINCE410\PRIVATE\WINCEOS\COREOS\NK\KERNEL
has files like 'loader.c' and 'resource.c' which show how the kernel
handles them.
...

I think these files should contain enough information to write a tool
to extract the files.

And I think the wince.Net code is quite similar to how it works
in wince.300 ( the interesting header files for
wince300 are not publicly available, but are in the
wince-platformbuilder)

W4XY · 1st April 2003, 08:29 AM

tool in progress

Quote:

Originally Posted by XDA developer Itsme

I think these files should contain enough information to write a tool
to extract the files.

And I think the wince.Net code is quite similar to how it works
in wince.300 ( the interesting header files for
wince300 are not publicly available, but are in the
wince-platformbuilder)

Actually I'm working on such a tool. It is about 50% done. I can currently extract most sections per file of all files from a ROM image file. I'm not sure if it is possible to recreate executables and dll's such that they function normally. But it should be fine to create definition files for DLL's and such. Also for reverse engineering it should be fine. Current problem I ran into is that I do not have public source for the compression used in PocketPC to compress data sections in the ROM.

1st April 2003, 08:42 AM

Not sure but it looks like a simple LZSS compression

UnKnOwN

W4XY · 1st April 2003, 08:46 AM

Quote:

Originally Posted by UnKnOwN

Not sure but it looks like a simple LZSS compression

UnKnOwN

I thought it might be called LZX, but I'm not much of a compression guru. I did find an open source cab-extractor that implements LZX and I could try that, but haven't gotten to it yet. Another option is to extract the binary code from the emulator and use that, but I find that that is getting messy.

1st April 2003, 08:51 AM

Just found something interesting in

WINCE410\PRIVATE\WINCEOS\COREOS\NK\KERNEL\compr2.c

WINCE provides two different functions to the KERNEL (binary and string (de)compression).

They both use the buildin CECompress() / CEDecompress() functions...

UnKnOwN

1st April 2003, 09:40 AM

OK, I thought CECompress/CEDecompress are available but...

so I post some details here now :twisted:

in coredll.dll there are four functions:

StringCompress, StringDecompress, BinaryCompress, BinaryDecompress

You can use them via GetProcAddress( hCoreDLL, TEXT("BinaryDecompress") );

Here are some function headers and defines for you:

#define CECOMPRESS_ALLZEROS 0
#define CECOMPRESS_FAILED 0xffffffffUL
#define CEDECOMPRESS_FAILED 0xffffffffUL

DWORD StringCompress( LPBYTE bufin, DWORD lenin, LPBYTE bufout, DWORD lenout );

DWORD StringDecompress( LPBYTE bufin, DWORD lenin, LPBYTE bufout, DWORD lenout );

DWORD BinaryCompress( LPBYTE bufin, DWORD lenin, LPBYTE bufout, DWORD lenout );

DWORD BinaryDecompress( LPBYTE bufin, DWORD lenin, LPBYTE bufout, DWORD lenout, DWORD skip );

The return value is the number of bytes written to the output buffer or one of the three defines.

UnKnOwN

W4XY · 1st April 2003, 10:07 AM

compress functions

The compress functions are the ones I was talking about getting out of the emulator code. Another options is to use a pocketpc application to copy the rom images out. The source code of the compression functions is not available, not even in the source code that M$ made available of the private wince parts.