[PROJECT] HaRET on WP7


spavlin

Senior Member
Dec 26, 2006
321
643
========================================
c13, Thread and Process ID Registers
========================================
The purpose of the Thread and Process ID Registers is to provide locations to store the IDs of software threads and processes for OS management purposes.

The Thread and Process ID Registers are:

- three read/write registers banked for Secure and Nonsecure states:
  - user read/write Thread and Process ID Register
  - user read-only Thread and Process ID Register
  - privileged only Thread and Process ID Register
- accessible in different modes:
  - the user read/write Thread and Process ID Register is read/write in User and privileged modes
  - the user read-only Thread and Process ID Register is read-only in User mode, and read/write in privileged modes
  - the privileged only Thread and Process ID Register is only accessible in privileged modes, and is read/write.

To access the Thread and Process ID Registers, read or write CP15 with:
MRC p15, 0, <Rd>, c13, c0, 2 ; Read User read/write Thread and Process ID Register
MCR p15, 0, <Rd>, c13, c0, 2 ; Write User read/write Thread and Process ID Register
MRC p15, 0, <Rd>, c13, c0, 3 ; Read User read-only Thread and Process ID Register
MCR p15, 0, <Rd>, c13, c0, 3 ; Write User read-only Thread and Process ID Register
MRC p15, 0, <Rd>, c13, c0, 4 ; Read Privileged only Thread and Process ID Register
MCR p15, 0, <Rd>, c13, c0, 4 ; Write Privileged only Thread and Process ID Register
Reading or writing the Thread and Process ID Registers has no effect on the processor state or operation.
These registers provide OS support and must be managed by the OS.
You must clear the contents of all Thread and Process ID Registers on process switches to prevent data leaking from one process to another. This is important to ensure the security of secure data.

========================================
c13, FCSE PID Register
========================================
The c13, Context ID Register replaces the FCSE PID Register. Use of the FCSE PID Register is deprecated.
The FCSE PID Register is:
- a read/write register banked for Secure and Nonsecure states
- accessible in privileged modes only. Attempts to write to this register in secure privileged mode when CP15SDISABLE is HIGH result in an Undefined Instruction exception, see Security Extensions write access disable.

An entry of Undefined in the table means that the access gives an Undefined Instruction exception when the coprocessor instruction is executed.

To access the FCSE PID Register, read or write CP15 with:
MRC p15, 0, <Rd>, c13, c0, 0 ; Read FCSE PID Register
MCR p15, 0, <Rd>, c13, c0, 0 ; Write FCSE PID Register
To change the ProcID and perform a fast context switch, write to the FCSE PID Register. You are not required to flush the contents of the TLB after the switch because the TLB still holds the valid address tags. Because a write to the FCSE PID Register causes a pipeline flush, the effect is immediate. The next executed instruction is fetched with the new PID.

You must not rely on this behavior for future compatibility. An IMB must be executed between changing the ProcID and fetching from locations that are translated by the ProcID. Addresses issued by the processor in the range 0-32MB are translated by the ProcID. Address A becomes A + (ProcID x 32MB). The MMU uses this translated address, the MVA. Addresses above 32MB are not translated. The ProcID is a 7-bit field, enabling 128 x 32MB processes to be mapped.

If ProcID is 0, as it is on Reset, then there is a flat mapping between the processor and the MMU.

========================================
Security Extensions write access disable
========================================
The processor supports a primary input pin, CP15SDISABLE, to disable write access to the CP15 registers.
When the CP15SDISABLE input is set to 1, any attempt to write to the secure version of the banked register, NS-bit is 0, or any non-banked register, NS-state is 0 results in an Undefined Instruction exception.
Changes in the pin on an instruction boundary occur as quickly as practically possible after a change to this pin.
Software must perform an IMB after a change to this pin has occurred on the boundary of the macros to ensure that its effects are recognized on following instructions.
At reset, it is expected that this pin is set to logic 0 by the SoC hardware. Control of this pin is expected to remain within the SoC chip that implements the processor.
CP15 registers affected by CP15SDISABLE

Register                            Instruction
Control Register                    MCR p15, 0, <Rd>, c1, c0, 0
Translation Table Base 0            MCR p15, 0, <Rd>, c2, c0, 0
Translation Table Control Register  MCR p15, 0, <Rd>, c2, c0, 2
Domain Access Control               MCR p15, 0, <Rd>, c3, c0, 0
Primary Region Remap                MCR p15, 0, <Rd>, c10, c2, 0
Normal Memory Region Remap          MCR p15, 0, <Rd>, c10, c2, 1
Vector Base                         MCR p15, 0, <Rd>, c12, c0, 0
Monitor Base                        MCR p15, 0, <Rd>, c12, c0, 1
FCSE                                MCR p15, 0, <Rd>, c13, c0, 0
Array operations                    MCR p15, 0, <Rd>, c15, c0-15, 0-7
                                    MRC p15, 0, <Rd>, c15, c0-15, 0-7
 
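The FCSE address arithmetic quoted above (A becomes A + (ProcID x 32MB) for A below 32MB, ProcID a 7-bit field, addresses at or above 32MB left untouched) worked through in C. This is an added example, not part of spavlin's post or of the ARM documentation it quotes; it only models the translation in software and never touches CP15, so it builds and runs on any host:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Figures from the FCSE PID Register description above. */
#define FCSE_SLOT_SIZE   0x02000000u   /* 32 MB per ProcID slot   */
#define FCSE_PROCID_MAX  127u          /* ProcID is a 7-bit field */

/* MVA the MMU sees for a processor-issued virtual address under a given
 * ProcID. Returns false (and leaves *mva untouched) for a ProcID that
 * does not fit the 7-bit field. */
bool fcse_translate(uint32_t va, uint32_t procid, uint32_t *mva)
{
    if (procid > FCSE_PROCID_MAX)
        return false;
    if (va < FCSE_SLOT_SIZE)
        *mva = va + procid * FCSE_SLOT_SIZE;   /* relocated into slot procid   */
    else
        *mva = va;                              /* at or above 32 MB: untouched */
    return true;
}

/* ProcID whose 32 MB slot a given MVA falls into. */
uint32_t fcse_slot_of(uint32_t mva)
{
    return mva / FCSE_SLOT_SIZE;
}

/* Do two ProcIDs land on the same MVA for the same virtual address?
 * Below 32 MB they never do, which is why the ARM text says the TLB need
 * not be flushed on a ProcID change; at or above 32 MB the mapping is
 * shared, so both see the same MVA. */
bool fcse_alias(uint32_t va, uint32_t procid_a, uint32_t procid_b)
{
    uint32_t a, b;
    if (!fcse_translate(va, procid_a, &a) || !fcse_translate(va, procid_b, &b))
        return false;
    return a == b;
}

int main(void)
{
    /* Constructed sample: the same low VA under three ProcIDs. */
    const uint32_t va = 0x00001000u;
    const uint32_t ids[] = { 0u, 1u, 127u };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        uint32_t mva = 0;
        fcse_translate(va, ids[i], &mva);
        printf("ProcID %3u: VA 0x%08x -> MVA 0x%08x (slot %u)\n",
               ids[i], va, mva, fcse_slot_of(mva));
    }
    return 0;
}
```

ProcID 0 gives the flat mapping the text mentions, ProcID 127 places the 32 MB window at the top of the 4 GB space, and any address at or above 32 MB is passed through unchanged regardless of ProcID.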

Martin7Pro

Senior Member
Oct 23, 2011
385
363
htc7pro.howto.cz
========================================
c13, Thread and Process ID Registers
========================================
The purpose of the Thread and Process ID Registers is to provide locations to store the IDs of software threads and processes for OS management purposes.

...

MCR p15, 0, <Rd>, c15, c0-15, 0-7
MRC p15, 0, <Rd>, c15, c0-15, 0-7

Hi spavlin. From what IDE have you got your results? I am trying to make a WP7 HaRET version under Visual Studio 2008, but I ran into many problems. Are you using a fully unlocked ROM? What version? Thanks. M7P
 

Kr3i0s

Senior Member
Jun 30, 2011
107
28
Yes we are, I've fixed the font sizes so it all fits on the screen now
7nIPs.jpg

Though getting into kernel mode is another thing, I hope GDTD can find an answer to this. I don't know WinCE well, but drivers run in Kernel Mode, right? What if we turned HaRET into a driver that is controlled through a Silverlight app, much like the DFT BT File Transfer.

Edit: Found this in the PDF found in the post before:

jessenic, is it possible to pm me this version of haret that u compiled?

I have tried to compile from your source but I am getting this error

Compiling (armv4) src/mach/machines.cpp
make: /opt/mingw32ce/bin/arm-mingw32ce-g++: Command not found
make: *** [out/machines.o] Error 127

I am on Ubuntu 12.10 64-bit
 
Last edited:

Martin7Pro

Senior Member
Oct 23, 2011
385
363
htc7pro.howto.cz
I'm not sure the SMD driver exists on WP7, though. However, an implementation like that would work, and this project is fairly possible (excluding any other caveats), but I have no knowledge of CE kernel drivers, which is why I haven't attempted anything.

OK. I found some other materials from the CE team. If I understand correctly, an OEM driver (I mean I don't, but you know how to sign a dll as OEM) can call ANY user callback in kernel mode. Then a little signed OEM-like driver can open a big backdoor to running in kernel mode, probably on custom ROMs only. Can anybody write here exactly what ALL the problems are that prevent full WP7 HaRET function? High address memory allocation only? This thread is a little mishmashed now, the DFT thread (I love Google Chinese translations at registration time) too, other web info is totally unusable. Where is the really updated WP7 HaRET source code located? Does it exist for GCC only, or has anybody got an MSVC project functioning? I found my last year's attempt may function after some little UI changes. But it is a very old HaRET version. I mean I am not alone in having all native projects under VS2008 and wanting consistency here. If more people do ACTIVE work here, we can make a multi-IDE source version and finish the Linux/Android port to WP7 devices in the near future.
 
Last edited:

Martin7Pro

Senior Member
Oct 23, 2011
385
363
htc7pro.howto.cz
VS2008 Version

There is a VS 2008 HaRET 3.8 version. Something is commented out (wrongly) to make it compilable/linkable. Use "Pocket PC 2003 Device" for VS debugging. Do not use the emulator (VS crashes). I have no free time now (too much other work). Somebody can compare and repair this old corrupted version against the newest GCC fork and make a "Windows Mobile 6/6.5.3" linkable version. The HaRET Default.txt script runs about 20 seconds on my phone before crashing; it says "EXCEPTION Reading Coprocessor" repeatedly.

EDIT: Version for WM 6.5.3 DTK added. Use 'Windows Mobile 6.5.3 platform' for compiling and 'Windows Mobile 6.5.3 Device' and ultrashot's WMDC for debugging on a REAL WP7 DEVICE. All Error, Status, Output is sent to the device screen area and to the VS2008 debug output window too, when the console is not connected to a COM port. The last line tried is now:

memcpy (preloader, &linux_preloader,
(uint)&linux_preloader_end - (uint)&linux_preloader);

Output: Preloader physical/virtual address: fffffc00'

Is it the same problem that you have in the GCC compiled version (memory management is not allowed at physical addresses above 0x80000000)?


EDIT2: I am really not sure if the problem of my version stopping working is related to memory management. Can somebody experienced try it in VS? VS TRACE Output stops at some magic place:
Output: memVirtToPhys: 609 finished'
NOT TRIED, JUST FINISHED. BUT NOTHING MORE! It seems another thread does something wrong.
Most often, this comes before it:
Error: EXCEPTION reading coprocessor 15 register 2'
 

Attachments

  • HaRETWP7WM653VS2008.zip
    5.9 MB · Views: 87
Last edited:

dcordes

Retired Senior Recognized Developer
Nov 20, 2007
707
254
jessenic, is it possible to pm me this version of haret that u compiled?

I have tried to compile from your source but I am getting this error

Compiling (armv4) src/mach/machines.cpp
make: /opt/mingw32ce/bin/arm-mingw32ce-g++: Command not found
make: *** [out/machines.o] Error 127

I am on Ubuntu 12.10 64-bit

Did you pass the environment vars correctly? It seems to be unable to locate the cross toolchain. Also make sure the toolchain works on your 64bit system. Double check with the howto linked on first page. Hope this helps.
 

Martin7Pro

Senior Member
Oct 23, 2011
385
363
htc7pro.howto.cz
Silverlight UI

Hi Friends.

HaRETWP7WPF.jpg


It is not a fake, but I need co-operation here. I am working on a non-blocking WPF managed/unmanaged interface, able to write strings (or do any more complicated UI management) to WPF objects by calling unmanaged functions. Is anybody able to change the actual non-UI HaRET version into a simple dll with defined entry points? I will share the interface with UI-related callbacks next week. I only have a too-old HaRET version working in VS2008; the newest versions have too different assembler, system calls and linking management compared to 0.3.8. I have no time to port it or to install Linux/GCC on my totally full computer. M.


____________________________

A question:

Is anybody able to change certificates so that this feature works on WP7?

_______________________

Does anybody know CodeSourcery in relation to compiling WM projects? I tried the Python script and GCC/G++ for compiling the newest HaRET from Visual Studio, but compiling with the downloaded CodeSourcery version seems not to be for WM, but for ARM Linux. Is CEGCC necessary? I read CodeSourcery alone may be usable for WM/CE ARM compiling.
But VS scripting seems interesting; with the Native/Managed TRACE system etc. it can allow FULL hybrid (Managed+Native) projects in VS 2010 for Windows Phone only, including debugging.
 
Last edited:

Martin7Pro

Senior Member
Oct 23, 2011
385
363
htc7pro.howto.cz
Isn't this (and the dependent CE6/7 sources by the same author) what we finally need? Is anybody able to sign it with a corresponding WP7 certificate? I mean a little driver able to access the processor (solved fully at the link) / memory (needs a little addition) hardware is better than rearranging all of HaRET into a driver etc.

If I understand correctly, we can:

1. Make a "stream protocol driver" dll. This is the deepest driver level, always enabling kernel mode (the second possibility is the "kernel part" of a "device driver"; I am still not sure how to determine which part is used for answering calls). This dll must export 6 strictly defined entry points.
2. Register the "fake stream protocol".
3. Open a "fake file" via the "fake protocol" in our user mode application (or wrapper dll). This loads the driver into memory; now we can call its exported functions in kernel mode.
4. Start a kernel mode thread, communicating with the application by synchronisation objects and (maybe) able to call user callbacks in kernel mode (I am not sure how params can be mapped between modes, but the link above solves it).

I mean points 1..3 can be done by "normal" file and registry handling (see the middle link of the previous post). If not, we must use cab sender or WP7 kitchen to do points 1 and 2. Maybe Platform Builder is needed for point 1 (in the link above it is written that we can use this nice feature), but I mean it is not needed; the driver can probably be compiled as a "normal" dll. Maybe the "system ROM" bit cannot be checked; then it can work simply on custom ROMs and with some certification hack on signed ROMs.

Won't the SD card filesystem be a bigger problem? Have you had success with partition creating? I am just going to replace my HTC7Pro SD card from 8GB class 2 to 32GB class 10; I will try to do some partition management attempts.
 
Last edited:

Kr3i0s

Senior Member
Jun 30, 2011
107
28
Isn't this (and the dependent CE6/7 sources by the same author) what we finally need? Is anybody able to sign it with a corresponding WP7 certificate? I mean a little driver able to access the processor (solved fully at the link) / memory (needs a little addition) hardware is better than rearranging all of HaRET into a driver etc. ...

Its good to see someone still working on this project after the big boys seem to have given up. Keep it up Martin7Pro.

I wish i could be of any assistance but have no programming language skills. Hope to get haret running on WP7 someday.
 

Jaxbot

Inactive Recognized Developer
Mar 14, 2009
1,224
548
windowsphonehacker.com
Isn't this (and the dependent CE6/7 sources by the same author) what we finally need? Is anybody able to sign it with a corresponding WP7 certificate? I mean a little driver able to access the processor (solved fully at the link) / memory (needs a little addition) hardware is better than rearranging all of HaRET into a driver etc.

If I understand correctly, we can:

1. Make a "stream protocol driver" dll. This is the deepest driver level, always enabling kernel mode (the second possibility is the "kernel part" of a "device driver"; I am still not sure how to determine which part is used for answering calls). This dll must export 6 strictly defined entry points.
2. Register the "fake stream protocol".
3. Open a "fake file" via the "fake protocol" in our user mode application (or wrapper dll). This loads the driver into memory; now we can call its exported functions in kernel mode.
4. Start a kernel mode thread, communicating with the application by synchronisation objects and (maybe) able to call user callbacks in kernel mode (I am not sure how params can be mapped between modes, but the link above solves it).

I mean points 1..3 can be done by "normal" file and registry handling (see the middle link of the previous post). If not, we must use cab sender or WP7 kitchen to do points 1 and 2. Maybe Platform Builder is needed for point 1 (in the link above it is written that we can use this nice feature), but I mean it is not needed; the driver can probably be compiled as a "normal" dll. Maybe the "system ROM" bit cannot be checked; then it can work simply on custom ROMs and with some certification hack on signed ROMs.

Won't the SD card filesystem be a bigger problem? Have you had success with partition creating? I am just going to replace my HTC7Pro SD card from 8GB class 2 to 32GB class 10; I will try to do some partition management attempts.

That looks exactly like what we need. I came across something similar to that a while back, but I was unable to actually use it for anything, as my limited C++ knowledge resulted in me having no idea how to compile CE drivers.

As far as drivers go, it should be possible with full unlocked devices to use unsigned CE modules, as I'm pretty sure this is what DFT bluetooth does. I could be totally wrong, though. It's been a while.

Props to you, though!
 

Martin7Pro

Senior Member
Oct 23, 2011
385
363
htc7pro.howto.cz
http://msdn.microsoft.com/en-us/library/aa908734.aspx

UnlockPages
This function unlocks a specified range of pages in the virtual address space of a process, enabling the system to swap the pages out, if necessary. This function can be called only in kernel mode.

Syntax

BOOL UnlockPages(
LPVOID lpvAddress,
DWORD cbSize
);
Parameters
lpvAddress
[in] Address of the start of a region of committed pages that are to be unlocked.

cbSize
[in] Number of bytes to unlock.

Return Value
TRUE indicates success. FALSE indicates failure. To get extended error information, call GetLastError.

Remarks
LockPages is referenced counted, so if the same thread does a LockPages twice, the second UnlockPages unlocks the pages.

Requirements
Header: pkfuncs.h
Library: coredll.lib
Windows Embedded CE: Windows Embedded CE 6.0 and later

CeVirtualSharedAlloc

This function allocates read/write memory to the caller and read-only memory to other processes. This function is callable only in kernel mode.

Syntax

LPVOID CeVirtualSharedAlloc(
LPVOID lpvAddr,
DWORD cbSize,
DWORD fdwAction
);
Parameters
lpvAddr
[in] Starting address of the shared memory to be committed, or NULL if reserving shared memory.

cbSize
[in] Size, in bytes, of the memory reservation or allocation.

fdwAction
[in] Value that specifies the action.

This value must be a combination of MEM_RESERVE and MEM_COMMIT.

Value        Description
MEM_COMMIT   Commits the memory specified by lpvAddr and cbSize, where lpvAddr must be an address previously reserved by CeVirtualSharedAlloc. This value can also be NULL, which reserves and commits a region of size cbSize. This behaves like MEM_RESERVE|MEM_COMMIT.
MEM_RESERVE  Reserves a region in the shared read-only area. lpvAddr must be NULL.

Return Value
A pointer to the memory region that was reserved or committed indicates success. NULL indicates failure. To get extended error information, call GetLastError. If the caller is not fully trusted, the call fails with the error code ERROR_ACCESS_DENIED.

Remarks
You can free the memory region that was reserved or committed by CeVirtualSharedAlloc, using the VirtualFree function.

Freeing the memory allocated by CeVirtualSharedAlloc is similar to freeing memory allocated by the VirtualAlloc function.

Requirements
Header: pkfuncs.h
Library: coredll.lib
Windows Embedded CE: Windows CE 5.0 and later

VirtualAllocCopyEx

This function reserves or commits a region of pages in the virtual address space of the specified destination process, hDstProc, and then dynamically creates an alias to the virtual memory given by the source process, hSrcProc, and the source address pAddr. Terminate the mapping by calling VirtualFreeEx. This function is callable only in kernel mode.

Syntax

LPVOID VirtualAllocCopyEx (
HANDLE hSrcProc,
HANDLE hDstProc,
LPVOID pAddr,
DWORD cbSize,
DWORD dwProtect
);
Parameters
hSrcProc
[in] Handle to the source process.

hDstProc
[in] Handle to the destination process.

pAddr
[in] Long pointer to the specified starting address in the source process, hSrcProc. This cannot be NULL.

cbSize
[in] Size in bytes of virtual allocation pointed to by pAddr in the hSrcProc process. This cannot be NULL.

dwProtect
[in] Type of access protection. If the pages are being committed, any one of a number of flags can be specified, along with the PAGE_GUARD and PAGE_NOCACHE, protection modifier flags.

For information about the possible flags for this parameter, see VirtualCopyEx.

Return Value
The base address of the allocated region of pages indicates success. NULL indicates failure. To get extended error information, call GetLastError.

Remarks
If you want to VirtualAllocCopy a physical or virtual buffer, if that buffer is not page-aligned then you will end up copying more data than you specified. If the start of the buffer is not page-aligned then you will also copy data before the start of the specified buffer, starting from the beginning of the page. If the end of the buffer is not page-aligned then you will also copy data after the end of the specified buffer, ending at the following page boundary.

This is a security issue if the copied buffer is ever passed to user mode. The user mode application will be able to access the surrounding data that is not part of the specified buffer. To protect the surrounding data, use a buffer that is page-aligned and an even multiple of pages in size. If that is not possible then passing the data to user mode puts it at risk.

For more information, see VirtualAllocEx and VirtualCopyEx.

Requirements
Header: pkfuncs.h
Library: coredll.lib
Windows Embedded CE: Windows Embedded CE 6.0 and later

VirtualCopyEx

This function dynamically maps a virtual address to a physical address by creating a new page-table entry. Terminate the mapping by calling VirtualFree. This function is callable in kernel mode and in user mode, when the source and destination process handles are the active process.

Syntax

BOOL VirtualCopyEx(
HANDLE hDstProc,
LPVOID lpvDest,
HANDLE hSrcProc,
LPVOID lpvSrc,
DWORD cbSize,
DWORD fdwProtect
);
Parameters
hDstProc
[in] Handle to the destination process.

lpvDest
[in] Pointer to the destination memory, which must be reserved.

hSrcProc
[in] Handle to the source process.

lpvSrc
[in] Pointer to committed memory.

cbSize
[in] Size, in bytes, of the region. The allocated pages include all pages containing one or more bytes in the range from lpAddress to (lpAddress + cbSize). This means that a 2-byte range straddling a page boundary causes both pages to be included in the allocated region.

fdwProtect
[in] Type of access protection. If the pages are being committed, any one of a number of flags can be specified, along with the PAGE_GUARD and PAGE_NOCACHE, protection modifier flags. The following table shows the flags that can be specified.

For information about the available values for this parameter, see VirtualCopy.

Return Value
TRUE indicates success. FALSE indicates failure. To obtain extended error information, call GetLastError.

Remarks
This function is similar to VirtualCopy, except VirtualCopyEx requires handles to the source and destination process. For more information about this function, see VirtualCopy.

Requirements
Header: pkfuncs.h
Library: coredll.lib
Windows Embedded CE: Windows Embedded CE 6.0 and later

VirtualSetAttributes

This function enables driver developers to change the per-page attributes for a range of virtual memory, which is usually copied from a physical location not known to the kernel. This function can be called only in kernel mode.

Syntax

BOOL VirtualSetAttributes(
LPVOID lpvAddress,
DWORD cbSize,
DWORD dwNewFlags,
DWORD dwMask,
LPDWORD lpdwOldFlags
);
Parameters
lpvAddress
[in] The start address of the virtual memory to be changed.

cbSize
[in] The length, in bytes, of the virtual memory to be changed.

dwNewFlags
[in] Specifies the new value of the bits to be set.

dwMask
[in] Specifies which bits are to be changed.

lpdwOldFlags
[in] If this parameter is not NULL, *lpdwOldFlags contains the original value of the page entry of the first page upon return.

Return Value
TRUE indicates success. FALSE indicates failure.

Remarks
The dwMask parameter specifies the bits to be changed. For example, if the original value is 0x00100010, dwMask is set to 0x30, and dwNewFlags is set to 0x030, the new value will be 0x00100030. The new value is calculated using the following formula:

newValue = (oldValue & ~dwMask)|(dwNewFlags & dwMask);
If dwMask is set to zero, it behaves like a query function. This means that nothing is changed, and the original page entry is returned through lpdwOldFlags.

Note:
Do not change the physical page number, which includes bits 10 through 31 for most CPUs. Otherwise, it causes unexpected system behavior.
The VirtualSetAttributes function changes the translation look-aside buffer (TLB) entry directly. The calling function should be aware of what CPU architecture it is running on and which attributes to change.

The VirtualSetAttributes function can be used on the x86 and XScale microprocessors to speed up the display buffer.

The VirtualSetAttributes function does not work on SHx processors.

Requirements
Header: pkfuncs.h
Library: coredll.lib
Windows Embedded CE: Windows CE .NET 4.1 and later

---------- Post added at 09:52 PM ---------- Previous post was at 09:24 PM ----------

http://www.e-consystems.com/WindowsCE5vs6.asp

Hi spavlin. Have you got the <pkfuncs.h> file for (any) WP7 device? I am working on a kernel mode driver, but power functions etc. are OEM dependent. My first attempt (will enable physical memory access only) will use a little subset of pk functions designed inline in my own <pkfuncs.h>, but we probably need the OEM originals for full device kernel access. M.
 
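Two of the remarks in the MSDN excerpts above deserve a worked check: the VirtualAllocCopyEx note that a buffer which is not page-aligned exposes surrounding page data to whoever receives the mapping, and the VirtualSetAttributes formula newValue = (oldValue & ~dwMask)|(dwNewFlags & dwMask) together with its note not to touch the physical page number bits. The C below is an added example, not Microsoft's code and not from Martin7Pro's driver; it assumes a 4 KB page size and the "bits 10 through 31" PFN layout the note gives for most CPUs, and runs on any host because it only does the arithmetic:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE 4096u   /* assumed page size for this example */

/* Page-rounded span that a VirtualAllocCopyEx of [addr, addr+size) would
 * actually alias, per the MSDN remark, plus the byte counts outside the
 * caller's buffer that become visible to whoever receives the mapping. */
typedef struct {
    uint32_t start;      /* first mapped address (rounded down to a page)  */
    uint32_t end;        /* one past the last mapped address (rounded up)  */
    uint32_t leading;    /* exposed bytes before the buffer                */
    uint32_t trailing;   /* exposed bytes after the buffer                 */
} page_span_t;

page_span_t page_span_for(uint32_t addr, uint32_t size)
{
    page_span_t s;
    uint32_t last = addr + size;                          /* exclusive end */
    s.start    = addr & ~(PAGE_SIZE - 1u);
    s.end      = (last + PAGE_SIZE - 1u) & ~(PAGE_SIZE - 1u);
    s.leading  = addr - s.start;
    s.trailing = s.end - last;
    return s;
}

/* Total bytes outside the buffer that the mapping would expose. */
uint32_t page_span_exposed(uint32_t addr, uint32_t size)
{
    page_span_t s = page_span_for(addr, size);
    return s.leading + s.trailing;
}

/* The MSDN mitigation: page-aligned start and a whole number of pages. */
bool buffer_is_page_safe(uint32_t addr, uint32_t size)
{
    return size != 0u && (addr % PAGE_SIZE) == 0u && (size % PAGE_SIZE) == 0u;
}

/* Formula from the VirtualSetAttributes remarks; dwMask == 0 changes nothing. */
uint32_t vsa_new_value(uint32_t oldValue, uint32_t dwNewFlags, uint32_t dwMask)
{
    return (oldValue & ~dwMask) | (dwNewFlags & dwMask);
}

/* Bits 10..31 hold the physical page number "for most CPUs" (MSDN note);
 * a mask that touches them would retarget the page, so refuse it. */
#define VSA_PFN_BITS 0xFFFFFC00u

bool vsa_mask_is_safe(uint32_t dwMask)
{
    return (dwMask & VSA_PFN_BITS) == 0u;
}

int main(void)
{
    /* Constructed sample buffer: 32 bytes starting 16 bytes into a page. */
    page_span_t s = page_span_for(0x00001010u, 32u);
    printf("buffer 0x1010+32 maps 0x%08x..0x%08x, exposing %u bytes before and %u after\n",
           s.start, s.end, s.leading, s.trailing);

    /* The worked example from the MSDN remarks: 0x00100010 -> 0x00100030. */
    printf("VirtualSetAttributes: 0x%08x\n", vsa_new_value(0x00100010u, 0x030u, 0x30u));
    printf("mask 0x30 safe: %d, mask 0x400 safe: %d\n",
           vsa_mask_is_safe(0x30u), vsa_mask_is_safe(0x400u));
    return 0;
}
```

A 32-byte buffer that starts 16 bytes into a page drags a whole 4 KB page into the alias, so 4064 bytes that were never meant to be shared become readable by the receiving process; only a page-aligned, page-multiple buffer exposes nothing extra. The mask check is the guard the note asks for: the attribute bits live below bit 10, and anything above that is the frame number.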

Martin7Pro

Senior Member
Oct 23, 2011
385
363
htc7pro.howto.cz
Still no success

I created and deployed the driver, set the registry values, restarted the phone and tried to load the driver by requesting the "fake stream". The driver is not loaded. When I use the same request for any other builtin driver, all is OK. I created the driver without PB and OEM libraries, only with the /DRIVER linker flag. Is it possible? How can I get a dll with the System and Kernel flags set? I will clean the project code and publish it here.
 

ultrashot

Inactive Recognized Developer
May 26, 2009
1,478
2,046
St.Petersburg
I created and deployed the driver, set the registry values, restarted the phone and tried to load the driver by requesting the "fake stream". The driver is not loaded. When I use the same request for any other builtin driver, all is OK. I created the driver without PB and OEM libraries, only with the /DRIVER linker flag. Is it possible? How can I get a dll with the System and Kernel flags set? I will clean the project code and publish it here.
You don't really need /DRIVER linker flag. Default DLL config is almost good, though you have to enable DEP support, set large address awareness and add WP7's coredll.lib to input static libs.
 

Martin7Pro

Senior Member
Oct 23, 2011
385
363
htc7pro.howto.cz
Kernel mode driver

You don't really need /DRIVER linker flag. Default DLL config is almost good, though you have to enable DEP support, set large address awareness and add WP7's coredll.lib to input static libs.
Hi ultrashot. Thanks for the help. I do not understand exactly. Can you look at (and repair, if you have time) the attached code (VS2008+WM6SDK used)? Doesn't it expect any certificates too? The driver registration can also be wrong:

[HKEY_LOCAL_MACHINE\Drivers\BuiltIn\KMDriver]
"Order"=dword:00000004
"DeviceArrayIndex"=dword:00000002
"Flags"=dword:00000010
"IClass"=multi_sz:"{A32942B7-920C-486b-B0E6-92A702A99B35}"
"Prefix"="KMD"
"Dll"="KMDriver.dll"
"Index"=dword:1

This is based on the IOCTL driver from the post above; kernel mode callbacks are not finished yet. Flags are set to user mode in the registry settings now (0x10); I am afraid to use a kernel mode driver on a phone without a backup. After doing a backup I will try "Flags"=0 and IOCTL/physical memory function calling.
I do not know how to debug the kernel or a driver; there is simple diagnostic text file writing. According to it, KMD_Init is called from UDevice.exe, so the driver in user mode seems to be working. I forgot to add the definition file to the project settings when cleaning the code; this was probably the cause of the whole malfunction.

Output:

KMD_Init
pDriverContext->Instance 2
KMD_Init Success
KMD_Open
KMD_IoControl default, dwCode=1
KMD_IoControl default, dwCode=10303FF
KMD_IoControl default, dwCode=10303FF
KMD_Close
KMD_Open
KMD_IoControl default, dwCode=1
KMD_Close
KMD_Open
KMD_IoControl default, dwCode=1
KMD_Close

Do you know who calls the XXX_IoControl function with dwCode=10303FF, and why?
 
Last edited:

Martin7Pro

Senior Member
Oct 23, 2011
385
363
htc7pro.howto.cz
Thanks. This is probably OK now; I forgot to close the stream handle in the older version of the calling application before creating a new one. Can I prevent it within the driver?

Do you think it is safe to try this driver (newest source attached) in kernel mode? What will occur when the driver crashes in the XXX_Init function? Doesn't it cause a phone brick (repeated restarts), when all kernel drivers are launched from NK.exe? I am not sure if a kernel exception does not call restart automatically. Is this behaviour dependent on registry values (I saw something related in the registry editor, but I do not remember where)?

Can I use any dwCode values for my own operations, or are all values predefined like IOCTL_PSL_NOTIFY? I found this list only.

How do I do it, please? I could not find anything related to WP/CE6, only desktop Windows MSDN.

set large address awareness
The same issue. How to do it in a WP application? Is Platform Builder needed? Or is it some compiler/linker switch in the project?

add WP7's coredll.lib
May I use coredll7.lib from your OMXCDLL source? Is there only one coredll.dll for both modes (I could not find kcoredll on my phone)? Or extract coredll.dll from Ansar's signed ROM and use impdef.exe or dumpbin.exe and lib.exe? Lib.exe seems not to work on my computer for ARM compiled dlls. I designed the project as a WM6 dll. Won't any duplications occur when coredll.lib is added?

Do you know, how to add extra partition to WP7 phone SD card?

EDIT: Attachment removed, actual source code is here.
 
Last edited:
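Decoding the dwCode values from the diagnostic output above, as an added example that is neither Martin7Pro's driver code nor the CE SDK's. The CTL_CODE bit layout is the one Windows headers use; FILE_DEVICE_PSL (259) and the IOCTL_PSL_NOTIFY definition are from the Windows CE SDK as I know it, not quoted in this thread; the private device type and IOCTL_KMD_PING are hypothetical. 0x10303FF decodes to device type 0x103, function 255, METHOD_NEITHER, which is exactly IOCTL_PSL_NOTIFY, the notification the kernel sends a stream driver when a client process or thread that holds its handle exits, which fits the unclosed-handle symptom discussed above. The dispatcher shows the defensive shape of XXX_IOControl: handle the codes you defined, acknowledge the PSL notification, reject everything else:

```c
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE bit layout shared by Windows NT and Windows CE headers:
 * bits 31..16 device type, 15..14 required access, 13..2 function, 1..0 method. */
#define CTL_CODE(DeviceType, Function, Method, Access)              \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) | \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

#define METHOD_BUFFERED  0u
#define METHOD_NEITHER   3u
#define FILE_ANY_ACCESS  0u

/* From the CE SDK as I know it (not quoted in the thread). */
#define FILE_DEVICE_PSL   259u
#define IOCTL_PSL_NOTIFY  CTL_CODE(FILE_DEVICE_PSL, 255u, METHOD_NEITHER, FILE_ANY_ACCESS)

/* Hypothetical private codes for an example driver; device types from 0x8000
 * and function numbers from 0x800 are the conventional vendor range I assume. */
#define FILE_DEVICE_KMD_EXAMPLE 0x8000u
#define IOCTL_KMD_PING CTL_CODE(FILE_DEVICE_KMD_EXAMPLE, 0x800u, METHOD_BUFFERED, FILE_ANY_ACCESS)

typedef struct { uint32_t device, access, function, method; } ioctl_parts_t;

/* Split a dwCode back into its CTL_CODE fields. */
ioctl_parts_t ioctl_decode(uint32_t code)
{
    ioctl_parts_t p;
    p.device   = (code >> 16) & 0xFFFFu;
    p.access   = (code >> 14) & 0x3u;
    p.function = (code >> 2)  & 0xFFFu;
    p.method   =  code        & 0x3u;
    return p;
}

typedef enum { KMD_REJECTED = 0, KMD_PSL_NOTIFY, KMD_PRIVATE } kmd_result_t;

/* What an XXX_IOControl dispatcher should do: recognise the kernel's PSL
 * notification, recognise its own codes, reject everything else rather
 * than acting on a code it did not define. */
kmd_result_t kmd_dispatch(uint32_t dwCode)
{
    switch (dwCode) {
    case IOCTL_PSL_NOTIFY: return KMD_PSL_NOTIFY;
    case IOCTL_KMD_PING:   return KMD_PRIVATE;
    default:               return KMD_REJECTED;
    }
}

int main(void)
{
    /* The two codes seen in the diagnostic output above. */
    const uint32_t seen[] = { 0x1u, 0x10303FFu };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        ioctl_parts_t p = ioctl_decode(seen[i]);
        printf("dwCode=0x%X: device 0x%X function %u method %u -> %d\n",
               seen[i], p.device, p.function, p.method, (int)kmd_dispatch(seen[i]));
    }
    return 0;
}
```

dwCode=1 decodes to device 0, function 0, method 1 and is rejected by the dispatcher; it matches nothing the example driver defines, so the right reaction is the "default" branch the log already shows, not an attempt to interpret it.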

Top Liked Posts

    Hi
    * Please help keep the noise level low: Don't ask for ETA (stuff will be announced), use Thanks buttons to say thx, etc.
    * This will work on "fully unlocked" WP7 devices only and is not limited to specific phones

    thx, dcordes

    HaRET (Handhelds Reverse Engineering Tool) has been used on smartphones and PDAs with previous WinCE (Windows Mobile) versions to

    * boot the Linux kernel (=> use Linux based OS like Android)
    * obtain information about hardware and software (=> reverse engineering) in order to accordingly modify the Linux kernel (drivers).

    Famous HTC devices that are capable of running HaRET are the QSD8250 based HTC HD2 and a wide range of MSM7xxA based phones like the diamond, raphael and touch pro 2.

    WP7 is and will be shipped on many devices with quality hardware. In order to be able to run Linux on these, a novel aim is to investigate the use of HaRET on WP7 based devices. WP7 is known to possess several mechanisms to prevent this.

    A discussion about the problem has been started on the official HaRET development mailing list by Jaxbot:
    http://lists.linuxtogo.org/pipermail/haret-devel/2012-January/000150.html
    You need to send a subscription mail in order to write to the list. The original creators of HaRET as well as many good developers with low level skills (from XDA: Cotulla, NetRipper, cr2) are subscribed to it but maybe not many of them have access to a WP7 device.

    HaRET source code repository with history:
    http://git.linuxtogo.org/?p=groups/haret/haret.git

    Documentation of the HaRET project (publicly accessible wiki):
    http://htc-linux.org/wiki/index.php?title=HaRET
    See http://htc-linux.org/wiki/index.php?title=HaRET/Documentation#Development for how to compile.

    We should discuss the technical possibilities and challenges (if any :cool:) about this project in this thread.

    Update: Lots of insight has been gained. Since progress is rapid, updates are not listed here yet. Please read the full thread for now.
    Delay

    Sorry for the delay. I have had the phone unused since last using HaRET, then I did:

    1. Full internal memory cleaning.
    2. SD card changing to 32GB class 10 (I can recommend it for everybody). One screw was lying on the table after the repair and I do not know where it belongs :).
    3. Data restoring (big thanks to Ultrashot).
    4. Actualisations (unfortunately, Microsoft is lying again, the phone with 8860+8862 updates under LockScreen very quickly discharged too, all livetiles closing helps only). I hope we will have WM6, Ubuntu or RT on our WP7 devices in near future. My very old S80 devices knew how much more and lasted a week on a single charge.
    5. Finishing WP7 native FTP Client library, you are welcome for testing.

    Next weak I have very much work in a occupation, but I hope I will send to Jessenic much HaRET updates next weakend.
    8
    VS

    Now I have got the HaRET incremental version working under Visual Studio 2008. It is compiled by cygwin/make, deployed to the device and started under the debugger, all from the VS IDE. All output (Warning, Information, Error) is redirected to the VS Output window. For example now (instead of MessageBox):
    ...
    KMD1: 0xD9456944 $device\KMD1 Drivers\BuiltIn\KMDriver $bus\KMD1
    ListRunningDrivers(KMD1:) returns HANDLE 0xD9456944
    Load module: toolhelp.dll
    WP7RunInKernelMode(kmodedll.dll, KGetProcInfo, 0x39F248, 1, 0x39F274, 576, 0x39F180, 198)
    DeviceIoControl returns 1
    Error: 'Haret is not running in 'system' mode. Major functionality will not be present.'
    Load module: WindowTreeUpdater.dll
    ...
    WP7VirtualAlloc, WP7VirtualFree, WP7VirtualCopy are used instead of VirtualAlloc, VirtualFree, VirtualCopy. But, judging by the error message, I think a big part of the cpu.cpp module must be transferred to kmode_dll.cpp.

    Code:
    // Get Program Status Register value. MRS on CPSR is only meaningful in a
    // privileged mode, which is why this runs inside the kernel-mode DLL and
    // not in the HaRET process itself.
    static inline uint32 cpuGetPSR(void) {
        uint32 val;
        asm volatile("mrs %0, cpsr" : "=r" (val));
        return val;
    }

    // Kernel-side entry point reached through WP7RunInKernelMode() ->
    // DeviceIoControl(). Both buffers come from the user-mode caller, so the
    // output length is validated before the driver writes through the pointer.
    unsigned long KcpuGetPSR(unsigned char * InStructurePointer,
            unsigned long InStructureLength, unsigned char * OutStructurePointer,
            unsigned long OutStructureLength) {

        TRACE_SAVE(L"KcpuGetPSR(0x%X, %d, 0x%X, %d)\n", InStructurePointer,
                InStructureLength, OutStructurePointer, OutStructureLength);

        if (OutStructurePointer && sizeof(uint32) == OutStructureLength)
        {
            uint32 * pRes = (uint32 *) OutStructurePointer;

            *pRes = cpuGetPSR();

            TRACE_SAVE(L"cpuGetPSR() returns 0x%X\n", *pRes);

            return ERROR_SUCCESS;
        }
        // Caller passed a missing or wrongly sized output buffer.
        return ERROR_INVALID_PARAMETER;
    }

    After that:
    ...
    KMD1: 0xD9456944 $device\KMD1 Drivers\BuiltIn\KMDriver $bus\KMD1
    ListRunningDrivers(KMD1:) returns HANDLE 0xD9456944
    Load module: toolhelp.dll
    WP7RunInKernelMode(kmodedll.dll, KGetProcInfo, 0x21EF248, 1, 0x21EF274, 576, 0x21EF180, 198)
    DeviceIoControl returns 1
    WP7RunInKernelMode(kmodedll.dll, KcpuGetPSR, 0x21EF378, 1, 0x21EF374, 4, 0x21EF2AC, 198)
    DeviceIoControl returns 1
    Load module: WindowTreeUpdater.dll
    ...


    KGetProcInfo(0x21F1CE4, 1, 0x21F1F00, 576)
    pinfo filled, GetProcInfo returns ERROR_SUCCESS
    wVersion = 1
    szProcessCore = Snapdragon
    wCoreRevision = 0
    szProcessorName = QSD8250
    wProcessorRevision = 0
    szCatalogNumber =
    szVendor = QUALCOMM
    dwInstructionSet = 0
    dwClockSpeed = 998
    KcpuGetPSR(0x21F5CE4, 1, 0x21F5F00, 4)
    cpuGetPSR() returns 0x2000011F

    KMD_Open
    KMD_Open
    KMD_IoControl entry, dwCode=9
    KMD_IoControl WP7_DLL_CALL, dwCode=9
    Function kmodedll.dll::KGetProcInfo returns 0
    KMD_IoControl returned 1
    KMD_IoControl entry, dwCode=6
    KMD_IoControl IOCTL_WP7_ALLOC_ADDRESS, dwCode=6
    Function VirtualAllocEx(0x42,0x0,65536,0x2000,0x1) returns D97A0000
    KMD_IoControl returned 1
    KMD_IoControl entry, dwCode=8
    KMD_IoControl IOCTL_WP7_COPY_ADDRESS, dwCode=8
    Function VirtualCopy(0xD97A0000,0xAC0000,65536,0x604) returns 1
    KMD_IoControl returned 1
    KMD_IoControl entry, dwCode=6
    KMD_IoControl IOCTL_WP7_ALLOC_ADDRESS, dwCode=6
    Function VirtualAllocEx(0x42,0x0,65536,0x2000,0x1) returns D9EE0000
    KMD_IoControl returned 1
    KMD_IoControl entry, dwCode=8
    KMD_IoControl IOCTL_WP7_COPY_ADDRESS, dwCode=8
    Function VirtualCopy(0xD9EE0000,0xA90000,65536,0x604) returns 1
    KMD_IoControl returned 1
    KMD_IoControl entry, dwCode=6
    KMD_IoControl IOCTL_WP7_ALLOC_ADDRESS, dwCode=6
    Function VirtualAllocEx(0x42,0x0,65536,0x2000,0x1) returns DA020000
    KMD_IoControl returned 1
    KMD_IoControl entry, dwCode=8
    KMD_IoControl IOCTL_WP7_COPY_ADDRESS, dwCode=8
    Function VirtualCopy(0xDA020000,0xA91000,65536,0x604) returns 1
    KMD_IoControl returned 1
    KMD_IoControl entry, dwCode=9
    KMD_IoControl WP7_DLL_CALL, dwCode=9
    Function kmodedll.dll::KcpuGetPSR returns 0
    KMD_IoControl returned 1


    Function kmodedll.dll::KFunctionName returns 0 means SUCCESS (nonzero is an error code); for the other calls, nonzero means OK (zero is FALSE or 0 bytes).

    The console works for me now:
    NLEDSET 0 1 // Start vibration
    NLEDSET 0 0 // Stop vibration
    But very many directives must still be reimplemented via driver calls.


    A better way than redefining the functions one by one will be adjusting the DEF_GETCPR and DEF_SETCPR macros to use the kernel driver.

    I tried to port PocketPutty for WM to communicate on a WP7 device. But Putty.exe does not reach the WinMain function. Does anybody know why the entry point might not be called? It is probably due to a missing linked DLL or function in WP7.

    I also tried to connect from a Silverlight Telnet client to a second device with HaRET and WiFi internet tethering running. But the message is "The remote host is actively refusing a connection" on the related IP (192.168.33.1) and all ports (not only 9999). Does anybody know whether Telnet is theoretically available over a WiFi tethered connection?
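A decoder for the two kinds of values that appear in the trace above, added here as an example; it is not part of HaRET and not the poster's code. It applies the CPSR bit layout from the ARM Architecture Reference Manual and the Windows CE PAGE_* flag values to the logged numbers: 0x2000011F decodes to System mode (privileged, IRQ and FIQ unmasked, ARM state, only the C flag set), which is consistent with the 'system mode' error going away once the PSR is read from inside the kernel driver; and the VirtualCopy calls with flags 0x604 (PAGE_PHYSICAL | PAGE_NOCACHE | PAGE_READWRITE) map 64 KB of the physical regions 0xAC000000, 0xA9000000 and 0xA9100000 into the caller's address space, uncached and writable (with PAGE_PHYSICAL the source argument is the physical address shifted right by 8 bits). The constant names are assumptions: they follow the Windows CE SDK headers but are prefixed CE_ here so the file also builds with a desktop toolchain.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ARM CPSR bit layout (ARM Architecture Reference Manual). */
#define CPSR_MODE_MASK  0x1Fu       /* M[4:0]: processor mode           */
#define CPSR_T          (1u << 5)   /* Thumb state                      */
#define CPSR_F          (1u << 6)   /* FIQ masked when set              */
#define CPSR_I          (1u << 7)   /* IRQ masked when set              */
#define CPSR_V          (1u << 28)  /* condition flags NZCV             */
#define CPSR_C          (1u << 29)
#define CPSR_Z          (1u << 30)
#define CPSR_N          (1u << 31)

#define MODE_USR 0x10u
#define MODE_FIQ 0x11u
#define MODE_IRQ 0x12u
#define MODE_SVC 0x13u
#define MODE_MON 0x16u
#define MODE_ABT 0x17u
#define MODE_UND 0x1Bu
#define MODE_SYS 0x1Fu

static uint32_t cpsr_mode(uint32_t cpsr) { return cpsr & CPSR_MODE_MASK; }

static const char *cpsr_mode_name(uint32_t cpsr)
{
    switch (cpsr_mode(cpsr)) {
    case MODE_USR: return "usr";
    case MODE_FIQ: return "fiq";
    case MODE_IRQ: return "irq";
    case MODE_SVC: return "svc";
    case MODE_MON: return "mon";
    case MODE_ABT: return "abt";
    case MODE_UND: return "und";
    case MODE_SYS: return "sys";
    default:       return "unknown";
    }
}

/* Every mode except User is privileged: CP15 access (MRC/MCR), CPSR writes
 * and the physical mappings HaRET needs are only reachable from these. */
static int cpsr_is_privileged(uint32_t cpsr) { return cpsr_mode(cpsr) != MODE_USR; }
static int cpsr_irq_enabled(uint32_t cpsr)   { return (cpsr & CPSR_I) == 0; }
static int cpsr_fiq_enabled(uint32_t cpsr)   { return (cpsr & CPSR_F) == 0; }
static int cpsr_thumb(uint32_t cpsr)         { return (cpsr & CPSR_T) != 0; }

/* Windows CE page protection flags as passed to VirtualCopy(); names are
 * assumed to follow the CE SDK, prefixed CE_ to avoid Win32 clashes. */
#define CE_PAGE_READONLY   0x002u
#define CE_PAGE_READWRITE  0x004u
#define CE_PAGE_NOCACHE    0x200u
#define CE_PAGE_PHYSICAL   0x400u   /* source is a physical address >> 8 */

/* With PAGE_PHYSICAL the source argument is the physical address shifted
 * right by 8, so the trace value 0xAC0000 denotes physical 0xAC000000. */
static uint32_t virtualcopy_phys_addr(uint32_t src, uint32_t flags)
{
    return (flags & CE_PAGE_PHYSICAL) ? (src << 8) : src;
}
static int virtualcopy_is_uncached(uint32_t flags) { return (flags & CE_PAGE_NOCACHE) != 0; }
static int virtualcopy_is_writable(uint32_t flags) { return (flags & CE_PAGE_READWRITE) != 0; }

static void describe_cpsr(uint32_t cpsr)
{
    printf("CPSR 0x%08lX: mode=%s (%s) irq=%s fiq=%s state=%s flags=%c%c%c%c\n",
           (unsigned long)cpsr, cpsr_mode_name(cpsr),
           cpsr_is_privileged(cpsr) ? "privileged" : "unprivileged",
           cpsr_irq_enabled(cpsr) ? "on" : "masked",
           cpsr_fiq_enabled(cpsr) ? "on" : "masked",
           cpsr_thumb(cpsr) ? "thumb" : "arm",
           (cpsr & CPSR_N) ? 'N' : '-', (cpsr & CPSR_Z) ? 'Z' : '-',
           (cpsr & CPSR_C) ? 'C' : '-', (cpsr & CPSR_V) ? 'V' : '-');
}

static void describe_copy(uint32_t dst, uint32_t src, uint32_t len, uint32_t flags)
{
    printf("VirtualCopy: virt 0x%08lX <- phys 0x%08lX len %lu %s%s\n",
           (unsigned long)dst, (unsigned long)virtualcopy_phys_addr(src, flags),
           (unsigned long)len,
           virtualcopy_is_writable(flags) ? "rw" : "ro",
           virtualcopy_is_uncached(flags) ? " uncached" : "");
}

int main(void)
{
    /* Values copied from the trace in the post above. */
    describe_cpsr(0x2000011Fu);
    describe_copy(0xD97A0000u, 0xAC0000u, 65536u, 0x604u);
    describe_copy(0xD9EE0000u, 0xA90000u, 65536u, 0x604u);
    describe_copy(0xDA020000u, 0xA91000u, 65536u, 0x604u);
    return 0;
}
```

The practical check this gives: if the PSR read back from the driver shows mode 0x10, the IOCTL path did not actually run privileged and the CP15 and VirtualCopy calls that follow will fault or be refused; and a PAGE_PHYSICAL | PAGE_READWRITE mapping of a peripheral range handed back to an unprivileged process is equivalent to giving that process the hardware, which is exactly why the post says the result can require a hard reset.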
    Thread Cleaned

    Please only post if you have something to contribute. Also, please avoid posting thank-you messages; we have a "thanks" button for that.

    Stop with the ETA posts, it just annoys the good developers. Just be grateful for the work they do!

    Does this work with devices unlocked with WP7 Root Tools? If yes, I will always be ready to test it on my Omnia W.

    Prahlad

    Yes, I have got the latest HaRET version running in kernel mode with full hardware and physical memory access too. Any unlock needed. But my HTC7Pro needed a hard reset to unbrick after using this version, so I think it is too dangerous when you like your phone. Only one function was successfully tested before the HR: vibration on/off low-level switching. I have an idea to make a safe HaRET equivalent, but that requires finishing my other related projects and I am too busy now. Does no C++ coder here want my unfinished code? Especially the shell/batch interpreter with registry export/import/backup and simple adding of new directives (may be used for defining your own macro language too), pipes for easy interprocess communication (unmanaged/managed too), a native WP7 installer with a plugin system and a low-level system scheduler are projects near to finishing. Any C++ student with free time could finish it all relatively quickly.