[PROJECT] HaRET on WP7

dcordes said:

Thanks for this insight, minDark. may I ask how you found out about the missing dependencies?
It's not so nice that the kernel mode function is missing in WP7. How are we going to start the kernel without it?
I did as you proposed and compiled haret.exe without it. I just commented out lines containing setkmode. But I didn't change the ordinals stuff because I have no idea what that is.

no-kmode haret.exe with minDark's proposed kmode patch is attached. Any WP7 device owners welcome to test.

diff to current haret.git HEAD:

Code:

haret$ git diff
diff --git a/src/memory.cpp b/src/memory.cpp
index ccba659..53c0826 100644
--- a/src/memory.cpp
+++ b/src/memory.cpp
@@ -320,7 +320,7 @@ err:  VirtualFree (pmWindow, 0, MEM_RELEASE);
   if (slot >= PHYS_CACHE_COUNT)
   {
     // Go into supervisor mode
-    SetKMode (TRUE);
+//    SetKMode (TRUE);
     cli ();
     cpuFlushCache ();
 
@@ -333,7 +333,7 @@ err:  VirtualFree (pmWindow, 0, MEM_RELEASE);
 
     // Back to user mode
     sti ();
-    SetKMode (FALSE);
+//    SetKMode (FALSE);
   }
 
   // Move least recently used slot to front
@@ -354,12 +354,12 @@ void memPhysReset ()
   if (pmInited)
   {
     // Go into supervisor mode
-    SetKMode (TRUE);
+//    SetKMode (TRUE);
     cpuFlushCache ();
     // Restore the page table entries
     for (int i = 0; i < 16 * PHYS_CACHE_COUNT; i++)
       pmPT [i] = pmOldPT [i];
-    SetKMode (FALSE);
+//    SetKMode (FALSE);
 
     VirtualFree (pmL2PT, 0, MEM_RELEASE);
     VirtualFree (pmWindow, 0, MEM_RELEASE);
diff --git a/src/wince/output.cpp b/src/wince/output.cpp
index cc65d40..e4be7ed 100644
--- a/src/wince/output.cpp
+++ b/src/wince/output.cpp
@@ -276,9 +276,9 @@ prepThread()
     // All wince 3.0 and later machines are automatically in "kernel
     // mode".  We enable kernel mode by default to make older PDAs
     // (ce2.x) work.
-    Output("Setting KMode to true.");
-    int kmode = SetKMode(TRUE);
-    Output("Old KMode was %d", kmode);
+//    Output("Setting KMode to true.");
+//    int kmode = SetKMode(TRUE);
+//    Output("Old KMode was %d", kmode);
 }
 
 // Initialize the haret application.

Click to expand...

Click to collapse

No dice on this one, either. I'm trying to get crash logs from the device to see if we can get some better pointers.

Have deployed it to my HD7 , after opening the .exe the Vibration goes on for 10 sek. and closed the touchXplorer that's all

haret-nokmode.exe is not a valid Win32 application.I'm using 64bit win7. with Intrinsic custom rom HD7.

@dcordes: It's something wrong with your compiler, try to do static compile or use an older version of mingw gcc. Your recompiled version of haret still depends on libgcc_s_sjlj-1.dll and it's ok about SetKmode. About import table, you can use any Win32 PE file editor to find dependencies, i use CFF File explorer (written by Daniel Pistelli, windows only), this is a good tool because it has Net Framework support also and you can rebuild the import table. About functions ordinals, I do not think is so important.

dcordes said:

Many thanks.

Compiled haret.exe from same source as above (same diff) with cegcc-mingw32ce-0.55

Didn't look into import table => Win32 PE file editor yet. Hope there is one for Linux.

Can somebody test the attached exe?

(btw, I would test myself but currently HD2 is my day2day phone)

thx

Click to expand...

Click to collapse

Some progress

(Ignore the background, I use dll import to launch it, just because I have a lot of scratch code on there).

The GUI doesn't load, but the process stays running in the background.

dcordes said:

cool you could mess around with startup.txt a bit. I attached the files I used to create the experimental linload. the current startup.txt will try booting the zImage (it's hd2 'evo kernel' see above) but without the kmode I fear it won't get that far. You could try some other stuff though, e.g. touch earlyharetlog.txt again and see if you get the haretlog.txt out of it now. If that works you could try placing some commands in startup.txt

Click to expand...

Click to collapse

This gives me "Failed to lock 1341 pages (code 6)"

dcordes said:

cool you could mess around with startup.txt a bit. I attached the files I used to create the experimental linload. the current startup.txt will try booting the zImage (it's hd2 'evo kernel' see above) but without the kmode I fear it won't get that far. You could try some other stuff though, e.g. touch earlyharetlog.txt again and see if you get the haretlog.txt out of it now. If that works you could try placing some commands in startup.txt

Click to expand...

Click to collapse

Failed to lock 1341 pages (code 6)

and haRET is running not exit.

i made a haRET loader, to make more people can easy test.

copy new haRET.exe and kernel image start script to haRET folder of xap file.

then deploy haRET_Loader.xap to your device, run it and press the load haRET button,if any err there will be a MessageBox to show them.

dcordes said:

without the kmode I fear it won't get that far.

Click to expand...

Click to collapse

I found something interesting: http://xdaforums.com/showthread.php?t=1453343 with this we can take kernel permissions for haret and move the app to TCB room.
P.S: The latest recompiled version of haret seems to be ok.

===========================================
htcleo MACH_HTCLEO HTCLEO 2524
------------------------------------------
htcmozart MACH_HTCMOZART HTCMOZART 3544
------------------------------------------
htcgold MACH_HTCGOLD HTCGOLD 3545
===========================================

dcordes said:

Awesome, this sounds like what we need. I downloaded the .zip and to me it looks very complicated and I have no clue where to begin. Will this permanently give us kernel mode or will we insert the functions where setkmode was ?

Is the "cannot lock n pages" due to missing permission to access protected mem induced by lack of kmode when nokmode-haret tries to start kernel ?

Click to expand...

Click to collapse

I was under the impression that we wouldn't need to elevate privileges, as we're already running a native application on a rooted device (if it weren't rooted like this, we wouldn't be able to run it).
I may be wrong, though.

Not sure about the cannot lock n pages, though.

Oh, by the way. Since it's running, but we have no GUI... would it be possible to make it autostart the telnet server?

Ok,
I manage to install it to my hd7 but when i click Load haRET it says error Haret is not running in 'system' mode.Major functionality will not be present.

as for gui: you should call either windowtreeupdater or directly frame.dll

windowtreeupdater.dll way:
usage:

don't call UpdateWindowTree, it isn't needed.

frame.dll way is much more complicated since it requires to rewrite wndproc of all windows to treat WM_GESTURE messages as WM_LBUTTONDOWN/WM_LBUTTONUP.

htcutility-kernmem_2011-11-10

HTC MOZART NhatHoa-CustomRom V9 8107

===== HaRET pre-0.5.3-20120209_233258 =====
Finished initializing output
Loading dynamically bound functions
Function 'AllocPhysMem' in library 'coredll' at 0x4079e059
Function 'FreePhysMem' in library 'coredll' at 0x4079e089
Unable to load library 'gx'
Unable to load library 'gx'
Unable to load library 'gx'
Unable to load library 'gx'
Function 'LoadLibraryExW' in library 'coredll' at 0x407ca9f4
Function 'NLedSetDevice' in library 'coredll' at 0x407a7269
Function 'GetSystemPowerStatusEx2' in library 'coredll' at 0x4076d059
Function 'SleepTillTick' in library 'coredll' at 0x4079e0b5
Function 'CreateToolhelp32Snapshot' in library 'toolhelp' at 0x421a1079
Function 'CloseToolhelp32Snapshot' in library 'toolhelp' at 0x421a10b1
Function 'Process32First' in library 'toolhelp' at 0x421a1131
Function 'Process32Next' in library 'toolhelp' at 0x421a1179
Function 'Module32First' in library 'toolhelp' at 0x421a1299
Function 'Module32Next' in library 'toolhelp' at 0x421a12e9
Function 'Heap32ListFirst' in library 'toolhelp' at 0x421a1351
Function 'Heap32ListNext' in library 'toolhelp' at 0x421a13fd
Function 'Heap32First' in library 'toolhelp' at 0x421a148d
Function 'Heap32Next' in library 'toolhelp' at 0x421a1561
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'clkregim'
Detecting current machine
Trying to detect machine (Plat='SmartPhone' OEM='HTC')
Wince reports processor: core=Snapdragon name=QSD8250 cat= vend=QUALCOMM
Looking at machine Alpine
Looking at machine Apache
Looking at machine AximX50
Looking at machine AximX5
Looking at machine Beetles
Looking at machine Blueangel
Looking at machine Himalaya
Looking at machine Magician
Looking at machine Universal
Looking at machine H1910
Looking at machine H1940
Looking at machine RX1950
Looking at machine H2200
Looking at machine H3600b
Looking at machine H3700
Looking at machine H3800
Looking at machine H3900
Looking at machine H4000
Looking at machine H4300
Looking at machine H5000
Looking at machine H6340
Looking at machine HX2000
Looking at machine HX4700
Looking at machine Sable
Looking at machine Wizard
Looking at machine Hermes
Looking at machine Trinity
Looking at machine Athena
Looking at machine G500
Looking at machine Artemis
Looking at machine Herald
Looking at machine Prophet
Looking at machine RX3000
Looking at machine Treo700wx
Looking at machine Treo850w
Looking at machine Treo850e
Looking at machine e310
Looking at machine e740
Looking at machine Acer_n30
Looking at machine Mio_P550
Looking at machine Kaiser
Looking at machine Loox5xx
Looking at machine Loox400
Looking at machine MioA701
Looking at machine Wallaby
Looking at machine Raphael
Looking at machine SGH_i900
Looking at machine Leo
Looking at machine Topaz
Looking at machine Rhodium
Looking at machine Jornada9xx0
Looking at machine Acer_S200
Looking at machine M800
Looking at machine X800
Looking at machine DX900
Looking at machine X900
Looking at machine M900
Looking at machine Jornada820
Looking at machine H3100
Looking at machine H3600a
Looking at machine Tornado
Looking at machine Libra
Looking at machine E4430
Looking at machine Generic Intel PXA27x
Looking at machine Generic Intel PXA
Looking at machine Generic Intel StrongArm
Looking at machine Generic TI OMAP
Looking at machine Generic TI OMAP15xx
Looking at machine Generic Samsung s3c24xx
Looking at machine Generic Samsung s3c64xx
Looking at machine Generic MSM7xxxA
Looking at machine Generic MSM7xxx
Looking at machine Generic QSD8xxx
Looking at machine FreeScale i.MX21
Looking at machine Generic Atlas
Looking at machine Generic ARM 920t
Looking at machine Generic ARM 926
Looking at machine Generic ARM v6
Looking at machine Generic ARM v7
Looking at arch Generic Intel PXA27x
Exception on arch Generic Intel PXA27x detect
Looking at arch Generic Intel PXA
Exception on arch Generic Intel PXA detect
Looking at arch Generic Intel StrongArm
Looking at arch Generic TI OMAP
Looking at arch Generic TI OMAP15xx
Looking at arch Generic Samsung s3c24xx
Looking at arch Generic Samsung s3c64xx
Looking at arch Generic MSM7xxxA
Looking at arch Generic MSM7xxx
Looking at arch Generic QSD8xxx
Detecting ram size
WinCE reports memory size 520093696 (phys=498970624 store=-1)
Mapping mmu table
Exception on mmu table lookup
Unable to map in mmu table! Many functions will not work.
Build L1 reverse map
Exception on arm6 type lookup
Found 0 uncached and 0 cached L1 mappings (ignored 0).
Not registering command IGPIO
Not registering command WG|PIO
Not registering command GPLR
Not registering command GPDR
Not registering command GAFR
Not registering command GPIO
Not registering command GPIOST
Registering command LOADLIBRARYEX
Registering command NLEDSET
Not registering command TRACE
Not registering command TRACEMASK
Not registering command TRACE2
Not registering command TRACETYPE
Not registering command TRACE2TYPE
Not registering command TRACEFORWATCH
Not registering command INSN
Not registering command INSNREENABLE
Not registering command INSNREG1
Not registering command INSNREG2
Not registering command INSN2
Not registering command INSN2REENABLE
Not registering command INSN2REG1
Not registering command INSN2REG2
Registering command KILL
Registering command PS
Registering command LSMOD
Registering command ADDR2MOD
Not registering command AC97
Not registering command ATIDBG
Not registering command EIM
Not registering command GPIO
Not registering command WB|ANK
Not registering command GPLR
Not registering command GPDR
Not registering command GPPUD
Not registering command GPSDR
Not registering command GPSPUD
Not registering command GPIOS
Not registering command GPIOSOUT
Not registering command GPIOST
Not registering command MSMCLKKHZ
Initializing for machine 'Generic QSD8xxx'
HaRET(1)# set ramaddr 0x18800000
HaRET(2)# addlist irqs p2v(0xac000080) 0x100 32 0
HaRET(3)# addlist irqs p2v(0xac000084) 0 32 0
HaRET(1)# addlist gpios p2v(0xa9000800)
HaRET(2)# addlist gpios p2v(0xa9100c00)
HaRET(3)# addlist gpios p2v(0xa9000804)
HaRET(4)# addlist gpios p2v(0xa9000808)
HaRET(5)# addlist gpios p2v(0xa900080c)
HaRET(6)# addlist gpios p2v(0xa9000810)
HaRET(7)# addlist gpios p2v(0xa9000814)
HaRET(8)# addlist gpios p2v(0xa9000818)
HaRET(9)# addlist gpios p2v(0xa9000850)
HaRET(10)# addlist gpios p2v(0xa9100c20)
HaRET(11)# addlist gpios p2v(0xa9000854)
HaRET(12)# addlist gpios p2v(0xa9000858)
HaRET(13)# addlist gpios p2v(0xa900085c)
HaRET(14)# addlist gpios p2v(0xa9000860)
HaRET(15)# addlist gpios p2v(0xa9000864)
HaRET(16)# addlist gpios p2v(0xa900086c)
HaRET(17)# addlist gpios p2v(0xa9000820)
HaRET(18)# addlist gpios p2v(0xa9100c08)
HaRET(19)# addlist gpios p2v(0xa9000824)
HaRET(20)# addlist gpios p2v(0xa9000828)
HaRET(21)# addlist gpios p2v(0xa900082c)
HaRET(22)# addlist gpios p2v(0xa9000830)
HaRET(23)# addlist gpios p2v(0xa9000834)
HaRET(24)# addlist gpios p2v(0xa9000838)
Haret is not running in 'system' mode. Major functionality will not be present.
Exception on cpu id detect
Welcome, this is HaRET pre-0.5.3-20120209_233258 running on WindowsCE v7.10
Minimal virtual address: 0x10000, maximal virtual address: 0x7fffffff
Detected machine Generic QSD8xxx/QSD8xxx (Plat='SmartPhone' OEM='HTC')
CPU is ? running in user mode
Enter 'HELP' for a short command summary.

Running WSAStartup
Starting gui
In initdialog
Found machine Generic QSD8xxx
executing startup.txt
HaRET(1)# set mtype 3544
HaRET(3)# set ramaddr 0x11800000
HaRET(4)# set ramsize 0x1E400000
HaRET(5)# set kernelcrc 0
HaRET(6)# set fbduringboot 1
HaRET(7)# set forcefbduringboot 1
HaRET(8)# dump mmu
----- Virtual address map -----
Terminating haret due to unhandled exception (pc=000218e0)

Hey, just wanted to say that this looks awesome, and if you want anything using the HtcRoot project, let me know (I'm the guy who started it).

As for the error locking pages, I'm pretty sure that's a kernel-only API, yes. The version of CE on WP7 seems to work more like a desktop OS with regard to user/kernel split - that is, it uses hardware ring levels and by default all apps get loaded into a low-privilege ring and can't control things like the memory manager.

There are Linux kernels which are designed to work entirely in userspace of another OS, so that's a possibility. Another option would be to use the HtcUtility driver (assuming your ROMs have a working version; many don't) to make changes within kernel mode. Finally, you could write a driver (not *quite* as hard as it sounds, for an unlocked ROM) that does the KMode stuff for you (i.e. you use an IOCTL to tell it "Lock me these pages" and it does so).

It depends a bit on how many kernel APIs you need to call. The list of public kernel APIs is on MSDN, along with indicators of which can be called from usermode and which can't. You can also download the CE 6.0 or 7.0 source, including the kernel and pretty much all of the standard drivers, from Microsoft. WP7's kernel appears to be somewhere between the two, though, and is not available in source.

I may also take a break from working on the policy system to look at this; it sounds very interesting and would be a fun change. I've done a bit of kernel hacking on both CE and Linux (and NT. though I doubt that's relevant).