(c) 2004 Willem Jan Hengeveld

A collection of tools to do many things to a windows CE device via
Activesync/RAPI.

These tools should work on most CE devices, tested on Ipaq, XDA-1, XDA-2,
with PocketPC 2002 and PocketPC 2003. ( wince 3.0 and wince 4.2 )

-----------------------------------------------------------------------------
INTRO:

pps            - dumps active wince processes
pdblist        - dumps wince databases
pdel           - delete wince file
pdir           - list wince directory
pmkdir         - create wince directory
pget           - copy file from wince
pkill          - kill wince process
pmemdump       - copy memory block from wince
psetmem        - set RAM memory location in your device
pmemmap        - list available memory blocks on wince
pput           - copy file to wince
pregutl        - manipulate the wince registry
regutl         - manipulate the win32 registry
prun           - run program in wince
dump           - hexdump local file.
pdebug         - capture debugoutput of processes
pdocread       - raw read of m-systems DiskOnChip devices
psdread        - raw read from sd card in your device
psdwrite       - raw write to the sd card in your device
pnewbmp        - write new bootsplash bitmap to rom
pnewbootloader - replace your bootloader
psynctime      - sync time with pc.

.... experimental stuff:

pgsmdump       - attempt at memory dumper for gsm.
pget2          - attempt at improvement of pget
tlbdump        - dumps virtual to physical memory mapping
riltest        - dumps all kinds of info from the phone via ril
pcmon          - attempt to talk 'rsupgrade'-protocol
testpi         - tool to find out what handles are open on your PPC
tsttffs        - tool to experiment with the trueffs API
tstcpu         - tool to measure cpu speed
regbk          - tool to dump registry to a file

NOTE: The experimental tools may not work, or may even cause damage.
      - Use at your own risk, and after reading the source, and making sure
        you understand what they do!!!

To build it, both the embedded vc++ and 'desktop' vc++ compiler are needed.
Some environment variables pointing to various sdks need to be set to the
correct values in mk.bat and mkarm.bat to build it correctly.

'itsutils.dll' is automatically copied to the windows directory of your CE
device when it is detected to be out of date.

A compiled version is available at
    http://www.xs4all.nl/~itsme/download/itsutils.zip
You can browse the source at
    http://viewcvs.xda-developers.com/cgi-bin/viewcvs.cgi/xdautils/

To compile, point the variables at the start of the mk.bat and mkarm.bat
scripts to the right sdks, and run them.

You need the following compilers/sdk's:
    - Microsoft Visual C++ ( version not important )
    - Microsoft Embedded Visual C++ v3.0
    - Platformbuilder v3.0

-----------------------------------------------------------------------------
USAGE:

dump.exe
    This tool is not specifically meant for use with a windows CE device.
    I use it to make hexdumps of memory dumps. If you have, for example, a
    romimage saved to a file, and the first byte in the file maps to address
    0x80000000 in the CE device, and you want to list the dwords starting at
    0x80040000, you would type something like this:

        dump -b 0x80000000 -f romimage.bin -o 0x80040000 -4 -l 0x100

itsutils.dll
    This is the workhorse for some of these tools ( pdebug, pkill, pmemdump,
    pps ). It implements an interface callable by 'CeRapiInvoke' to do
    various useful things for the world. You should copy this dll to the
    \Windows directory of your CE device, for instance using
    'pput itsutils.dll \Windows'.

pdblist.exe
    This tool provides various ways of looking at the databases stored on
    your CE device. To get a list of all databases type 'pdblist -d'. It
    lists the objectid, the database flags, the type of database, the nr of
    records, the size, the name, and the available indexes.

    Or if you know the name or id of the database you can list all records
    in this database by typing 'pdblist -d pmailMsgClasses' ( ignore the
    error message, it does not mean anything ) or 'pdblist -d 0x1001568'.
    For each record it lists the record id, size, nr of fields, and the
    fields. For each field, it lists the field id, type, length, flags and
    value.

    To just list the contents of 1 record, you can type
    'pdblist -r 0x0100156f' ( where 0100156f is the object id of the
    record ). You can also use this to list information about files.
    'pdblist -r 0' will get you info on the root directory.

pdebug.exe
    This tool attaches as a debugger to the specified process, and prints
    all debug output to the console. Unfortunately the only programs I can
    find which have debug output are my own. It may make your CE device
    become unstable. A reboot after using it will do no harm.

pdel.exe
    This tool works as 'del' under DOS. You can specify multiple files, and
    optionally a current directory with '-d' where these files should be
    deleted from. For example 'pdel -d \temp tst1.txt tst2.txt' will delete
    \temp\tst1.txt and \temp\tst2.txt. You can also specify wildcards, or
    delete directories recursively.

    Sometimes the CE device gets in a state where it will not allow files
    to be deleted anymore; a reboot will usually fix this.

pdir.exe
    Lists directories from your CE device. Specify '-r' to list them
    recursively. You can specify any number of paths with wildcards to list.
    Example: 'pdir \Temp \Windows' will list both the \temp and \windows
    directories. Directories will be listed [bracketed].

pmkdir.exe
    Tool to create directories on your WinCE device.

pget.exe
    Tool to copy files from your CE device to your local machine. You may
    use wildcards or multiple filenames to specify the source files. You may
    specify a directory for the target; if no target is specified it will
    default to the current directory.
    Example: 'pget \Windows\toolhelp.dll' will copy toolhelp.dll to the
    current directory.

    This tool currently does not allow you to copy certain ROM files. See
    'dumprom' for that.

pkill.exe
    Allows you to kill one or more processes on your CE device. If multiple
    processes exist with the same name, all will be killed. If result '2' is
    reported, this means kill successful, result '1' means process found,
    but unable to kill, '0' means process not found.

pmemdump.exe
    Copies memory blocks to a local file, or just prints a hexdump on the
    console. You can specify the process context from which to read the
    memory. You can see the difference in context by dumping address
    0x11000. For instance look at the difference between:

        pmemdump -p filesys.exe 0x11000
    and
        pmemdump -p shell32.exe 0x11000

    If no context is specified, memory is read from the perspective of the
    'rapisrv.exe' process.

    You can use '-m' to read memory directly, bypassing ReadProcessMemory.
    This will crash when an invalid memory location is read.

psetmem.exe
    This is the opposite of pmemdump. You can specify an offset and a list
    of bytes, words, or dwords to write to this location. This app does not
    write to flash memory, only to RAM.

pmemmap.exe
    Produces a list of alternating 'readable' and 'unreadable' memory
    blocks.

pps.exe
    Display a list of processes currently running on your device. It also
    lists memory usage, processor usage, and commandline for each process.
    With '-m' you can specify how long it has to measure to get an accurate
    cpu usage reading. You can also see detailed thread information with
    '-t'.

pput.exe
    Like pget, but the other way around. Copies files from your local
    machine to your CE device.

pregutl.exe
    Allows you to inspect the registry of your CE device. You can specify
    the hive to display ( hkcu, hkcr, hklm ). You can also import .reg files
    using this tool, delete keys, or modify values.

regutl.exe
    The same functionality as pregutl.exe, but then for the desktop registry.

prun.exe
    Allows you to start programs on your CE device from your desktop
    machine. For instance:

        prun cprog.exe -url tel:121

    will start the phone application, and prompt you if you want to dial
    '121'.

psdread.exe
psdwrite.exe
    These can be used to do raw disk read/writes from the disk device in
    your CE device, or USB/pccard flashdisk reader ( like an MMC/SD card ).
    It defaults to using disk 1.
    ( on the XDA-II / Himalaya the sd card is DSK3: )
    You have to specify a linear offset from the start of the device.
    You can view all available disks with 'psdread -l'.

    You can find the exact disk size of any device by specifying the '-t'
    option. This is because the size of Flashdisks is reported incorrectly
    by WindowsXP.

    Local (to windows) disks should be specified by drive-letter.

    WARNING: the drive letter assignments are quite dynamic, a disk may
    return on a different letter after removing/re-adding it. psdwrite does
    attempt to verify that you are not overwriting your harddisk, but still
    be sure to specify the correct drive.

    psdwrite/psdread can now also write/read partial sectors.

pdocread.exe
    This tool can be used to read and list various parts of m-systems
    Disk On Chip devices.

    The -d, -p, and -h options can be used to select a specific disk device.
    Only specifying -d will open that device directly. Specifying -d and -p
    will open the device using the storage manager, and then use the
    partition specified with -p. To circumvent a problem with truncated
    device names in some WinCE versions, you can also specify a known open
    device handle, using -h.

    Use "pdocread -l" to get a list of known devices, and open handles on
    your wince device.

    The -n, -w, and -o options are used to select what access method is to
    be used.
        -n 0 will read from the binary partition number 0.
        -w will use the standard disk api to access the device.
        -o will access the One-time-programmable area of your DOC.
    When no access method is specified, the 'normal' TFFS partition will be
    accessed.

    Be warned that the tffs API is not very stable, it causes device
    crashes, and on several devices it is only partially implemented.

pnewbmp.exe
    You must specify a bmp file, as required by splitrom, and the romversion
    with '-3' or '-4'. This determines the location where the bootsplash is
    written: for (most!!) 3.x roms this is at 81900000, for 4.x roms, and
    the chinese 3.x rom it is at 81ec0000.
    So be careful, you must first verify that the bootsplash is indeed at
    this location, otherwise you will overwrite essential data in your rom.

pnewbootloader.exe
    Possibly the most dangerous tool in this collection, it allows you to
    overwrite the bootloader with something else. This tool depends on
    specific memory locations for certain roms. It does verify that it is
    talking to a known rom. It also does a very minimalistic check if the
    file presented to it resembles a bootloader.

psynctime.exe
    Tool to synchronize your PDA time with your desktop pc. You can have it
    run automatically by adding this value to your PC registry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect]
    "psynctime"="c:\\path-to\\psynctime.exe"

    This will also correct a problem that your current application loses
    focus when you cradle your device.

preboot.exe
    Utility to reboot your device, while it is in its cradle.

ppostmsg.exe
    Utility to send messages to windows on your pocket pc device.

tstril2.exe
    Ril Logger utility, to see what is going on with RIL.

-----------------------------------------------------------------------------
COMPILING:

You need the following tools installed:
    - cygwin
    - perl
    - boost 1.33.0
    - microsoft embedded visual c++ compiler
    - microsoft visual c++ compiler
    - windows ce platform builder
    - pocketpc 2003 sdk

Update locak.make according to your needs, then type 'make'.

-----------------------------------------------------------------------------
FUTURE:

pdblist:
    - should get a better interface,
    -DONE allow specific fields to be listed for all records
    - allow less verbose field display, f.i. column wise
    -DONE allow user to set/add field, values to a record
    -DONE add support for other database volumes
itsutils:
    - create macro for method declaration
    - add seekable stream-interface to read-memory
    - add handle-scan
    -DONE add cmdline to processinfo
    - add socketinfo interface
    -DONE add version check
    -DONE add mechanism for tools to automatically update dll if necessary
pdel:
    -DONE add support for recursive delete.
pget:
    - clean up code
        * DONE. - merged code with pput.
    -DONE change interface, to allow specification of rootdir, and
          multiple src files.
    -DONE think of convenient way of encoding both 'default to curdir' and
          'other target file/dir'
    - support recursive downloading
    -DONE support wildcards
pput:
    -DONE clean up code
    -DONE change interface, to allow specification of multiple source files
    - support recursive uploading
    -DONE support wildcards
pps:
    -DONE add cmdline info
    - add openfiles info, ...
pregdmp:
    - clean up code
    - make more efficient
    - allow change of registry
    OBSOLETE: replaced by pregutl
pkill:
    -DONE clean up code
prun:
    -DONE clean up code
ptlbdump:
    - finish implementing it.
pregdel:
    - finish implementing it.
    DONE: now called 'pregutl'

.....add these tools:
    pmkdir - DONE
    prmdir

Changelog 040318 -> 050119
* made hexdumping interface more universal among different tools
* switched compiler from EVC3 to EVC4
* added tffsreader interface to itsutils.dll
* itsutils logs to \storage on smartphones
* added 'readphysicalmemory' -p option to pmemdump
* pps now also works on smartphones
* added more handle interpreters to 'testpi.cpp'
* added cpu speed testing tool
* added several requests and notifications to RilClass.cpp
* dump can now also save a chunk of a file
* more types of hexdump formatting.
* pdblist now also supports volumes
* added pdocread tool, to read from tffs / DOC chips
* added new himalaya, and magician roms support to pnewbootloader
* added option to pput, to take data from stdin.
* pregutl now compiles both to wince and win32 tool
* merged psdread and psdwrite tools
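
-----------------------------------------------------------------------------
ADDED EXAMPLE (not part of the original tools or their source):

The address arithmetic behind the dump.exe example under USAGE, where byte 0
of a saved rom image maps to 0x80000000 and dwords are listed from
0x80040000. Assumptions: the length is counted in bytes, dwords are
little-endian, and the output layout is this example's own, not dump.exe's.

```python
import struct

def dump_dwords(image, base, start, length):
    """Rows of (address, [dwords]) for `length` bytes at device address `start`.

    image: raw bytes of the saved image; base: device address of file byte 0.
    """
    offset = start - base                    # device address -> file offset
    if not 0 <= offset < len(image):
        raise ValueError(f"address {start:#010x} is outside the image")
    chunk = image[offset:offset + length]    # shorter if the file ends early
    rows = []
    for i in range(0, len(chunk), 16):
        line = chunk[i:i + 16]
        whole = len(line) - len(line) % 4    # ignore a trailing partial dword
        # "<I" = little-endian 32-bit unsigned (assumption, see lead-in)
        dwords = [v for (v,) in struct.iter_unpack("<I", line[:whole])]
        rows.append((start + i, dwords))
    return rows

def format_rows(rows):
    """Render rows as 'address: dword dword ...' text lines."""
    return [f"{addr:08x}: " + " ".join(f"{d:08x}" for d in dwords)
            for addr, dwords in rows]

# Constructed sample image: all zeroes except two marker dwords placed at
# file offset 0x40000, which is device address 0x80040000 for this base.
BASE = 0x80000000
SAMPLE_IMAGE = bytearray(0x40020)
SAMPLE_IMAGE[0x40000:0x40008] = struct.pack("<II", 0xEA0003FE, 0x12345678)

if __name__ == "__main__":
    for text in format_rows(dump_dwords(SAMPLE_IMAGE, BASE, 0x80040000, 0x20)):
        print(text)
```

Getting the base wrong shifts every printed address by the same amount, so
check it against a location whose contents you already know.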