Fully working native debugging - Windows Phone 7 Development and Hacking

Hi friends.
There is very little information on getting native debugging working, scattered across several different threads. I have met with a variety of problems; I would like to summarize them and follow some of them up.
What we can do now (a huge thanks to Ultrashot):
- Debug managed applications in VS2010.
- See trace output of unmanaged code in VS2008.
- See trace output of an unmanaged dll in the managed Output window of VS2010, tutorial added here.
What I would like as soon as possible:
- Debug unmanaged code with full tracing, breakpoints, etc. working in VS2008.
As for the future:
- Debug combined code, ideally in one IDE (can VS2012 be adapted?).
- Debug attached third-party processes.
Please write about your experience with debugging, solving even the smallest problems; it can help many people.
Sorry for my English!

First issue
I have 2 identical HTC7Pro devices. One of them had the DFT ROM, the second Dynamics (Nr. 1 Ultrashot version).
The first one works well with the VS2008 native debugger. The debugger runs fast. Output from AtlTrace appears in the Output window. Only when the application has finished must the debugger be closed manually.
The second device worked well too, but two weeks ago it stopped. The native VS2008 debugger hangs totally, the managed VS2010 debugger says "could not debug, screenlock occurred". All remote tools kept working.
Solution:
It is unbelievable, but this device probably lost two important registry sz values (empty strings are needed):
[HKEY_LOCAL_MACHINE\System\OOM\DoNotKillApps]
"\Application Data\Phone Tools\10.0\CoreCon\bin\ConmanClient3.exe"
"\Application Data\Phone Tools\10.0\CoreCon\bin\edm3.exe"
See http://forum.xda-developers.com/showthread.php?t=1336137#5, where Ultrashot summarized all necessary unlock and debugging registry changes.
Maybe these values were not present the whole time, but two weeks ago managed debugging worked well. Now adding these values solved the managed debugging problem.
The unmanaged problem was bigger. When the PC debugger hung and VS2008 was killed by Task Manager, edm2.exe still ran on the device. I tried many things with no success. I flashed five other ROMs - no success! I used three PCs - no success (on one I installed a totally new Windows 7, VS and SDK)! Then I was convinced it must be hardware dependent, as the first device works well with the debuggers on all PCs.
But yesterday I tried 1. to flash the Dynamics2 ROM to the problematic device, 2. to delete all edm*.exe files on one of the PCs and replace them by Ultrashot's edm2p.exe only. Now I have the next unbelievable behaviour of this device:
... The native debugger, which is quick on the first device, waits about 30s to start debugging on the second one (deploying is also slow).
... After the pause the debugger seems to work normally.
... Output (dlls loading) is shown, but AtlTrace output is not present! (from the first device it is shown).
... When I stop the application on the device, the debugger correctly ends too. On the first (better) device I must stop it manually.
The Dynamics 2 ROM on the device is almost pure.
Some words of caution: If you enable WiFi tethering, the debugger (even WMDC) are brought together. If tethering is switched off, then WMDC connects fine, but the debugger sometimes does not connect well (on both my devices). After WiFi tethering I have to restart the device to have the debugger always connected well.
Small notes:
- It is pleasant to use WPConnect instead of Zune; the above mentioned registry control is needed.
- WMDC Launcher http://forum.xda-developers.com/showthread.php?t=1521763 adds more functionality than the older native debugger http://forum.xda-developers.com/showthread.php?t=1429383.
- Ultrashot told me native breakpoints worked in the past, but he has no time to search for why they stopped working. Can somebody confirm that native breakpoints worked for you? We can compare our device and PC states; I have never seen them work on any of my PC-ROM-device combinations.

Update 1st issue:
On the second PC:
1st (better) device - the debugger works (shows trace output) and sometimes also stops automatically after the application finishes:
... There is a 20s delay here
Load module: Pok4.exe
Load module: coredll.dll.0405.MUI
Load module: LPCRT.dll
Load module: RPCRT4LEGACY.dll
Load module: OLEAUT32.dll
Load module: ole32.dll
Load module: FPCRT.dll
Load module: coredll.dll
Toto je zacatek ... message from AtlTrace
Load module: AYGSHELL.dll
Load module: eventsnd.dll
Load module: waveapic.dll
Load module: ossvcs.dll
Load module: shlwapi.dll
Load module: phone.dll
Load module: shcore.dll
Load module: PACMANCLIENT.dll
Load module: EMCLIENT.dll
Load module: ZTrace.dll
Load module: ril.dll
The thread 0x1923000e has exited with code 16 (0x10).
... Here I must sometimes stop the PC debugger manually, or kill edm2p.exe on the device; Pok4.exe is sometimes unkillable. But sometimes the debugger stops by itself.
The program '[0x18DA000E] Pok4.exe' has exited with code 1067 (0x42b).
2nd (worse) device - the debugger works, but does not show trace output and does not stop automatically after the application finishes:
... There is a 30s delay here (only the first time; maybe it is the device debugger starting pause, the debugger is not killed automatically)
Load module: Pok4.exe
Load module: coredll.dll.0405.MUI
Load module: RPCRT4LEGACY.dll
Load module: OLEAUT32.dll
Load module: ole32.dll
Load module: FPCRT.dll
Load module: coredll.dll
Load module: AYGSHELL.dll
Load module: ossvcs.dll
Load module: waveapic.dll
Load module: shlwapi.dll
Load module: shcore.dll
... Here I must stop the PC debugger manually every time
Does somebody understand the output difference? The application project, PC and VS are the same; only the device is changed (and WPConnect called).
LPCRT.dll is missing in the second output. This seems to mean the second device has no registered ATL COM proxy dll (I found something here http://cboard.cprogramming.com/cplu...-proxy-dll-difficulties-windows-ce-5-0-a.html). Does somebody understand COM better than me?
Edit: After a few minutes, WITHOUT any change, the second (worse) device began to behave better - the debugger is closed correctly and immediately:
Load module: Pok4.exe
Load module: coredll.dll.0405.MUI
Load module: RPCRT4LEGACY.dll
Load module: OLEAUT32.dll
Load module: ole32.dll
Load module: FPCRT.dll
Load module: coredll.dll
Load module: AYGSHELL.dll
Load module: ossvcs.dll
Load module: waveapic.dll
Load module: shlwapi.dll
Load module: shcore.dll
The thread 0x1ae4034e has exited with code 0 (0x0).
The program '[0x1B1D036A] Pok4.exe' has exited with code 0 (0x0).
Now this behaviour is similar to my first PC yesterday. I do not understand it at all. On the first device AtlTrace still works and the thread has exited with code 16. There is probably a debugger problem handling the application exception.
Application Pok4 contains only this code:
// Pok4 test application: the whole source as posted, with the headers it needs added.
#include <windows.h>
#include <tchar.h>
#include <atlbase.h>   // pulls in atltrace.h for ATLTRACE2

extern "C" int WINAPI _tWinMain(HINSTANCE /*hInstance*/, HINSTANCE /*hPrevInstance*/,
                                LPTSTR /*lpCmdLine*/, int nShowCmd)
{
    // Trace message (Czech: "This is the beginning"), expected in the debugger Output window
    ATLTRACE2(L"Toto je zacatek\n");
    // Message box with Czech text "After the start"; the app blocks here until OK is tapped
    MessageBox(NULL, L"Po začátku", L"_tWinMain", MB_OK);
    int i = 0;   // a place to set a breakpoint
    return 0;
}
It looks like the ATL COM proxy generates Trace output on the first device, but it also generates an undebuggable exception on it (EDIT: Probably not true, see next post!). But this behaviour is sometimes very random.
When I change ATLTRACE2 to OutputDebugString, the behaviour of both devices is exactly the same as with ATLTRACE2.
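To make the two Output window transcripts above directly comparable, here is a small Python script added as an example (my own code, not the original poster's). It parses debugger output in the form shown on this page, lists the modules loaded on one device but not on the other, records whether any non-debugger line (such as the AtlTrace message) appeared, and reports the thread and program exit codes. The sample transcripts embedded below are constructed, abbreviated versions of the two outputs above; the exit-code descriptions are the standard Win32 meanings (1067 is ERROR_PROCESS_ABORTED).

```python
import re

# Constructed, abbreviated transcripts modelled on the two debugger outputs
# quoted in the post (module names taken from the page; not a full capture).
FIRST_DEVICE = """\
Load module: Pok4.exe
Load module: coredll.dll.0405.MUI
Load module: LPCRT.dll
Load module: RPCRT4LEGACY.dll
Load module: coredll.dll
Toto je zacatek
Load module: AYGSHELL.dll
Load module: phone.dll
The thread 0x1923000e has exited with code 16 (0x10).
The program '[0x18DA000E] Pok4.exe' has exited with code 1067 (0x42b).
"""

SECOND_DEVICE = """\
Load module: Pok4.exe
Load module: coredll.dll.0405.MUI
Load module: RPCRT4LEGACY.dll
Load module: coredll.dll
Load module: AYGSHELL.dll
The thread 0x1ae4034e has exited with code 0 (0x0).
The program '[0x1B1D036A] Pok4.exe' has exited with code 0 (0x0).
"""

LOAD_RE = re.compile(r"^Load module: (\S+)$")
THREAD_RE = re.compile(r"^The thread 0x([0-9A-Fa-f]+) has exited with code (\d+)")
PROGRAM_RE = re.compile(r"^The program '\[0x[0-9A-Fa-f]+\] (\S+)' has exited with code (\d+)")

# Standard Win32 meanings for the exit codes that appear on this page.
EXIT_CODE_MEANING = {
    0: "normal exit",
    1067: "ERROR_PROCESS_ABORTED: the process terminated unexpectedly",
}


def parse_debug_output(text):
    """Split one debugger transcript into modules, app trace lines and exit records."""
    modules, traces, threads, program = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOAD_RE.match(line)
        if m:
            modules.append(m.group(1))
            continue
        m = THREAD_RE.match(line)
        if m:
            threads.append((m.group(1), int(m.group(2))))
            continue
        m = PROGRAM_RE.match(line)
        if m:
            program = (m.group(1), int(m.group(2)))
            continue
        # Anything the debugger did not generate itself is application output
        # (OutputDebugString / ATLTRACE text).
        traces.append(line)
    return {"modules": modules, "traces": traces, "threads": threads, "program": program}


def compare_runs(first_text, second_text):
    """Report what differs between two transcripts of the same application."""
    a, b = parse_debug_output(first_text), parse_debug_output(second_text)
    a_mods, b_mods = set(a["modules"]), set(b["modules"])
    return {
        # Load order is preserved so the report reads like the Output window.
        "only_in_first": [m for m in a["modules"] if m not in b_mods],
        "only_in_second": [m for m in b["modules"] if m not in a_mods],
        "trace_seen": (bool(a["traces"]), bool(b["traces"])),
        "thread_exit_codes": ([c for _, c in a["threads"]], [c for _, c in b["threads"]]),
        "program_exit_codes": (
            a["program"][1] if a["program"] else None,
            b["program"][1] if b["program"] else None,
        ),
    }


def describe_exit(code):
    """Human-readable description of a program exit code."""
    if code is None:
        return "no program exit line (debugger had to be stopped manually?)"
    return f"{code} (0x{code:x}): {EXIT_CODE_MEANING.get(code, 'unknown')}"


if __name__ == "__main__":
    report = compare_runs(FIRST_DEVICE, SECOND_DEVICE)
    print("Modules only on first device :", report["only_in_first"])
    print("Modules only on second device:", report["only_in_second"])
    print("Application trace seen (1st, 2nd):", report["trace_seen"])
    print("Thread exit codes (1st, 2nd):", report["thread_exit_codes"])
    for label, code in zip(("first", "second"), report["program_exit_codes"]):
        print(f"{label} device program exit:", describe_exit(code))
```

Run it on the real transcripts by pasting each Output window capture into the two strings; on the constructed sample it reports LPCRT.dll and phone.dll as loaded only on the first device, the trace line seen only there, thread exit 16 versus 0, and program exit 1067 versus 0, which is exactly the difference the post asks about.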

I made the simplest console application:
// Simple.cpp : Defines the entry point for the console application.
#include <windows.h>
#include <tchar.h>   // _tmain, _TCHAR

int _tmain(int argc, _TCHAR* argv[])
{
    // Should appear in the debugger Output window
    OutputDebugString(L"OutputDebugString\n");
    // Blocks until OK is tapped, so the debugger sees a live process for a while
    ::MessageBox(NULL, L"MessageBox", L"_tmain", MB_OK);
    return 0;
}
First device debug output:
Load module: Simple.exe
Load module: coredll.dll.0405.MUI
Load module: coredll.dll
OutputDebugString
Load module: AYGSHELL.dll
Load module: ole32.dll
Load module: RPCRT4LEGACY.dll
Load module: LPCRT.dll
Load module: eventsnd.dll
Load module: waveapic.dll
Load module: OLEAUT32.dll
Load module: FPCRT.dll
Load module: ossvcs.dll
Load module: shlwapi.dll
Load module: phone.dll
Load module: shcore.dll
Load module: PACMANCLIENT.dll
Load module: EMCLIENT.dll
Load module: ZTrace.dll
Load module: ril.dll
The thread 0x1d4500be has exited with code 0 (0x0).
... I must close the debugger manually here; there is no exception here (only after manually stopping the debugger - see next line). Visual Studio crashed here when the connection was killed manually (cable unplugged etc.)!
The program '[0x1DE300B6] Simple.exe' has exited with code 1067 (0x42b).
Second device debug output:
... longer waiting here, if it is the first debugger attempt
Load module: Simple.exe
Load module: coredll.dll.0405.MUI
Load module: coredll.dll
Load module: AYGSHELL.dll
Load module: ole32.dll
Load module: RPCRT4LEGACY.dll
Load module: ossvcs.dll
Load module: waveapic.dll
Load module: shlwapi.dll
Load module: OLEAUT32.dll
Load module: FPCRT.dll
Load module: shcore.dll
The thread 0x1e030036 has exited with code 0 (0x0).
The program '[0x1E730036] Pok5.exe' has exited with code 0 (0x0).
... The debugger stops immediately and successfully here.
All the above behaviour is stable, but each time only some (3-10) minutes after changing the plugged-in device. This seems to mean that the WMDC green state is not the end of reconnection; the debugger needs much more time to make a stable connection.

VSDTeam: "If desktop component finds that conmanclient.exe is not of the same version it tries to shut it down, bootstrap the device (copy the device side binaries to device and start them)." I think the behaviour of the debugger components is similar. Can't the debugger starting delay depend on killing, deploying (or timeout) of different debugging component versions?
By web search there are also other causes of debugging delay:
... .Net PC-application-device difference.
... Definitions updating from the web on every debug run.
... Any policy issues.
The delay occurs mostly when:
- changing connection or device
- rebuilding the application.
http://blogs.msdn.com/b/vsdteam/archive/2007/01/18/connectivity-issues-after-installing-sp1.aspx
I will try to prepare debugging files from unupdated VS2008 and from SP1 and compare their behaviour. Also all pre- and post- steps from http://support.microsoft.com/kb/957912 may be usable. Besides SP1 and updates I also found the CE Compact 7 update; does anybody know if it is related and backward compatible? http://support.microsoft.com/kb/2483802
I think the breakpoint malfunction must be edm2 dependent, but other issues (missing core features, policy) can have an influence on the problem.
I gradually installed Visual Studio 2008 Service Pack 1, VS2008-PatchRemovalTool, the Remote debugger installation for Visual Studio 2008 Service Pack 1, KB957912, KB2483802.
Ultrashot's distributed edm2p.exe seems equal to the armv4i\edm2.exe installed as part of the KB2483802 update, but the breakpoints problem is still not fixed. I tried all the other (unpatched) armv4i edm2.exe versions, but only this one is able to communicate with the desktop debugger, still with mistakes.
Notes:
- IsDebuggerPresent() returns true.
- The same program without MessageBox ends successfully; the debugger stops immediately by itself on both devices.

TRACE from Native Dll to VS 2010 managed Output window
Hi guys. So it is done ... TRACE, which writes from a native dll to the Output window in Visual Studio 2010. It's a dreadful job, maybe it is unnecessarily synchronized. I guess it could be done in some standard way, but I solved it well enough on my own until Microsoft does it right. It's dirty, but it works. The picture follows the red text. The principle will be published, cleaned up a little.

Martin7Pro said:
Hi guys. So it is done ... TRACE, which writes from a native dll to the Output window in Visual Studio 2010. It's a dreadful job, maybe it is unnecessarily synchronized. I guess it could be done in some standard way, but I solved it well enough on my own until Microsoft does it right. It's dirty, but it works. The picture follows the red text. The principle will be published, cleaned up a little.
EDIT:
It is finished now. See tutorial here.

Interesting issue, urgent question (for ultrashot probably)
Hi friends. I have got a partial solution to my mysterious issue:
My DFT ROM HTC7Pro device works with the native VS2008 debugger on all computers. TRACE output is shown, breakpoints do not work, the debugger must be stopped manually.
My second, Dynamics ROM HTC7Pro device did not work with the native VS2008 debugger on one computer. On the second computer the application was launched under the debugger, but TRACE output was not shown. The debugger stops automatically when the application exits.
I found the following:
On the first device edm2p.exe is launched, then the debugger works on all machines (only without breakpoints).
On the second device edm2.exe is deployed from the computer every time and launched to make debugging work. When VS2010 is installed together with VS2008, edm2.exe is deployed from the VS2010 debugger subdirectory! The difference between the computers was edm2.exe missing in the VS2010 subdirectory. I solved the issue the following way: I renamed ultrashot's patched debugger edm2p.exe to edm2.exe and copied it to the VS2010 debugger Armv4i subdirectory. Now debugging is working (without breakpoints).
Questions:
1. Why do two ConManClient2.exe instances run on my Dynamics device every time after the debugger connects?
2. Why is edm2.exe deployed instead of using the patched edm2p.exe from the device, when WMDC.xap is installed the same on both devices?
3. Why is patching needed (the called CMCCDLL.dll implements some missing COREDLL.dll API) for TRACE output to work?
4. Can't another API part also be patched to make breakpoints work?
5. Why does the debugger connected to Dynamics stop automatically after the debugged application is closed, but the debugger connected to the DFT one does not?

Martin7Pro said:
Hi friends. I have got a partial solution to my mysterious issue:
My DFT ROM HTC7Pro device works with the native VS2008 debugger on all computers. TRACE output is shown, breakpoints do not work, the debugger must be stopped manually.
My second, Dynamics ROM HTC7Pro device did not work with the native VS2008 debugger on one computer. On the second computer the application was launched under the debugger, but TRACE output was not shown. The debugger stops automatically when the application exits.
I found the following:
On the first device edm2p.exe is launched, then the debugger works on all machines (only without breakpoints).
On the second device edm2.exe is deployed from the computer every time and launched to make debugging work. When VS2010 is installed together with VS2008, edm2.exe is deployed from the VS2010 debugger subdirectory! The difference between the computers was edm2.exe missing in the VS2010 subdirectory. I solved the issue the following way: I renamed ultrashot's patched debugger edm2p.exe to edm2.exe and copied it to the VS2010 debugger Armv4i subdirectory. Now debugging is working (without breakpoints).
Questions:
1. Why do two ConManClient2.exe instances run on my Dynamics device every time after the debugger connects?
2. Why is edm2.exe deployed instead of using the patched edm2p.exe from the device, when WMDC.xap is installed the same on both devices?
3. Why is patching needed (the called CMCCDLL.dll implements some missing COREDLL.dll API) for TRACE output to work?
4. Can't another API part also be patched to make breakpoints work?
5. Why does the debugger connected to Dynamics stop automatically after the debugged application is closed, but the debugger connected to the DFT one does not?
I don't like your question-based post style.
Also, DFT and Dynamics comparison isn't really valid considering first rom's build date, i.e. newest binaries don't even work on older ROMs.

ultrashot said:
I don't like your question-based post style.
Also, DFT and Dynamics comparison isn't really valid considering first rom's build date, i.e. newest binaries don't even work on older ROMs.
I understand. But debugging on the very old DFT V3 (with your WMDC installed) works better than on the much newer Dynamics V2.

Martin7Pro said:
I understand. But debugging on the very old DFT V3 (with your WMDC installed) works better than on the much newer Dynamics V2.
My answer is still valid

ultrashot said:
My answer is still valid
I do not want to disturb you by PM, so I write the questions here. Maybe somebody will be able to answer them. Native development without working debugging is very slow and many projects are stalled because of it now. Especially HaRET is very much wanted by the community now, but it is probably unfinishable in usable time without online heap tracing etc. For now it is a total black box; every added low-level functionality increases more and more strange behaviour, a danger for devices. Trace logging does not help me much.

Here is a log from EDM2:
...
Config key HKLM\SOFTWARE\Microsoft\VSD\Debugger not present
INFO10: DeviceDebugProcess::LoadConfiguration: Config values: CopyWriteOn:00, CopyWriteROM:00, CopyWriteEXE:00, CopyWriteDLL:00
...
This may be the cause of the malfunctioning breakpoints. The full log is attached. Can anybody experienced with corecon/debugging explain it and help to make debugging work? All projects I participate in (HaRET WP7, Console WP7, MortScript WP7, FTP Client, WMWCEWECLauncherWP7 etc.) depend on good debugging possibilities.

Martin7Pro said:
Here is a log from EDM2:
...
Config key HKLM\SOFTWARE\Microsoft\VSD\Debugger not present
INFO10: DeviceDebugProcess::LoadConfiguration: Config values: CopyWriteOn:00, CopyWriteROM:00, CopyWriteEXE:00, CopyWriteDLL:00
...
This may be the cause of the malfunctioning breakpoints. The full log is attached. Can anybody experienced with corecon/debugging explain it and help to make debugging work? All projects I participate in (HaRET WP7, Console WP7, MortScript WP7, FTP Client, WMWCEWECLauncherWP7 etc.) depend on good debugging possibilities.
I tried to create the CopyWriteOn etc. values in the registry key above and set them to 1, but I am not sure of the result.
When setting a breakpoint, the debugger edm2 crashed in the function CE_CopyWrite.
The attached log is after returning them to 0. Sometimes EXCEPTION:80000003 (HW breakpoint) occurred, but it was not accepted by the debugger.

Related

[UPDATE 18.12.10] Shared Homebrew projects

Let me start a thread where you all can drop your shared homebrew apps.
For homebrew apps we first need to unlock:
iridium21 said:
As people may know, Chevron have removed their unlocker download for WP7 so I thought I'd archive it and make it available for everyone here still:
http://www.megaupload.com/?d=Q1T7WQMK
EDIT: Thanks to Cendaryn we also have the required security certificate - the easiest way (thanks to Talys) to install the cert and unlock your WP7 is to do as follows:
1. Unzip the file, and attach chevronwp7.cer (see below for file) to an e-mail to yourself
2. Open the email in WP7
3. Tap the attachment once, it turns into a shield, tap it again, it goes to the install certificate screen with white letters on a black screen
4. Click install at the bottom
5. Make sure the registry is modified:
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsPhone\ProxyPorts]
"DeviceReg"=dword:000069C5
I think the WP7 developer tools from MS do this, but you can add it manually (it's a 32-bit DWORD)
6. Plug in the phone and leave Zune running
7. Run chevronwp7.exe, click both checkboxes
8. Click unlock
Excellent video tutorial here, thanks to Jaxbot
[Edit 8th Dec 2010]
Worried that Microsoft has relocked your phone? They haven't, look here
Hope this helps someone.
Or unlock using a modded version by hounsell.
hounsell said:
Been able to remove the sideload limit, I was able to install 11 apps by my count, though I'd appreciate a third-party confirmation to be honest.
http://thounsell.co.uk/2010/12/chevronwp7-now-without-the-sideload-limit/
After unlocking we want some custom ringtones of course:
ShadowLegion said:
I didn't see a thread, so I just thought I would let people who didn't already know that ChevronWP7 released their Custom Ringtone Manager today
You can find it here http://www.chevronwp7.com/
Download: http://walshie.me/ChevronWP7.RingtoneInstaller.zip
Source code: http://blog.walshie.me/2010/12/source-code-to-the-chevronwp7-ringtone-editor/
Let's look at the file system:
hounsell said:
FileBrowser
Source
Still very basic, not the most stable either, but at least you can browse the Windows folder, and read text files.
I'll probably put more effort in once I've got further with my SevenIRC App.
We need a .reg viewer too:
(nico) said:
I've managed to create a basic Registry Viewer, readonly for the moment.
For now, I didn't manage to get access to root path, so the first 2 levels are hardcoded.
Download it here: (link removed, see below)
Edit:
Updated version here: http://bit.ly/ed1Sz1
and a direct link:http://www.xda-developers.ch/download/?a=d&i=4227279264
And a nice way to get all this onto the phone:
tom_codon said:
Hi all!
For all devices unlocked with the ChevronWP7 Unlocker, we can easily install custom ringtones or applications in .XAP format via Application Deployment, but every time we need to open the start menu --> Application Deployment, then browse to the .xap in the tool to install it. It takes too much time and almost makes some of us crazy.
That is why I decided to write Tom XAP installer. Basically Tom XAP installer and Application Deployment are the same (they allow installing a custom .xap to a Windows Phone 7 device or emulator), but Tom XAP installer is a lot more convenient: it allows you to install a .xap by double-clicking the file, or simply right click --> install xap.
How to:
Download the exe and put it somewhere on the PC, run it, and it will automatically add the registry path of the application and add a menu entry and icon to .XAP files.
Then just close it, and now double-click a custom ringtone, or any .xap file; Tom XAP installer will automatically open and give you some details (App name, Version, Author, Size, Description of the XAP), then select where you will install the xap (device or emulator).
Press Install and wait for it to finish.
Notices:
1. Tom XAP installer requires the .NET 4.0 Framework and the Windows Phone 7 SDK
2. If you install a xap to a device:
- Please make sure your device was unlocked with the ChevronWP7 Unlocker (here is a guide how to unlock)
- Make sure your device is connected to the PC and Zune is launched
- Make sure your device is not in sleep mode
3. If you move Tom XAP installer.exe to another location on the PC, you should run it again once to re-register the location of the application
4. If you don't like this software, just run Tom XAP installer.exe and uncheck "Enable Tom XAP installer"; it will remove all registry entries of Tom XAP installer from your PC
Download: http://forum.xda-developers.com/attachment.php?attachmentid=456249&d=1291493842
Cheers!
Tom
Man, I need a webserver on my phone.
davux said:
I've extended jmorrill's code to include the Winsock functions to listen. The example proves that one may listen on port 80.
One problem with this library right now is that it is IPv4 only. I tried to make things generic but that was quite hard, I'm also really not very familiar with native Winsock anyway.
dl.dropbox.com/u/12359/PhoneNetworkingSample_with_listen.zip
[edit] and here's a really simple (and really hacked together - you've been warned) webserver!
dl.dropbox.com/u/12359/wp7_webserver.zip
The code is definitely *preview quality* - I pulled it together just now because I don't think I'll be able to work on this for a few days, so it'd be a starting point but I'm sure it's buggy.
davux said:
I've enhanced my Webserver sample to support reading from the device (where allowed), as well as reading/writing IsolatedStorage
//dl.dropbox.com/u/12359/WP7Homebrew_Webserver.zip
The XAP is located in the Webserver project.
I am not finished, there are several issues:
- I have not implemented support for getting the local endpoint, so you need to know your phones IP address
- There is a bug somewhere that causes a problem when uploading larger files.
- There is no UI
- No authentication!
To access the webserver, open the app on your phone (it will disable the idle timer and run behind the lock screen)
//phone_ip/IsolatedStorage
//phone_ip/Windows
IsolatedStorage is a special case (virtual directory that uses the SDK IsolatedStore APIs), the filesystem is mounted at the root of the webserver. Note that if you navigate to //phone_ip/, you will not see anything, as we are not able to list the contents of the root directory.
I am working to create a real socket library that mimics System.Net/.Sockets, and System.IO for file access. TcpClient and TcpListener are in a mostly functional state already.
I'll add in registry and other capabilities once those two components are stable.
Most of the code came from jmorrill.
I'm thinking we could do with somewhere to place an open-source collection of homebrew apps.
Also, with the Chevron WP7 unlocker, you might want to include the version with the sideload limit removed
hounsell said:
I'm thinking we could do with somewhere to place an open-source collection of homebrew apps.
Also, with the Chevron WP7 unlocker, you might want to include the version with the sideload limit removed
Good idea, do you have some ideas?
Can you give me the link of the unlocker you modded?
The regviewer zip file contained projects not possible to open in VS2008 or VS2010. Could you check this?
ajhvdb said:
The regviewer zip file contained projects not possible to open in VS2008 or VS2010. Could you check this?
I will ask the maker of the regviewer.
What do you mean by not possible?
The source contains multiple projects:
- COM: Visual Studio 2008 C++ project using the Windows Mobile 6 SDK
- Native: Visual Studio 2010 solution containing the .Net / COM interface
- Registry Viewer: Visual Studio 2010 project containing the registry viewer app and also referencing the Native project.
Everything works on my machine. You may need to fix the paths to make it work on yours.
(nico) said:
What do you mean by not possible?
The source contains multiple projects:
- COM: Visual Studio 2008 C++ project using the Windows Mobile 6 SDK
- Native: Visual Studio 2010 solution containing the .Net / COM interface
- Registry Viewer: Visual Studio 2010 project containing the registry viewer app and also referencing the Native project.
Everything works on my machine. You may need to fix the paths to make it work on yours.
Sorry, most of the time when I rebuild a project all files are relative to the project; the references are not, of course, and I need to set the correct path. Could you give me a hint?
I downloaded the 002 file. In it there is a native.zip. I unzipped it and got 2 folders:
1. COM
I renamed it to COM2008 and opened this in VS2008, did a rebuild. Below is the output.
1>Compiling resources...
1>Microsoft (R) Windows (R) Resource Compiler Version 6.1.6723.1
1>Copyright (C) Microsoft Corporation. All rights reserved.
1>Linking...
1> Creating library Windows Mobile 6 Professional SDK (ARMV4I)\Release/Native.lib and object Windows Mobile 6 Professional SDK (ARMV4I)\Release/Native.exp
1>Performing Post-Build Event...
1> 1 file(s) copied.
1>The system cannot find the path specified.
1> 0 file(s) copied.
1>The system cannot find the path specified.
1> 0 file(s) copied.
1>The system cannot find the path specified.
1> 0 file(s) copied.
1>Project : error PRJ0019: A tool returned an error code from "Performing Post-Build Event..."
1>Build log was saved at "file://e:\_PROJECT\WP7\_Source\_Homebrew\RegistryViewer002\Native\Native\COM2008\Native\Windows Mobile 6 Professional SDK (ARMV4I)\Release\BuildLog.htm"
1>Native - 1 error(s), 0 warning(s)
I'm not sure where to find this "path".
2. Nativelibrary
In the post build event of the COM project, I copy the output file to several projects of mine. Just remove post build events and copy the file manually to your own project.
(nico) said:
In the post build event of the COM project, I copy the output file to several projects of mine. Just remove post build events and copy the file manually to your own project.
Yup, it's working now.
In the registry viewer I only needed to change the project folder to the nativelibrary.
ceesheim, thanks..excellent
Updated the first post with a newer/better webserver

[XAP] Native Debugger for WP7 (Requires full unlock)

Title says it all - it is a debugger for native apps.
How to use it?
Prerequisites:
You should have VS2008 and the Windows Mobile 6 Pro SDK installed.
If you also have VS2010 + WP7SDK, most likely you won't be able to use the debugger in VS2008. To fix this issue, copy the attached edm2.exe to C:\Program Files (x86)\Microsoft Visual Studio 10.0\SmartDevices\Debugger\target\wce400\armv4i (probably without the (x86) postfix in the Program Files path)
(Just to note - this edm2.exe isn't "special for ce7". It works on WM6 devices too)
You should have full unlock on your phone (not dev unlock! not interop unlock!)
What's then?
Sideload NativeDebugger.xap to the phone
Run it, wait until the ip list appears.
In VS2008: Tools->Options. Then change the ip to 127.0.0.1. Screenshot:
Enjoy.
Limitations
You have to run the xap after every soft reset
If you create a UI, the debugger "forgets" to detect app closing. However, breakpoints still work and the debug log is still being received.
What else can this xap do?
Native debugging, as already mentioned
You can use almost all CE Remote Tools.
Limitations: CERemoteSpy can't set up a window hook (thanks MS for abandoning the slot-based virtual memory system)
Process Viewer can't get the list of processes
Screenshots:
P.S. If you want to compile a native exe, don't forget to generate a new coredll.lib
nice work, ultrashot
good work buddy
I'm a little confused here, what's the difference between 'full unlock' and 'interop unlock'
Briefcase said:
I'm a little confused here, what's the difference between 'full unlock' and 'interop unlock'
Read
Great!
Now can say bye-bye to a log file of debug!
ultrashot said:
Read
So basically it requires a custom ROM (read: HTC Only)?
ZeBond said:
So basically it requires a custom ROM (read: HTC Only)?
for now - yes.
The best app here. I am going to search old SDKs.
Hey @ultrashot, nice work man! Any chance you can see whether this can be used with the HtcRoot project (see my sig)? It would help a ton to be able to do debugging, both for improving HtcRoot and developing apps based on it, but I'm still using a stock ROM (and want to make HtcRoot usable for stock ROMs).
I'm not sure why the debugger doesn't work normally, but if it's some kind of permissions issue than HtcRoot should work around that quite well. It does require a working HtcUtility.dll driver, which not all custom ROMs have, by the way.
After an hour of trying - I started Zune synchronisation and after it - "Connection success".
Zoom in - OK.
Remote Spy - OK.
Remote Registry Editor - OK!!! (I will have 1/10 of work sometime)
Remote Heap Walker - OK.
Remote File Viewer - OK and very quick.
Remote Process Viewer - Nothing.
Thanks very much. I must repair the process viewer and learn debugging techniques on WM. M.
Martin7Pro said:
I must repair the process viewer and learn debugging techniques on WM.
It isn't supposed to work. I haven't tried to investigate why ms transport exe doesn't work.
GoodDayToDie said:
Hey @ultrashot, nice work man! Any chance you can see whether this can be used with the HtcRoot project (see my sig)? It would help a ton to be able to do debugging, both for improving HtcRoot and developing apps based on it, but I'm still using a stock ROM (and want to make HtcRoot usable for stock ROMs).
I'm not sure why the debugger doesn't work normally, but if it's some kind of permissions issue then HtcRoot should work around that quite well. It does require a working HtcUtility.dll driver, which not all custom ROMs have, by the way.
Hi. What's required:
1) ability to put files to \Windows\.
2) ability to load unsigned native code (because cmccdll.dll is a self-made coredll.dll wrapper; other files are signed by ms). That could be problematic even with tcb permissions
3) probably some policies should be changed.
1) Full read/write access to the whole filesystem - not a problem.
2) Developer-unlocked devices are allowed to do this, at least for DLLs. If they weren't, none of our native homebrew code would function (it's all unsigned). Not sure about EXEs though.
3) I think I can do this with the permissions I have - Heathcliff74 has mentioned modifying the policies on his phone during WP7 Root Tools development - but I'd need to know which ones and what modifications are needed.
Hi guys. I want to discover my HTC7Pro hardware keyboard's low-level management to be able to customize any applications (my prepared file manager etc.) for keyboard-only management, use the smile key as Ctrl etc. But I could not use the debugger correctly. Do you know how I can see the call stack and how I can step running processes? I can pause them, but every time I see this:
Thanks, M.
GoodDayToDie said:
1) Full read/write access to the whole filesystem - not a problem.
2) Developer-unlocked devices are allowed to do this, at least for DLLs. If they weren't, none of our native homebrew code would function (it's all unsigned). Not sure about EXEs though.
3) I think I can do this with the permissions I have - Heathcliff74 has mentioned modifying the policies on his phone during WP7 Root Tools development - but I'd need to know which ones and what modifications are needed.
2) yes, but it can be different for fully native exes (haven't checked further though).
3) the minimum required policies should be like those for built-in edm3.exe, ConManClient3.exe. The only difference is (again) absence of valid digital sign and it may prevent lvmod's authorization.
//Wondering if lvmod can be replaced (better to say, shadowed) without reflashing.
Martin7Pro said:
Hi guys. I want to discover my HTC7Pro hardware keyboard's low-level management to be able to customize any applications (my prepared file manager etc.) for keyboard-only management, use the smile key as Ctrl etc. But I could not use the debugger correctly. Do you know how I can see the call stack and how I can step running processes? I can pause them, but every time I see this:
Thanks, M.
I would rather say it isn't a good task for VS2008. It is meant to debug your libs/exes, not someone else's.
IDA always rocks but its wce debugger is currently not working, thanks to absent activesync connection.
ultrashot said:
I would rather say it isn't a good task for VS2008. It is meant to debug your libs/exes, not someone else's.
IDA always rocks but its wce debugger is currently not working, thanks to absent activesync connection.
Thanks for the answer. Then I want to try to debug my own applications. I found your older post http://forum.xda-developers.com/showthread.php?t=1336137, which enables debugger usage on custom ROMs; it is working well for me in VS 2010 Express. Then a question: May I have opened VS 2010 Express with managed part + VS 2008 Professional with unmanaged part of any hybrid application to be able to debug it? How can I do it, when it is one application and process attaching does not work? Or will those be two different processes in one application, runnable independently? Or is it possible to use VS 2008 for WP7 C# debugging? I apologize for probably basic questions. I am an experienced C programmer, but totally new in mobile programming. M.
May I have opened VS 2010 Express with managed part + VS 2008 Professional with unmanaged part of any hybrid application to be able to debug it?
no, only managed part could be debugged (though, you can test your native library via native exe, but that's another story)
process attaching does not work
It was never working even in WM
Or will those be two different processes in one application, runnable independently?
both native and managed code run in the same taskhost context.
Or is it possible to use VS 2008 for WP7 C# debugging?
no.
Thanks. I must learn more. If I understand, I can debug Silverlight, XNA and the managed part of hybrid applications only in VS 2010 (unmanaged part debugging is impossible), native applications in VS 2008 only.
Is it normal to see more than one device in Registry viewer? Every time today I saw only mobile, but now also desktop. On debugger launcher I have three different CoreCon IPs immediately now. Could it not be an attack from the internet?
Is it normal to see more than one device in Registry viewer?
Normal.
On debugger launcher I have three different CoreCon IPs immediately now.
that's because you can connect via different connection types. (such as wifi for example - btw, it is also possible, but you have to adjust ip every time)
Could it not be an attack from the internet?
no.
This is amazing.
Thank you ultrashot.

[HACK] Using complete Windows API in Windows Store app (c++)

As we know, MS prohibits using most of standard Win32 API in Windows Store applications. Obviously there are lots of ways to overcome this limit and to call any API you like, if you are not going to publish your app on Windows Store. And here is one of them.
Idea is really simple and rather old (lots of viruses use it): search for kernel32.dll base in memory, then parse its exports for LoadLibraryA and GetProcAddress, call them - and get profit.
Writing here so this post can be indexed by google.
Partial code:
Code:
void DoThings()
{
    // Start from any kernel32 export a Store app is still allowed to import and
    // round its address down to a page boundary.
    char *Tmp=(char*)GetTickCount64;
    Tmp=(char*)((~0xFFF)&(DWORD_PTR)Tmp);
    // Walk backwards page by page until the "MZ" DOS header of kernel32.dll is hit;
    // the SEH block swallows the access violation of an unmapped page.
    while(Tmp)
    {
        __try
        {
            if(Tmp[0]=='M' && Tmp[1]=='Z')
                break;
        } __except(EXCEPTION_EXECUTE_HANDLER)
        {
        }
        Tmp-=0x1000;
    }
    if(Tmp==0)
        return;
    // Resolve the bootstrap functions by parsing the export table by hand
    // (PeGetProcAddressA is in the attached project); everything else then goes
    // through the real GetProcAddress.
    LoadLibraryA=(t_LLA*)PeGetProcAddressA(Tmp,"LoadLibraryA");
    GetProcAddressA=(t_GPA*)PeGetProcAddressA(Tmp,"GetProcAddress");
    CreateProcessA=(t_CPA*)PeGetProcAddressA(Tmp,"CreateProcessA");
    HMODULE hUser=LoadLibraryA("user32.dll");
    MessageBoxA=(t_MBA*)GetProcAddressA(hUser,"MessageBoxA");
    MessageBoxA(0,"A native MessageBox!","Test",MB_OK);
    STARTUPINFO si;
    memset(&si,0,sizeof(si));
    si.cb=sizeof(si);
    PROCESS_INFORMATION pi;
    CreateProcessA("c:\\Windows\\system32\\cmd.exe",0,0,0,FALSE,0,0,0,&si,&pi);
}
Complete project is attached. It contains sources and compiled appx files for side-loading.
Code compiles fine for x86/x64 and ARM, tested on x86/x64. Can someone test it on ARM? Ability to sideload metro apps is required.
The application should output a MessageBox, then execute cmd.exe.
A note: a Windows Store application runs in a sandbox and as a limited account, so most of the API returns "access denied". You can check this in a launched CMD - it displays "access denied" even on a "dir" command because normally "modern ui" apps don't even have read access to c:\.
To overcome this - add "all application packages" full control to the directories/objects you like (for example to c:\).
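What PeGetProcAddressA in the snippet has to do, shown as an added example that is not mamaich's code (the project's own helper is in the attached archive): a bounds-checked walk of a PE export directory over an image constructed in memory, including the forwarded-export case (HeapAlloc in kernel32 forwards to NTDLL.RtlAllocateHeap) that a naive lookup would hand back as a string pointer. pe_get_proc_address, build_sample_image and sample_export_rva are names chosen here; the walk itself is the same one a loader, a debugger or an analysis tool performs to read a module's exports.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* memcpy-based accessors: no alignment assumptions about the buffer holding the image. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
/* True when [off, off + len) lies inside an image of `size` bytes. */
static int in_image(size_t size, uint64_t off, uint64_t len) { return off <= size && len <= size - off; }

/* Looks `name` up in the export table of a PE image mapped at `base` (sections at
   their RVAs, as a loaded module is). Returns the export's address, or NULL when
   the headers are malformed, the name is absent, or the export is a forwarder to
   another DLL. `size` bounds every RVA taken from the image. */
const uint8_t *pe_get_proc_address(const uint8_t *base, size_t size, const char *name)
{
    if (!in_image(size, 0, 64) || rd16(base) != 0x5A4D) return NULL;              /* "MZ" */
    uint32_t nt = rd32(base + 60);                                                  /* e_lfanew */
    if (!in_image(size, nt, 24) || rd32(base + nt) != 0x00004550) return NULL;     /* "PE\0\0" */
    uint64_t opt = (uint64_t)nt + 24, opt_size = rd16(base + nt + 20);
    if (opt_size < 2 || !in_image(size, opt, opt_size)) return NULL;
    /* DataDirectory[0] (exports) is at +96 in a PE32 optional header, +112 in PE32+ */
    uint64_t dir = opt + (rd16(base + opt) == 0x20B ? 112 : 96);
    if (dir + 8 > opt + opt_size) return NULL;
    uint32_t exp_rva = rd32(base + dir), exp_size = rd32(base + dir + 4);
    if (exp_rva == 0 || !in_image(size, exp_rva, 40)) return NULL;
    const uint8_t *exp = base + exp_rva;
    uint32_t nfunc = rd32(exp + 20), nnames = rd32(exp + 24);
    uint32_t funcs = rd32(exp + 28), names = rd32(exp + 32), ords = rd32(exp + 36);
    if (!in_image(size, funcs, (uint64_t)nfunc * 4) || !in_image(size, names, (uint64_t)nnames * 4) ||
        !in_image(size, ords, (uint64_t)nnames * 2)) return NULL;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva = rd32(base + names + 4 * (size_t)i);
        if (name_rva >= size) continue;
        const char *s = (const char *)base + name_rva;
        if (!memchr(s, 0, size - name_rva) || strcmp(s, name) != 0) continue; /* unterminated or other name */
        uint16_t ord = rd16(base + ords + 2 * (size_t)i);    /* index into AddressOfFunctions */
        if (ord >= nfunc) return NULL;
        uint32_t rva = rd32(base + funcs + 4 * (size_t)ord);
        /* A forwarder's RVA points back inside the export directory at a "DLL.Symbol"
           string; the code lives in another module and must be resolved there. */
        if (rva >= exp_rva && (uint64_t)rva < (uint64_t)exp_rva + exp_size) return NULL;
        return rva < size ? base + rva : NULL;
    }
    return NULL;
}
enum { SAMPLE_IMAGE_SIZE = 0x2000 };
/* Builds a constructed (not copied from any real DLL) minimal PE32 image whose
   export table is shaped like kernel32's: four names, one of them a forwarder. */
int build_sample_image(uint8_t *img, size_t size)
{
    static const uint32_t func_rva[4] = { 0x1000, 0x1100, 0x1200, 0x2A0 }; /* 0x2A0: forwarder text */
    static const uint32_t name_rva[4] = { 0x2C0, 0x2D0, 0x2E0, 0x2F0 };
    static const uint16_t name_ord[4] = { 0, 3, 1, 2 };                    /* name i -> func_rva[ord] */
    static const char *const names[4] = { "GetProcAddress", "HeapAlloc", "LoadLibraryA", "Sleep" };
    if (size < SAMPLE_IMAGE_SIZE) return 0;
    memset(img, 0, size);
    put16(img, 0x5A4D);              /* "MZ" */
    put32(img + 60, 0x80);           /* e_lfanew */
    put32(img + 0x80, 0x00004550);   /* "PE\0\0" */
    put16(img + 0x84, 0x01C4);       /* Machine: ARMNT, as a Windows RT build would be */
    put16(img + 0x94, 0xE0);         /* SizeOfOptionalHeader (PE32) */
    put16(img + 0x98, 0x10B);        /* optional header magic: PE32 */
    put32(img + 0x98 + 96, 0x200);   /* DataDirectory[0].VirtualAddress: export table */
    put32(img + 0x98 + 100, 0x100);  /* DataDirectory[0].Size: 0x200..0x300 */
    put32(img + 0x200 + 12, 0x290);  /* Name */
    put32(img + 0x200 + 16, 1);      /* Base (ordinal base) */
    put32(img + 0x200 + 20, 4);      /* NumberOfFunctions */
    put32(img + 0x200 + 24, 4);      /* NumberOfNames */
    put32(img + 0x200 + 28, 0x240);  /* AddressOfFunctions */
    put32(img + 0x200 + 32, 0x260);  /* AddressOfNames */
    put32(img + 0x200 + 36, 0x280);  /* AddressOfNameOrdinals */
    for (int i = 0; i < 4; i++) {
        put32(img + 0x240 + 4 * i, func_rva[i]);
        put32(img + 0x260 + 4 * i, name_rva[i]);
        put16(img + 0x280 + 2 * i, name_ord[i]);
        strcpy((char *)img + name_rva[i], names[i]);
    }
    strcpy((char *)img + 0x290, "KERNEL32.dll");
    strcpy((char *)img + 0x2A0, "NTDLL.RtlAllocateHeap"); /* HeapAlloc forwards there in real kernel32 */
    return 1;
}
/* RVA of an export in the constructed image, 0 when the lookup refuses it. */
uint32_t sample_export_rva(const char *name)
{
    static uint8_t image[SAMPLE_IMAGE_SIZE];
    if (!build_sample_image(image, sizeof image)) return 0;
    const uint8_t *p = pe_get_proc_address(image, sizeof image, name);
    return p ? (uint32_t)(p - image) : 0;
}
int main(void)
{
    const char *probe[] = { "LoadLibraryA", "GetProcAddress", "HeapAlloc", "CreateProcessA" };
    for (int i = 0; i < 4; i++) printf("%-15s -> RVA 0x%04x\n", probe[i], (unsigned)sample_export_rva(probe[i]));
    return 0;
}
```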
Works perfectly on my Windows 8 x64 Tablet :good:... its not ARM based though ...
Can i use this to run a non-store app?
Here is the catch, I have managed to get the installed (not the installation) file from a kind member here on XDA. But when I paste the folder in:
C:\Program Files\WindowsApps\Microsoft.ZuneMusic_1.0.927.0_x64__8wekyb3d8bbwe
The app isn't seen on the metro UI?
Any way to start a scanner of some sorts so that I can see the app in Metro.../?
Thanks a ton!
Please feel free to laugh a little at my noobish question... I'm still learning..
Works perfectly on my surface RT!
but type dir in CMD returns "access denied".
There are no code signature checks from the command prompt that you launch.
Code:
#include <iostream>
int main()
{
    std::cout << "Hello RT World!\n";
    return 0;
}
Compiled as an exe with info in http://stackoverflow.com/questions/...op-programs-be-built-using-visual-studio-2012
Open properties of your disk c:, go to the security tab and add "ALL APPLICATION PACKAGES" == full control. In this case the "dir" command would work, and your apps would be able to access the whole filesystem.
Sorry if it's unrelated, but does RT check signatures for loaded DLLs too? Can one run regedit and change some system CLSID to point to unsigned library, will it be loaded?
Simplestas said:
Sorry if it's unrelated, but does RT check signatures for loaded DLLs too? Can one run regedit and change some system CLSID to point to unsigned library, will it be loaded?
Unless the dll is loading with a restricted security policy (such as through a Metro app) it is checked, yes.
Excellent work on the 'App1' technique of starting a cmd prompt from a modern app, and the fact it can run other unsigned cmd line apps.
Note that the cmd prompt still runs in the modern app container and probably has lots of restrictions
And also it only runs when the modern app is running and effectively freezes when the modern app goes into the background and suspends
Don't seem to be able to run win32 gui apps from the cmd prompt it starts -- they start but immediately terminate, presumably because the full win32 stuff can't initialise in a modern app container.
But can run gui win32 api's, like the create dialog one, from the App1 modern app
Luckily we can also test, investigate and debug this on an intel Windows 8 system (dual monitor is best) when trying to work out what is going on, and then test on ARM after that.
@Simplestas: LoadLibrary is also blocked, I'm afraid. One of the first things I tried was creating a DLL compatible with the built-in rundll.exe program and using that. It failed to load the third-party library.
@xsoliman3: Don't forget the debugger. You can't run it on the RT device right now, but there are (official) tools for debugging RT apps remotely. That should allow connecting to the child process and seeing what happens as it starts up.
GoodDayToDie said:
@Simplestas: LoadLibrary is also blocked, I'm afraid. One of the first things I tried was creating a DLL compatible with the built-in rundll.exe program and using that. It failed to load the third-party library.
@xsoliman3: Don't forget the debugger. You can't run it on the RT device right now, but there are (official) tools for debugging RT apps remotely. That should allow connecting to the child process and seeing what happens as it starts up.
Great seeing you again!
Anyways, I determined from some work with the VS Remote Debugger that the integrity checks are enforced in ZwCreateUserProcess. But, I bet LoadLibrary has its integrity checks in user-mode, since it normally doesn't access any functions using a call-gate to the kernel on Windows 7, which would mean we can modify it to allow us to load unsigned DLL's.
However, with this vulnerability, I had a different. What about allowing a native application to open, such as Notepad, and before it reaches the entrypoint, remotely injecting a different application to be run (this would involve some sort of custom LoadLibrary + CreateRemoteThread pair of functions)? With the VS Debugger, you can already attach to any native process in user-mode and modify running code, data, and even the context (e.g. registers and similar data).
That suggestion is possible, and for trivial operations (i.e. replacing some strings in a program, or causing it to take one branch instead of another) people have already done so. Doing a wholesale replacement would be tricky, but should be possible (perhaps aided with WinDBG scripts or similar).
GoodDayToDie said:
Doing a wholesale replacement would be tricky
Not so tricky, I've already made a prototype on desktop Win8. Just make an ARM DLL that implements a PE loader using only 2 WinAPI functions - LoadLibrary (used only to get kernel32 handle) and GetProcAddress. Inject that DLL code and data sections via debugger, fixup relocs (you can minimize their amount in your "loader DLL" by not using global variables, placing all code into one file, not using CRT at all, and so on, ARM makes it easy to create position-independent code), and call your injected code via debugger passing it the address of LoadLibrary and GetProcAddress as parameters. Your code then would do what you wish - load and execute an unsigned DLL that you specify.
With this trick you can load EXE files too, as all ARM EXEs contain relocs by default.
But this way is too inconvenient to the end-user, so should be avoided. I really think that MS left enough holes for us to "unlock" unsigned apps on retail WinRT devices.
I'm already thinking on buying an Asus tablet with 3G (instead of waiting for a better device that I wish), so after NY holidays I'll join your game
Ah, that's a much more clever approach than actually trying to load the full program using the debugger itself... if it works. LoadLibrary triggers the same signature check that CreateProcess does (or rather, the system calls that they do will perform that check; if it was user-mode we could bypass it with the debugger). Your method may work, but since the desktop doesn't have the signature check anyhow, prototyping it there doesn't actually mean it will work on RT. Try it out and let us know how it goes, and if it works, posting your source would be awesome!
GoodDayToDie said:
Ah, that's a much more clever approach than actually trying to load the full program using the debugger itself... if it works. LoadLibrary triggers the same signature check that CreateProcess does (or rather, the system calls that they do will perform that check; if it was user-mode we could bypass it with the debugger). Your method may work, but since the desktop doesn't have the signature check anyhow, prototyping it there doesn't actually mean it will work on RT. Try it out and let us know how it goes, and if it works, posting your source would be awesome!
He doesn't mean making a prototype and importing from kernel32.dll. He means manually mapping the PE file, then using either CreateRemoteThread or modifying the context of a thread already launched to run it once it's in the memory address of another process. It's basically DLL injection with our own implementation of LoadLibrary. It would work because LoadLibrary doesn't use any system calls except to map memory (and mapping memory doesn't have integrity checks of any sort, and it shouldn't be design -- e.g. VirtualAlloc).
A bigger problem I thought of is automating this. I took a quick peek with Wireshark at my remote debugging session and saw HTTP with what appeared to be a proprietary protocol. In order to automate this from another computer (or any mobile device for that matter), we would need to reverse engineer the protocol. Or, an alternative would be to hook into Visual Studio once the debugging session is launched (maybe just a nice VS plugin would work?).
mamaich said:
Code:
void DoThings()
{
char *Tmp=(char*)GetTickCount64;
Tmp=(char*)((~0xFFF)&(DWORD_PTR)Tmp);
while(Tmp)
{
__try
{
if(Tmp[0]=='M' && Tmp[1]=='Z')
break;
} __except(EXCEPTION_EXECUTE_HANDLER)
{
}
Tmp-=0x1000;
}
if(Tmp==0)
return;
I was looking through the provided sample -- wouldn't our own GetModuleHandleA implementation be a better way of doing this? I'm just thinking should the alignment be changed in kernel32.dll it may be better to have something like this:
Code:
if (!name)
{
    ret = NtCurrentTeb()->Peb->ImageBaseAddress;
}
else if (flags & GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS)
{
    void *dummy;
    if (!(ret = RtlPcToFileHeader( (void *)name, &dummy ))) status = STATUS_DLL_NOT_FOUND;
}
Source: http://source.winehq.org/source/dlls/kernel32/module.c#L504
Grabbing the Peb (NtCurrentTeb()->Peb) would involve pulling from the FS register at offset 0x30. Implementing this on ARM could be trickier, as I'm not sure of the inline assembly or availability of intrinsics (not to mention, it would be stored somewhere else than the FS register).
Now, for the PC, it appears __readfsdword is available as an intrinsic, so this *should* work on x86 installations of Windows 8.
mamaich said:
Not so tricky, I've already made a prototype on desktop Win8. Just make an ARM DLL that implements a PE loader using only 2 WinAPI functions - LoadLibrary (used only to get kernel32 handle) and GetProcAddress. Inject that DLL code and data sections via debu
I think this approach (of injecting your own loader, as far as I understand) has such a problem (even if implemented & automated):
A loaded exe can have its own dependent dlls (any complicated/useful project has), which it can't load because of signing checks (and even more problems if it uses dynamic loading of its own dlls and getprocaddress).
Or do I miss something in your idea?
Will I be able to read/write to a parallel port using this method? Do the limited store apps have sufficient permissions to do that? Writing to a parallel port requires calling
Code:
hndleLPT = CreateFile("LPT1",(GENERIC_READ | GENERIC_WRITE), 0, 0, OPEN_EXISTING, 0, 0);
Will this succeed?
Will I be able to successfully load this: http://www.highrez.co.uk/Downloads/InpOut32/default.htm ?
---------- Post added at 03:01 PM ---------- Previous post was at 02:11 PM ----------
This looks like an improved method to get the base address:
http://tedwvc.wordpress.com/2013/07/19/finding-the-kernel32-dll-module-handle-in-a-windows-store-app-using-approved-apis/
You should be able to do that using CreateFile2, which is permitted in Store apps already (no need to use the rest of the Win32 API). As for the permissions, I don't know, but it will probably work.
I mean, assuming your computer *has* an LPT port. I haven't seen one of those in a while...
how about the other way round? can a desktop app have access to the full windows 8 api (including those reserved for win store apps only)?

WP7 FTP+HTTP Client public library - need testers

Hi Friends.
I did some attempts to make a working WP7 FTP(+HTTP) library. It may allow endpoint applications to list, upload and download ANY files (including binaries etc.) from FTP or HTTP servers.
The simplest way is to use a web service. I have got a working one, but it is based on hacked closed code, so it is possible for my internal use only, not for public presentation. The second problem is web service instability.
The second way is native code, allowed by RootProject or a custom ROM. First I tried MFC Internet+FTP classes. But WinInet functions are disabled or not present in the WP7 core (or I only do not know how to allow them).
Then I got a public multiplatform source FTPClient library, based on native socket management, and did (very small) changes in it to be usable on unlocked WP7. The library is working now. But only a simple native test application is finished and I have no free time now.
If somebody wants to participate, write here or send me a PM. I will send an FTP account to the site containing the full source code and an FTP test subsite too.
It is needed:
1. To repair SIZE command. On some servers library gets code 550 SIZE is not allowed in ASCII mode (library changes mode in download time only).
2. To make better, WM/WP consistent interface.
3. To make managed wrapper (we will do it to w.i.n.c.o's wNativeCom library and as Phone Commander plugin, but WP7DllImport wrapper is needed too).
4. To make automatic tests or to test all functions manually.
5. To refactor the whole project according to the open-source licence of the used code.
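The SIZE/550 problem in item 1, worked as an added example (not code from Martin7Pro's library): an RFC 959 reply parser that handles multi-line replies, and a SIZE request that switches to TYPE I on a 550 and retries, run against a constructed in-memory stand-in for a server that rejects SIZE in ASCII mode. ftp_parse_reply, fake_server_reply, ftp_file_size and run_sample_session are names chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* One parsed control-channel reply (RFC 959, section 4.2). */
typedef struct {
    int code;        /* three-digit code of the terminating line */
    char text[128];  /* text after "nnn " on that line, e.g. "2048" for a 213 */
} FtpReply;

/* Parses one complete reply at the start of `raw`. A multi-line reply opens with
   "nnn-" and ends at the first line beginning with "nnn " (same code, then a
   space). Returns the bytes consumed, or 0 when the buffer does not yet hold a
   whole reply (read more and call again). */
size_t ftp_parse_reply(const char *raw, size_t len, FtpReply *out)
{
    int code = 0;
    if (len < 4) return 0;
    for (int i = 0; i < 3; i++) {
        if (raw[i] < '0' || raw[i] > '9') return 0;
        code = code * 10 + (raw[i] - '0');
    }
    int multi = raw[3] == '-';
    if (!multi && raw[3] != ' ') return 0;
    for (size_t pos = 0; pos < len;) {
        const char *eol = memchr(raw + pos, '\n', len - pos);
        if (!eol) return 0;
        size_t next = (size_t)(eol - raw) + 1;
        int terminal = !multi ||
            (next - pos >= 4 && memcmp(raw + pos, raw, 3) == 0 && raw[pos + 3] == ' ');
        if (!terminal) { pos = next; continue; }
        size_t tlen = next - pos - 4;                        /* text after "nnn " */
        while (tlen && (raw[pos + 3 + tlen] == '\n' || raw[pos + 3 + tlen] == '\r')) tlen--;
        if (tlen >= sizeof out->text) tlen = sizeof out->text - 1;
        memcpy(out->text, raw + pos + 4, tlen);
        out->text[tlen] = '\0';
        out->code = code;
        return next;
    }
    return 0;
}

/* Constructed stand-in for the server side of the reported problem: SIZE is
   refused while the transfer type is still ASCII (the FTP default). */
typedef struct { int binary; } FakeServer;

const char *fake_server_reply(FakeServer *srv, const char *cmd)
{
    if (strcmp(cmd, "TYPE I") == 0) { srv->binary = 1; return "200 Type set to I\r\n"; }
    if (strncmp(cmd, "SIZE ", 5) == 0)
        return srv->binary ? "213 2048\r\n" : "550 SIZE is not allowed in ASCII mode\r\n";
    return "500 Unknown command\r\n";
}

typedef struct {
    FakeServer *srv;    /* stands in for the control socket */
    int binary;         /* the client's record of the current TYPE */
    int type_switches;  /* how many times a 550 forced a TYPE I */
    FtpReply last;
} FtpClient;

/* Sends one command and parses its reply (over a real socket: send(), then recv()
   into a buffer until ftp_parse_reply returns non-zero). Returns the reply code. */
int ftp_cmd(FtpClient *c, const char *cmd)
{
    const char *raw = fake_server_reply(c->srv, cmd);
    return ftp_parse_reply(raw, strlen(raw), &c->last) ? c->last.code : -1;
}

/* SIZE with the repair item 1 asks for: the library switches to binary only at
   download time, so SIZE went out in type A and such servers answered 550. Here a
   550 while still in ASCII triggers TYPE I and one retry. Returns bytes or -1. */
long ftp_file_size(FtpClient *c, const char *path)
{
    char cmd[300];
    snprintf(cmd, sizeof cmd, "SIZE %s", path);
    int code = ftp_cmd(c, cmd);
    if (code == 550 && !c->binary) {
        if (ftp_cmd(c, "TYPE I") != 200) return -1;
        c->binary = 1;
        c->type_switches++;
        code = ftp_cmd(c, cmd);
    }
    if (code != 213) return -1;
    char *end;
    long size = strtol(c->last.text, &end, 10);
    return (end != c->last.text && size >= 0) ? size : -1;
}

/* Two SIZE requests on a fresh (ASCII) connection; only the first should need the
   TYPE I switch. Returns the size both agreed on or -1; *switches gets the count. */
long run_sample_session(int *switches)
{
    FakeServer srv = { 0 };
    FtpClient c = { &srv, 0, 0, { 0, "" } };
    long first = ftp_file_size(&c, "pic.jpg");
    long second = ftp_file_size(&c, "pic.jpg");
    if (switches) *switches = c.type_switches;
    return first == second ? first : -1;
}
```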
Martin7Pro said:
The second way is native code, allowed by RootProject or a custom ROM. First I tried MFC Internet+FTP classes. But WinInet functions are disabled or not present in the WP7 core (or I only do not know how to allow them).
WININET is working and internally used by MS apps.
ultrashot said:
WININET is working and internally used by MS apps.
Thanks for the info. I thought that it must be used. But when I use the WinInet CE6 API, I get the error "This function is not supported on this system". What must I do to use InternetConnect() etc? Thanks, M.
Martin7Pro said:
Thanks for the info. I thought that it must be used. But when I use the WinInet CE6 API, I get the error "This function is not supported on this system". What must I do to use InternetConnect() etc? Thanks, M.
I don't know what you use and from where do you get this error - it mustn't happen if you use APIs directly.
ultrashot said:
I don't know what you use and from where do you get this error - it mustn't happen if you use APIs directly
Code:
HINTERNET hInternetConnect;
HINTERNET hOpen = InternetOpen (L"FTP",
                                INTERNET_OPEN_TYPE_PRECONFIG,
                                NULL, NULL, 0); /// This function works OK.
if ( !hOpen )
{
    AfxMessageBox(L"Failed to open WinInet");
}
else
{
    hInternetConnect =
        InternetConnect(hOpen,
                        m_URL,
                        INTERNET_DEFAULT_FTP_PORT,
                        m_Username,
                        m_Password,
                        INTERNET_SERVICE_FTP,
                        INTERNET_FLAG_PASSIVE,
                        0); /// This function returns error.
    if( hInternetConnect ){
        AfxMessageBox(L"Internet Connect succeded");
        /*
        if(FtpGetFile(hInternetConnect, m_Filename_Remote, m_Filename_Local, 0, 0, FTP_TRANSFER_TYPE_BINARY, 0))
        {
        }
        else{
            AfxMessageBox(L"Get File Failed");
            return false;
        }
        */
        InternetCloseHandle(hInternetConnect);
    }
    else
    {
        CString csError = ErrorString(GetLastError());
        TRACE(csError);
        AfxMessageBox(csError);
        return false;
    }
    InternetCloseHandle(hOpen);
}
returns:
This function is not supported on this system. Error code : 78
And another, bigger problem:
When I uncomment the FtpGetFile part, the application is compiled and deployed OK. But after starting it does nothing; it does not want to start at all. I do not understand how the unused portion of the code can affect the behavior of the application start.
The socket library does not do anything similar.
Microsoft!!!
http://support.microsoft.com/kb/2735592
But patch is developed for ARM >=5 only and licensed to PB customers.
Finished - test binaries
Hi friends. Here are binaries for testing. Predefined values download a nice picture from our Czech glamour atelier to your "Storage card" device directory, but you can try many other servers, directories and accounts. All directory contents may be downloaded to your "Storage card" directory, no selecting is possible in the example. I mean there will be problems behind firewalls etc., post your feedback. WinInet really does not work on WP7 for FTP servers; a slightly changed class from D. J. Bernstein and codeproject is used there. If anybody knows how to export STL templates from a dll, help me. Use the "Exit" button for app closing instead of the usual WP7 "Esc".
Edit: There is actual version (without licencing conflict probably).
Managed wrapper will be added later (by wNativeCom probably). XAP installable example for non-developers in deeper future.
Code is totally thread unsafe, after validation I will use http://forum.xda-developers.com/showthread.php?t=2208647 for it.
You can try unfinished Silverlight version:
http://wp7ftp.howto.cz/XDA/FTPClientExample.xap ... will be updated. EDIT: Xap 1.1 version is available from April 5th.
http://wp7ftp.howto.cz/XDA/FtpClientLibrary.dll ... this native library is needed in your device "\Windows\" directory (download and transport it to the place). EDIT: If it does not work on any device, try to delete \Windows\FtpClientLibrary.dll and install the xap 1.1 version only.
Preliminary results:
1. Native FTP library works well.
2. Managed/Native callbacks synchronisation works well. (Thanks to MS idiots I must code all desktop like functionality again). There is a most important part for mechanism studying.
3. Silverlight for WP7 is the most stupid and bugged Microsoft feature.
Simple app description:
Type Host, User, Pass and Remote (dir) values. You can keep the predefined ones for testing. Tap "Connect". You can see the result in the scrollable block at the bottom. If unsuccessful, check your internet connection and typed strings, try again. If successful, tap the second empty line under "Remote" (thanks to the absence of a normal multiselectbox in WP7). Check the wanted file names and tap the bottom cross (is it normal in ListPicker to have two crosses???). Tap "Download". That is all. You can tap "Disc.", change remote path or server values and tap "Connect" again. The first empty line under "Remote" contains the remote directories list, but I am too busy to finish any logical directory tracing with the bugged and illogical Silverlight Toolkit features.
Known bug: Edit: Solved in 1.1 version. If a deadlock still occurs (unavailable FTP response), an app restart (or phone reboot) helps you. Does anybody know if the SL TextBox has limited capacity and how to bind a string list to ListPicker?
Attention: "Connect" again after a successful previous connect and without disconnect = possible memory leaking!
Note: It is FTP. It must wait some seconds for every directive. If unsuccessful, try the same again. This is normal FTP behaviour over a mobile connection.
If anybody wants, the libraries are open source and you can download them from the same FTP which is used as the predefined example values, or the equal http http://wp7ftp.howto.cz/XDA/. You all have full FTP access; do not change anything important, upload relevant patches only! The managed part (Visual Studio 2010 for WP) is usable via the FTPClientUIDebugManagedWrappers.sln solution. I want to add FTP as a plugin to Phone Commander only; I think the two-pane UI is the best solution for an FTP client. But a standalone FTP client can be usable too, when somebody Silverlight-experienced repairs the listControls behaviour there (all n/m callbacks are prepared, only UI finishing is necessary). Only download is finished in the native library; upload will be repaired in next versions.
Version 1.3
Uploaded FTPClient v 1.3 (the newest version is always on http://wp7ftp.howto.cz/XDA/FTPClientExample.xap), which solves ListPicker issues. Instead of the Remote Directories ListPicker, a totally wrong but functioning global strings listbox is used; I am too busy to solve SL toolkit bugs now.
Known bug: The native library sometimes loses the connection and does not inform the main application about it. You will see an empty directories list from non-empty directories in this case. An application (or sometimes device) reset helps you.
Known restriction: The server must be typed by name alias, not by IP address. I still do not know why; it will probably be repaired in future versions.
Version 1.4
V 1.4:
Repaired file unselect after directory changing.
Shows "./././.." instead of ".." as the "Up" directory for better tapping.
Response TextBox content is rounded to 1000 characters. Is it a known TextBox bug to show only some first characters?

[Galaxy S1][KERNEL]+[APP] PWNAIR: WiFi monitor mode + Aircrack

PwnAir
WiFi monitor mode & AirCrack
ONLY for Galaxy S1 with any compatible ROM
"STABLE" RELEASE /* YOUR WARRANTY IS NOW VOID */
05/2014 [NEW] 1.03 TARGET-SCAN (airodump-ng) is now part of PwnAir Lite!
06/2014 [NEW] 1.05/1.06 Signal strength indication is now reported in TARGET-SCAN
07/2014 [NEW] 1.07 The app will try again if you fail to give superuser rights at first launch. Tested with several ROMs.
11/2014 [NEW] PwnAir Pro is now free! No ads. No trackers added.
PwnAir is a package (kernel + app) that will turn your Galaxy S1 phone into a WiFi cracking device.
* Enable WiFi monitor mode, like bcmon did
* Recover WEP and WPA-PSK keys, through AirCrack
* Capture WiFi traffic, through AirCrack too
I couldn't resist to put this reference to the Watch Dogs game.
What a better timing to launch PwnAir than Watch Dogs game release ? (PwnAir is not sponsored by Ubisoft, btw!)
What's new is that PwnAir intends to:
* port bcmon to recent ROMs/kernels. As you may have noticed, bcmon won't run on recent ROMs, except if you've built it yourself. That's normal.
* bring a new graphical user interface to bcmon app (LOAD)
* bring a new graphical user interface to airodump-ng (TARGET-SCAN)
* [Pro only] bring a new graphical user interface for the main AirCrack-ng command-line tools (TARGET-LOG, ATTACK, CRACK) with terminal scrolling optimizations
PRE-REQUISITES
* Your phone is a Galaxy S1 (galaxysmtd, GT-I9000). It is NOT going to work on S2/S3/S4, or any other phones that are using anything else than the Aries kernel, and especially anything else than a Broadcom 4329 WiFi chipset.
* You are using a KitKat ROM* (or you swear to do a kernel/NANDROID backup in case you're unsure). PwnAir Kernel has been tested on CyanogenMod v11 (best supported snapshot: cm-11-20140504-SNAPSHOT-M6-galaxysmtd.zip), CyanFox 2.0.2 (dead download link) and C-RoM v7.1.
* You have a custom recovery installed, like CWM or TWRP. I recommend CWM Philz Touch (philz_touch_6.19.3-galaxysmtd.img).
* You are not afraid of losing your phone warranty and/or data, making your phone bootloop until you get to reflash it, and all that funny stuff that kernel/ROM flashers surprisingly enjoy.
*About KitKat ROM compatibility: To be more exact, you need a ROM compatible with the CyanogenMod 11 kernel (a.k.a. Aries stable/cm11.0, this version is the KitKat release), which is generally the case for KitKat ROMs. It is possible that older non-KitKat ROMs work also. There should be no reason your ROM is not compatible with the PwnAir kernel if you use a fairly recent ROM (i.e. KitKat, 4.4) without strong kernel customizations. The risk, as for any kernel, is that some peripherals may not work or that the phone may bootloop until reflashed. On Linux/Android, the approach of flashing a full kernel is safer than forcing a Wi-Fi driver to load into an unknown kernel. For the compatibility paranoids, you can use the indicated CyanogenMod ROM snapshot.
INSTALL INSTRUCTIONS
Download PwnAir Kernel zip file
Open PwnAir kernel zip archive with 7zip or similar zip tool
Download the monitor mode firmware: fw_bcm4329.bcmon.bin
Copy fw_bcm4329.bcmon.bin into the system/vendor/firmware folder of the PwnAir kernel zip file
Save the zip file
Transfer the zip file to your sdcard
Reboot your phone in Recovery Mode (from the menu, or power off and power on with Volume Up + Home + Power)
Do a NANDROID backup or at least a quicker kernel backup
Flash the zip file from recovery mode
Reboot your phone
MONITOR MODE ACTIVATION & WHAT'S NEXT
The PwnAir Lite app has been installed during the process. Open it and "Load Monitor Mode".
First option, "Mode monitor" appears. -- You're happy.
So then, go to the target tab and launch a scan to see access points and clients ("stations") traffic.
Additional functions are part of the (free) Pro App or can be used with free Command Line Interface tools : Wireless Tools (mandatory) + Aircrack (see "sources" section, check "bin" folders).
Second option, an error message appears or you're stuck into a bootloop.
If an error message appears...
1. Post the error message here.
2. Connect your phone in USB debugging mode
3. Post the output of
Code:
adb shell su -c dmesg
4. Don't pay me a beer, I don't deserve it
If the error message when trying to flash is "This package is for "galaxys,galaxysmtd,GT-I9000,GT-I9000M,GT-I9000T" devices; this is a "". Status 7.", then you need to install CWM Philz Touch (philz_touch_6.19.3-galaxysmtd.img), which is a CWM Advanced Recovery, and try again to install PwnAir from Recovery Mode.
To install Philz Touch, go to Download Mode (not Recovery Mode) and run from your computer:
Code:
heimdall flash --KERNEL philz_touch_6.19.3-galaxysmtd.img
If you're stuck into a bootloop or frozen boot -- Don't cry, you're not alone, that happens.
First of all, remove the battery and reboot. Still in trouble?
Sometimes Often, CWM isn't working properly so re-flash the PwnAir kernel with Heimdall.
Connect your phone USB cable to your PC, put your phone in Download Mode (long press Volume Down + Home + Power), extract boot.img from the zip file and run from your PC command prompt:
Code:
heimdall flash --KERNEL boot.img
You can do this with ODIN if you prefer.
Still in trouble, again?
From Download Mode, flash your working ROM/Kernel boot.img the same way as described just before.
Or from Recovery Mode, restore your NANDROID backup or flash another working kernel or ROM.
DOWNLOADS :laugh: DOWNLOADS!
pwnair-no-firmware.zip: PwnAir Kernel+App flashable zip - Mirror: XDA Download - FIRMWARE NOT INCLUDED, GET FIRMWARE FROM THE LINK BELOW AND CHECK INSTALL INSTRUCTIONS!
fw_bcm4329.bcmon.bin: Bcmon monitor mode firmware for Broadcom 4329 WiFi chipset
[OPTIONAL] PwnAir Pro App For FREE, an easy-to-use graphical interface that implements Aircrack automated scan/attack/cracking tools on WEP and WPA networks (WPA: includes the 10k most commonly used password dictionary). You can also download it from this thread's Download section, but in this case you need to install it manually (adb install or whatever).
KNOWN ISSUES
Unload was supposed to bring my normal WiFi back, not "kill" all the WiFi drivers! dmesg log will show some info about memory usage. From what I understand, the WiFi driver, especially the "normal" one (Mode: managed), is asking the kernel to reserve too much memory aligned space to store the wifi interface class. And the kernel, as a result of time and driver load/unload, is too much fragmented to satisfy this request. That's the strange way the Linux kernel works. So you just need to realign your kernel memory. So just "Reboot".
EDIT: NIK510 reported that clicking the Unload button and then running iwconfig eth0 power off and iwconfig eth0 power on in a terminal can bring your normal WiFi back without rebooting. Try your luck!
Having airodump-ng (SCAN) launched for a long time may cause the phone to freeze or reboot Well, for this, I've no idea. You know my answer: "Reboot". The hard way if necessary.
LIMITATIONS
PwnAir Lite App is limited to loading the monitor mode and scanning for networks. Get the (free) Pro version for attacks and cracking. Otherwise, if you like typing command-lines with MAC addresses on your touch phone, here's the deal: AirCrack is open source GNU GPL. That means you can get the CLI sources of the Android port directly on my repo and compile it or get the CLI binaries.
PwnAir is not compatible with Aircrack-ng-GUI, Reaver-WPS-GUI apps or any "normal" WiFi app. Either use the PwnAir Pro app or the free Wireless Tools binaries + Aircrack CLI binaries (see "sources" section). Try your luck with "Unload" but the only clean way to get your normal WiFi back is just to reboot your phone.
Not all possible WiFi attacks are implemented. Attack of hidden SSID, client attack (Caffe Latte) and client MAC spoofing need to be manually (CLI) performed. Get the aircrack-ng CLI tools from my repo if you want to perform such attacks. Like other client attacks, Hirte Attack is not implemented and it's possible that the driver doesn't support it anyway: Get a Caffe Latte instead, it's quite the same.
Q&A
Q: Can I use a custom dictionary for WPA-PSK cracking?
A: Yes. See Tips about WPA dictionary attacks
Q: Can I use Reaver command line or Reaver for Android (RfA) with this app?
A: Yes and no. There is no evidence that the bcmon bcm4329 firmware (the one on Google Code or the one bundled with the bcmon app) can actually perform reaver-based attacks. If you managed to do it, contact me and I'll update the app with an RfA launch script.
SOURCES, CREDITS, BUILD INSTRUCTIONS, PRIVACY POLICY, SUPPORT...
[PWNED SOURCES]
I have ported all the CLI tools to Android/Aries/CM11:
AirCrack-ng suite for Android
Wireless Tools for Android
GNU Macchanger for Android
Airpcap Android static library for Aries (this recent version is needed for reaver-wps to work)
Reaver-WPS for Android (UNTESTED)
PwnAir Kernel (CM11 stable Aries with dual standard/bcmon WiFi drivers)
[UNPWNED SOURCES / CREDITS]
Adapted from Bcmon work
Android Terminal Emulator
Android Bootstrap
Java Installer's execpty
[BUILD INSTRUCTIONS FOR ADVENTUROUS USERS]
CLI executables: Use Cyanogenmod build system, check instructions in Android.mk and Aircrack for Android README file.
Detailed kernel build instructions/porting to other devices with broadcom 4329 chipset: check this post. In addition, to have the CLI executables bundled during the build: Use Cyanogenmod build system, copy manifest from build dir of PwnAir Kernel (bcmon_aries) repo to cyanogenmod .repo/local_manifests/, copy config file in kernel/samsung/aries/arch/arm/configs, init the repo, breakfast galaxysmtd and build (check my wiki section "How to (edit and) build an officially supported kernel?" on CM integrated kernel building wiki page for kernel building).
[PRIVACY POLICY]
This app doesn't leak your private information. The code doesn't use any ads or tracker libraries. Root permissions are only used to provide the described functionalities.
Note that if you are downloading through the Google Play Store, general statistics are collected by Google (number of installs, user country, crash log, etc.): refer to the Play Store privacy policy. As seen from the Android Developer Console (and not from Google's eyes), there's nothing like private data; even the crash logs look like this: java.lang.NullPointerException at a.a.a.r.run(Unknown Source). (nothing more, and in this case it needs to be un-ProGuard-ed).
On your side, by using this app, you agree not to use it to leak private information without consent.
[SUPPORT]
Support is done in this thread preferably. If you don't have posting rights, send me a PM.
Bug reports and feature requests are also managed in this thread: see the tabs in the XDA DevDB dark bar above this post.
If you like the Pro app, please leave a comment on the Play Store page.
It's not a good idea to use Play Store contact link, I don't check it often.
Issues clearly specific to CLI tools source code (except Reaver) can be raised as GitHub issues.
XDA:DevDB Information
[GALAXYSMTD][KERNEL]+[APP] [PRO FREE] PwnAir WiFi monitor mode, Kernel for the Samsung GT-I9000 Galaxy S
Contributors
n01ce
Source Code: https://github.com/kriswebdev/bcmon_aries
Kernel Special Features: wifi monitor mode, cm11
Version Information
Status: Stable
Current Stable Version: 1.07
Stable Release Date: 2014-06-22
Beta Release Date: 2014-05-30
Created 2014-05-22
Last Updated 2016-01-23
Anyone tried this?
Hello!
After installing normal mode is ok, but after enabling monitor mode Wi-Fi doesn't work (nothing). Normal is identified as wlan0, and monitor is eth0. Modules loads, but sometimes we must enable/disable again, because dhd isn't loaded.
Best regards.
devloz said:
Hello!
After installing normal mode is ok, but after enabling monitor mode Wi-Fi doesn't work (nothing). Normal is identified as wlan0, and monitor is eth0. Modules loads, but sometimes we must enable/disable again, because dhd isn't loaded.
Best regards.
Hello devloz,
Do you see "Mode: Monitor" in eth0 when enabling monitor mode ?
If not, please run "adb shell su -c dmesg" from your PC or "su -c dmesg" from your phone and paste the output here for debug purposes.
If yes, it works. It is normal that standard Wi-Fi apps don't work in monitor mode. Monitor mode is a special Wi-Fi mode made to run CLI tools such as aircrack or airodump (you'll also need iwpriv and iwconfig installed in /system/bin or in the same directory). Apps such as the browser app and general apps won't work (i.e. have network/Internet connectivity) in monitor mode. Also, apps such as Aircrack-ng-GUI, reaver-GUI are not supported and won't work also because they are too closely related to bcmon app, and PwnAir is not bcmon, it's more bare-metal. Please use the CLI Tools (or the Pro App).
It is a known issue that you can't return to normal mode without rebooting the phone (see "Known issues" section in first post).
Hope it helps. Keep me informed.
Thank you for sharing your work!
Unfortunately I run into this stack overflow exception when trying to "Load monitor mode":
Code:
E/AndroidRuntime( 1061): FATAL EXCEPTION: AsyncTask #1
E/AndroidRuntime( 1061): Process: com.air.pwnair, PID: 1061
E/AndroidRuntime( 1061): java.lang.RuntimeException: An error occured while executing doInBackground()
E/AndroidRuntime( 1061): at android.os.AsyncTask$3.done(AsyncTask.java:300)
E/AndroidRuntime( 1061): at java.util.concurrent.FutureTask.finishCompletion(FutureTask.java:355)
E/AndroidRuntime( 1061): at java.util.concurrent.FutureTask.setException(FutureTask.java:222)
E/AndroidRuntime( 1061): at java.util.concurrent.FutureTask.run(FutureTask.java:242)
E/AndroidRuntime( 1061): at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)
E/AndroidRuntime( 1061): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
E/AndroidRuntime( 1061): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
E/AndroidRuntime( 1061): at java.lang.Thread.run(Thread.java:841)
E/AndroidRuntime( 1061): Caused by: java.lang.StackOverflowError
E/AndroidRuntime( 1061): at java.lang.AbstractStringBuilder.<init>(AbstractStringBuilder.java:89)
E/AndroidRuntime( 1061): at java.lang.StringBuilder.<init>(StringBuilder.java:95)
E/AndroidRuntime( 1061): at com.air.airpwner.AirCrack$AsyncAssets.copyAssetsRecursive(AirCrack.java:285)
E/AndroidRuntime( 1061): at com.air.airpwner.AirCrack$AsyncAssets.copyAssetsRecursive(AirCrack.java:305)
.......hundred lines later.....
E/AndroidRuntime( 1061): at com.air.airpwner.AirCrack$AsyncAssets.copyAssetsRecursive(AirCrack.java:305)
E/AndroidRuntime( 1061): at com.air.airpwner.AirCrack$AsyncAssets.copyAssets
W/ActivityManager( 482): Force finishing activity com.air.pwnair/com.air.airpwner.AirCrack
thmy said:
Thank you for sharing your work!
Unfortunately I run into this stack overflow exception when trying to "Load monitor mode":
Hello thmy,
Thanks for the logcat, I'm going to investigate. By the time, to skip this error, you can extract the "assets" folder from the PwnAir Lite apk file and copy its content (especially the "xbin" folder) to your device /data/data/com.air.pwnrlite/ folder.
Regards,
n01ce
n01ce said:
Hello thmy,
Thanks for the logcat, I'm going to investigate. By the time, to skip this error, you can extract the "assets" folder from the PwnAir Lite apk file and copy its content (especially the "xbin" folder) to your device /data/data/com.air.aircrack/ folder.
Regards,
n01ce
Not sure what exactly is causing this error but I've reworked the copyAssetsRecursive function.
Please try with the new Lite or Pro version (same links as before). For Lite version: Reflash the kernel or get the apk from the zip file and install it.
By the way, SCAN (airodump-ng GUI) is now included in the Lite version, except for logging.
Hi n01ce,
I already tried to copy the binaries by myself and I was successfully able to activate the promiscuous mode and to capture wifi traffic (without the graphical interface though).
I haven't tested a lot, but it seemed to work properly - I am really impressed!
I'll retry your new GUI next time.
Cheers,
thmy
Bump
Sent from my GT-I9000 using Tapatalk
Hello n01ce, I want to thank you for this great app PwnAir. I will buy the Pro version; it works well on my Galaxy S i9000, jejej. Can I ask you one question: will you be able to make an app for the Galaxy S2 i9100, since I also have this Galaxy S2? Will you be able to do this app for that Galaxy?? The driver is not working and not communicating with my insurance. I can donate to you, thanks again.
legionpr said:
Hello n01ce, I want to thank you for this great app PwnAir. I will buy the Pro version; it works well on my Galaxy S i9000, jejej. Can I ask you one question: will you be able to make an app for the Galaxy S2 i9100, since I also have this Galaxy S2? Will you be able to do this app for that Galaxy?? The driver is not working and not communicating with my insurance. I can donate to you, thanks again.
Hi legionpr,
Thanks for your feedback.
Regarding Galaxy S2, the bcmon app should work, along with AircrackGUI app.
If it fails, try this.
The graphical interface of AircrackGUI is not as intuitive as PwnAir but it should do the job, and kernel flashing is not needed (that's because the S2 uses a broadcom 4330 chipset, and the phone official driver can be tricked easily).
I don't own a Galaxy S2 so I can't port PwnAir to this device without remote help (some files to put on the device and some commands to launch. If someone is interested, PM me).
Regards,
n01ce
n01ce said:
Hi legionpr,
Thanks for your feedback.
Regarding Galaxy S2, the bcmon app should work, along with AircrackGUI app.
If it fails, try this.
The graphical interface of AircrackGUI is not as intuitive as PwnAir but it should do the job, and kernel flashing is not needed (that's because the S2 uses a broadcom 4330 chipset, and the phone official driver can be tricked easily).
I don't own a Galaxy S2 so I can't port PwnAir to this device without remote help (some files to put on the device and some commands to launch. If someone is interested, PM me).
Regards,
n01ce
Hello friend n01ce, thank you for answering my question, hehe. Your app is great and successful, as it can remove a password of WEP with the hidden SSID and it worked at 100 for me, thanks. I tried with the Galaxy S2 with the files that you said but it cannot take the pass, but with your app PwnAir Pro it works. If you want, you can test my Galaxy S2 since I have several devices here. I look forward to your reply, thanks.
Hi all,
is there any chance at all that there will be a adaption of the great:
[APP][ROOT][WiFi] Reaver-GUI for Android
I think when bcmon works with Aircrack on a galaxysmtd it should work with reaver as well?
handyflo said:
Hi all,
is there any chance at all that there will be a adaption of the great:
[APP][ROOT][WiFi] Reaver-GUI for Android
I think when bcmon works with Aircrack on a galaxysmtd it should work with reaver as well?
Hello handyflo,
PwnAir is currently not compatible with RfA but we're working on it.
You can still use the command line tool Reaver-WPS for Android (UNTESTED). reaver-wash is working properly to find WPS-enabled networks, but I've not managed to successfully hack a network with reaver. Someone also tested it previously without success. I still don't know if I met all the pre-requisites (PIN-code based WPS router with good signal strength) or if there's a firmware issue preventing reaver attacks. But it would be interesting to have more people testing the reaver command line tool due to these pre-requisites.
Potential causes for incompatibility between PwnAir and Reaver-GUI are:
RfA needs a special bcmon activation => this will change (see below)
bcmon bcm4329 firmware may not support reaver => I still don't have sufficient proofs that Reaver ever worked on galaxysmtd with bcmon firmware
The Airpcap library bundled with PwnAir may not be compatible with reaver => we can still use bcmon LD_LIBRARY_PATH to get one that is supposed to work
First potential issue (RfA monitor mode activation)
I've talked with RfA app developer, SOEDI, two weeks ago about our app compatibility and here's his answer:
SOEDI said:
(...) RfA scans active in managed-mode.
When you start the attack, then RfA starts to load the bcmon stuff and activates monitor mode.
The commands are:
Code:
su
LD_LIBRARY_PATH=/data/data/com.bcmon.bcmon/files/libs
LD_PRELOAD=/data/data/com.bcmon.bcmon/files/libs/libfake_driver.so sh
cd /data/data/com.bcmon.bcmon/files/tools
ReaverCommands
RfA tries to identify the interface. It searches for "wlan0" and "eth0".
However, the next update of RfA will support custom startup commands and custom interfaces.
This will make RfA independent from bcmon and compatible to your app
Still, I don't see why it would not work, eventually because of libfake_driver preloading but that's strange.
I think I've already tried using reaver command line tools bundled with bcmon but without better success too.
Second potential issue (bcmon bcm4329 firmware compatibility):
I've only seen one report of reaver-GUI that seemed to work on galaxy S Advance:
nitinknsl said:
guys successfully installed both apk's but having hard time finding wps enabeled networks
i found wps enabeled network but then rfa shows monitor mode activision failed , but when i run monitor mode from bcmon it's running fine !
using galaxy s advance
Still it's not clear if he actually managed to hack a network.
I really start to doubt that reaver ever worked on Galaxy S1 due to bcmon bcm4329 firmware potential incompatibility with this tool. From a post named "Injection support for BCM4329" on Bcmon blog:
Ruby Feinstein said:
Radiotap - we don't handle radiotap on packet injection. 'aireplay-ng' works fine with it but tools like 'reaver' seem to require it.
(...) reaver - NOT WORKING
It seems like reaver injects packets with radiotap header.
There's no evidence in the following posts with newer firmware updates that this issue was solved. Maybe it was, maybe not.
One point to notice: PwnAir is not using the firmware from the bcmon apk package, but the firmware from the bcmon source dir, due to driver issues. Maybe it has evolved in the apk and not in the source. That's something to investigate.
Last potential issue (Airpcap library compatibility):
I don't get different results on the reaver and wash command line tools by using the PwnAir or bcmon Airpcap library. So there's limited probability that's really an issue.
Hi n01ce,
thanks for your detailed response.
Good to see that you are making progress to investigate the use of reaver on a galaxysmtd.
Very interesting was this answer from SOEDI:
This will make RfA independent from bcmon and compatible to your app
Is there anything we (this community) can support you on something? I think a lot of guys using a galaxysmtd with CM11 ROM and may provide you with some testing results or similar?
handyflo said:
Is there anything we (this community) can support you on something? I think a lot of guys using a galaxysmtd with CM11 ROM and may provide you with some testing results or similar?
What I need is an actual proof that reaver (either command-line or GUI) works on bcm4329 phones (Galaxy S1, Nexus One, Evo 4G...).
The next question will be how it works (bcmon app, self-compiled kernel, CLI or GUI reaver, wifi access point model...).
To do proper testing and to ensure bcmon support, this would mean for the testers to go back to CyanogenMod 7 and install bcmon apk + Reaver for Android.
Testing is done the following way with bcmon on CyanogenMod 7:
Code:
su
LD_LIBRARY_PATH=/data/data/com.bcmon.bcmon/files/libs
LD_PRELOAD=/data/data/com.bcmon.bcmon/files/libs/libfake_driver.so sh
cd /data/data/com.bcmon.bcmon/files/tools
wash -i eth0
reaver -i eth0 -b ENTER_BSSID_HERE
I also don't exclude that I've just not been able to test it successfully due to the networks I've tested. So some tests even with PwnAir might be interesting.
Testing is done the following way with PwnAir after enabling monitor mode in PwnAir:
Code:
su
cd /data/data/com.air.pwnrlite/xbin
reaver-wash -i eth0
reaver -i eth0 -b ENTER_BSSID_HERE
During my tests, reaver was always stuck at:
Code:
[+] Waiting for beacon from <BSSID>
DEBUG external/reaver-wps/80211.c (229): Red AP beacon
DEBUG external/reaver-wps/80211.c (235): deauthenticate() done
DEBUG external/reaver-wps/80211.c (241): authenticate() done
DEBUG external/reaver-wps/80211.c (241): authenticate() done
DEBUG external/reaver-wps/80211.c (241): authenticate() done
DEBUG external/reaver-wps/80211.c (241): authenticate() done
DEBUG external/reaver-wps/80211.c (241): authenticate() done
DEBUG external/reaver-wps/80211.c (245): end while associate_recv_loop()
(...)
[!] WARNING: Failed to associate with <BSSID> (ESSID: <ESSID>)
Tips about WPA dictionnary attacks
Since I have received several questions about WPA dictionaries, I post a few general tips here:
There is about 5% chance to crack a WPA key since WPA keys are minimum 8 characters long and there are no known statistical attacks for WPA. If the key is not in the dictionary, it will fail.
It would take a year to brute force a WPA key with 8 lowercase alphabetic characters (check this brute-force calculator and pyrit performance chart), using GPU cracking with a good video card. So a dictionary is needed.
PwnAir Pro supports custom dictionaries. This will be used instead of the app default 10k dictionary.
Name your custom dictionary "/sdcard/aircrack/dict.lst" (this is indeed internal storage, not the external SD card). When you are done with the custom dictionary, remove it to return to the 10k dictionary.
But for better cracking performance, it's better to use a computer video card to do GPU cracking (instead of the limited phone CPU), with software like pyrit or oclHashCat. Aircrack on Galaxy S1 can crack about 120 keys/second, whereas pyrit can crack 20 000 k/s with a good standard video card.
There are some sites specialized in WPA cracking where you upload the handshake and they provide the computing resources; but generally you'll have to pay and you have no guarantee of success.
Regarding the dictionaries, it's generally better to use dictionaries in the local language, especially people and place names. There are some links to dictionaries here. Don't trust the wordlists with several GB of data: that's generally purely randomly generated sequences of less than 8 characters, it's useless. It's good to generate your own dictionaries with wordlist generators like John The Ripper, Crunch, CUPP, RSMangler, AWLG... There are some good articles on the net on the science of password selection. You'll learn that the best wordlists are specific to each attackee and based on words very specific to the attackee (names, places, SSID, activity, passions...) eventually mixed with e.g. the current year, some numbers and basic special characters.
Otherwise, there are also some other ways to get a WPA key with social engineering, like creating a fake Wi-Fi hotspot and asking for the user credentials; but this is not the purpose of PwnAir.
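The reasoning of the post above, carried through in code as an added example (this is not PwnAir code and not the author's): the size of the keyspace a passphrase is drawn from, divided by a cracking rate, bounds how long an exhaustive search can take, while a 10k-word dictionary is exhausted in a minute and a half even on the phone. The two rates are the figures quoted in the post (about 120 keys/s on the phone CPU, about 20 000 keys/s on a desktop GPU); the character-class sizes are printable-ASCII counts; the sample passphrases are constructed. The point for anyone defending a network is the last column: length and a mixed character set move a key out of reach of exhaustive search, but only a key that is not in any wordlist escapes the dictionary path.

```python
"""Passphrase keyspace and exhaustive-search time estimator (added example)."""
import string

# Sizes of the character classes a key may draw from (printable ASCII).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

PHONE_RATE = 120      # keys/s, phone CPU figure quoted in the post
GPU_RATE = 20_000     # keys/s, desktop GPU figure quoted in the post
WPA_MIN_LENGTH = 8    # WPA-PSK passphrases are at least 8 characters


def classes_of(passphrase):
    """Return the set of character classes a concrete passphrase uses."""
    used = set()
    for ch in passphrase:
        if ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        elif ch in string.digits:
            used.add("digit")
        elif ch in string.punctuation:
            used.add("symbol")
        else:
            raise ValueError("non-ASCII or whitespace character: %r" % ch)
    return used


def keyspace(length, classes):
    """Number of keys of exactly `length` over the union of `classes`."""
    if length < WPA_MIN_LENGTH:
        raise ValueError("WPA-PSK keys are at least %d characters" % WPA_MIN_LENGTH)
    alphabet = sum(CLASSES[c] for c in classes)
    return alphabet ** length


def worst_case_seconds(length, classes, rate):
    """Upper bound on exhaustive-search time at `rate` keys per second."""
    return keyspace(length, classes) / rate


def dictionary_seconds(words, rate):
    """Time to try every entry of a wordlist with `words` entries."""
    return words / rate


def human(seconds):
    """Render a duration with one decimal in the largest fitting unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, name)
    return "%.1f seconds" % seconds


def estimate(passphrase, rate):
    """Worst-case seconds to exhaust the space a passphrase is drawn from.

    Only length and character mix count here; a key that appears in a
    wordlist falls long before this bound, which is the post's point.
    """
    return worst_case_seconds(len(passphrase), classes_of(passphrase), rate)


if __name__ == "__main__":
    print("10k-word dictionary on the phone:",
          human(dictionary_seconds(10_000, PHONE_RATE)))
    # Constructed samples: same base word, progressively wider character set.
    for sample in ("hellokit", "Hellokit", "Hellok1t", "He!lok1tt3n"):
        print("%-12s phone: %-14s GPU: %s" % (
            sample, human(estimate(sample, PHONE_RATE)),
            human(estimate(sample, GPU_RATE))))
```

Run it as a script to print the table; `estimate()` is the function to call from other code. Note that the bound it prints is for an exhaustive search of the full space, so it is an upper limit, not an expected time, and it says nothing about keys that a wordlist generator would produce from names, places or the SSID.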
Where is airmon-ng ? Cause i can't find this one on your github.
devloz said:
Where is airmon-ng ? Cause i can't find this one on your github.
Airmon-ng is a tool, or to be more specific a Linux shell script, that enables and disables WiFi monitor mode.
It contains a set of tests to determine the chipset type and then, if it knows about this chipset, it will run the command that will activate monitor mode for this particular chipset.
But airmon-ng is not needed as the PwnAir app already does that ("Load" tab).
Moreover, airmon-ng is not compatible with Android for two reasons:
- It's a shell script, built for Linux. To be able to run it on Android, it needs busybox tricks. And it is highly possible that much of the code will throw errors when run on Android.
- It's not made to activate PwnAir monitor mode.
It's located in the Aircrack-ng source scripts folder but, for the above reasons, it has not been ported to Android.
If you absolutely want to activate PwnAir kernel monitor mode through CLI instead of the App, there's a PwnAir tool called "bcm" in /data/data/com.air.pwnrlite/xbin ==> "./bcm load".