BSQUARE POWER HANDHELD PASSWORD HELP!!URGENT

cmonex (H/PC Oracle, Budapest, Hungary) - Posted 2007-10-23 4:00 PM
And I've been spending some time on disassembling how the password protection works for the Bsquare. It is quite elusive to find the part where it actually checks for the master password.. but not giving up, of course. Interesting points are gwes.exe, docbin.dll, gsmmanager.dll; now trying to go after a syscall.

see the files at: http://hpcmonex.net/roms/Bsq_ROM_dump.zip
scops (Factorite (Senior), Germany) - Posted 2007-10-23 4:10 PM
Really nice, cmonex...!!! Continue it. Thanks for all your work (and at the moment especially this work on the PHH)!
cmonex (H/PC Oracle, Budapest, Hungary) - Posted 2007-10-23 5:05 PM
Actually, it would be quite easy to patch it out so that it accepts any password or doesn't even ask, but then we must find a way to reflash the thing. (Also find a way to recompress the modified OS image, but I think I have just found out how; needs to be tested, of course, will do that soon.)

So, if I'm right, it lets you go into at least one of the bootloader modes (there are many!) without a password.. trying from memory: I disassembled the Bsquare bootloaders quite some time ago (might do it again to find new information), so try pressing and holding the U and D keys (standing for "USB download") on your keyboard while resetting. It should tell you it is trying to download over USB. Can you do this without entering a password? (I'd assume so because this is before booting the OS.)

Oh, also there are more keyboard shortcuts to enter other modes of the bootloader. The problem is, it would take so long to try all combinations (all of them consist of pressing two keys) on the keyboard.. so I tried to read them from the disassembly in the keyboard reading routine, but I'd need to see the full wiring of the keyboard.. if anyone ever disassembled a Bsquare PHH keyboard, let me know.

Edited by cmonex 2007-10-23 5:20 PM
scops (Factorite (Senior), Germany) - Posted 2007-10-23 5:12 PM
OK, I will try... tell me how and give me the modified image; I can't use it without your work... so... I'll try it! And it would be nice if you tell me how to create such an image... I would do a custom image (for example German language) in the future.
cmonex (H/PC Oracle, Budapest, Hungary) - Posted 2007-10-23 5:23 PM
scops, please reread my last post, about the keyboard.

I can do the image, but first we need to find out exactly how to flash it; the U+D isn't the perfect way to do it, ...and of course, just to be sure, I'd like you to see if it attempts to start the download without any problems regarding the password (I haven't seen mention of the password in the bootloader disasm yet, though).

And I'll need to test if the program for compressing actually works.

So not abandoning the other route either (finding the code for the master password; if we get lucky, it is simple).

P.S.: I read the U+D from the keyboard routine disassembly, but I should've just guessed it, so maybe that's a way too. And yes, I'll help you make a custom ROM if we sort this out.

Edited by cmonex 2007-10-23 5:29 PM
scops (Factorite (Senior), Germany) - Posted 2007-10-24 2:31 AM
Thanks.
cmonex (H/PC Oracle, Budapest, Hungary) - Posted 2007-10-24 3:00 AM
Did you try U+D?
scops (Factorite (Senior), Germany) - Posted 2007-10-24 3:37 AM
I can try it at home tonight. Do I need to connect it to the power cable or just place it in the docking station?
perazz (Factor Fanatic, Mantova, Italy) - Posted 2007-10-24 4:42 AM
Hi! When I come home on Friday I'll try, too! There is one thing I had noticed in the past: something like a registry entry HKLM\inot\BootVars\MasterKeysInRegistry; may it be what we are looking for?
cmonex (H/PC Oracle, Budapest, Hungary) - Posted 2007-10-24 9:51 PM
You don't have to connect AC, no need for the docking station either; I just want to see if that key combination writes anything on your display.

perazz: there is indeed such a value, but I don't know what it is.

Here is a full registry export with a password enabled.

Attachment: bsqfull.zip (60KB - 12 downloads)
scops (Factorite (Senior), Germany) - Posted 2007-10-25 2:03 AM
Hmmm, u+b+reset (5 or 10 secs) doesn't do anything here.
Maybe it needs a flashing app at the other side.

Hmm, an idea: could it be possible to place an app on an SD card that autostarts and writes a user password? (for example 0000)

Edited by scops 2007-10-25 2:06 AM
perazz (Factor Fanatic, Mantova, Italy) - Posted 2007-10-25 4:48 AM
cmonex: do you think there is any way to grab the registry from the password-locked PHH? It would be very easy to compare them, indeed!
perazz (Factor Fanatic, Mantova, Italy) - Posted 2007-10-25 4:49 AM
The password applet starts when Windows CE has booted, so, if there is any utility that can grab it, it should only be a matter of putting it in a /2577 folder on an SD card, I think...
scops (Factorite (Senior), Germany) - Posted 2007-10-25 5:04 AM
Quote
perazz - 2007-10-25 10:49 AM

The password applet starts when Windows CE has booted, so, if there is any utility that can grab it, it should only be a matter of putting it in a /2577 folder on an SD card, I think...

And then it is also possible to reset the password (or deactivate the login) or set it to 0000.

All we need is someone with VC++ for H/PC (if someone can tell me how to get it, I will write a program for the /2577 folder).
cmonex (H/PC Oracle, Budapest, Hungary) - Posted 2007-10-25 6:12 AM
perazz: no idea how you'd grab the registry without entering your password; if you could do that, it would be easy to find a way to circumvent the protection anyway..

2577 is not enabled for many H/PCs, nor for the Bsquare.

I have eVC++ otherwise, that is OK.

As for U+D, it works here with password enabled and without entering the password, but this was just a test; there must be a better way to flash a ROM image. Still, please check, just in case your bootloader is different: keep holding the "u" and "d" buttons (ignore the password dialog, where this will be typing in), press reset just like you would to do a soft reset, and hold them for a bit more..

Edited by cmonex 2007-10-25 6:26 AM