
BSQUARE POWER HANDHELD PASSWORD HELP!!URGENT

cmonex Posted 2007-12-21 5:16 PM
H/PC Oracle
Posts: 16,175
Location: Budapest, Hungary
OK, thanks let me know if you find anything.
leonwx Posted 2007-12-25 3:51 AM
H/PC Newbie
Posts: 9
Our latest research report

Hello, sorry, a long time no message.

On cryptography, as only a few of the IMEI and password, no progress yet.

Therefore, only through the anti-ROM compilation of documents (Disassembly) to find the breakthrough point,
thank you for your ROM documents.
and thank CHINAMAO in hi-pda forum, he and I together in research, and discovered an important BUG.

the password dialog box is GWES.exe loading operation, called COREDLL.DLL libraries.
COREDLL has CHECKPASSWORD GETPASSWORD SETPASSWORD related functions.
GWES.exe is a key systems process for the GDI, and other related support,
and a separate loading keyboard, touch screen, mouse-driven, other drivers
have DEVICE.exe loading.

At present my personal views:
GWES operation will be state of password is seemly to be used in the GETPASSWORDSTATUS COREDLL function, password in the ROM somewhere, of course, is a hidden region. If has password, password function will be called, and will be focusing password input box. COREDLL those in the password function has several key Jump, it is obviously necessary for dynamic can know that the anti-Jump to address in what may be password , may also be master password algorithm. ROM addresses that may actually like, may also be in RAM, a special stack. In the system can not directly read hidden ROM region, debug mode can be read by BOOTLOADER should also can view a lot of things, that is, to a dynamic debugging.

As I am not a professional in the anti-compilation (only very relevant aspects like research), error is inevitable, only made reference to

Important BUG: GWES operation will be focusing password input box.
But click LOGIN about a thousand times, the password box will be closed, but
did not release the importation of focus.
In other words, not under the conditions of the resumption of (can be turned
off), click LOGIN about 1,000 times, we can enter into the system, but Keyboard can be used with the keyboard only.

It was also found that many BUG, after all, the company did not have the system up and just.

And I welcome the exchange of
(sorry poor english)

Edited by leonwx 2007-12-25 3:56 AM
leonwx Posted 2007-12-25 4:19 AM
H/PC Newbie
Posts: 9
And we need a tool that can read RAM 0xf000a000 to 0xf00fffff address to SD bin, not ROM. If designated any address the better, but not use keyboard.
cmonex Posted 2007-12-25 12:54 PM
H/PC Oracle
Posts: 16,175
Location: Budapest, Hungary
ah i'm trying to understand your english.. so you just need to press enter in the password box 1000 times then you can use keypresses but the login box is still in the foreground except it is not the active window any more? please confirm does this work for anyone else?

anyway some parts of your post did not make sense, sorry. what did you mean by dynamic debugging from bootloader?! there is no such thing.

unless you meant KITL, the bsquare's kernel seems to have KITL enabled but i'm not 100% sure. it certainly has a lot more KITL functions compiled in than the nec 900c for example (that device has it disabled for sure). but that's not bootloader, that's kernel.
KITL would be a nice idea because you can download files before loading gwes, but i don't know how you establish the connection for the bsquare (if it is enabled at all). if you can't do it over usb then it'll be very hard without a debug board. maybe you could hack the cradle to have a serial port though? that'd be an interesting try, i know other PDA cradles have a serial connection hidden inside (for example eten p300).

i am sorry to disappoint you but 0xf000a000 to 0xf00fffff are not ordinary ram addresses. they are invalid addresses in the memory system setup, and this is intentionally so. this is how windows ce does system calls. when some code attempts to access these addresses (usually coredll) it is trapped into kernel and the kernel will dispatch the api call.

as i mentioned above i was after a syscall myself, i forget which one, but probably this getpassword/checkpassword thing.
BTW the password itself is stored in the DOC, see docbin.dll.

Edited by cmonex 2007-12-25 1:01 PM
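As an added example (not code from the thread, from bsquare or from Microsoft), here is how the 0xF000xxxx targets loaded by the coredll stubs decode under the Windows CE kernel's IMPLICIT_CALL encoding, which is what cmonex is describing: the constants (FIRST_METHOD, APICALL_SCALE, HANDLE_SHIFT) and the API-set names are taken from the CE kernel headers as I know them, and it is an assumption that this CE .NET 4.1 build uses the same table.

```python
"""Decode Windows CE API-trap addresses (the 0xF000xxxx targets in coredll stubs).

Added example, not code from the thread. The CE kernel encodes a system call as
    IMPLICIT_CALL(hid, mid) = FIRST_METHOD - ((hid << 8) | mid) * 4
where hid is the API-set (handle) index and mid the method index. Touching such
an address faults, the kernel traps the fault and dispatches the API call.
"""

FIRST_METHOD = 0xF0010000   # highest trap address; method slots count down from here
APICALL_SCALE = 4           # one 32-bit word per method slot
HANDLE_SHIFT = 8            # hid sits above an 8-bit method index
METHOD_MASK = 0xFF
NUM_API_SETS = 32           # assumption: size of the kernel API-set table (NUM_SYS_HANDLES)

# Handle indices of the well-known API sets, from the CE kernel headers as I know them
API_SET_NAMES = {
    0: "SH_WIN32", 1: "SH_CURTHREAD", 2: "SH_CURPROC", 3: "SH_KWIN32",
    16: "SH_GDI", 17: "SH_WMGR", 18: "SH_WNET", 19: "SH_COMM",
    20: "SH_FILESYS_APIS", 21: "SH_SHELL", 22: "SH_DEVMGR_APIS",
    23: "SH_TAPI", 24: "SH_PATCHER", 25: "SH_SERVICES",
}

# Trap targets copied from the coredll stubs posted earlier in the thread
STUBS = {
    "CheckPassword": 0xF000AF8C,
    "SetPassword": 0xF000AF88,
    "GetPasswordStatus": 0xF000AEE4,   # GetPasswordActive calls this too, then ANDs bit 0
    "SetPasswordStatus": 0xF000AEE8,
}


def decode_trap(addr):
    """Return (hid, mid) for a trap address, or raise ValueError if it is not one."""
    delta = FIRST_METHOD - addr
    if delta < 0 or delta % APICALL_SCALE:
        raise ValueError("0x%08X is not a CE API-trap address" % addr)
    index = delta // APICALL_SCALE
    hid, mid = index >> HANDLE_SHIFT, index & METHOD_MASK
    if hid >= NUM_API_SETS:
        # Ordinary RAM/ROM addresses land here: far too low to be a trap slot
        raise ValueError("0x%08X is below the trap area (hid %d)" % (addr, hid))
    return hid, mid


def encode_trap(hid, mid):
    """Inverse of decode_trap: the address coredll would load for (hid, mid)."""
    return FIRST_METHOD - ((hid << HANDLE_SHIFT) | mid) * APICALL_SCALE


def describe(addr):
    """Human-readable form, e.g. '0xF000AF8C -> SH_FILESYS_APIS method 29'."""
    hid, mid = decode_trap(addr)
    return "0x%08X -> %s method %d" % (addr, API_SET_NAMES.get(hid, "API set %d" % hid), mid)


def decode_stubs(stubs=STUBS):
    """Map every stub name to its (hid, mid) pair."""
    return {name: decode_trap(addr) for name, addr in stubs.items()}


if __name__ == "__main__":
    for name, addr in STUBS.items():
        print("%-18s %s" % (name, describe(addr)))
    # A plain RAM address is rejected, which is cmonex's point about 0xf000a000..0xf00fffff
    try:
        decode_trap(0x8C000000)
    except ValueError as err:
        print(err)
```

All four password stubs decode to the same API set, i.e. they are dispatched to the file-system server rather than handled inside coredll itself.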
leonwx Posted 2007-12-26 3:36 AM
H/PC Newbie
Posts: 9
oh, i'm trying to understand your english too. haha!
you just try to click LOGIN about 1,000 times, I do not know how to express.
click LOGIN about 1,000 times, we can enter the ce.net system, but Keyboard can not be used,
the input focus was locked on password box.
dynamic debugging from bootloader---I mean the bsquare connect PC and use EVC or PB to debug.
it must be in another bootloader mode (may be U+D reset)
the Functions of coredll.dll

.text:03F92210 ; Exported entry 182. CheckPassword
.text:03F92210
.text:03F92210 ; *************** S U B R O U T I N E
.text:03F92210
.text:03F92210
.text:03F92210 EXPORT CheckPassword
.text:03F92210 CheckPassword
.text:03F92210
.text:03F92210 var_4 = -4
.text:03F92210
.text:03F92210 STR LR, [SP,#var_4]! ;
.text:03F92214 LDR R1, =0xF000AF8C ;
.text:03F92218 MOV LR, PC ;
.text:03F9221C BX R1 ;
.text:03F92220 LDMFD SP!, {LR} ;
.text:03F92224 BX LR
.text:03F92224
.text:03F92224 ; End of function CheckPassword
.text:03F92224
.text:03F92224 ;
.text:03F92228 dword_3F92228 DCD 0xF000AF8C

.text:03F9222C ; Exported entry 238. SetPassword
.text:03F9222C
.text:03F9222C ; *************** S U B R O U T I N E
.text:03F9222C
.text:03F9222C
.text:03F9222C EXPORT SetPassword
.text:03F9222C SetPassword
.text:03F9222C
.text:03F9222C var_4 = -4
.text:03F9222C
.text:03F9222C STR LR, [SP,#var_4]!
.text:03F92230 LDR R2, =0xF000AF88
.text:03F92234 MOV LR, PC
.text:03F92238 BX R2
.text:03F9223C LDMFD SP!, {LR}
.text:03F92240 BX LR
.text:03F92240
.text:03F92240 ; End of function SetPassword
.text:03F92240
.text:03F92240 ;
.text:03F92244 dword_3F92244 DCD 0xF000AF88

.text:03F92248 ; Exported entry 239. GetPasswordActive
.text:03F92248
.text:03F92248 ; *************** S U B R O U T I N E
.text:03F92248
.text:03F92248
.text:03F92248 EXPORT GetPasswordActive
.text:03F92248 GetPasswordActive
.text:03F92248
.text:03F92248 var_4 = -4
.text:03F92248
.text:03F92248 STR LR, [SP,#var_4]!
.text:03F9224C LDR R0, =0xF000AEE4
.text:03F92250 MOV LR, PC
.text:03F92254 BX R0
.text:03F92258 AND R0, R0, #1
.text:03F9225C LDMFD SP!, {LR}
.text:03F92260 BX LR
.text:03F92260
.text:03F92260 ; End of function GetPasswordActive
.text:03F92260
.text:03F92260 ;
.text:03F92264 dword_3F92264 DCD 0xF000AEE4

.text:03F92268 ; Exported entry 240. SetPasswordActive
.text:03F92268
.text:03F92268 ; *************** S U B R O U T I N E
.text:03F92268
.text:03F92268
.text:03F92268 EXPORT SetPasswordActive
.text:03F92268 SetPasswordActive
.text:03F92268 STMFD SP!, {R4,R5,LR}
.text:03F9226C MOV R4, R0
.text:03F92270 MOV R5, R1
.text:03F92274 LDR R0, =0xF000AEE4
.text:03F92278 MOV LR, PC
.text:03F9227C BX R0
.text:03F92280 CMP R4, #0
.text:03F92284 LDR R3, =0xF000AEE8
.text:03F92288 ORR R2, R0, #1
.text:03F9228C BICEQ R2, R0, #1
.text:03F92290 MOV R1, R5
.text:03F92294 MOV R0, R2
.text:03F92298 MOV LR, PC
.text:03F9229C BX R3
.text:03F922A0 LDMFD SP!, {R4,R5,LR}
.text:03F922A4 BX LR
.text:03F922A4
.text:03F922A4 ; End of function SetPasswordActive
.text:03F922A4
.text:03F922A4 ;
.text:03F922A8 dword_3F922A8 DCD 0xF000AEE8

.text:03F922AC dword_3F922AC DCD 0xF000AEE4

.text:03F922B0 ; Exported entry 1537. SetPasswordStatus
.text:03F922B0
.text:03F922B0 ; *************** S U B R O U T I N E
.text:03F922B0
.text:03F922B0
.text:03F922B0 EXPORT SetPasswordStatus
.text:03F922B0 SetPasswordStatus
.text:03F922B0
.text:03F922B0 var_4 = -4
.text:03F922B0
.text:03F922B0 STR LR, [SP,#var_4]!
.text:03F922B4 LDR R2, =0xF000AEE8
.text:03F922B8 MOV LR, PC
.text:03F922BC BX R2
.text:03F922C0 LDMFD SP!, {LR}
.text:03F922C4 BX LR
.text:03F922C4
.text:03F922C4 ; End of function SetPasswordStatus
.text:03F922C4
.text:03F922C4 ;
.text:03F922C8 dword_3F922C8 DCD 0xF000AEE8

.text:03F922CC ; Exported entry 1538. GetPasswordStatus
.text:03F922CC
.text:03F922CC ; *************** S U B R O U T I N E
.text:03F922CC
.text:03F922CC
.text:03F922CC EXPORT GetPasswordStatus
.text:03F922CC GetPasswordStatus
.text:03F922CC
.text:03F922CC var_4 = -4
.text:03F922CC
.text:03F922CC STR LR, [SP,#var_4]!
.text:03F922D0 LDR R0, =0xF000AEE4
.text:03F922D4 MOV LR, PC
.text:03F922D8 BX R0
.text:03F922DC LDMFD SP!, {LR}
.text:03F922E0 BX LR
.text:03F922E0
.text:03F922E0 ; End of function GetPasswordStatus
.text:03F922E0
.text:03F922E0 ;
.text:03F922E4 dword_3F922E4 DCD 0xF000AEE4 ;



the Functions of docbin.dll

.text:018B2088 ; Exported entry 6. BINGetPasswordObj
.text:018B2088
.text:018B2088 ; *************** S U B R O U T I N E
.text:018B2088
.text:018B2088
.text:018B2088 EXPORT BINGetPasswordObj
.text:018B2088 BINGetPasswordObj
.text:018B2088 STMFD SP!, {R4-R7,LR}
.text:018B208C MOV R7, R0
.text:018B2090 CMP R7, #0
.text:018B2094 BEQ loc_18B20DC
.text:018B2094
.text:018B2098 LDR R0, =BINGetState
.text:018B209C LDR R1, =BINClearState
.text:018B20A0 LDR R2, =loc_18B2048
.text:018B20A4 LDR R3, =loc_18B2070
.text:018B20A8 LDR R4, =loc_18B2060
.text:018B20AC LDR R5, =loc_18B2028
.text:018B20B0 LDR R6, =loc_18B2008
.text:018B20B4 STR R0, [R7,#8]
.text:018B20B8 STR R1, [R7,#0xC]
.text:018B20BC STR R2, [R7,#0x10]
.text:018B20C0 STR R3, [R7,#0x14]
.text:018B20C4 STR R4, [R7,#0x18]
.text:018B20C8 STR R5, [R7,#0x1C]
.text:018B20CC STR R6, [R7,#0x20]
.text:018B20D0 MOV R0, #1
.text:018B20D4 LDMFD SP!, {R4-R7,LR}
.text:018B20D8 BX LR

.text:018B20DC loc_18B20DC
.text:018B20DC MOV R0, #0
.text:018B20E0 LDMFD SP!, {R4-R7,LR}
.text:018B20E4 BX LR
.text:018B20E4
.text:018B20E4 ; End of function BINGetPasswordObj


.text:018B1FB4 ; Exported entry 7. BINGetState
.text:018B1FB4
.text:018B1FB4 ; *************** S U B R O U T I N E
.text:018B1FB4
.text:018B1FB4
.text:018B1FB4 EXPORT BINGetState
.text:018B1FB4 BINGetState ;
.text:018B1FB4
.text:018B1FB4 var_4= -4
.text:018B1FB4
.text:018B1FB4 STR LR, [SP,#var_4]!
.text:018B1FB8 SUB SP, SP, #4
.text:018B1FBC MOV R0, #0
.text:018B1FC0 LDR R2, =sub_18B2104
.text:018B1FC4 STR R0, [SP,#4+var_4]
.text:018B1FC8 ADD R1, SP, #4+var_4
.text:018B1FCC MOV R0, #0
.text:018B1FD0 BL BINReadData
.text:018B1FD0
.text:018B1FD4 LDR R0, [SP,#4+var_4]
.text:018B1FD8 ADD SP, SP, #4
.text:018B1FDC LDMFD SP!, {LR}
.text:018B1FE0 BX LR
.text:018B1FE0
.text:018B1FE0 ; End of function BINGetState
.text:018B1FE0
.text:018B1FE0 ; -------------------------------------------------------------------------
.text:018B1FE4 off_18B1FE4 DCD sub_18B2104 ;

.text:018B1FE8 ; Exported entry 1. BINClearState
.text:018B1FE8
.text:018B1FE8 ; *************** S U B R O U T I N E
.text:018B1FE8
.text:018B1FE8
.text:018B1FE8 EXPORT BINClearState
.text:018B1FE8 BINClearState
.text:018B1FE8
.text:018B1FE8 var_4 = -4
.text:018B1FE8
.text:018B1FE8 STR LR, [SP,#var_4]!
.text:018B1FEC LDR R2, =sub_18B21A0
.text:018B1FF0 MOV R1, R0
.text:018B1FF4 MOV R0, #0
.text:018B1FF8 BL BINWriteData
.text:018B1FF8
.text:018B1FFC LDMFD SP!, {LR}
.text:018B2000 BX LR
.text:018B2000
.text:018B2000 ; End of function BINClearState
.text:018B2000
.text:018B2000 ; -------------------------------------------------------------------------
.text:018B2004 off_18B2004 DCD sub_18B21A0 ;
.text:018B2008 ; -------------------------------------------------------------------------
.text:018B2008
.text:018B2008 loc_18B2008 ;
.text:018B2008 STR LR, [SP,#-4]!
.text:018B200C LDR R2, =sub_18B224C
.text:018B2010 MOV R1, R0
.text:018B2014 MOV R0, #0
.text:018B2018 BL BINWriteData
.text:018B2018
.text:018B201C LDMFD SP!, {LR}
.text:018B2020 BX LR
.text:018B2020
.text:018B2020 ; -------------------------------------------------------------------------
.text:018B2024 off_18B2024 DCD sub_18B224C ;
.text:018B2028 ; -------------------------------------------------------------------------
.text:018B2028
.text:018B2028 loc_18B2028 ;
.text:018B2028 STR LR, [SP,#-4]!
.text:018B202C LDR R2, =sub_18B21E4
.text:018B2030 MOV R1, R0
.text:018B2034 MOV R0, #0
.text:018B2038 BL BINReadData
.text:018B2038
.text:018B203C LDMFD SP!, {LR}
.text:018B2040 BX LR
.text:018B2040
.text:018B2040 ; -------------------------------------------------------------------------
.text:018B2044 off_18B2044 DCD sub_18B21E4 ;
.text:018B2048 ;
.text:018B2048
.text:018B2048 loc_18B2048 ;
.text:018B2048 STR LR, [SP,#-4]!
.text:018B204C LDR R2, =sub_18B22D0
.text:018B2050 BL BINReadData
.text:018B2050
.text:018B2054 LDMFD SP!, {LR}
.text:018B2058 BX LR
.text:018B2058
.text:018B2058 ;
.text:018B205C off_18B205C DCD sub_18B22D0 ;
.text:018B2060 ;
.text:018B2060
.text:018B2060 loc_18B2060 ;
.text:018B2060 STR LR, [SP,#-4]!
.text:018B2064 BL LocalFree
.text:018B2064
.text:018B2068 LDMFD SP!, {LR}
.text:018B206C BX LR
.text:018B206C
.text:018B2070 ;
.text:018B2070
.text:018B2070 loc_18B2070 ;
.text:018B2070 STR LR, [SP,#-4]!
.text:018B2074 LDR R2, =sub_18B23B0
.text:018B2078 BL BINWriteData
.text:018B2078
.text:018B207C LDMFD SP!, {LR}
.text:018B2080 BX LR


..................


Edited by leonwx 2007-12-26 4:12 AM
cmonex Posted 2007-12-26 8:57 AM
H/PC Oracle
Posts: 16,175
Location: Budapest, Hungary
OK please someone else with a passworded bsquare try the 1000 clicks method, because i don't have any of my bsquares with me (not at home for a few weeks).

leonwx, i don't see why the need to copy-paste these lines, useless. anyone can download the bsquare image (dumped into files) from my site and run a disassembler on them: http://hpcmonex.net/roms/Bsq_ROM_dump.zip

and anyway useless code, we can see these are only stubs in coredll for the syscall dispatching.
i.e.
.text:03F92214 LDR R1, =0xF000AF8C ;
.text:03F92218 MOV LR, PC ;
.text:03F9221C BX R1 ;

...is a good example of that.

the BINGetPasswordObj is an important function though, note the pointers that are loaded there, they are then used in gwes, and that helps identify some parts.

Edited by cmonex 2007-12-26 9:02 AM
research188 Posted 2007-12-26 6:32 PM
H/PC Newbie
Posts: 2
Hi mate, i have the same problem. Have you figured out what to do or have received help? Hope you can share with me your solution as I am at my wits end on what to do.
cmonex Posted 2007-12-26 10:45 PM
H/PC Oracle
Posts: 16,175
Location: Budapest, Hungary
please read the posts... sigh.

try this:

Quote
you just try to click LOGIN about 1,000 times, I do not know how to express.
click LOGIN about 1,000 times, we can enter the ce.net system, but Keyboard can not be used,
the input focus was locked on password box.


Edited by cmonex 2007-12-26 10:45 PM
leonwx Posted 2007-12-27 12:17 AM
H/PC Newbie
Posts: 9
yes, I have downloaded it, and was disassembling.
The ROM document probably has the master password algorithm, and I want to find it.
I think static anti-compilation is not enough, maybe we need dynamic anti-compilation


Edited by leonwx 2007-12-27 12:21 AM
cmonex Posted 2007-12-27 12:31 AM
H/PC Oracle
Posts: 16,175
Location: Budapest, Hungary
there are only two wince debuggers i know of, IDA and EVC. with that, you cannot debug gwes.exe sadly. especially not on ce.net 4.1. also you cannot debug the kernel traps (those 0xF00xxxx addresses)

Edited by cmonex 2007-12-27 12:31 AM
leonwx Posted 2007-12-27 1:31 AM
H/PC Newbie
Posts: 9
you cannot debug gwes.exe sadly?? what do you mean?
you mean we can not do dynamic anti-compilation?

IDA debug gwes.exe,
some functions:

sub_975CC ; CODE XREF: sub_66DF8+98p
.text:000975CC
.text:000975CC var_1C = -0x1C
.text:000975CC var_18 = -0x18
.text:000975CC var_14 = -0x14
.text:000975CC
.text:000975CC STMFD SP!, {R4-R6,LR}
.text:000975D0 SUB SP, SP, #0xC
.text:000975D4 MOV R1, R0
.text:000975D8 LDR R0, =unk_C3FDC
.text:000975DC MOV R6, #0
.text:000975E0 STR R6, [SP,#0x1C+var_14]
.text:000975E4 STR R1, [R0]
.text:000975E8 MOV R0, #0
.text:000975EC MOV R4, R6
.text:000975F0 BL CheckPassword
.text:000975F0
.text:000975F4 MOV R5, #1
.text:000975F8 CMP R0, #0
.text:000975FC BNE loc_97610
.text:000975FC
.text:00097600 LDR R0, =dword_11B30
.text:00097604 BL CheckPassword
.text:00097604
.text:00097608 CMP R0, #0
.text:0009760C BEQ loc_97614
.text:0009760C
.text:00097610
.text:00097610 loc_97610 ; CODE XREF: sub_975CC+30j
.text:00097610 MOV R4, R5
.text:00097610
.text:00097614
.text:00097614 loc_97614 ; CODE XREF: sub_975CC+40j
.text:00097614 BL sub_967C0
.text:00097614
.text:00097618 CMP R0, #0
.text:0009761C BNE loc_97668
.text:0009761C
.text:00097620 BL sub_96908
.text:00097620
.text:00097624 CMP R0, #0
.text:00097628 LDREQ R0, =s_ErrorCouldNot
.text:0009762C BLEQ NKDbgPrintfW
.text:0009762C
.text:00097630 CMP R4, #0
.text:00097634 BNE loc_97660
.text:00097634
.text:00097638 LDR R0, =s_Initalizepass
.text:0009763C BL NKDbgPrintfW
.text:0009763C
.text:00097640 MOV R0, #0x3040
.text:00097644 MOV R3, #0
.text:00097648 MOV R2, #0
.text:0009764C MOV R1, #0
.text:00097650 ORR R0, R0, #0x3E
.text:00097654 STR R6, [SP,#0x1C+var_18]
.text:00097658 STR R6, [SP,#0x1C+var_1C]
.text:0009765C BL KernelIoControl
.text:0009765C
.text:00097660
.text:00097660 loc_97660 ; CODE XREF: sub_975CC+68j
.text:00097660 ; sub_975CC+ACj
.text:00097660 MOV R0, R6
.text:00097664 B loc_976BC
.text:00097664
.text:00097668 ; ---------------------------------------------------------------------------
.text:00097668
.text:00097668 loc_97668 ; CODE XREF: sub_975CC+50j
.text:00097668 BL sub_969E8
.text:00097668
.text:0009766C CMP R0, #0
.text:00097670 BEQ loc_9767C
.text:00097670
.text:00097674 CMP R4, #0
.text:00097678 BNE loc_97660
.text:00097678
.text:0009767C
.text:0009767C loc_9767C ; CODE XREF: sub_975CC+A4j
.text:0009767C ADD R0, SP, #0x1C+var_14
.text:00097680 BL sub_96AFC
.text:00097680
.text:00097684 CMP R0, #0
.text:00097688 MOVEQ R0, R5
.text:0009768C STREQ R0, [SP,#0x1C+var_14]
.text:00097690 LDRNE R0, [SP,#0x1C+var_14]
.text:00097694 CMP R0, #0
.text:00097698 BNE loc_976BC
.text:00097698
.text:0009769C BL GetPasswordStatus
.text:0009769C
.text:000976A0 TST R0, #1
.text:000976A4 BEQ loc_976B8
.text:000976A4
.text:000976A8 BL GetPasswordStatus
.text:000976A8
.text:000976AC TST R0, #2
.text:000976B0 MOV R0, R6
.text:000976B4 BEQ loc_976BC
.text:000976B4
.text:000976B8
.text:000976B8 loc_976B8 ; CODE XREF: sub_975CC+D8j
.text:000976B8 MOV R0, R5
.text:000976B8
.text:000976BC
.text:000976BC loc_976BC ; CODE XREF: sub_975CC+98j
.text:000976BC ; sub_975CC+CCj
.text:000976BC ; sub_975CC+E8j
.text:000976BC ADD SP, SP, #0xC
.text:000976C0 LDMFD SP!, {R4-R6,LR}
.text:000976C4 BX LR
.text:000976C4
.text:000976C4 ; End of function sub_975CC
.text:000976C4
.text:000976C4 ; ---------------------------------------------------------------------------
.text:000976C8 off_976C8 DCD s_Initalizepass ; DATA XREF: sub_975CC+6Cr
.text:000976C8 ; "InitalizePasswordStatus: Call to reset "...
.text:000976CC off_976CC DCD s_ErrorCouldNot ; DATA XREF: sub_975CC+5Cr
.text:000976CC ; "ERROR: Could not intalize the NV passwo"...
.text:000976D0 off_976D0 DCD dword_11B30 ; DATA XREF: sub_975CC+34r
.text:000976D4 off_976D4 DCD unk_C3FDC ; DATA XREF: sub_975CC+Cr
.text:000976D8
.text:000976D8 ; *************** S U B R O U T I N E ***************************************
.text:000976D8
.text:000976D8
.text:000976D8 sub_976D8 ; CODE XREF: sub_66DF8+D0p
.text:000976D8
.text:000976D8 var_4 = -4
.text:000976D8
.text:000976D8 STR LR, [SP,#var_4]!
.text:000976DC MOV R0, #0
.text:000976E0 BL CheckPassword
.text:000976E0
.text:000976E4 CMP R0, #0
.text:000976E8 BNE loc_976FC
.text:000976E8
.text:000976EC LDR R0, =dword_11B30
.text:000976F0 BL CheckPassword
.text:000976F0
.text:000976F4 CMP R0, #0
.text:000976F8 BEQ loc_97724
.text:000976F8
.text:000976FC
.text:000976FC loc_976FC ; CODE XREF: sub_976D8+10j
.text:000976FC LDR R1, byte_9772C
.text:00097700 MOV R0, #0
.text:00097704 BL SetPassword
.text:00097704
.text:00097708 CMP R0, #0
.text:0009770C LDREQ R1, byte_9772C
.text:00097710 LDREQ R0, =dword_11B30
.text:00097714 BLEQ SetPassword
.text:00097714
.text:00097718 LDR R1, byte_9772C
.text:0009771C MOV R0, #3
.text:00097720 BL SetPasswordStatus
.text:00097720
.text:00097724
.text:00097724 loc_97724 ; CODE XREF: sub_976D8+20j
.text:00097724 LDMFD SP!, {LR}
.text:00097728 BX LR
.text:00097728
.text:00097728 ; End of function sub_976D8
.text:00097728
.text:00097728 ; ---------------------------------------------------------------------------
.text:0009772C byte_9772C DCB 0x20 ; DATA XREF: sub_976D8:loc_976FCr
.text:0009772C ; sub_976D8+34r
.text:0009772C ; sub_976D8+40r
.text:0009772D DCB 0xF1 ; ?
.text:0009772E DCB 0xB
.text:0009772F DCB 0
.text:00097730 off_97730 DCD dword_11B30 ; DATA XREF: sub_976D8+14r
.text:00097730 ; sub_976D8+38r
.text:00097734
.text:00097734 ; *************** S U B R O U T I N E ***************************************
.text:00097734
.text:00097734
.text:00097734 sub_97734 ; CODE XREF: sub_977BC+58p
.text:00097734
.text:00097734 var_10 = -0x10
.text:00097734
.text:00097734 STMFD SP!, {R4,R5,LR}
.text:00097738 SUB SP, SP, #4
.text:0009773C LDR R5, =unk_BF134
.text:00097740 LDR R0, [R5]
.text:00097744 CMP R0, #0
.text:00097748 BEQ loc_97794
.text:00097748
.text:0009774C LDR R4, =unk_C3FDC
.text:00097750 MOV R2, #5
.text:00097754 MOV R1, #0x6D
.text:00097758 LDR R0, [R4]
.text:0009775C BL FindResourceW
.text:0009775C
.text:00097760 MOV R1, R0
.text:00097764 LDR R0, [R4]
.text:00097768 BL LoadResource
.text:00097768
.text:0009776C MOV R1, #0x154
.text:00097770 STR R1, [SP,#0x10+var_10]
.text:00097774 MOV R1, R0
.text:00097778 LDR R3, =sub_9751C
.text:0009777C LDR R0, [R4]
.text:00097780 MOV R2, #0
.text:00097784 BL DialogBoxIndirectParamW
.text:00097784
.text:00097788 LDR R3, [R5]
.text:0009778C CMP R3, #0
.text:00097790 BNE loc_9779C
.text:00097790
.text:00097794
.text:00097794 loc_97794 ; CODE XREF: sub_97734+14j
.text:00097794 MOV R0, #1
.text:00097798 B loc_977A0
.text:00097798
.text:0009779C ; ---------------------------------------------------------------------------
.text:0009779C
.text:0009779C loc_9779C ; CODE XREF: sub_97734+5Cj
.text:0009779C MOV R0, #0
.text:0009779C
.text:000977A0
.text:000977A0 loc_977A0 ; CODE XREF: sub_97734+64j
.text:000977A0 STR R0, [R5]
.text:000977A4 ADD SP, SP, #4
.text:000977A8 LDMFD SP!, {R4,R5,LR}
.text:000977AC BX LR
.text:000977AC
.text:000977AC ; End of function sub_97734
.text:000977AC
.text:000977AC ; ---------------------------------------------------------------------------
.text:000977B0 off_977B0 DCD sub_9751C ; DATA XREF: sub_97734+44r
.text:000977B4 off_977B4 DCD unk_C3FDC ; DATA XREF: sub_97734+18r
.text:000977B8 off_977B8 DCD unk_BF134 ; DATA XREF: sub_97734+8r
.text:000977BC
.text:000977BC ; *************** S U B R O U T I N E ***************************************
.text:000977BC
.text:000977BC
.text:000977BC sub_977BC ; CODE XREF: sub_66D10+38p
.text:000977BC
.text:000977BC var_14 = -0x14
.text:000977BC
.text:000977BC STMFD SP!, {R4-R6,LR} ; ?????
.text:000977C0 SUB SP, SP, #4
.text:000977C4 MOV R6, R0
.text:000977C8 BL CheckPassword
.text:000977C8
.text:000977CC MOV R5, R0
.text:000977D0 MOV R0, R6
.text:000977D4 BL sub_96920
.text:000977D4
.text:000977D8 MOVS R4, R0
.text:000977DC BEQ loc_97810
.text:000977DC
.text:000977E0 MOV R0, R6
.text:000977E4 BL sub_974D0
.text:000977E4
.text:000977E8 CMP R5, #0
.text:000977EC BNE loc_97810
.text:000977EC
.text:000977F0 LDR R0, =s_WqZrD
.text:000977F4 BL CheckPassword
.text:000977F4
.text:000977F8 MOVS R5, R0
.text:000977FC BEQ loc_97810
.text:000977FC
.text:00097800 LDR R0, =s_WqZrD
.text:00097804 MOV R1, R6
.text:00097808 BL SetPassword
.text:00097808
.text:0009780C MOV R5, R0
.text:0009780C
.text:00097810
.text:00097810 loc_97810 ; CODE XREF: sub_977BC+20j
.text:00097810 ; sub_977BC+30j
.text:00097810 ; sub_977BC+40j
.text:00097810 TEQ R5, R4
.text:00097814 BLNE sub_97734
.text:00097814
.text:00097818 CMP R4, #0
.text:0009781C BNE loc_9787C
.text:0009781C
.text:00097820 CMP R5, #0
.text:00097824 BNE loc_9787C
.text:00097824
.text:00097828 MOV R0, R6
.text:0009782C MOV R5, #0
.text:00097830 BL sub_96BAC
.text:00097830
.text:00097834 CMP R0, #0
.text:00097838 BEQ loc_97884
.text:00097838
.text:0009783C BL sub_96908
.text:0009783C
.text:00097840 LDR R1, =dword_11B30
.text:00097844 LDR R0, =s_WqZrD
.text:00097848 BL SetPassword
.text:00097848
.text:0009784C CMP R0, #0
.text:00097850 BNE loc_97870
.text:00097850
.text:00097854 LDR R1, =dword_11B30
.text:00097858 MOV R0, R1
.text:0009785C BL SetPassword
.text:0009785C
.text:00097860 CMP R0, #0
.text:00097864 LDREQ R1, =dword_11B30
.text:00097868 MOVEQ R0, #0
.text:0009786C BLEQ SetPassword
.text:0009786C
.text:00097870
.text:00097870 loc_97870 ; CODE XREF: sub_977BC+94j
.text:00097870 LDR R1, =dword_11B30
.text:00097874 MOV R0, #0
.text:00097878 BL SetPasswordStatus
.text:00097878
.text:0009787C
.text:0009787C loc_9787C ; CODE XREF: sub_977BC+60j
.text:0009787C ; sub_977BC+68j
.text:0009787C MOV R5, #1
.text:00097880 B loc_978C0
.text:00097880
.text:00097884 ; ---------------------------------------------------------------------------
.text:00097884
.text:00097884 loc_97884 ; CODE XREF: sub_977BC+7Cj
.text:00097884 LDR R4, =unk_C3FDC
.text:00097888 MOV R2, #5
.text:0009788C MOV R1, #0x6D
.text:00097890 LDR R0, [R4]
.text:00097894 BL FindResourceW
.text:00097894
.text:00097898 MOV R1, R0
.text:0009789C LDR R0, [R4]
.text:000978A0 BL LoadResource
.text:000978A0
.text:000978A4 MOV R1, #0x160
.text:000978A8 STR R1, [SP,#0x14+var_14]
.text:000978AC MOV R1, R0
.text:000978B0 LDR R3, =sub_9751C
.text:000978B4 LDR R0, [R4]
.text:000978B8 MOV R2, #0
.text:000978BC BL DialogBoxIndirectParamW
.text:000978BC
.text:000978C0
.text:000978C0 loc_978C0 ; CODE XREF: sub_977BC+C4j
.text:000978C0 MOV R0, R5
.text:000978C4 ADD SP, SP, #4
.text:000978C8 LDMFD SP!, {R4-R6,LR} ;
.text:000978CC BX LR
.text:000978CC
.text:000978CC ; End of function sub_977BC


Edited by leonwx 2007-12-27 1:37 AM
anrus Posted 2007-12-27 7:05 AM
Quote
leonwx - 2007-12-26 10:36 AM
you just try to click LOGIN about 1,000 times, I do not know how to express.
click LOGIN about 1,000 times, we can enter the ce.net system, but Keyboard can not be used,
the input focus was locked on password box.

Need click LOGIN 1108 times.



Quote
cmonex - 2007-12-21 4:41 PM
please help get more key combinations, iirc there are five or six in total - i'll check disasm again

I check all combinations of two letters and reset. The Results are:

U+D : Usb Download

R+O : ROm
R+S : ReSet
R+B : ReBoot

C+B : Cool Boot

G+K : Update Flash (may be from SD card). Very interesting combination.


Edited by anrus 2007-12-27 7:28 AM
CE Geek Posted 2007-12-27 3:57 PM
Global Moderator
H/PC Oracle
Posts: 12,670
Location: Southern California
Quote
anrus - 2007-12-27 4:05 AM
Need click LOGIN 1108 times.

I check all combinations of two letters and reset. The Results are:

U+D : Usb Download

R+O : ROm
R+S : ReSet
R+B : ReBoot

C+B : Cool Boot

G+K : Update Flash (may be from SD card). Very interesting combination.


You must have a lot of time on your hands.
cmonex Posted 2007-12-29 12:29 AM
H/PC Oracle
Posts: 16,175
Location: Budapest, Hungary
Quote
anrus - 2007-12-27 1:05 PM

Quote
leonwx - 2007-12-26 10:36 AM
you just try to click LOGIN about 1,000 times, I do not know how to express.
click LOGIN about 1,000 times, we can enter the ce.net system, but Keyboard can not be used,
the input focus was locked on password box.

Need click LOGIN 1108 times.



Quote
cmonex - 2007-12-21 4:41 PM
please help get more key combinations, iirc there are five or six in total - i'll check disasm again

I check all combinations of two letters and reset. The Results are:

U+D : Usb Download

R+O : ROm
R+S : ReSet
R+B : ReBoot

C+B : Cool Boot

G+K : Update Flash (may be from SD card). Very interesting combination.



thank-you

as CE Geek said... you must have a lot of time on your hands, thanks for spending that on this

do you have a bsquare with forgotten password too?

can you tell me...what do the following combinations do:

R+O
G+K

and how does R+S differ from R+B?

exactly what happens after you click 1108 times? your english seems to be understandable enough
leonwx Posted 2007-12-29 4:24 AM
H/PC Newbie
Posts: 9
we can enter the ce.net system, but Keyboard can not be used,
the input focus was locked on password box.
(I think it is clear: into system but not use Keyboard)

