in Reversing

Porting AutoMapa 6 to SIMPad

About two years ago I bought a Siemens SIMPad tablet. It is an old ARM-based 8,4″ touchscreen device with Windows CE 4.1 on board. It’s not a secret that I get it to play around with – I like vintage hardware like this.

Unfortunately Siemens was never released WinCE 4.2 for his product, last of the 4.x line system which is required for many programs. There is pack of dlls for SIMPad to run some of them (google for simpad fake dlls), also there is program changing PE headers which modify minimum system version required to run. But many programs still cant run. One of them was AutoMapa (for navigation).

I’ve started to investigate what’s the reason – I’ve googled for information. It found out that AutoMapa (wce42Am.exe) is compiled for ARMv5 instruction set with some additional instructions called Thumb mode and SIMPad CPU – StrongARM has only implemented ARMv4 (without Thumb mode). Without sources – sounds impossible. But it is not.

Continuing my investigation I discovered that AutoMapa never gets into Thumb mode – it run in default ARM mode all the time. It do however uses one new instruction:

BX Rx         (hex: 1xFFF2E1)

Rx is one of the registers (R0 – R15). This instruction is described as branch and exchange. It is unconditional branch to the address from Rx register. If bit 0 of the Rx is set, CPU enters in Thumb mode and starts to process instructions in Thumb instruction set from given address. But, as I mentioned before – AutoMapa never goes into Thumb mode, bit 0 of this register is always cleared. We could replace this instruction with some ARMv4 equivalent which could not change execution mode but just jump into location through register. In ARMv4 we have:

MOV PC, Rx    (hex: 0xF0A0E1)

Which moves value from Rx register into program counter. Both instructions are 4-bytes long so I just replaced every occurrence in code section of PE file. I’ve done it by WinHEX replace options because there was too much hit to made it by hand (almost 2000 replaces). In standard ARM mode every instruction is 4-bytes long and must be located at addresses divisible by 4 so if we check only dwords located at proper addresses there is only a little chance to modify something which is not an instruction.

Next thing to do is to modify PE headers. I’ve changed Machine Code entry (offset 0x10C) from “ARM Thumb” (0x01C2) to “ARM” (0x01C0). Required WinCE version is held in Major and Minor Subsystem Version – I’ve changed Minor (offset 0x152) from 20 to 10 (from 4.20 to 4.10).

After replacing file on SIMPad – AutoMapa started up without any trouble. Maybe a little slow, but usable. But it works! Without any crash or error. Unfortunately I have no longer any SIMPad device to take photo, but I start thinking of getting one 🙂

Write a Comment