
"There's no need to ask directions
If you ever lose your mind...
We're behind you
We're behind you
And let us please remind you:
We can send a car to find you
If you ever lose your way."
-Cake Comfort Eagle
| The Samsung i300 PalmPhone |
The Samsung i300 is a PalmOS-based Palm Phone. While it doesn't have
the features found in some other PalmPhones (the Treo for example), I prefer the form factor and
graffiti area over the alternatives.
Samsung has not yet released an SDK. This makes some of the cool features unavailable to
developers: for example, the ability to remove the graffiti area like the PhoneApp does, or the
ability to dial the phone like the date book.
I have taken it upon myself to reverse engineer the i300. As of now, I've provided open source
examples of how to enlarge the screen to use the entire area by removing the graffiti area and a
phone dialer function for use in other applications.
Other things that I've discovered include: getting the current unit's phone number, triggering
the ringer, and blinking the LED. I have opted not to release source code to these things because
PDAapps uses similar techniques in their applications... (though
in my opinion, their techniques aren't as good as the ones I've demonstrated).
| Basis for Hacking the i300 |
Hacking the i300 is a pretty elaborate process. Here's how I do it:
- First I identify a database that I'd like to examine. For example the phExtn
database. In the phExtn database, there is an "exte" resource with resource ID 0. This
resource looks to contain some executable code...
- I use FILEZ to beam the database that
I'm interested in to my desktop PC. Then, I use PRC2BIN
to split it into its component resources. Finally, I take the resource that I want and
disassemble it using a utility like PilotDis.
- Now I look for debug symbols. Debug symbols are like little text flags that you can read
to identify functions in the assembly code:
00000267 [...] DC.B 'WinSetExtendedWindow'
Debug symbols are located below the function that they mark. So, after finding a debug symbol
of interest, scroll up in the assembly to find the beginning of the function it marks. Usually
this is below the previous debug symbol. Functions usually start with a LINK instruction as well.
You'll find the start of this function here:
0000016c [...] L6 LINK A6,#-4
- Then the hard part... you've gotta figure out how the function works, what parameters it
takes, and what its return value is. This is done by reading the assembly. Sorry, no
shortcuts here. In this case, I use this function prototype:
void WinSetExtendedWindow(char truefalse);
- Now you need to make a function pointer to your function... convert your prototype to
a function pointer:
void (*funcp)(char);
- Before calling your function pointer, you need to point it to something. Recall that the
start of the function was at offset 0x16C from the start of the resource. So, use the
standard resource functions to get a pointer to the extn resource. I'm not going to go
over this here. Let's just say that you've got a pointer to the resource in a pointer called
"ptr_to_resource"...
funcp = (void (*)(char))((char *)ptr_to_resource + 0x16C);
- Now that your function pointer is pointing the right way, you can run it:
(*funcp)(1);
- If you're lucky, and you're pointing to a valid function, then you haven't crashed
and you've actually executed a function that does something useful.
For the whole code, get the full example here.
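The debug-symbol and LINK search from the steps above can be scripted on the desktop before reading the disassembly. This is an added example, not the author's code: it assumes MacsBug-style symbols (RTS, then a length byte with the high bit set, then the name), and the sample resource and the name ExampleFirst are constructed so that the second function lands on the offsets quoted above.

```python
import re
import struct

RTS, LINK_A6, UNLK_A6, NOP = b"\x4e\x75", b"\x4e\x56", b"\x4e\x5e", b"\x4e\x71"
IDENT = re.compile(rb"[A-Za-z_][A-Za-z0-9_]*")

def find_functions(code: bytes):
    """Return [(name, symbol_offset, entry_offset or None)] for one code resource."""
    found, prev_end = [], 0
    for pos in range(0, len(code) - 3, 2):        # 68k instructions are word aligned
        if code[pos:pos + 2] != RTS:
            continue
        marker = code[pos + 2]                    # assumed layout: RTS, 0x80|len, name
        n = marker & 0x1F
        name = code[pos + 3:pos + 3 + n]
        if not 0x81 <= marker <= 0x9F or len(name) != n or not IDENT.fullmatch(name):
            continue
        # Entry point: first LINK A6 after the previous symbol. A 0x4E56 word can
        # also occur as data, so confirm the hit in the disassembly.
        entry = next((i for i in range(prev_end, pos, 2)
                      if code[i:i + 2] == LINK_A6), None)
        found.append((name.decode("ascii"), pos + 3, entry))
        prev_end = (pos + 3 + n + 1) & ~1         # name is padded to a word boundary
    return found

def sample_function(name: bytes, frame: int, nops: int) -> bytes:
    """Constructed bytes: LINK A6,#frame / NOPs / UNLK A6 / RTS / symbol / size word."""
    blob = LINK_A6 + struct.pack(">h", frame) + NOP * nops + UNLK_A6 + RTS
    blob += bytes([0x80 | len(name)]) + name
    return blob + b"\x00" * (len(blob) % 2) + b"\x00\x00"

# Constructed resource (not the real phExtn data), padded so the second function
# lands on the offsets quoted in the text: entry 0x16C, symbol 0x267.
first = sample_function(b"ExampleFirst", -8, 1)   # hypothetical name
SAMPLE = first.ljust(0x16C, b"\x00") + sample_function(b"WinSetExtendedWindow", -4, 121)

if __name__ == "__main__":
    for name, sym, entry in find_functions(SAMPLE):
        where = "not found" if entry is None else f"0x{entry:04x}"
        print(f"{name:24s} symbol at 0x{sym:04x}  entry {where}")
```

An entry of None means no LINK A6 was found between the previous symbol and this one, so that function's start has to be located by hand.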
- i300demo-src.zip Source code that shows how to enlarge
the application area to the full screen by hiding the graffiti area. This is now
deprecated! See PhExLib below.
- PhExLib A header file and small source code file which uses
a jump table to access the phone extension functions. This method is better than the absolute offset
method used in the i300demo above. Also, this method is apparently compatible with the i330. As
always, no promises!
- i300dialdemo-src.zip Source code that shows how to dial
the phone from within your own application. This is also apparently compatible with the i330.