i300 Hacking

Basics of Hacking the i300

Hacking the i300 is a pretty elaborate process. Here’s how I do it:

  • First I identify a database that I’d like to examine, for example the phExtn database. In the phExtn database there is an “exte” resource with resource ID 0. This resource looks to contain some executable code…
  • I use FILEZ to beam the database that I’m interested in to my desktop PC. Then I use PRC2BIN to split it into its component resources. Finally, I take the resource that I want to examine and disassemble it with a utility like PilotDis.
  • Now I look for debug symbols. Debug symbols are like little text flags that you can read to identify functions in the assembly code:
    00000267   [...] 		DC.B	'WinSetExtendedWindow'

    Debug symbols are located below the function that they mark. So, after finding a debug symbol of interest, scroll up in the assembly to find the beginning of the function it marks. Usually this is just below the previous debug symbol. Functions usually start with a LINK instruction as well (this is 68000 code, so look for LINK A6,#-n). You’ll find the start of this function here:

    0000016c   [...]	L6      LINK	A6,#-4
  • Then the hard part… you’ve gotta figure out how the function works, what parameters it takes, and what its return value is. This is done by reading the assembly. Sorry, no short cuts here. In this case, I use this function prototype:
    void WinSetExtendedWindow(char truefalse);
  • Now you need to make a function pointer to your function… convert your prototype to a function pointer:
    void (*funcp)(char);
  • Before calling your function pointer, you need to point it at something. The start of the function was at offset 0x16C from the start of the resource, so use the standard resource functions to get a pointer to the “exte” resource. I’m not going to go over this here. Let’s just say that you’ve got a pointer to the resource in a pointer called “ptr_to_resource”. The arithmetic has to be done on a byte pointer, and the result cast to the function pointer type:
    funcp = (void (*)(char))((char *)ptr_to_resource + 0x16C);
  • Now that your function pointer is pointing the right way, you can run it:
    (*funcp)(1);
  • If you’re lucky, and you’re pointing at a valid function, then you haven’t crashed and you’ve actually executed a function that does something useful. Get the offset wrong and you jump into the middle of an instruction or into data, which usually ends in a crash.
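The checks a practitioner would want before taking that jump, as an added example (this is not the page’s code or the i300demo source): locate a debug symbol in a resource image, walk back to the LINK A6 that starts the function it marks, and refuse to build a function pointer unless the offset is word aligned, in bounds and really begins with LINK A6. The resource bytes are constructed by hand so the code runs on a desktop; on the device the bytes would come from the locked “exte” resource (DmGetResource/MemHandleLock is my reading of “the standard resource functions”) and the pointer would then be called. The backward scan is a heuristic that mirrors the “scroll up” step and can be fooled by symbol text that happens to spell an opcode.

```c
/*
 * Added example, not the page's own code. Sanity checks for the
 * absolute-offset technique, run on a hand-constructed 68K resource
 * image. On a desktop the 68K code itself cannot be executed; only the
 * locate-and-verify steps are shown.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 68000 opcode words, stored big-endian in the resource. */
#define OP_LINK_A6 0x4E56u   /* LINK A6,#disp16 : function prologue */
#define OP_RTS     0x4E75u   /* RTS             : function epilogue */

typedef void (*ext_func_t)(char);   /* prototype from the page */

static uint16_t be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Constructed resource image (not real i300 code): two tiny functions,
 * each followed by its ASCII debug symbol, laid out as PilotDis shows them.
 *   0x00  FuncA: LINK A6,#-8 ; NOP ; UNLK A6 ; RTS ; "FuncA" ; pad byte
 *   0x10  WinSetExtendedWindow: LINK A6,#-4 ; MOVEQ #0,D0 ; UNLK A6 ; RTS ; symbol
 */
static const uint8_t demo_resource[] = {
    0x4E,0x56, 0xFF,0xF8, 0x4E,0x71, 0x4E,0x5E, 0x4E,0x75,
    'F','u','n','c','A', 0x00,
    0x4E,0x56, 0xFF,0xFC, 0x70,0x00, 0x4E,0x5E, 0x4E,0x75,
    'W','i','n','S','e','t','E','x','t','e','n','d','e','d','W','i','n','d','o','w',
};

/* Offset of an ASCII debug symbol inside the resource, or -1 if absent. */
long find_symbol(const uint8_t *res, size_t len, const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(res + i, name, n) == 0) return (long)i;
    return -1;
}

/*
 * "Scroll up" from a debug symbol to the function it marks. The symbol
 * follows the function's RTS; skip back over that RTS, then walk back
 * through the function's code remembering the earliest LINK A6,#-n seen,
 * and stop at the previous function's RTS (or the start of the resource).
 * Heuristic: symbol text that spells an opcode word can fool it.
 */
long find_function_start(const uint8_t *res, size_t len, size_t sym_off) {
    if (sym_off > len) return -1;
    long off = (long)(sym_off & ~(size_t)1) - 2;
    while (off >= 0 && be16(res + off) != OP_RTS) off -= 2;   /* this function's RTS */
    if (off < 0) return -1;
    long start = -1;
    for (off -= 2; off >= 0; off -= 2) {
        uint16_t w = be16(res + off);
        if (w == OP_RTS) break;                      /* previous function ends here */
        if (w == OP_LINK_A6 && off + 4 <= (long)len &&
            (int16_t)be16(res + off + 2) < 0)
            start = off;                             /* keep the earliest LINK */
    }
    return start;
}

/*
 * Turn an offset into a callable pointer only if it is word aligned, in
 * bounds and actually begins with LINK A6. On the device `res` would be
 * the locked "exte" resource; the cast through uintptr_t is the portable
 * spelling of the page's `ptr_to_resource + 0x16C`.
 */
ext_func_t resource_funcp(const uint8_t *res, size_t len, size_t off) {
    if ((off & 1) || off + 4 > len || be16(res + off) != OP_LINK_A6) return NULL;
    return (ext_func_t)(uintptr_t)(res + off);
}

int main(void) {
    long sym = find_symbol(demo_resource, sizeof demo_resource, "WinSetExtendedWindow");
    long fn  = find_function_start(demo_resource, sizeof demo_resource, (size_t)sym);
    printf("symbol at 0x%lX, function starts at 0x%lX\n", sym, fn);
    /* On a desktop this 68K code cannot run; on the device you would now call funcp(1). */
    ext_func_t funcp = resource_funcp(demo_resource, sizeof demo_resource, (size_t)fn);
    printf("function pointer %s\n", funcp ? "valid" : "rejected");
    return 0;
}
```

In the constructed image the symbol sits at 0x1A and the scan lands on the LINK at 0x10; feeding 0x11 (odd) or 0x14 (the MOVEQ, not a prologue) to resource_funcp yields NULL instead of a pointer that would crash the device.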

For the whole code, get the full example from the Downloads section below.

Downloads

  • i300demo-src.zip Source code that shows how to enlarge the application area to the full screen by hiding the graffiti area. This is now deprecated! See PhExLib below
  • phexlib-10.zip a header file and small source code file which uses a jump table to access the phone extension functions. This method is better than the absolute offset method used in the i300demo above. Also, this method is apparently compatible with the i330. As always, no promises.
  • i300dialdemo-src.zip Source code that shows how to dial the phone from within your own application. This is also apparently compatible with the i330.