HaRET stands for "Handheld Reverse-Engineering Tool". In other words it is a tool that may help you better understand the inner construction of your handheld even without disassembling it and looking under the cover.
Of course, HaRET is software and has the limits that implies, but since the source code is available, I hope you can add functions that suit your needs if there isn't already one that fits your requirements.
HaRET runs under Windows CE (AKA PocketPC aka Windows XP mobile) since many PDAs sold without Linux preinstalled (alas, there are still several :) have this Operating (?) System (?) installed instead. Thus you can use HaRET to find out how to adapt the Linux kernel so that it works properly on your PDA.
Last but not least, HaRET is a very dangerous tool. The author doesn't take any responsibility for any damage caused by this program. Basically it means: BACKUP ALL YOUR DATA, which is not a bad idea in any case, though.
HaRET is good for anybody who wants to know the inner workings of their PDA better, but was primarily designed to help people port Linux to new PDAs.
But this doesn't mean you can't use it for anything else - for example, for porting Windows XP Server 2003 to WinCE-based PDAs :-) - the Linux-specific part is quite small and can be ignored.
Before using this tool, though, it is a neat idea to refresh your ARM architecture knowledge, and some reading of Intel docs (if you're hacking an Xscale) would help a lot too. Basically the literature you'll need is (in decreasing importance order):
All registered trademarks are registered trademarks of their owners, blah-blah et al, you know.
HaRET has a built-in scripting language, and everything else revolves around this. Upon startup HaRET runs a file called "startup.txt" (if it exists), located in the same directory the executable was copied to. Then it displays a simple dialog box where you issue further commands.
The dialog contains a script launcher field, a status bar and a log window. It also has a "Listen for network connection" button. That's all you see after the launch, but imagine all the power sleeping behind that! :-)
Currently HaRET supports only TCP/IP connections, but it's relatively easy to adapt it to use any other connection method such as RS-232 or IrDA (either raw or IrCOMM). So when you tap the big "Listen for network connection" button (it is big so that you can press it even with a finger :) it opens port 9999 on the PDA and listens for incoming connections. To use this you must have a TCP/IP connection to your PDA. If you don't have one yet, look here.
After you connect (for example, with telnet 192.168.131.201 9999) you get an, um, let's call it a command line :) Now you can type 'help' to get a list of all available commands (with a short description) and read them all, but I'd say better read the docs first and then use the help just for reference.
Now you'd better enable logging in your telnet client, so that you'll get a full log of what you were doing and what you got (in case your PDA locks up :) You can use the "haret" script included in the docs/ directory for use with the regular telnet command (for which I haven't found how to enable logging).
The command language of HaRET is simple. It is not a match to Perl or Python but it does the job, and that's what it was written for. It could have a complex grammar written in Bison but it doesn't. It could benefit even from a parser written in Flex but it doesn't either. Take it or leave it, or - better - rewrite it if you don't like it :)
In the following we'll use some notations, so let's describe them here first (it's not sophisticated computer theory, but who knows, maybe you want to know).
So, [P|V]DUMP denotes either PDUMP or VDUMP, [P|V]F[B|H|W] denotes either of PFB, PFH, PFW, VFB, VFH, VFW. That's all.
The script interpreter reads input line by line (it doesn't matter whether from a file, from the network, or - in some future version - from an IrDA or RS-232 interface). Every line is expected to be either a comment, an empty line (both of which are, naturally, ignored) or a command.
The first word in a command line is, naturally again, the command itself. Any command name can be shortened to the minimal unambiguous length, e.g. you can use 'p' for 'print' but not 'v' for 'vdump' since it conflicts with the 'vd' command ('vdu' is fine, though).
After the command you put a number of arguments. The arguments can be either of string or numeric type. It is better to enclose string arguments in quotes -- either single or double -- because otherwise the parser will stop parsing the string at the first non-alphanumeric character.
Numeric arguments can be complex expressions. You can use any of the following arithmetic operators (in ascending priority order):
Numbers can be given in standard C notation (e.g. 123 for decimal, 0x12 for hexadecimal, 0777 for octal). The expression evaluator stops at the first character it doesn't understand, so usually writing garbage at the end of a line is fine :-)
There are also a number of predefined variables and functions that can be freely used in expressions; you can get a full list of built-in variables by invoking the HELP VARS command.
You also can define your own variables; they are created the first time you assign something to them (with the SET command). Then you can use them as normal variables in expressions. Currently only integer variables are supported.
To use the value of a built-in variable or function, use it in an expression as in a high-level language like Pascal:
    print "%x" VRAM+0x10
or
    set x cp(15,2)+0xa00
To set the value of a function that supports it (i.e. a R/W function), use the SET command like here:
    SET CP(15,2) 0xa0010000
or
    set PMW 0x14042000 0xffffffff
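As an added illustration of the parsing rules above (this is not code from HaRET itself), here is a small Python parser that applies them: unique-prefix command resolution, quoted versus expression arguments, C-notation numbers and the stop-at-the-first-unknown-character rule. The command table, the variable values and the four operators with their priorities are constructed assumptions (the real lists come from HELP and HELP VARS), and function calls such as CP(15,2) are not handled.

```python
import re

# Constructed command subset and built-in variables (real HaRET: 'help', 'help vars').
COMMANDS = ["print", "set", "vdump", "vd", "vfh", "help"]
VARS = {"VRAM": 0xA4000000, "PID": 42}
NUM = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
PREC = {"+": 1, "-": 1, "*": 2, "/": 2}  # assumed operator subset, higher binds tighter

def resolve(word):  # minimal unambiguous prefix: an exact name wins, else a unique prefix
    if word in COMMANDS:
        return word
    hits = [c for c in COMMANDS if c.startswith(word)]
    if len(hits) != 1:
        raise ValueError(f"{word!r}: " + ("unknown command" if not hits else f"ambiguous {hits}"))
    return hits[0]
def cnum(tok):  # C notation: 0x.. hex, leading 0 octal, else decimal
    return int(tok, 16) if tok[:2].lower() == "0x" else int(tok, 8) if len(tok) > 1 and tok[0] == "0" else int(tok)
def expr(s, i, env, min_prec=1):
    """Precedence climbing; returns (value, index of the first character it did not understand)."""
    if m := NUM.match(s, i):
        v, i = cnum(m.group()), m.end()
    elif m := IDENT.match(s, i):
        v, i = env[m.group()], m.end()
    else:
        raise ValueError(f"no expression at column {i}")
    while i < len(s) and s[i] in PREC and PREC[s[i]] >= min_prec:
        op, (rhs, i) = s[i], expr(s, i + 1, env, PREC[s[i]] + 1)
        v = {"+": v + rhs, "-": v - rhs, "*": v * rhs, "/": v // rhs}[op]
    return v, i
def parse_line(line, env=VARS):
    """One script line -> (full command name, [args]); comments and blank lines yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    cmd, rest = (line.split(None, 1) + [""])[:2]
    args = []
    while rest := rest.lstrip():
        if rest[0] in "'\"":  # quoted string: runs to the matching quote
            j = rest.index(rest[0], 1)
            args.append(rest[1:j])
            rest = rest[j + 1:]
        else:  # anything else is a numeric expression
            try:
                v, n = expr(rest, 0, env)
            except ValueError:
                break  # trailing garbage: stop parsing, as HaRET does
            args.append(v)
            rest = rest[n:]
    return resolve(cmd), args
```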
And here's a list of all available commands:
HELP DUMP command, here is the description of currently available dumpers:
GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER
------------------+-------------------+-------------------+------------------
    0 I 1 0 FE    |    21 I 1 0       |    42 I 1 1       |    63 O 0 3
    1 I 1 2       |    22 O 0 0       |    43 O 1 2       |    64 I 1 0
...
The meaning of columns:
pfh vram 240*320 0x0099
Here is an example HaRET script so that you can get a feeling of what it is and how it works.
# Display some greeting message
print "Welcome to Handheld Reverse Engineering Tool!"
print "Some basic info about your PDA:"
print "MMU L1 descriptor table address is %08x" MMU
print "Video RAM address is %08x" VRAM
print "Current Process ID is %d" PID
print "CPU identification register (p15 r0) is %08x" CP (15, 0)
# Fill top ten scan lines (the run bar) with some color
vfh VRAM 240*10 0x0099
When connected to HaRET through the network it expects to find a standard TELNET client on the other end, i.e. one that understands a couple of basic commands from the TELNET protocol: disable local echo and disable line-at-once mode. Thus you can't effectively use programs such as nc to connect to HaRET, since nc doesn't support these commands.
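To show what those two TELNET commands look like on the wire, here is an added Python example (not part of HaRET) of the client-side option handling that a raw tool like nc lacks. It assumes HaRET announces the options the standard way, with IAC WILL ECHO and IAC WILL SUPPRESS-GO-AHEAD, and that each command arrives whole within one chunk.

```python
IAC, WILL, WONT, DO, DONT = 255, 251, 252, 253, 254
ECHO, SGA = 1, 3  # option codes from RFC 857 (ECHO) and RFC 858 (SUPPRESS-GO-AHEAD)

def negotiate(data, wanted=(ECHO, SGA)):
    """Split one chunk from the server into (payload bytes, reply bytes).

    IAC WILL <opt> is answered with IAC DO <opt> for the options we accept, which
    is what puts the client into no-local-echo, character-at-a-time mode, and
    with IAC DONT otherwise.  IAC DO <opt> is refused with IAC WONT, since this
    client offers no options of its own.  IAC IAC is a literal 0xFF data byte.
    """
    payload, reply, i = bytearray(), bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            payload.append(b)
            i += 1
            continue
        cmd = data[i + 1]
        if cmd == IAC:
            payload.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            opt = data[i + 2]
            if cmd == WILL:
                reply += bytes([IAC, DO if opt in wanted else DONT, opt])
            elif cmd == DO:
                reply += bytes([IAC, WONT, opt])
            i += 3  # WONT and DONT need no answer
        else:
            i += 2  # two-byte commands such as NOP or GA are ignored
    return bytes(payload), bytes(reply)
```

A client that does not send the DO replies leaves the terminal in line mode with local echo, which is why the interactive editing keys below only work with a real telnet client.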
In exchange, HaRET lets you edit entered lines interactively. The following keys are defined and work for now:
Unfortunately, the TELNET daemon emulator on the PDA side doesn't support XON/XOFF characters yet (for this the input would have to be handled by a separate thread), so you can't press C+S/C+Q while, say, doing a large memory dump. However, you can enable telnet logging and then look in the log file if you think you missed something (without even interrupting the session, in a different terminal).
For now there is just one author, but I would be glad to get code contributions to the project.