Difference between revisions of "Private: implementing esg"

From NMSL
Line 1: Line 1:
 +
===Crack Nokia S60 OS to see all system files===
 +
N92: S60 3rd edition (crack successfully)
 +
 +
N96: S60 3rd edition with FP2 (not yet)
 +
 +
  Steps: (all files are available on network shared drive, under  students\yliu\testbed\s60crack )
 +
  1) Install X-plore: this tool is a powerful file browser and can help us view all the system files and hidden files.
 +
  2) Install HelloCarbide.sisx : this tool can be used to temporarily disable the root certificate on the cell phone
 +
  3) Upload installServer.exe and CProfDriver_SISX.ldd to the C:\sys\ on cell phone : this is to replace root certificate and gain system access
 +
  4) Install CapsOn,sisx and CapsOff.sis : the switch to control the cracking.
 +
 +
On N92, now we have full control of all the files.  On N96, we can access all files except system protected files (C:\sys  and C:\private).
 +
 +
 +
===DVB-H related info found on N92===
 +
C:\dvbh.ini  (N92 only has a C drive)
 +
 +
  ScheduleItemRemovalInterval=7
 +
  AutoScanNwTimeRetryDelay=5
 +
  ESGRootPort=9214
 +
  IpdcNumberOfLogFiles=3
 +
  IpdcLogFile=ipdc.txt
 +
  IpdcLogDir=ipdc
 +
  IpdcLogLevel=1
 +
  IpdcLogLevelRDebug=9
 +
  IpdcLoggingEnabled=1
 +
  NifFwdToStackInterval=500
 +
  NifReadInterval=500
 +
  SocketRecvBufSize=800000
 +
  TerminalMaximumBandwidth=500000
 +
  RequiredDiskFreeSpacePercentage=5
 +
  AllowUsageTracking=1
 +
  SignalScanFreqLow=472000000
 +
  SignalScanFreqHigh=702000000
 +
  SignalScanBW=8000000
 +
  SignalScanType=1
 +
  AutoScanEnabled=1
 +
  AutoScanStartDelayAfterBoot=5
 +
  AutoScanInterval=10800
 +
  AutoScanPreferredPlatformId=-1
 +
  AutoScanPlatformSetRetryDelay=120
 +
  PlatformSetUniversalTimeout=60
 +
  ScanUniversalTimeout=600
 +
  NetworkTimeUpdateUniversalTimeout=35
 +
  BootUniversalTimeout=20
 +
  InactivityPowerOffTime=300
 +
  ER4BootImageFile=z:\spi_boot.img
 +
  ER4SWImageFile=z:\enginer4.img
 +
  ER4AntennaSetup=z:\ER4AntennaSetup.dat
 +
  ER4SetPlatformRetryTimeout=25000
 +
  ER4SetPlatformRetryCount=10
 +
  ESGMgrUpdTime=120
 +
  ESGMgrUpdTimeAfterErr=10
 +
  ESGMgrUpdInterval=180
 +
  ESGMgrUpdRestartCount=3
 +
  ESGMgrRxInitTime=30
 +
  ESGMgrRxPeriodChkTime=20
 +
  ESGMgrUpdateEnabled=1
 +
  ESGMgrFCastRestartCount=3
 +
  ESGMgrUpkeepCleaningDelay=20160
 +
  ESGMgrCarouselDeltaStartTimeInHours=48
 +
  UsageTrackerRetryInterval=1
 +
  UsageTrackerRetryCounts=5
 +
  ECRenewalTime=1800000000
 +
  ECRenewalOffset=1
 +
  ECRemovalTimeInHours=48
 +
  AutoScanPlatformSetRetries=1
 +
  NwTimeUpdateRetries=2
 +
  PowerOffDelayAfterNwDiscovery=3
 +
  ReplayBuffer=30
 +
  UsageTrackerDbUpperLimit=1000000
 +
  DRMClockUpdateInterval=30
 +
 +
 +
===Error message found on N96===
 +
 +
Based on N92 dvbh.ini config file, I guess on N96, DVBH.img is either  ER4BootImageFile=z:\spi_boot.img
 +
or  ER4SWImageFile=z:\enginer4.img  on N92.  And it sounds more like the complete image, not just the boot image.
 +
 +
And even though N96's dvbh.ini file is short, it seems like some parameters still follows the N92's example, for example
 +
the log files on N96 matched with N92's config file 
 +
 +
  IpdcNumberOfLogFiles=3
 +
  IpdcLogFile=ipdc.txt
 +
  IpdcLogDir=ipdc
 +
  IpdcLogLevel=1
 +
  IpdcLogLevelRDebug=9
 +
  IpdcLoggingEnabled=1
 +
 +
In DVBH.img we find the following readable error message:
 +
  PSI_Processor  PSI_patpmt  PSI_nitint
 +
 +
  ThreadX API error: The event group is already created. Threadx API error: Invalid event group pointer. The pointer is NULL. System timer thread obj\dvbh\dtv1000_dbg
 +
   
 +
 +
As the above error message happens after the PSI/SI info section, It is the next step--ESG Bootstrap on Cell phone that cause the above error lines. The cell phone tried to receive something and the application crashed.  So on N96 the Subsystem ESG Manage did not get anything and leads to timeout.
 +
 
 +
 
=== TS files for various ESG versions available on-line (Mon Oct 13 09:30:11 PDT 2008) ===
 
=== TS files for various ESG versions available on-line (Mon Oct 13 09:30:11 PDT 2008) ===
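Review bot: step 4 of the added steps list names the first package "CapsOn,sisx", with a comma where every other file name uses a dot, and pairs it with "CapsOff.sis", so a reader cannot tell whether the two installers really differ in extension. Spell both names exactly as they appear on the share. In the last added paragraph, "Subsystem ESG Manage" should match the subsystem name the handset log prints ("ESG Manager"), and "ThreadX"/"Threadx" in the quoted image strings deserves a remark on whether the casing is verbatim.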
  

Revision as of 11:56, 17 October 2008

Crack Nokia S60 OS to see all system files

N92: S60 3rd edition (cracked successfully)

N96: S60 3rd edition with FP2 (not yet)

 Steps (all files are available on the network shared drive, under students\yliu\testbed\s60crack):
 1) Install X-plore: this tool is a powerful file browser and lets us view all the system files and hidden files.
 2) Install HelloCarbide.sisx: this tool can be used to temporarily disable the root certificate on the phone.
 3) Upload installServer.exe and CProfDriver_SISX.ldd to C:\sys\ on the phone: this replaces the root certificate and gains system access.
 4) Install CapsOn.sisx and CapsOff.sis: these are the switch that controls the crack.

On the N92 we now have full control of all the files. On the N96 we can access all files except the system-protected ones (C:\sys and C:\private).


DVB-H related info found on N92

C:\dvbh.ini (N92 only has a C drive)

 ScheduleItemRemovalInterval=7
 AutoScanNwTimeRetryDelay=5
 ESGRootPort=9214
 IpdcNumberOfLogFiles=3
 IpdcLogFile=ipdc.txt
 IpdcLogDir=ipdc
 IpdcLogLevel=1
 IpdcLogLevelRDebug=9
 IpdcLoggingEnabled=1 
 NifFwdToStackInterval=500
 NifReadInterval=500
 SocketRecvBufSize=800000
 TerminalMaximumBandwidth=500000
 RequiredDiskFreeSpacePercentage=5
 AllowUsageTracking=1
 SignalScanFreqLow=472000000
 SignalScanFreqHigh=702000000
 SignalScanBW=8000000
 SignalScanType=1
 AutoScanEnabled=1
 AutoScanStartDelayAfterBoot=5
 AutoScanInterval=10800
 AutoScanPreferredPlatformId=-1
 AutoScanPlatformSetRetryDelay=120
 PlatformSetUniversalTimeout=60
 ScanUniversalTimeout=600
 NetworkTimeUpdateUniversalTimeout=35
 BootUniversalTimeout=20
 InactivityPowerOffTime=300
 ER4BootImageFile=z:\spi_boot.img
 ER4SWImageFile=z:\enginer4.img
 ER4AntennaSetup=z:\ER4AntennaSetup.dat
 ER4SetPlatformRetryTimeout=25000
 ER4SetPlatformRetryCount=10
 ESGMgrUpdTime=120
 ESGMgrUpdTimeAfterErr=10
 ESGMgrUpdInterval=180
 ESGMgrUpdRestartCount=3
 ESGMgrRxInitTime=30
 ESGMgrRxPeriodChkTime=20
 ESGMgrUpdateEnabled=1
 ESGMgrFCastRestartCount=3
 ESGMgrUpkeepCleaningDelay=20160
 ESGMgrCarouselDeltaStartTimeInHours=48
 UsageTrackerRetryInterval=1
 UsageTrackerRetryCounts=5
 ECRenewalTime=1800000000
 ECRenewalOffset=1
 ECRemovalTimeInHours=48
 AutoScanPlatformSetRetries=1
 NwTimeUpdateRetries=2
 PowerOffDelayAfterNwDiscovery=3
 ReplayBuffer=30
 UsageTrackerDbUpperLimit=1000000
 DRMClockUpdateInterval=30


Error message found on N96

Based on the N92 dvbh.ini config file, I guess that DVBH.img on the N96 corresponds to either ER4BootImageFile=z:\spi_boot.img or ER4SWImageFile=z:\enginer4.img on the N92. It sounds more like the complete image, not just the boot image.

Even though the N96's dvbh.ini file is short, it seems that some parameters still follow the N92's example. For example, the log files on the N96 match the N92's config file:

 IpdcNumberOfLogFiles=3
 IpdcLogFile=ipdc.txt
 IpdcLogDir=ipdc
 IpdcLogLevel=1
 IpdcLogLevelRDebug=9
 IpdcLoggingEnabled=1 

In DVBH.img we find the following readable error message:

 PSI_Processor   PSI_patpmt  PSI_nitint
 ThreadX API error: The event group is already created. Threadx API error: Invalid event group pointer. The pointer is NULL. System timer thread obj\dvbh\dtv1000_dbg
   

Because the error message above appears after the PSI/SI info section, it is the next step, the ESG bootstrap on the phone, that causes these error lines. The phone tried to receive something and the application crashed. So on the N96 the ESG Manager subsystem did not receive anything, which leads to the timeout.


TS files for various ESG versions available on-line (Mon Oct 13 09:30:11 PDT 2008)

There is a recent DVB-H trial that adopts multiple ESG versions. The final report can be found here. In this trial, two types of Nokia ESG platforms are used: OAI and OMA BCAST. They also made some TS files available on an FTP site (see p. 18 of the above report).

To reverse engineer the requirements of Nokia's OMA BCAST ESG implementation, we can download and analyze the TS files of the Nokia BCAST platform. We can use the channel parameters listed in the report to identify the right TS stream.
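A first pass over a downloaded TS file is a per-PID packet count, which can then be matched against the channel parameters in the report. The sketch below is an added example, not code from this page or from Nokia; the sample stream is constructed, and the PIDs 0x555 and 0x666 are borrowed from the timeslicer command line on this page purely as sample values.

```python
from collections import Counter

TS_PACKET_SIZE = 188   # fixed MPEG-2 transport stream packet length
SYNC_BYTE = 0x47       # first byte of every TS packet

def find_sync(data, need=3):
    """Offset of the first byte that starts `need` back-to-back TS packets."""
    for off in range(min(TS_PACKET_SIZE, len(data))):
        idx = [off + i * TS_PACKET_SIZE for i in range(need)]
        if idx[-1] < len(data) and all(data[i] == SYNC_BYTE for i in idx):
            return off
    return None

def pid_census(data):
    """Return (Counter of PID -> packets, number of packets skipped as damaged)."""
    off = find_sync(data)
    if off is None:
        raise ValueError("no MPEG-TS sync pattern found")
    counts, skipped = Counter(), 0
    for pos in range(off, len(data) - TS_PACKET_SIZE + 1, TS_PACKET_SIZE):
        b0, b1, b2 = data[pos], data[pos + 1], data[pos + 2]
        # Skip packets with a lost sync byte or transport_error_indicator set.
        if b0 != SYNC_BYTE or b1 & 0x80:
            skipped += 1
            continue
        counts[((b1 & 0x1F) << 8) | b2] += 1   # 13-bit PID
    return counts, skipped

def make_packet(pid, tei=False):
    """Constructed test packet: 4-byte header plus 184 stuffing bytes."""
    b1 = ((pid >> 8) & 0x1F) | (0x80 if tei else 0)
    return bytes([SYNC_BYTE, b1, pid & 0xFF, 0x10]) + b"\xff" * 184

# Constructed sample: 3 junk bytes, then PAT (0x0000), two sample PIDs,
# one packet flagged as damaged, and a null packet (0x1FFF).
SAMPLE = (b"\x00\x01\x02" + make_packet(0x0000) + make_packet(0x555) * 2
          + make_packet(0x666) * 3 + make_packet(0x666, tei=True)
          + make_packet(0x1FFF))

if __name__ == "__main__":
    census, skipped = pid_census(SAMPLE)
    for pid, n in sorted(census.items()):
        print(f"PID 0x{pid:04X}: {n} packets")
    print("skipped:", skipped)
```

For a real capture, read the file in binary mode and pass its bytes to `pid_census`.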

To debug buffer overflow problems (Sun Oct 5 14:57:03 PDT 2008)

There have been quite a few nasty buffer overflow bugs in dataaggregator and timeslicer, which cannot be easily found by reviewing the code. To trace the problem, we may use the memory checking feature of the valgrind tool. Valgrind can be installed through apt-get.

To use it, compile your code with CC flags: -g and -O0. Then run the timeslicer (for example) as follows:

 valgrind --leak-check=yes ./timeslicer -n 1024 -g 8 -b 8 -d 400 -c 3 -o qpsk \
   -p esgbt:/tmp/fatcapsesgbt:0x555 -p esg:/tmp/fatcapsesg:0x666 \
   -p prog1:/tmp/fatcapsinput1:0x771 -p prog2:/tmp/fatcapsinput2:0x772 \
   -p prog3:/tmp/fatcapsinput3:0x773 -p prog4:/tmp/fatcapsinput4:0x774 \
   -p prog5:/tmp/fatcapsinput5:0x775 -p prog6:/tmp/fatcapsinput6:0x776 \
   -p prog7:/tmp/fatcapsinput7:0x777 -p prog8:/tmp/fatcapsinput8:0x778 \
   -f /tmp/fatcapsfifo

Valgrind's output is descriptive; see the Valgrind web page for details.

DVBH related files on N96 (Wed Oct 1 19:39:06 PDT 2008)

There are a few DVB-H related files in the N96 ROM (z:\) and flash (c:\):

z:\dvbhsetup.dat
z:\DVBH.img
z:\System\data\dvbh\dvbh.ini   <--- readable
c:\System\data\esg
c:\System\data\ipdc
c:\logs\ipdc                             <--- readable 

Some error files from N96 (Wed Oct 1 17:26:50 PDT 2008)

The log indicates that the ESG receiver fails to receive some file. Unfortunately, we cannot be sure at which stage it failed. Little can be done beyond this point without Nokia's support, e.g., putting the logger into development/verbose mode.

Therefore, I decided to put the N96 aside until we get some support from Nokia.

2008/10/01	2:15:01	
2008/10/01	2:15:01	
2008/10/01	2:15:01	------- Subsystem DVBH Manager error -------
2008/10/01	2:15:01	Emitting module: c\cdvbhmgrinactivityobserver.cpp line: 231
2008/10/01	2:15:01	Error code:      -2497
2008/10/01	2:15:01	Description:     Cutting_power_in_NoPlatform_state_due_to_inactivity
2008/10/01	2:15:01	Additional info: (none)
2008/10/01	2:20:30	
2008/10/01	2:20:30	
2008/10/01	2:20:30	------- Subsystem ESG Manager error -------
2008/10/01	2:20:30	Emitting module: \common\src\cesgfilereceiver.cpp line: 548
2008/10/01	2:20:30	Error code:      0
2008/10/01	2:20:30	Description:     TimerTimeout NoBlocksReceived
2008/10/01	2:20:30	Additional info: (none)
2008/10/01	2:25:30	
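To compare error blocks across runs or handsets, the excerpt above can be parsed into one record per block. This is an added example, not Nokia's tooling or code from this page; the field layout is inferred from the excerpt itself, and the sample input is that excerpt with tabs between date, time and message.

```python
import re

HEADER = re.compile(r"-+\s*Subsystem (?P<subsystem>.+?) error\s*-+")
FIELD = re.compile(
    r"(?P<key>Emitting module|Error code|Description|Additional info):\s*(?P<value>.*)")

def parse_ipdc_log(text):
    """Group tab-separated log lines into one dict per 'Subsystem ... error' block."""
    records, current = [], None
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) < 3:
            continue                      # not a date<TAB>time<TAB>message line
        date, time, msg = parts[0], parts[1], parts[2].strip()
        header = HEADER.fullmatch(msg)
        if header:
            current = {"timestamp": f"{date} {time}",
                       "subsystem": header["subsystem"]}
            records.append(current)
            continue
        field = FIELD.fullmatch(msg)
        if field is None or current is None:
            continue                      # blank separator or text outside a block
        key, value = field["key"], field["value"]
        if key == "Emitting module":
            module, sep, lineno = value.rpartition(" line: ")
            current["module"] = module if sep else value
            current["line"] = int(lineno) if sep and lineno.isdigit() else None
        elif key == "Error code":
            current["code"] = int(value)
        elif key == "Description":
            current["description"] = value
        else:
            current["info"] = None if value == "(none)" else value
    return records

# Sample input: the two error blocks from the log excerpt on this page.
SAMPLE_LOG = "\n".join("2008/10/01\t" + t + "\t" + m for t, m in [
    ("2:15:01", ""),
    ("2:15:01", "------- Subsystem DVBH Manager error -------"),
    ("2:15:01", r"Emitting module: c\cdvbhmgrinactivityobserver.cpp line: 231"),
    ("2:15:01", "Error code:      -2497"),
    ("2:15:01", "Description:     Cutting_power_in_NoPlatform_state_due_to_inactivity"),
    ("2:15:01", "Additional info: (none)"),
    ("2:20:30", "------- Subsystem ESG Manager error -------"),
    ("2:20:30", r"Emitting module: \common\src\cesgfilereceiver.cpp line: 548"),
    ("2:20:30", "Error code:      0"),
    ("2:20:30", "Description:     TimerTimeout NoBlocksReceived"),
    ("2:20:30", "Additional info: (none)"),
])
```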

Comments from Mr. Hanel, who is an engineer at Decontis (the company who makes dvbSAM)

Nokia is a special case. It is correct that Nokia moves from its own proprietary OAI ESG toward OMA BCAST ESG, but the transport streams created with Nokia ESG server I saw so far in the near past were not fully compatible yet with OMA BCAST. So handhelds from vendors != Nokia have problems with broadcasts where Nokia ESG is inside. And the other way is often also blocked - Nokia handhelds mostly could not receive ESGs provided by ESG servers from other vendors. Mostly only the combination Nokia ESG server + Nokia handheld worked properly. Of course, this behavior may change with every new software version Nokia releases for its handhelds. Since nobody except Nokia itself knows what's going on within their handhelds, finding the problem could be difficult. Could be that your ESG is fully compliant to the standard and nevertheless the Nokia handheld cannot handle it. I'd recommend to update the N96 firmware to the latest version and to try at least one more DVB-H handheld, e.g. a recent one from LG or Samsung.