note: the stuff in my source tree is the most up to date, usually contains lots of new features, which I have not yet released in a source + binary package.
A collection of tools to do many things to a windows CE device via Activesync/RAPI.
These tools should work on most CE devices, tested on Ipaq, XDA(Wallaby), XDA-II(Himalaya), XDA-IIs(Blueangel), MDA Compact(Magician), i-mate SP3, i-mate SP3i, Yakumo P300, MPx200, Voq, Mitac Mio, Mitac Megas. with PocketPC 2002, PocketPC 2003, Windows Mobile 2003, Windows Mobile 2003 Second Edition, Smartphone 2002, Smartphone 2003, smartphone 2005, windows mobile 2005. wm6, wm6.5 ( wince 3.0 and wince 4.2 and wince 5.0 )
NOTE: i am waiting until i get my hands on a wm7 phone, on which i don't expect itsutils to work without major modifications

these are:

pps        - dumps active wince processes
pdblist    - dumps wince databases
pdel       - delete wince file
pdir       - list wince directory
pmkdir     - create wince directory
pget       - copy file from wince
pkill      - kill wince process
preboot    - reboot wince device
ppostmsg   - send/post windows msgs to wince windows
pmemdump   - copy memory block from wince
psetmem    - set RAM memory location in your device
pmemmap    - list available memory blocks on wince
pput       - copy file to wince
pregutl    - manipulate the wince registry
prun       - run program in wince
dump       - hexdump local file.
pdebug     - capture debugoutput of processes
pdocread    - raw read from disk-on-chip in your device
pdocwrite    - raw write from disk-on-chip in your device
psdread    - raw read from sd card in your device
psdwrite   - raw write to the sd card in your device
pnewbmp    - write new bootsplash bitmap to rom
pnewbootloader - replace your bootloader
prapi      - interface to wince provisioning config api
psynctime  - sync time with pc.

NOTE: sdread, sdwrite, postmsg, memdump, setmem and regutl are similar tools, but operate on your pc, instead of a remote device.

.... experimental stuff:
pgsmdump   - attempt at memory dumper for gsm.
pget2      - attempt at improvement of pget
tlbdump    - dumps virtual to physical memory mapping
riltest    - dumps all kinds of info from the phone via ril
pcmon      - attempt to talk 'rsupgrade'-protocol
testpi     - tool to find out what handles are open on your PPC
tsttffs    - tool to experiment with the trueffs API
NOTE: The experimental tools may not work, or may even cause damage. Use at your own risk, and after reading the source, and making sure you understand what they do!!!

some are vaguely based on the sample code in the pocketpc sdk.

you can leave comments with this blog article, or mail me

download

you can download the binaries here or here
or browse the source here
there is also a page on these tools at this wiki
more recent binary releases : ( newest first )

older versions

building

to compile it you need visual studio 2005, with the windows mobile 6 SDK. and also header files from the wince3, wince4 and wince5 platformbuilders. and cygwin, with probably at least these packages installed: bash, perl, make.

to build: type 'make' in the itsutils directory, it will then build 'src', 'dll', apihook, rilhook, some stuff from 'leds'

note: not all make versions released by cygwin work, v3.80 crashes with an internal error, v3.81 has broken dos path support. a working version can be found here

you may have to modify local-vc8-armv4.mak to fit to your local setup

of the platformbuilder, only the header files are used, no need to buy the complete product. the preview edition provided for free by microsoft is sufficient.

building very old versions

these old build methods are no longer supported
note1: very old versions of itsutils used evc3 to build
note2: very old versions of itsutils used a batchfile, instead of makefile to build

INTRO

 pps dumps active wince processes
 pdblist dumps wince databases
 pdel delete wince file
 pdir list wince directory
 pmkdir create wince directory
 pget copy file from wince
 pkill kill wince process
 pmemdump copy memory block from wince
 psetmem set RAM memory location in your device
 pmemmap list available memory blocks on wince
 pput copy file to wince
 pregdmp dump wince registry
 pregutl manipulate the wince registry
 regutl manipulate the win32 registry
 prun run program in wince
 dump hexdump local file.
 pdebug capture debugoutput of processes
 pdocread raw read of m-systems DiskOnChip devices
 psdread raw read from sd card in your device
 psdwrite raw write to the sd card in your device
 pnewbmp flash new bootsplash to device
 pnewbootloader flash new bootloader to device
 psynctime sync time with pc.

experimental tools

 pgsmdump attempt at memory dumper for gsm.
 pget2 attempt at improvement of pget
 tlbdump dumps virtual to physical memory mapping
 riltest dumps all kinds of info from the phone via ril
 pcmon attempt to talk 'rsupgrade'-protocol
 testpi tool to find out what handles are open on your PPC
 tsttffs tool to experiment with the trueffs API
 tstcpu tool to measure cpu speed
 regbk tool to dump registry to a file
 prapi tool upload certificate, or set regkeys via the provisioning api
NOTE: The experimental tools may not work, or may even cause damage.
  • Use at your own risk, and after reading the source, and making sure you understand what they do!!!

    'itsutils.dll' is automatically copied to the windows directory of your CE device when it is detected to be out of date.


    USAGE

    dump.exe

    This tool is not specifically meant for use with a windows CE device. I use it to make hexdumps of memory dumps.

    If you have for example a romimage saved to a file, and the first byte in the file maps to address 0x80000000 in the CE device, and you want to list the dwords starting at 0x80040000. You would type something like this:

    dump -b 0x80000000 -f romimage.bin -o 0x80040000 -4 -l 0x100
    
  • using the -md5, -sha1, -sha256, -crc or -sum options, you can use dump.exe to calculate the checksum, crc or hash of a specific region of a file.
  • you can also use dump.exe to extract a specific region of a file, and save it to another file by specifying a second filename on the commandline.

    itsutils.dll

    This is the workhorse for some of these tools ( pdebug, pkill, pmemdump, pps ). It it implements a interface callable by 'CeRapiInvoke' to do various useful things for the world. You should copy this dll to the \Windows directory of your CE device.

    For instance using 'pput itsutils.dll \Windows'

    pdblist.exe

    This tool provides various ways of looking at the databases stored on your CE device. To get a list of all databases type 'pdblist -d', it lists the objectid, the database flags, the type of database, the nr of records, the size, the name, and the available indexes. Or if you know the name or id of the database you can list all records in this database by typing, 'pdblist -d pmailMsgClasses' ( ignore the error message, it does not mean anything ) or 'pdblist -d 0x1001568'. For each record it lists the record id, size, nr of fields, and the fields. For each field, it lists the field id, type, length, flags and value. To just list the contents of 1 record, you can type 'pdblist -r 0x0100156f' ( where 0100156f is the object id of the record ) you can also use this to list information about files. 'pdblist -r 0' will get you info on the root directory.

    NOTE: this tool no longer works properly with windows mobile 2005. microsoft change the database API on the device. but did not update the activesync api to access databases.

    pdebug.exe

    This tool attaches as a debugger to the specified process, and prints all debug output to the console. Unfortunately the only programs I can find which have debug output are my own. It may make your CE device become unstable. a reboot after using it will do no harm.

    pdel.exe

    This tool works as 'del' under DOS. you can specify multiple files, and optionally a current directory with '-d' where these file should be deleted from. for example 'pdel -d \temp tst1.txt tst2.txt' will delete \temp\tst1.txt and \temp\tst2.txt.

    you can also specify wildcards, or delete directories recursively. Sometimes the CE device gets in a state where it will not allow files to be deleted anymore, a reboot will usually fix this.

    pdir.exe

    Lists directories from your CE device. Specify '-r' to list them recursively. You can specify any number of paths with wildcards to list. Example: 'pdir \Temp \Windows' will list both the \temp and \windows directories. directories will be listed [bracketed].

    you can specify device language independent paths using variables like %CSIDL_STARTUP%. to get a complete list of supported variables, type

    pdir -l
    

    pmkdir.exe

    Tool to create directories on your WinCE device.
    pmkdir also supports %CSIDL style variables.

    pget.exe

    Tool to copy files from your CE device to your local machine. you may use wildcards or multiple filenames to specify the source files. you may specify a directory for the target, if no target is specified it will default to the current directory. Example: 'pget \Windows\toolhelp.dll' will copy toolhelp.dll to the current directory.
  • This tool currently does not allow you to copy certain ROM files. see 'dumprom' for that.
  • pget also supports %CSIDL style variables.
  • you can recursively copy all copyable files using pget -r

    pkill.exe

    Allows you to kill one or more processes on your CE device. If multiple processes exist with the same name, all will be killed. if result '2' is reported, this means kill successful, result '1' means process found, but unable to kill, '0' means process not found.

    pmemdump.exe

    Copies memory blocks to a local file, or just prints a hexdump on the console. you can specify the process context from which to read the memory. You can see the difference in context by dumping address 0x11000. for instance look at the difference between:
    pmemdump -n filesys.exe 0x11000
    
    and
    pmemdump -n shell32.exe 0x11000
    
    if no context is specified, memory is read from the perspective of the 'rapisrv.exe' process. You can use '-m' to read memory directly, bypassing ReadProcessMemory, this will crash when an invalid memory location is read.
  • you can specify physical memory offsets using the -p option
  • to get a rough overview of what you is in memory you can use the step -s option:
    pmemdump 0x80000000 0x02000000 -s 0x10000
    
    will list 16 bytes every 64k.
  • pmemdump options are almost the same as dump.exe options

    memdump.exe is the same tool, but then to access your local desktop pc memory.

    psetmem.exe

    this is the opposite of pmemdump, you can specify an offset and a list of bytes, words, or dwords to write to this location. this app does not write to flash memory, only to RAM.

    setmem.exe is the same tool, but then to access your local desktop pc memory.

    pmemmap.exe

    tool to inspect the pagetables or section tables. you can also use it to create a 'hardcopy' of a specific section.

    pps.exe

    Display a list of processes currently running on your device. It also lists memory usage, processor usage, and commandline for each process.
  • With '-s' you can specify how long it has to measure to get an accurate cpu usage reading.
  • you can also see detailed thread information with '-t'
  • '-m' will list all modules currently loaded in the device.

    pput.exe

    Like pget, but the other way around. Copies files from your local machine to your CE device. this is actually the same tool, just called with a different name.
  • using '-c', pput copies data from its stdin to the device file, this is useful for instance to create .lnk files like this:
    printf "#yourprogram.exe"|pput -c \windows\startup\yourpgm.lnk
    

    pregutl.exe

    Allows you to inspect or modify the registry of your CE device you can specify the hive to display ( hkcu, hkcr, hklm ) you can also import .reg files using this tool, delete keys, or modify values.
    this tool is a complete rewrite of the now obsolete pregdmp
    now there is also regutl.exe with the same functionality, but for desktop pc registry.

    prun.exe

    allows you to start programs on your CE device from your desktop machine. for instance:
    prun cprog.exe -url tel:121
    
    will start the phone application, and prompt you if you want to dial '121'.

    psdread.exe

    psdwrite.exe

    These can be used to do raw disk read/writes from the disk device in your CE device, or USB/pccard flashdisk reader. ( like an MMC/SD card ) it defaults to using disk 1. ( on the XDA-II / Himalaya the sd card is DSK3: ) you have to specify a linear offset from the start of the device.

    You can view all available disks with 'psdread -l' You can find the exact disk size of any device by specifying the '-t' option. This is because the size of Flashdisks is reported incorrectly by WindowsXP.

    local (to windows) disks should be specified by drive-letter. WARNING: the drive letter assignments are quite dynamic, a disk may return on a different letter after removing/ re-adding it. psdwrite does attempt to verify that you are not overwriting your harddisk, but still be sure to specify the correct drive.

    psdwrite/psdread can now also write/read partial sectors.

    pdocread.exe

    This tool can be used to read and list various parts of m-systems Disk On Chip devices. The -d, -p, and -h options can be used to select a specific disk device. Only specifying -d will open that device directly. Specifying -d and -p, will open the device using the storage manager, and then us the partition specified with -p. To circumvent a problem with truncated device names in some WinCE versions, you can also specify a known open device handle, using -h.

    Use "pdocread -l" to get a list of known devices, and open handles on your wince device.

    The -n, -w, and -o options are used to select what access method is to be used. -n 0 will read from the binary partition number 0. -w will use the standard disk api to access the device, -o will access the One-time-programmable area of your DOC. when no access method is specified, the 'normal' TFFS partition will be accessed.

    Be warned that the tffs API is not very stable, it causes device crashes, and on several devices it is only partially implemented.

    binary partition sectorsizes

    the sector size can be different for each sector in binary partitions, to find out how the layout of these sectors, you can use this cmd.exe command:
    for %i in (0 1 2 3 4 5 6 7 8 9 a b c d e f) do (
      pdocread -n 1 -b 0x1000 -G 0x400000 0x%i000 0x400000 x
    )
    
    it will try to read a very large block from each sector, and output errors, indicating how many bytes were actually read.

    to read the bootloader on a G4 htc device, you would need to specify -b 0x20000, while on a G3 device you would need to specify -b 0x8000.
    or to read the bootsplash on a G4 device you would need to do this:

    pdocread -n 1 -G 0x30000 -b 0x10000 0xF0000 0x30000 bdk1-f-splash.nb
    

    pdocwrite.exe

    This tool can write Disk On Chip partitions.

    The -u PASSWD option can be used to temporarily unlock a locked diskonchip device, useful for instance for writing the himalaya extended rom, which has password "aYaLaMiH"

    other options are identical to those of pdocread.

    pnewbmp.exe

    you must specify a bmp file, as required by splitrom, and the romversion with '-3' or '-4', this determines the location where the bootsplash is written, for (most!!) 3.x roms this is at 81900000, for 4.x roms, and the chinese 3.x rom it is at 81ec0000.
    so be careful, you must first verify that the bootsplash is indeed at this location, otherwise you will overwrite essential data in your rom

    pnewbootloader.exe

    possibly the most dangerous tool in this collection, it allows you to overwrite the bootloader with something else. this tool depends on specific memory locations for certain roms. it does verify that it is talking to a known rom. it also does a very minimalisitc check if the file presented to it resembles a bootloader.

    big warning: be sure to use a real bootloader image when updating your bootloader,
    !!!!! the CLoader_usb.nb and CLoader_serial.nb files are NOT bootloaders. !!!!! this tool can be used to flash any rom area on wallaby, himalaya and magician. be very careful, and aware of what you are doing. I do not provide services to fix ruined devices.

    psynctime.exe

    Tool to synchronize your PDA time with your desktop pc, you have it run automatically by adding this value to your PC registry:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect]
    "psynctime"="c:\\path-to\\psynctime.exe"

    this will also correct a problem that your current application loses focus when your cradle your device.

    preboot.exe

    tool to remotely reboot your device, while it is cradled.

    ppostmsg.exe

    Utility to send messages to windows on your pocket pc device.

    postmsg.exe does the same, but then for your desktop pc.

    tstril2.exe

    Ril Logger utility, to see what is going on with RIL.

    prapi.exe

    this tool talks to the device using the CeProcessConfig API.
  • you can set/get/delete registry keys using repectively: '-s', '-q', and '-d'
  • you can upload certificates using '-c'
  • you can download certificates using '-q -c'
  • you can set/get policy settings using '-p' or '-q -p'

    FUTURE

    pdblist

    itsutils

    pdel

    pget

    pput

    pps

    pregdmp

    pkill

    prun

    ptlbdump

    planned tools

    Changelog

    Changelog

    040318 -> 050119

    050119 -> 050628

    050628 -> 070323

    ... TODO: have to write up a summary for this some time

    070323 -> 070705

    070705 -> 080602

    080602 -> 080730

    080730 -> 080731

    080731 -> 080731-2

    080731-2 -> 080923

    080923 -> 090331

    major new features: --- updated plumbing:

    some wince ( on device ) tools

    090331 -> 090515

    090515 -> 091117

    091117 -> 100222

    100222 -> 100324

    100324 -> 111201

    Note, that when running on a smartphone, you have to sign itsutils.dll
    another thing to note, is that itsutils.dll requires toolhelp.dll, which is installed on most devices, but if it is not, you can find it with the compactframework sdk, or pocketpc sdk, or here

    create:
    makecert -n "CN=key-common-name-minimum-32-chars" -sv "privkey.pvk" "pubkeycert.cer"
    note that this must not be a selfsigned certificate.
    it is however not a problem if the CA's certificate is not on the device.
    sign:
    signcode -v privkey.pvk -spc pubkeycert.cer itsutils.dll
    upload certificate to device: - since version 20090515 not nescesary anymore
    prapi.exe -c pubkeycert.cer
    it may also be nescesary to change the policy using prapi:
    prapi -p 4097 1
    for more details on codesigning, see:
  • smartphone-certificates
  • smartphone-policies