Database Info

[INFO] Cat NOVA What´s inside ?

Hello
this bad sunday i tried to open my brandnew Cat Nova Android Tablet.
It´s sold actually by Hugendubel and Weltbild.
It´s actual an cheap Android Tablet with Android 2.3
CPU is a TCC8033
it should have 1,2 Ghz but actual it seems to be only a 1 Ghz CPU.
Good site for Infos is http://androtab.info/
You could root it using the [APP]SuperOneClick v2.1.1for example. There is a little trick, found by a member of the http://www.android-hilfe.de Forum
DU musst aber wenn er bei Step 6 stehen bleibt einfach usb abziehen, USB Debug ausmachen..kurz connecten...dann wieder abziehen und wieder USB Debug an und reinstecken.
Click to expand...
Click to collapse
after step 6 you need to unplug usb / turn off usb debugging / reconnect hte usb for a short time / unplug usb again / turn ON usb debugging again / plug in usb again an let the SuperOneClick tool do the Rest.
This method worked fine for me.
To open the Cat Nova:
1. remove any connections ( power, usb headphone, etc. )
2. remove sd-card ( if there is one inside )
3. carefully remove the rubber band that goes around the tablet. It is fixed from the inside on the underside left and right from the connectors. Don´t pull it out here !!!
4. start removing it by carefully pull it out for example on the upper edge.
Remove it around the whole table and let it hang on the bottom.
5. now you will see the screws which are around the tablet.
6. Pick up a little screwdriver an carefully remove the screws.
In my case there are 11 Screws.
7. Now begin to carefully open the backside of the tablet beginning at the top.
8. Be careful not to lose the Volume control wipe ( a little damn plastic part sitting inside only been hold by a little nothing )
Be also careful not to break anything on the bottom of the tablet
9. Voila Now the tablet should be open.
Be careful if you remove any of the shielded Tape as you may rip of any flat cable !
On the inside: EM86_V3 printed on the PCB
some unused connectors an pads
seems like there is a place for a mini pci connector and a
sim connector
unused 10 pin connector
See more on the pictures please
Looking for CWM Recovery to flash an alternative ROM like CyanogenMod 7
So Long, and Thanks for All the Fish
fgoeber

Pictures Part 2
Pictures Part 2

Pictures Part 3
Pictures Part 3

[INFO] CAt Nova / Rooting / USB Driver Problem ? Here is the solution
If you are having trouble to find the right USB driver here is a solution that worked for me:
Pick the official android_winusb.inf which is included in the official
Google Android SDK: developer.android.com/sdk/win-usb.html
Open the android_winusb.inf an add the following lines:
%SingleAdbInterface% = USB_Install, USB\VID_18D1&PID_DEED
%CompositeAdbInterface% = USB_Install, USB\VID_18D1&PID_DEED&MI_01
Click to expand...
Click to collapse
in the
;Google NexusOne
Click to expand...
Click to collapse
Section.
Save the file an pick it when windows ask´s for it.
Now the Driver should be installed without any Problems so you could use SuperOneClick.
Only tested under WinXP / 32-Bit Version.
So long and thanks for all the fish
fgoeber

Here are some more Information about the tablet:
Manufacturing by Emdoor
digi.emdoor.com/EN/BFangan/Detials.aspx?id=137&menuid=0203020201
digi.emdoor.com/upfile/Flash/2011/10/20111020201423.pdf // Page 8
So long and thanks for all the fish
fgoeber

Is there any Option to install a custom ROM?
Sent from my X10i using XDA App

Hi fgoeber,
nice pics. So do you have a list of all components. I'm very intressted in the camera-sensors. So do you know the name of the manufacturer ?
thx, uli

Hi
I have bought what I think is much the same tablet as the Cat Nova but with the difference that mine has internal 3g phone included as well:
aliexpress.com/store/701252/211239486-507494256/8-Android-2-3-Telechips-8803-Cortex-A8-1GHz-EM770-3G-Phone-Call-6-Point-Capacitive.html
So it is an Emdoor EM86 as listed in this thread.
I have noted that on the the cat nova homepage there is information about some FW updates:
tablet.cat-sound.com/index.php/support/nova-update
I am a bit curios to try and installing their latest update to see if it would work on my tablet but I am a bit unsure if the hardware difference would cause my 3G phone stop working. Also I am not sure if the Cat Nova updates only support german language... It seems like the Cat Nova team are planning future updates to ICS which is good news.
Or is there someone out there whos managed to install a custom ROM - I am having some problems with a nervous g-sensor and it would be nice to get rid of that problem.

I feel guilty here, and I am posting off topic, if this annoys someone I will delete this post (given this forum allows me to). I am a developer and one of my customers said that my game doesn't work on the Nova - as this is the only thread I have found posted by someone with intelligence, can you indulge me a minute or 2 and see if you can run: -
Edit: I cannot post outside links so please do an Android Market search for Solitaire 3D by Jonathan Barton.
Again sorry for the hijack, and if it is inappropriate I will delete it.
Thanks for your consideration
Jonathan

jawfin said:
I feel guilty here, and I am posting off topic, if this annoys someone I will delete this post (given this forum allows me to). I am a developer and one of my customers said that my game doesn't work on the Nova - as this is the only thread I have found posted by someone with intelligence, can you indulge me a minute or 2 and see if you can run: -
Edit: I cannot post outside links so please do an Android Market search for Solitaire 3D by Jonathan Barton.
Again sorry for the hijack, and if it is inappropriate I will delete it.
Thanks for your consideration
Jonathan
Click to expand...
Click to collapse
Hi Jonathan
I made a quick test of your app on my tablet Emdoor EM86, which from a hardware point of view I would say is identical to the cat nova, and it seems to work. The animations all seem to work. The only problem I could see is that part of the left most part of the screen is missing - a small part of the left most pile of cards is not shown on the screen.

I really appreciate you taking the time to check it for me. The chap said: -
leider kann ich das spiel weder auf meinem htc noch auf meinem cat nova spielen wegen der bildgrösse die gerade mal 1/3 des bildschirm füllt
bitte um abhilfe
danke
Which Google tells me means: -
Unfortunately I can not play on my htc still on my cat nova play because of the image size just 1 / 3 of the screen fills
ask for remedial
thank you
I thought he may have a custom resolution, but he says its 800x600 - which works fine in the emulator. I guess I don't have a solution for him then, which is sad because I do like to solve the issues. I guess with the bits of the deck cut off it's still playable for you though, so his issue is something else again.
Again, thanks for taking the time, and apologies to everyone else
Edit: re-reading that German is he saying it's not working on a HTC but it does work on the tablet? Nevermind though, its possible he isn't running my latest version which I believe sorted those issues!

Info....
Edit: re-reading that German is he saying it's not working on a HTC but it does work on the tablet? Nevermind though, its possible he isn't running my latest version which I believe sorted those issues!
Click to expand...
Click to collapse
No, he said it's not working on both of his devices, one is a HTC the other one is the tablet. It seems to me that the screen resolution is too high for the game as he said that only 1/3 of screen is used be the application?
Are you using a fixed resolution?
I will also try it this evening, I'm using a HTC Desire HD.
Please don't ask me which screen resolution I am current using.... LOL
Best regards,
Harry

Ok thanks.
I am really beginning to feel bad about this obvious hijack - can an admin/moderator please split this thread from my first post?
The app does run for all resolutions which I can test in the emulator, from 320x480 to 720x1280. It handles wide-screen well, but, it needs minor tweaking for 600x800 as that is so square like - I took widescreen into account but not squares! I have done a fix to handle that, but its not released yet. This work is rather complex in that I am rendering the game using the OpenGL engine and 3D perspective co-ordinates with the origin at the center of the screen, but the on touch events are 2D Cartesian co-ordinates from the top left corner. There is significant math in there for calculating both how far down the Z axis I render my objects to fit the screen neatly, and reading and converting the touches as to resolve what card was selected.
Hopefully my next version 2.3, should deal with all resolutions cleanly.
Again thanks for taking your time to look at this for me. Professionally I write accounting software, and have done for 15 years, it is unthinkable on my part to have a bug which I cannot fix / work-around (bugs in accounting software don't go down so well for some reason!)
Cheers Jonathan

Hi friends,
any have problems with orientation of the g sensor of it tablet? have problems with car games. and other games using g sensor. i check this trhied http://forum.xda-developers.com/showthread.php?t=803242&page=7
but no see the file Ak8973Prms.txt in /data/misc only see a file name calibration _set.txt and values x:0 y:0 z:0 now i test the g sensor with Jhonson Bubble level and really the g sensor its inverted. any idea?
Model:number; EM86_TD_BT_PHONE 20111208
Android Version: 2.3.3
Kernel version; 2.6.35.7

someone has managed to replace the way the partitions are mounted
check this post pls http://forum.xda-developers.com/showthread.php?t=1389454

Custom Rom
darthvader85 said:
Is there any Option to install a custom ROM?
Sent from my X10i using XDA App
Click to expand...
Click to collapse
Yes, it is possible.
at android-hilfe.de there exist a "custom rom", which is at least based on the latest official (but not released) ROM and has some minor bugfixes
not a big thing like CM, but it is a good start at all.
at least, with this ROM the latest Version of all Angry-Birds are playable, which seems to be a problem with the Original ROM.
[sorry, can't post a direct link to the thread due to restrictions here. Take a look at the Cat Nova Section, you will find it]

Battery
What kind of battery is in it? If i wanted to replace it with a better one? And the cameras as well?
Chris

Can I install CWM on Cat Nova?

SBK/SbCalc Tool

I have been searching these forum for awhile on how to create a similar tool like "SbCalc". I'm from the microsoft kin forums on here and have just been trying to keep some kind of progress going as far as unlocking the phone. (That forum doesn't get a lot of attention so things have been slow for awhile.)
Anyways,the phone has a tegra 1 chip and is capable of running nvflash...but need to figure out the sbk to get into the partitions.This website goes into some detail about the SBK but not sure if it applies every phone including non android ones:
http://projects.pappkartong.se/a500/
To generate the SBK from the UID (assumign UID is a hexadecimal string)
Discard any leading 0x in the UID
Split the UID into four 4 character strings
For each part, take the ascii values and multiply with 100 raised to the position.
e.g. "89AB" => 56*100**3 + 57*100**2 + 65*100**2 + 66*100**0 = 56576566.
xor
If using a little-endian architecture, swap the byte order
Print the key
Would this be the right way to convert the key for nvflash? This phone doesnt haven a uid besides what i could find through QPST:
meid
esn 800CE99D
usb guid
s/n E00301720
s/n b37c03ac-0f16-47c2-a972-fcfe12a33080
meid dec
meid hex
Not really any 15-16 keys that i could find yet that would run in Sbcalc.Not really sure where to go from here and don't want this project to die out.Hopefully someone can help me out or maybe check out the kin forums and see if they can help.thanks
http://forum.xda-developers.com/forumdisplay.php?f=674

Things like this are very difficult when the manufacturer has completely given up on it and the user base is very small. Good luck!

[Q] About EMF - magnetic field and radiation detector

There are lots of apps that claim to detect magnetic fields (other calls ghost detector or metal detector)
How reliable or how much you can rely on the above applications?
Can it really measure any magnetic field / radiation ?
If so - what kind of fields can it measure?
Else - is it a bullshiat?
I want to buy a device that measure radiation low&high frequencies and also rely as much as it can - such as Cornet ED65/78..
There is any recommendations for something you can trust but not expensive?

Technically speaking, mobile phones are designed to detect electromagnetic wave (Usually radio frequencies). But usually smartphones have additional sensors such as a magnetometer, mainly to detect direction and point locations.
So some apps exploit this feature, but they're pretty much not that accurate due to interference and background noise, so pretty much not that reliable for scientific use per say.
Here is a good article that shed the light on the subject.
Unfortunately I'm not an expert in the "Applied Physics" field so I can't help you much in your search for a good EMF meter! But I know someone who knows someone who knows.

-
silv3rfox said:
Technically speaking, mobile phones are designed to detect electromagnetic wave (Usually radio frequencies). But usually smartphones have additional sensors such as a magnetometer, mainly to detect direction and point locations.
So some apps exploit this feature, but they're pretty much not that accurate due to interference and background noise, so pretty much not that reliable for scientific use per say.
Here is a good article that shed the light on the subject.
Unfortunately I'm not an expert in the "Applied Physics" field so I can't help you much in your search for a good EMF meter! But I know someone who knows someone who knows.
Click to expand...
Click to collapse
Thanks for the reply and the links! :good:
I search for mainly low freq - electrical devices at home, the "recommended" radiation is ~2mG so it need to be a bit sensitive/accurate. Also I don't want to spent a lot of money on this device that most of the time will be into the drawer..
I've found some of these measurer, hope to get some recommendation or focus on one [or other non on the list] of them:
1. EMF ELF Magnetic Field Meter = 30Hz~300Hz ~70.27$
2. TENMARS TM-191 30Hz~300Hz ~75$
3. EMF ELF Magnetic Field Meter = 30Hz~300Hz ~75.33$
4. Cornet ED25G = 100Mhz-3Ghz - 108.9$
5. Cornet ED65 = 100MHz-6GHz - 139.9$
6. TM-195 Tenmars 3 Axis 50MHz ~ 3.5GHz 149$
7. 3-Axis Gaussmeter EMF ELF = 30 ~ 2000 Hz - 155.9$

[GUIDE] Reversing of insertions for ARM-based mobile phones

Author: Apriorit (Research and Reverse Engineering Team)
Permanent link: www(dot)apriorit(dot)com/dev-blog/76-reversing-of-mobile-phones-insertions
Once we faced the need to investigate how Samsung cellular phones work; we required some information from them, which is not documented (and will never be, for sure). So this article is about interesting points our reverser had met while working with Samsung cellular phones firmware.
Reversing of Insertions for ARM-based Mobile Phones
I have managed to research insertions of all Samsung' generations, including CDMA (except for the smartphones only). In every Samsung phone the ARM-compatible processor with a set of ARM7TDMI commands is used. Insertions are built on the basis of three OS: RTCX, RTK, Nucleus, and compiled on different compilers. I have seen insertions compiled on ADS (SDT) and IAR.
On forums people call Samsung's generations in different way: somebody divides them into Gumi/Suvon (2 cities in Korea), others give code names - "Sysol", "Agere", "VLSI", "Conexant" and "Ancient". I have come to a conclusion that it's more correctly to divide them according to the phone processor.
Processor Models
OM6357 (aka Sysol) E100, E700, E720, E800, E820, S50x, X100, X460, X60x
M46 (aka Conexant) A100, A110, A200, A300, A400, M100, T208
SkyWorks (aka Conexant) C100, C108, C110, P510, P518
ONE-C (aka VLSI) R2XX, Nxxx, Txxx(except for T208)
Trident (aka Agere) Dxxx, Qxxx, Sxxx(except for S50x), Vxxx, C200, E105, E310, E400, E600, E710, E810, X105, X400, X42x, X450 etc.
MSMxxxx all CDMA
Hope, I haven't made any mistakes in this list. )
According to the list, insertions within the same generation are very similar and, to be honest, sometimes they are twins at all (with extremely slight changes). For example, in X100 there are obvious traces of E100/E700/X600 - why then there is a code for working with the second display, camera and IRDA, which it didn't have in a whole life?
Naturally, OS is the same for the whole generation:
OM6357 - RTK
M46 - RTCX OSE
SkyWorks - RTCX OSE
ONE-C - RTK
Trident - Nucleus
MSMxxxx - don't know exactly, it might be any OS from Qualcomm. It's just clear that they are collected to ADS/SDT.
If you are going to investigate the low level, then SDK from corresponding OS will be to the point. Another helpful thing is the symbolical information, which can be met in some insertions archives. Sometimes you can come across the insertions with .lst, .sym, .map, .out files, containing the information, extremely useful in researches. In particular, such files occur in almost all C100, S500 insertions. When talking about the other models, the situation is worse and you have to content yourself with symbols signatures, made for insertion of the same generation. For example, for M46 I have managed to find just one insertion with symbols and it was from A110. But signatures made from it perfectly lie down on A200, A300 etc.
Interpretation of the symbolical information
MAP format
.map files contain the information on modules included in the insertion and look like
Code:
Base Size Type RO? Name
0 20 CODE RO AAA_vectors from object file obj/isr.o
20 38e8 CODE RO C$$code from object file../../src/t9latin.o
3908 30 CODE RO C$$code from object file obj/mmi_date.o
3938 5a4 CODE RO C$$code from object file hw_slow.o
3edc 874 CODE RO C$$code from object file rtkgo.o
etc.
where
Base - displacement in an insertion file.
Size - length.
Type - region type.
RO? - region access type.
Name - original file name, part of which was included in the insertion
How all this can be interpreted? For example, this way: starting with displacement 20, there is a block of the code (CODE) 38e8 length - it's an access to Read Only block. The fact that block has CODE attribute is far from being means that the WHOLE area is filled with a code. Actually, it is a code plus data, just as if the block has DATA type it does not mean that it is necessary to make it all by data in IDA.
Without the names/symbols file this information can be used only for determination of insertion code size (i.e. to not get into the graphics). Therefore, we will better examine SYM format.
SYM Format
.sym files are the mines of information. They look like:
Code:
Symbol Table
AAA_vectors$$Base 000000
AAA_vectors$$Limit 000020
VectorMap$$Base 1006a3c
VectorMap$$Limit 1006a60
isr$$Base 12774c
isr$$Limit 127bb0
gl_MaskIT 1000078
Rtk_RegionCount 100564c
rtk_WorthItSched 10056a0
Rtk11_Schedule 11f5c8
etc.
It is a little bit easier here, because the name-address correspondence exists. But as for the addresses, there are some secrets - a set of names exists, containing $ sign and having the special status. Symbols with $$Base at the end indicate the beginning of virtual address space area, $$Limit indicates the end. I.e. here we have the information on segments. It is possible to make a memory map of these segments and see how the parts of binary code are being thrown to different addresses. Building memory map should be started with such symbols:
Code:
Image$$RO$$Base 000000
Image$$RO$$Limit 1afef4
Image$$RW$$Base 1000000
Image$$RW$$Limit 107dad4
Image$$ZI$$Base 1006a60
Image$$ZI$$Limit 107dad4
RO - Read Only, indicates code addresses.
RW - Read/Write i.e. it is RAM.
ZI - Zero Initialized. RAM, which is being stuffed with zero values when mobile phone is turned on.
Thus segments can be easily created on these addresses. Now we look further:
Code:
AAA_vectors$$Base 000000
AAA_vectors$$Limit 000020
C$$code$$Base 000020
C$$code$$Limit 127310
C$$code$$__call_via$$Base 127310
C$$code$$__call_via$$Limit 127320
Example$$Base 127320
Example$$Limit 127324
HAL_boot$$Base 127324
HAL_boot$$Limit 12735c
RtkCode$$Base 12735c
RtkCode$$Limit 127408
SysSupportCode$$Base 127408
SysSupportCode$$Limit 12744c
boot$$Base 12744c
boot$$Limit 127654
clib$$Base 127654
clib$$Limit 12774c
isr$$Base 12774c
isr$$Limit 127bb0
C$$constdata$$Base 127bb0
C$$constdata$$Limit 1afef4
C$$data$$Base 1000000
C$$data$$Limit 1005a38
Stacks$$Base 1005a38
Stacks$$Limit 1006a3c
VectorMap$$Base 1006a3c
VectorMap$$Limit 1006a60
C$$zidata$$Base 1006a60
C$$zidata$$Limit 107dad4
In this interesting way they go one after another. If you wish, it is possible to divide them into segments to corresponding addresses, but this is merely a logic division. Moreover, in .sym file these lines are scattered badly. And more sooner or later a question appears: why the code size is 1afef4, if length of insertion file is 1b6950? Where to put the rest 6a60 byte? We look again on the initial memory map:
Code:
Image$$RW$$Base 1000000
Image$$RW$$Limit 107dad4
Image$$ZI$$Base 1006a60
Image$$ZI$$Limit 107dad4
RAM ends on 107dad4 address, block 1006a60-107dad4 is zero initialized, hence there is a question: what does initialize the 1000000-1006a60 block, which size is exactly 6a60? Absolutely right, those odd bytes. If analyse the OS start code, then in the RAM initialization procedure you will find the same copying.
In the newer insertions there is a chance to come across the next inscriptions:
Code:
Load$$IRAM$$Base 639a74
Image$$IRAM$$Base 2010000
Image$$IRAM$$Length 0015a4
They should be understood this way: data of 15a4 length are being loaded from 639a74 file displacement to the 2010000 address.
We continue the analysis of symbols with the $ sign:
x$litpool$ - Literal Pool, pieces of the data from functions. At the end of many functions indexes, lines, constants are placed, and x$litpool$ specifies the beginning of such constants.
x$litpool_e$ - Literal Pool end.
$T is merely for debugger. Indicates the addresses where the PC register change take place. So, at these addresses transition commands BL/BEQ/B/BX etc. are placed.
$$- addresses where there is a change of ARM/THUMB state.
There are also C$$code symbols, but I haven't found what it is.
Other names without $ sign are the names for constants and functions. They can be freely used.
If the archive with an insertion contains both MAP and SYM, it is an ideal variant - when you set a name taken from SYM it is possible to check up whether it lays in the code area by using data from MAP. If yes, we may freely indicate it as code not being afraid, that code/data will be determined in IDA incorrectly.
LST Format
It's a real paradise for a reverser, in these files lays all at once. They consist of five parts:
Image Symbol Table - symbols... their meaning I have not understood yet
Local Symbols - everything is clear from the name
Global Symbols - .sym file analogue.
Memory Map of the image - memory map! All at once!
Image component sizes - .map file analogue
The information is so detailed, that even the processor mode for each function is specified.
OUT Format
Have met it only in the Nucleus-based insertions. Here can be tlink.out and tsymb.out files:
tsymb.out - ordinary SYM
think.out - MAP file to which almost useless linker information is added.
Now when we are armed with the symbolical information we can load the insertion in IDA.
What to do if there are no symbols at all
"When there is no toothbrush at hand..." Yes, we take IDA, emulating debuggerand brains in the hands. IDA is "must have". The emulating debugger for ARM, called Trace32, can be taken here.
First of all, we load the insertion in IDA to 0 address. I.e. the whole insertion is being loaded to default addresses. Then look what is on 0 address.
Code:
BOOT:00000000 B ResetHandler
BOOT:00000004 B loc_3B4
BOOT:00000008 B loc_410
BOOT:0000000C B loc_42C
BOOT:00000010 B loc_488
etc.
The code in any case begins with 0 address. In all Samsungs and, as I guess, not only in Samsungs an insertion begins with the interruption vectors. These are eight B commands in ARM state, i.e. 8 vectors. 0 address is a vector of null interruption or insertion start/restart. This zero interruption simply starts the mobile phone and thus handler leads to the system loader:
Code:
BOOT:00000048 ResetHandler; CODE XREF: BOOT:loc_0 _ j
BOOT:00000048 MRS R0,CPSR
BOOT:0000004C BIC R0,R0,#0x1F
BOOT:00000050 ORR R0,R0,#0x13
BOOT:00000054 ORR R0,R0,#0xC0
BOOT:00000058 MSR CPSR_cxsf,R0
BOOT:0000005C LDR R3,=(InitialHWConfig+1)
BOOT:00000060 MOV LR,PC
BOOT:00000064 BX R3
If the jump from zero address goes to the non-existent address it means that the rest part of the code is mapped to some other addresses. It's easy to determine to which exactly. For example, we have such beginning:
Code:
BOOT:00000000 B 0x4003CE
And there is no code on the 4003CE address. We look on 3CE displacement and see an ARM-code. It means the rest part of insertion is displaced on 0x400000. So we have to copy piece of insertion with interruption handlers, load them to zero address and then load an insertion from 400000 address. Now our code is in the right place. We go further. It is necessary to find out where are the RAM and area of input/output ports. The ports are usually either in the end (addresses from about e0000000 and higher) or in the beginning of the memory (up to 0x200000), depending on where the insertion is being loaded. There can be several RAM areas. First of all, we see ports initialization:
Code:
BOOT:00000588 MOV R1,#1
BOOT:0000058A LDR R0,=0xE0006000
BOOT:0000058C LSL R1,R1,#0x1B
BOOT:0000058E STR R1,[R0]
BOOT:00000590 STR R1,[R0,#0x10]
BOOT:00000592 STR R1,[R0,#0x20]
BOOT:00000594 LDR R1,=loc_20102
BOOT:00000596 LDR R0,=0xE0003040
BOOT:00000598 STR R1,[R0, #4]
BOOT:0000059A LDR R1,=0x20003
BOOT:0000059C STR R1,[R0, #8]
BOOT:0000059E LDR R0,=0xE0003000
BOOT:000005A0 MOV R1,#0xC
BOOT:000005A2 STR R1,[R0,#0x24]
I.e. since around E0000000 there is an area of input/output ports. Its size doesn't exceed the size of segment and therefore it's possible to create a segment of 0x10000 size. Now we go further. In any insertion there are RAM area which is initialized by zero values and the area which is filled by initial settings which are taken from an insertion. We are looking for copy cycles, so we need the debugger.
Here we see copying:
Code:
BOOT:000000D4 LDR R0,=0x63B018
BOOT:000000D8 LDR R1,=0x1000000
BOOT:000000DC LDR R3,=0x1045B38
BOOT:000000E0 CMP R1,R3
BOOT:000000E4 BEQ loc_F8
BOOT:000000E8
BOOT:000000E8 loc_E8; CODE XREF: BOOT:000000F4 _ j
BOOT:000000E8 CMP R1,R3
BOOT:000000EC LDRCC R2,[R0],#4
BOOT:000000F0 STRCC R2,[R1],#4
BOOT:000000F4 BCC loc_E8
The block is being copied from 63B018 address to 1000000 address of insertion. The length is 45B38.
This is the first RAM area. Now we look for the second one, whose zero initialization should be nearby:
Code:
BOOT:000000F8 LDR R1,=0x11ED9E4
BOOT:000000FC MOV R2,#0
BOOT:00000100 CMP R3,R1
BOOT:00000104
BOOT:00000104 loc_104; BOOT:00000108 _ j
BOOT:00000104
BOOT:00000104 STRCC R2,[R3],#4
BOOT:00000108 BCC loc_100
Indeed, there is a stuffing with zero values in the area from 1045B38 to 11ED9E4, so here we have the second part. If there are any areas, then there will certainly be zero or copy initialization. Other memory pieces can be found only analytically, but we have got the basis already.
The further research depends on the presence of symbols/signatures. If yes, then everything comes to looking for the necessary function in the names list. What to do if not? First of all, it is necessary to determine approximate code bounds and, if possible, to find functions in the code. The most primitive and effective way is to search for a push command with which 60 % of insertion code begins. Insertion code usually consists of Thumb code on 90 %, so we should look for B5 byte (push) and try to define it as the code in IDA. Insertion code usually takes less than 50 % of the whole size, the rest part is for graphics and language resources. Else I can say that very often at the end of the code there are copyrights lines, a kind of "Samsung corp. 199x-200x ARM ADS 1.2".
Some code has been revealed, around 20% were harmed by IDA itself, because it often can't cope with THUMB/ARM transition. And now we have to take anything left lying around loose, i.e. what had been left by programmers. And what they had left? Trace and Assert. And any trace and assert doesn't go without sprintf/printf. We have to find it. It's easy - we should just look for the "%s" line. We need that which obviously contains a pattern of the error message. With xref we find where this line is used and it will be exactly sprintf, followed by Trace or Assert. Now, with basing on the error messages, we can name the functions. I.e. walking with xref to the Trace/Assert function, we can find output of more than half of mistakes. Further functions naming is possible by searching the following words:
Code:
Bad
Fail
Incorrect
Invalid
Error
Memory
File
Null
No
Critical
Abnormal
etc.
This way we will find some more error output functions. Thus we will gradually gain the information, not being based on anything except for the insertion.

Crazy PPG data

Hi,
Does anybody know how to interpret the data coming from the Watch 2's PPG sensor (not heart rate, but the raw PPG values themselves)? For reference, PPG data is usually 1-2 traces (for red and/or green wavelengths), centered at 0 with a range of +/-1000, depending on the presentation (sometimes capillary blood volume, sometimes blood pressure).
The raw PPG data coming from the Watch 2, however, has a crazy format: each reading is a length-16 array of floats; the first, second and fourth values (indices 0, 1, and 3) are either numeric or NaNs; the third value (index 2) is always numeric; the remaining 12 values are always 0.0. To make things weirder, the ranges of the numeric values are very small, and centered around ~10^-40.
That said, the third value (index 2) does provide something that is recognizable as a PPG trace when plotted. But we can't figure out what the other values represent, why some of them are often NaN and others are always 0, and why the value range is so small and centered around 10^-40 (roughly).
If anybody has more experience with the raw PPG readings from this device, any thoughts would be appreciated. I reached out to Texas Instruments (makers of the AFE4405 PPG board used in the Watch 2) and they said they had no idea -- the crazy data is a Huawei thing, not TI.
Many thanks,
Erik

Any progress?
I'm working on it and I found a similar situation. I wonder how do you know the PPG sensor integrated is AFE4405. I have browsed the instruction page for AFE4405 on the official TI website, but I found no valuable information. Do you have any progress these days? Thanks a lot!!
erisinger said:
Hi,
Does anybody know how to interpret the data coming from the Watch 2's PPG sensor (not heart rate, but the raw PPG values themselves)? For reference, PPG data is usually 1-2 traces (for red and/or green wavelengths), centered at 0 with a range of +/-1000, depending on the presentation (sometimes capillary blood volume, sometimes blood pressure).
The raw PPG data coming from the Watch 2, however, has a crazy format: each reading is a length-16 array of floats; the first, second and fourth values (indices 0, 1, and 3) are either numeric or NaNs; the third value (index 2) is always numeric; the remaining 12 values are always 0.0. To make things weirder, the ranges of the numeric values are very small, and centered around ~10^-40.
That said, the third value (index 2) does provide something that is recognizable as a PPG trace when plotted. But we can't figure out what the other values represent, why some of them are often NaN and others are always 0, and why the value range is so small and centered around 10^-40 (roughly).
If anybody has more experience with the raw PPG readings from this device, any thoughts would be appreciated. I reached out to Texas Instruments (makers of the AFE4405 PPG board used in the Watch 2) and they said they had no idea -- the crazy data is a Huawei thing, not TI.
Many thanks,
Erik
Click to expand...
Click to collapse

Same situation as above
Hello! I'm facing the same situation too. I was looking into the Float array of this sensor and I've got same values. So we should figure it out a way to represent this data in a PPG chart...
Any ideas?
I will let you know if I find something useful.
Kind regards,
Angel
erisinger said:
Hi,
Does anybody know how to interpret the data coming from the Watch 2's PPG sensor (not heart rate, but the raw PPG values themselves)? For reference, PPG data is usually 1-2 traces (for red and/or green wavelengths), centered at 0 with a range of +/-1000, depending on the presentation (sometimes capillary blood volume, sometimes blood pressure).
The raw PPG data coming from the Watch 2, however, has a crazy format: each reading is a length-16 array of floats; the first, second and fourth values (indices 0, 1, and 3) are either numeric or NaNs; the third value (index 2) is always numeric; the remaining 12 values are always 0.0. To make things weirder, the ranges of the numeric values are very small, and centered around ~10^-40.
That said, the third value (index 2) does provide something that is recognizable as a PPG trace when plotted. But we can't figure out what the other values represent, why some of them are often NaN and others are always 0, and why the value range is so small and centered around 10^-40 (roughly).
If anybody has more experience with the raw PPG readings from this device, any thoughts would be appreciated. I reached out to Texas Instruments (makers of the AFE4405 PPG board used in the Watch 2) and they said they had no idea -- the crazy data is a Huawei thing, not TI.
Many thanks,
Erik
Click to expand...
Click to collapse

Conclusion
angelrc96 said:
Hello! I'm facing the same situation too. I was looking into the Float array of this sensor and I've got same values. So we should figure it out a way to represent this data in a PPG chart...
Any ideas?
I will let you know if I find something useful.
Kind regards,
Angel
Click to expand...
Click to collapse
We eventually gave up on the device for various reasons, but we did get in touch with a research team at Oxford who had published some work using the HW2's PPG sensor. They reached the same conclusion that we had: only the third trace is useful, the rest is basically noise. They had a little bit more information about what the traces represented (one turns out to be infrared, which is used to detect when the sensor is being worn), but nothing that fundamentally cleared up the odd data format.
In short, if you need PPG from the device, index 2 in each float array will give useful data. Consider the rest noise.
If you come up with anything better I'd be interested to know.
Best,
Erik

Sensor
mauriceluo69 said:
I'm working on it and I found a similar situation. I wonder how do you know the PPG sensor integrated is AFE4405. I have browsed the instruction page for AFE4405 on the official TI website, but I found no valuable information. Do you have any progress these days? Thanks a lot!!
Click to expand...
Click to collapse
If you Google around there's a way to force a dump of various specs on the watch. If you do that, you get a reference to the AFE4405. See my reply below, but in short the third trace is meaningful, the rest can be considered noise.
Best,
Erik

erisinger said:
We eventually gave up on the device for various reasons, but we did get in touch with a research team at Oxford who had published some work using the HW2's PPG sensor. They reached the same conclusion that we had: only the third trace is useful, the rest is basically noise. They had a little bit more information about what the traces represented (one turns out to be infrared, which is used to detect when the sensor is being worn), but nothing that fundamentally cleared up the odd data format.
In short, if you need PPG from the device, index 2 in each float array will give useful data. Consider the rest noise.
If you come up with anything better I'd be interested to know.
Best,
Erik
Click to expand...
Click to collapse
Perfect. Thank you so much for your answer. Sincerely, Angel

erisinger said:
We eventually gave up on the device for various reasons, but we did get in touch with a research team at Oxford who had published some work using the HW2's PPG sensor. They reached the same conclusion that we had: only the third trace is useful, the rest is basically noise. They had a little bit more information about what the traces represented (one turns out to be infrared, which is used to detect when the sensor is being worn), but nothing that fundamentally cleared up the odd data format.
In short, if you need PPG from the device, index 2 in each float array will give useful data. Consider the rest noise.
If you come up with anything better I'd be interested to know.
Best,
Erik
Click to expand...
Click to collapse
Hi Erik,
Thanks for providing the information. It is really helpful. We also want to use some smartwatch to get the raw PPG data. As you said, you gave up the Huawei Watch 2. Would you please give me some information about what device you choose now?
Thanks very much,
Ruixuan

TTworld said:
Hi Erik,
Thanks for providing the information. It is really helpful. We also want to use some smartwatch to get the raw PPG data. As you said, you gave up the Huawei Watch 2. Would you please give me some information about what device you choose now?
Thanks very much,
Ruixuan
Click to expand...
Click to collapse
Hi Ruixuan,
We ended up going with the MotionSense HRV (https://md2k.org/software/how-to/supported-sensors.html) built by Ohio State University. I'm not sure what the availability is like outside of academic research circles, but you could reach out to MD2K for more information.
Best,
Erik

erisinger said:
Hi Ruixuan,
We ended up going with the MotionSense HRV built by Ohio State University. I'm not sure what the availability is like outside of academic research circles, but you could reach out to MD2K for more information.
Best,
Erik
Click to expand...
Click to collapse
Hi Erik
Thanks very much. We are also in research. We may dig further into the Android Watch a bit, since it has great flexibility.
Regards,
Ruixuan

Help please!
Hey! I am also working on a Huawei Smart watch, and facing the same concerns as you. My values are in the range 10^-40s, and none of the event indices seem to give values that, when plotted resemble a PPG. Here is what I am trying, is this the index 2 that you have mentioned? Any guidance welcome!
if (event.sensor.getType() == 65537 &&
event.values.length > 0){
Float instant_HR = event.values[2]);