Can anyone suggest a way for me to cross-compile binaries for QNX 6.2, on armle? (specifically, ARM9)
I& #39;ve tried looking at the official methods and it doesn& #39;t look like there& #39;s really a way to get this setup without spending lots of money (and I& #39;m not even sure that would work)
                    
                                    
                    I& #39;ve tried looking at the official methods and it doesn& #39;t look like there& #39;s really a way to get this setup without spending lots of money (and I& #39;m not even sure that would work)
                        
                        
                        and the problem with googling things like "GCC FOR QNX" is that it gives me options like running GCC on QNX, which is great, except I don& #39;t have a working QNX 6.2 arm machine I could run GCC on... except the one I& #39;m compiling for.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        so I want to compile elsewhere, and then move the binaries over.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        and I can get a 30-day evaluation copy of QNX... but they& #39;re gonna give me QNX 7.0 which isn& #39;t the version I need, plus I don& #39;t have an arm9 system to run it on. 
(and I& #39;m not sure if I even could run QNX 7.0 X86 and crosscompile to armle)
                    
                                    
                    (and I& #39;m not sure if I even could run QNX 7.0 X86 and crosscompile to armle)
                        
                        
                        there is an openQNX project, but it& #39;s not exactly gonna help because step one in compiling it is "install QNX 6.4.0" https://github.com/vocho/openqnx ">https://github.com/vocho/ope...
                        
                                                
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        I did find a download on their site of the QNX Dev Platform 6.5.0 for x86 which I figured might be close enough to try getting started, but it demands a license key and won& #39;t take my license key (probably because it& #39;s QNX 7.0 only?)
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        although if I tell it to run off the CD instead of installing... I& #39;m at a desktop in about 4 seconds.
QNX is pretty neat.
                    
                                    
                    
                    
                                    
                    QNX is pretty neat.
                        
                        
                        ok so there& #39;s a QNX Software Center which lets you manage installations, so hopefully it& #39;ll help me get to the point of getting a license key for 6.2 (or 6.5)
amusingly, it& #39;s written in java, and built on top of Eclipse.
                    
                                    
                    amusingly, it& #39;s written in java, and built on top of Eclipse.
                        
                        
                        nope, it just lets me install QNX 7.0 SDK. I don& #39;t think 7.0 QNX binaries are backwards compatible... but I don& #39;t know! so maybe I should do that anyway.
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                    
                                    
                    
                        
                        
                        the official download site has lots of potentially interesting sections like this, the SDK for 6.4...
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        but clicking them says "OK ENTER YOUR SERIAL NUMBER AND PASSWORD" which obviously I don& #39;t have. 
So that& #39;s not an option.
                    
                                    
                    So that& #39;s not an option.
                        
                        
                        so I& #39;ve got the QNX 7.0 SDK installed and it includes a lot of armle binaries, so let& #39;s try copying one of those over and seeing if they run...
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        nope.
weird error, but I& #39;m guessing it& #39;s just mis-identified because QNX 6.2 doesn& #39;t know how to run a QNX 7.0 binary
                    
                                    
                    weird error, but I& #39;m guessing it& #39;s just mis-identified because QNX 6.2 doesn& #39;t know how to run a QNX 7.0 binary
                        
                        
                        so it turns out an ISO of the 6.3.2 SDK is on the internet archive... let& #39;s see if I can install this.
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                    
                                    
                    
                        
                        
                        and it appears they both de-metadata (they& #39;re named by their hash!) and encrypt the files inside the installer, so I can& #39;t just yoink out a binary or two
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        although the hashes don& #39;t match the files as-is: so I think they& #39;re accessed by the hash of the unencrypted file. huh.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        I& #39;m not saying I& #39;m trying to bypass the serial check, but it does some amusing things:
first of all, there& #39;s valid serials that were leaked on the openqnx forum, but they& #39;re all expired now.
So just set your windows clock back, right?
                    
                                    
                    first of all, there& #39;s valid serials that were leaked on the openqnx forum, but they& #39;re all expired now.
So just set your windows clock back, right?
                        
                        
                        except... it doesn& #39;t work.
So, see, it doesn& #39;t actually check your windows clock: it checks your BIOS clock.
Sneaky!
So you set the BIOS clock back, and... it doesn& #39;t work.
                    
                                    
                    So, see, it doesn& #39;t actually check your windows clock: it checks your BIOS clock.
Sneaky!
So you set the BIOS clock back, and... it doesn& #39;t work.
                        
                        
                        because it turns out it also looks through your hard drive (presumably like C:\ and C:\Windows) and if it sees any files with a last-modified date later than your BIOS date, it uses that date instead.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                    
                                    
                    
                        
                        
                        but that means to get it working you& #39;d need to install an OS fresh on a machine which had had the clock set back prior to installation, to ensure there were no late-dated-files on the drive.
And who would go to all that effort just to run an old SDK installer?
                    
                                    
                    And who would go to all that effort just to run an old SDK installer?
                        
                        
                        why yes, windows XP, it& #39;s definitely 2004, I turned off virtualbox& #39;s time sync, I set the BIOS back using a DOS boot disk, and I definitely don& #39;t have a network connection
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        ahh, dang it. this is service pack 3, which has some files from 2008. 
REINSTALL TIME
                    
                                    
                    REINSTALL TIME
                        
                        
                        SP2 was 2004, so it should be fine.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        And yes, I could probably do this faster by writing a script to search the hard drive and change all the timestamps, but reinstalling XP is mostly automated and the non-automated parts I can do in my sleep.
So just doing a reinstall may be "slower" but takes less Foone-CPU-time
                    
                                    
                    So just doing a reinstall may be "slower" but takes less Foone-CPU-time
                        
                        
                        so I can be doing other things while it reinstalls.
like eating a burrito
                    
                                    
                    
                    
                                    
                    
                    
                                    
                    
                    
                                    
                    like eating a burrito
                        
                        
                        gonna boot a livecd, mount the windows partition, and recursively search for later-than-2004 files.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        I just said fuck it and changed every file on the partition to have a modification time of 4:20 am June 23, 2004
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        annoyingly, linux (somehow) loaded the correct time instead of the wrong one I stuffed into the BIOS, so then when I rebooted back into windows, it was 2020 again, and now all my work on fixing dates has been undone
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                    
                                    
                    
                        
                        
                        OK I got it working by applying Tech Support Action  #1: turn it off and on again
and Tech Support Action #2:
Do Action #1 again
and we& #39;re back to fixing the file times
                    
                                    
                    
                    
                                    
                    and Tech Support Action #2:
Do Action #1 again
and we& #39;re back to fixing the file times
                        
                        
                        apparently it doesn& #39;t check creation times.
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        ok! we have an armle target for qnx 6.3.2.
Let& #39;s grab a binary out of /usr/bin and see if it runs on the remote...
                    
                                    
                    Let& #39;s grab a binary out of /usr/bin and see if it runs on the remote...
                        
                        
                        although I have no network and no virtualbox extensions... how do I get files off the VM?
floppy disks, of course. Virtual ones, but that& #39;s still floppy disks!
                    
                                    
                    
                    
                                    
                    floppy disks, of course. Virtual ones, but that& #39;s still floppy disks!
                        
                        
                        so they& #39;re both armle-qnx 6.3.2, so I bet the ones for the harmony remote had to be compiled with special options, because the armle target binaries are for a newer arm/different ARM than the remote uses.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                    
                                    
                    
                    
                                    
                    
                        
                        
                        or I could try installing the Board Support Package for the Freescale i.MX21. This may just give me the right binaries I need.
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        setting up the BSP didn& #39;t really help, so I& #39;m looking into compiler options again.
It& #39;s using... GCC 2.95.3? good lord. fortunately that& #39;s the oldest one they have on the GCC docs page...
                    
                                    
                    It& #39;s using... GCC 2.95.3? good lord. fortunately that& #39;s the oldest one they have on the GCC docs page...
                        
                        
                        ok, so, back to the hardware thread: the CPU is specifically a ARM926EJ-S. 
So I need to make sure GCC is targeting that.
                    
                                    
                    So I need to make sure GCC is targeting that.
                        
                        
                        That should be compatible with arm9tdmi, but nope, I& #39;m getting a Memory Fault when I try to run it. 
maybe it& #39;s using the wrong ABI?
                    
                                    
                    maybe it& #39;s using the wrong ABI?
                        
                        
                        so it turns out it doesn& #39;t just have GCC 2.95.3, it also has GCC 3.3.5, it just defaults to 2.95.3
I don& #39;t know why.
ANYWAY, let& #39;s see if gcc 3.3.5 can give us better control over what is being generated
                    
                                    
                    I don& #39;t know why.
ANYWAY, let& #39;s see if gcc 3.3.5 can give us better control over what is being generated
                        
                        
                        compiling for arm920 gives me illegal instructions.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        same for arm920t
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        OK SO helloworld6 (which does nothing but return with exit status 7) errors out at ip=00100418.
Let& #39;s load it into Ghidra and see what 00100418 is .
                    
                                    
                    
                    
                                    
                    Let& #39;s load it into Ghidra and see what 00100418 is .
                        
                        
                        so if we go over to a command that definitely works, like the "hao" binary off the remote, we& #39;ll see that it starts with... cpy. 
encoded in exactly the same way.
THE FUCK!?
                    
                                    
                    encoded in exactly the same way.
THE FUCK!?
                        
                        
                        so all I can guess then is that the binary isn& #39;t getting loaded properly: the first command of _start isn& #39;t actually THERE, it& #39;s something else or gibberish.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        my kingdom for gdb!
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        although I was assuming I don& #39;t have gdb, someone in a private message pointed out that QNX doesn& #39;t have a native gdb interface, instead it uses "qconn" to present a remote interface for a GDB running on another system
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Naturally this remote wouldn& #39;t ship with qconn, though, that& #39;d just be silly...
OH MY GOD IT DOES
                    
                                    
                    OH MY GOD IT DOES
                        
                        
                        now I just gotta figure out how to get my VM to talk to the remote.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        well it& #39;s talking to the remote, but failing to load some kind of file. I suspect this is a path issue, since it seems to be using cygwin... I bet it& #39;s trying to give it a full path (starting with C:\) and cygwin doesn& #39;t like it
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        yeah, it& #39;s confirming it connected properly.
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                    
                                    
                    
                        
                        
                        and if I run the debugged executable from the command line... it still works.
... did I just have to compile for debug? is that all this was? release mode doesn& #39;t work?
                    
                                    
                    ... did I just have to compile for debug? is that all this was? release mode doesn& #39;t work?
                        
                        
                        ok, no, it& #39;s not that simple.
Because if I compile the program for debug, I end up with a
14,597 byte Hello World program that doesn& #39;t work, it throws a memory fault.
but if I run the remote-debug option, it copies over a 14,611 byte binary THAT DOES.
                    
                                    
                    Because if I compile the program for debug, I end up with a
14,597 byte Hello World program that doesn& #39;t work, it throws a memory fault.
but if I run the remote-debug option, it copies over a 14,611 byte binary THAT DOES.
                        
                        
                        this is the download page.
Something about this way of downloading a binary causes it to be a slightly different file that works
                    
                                    
                    
                    
                                    
                    
                    
                                    
                    
                    
                                    
                    Something about this way of downloading a binary causes it to be a slightly different file that works
                        
                        
                        My fucking FTP client wasn& #39;t detecting these as binary files for some ungodly reason (IT& #39;S SUPPOSED TO!) and was transferring them in text mode, so it was converting them to and from unix line endings
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        ugh which means all those precompiled programs I was trying to run way back when?
they probably DO work, just my fucking FTP client was corrupting them
                    
                                    
                    
                    
                                    
                    they probably DO work, just my fucking FTP client was corrupting them
                        
                        
                        the moral of the story is that life is a lot easier when you& #39;re not a big fucking idiot
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        ok, so, what next? 
obviously everyone wants doom, but I& #39;m not sure this thing is even running photon, the QNX windowing system. it might be doing raw framebuffer stuff
                    
                                    
                    obviously everyone wants doom, but I& #39;m not sure this thing is even running photon, the QNX windowing system. it might be doing raw framebuffer stuff
                        
                        
                        which& #39;d mean the existing QNX-DOOM port wouldn& #39;t work.
so we& #39;d have to write a new one, one that targets the framebuffer.
that can be done. Time to investigate and see how we can draw to the screen.
                    
                                    
                    so we& #39;d have to write a new one, one that targets the framebuffer.
that can be done. Time to investigate and see how we can draw to the screen.
                        
                        
                        so if we go look in /etc/system/config, we can see there& #39;s a bunch of config files, for keymaps and "GF"s, and display.conf.
display.conf lists links to all these conf files...
                    
                                    
                    display.conf lists links to all these conf files...
                        
                        
                        which look like this.
All these displays seem to be 320x240, or 240x320.
Great for doom, actually, since it& #39;s native resolution is 320x200.
                    
                                    
                    All these displays seem to be 320x240, or 240x320.
Great for doom, actually, since it& #39;s native resolution is 320x200.
                        
                        
                        But which one of these configurations are we using?
The cradle for this device said it& #39;s vodka. So hopefully that& #39;s right, and we can narrow it down to vodka, but there& #39;s two vodkas:
gf_vodka_innoxlux.conf
gf_vodka_wintek.conf
                    
                                    
                    
                    
                                    
                    
                    
                                    
                    The cradle for this device said it& #39;s vodka. So hopefully that& #39;s right, and we can narrow it down to vodka, but there& #39;s two vodkas:
gf_vodka_innoxlux.conf
gf_vodka_wintek.conf
                        
                        
                        lots of info in here.
Although the interesting part is the vbase and vsize... that sounds like this thing is just memory-mapped.
                    
                                    
                    Although the interesting part is the vbase and vsize... that sounds like this thing is just memory-mapped.
                        
                        
                        vbase of 0xC3C00000 makes since, that& #39;s in the upper 1gb of memory space (and this thing only has 32mb? 64mb?)
and vsize is 0x96000... does that make sense?
                    
                                    
                    and vsize is 0x96000... does that make sense?
                        
                        
                        well, the resolution is 320x240, or 76,800 pixels.
0x96000 is 614400, or exactly 8 times that.
                    
                                    
                    0x96000 is 614400, or exactly 8 times that.
                        
                        
                        8 bytes per pixel doesn& #39;t make a lot of sense, though. 
Maybe it& #39;s incompletely decoded, or it has multiple pages, or something similar?
                    
                                    
                    Maybe it& #39;s incompletely decoded, or it has multiple pages, or something similar?
                        
                        
                        this stuff also says it& #39;s used to configure how the IMX21 talks to the display... maybe we don& #39;t need to talk to the display, maybe we need to talk to the IMX21.
time to find a datasheet
                    
                                    
                    time to find a datasheet
                        
                        
                        also while I& #39;ve got this thing working, I should figure out how to image the flash chip (while running from it)
I did a manual FTP backup of all the files earlier, but that just includes the filesystem, and kinda misses out on some parts
plus it& #39;s corrupt
                    
                                    
                    I did a manual FTP backup of all the files earlier, but that just includes the filesystem, and kinda misses out on some parts
plus it& #39;s corrupt
                        
                        
                        also, shout out to that conf file for having "Reverse Verdtical Scan"
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                    
                                    
                    
                        
                        
                        I just noticed there& #39;s a libasound .so.2 in /usr/flashlite/lib so possibly it does have some actual sound support? 
with good ol& #39; ALSA!
                    
                                    
                    with good ol& #39; ALSA!
                        
                        
                        there& #39;s also the io-audio tool/driver. 
which seems to be way too complicated to just be a beeper
                    
                                    
                    which seems to be way too complicated to just be a beeper
                        
                        
                        ahh, ok: it& #39;s not running photon, but it is running io-display, which is the QNX Graphics Framework server.
So if I want to draw things on screen, I can use the libgf library, or opengl es.
                    
                                    
                    So if I want to draw things on screen, I can use the libgf library, or opengl es.
                        
                        
                        and now I& #39;ve crashed the network stack.
wooo!
                    
                                    
                    wooo!
                        
                        
                        I also gotta figure out how to control whether the LCD is on or off, because apparently that& #39;s not automatic. it& #39;s handled from INSIDE the main flash file... although knowing this stupid thing, it& #39;s probably activated by making an HTTP request to some http endpoint
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        and I killed the network stack AGAIN
DAMN IT LOGITECH YOU HAVE A MEMORY LEAK IN YOUR FTP SERVER.
ON THE REMOTE
SHUT UP
                    
                                    
                    DAMN IT LOGITECH YOU HAVE A MEMORY LEAK IN YOUR FTP SERVER.
ON THE REMOTE
SHUT UP
                        
                        
                        huh. so my QNX 6.3.2 SDK doesn& #39;t seem to have the headers for using libgf.
that& #39;s weird. I& #39;m pretty sure it was used then... but maybe I& #39;m misreading fragmentary docs and there isn& #39;t any libgf for QNX 6.3.2?
                    
                                    
                    that& #39;s weird. I& #39;m pretty sure it was used then... but maybe I& #39;m misreading fragmentary docs and there isn& #39;t any libgf for QNX 6.3.2?
                        
                        
                        basically what I& #39;m saying is 
tfw no gf.h
                    
                                    
                    tfw no gf.h
                        
                        
                        wait, no, libgf .so is on the fucking remote! so it definitely does use libgf.
SO WHERE ARE THE HEADERS
                    
                                    
                    SO WHERE ARE THE HEADERS
                        
                        
                        oh sweet banana flavored jesus, you have to buy a separate license to use libgf, which is discontinued and not supported anymore
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        because I need the "Advanced Graphics TDK" to be allowed to DRAW TO THE FUCKING SCREEN
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        ok so what if I cheat a bunch.
I have the dynamic library, the .so: with that, I can probably generate the matching .lib
but what about the headers? well... I can get some of that by cheating in a different way, the docs:
                    
                                    
                    I have the dynamic library, the .so: with that, I can probably generate the matching .lib
but what about the headers? well... I can get some of that by cheating in a different way, the docs:
                        
                        
                        alternatively, I could kill the Graphics Framework service and write to the LCD myself. might be easier *shrug*
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        so your remote is in power saving mode, and you push a key. how does it wake up?
WELL SOME LUA CODE MAKES HTTP REQUESTS TO THE WEBSERVER, TO START...
                    
                                    
                    WELL SOME LUA CODE MAKES HTTP REQUESTS TO THE WEBSERVER, TO START...
                        
                        
                        the nice thing about this design is that if you want to find out if your remote is muted, you can just plug in the USB cable and wget the settings API
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        because obviously when you push a button it should have to make an HTTP request and then parse some XML to know if it should beep
NO WONDER THIS FUCKER NEEDS A 233MHZ CPU
                    
                                    
                    NO WONDER THIS FUCKER NEEDS A 233MHZ CPU
                        
                        
                        there& #39;s also some sort of other messaging system going on, handled by sys_srv
it seems to be listening for some kind of message, and then responding to them by turning them into lua calls which turns them into HTTP requests
                    
                                    
                    it seems to be listening for some kind of message, and then responding to them by turning them into lua calls which turns them into HTTP requests
                        
                        
                        because god forbid we be consistently overdesigned, no, it makes more sense to have several of them all working differently
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        seems it involves sending UDP packets to port 1600, which get turned into lua through shared memory, and then HTTP
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        so if I want to find out how you encode a packet to tell it to turn the backlight on, I could reverse engineer this binary and these three libraries... 
or I could just kill the sys_srv process and then run my own program listening on port 1600 that dumps what messages it gets.
                    
                                    
                    or I could just kill the sys_srv process and then run my own program listening on port 1600 that dumps what messages it gets.
                        
                        
                        someone& #39;s probably compiled netcat for qnx, right?
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        I& #39;m pretty sure (from looking at the Lua stuff) that the answer is "it sends XML packets around", though.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                    
                                    
                    
                    
                                    
                    
                        
                        
                        OK, I& #39;ve got control over the backlight/LCD-on now.
I basically took the SysService.lua file and hacked out a lot of the functionality until it just turns the lights on, or off.
                    
                                    
                    I basically took the SysService.lua file and hacked out a lot of the functionality until it just turns the lights on, or off.
                        
                        
                        And ten minutes later, the screen is still on.
Interesting. Apparently my way of doing a FUCK YOU, FORCE ON disables the auto-sleep timer.
                    
                                    
                    
                    
                                    
                    Interesting. Apparently my way of doing a FUCK YOU, FORCE ON disables the auto-sleep timer.
                        
                        
                        and my control-the-display scripts still work when io-display is dead. that& #39;s good.
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                    
                
                 
                         Read on Twitter
Read on Twitter 
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                             
                                     
                                    