Tuesday, March 31, 2009

Releases: Thumb Dumb Disassembler & Calculator.searchBundle

Last few weeks I've diverted myself from iKeyEx to the 3.0 VFDecrypt key. The result? Of course it's failure, otherwise you'll see the key on theiphonewiki right now.

But a nice by-product is the "Thumb Dumb Disassembler". For iPhone reverse engineering, if the code is compiled to ARM then ravel-arm can be used to give very useful information. However, if it is compiled to Thumb then ravel can't handle the code correctly. It will treat the code as ARM and output garbage. Sadly, unlike otool, there is no force-Thumb mode in ravel so we can't do much.

When nobody can save you, you have to save yourself. Therefore I've written a disassembler specially for Thumb mode. This disassembler can extract useful data and perform numerical arithmetic linearly (ignoring all branches). I term this Dumb Disassembler as it doesn't perform branch analysis nor symbolic arithmetic. A Smart Disassembler will do both and the result in decompiler-quality output.

The Thumb Dumb Disassembler can be downloaded in thumb-ddis.zip. Unlike other networkpx projects, Thumb Dumb Disassembler is released in GPLv3.

(Sidetrack: What about the VFDecrypt key? In pre-3.0 asr there is a specific __DATA,__restore section to store the key. In post-3.0 asr this is computed in run time using the SHA-1 and SHA-256 keys of the CPU identifier (s5l8900x) and the content of the whole ramdisk. And then I got a 64-char incorrect password from it. There is another way to extract the key: run the asr, put a break point at 0x00011836, and retrieve the CFString at r0. On my device both the 2.2.1 and 3.0 asr Bus-errored me when I try to actually run them.)




Now, let's talk about something not so technical. One of the new customer features in iPhoneOS 3.0 is the Spotlight. But one essential component missing from the Mac OS X Spotlight is the calculator.

When the SDK was just released, some developers noticed the directories /System/Library/SearchBundles/*.searchBundle and it does mean Spotlight is extensible right? Indeed it is.

After disassembling the 2 searchBundles in it, I have a rough idea of how these bundles work. So with minimum effort, I've created this Calculator.searchBundle:

Because 3.0 is not jailbroken yet, only the Simulator version exists. If you have the SDK, you can now download Calculator.searchBundle.zip to test the bundle. The source code is also provided (under BSD license) so you can code up your own.

Note that the 3.0 SDK is not finalized so the code shown here may not work in June.

Saturday, March 21, 2009

3.0 Keyboard Changes


  • The keyboard will now transit (by fading & resizing) between landscape and portrait mode, i.e. the keyboard no longer hides when the orientation is changed (at least in Notes)

  • Emoji got landscape mode

  • Accent view and popup view got less shadows -- I don't like this.

  • When disabling an internal keyboard that was active, the OS no longer reset the whole keyboard list. This means fewer steps to replace internal keyboards by iKeyEx ones. ^_^


I've uploaded a gallery of the extra keyboards and interesting features in 3.0


Some points worth noticing:


  • Even though Arabic and Hebrew are RTL languages Apple doesn't bother to reverse the direction of the delete key. Probably they think it is not very confusing.

  • In Zhuyin, after you entered a consonant in the normal plane, it will automatically switch to the Shift plane for the vowels.

  • In Greek, the final sigma is automatically detected, so you don't see a final sigma on the keyboard.

  • I don't know if they're still using a standard keyboard (i.e. simple subclass of UIKeyboardLayoutRoman) for Thai and Zhuyin as the position of keys in normal plane and Shift plane are distinct. This cannot be done in 2.x at all.

  • Also I don't know if the accents view becoming multi-row is internal or not.


Now excuse me trying to JB the 3.0 and extract the framework binaries...

Wednesday, March 18, 2009

New Keyboards in 3.0:

Arabic,
Hebrew,
Malay,
Thai,
Chinese (Traditional) (Zhuyin 注音)

Still no Chajei 倉頡 :(

Nice job on Copy and Paste Apple,

But I hate shake to undo :p Nor does all the UIAlertViews for push notification.

Tuesday, March 17, 2009

iKeyEx & 5-Row QWERTY 0.1-9b (Beta) Released

First of all, about the versioning schemes -- From now on all beta versions (those I put in the project download page and my private beta Repo) will have an odd revision, and the public versions will have an even revision (those you see in BigBoss). Therefore, the following beta versions will be called 0.1-9c, -9d, etc., and the release version will be 0.1-10.

iKeyEx



So back to iKeyEx. What's new in 0.1-9b has actually been highlighted in the last post. I'll go to the detail and implementation of each feature now.

More than 10 variants


Prior to 0.1-9b the number of variants supported must be less than 10 because if there's more the buttons will leak off the screen and become useless. In 0.1-9b the system will automatically reduce the size of each button to try to allow more keys to be shown.



The upper limit is now pushed to 12. Larger than 12 the variants list will start to act weirdly.

Variants Labeling



Following layout.plist, the variants can also be "labeled", i.e. the text shown on the button can be different from what will actually be typed. This is done by declaring an array instead of a string, e.g.
M = (M, ("Dear all,\n\n\n\nBest Regards,\nMe", Mail))

will create a Mail button on the list of variants, and when selected, will generate the "Dear all, ..." text.

Splitting of Landscape and Portrait Mode


The type of UIKeyboardLayoutCLass key has been generalized. As a result, not only code can have separate layouts in landscape and portrait mode, the other two methods (layout.plist and referred) can be split too.

The syntax is simple:
UIKeyboardLayoutClass = {
Portrait = "abc.plist";
Landscape = "xyz.plist";
};


Keyboard Mode Jumping



An extra feature in iKeyEx -- you can now hold down the International button (the Globe) for more than 1 second, then release it to get a list of keyboards enabled.

Click on an item to go directly to that keyboard.
Note: This feature is not available in the Emoji keyboard. 3rd-party IMEs not based on iKeyEx cannot be identified.

Note: In 0.1-9c you don't even need to release the button -- just keep pressing it and the keyboard list will show automatically. But in 0.1-9b you still need to lift your finger.


Email Diagnosis Info




The last, and the most important feature in this upgrade is the Email Diagnosis Info button in Settings -> iKeyEx -> Troubleshooting. I've got lots of crash reports but the SSH process is pretty troublesome for most users. Therefore I've created this button to simplify the process. The files attached are:

  • Recent crashes related to iKeyEx (i.e. /User/Library/Logs/CrashReporter/*.plist which have the substring "iKeyEx.dylib␣␣" in the file)

  • The list of installed Cydia packages (i.e. dpkg -l)

  • syslog (/var/log/syslog)

  • .GlobalPreferences.plist for the list of enabled keyboards (/User/Library/Preferences/.GlobalPreferences.plist)

  • com.apple.Preferences.plist for the active keyboard (/User/Library/Preferences/com.apple.Preferences.plist)

  • The content of /User/Library/Keyboard/ and /Library/iKeyEx/Keyboards/


This also serves as a demonstration on how to send email without leaving the application, and how to attach files and data to the message.

etc.


There are some minor tweaks in this version, including:

  • The /Library/iKeyEx/ folder is now a symlink to /var/stash/iKeyEx.XXXXXX/ to free up precious space in the / partition.

  • An "InputManagers" folder is created besides "Keyboards" folder. Eventually in 0.2 the input managers will be split from keyboard layouts and allowed to mashed up, but now this is just an empty placeholder.

  • All keyboards with name starting with __ are reserved for internal use now.



5-Row QWERTY Keyboard


5-Row QWERTY is also updated, but it is basically a bug-fix update. The ChangeLog has already summarized the changes.

Saturday, March 14, 2009

One week of inactivity?

The networkpx project was inactive for the whole week. Why? If you see the last post you should know I was trying to implement a screen video capturer. Eventually it's a miserable failure. The problem is lack of RAM -- the capturing program uses too many resources and caused a kernel panic. So I have eventually got rid of the idea. Instead, a viable solution would be capturing through the USB cable with the MobileDevice (private) framework. I don't know MobileDevice, so let's put it aside.

So what now? I'm upgrading iKeyEx to the next minor version 0.1-10. Features included or expected to include are:
  • Squeezing the variants when there's more than 10 of them, so Vietnamese accents can be shown properly (implemented)
  • Allow disassociating portrait and landscape mode in layout.plist
  • "Email diagnosis info", which automatically sends all the crash log to me by mail. I create this because many issue reporters failed to give me the info I really needed :( so let's automate it.
  • Long press the globe to select a keyboard to jump to.
  • Labels for variants.


This will not be the last version of the 0.1 line because there are still numerous crash reports floating around. The "Email diagnosis info" will be the key feature that allows more accurate crash data collection. Then hopefully 0.1-11 will be the last of 0.1-*.

(if you're a (non-SDK) developer and wants to implement similar feature, you can look into src/MailCrashLog.m and src/UIKit3/UIMailComposeView.m of the SVN trunk now.)

Tuesday, March 10, 2009

iPhone Screen Video Capturing



(Yes, I know the colors are all wrong, and the time sequence is strange, but these are very easy to fix.)


(The video is blurred solely because of conversion.)

Saturday, March 7, 2009

To move folders in / to /var/stash/

Add this line to preinst:


if [[ $1 == install ]]; then
/usr/libexec/cydia/move.sh <FULLPATH-YOU-WANT-TO-MOVE-FROM>
...
fi;


But it seems no way to clean it up.

Tuesday, March 3, 2009

Arbitrary HTML in Google Code wiki

Google Code supports a limited subset of HTML in Wiki. In particular, <input/> cannot be used. Because of this, the early version of CopyingTextFromSafari uses the traditional "go to a link and bookmark it" mechanism to add the bookmarklet.

Then today I realized that I could use HTML in Google Gadgets. So I can just
  • Put all HTML in an XML file and upload the file to SVN.
  • Insert a <wiki:gadget/> with URL to the wiki page.


I've immediately changed CopyingTextFromSafari, and also added a Donate button to the front page after figuring this out.

One slight note is that the HTML you use will live inside an iframe.

0.1-8

I've sent iKeyEx and 5-Row QWERTY (which isn't 5-Row nor QWERTY anymore :p) 0.1-8 to BigBoss. Yes this time is real.

iKeyEx 0.1-8 fixes a critical crash on pre-2.2 firmwares. Users of pre-2.2 users should upgrade to iKeyEx 0.1-8 (or just upgrade to firmware 2.2.1!). Hopefully all crashes will be solved soon so that I can end the 0.1-* chronology.

5-Row QWERTY 0.1-8 adds a lot of customizations. Pretty much of these have been covered on iClarified.

Sunday, March 1, 2009

Issue 67

iKeyEx 0.1-6 crashes some machines. This is a known problem, a very critical problem, but I did not know how to reproduce it. Fortunately, a proper bug report finally appear as issue 67 and I got to know what has happened. Turns out it's a firmware issue. In ≥2.2 there is a message named

-[UIKeyboardSublayout setIsShiftKeyPlaneChooser:]

which does not present on ≤2.1. In Objective-C, any unrecognized messages will cause an exception to be raised. Since I did not setup any exception handlers, the result is obvious -- crash.

There is another piece of message that is new in 2.2:

+[UIHardware _playSystemSound:]

These 2 should make hClipboard and iKeyEx-derived keyboards unusable in ≤2.1.

I should have caught these when I claimed issue 7 is solved. But why not? This is pretty much an issue of how Objective-C work.

Issue 7 was filed because I found that the linker for 2.0 and 2.1 emitted errors. All external C and C++ functions must be processed by the linker, and if something is missing (even if the header file said it was there), we can immediately know. But Objective-C is different. Objective-C dispatches message implementation dynamically. That's why Category and method swizzling works. But this flexibility means no compile-time check can be done. And the runtime check causes crashes.

What I've done immediately after recognizing the root cause of issue 67 is to build the API diff table. This allows developers to easily see what's new and what's missing during firmware transition, and determine whether a respondsToSelector: call is worth it.

Meanwhile, iKeyEx v0.1-8 fixing the 2 calls has been uploaded to Google code as well.

<Post deprecated>

The problem is fixed. Install hClipboard as you wish :)

The "latest" version of hClipboard seems to be mispackaged. While it is shown as 0.1-5, the content is actually 0.0-1, the initial buggy version.

I don't know what happened. I haven't sent any new packages to any repositories after Feb 19th.

Please do not "upgrade" to this version, because you are in fact downgrading.

If you have unfortunately "upgraded", you can remove that package, then install 0.1-5 from http://code.google.com/p/networkpx/downloads/detail?name=hk.kennytm.hClipboard-0.1-5.deb.