
The story of one "very Chinese" phone





The path from “unholy from networks” and “pair Bluetooth” to a human phone


We all do stupid things. We often end up in situations where what we hold in our hands is not at all what we hoped to get. Sometimes the desire to save money leads us to acquire completely unthinkable things.



A miser pays twice...


So it was with me when, about two years ago, I saw a smartphone with GPS, USB host, two cameras and other goodies for ridiculous money on yet another Chinese website. At that moment the very phrase “Chinese phone” should have stopped me, but I had already entered my PayPal password, and soon this “charm” fell into my hands...



I felt that I had cheated the system, because I had in my hands “a phone with all the bells and whistles”, a little Chinese perhaps, but for a pittance.


The plastic smelled of “burnt monkey” and the overall build quality left something to be desired, but the main “bonuses” were hidden elsewhere. A card was inserted into the phone, and finally the phone was turned on.



It was hard to be pleased by menu items such as “Bluetooth”, “Const. T.f”, “Nepr.k. With.” and other abbreviations whose true meaning could be worked out only from the pictures. Moreover, from the third menu level onward (and the developers did not shy away from nesting menus up to the 9th level) the pictures disappeared (not counting the “valuable” menu item numbers in red), and any understanding of what was going on disappeared with them (what the menu item “incl. UI editsii” does is something one could guess at for a long time). I should note right away that the phone let you choose a language and that the English version was much better than the Russian one, and that the entire translation was stored in a txt file that could be edited to get rid of at least part of this ugliness. If desired, one could even redraw some of the pictures (for example, those on which JPEG artifacts were particularly visible), which were stored as a bunch of files (about 200) in the “\Windows\” folder. The problem was not a specific menu item or a specific part of the interface. It was the lasting feeling that I had committed a great folly by paying money for IT. I will give a few more examples so that my delight at that moment is better understood:







In defense of the phone, I can add that even when something did not work, it failed so ridiculously that it was difficult to be angry with it. For example, when there was an error connecting to a WiFi network, it reported “unsuccessfully sodininiyat”. How can you be angry at a thing that is trying so hard to “successfully approach”?



When I had finished inspecting all the charms of the design and translation, I made the first call from another phone to check the connection... The calling phone connected and the first ring tone sounded, but the engineering miracle from the Celestial Empire stayed treacherously silent. The first ring tone was followed by a second, and then by a third... Only then did the Chinese phone realize that it was being called and display the next eerie window. It should be noted that in all my attempts to get an adequate response time from the Chinese phone (or rather, from the Chinese program), this was one of the best results. There were cases where only 2-3 seconds passed between the first reaction of the Chinese device and the second phone's message “the subscriber does not respond”.



This was a more serious cause for concern than the appearance, although at that moment I still comforted myself with the hope that it was just a network problem, that the phone was “not warmed up”, and with many other thoughts meant to justify the fact that the purchase itself was the stupidity.



My salvation could have been a “more recent” firmware for the phone, in which the developers might already have fixed many problems. To my surprise, a well-known search engine immediately returned the manufacturer's website and forum. In truth, I had not expected them to have a website at all, let alone new firmware! The latest firmware version was successfully downloaded from there, but it changed nothing. One thing became clear: if this problem had not been fixed, then either it affected only me, or it was a hardware problem about which nothing could be done, or the developers' crooked hands did not let them react properly to a message from the modem. In the absence of other options, all my hope rested on the last one, and I decided to try to write my own version of the user interface for a very Chinese phone...



First, I had to turn off the horror I had been admiring since the moment the phone was switched on. To do this, I connected the phone to a computer and launched Windows CE Remote Process Viewer.







The process bore the proud name “PhoneUI.exe”, ran 18 threads and loaded a small army of libraries. At that moment I was interested in only one thing: what caused such a delay between the call being placed and the notification. To find out, I had to try to “talk” to the modem. Later it turned out that the modem in this phone “roamed”, and even the native PhoneUI.exe tried to connect to it on the “are you a modem?” principle, probing in the following order: “GSM1:”, “VCP1:”, “VCP2:”, “VCP3:”, “COM1:”, “COM3:”.



I hastily sketched a small program that connected to the modem, sent a command, and waited for a response. The program was launched on the phone, but the modem did not respond: the program got only as far as the stage of reading the response from the modem. I will not bore you with a description of how I searched the system for that modem, or how I searched the registry using Windows CE Remote Registry Editor (which was at least of some use, since I removed PhoneUI.exe from startup). When I got tired of searching, I picked up a disassembler and started digging through PhoneUI.exe to quickly make sure that it used the standard set of Windows API functions: CreateFile / WriteFile / ReadFile / CloseHandle. The fact that the program contained debug information did not surprise me much, and it turned out to be very useful:







To make sure that the Chinese developers had not invented a special way of communicating with the modem, I searched for “AT+”. The first match was “%xAT+CGATT=1\r”. The data was sent to the modem by calling the Windows API function WriteFile, which was predictable, but it left me a little surprised that my program did not work.







Later it turned out that this was a code branch that runs only in a “special case”, and that this method of sending commands to the modem was too mundane for the creative developers of this device. Again, I will skip a few days of “unsuccessful stopping” in different parts of the phone and of going through every possible parameter and combination of settings. Having worked myself into yet another frenzy over the fact that PhoneUI.exe communicated with the modem successfully while my program could not get an answer to a single command, I decided to take disassembly more seriously and not limit myself to searching for the first AT command I came across.



At that moment, considering what the phone had cost and how much time I had already spent on it, I realized that it would have been cheaper to buy a new iPhone, but by now it was a matter of principle.



A second search showed that AT commands are sent in two ways: the first has already been described above, and the second goes through a call to the DeviceIoControl function. That is, DeviceIoControl is used instead of WriteFile to transfer data to the modem. I set a breakpoint on that call, and the scheme for passing commands to the modem soon became clear.







It also turned out that an additional call to DeviceIoControl after CreateFile is needed to activate the modem. After several hours of pulling the necessary values out of PhoneUI.exe, the following became clear:

  1. The modem is usually located on “GSM1:”. I say “usually” because if the phone is connected to a computer when it is switched on, or if it simply gets bored, the modem migrates to “VCP1:”, “VCP2:” and further along the chain.
  2. After CreateFile, you must call DeviceIoControl with the code 0xf00d226c and no additional parameters.
  3. To send data to the modem, DeviceIoControl is called with the code 0xf00d2268. The parameter is a fixed-length buffer (1032 bytes): the first 4 bytes are the HANDLE returned by CreateFile, the next 1024 bytes are the string containing the AT command(s), and the last 4 bytes are the length of the string. After step (2) you can also use WriteFile, but it works only every other time, so I did not use it.
  4. For reading, ReadFile is used as usual.
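
As an added example (not code from the original article), the following portable C code decodes the two control codes using the standard Windows CTL_CODE bit layout and packs the 1032-byte send request described in item 3. The 32-bit little-endian handle and length fields, the zero padding and the rule that the command must stay NUL-terminated are assumptions, and the names `decode_ioctl` and `build_send_request` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Codes and sizes exactly as given in the article. */
#define IOCTL_MODEM_ACTIVATE 0xf00d226cu
#define IOCTL_MODEM_SEND     0xf00d2268u
#define REQ_SIZE 1032
#define CMD_MAX  1024

/* Fields of a Windows I/O control code (standard CTL_CODE layout). */
struct ioctl_fields { unsigned device_type, access, function, method; };

struct ioctl_fields decode_ioctl(uint32_t code) {
    struct ioctl_fields f;
    f.device_type = code >> 16;          /* bits 31..16 */
    f.access      = (code >> 14) & 0x3;  /* bits 15..14 */
    f.function    = (code >> 2) & 0xFFF; /* bits 13..2  */
    f.method      = code & 0x3;          /* bits 1..0   */
    return f;
}

/* Store a 32-bit value in little-endian byte order (assumed target order). */
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Pack [handle:4][command:1024][length:4]. Returns 0 on success, -1 if the
   command does not fit with a terminating NUL (an assumption of this example). */
int build_send_request(uint8_t out[REQ_SIZE], uint32_t handle, const char *cmd) {
    size_t len = strlen(cmd);
    if (len >= CMD_MAX)
        return -1;
    memset(out, 0, REQ_SIZE);                   /* zero padding (assumed) */
    put_le32(out, handle);                      /* value from CreateFile */
    memcpy(out + 4, cmd, len);                  /* AT command text */
    put_le32(out + 4 + CMD_MAX, (uint32_t)len); /* string length */
    return 0;
}

int main(void) {
    uint8_t req[REQ_SIZE];
    struct ioctl_fields a = decode_ioctl(IOCTL_MODEM_ACTIVATE);
    struct ioctl_fields s = decode_ioctl(IOCTL_MODEM_SEND);
    printf("activate: type=0x%x function=0x%x method=%u\n", a.device_type, a.function, a.method);
    printf("send:     type=0x%x function=0x%x method=%u\n", s.device_type, s.function, s.method);
    /* 0x12345678 is a constructed stand-in for a real handle value. */
    if (build_send_request(req, 0x12345678u, "AT\r") == 0)
        printf("length field = %u\n", (unsigned)req[4 + CMD_MAX]);
    return 0;
}
```

Decoded this way, both codes share the device type 0xf00d and the buffered transfer method, and their function numbers are adjacent (0x89a and 0x89b).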


To my joy, the modem understood the basic set of AT commands and also had its own additional set of commands, which were successfully extracted from PhoneUI.exe.



Then came a whole epic involving control of the speakers, vibration and other elements of the phone, and writing my own simple graphical interface, none of which went without adventures, but that is another story of a “very Chinese” phone. For those who are interested, here are some screenshots of the result (nothing special, just a shell for viewing the status, controlling the phone and turning the main devices on and off):







Returning to the thought from the beginning of the article: before making the purchase, I should have thought carefully. The phone did not justify the time (and therefore the money) it required, although the experience gained and the many positive emotions from reading the translation of the standard interface cannot be ignored. I can say for sure that buying this phone is nonsense, but now, knowing how cheaply this circus came, I can also say that I don’t regret the purchase.



The phone could even go away as “very Chinese phone”:





Thanks to those who made this miracle.

Source: https://habr.com/ru/post/129145/


