July 29, 2004 (technical)
PDD Day 1
Briefly, an analysis of the pdd (palm data dump) from a Palm (From here on called palm) Vx running Palm OS 3.5.3 (ID: 10GK12D067AM-J) to a MS Windows XP SP1 platform (from here on called the desktop).
PDD version 1.11 was used for this test.
Process - 040729 - 8.15pm
Hard reset the palm by holding down the on/off button and using a paperclip to press the reset button on the back.
Realigned the screen.
Installed Palm's HotSync manager version 4.1.0 on the desktop.
Synced the palm with the desktop (This is after successfully creating the "christian" user in the hotsync manager program - this processed required the palm to be reset - which was followed by a complete hard reset - same as above)
Opened the Palm Desktop software (version 4.1.4) on the desktop, and proceeded to create a memo:
Container ship 7KU arriving 8pm december 12 2004 costing per unit $500
(This memo was filed under Personal)
Proceeded to create a new contact:
Last Name: Wolski
First Name: Pete
Company:
Title:
Contact info
Work: 0401234567
Email: wolksi@hotmail.com
The contact was filed under Personal
Closed down the Palm Desktop - and performed another sync between the palm and the desktop.
I then verified the memo and the contact on the palm device.
On the desktop, a folder "pdd" was created - the pdd.exe was copied to this folder.
Using windows cmd.exe - i changed to the pdd directory "cd pdd".
On the palm, i modifed the settings so the device would not power down during data acquisition - this was done by going to "preferences" then "general" and ticking the "Stay on in Cradle" option.
Output from pdd was stored in a file called 040729.out - the command executed was:
pdd of=040729.out
Initially an "Error opening COM1" occured - after quiting the HotSync Manager and retyping the command the desktop reported that I should "Enter console debug mode [(shortcut) .. 2]" - this is to enter the palm into console mode - which allows backdoor access to a lot of the palms functions, usually used for debugging code on palms.
On the palm i used the stylus to draw the shortcut symbol, 2 dots and then finally a 2
The desktop then reported "pdd process beginning." This acquisition process went from 8.31:25pm til 9.13:50pm. After successfully finishing the palm reported:
Resetting Palm OS device.
pdd successful. Exiting.
The resulting output file, 040729.out, which was 8,388,608 byte had the following md5sum bce4942d9cd6cd37b7103adedf0c902f
To allow further tests, required me to re-align the stylus by entering into the preferences - digitisor menu - and then i had to also re-do the Shortcut . . 2 - on the input to allow the console mode.
To test whether the reset performed by pdd did in fact modify the RAM I performed the command again - pdd had the following output after writing 7,989,760 bytes of the file to 040729-2.out
pdd process beginning.
CRC-16 Checksum invalid.
Trying immediately again a 3rd time. (Because the 2nd run failed - the console mode was already activated - and therefore did not have to be manually started)
The third run completed successfully, including a soft-reset of the palm, and the file, 040729-3.out, which was 8,388,608 bytes created the following MD5 hash ba1b607dcb90486823caa0c22f4d60db
The hash of 040729.out and 040729-3.out are different, which would imply that some of the image was in fact modified between the end of the pdd acquisition and the beginning of the 3rd run of acquisition. Possible causes of modification to the palms system:
- Some sort of errors recording during the failed 2nd run
- The soft-reset automatically performed by PDD at the end of a successful acquisition
- Because of me having to manually re-align the stylus on the palm after the 1st successful acquisition (without performing this step - it's not possible to put the palm into the console mode - as this can only be enabled via graffiti on the palm)
Next steps?
- Try and perform 2 acquisitions one after the other - without a failed attempt, and see if the steps in the middle can be minimised? (possibly without having to re-align the stylus?)
- Attempt a pdd acquisition of the ROM
- Explore the code of pdd - to see if the soft-reset can be disabled
- If not, attempt to use PDA Seizure
- Begin analysis of the images.