Notice: Undefined index: If-Modified-Since in /var/www/net/gaast/winterm/main.php on line 27
WYSE Winterm hacking - plans.html


So, it's probably clear by now that our main plan is to get these things to run Linux instead of WinCE. What can we do when we reach that point? Well, we can think about that later. The CPU must be capable of playing ogg/mp3 files, so maybe it'd be a nice network-streamer. Or maybe we can install PCMCIA wireless network cards and use them as bloated access points. Or as X-terminals. Or maybe we can even use rdesktop for Linux to get more recent RDP support.

But we're not quite there yet, of course. We don't even know if it's indeed possible to run Linux on these. But it's worth trying, right?

Try to change things in the firmware

First of all, we downloaded firmware upgrade/addon images from WYSE to see if they make any sense. Well, they did. The file format was quite easy to reverse-engineer, actually. There's a tool available for download on this site to read them. Here you can see part of a file listing of such an image:

Offset    Length    Cksum?    Flags   Flags     Number    Filename
000025ad  00040000  8f7a922d  010000  00010000  3b8e63ea  mid_code
000425ad  00000014  fdfc0bfb  010000  00020000  3b8e63ea  k
000425c1  00000108  8c3a3502  010000  00020000  3b8e63ea  params.ini
000426c9  0037aef3  dfab5bf8  010000  00020000  3b8e63ea  nk.bin
003bd5bd  00003b86  296e59d9  010000  00020000  3b8e63ea  poweron.bmp
003c1145  00000c4e  670d652f  010000  00020000  3b8e63ea  io.sys
003c1d95  000010e1  7a83e7db  010000  00020000  3b8e63ea
003c2e79  00000f57  0845510b  010000  00020000  3b8e63ea
003c8b49  0000002a  a0d3414f  010000  00020000  3b8e63ea  autoexec.bat

When you look at this you'd get the impression that this x86 version of WinCE is more like MS-DOS than you'd expect. Well, we're not sure if those DOS-files are really used. Maybe they're just things left from some debugging environment?

The mid_code file seems to be a special file that, amongst other things, contains a VGA BIOS. Maybe this file is flashed at some special place instead of as a separate file. nk.bin might look familiar to people who worked with Windows CE before, as far as we understand it's an archive with all the Windows CE system files. (There's a little extract-tool for those files available too.) The k file is still a little mystery for us, it seems to be there in every file, even in addons.

Obviously, the first thing we tried when we figured out this file format is to insert a different version of poweron.bmp. This gave us a very nice checksum error, so we can now be sure that the field marked as "Checksum?" is indeed a checksum.

Figuring out how the checksum is calculated wasn't too hard though. It's far from an MD5, and also not quite like CRC32. In short it's the sum of all 32-bit integers (little-endian) subtracted from some magic integer. Besides these per-file checksums, there's also one checksum of the whole archive at the end of the file.

After figuring out the checksum algorithm, we managed to insert a new poweron picture, see the picture. :-) Although just replacing the poweron picture might not look like a big deal, it wasn't that trivial and we certainly consider it a milestone.

After all, if we can replace a bitmap file, it should be possible to replace or add executable files too. But first we'll have to figure out how to make suitable executables for this target. It might be x86-compatible and even Windows, but WinCE does seem to be pretty different from the usual Win32 systems. We hope to be able to use MinGW to generate WinCE/x86 executables, first thing to write will probably be "Hello World".

What's next?

This is where the hacking starts. We're planning to try to write, after Hello World and maybe some other experiments, a Linux bootloader for WinCE. Obviously we never did that before, so it's not exactly going to be easy. But we guess it should be doable. As long as the program will run as Administrator, shouldn't we be able to do anything we want? The XBox-Linux people probably did the same thing with their non-modchip hack.

Of course a WinCE-based bootloader wouldn't be the best solution. Booting directly into Linux would be a lot better. But also, it'd probably be a lot harder. This way Windows will initialize the hardware for us, and we can use it while it's still running to download the kernel and initrd-images. And of course we're less likely to break things when we leave the firmware core alone.

But as soon as Linux runs from WinCE and get more familiar with the hardware, we can try to make this a native Linux box!