Screen rotation animation library reverse-engineered


Guest zemrwhite2

Hello all,

This is AnimationLib2.

For non-French users, "Torsion" is usually the last one in the list (except "Aléatoire" == "random"). "Rideau" (curtain) and "Sans animation" (no animation) have been added to the control panel.

post-440503-1262998937_thumb.png

Two little videos in the archive that demonstrate those two new effects :

demo.zip

1/ What is it ?

It is a DLL which acts as a layer between MotionSensor.exe (rotation control panel) / zylonite_lcd.dll (display driver) and AnimationLib.dll, which contains the implementations of the various effects.

It provides new choices in control panel, in addition to the built-in effects: a crappy "curtain" one, and another, more useful, "no animation".

2/ Why such a useless thing ?

I don't use automatic screen rotation, but that was bugging me for more than a year not to have the choice to disable it.

So I reverse-engineered the data structures and arguments, and succeeded in creating my own animations.

I decided to release it because I think there is a market here :-) I just read a post about something like that :-)

3/ Does it work well ?

Yes and no.

I will make a software developer answer : 'it works on my i900'. But I guess it will on yours too :-)

I have only tested it with WM 6.5.3 (28205) with DXID1 OEM. I have not used it much, essentially only to test the code :-)

But I think it will work, it is just a matter of OEM part / AnimationLib.dll, which has not changed much since my first XHHG4.

From time to time, the animation stays locked on the last one "no animation". I don't know why, and I don't want to debug anymore. Without any solution to debug into device.exe space, it is a real pain in the ass.

Sometimes the driver does not provide the final picture when expected. I don't know if it's just my i900, but the standard animations suffer from this sometimes too, whatever the ROM.

While coding, I encountered a bug where the screen stays black / phone seems frozen locked after a soft-reset. It was not. I use a remote control software and everything was OK there, even the display. I just had to push the power button to make the phone sleep, push again and tada.

I have not been able to reproduce the problem, once it happened, it never came back until next soft reset.

But now I don't have it anymore. Who knows, I think my code was writing too far in memory or something.

In rotation animation selection control panel, there is a scroll bar in the combo list. This can be solved by editing MotionSensor.exe dialog resource #135 with any resource editor, but it is already correctly sized for landscape, so...

4/ Is it easy to setup ?

*No*. Check the topic description :-)

I tried to sign the dll, the cab, generate new certificates, etc... the dll is not trusted by the system. It is loaded very early at system startup by a device driver, I am not an expert but I think I need more than the SampleUnpriv or a self-signed certificate.

The only ways I found to make the driver load the dll are :

a. cook the dll. The problem is it cannot be updated.

b. cook a ROM with a patched CertMod.dll (CertVerify).

No need to say which method I used while coding :-)

There might be another way but I know nothing about it.

5/ Setup

Cook (method 4.a) or copy (4.b) the dll in \windows.

MotionSensor.exe / zylonite_lcd.dll know the name of the library to load thanks to HKEY_LOCAL_MACHINE\Software\TecAce\RotateAnimation Library value.

So modify the value with "\Windows\AnimationLib2.dll" and soft reset (the driver does not release the library).

The name that appears in control panel depends on the value "AltNameNoAnim" under HKEY_LOCAL_MACHINE\Software\TecAce.

If it is not defined, you will get the French hard-coded value, "Sans animation" :-)

Don't be fooled if you see new names in control panel, that does not mean that the driver has been able to load it :-(

New animations default names are in French, but can be overridden by creating the values "AltNameCurtains" and "AltNameNoAnim".

6/ How does all this bulls**t work ?

AnimationLib.dll exports 4 symbols :

QueryAnimationInformation

InitAnimationEffect

DrawStep

DeinitAnimationEffect

The first is used by the control panel applet (MotionSensor.exe) to get the names of available animations, and by the driver (but only in random mode).

When the phone is rotated, the driver (zylonite_lcd.dll) calls in sequence the three other symbols.

First, InitAnimationEffect with a structure containing requested animation index. InitAnimationEffect returns a pointer to an instance of an animation object.

Then, the driver calls DrawStep (and provides the previous pointer as argument) until DrawStep returns 0 (but not only and I don't know what).

Finally, DeinitAnimationEffect is called. The animation object instance is destroyed.

If anything goes wrong, the default animation is used. It is built right in the driver. That is why you cannot just remove AnimationLib.

For other details, read the code, it is pretty well documented.

For debugging DLL loading, I used "perfman" with default options, logging at bootup, translated the result with readlog.exe. Sadly, the first one is frequently ripped from custom ROMs, and the second one is part of platform builder. You'll have to dig 1000s of cabs to find it.

PerfMan told me several things :

<Animation> Cannot load library \windows\AnimationLib2.dll for reason -2146893818

That means NTE_BAD_SIGNATURE, and right above, there was a trace from CertVerify telling the lib was not trusted:

CertVerify: \windows\AnimationLib2.dll trust = 0

This is my ugly patch for CertVerify :

02 50 A0 E3 MOV R5, #2

05 00 A0 E1 MOV R0, R5

1E FF 2F E1 BX LR

See http://msdn.microsoft.com/en-us/library/aa925236.aspx for explanations about the #2.

Now the disclaimer:

I do not accept any responsibility for damages resulting from the use of this dll or this source code. It is provided as is, use or modify at your own risk, etc...

NoAnimation debug/release builds. It includes a crappy "curtain" effect, and "no animation".

AnimationLib2.bin.20010109.0129.zip

It would have been cool to just build a loader, an animation factory etc... If you agree, here are the sources, not completely clean, but pretty well documented I think. (VS2008 project)

AnimationLib2.src.20010109.0129.zip

patched CertMod.dll\S000 from 28205 build. Using this on any other version cannot work. Don't try it.

certmod.dll_28205_patched_CertVerify.zip

Sorry, no cab, since it is impossible to install by just copying the file (AFAIK).

I do not intend to work anymore on this project, do what you want with the files.

If you :

- know a way for the dll to be exchanged without patched OS <-------

- modify this library,

- find the effort ridiculous because there is a simple registry key to modify to get the same result,

please post a comment :-)

--- edit1:updated topic description

Edited by zemrwhite2
Link to comment
Share on other sites
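The PerfMan triage described in the first post, as an added example (not part of the original post or of the AnimationLib2 sources): it converts the signed "reason" value to an HRESULT and pairs each load failure with the latest CertVerify verdict for the same path. The function names, the sample log and the two extra DLL names are constructed; the trust-level names are the Windows CE header constants, not taken from the post.

```python
import re

# HRESULT named in the post; anything else is reported by its hex value only.
HRESULT_NAMES = {0x80090006: "NTE_BAD_SIGNATURE"}
# Windows CE trust levels a certification module can return.
TRUST_LEVELS = {0: "OEM_CERTIFY_FALSE", 1: "OEM_CERTIFY_RUN", 2: "OEM_CERTIFY_TRUST"}

# Line shapes copied from the two log lines quoted in the post.
LOAD_FAIL = re.compile(r"Cannot load library (\S+) for reason (-?\d+)")
CERT_LINE = re.compile(r"CertVerify: (\S+) trust = (\d+)")

def to_hresult(code):
    """Convert the signed 32-bit decimal from the log to an unsigned HRESULT."""
    return code & 0xFFFFFFFF

def triage(lines):
    """Pair each load failure with the latest CertVerify verdict for that path."""
    last_trust = {}  # lower-cased path -> trust value
    findings = []
    for line in lines:
        cert = CERT_LINE.search(line)
        if cert:
            last_trust[cert.group(1).lower()] = int(cert.group(2))
            continue
        fail = LOAD_FAIL.search(line)
        if fail:
            path = fail.group(1)
            hr = to_hresult(int(fail.group(2)))
            trust = last_trust.get(path.lower())
            findings.append({
                "path": path,
                "hresult": f"0x{hr:08X}",
                "name": HRESULT_NAMES.get(hr, "unknown"),
                "trust": TRUST_LEVELS.get(trust, "no CertVerify line"),
            })
    return findings

# Constructed sample log; only the AnimationLib2 lines follow the post verbatim.
SAMPLE_LOG = [
    r"CertVerify: \windows\Example.dll trust = 2",
    r"CertVerify: \windows\AnimationLib2.dll trust = 0",
    r"<Animation> Cannot load library \windows\AnimationLib2.dll for reason -2146893818",
    r"<Animation> Cannot load library \windows\Missing.dll for reason -2147024770",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A failure reported with "no CertVerify line" points away from signing and toward a missing file or a wrong registry path.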

Guest zemrwhite2

Hello,

It seems that this library has no success at all, just a few downloads. On my favorite French forum, no one has even answered my post !

It is not that I wish everyone to use it and applaud and post here how it changed their lives :) , but because it cannot be easily installed / removed (AFAIK), I suspect almost no one will ever try it B)

Maybe it came 12 months late ?

Link to comment
Share on other sites

Guest zemrwhite2
can you explain in French, I tried to translate but it's not right, thanks

Hi,

A fellow countryman :)

Out of respect for the forum, which is English-speaking, don't hold it against me, but I won't go on at length.

It's a lib that sits between the display driver and AnimationLib.dll. The latter contains the screen rotation animations. My lib adds two new animations on top of the existing ones, the most interesting in my opinion being the one that does no animation: the switch is almost instantaneous. Watch the videos in the first post to see for yourself. Then I explain the installation problems: since it is loaded very early at startup, the system refuses to load the lib, despite the certificates and all that. Two solutions: put the lib in ROM, or run with a patched OS.

After that it's technical details, and if you really want to know more, send me a PM instead, or go to pdaphoneaddict.com, in the omnia/ROM patches section.

Link to comment
Share on other sites

this is great really... but because of nature of this kinda mods it scares people to try... believe me, i'd like to have it more than anything, but, cooking own rom just for that thing :/

so, when main ROM cooks start using it, it will be also more visible to others and sure more appreciated

and don't worry, you can never be too late. we all appreciate your work very much, and i think the bigger part of us knows what kinda work is reverse engineering, and how much effort does it require B)

cya :)

Link to comment
Share on other sites

Guest zemrwhite2
and don't worry, you can never be too late. we all appreciate your work very much, and i think the bigger part of us knows what kinda work is reverse engineering, and how much effort does it require ;)

Thank you for your warm message :) R-E is kind of addictive, when I finish a project, I always feel a bit depressed after all the excitation B)

Tested, working, cooked in and ready to go with my next ROM release... ;)

This is great !

Link to comment
Share on other sites

Guest Freddie_Miles
If it were available as a .cab installer it would be very popular.

Right now, only the brave souls risk flashing the firmware on the device.

I cooked this into my rom yesterday and I have to say, it works amazingly well.

Link to comment
Share on other sites

Guest zemrwhite2

Hello,

It would be great if someone finds a clean way to authorize this library as non-ROM.

I think it's possible, but I tried my best with all those certificates things and did not succeed.

For now, I can't search more, working on something completely different, and running my omnia with my certmod.dll hacked ROM (it's bad).

Link to comment
Share on other sites

  • 2 weeks later...
Guest s300pmu1
It would be great if someone finds a clean way to authorize this library as non-ROM.

I think it's possible, but I tried my best with all those certificates things and did not succeed.

Maybe someone could ask the guys who made the "proper" battery driver which shows charge state with 1% increments - they did manage to get it in the system somehow, after all.

Link to comment
Share on other sites

Guest zemrwhite2

Hello,

Good to see it works on other people's phones :)

Maybe someone could ask the guys who made the "proper" battery driver which shows charge state with 1% increments - they did manage to get it in the system somehow, after all.

Like I said, I already tried to sign it B)

I previously played with camera, accsensor drivers (hooked calls to those drivers with a signed library) with no problem.

AnimationLib is "LoadLibrary-ed" by the display driver, this is a bit different from those other cases. And zylonite_lcd.dll is itself not signed, I believe it just loads because it is in ROM.

is anyone capable of creating a matrix effect for the rotation animation?

This is a great idea !

Is there some developer around able / willing to create this effect ?

I now think it would have been cool to perform the same thing as MitsShow.dll (I think it is the component that displays the .gif and plays the .wav at startup/shutdown).

Link to comment
Share on other sites
