Hacking a Mesada GPS Unit

Purpose
A few weeks ago, I received a Windows CE GPS unit (the Mesada s3c2440/043BSC) from MM, to perform a customization on the Bluetooth functionality. The purpose of this customization was to add the Headset profile, so that this device would be able to send audio to a Bluetooth headset.
On the Pocket PC platform, this functionality is provided by the Audio Gateway.

First impression
After unpacking the device, the first thing I did was turn it on: a simple, finger-friendly interface was the first thing I saw. It offers some basic functionality: opening a GPS application (not included), a photo viewer, a video player, music, settings dialogs, and a Bluetooth interface.
It has no built-in GPS navigation software, but it seems to run well with iGO.
Installing GPS software on it is easy: the settings panel lets the user choose the navigation software’s exe file from the SD card or the internal storage via a file browser.

The Hardware
This unit comes with a 400MHz Samsung S3C2440-40 processor, which does a pretty good job in terms of speed.
Memory: 64MB
Storage flash capacity: 1GB
OS: WINCE 5.0
Screen: 4.3″ (480×272)
Battery: 1100mAh Lithium
GPS Chipset: MSTAR SiRF Star III
Bluetooth Chipset: CSR BC03 chipset
Power consumption: 1.5W
A complete list of features is available here:
gpsspecs

ActiveSync

Connecting the unit to my PC was successful: the ActiveSync icon turned green, and I was able to explore the files on the mobile device.

A few software tests

I also tried the remote tools from Visual Studio 2005, and those worked too: Remote Registry Editor and Remote Process Viewer were able to connect to the GPS using the “Windows CE 5.0 Device” platform. Nice.

I had a simple Pocket PC exe file around, compiled for Pocket PC 2003. So I hit Control+F5 in Visual Studio 2005, and surprise, the file was uploaded to the GPS and executed successfully! Great stuff. I tried a windowed app next, and it failed. So this means I need a different SDK. I found the WinCE 5.0 SDK here. After I installed it, the new platform became available inside Visual Studio 2005. So I created a new, simple Hello World application, setting the target to this new platform (STANDARDSDK_500).

You can download the source code for this first project here:
firstwce
Have a look at this result:
capture002

BTW, this device has a screen resolution of 480×272 pixels.

Some Bluetooth tests

OK, so this project is all about Bluetooth. Here are some of the things I checked on this GPS, and the results:
There is no BTD.DLL, nor any other BT-named DLL, in the Windows folder on this GPS.
There is no HKLM\SOFTWARE\Microsoft\Bluetooth key!
Trying to use BthGetMode / BthSetMode from bthutil.lib failed, as this lib was not found inside the WCE SDK.
All of this means that using Bluetooth on this device will be a lot different than using the standard MS BT stack. Bad news.

Ok, let’s Hack it!

This device offers the headset profile. You can use a Pocket PC with Bluetooth and Phone to find the GPS as a Headset device.
So you can use it as a Bluetooth Handsfree/Headset unit. It even claims to support the Wireless Stereo profile, but I wasn’t able to use this one.
OK, so one way or another this device has a lot of the Bluetooth functionality that I require.
Just to be clearly understood, what I need to do is make this device capable of re-routing audio to an external car kit.
So it must be able to detect an external Bluetooth device offering the Headset profile. While this device can itself work as a headset device, it cannot (at least with the current software) detect external headsets.
For this task I need minimal control over the BT module: start/stop the Bluetooth hardware, search for devices in range, and SCO connections for handling the audio data. An audio driver is also required, to redirect all audio packets through the SCO connection.

Let’s see what can be done with the internal BT functionality. This is the internal Bluetooth application:
capture004

While this is on, a new process appears in the process list: MobileRemotor.exe. And one of its modules looks very interesting! It’s bthadapter.dll.
And the DLL’s path is: \Mesada\$MSD$\App\BTHADAPTER.dll

Almost certainly, this DLL contains lots of useful functions. The problem is that there is no Mesada folder on this GPS. It must be a hidden partition, as seen on several other devices (many from HTC, running Windows Mobile).
OK, using Total Commander’s wincefs.wfx I can see the GPS folder structure below \\\WinCE Device\ . Changing this to \\\WinCE Device\Mesada and hitting enter shows the hidden folder. Eureka!

Sweet, here is the content:
mesadafiles

And right there is the important bthadapter. To be able to copy it, I need to kill MobileRemotor.exe. Easy, from Remote Process Viewer. Now that I have this DLL, I can open it with IDA. Here’s a list of the exports:
exports

Ok this looks very good. The complete list is here
bthadapter
I’ll try to use them from an external app. BTW, here are some more interesting links for this:
GPS Forum
Mesada website
SDK.zip (This seems to be a firmware update)
Explorer Mod
mesada gps gui

The next thing to do is to use bthadapter.dll for a simple Bluetooth app on this GPS unit. But that’s another story.
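
The export list read in IDA above can also be pulled straight from the copied DLL file. The following Python parser for the PE export directory is an added example, not code from the original post; its function names are its own, and it lists named exports only.

```python
import struct
import sys

def _cstr(data, off):
    """Read the NUL-terminated ASCII string at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def list_exports(data):
    """Return [(ordinal, name, rva, forwarder_or_None)] for each named export."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                            # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)             # PE32+ / PE32
    exp_rva, exp_size = struct.unpack_from("<II", data, dirs)
    if exp_rva == 0:
        return []                                            # no export table
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]

    def off(rva):
        """Translate an RVA to a file offset through the section table."""
        for vsize, va, raw_size, raw_ptr in sections:
            if va <= rva < va + max(vsize, raw_size):
                return rva - va + raw_ptr
        raise ValueError("RVA 0x%x is outside every section" % rva)

    base, n_funcs, n_names, funcs, names, ords = struct.unpack_from(
        "<IIIIII", data, off(exp_rva) + 16)
    out = []
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, off(names) + 4 * i)[0]
        idx = struct.unpack_from("<H", data, off(ords) + 2 * i)[0]
        if idx >= n_funcs:
            raise ValueError("name ordinal index out of range")
        rva = struct.unpack_from("<I", data, off(funcs) + 4 * idx)[0]
        # An RVA inside the export directory is a forwarder string, not code.
        fwd = _cstr(data, off(rva)) if exp_rva <= rva < exp_rva + exp_size else None
        out.append((base + idx, _cstr(data, off(name_rva)), rva, fwd))
    return out

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:                      # path to a copied DLL
        for ordinal, name, rva, fwd in list_exports(fh.read()):
            print("%5d  0x%08x  %s%s" % (ordinal, rva, name, " -> " + fwd if fwd else ""))
```

If a name starts with `?`, it is an MSVC-decorated C++ symbol, and the decoration encodes the function’s parameter types.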

This article has 16 Comments

  1. Hello,
    Very interesting article. I’m also trying to use bthadapter.dll to communicate with Mesada through Bluetooth, but a big problem for me is the function parameters. Loading the library and getting a function address is not a problem, but what about these params? Do you have any docs for it or any success with Init (Init and turn Bluetooth ON)? If yes, can you give any clues 🙂
    Thanks,

  2. Thanks!

    You would need the header file for the CBthAdapter class.
    Unfortunately I have no other documentation besides my findings.
    If I get more time for this, I might take another look at it.

    Radu

  3. thanks for this manual.
    Please, tell me – how to use bluetooth interface for connect this Mesada device to phone via bluetooth for using GPRS internet.

  4. Using this DLL no. It only provides SendData, and no GetData nor anything similar for bilateral communication.

    However it is possible to directly connect to the Bluetooth chip using a serial/uart connection and implement a basic HCI stack. On top of that a simple L2cap communication protocol can be easily implemented.

  5. Ok for me that makes little sense since I’ve never programmed hci stack or l2cap comm protocol. I tried finding sdk software to get me started here : http://www.palowireless.com/Bluetooth/devtools.asp and here : http://www.thewirelessdirectory.com/Bluetooth-Software/Bluetooth-Applications.htm BUT none of these websites links work…all of them go to pages that have been removed from internet??

    Do you have any sample code I can see? Is this done in C# or VB.NET? Will it work on Windows CE 5.0? I would be willing to even pay you to do this for me if you’re interested…

  6. Mike, I’m not saying it is easy, I’m saying it can be done and presenting the options.

    However unless it is an important project, is not worth the effort.

    C# and VB.net would work, but for developing a bt stack you should be considering C++.

    I might be able to help you but it depends on what you want to invest in this. My email is radu.motisan@gmail.com

  7. Hi,
    I have a Chinese GPS http://www.dealextreme.com/details.dx/sku.33231
    And I formatted the integrated flash (NAND flash). Now when I restart, it presents the car picture, fills the green bar, but stops on it. Is it possible to restore Windows CE (or the NAND flash contents, firmware)? I am looking on the internet for Mesada firmware, but I can’t find it.
    More info:
    when I connect it to the PC, nothing happens (I can’t see the NAND flash and external micro SD contents), I can only charge the battery.
    There is a discussion, RickBR has the same problem:
    http://www.dealextreme.com/forums/Default.dx/sku.33231~threadid.593550
    Can you help me to restore Windows CE?
    Thank you.

  8. How exactly did you manage to format that partition?

    Try a hard-reset, by pressing and holding the reset pin for a few seconds. It should restore all the files from the ROM memory.

  9. First I used the cedesktop application and went to the Windows CE control panel. There was an application “partition manager” or “disk management” (I don’t remember exactly). I launched this tool and pressed the “format” button. That’s all.
    I have the $MSD$ content from the same device, there are a few files, but in this picture http://teksoftco.com/home/radu/mesada/images/mesadafiles.jpg there are many files.
    I have tried writing these files (firmware) to a microSD card:
    http://www.igreen.com.hk/download/gps/DG_G43xxNB_v2.rar
    and starting up the device with this SD card. Result: there were two lines like “background program OK” and the background was changed.

  10. Hi, I cannot understand the way you can add your website in my rss readers. Have you been able to Assist me, remember to …)

  11. Hi. I study a couple of of your other posts and wanted to understand if you would be interested in exchanging blogroll links?

  12. Interesting article. I have a similar problem with a different unit (WinCE 6 MIPSII). I have a Bluetooth project but no *bt*.dll in the Windows folder. All Bluetooth logic seems to be done by an executable that sends and receives messages via coredll SendMessage (WndProc).

    I’d like to start a Bluetooth SPP server attached to a COM port on the GPS unit.

    I know that this article is very old, but I’m almost giving up. 🙁

  13. Hi Marcos,

    Well.. not only the article is old, but also the hardware.

    It might make sense to work on a platform more up to date instead.
