Jun
07

Second Mini PCI-E on Acer D250

This is my analysis of the second mini PCI-E on the AAO 250D. The bold marked lines are connected.
Conclusion

The 3G card is a pseudo USB device that just uses a mini PCI-E bus, as there is in the EEE as well. The other connected lines are most likely the ones going to the SIM card holder, as they match the pinout.

31 and 33 are possibly connected; I guess they are, but it’s very hard to see even with an extreme magnifier.

Diagram

Pin  Signal Name         Pin  Signal Name
51   Reserved            52   +3.3V
49   Reserved            50   GND
47   Reserved            48   +1.5V
45   Reserved            46   LED_WPAN#
43   Reserved            44   LED_WLAN#
41   Reserved            42   LED_WWAN#
39   Reserved            40   GND
37   Reserved            38   USB_D+
35   GND                 36   USB_D-
33   PETp0               34   GND
31   PETn0               32   SMB_DATA
29   GND                 30   SMB_CLK
27   GND                 28   +1.5V
25   PERp0               26   GND
23   PERn0               24   +3.3Vaux
21   GND                 22   PERST#
19   Reserved (UIM_C4)   20   Reserved
17   Reserved (UIM_C8)   18   GND
     Mechanical Key
15   GND                 16   UIM_VPP
13   REFCLK+             14   UIM_RESET
11   REFCLK-             12   UIM_CLK
9    GND                 10   UIM_DATA
7    CLKREQ#             8    UIM_PWR
5    Reserved            6    1.5V
3    Reserved            4    GND
1    WAKE#               2    3.3V

 

May
07

OSX86 on Acer Aspire One D250

iDeneb 10.5.6

Burn the disc image and use an external DVD-ROM (a thumb drive might also work). Press F12 at boot and select the media you’re using to install OSX. Hit Enter on the Darwin boot screen and wait patiently while the installer loads (this might take up to 10 minutes). Select your language of choice and press [continue] to go to the next screen.

Open Disk Utility from the top menu, select the partition where you want to install, and format the drive as Mac OS Extended (Journaled). When you’re done, quit Disk Utility and press [continue].

Select the disk you just erased and press [continue]. Click [Customize] and select these from the list:

ACPI Kext 10.5.6 | Ps2 Fix mouse | Apple Azalia Audio | ICHx Fixed | Kernel 9.5.0 Voodoo | Attansic L1 | Atheros AR5007 | CPUs=1-fix | Battery Manager | Intel GMA 950 | OSX86 tools

You can also choose language packs and applications as you like.

When selected, click [install]; skip the disc check if you’re in a hurry. Let the installer do its job, then restart. Hit space at the Darwin loader, type in “-f” and hit [Enter].

Once booted, you will need the GMA950.pkg to get 1024*600 resolution. You can get this from: http://www.insanelymac.com/forum/index.php?s=&showtopic=180005&view=findpost&p=1230300 (you will need to register an account).
Just install the file, then open OSX86tools and repair permissions (this might take a while). I’d also recommend you enable Quartz.

What doesn’t work: Webcam, Microphone, Sleep/hibernate, Lan/Wlan.

Boots in under 40 seconds on a stock D250 with 1GB ram.

Kalyway 10.5.2

Tried this disc and failed basically on first startup, AppleAirPort.kext had to be removed from single user mode of the thumb drive’s install system. Install worked but never really booted with vanilla kernel install. Discontinued.

Retail Disc

Now trying this method for the similar D150. Might work, but Vanilla kernel is not bootable correctly somehow. Stops (cpus=1 -v) at an early boot stage while “Jettisoning Kernel Linker”.

(http://www.hackint0sh.org/forum/f200/71102.htm)

xXx 10.5.6 final v2

Works well, Graphics for GMA950 works well, ISO has a kext for this prepatched (ID: 0x27ae)

Added kext:

  • Install Chameleon 2, it’s much nicer
  • VoodooPS2 installed (/Extras)
  • AppleCPUPMDisabler (/Extras)
  • System “hung” a bit on mouse move -> IO802 kext was buggy, removed it and works. Kext seemed to attempt in an endless loop to load an Atheros driver. (Might be the new Atheros ethernet which causes this, not the wifi card)
  • Battery just needed AppleACPIBatteryManager.kext found on googlecode
  • Sleep does not work -> investigation running
  • Vanilla Kernel still not booting with proper params
  • No Sound yet

Hardware mods and additions:

  • Bought a Kingston Bluetooth Micro thing with OSX drivers and put it into a usb port.
  • Will replace the wifi module once the new one arrives, this Atheros crap is not worth the trouble of writing or patching drivers for it.

 

May
05

Debugging Plesk

If you want to debug Plesk, e.g. with gdb, be aware that Parallels made many efforts to prevent you from doing so. A pain for everyone who has to deal with strange and stupid segmentation faults or wants to fix Plesk for this or another reason. I was thinking IONCube was enough (which is still easy to break) but hey, let’s start debugging Plesk internals first.

Parallels used a trick similar to Apple’s with iTunes, which involves ptrace() calls in masses. The trick is to set a breakpoint on it in gdb to prevent it from executing.

(gdb) break ptrace

is good enough :) OK, if you now break into a ptrace(), just type “return” and “cont” and everything will run fine.

If you need more comprehensive info on how ptrace() works as an anti-debugger measure, read this page: http://steike.com/code/debugging-itunes-with-gdb/

It is a fairly interesting read.
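
How a ptrace()-based debugger check works, and why a check that depends on one interceptable call is weak on its own, as an added example (not code from Plesk or from the linked page). It assumes the Linux PTRACE_TRACEME form of the check, which this post does not confirm Plesk uses; the function names and the sample status text are made up for illustration.

```c
/* Added example, not Plesk's code: two ways a Linux process can ask
 * "is a debugger attached?". All function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>

/* Constructed samples of /proc/<pid>/status text (not captured output). */
const char SAMPLE_UNTRACED[] = "Name:\tdemo\nPid:\t4100\nTracerPid:\t0\nUid:\t0\n";
const char SAMPLE_TRACED[]   = "Name:\tdemo\nPid:\t4100\nTracerPid:\t4242\nUid:\t0\n";

/* Tracer's PID from status text: 0 = not traced, -1 = field missing. */
long tracer_pid_from_status(const char *text)
{
    const char *line = text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return strtol(line + 10, NULL, 10);   /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Check 1: the kernel's own record, read without calling ptrace(). */
long live_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Check 2: the classic trick. A process can have only one tracer, so
 * PTRACE_TRACEME fails when gdb is already attached. If the call is skipped
 * from a breakpoint, the failure is never seen, so it is weak when used alone.
 * Side effect: on success the parent process becomes the tracer. */
int traceme_refused(void)
{
    return ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1;
}

int main(void)
{
    long before = live_tracer_pid();      /* read before check 2 changes it */
    int refused = traceme_refused();
    printf("TracerPid=%ld, PTRACE_TRACEME refused=%d\n", before, refused);
    /* A hardened check treats disagreement between the two as tampering. */
    if ((before > 0) != (refused != 0))
        puts("checks disagree: the ptrace() result may have been forced");
    return 0;
}
```

Run under gdb and outside it to compare the two results; sandboxes that filter ptrace() can also make the second check report a refusal.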

 

Apr
07

Edit bootlogo on Acer Aspire One (Bootlogo Hack)

Intro

Ok, here is a short guide to edit your AAO’s bootlogo. I stumbled on this while reversing the dll used for flashing the AAO, to find out more on the layout of the UEFI and the BIOS legacy driver.

This is kinda easy to do, please be careful. I am not responsible for any damage caused. Feel free to use the discussion page of this article to leave a comment or add links to your created boot splash logos on the bottom of this page.

Any addition is welcome.

Howto

1.) Create a JPG, BMP or PCX in a sane size with Photoshop or any other good image program. I used CS3. Export it for Web, uncheck Progressive and optimization stuff, put quality to 100%.

2.) Get WINFLASH from Insyde. It is kinda easy to find on the net. For those who are lazy, I put a link to rapidshare on the bottom. This tool is freeware and available from multiple vendor sites, so safe to distribute.

3.) Edit platform.ini file to look like the following:

;The file is Insydeflash utility configuration file

[Version]
Version=00
;Insydeflash utility will display the value at top 

[FDFile]
FileName=
BackupName=current.fd

;FileName    -> Utility always load this file.
;BackupName  -> Utility will backup current BIOS to the file.

[UpdateBlock]
PatchFv=0
FileName=intel.fv
FileOffset=0
FlashSize=0
PhysicalAddress=FFF00000
FvID=945PL-A
IDErrorAction=1

;If user set PatchFv to 1, utility will go update mode.
;If user only need to update some blocks in file, please enter file offset and size
;in here. If flash size is 0, utility will update all binary in file.
;If flag in Platform_Check section is 1, utility will compare FvID with current
;platform ID. When ID comparison failed, user choose result by IDErrorAction.
;1 mean show error message box, 2 mean close utility and reboot/shutdown. 

[Platform_Check]
flag=0
PlatformName=
;This flag is the switch of comparing bios project id with rom file project id.
;When flag is 1, utility will check project id.If id doesn't match, utility will
;close the application. When flag is 0, utility won't check project id.
;PlatformName ->check platform name by .INI

[AC_Adapter]
flag=1
BatteryCheck=0
BatteryBound=20
;This flag is the switch of checking AC. When flag is 1, utility will check AC. If no AC
;plug in, utility will display warnning message. When flag is 0, utility won't check AC. 

[Bios_Version_Check]
flag=0

;This flag is the switch of checking Bios Version. When flag is 1, utility will
;check Bios Version. If rom file Version is older than Bios, utility will display warnning
;message and close application. When flag is 0, utility won't check rom file version. 

[ForceFlash]
ALL=1
BB_PEI=0
CPU_Microcode=0
Variable=0
DXE=0
EC=0
Password=0
OEM_NVS=0
Logo=0
Type#09=0
Type#08=0

;ALL  1 -> Flash all ROM part. 0 -> Resverd all protect areas.
;BB_PEI, CPU_Microcode, Variable...
;1 -> Force flash these area if BIOS report them are protected areas.
;0 -> Protect these area if BIOS report them are protected areas. 

[FlashComplete]
Action=0
Dialog=0
Counter=15

;Action  0 -> Do nothing, 1 -> Shut down, 2 -> Reboot
;Dialog  0 -> Do not display dialog, 1 -> Display dialog,
;        2 -> Display dialog and wait several seconds.
;If user need to reboot or shut down automaticlly in several seconds,
;user can set counter be a integer.

[UI]
Confirm=1
Silent=0
DisplayID=1
InsydeInfo=1
VersionInfo=1
GroupInfo=1
ConfirmInfo=0
OnFlashingBeep=0
OnFlashingBeepDelayTime=800
DisableMouseAndKeyboardInput=0
BeforeFlashDelayTime=0
ProgramStartToWrongMessageBox=0
GetFDFileButton=0

;Confirm 1 - > Display confirm dialog, 0 -> Do not display confirm dialog
;Silent 1 -> Silent mode, hide main dialog, 0 -> Normal mode
;DisplayID 1 -> Display BIOS ID, 0 -> Do not display BIOS ID
;InsydeInfo 1 -> Display Insyde copyright information and URL, 0 -> Do not display it
;VersionInfo 1 -> Display BIOS version, 0 -> Do not display BIOS version
;GroupInfo 1 -> Display group box, Do not display group box
;ConfirmInfo 1-> Display version and date information in confirm dialog
;OnFlashingBeep 1-> Beep on flashing, 0 ->Do not beep on flashing
;OnFlashingBeepDelayTime -> set BEEP delay time(Milliseconds)
;DisableMouseAndKeyboardInput 1-> Hook mouse and keyboard without "CTRL+ALT+DEL", 0 ->Do not Hook mouse and keyboard.
;BeforeFlashDelayTime ->If user need to delay begin flashing in several seconds, user can set delay time be a integer.
;ProgramStartToWrongMessageBox 1-> Display a wrong message box,0-> Do not display a wrong box
;GetFDFileButton 1-> Display FD file browse box, 0-> Do not display FD file browse box

[Logo]
PatchLogo=0
FileName=
GUID=

[Others]
ClearCMOS=0
FlashDevice=0
DisableCompare=0
ErrorRetry=0
;FlashDevice 0 -> default, 1 -> SPI flash part, 2 -> Non-SPI flash part.
;DisableCompare 0 -> Compare binary, 1 -> Do not compare binary, flash directly in write ROM mode.
;ErrorRetry 0-> Do not retry if found flash error. 1 -> Try to flash again if write or verify error.

[Option]
Flag=2

;Flag 0-> Auto-flash mode.
;Flag 1-> User option mode, including option, start, exit buttons.
;Flag 2-> User flash mode, including start, exit buttons.

[ApplicatonFlash]
Flag=0
Model=

;Some specific platforms need to flash by application. Only support 32bit Windows.
;Flag 1-> Flash by application
;Flag 0-> Flash by BIOS
;Model is the name of the platform.

[ReturnErrorCode]
FileNotFound=3
ErrorBeforeFlash=4

[UpdateEC]
Flag=0

;0 -> Not flash EC by BIOS.
;1 -> Flash by BIOS now.
;2 -> Flash by BIOS after windows shutdown.

[Region]
BIOS=0
GbE=0
ME=0
DESC=0

[Log_file]
Flag=1
FileName=InsydeFlash.Log

;0 -> Not create log file
;1 -> create log file

[ReturnCodeDefinition]
RETURN_SUCCESSFUL=0
RETURN_MODEL_CHECK_FAIL=259
RETURN_USER_CONFIRM_CANCEL=1602
RETURN_AC_NOT_CONNECT=1602
RETURN_LOAD_DRIVER_FAIL=1602
RETURN_NEED_REBOOT=3010
RETURN_USER_EXIT=1602

4.) Put the latest update FD in the same folder

5.) Flash your AAO once and reboot

6.) Now put your JPG (or use the sample below) into the WINFLASH folder and edit the following lines:

[Logo]
PatchLogo=1
FileName=hax_splash.jpg
GUID=

and

[ForceFlash]
ALL=1
BB_PEI=0
CPU_Microcode=0
Variable=0
DXE=0
EC=0
Password=0
OEM_NVS=0
Logo=1
Type#09=0
Type#08=0

If you don’t have a logo yet, use the test one I made.

7.) Start flashing; it won’t show you a new revision being installed, but that’s OK.

8.) Check the log to see if everything was OK

9.) Reboot and enjoy your logo

Stuff

WINFLASH - http://rapidshare.com/files/232508398/Winflash.zip

Sample Bootlogo - http://rapidshare.com/files/232508822/hax_splash.jpg.zip

Credits & Copyright

Hack was done by myself (sam[at]hackint0sh.org)

  • Aspire One is a trademark of Acer.
  • WINFLASH is (C) by InsydeSW Taiwan, maker of InsydeH2O
Feb
07

NDS Videoguard

I did some research on the NDS Videoguard cipher protection and came to the conclusion it is kinda secure, unless someone would be able to get the algorithm of the card, catch the EMM with info for the update and decrypt them.

The algo used on the card seems to end up in an md5 sum which is used as a key; how exactly it works, well, that’s the question of all.

Interesting read, and the only valuable resource I found so far, is: http://colibri.de.ms/

He seems like the only lonesome cowboy these days, bothering to publish some kind of this stuff in such a quality form. Stay away from PayTV pirate boards. Most forums are flooded with noobish freaks, whose only interest is getting free PayTV, but where is the fun? Once it works, it’s uninteresting anyhow.

Current methods used to get around this still secure technique involve something people call cardsharing, which means sharing the keys calculated from the card via some kind of private p2p darknet. The tool used for this is a further development of card2d called card3d, which has this functionality.

To dump EMM and ECM packets from PayTV, use a dbox2 or similar and card2d, which you get from your linux. Source for it is available from the tuxlinux site (check out the cvs trunk, you will find it).

I will continue this file on my list once my new dbox2 arrives so I can dump a bit.

 

Feb
02

Creating a XP USB Stick for installing on a AAO D250

This is important info, it was found originally here: http://wiki.eeeuser.com/windowsxpusb

I can confirm this is working pretty well. If you have a SATA AAO, make sure you use either a self-made disk with SATA drivers or catch an ISO which contains them. SATA generic work fine.

Create USB Stick from Windows:

1. You will need a special tool to copy the installation files and make the USB stick/SD card bootable. Get it here: http://wiki.eeeuser.com/_media/usb_multiboot_10.zip

2. Unpack to any folder. THE PATH TO YOUR FOLDER MUST BE SIMPLE AND WITHOUT SPACES! (e.g. c:\usb_multiboot_10)

3. Insert USB stick / SD card.

3.1. ALL DATA ON YOUR STICK WILL BE ERASED! Please back up before running USB_MultiBoot_10.cmd!

4. Run USB_MultiBoot_10.cmd. Follow the text description.

5. The format utility will appear. Choose NTFS for >=4Gb usb flash and FAT16 for other, start format, close after finishing.

5.1. diamondsw: Using the “HP format” option works fine for any capacity, and you can use FAT32 without problems (I used a 4GB stick). This can be useful as more systems can read FAT32 than NTFS.

5.2. NOTE: If you are doing this from a Vista machine, you may need to run PeToUSB.exe as administrator in order for this program to recognize the jump drive. (Right click PeToUSB.exe > Properties > Compatibility > “Run this program as an administrator” checked.)

6. Set options 1 and 2. Set option 0 only if you want to use a USB HDD instead of a USB stick / SD card.

7. Do not touch other options if you have no idea about them.

8. Choose 3 after setting all other options. It will create the image and write it to the USB stick as well as making the USB stick / SD card bootable.

9. Answer Yes to all questions that come up (these vary depending on options selected).

10. When it finishes copying, remove your USB stick and insert it in the EeePC to install XP.

11. When you turn on the Eee, hold down “Esc” to choose the boot device and select the USB stick / SD card. You'll need to do this at each reboot until XP is fully installed and you've logged in.

12. Choose Text installation the first time and GUI INSTALLATION AFTER REBOOT TWICE! (Choose step 1 to start installing, after reboot choose step two, after continued install press step 2 AGAIN to log into XP. As soon as you arrive at the Windows XP Desktop you can safely remove the USB stick / SD card.)

12.1. If you get hal.dll not found errors, read carefully the last two bullets!

IMPORTANT! DO NOT REMOVE USB STICK UNTIL YOU'LL SEE XP's LOGIN SCREEN!

 

Jan
02

GDB

Here are some GDB tricks for our fellow code ninjas ;)

Get the args of a call

b *0xCALLOFFSET

then you can:

p $esp
p $esp+4

etc. + 4 for each arg.

You will get a memory address, so directly do

x/x $esp
x/x $esp+4

etc. After that you can do a:

x/fs 0x0806ffff

or

x/8fx 0x0806ffff

or similar to extract your stuff from memory.

 

May
07

Custom firmware on PSP

Did you ever need something to make your girlfriend busy while hacking around on something else? Get a PSP.

With a tool battery, a so-called Pandora battery, you can get it into service mode and flash a custom firmware which allows you to do a lot of funky stuff with it, including playing cso/iso and homebrews.

I heard someone say this battery became public after some dude found a real tool battery from Sony in his PSP after he got it back. Duh! First copies of it were sold extremely expensive on eBay, before the Chinese figured out how to make them ;)

Works for most PSP Slim & Lite, like the one I got, except the 3000 models, but I have never seen any of these around local stores here.

How it works (done on a Mac)

Things you need:

  • get a Pandora Battery from a retailer (or build one from another battery, but buying is most of the time the cheaper solution), it costs about 19Eur/25$
  • get a Memory Stick Pro Duo (be sure it’s Pro, not just Duo), it should cost from 10-20Eur/15-25$ depending on size.
  • install XP to VMware Fusion
  • get Rain’s UltraLite MMS Maker for 5.00 M33-4/DCv8 (google for it like “name rapidshare.com” and you will find)
  • Sony Original Firmware 5.00

How to do:

  • Fire up Windows and follow the steps in the Readme of Rain’s Utility
  • connect the PSP into VMware
  • make stick
  • load the tool battery: put in cable, start to a usable system, pull out the original battery and put in the tool battery. Then wait for it to load fully.
  • pull out tool battery
  • insert the stick you made with Rain’s Toolkit (BEFORE inserting tool battery)
  • start PSP with tool battery, like insert it
  • follow instructions on screen

So now you are done. You can put ISOs in your ISO folder on the card, hooray.

Hint: If nothing comes up on your screen, but your lights blink, you got one of these rare devices which show nothing, try pressing X and wait for it to reboot. Google for this error, you will find posts of people in various places with the same problem.

 

May
07

AAO D250 hardware highres pics

For the geeks, here are the pics of the D250 mainboard and sideboard in highres:

http://www.flickr.com/photos/38175080@N03/sets/72157617808621423/

Get the kingsized ones via “download original size” button in flickr.

 

Feb
12

Schnitzel Howto

What you need

  • get some cuttings from pig crest, NO other like veal or something, must be pig. The piece should be nearly free of fat and sinews and around 1 cm high.
  • get an egg, flour and breadcrumb powder (see below)
  • a pan
  • oil (sunflower works perfect, -NO- olive oil!)

You can do breadcrumb powder yourself: get an old bread or something which got hard and rasp it to tiny powder

Let’s cook!

  • before you do anything, put it on a towel and remove any wetness from it
  • then hit on it with a pan multiple times so it gets thinner, something like 0,5cm. A common mistake is to use a hammer with spikes. This will damage the meat and make it dry while cooking, use something really even to hit it thin.
  • put the pan back on the cooker on high heat and put the oil in the pan to heat it up
  • crack the egg and put everything in a bowl
  • mix the egg stuff in the bowl together with a fork or something
  • put some salt and pepper on the cuttings
  • put the dried cuttings in flour so they’re covered with a coat of flour
  • then drag it through a mix of the egg stuff in the bowl (needs to be covered with egg entirely after)
  • drag it through the breadcrumb powder till it’s gluing on it all over
  • put it in a pan you heated with oil
  • let it get golden brown from both sides
  • now serve either with a little piece of lemon, sauce or/and french fries

This recipe is 100% guaranteed to taste if done properly, happy food hax0ring!

 
