Develop Bugs

Windows Phone 7 - The "Genuine Windows Phone" certificate

This is a new feature for WP7. An API will be provided for external services to validate that a call is coming from a Genuine Windows Phone. This will be accomplished by a requirement that every phone have a unique certificate applied during manufacturing process (similar to an IMEI, but more than a simple number, an actual .cer)
The certificate is to be stored in the "Device Provisioning Partition" during the manufacturing process and is to be destroyed upon completion of manufacturing. Any time a reflash occurs, a new certificate is to be issued.
This represents a significant change from the existing paradigm as your phone will be instantly uniquely identifiable through this method.

Bump for visibility

Is that going to make flashing custom ROMs an issue?

i think it gonna make flashing difficult..
if you flashed with custom, your WP7 would not be taken as genuine hehehe like Windows 7 lol

maharz said:
i think it gonna make flashing difficult..
if you flashed with custom, your WP7 would not be taken as genuine hehehe like Windows 7 lol
Click to expand...
Click to collapse
lol then you have to mod your bios.

On the bright side, we may have fewer reasons to flash custom ROMs on WP7. What are our current reasons for flashing?
1. We need new OS versions on our devices when OEMs don't provide that. Well, this is supposed to be taken care of by centralized update mechanisms for all devices. WP7 will also support partial updates where you don't have to change everything but rather update certain components. Also, firmware files should be replaceable - otherwise OS updates wouldn't work. We'll be less dependant on HTC or whomever.
2. We need components from other devices (newer versions of Manila etc.). Well, these won't exist anymore.
3. We want light ROMs. WP7 will need things added, not removed, for the most part, and crapware will be very limited.

vangrieg said:
On the bright side, we may have fewer reasons to flash custom ROMs on WP7. What are our current reasons for flashing?
1. We need new OS versions on our devices when OEMs don't provide that. Well, this is supposed to be taken care of by centralized update mechanisms for all devices. WP7 will also support partial updates where you don't have to change everything but rather update certain components. Also, firmware files should be replaceable - otherwise OS updates wouldn't work. We'll be less dependant on HTC or whomever.
2. We need components from other devices (newer versions of Manila etc.). Well, these won't exist anymore.
3. We want light ROMs. WP7 will need things added, not removed, for the most part, and crapware will be very limited.
Click to expand...
Click to collapse
Very true. With the OTA MS updates and such it will make life easier for updating the OS.

That could also bring a pitfall - hacking attempts that once worked get blocked.

Da_G said:
This is a new feature for WP7. An API will be provided for external services to validate that a call is coming from a Genuine Windows Phone. This will be accomplished by a requirement that every phone have a unique certificate applied during manufacturing process (similar to an IMEI, but more than a simple number, an actual .cer)
The certificate is to be stored in the "Device Provisioning Partition" during the manufacturing process and is to be destroyed upon completion of manufacturing. Any time a reflash occurs, a new certificate is to be issued.
This represents a significant change from the existing paradigm as your phone will be instantly uniquely identifiable through this method.
Click to expand...
Click to collapse
1. Project Echelon, lol.
2. End of dev'n'hacking, lol.
(now, remove both lol's)
M$ REALLY thinks it may compete with iphone(and apple stupidity), can you believe...

The "uniquely identifiable phone" feature is probably the major reason for this. Face it, outside of these forums, how many "non-genuine" WM builds are there?
What this provides is a token-pair for secure message encryption and a single point of origin/destination for all those notifications.
Thank you for the information, Da_G.

So it seems this will also affect us being able to port a WM7 ROM to another mobile?

So this means evry phone has a unique certificate

They will look for a way around that. For instance...who's to say microsoft are even implementing the certificate etc on prototypes...that would be darn impractical since there's so much chopping and changing in this developer stage, and do we know the servers are up and running? We should cross this bridge when we/Da_G come to it, and look for a bypass if not.
I do not think this money will be wasted if we dont port it to HD2, the fact is I will be the first to donate when pre-orders for the first HTC WP7 handset is outed so that Da_G can use his tools for that too. The JTAG test point will be useful to the community and I know Da_G will use it for the community...actually there's very little personal stuff he could do, and I doubt he would anyways, since all the uses will be of benefit to the community.
We should definitely start look at alternatives to the marketplace now, like Cydia. I'm not sure how the guy's doing it, whether he has servers etc, whether we could use them for multitasking/social networking or other uses. Depends how far microsoft go. Anyways, we all know that if m$ close it down and we cant jailbreak etc, then the community will have to migrate to android.

if i understand the situtation. If every phone is uniquely identifyable it means that imei may be part of cert calculations which means update code would have to be able to generate a cert or request a cert from the update server.
But if the phone checks the certs validity reverse engineering the check could help us fake cert files
EDIT:
after reading on rom deployment it seems that it cert files would need to be faked in order to port to other phones and updates will also involve trickery of its own
Unless somone does something even more awesome

Contact from Kin Developers

About 2 weeks ago, I took johnkussack's advice (I think it was him) and went to LinkedIn to try t be friends with anyone who came up on the search for "kin phone". In the invite email, I just said that I noticed they worked on the Kin phones and would like to ask them a few questions on how one could write to the phone. I have had 3 responses in the last 2 days.
Guy1: didn't know because he worked on the UI for the Kin Studio
Guy2: kindly told me he couldn't release an unauthorized build and that he would be breaking the law by doing so.
Guy3: This guy worked on the phone for over a year. He first told me I was breaking the DCMA by hacking/reverse engineering Kin, regardless of intent. Then he said this important thing:
"You are absolutely right in assuming that the device is locked; in fact, it has a hardware lock that is common to many such devices. When the devices roll of the manufacturing line the programming fuses are blown (literally) preventing any further programming of the device. This is all handled by hardware so unless you find a flaw with that you are out of luck."
So if this is true (sounds like it is), the "dream" is over. Hopefully there is some way that someone out there can find.
If I get more responses, I will post them here. Don't ask me to go back to these three who already replied and asked them more questions, I think I made some of them mad.

Hmmmm... I don't know whether or not the KIN models will accept OTA updates so that's a good question to ask. If OTA updates are possible then it's inherently possible to change the software. I wonder...

Yes, it was me the one who said about "linkedin".
But i also said "in one word NDA". You should known even before ask that the signed NDA are also legal contracts, so i prevented before asking them.
On the DCMA, yes.. on the USA. Outside the big country, the legal question is different and may not operate with that law. (if ever). If they provide a normal (legal?) way to unbrick my factory mode here, or to use the phone options, then i wait for the cost for it.
And everyone knew that hardware was not the way, just at the moment where first flash attempt failed. "Dream" is doable by software, if anything is to be done.
What i don't get is why to ask for rom rom roooooms, where we need drivers drivers driveeeeers... or sdk's. We won't get it anyway from MS, but no flashing means a rom is futile, non useful,crap pack of bytes.

But i also said "in one word NDA". You should known even before ask that the signed NDA are also legal contracts, so i prevented before asking them.
Click to expand...
Click to collapse
I figured I just take a shot in the dark; hope for the best and expect the worst. Since the phone and suuport from MS was discontinued, maybe the NDAs would be voided.
And everyone knew that hardware was not the way, just at the moment where first flash attempt failed. "Dream" is doable by software, if anything is to be done.
Click to expand...
Click to collapse
Good to know you still think there's a way.
What i don't get is why to ask for rom rom roooooms, where we need drivers drivers driveeeeers... or sdk's. We won't get it anyway from MS, but no flashing means a rom is futile, non useful,crap pack of bytes.
Click to expand...
Click to collapse
I just asked if "there is a way to get around the write lock". Had I known ahead of time to ask about drivers or SDKs, I would have put that in the msg.

I strongly believe that we could operate with the device,softwarewise. there is proof that the kin NAND memory (for now on, called "Storage" as label) is writeable. Not sure on the Rom part.
Of course, i mean.. just use it as a normal writable storage memory.
I posted how it could be done and would do it myself but, again, i bricked my phone, and available ones (through bidding sites) are so expensive to buy another one just for this (+ $150). Don't see a way to get it internationally again.
And even doing it, i'm not sure about what could be done just writing on the storage mem....

If the fuse byte is burn't should not it have prevented you from bricking?

kintwouser said:
If the fuse byte is burn't should not it have prevented you from bricking?
Click to expand...
Click to collapse
Nvitem bricked, not flashing bricked. You can succesfully write to the NVItems memory. But i guess it's just configuration memory and not the one "fused".

I just want to mention that jailbreaking a phone is NOT illegal in the United States! Geohot hacked the iphone... Apple went after him... Apple lost.
Also blowing the programming fuses seems a little fishy to me actually. No other phone does that. The majority of other phones have been flashed. I just think it would be pretty odd for a company to do that so that they no longer could update it. I am not sure I believe him. If this really was true... then why wouldn't Apple or Sony be doing it? This also doesn't make sense since Microsoft actually originally intended on putting WP7 on this as well as allowing apps for it. Check this article out:
http://www.intomobile.com/2010/05/12/kin-windows-phone-7-a-lot-closer-than-we-thought/

you must understand, its not possible to blow fuses in the hardware, it would be a top news story if they were able to keep the OS running in complience with the flash memory without it crashing. Obviously that was a lie to discourage us, and i dont even think that was a real kin developer, because microsoft clearly stated that all kin developers would be moved to WP7 or another programming section. And it doesnt matter if its legal or not to jailbrake phones, if we are porting a new OS, we wouldnt have modified the original OS, which is what jailbraking means. Most likely the OS is hidden deep in the flash memory with a write - protection. If you think its saying access denied because they said the fuses were blown, its wrong. They must just have a password or code that needs to be sent continuasly to the phone to access files. If the fuses were blown, then nothing would be able to be accessed by zune, because it would be impossible to reach the memory.

soninja8 said:
Most likely the OS is hidden deep in the flash memory with a write - protection. If you think its saying access denied because they said the fuses were blown, its wrong. They must just have a password or code that needs to be sent continuasly to the phone to access files. If the fuses were blown, then nothing would be able to be accessed by zune, because it would be impossible to reach the memory.
Click to expand...
Click to collapse
Not my expertise field, but this mobiles can (and in fact they do) have several memories, storing the OS in the ROM memory and all the data on the NAND memory (our "8gb" storage).
Zune software has protocols to query for available storages (requiring its label/id) and is allowed to write/read to it. If you dare to click on update version (at least in the 1st version I tried) it expressed that the option was not "available" to that device without web requesting data, apparently.
So.. in the nand flash we may only have the equivalent of a SD Card. And my last wince PDA showed that as /Storage too, apart from main wince ROM.

You can format the nand memory using win explorer if in fact it is the 8gig storage. I did this and it deleted all pics,albums etc. It was interesting to note that we cannot copy or view these pics without an access error but it does let me delete them.
I just wan't to be able to get my pics off this piece of crap without emailing them.

I posted it once. You are able to:
- Query storage properties (label, size, id,...)
- Query storage folders
- Query folder files.
- Query tracks / albums / playlist / images / anyZuneSupportedFile
- Delete * file (whatever)
- Format the storage
You are "unable" to:
- Upload (create) a file into the device
- Download a file from the device.
MTP protocol tools allows you to do so, from command line (not quite sure if they are available on Win32 OS's), but... fails to operate with this device when it comes to the "unavailable" operations.

I am curious as to which former developers you contacted?
I was doing some research and noticed that Microsoft acquired the company Danger, Inc. After Microsoft purchased them, the former president of Danger went to develop Android (later acquired by Google). One thing I read was that most of Dangers employees left after being purchased by Microsoft. Apparently these people don't like Microsoft all that much! I also looked into it a little more and found one of the founders of Danger who had a twitter account. Of course all of his tweets were via a "KIN". Thought that was interesting. It seems to me that these former Danger employees would be interested in helping out if they don't hold to high of an esteem for the big "M".

seems like this is your first "inside the move" trying-to-hack/reverse a thing, so i will say:
people involved doesnt wanna risk through legal issues, even if they were pissed off, just for "some kids" to have a driver or rom. NDA are strong there, and they could either sign them or leave (if leaving, they don't have the interesting things).
At most you would get bad-mood or good-luck comments, and ocassionaly (very uncommon), leaks (wont happen here).

yeah, they purchased danger for an amazing 500 million dollars, which they later developed the kin with it, they were planning to put windows phone 7 on it, but they were to behind and released it with the old windows CE, then the former developer moved to work on a free source OS, later called android. Google wanted to get android while it was cheap, so they bought that company, and made the old developer as 2nd engineer.

Maybe not worth yet, but we should get more *info* about the SBL mode (aka "Ms Pink Bootstrap), as coinflipper said that it was the way to flash OS or parts (like radio's).
I have been trying even OMA wap WBXML bootstrap examples with it, but as we dont know if our phone is standard, it's like looking for a water drop in the sea of possibilities.
We do not need a guide on how to do something, but what-to-do with it.

Maybe, JUST MAYBE, we could design a program like bitpim. I am a mac user and when I used bitpim with my enV touch, I used to edit all sorts of files. Examples would be phone info, server info etc. We could make a program like that to get the info. I know programming may be hard, but its worth a shot. I hate the OS on this phone, ESPECIALLY WHEN YOU PIN APPS! THEY LOOK HORRIBLE

Kinuser1 said:
Maybe, JUST MAYBE, we could design a program like bitpim. I am a mac user and when I used bitpim with my enV touch, I used to edit all sorts of files.
Click to expand...
Click to collapse
We can't. If we have not the protocols or the supported phone features (protocols, drivers, documentation,...) you cannot guess it and put it into visual basic (or Xcode) and then by *magic*get the program you want.

i will admit that i know very little about protocols and drivers but i would like to point out that bitpim is open source, and that the code can be found here ->
http-//sourceforge.net/scm/?type=svn&group_id=75211 (change "-" to ":")
i seem to recall bitpim already having limited support for the kin, but perhaps with a little research and a little code tweaking we can find ways to improve it? i'm not sure how feasable it is as i have very little experience with programming for phones/usb devices, but it's just a thought.

slimeq said:
i will admit that i know very little about protocols and drivers but i would like to point out that bitpim is open source, and that the code can be found here ->
http-//sourceforge.net/scm/?type=svn&group_id=75211 (change "-" to ":")
i seem to recall bitpim already having limited support for the kin, but perhaps with a little research and a little code tweaking we can find ways to improve it? i'm not sure how feasable it is as i have very little experience with programming for phones/usb devices, but it's just a thought.
Click to expand...
Click to collapse
We can't. If we have not the protocols or the supported phone features (protocols, drivers, documentation,...) you cannot guess it and put it into visual basic (or Xcode) and then by *magic*get the program you want.
Click to expand...
Click to collapse
The above applies to any software you want. Unless you magically found documentation or files (like OP), there's no way to. So f#cked.
The thing is always the same, tweaking tweaking... what to tweak, huh?

[IDEA] Why we don't update chevron?

Do you have a locked phone with Nodo?
So, at this moment your chances are:
Restore the phone to previous version (from Zune)
If your device is LG, you can use the integrated registry editor to unlock it
Buy a developer account subscription
What if your country is not supported by the Marketplace to buy a developer account subscription?
Well, you can ask someone to unlock your phone via remote desktop with their account, then apply any relock prevention
You can use Yallapps unlocking service
I was thinking on update chevron for nodo. There is no marketplace in my country to test and check what is the token used by the developer unlocker application from the phone tools.
Recently I discovered yallaapps (where everyone can register and unlock their phones). It is very unfair compared to the standard marketplace rules (you can upload only free apps, and like 3-4 every 80 dollars).
Anyone here have a yallaapps account to share? (via remote-ethernet usb for example) and unlock my phone to check what is the token, and test if microsoft did something to avoid chevron.cer, etc... I can work some nights trying to get an updated unlocker for us.
Comments?

I've thought about this too. But I have an unlocked Omnia 7 now, with NoDo. And I'm kinda afraid to test for locking/unlocking, because it might lock my phone, while not being able to unlock again. Only a restore of backup or reflash firmware would possibly fix that, but I too busy to risk that now. If it wasn't for that I would've tried a couple of things.
With registry access we can set the value of HKEY_LOCAL_MACHINE\Software\Microsoft\DeviceReg\PortalUrlProd to anything we like. Set it to something like this: http://www.wp7unlock.com. That site does not exist, but that doesn't matter. Note that I mention "http" and not "https" to make it easier. Then add this url to the hosts-file on your computer. Open a http-server on port 80 which logs all http-requests. Now run ChevronWP7 unlocker and try to lock / unlock. Note: Don't try this if your device is upgraded to NoDo and unlocked, and you wish to keep it like that. You can grab the exact request. That is the first step. But this may already lock your device, if you got it unlocked. You need an unlocked device in the first place to edit the registry. If you got the exact http-request that is sent by the NoDo-device, you can manually try to send it to the original url: https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/01/2010. Now grab the response. That will be the second step. Having the request and response may already provide very useful information and help us further.
I think the chance of getting your device re-locked is small. But only someone who is doesn't matter restoring a backup or older firmware in order to re-unlock should try this. If someone feels like testing this, we may get a start on unlocking NoDo.
Ciao,
Heathcliff74

I'm just guessing here, I haven't actually done any research into it, but I believe the patch was relating to the certificate - aimed at the fact that ChevronWP7 relied on WP7 accepting an untrusted certificate being used by the unlocking server if that certificate had been installed to the phone's store. Simply doing some basic checking on the certificate to ensure it's from a trusted authority for example, is probably the route Microsoft took, or something along those lines.
I'm kinda busy with other things right now, but I'll have to get a copy of a NoDo ROM at some point and take a peak at the relevant files.

Another possibility is to hide a registry editor in some app and submit it to the marketplace. But soon or later they will notice the trick.
Pretty convenient the LG devices with their integrated registry editor...

The odds of being able to sneak any app with the InteropServices capability into the marketplace is pretty low, I think. Without that capability, you can't access COM, which means no native code, which means no registry editing.

GoodDayToDie said:
The odds of being able to sneak any app with the InteropServices capability into the marketplace is pretty low, I think. Without that capability, you can't access COM, which means no native code, which means no registry editing.
Click to expand...
Click to collapse
I am just guessing here, but can't you download a dll file to the isolatedStorage, then on the next app start use that file (for example the samsung dll to edit registry keys used by samsung "root" tools)?

hounsell said:
I'm just guessing here, I haven't actually done any research into it, but I believe the patch was relating to the certificate - aimed at the fact that ChevronWP7 relied on WP7 accepting an untrusted certificate being used by the unlocking server if that certificate had been installed to the phone's store. Simply doing some basic checking on the certificate to ensure it's from a trusted authority for example, is probably the route Microsoft took, or something along those lines.
I'm kinda busy with other things right now, but I'll have to get a copy of a NoDo ROM at some point and take a peak at the relevant files.
Click to expand...
Click to collapse
Ok.. Think with me please.. I am by no means a HTTP or SSL expert, but I know a little bit about it. So please correct me if I'm wrong.
HTTPS is HTTP over SSL. SSL does a handshake for encryption keys. Any HttpListener will support this. And SSL with mutual authentication will also do a certificate check. Tom, if what you said is true, then we should install a genuine certificate for developerservices.windowsphone.com. I'm sure some devs have one laying around for us to use. The phone will accept it, because a certified authority has issued it. That would solve things at the end of the WP7 device.
Now the important part. As far as I know, but I may very well be wrong about this, the certificate is only verified on the end of the server. In this case that would be our own HttpListener on the local PC with the hosts-file containing a mapping for developerservices.windowsphone.com to 127.0.0.1. I think the WP7 device does not validate the server, isn't it? So when we let our server accept the certificate, we're done. We can let it accept the certificate with this line of code:
Code:
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
Would that do the trick???
Ciao,
Heathcliff74

eried said:
I am just guessing here, but can't you download a dll file to the isolatedStorage, then on the next app start use that file (for example the samsung dll to edit registry keys used by samsung "root" tools)?
Click to expand...
Click to collapse
I'm guessing now. But I think the capabilities are stored somewhere. And if you didn't have the Interop-capability when you installed the app, you will still not be able to load a COM-dll later on. Also, I don't think you will be able to call LoadLibrary on a file in the IsolatedStorage.
And in my WP7 Root Tools, there are NO Samsung dll's. Only my own code. Both native and managed dll's are written 100% by me. No copyrighted dll's from another party in my code. I explicitly avoided that, because my app will never be banned for that reason. I think Julien Schapman's Windows Phone Device Manager does ship the HTC dll's (not 100% sure about that though). I think he might have a problem with that if he ever want to sell his product.
Ciao,
Heathcliff74

Heathcliff74 said:
Now the important part. As far as I know, but I may very well be wrong about this, the certificate is only verified on the end of the server. In this case that would be our own HttpListener on the local PC with the hosts-file containing a mapping for developerservices.windowsphone.com to 127.0.0.1. I think the WP7 device does not validate the server, isn't it? So when we let our server accept the certificate, we're done. We can let it accept the certificate with this line of code:
Code:
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
Would that do the trick???
Ciao,
Heathcliff74
Click to expand...
Click to collapse
Just a guess here, but I would say that it's the phone who verify the certificate, not the server. That's why you had to install the chevron cert on the phone.

Im not up to date on how these certificates work and where or how they are approved and if there is a difference between certain certs but i was wondering about the cert that we used by xboxmod when he released those omnia apps for all devices or was that just another way to get xaps to work instead of resigning them? Could it be used if not?

I did a bit of reading up on SSL and certificates. I'm still not sure about alot of things, but this is what I get from it:
SSL sets up a secure transport layer by exchanging encryption-keys. And it also supports client-authentication and server-authentication. Authentication can take place by letting one party send its certificate and let the other verify it. For a client this usually means that the issuing party sent a generated certificate against which it can be authenticated. A server is authenticated by its certificate. The certificate needs to be verified. The verification is done by checking the certification-path. The issuers must be trusted by the verifying device. I'm not sure, but I don't think it is normally necessary to install a certificate when you genuine unlock your device. If it is necessary, then that means that the unlock server from Microsoft does client-authentication too. But that is not important when we want to spoof that server with a http-server on our localhost (like ChevronWP7), because we can just skip the client-authentication. We simply don't care about that.
(nico) said:
Just a guess here, but I would say that it's the phone who verify the certificate, not the server. That's why you had to install the chevron cert on the phone.
Click to expand...
Click to collapse
I think the unlocking software on the WP7 device probably does something like this (pseudo-code):
Code:
if (!SecureConnection.Server.IsTrusted())
{
LockDevice();
return;
}
If the server is not trusted, the unlock will fail. So Chevron has its own built-in http-server. With its own certificate. Except that certificate is normally not trusted by the WP7 device, because that certificate is not signed/issued by one of the Certified Authorities that is known by the device. So in order to let the IsTrusted() succeed, a certificate must be installed on the device first. That certificate adds the signing authority (self-signed by Chevron) to the trusted authorities.
Now in NoDo, if Tom is right, Microsoft changed it into something like this:
Code:
if (!SecureConnection.Server.IsTrustedByCertifiedAutority())
{
LockDevice();
return;
}
That means, that it does not only verify if it is trusted, but the top of the certification-path must be a Certified Authority. In this case a self-signed certificate is not accepted anymore.
I have access to the certificate-stores on my Samsung Omnia 7. But for that the device needs to be unlocked. So, that is not useful for unlocking devices. And that exploit only works on Samsung devices.
Now that I understand this better, I see that my previous proposal won't work. But it gives me something to think about. Got to get a way around that.
lucasryan said:
Im not up to date on how these certificates work and where or how they are approved and if there is a difference between certain certs but i was wondering about the cert that we used by xboxmod when he released those omnia apps for all devices. Was that a cert that just allowed us to use those apps to work on other devices just like we do now by resigning a xap to work from another brand, or is it a cert that might could be used?
Click to expand...
Click to collapse
That was some developer-certificate from the WinMo 6.5 SDK or something. It didn't really do anything other than invalidating the signature, which in combination with removal of the DRM file in the XAP would remove the DRM-protection. It works even better to simply remove the certificate from the file. The certificate was simply to replace the valid certificate with an invalid one. The certificate from xboxmod is not of any use here.
Ciao,
Heathcliff74

ok I understand now how they work and what it needs to be. Alot more to it than i was thinking, so there is a chance to find a cert somewhere. somehow.

Very good information, I am not too much into SSL security also. I have an Idea for a new unlocker (not based in chevron's method):
Someone in a Marketplace-enabled country buys a subscription
An application uses that subscription + the code inside the Developer unlock application to unlock a phone
Then the same application deploys (and executes) a xap (like samsung tools) to prevent the device relocking
The same application then deletes the device from the developer account
So, with a minor cost, we can have unlocked phones. I don't know if the dev account can get blocked if the user unlocks and "relocks" a lot of devices, but if one account is good for 10 phones, its fine ($10 usd each unlock)

lucasryan said:
ok I understand now how they work and what it needs to be. Alot more to it than i was thinking, so there is a chance to find a cert somewhere. somehow.
Click to expand...
Click to collapse
No. These are the best kept secrets in the industry. When those key leak a lot of DRM is compromised. And in most systems certificates, once compromised, can be revoked (through updates that are pushed or pulled). The ChevronWP7 guys did a brilliant job in finding the loophole in the server-authentication. I think Microsoft has closed that one now. But maybe there's another loophole in the unlocking system.
There might also be other attack-vectors. If we can get XML-provisioning working from outside the device we can set the registry-values to unlock the device. Maybe OTA Provisioning can be done with WP7 devices.
Another possibility for XML provisioning can be found in this dll:
Code:
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.DeviceConnectivity.Interop.10.0\v4 .0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.DeviceConnectivity.Interop.10.0.dll
You can open it in Reflector. There's a class called DevicePackageClass. It has a method called ProvisionDeviceXML(). So I tried using it, but when I instantiate the DevicePackageClass it gives me an error:
Retrieving the COM class factory for component with CLSID {E987B9DE-8471-11DB-96A9-00E08161165F} failed due to the following error: 80040154 Class not registered (REGDB_E_CLASSNOTREG)
The class is actually a wrapper for a COM class. So I looked it up in the registry. It seemed to be found in this dll:
Code:
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\dip.dll (VSD Device Integration Package)
But is actually part of Visual Studio 2008, not Visual Studio 2010. The dip.dll is not installed with Visual Studio 2010. So I figured I might have a better chance with this dll:
Code:
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.DeviceConnectivity.Interop.9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.DeviceConnectivity.Interop.9.0.dll
But it gives me the same error. I also tried to register dip.dll with regsvr32. The registration worked, but the error was still the same. I even tried to access dip.dll directly, but I still couldn't create the COM class DevicePackageClass ("Can't create object").
So if we can somehow instantiate that class we might get XML provisioning working and unlock the device directly in the registry. Needs more research.
Ciao,
Heathcliff74

eried said:
Very good information, I am not too much into SSL security also. I have an Idea for a new unlocker (not based in chevron's method):
Someone in a Marketplace-enabled country buys a subscription
An application uses that subscription + the code inside the Developer unlock application to unlock a phone
Then the same application deploys (and executes) a xap (like samsung tools) to prevent the device relocking
The same application then deletes the device from the developer account
So, with a minor cost, we can have unlocked phones. I don't know if the dev account can get blocked if the user unlocks and "relocks" a lot of devices, but if one account is good for 10 phones, its fine ($10 usd each unlock)
Click to expand...
Click to collapse
Microsoft scans the apps that are submitted for the marketplace. I doubt very much this will ever pass through. And if it will Microsoft will block it as soon as they find out. And it also needs the InteropService capability, which will never be allowed in the Marketplace.

Heathcliff74 said:
Microsoft scans the apps that are submitted for the marketplace. I doubt very much this will ever pass through. And if it will Microsoft will block it as soon as they find out. And it also needs the InteropService capability, which will never be allowed in the Marketplace.
Click to expand...
Click to collapse
My idea was not an app for the marketplace but a desktop app like Chevron

eried said:
My idea was not an app for the marketplace but a desktop app like Chevron
Click to expand...
Click to collapse
Ohw. Sorry. Misunderstood. I get what you meant. But you're gonna need new dev-accounts all the time. Everytime Microsoft will block one dev-account after a certain amount of unlocks, you'll have to get a new one. Who is willing to get all these accounts? This will probably run out very fast.

Heathcliff74 said:
Ohw. Sorry. Misunderstood. I get what you meant. But you're gonna need new dev-accounts all the time. Everytime Microsoft will block one dev-account after a certain amount of unlocks, you'll have to get a new one. Who is willing to get all these accounts? This will probably run out very fast.
Click to expand...
Click to collapse
Of course, but I personally don't have a problem about paying $10-$40 usd to unlock my device. Even $100-$200 seems fair to me for the complete developer account, but I can't pay here in Chile

eried said:
Of course, but I personally don't have a problem about paying $10-$40 usd to unlock my device. Even $100-$200 seems fair to me for the complete developer account, but I can't pay here in Chile
Click to expand...
Click to collapse
Personally I don't like the idea, that I just bought a device of €550 and I have to pay another €100 to actually be able to have control over the device. I also needed to put in countless hours of work to get access to my system and to be able to set the colordepth for instance.
To be real honest, I really don't like the locked-down nature of the device. I liked Microsoft for their open systems (not open source, but highly customizable etc). And I also highly appreciate their developer tools and SDKs. And I love Silverlight. But if I would have known that the phone was so much locked down, I may have considered a Samsung Galaxy S instead of Samsung Omnia 7. Both great phones with super AMOLED etc. WP7 looks much better than Android, but Android is an open OS, which I would prefer. I think Microsoft should have made 2 flavors of WP7; one locked down version for the privacy-freaks and an open version for the tweakers. Anyway, I have the Omnia 7 now with WP7. And I will get it open, even if I have to break it open myself.

Heathcliff74 said:
Personally I don't like the idea, that I just bought a device of €550 and I have to pay another €100 to actually be able to have control over the device. I also needed to put in countless hours of work to get access to my system and to be able to set the colordepth for instance.
To be real honest, I really don't like the locked-down nature of the device. I liked Microsoft for their open systems (not open source, but highly customizable etc). And I also highly appreciate their developer tools and SDKs. And I love Silverlight. But if I would have known that the phone was so much locked down, I may have considered a Samsung Galaxy S instead of Samsung Omnia 7. Both great phones with super AMOLED etc. WP7 looks much better than Android, but Android is an open OS, which I would prefer. I think Microsoft should have made 2 flavors of WP7; one locked down version for the privacy-freaks and an open version for the tweakers. Anyway, I have the Omnia 7 now with WP7. And I will get it open, even if I have to break it open myself.
Click to expand...
Click to collapse
Nobody likes a locked device.
But I do understand the Microsoft posture about this.

Latest HTC radio drivers disables ability to edit the registry

I can still sidle load and my phone is still interop unlocked but neither my registry editor nor my advanced configuration editor work. Way to go HTC and MS, pat your selves on the back. I pay $99 dollars a year to have my phone unlocked and to develop apps but I can't even develop useful apps because APIs and restrictions, I can't customize my phone with out hacks, nothing! And to top it all off the phone has very limited functionality. What is MS thinking? I'm seriously thinking about jumping ship after being a loyal Windows Mobile supporter from the very begging. It use to make me sick to think about how flooded the market is with Android phones and now I know why. I can't even come on here and vent my frustrations or voice my opinions without someone getting offended or warned like I'm some child. Granted that all phones have their fails but not as many as this phone, I wish Windows Mobile was still around, imagine a world with no having to have an Windows live account or no complicated Zune, imagine just being able to do what you want or need to do without any limitations or restrictions. Imagine being able to laugh at Android and iPhone users. I honestly don't see Windows Phone 8 being any better at all. Say what you want, lash out at me with your fan boy comments, report me to your MOD but no matter what you say or do at this rate WP will fail.

what is the radio driver version , is it 5.71??
well u cant blame anyone, WP7 is more secure than IOS.
thats a good thing right?

The purpose of paying $99 per year is to develop applications and publish them to the app store.
Being able to sideload for anything other than testing was just a side benefit.
If all you wanted was to side load apps, the ChevRon utility would have been a much better deal. One time fee verses yearly and 10% the cost.
Surprised that the radio drivers are to blame. Unless there was a flaw in them that was being exploited to make the editor.
It is pretty annoying that you can't directly programatically alter the registry.
But, I believe the provisioning methods still work. Just write a C# app that will provision a file. Then have the app generate an xml provisioning string to alter the registry and apply it.
There are ways to read the registry doing the same thing.
I can probably find a link in the Windows Phone 7 development section on how to do this.
I will update with a link if I find something.
Link for an HTC ProvXML importer and Reg to Prov XML convertor: http://forum.xda-developers.com/showthread.php?t=907169&highlight=registry
Try searching that forum for ProvXML. There probably are examples. Serach is temporarily disabled. It always around this time of day for about 20 to 30 minutes.

I was afraid of this. The HTC driver updates may have been to v2 and that breaks the interop-unlock ability (such as allowing ACT and Reg Editors to run). This is known and mentioned by Heathcliff.

Magpir said:
what is the radio driver version , is it 5.71??
well u cant blame anyone, WP7 is more secure than IOS.
thats a good thing right?
Click to expand...
Click to collapse
They just fixed an exploit.
Of course it's good to have your own device unlocked, but if Microsoft or HTC wanted you to modify the registry they would have released that feature natively.
For example LG has a native application to do this on their Windows Phones.
I interop unlocked my girlfriend's Optimus 7 the next day she got it in 1-2 mins.

what has the radio got to do with this?
will downgrading radio help then?

I know, it's my fault for being stupid and accepting the update, it's a little faster but I noticed it drains my battery much quicker and it disabled my reg exploits. to be honest I thought it was the keyboard fix but the keyboard seems to be getting worse. Microsoft is not what it use to be, Steve Jobs was right, MS is not original and always steal Apples ideas, why if the thing that made WM better is what is diving Androids success. I went to the T-Mobile store and was tempted to switch but walked out and have not decided yet but I just give up on WP this year if MS doesn't stop being so Communist like.

JVH3 said:
The purpose of paying $99 per year is to develop applications and publish them to the app store.
Being able to sideload for anything other than testing was just a side benefit.
If all you wanted was to side load apps, the ChevRon utility would have been a much better deal. One time fee verses yearly and 10% the cost.
Surprised that the radio drivers are to blame. Unless there was a flaw in them that was being exploited to make the editor.
It is pretty annoying that you can't directly programatically alter the registry.
But, I believe the provisioning methods still work. Just write a C# app that will provision a file. Then have the app generate an xml provisioning string to alter the registry and apply it.
There are ways to read the registry doing the same thing.
I can probably find a link in the Windows Phone 7 development section on how to do this.
I will update with a link if I find something.
Link for an HTC ProvXML importer and Reg to Prov XML convertor: http://forum.xda-developers.com/showthread.php?t=907169&highlight=registry
Try searching that forum for ProvXML. There probably are examples. Serach is temporarily disabled. It always around this time of day for about 20 to 30 minutes.
Click to expand...
Click to collapse
Unfortunately I don't know how to work with ProvXML's. I will check out your link, thanks. do you by any chance know how to change the dark background color back to black using this method?

So you mean to tell me that Windows Phone is actually more secure than the iPhone? God all mighty!! I seriously hope Windows 8 is not as lame as Windows Phone.

sinister1 said:
Unfortunately I don't know how to work with ProvXML's. I will check out your link, thanks. do you by any chance know how to change the dark background color back to black using this method?
Click to expand...
Click to collapse
I just read the thread you sent me and it says that the new drivers also disable this method too.

To the OP, they also fixed a problem, If you ran connection setup with your phone in CDMA mode, it would kill 3G and the only real way to get it back was to hard reset the phone. It also broke those apps too.
To note, I manually installed 8107(last weekend, 3 days before vzw's release) and it did break Advanced Config (could not add more colors but, only had 3-4 extra onces) but, I am still able to sideload as I need. So, I'm not sure if it was the firmware that broke it...

I don't know what the big deal is with MS not letting us to simply personalize our phones? I mean really what is wrong with changing a notification tone, background color or tile color? If they really don't want anyone hacking the phone then simply give us those options. In every update instead of giving us simple features and options that we want all they do is secure the damn phone down even more It's almost like Microsoft wants to fail. Who wants to pay for a phone that is dictated to the point to where you can't even do that? As much as I hate to admit it; Android is coming up more and more when I think about my options.

sinister1 said:
I don't know what the big deal is with MS not letting us to simply personalize our phones? I mean really what is wrong with changing a notification tone, background color or tile color? If they really don't want anyone hacking the phone then simply give us those options. In every update instead of giving us simple features and options that we want all they do is secure the damn phone down even more It's almost like Microsoft wants to fail. Who wants to pay for a phone that is dictated to the point to where you can't even do that? As much as I hate to admit it; Android is coming up more and more when I think about my options.
Click to expand...
Click to collapse
I guess it really comes down to what you can do. Opening up the phone, opens it to hack software to run. So, it opens a world of phones with pirated software on it with nothing MS can do it about it. Not everyone will go this route but, there are people who will not buy anything, and that kills the marketplace and vendors who will add to the marketplace.
As I always say, Pirates will always Pirate, block them and they'll find another way around it. BUT with blocking it makes honest people have a harder time to use their devices or software.
I personally just want to customize my phone and use all the home brew apps but, sad to say they will try to block the honest people just to attempt to stop the pirates...
Back to the subject on hand...
So, Connection setup no longer works (I get a Invalid sim if I go to GSM mode or in CDMA mode, Carrer is not in the database), is it possable to get a older version to sideload that would enable registry edits again ?

DavidinCT said:
I guess it really comes down to what you can do. Opening up the phone, opens it to hack software to run. So, it opens a world of phones with pirated software on it with nothing MS can do it about it. Not everyone will go this route but, there are people who will not buy anything, and that kills the marketplace and vendors who will add to the marketplace.
As I always say, Pirates will always Pirate, block them and they'll find another way around it. BUT with blocking it makes honest people have a harder time to use their devices or software.
I personally just want to customize my phone and use all the home brew apps but, sad to say they will try to block the honest people just to attempt to stop the pirates...
Back to the subject on hand...
So, Connection setup no longer works (I get a Invalid sim if I go to GSM mode or in CDMA mode, Carrer is not in the database), is it possable to get a older version to sideload that would enable registry edits again ?
Click to expand...
Click to collapse
I had that problem before, I had to toggle airplane mode and WIFI back and forth until it took.

DavidinCT said:
I guess it really comes down to what you can do. Opening up the phone, opens it to hack software to run. So, it opens a world of phones with pirated software on it with nothing MS can do it about it. Not everyone will go this route but, there are people who will not buy anything, and that kills the marketplace and vendors who will add to the marketplace.
As I always say, Pirates will always Pirate, block them and they'll find another way around it. BUT with blocking it makes honest people have a harder time to use their devices or software.
I personally just want to customize my phone and use all the home brew apps but, sad to say they will try to block the honest people just to attempt to stop the pirates...
Back to the subject on hand...
So, Connection setup no longer works (I get a Invalid sim if I go to GSM mode or in CDMA mode, Carrer is not in the database), is it possable to get a older version to sideload that would enable registry edits again ?
Click to expand...
Click to collapse
The registry being locked down is less to do with piracy than control.
Code for the Windows Phone 7 was not a complete rewrite of the OS. They did reuse much of the old Windows Phone 6.5. They might have reviewed each piece and modified most, but they did reuse code. If they give you or developers control of the registry, then the entire device could be put into a state that would make nothing work. Or worse, your phone could be made to do just about anything in the background without your knowledge.
It's one thing to not allow programmers to access it. It's another to stop users from doing it intentionally. Any user doing it themself, knows the risks. And you can always reset the phone.
This latest lockdown might spur more interest in creating custom ROMs. Not sure if it is even possible yet for things like the Titan 2 and the new Nokia phones. But, this is the site to find out or find people doing it.

Your right I don't think it's possible at least not for the Trophy or CDMA phones at the moment, I guess we are just stuck at the state of sucks. Either way MS isn't making any money with their strategy at all the hold like 1% of the market; if it weren't for their PC sales they would have already went under.

sinister1 said:
Your right I don't think it's possible at least not for the Trophy or CDMA phones at the moment, I guess we are just stuck at the state of sucks. Either way MS isn't making any money with their strategy at all the hold like 1% of the market; if it weren't for their PC sales they would have already went under.
Click to expand...
Click to collapse
Microsoft has alot more products as well. SQL Server, Visual Studio (professionals don't use the express versions), Exchange Server, Office, XBox 360, msdn subscriptions, Skype, etc.
Microsoft makes money on all HTC and Samsung Android sales. Somewhere between $10 to $15 for each Samsung Android Phone and somewhere around $5 to $10 for HTC Android phone from patent licensing.
So, every Android sold helps Microsoft. Hopefully they use those dollars to improve Windows Phone 7.
This is actually the real reason that Microsoft can afford to deliver things a little late and still be OK.
They have a ton of cash flowing in all the time and the competition financially supports them.
I'm guessing that there is still a way using provisioning to affect the registry. When exchange servers push policies down, I thought they did that through provisioning. If exchange can do this, then there should be another way as well.
It's also how custom ringtones were created prior to Mango. It would create a xap to create a program that would write a ringtone file using provisioning. Something similar should be doable for the registry. Doing it this way would require you to use a computer to deploy the changes, but you should be able to make them.

Thaks guys for your feed back and support. If anyone knows a way that I can change my background back to default #FF00000 black now that the registry option is gone; please let me know, I will dontae becuse I have lookd at some Android phones and to be honest they are always pluged in and charging and the only other opption is the iPhone

Hmm.. was about to update and then cancelled it when I read this. Does it add tethering? but since it still lets us sideload... I kind of want to update, I don't do any registry stuff and i can always hard reset to interop unlock again right?

slick13 said:
Hmm.. was about to update and then cancelled it when I read this. Does it add tethering? but since it still lets us sideload... I kind of want to update, I don't do any registry stuff and i can always hard reset to interop unlock again right?
Click to expand...
Click to collapse
No it actually does nothing other that updates your radio's firmware and blocks exploits, worth less update unless you travel out of the country. This was lame on HTC and Verizon's part. I hate Verizon, MS should just stop doing business with them.

Audit my code please

Short version: I programmed a Windows 8 Oauth app. I didn't know where to post this, but it's mostly done in javascript and HTML so I figured this forum might be best. If others have time, I'd really appreciate it if someone would audit my code. Due to the nature of the amount my request, I thought it would be best to post a link to the GitHub repo. If this is wrong, please correct me.
GitHub: https://github.com/mepis/Windows8OauthAuthenticator
Long Version: I use 2-step for a lot of my accounts. The problem is, I'm lazy. I don't feel like getting up to get my phone after I set it down at night. I wanted a metro Oauth app for Windows 8. I looked on the store, but didn't recognize any of the developers. Due to the nature of Oauth, I choose to err on the side of caution and not use the apps. I'm not saying that other devs aren't well intentioned and good devs. I'm just saying that it's a better idea in the name of security that I not use the apps if I can't verify anything. So I decided to write my own.
That leaves another issue though. Due to the nature of Oauth, the token device shouldn't be on the same device you're putting passwords in. I'm choosing to ignore this a bit. I do recognize that tokens shouldn't be stored in plain text though in the Windows storage space. Instead, I push and pull the token from the Windows Credential Manager and the password vault.
I was thinking of running the tokens, labels, and account names through an AES algorithm and then storing that information in the credential manager. This would require a user password on opening the app though. I'm not sure I want to go that route yet, though it would be easily implemented later on.
The mission of this app is simple. I want to offer an Oauth app that is open source and able to be audited by the general public. I want others to have access to a free tool that they can trust and review. I will never charge for this app nor ask for donations. It's also posted under the GNU version 3 license.
At some point, I am thinking about porting this app to Windows Phone.
I'm very much a amateur developer though. I was hoping that others could audit my app, offer suggestions, and point out mistakes. I very much appreciate any help or time that any person is willing to offer.

While you may well get some takers, and some of them might even know what they're doing, you realize you're asking for something that is usually done by people who do this stuff professionally for hundreds of dollars per hour, right? It's like writing up a legal contract and posting it online and saying "do you think this will hold up in court?"
OK, training to be a security engineer doesn't take as long as training to be a lawyer. But there's *more* lawyers than there are security engineers, and our time is very much in demand (yes, I'm a security engineer; no, I will not audit your code for free unless I expect to have a use for it personally).
I'm not even sure what you mean by "OAuth app". OAuth is a standardized protocol (v2.0, RFC 6749, is more accurately described as a framework) for delegated authentication. For example, you've seen how a lot of web sites let you sign in using your Facebook account? That's because they use Facebook as an OAuth provider. The website delegates the responsibility of authenticating users to Facebook, which is handy for them because they don't have to handle passwords and so forth, handy for the user because many users already have FB accounts, and handy for FB because they gain information about what kinds of sites you visit and can use that to target ads. It also has downsides, of course; the OAuth client (web site) has to trust that FB knows what they're doing and to remain available, the user gives FB info they might not want FB to have and also ends up essentially re-using passwords across sites (a bad idea), and FB bears the cost and responsibility of managing all those logins.
Now, to make any authentication scheme (including but not limited to OAuth) stronger, you can multi-factor authentication (sometimes called two-factor auth or 2FA). The most common way of doing that is using Time-based One Time Password (TOTP, standardized as RFC 6238) security tokens, either in small hardware devices or in mobile apps. Is that what this is supposed to be? Because... that has nothing to do with OAuth.
I have a hard time imagining a situation in which I'd use a TOTP generator written by somebody who didn't know the difference between TOTP and OAuth.

Well, your response thus far has been excellent (I'm not being sarcastic). I need to read more about Oauth then. I must have my definitions and understanding a bit confused.
In actuality, to phrase it better, the application would be a TOTP app then - like Google Authenticator. I used Javascript provided by Google for the TOTP generation. The app itself is rather simple. My biggest concern though is the safety of the tokens. I used Windows Credential Manager to store the tokens on the device. I couldn't find much information about the security of Windows Credential Manager though. That's my biggest concern.
Other than that, thanks for the information. I'm going to do some more reading.

For what it's worth (and without having read your code), it sounds like you're doing OK; TOTP generators are not complex by themselves, and usually the only threat to them is in the secret storage (which you're addressing). Of course, most of them offer things like QR code scanning (as a way to load secrets more easily) and I don't know if you have anything like that or whether there are any security pitfalls there.