The result of probably more than 100 hours of solo hackery: a working COM DLL for allowing any application to elevate itself to SYSTEM (root) permissions.
What you need:
An interop-unlocked HTC phone. Sorry second-gen and Arrive users.
A working HtcUtility driver. It's possible some HTC update at some point crippled this. It works for me; if it doesn't work for you let me know what updates you have.
What it does:
Allows changing the security token of any application to give that app unrestricted permissions. At this point, you can call any user-mode API, perform any operation, with full access.
It also allows you to read or write any value from memory, even kernel memory (this is how it modifies the security token).
What it can be used for:
Darn near anything. If it can be done while the phone is booted, you can do it.
What it can't be used for:
Modifying the ROM - the R and O stand for "read only" and they mean it.
Interop-unlocking a phone - it requires interop-unlock to get root in the first place.
How to use it:
In your app, include the HtcRoot.dll library.
Include the code from DriverAccessTest.cs in the test app (defines the COM API and enables using it).
Call the OpenHtcUtility function (will throw an exception if your device is incompatible).
Call the MakeMeRoot function (can also throw exceptions).
(OPTIONAL) Call the ReturnZeroIfRoot function to make sure your app is elevated (does not throw exceptions, will return an error code if you get one).
Do stuff with SYSTEM permissions (probably using another COM DLL, such as for registry or filesystem access).
Call the RestoreToken function (failure to do this *might* cause a kernel memory leak).
Call the CloseHtcUtility function (OS will probably handle this if program just exits).
What you can do right now:
Try the test app. It should pop up a series of message boxes. Hopefully none of them say anything like "FAILURE".
Report any bugs or failures you discover.
Build things with this library, and publish them!
Breakdown of the download:
There are two folders in the ZIP, one for the Visual Studio 2010 C#/Silverlight XAP project, and one for the Visual Studio 2008 C++/COM DLL project.
The test XAP is in the HtcUtilityTest\bin\Debug folder.
The native (COM) DLL is also available in that folder, or under its own project.
If you want to mess with this, I'm going to assume you are already familiar with hybrid native/managed development for WP7. If not, Heathcliff74 has posted an excellent tutorial on this forum.
Special thanks to:
Heathcliff74 for the hybrid app tutorial and interop unlock info.
Paul_Hammons for the links and info about HtcUtility, the driver that makes this possible. Thread: http://forum.xda-developers.com/showthread.php?t=1434793
Supported devices / firmware versions / ROMs
All HTC devices (if interop-unlocked and with the right firmware numbers) should be compatible.
Some custom ROMs work, some do not. This will depend on the version of the firmware that the ROM's HtcUtility driver is taken from.
I believe I compiled the test app as Mango-only, but the native library doesn't care at all.
Compatible:
Stock ROMs with compatible firmware for HD7, Trophy, Mozart
HD2 (BttF [XBmod-Yuki] v2 SP1)
Not compatible:
Firmware version 2250.21.51004.401 or newer
Verizon Trophy firmware version 2305.13.20104.605 or newer
DFT ROM with build 8107, Firmware 5.10.401
Arrive (except on pre-Mango), Titan, Radar, Titan 2 (no interop-unlock)
Others are untested or results are incomplete.
Goals and future work:
Support more devices:
* Try and add support for newer firmware.
* Help ROM cookers ensure the library is supported.
* Look for similar openings in other OEM libraries.
Future-proofing:
* Allow installation of a mod to support this capability after known updates.
* Resilience against possible future updates.
* Allow users with incompatible devices to downgrade (possibly to NoDo), install the mod, and be able to use the phone after upgrading.
Improve the library:
* Fix some memory leaks.
* Clean up the code - remove dead code and improve comments.
* Allow reading/writing more than 4 bytes at a time from managed code.
* Add APIs to elevate other processes (by name or ID) to SYSTEM.
Develop homebrew around the library:
* Support accessing common APIs (filesystem, etc.).
* Resurrect the Advanced Explorer app, perhaps (registry and filesystem).
* Support native app launching on stock ROMs.
It does not work on HTC 7 Mozart (HTC Europe):
Error to Write the value 1337 to test address - System.Runtime.InteropServices.COMException (0x8007001F): A device attached to the system is not functioning
OS: 7.10.7740.16
Firmware: 2250.21.51101.401
Radio: 5.71.09.02a_22.51.50.21U
Boot: 5.11.2250.1(133487)
Please include the full error message or a description of what went wrong.
Failure on fully updated devices is unfortunately possible - my phone is (intentionally) a few updates behind. I'm looking into ways to make it work anyhow (either sending an older CAB update to roll back, or using the root access to create an unlocker/root-enabler that survives subsequent updates). I'm going to look into how the full-unlock ROMs differ from standard ROMs, and see if I can do the same thing in running software.
Does it work with custom ROMs?
If the custom ROM has a working HtcUtility driver, then yes. My goal is to unlock the kind of capabilities normally restricted to custom ROMs on stock firmware, though.
@bleh815: Thanks for the report. That's frustrating; it looks like it is capable of doing read but not write. Write might just be restricted in what addresses are allowed, or it might be disabled entirely (the driver gives the same error code for every problem that I've encountered so far). Time to figure out
A) what update causes the problem (I'm on 2250.21.30102.531, HD7, stock ROM)
B) what restrictions that update introduces
C) how to work around those restrictions (possibly by downgrading and then using root access to add something that will still work after upgrade).
GoodDayToDie said:
A) what update causes the problem (I'm on 2250.21.30102.531, HD7, stock ROM)
I've just downgraded a mozart of mine back to stock NoDo (TMOB-DE) to find out which OEM update breaks (actually fixes) it.
Cool, thanks! It's one of the post-Mango HTC updates; a Microsoft update wouldn't have modified an HTC driver, and my phone has all the pre-Mango HTC updates but it still works.
Hi, at first it says "SUCCESS!", then it says "Trying to open a file gives error 1260" and then it says "Now opening a file gives error 0" and finally "Finally, opening a file gives error 1260".
System information:
OS=7.10.7720.68
Firmwareversion=2250.21.12200.162
Radio=5.68.09.05a_22.50.50.21U
Bootloader=4.6.2250.0(129185)
HTC 7 Trophy.
That is *exactly* the sequence of messages it is supposed to give!!
In particular, the messages I need to see are the "SUCCESS" (the rest is potentially interesting info, but not very important) and then the "Now opening a file gives error 0".
The "SUCCESS" means that a sequence of read/write tests succeeded.
The "Now... error 0" means that the process has been elevated to full permissions.
The "Finally... error 1260" means that the security token was successfully restored at the end, so it was unable to open the file again. This is the expected and correct behavior.
I don't recognize your Firmware Version number; I'm guessing it's specific to your phone. What method did you use to upgrade to Mango?
how do i install it?
Tried on interop-unlocked HTC Surround, not working. Tested any call in VS debug mode - no luck at all.
I can confirm that it works with any OS version, from 7004 to 8107.79
On a HTC 7 Mozart (TMOB-DE) it works with firmware 2250.21.13201.111 (Stock NoDo ROM) but the hole gets fixed with 2250.21.51101.111 (1st Post-Mango HTC Update).
You guys are gods taking programming to a whole new level!
I wish to see ms take you all more seriously and not let wp7 fail like minmo6.5 did!
I wish I could get on your level!
I really need some help learning basic silverlight myself!
But I have read how hybrid is working and this is just fantastic!
Congratulations on all your developments so far, you guys are truly amazing!
Oh, that code, beautiful reading that!
Thanks for sharing this learnfull code!
I'd like to try it on my Verizon HTC Trophy, I would love to get file access back....
I downloaded the package and I even have VS 2010 installed but beyond that I have no idea as I am not a programmer.
Can someone post a compiled XAP for us to try to see if our phone works with it or not ?
Or some step by step VS 201 directions to try would also be helpful.
@Ttblondey: *FACEPALM* The path to the test XAP is given in the opening post. You install the XAP on your phone using any XAP deployment tool. It requires that your phone be interop-unlocked; Heathcliff74 has a nice long thread about that. The app is called HtcUtilityTest. Run it, and report the results. If you want to actually *use* the DLL, the instructions for doing that are given too but you need to write some code.
@sensboston: PLEASE give a more complete report! Success and error messages, at the least. Also, your phone version info. Thanks!
@bleh815: THANK YOU! I mean, it's a little annoying to know how far back this was fixed ("First post-Mango HTC update" means the one that was included *with* Mango for most people, or the one after that?) but good to know. Now, to look at exactly what they changed...
@jackrabbit72380: Thanks man! As for working with it yourself, like I mention below, I'm planning to provide a universal homebrew library that people can easily use to do whatever they want.
@fiinix: You're welcome! Honestly, I didn't expect anybody to call my mess of debug-commented and mildly hacky C++ "beautiful" but that hack itself *is* pretty awesome. My only concern with using it is the risk of a context switch causing the wrong app's token to get overwritten, and I should probably look into that, but I think it's OK for the moment. There are bigger fish to fry.
In the meantime, it should open up a huge list of capabilities for tools like your DllImport project. I'm currently considering reviving Advanced Explorer (like TouchXplorer + Registry Editor, but open source; was never ported to Mango though) using the root access instead of using ComFileRW and the provxml driver. Let me know what you want to do with it!
One other thing I'd like to add is the ability to easily elevate *another* process; it's not hard to do but I haven't written it yet. This could be handy for apps where we don't have the source code (for example, elevate Schaps registry editor, which uses low-privilege native code for browsing, so it can read *all* registry locations instead of just some of them).
@DavidinCT: Well, running the test app is easy, just install the XAP. It just runs a battery of tests though, it doesn't actually *do* anything useful. To get filesystem access, you'll need to write some native code (which means using Visual Studio 2008 and the CE/Smart Device plug-in, see Heathcliff74's tutorial on the subject). Basically, you would first use this DLL (accessed via COM, you can look at my own C# code for how to do that) to open the driver handle and elevate the process to root. You could then write your own COM DLL that uses the standard Win32 filesystem APIs (CreateFile, etc. - all are documented on MSDN) and exposes those APIs, or the results of them, to managed code via COM. Then, back in your phone app (the one that called into my HtcRoot DLL) you can call into your own DLL to access the file system.
If that's too big a leap, don't worry. I plan to release a general-purpose high-privilege homebrew DLL that exposes some of the most-used functionality (filesystem, registry, provxml, and other things by request), is easily extensible (possibly using something like the DllImport project, where you just specify the function you want to call and the DLL it's located in right from C#), and that will be a lot easier to hack with. You'll still need to know C# and basic Silverlight, but it'll be a lot easier (and hopefully useful without knowing any C++ or COM).
GoodDayToDie, you are amazing, always keeping me interested!
When starting the test xap, I get the below, it then goes into the "Page Name" and that's it.
Device Info here, running a FullUnlock DFT Rom by a Chinese dev from the DFT Forum.
Nonetheless, top work on getting this started and can't wait to keep reading about the progress!
XeKToReX
Is there a list of the mandatory APK's that the Desire must have ??
I'm playing with various ROM's to try and find one I like, and the nearest so far is the RSK Special Edition. With the Aroma installer I can get rid of some of the unwanted rubbish, but that still leaves 130 odd APK's autoloaded from the sd-ext/apps folder.
Now some are well named and easy to understand .. but many others are complete guesswork as to what they do and if they are required ...
I have found lists of required APK's on the site, for example for the Samsung, but not for the Desire.
Google searching doesn't help, so can anyone here ??
Many thanks
E
just freeze them with titanium backup or another app and if anything works fine (test for a few days) you can remove them
Tapatalked with my HTC Desire
Interesting idea .. I'll try that ..
Hopefully it will use the name of the APK rather than the app name ?? as they seem to be quite different sometimes !!
Dear All,
Hello,
It's my first time here....so I want to say thanks to the admin & kudos to all who have been contributing so much .......
I am an android user and have been using a couple of devices such as HTC, Sony and now back to HTC.
I have recently bought HTC ONE X, slightly used. The details are:
Android Version: 4.1.1
HTC Sense version: 4+
Software number: BinDroid XTC One X V9.0.0
HTC SDK API level: 4.63
HTC Extension version: HTCExtension_Sense45_1
It's a rooted device.
The problem is:
There is an app called "Black Facebook" version 2.0. I have tried to reset the phone but this application is still there. Now the application is working OK, but when I try to update the FACEBOOK (the regular facebook) from Google Play, it downloads the full file but in the end says "remove the previous version and install again". Now there is no option to "uninstall" it in the App, only disable & Force Stop. I have tried to delete it from file manager but it gives error and says the file cannot be deleted. I have also tried to rename it, but it still says "cannot rename file".
I also read different posts on internet which says that this is a SPAM, or something. Also, I cannot find this application i.e. "Black Facebook" anywhere on Google Play.
I am a little worried. Please can someone help on how to remove this thing from my cell.
Rgds,
Hi,
Install Titanium Backup from the market, from Backup/Restore tab click the app you want to uninstall.
ROM Toolbox could also do this, if you have either ROM Toolbox or TiBackup then follow the above instructions
Its under app management in ROM Toolbox.
Both apps will do the job, I use Rom Toolbox Pro (Paid Version) great app and great developers to support.
Same, removes the need for about 10+ other apps.
I got the Pro Also, quality app and dev.
Thanks.....Titanium Backup worked
Dear All,
Thanks to each one of you. The Titanium Backup worked.......but I had a rough time regardless.....
When I deleted Black Facebook, all the links, like social feeds etc did not show Facebook links, & when I tried to download FB from Play, it gave an error as "incompatible version".....I thought I was doomed .....but then I did the data reset for my phone, after which I was able to install fresh Facebook...............................
Thanks once again.......
Rgds,
Hello everybody,
Warning: The following paragraphs (may) contain grammar errors. Please make yourself a LOL if you find one. -- A just-passed-exam English learner from China.
I want to remove all the crap wares integrated in the system(stock ROM) that is modified from Desire 600 for ChinaUnicom. That's also why my phone is called 606w.
I've searched some Chinese phone forums. It is said that the system kernel of 606w stock ROM is somehow protected and that these crap apps cannot be removed even if you are a root user. Some guy posted a tool for deleting them, as a recovery like windows PE stuff on PC. But I don't really want to install another recovery. Some other guy, interestingly, wrote "It's more efficient than deleting them by using adb" in the same thread.
So I want to know if it is possible to delete them under the kernel protection and how to do it. It's better if I don't need to unlock the bootloader.
Oh, by the way, another doubt: how to change my power on and off animation. The ChinaUnicom icon really sucks. Could someone upload the original Desire 600 version, either one in Chinese or English is appreciated!
Thanks in advance.
xdauserame said:
...
Oh, by the way, another doubt: how to change my power on and off animation. The ChinaUnicom icon really sucks. Could someone upload the original Desire 600 version, either one in Chinese or English is appreciated!
...
By the way will 606w work on 600 ROM?
I also have 606w, my main problem is that some of the applications crash after I enable encryption!!!
E.g. Google Earth - crashes
Chrome (after update crashes, without update works)
Flash player (same as Chrome, after update crashes, without update works).
etc.
Does anyone know why the apps crash without any notification to the user?
What do you mean "enable encryption"?
I just installed google service via GMS installer. Let google play handle the update stuff.
By "enable encryption" I mean enabling the option Settings -> Storage -> Phone storage encryption.
Does anyone have the same problem?
After fiddling with my 606w for a week, I'm going slightly mad. The boot animation of the stock rom is intrusive, and the chinese apps and settings are just plain annoying.
I've successfully loaded spawns 600 images on my 606w, and on the custom roms, all of the chinese crap is gone. However, I now have no gps. I've used fastergps to set the ntp, used clocksync to set the clock. The device just doesn't see any satellites.
I noticed a difference in the gps settings. On the stock 606w rom, there is an extra setting to enable/disable agps, which is absent in the 600 roms. I guess that behind the scenes the 600 and 606 are a little more different than they appear.
If any of the xda gurus have any tips on getting gps to work, that would be greatly appreciated.
GPS not working on Htc Desire International Version 1.16.401.3
I just noticed that my GPS does not work on my htc desire 606W from Hong Kong... please, does anyone have a solution? Or can anyone send me a link for an International Official stock ROM or RUU for this htc desire 606w ?
thanks.
Hello,
I'm looking for TeamViewer's QuickSupport (QS) Add-on for HTC devices. Unfortunately I can't access Google Play to download it (to see it for yourself, look for com.teamviewer.quicksupport.addon.htc)
Does anyone know where else I can find it from a reliable source, not a random site that might have repackaged it?
Or, could someone who has the APK file tell me who signed theirs, and then I can determine if the copy I downloaded from a shady site is legitimate?
Or, someone with the APK file could post its size in bytes, and I could use that to verify the one I downloaded,
Or, does anyone know if the Samsung version will work on HTC phones? I can get the Samsung version directly from TeamViewer's website (but not the HTC version).
For those wondering what exactly this is: I have the main TeamViewer QuickSupport app installed. It does not include screen-sharing; to do that, I need the add-on. Also, for the record, TeamViewer support says the addon is available only in Europe.
Many thanks in advance!
P.S. I posted this question in another forum, but it got zero responses and is now on the fifth page. That forum was general Android Q&A and dev, so I thought an HTC forum might be a better choice. I'm new to XDA-Developers; I hope it's ok to re-post someplace else.
For anyone who encounters this situation in the future, here is my experience. The short version: I couldn't confirm the APK I downloaded was the authentic HTC add-on, but I installed it, it works, and I see no signs of malware (though malware still could be there).
---------
Here's the long version:
NOTE: To make any of the links below work, you'll need to remove the extra space I inserted. The forum software won't let me post links.
The phone
- HTC
- Model: Remix (Verizon's version of the Mini 2), though I doubt the model matters much
- Android v4.4.2, as provided by HTC
- Not rooted
1) I tried the QS Add-on for Samsung (even though I'm using an HTC phone), which I could download directly from TeamViewer.com (see link below). It installed, App Manager saw it, but TeamViewer QuickSupport (TVQS) did not utilize it.
Link to the Samsung add-on at teamviewer.com:
download.teamviewer. com/download/QuickSupport_Add-On_Samsung.apk
TVQS's Advanced screen still displayed the option to download and install the add-on (which requires a Google Play account AFAICT)
I saw these messages in TVQS's log (accessible via the Advanced screen). I could have overlooked other messages:
I/RcAddonInfo.isAddonInstalled(): name not found
I/MainActivity.onCreate(): installable addon found and not installed
The Samsung add-on's version number was 8.x; TVQS's is 10.x and the HTC add-on's is 9.x, so perhaps it's a simple version incompatibility.
2) I downloaded the APK for QS Add-on for HTC, but from a website which gave me no idea of its integrity (i.e., maybe it was repackaged with malware). Here are two sources I found, which appeared to be the same file:
oppo.apk. vc/Android/App/com.teamviewer.quicksupport.addon.htc
apk4fun.m5f. net/download-sv1/com.teamviewer.quicksupport.addon.htc.html
3) I tried to verify the APK's integrity by comparing it to the one from Google Play. I didn't have the Google Play APK, so I used the information on the webpage.
Google Play link: play.google. com/store/apps/details?id=com.teamviewer.quicksupport.addon.htc
The version numbers (9.0.2045) and release dates (26 Aug 2014) were the same at Google and at the websites of the APK downloads.
Google Play website reported size: 128K; Downloaded APK size: 128K (131,252 bytes)
4) I tried to verify the APK's integrity by looking at the cert used to sign it. I didn't see any red flags, but nothing confirmed HTC as the signer:
The cert (in all APK's, AFAIK) is found here: /meta-inf/cert.rsa
I didn't have a tool to view the cert info, so I opened the file in a hex editor and extracted these strings:
TW1
Taoyuan1
Android1
android @htc.com
HTC is headquartered in Taoyuan, Taiwan, so there is nothing suspicious in those strings, but they certainly don't confirm authenticity. I don't think they would be hard to spoof.
For comparison, I did the same with the Samsung add-on. They match the questionable HTC APK in that the phone manufacturer and not TeamViewer signed that APK; on the other hand the Samsung signature mentions Samsung by name while the questionable HTC APK does not mention HTC.
KR1
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Cert1
android.os @samsung.com
* FWIW I also found this in TVQS's log, I think from its startup routine (to be clear, the following is for the TVQS app and not for any add-on AFAICT). The APK for the TVQS is signed by TeamViewer; perhaps this is HTC's signature for the Android distribution? Then where is HTC mentioned? If it's Google's signature, why is the location HTC's headquarters (Taoyuan, Taiwan)?
CN = Android
OU = Android
O = Android
L = Taoyuan
ST = Taoyuan
C = TW
5) Not seeing any red flags and not having other options, I installed the questionable HTC APK. It works fine and I see no signs of malware, though certainly malware could be hidden or the signs might not have appeared (I installed it only a few hours ago).
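Added example, not part of the original post and not TeamViewer's or HTC's code: steps 3 and 4 above compare file size and readable strings from /meta-inf/cert.rsa, which two different signers can share. The sketch below pulls the whole signer certificate out of the v1 (JAR-scheme) signature file and compares SHA-256 fingerprints between a copy you trust and the copy in question. The function names are illustrative and the sample APKs are built in memory from stand-in bytes. It does not check the signature over the APK contents; that is left to the Android installer or a tool such as apksigner.

```python
import hashlib
import io
import zipfile

def read_tlv(buf, pos):
    """Parse the DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, element_start, value_start, value_end) for each child."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, start, vs, ve
        start = ve

def signer_certs(pkcs7):
    """Return the DER bytes of each certificate in a PKCS#7 SignedData blob."""
    tag, vs, ve = read_tlv(pkcs7, 0)           # ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    for tag, _, cs, _ in children(pkcs7, vs, ve):
        if tag == 0xA0:                        # [0] EXPLICIT SignedData
            _, ss, se = read_tlv(pkcs7, cs)
            return [pkcs7[s:e]                 # certificates field is [0] too
                    for t, _, fs, fe in children(pkcs7, ss, se) if t == 0xA0
                    for _, s, _, e in children(pkcs7, fs, fe)]
    raise ValueError("no SignedData content")

def cert_fingerprints(apk):
    """SHA-256 of every signer certificate under META-INF/ (path or file)."""
    found = set()
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                found.update(hashlib.sha256(c).hexdigest()
                             for c in signer_certs(z.read(name)))
    return found

def same_signer(apk_a, apk_b):
    """True only if both APKs carry certificates and the sets are identical."""
    a, b = cert_fingerprints(apk_a), cert_fingerprints(apk_b)
    return bool(a) and a == b

def der(tag, body):
    """Minimal DER encoder; used only to build the constructed samples."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_apk(cert_body, payload):
    """Constructed in-memory zip whose CERT.RSA wraps one stand-in cert."""
    oid = lambda last: der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07" + last)
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, oid(b"\x01"))
                 + der(0xA0, der(0x30, cert_body)) + der(0x31, b""))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("META-INF/CERT.RSA", der(0x30, oid(b"\x02") + der(0xA0, signed)))
        z.writestr("classes.dex", payload)
    return out.getvalue()

if __name__ == "__main__":
    known = sample_apk(b"C=TW L=Taoyuan O=Android key=AAAA", b"known-good build")
    update = sample_apk(b"C=TW L=Taoyuan O=Android key=AAAA", b"newer build")
    other = sample_apk(b"C=TW L=Taoyuan O=Android key=BBBB", b"known-good build")
    print(same_signer(io.BytesIO(known), io.BytesIO(update)))   # True
    print(same_signer(io.BytesIO(known), io.BytesIO(other)))    # False
```

The third sample carries the same Taoyuan/Android strings as the first but different key bytes, so the string comparison from step 4 would pass while the fingerprint comparison fails.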
Search Google, many sites with the APK file (QS Add-On: HTC APK). I have installed, it works.