XboxLive - Windows Phone 7 Development and Hacking

Anyone realized Cotulla/DFT implentation of WP7 on HD2 without properly secured Device Provisioning Partition etc (bypassing) and bypassing live activation - fact we are all running hd2's on live - that... all this... well: it is BIG:
Ultimately means we have now the ability to create (and sideload and modifiy reg etc in this particular way leading) an app running on an unsecured XboxLive which means LIVE is theoretically up for the taking RIGHT NOW ANYWAY.
One could make an executable, xna-xap, or app-of-whatever-nature which could then be sideloaded and moved into XboxLive runtime/game runtime and cause increase in MICROSOFT-POINT$? etc.
Involved here is billions - a lottttttttttt of $.
This is probably the number one reason for all the security on Xbox-1/360. THIS IS IT - what is the most highly held fear of (xbox/live/apphub divisions etc) the good old evil empire that is Microsoft. Anyone got any thoughts on this? I am not saying do it but the thought is there as an observation and I know for sure IT CAN AND WILL BE DONE.

Related

Windows Phone 7 - The "Genuine Windows Phone" certificate

This is a new feature for WP7. An API will be provided for external services to validate that a call is coming from a Genuine Windows Phone. This will be accomplished by a requirement that every phone have a unique certificate applied during manufacturing process (similar to an IMEI, but more than a simple number, an actual .cer)
The certificate is to be stored in the "Device Provisioning Partition" during the manufacturing process and is to be destroyed upon completion of manufacturing. Any time a reflash occurs, a new certificate is to be issued.
This represents a significant change from the existing paradigm as your phone will be instantly uniquely identifiable through this method.
Bump for visibility
Is that going to make flashing custom ROMs an issue?
i think it gonna make flashing difficult..
if you flashed with custom, your WP7 would not be taken as genuine hehehe like Windows 7 lol
maharz said:
i think it gonna make flashing difficult..
if you flashed with custom, your WP7 would not be taken as genuine hehehe like Windows 7 lol
Click to expand...
Click to collapse
lol then you have to mod your bios.
On the bright side, we may have fewer reasons to flash custom ROMs on WP7. What are our current reasons for flashing?
1. We need new OS versions on our devices when OEMs don't provide that. Well, this is supposed to be taken care of by centralized update mechanisms for all devices. WP7 will also support partial updates where you don't have to change everything but rather update certain components. Also, firmware files should be replaceable - otherwise OS updates wouldn't work. We'll be less dependant on HTC or whomever.
2. We need components from other devices (newer versions of Manila etc.). Well, these won't exist anymore.
3. We want light ROMs. WP7 will need things added, not removed, for the most part, and crapware will be very limited.
vangrieg said:
On the bright side, we may have fewer reasons to flash custom ROMs on WP7. What are our current reasons for flashing?
1. We need new OS versions on our devices when OEMs don't provide that. Well, this is supposed to be taken care of by centralized update mechanisms for all devices. WP7 will also support partial updates where you don't have to change everything but rather update certain components. Also, firmware files should be replaceable - otherwise OS updates wouldn't work. We'll be less dependant on HTC or whomever.
2. We need components from other devices (newer versions of Manila etc.). Well, these won't exist anymore.
3. We want light ROMs. WP7 will need things added, not removed, for the most part, and crapware will be very limited.
Click to expand...
Click to collapse
Very true. With the OTA MS updates and such it will make life easier for updating the OS.
That could also bring a pitfall - hacking attempts that once worked get blocked.
Da_G said:
This is a new feature for WP7. An API will be provided for external services to validate that a call is coming from a Genuine Windows Phone. This will be accomplished by a requirement that every phone have a unique certificate applied during manufacturing process (similar to an IMEI, but more than a simple number, an actual .cer)
The certificate is to be stored in the "Device Provisioning Partition" during the manufacturing process and is to be destroyed upon completion of manufacturing. Any time a reflash occurs, a new certificate is to be issued.
This represents a significant change from the existing paradigm as your phone will be instantly uniquely identifiable through this method.
Click to expand...
Click to collapse
1. Project Echelon, lol.
2. End of dev'n'hacking, lol.
(now, remove both lol's)
M$ REALLY thinks it may compete with iphone(and apple stupidity), can you believe...
The "uniquely identifiable phone" feature is probably the major reason for this. Face it, outside of these forums, how many "non-genuine" WM builds are there?
What this provides is a token-pair for secure message encryption and a single point of origin/destination for all those notifications.
Thank you for the information, Da_G.
So it seems this will also affect us being able to port a WM7 ROM to another mobile?
So this means evry phone has a unique certificate
They will look for a way around that. For instance...who's to say microsoft are even implementing the certificate etc on prototypes...that would be darn impractical since there's so much chopping and changing in this developer stage, and do we know the servers are up and running? We should cross this bridge when we/Da_G come to it, and look for a bypass if not.
I do not think this money will be wasted if we dont port it to HD2, the fact is I will be the first to donate when pre-orders for the first HTC WP7 handset is outed so that Da_G can use his tools for that too. The JTAG test point will be useful to the community and I know Da_G will use it for the community...actually there's very little personal stuff he could do, and I doubt he would anyways, since all the uses will be of benefit to the community.
We should definitely start look at alternatives to the marketplace now, like Cydia. I'm not sure how the guy's doing it, whether he has servers etc, whether we could use them for multitasking/social networking or other uses. Depends how far microsoft go. Anyways, we all know that if m$ close it down and we cant jailbreak etc, then the community will have to migrate to android.
if i understand the situtation. If every phone is uniquely identifyable it means that imei may be part of cert calculations which means update code would have to be able to generate a cert or request a cert from the update server.
But if the phone checks the certs validity reverse engineering the check could help us fake cert files
EDIT:
after reading on rom deployment it seems that it cert files would need to be faked in order to port to other phones and updates will also involve trickery of its own
Unless somone does something even more awesome

[Q] Windows phone 7 - Can you use it as a lock down device.

I'm trying to find out how to lock down a WM7 so that It Is only able to use its basic functions phone, camera, gps but blocks access to the to certain sites and the downloading of certain apps (i.e. games).
Would I be looking at a creating Custom Rom or is there another way to control what the phone can have access to.
Any Ideas or help would be appreciated.
K
at present there is no capability to perform this.
Well, who do you want to lock it down for?
You won't be able to download apps without a Live ID, so if your kids don't have it, they'll have pretty locked down devices.
kaisersolo said:
I'm trying to find out how to lock down a WM7 so that It Is only able to use its basic functions phone, camera, gps but blocks access to the to certain sites and the downloading of certain apps (i.e. games).
Would I be looking at a creating Custom Rom or is there another way to control what the phone can have access to.
Any Ideas or help would be appreciated.
K
Click to expand...
Click to collapse
I think it is not possible at the moment.
Desktop Windows has only had effective parental controls since Vista (2007). (There were relatively ineffective third party ones before.) Windows CE 6 (2006) only supports basic controls: http://msdn.microsoft.com/en-us/library/ee499001.aspx. And WP7 is built on CE6. Although WP7 is heavily controlled by its own mechanisms, so it could be added.
Management of controls was connected to Windows Live with Windows 7. This system could be added to phones, but it's all fairly new and there are other things to do first.
Thanks for the response guys
From what has been said it seems that this not really possible.
We are currently looking at what devices we need to acquire, and we need devices that can be locked down (Don't ask me why - management decision, probably related to data usage costs) so that user can only use it for work related tasks.
So OUT go things like gaming and social networking,
And IN are normal phone tasks's calling, texting, email, camera and the ability to sync to the cloud aslo, gps navigation.
We are looking at the WP7 phones because of Sharepoint as we have a lot of development planned that way and would like the ability to access that information remotely via a device.
Does anyone know of another way to achieve this or do I have to delve deeper Into the inner workings Wp7. Or failing that look at at different hardware/software.
Regards
K
MS should eventually update WP7 to be compatible with all the Exchange Activesync security policies which will give you the capability to achieve what you want. Additionally they have said they will add features so that enterprises will have the ability to lock down devices as they choose so if you are using Exchange already you may want to wait and see what MS produces. And you could always contact MS and see if they will let your company know what is coming down the road so you can decide whether to wait or not.
efjay said:
MS should eventually update WP7 to be compatible with all the Exchange Activesync security policies which will give you the capability to achieve what you want. Additionally they have said they will add features so that enterprises will have the ability to lock down devices as they choose so if you are using Exchange already you may want to wait and see what MS produces. And you could always contact MS and see if they will let your company know what is coming down the road so you can decide whether to wait or not.
Click to expand...
Click to collapse
efjay Or anyone - Where at MS should I enquire about this, is there a email address for these type of enquires.
kaisersolo said:
efjay Or anyone - Where at MS should I enquire about this, is there a email address for these type of enquires.
Click to expand...
Click to collapse
to lockdown marketplace (disable totally) you simply have to mod "LKG_Tuner_Config.xml"
and there would def be a reg mod to disable facebook
maybe this (I am looking for more
Code:
[HKEY_CURRENT_USER\Software\Microsoft\Facebook\{A27A1782-535E-8F2D-9B81-4B6BA08FC179}]
"AccountState"=dword:3
[HKEY_LOCAL_MACHINE\Software\Microsoft\Facebook\[email protected]\Auth]
"State"=dword:[B][U]1[/U][/B]
[HKEY_CURRENT_USER\Software\Microsoft\GameFoundation]
"XboxLiveEnabledFlags"=dword:3
after you did that you can relock the phone and off you go
ceesheim said:
to lockdown marketplace (disable totally) you simply have to mod "LKG_Tuner_Config.xml"
and there would def be a reg mod to disable facebook
maybe this (I am looking for more
Code:
[HKEY_CURRENT_USER\Software\Microsoft\Facebook\{A27A1782-535E-8F2D-9B81-4B6BA08FC179}]
"AccountState"=dword:3
[HKEY_LOCAL_MACHINE\Software\Microsoft\Facebook\[email protected]\Auth]
"State"=dword:[B][U]1[/U][/B]
[HKEY_CURRENT_USER\Software\Microsoft\GameFoundation]
"XboxLiveEnabledFlags"=dword:3
after you did that you can relock the phone and off you go
Click to expand...
Click to collapse
Sorry I'm New to this
To change the registry would you have to unlock the Phone?
Can you confirm that You can unlock and lock a WP7 Phone?
What are the implication of doing this ?

Contact from Kin Developers

About 2 weeks ago, I took johnkussack's advice (I think it was him) and went to LinkedIn to try t be friends with anyone who came up on the search for "kin phone". In the invite email, I just said that I noticed they worked on the Kin phones and would like to ask them a few questions on how one could write to the phone. I have had 3 responses in the last 2 days.
Guy1: didn't know because he worked on the UI for the Kin Studio
Guy2: kindly told me he couldn't release an unauthorized build and that he would be breaking the law by doing so.
Guy3: This guy worked on the phone for over a year. He first told me I was breaking the DCMA by hacking/reverse engineering Kin, regardless of intent. Then he said this important thing:
"You are absolutely right in assuming that the device is locked; in fact, it has a hardware lock that is common to many such devices. When the devices roll of the manufacturing line the programming fuses are blown (literally) preventing any further programming of the device. This is all handled by hardware so unless you find a flaw with that you are out of luck."
So if this is true (sounds like it is), the "dream" is over. Hopefully there is some way that someone out there can find.
If I get more responses, I will post them here. Don't ask me to go back to these three who already replied and asked them more questions, I think I made some of them mad.
Hmmmm... I don't know whether or not the KIN models will accept OTA updates so that's a good question to ask. If OTA updates are possible then it's inherently possible to change the software. I wonder...
Yes, it was me the one who said about "linkedin".
But i also said "in one word NDA". You should known even before ask that the signed NDA are also legal contracts, so i prevented before asking them.
On the DCMA, yes.. on the USA. Outside the big country, the legal question is different and may not operate with that law. (if ever). If they provide a normal (legal?) way to unbrick my factory mode here, or to use the phone options, then i wait for the cost for it.
And everyone knew that hardware was not the way, just at the moment where first flash attempt failed. "Dream" is doable by software, if anything is to be done.
What i don't get is why to ask for rom rom roooooms, where we need drivers drivers driveeeeers... or sdk's. We won't get it anyway from MS, but no flashing means a rom is futile, non useful,crap pack of bytes.
But i also said "in one word NDA". You should known even before ask that the signed NDA are also legal contracts, so i prevented before asking them.
Click to expand...
Click to collapse
I figured I just take a shot in the dark; hope for the best and expect the worst. Since the phone and suuport from MS was discontinued, maybe the NDAs would be voided.
And everyone knew that hardware was not the way, just at the moment where first flash attempt failed. "Dream" is doable by software, if anything is to be done.
Click to expand...
Click to collapse
Good to know you still think there's a way.
What i don't get is why to ask for rom rom roooooms, where we need drivers drivers driveeeeers... or sdk's. We won't get it anyway from MS, but no flashing means a rom is futile, non useful,crap pack of bytes.
Click to expand...
Click to collapse
I just asked if "there is a way to get around the write lock". Had I known ahead of time to ask about drivers or SDKs, I would have put that in the msg.
I strongly believe that we could operate with the device,softwarewise. there is proof that the kin NAND memory (for now on, called "Storage" as label) is writeable. Not sure on the Rom part.
Of course, i mean.. just use it as a normal writable storage memory.
I posted how it could be done and would do it myself but, again, i bricked my phone, and available ones (through bidding sites) are so expensive to buy another one just for this (+ $150). Don't see a way to get it internationally again.
And even doing it, i'm not sure about what could be done just writing on the storage mem....
If the fuse byte is burn't should not it have prevented you from bricking?
kintwouser said:
If the fuse byte is burn't should not it have prevented you from bricking?
Click to expand...
Click to collapse
Nvitem bricked, not flashing bricked. You can succesfully write to the NVItems memory. But i guess it's just configuration memory and not the one "fused".
I just want to mention that jailbreaking a phone is NOT illegal in the United States! Geohot hacked the iphone... Apple went after him... Apple lost.
Also blowing the programming fuses seems a little fishy to me actually. No other phone does that. The majority of other phones have been flashed. I just think it would be pretty odd for a company to do that so that they no longer could update it. I am not sure I believe him. If this really was true... then why wouldn't Apple or Sony be doing it? This also doesn't make sense since Microsoft actually originally intended on putting WP7 on this as well as allowing apps for it. Check this article out:
http://www.intomobile.com/2010/05/12/kin-windows-phone-7-a-lot-closer-than-we-thought/
you must understand, its not possible to blow fuses in the hardware, it would be a top news story if they were able to keep the OS running in complience with the flash memory without it crashing. Obviously that was a lie to discourage us, and i dont even think that was a real kin developer, because microsoft clearly stated that all kin developers would be moved to WP7 or another programming section. And it doesnt matter if its legal or not to jailbrake phones, if we are porting a new OS, we wouldnt have modified the original OS, which is what jailbraking means. Most likely the OS is hidden deep in the flash memory with a write - protection. If you think its saying access denied because they said the fuses were blown, its wrong. They must just have a password or code that needs to be sent continuasly to the phone to access files. If the fuses were blown, then nothing would be able to be accessed by zune, because it would be impossible to reach the memory.
soninja8 said:
Most likely the OS is hidden deep in the flash memory with a write - protection. If you think its saying access denied because they said the fuses were blown, its wrong. They must just have a password or code that needs to be sent continuasly to the phone to access files. If the fuses were blown, then nothing would be able to be accessed by zune, because it would be impossible to reach the memory.
Click to expand...
Click to collapse
Not my expertise field, but this mobiles can (and in fact they do) have several memories, storing the OS in the ROM memory and all the data on the NAND memory (our "8gb" storage).
Zune software has protocols to query for available storages (requiring its label/id) and is allowed to write/read to it. If you dare to click on update version (at least in the 1st version I tried) it expressed that the option was not "available" to that device without web requesting data, apparently.
So.. in the nand flash we may only have the equivalent of a SD Card. And my last wince PDA showed that as /Storage too, apart from main wince ROM.
You can format the nand memory using win explorer if in fact it is the 8gig storage. I did this and it deleted all pics,albums etc. It was interesting to note that we cannot copy or view these pics without an access error but it does let me delete them.
I just wan't to be able to get my pics off this piece of crap without emailing them.
I posted it once. You are able to:
- Query storage properties (label, size, id,...)
- Query storage folders
- Query folder files.
- Query tracks / albums / playlist / images / anyZuneSupportedFile
- Delete * file (whatever)
- Format the storage
You are "unable" to:
- Upload (create) a file into the device
- Download a file from the device.
MTP protocol tools allows you to do so, from command line (not quite sure if they are available on Win32 OS's), but... fails to operate with this device when it comes to the "unavailable" operations.
I am curious as to which former developers you contacted?
I was doing some research and noticed that Microsoft acquired the company Danger, Inc. After Microsoft purchased them, the former president of Danger went to develop Android (later acquired by Google). One thing I read was that most of Dangers employees left after being purchased by Microsoft. Apparently these people don't like Microsoft all that much! I also looked into it a little more and found one of the founders of Danger who had a twitter account. Of course all of his tweets were via a "KIN". Thought that was interesting. It seems to me that these former Danger employees would be interested in helping out if they don't hold to high of an esteem for the big "M".
seems like this is your first "inside the move" trying-to-hack/reverse a thing, so i will say:
people involved doesnt wanna risk through legal issues, even if they were pissed off, just for "some kids" to have a driver or rom. NDA are strong there, and they could either sign them or leave (if leaving, they don't have the interesting things).
At most you would get bad-mood or good-luck comments, and ocassionaly (very uncommon), leaks (wont happen here).
yeah, they purchased danger for an amazing 500 million dollars, which they later developed the kin with it, they were planning to put windows phone 7 on it, but they were to behind and released it with the old windows CE, then the former developer moved to work on a free source OS, later called android. Google wanted to get android while it was cheap, so they bought that company, and made the old developer as 2nd engineer.
Maybe not worth yet, but we should get more *info* about the SBL mode (aka "Ms Pink Bootstrap), as coinflipper said that it was the way to flash OS or parts (like radio's).
I have been trying even OMA wap WBXML bootstrap examples with it, but as we dont know if our phone is standard, it's like looking for a water drop in the sea of possibilities.
We do not need a guide on how to do something, but what-to-do with it.
Maybe, JUST MAYBE, we could design a program like bitpim. I am a mac user and when I used bitpim with my enV touch, I used to edit all sorts of files. Examples would be phone info, server info etc. We could make a program like that to get the info. I know programming may be hard, but its worth a shot. I hate the OS on this phone, ESPECIALLY WHEN YOU PIN APPS! THEY LOOK HORRIBLE
Kinuser1 said:
Maybe, JUST MAYBE, we could design a program like bitpim. I am a mac user and when I used bitpim with my enV touch, I used to edit all sorts of files.
Click to expand...
Click to collapse
We can't. If we have not the protocols or the supported phone features (protocols, drivers, documentation,...) you cannot guess it and put it into visual basic (or Xcode) and then by *magic*get the program you want.
i will admit that i know very little about protocols and drivers but i would like to point out that bitpim is open source, and that the code can be found here ->
http-//sourceforge.net/scm/?type=svn&group_id=75211 (change "-" to ":")
i seem to recall bitpim already having limited support for the kin, but perhaps with a little research and a little code tweaking we can find ways to improve it? i'm not sure how feasable it is as i have very little experience with programming for phones/usb devices, but it's just a thought.
slimeq said:
i will admit that i know very little about protocols and drivers but i would like to point out that bitpim is open source, and that the code can be found here ->
http-//sourceforge.net/scm/?type=svn&group_id=75211 (change "-" to ":")
i seem to recall bitpim already having limited support for the kin, but perhaps with a little research and a little code tweaking we can find ways to improve it? i'm not sure how feasable it is as i have very little experience with programming for phones/usb devices, but it's just a thought.
Click to expand...
Click to collapse
We can't. If we have not the protocols or the supported phone features (protocols, drivers, documentation,...) you cannot guess it and put it into visual basic (or Xcode) and then by *magic*get the program you want.
Click to expand...
Click to collapse
The above applies to any software you want. Unless you magically found documentation or files (like OP), there's no way to. So f#cked.
The thing is always the same, tweaking tweaking... what to tweak, huh?

HTCutility.dll used for direct access to TCB chamber

As it is known that HTCUtility.dll will provide complete, unrestricted access to the TCB chamber on HTC devices, can this be used to unlock (at any level) the OS?
I have not heard anyone speaking of it and exists on my HTC Arrive. Seems to be a bypass for unrestricted access to anything within HTC devices.
I am looking at it myself, but thought I would share.
See details here...
http://labs.mwrinfosecurity.com/files/Advisories/mwri_htc-htcutility-kernmem_2011-11-10.pdf
Your link is down
very interesting but you link is down so please fix it so I can take a look. I too have a HTC arrive and have been working on an unlock.
Don't know what happened to the link.
Here is the link to the google docs version.
https://docs.google.com/viewer?a=v&...1C1HkN&sig=AHIEtbTwK-r8RyAyFmt1ai119m7EVAqsNA
-Paul
This looks promising, I'd like to know if what's written there is true ...
The paper is a couple months old, so it *could* have been patched by HTC... but hey, it also might not have been! This bears investigation post-haste.
It's easy enough to use this to execute some arbitrary code at high permissions, which is certainly useful as-is (do things like unrestricted registry and filesystem access). The real potential of it, though, is to turn off the security restrictions for specific apps. Essentially, get the benefits of a "fully unlocked" ROM but on a stock ROM, and only for the apps you specify.
One thing to note here: this is still going to require an interop-unlocked phone. It's opening a handle to a driver, and just like everything else that does so, it needs ID_CAP_INTEROPSERVICES. This is great news for owners of interop-unlocked/unlockabe phones (since this makes interop-unlock useful again) but probably doesn't help on 2nd-gen phones or on the Arrive (unless you want to roll back to NoDo, in which case this can probably be used to make an interop-unlock that works on Mango, though it wouldn't be easy).
I hope some one gets this working for the Arrive ASAP
Oh this was talked about a while back. It was patched back in NODO
Really? The paper is from only 3 months ago (assuming USA numeric date style, 2 months otherwise). You don't typically publish security advisories for things that were patched more than 6 months prior.
In any case, HTCUtility.dll still exists on my phone. No idea yet if that IOCTL still works, though. I'll try it out in any case, and report back.
For those asking about it for the Arrive though, you're likely out of luck even if this works. It is *not* a way to interop-unlock a phone, and it is *not* a way around interop-unlock. It's a way to do more things on an interop-unlocked phone. You can't even reach a driver (which is what HTCUtility.dll is) unless your app has ID_CAP_INTEROPSERVICES - that's what the capability is actually for, accessing drivers - and you can't install a homebrew app with that capability unless interop-unlocked (or on pre-Mango).
GoodDayToDie said:
I'll try it out in any case, and report back.
Click to expand...
Click to collapse
Thank you
GoodDayToDie said:
Really? The paper is from only 3 months ago (assuming USA numeric date style, 2 months otherwise). You don't typically publish security advisories for things that were patched more than 6 months prior.
In any case, HTCUtility.dll still exists on my phone. No idea yet if that IOCTL still works, though. I'll try it out in any case, and report back.
For those asking about it for the Arrive though, you're likely out of luck even if this works. It is *not* a way to interop-unlock a phone, and it is *not* a way around interop-unlock. It's a way to do more things on an interop-unlocked phone. You can't even reach a driver (which is what HTCUtility.dll is) unless your app has ID_CAP_INTEROPSERVICES - that's what the capability is actually for, accessing drivers - and you can't install a homebrew app with that capability unless interop-unlocked (or on pre-Mango).
Click to expand...
Click to collapse
Yeah I think it was mentioned here on XDA and it was believed to already have been patched.
I think by "patch" they mean that Interop was restricted as of Mango, thereby securing this exploit, in Mango. But for those that are Interop unlocked, this should still grant full access to everything else.
Just my observations. I have an Arrive and am not Interop unlocked yet, so I can't test it.
Looking at the hand-free provisioning to see if I can find a way to leverage that....
-Paul
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process contet blocks, but none with CE ones (if it even uses such a structure).
GoodDayToDie said:
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process contet blocks, but none with CE ones (if it even uses such a structure).
Click to expand...
Click to collapse
All the information looks like it is in the advisory. KDataStruct is what you want. That is equivalent to the PEB in Windows CE.
GoodDayToDie said:
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process contet blocks, but none with CE ones (if it even uses such a structure).
Click to expand...
Click to collapse
Can you confirm this works only on already Interop Unlocked device ?
Thx for your efforts.
Could htclv.dll be helpful in setting security on an app? It supports the following functions:
LVModInitialize LVModUninitialize LVModAuthenticateFile LVModRouting LVModAuthorize LVModGetPageHashData LVModCloseAuthenticationHandle LVModGetHash LVModProvisionSecurityForApplication LVModDeprovisionSecurityForApplication LVModGetSignerCertificateThumbprint LVModSetDeveloperUnlockState LVModAuthorizeVolatileCertificate LVModGetDeveloperUnlockState
In particular the "Deprovision Security for App" and "Get/set DeveloperUnlock" or maybe "Authorize Volatile Certificate"....
Or maybe htcpl.dll which seems to be the HTC policy engine interface. Supports:
GetFunctionTable PolicyCloseHandle PolicyEngineInit PolicyRuleAbortTransaction PolicyRuleAddRawData PolicyRuleBeginTransaction PolicyRuleBuildRawData PolicyRuleCommit PolicyRuleCommitTransaction PolicyRuleCreate PolicyRuleDelete PolicyRuleFindFirst PolicyRuleFindNext PolicyRuleGetInfo PolicyRuleOpen PolicyRuleParseRawData PolicyRuleReadRawData
These all look good to modify the security policies on HTC, assuming Interop-Unlocked.
-Paul
@dragonide: Confirmed, this requires interop-unlock since the very first step is opening a handle to a driver.
@Paul_Hammons: The LVMod functions look quite interesting indeed. Where are you getting these functions from (straight out of the DLLs, or some doc somewhere, or decompiled code, or...?), are they user or kernel entry points, and what permissions do they require? The ability to modify app security doesn't do as much good if you already have to be high-privileged to call it, though it might simplify my current goal.
@n0psl3d: Cool, I'll get to work on it.
@n0psl3d: KDataStruct contains kernel information, but I'm pretty sure what I need is in a PROCESS struct (such as is pointed to by pCurPrc). The problem is, I can't find any documentation for that struct. I'm searching online but so far coming up empty. CE doesn't seem to use PEBs or TEBs as I've seen them on NT (not terribly surprising, but annoying).
EDIT: I'm downloading the Embedded CE toolkit, which comes with source code. It'll take a while but hopefully that will have what I need.
OK, digging through the CE source I've found some interesting things. No idea if this will work yet; it'll be exciting just to make it compile.
PROCESS struct -> hTok (handle to a Token) -> phd (PHDATA, pointer to the handle data) -> pvObj (PVOID to the actual object, which is probably a TOKENINFO) -> psi (pointer to ADBI_SECURITY_INFO) -> contains the actual ACLs and privileges, and can be created from an account ID.
Probably the easiest option is to find a relatively high-privilege process and clone its token or some such. Token re-use (if I increment the reference count, this should work) may be easier. Modifying an existing token might also be doable.
Anyhow, I'm not going to have this finished tonight, but it'll get there. For those wondering wht you can do with this, it basically breaks you out of the sandbox entirely. You can call any function, access any resource, etc. that is available to a userland process (executing in kernel mode is also possible but trickier). Practically speaking, this makes all the other high-privilege COM DLLs useless - instead of ComFileRW, just use the file IO methods (anywhere you want), instead of DMXMLCOM just call ConfigProvXml directly. Even things like launching native EXEs directly should become possible (run those Opera ports on a stock ROM, for example).
I'm sorry, I still don't know what any of that means. But it sounds good! I wish I knew how to do this kind of stuff. Thanks for all of your work!

Latest HTC radio drivers disables ability to edit the registry

I can still sidle load and my phone is still interop unlocked but neither my registry editor nor my advanced configuration editor work. Way to go HTC and MS, pat your selves on the back. I pay $99 dollars a year to have my phone unlocked and to develop apps but I can't even develop useful apps because APIs and restrictions, I can't customize my phone with out hacks, nothing! And to top it all off the phone has very limited functionality. What is MS thinking? I'm seriously thinking about jumping ship after being a loyal Windows Mobile supporter from the very begging. It use to make me sick to think about how flooded the market is with Android phones and now I know why. I can't even come on here and vent my frustrations or voice my opinions without someone getting offended or warned like I'm some child. Granted that all phones have their fails but not as many as this phone, I wish Windows Mobile was still around, imagine a world with no having to have an Windows live account or no complicated Zune, imagine just being able to do what you want or need to do without any limitations or restrictions. Imagine being able to laugh at Android and iPhone users. I honestly don't see Windows Phone 8 being any better at all. Say what you want, lash out at me with your fan boy comments, report me to your MOD but no matter what you say or do at this rate WP will fail.
what is the radio driver version , is it 5.71??
well u cant blame anyone, WP7 is more secure than IOS.
thats a good thing right?
The purpose of paying $99 per year is to develop applications and publish them to the app store.
Being able to sideload for anything other than testing was just a side benefit.
If all you wanted was to side load apps, the ChevRon utility would have been a much better deal. One time fee verses yearly and 10% the cost.
Surprised that the radio drivers are to blame. Unless there was a flaw in them that was being exploited to make the editor.
It is pretty annoying that you can't directly programatically alter the registry.
But, I believe the provisioning methods still work. Just write a C# app that will provision a file. Then have the app generate an xml provisioning string to alter the registry and apply it.
There are ways to read the registry doing the same thing.
I can probably find a link in the Windows Phone 7 development section on how to do this.
I will update with a link if I find something.
Link for an HTC ProvXML importer and Reg to Prov XML convertor: http://forum.xda-developers.com/showthread.php?t=907169&highlight=registry
Try searching that forum for ProvXML. There probably are examples. Serach is temporarily disabled. It always around this time of day for about 20 to 30 minutes.
I was afraid of this. The HTC driver updates may have been to v2 and that breaks the interop-unlock ability (such as allowing ACT and Reg Editors to run). This is known and mentioned by Heathcliff.
Magpir said:
what is the radio driver version , is it 5.71??
well u cant blame anyone, WP7 is more secure than IOS.
thats a good thing right?
Click to expand...
Click to collapse
They just fixed an exploit.
Of course it's good to have your own device unlocked, but if Microsoft or HTC wanted you to modify the registry they would have released that feature natively.
For example LG has a native application to do this on their Windows Phones.
I interop unlocked my girlfriend's Optimus 7 the next day she got it in 1-2 mins.
what has the radio got to do with this?
will downgrading radio help then?
I know, it's my fault for being stupid and accepting the update, it's a little faster but I noticed it drains my battery much quicker and it disabled my reg exploits. to be honest I thought it was the keyboard fix but the keyboard seems to be getting worse. Microsoft is not what it use to be, Steve Jobs was right, MS is not original and always steal Apples ideas, why if the thing that made WM better is what is diving Androids success. I went to the T-Mobile store and was tempted to switch but walked out and have not decided yet but I just give up on WP this year if MS doesn't stop being so Communist like.
JVH3 said:
The purpose of paying $99 per year is to develop applications and publish them to the app store.
Being able to sideload for anything other than testing was just a side benefit.
If all you wanted was to side load apps, the ChevRon utility would have been a much better deal. One time fee verses yearly and 10% the cost.
Surprised that the radio drivers are to blame. Unless there was a flaw in them that was being exploited to make the editor.
It is pretty annoying that you can't directly programatically alter the registry.
But, I believe the provisioning methods still work. Just write a C# app that will provision a file. Then have the app generate an xml provisioning string to alter the registry and apply it.
There are ways to read the registry doing the same thing.
I can probably find a link in the Windows Phone 7 development section on how to do this.
I will update with a link if I find something.
Link for an HTC ProvXML importer and Reg to Prov XML convertor: http://forum.xda-developers.com/showthread.php?t=907169&highlight=registry
Try searching that forum for ProvXML. There probably are examples. Serach is temporarily disabled. It always around this time of day for about 20 to 30 minutes.
Click to expand...
Click to collapse
Unfortunately I don't know how to work with ProvXML's. I will check out your link, thanks. do you by any chance know how to change the dark background color back to black using this method?
So you mean to tell me that Windows Phone is actually more secure than the iPhone? God all mighty!! I seriously hope Windows 8 is not as lame as Windows Phone.
sinister1 said:
Unfortunately I don't know how to work with ProvXML's. I will check out your link, thanks. do you by any chance know how to change the dark background color back to black using this method?
Click to expand...
Click to collapse
I just read the thread you sent me and it says that the new drivers also disable this method too.
To the OP, they also fixed a problem, If you ran connection setup with your phone in CDMA mode, it would kill 3G and the only real way to get it back was to hard reset the phone. It also broke those apps too.
To note, I manually installed 8107(last weekend, 3 days before vzw's release) and it did break Advanced Config (could not add more colors but, only had 3-4 extra onces) but, I am still able to sideload as I need. So, I'm not sure if it was the firmware that broke it...
I don't know what the big deal is with MS not letting us to simply personalize our phones? I mean really what is wrong with changing a notification tone, background color or tile color? If they really don't want anyone hacking the phone then simply give us those options. In every update instead of giving us simple features and options that we want all they do is secure the damn phone down even more It's almost like Microsoft wants to fail. Who wants to pay for a phone that is dictated to the point to where you can't even do that? As much as I hate to admit it; Android is coming up more and more when I think about my options.
sinister1 said:
I don't know what the big deal is with MS not letting us to simply personalize our phones? I mean really what is wrong with changing a notification tone, background color or tile color? If they really don't want anyone hacking the phone then simply give us those options. In every update instead of giving us simple features and options that we want all they do is secure the damn phone down even more It's almost like Microsoft wants to fail. Who wants to pay for a phone that is dictated to the point to where you can't even do that? As much as I hate to admit it; Android is coming up more and more when I think about my options.
Click to expand...
Click to collapse
I guess it really comes down to what you can do. Opening up the phone, opens it to hack software to run. So, it opens a world of phones with pirated software on it with nothing MS can do it about it. Not everyone will go this route but, there are people who will not buy anything, and that kills the marketplace and vendors who will add to the marketplace.
As I always say, Pirates will always Pirate, block them and they'll find another way around it. BUT with blocking it makes honest people have a harder time to use their devices or software.
I personally just want to customize my phone and use all the home brew apps but, sad to say they will try to block the honest people just to attempt to stop the pirates...
Back to the subject on hand...
So, Connection setup no longer works (I get a Invalid sim if I go to GSM mode or in CDMA mode, Carrer is not in the database), is it possable to get a older version to sideload that would enable registry edits again ?
DavidinCT said:
I guess it really comes down to what you can do. Opening up the phone, opens it to hack software to run. So, it opens a world of phones with pirated software on it with nothing MS can do it about it. Not everyone will go this route but, there are people who will not buy anything, and that kills the marketplace and vendors who will add to the marketplace.
As I always say, Pirates will always Pirate, block them and they'll find another way around it. BUT with blocking it makes honest people have a harder time to use their devices or software.
I personally just want to customize my phone and use all the home brew apps but, sad to say they will try to block the honest people just to attempt to stop the pirates...
Back to the subject on hand...
So, Connection setup no longer works (I get a Invalid sim if I go to GSM mode or in CDMA mode, Carrer is not in the database), is it possable to get a older version to sideload that would enable registry edits again ?
Click to expand...
Click to collapse
I had that problem before, I had to toggle airplane mode and WIFI back and forth until it took.
DavidinCT said:
I guess it really comes down to what you can do. Opening up the phone, opens it to hack software to run. So, it opens a world of phones with pirated software on it with nothing MS can do it about it. Not everyone will go this route but, there are people who will not buy anything, and that kills the marketplace and vendors who will add to the marketplace.
As I always say, Pirates will always Pirate, block them and they'll find another way around it. BUT with blocking it makes honest people have a harder time to use their devices or software.
I personally just want to customize my phone and use all the home brew apps but, sad to say they will try to block the honest people just to attempt to stop the pirates...
Back to the subject on hand...
So, Connection setup no longer works (I get a Invalid sim if I go to GSM mode or in CDMA mode, Carrer is not in the database), is it possable to get a older version to sideload that would enable registry edits again ?
Click to expand...
Click to collapse
The registry being locked down is less to do with piracy than control.
Code for the Windows Phone 7 was not a complete rewrite of the OS. They did reuse much of the old Windows Phone 6.5. They might have reviewed each piece and modified most, but they did reuse code. If they give you or developers control of the registry, then the entire device could be put into a state that would make nothing work. Or worse, your phone could be made to do just about anything in the background without your knowledge.
It's one thing to not allow programmers to access it. It's another to stop users from doing it intentionally. Any user doing it themself, knows the risks. And you can always reset the phone.
This latest lockdown might spur more interest in creating custom ROMs. Not sure if it is even possible yet for things like the Titan 2 and the new Nokia phones. But, this is the site to find out or find people doing it.
Your right I don't think it's possible at least not for the Trophy or CDMA phones at the moment, I guess we are just stuck at the state of sucks. Either way MS isn't making any money with their strategy at all the hold like 1% of the market; if it weren't for their PC sales they would have already went under.
sinister1 said:
Your right I don't think it's possible at least not for the Trophy or CDMA phones at the moment, I guess we are just stuck at the state of sucks. Either way MS isn't making any money with their strategy at all the hold like 1% of the market; if it weren't for their PC sales they would have already went under.
Click to expand...
Click to collapse
Microsoft has alot more products as well. SQL Server, Visual Studio (professionals don't use the express versions), Exchange Server, Office, XBox 360, msdn subscriptions, Skype, etc.
Microsoft makes money on all HTC and Samsung Android sales. Somewhere between $10 to $15 for each Samsung Android Phone and somewhere around $5 to $10 for HTC Android phone from patent licensing.
So, every Android sold helps Microsoft. Hopefully they use those dollars to improve Windows Phone 7.
This is actually the real reason that Microsoft can afford to deliver things a little late and still be OK.
They have a ton of cash flowing in all the time and the competition financially supports them.
I'm guessing that there is still a way using provisioning to affect the registry. When exchange servers push policies down, I thought they did that through provisioning. If exchange can do this, then there should be another way as well.
It's also how custom ringtones were created prior to Mango. It would create a xap to create a program that would write a ringtone file using provisioning. Something similar should be doable for the registry. Doing it this way would require you to use a computer to deploy the changes, but you should be able to make them.
Thaks guys for your feed back and support. If anyone knows a way that I can change my background back to default #FF00000 black now that the registry option is gone; please let me know, I will dontae becuse I have lookd at some Android phones and to be honest they are always pluged in and charging and the only other opption is the iPhone
Hmm.. was about to update and then cancelled it when I read this. Does it add tethering? but since it still lets us sideload... I kind of want to update, I don't do any registry stuff and i can always hard reset to interop unlock again right?
slick13 said:
Hmm.. was about to update and then cancelled it when I read this. Does it add tethering? but since it still lets us sideload... I kind of want to update, I don't do any registry stuff and i can always hard reset to interop unlock again right?
Click to expand...
Click to collapse
No it actually does nothing other that updates your radio's firmware and blocks exploits, worth less update unless you travel out of the country. This was lame on HTC and Verizon's part. I hate Verizon, MS should just stop doing business with them.

Categories

Resources