[IDEA] Why we don't update chevron? - Windows Phone 7 General

Do you have a locked phone with Nodo?
So, at this moment your chances are:
Restore the phone to previous version (from Zune)
If your device is LG, you can use the integrated registry editor to unlock it
Buy a developer account subscription
What if your country is not supported by the Marketplace to buy a developer account subscription?
Well, you can ask someone to unlock your phone via remote desktop with their account, then apply any relock prevention
You can use Yallapps unlocking service
I was thinking of updating Chevron for NoDo. There is no Marketplace in my country to test and check what token is used by the developer unlocker application from the phone tools.
Recently I discovered yallaapps (where everyone can register and unlock their phones). It is very unfair compared to the standard marketplace rules (you can upload only free apps, and like 3-4 every 80 dollars).
Does anyone here have a yallaapps account to share (via remote Ethernet over USB, for example) and unlock my phone, so I can check what the token is and test whether Microsoft did something to avoid chevron.cer, etc.? I can work some nights trying to get an updated unlocker for us.
Comments?

I've thought about this too. But I have an unlocked Omnia 7 now, with NoDo. And I'm kinda afraid to test for locking/unlocking, because it might lock my phone, while not being able to unlock again. Only a restore of backup or reflash firmware would possibly fix that, but I'm too busy to risk that now. If it wasn't for that I would've tried a couple of things.
With registry access we can set the value of HKEY_LOCAL_MACHINE\Software\Microsoft\DeviceReg\PortalUrlProd to anything we like. Set it to something like this: http://www.wp7unlock.com. That site does not exist, but that doesn't matter. Note that I mention "http" and not "https" to make it easier. Then add this url to the hosts-file on your computer. Open a http-server on port 80 which logs all http-requests. Now run ChevronWP7 unlocker and try to lock / unlock. Note: Don't try this if your device is upgraded to NoDo and unlocked, and you wish to keep it like that. You can grab the exact request. That is the first step. But this may already lock your device, if you got it unlocked. You need an unlocked device in the first place to edit the registry. If you got the exact http-request that is sent by the NoDo-device, you can manually try to send it to the original url: https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/01/2010. Now grab the response. That will be the second step. Having the request and response may already provide very useful information and help us further.
I think the chance of getting your device re-locked is small. But only someone who doesn't mind restoring a backup or older firmware in order to re-unlock should try this. If someone feels like testing this, we may get a start on unlocking NoDo.
Ciao,
Heathcliff74

I'm just guessing here, I haven't actually done any research into it, but I believe the patch was relating to the certificate - aimed at the fact that ChevronWP7 relied on WP7 accepting an untrusted certificate being used by the unlocking server if that certificate had been installed to the phone's store. Simply doing some basic checking on the certificate to ensure it's from a trusted authority for example, is probably the route Microsoft took, or something along those lines.
I'm kinda busy with other things right now, but I'll have to get a copy of a NoDo ROM at some point and take a peek at the relevant files.

Another possibility is to hide a registry editor in some app and submit it to the marketplace. But sooner or later they will notice the trick.
Pretty convenient the LG devices with their integrated registry editor...

The odds of being able to sneak any app with the InteropServices capability into the marketplace is pretty low, I think. Without that capability, you can't access COM, which means no native code, which means no registry editing.

GoodDayToDie said:
The odds of being able to sneak any app with the InteropServices capability into the marketplace is pretty low, I think. Without that capability, you can't access COM, which means no native code, which means no registry editing.
I am just guessing here, but can't you download a dll file to IsolatedStorage, then on the next app start use that file (for example the Samsung dll to edit registry keys, used by the Samsung "root" tools)?

hounsell said:
I'm just guessing here, I haven't actually done any research into it, but I believe the patch was relating to the certificate - aimed at the fact that ChevronWP7 relied on WP7 accepting an untrusted certificate being used by the unlocking server if that certificate had been installed to the phone's store. Simply doing some basic checking on the certificate to ensure it's from a trusted authority for example, is probably the route Microsoft took, or something along those lines.
I'm kinda busy with other things right now, but I'll have to get a copy of a NoDo ROM at some point and take a peek at the relevant files.
Ok.. Think with me please.. I am by no means a HTTP or SSL expert, but I know a little bit about it. So please correct me if I'm wrong.
HTTPS is HTTP over SSL. SSL does a handshake for encryption keys. Any HttpListener will support this. And SSL with mutual authentication will also do a certificate check. Tom, if what you said is true, then we should install a genuine certificate for developerservices.windowsphone.com. I'm sure some devs have one lying around for us to use. The phone will accept it, because a certified authority has issued it. That would solve things at the end of the WP7 device.
Now the important part. As far as I know, but I may very well be wrong about this, the certificate is only verified on the end of the server. In this case that would be our own HttpListener on the local PC with the hosts-file containing a mapping for developerservices.windowsphone.com to 127.0.0.1. I think the WP7 device does not validate the server, does it? So when we let our server accept the certificate, we're done. We can let it accept the certificate with this line of code:
Code:
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
Would that do the trick???
Ciao,
Heathcliff74

eried said:
I am just guessing here, but can't you download a dll file to IsolatedStorage, then on the next app start use that file (for example the Samsung dll to edit registry keys, used by the Samsung "root" tools)?
I'm guessing now. But I think the capabilities are stored somewhere. And if you didn't have the Interop-capability when you installed the app, you will still not be able to load a COM-dll later on. Also, I don't think you will be able to call LoadLibrary on a file in the IsolatedStorage.
And in my WP7 Root Tools, there are NO Samsung dll's. Only my own code. Both native and managed dll's are written 100% by me. No copyrighted dll's from another party in my code. I explicitly avoided that, because my app will never be banned for that reason. I think Julien Schapman's Windows Phone Device Manager does ship the HTC dll's (not 100% sure about that though). I think he might have a problem with that if he ever wants to sell his product.
Ciao,
Heathcliff74

Heathcliff74 said:
Now the important part. As far as I know, but I may very well be wrong about this, the certificate is only verified on the end of the server. In this case that would be our own HttpListener on the local PC with the hosts-file containing a mapping for developerservices.windowsphone.com to 127.0.0.1. I think the WP7 device does not validate the server, does it? So when we let our server accept the certificate, we're done. We can let it accept the certificate with this line of code:
Code:
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
Would that do the trick???
Ciao,
Heathcliff74
Just a guess here, but I would say that it's the phone that verifies the certificate, not the server. That's why you had to install the Chevron cert on the phone.

I'm not up to date on how these certificates work, where or how they are approved, and whether there is a difference between certain certs, but I was wondering about the cert used by xboxmod when he released those Omnia apps for all devices. Or was that just another way to get XAPs to work instead of resigning them? Could it be used if not?

I did a bit of reading up on SSL and certificates. I'm still not sure about a lot of things, but this is what I get from it:
SSL sets up a secure transport layer by exchanging encryption keys. And it also supports client authentication and server authentication. Authentication can take place by letting one party send its certificate and letting the other verify it. For a client this usually means that the issuing party sent a generated certificate against which it can be authenticated. A server is authenticated by its certificate. The certificate needs to be verified. The verification is done by checking the certification path. The issuers must be trusted by the verifying device. I'm not sure, but I don't think it is normally necessary to install a certificate when you genuinely unlock your device. If it is necessary, then that means that the unlock server from Microsoft does client authentication too. But that is not important when we want to spoof that server with an http-server on our localhost (like ChevronWP7), because we can just skip the client authentication. We simply don't care about that.
(nico) said:
Just a guess here, but I would say that it's the phone that verifies the certificate, not the server. That's why you had to install the Chevron cert on the phone.
I think the unlocking software on the WP7 device probably does something like this (pseudo-code):
Code:
if (!SecureConnection.Server.IsTrusted())
{
LockDevice();
return;
}
If the server is not trusted, the unlock will fail. So Chevron has its own built-in http-server. With its own certificate. Except that certificate is normally not trusted by the WP7 device, because that certificate is not signed/issued by one of the Certified Authorities that is known by the device. So in order to let the IsTrusted() succeed, a certificate must be installed on the device first. That certificate adds the signing authority (self-signed by Chevron) to the trusted authorities.
Now in NoDo, if Tom is right, Microsoft changed it into something like this:
Code:
if (!SecureConnection.Server.IsTrustedByCertifiedAutority())
{
LockDevice();
return;
}
That means, that it does not only verify if it is trusted, but the top of the certification-path must be a Certified Authority. In this case a self-signed certificate is not accepted anymore.
I have access to the certificate-stores on my Samsung Omnia 7. But for that the device needs to be unlocked. So, that is not useful for unlocking devices. And that exploit only works on Samsung devices.
Now that I understand this better, I see that my previous proposal won't work. But it gives me something to think about. Got to get a way around that.
lucasryan said:
I'm not up to date on how these certificates work and where or how they are approved and if there is a difference between certain certs, but I was wondering about the cert used by xboxmod when he released those Omnia apps for all devices. Was that a cert that just allowed us to use those apps on other devices, just like we do now by resigning a XAP to work from another brand, or is it a cert that might be used?
That was some developer-certificate from the WinMo 6.5 SDK or something. It didn't really do anything other than invalidating the signature, which in combination with removal of the DRM file in the XAP would remove the DRM-protection. It works even better to simply remove the certificate from the file. The certificate was simply to replace the valid certificate with an invalid one. The certificate from xboxmod is not of any use here.
Ciao,
Heathcliff74

OK, I understand now how they work and what it needs to be. A lot more to it than I was thinking, so there is a chance to find a cert somewhere, somehow.

Very good information; I am not too much into SSL security either. I have an idea for a new unlocker (not based on Chevron's method):
Someone in a Marketplace-enabled country buys a subscription
An application uses that subscription + the code inside the Developer unlock application to unlock a phone
Then the same application deploys (and executes) a xap (like samsung tools) to prevent the device relocking
The same application then deletes the device from the developer account
So, with a minor cost, we can have unlocked phones. I don't know if the dev account can get blocked if the user unlocks and "relocks" a lot of devices, but if one account is good for 10 phones, it's fine ($10 USD each unlock).

lucasryan said:
OK, I understand now how they work and what it needs to be. A lot more to it than I was thinking, so there is a chance to find a cert somewhere, somehow.
No. These are the best kept secrets in the industry. When those keys leak, a lot of DRM is compromised. And in most systems certificates, once compromised, can be revoked (through updates that are pushed or pulled). The ChevronWP7 guys did a brilliant job in finding the loophole in the server authentication. I think Microsoft has closed that one now. But maybe there's another loophole in the unlocking system.
There might also be other attack-vectors. If we can get XML-provisioning working from outside the device we can set the registry-values to unlock the device. Maybe OTA Provisioning can be done with WP7 devices.
Another possibility for XML provisioning can be found in this dll:
Code:
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.DeviceConnectivity.Interop.10.0\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.DeviceConnectivity.Interop.10.0.dll
You can open it in Reflector. There's a class called DevicePackageClass. It has a method called ProvisionDeviceXML(). So I tried using it, but when I instantiate the DevicePackageClass it gives me an error:
Retrieving the COM class factory for component with CLSID {E987B9DE-8471-11DB-96A9-00E08161165F} failed due to the following error: 80040154 Class not registered (REGDB_E_CLASSNOTREG)
The class is actually a wrapper for a COM class. So I looked it up in the registry. It seemed to be found in this dll:
Code:
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\dip.dll (VSD Device Integration Package)
But it is actually part of Visual Studio 2008, not Visual Studio 2010. The dip.dll is not installed with Visual Studio 2010. So I figured I might have a better chance with this dll:
Code:
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.DeviceConnectivity.Interop.9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.DeviceConnectivity.Interop.9.0.dll
But it gives me the same error. I also tried to register dip.dll with regsvr32. The registration worked, but the error was still the same. I even tried to access dip.dll directly, but I still couldn't create the COM class DevicePackageClass ("Can't create object").
So if we can somehow instantiate that class we might get XML provisioning working and unlock the device directly in the registry. Needs more research.
Ciao,
Heathcliff74

eried said:
Very good information; I am not too much into SSL security either. I have an idea for a new unlocker (not based on Chevron's method):
Someone in a Marketplace-enabled country buys a subscription
An application uses that subscription + the code inside the Developer unlock application to unlock a phone
Then the same application deploys (and executes) a xap (like samsung tools) to prevent the device relocking
The same application then deletes the device from the developer account
So, with a minor cost, we can have unlocked phones. I don't know if the dev account can get blocked if the user unlocks and "relocks" a lot of devices, but if one account is good for 10 phones, it's fine ($10 USD each unlock).
Microsoft scans the apps that are submitted for the marketplace. I doubt very much this will ever pass through. And if it will Microsoft will block it as soon as they find out. And it also needs the InteropService capability, which will never be allowed in the Marketplace.

Heathcliff74 said:
Microsoft scans the apps that are submitted for the marketplace. I doubt very much this will ever pass through. And if it will Microsoft will block it as soon as they find out. And it also needs the InteropService capability, which will never be allowed in the Marketplace.
My idea was not an app for the marketplace but a desktop app like Chevron

eried said:
My idea was not an app for the marketplace but a desktop app like Chevron
Ohw. Sorry. Misunderstood. I get what you meant. But you're gonna need new dev accounts all the time. Every time Microsoft blocks one dev account after a certain amount of unlocks, you'll have to get a new one. Who is willing to get all these accounts? This will probably run out very fast.

Heathcliff74 said:
Ohw. Sorry. Misunderstood. I get what you meant. But you're gonna need new dev accounts all the time. Every time Microsoft blocks one dev account after a certain amount of unlocks, you'll have to get a new one. Who is willing to get all these accounts? This will probably run out very fast.
Of course, but I personally don't have a problem with paying $10-$40 USD to unlock my device. Even $100-$200 seems fair to me for the complete developer account, but I can't pay here in Chile.

eried said:
Of course, but I personally don't have a problem with paying $10-$40 USD to unlock my device. Even $100-$200 seems fair to me for the complete developer account, but I can't pay here in Chile.
Personally I don't like the idea that I just bought a device of €550 and I have to pay another €100 to actually be able to have control over the device. I also needed to put in countless hours of work to get access to my system and to be able to set the color depth, for instance.
To be real honest, I really don't like the locked-down nature of the device. I liked Microsoft for their open systems (not open source, but highly customizable etc). And I also highly appreciate their developer tools and SDKs. And I love Silverlight. But if I would have known that the phone was so much locked down, I may have considered a Samsung Galaxy S instead of Samsung Omnia 7. Both great phones with super AMOLED etc. WP7 looks much better than Android, but Android is an open OS, which I would prefer. I think Microsoft should have made 2 flavors of WP7; one locked down version for the privacy-freaks and an open version for the tweakers. Anyway, I have the Omnia 7 now with WP7. And I will get it open, even if I have to break it open myself.

Heathcliff74 said:
Personally I don't like the idea that I just bought a device of €550 and I have to pay another €100 to actually be able to have control over the device. I also needed to put in countless hours of work to get access to my system and to be able to set the color depth, for instance.
To be real honest, I really don't like the locked-down nature of the device. I liked Microsoft for their open systems (not open source, but highly customizable etc). And I also highly appreciate their developer tools and SDKs. And I love Silverlight. But if I would have known that the phone was so much locked down, I may have considered a Samsung Galaxy S instead of Samsung Omnia 7. Both great phones with super AMOLED etc. WP7 looks much better than Android, but Android is an open OS, which I would prefer. I think Microsoft should have made 2 flavors of WP7; one locked down version for the privacy-freaks and an open version for the tweakers. Anyway, I have the Omnia 7 now with WP7. And I will get it open, even if I have to break it open myself.
Nobody likes a locked device.
But I do understand the Microsoft posture about this.

Related

HTC Touch Pro2 as a HACKING tool?

Good evening folks,
I am considering buying the HTC Touch Pro2 when it is released in the USA on Tmobile. I would like to understand what hacking (security testing) tools are available on the Windows Mobile Platform. I am a security professional and have the desire to perform penetration testing from the HTC Touch Pro2.
It seems the MetaSploit framework is not available. I like to work with the command prompt, is the command prompt accessible on the HTC Touch Pro2? I've read some info about being able to mount ISOs or run emulators. Is there WiFi hacking software such as Kismet available?
Does anyone know what hacking tools are available for this platform?
Thank you!
Anyone have any ideas?
It doesn't run real windows, you can't get a command prompt. You'd be better off with a real machine.
There's a couple companies out there that sell WM devices for pentesting, but they are all provided with the hardware since they are focused on wifi and I don't believe the standard WM stuff lets you put it into promiscuous mode.
You'd probably be better off with an android device so you can just compile whatever you want.
MSFT products have never been suitable for comp-sec professionals.
You're better off connecting to a *nix box using either PocketPuTTY or using a webbrowser to connect to a remote server running metasploit.
Check out VxUtil, it gives you DNS, reverse DNS, port scan, ping, finger & so on. Pocket Putty is a good free SSH client, also does port forwarding.
OpenVPN works as well if that takes your fancy. Lots of security tools are available, they are just a bit obscure. I don't think nmap is around though.
Thanks for the reply.
Our company actually just released a new product (called Security Tools) that lets you ping, traceroute, do a WHOIS lookup, and even do port testing on your Windows Mobile phones. The port testing can even send clear text commands to a port such as 'GET / HTTP/1.0' to verify that it is a HTTP service listening on that port. The traceroute is also able to visually show the trace (if it's public IP address) on a map so you can kind of get a visual representation of where your traffic is going. Please feel free to try our one week free trial which lets you use the application for a week without limitations, so you can make sure everything works as you want before you buy.
You can visit the original post here at xda over at this thread:
http://forum.xda-developers.com/showthread.php?t=550473
or you can visit the website for the product at:
http://www.securenetworksystems.com/SecurityTools/
Punkster812:
I downloaded "security tool", installed it, got a license - and it was already expired...
Also, your company name is "secure network systems" and your web pages are hosted on Microsoft IIS, and based on aspx..... seriously, if you wish to appear as a security company, you cannot use that crap.
The program won't work because you serve an old license, but one thing is clear; the icon is of very low resolution, and looks bad on WM6.5 or the TouchFlo menu.
And: the long Device-ID is there only to annoy your customers, no pir8 would ever be bothered by it, so you may as well stick to a 6-character alphanumeric code +-+++...
AlCapone said:
Punkster812:
I downloaded "security tool", installed it, got a license - and it was already expired...
Also, your company name is "secure network systems" and your web pages are hosted on Microsoft IIS, and based on aspx..... seriously, if you wish to appear as a security company, you cannot use that crap.
The program won't work because you serve an old license, but one thing is clear; the icon is of very low resolution, and looks bad on WM6.5 or the TouchFlo menu.
And: the long Device-ID is there only to annoy your customers, no pir8 would ever be bothered by it, so you may as well stick to a 6-character alphanumeric code +-+++...
I am sorry that you had troubles with the trial download; if you PM me with your Device ID I can get you one. We are aware of the low resolution, but rather than focusing on a pretty icon, we worked hard on a functional program. The long Device ID is not to annoy customers, it is actually a very secure method that we use and if you are able to break it, I would be very impressed; I know it's long but it's to protect our intellectual property and no other licensing method existed that prevents piracy like this does. We know every method is breakable, but this accomplished our goal of restricting the pirates that are going to steal software no matter what.
As far as the server... you are using a Microsoft product as well for your phone. We very rarely use ASP.NET through our site, in fact it's only for license generation and to set up an order, but it doesn't actually handle purchases. So the site is secure and I am confused about why you think our site is so insecure. I love Linux and Apache as much as the next network administrator. 4 out of 5 of my personal PCs run Linux, with one set up with Apache for my personal site, but for our business needs, we went with IIS.
Again I am sorry that it didn't work for you, I will double check to see if it's still properly generating licenses, and remember, the trial starts from when you download the license, not when you run the application with the license.
regarding IIS: http://www.internetnews.com/securit...Microsoft+Rushes+to+Patch+FTP+Hole+in+IIS.htm
This finally got some attention, it was in fact being exploited for years, over several versions.
Hosting software on vulnerable servers gives an opportunity for hackers to easily repack your CAB with spyware/dialer, and you can guess the rest. - such CABs must be inspected for each download.
Regarding the long serial number, it only makes a brute force attack harder, at best, which is usually not the method used. You can as well truncate it to a 6-7 char alphanumeric number, and it will work the same, but annoy people less.
Remember you are at a forum where people often reflash, and entering long serials each time (if cannot be exported from registry) - is boring, and a motivation to workaround.
I can't remember what it's called, but there is a CAIN port for Windows Mobile.
Fmstrat said:
I can't remember what it's called, but there is a CAIN port for Windows Mobile.
you are right; - it's simply "Cain for PPC:"
http://www.oxid.it/downloads/Cain_setup_PPC.ARM.exe
and yes, it's far away from the "real" Cain.
AlCapone said:
regarding IIS: http://www.internetnews.com/securit...Microsoft+Rushes+to+Patch+FTP+Hole+in+IIS.htm
This finally got some attention, it was in fact being exploited for years, over several versions.
Hosting software on vulnerable servers gives an opportunity for hackers to easily repack your CAB with spyware/dialer, and you can guess the rest. - such CABs must be inspected for each download.
Regarding the long serial number, it only makes a brute force attack harder, at best, which is usually not the method used. You can as well truncate it to a 6-7 char alphanumeric number, and it will work the same, but annoy people less.
Remember you are at a forum where people often reflash, and entering long serials each time (if cannot be exported from registry) - is boring, and a motivation to workaround.
Thanks for the link, I looked into it and we are not vulnerable against the attack and never have been, due to the attack's requirements (http://blogs.technet.com/srd/archive/2009/09/01/new-vulnerability-in-iis5-and-iis6.aspx). As far as brute forcing, without going into too much detail, it would be extremely difficult to do as it uses standard, proven encryption algorithms. The extremely long serial that you are talking about is a unique ID for your phone. We know it's long and are always looking for ways to improve the licensing we use. The license is a file and not something that you key in; you copy it to the installation directory, so you can keep a copy in your email, on your computer, flash drive, wherever, for backup purposes in case you need to reload the app.
As far as reflashing, that is a very valid point. I am not 100% sure, but I believe reflashing should not hurt the license, which would hopefully mean you wouldn't have to enter your device ID again. But if anyone could confirm this, that would be appreciated. We know a lot of the people here are very advanced and know more about their phones than most of the people at service providers or even the phone manufacturers themselves sometimes, which is why we enjoy releasing our products here for testing before we release them to the public. In the little time that Security Tools has been up we have received some constructive feedback on what could be improved.
Punkster812 said:
As far as brute forcing, without going into too much detail, it would be extremely difficult to do as it uses standard, proven encryption algorithms.
Right, that's why I said long numbers would be good for only that; once the calculation/verification routine is extracted for a keygen, it's no more of a job whatever the result is, 6 or 50 digits long.
- Therefore, you might save your customers from all the boring entry, because no keygen /(or crack) will be more difficult by having more digits.

[WORK IN PROGRESS] XML Provisioning for all devices...

At the moment I'm working on an app called "WP7 Root Tools". I got the registry editor almost finished, but I am also going to add a File Explorer, Certificate Stores and maybe more. When the registry editor is working I will release the first alpha version. As the title of the app implies, the tool uses root privileges to perform queries and transactions. I let the tools parasitize other processes to get the code executed in the TCB chamber of the device. I have this working stably now on my Samsung Omnia 7. Unfortunately I have to use a little bit of device-specific APIs to do this. And I have to make quite a detour to make it work, which has a negative impact on the performance.
So the ultimate goal is that, in the end, this will work with other, more direct APIs, which work on all devices. During my research I found some possibilities that need more investigation. I already decided that I will first concentrate on getting this working with my Samsung device, so that I have at least the tools to do further research. But I thought I'd drop some of my findings here that may lead to better device support and better performance for future versions of the tools.
There are many ways that may lead to executing code with elevated or root privileges. But in this post I want to concentrate on XML provisioning. A lot of info can be queried and configured through these APIs. I have tried to call the native OS functions for XML provisioning. The function you need to call is: DMProcessConfigXML(). And it is declared in: Cfgmgrapi.h. If you call this function it returns error code: 0x4ec (or 0x800704ec), which means "Access disabled by policy". If you use a native COM dll and you forget to add ID_CAP_INTEROPSERVICES to the WMAppManifest.xml, you will get the same error code when calling a native function through the COM interop. So when I get the same error code when calling DMProcessConfigXML(), this may suggest that I might be missing a capability in the WMAppManifest.xml.
In another thread on this forum some undocumented capabilities were discussed. One of them was ID_CAP_WAP. Since OMA Client Provisioning is also called WAP Provisioning, I thought that might be the missing capability. I was not able to add the capability from within Visual Studio, because the capability is missing from the corresponding xsd's, so it will give a validation error on building the project. But I could add it manually after the project was built. When I deploy it to the device, using the Application Deployment tool, it would return "Access is denied". I thought it might be an invalid capability, but when I changed the capability to ID_CAP_XXXXXX that would return "Install failed. Fix the capabilities." which is the real error message for an invalid one. That implies that ID_CAP_WAP is in fact an existing capability, but I'm just not allowed to use it. If I were able to use it, I would probably have access to the function DMProcessConfigXML(). That part of the app would be impersonated into higher chambers.
So the big question is what is keeping me from using the ID_CAP_WAP? Why am I not allowed to use it? I tried to attach a debugger to XapDeploy.exe, but it does not throw any exceptions at all. The errorcode is generated in the phone. Getting this fixed will give a big boost to getting closer to root access on all devices. Any help or insight on this will be appreciated.
Heathcliff74
I sent some tweets to da_g, chris, chevron, julien schapman, and a few other devs to let them know this is going on... I'll try tom hounsell too; he may know a bit more about this.
I'm notifying notebookgrail too because he has been doing some work with Dell Venue Pro devices.
Good luck
At a wild guess, it's probably looking for a signature. Using signed code for trusted functions is the kind of thing MS likes to do. :-/
All that said, if you have ProvXML working on Samsung, I would *love* to take a look at it. I'm maintaining a cross-platform Homebrew library. Currently I have at least partial ProvisionXML on HTC and LG, but none on Samsung. I don't have a Samsung device to test with, which is making it hard to try things out...
ID_CAP_WAP isn't a capability you can assign yourself. A higher up has to assign it to you.
<!-- Account loaded from: W:\WINCEROOT\temp\oakcopy28570\Release\x86\XDE\Policy\cb659c75-eac9-4db7-afd8-055632acf233.policy.xml(292,2) -->
<Account Id="S-1-5-112-0-0X71-0X49445F4341505F574150" Description="Autogenerated group for capability ID_CAP_WAP" FriendlyName="ID_CAP_WAProvides access to WAP API" Type="Group">
<!-- MemberOfGroup loaded from: W:\WINCEROOT\temp\oakcopy28570\Release\x86\XDE\Policy\cb659c75-eac9-4db7-afd8-055632acf233.policy.xml(293,2) -->
<MemberOfGroup GroupAccountId="S-1-5-112-0-0X71" />
(BasePolicy.xml)
domineus said:
I sent some tweets
Thanks.
GoodDayToDie said:
All that said, if you have ProvXML working on Samsung, I would *love* to take a look at it.
Well, the whole ProvXml stuff will become irrelevant, when I finish the tools. Because ProvXml is not really user-friendly and my tools will provide that functionality in a user-friendly fashion. So at this moment I want to concentrate on finishing the first alpha-version. Later on, I will probably clean-up the code and release it. But it's quite complex, because I added async multithreading to keep it all smooth.
WithinRafael said:
ID_CAP_WAP isn't a capability you can assign yourself. A higher up has to assign it to you.
Thanks for this info. But what I read from this is that you just need to be able to impersonate. Has anyone tried CeImpersonateToken() with this SID?
Abstraction of the ProvXml capabilities is awesome, assuming that we can fully use them and/or extend them if needed. It's useful for a ton of stuff. I've written a small amount of abstraction for registry writes and such, but having the full functionality exposed through a clean API would be fantastic.

Dev Account = Unlock? ... Same as Chevron

Ok, this may sound a little stupid but please bear with me....
I'm a student, so I have a ".edu" email address which allowed me to sign up for a free dev account.
Although I'm on a Mac I'm downloading parallels desktop so I can get zune software.
From what I understood from reading these forums...I can use the dev tools and unlock my device with Zune?
Is this essentially the same as using Chevron unlocker?
I can't use Chevron Unlocker because I have a HTC Arrive that has the NoDo update already applied...but if I use the above methods, it would be the same...no?
Yes, as far as I am aware.
I am also a student in the uk with an .ac.uk email
I have signed up and my account started being activated today, will let you know! I am on NoDo too.
I also have a .edu account, so this means I can sign up as a developer and get the official unlock code? Would I actually have to do any developing for them to keep my account open?
I don't have NoDo yet but will want to unlock it once it's available (AT&T branded Focus).
This would be interesting because it says I can have up to 3 registered devices under my Dev Account.
I personally just created it so I could unlock my NoDo Arrive, but I might actually try at creating some apps...I wonder if it's really that hard
It's a little more complicated than what it first seems, but nothing too hard.
Sign up through Dreamspark, that gets you your account.
To dev unlock the phone you use the Windows Phone tools that you get through Dreamspark, but it won't let you unlock it until you have activated your developer account through GeoTrust.
To do this on a student account you have to submit an application to Microsoft first. I just created a basic dice roller, there are guides on the internet for how to make this app, it only took me two hours to do using the guide, and 1 day after submitting the app to Microsoft I got an email from GeoTrust asking me to validate my account.
To validate you need to fill in the form with a photocopy of your driver licence or passport and email/fax it to them, they then tell Microsoft all is good, and your account is activated.
But yeah, if you're a student, then it's definitely worth doing, because you will effectively be "jailbroken" but in a completely legit, Microsoft-are-happy way.
The major problem with an actual developer unlock, is there is a limit on the number of applications you can side-load at the same time - 3 for student accounts, 10 for individual/corporate accounts, if I remember correctly. Makes it difficult to use them for homebrew - I know I had more than 10 homebrew applications together.
loomx said:
It's a little more complicated than what it first seems, but nothing too hard.
Sign up through Dreamspark, that gets you your account.
To dev unlock the phone you use the Windows Phone tools that you get through Dreamspark, but it won't let you unlock it until you have activated your developer account through GeoTrust.
To do this on a student account you have to submit an application to Microsoft first. I just created a basic dice roller, there are guides on the internet for how to make this app, it only took me two hours to do using the guide, and 1 day after submitting the app to Microsoft I got an email from GeoTrust asking me to validate my account.
To validate you need to fill in the form with a photocopy of your driver licence or passport and email/fax it to them, they then tell Microsoft all is good, and your account is activated.
But yeah, if you're a student, then it's definitely worth doing, because you will effectively be "jailbroken" but in a completely legit, Microsoft-are-happy way.
So if we have a student developer account we have to create an app first? Exactly what guide did you use?
I have "ZERO" coding experience, even though I do dabble in web development...is it hard to do? I'm not asking someone to hold my hand, just point me in the general direction.
Isn't there a "hack" available on these forums that allows you to "sideload" more than the limits?
I mean essentially a person could use the free Dev Account to unlock their device, then use the registry hack (available on these forums) to allow more than the limit for sideloading....
...or am I missing something?
Yup, there is a hack somewhere, I might give it a go, but TBH, I'm happy to install the reg editor, do the edits and uninstall it, then do the same for ringtones and uninstall it and so on, and just keep 3 that I really need.
After a bit of googling, it seems it might be even simpler...
You still need to have the Dev tools downloaded from Dreamspark, but someone posted that all you need to do is this...
Create a new project.
Build the project.
Look in the bin directory that was created.
Find the .xap.
Then submit that
loomx said:
Yup, there is a hack somewhere, I might give it a go, but TBH, I'm happy to install the reg editor, do the edits and uninstall it, then do the same for ringtones and uninstall it and so on, and just keep 3 that I really need.
After a bit of googling, it seems it might be even simpler...
You still need to have the Dev tools downloaded from Dreamspark, but someone posted that all you need to do is this...
Create a new project.
Build the project.
Look in the bin directory that was created.
Find the .xap.
Then submit that
So even though it's a "shell" app (empty app) and it would get rejected by AppHub...all that really matters is that you submit something for GeoTrust to send you the verification email???
I'm interested in this as well. I've just updated to NoDo.
I'm currently studying computer science at uni and tempted to do a WP7 app for my final year or in my spare time.
Developer Unlock is the same thing as what Chevron does.
For students that are interested, Microsoft provides the Dreamspark program where they give students access to free software, development tools and WP7 developer registration
ducylowycz said:
So even though it's a "shell" app (empty app) and it would get rejected by AppHub...all that really matters is that you submit something for GeoTrust to send you the verification email???
Exactly. That's all you need. Once you submit it you'll just get an email from "GeoTrust" (Hotmail marked it as spam), and then you'll be on your way.
If you live in a country where Marketplace isn't available yet it complicates things a bit.
Even if you get a student account tied to your Swedish Live account (like I did) you can't access the Marketplace. But you can still submit apps and get them published with that account!
The only solution here is to get a UK/USA live-account and then jailbreak your phone.
So when NoDo gets released I have to choose between running my own apps or run apps from the Marketplace.
The Live account on your phone doesn't have to match the Live account of your developer account, as far as I am aware.
My phone is now Dev unlocked and on No-Do.
If you install Advanced Config, it can make it so you can sideload as many apps as you want.
Do you think there should be a tut for doing this?
I was thinking of creating one because, as of now, this is the only option to "unlock" our devices.
Ok...I have everything installed but when I "build" the app and submit it to Apphub, it just gives me an exception out of range error...
Any insight?
ducylowycz said:
Do you think there should be a tut for doing this?
I was thinking of creating one because, as of now, this is the only option to "unlock" our devices.
It's pretty simple - register your student email with Dreamspark,
submit an app (doesn't even have to work) to get GeoTrust to start the identity process,
when you verify your identity wait 2 business days.
You now have the option to have 3 devices that can be unlocked.
For the respective device, go and edit the registry to increase the app loading limit to unlimited (student has I think 3) and you're done.
Legit chevron. unlocked device for sideloading. I'll be getting my brother to do it for his phone as well as his school too! Although I can see an impending rape of this...
It's also pretty profitable...
My country is not in the list box, Singapore is the closest one, I'm from Indonesia, any suggestion?
domineus said:
It's pretty simple - register your student email with Dreamspark,
submit an app (doesn't even have to work) to get GeoTrust to start the identity process,
when you verify your identity wait 2 business days.
You now have the option to have 3 devices that can be unlocked.
For the respective device, go and edit the registry to increase the app loading limit to unlimited (student has I think 3) and you're done.
Legit chevron. unlocked device for sideloading. I'll be getting my brother to do it for his phone as well as his school too! Although I can see an impending rape of this...
It's also pretty profitable...
I just spent 2 hours to figure out the tools and built a quote of the day app. Just submitted it. Will wait for Geotrust to contact me.
Well, although many might abuse it, it will expose students to the platform. MS has really good tools. I am not a computer major, but I managed to build an app in 2 hours. I am quite excited about my app, and I will definitely read more about the tools and try a few more things.
PS: now I need to buy a windows phone device :-D

Stop trying to hack NoDo. Start hacking Mango.

As I briefly posted on my blog Monday, Mango will no longer support the deployment of XAPs containing the ID_CAP_INTEROPSERVICES flag. This means you won't be able to deploy your web servers, root tools, and other assorted unsupported hackery.
With our sanctioned, dirt cheap unlock service around the corner, trying to jailbreak NoDo (without upgrade hacks) is a waste of time. I believe the ROI on time spent on hacking this interop limitation is much greater.
This limitation is implemented in PacmanInstaller.exe (on the phone); it scans the manifest for the flag and bails with HRESULT 0x81030120.
As Mango FFUs haven't been released yet, I haven't tested upgrade path 'hacks'; worse, this behavior doesn't appear to be reproducible in the emulator limiting current testing to those w/ Mango phones. (That should change in the next few weeks, hopefully.)
I'm interested to see what ideas you guys have!
How does Microsoft even explain this? What's the point in allowing your unlock officially and then blocking the very functionality we unlock devices for?
Maybe this is a temporary problem?
As far as Microsoft is concerned the new Unlock variant is for people who want to develop for their devices but without intention to publish the results to the Marketplace, e.g. people who want to play around with things.
If you're a Nokia Dev today you get the unlock for free - allowing people to access undocumented APIs is not what Microsoft wants to happen but more to make people experiment with the platform and then perhaps publish their work to Marketplace later on - but that would not be able to happen if those experiments used COM-Interop which is not allowed on the Marketplace.
Well, this way, from an end user perspective, unlocking is useful only for piracy. Getting sideloading without extended capabilities is a weird proposition.
Re hacking Mango, I guess people need to get it on their phones somehow to begin with.
In the other thread I requested that everyone who upgrades makes a Wireshark log and posts it here, so we can tear it apart. I also left some instructions there.
Please also let me know if apps with native code survive the upgrade and if the Chevron unlock with prevent-relock survives the update.
Ciao,
Heathcliff74
MFW I already found out a possible solution for how to bypass this.
>NoDo needed before Mango.
No trolling. Also, can't say it here on XDA, then the Microsofties will pick it up and block...
>Trusted people I can tell, sry.
Thanks for sharing this secret, but up to this moment, Ansar's way (flashing stock ROM, then using Advanced Configuration utility to avoid relocking) is the only effective way.
One could write an application for NoDo, for example a ChevronWP7 Homebrew Enabler, that uses native APIs to modify manifests of homebrew applications found on the phone. Then upgrade to Mango.
There are lots of upgrade scenarios but we have to remember -- new phones will only ship with Mango.
Yeah, let's tell Rafael and his MS homies how the people here try to hack Mango, so that he can tell MS to fix it before Mango is released to everyone.
I hope you won't tell a thing in public @ fiinix, jaxbox, heathcliff
diboze said:
rafael and his ms homies
Really? Rafael informs us of an important issue that we should try resolving, and your response is "OMG he's in bed with Microsoft let's ostracize him"? That saddens me.
@arktronic: please... you can't be this naive...
I won't dignify that with a response.
Oh wait...
There seems to be a way ... for current NoDo users. It is similar to what happened going from original 7008 to NoDo ... in terms of unlocking. I will stop there.
I'm curious, is the ID_CAP_INTEROPSERVICES merely a flag that the xap contains native code, or does the executive actually forbid the application from running native code unless the flag's present?
i.e. could we modify the xap to remove this flag, but still run the native code app on the phone?
elyl said:
I'm curious, is the ID_CAP_INTEROPSERVICES merely a flag that the xap contains native code, or does the executive actually forbid the application from running native code unless the flag's present?
i.e. could we modify the xap to remove this flag, but still run the native code app on the phone?
The flag must be present.
diboze said:
Yeah, let's tell Rafael and his MS homies how the people here try to hack Mango, so that he can tell MS to fix it before Mango is released to everyone.
I hope you won't tell a thing in public @ fiinix, jaxbox, heathcliff
You're an idiot.
Here are some things to consider then:
Can something be done to the XAPs to allow the flag? Signing? Other XML file modifications that, in turn, would allow the flag to be used?
Can something be done to the system? A registry change perhaps?
Have any new flags been added to Mango that might also allow low-level system access?
It seems more complicated than just the flag.
Homebrew apps or resigned apps (like Scansearch, or HTC apps) won't run, but official manufacturer apps (Scansearch on LG, HTC apps on HTC) run fine.
So it seems to depend on some certificate.
Also, installing an app then upgrading to Mango keeps the app on the phone, but it won't allow you to launch it (no error, just launch and quit).
(nico) said:
It seems more complicated than just the flag.
Homebrew apps or resigned apps (like Scansearch, or HTC apps) won't run, but official manufacturer apps (Scansearch on LG, HTC apps on HTC) run fine.
So it seems to depend on some certificate.
Also, installing an app then upgrading to Mango keeps the app on the phone, but it won't allow you to launch it (no error, just launch and quit).
Ah, thanks for testing that. So that means installing an application then upgrading won't be as easy as it sounded.
One test would be to sign a XAP and place your root certificate in the CA store (with Heath's toolset).
diboze said:
Yeah, let's tell Rafael and his MS homies how the people here try to hack Mango, so that he can tell MS to fix it before Mango is released to everyone.
I hope you won't tell a thing in public @ fiinix, jaxbox, heathcliff
I too hope everyone will be a selfish bastard and will never get anything done.
Arktronic said:
Here are some things to consider then:
Can something be done to the XAPs to allow the flag? Signing? Other XML file modifications that, in turn, would allow the flag to be used?
Can something be done to the system? A registry change perhaps?
Have any new flags been added to Mango that might also allow low-level system access?
I'm trying some things with the package manager. I haven't got anything yet, but I got some ideas I yet have to try. I'm working on flagging an app as "not being sideloaded".
(nico) said:
It seems more complicated than just the flag.
Homebrew apps or resigned apps (like Scansearch, or HTC apps) won't run, but official manufacturer apps (Scansearch on LG, HTC apps on HTC) run fine.
So it seems to depend on some certificate.
Also, installing an app then upgrading to Mango keeps the app on the phone, but it won't allow you to launch it (no error, just launch and quit).
Ok. So it looks like the package-manager doesn't allow the interop-flag for apps with a full install-cycle through side-loading. The flag is probably allowed for upgrades and marketplace-installs (including DRM licenses). And the PolicyEngine (runtime system) requires the dll's to be signed properly or else it will deny interop to native code.
WithinRafael said:
Ah, thanks for testing that. So that means installing an application then upgrading won't be as easy as it sounded.
One test would be to sign a XAP and place your root certificate in the CA store (with Heath's toolset).
Please refer to the opening post of this thread. For the purpose of code-signing the certificates in the "Code Integrity" store are used. The certificates in that store would probably need a signing-root in the CA store. This means that you have to create a certificate that has the properties of a "Code Integrity" certificate AND the properties of a "CA" certificate and then add this cert to both the "Code Integrity" and "CA" stores. Then use the private key to sign all the dll's.
If you look at the certs in the "Code Integrity" store, then all, except the one used for LPC signing, have this:
Key Usage: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
Enhanced Key Usage: Code Signing (1.3.6.1.5.5.7.3.3), Unknown Key Usage (1.3.6.1.4.1.311.10.3.14)
If you look at the certs in the CA store, then you see that they all have:
Certificate Signing, Off-line CRL Signing, CRL Signing (06)
That means that you have to create a cert with:
Key Usage: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
Enhanced Key Usage: Code Signing (1.3.6.1.5.5.7.3.3), Unknown Key Usage (1.3.6.1.4.1.311.10.3.14)
Then add this to "Code Integrity" and "CA".
You have to create the cert with OpenSSL. You can't create such a cert with Visual Studio tools.
I already created such a cert. I will create a new version of the WP7 Root Tools and sign the dll's with this cert. And I will make an option to install/uninstall the public cert in "Code Integrity" and "CA". I advise everyone who wants to try this to first make a backup! Then, when you have this version of the WP7 Root Tools installed and you used it to install the certificates too, you should try to upgrade to Mango and see if the WP7 Root Tools are still working.
I will let you know when I got this new version of the WP7 Root Tools ready.
Ciao,
Heathcliff74
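As an added illustration (not code from this post or from the WP7 Root Tools), the Python below encodes the Key Usage and Enhanced Key Usage values quoted above as DER and shows where the "(86)" and "(06)" numbers come from; the OpenSSL extension section it prints, including basicConstraints CA:TRUE, is my assumption of what "properties of a CA certificate" means.

```python
"""Encode/decode the X.509 KeyUsage and ExtendedKeyUsage values the post lists.
The (86) and (06) in the post are the first octet of the KeyUsage BIT STRING
(certutil prints it as hex); this encodes them from the named bits and back."""

# RFC 5280 KeyUsage named bits. Bit 0 is the most significant bit of the first
# octet of the BIT STRING, so digitalSignature = 0x80, keyCertSign = 0x04, ...
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,   # lives in a second octet; not needed here
}

# The two EKU OIDs quoted in the post.
EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EKU_MS_UNKNOWN = "1.3.6.1.4.1.311.10.3.14"   # shown as "Unknown Key Usage"


def key_usage_byte(names):
    """First KeyUsage octet for the given names, e.g. 0x86 for the post's list."""
    value = 0
    for name in names:
        bit = KEY_USAGE_BITS[name]
        if bit > 7:
            raise ValueError("decipherOnly needs a second octet; not handled here")
        value |= 0x80 >> bit
    return value


def key_usage_names(octet):
    """Inverse of key_usage_byte: 0x06 -> ['keyCertSign', 'cRLSign']."""
    return [n for n, bit in KEY_USAGE_BITS.items()
            if bit <= 7 and octet & (0x80 >> bit)]


def der_length(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_key_usage(names):
    """DER BIT STRING (tag 0x03) for KeyUsage. DER requires the trailing zero
    bits to be dropped, so the unused-bits octet is the number of trailing
    zeros in the value octet: 0x86 and 0x06 both give one unused bit."""
    octet = key_usage_byte(names)
    if octet == 0:
        return b"\x03\x01\x00"
    unused = 0
    while not (octet >> unused) & 1:
        unused += 1
    return b"\x03" + der_length(2) + bytes([unused, octet])


def der_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06); arcs >= 128 use base-128 continuation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + der_length(len(body)) + bytes(body)


def der_ext_key_usage(oids):
    """DER SEQUENCE OF OBJECT IDENTIFIER for ExtendedKeyUsage."""
    body = b"".join(der_oid(o) for o in oids)
    return b"\x30" + der_length(len(body)) + body


# The combination the post derives: Code Integrity usages plus CA usages.
COMBINED_KEY_USAGE = ["digitalSignature", "keyCertSign", "cRLSign"]
COMBINED_EKU = [EKU_CODE_SIGNING, EKU_MS_UNKNOWN]


def openssl_v3_section():
    """OpenSSL x509v3 extension lines matching the DER above. The
    basicConstraints line is an assumption about what makes it a CA cert."""
    return ("keyUsage = " + ", ".join(COMBINED_KEY_USAGE) + "\n"
            "extendedKeyUsage = codeSigning, " + EKU_MS_UNKNOWN + "\n"
            "basicConstraints = CA:TRUE\n")


if __name__ == "__main__":
    print("KeyUsage (Code Integrity):", hex(key_usage_byte(COMBINED_KEY_USAGE)))
    print("KeyUsage (CA):", hex(key_usage_byte(["keyCertSign", "cRLSign"])))
    print("KeyUsage DER:", der_key_usage(COMBINED_KEY_USAGE).hex())
    print("EKU DER:", der_ext_key_usage(COMBINED_EKU).hex())
    print(openssl_v3_section())
```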

HTCutility.dll used for direct access to TCB chamber

As it is known that HTCUtility.dll will provide complete, unrestricted access to the TCB chamber on HTC devices, can this be used to unlock (at any level) the OS?
I have not heard anyone speaking of it and it exists on my HTC Arrive. Seems to be a bypass for unrestricted access to anything within HTC devices.
I am looking at it myself, but thought I would share.
See details here...
http://labs.mwrinfosecurity.com/files/Advisories/mwri_htc-htcutility-kernmem_2011-11-10.pdf
Your link is down
Very interesting, but your link is down, so please fix it so I can take a look. I too have an HTC Arrive and have been working on an unlock.
Don't know what happened to the link.
Here is the link to the google docs version.
https://docs.google.com/viewer?a=v&...1C1HkN&sig=AHIEtbTwK-r8RyAyFmt1ai119m7EVAqsNA
-Paul
This looks promising, I'd like to know if what's written there is true ...
The paper is a couple months old, so it *could* have been patched by HTC... but hey, it also might not have been! This bears investigation post-haste.
It's easy enough to use this to execute some arbitrary code at high permissions, which is certainly useful as-is (do things like unrestricted registry and filesystem access). The real potential of it, though, is to turn off the security restrictions for specific apps. Essentially, get the benefits of a "fully unlocked" ROM but on a stock ROM, and only for the apps you specify.
One thing to note here: this is still going to require an interop-unlocked phone. It's opening a handle to a driver, and just like everything else that does so, it needs ID_CAP_INTEROPSERVICES. This is great news for owners of interop-unlocked/unlockable phones (since this makes interop-unlock useful again) but probably doesn't help on 2nd-gen phones or on the Arrive (unless you want to roll back to NoDo, in which case this can probably be used to make an interop-unlock that works on Mango, though it wouldn't be easy).
I hope someone gets this working for the Arrive ASAP.
Oh, this was talked about a while back. It was patched back in NoDo.
Really? The paper is from only 3 months ago (assuming USA numeric date style, 2 months otherwise). You don't typically publish security advisories for things that were patched more than 6 months prior.
In any case, HTCUtility.dll still exists on my phone. No idea yet if that IOCTL still works, though. I'll try it out in any case, and report back.
For those asking about it for the Arrive though, you're likely out of luck even if this works. It is *not* a way to interop-unlock a phone, and it is *not* a way around interop-unlock. It's a way to do more things on an interop-unlocked phone. You can't even reach a driver (which is what HTCUtility.dll is) unless your app has ID_CAP_INTEROPSERVICES - that's what the capability is actually for, accessing drivers - and you can't install a homebrew app with that capability unless interop-unlocked (or on pre-Mango).
GoodDayToDie said:
I'll try it out in any case, and report back.
Thank you
GoodDayToDie said:
Really? The paper is from only 3 months ago (assuming USA numeric date style, 2 months otherwise). You don't typically publish security advisories for things that were patched more than 6 months prior.
In any case, HTCUtility.dll still exists on my phone. No idea yet if that IOCTL still works, though. I'll try it out in any case, and report back.
For those asking about it for the Arrive though, you're likely out of luck even if this works. It is *not* a way to interop-unlock a phone, and it is *not* a way around interop-unlock. It's a way to do more things on an interop-unlocked phone. You can't even reach a driver (which is what HTCUtility.dll is) unless your app has ID_CAP_INTEROPSERVICES - that's what the capability is actually for, accessing drivers - and you can't install a homebrew app with that capability unless interop-unlocked (or on pre-Mango).
Yeah I think it was mentioned here on XDA and it was believed to already have been patched.
I think by "patch" they mean that Interop was restricted as of Mango, thereby securing this exploit, in Mango. But for those that are Interop unlocked, this should still grant full access to everything else.
Just my observations. I have an Arrive and am not Interop unlocked yet, so I can't test it.
Looking at the hands-free provisioning to see if I can find a way to leverage that....
-Paul
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process context blocks, but none with CE ones (if it even uses such a structure).
GoodDayToDie said:
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process context blocks, but none with CE ones (if it even uses such a structure).
All the information looks like it is in the advisory. KDataStruct is what you want. That is equivalent to the PEB in Windows CE.
GoodDayToDie said:
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process context blocks, but none with CE ones (if it even uses such a structure).
Can you confirm this works only on already Interop Unlocked device ?
Thx for your efforts.
Could htclv.dll be helpful in setting security on an app? It supports the following functions:
LVModInitialize, LVModUninitialize, LVModAuthenticateFile, LVModRouting, LVModAuthorize, LVModGetPageHashData, LVModCloseAuthenticationHandle, LVModGetHash, LVModProvisionSecurityForApplication, LVModDeprovisionSecurityForApplication, LVModGetSignerCertificateThumbprint, LVModSetDeveloperUnlockState, LVModAuthorizeVolatileCertificate, LVModGetDeveloperUnlockState
In particular the "Deprovision Security for App" and "Get/set DeveloperUnlock" or maybe "Authorize Volatile Certificate"....
Or maybe htcpl.dll which seems to be the HTC policy engine interface. Supports:
GetFunctionTable, PolicyCloseHandle, PolicyEngineInit, PolicyRuleAbortTransaction, PolicyRuleAddRawData, PolicyRuleBeginTransaction, PolicyRuleBuildRawData, PolicyRuleCommit, PolicyRuleCommitTransaction, PolicyRuleCreate, PolicyRuleDelete, PolicyRuleFindFirst, PolicyRuleFindNext, PolicyRuleGetInfo, PolicyRuleOpen, PolicyRuleParseRawData, PolicyRuleReadRawData
These all look good to modify the security policies on HTC, assuming Interop-Unlocked.
-Paul
@dragonide: Confirmed, this requires interop-unlock since the very first step is opening a handle to a driver.
@Paul_Hammons: The LVMod functions look quite interesting indeed. Where are you getting these functions from (straight out of the DLLs, or some doc somewhere, or decompiled code, or...?), are they user or kernel entry points, and what permissions do they require? The ability to modify app security doesn't do as much good if you already have to be high-privileged to call it, though it might simplify my current goal.
@n0psl3d: Cool, I'll get to work on it.
@n0psl3d: KDataStruct contains kernel information, but I'm pretty sure what I need is in a PROCESS struct (such as is pointed to by pCurPrc). The problem is, I can't find any documentation for that struct. I'm searching online but so far coming up empty. CE doesn't seem to use PEBs or TEBs as I've seen them on NT (not terribly surprising, but annoying).
EDIT: I'm downloading the Embedded CE toolkit, which comes with source code. It'll take a while but hopefully that will have what I need.
OK, digging through the CE source I've found some interesting things. No idea if this will work yet; it'll be exciting just to make it compile.
PROCESS struct -> hTok (handle to a Token) -> phd (PHDATA, pointer to the handle data) -> pvObj (PVOID to the actual object, which is probably a TOKENINFO) -> psi (pointer to ADBI_SECURITY_INFO) -> contains the actual ACLs and privileges, and can be created from an account ID.
Probably the easiest option is to find a relatively high-privilege process and clone its token or some such. Token re-use (if I increment the reference count, this should work) may be easier. Modifying an existing token might also be doable.
Anyhow, I'm not going to have this finished tonight, but it'll get there. For those wondering what you can do with this, it basically breaks you out of the sandbox entirely. You can call any function, access any resource, etc. that is available to a userland process (executing in kernel mode is also possible but trickier). Practically speaking, this makes all the other high-privilege COM DLLs useless - instead of ComFileRW, just use the file IO methods (anywhere you want), instead of DMXMLCOM just call ConfigProvXml directly. Even things like launching native EXEs directly should become possible (run those Opera ports on a stock ROM, for example).
I'm sorry, I still don't know what any of that means. But it sounds good! I wish I knew how to do this kind of stuff. Thanks for all of your work!