Related
I'm stumped on how to do this...
I'm trying to call an external program (python CE) in my vb.net program to run a script. I'm using the following code and it works just fine... EXCEPT that it opens python.exe in the foreground, processes my script in an open window and closes it. I want the whole process to be invisible to the user. Python CE does not have a (working) console-less function, so I need to try to do it using .NET.
I can't figure it out!
Code:
Dim scriptfile As String
Dim pyProcess As New Process()
scriptfile = """\default.pyw"" ""1"" ""2"""
pyProcess.StartInfo.FileName = "\Program Files\Python25\python.exe"
pyProcess.StartInfo.Arguments = scriptfile
pyProcess.StartInfo.UseShellExecute = False
pyProcess.Start()
As you can see the UseShellExecute property set to false does nothing. Should I maybe try running this in a separate thread??
Here you have an example of how it should look like
Code:
Public Sub HTCRomTool(ByVal localeID As String)
Dim process As New Process
process.StartInfo.Arguments = (" /buildrom "".\FLASH\ferom.htcrtproj"" "".\FLASH\RUU_Signed_" & localeID & ".nbh""")
process.StartInfo.FileName = (Me.ToolsFolder & "\htcrt.exe")
process.StartInfo.CreateNoWindow = True
process.Start
Do While Not process.HasExited
Thread.Sleep(100)
Loop
process.Close
process.Dispose
End Sub
That you need to add your references and arguments
I appreciate it! and will try it out ASAP
CreateNoWindow does not show up as a member of system.diagnostics.process.StartInfo...
I'm using NET CF 3.5 and VS2008 refuses to accept that line.
The next example, the NET CF 3.5 and VS2008
Code:
Dim p As New Process()
p.UseShellExecute = True
p.StartInfo.FileName = "C:\Windows\Notepad.exe"
p.StartInfo.Verb = "runas"
p.Start()
And See This - Open NetCF
nokser said:
The next example, the NET CF 3.5 and VS2008
Code:
Dim p As New Process()
p.UseShellExecute = True
p.StartInfo.FileName = "C:\Windows\Notepad.exe"
p.StartInfo.Verb = "runas"
p.Start()
Click to expand...
Click to collapse
I appreciate the help, but that doesn't stop pythonCE from launching in its own window. I'm going to reinstall the SDKs just in case I screwed something up a while ago... other than that, I'll have to think on it.
OpenNetCF is interesting but the newest version (2.X) doesn't have the Process namespace anymore. They took it out with the advent of NET CF 2.0. I might try their deprecated version though (1.4)
For anyone else that is interested in this thread, I figured out a solution.
PythonCE does work on WM6.5 and the switch to run without a console/window opening is /nopcceshell.
HOWEVER, this won't work on the emulator that's part of VS2008 when you're debugging your software! If you use your own device on ActiveSync and debug your program on your physical device, it actually works. I'm running WM6.5.4 (I think).
There's no special code needed to run this in VB.NET... just start a process and pass "/nopcceshell" as the first argument. Then you can put your script name (needs full path) and any other arguments afterwards.
Oh man this was killing me.... SOLVED!
Hi there,
I'm having a big issue, when trying to remove an XElement from an XML file created in IsolatedStorage.
--------------------------------------------------------------------------------------------
Code to CREATE the XML file
Dim File_to_Create As String = "Tracks.xml"
Dim file As XDocument = <?xml version="1.0" encoding="UTF-8"?>
<dataroot xmlnsd="urn:schemas-microsoft-comfficedata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="Cartridges.xsd" generated="2010-11-23T14:26:55">
<Carts>
<CART_NAME>First</CART_NAME>
<CART_COLOR>White</CART_COLOR>
</Carts>
<Carts>
<CART_NAME>Second</CART_NAME>
<CART_COLOR>Black</CART_COLOR>
</Carts>
</dataroot>
Dim isoStore As IsolatedStorageFile = IsolatedStorageFile.GetUserStoreForApplication()
Try
If isoStore.FileExists(File_to_Create) Then
MessageBox.Show(File_to_Create + " TRUE")
Else
MessageBox.Show(File_to_Create + " FALSE")
Dim oStream As New IsolatedStorageFileStream(File_to_Create, FileMode.Create, isoStore)
Dim writer As New StreamWriter(oStream)
writer.WriteLine(file)
writer.Close()
MessageBox.Show("OK")
End If
Catch ex As Exception
MessageBox.Show(ex.Message)
Finally
'open selected file
Dim isoStream As IsolatedStorageFileStream
isoStream = New IsolatedStorageFileStream(File_to_Create, System.IO.FileMode.Open, System.IO.FileAccess.Read, isoStore)
Dim XML_File As XDocument = XDocument.Load(isoStream)
Dim Cart_Query As System.Collections.IEnumerable = From query In XML_File.Descendants("Carts") Order By _
CStr(query.Element("CART_NAME")) Descending, CStr(query.Element("CART_NAME"))
Select New Class_Cartridge_Data With {.Cart_Name = CStr(query.Element("CART_NAME")), _
.Cart_Color = CStr(query.Element("CART_COLOR"))}
Me.ListBox_Cartridges.ItemsSource = Cart_Query
isoStore.Dispose()
isoStream.Close()
End Try
--------------------------------------------------------------------------------------------
Code to ADD / EDIT XElement
Dim File_to_Create As String = "Tracks.xml"
Dim XML_IsolatedStorage = IsolatedStorageFile.GetUserStoreForApplication()
' Check that the file exists if not create it
If Not (XML_IsolatedStorage.FileExists(File_to_Create)) Then
Return
End If
Dim XML_StreamReader As New StreamReader(XML_IsolatedStorage.OpenFile(File_to_Create, FileMode.Open, FileAccess.Read))
Dim XML_Document As XDocument = XDocument.Parse(XML_StreamReader.ReadToEnd())
XML_StreamReader.Close()
' Update the element if it exist or create it if it doesn't
Dim XML_XElement As XElement = XML_Document.Descendants("Carts").Where(Function(c) c.Element("CART_NAME").Value.Equals("First")).FirstOrDefault()
If XML_XElement IsNot Nothing Then
XML_XElement.SetElementValue("CART_NAME", "Third")
Else
' Add new
Dim newProgress As New XElement("Cartridges", New XElement("CART_NAME", "Fourth"), New XElement("CART_COLOR", "Blue"))
Dim rootNode As XElement = XML_Document.Root
rootNode.Add(newProgress)
End If
Using XML_StreamWriter As New StreamWriter(XML_IsolatedStorage.OpenFile(File_to_Create, FileMode.Open, FileAccess.Write))
XML_StreamWriter.Write(XML_Document.ToString())
XML_StreamWriter.Close()
End Using
--------------------------------------------------------------------------------------------
Now my issue and request for some help!
If I use
XML_XElement.Remove
then the following exception is raised whenever I try to "refresh" the bounded ListBox
System.Xml.XmlException was unhandled
LineNumber=37
LinePosition=12
Message=Data at the root level is invalid. Line 37, position 12.
SourceUri=""
StackTrace:
at System.Xml.XmlTextReaderImpl.Throw(Exception e)
at System.Xml.XmlTextReaderImpl.Throw(Int32 res, String resString, String[] args)
at System.Xml.XmlTextReaderImpl.Throw(Int32 res, String resString)
at System.Xml.XmlTextReaderImpl.ParseRootLevelWhitespace()
at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
at System.Xml.XmlTextReaderImpl.Read()
at System.Xml.Linq.XContainer.ReadContentFrom(XmlReader r)
at System.Xml.Linq.XContainer.ReadContentFrom(XmlReader r, LoadOptions o)
at System.Xml.Linq.XDocument.Load(XmlReader reader, LoadOptions options)
at System.Xml.Linq.XDocument.Load(Stream stream, LoadOptions options)
at System.Xml.Linq.XDocument.Load(Stream stream)
at ListBox_Data_from_XML_LINQ.MainPage.Button_Create_XML_Click(Object sender, RoutedEventArgs e)
at System.Windows.Controls.Primitives.ButtonBase.OnClick()
at System.Windows.Controls.Button.OnClick()
at System.Windows.Controls.Primitives.ButtonBase.OnMouseLeftButtonUp(MouseButtonEventArgs e)
at System.Windows.Controls.Control.OnMouseLeftButtonUp(Control ctrl, EventArgs e)
at MS.Internal.JoltHelper.FireEvent(IntPtr unmanagedObj, IntPtr unmanagedObjArgs, Int32 argsTypeIndex, String eventName)
InnerException:
--------------------------------------------------------------------------------------------
In short, I can add or edit, but cannot DELETE an XElement...
Any ideas?
Thanks in advance!
Can you post the code you are using for XElement.Remove and use code tags so the formatting is right. Its the # button on the post toolbar.
Ren13B said:
Can you post the code you are using for XElement.Remove and use code tags so the formatting is right. Its the # button on the post toolbar.
Click to expand...
Click to collapse
Well, I did nothing special, just the XML_Element.remove, instead of adding a new xelement.
Then the error raises whenever I try to reopen the XML file.
My point is, how can I delete an specific xelement?
As far as I know, the following code should work
Code:
Dim XML_XElement As XElement = XML_Document.Descendants("Carts").Where(Function(c ) c.Element("CART_NAME").Value.Equals("First")).Firs tOrDefault()
If XML_XElement IsNot Nothing Then
XML_XElement.SetElementValue("CART_NAME", "Third")
Else
' remove the selected record
XML_XElement.Remove
End If
Honestly I don't know if the foregoing code is correct or if the issue is related to how WP7 handles the removal thus corrupting the original file.
Please let me know if you need anything else.
Any help is very appreciated!
PS: Thanks for the other replies, helped a lot!
Here's how I did it in c#. My xml file is very different than yours so the query will be different but the important parts are where you load and close the file streams and then write.
Code:
//Get users private store info
IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForApplication();
IsolatedStorageFileStream isoStream;
//open selected file
isoStream = new IsolatedStorageFileStream(list, System.IO.FileMode.Open, System.IO.FileAccess.Read, isoStore);
XDocument xml = XDocument.Load(isoStream);
isoStream.Close();
//Find section
XElement sectionElement = xml.Descendants("section").Where(c => c.Attribute("name").Value.Equals(groupn)).FirstOrDefault();
//Find item and remove it
sectionElement.Elements("setting").Where(c => c.Attribute("name").Value.Equals(litem)).FirstOrDefault().Remove();
isoStream.Close(); //Seems unnecessary but it's needed.
//Write xml file
isoStream = new IsolatedStorageFileStream(list, FileMode.Create, FileAccess.Write, isoStore);
xml.Save(isoStream);
isoStream.Close();
Thanks again for your help, greatly appreciated.
However I'm still getting the same error.
Sorry for asking, but are you getting any errors when deleting in WP7 ?
My knowledge on XML is extremely new and I'm sure that I'm making some mistakes somewhere...
But so far, I cannot get past the same exception.
Seems that the XML gots "corrupted" after the delete operation.
On the other hand, if is not too much to ask for, using my current code, how will handle the delete of the selected record?
Thanks!
I have no problem at all removing elements in c#. I don't have vb support even installed right now. If you think it's a bug you should post on the forums at http://forums.create.msdn.com/forums/98.aspx
Ren13B said:
I have no problem at all removing elements in c#. I don't have vb support even installed right now. If you think it's a bug you should post on the forums at http://forums.create.msdn.com/forums/98.aspx
Click to expand...
Click to collapse
Problem is my country is not listed so I cannot register...
Here is the C# version of my current code for adding/editing
Code:
public static void ADD_XML_Record()
{
string File_to_Create = "Tracks.xml";
var XML_IsolatedStorage = IsolatedStorageFile.GetUserStoreForApplication();
// Check that the file exists if not create it
if (! (XML_IsolatedStorage.FileExists(File_to_Create)))
{
return;
}
StreamReader XML_StreamReader = new StreamReader(XML_IsolatedStorage.OpenFile(File_to_Create, FileMode.Open, FileAccess.Read));
XDocument XML_Document = XDocument.Parse(XML_StreamReader.ReadToEnd());
XML_StreamReader.Close();
// Update the element if it exist or create it if it doesn't
XElement XML_XElement = XML_Document.Descendants("Carts").Where((c) => c.Element["CART_NAME"].Value.Equals("dd")).FirstOrDefault();
if (XML_XElement != null)
{
XML_XElement.SetElementValue("CART_NAME", "bbbbb");
}
else
{
// Add new
XElement newProgress = new XElement("Carts", new XElement("CART_NAME", "dd"), new XElement("CART_COLOR", "ff"));
XElement rootNode = XML_Document.Root;
rootNode.Add(newProgress);
}
using (StreamWriter XML_StreamWriter = new StreamWriter(XML_IsolatedStorage.OpenFile(File_to_Create, FileMode.Open, FileAccess.Write)))
{
XML_StreamWriter.Write(XML_Document.ToString());
XML_StreamWriter.Close();
}
}
I tried your code but I'm having a bad time making it to work.
If not a big deal, please could you tell me how to modify it ?
I mean, if a record is found, instead of editing, to remove it?
Honestly I'm stuck and any help is more than apprecisted!
Ren13B said:
I have no problem at all removing elements in c#. I don't have vb support even installed right now. If you think it's a bug you should post on the forums at http://forums.create.msdn.com/forums/98.aspx
Click to expand...
Click to collapse
Ren,
Just to say thank you for your last code. I made a little mod and now it works ok!
Thanks a lot for helping me out!
[2012/06/03] IMPORTANT UPDATE HERE
Hi hackers,
This is meant as a little update on one of the projects I've been working on. I'm kinda stuck now. I have a suspicion of what the problem is. I thought that maybe if I write a post about it, me or someone else will have an idea on how to get this working.
The goal is to run native homebrew executables on WP7
This has not been done yet. All apps are Silverlight apps that are compiled as DLL and run by Taskhost.exe with least privileges. All other executables are signed by Microsoft. Executables that are compiled as ARM executable cannot be started.
The angle is to create a certificate that allows to sign a WP7 executable. Then add that to the appropriate certificate store. Create an executable. Sign it with the private key. Load it onto a WP7 device. Copy it to the Windows folder. Use an OEM driver to launch the executable.
First I did research on the certificate stores. I can now with certainty state that there are 4 certificate stores:
- CA
- Root
- My
- Code Integrity
After a lot of research I finally got complete read/write access to all of these stores. The Code Integrity store contains all the certificates that are used by the Loader Verifier to verify the executable that is being launched. When the device is launched for the first time, the certificates that are in \Windows\ciroots.p7b are installed to that certificate store. These certificates have these properties:
Key Usage = 0x86 = Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
Entended Key Usage = Code Signing (1.3.6.1.5.5.7.3.3) + Unknown key usage (1.3.6.1.4.1.311.10.3.14)
So I used OpenSSL to create such an certificate (with private key) for myself. And I installed the certificate in the Code Integrity store.
I then used VS2008 to create a completely barebone executable (ARMv4 Console app with only Sleep(-1) in the Main). I signed it with SignTool from Microsoft.
I loaded the executable to my device and I copied it to the \Windows folder (I think the policies restrict executing to only from that folder, but I'm not sure about that).
I use the Samsung driver to launch the executable, because I need at least Standard Rights to launch an executable. The Samsung driver has Elevated Rights. My own app has only Least Privileges. Using the Samsung driver does not return any success or fail codes. But looking at the Running Processes list, I don't see my Test.exe running. It should be, because the main thread is put to sleep infinitely.
So why is this not working?
Well, I have a guess. I think it's the policies that bind the certificates in the Code Integrity store to the different accounts/chambers. In the \Windows folder there are a lot of policy xml-files. On fist boot, these are merged into PolicyCommit.xml and then compiled to policydb.vol. When the Loader Verifier (lvmod.dll) loads an executable, it queries the policies to determine access rights and chamber for that executable. The policies that matter in this context are defined in 8314B832-8D03-444f-9A2A-1EF6FADCC3B8.policy.xml. It's an xml-file that basically says this:
Code:
Microsoft Mobile Device Privileged PCA - ced778d7bb4cb41d26c40328cc9c0397926b4eea - not used in this context
Microsoft Mobile Device TCB PCA - 88bcaec267ef8b366c6e6215ac4028e7a1be2deb - honored by System Identity Group
Microsoft Mobile Device Unprivileged PCA - 1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a - honored by Standard Right Identity Group
Microsoft Mobile Device VSD PCA - 91b318116f8897d2860733fdf757b93345373574 - not used in this context
VeriSign Mobile Root Authority for Microsoft - 069dbcca9590d1b5ed7c73de65795348e58d4ae3 - honored by LPC Identity Group
I should find a way to add a policy with my certificate in it. Any ideas?
Ciao,
Heathcliff74
If you are able to re-sign an executable that is already in the ROM, i would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round which would be awesome.
regards
Flow WP7 said:
If you are able to re-sign an executable that is already in the ROM, i would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round which would be awesome.
regards
Click to expand...
Click to collapse
That's a good idea. I must say that I don't have much faith in the current RecMod tools for WP7 right now. I am able to get the binaries recmodded so that I can disassemble them correctly. But I don't think they can be easily launched. But there are executables that are on the rom as complete binaries, instead of rom-modules. To begin with, I have to select one that does not need much privileges to run and try to sign that one and then run it.
I'm really busy with work right now, so I think I won't be able to try it until the day after tomorrow. But I will try it and will let know how that went.
Thanks!
Decompiled taskhost.exe, so it gets more easy for us to see if its able to make taskhost to start another exe for us. Lots of code tho (C code).
taskhost.c (276 KB) in attachments.
edit: Oh, WOW, this really shows how to call those anonymous methods without call signature "Hello" (signature: "??z_Hello_?mze")
Hmm, pretty much about the pause part?
Code:
if ( v10 )
{
a7 = sub_178E7(v10);
if ( a7 >= 0 )
{
a7 = sub_180A5(v7, v7 + 64);
if ( a7 >= 0 )
{
a7 = ThemeInitialize(v7 + 136);
if ( a7 >= 0 )
{
v11 = sub_1862B(v13, v7);
EnableHostAutoDehydration(v11 == 3);
v16 = 0;
a7 = InitializeEmClientEx(&a2, 0, &v16);
if ( a7 >= 0 )
{
a7 = RegisterPausedHostCallback(sub_19D0D, 0);
if ( a7 >= 0 )
{
a7 = RegisterResumingHostCallback(sub_19D31, 0);
if ( a7 >= 0 )
{
if ( v11 != 3
|| (a7 = RegisterDehydrateHostCallback(sub_19D76, 0), a7 >= 0)
&& (a7 = RegisterFreezeHostCallback(sub_19D97, 0), a7 >= 0) )
{
a7 = RegisterExitHostCallback(sub_19D55, 0);
if ( a7 >= 0 )
a7 = sub_17C0A(*(_DWORD *)(v7 + 128), 0);
}
}
}
}
}
}
}
}
UIX framework entry-point (exe)
Code:
int __cdecl sub_11114(int a1, int a2, int a3)
{
int v4; // [sp+0h] [bp-38h]@1
char Dst; // [sp+4h] [bp-34h]@1
int v6; // [sp+8h] [bp-30h]@1
int v7; // [sp+Ch] [bp-2Ch]@1
int v8; // [sp+18h] [bp-20h]@1
int v9; // [sp+28h] [bp-10h]@1
v4 = 0;
memset(&Dst, 0, 0x34u);
v8 = a3;
v6 = (int)L"res://FlightModeUXDLL!FlightMode.uix";
v7 = (int)L"FMMain";
v9 = 2;
RunApplication(&v4);
return dword_12034;
}
C++ converted
Code:
UIXApplicationInfo app;
app { ... }
RunApplication(&app);
struct UIXApplicationInfo
{
int UNK_v4 = 0;
char Dst = {0};
char* uixFile;
char* uixEntryPoint;
int UNK_v8;
int UNK_v9 = 2;
}
Then just figure out the UIX part (or test the existing "res://FlightModeUXDLL!FlightMode.uix" if it launches, if so, we made it).
___
Found this in mango dump:
> Uninstall provxml
Code:
<!-- Uninstall Xbox LIVE Extras App -->
<characteristic type="AppInstall">
<nocharacteristic type="{0c17d153-b5d5-df11-a844-00237de2db9e}"/>
</characteristic>
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
athompson said:
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
Click to expand...
Click to collapse
Hello "co-founder of native code on WP7"
I'm fully aware of the possibility of native code through COM. I use it for example in the WP7 Root Tools. But I just wanted to take it a step further. Running native executables give a lot more freedom. Not being bound to the watchdog, getting higher privileges and running in the background for instance. But there's a whole lot more. So that's why I started research on it. Thanks anyway. You helped making native code possible on WP7.
Ciao,
Heathcliff74
The taskhost.exe is our RAM, because our app run in it, giving us full RAM access inside our "viritual ram". So that means we own all strings, int, floats etc. Then rewrite the ram to change strings in mscorlib. The checksum if an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.
My purpose with this is that some function's call external apps, where we rewrite the args going in to the function. Just find an exploitable function and modify it after JIT has been there one before generating the pre ram, that we modify and call yet again but with the modified ram values behind.
Marshal.Copy, my friends, there.
[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
fiinix said:
The taskhost.exe is our RAM, because our app run in it, giving us full RAM access inside our "viritual ram". So that means we own all strings, int, floats etc. Then rewrite the ram to change strings in mscorlib. The checksum if an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.
My purpose with this is that some function's call external apps, where we rewrite the args going in to the function. Just find an exploitable function and modify it after JIT has been there one before generating the pre ram, that we modify and call yet again but with the modified ram values behind.
Marshal.Copy, my friends, there.
[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
Click to expand...
Click to collapse
Hmmm. 10 Points for inventiveness But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
Sent from my OMNIA7 using XDA Windows Phone 7 App
Heathcliff74 said:
Hmmm. 10 Points for inventiveness But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
Sent from my OMNIA7 using XDA Windows Phone 7 App
Click to expand...
Click to collapse
"And you will still run under TaskHost with Least Privileges"
I know, i dont need standard rights to do it. Because i call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.
[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
string mscorlibStr = "you cant change my value ";
Debug.WriteLine(mscorlibStr + str);
}
This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.
fiinix said:
"And you will still run under TaskHost with Least Privileges"
I know, i dont need standard rights to do it. Because i call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.
[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
string mscorlibStr = "you cant change my value ";
Debug.WriteLine(mscorlibStr + str);
}
This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.
Click to expand...
Click to collapse
I really hate to break it for you. But the [SecuritySafeCritical] is indeed trusted code, but it will still check your privileges. All the API functions that do system modifications like that, do the security checks. Read the note under SecuritySafeCriticalAttribute here. Also read this; same problem. You are in process TaskHost.exe and it is launched in LPC (Least Privilege Chamber), so every CeImpersonateToken() to do the important stuff will fail and return an error code. I also wouldn't know how you would modify the stack-frame of a function that you call. Seems impossible to me, because at the moment you call the function, that stack-frame has not been allocated yet.
Anyway, although I don't think that is going to work in any way, I absolutely don't want to discourage you, because my experience is that when you try enough, sooner or later you will find an exploit
Ciao,
Heathcliff74
Currently installing "Windows Embeded Compact 7", because this lousy ARMv4 compiler (from WM5-6) maybe generates wrong ARM op-codes (WP7 runs ARMv7), therefore it says "Invalid program signature" (or what error it was).
Maybe ARMv7 is'nt even backwards compatibility with ARMv4.
By compiling with the ARMv7 compiler from WEM7, it will probably (hope) generate a valid exe.
Thats it..
edit:
*Research
"Armv7 is the processor instruction set used starting with the S5L8920 in the iPhone 3GS and in all subsequent devices. Processors that support Armv7 instructions are backward compatible with Armv6 instructions, but attempting to run binaries compiled for Arm7 on older, Armv6 processors will result in the error: "Bad CPU type in executable"."
Source: http://theiphonewiki.com/wiki/index.php?title=Armv7
___
"As I said in the past, the ARMv6 CTR was kept backwards compatible with
> > > earlier versions of the ARM architecture (and ARM tried to keep it like
> > > this as much as possible). With ARMv7, you have multiple levels of cache
> > > and different types (e.g. ASID-tagged VIVT I-cache). There is no way you
> > > could encode the useful information while keeping the same (and only)
> > > register, hence the the need for a new register."
Source: http://www.spinics.net/lists/arm-kernel/msg58813.html
As i see this (^), all ARMv > 6 == no backwards
ARMv6 had backwards to 4
ARMv7 >> ARMv6 compatibility, not more.
_
Problem officer even running ARMv4???
>On a non ARMv4 backwards compatibility CPU.
Profit!!
__
[ExeX.exe] (the one that i recompiled to a state: "this has to work")(ARMv4)
Decompilation:
Code:
; Attributes: bp-based frame
EXPORT start
start
var_20= -0x20
oldR4= -0x1C
oldR5= -0x18
oldR6= -0x14
oldR7= -0x10
oldR11= -0xC
oldSP= -8
oldLR= -4
MOV R12, SP
STMFD SP!, {R4-R7,R11,R12,LR}
ADD R11, SP, #0x1C
SUB SP, SP, #4
MOV R4, R3
MOV R5, R2
MOV R6, R1
MOV R7, R0
.
Next up, decompile a ARMv7 from a raw device. (how, someone has one)
fiinix said:
Next up, decompile a ARMv7 from a raw device. (how, someone has one)
Click to expand...
Click to collapse
I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?
athompson said:
I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?
Click to expand...
Click to collapse
IDA Pro, yes. Ill see if i can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.
fiinix said:
IDA Pro, yes. Ill see if i can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.
Click to expand...
Click to collapse
First use Andim's WP7 Rom Tools to extract the rommodules. Remember to always dump a folder, not a single file.
Then use Denomitor's version of Recmod and follow the instructions in the post. That works most of the time.
Going forward
Currently building the WP7 ARMv7 commandline, getting closer.
Current cmd (not working, no need to help):
Code:
"C:\WINCE700\sdk\bin\i386\arm\cl.exe" /Od /D "_DEBUG" /D "_WIN32_WCE=0x700" /D "UNDER_CE" /D "ZUNE_HD" /D "WINCE" /D "DEBUG" /D "_WINDOWS" /D "ARM" /D "_ARM_" /D "_UNICODE" /D "UNICODE" /D "_CRT_SECURE_NO_WARNINGS" /Gm /EHsc /MTd /Gy /fp:fast /GR- /Fo"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/" /Fd"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/vc80.pdb" /W3 /c /Zi /TP /QRfpe- /QRarch7 "C:\Users\Steven VM\Desktop\ARMv7\main.cpp"
/QRarch7 is the ARMv7.
edit:
HOORRY SHEEAT
generated:
> main.obj
> vc80.idb
> vc80.pdb
, feels soo good:
main.exe is there.
IDA Pro says "ARM AND THUMB MODE SWITCH INSTRUCTIONS", just like others.
Code:
; Input MD5 : B50E8D8395DE7CA2419464DC3CE0BC74
; File Name : C:\Users\Steven\Desktop\burn\main.exe
; Format : Portable executable for ARMI (PE)
; Imagebase : 10000
; Section 1. (virtual address 00001000)
; Virtual size : 00000018 ( 24.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment : default
; Processor : ARM
; Target assembler: Generic assembler for ARM
; Byte sex : Little endian
; Segment type: Pure code
AREA .text, CODE, READWRITE, ALIGN=4
; ORG 0x11000
CODE32
EXPORT start
start
var_4= -4
SUB SP, SP, #4
MOV R3, #1
STR R3, [SP,#4+var_4]
LDR R0, [SP,#4+var_4]
ADD SP, SP, #4
BX LR
; End of function start
Made an empty entry point as from above ^:
Code:
int wWinMainCRTStartup()
{
return 1;
}
PE Explorer (main.exe):
Machine: THUMB
Operating System Version: 7.0
Image Version: 7.0
Subsystem Version: 7.0
Subsystem: WinCE GUI
**** so CLOSE!
Successful copied "main.exe" and "ExeX.exe" to "\Windows", where i have the right to launch them remotely.
Method:
WP7Process p = device.LaunchEXE(@"main.exe", "");
main.exe (no signing, ARMv7):
System.UnauthorizedAccessException: Access is denied.
WP7Process p = device.LaunchEXE(@"ExeX.exe", "");
ExeX.exe (signed with CA/ROOT custom, ARMv4):
System.Runtime.InteropServices.COMException (0x800704EC): This program is blocked by group policy. For more information, contact your system administrator.
There IS different things going on! Something is missing, but what
edit:
Signed main.exe with custom XDA ROOT certificate (ARMv7):
signtool.exe sign /sha1 "[CertChomp]" "main.exe"
> Now main.exe also gets "This program is blocked by group policy. For more information, contact your system administrator."
Ill see if i can add it to startup list , if it boot from there.
edit 2:
Nope gonna hijack "fieldtestapp.exe" with my app because policy says:
Risky-mode.Activate();
Backup(fieldtestapp.exe, backupPath);
Copy(main.exe, > fieldtestapp.exe);
"LOADERVERIFIER_ROUTE_BY_NAME"
"LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT"
<Rule Description="Route fieldtestapp.exe" ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
<Authorize>
<Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
</Authorize>
</Rule>
<Rule Description="Authorize fieldtestapp.exe be loadable to $(FIELDTESTAPP_EXE_SID) and chambers" ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
<Authorize>
<Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
</Authorize>
</Rule>
edit 3:
Seems like "fieldtestapp.exe" is ROM locked. Need to try out some other targets.
edit 4:
Target acquired "ProximitySensorDisable.exe" > "ProximitySensorDisableBackup.exe"
Successful copy == no ROM lock.
edit 5:
There exists two types of talking to the LoadVerifier (the: This program is blocked by group policy.):
Direct exe name OR special certificate
How we do:
> Direct exe (hijack exe)
How we cant do (SHA1) (Nope, ain't gonna happen):
> We certainly dont have Microsofts certificate so this way is a nodo, haha lol, no do way.
(1: direct exe name) /LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE
(2: static/pre certificates) /LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574
edit 6:
Yep, loads of edits, just for you.
Allowed exe's to run (sorted a-z) (direct exe) (pre cert removed):
Code:
ACCESSIBILITYCPL.EXE
ACCOUNTSMANAGER.EXE
ALARMS.EXE
APPCHECKERSHIM.EXE
APPPREINSTALLER.EXE
AUTODATACONFIG.EXE
AUTOSIM.EXE
AUTOTIMEUPDATE.EXE
BRIGHTNESSCPL.EXE
BTUXCPL.EXE
CALENDARAPP.EXE
CALLSETTINGSHOST.EXE
CALNOT.EXE
CALUPD.EXE
CAM_FW_UPDATE_UI.EXE
CELLUXCPL.EXE
CERTINSTALLER.EXE
CFGHOST.EXE
CFLAUNCHER.EXE
CHDIALERHOST.EXE
CIPHASE2.EXE
CLIENTSHUTDOWN3.EXE
CLOCKNOT.EXE
CMACCEPT3.EXE
COLDINIT.EXE
COMMSVC.EXE
COMPOSITOR.EXE
CONFIGDM.EXE
CONFIGXML.EXE
CONMANCLIENT3.EXE
CONTACTS.EXE
CPROG.EXE
DATETIMECPL.EXE
DCVSSWITCH.EXE
DEPOTCOPY.EXE
DEVICEFEEDBACKCPL.EXE
DEVICEREG.EXE
DIAGPORTCHANGETEST.EXE
DLLHOST.EXE
DMSCHEDULERCALLBACK.EXE
DMSRV.EXE
DMSTOOLS.EXE
DUACLIENT.EXE
DW.EXE
EDM3.EXE
EMAIL.EXE
EMAILSETUP.EXE
ENDPOINT.EXE
FCROUTERCMDTEST.EXE
FIELDTESTAPP.EXE
FLIGHTMODE.EXE
GAMESUX.EXE
IEXPLORE.EXE
INITIATEDMSESSION.EXE
INVALIDLICENSEUXLAUNCHER.EXE
KEYBOARDCPL.EXE
LASSCREDENTIALEXPIRATIONCHECK.EXE
LASSRESTARTER.EXE
LIVETOKEN.EXE
LOCKCPL.EXE
LOOPBACKTEST.EXE
MEDIAGROVEL.EXE
MEUX.EXE
MITSMAN.EXE
MMSPRPROXY.EXE
MMSTRANSHOST.EXE
MULTIMEDIALAUNCHER.EXE
MYPHONECPL.EXE
MYPHONETASKSRUNTIME.EXE
NATIVEINSTALLERHOST.EXE
OFFICEURL.EXE
OMADMCLIENT.EXE
OMADMPRC.EXE
OMHUB.EXE
ONBOOTSQM.EXE
ONENOTEMOBILE.EXE
OOBE.EXE
PACMANINSTALLER.EXE
PHOTOENT.EXE
PHOTOENTCAPTURE.EXE
PHOTOUPLOADER.EXE
PPT.EXE
PWORD.EXE
PWRLOGCTRL.EXE
PXL.EXE
RAPICONFIG.EXE
REGIONCPL.EXE
RMACTIVATE.EXE
SAPISVR.EXE
SECSIMTKIT.EXE
SERVICESD.EXE
SERVICESSTART.EXE
SETTELEPORTMODE.EXE
SETTINGS3.EXE
SHORTMSG.EXE
SICLNT.EXE
SIGNALEVENT.EXE
SIREPSERVERAPPDEV.EXE
SMSETTINGS.EXE
SMSTRANSPORT.EXE
SOUNDCPL.EXE
SPEECHCPL.EXE
SPMC.EXE
SQMEVENT.EXE
SSUPDATE.EXE
TASKHOST.EXE
TELSHELL.EXE
TESTSHOW.EXE
THEMECPL.EXE
TOGGLEBROWSERHIBERNATION.EXE
TOGGLEDOG.EXE
UDEVICE.EXE
UIF.EXE
UNIFIEDPAIR.EXE
USBMGR.EXE
WEBSEARCH.EXE
WIFIUXSPLASH.EXE
WLANEXT.EXE
WLIDSETUP.EXE
WWANDATAMGR.EXE
XDRMREMOTESERV.EXE
ZIPVIEW.EXE
ZMFTASKLAUNCH.EXE
How code (yes i know its super un-optimized, fast put together):
Code:
var doc = XDocument.Load(File.OpenRead("SamsungOmnia7_BasePolicy_webserver.xml"));
var ea = doc.Elements().ToArray()[0].Elements()
.Where(x => x.Name.LocalName == "Rule")
.Where(x => x.Attributes("ResourceIri").Count() > 0)
.Where(x =>
{
var r = x.Attribute("ResourceIri").Value;
return r.Contains("LOADERVERIFIER") && r.ToLower().Contains(".exe") && !r.Contains("CERTIFICATES");
})
.Select(x =>
{
var v = x.Attribute("ResourceIri").Value;
var l = v.LastIndexOf('/');
return v.Substring(l + 1);
})
.Distinct()
.OrderBy(x => x)
.ToArray();
edit 7:
yeah, lol i say too.
Unprotected exe (FCRouterCmdTest.exe)
> c:\Project Work\SGH-i707(Cetus)\FCRouterCmdTest\Windows Mobile 6 Professional SDK (ARMV4I)\Release\FCRouterCmdTest.pdb
mfw samsung use "Windows Mobile 6 Professional SDK (ARMV4I)"
Wow, this truly was a big step today
Done hacking today.
"After a day, there comes another day"
@fiinix,
You did a lot of testing. Good job, man.
A few comments:
0x800704ec "blocked by group policy" is THE error of the new WP7 security model. It is basically telling you to go f*ck yourself. Everything you do without enough privileges or capabilities results in this error.
The two ways of policies, exe-path and cert-hash, is result of difference between rom-modules and executables that are signed and added as a file. Rom-modules are not even normal files. You can't open and read them. They are executable sections that are mapped in rom-address-space. You can only call loadlibrary() and createprocess() on them. Since they are only executable sections, they don't have a signature, like a normal executable file would have. Therefore they are referred to with an exe-path. You may safely assume that every path to an executable in the policy files is referring to a rom-module and can't be overwritten in any way (except by cooking your own rom - who is going to unlock our bootloaders?!?) Other than that, there are a few signing certs that Microsoft has. Signing the different executables with different privileges and accordingly a different cert. Their hashes are in the policies.
Using ARMv7 isn't going to add much I'm afraid. Although it may make a difference in the exe-header. But you've seen tools that were really old, remember And they were signed to have TCB access. And they were compiled for ARMv4. So it should not make much difference.
I did some testing with certificates myself yesterday. Up until Zune totally went bezerk on it. I don't know what happened, but after removing my own cooked certs it all seems normal again. Zune started using 100% cpu on verifying certs and dropping my connection all the time. Help! So I haven't made much progress. I will try again later. Hope it will go better. And I will try to resign an existing executable, as Flow WP7 suggested.
According to policy on my omnia (webserver dumped) there seems to exist two typed of HDD, one ROM hard coded and one that points to internal sd card. It seems that all exe and dll on the sd are not "protected" and therefore can be hijacked.
Seems like ARMv4 will be enough, but to be on the safe side i compile with both, to have more chance getting it work.
Zune, hmm, did not seem to like you, maybe Microsoft DDOS'ed you lol
"Sent from my fingers on my phone", don't expect way too long text
XxXPachaXxX said:
Excuse my ignorance...I'm a noob...This hack may also work on LG devices?
Click to expand...
Click to collapse
At the moment fiinix and I are both working on Samsungs and we use a couple of Samsung-specific exploit to get deeper in the system and getting a better understanding of the system. The ultimate goal is to find exploits that will work for all devices. But we're not at that stage yet. Hacking is research, a lot of trying and being lucky sometimes. Just bear with us
Ciao,
Heathcliff74
Hello all, Sorry for the dumb question but i'm pretty new to VB.Net CF.
I'm working on a little program that exports settings from the registry and then writes to the SD card for XDA_UC to import when a new rom installed. I'm currently struggling with the error checking code. I want it to be able to tell if there was an issue updating an already existing file with new settings but i can't seem to find a way to do it. I have managed to get it to check the file was written but this only works the first time. After that it always reports a success if the file is present in the expected location.
I've pated what i have below. I appreciate all and any thoughts you may have.
Code:
[SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]Private[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]Sub[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] BTIdent_Click([/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]ByVal[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] sender [/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]As[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] System.Object, [/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]ByVal[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] e [/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]As[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] System.EventArgs) [/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]Handles[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] BTIdent.Click[/SIZE]
[SIZE=2][COLOR=#008000][SIZE=2][COLOR=#008000]'Setup The variables so we can have them ready to write the .reg file[/COLOR][/SIZE]
[/COLOR][/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]Dim[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] BTIdentity [/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]As[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]String[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] = Registry.GetValue([/SIZE][SIZE=2][COLOR=#a31515][SIZE=2][COLOR=#a31515]"HKEY_LOCAL_MACHINE\Software\WIDCOMM\BTConfig\General"[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2], [/SIZE][SIZE=2][COLOR=#a31515][SIZE=2][COLOR=#a31515]"DeviceName"[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2], 0)[/SIZE]
[SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]Dim[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] sw [/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]As[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] IO.StreamWriter = IO.File.CreateText([/SIZE][SIZE=2][COLOR=#a31515][SIZE=2][COLOR=#a31515]"\Storage Card\BT_Ident.reg"[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2])[/SIZE]
[SIZE=2][COLOR=#008000][SIZE=2][COLOR=#008000]'Format and then write the reg file to disk[/COLOR][/SIZE]
[/COLOR][/SIZE][SIZE=2]sw.WriteLine([/SIZE][SIZE=2][COLOR=#a31515][SIZE=2][COLOR=#a31515]"Windows Registry Editor Version 5.00"[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2])[/SIZE]
[SIZE=2]sw.WriteLine()[/SIZE]
[SIZE=2]sw.WriteLine([/SIZE][SIZE=2][COLOR=#a31515][SIZE=2][COLOR=#a31515]"[HKEY_LOCAL_MACHINE\Software\WIDCOMM\BTConfig\General]"[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2])[/SIZE]
[SIZE=2]sw.WriteLine([/SIZE][SIZE=2][COLOR=#a31515][SIZE=2][COLOR=#a31515]"""DeviceName""="""[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] + BTIdentity.ToString + [/SIZE][SIZE=2][COLOR=#a31515][SIZE=2][COLOR=#a31515]""""[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2])[/SIZE]
[SIZE=2]sw.Flush()[/SIZE]
[SIZE=2]sw.Close()[/SIZE]
[SIZE=2][COLOR=#008000][SIZE=2][COLOR=#008000]'Check that the file wrote successfully (this needs work becuase it will always report "operation successful" once the file has been written once[/COLOR][/SIZE]
[/COLOR][/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]If[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] File.Exists([/SIZE][SIZE=2][COLOR=#a31515][SIZE=2][COLOR=#a31515]"\Storage Card\XDA_UC\BT_Ident.reg"[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2]) [/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]Then[/COLOR][/SIZE]
[/COLOR][/SIZE][SIZE=2]MessageBox.Show([/SIZE][SIZE=2][COLOR=#a31515][SIZE=2][COLOR=#a31515]"Operation Complete."[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2])[/SIZE]
[SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]Else[/COLOR][/SIZE]
[/COLOR][/SIZE][SIZE=2]MessageBox.Show([/SIZE][SIZE=2][COLOR=#a31515][SIZE=2][COLOR=#a31515]"Operation Failed."[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2])[/SIZE]
[SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]End[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]If[/COLOR][/SIZE]
[/COLOR][/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]End[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]Sub[/COLOR][/SIZE][/COLOR][/SIZE]
[/COLOR][/SIZE][/COLOR][/SIZE]
You could use FileSystemInfo properties of the file to make sure it was actually updated.
Code:
Dim fsi As FileSystemInfo = New FileInfo("\Storage Card\XDA_UC\BT_Ident.reg")
This will reveal the FileSystemInfo properties of the file, as defined here:
http://msdn.microsoft.com/en-us/library/system.io.filesysteminfo_members(v=VS.71).aspx
LastWriteTime is the last time the file was written to. If it wasn't within the last few seconds then the update has failed.
I've got to a point in my project where i actually need to look at doing this so thanks for taking the time to post.
this i what i've come up with so far
Code:
[SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]If [/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2]File.Exists([/SIZE][SIZE=2][COLOR=#a31515][SIZE=2][COLOR=#a31515]"\Storage Card\XDA_UC\VolumeTest.reg"[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2]) [/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]Then[/COLOR][/SIZE]
[/COLOR][/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]Dim[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] fsi [/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]As[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] FileSystemInfo = [/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]New[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] FileInfo([/SIZE][SIZE=2][COLOR=#a31515][SIZE=2][COLOR=#a31515]"\Storage Card\XDA_UC\volumetest.reg"[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2])[/SIZE]
[SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]If[/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2] fsi.LastWriteTime = DateAndTime.Now [/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]Then[/COLOR][/SIZE]
[/COLOR][/SIZE][SIZE=2]OpComplete()[/SIZE]
[SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]Else[/COLOR][/SIZE]
[/COLOR][/SIZE][SIZE=2]OpFailed()[/SIZE]
[SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]End [/COLOR][/SIZE][/COLOR][/SIZE][SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]If[/COLOR][/SIZE][/COLOR][/SIZE]
[SIZE=2][COLOR=#0000ff][SIZE=2][COLOR=#0000ff]End If[/COLOR][/SIZE][/COLOR][/SIZE]
It should work but i would like to say dateandtime.now +/- say 5 seconds and i'm having trouble figuring that part out.
Any ideas?
This should do the trick.....
Code:
Dim Seconds5 As New TimeSpan(0,0,5)
If File.Exists("\Storage Card\XDA_UC\VolumeTest.reg") Then
Dim fsi As FileSystemInfo = New FileInfo("\Storage Card\XDA_UC\volumetest.reg")
If (DateAndTime.Now - fsi.LastWriteTime) < Seconds5 Then
OpComplete()
Else
OpFailed()
End If
End If
Alternatively, drop line 1 and put it straight into the compare, as that what the compiler will do anyway, when you switch it to a 'Release' build.
Code:
If File.Exists("\Storage Card\XDA_UC\VolumeTest.reg") Then
Dim fsi As FileSystemInfo = New FileInfo("\Storage Card\XDA_UC\volumetest.reg")
If (DateAndTime.Now - fsi.LastWriteTime) < New TimeSpan(0,0,5) Then
OpComplete()
Else
OpFailed()
End If
End If
Cool, thanks. I really do appreciate you taking the time to help.
Sup..
So did some quick playing around today, trying to figure out where installed applications and their data is stored. Well, it didn't really take long, as I found \Application Data\Microsoft\PackageManager, containing pacman.edb and pacman.edb (as well as matching .snt files with 0 bytes).
If you're not already aware, the package manager stores the manifest data in it, which means any changes to the manifest do not take place unless the application is reinstalled, in which the package manager updates the database.
By manipulating this data, a lot of really neat things can happen. To my current knowledge, this includes:
-Hiding applications from the start list
-Enabling applications to resume on launch, rather than "replace" the previous entity
-Change icons, name, etc
-Manipulate application Tasks
-Better understand how the DRM and capabilities work
-etc etc
So here's what I know so far, and here's where I'm stuck. I have pacman.edb and pacman2.edb. The first file contains mostly system info, stuff I don't really recognize. The second file contains all the applications on the device, both system and user installed. This also lists all their tokens, capabilities, modes, flags, etc. But here's the issue: These files use some variation of CEDB, the Windows CE version of the EDB format.
Reading EDB is enough of a pain already, because not a lot of information is available on it. There are *some* CEDB tools out there, but they all seem to rely on old (WM2003) formats.
If I was good at reading bytes and figuring this kind of stuff out, I'd get to work, but that's never been my forté. If anyone has some useful info, knowledge I'm missing, or is really good with reading hex dumps, do share
Attached are the two files from my device. I realize they probably contain a great deal of info, but for the sake of trying to crack open this mess, I figured the embarrassment of publicly announcing that I have "Brostache" installed was well worth the potential benefits
Any info, pointers, etc, will be much appreciated by Windows Phone users alike, if we can get this figured out
Wow, lots of potential here. Among other things, I suspect that the interop-locked behavior is determined by a setting in here somewhere (after all, OEM apps with ID_CAP_INTEROPSERVICES work just fine even on an interop-locked Mango phone).
This also might allow the creation of custom "hubs" of apps, or at the very least the ability to invoke other apps from within an app (already possible with built-in apps but not yet with third-party).
GoodDayToDie said:
This also might allow the creation of custom "hubs" of apps, or at the very least the ability to invoke other apps from within an app (already possible with built-in apps but not yet with third-party).
Click to expand...
Click to collapse
That's been possible since.. June? May? Just use fiinix's DllImport library and execute the GUID. It's what my folders application uses.
I stand corrected, then. I've seen several apps that can invoke built-in apps but none that could invoke third-party.
Just providing with some information.
You are probably searching for those dll's:
- \SYS\CommsPlatform\unistore.dll
Code:
Resource data (not dll exports):
EDB_ReadRecordPropsWithPrimaryId
EDB_CeWriteRecordProps
EDB_CeReadRecordPropsEx
EDB_SeekAndReadRecordProps
EDB_CeDeleteRecord
EDB_CeOpenStream
-\SYS\CoreOS\coredll.dll
Code:
HANDLE CeOpenDatabase(PCEOID poid, LPWSTR lpszName, CEPROPID propid, DWORD dwFlags, HWND hwndNotify)
HANDLE CeOpenDatabaseEx(PCEGUID pguid, PCEOID poid, LPWSTR lpszName, CEPROPID propid, DWORD dwFlags, CENOTIFYREQUEST *pReq)
HANDLE CeOpenDatabaseEx2(PCEGUID pguid, PCEOID poid, LPWSTR lpszName, SORTORDERSPECEX *pSort, DWORD dwFlags, CENOTIFYREQUEST *pReq)
BOOL CeMountDBVol(PCEGUID pguid, LPWSTR lpszVol, DWORD dwFlags)
BOOL CeUnmountDBVol(PCEGUID pguid)
BOOL CeDeleteRecord(HANDLE hDatabase, CEOID oidRecord)
HANDLE CeFindFirstDatabaseEx(PCEGUID pguid, DWORD dwClassID)
BOOL CeGetDBInformationByHandle(HANDLE hDbase, LPBY_HANDLE_DB_INFORMATION lpDBInfo)
- CeOpenDatabase
fiinix said:
Just providing with some information.
You are probably searching for those dll's:
- \SYS\CommsPlatform\unistore.dll
Code:
Resource data (not dll exports):
EDB_ReadRecordPropsWithPrimaryId
EDB_CeWriteRecordProps
EDB_CeReadRecordPropsEx
EDB_SeekAndReadRecordProps
EDB_CeDeleteRecord
EDB_CeOpenStream
-\SYS\CoreOS\coredll.dll
Code:
HANDLE CeOpenDatabase(PCEOID poid, LPWSTR lpszName, CEPROPID propid, DWORD dwFlags, HWND hwndNotify)
HANDLE CeOpenDatabaseEx(PCEGUID pguid, PCEOID poid, LPWSTR lpszName, CEPROPID propid, DWORD dwFlags, CENOTIFYREQUEST *pReq)
HANDLE CeOpenDatabaseEx2(PCEGUID pguid, PCEOID poid, LPWSTR lpszName, SORTORDERSPECEX *pSort, DWORD dwFlags, CENOTIFYREQUEST *pReq)
BOOL CeMountDBVol(PCEGUID pguid, LPWSTR lpszVol, DWORD dwFlags)
BOOL CeUnmountDBVol(PCEGUID pguid)
BOOL CeDeleteRecord(HANDLE hDatabase, CEOID oidRecord)
HANDLE CeFindFirstDatabaseEx(PCEGUID pguid, DWORD dwClassID)
BOOL CeGetDBInformationByHandle(HANDLE hDbase, LPBY_HANDLE_DB_INFORMATION lpDBInfo)
- CeOpenDatabase
Click to expand...
Click to collapse
Ah, nice find! Any chance of running these DLLs on my desktop? I know the emulator is x86, but not sure about how marshal calls would work on an emulator module..
GoodDayToDie said:
I stand corrected, then. I've seen several apps that can invoke built-in apps but none that could invoke third-party.
Click to expand...
Click to collapse
Phone.Search.SearchFor("OMG how is this even possible :O");
-- Phone.AppLauncher.LaunchBuiltInApplication(AppLauncher.Apps.SearchHome, "SearchResults?QueryString=" + value);
---- LaunchApplication(GuidFromApp(app), value);
------ internalLaunch(guid, task);
[
var args = string.Format("app://{0}/{1}", guid.ToString("D").ToUpper(), task ?? "");
var re = DllImportCaller.lib.StringCall("aygshell", "SHLaunchSessionByUri", args);
]
The glorious "SHLaunchSessionByUri" allows us to start anything with any application guid.
Phone.AppLauncher.LaunchApplication("{8dc5214e-88fa-4c2d-a379-2cd74fe24b72}", "_default");
- To start DllImport Project from within DllImport Project
---------- Post added at 02:17 PM ---------- Previous post was at 02:08 PM ----------
Jaxbot said:
Ah, nice find! Any chance of running these DLLs on my desktop? I know the emulator is x86, but not sure about how marshal calls would work on an emulator module..
Click to expand...
Click to collapse
http://www.koders.com/csharp/fid0E5D18C95EDCC856BA4CB706535EC9933250BD56.aspx?s=usb
Code:
[PreserveSig]
IntPtr CeOpenDatabaseEx(
ref Guid pceguid,
ref int poid,
[In, MarshalAs(UnmanagedType.LPWStr)] string lpszName,
int propid,
[In] int dwFlags,
ref IntPtr /*CENOTIFYREQUEST*/ pReq);
This is the C# signature.
To be able to execute it, a c++ COM+ must make the call due c# cant do it alone.
fiinix said:
Phone.Search.SearchFor("OMG how is this even possible :O");
-- Phone.AppLauncher.LaunchBuiltInApplication(AppLauncher.Apps.SearchHome, "SearchResults?QueryString=" + value);
---- LaunchApplication(GuidFromApp(app), value);
------ internalLaunch(guid, task);
[
var args = string.Format("app://{0}/{1}", guid.ToString("D").ToUpper(), task ?? "");
var re = DllImportCaller.lib.StringCall("aygshell", "SHLaunchSessionByUri", args);
]
The glorious "SHLaunchSessionByUri" allows us to start anything with any application guid.
Phone.AppLauncher.LaunchApplication("{8dc5214e-88fa-4c2d-a379-2cd74fe24b72}", "_default");
- To start DllImport Project from within DllImport Project
---------- Post added at 02:17 PM ---------- Previous post was at 02:08 PM ----------
http://www.koders.com/csharp/fid0E5D18C95EDCC856BA4CB706535EC9933250BD56.aspx?s=usb
Code:
[PreserveSig]
IntPtr CeOpenDatabaseEx(
ref Guid pceguid,
ref int poid,
[In, MarshalAs(UnmanagedType.LPWStr)] string lpszName,
int propid,
[In] int dwFlags,
ref IntPtr /*CENOTIFYREQUEST*/ pReq);
This is the C# signature.
To be able to execute it, a c++ COM+ must make the call due c# cant do it alone.
Click to expand...
Click to collapse
Not even C# on my desktop, eh? hmm...
Jaxbot said:
Not even C# on my desktop, eh? hmm...
Click to expand...
Click to collapse
Heh, NOPE, needs and can only be executed from WP7
fiinix said:
Heh, NOPE, needs and can only be executed from WP7
Click to expand...
Click to collapse
Well, at least direct support suddenly became less of an issue =p But, won't we need higher privileges to go snooping around system databases?
Direct edit [blocked, umad?].
Edit on external placed EDB [ok]
<Macro Id="ELEVATED_RIGHTS_RESOURCE_GROUP_NAME" Description="Elevated Rights Resource Group SID" Value="S-1-5-112-0-0X14" />
You will need "Elevated Rights" to edit the file (when located @ /PACKAGEMANAGER/*)
- Editing from /Applications/Install/{GUID}/Install/ (you are OK)
- (Solution) Edit => override system file (maybe possible?)
"PACMAN.EDB" block policy
Code:
<Rule PriorityCategoryId="PRIORITY_HIGH" ResourceIri="/FILESYS/PRIMARY/APPLICATION%20DATA/MICROSOFT/PACKAGEMANAGER/PACMAN.EDB" SpeakerAccountId="S-1-5-112-0-0-1" Description="Allow all in Standard Rights Chamber to access the Package Manager database ">
<Authorize>
<Match AccountId="S-1-5-112-0-0X14" AuthorizationIds="FILE_ALL_ACCESS, FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, FILE_LIST_DIRECTORY" />
<Match AccountId="S-1-5-112-0-0X23" AuthorizationIds="FILE_GENERIC_READ, FILE_READ_ATTRIBUTES, FILE_LIST_DIRECTORY" />
</Authorize>
<Stop>
<Match AccountId="S-1-5-112-0-0XFF" />
</Stop>
</Rule>
edit:
<Macro Id="STANDARD_RIGHTS_RESOURCE_GROUP_NAME" Description="Standard Rights Resource Group SID" Value="S-1-5-112-0-0X23" />
"Standard Rights" for enumerating the installed info.
fiinix said:
Direct edit [blocked, umad?].
Edit on external placed EDB [ok]
<Macro Id="ELEVATED_RIGHTS_RESOURCE_GROUP_NAME" Description="Elevated Rights Resource Group SID" Value="S-1-5-112-0-0X14" />
You will need "Elevated Rights" to edit the file (when located @ /PACKAGEMANAGER/*)
- Editing from /Applications/Install/{GUID}/Install/ (you are OK)
- (Solution) Edit => override system file (maybe possible?)
"PACMAN.EDB" block policy
Code:
<Rule PriorityCategoryId="PRIORITY_HIGH" ResourceIri="/FILESYS/PRIMARY/APPLICATION%20DATA/MICROSOFT/PACKAGEMANAGER/PACMAN.EDB" SpeakerAccountId="S-1-5-112-0-0-1" Description="Allow all in Standard Rights Chamber to access the Package Manager database ">
<Authorize>
<Match AccountId="S-1-5-112-0-0X14" AuthorizationIds="FILE_ALL_ACCESS, FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, FILE_LIST_DIRECTORY" />
<Match AccountId="S-1-5-112-0-0X23" AuthorizationIds="FILE_GENERIC_READ, FILE_READ_ATTRIBUTES, FILE_LIST_DIRECTORY" />
</Authorize>
<Stop>
<Match AccountId="S-1-5-112-0-0XFF" />
</Stop>
</Rule>
edit:
<Macro Id="STANDARD_RIGHTS_RESOURCE_GROUP_NAME" Description="Standard Rights Resource Group SID" Value="S-1-5-112-0-0X23" />
"Standard Rights" for enumerating the installed info.
Click to expand...
Click to collapse
Ok, got a plan then =P If I have time today, I'll try and create a C# program to read edb files, and place my pacman files in the Install directory. My C++ is rusty though, so if you have time to waste, feel free to beat me to it
Not sure if im doing it right
- First time working with CE databases (Using google)
[Testing] Ill just check the error codes if success.
CEOID poid;
CeOpenDatabase(&poid, L"pacman.edb", 0,CEDB_AUTOINCREMENT, 0);
CEOIDINFO * info = (CEOIDINFO*)malloc(sizeof(CEOIDINFO));
ZeroMemory(info, sizeof(CEOIDINFO));
CeOidGetInfo(poid, info);
edit:
Making some progress:
- returned: ERROR_FILE_NOT_FOUND
MSDN: CeMountDBVol is obselete => use CeMountDBVolEx (above returned -1 (CeOpenDatabase))
Help code (Ce lib): http://nah6.com/~itsme/cvs-xdadevtools/itsutils/dll/PoomInterface.cpp
Current code:
Code:
typedef BOOL (*FN_CeMountDBVolEx)( PCEGUID pGuid, LPWSTR lpwszDBVol, CEVOLUMEOPTIONS* pOptions, DWORD dwFlags);
STDMETHODIMP CMangoClass::DatabaseTestWork()
{
FN_CeMountDBVolEx CeMountDBVolEx = (FN_CeMountDBVolEx)GetProcAddress(LoadLibrary(L"coredll.dll"), L"CeMountDBVolEx");
LPWSTR str = TEXT("pacman.edb"); // => ERROR_FILE_NOT_FOUND (different path needed)
CEGUID _mvolguid;
memset(&_mvolguid, 0, sizeof(CEGUID));
BOOL ok = CeMountDBVolEx(&_mvolguid, str, NULL,OPEN_EXISTING);
return ok;
}
edit 2:
Aw! FFS!
Changed to: TEXT("\\Applications\\Install\\8DC5214E-88FA-4C2D-A379-2CD74FE24B72\\Install\\pacman.edb");
- ERROR_ACCESS_DENIED
Maybe needs to be located in isolation storage or \Data\
edit 3:
WOAH
- NO_ERROR
TEXT("\\Applications\\Data\\8DC5214E-88FA-4C2D-A379-2CD74FE24B72\\Data\\IsolatedStore\\pacman.edb");
I could expect this due the WRITE+READ under \Install\ is policy blocked, where \IsolatedStore\ is full access (sandbox: "this-app")
edit 4:
What im currently able doing:
Code:
var db = "\\Applications\\Data\\8DC5214E-88FA-4C2D-A379-2CD74FE24B72\\Data\\IsolatedStore\\pacman.edb";
bool suc;
int guidAddr = DllImportCaller.lib.EDB_Mount(db, out suc);
if (!suc)
{
var erra = (WinError)DllImportCaller.lib.GetLastError7();
}
else
{
var sessionHandle = DllImportCaller.lib.EDB_OpenMounted(db, guidAddr);
//Currently trying to get this one working (erra: INVALID_PARAMETER) => Probably "SORTORDERSPECEX"
var erra = (WinError)DllImportCaller.lib.GetLastError7();
}
edit 5:
The db handles mounted (within pacman):
805306371,
805306369,
805306383,
805306381,
805306373
Code:
var first = DllImportCaller.lib.EDB_FindFirstDB(guidAddr);
var dbHandles = new List<int>();
int dbHandle;
var erraA = (WinError)DllImportCaller.lib.GetLastError7();
while ((dbHandle = DllImportCaller.lib.EDB_FindNextDB(first, guidAddr)) != 0)
{
dbHandles.Add(dbHandle);
var erra = (WinError)DllImportCaller.lib.GetLastError7();
}
var sortDuplicate = dbHandles.Distinct().ToArray();
Hey! I was working on that a while ago. But I'm too busy with other things, so I put it on hold. Good luck!
http://forum.xda-developers.com/showthread.php?p=15205597#post15205597
Ciao,
Heathcliff74
Heathcliff74 said:
Hey! I was working on that a while ago. But I'm too busy with other things, so I put it on hold. Good luck!
http://forum.xda-developers.com/showthread.php?p=15205597#post15205597
Ciao,
Heathcliff74
Click to expand...
Click to collapse
Could you send the C++ code for that?
I have come a long way, but it would speed up more
fiinix said:
Could you send the C++ code for that?
I have come a long way, but it would speed up more
Click to expand...
Click to collapse
Pwoo. I really got to look for that. Not sure I still have this. I will look for it tomorrow.
"Because i can"-moment: Attachment
Mom, look, i extracted the tables lol
Well, it works fast extracting the table names
Guys, this is awesome, and fantastic job whipping it up so fast - I'll try and step in when I can.
If you can edit the database file, it's quite possible we'll be able to replace it using the XAP exploit. No guarantee of course - the installer may take a lock on the DB file before unpacking the XAP, in which case the unpack would fail.
Of course, you'd need to not overwrite the database or your installed apps (and quite possibly the built-in ones) would probably stop working. I wonder if the phone would load a pacman3.edb if you put it in the right folder...