Samsung Wave custom firmware - Bada Software and Hacking General

Are there any tutorials on how to make custom firmware for the Samsung Wave line of devices? Specifically, a custom firmware that does not signature check applications?

There isn't any tutorial as there isn't such a firmware at the moment. Try reading more posts than you write, as it's getting silly - you ask lots of obvious questions without a definite purpose. It's not getting us anywhere. Maybe you should stop 'teaching others know their ****' and actually do something? Google for Mencken's Law.

Original Samsung JB6 is without Sig Check of Apps... this is the oldest FW leaked for S8500 (Wave)...
There are no mandatory RSA 1024 Certificates in JB6...
Nearly all system files are unsigned... because there are no BluetoothAppControl.so.htb or sig files...
"Problem".
I am not able to flash this Firmware with Multiloader nor with JTAG Hardware.
Because boot_loader.mbn is NOT encrypted...
For JTAG I'm not able to manipulate the correct "Boot Image", because my brain is too small...
Read here:
http://forum.xda-developers.com/showpost.php?p=13785413&postcount=64
http://forum.xda-developers.com/showthread.php?t=912728
Best Regards

adfree said:
"Problem".
I am not able to flash this Firmware with Multiloader nor with JTAG Hardware.
Because boot_loader.mbn is NOT encrypted...
For JTAG I'm not able to manipulate the correct "Boot Image", because my brain is too small...
I don't think encryption is the problem here. The algorithm (Korean SEED) is already known and we can go both ways - decrypt and encrypt with any key (the key for encryption is in plaintext in the description block, being the last 1024 bytes of the file). What we rather should worry about are the version signatures (with 512-bit RSA keys), also in the same block. The solution I see is loading a crafted file using some Bada 1.0/1.2 bootloader patched in memory (the shadowed image) to ignore the signature. We can do the patching through FOTA. As you have the JTAG we can experiment with that some time next week.

If I'm correct, an RSA key with a 512-bit modulus is easy to crack by modern computing standards.

There is a slight difference between feasibility and reasonable time to achieve that.
If you have enough resources then the modulus is: BF1834F775B9861F13E15BA3E01F91CED970B76F2E9D5767EC39C5C1DAD7A8AF9F2A60F131E1D3715E15FDE4B07AC04BF5FC148D95BFF180E9F675D6211F76F1
exponent: 010001

Thank you. And to be clear, that is the public key used by the bootloader to verify the operating system correct?
Sent from my DROID2 GLOBAL using XDA App

Yes, it's used to validate signatures on the bootloader and apps (nucleus kernel and bada).
Each bootloader stage seems to have an additional layer of security (some form of signature - 128 bytes at the end of each bootloader, which includes some time-variable/random data for "signing", as it's different for different releases of the same version), but it's yet to be figured out.

As for factoring the 512-bit modulus (scroll down to the part about TI calculators):
http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml

This is why I said "If you have enough resources", as I myself am not interested in waiting months for results; I haven't got a PS3, an FPGA cluster or even several hundred PCs. Years back I thought about using the public pay-phone network (tens of thousands of units with some RISC uC and FPGA) for distributed computation (back then with a phreaking crew we had such a possibility), like brute-forcing symmetric and asymmetric cryptography keys and factorizing, but it's all gone now. Some sat-TV conditional access guys had some distributed factorization projects as well, but I never tracked what happened with that.
To make a long story short, I know it's all possible with this modulus length, but I'm interested in doing it. If you or anybody have access to computing power (a large grid, cluster, Cray or other supercomputer) then I'd be happy to see the results.

I have enough time to run my PC(s) day and night... weeks, months...
Maybe we should, for "brain training"... start with lower RSA...
I've never seen FREE software for testing... only theory about using graphics cards like NVIDIA...
Maybe someone is willing to offer software for noobs like me to compute RSA keys between RSA "30" and RSA "100"... to understand dreams and reality...
We could make some funny thread. Who generates the "private key" fastest, if the public key is given...
Again, only as a lesson. So maximum RSA 100...
Example... with answer...
Code:
P = 0375BA25E7B805
Q = 03B4498980CEAB
Exp1 = 033842E45590F5
Exp2 = 02DCCB06EAF6C9
Coeff = 034F5F18D35B33
Priv Exp = 8A7ED170D08D37ACBC8920D1
Publ Exp = 010001
Modulus = 0CD0F3C2312AED609B775BF157
So the question would be...
pub key = 0CD0F3C2312AED609B775BF157
Exponent 010001
Please give us the private exponent aka private key...
Answer:
8A7ED170D08D37ACBC8920D1
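Added example, not code from the thread or from any Samsung/Bada tool: it takes the P and Q from the worked example above, derives the remaining PKCS#1 fields the way a key generator does and compares them with the posted values, and it also reports how large the naive "test every number up to the square root" search mentioned later in the thread would be, both for this toy modulus and for the 512-bit bootloader modulus quoted above. The POSTED dictionary, the function names and the assumption that d was computed modulo phi(n) are mine; Python 3.8+ is assumed for pow(x, -1, m).

```python
# Added example, not code from the thread or from any Samsung/Bada tool.
# Python 3.8+ (pow(x, -1, m) for modular inverses).
from math import gcd, isqrt

# Values copied from adfree's worked example (hex, exactly as posted).
POSTED = {
    "P": "0375BA25E7B805",
    "Q": "03B4498980CEAB",
    "Exp1": "033842E45590F5",
    "Exp2": "02DCCB06EAF6C9",
    "Coeff": "034F5F18D35B33",
    "PrivExp": "8A7ED170D08D37ACBC8920D1",
    "PublExp": "010001",
    "Modulus": "0CD0F3C2312AED609B775BF157",
}

# The 512-bit bootloader modulus quoted earlier in the thread.
BOOTLOADER_N_HEX = (
    "BF1834F775B9861F13E15BA3E01F91CED970B76F2E9D5767EC"
    "39C5C1DAD7A8AF9F2A60F131E1D3715E15FDE4B07AC04BF5FC"
    "148D95BFF180E9F675D6211F76F1"
)


def derive_private_key(p: int, q: int, e: int) -> dict:
    """Derive every PKCS#1 private-key field from the primes p, q and e.

    d = e^-1 mod phi(n) (the convention OpenSSL used when the thread was
    written); the CRT fields are dP = d mod (p-1), dQ = d mod (q-1) and
    qInv = q^-1 mod p.  Everything follows from p and q, which is why
    factoring n is the same thing as recovering the private key.
    """
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo phi(n)")
    d = pow(e, -1, phi)
    return {
        "n": p * q,
        "d": d,
        "dP": d % (p - 1),
        "dQ": d % (q - 1),
        "qInv": pow(q, -1, p),
    }


def check_posted_key(posted: dict) -> dict:
    """Compare the fields in adfree's post with values derived from P and Q."""
    v = {k: int(x, 16) for k, x in posted.items()}
    derived = derive_private_key(v["P"], v["Q"], v["PublExp"])
    phi = (v["P"] - 1) * (v["Q"] - 1)
    return {
        "modulus_matches": derived["n"] == v["Modulus"],
        "exp1_matches": derived["dP"] == v["Exp1"],
        "exp2_matches": derived["dQ"] == v["Exp2"],
        "coeff_matches": derived["qInv"] == v["Coeff"],
        # True if the posted private exponent is the phi(n)-based one; a tool
        # using lcm(p-1, q-1) instead yields a different but equally valid d,
        # so these two flags alone do not mean "wrong key".
        "privexp_matches": derived["d"] == v["PrivExp"],
        "privexp_inverts_e": (v["PublExp"] * v["PrivExp"]) % phi == 1,
        "derived_d_hex": format(derived["d"], "X"),
    }


def trial_division_bound(n: int) -> dict:
    """Size of the naive 'try every number up to sqrt(n)' search space.

    The bound is real but useless at key sizes: the square root of a
    512-bit n is still a 256-bit count of candidate divisors.
    """
    root = isqrt(n)
    return {
        "modulus_bits": n.bit_length(),
        "sqrt_bits": root.bit_length(),
        "sqrt_decimal_digits": len(str(root)),
    }


if __name__ == "__main__":
    for name, value in check_posted_key(POSTED).items():
        print(f"{name}: {value}")
    for label, hexstr in (("toy modulus", POSTED["Modulus"]),
                          ("bootloader modulus", BOOTLOADER_N_HEX)):
        print(label, trial_division_bound(int(hexstr, 16)))
```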

adfree said:
I have enough time to run my PC(s) day and night... weeks, months...
Maybe we should, for "brain training"... start with lower RSA...
I've never seen FREE software for testing... only theory about using graphics cards like NVIDIA...
Maybe someone is willing to offer software for noobs like me to compute RSA keys between RSA "30" and RSA "100"... to understand dreams and reality...
We could make some funny thread. Who generates the "private key" fastest, if the public key is given...
Again, only as a lesson. So maximum RSA 100...
Example... with answer...
Code:
P = 0375BA25E7B805
Q = 03B4498980CEAB
Exp1 = 033842E45590F5
Exp2 = 02DCCB06EAF6C9
Coeff = 034F5F18D35B33
Priv Exp = 8A7ED170D08D37ACBC8920D1
Publ Exp = 010001
Modulus = 0CD0F3C2312AED609B775BF157
So the question would be...
pub key = 0CD0F3C2312AED609B775BF157
Exponent 010001
Please give us the private exponent aka private key...
Answer:
8A7ED170D08D37ACBC8920D1
A great piece of software, if you run Windows, is xca. I've used it to make 8192-bit RSA keys. It is very simplistic, and I consider it a godsend after trying to use OpenSSL via the command line.
Edit: I don't know if it will save the factors of the modulus, but I know that OpenSSL will. Anyway, give it a try.
Edit: Sorry, I didn't realize that you meant factoring RSA keys (I forgot about that). xca will generate them for you, though. Unfortunately, there is no (known) classical algorithm that can factor numbers in polynomial time. Shor's algorithm can do it in polynomial time, but only with a quantum computer.
Edit: The 512-bit key could be factored using a distributed effort. (See this: http://en.wikipedia.org/wiki/Texas_Instruments_signing_key_controversy) Time shares could also be rented on a supercomputer.

Code:
BF1834F775B9861F13E15BA3E01F91CED970B76F2E9D5767EC39C5C1DAD7A8AF9F2A60F131E1D3715E15FDE4B07AC04BF5FC148D95BFF180E9F675D6211F76F1
is approximately 2.0238493722395799×10^155. To factor a number you only need to test every number from 1 to the floor of the square root of said number. In this case, every number from 1 to about 4.49872134×10^77.

Master Melab said:
Code:
BF1834F775B9861F13E15BA3E01F91CED970B76F2E9D5767EC39C5C1DAD7A8AF9F2A60F131E1D3715E15FDE4B07AC04BF5FC148D95BFF180E9F675D6211F76F1
is approximately 2.0238493722395799×10^155. To factor a number you only need to test every number from 1 to the floor of the square root of said number. In this case, every number from 1 to about 4.49872134×10^77.
:/
Oh, come on, it is only comparable to the number of atoms in the universe...
The naive factoring algorithm does not make sense for large numbers - rather some specialized variants of the Number Field Sieve, where you don't need to test every number.

I was only laying out the fundamentals/basics.

Master Melab said:
To factor a number you only need to test every number from 1 to the floor of the square root of said number.
Master Melab said:
I was only laying out the fundamentals/basics.
The fundamental is you don't need to test every number.

Related

[DISCUSSION][SOLVED] G2 Rooting #2

Seriously, actual technical discussion this time.
Continued from the other thread:
READ THIS FIRST:
ace42588 said:
If the phrase "I don't know if anyone has tried this..." appears in your post, stop. Read both threads. Reconsider your post. Your post should no longer have that phrase and won't waste space.
If the phrase "I don't know, but..." appears in your post, stop. Find out. The interwebz is amazingly useful for learning things. Reconsider your post. Your post should no longer have that phrase and you will sound knowledgeable and educated.
If you don't have any idea how an exploit is supposed to work, please don't suggest it. Look it up. If it sounds applicable to the G2, proceed to share.
What we know now:
- The eMMC supports setting a range of blocks temporarily or permanently read-only. That seems to be the case for the bootloader, /system and recovery.
(From the datasheet: Specific segments of the iNAND may be permanently, power-on or temporarily write protected. Segment size can be programmed via the EXT_CSD register.)
- The reason we can write to /system using "temproot" is that it is getting cached by linux. (Write-through, so the card is accepting and discarding writes but we are seeing the cached version only.) Flushing the cache removes all changes from system and upsets the kernel.
- Because no changes are making it to the actual flash, rebooting removes all updates. It is not being magically reflashed.
- It is not a rootkit. It is the OPPOSITE of a rootkit. Rooting it is much much more like a rootkit. Seriously.
- OTA isn't an answer. It isn't even helpful. The way it works: update.zip is downloaded, and the key checked. It is saved to /cache, and an update script is written. It reboots to recovery. Recovery checks the keys again, then runs the script to install it. There's no exploitable action there. It doesn't unlock the eMMC, etc.
The eMMC security standard (pdf) and specifically, the parts applying to write protection
And the SanDisk part manual/datasheet
Some pieces of the current state are accessible from fastboot, or by mounting debugfs.
Status Blocks:
CSD and decode
Decode of EXT_CSD (via "fastboot oem get_ext_csd_emmc")
EXT_CSD (raw) while the phone is running
Some notes concerning the above
Useful flags in the security standard, specifically relating to temporarily and permanently write protecting regions of flash.
CMD29 is clear write protect. Hmmmm...
Or we might permanently write-protect it. Or permanently -block- write protection.
Can a kernel module just reset the WP blocks? maybe (more info here) and the value should be "d00f00320f5903fffffffde0124040c8"
If we have to reset the controller, here is how
Examinations of the cache behavior, rmt_storage, etc.
If you have other updates, stick the links in the replies. Also, there is a wiki being set up.
Currently (10/9) we're looking at either resetting the part (and then reconfiguring it to get it out of boot mode - page 38 in the spec) or chewing up the bootloader.
Alternate approach by lbcoder - apply the leaked engineering bootloader as an update, convincing the system via misc that it has already passed signature validation:
Kinda unrelated, but here is HTC's response to their gpl violation. And finally, here is their possibly-accidental source code release.
Edit: What I posted is now in the above post. Just trying to help. I have faith in you guys to get root.
CHANGELOG:
- 10-08 18:32 wiki link fixed
- 10-08 22:07 added the cache examinations
- 10-09 13:45 added the disclaimer and the currently-trying
- 10-13 10:11 add CSD decode
- 10-14 09:37 add kernel source
mrozzeh said:
rmt_storage was basically just proof to me that there was a write-back issue in place.
Part of the bootloader's preboot sequence is a call to mpu_emmc_protection (I believe that is what it's called, off the top of my head), followed by a call that sets up the physical NAND protection that we're already used to. Setting superCID or S-OFF would disable those calls, which would kill the ramfs and allow physical access.
Ah, ok this makes sense to me. Basically you are changing the time of the attack to earlier on in the life-cycle. I agree that disabling write-protection while the phone is operational (after boot) could be problematic (because we seem to have cached writes).
So what you're suggesting is that we turn off protection earlier on (in the bootloader)?
Oh by the way, there's no point writing that value (that I mentioned earlier) to the CSD register since those bits are RO.
vi5in said:
Ah, ok this makes sense to me. Basically you are changing the time of the attack to earlier on in the life-cycle. I agree that disabling write-protection while the phone is operational (after boot) could be problematic (because we seem to have cached writes).
So what you're suggesting is that we turn off protection earlier on (in the bootloader)?
It may be that it can't be turned off at all once it is turned on (eg if we can't get the chip back into a sane state after a reset), so it is possible that the only time we can turn it off (or rather, not turn it on) is bootloader.
The cached writes issue is easy to deal with - there is no reason to ever remount it read/write, so there are no cached writes pending. (There is a red herring from earlier - HTC didn't set it up read/write; that is a side-effect of a typo in the 'root' script from the directions thread. The last line attempts to put it back to read-only, but fails because it uses the Android mount instead of the busybox mount.)
The wiki link is broken.
Maqr said:
The wiki link is broken.
Wiki is now here.
Now I'm not a dev by any means.
Let me see if I have this right: there is a read-only file that contains the "primary" Android system files and we can't modify that, and it gets re-applied every time the phone is restarted, henceforth making the phone unrootable. Now, logically speaking, the area had to at one point have been writable, and has since been locked by a command, which we can't find. And the MMC has a little to do with the whole process, so it's safe to say that it might be one of the "key" components. Just looking at the design of the phone, and with what looks like a back cover sensor on the lower of the hinges on the back cover. Now the command to read the read-only part of the phone is looking like what we have to get to, to change where it is looking for the sys info to allow us perm root. I have a G2 and am excited by the amount of skill coming together to get this done.
Always willing to donate for a good cause; let me know if we need to get a pot going to buy someone a G2, like JesusFrekee.
Maybe HTC wants to force us inside the G2 so we void warranties. JTAG adapter, or a hardware-related jumper/mod.
Someone's gonna need a G2 bought by the community that they are not going to mind tearing apart.
jeagoss has already torn one apart and JTAGed it and has been poking around.
Sorry to dig up old info from the other thread, but I couldn't help but notice a few things here:
Disconn3ct said:
Where do you think the ramfs is coming from, as opposed to a write-through cache? It certainly behaves like a cache. (Not disagreeing that it gets set early. And if we can't get the bootloader, replacing recovery might be enough - it has to be r/w when starting recovery for OTAs to work, so the bootloader can behave 'as designed'.)
rmt_storage_client_txt (and the source)
this post shows changes disappearing after a cache flush (easily verifiable) and memory use going up as data is 'written'.
changes disappear "randomly" over time - ramdisk maintains data.
Where is the info that got you thinking rmt_storage creates a ramdisk? I saw something about that a couple days (and dozens of pages) back, but it didn't pan out. Did we miss something?
I think there is an interaction between rmt_storage and the actions of the radio/mmc interfering with the temp root. rmt_storage is certainly being used as a proxy to communicate with the storage in some way. Not as a ram-disk, but as an overlay to the visible partitions that are on lock-down. Your observations of free memory being clobbered by big writes to protected partitions could very well be linux caching the writes - because there's simply nothing better to do with that memory at that moment in time. However, as rmt_storage continues to communicate with other parts of the system, the trigger to flush cache as it sees fit may very well be sent through the RPC mechanism. It does not exactly explain the cache flush scenario, unless rmt_storage sends a message to clear all volatile blocks at that time. Any way you slice it, rmt_storage has a lot to do with the overlay, and probably nothing to do with the lockout.
mrozzeh said:
rmt_storage was basically just proof to me that there was a write-back issue in place.
Part of the bootloader's preboot sequence is a call to mpu_emmc_protection (I believe that is what it's called, off the top of my head), followed by a call that sets up the physical NAND protection that we're already used to. Setting superCID or S-OFF would disable those calls, which would kill the ramfs and allow physical access.
This makes sense to me. Coming from a N1, I did the locked bootloader root via SDcard trick a few months back. This explains why HTC has blocked adb from communicating with the device while in recovery mode. The same trick would presumably work if they left it open.
So....
It seems we have some evidence that the lock happens during the early stage of the boot sequence. From here, it is likely that rmt_storage plays a role in how the overlay/cache/whatever is reverting writes over a period of time. But it does not appear to have anything to do with the security lock-out.
With no recovery vector to exploit, this leaves us with few options. I would put my money on exploiting the pre-boot process (possibly with a race condition exploit similar to what we have seen with other recent HTC devices) and either preventing the partitions from being write protected *or* disabling the security outright. I have yet to see any evidence that we can disable the write lock from userspace *or* kernelspace - only speculation.
Re-read rmt_storage_client.txt - it seems likely that this is what we are observing with the rooted units degrading over time. rmt_storage sends RPC calls, stuff happens, filesystem overlay changes disappear. Once the kernel is up, this is *the only* interface to restricted parts of the storage system.
Based on the rmt_storage_client.txt you linked, rmt_storage provides storage access to the radio/modem processor via RPC, since it doesn't have any direct way to access the eMMC; rmt_storage doesn't sound like it's doing anything for the application processor (the one Android runs on, that we root, etc.).
It's not impossible that it might somehow be exploitable in some fashion but I glanced through the code and nothing jumped out at me as doing anything interesting.
HamNCheese said:
This explains why HTC has blocked adb from communicating with the device while in recovery mode.
But wait- don't you remember the part when T-Mobile said that the inability to save changes is a mere side effect of HTC's security measure intended only to prevent "key operating software from becoming corrupted and rendering the device inoperable"?
And their 90-120 day delays are totally "within the requirements of the open source community", no matter what the GPL might say.
I'll keep looking here.
W
biosehnsucht said:
Based on the rmt_storage_client.txt you linked, rmt_storage provides storage access to the radio/modem processor via RPC, since it doesn't have any direct way to access the eMMC; rmt_storage doesn't sound like it's doing anything for the application processor (the one Android runs on, that we root, etc.).
It's not impossible that it might somehow be exploitable in some fashion but I glanced through the code and nothing jumped out at me as doing anything interesting.
My understanding is that the eMMC is abstracted since it is not yet directly supported by linux. Therefore, the radio would be the next logical choice for accessing it.
rmt_storage = remote storage. Keep in mind that we're dealing with a new SOC - it's perfectly reasonable to assume it has the ability to access eMMC on its own. RPC via rmt_storage is a likely suspect. It would also explain where the missing space went.
You have it backwards. Read the beginning of the rmt_storage doc. The radio can't access it so it makes rpc calls to linux so that linux can handle read/write for it. It is well documented. Seriously people. Stop guessing and do a little reading..
Subbed for updates. I'm not good at this stuff. So I'm reading trying to learn.
Sent from my T-Mobile G2 using XDA App
HamNCheese said:
My understanding is that the eMMC is abstracted since it is not yet directly supported by linux. Therefore, the radio would be the next logical choice for accessing it.
rmt_storage = remote storage. Keep in mind that we're dealing with a new SOC - it's perfectly reasonable to assume it has the ability to access eMMC on its own. RPC via rmt_storage is a likely suspect. It would also explain where the missing space went.
The eMMC is very directly supported by Linux.
The radio does not have the ability to talk to the controller; that is why its storage must be proxied through one of its mailboxes to the kernel, and then to the userspace client.
I don't believe it's related to our root issues.
I own a Droid X and I hope you guys have more success with the G2 than the X community has had unlocking our bootloader. In the long run though, the manufacturers will win the battle of locking devices. The answer to this problem is really to stop buying locked devices. Not much chance of that happening either. A pretty depressing picture for the time being and short term future.
burpootus said:
I own a Droid X and I hope you guys have more success with the G2 than the X community has had unlocking our bootloader. In the long run though, the manufacturers will win the battle of locking devices. The answer to this problem is really to stop buying locked devices. Not much chance of that happening either. A pretty depressing picture for the time being and short term future.
It's truly my belief that they do these things to prevent having to fix people's rooted phones... Android, with its open market and cross-hardware nature, is already a big risk for manufacturers, but fortunately they have given it a shot (and we have rewarded that).
If you were truly passionate about having an unlocked phone, vote with your dollar and buy a dev phone like the new nexus one dev phone.
Otherwise.. pay less and work for root.
Sent from my T-Mobile G2 using XDA App
Hah web2go is 'key operating software' ? I call BS
VValdo said:
But wait- don't you remember the part when T-Mobile said that the inability to save changes is a mere side effect of HTC's security measure intended only to prevent "key operating software from becoming corrupted and rendering the device inoperable"?
And their 90-120 day delays are totally "within the requirements of the open source community", no matter what the GPL might say.
I'll keep looking here.
W
Sent from my T-Mobile G2 using XDA App

CheckBox state preserving/restoring

Hi there,
Does anyone out there know how to preserve/restore the transient state of a CheckBox and/or RadioButton?
So far, I'm using the following code, which works for a TextBox:
Code:
' Despite its name, this reads the saved text back into the TextBox
Public Sub PreserveState_TextBox(ByVal TB As TextBox)
    Dim buffer As String = String.Empty
    If True = PhoneApplicationService.Current.State.ContainsKey(TB.Name) Then
        buffer = TryCast(PhoneApplicationService.Current.State(TB.Name), String)
        If Not String.IsNullOrEmpty(buffer) Then
            TB.Text = buffer
        End If
    End If
End Sub
' Despite its name, this saves the TextBox text into the page state
Public Sub RestoreState_TextBox(ByVal TB As TextBox)
    If True = PhoneApplicationService.Current.State.ContainsKey(TB.Name) Then
        PhoneApplicationService.Current.State.Remove(TB.Name)
    End If
    PhoneApplicationService.Current.State.Add(TB.Name, TB.Text)
End Sub
Is it possible to modify the above code to work for a CheckBox and/or RadioButton?
If not, any ideas?
So far, I've been trying the "Tombstoning" sample code from Microsoft without any luck...
Thanks in advance!
Hi,
I'm not a VB developer, but storing the state of a checkbox is not much different from storing any other primitive type. What you could do is have a bool variable "isCbChecked" and store that bool state in your PhoneApplicationService.State.
Code:
// IsChecked is a nullable bool; it is boxed into the state dictionary as-is
PhoneApplicationService.Current.State.Add("isCbChecked", myCheckbox.IsChecked);
Then, when you're restoring your app, simply do
Code:
// Read the stored value back (ContainsKey only tells you whether the key exists)
if (PhoneApplicationService.Current.State.ContainsKey("isCbChecked"))
    myCheckbox.IsChecked = (bool?)PhoneApplicationService.Current.State["isCbChecked"];
keyboardP said:
Hi,
I'm not a VB developer, but storing the state of a checkbox is not much different from storing any other primitive type. What you could do is have a bool variable "isCbChecked" and store that bool state in your PhoneApplicationService.State.
Code:
// IsChecked is a nullable bool; it is boxed into the state dictionary as-is
PhoneApplicationService.Current.State.Add("isCbChecked", myCheckbox.IsChecked);
Then, when you're restoring your app, simply do
Code:
// Read the stored value back (ContainsKey only tells you whether the key exists)
if (PhoneApplicationService.Current.State.ContainsKey("isCbChecked"))
    myCheckbox.IsChecked = (bool?)PhoneApplicationService.Current.State["isCbChecked"];
Thanks a lot for your fast reply.
Can I ask for additional help on how to make your statements into generic procedures, at least to take them to something similar to what I posted?
Don't care if it's in C#
Thanks in advance!
GFR_2009 said:
Thanks a lot for your fast reply.
Can I ask for additional help on how to make your statements into generic procedures, at least to take them to something similar to what I posted?
Don't care if it's in C#
Thanks in advance!
Off the top of my head, something like this should work (C# code).
Code:
public static T RestoreState<T>(string key)
{
    if (PhoneApplicationService.Current.State.ContainsKey(key))
    {
        return (T)PhoneApplicationService.Current.State[key];
    }
    // 'return null' does not compile for an unconstrained T; default(T) is
    // null for reference types and the zero value for value types.
    return default(T);
}
'T' is the type that will be used. In C# 'T' is a special character denoting the generic type, not something I just used
So in the code above, the return type is 'T' and when using RestoreState, it will be 'RestoreState<Textbox>("TB.Name");'. The value of 'TB.Name' will be searched within the dictionary and, if it's found, it will cast that object as 'T' (Textbox) and return it, otherwise it will return null.
Hi,
So far, I did the following and, while no error is raised, nothing happens...
Code:
Public Function Backup(ByVal token As String, ByVal value As Object) As Boolean
    If Nothing Is value Then
        Return False
    End If
    Dim store = PhoneApplicationService.Current.State
    If store.ContainsKey(token) Then
        store(token) = value
    Else
        store.Add(token, value)
    End If
    Return True
End Function
Public Function Restore(Of T)(ByVal token As String) As T
    Dim store = PhoneApplicationService.Current.State
    If Not store.ContainsKey(token) Then
        Return Nothing
    End If
    Return CType(store(token), T)
End Function
I call them as follows
Code:
' Store the serialisable value (IsChecked), not the CheckBox control itself
Backup(Me.CheckBox_1.Name, Me.CheckBox_1.IsChecked)
' Assign the restored value back; a bare call would discard it
Me.CheckBox_1.IsChecked = Restore(Of Nullable(Of Boolean))(Me.CheckBox_1.Name)
I don't know where the error is; maybe you could take a look and help me out.
Any help is much appreciated!
Where are you calling the Backup and Restore functions? Since you're doing page-specific things, you could do it in the OnNavigatedFrom and OnNavigatedTo methods, respectively.
keyboardP said:
Where are you calling the Backup and Restore functions? Since your doing page specific things, you could do it in the OnNavigatedFrom and OnNavigatedTo methods, respectively.
Hi,
I'm calling them in the OnNavigatedTo and OnNavigatedFrom methods, as you pointed out
Unfortunately, nothing happens at all!
Thanks!
Hi,
As far as I can tell, there's nothing wrong with your saving/loading code. When you call
"Restore(Of CheckBox)(Me.CheckBox_1.Name)", is that returning a bool? You need to assign that bool to the checkbox:
Code:
' Assign the restored (nullable) bool back to the CheckBox
Me.CheckBox_1.IsChecked = Restore(Of Nullable(Of Boolean))(Me.CheckBox_1.Name)
Also, all variables are reset when the page loads, so make sure you have set "myCheckbox.IsChecked" anywhere else on the page that could be called when the page loads.
Please check the converted code of the above functions, to C#:
Code:
public bool Backup(string token, object value)
{
    if (null == value)
    {
        return false;
    }
    var store = PhoneApplicationService.Current.State;
    if (store.ContainsKey(token))
    {
        store[token] = value;   // C# indexers use [], not ()
    }
    else
    {
        store.Add(token, value);
    }
    return true;
}
public T Restore<T>(string token)
{
    var store = PhoneApplicationService.Current.State;
    if (!store.ContainsKey(token))
    {
        return default(T);
    }
    return (T)store[token];
}
Do you think they are OK?
How should I call them ?
Clearly, the restore does not return a boolean...
Honestly, I'm lost now!
Hope this helps to find the culprit.
It seems okay to me. You'll have to do some debugging. Set a breakpoint inside the Backup and Restore methods. Step through each line and make sure it's going to the line you expect it to and that the value being set is the correct one.
I haven't seen the tombstoning sample from MSDN, but can you get that to work? If so, is the generic method causing the problem? Or can you not get it to work at all?
Hi,
Sorry for the delay in getting back, but I was trying different code and at least I found the cause.
Code:
Me.NavigationService.Navigate(New Uri("/PivotPage1.xaml?Name=" & "John", UriKind.Relative))
Me.NavigationService.GoBack()
Me.NavigationService.Navigate(New Uri("/PivotPage1.xaml", UriKind.Relative))
Everything works fine, and the Checkbox state is saved/restored (in the Pivot Page) if I GO BACK using the GoBack hardware button or Me.NavigationService.GoBack
But, the state's dictionary entry is lost or ignored if I go back with the Navigate service (lines 1 and 3)...
Problem is that I need to get back with the query string...
The query string contains a value taken in the SelectedItem event of PAGE2's ListBox, and automatically once retrieved must go back.
I didn't know until now that NavigationService.Navigate creates a new page instance or something like that in the backstack...
Any suggestions are welcome!
Hi,
There are various methods you can use depending on the app's architecture. For example, you could have a 'shared' class that contains a shared field that holds the SelectedItem value. When the user selects the item, set the shared field's value and then when you go back, you can get the value from the shared field.
keyboardP said:
Hi,
There are various methods you can use depending on the app's architecture. For example, you could have a 'shared' class that contains a shared field that holds the SelectedItem value. When the user selects the item, set the shared field's value and then when you go back, you can get the value from the shared field.
So, no other way to cope with the navigation service?
It's a strange behaviour for sure...
Will try your ideas.
Thanks a lot for your reply!
GFR_2009 said:
So, no other way to cope with the navigation service?
It's a strange behaviour for sure...
Will try your ideas.
Thanks a lot for your reply!
There are other ways. For example, instead of using the PhoneApplicationService to store the tombstoning information, you could put it in a querystring for page 2. Then, in page 2, you could add the information from the previous page to a querystring AND the information of the selected item to the querystring. Navigate to page 1, with the querystring that contains information on what was there before and what the user selected. Tombstoning is there for when the user presses the hardware search button, home button, a phone call arrives etc.. It's not there for the navigation of the app. That's where querystrings, shared variables, binary serialization etc... come into play.
The concept of the navigation service is similar to a website. For example, when you submit something and then go back, it might still be there in the page state. However, if you submit something and then reload the previous page by typing it in the address bar, it becomes a completely new page as no state is stored.
keyboardP said:
There are other ways. For example, instead of using the PhoneApplicationService to store the tombstoning information, you could put it in a querystring for page 2. Then, in page 2, you could add the information from the previous page to a querystring AND the information of the selected item to the querystring. Navigate to page 1, with the querystring that contains information on what was there before and what the user selected. Tombstoning is there for when the user presses the hardware search button, home button, a phone call arrives etc.. It's not there for the navigation of the app. That's where querystrings, shared variables, binary serialization etc... come into play.
The concept of the navigation service is similar to a website. For example, when you submit something and then go back, it might still be there in the page state. However, if you submit something and then reload the previous page by typing it in the address bar, it becomes a completely new page as no state is stored.
Hi,
Will try your suggested approach, and thanks a lot for the last explanation on how the darn thing works.
Thanks again!
GFR_2009 said:
Hi,
Will try your suggested approach, and thanks a lot for the last explanation on how the darn thing works.
Thanks again!
You're welcome. It's one of those things that takes a bit of time to understand, but it starts to make sense. You might be interested in a free WP7 development ebook by Charles Petzold.
keyboardP said:
You're welcome. It's one of those things that takes a bit of time to understand, but it starts to make sense. You might be interested in a free WP7 development ebook by Charles Petzold.
I already have the book, but will need a deeper reading
So far, I've been testing your idea of using global classes and works ok.
Thanks a lot for being so cooperative, it's much appreciated!
GFR_2009 said:
I already have the book, but will need a deeper reading
So far, I've been testing your idea of using global classes and works ok.
Thanks a lot for being so cooperative, it's much appreciated!
No worries! If programming was super easy everyone would be doing it
keyboardP said:
No worries! If programming was super easy everyone would be doing it
Never said better!

[Q] Disassembling ChevronWP7

I have been using ChevronWP7 for more than a month now and I was always wondering how does it work?
I tried to follow the obfuscated code in Reflector but it's really a mess and needs a lot of time and effort to follow the code's logic.
Aside from the code part, it seems that it changes the hosts file under C:\Windows\System32\drivers\etc to something like this
192.168.2.13 developerservices.windowsphone.com
172.26.68.53 developerservices.windowsphone.com
192.168.1.20 developerservices.windowsphone.com
So if anyone is working (has worked) on this, it would be great if you guys share your findings with the community here.
Thank you.
EDIT:
I am not sure if you guys have already seen the Windows Phone Developer Registration program that comes with the SDK or not (I didn't!!! for 3 months), but ChevronWP7 is just that program without the Live services authentication! It is that simple, and you can see the source code with Reflector.
Basically the app does the following:
It uses a TcpClient to communicate with the phone over port 27077.
Code:
this.client = new TcpClient();
this.client.SendTimeout = 2000;
this.client.ReceiveTimeout = 2000;
this.client.LingerState.Enabled = true;
this.client.LingerState.LingerTime = 0;
this.client.NoDelay = true;
this.client.Connect("127.0.0.1", 27077);
To check the status of the phone:
it sends this byte array
Code:
byte[] buffer = new byte[4];
buffer[0] = 16;   // 0x10 frame marker
buffer[1] = 1;    // sub-command 1 = status query
                  // buffer[2..3] stay 0: a 16-bit body length of zero, no fields follow
this.commandData = buffer;
To Unlock the phone :
it sends this byte array
Code:
List<byte> list = new List<byte>();
ASCIIEncoding encoding = new ASCIIEncoding();
// body length = (tag + u16 length + token) + (tag + u16 length + u16 flag)
ushort num = (ushort)(((authToken.Length + 3) + 2) + 3);
list.AddRange(new byte[] { 16, 3 });                 // 0x10 frame marker, sub-command 3 = unlock
list.AddRange(BitConverter.GetBytes(num));           // 16-bit body length (little-endian on x86)
list.Add(1);                                         // field tag 1: auth token
list.AddRange(BitConverter.GetBytes((ushort)authToken.Length));
list.AddRange(encoding.GetBytes(authToken));
list.Add(2);                                         // field tag 2: 16-bit flag
list.AddRange(BitConverter.GetBytes((ushort)2));     // flag length = 2 bytes
ushort num2 = isInt ? ((ushort)0) : ((ushort)1);
list.AddRange(BitConverter.GetBytes(num2));
this.commandData = list.ToArray();
An HTTP server is made to listen for any requests that come from the phone (which were redirected in the system hosts file to 127.0.0.1) and returns this as the response:
Code:
<ResponseOfRegisteredDeviceStatus xmlns="Microsoft.WindowsMobile.Service.Marketplace" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><ResponseCode>0x00000000</ResponseCode>
<ResponseMessage i:nil="true"/>
<Entity xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.WindowsMobile.Service.Marketplace.BLLDevPortal.Entities">
<a:DaysLeft>365</a:DaysLeft>
<a:AppsAllowed>10</a:AppsAllowed>
</Entity>
</ResponseOfRegisteredDeviceStatus>
The number <a:AppsAllowed> is the number of allowed apps, discussed here in the changed version without the side limit.
To lock the phone :
Code:
internal LockCommand(string authToken)
{
    List<byte> list = new List<byte>();
    ASCIIEncoding encoding = new ASCIIEncoding();
    // body length = tag + u16 length + token (no flag field for lock)
    ushort num = (ushort) (authToken.Length + 3);
    list.AddRange(new byte[] { 16, 2 });             // 0x10 frame marker, sub-command 2 = lock
    list.AddRange(BitConverter.GetBytes(num));       // 16-bit body length
    list.Add(1);                                     // field tag 1: auth token
    list.AddRange(BitConverter.GetBytes((ushort) authToken.Length));
    list.AddRange(encoding.GetBytes(authToken));
    this.commandData = list.ToArray();
}
Doesn't matter, next update will nullify it.
First of all, ChevronWP7 is a cool utility, but I don't understand why they obfuscated the ripped M$ code. Yes, the device communication part, which is obfuscated, is ripped from the Deployment Developer Tool.
Generally speaking this is what ChevronWP7 does:
- Rewrites the hosts file to redirect the developerservices.windowsphone.com address to localhost
- Brings up an HTTP server with its own certificate to support HTTPS
- For the query during the unlock operation, the HTTP server sends back a baked-in answer as the result of a successful unlock.
ChevronWP7 does exactly what the deployment tool does, but bypasses the Windows Live login.
Thanks,
Attila
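The hosts-file rewrite described in the posts above is the part an administrator can actually detect on a machine: a Marketplace service hostname pointing at loopback or a LAN address instead of a public one. The check below is an added example written for this page, not code from ChevronWP7 or from the Microsoft tool; the hosts lines are constructed here (the three redirect lines are the ones quoted earlier in the thread) and the function names are this example's own.

```python
"""Flag hosts-file entries that redirect a service hostname to a local or private address.

Added example for this thread, not part of ChevronWP7. The SAMPLE_HOSTS text is
constructed; WATCHED_HOSTS holds the one hostname the thread mentions.
"""
import ipaddress

WATCHED_HOSTS = {"developerservices.windowsphone.com"}

# Constructed hosts file: the standard localhost lines plus the three redirect
# lines quoted in the thread. The trailing comment is made up for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.2.13 developerservices.windowsphone.com
172.26.68.53 developerservices.windowsphone.com
192.168.1.20 developerservices.windowsphone.com   # added by an unlock tool
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping in a hosts file.

    Comments ('#' to end of line), blank lines and malformed addresses are
    skipped; one line may map several hostnames to the same address.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IPv4/IPv6 address: not a mapping
        for name in parts[1:]:
            yield ip, name.lower()


def find_redirects(text, watched=WATCHED_HOSTS):
    """Return [(hostname, ip)] for watched names mapped to loopback, private
    (RFC 1918 / ULA) or link-local addresses, i.e. anywhere a real Microsoft
    service cannot live."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in watched and (ip.is_loopback or ip.is_private or ip.is_link_local):
            hits.append((name, str(ip)))
    return hits


if __name__ == "__main__":
    for name, ip in find_redirects(SAMPLE_HOSTS):
        print(f"{name} is redirected to {ip}")
```

On a real Windows box you would read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `find_redirects`; the resolver honours the first matching line, but the check reports every redirecting line so that leftovers from an earlier run are not missed.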
WithinRafael said:
Doesn't matter, next update will nullify it.
How do you know that?
Anyways, I am also checking inside Chevron utility.
To unlock your phone, they send this:
Code:
10032200011A00436F6F6B69653A20486920436861726C6965204B696E64656C210202000100
Code:
.."....Cookie: Hi Charlie Kindel!.....
As a NetworkStream using this TcpClient:
Code:
chevronTCPClient.SendTimeout = 0x1388;              // 5000 ms
chevronTCPClient.ReceiveTimeout = 0x1388;           // 5000 ms
chevronTCPClient.LingerState.Enabled = true;
chevronTCPClient.LingerState.LingerTime = 0x1388;
chevronTCPClient.NoDelay = true;
chevronTCPClient.Connect("127.0.0.1", 0x69c5);      // port 27077, same as the SDK tool
To relock the phone, the data is very similar, just shorter:
Code:
10021D00011A00436F6F6B69653A20486920436861726C6965204B696E64656C21
Also with the joke to Charlie Kindel.
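The decompiled snippets earlier in the thread and the two hex dumps in this post describe the same wire format: a 0x10 marker, a one-byte sub-command (1 = status, 2 = lock, 3 = unlock), a 16-bit little-endian body length, and then tag/length/value fields (tag 1 = the ASCII auth token, tag 2 = a 16-bit flag). The encoder and parser below are an added example written for this page, not ChevronWP7's or Microsoft's code; the names `build_frame`, `parse_frame`, `describe` and the TAG_/CMD_ constants are this example's own, and it checks itself against the two dumps posted above.

```python
"""Encoder/decoder for the device-unlock frames discussed in this thread.

Added example, reconstructed from the decompiled snippets and the two hex dumps
posted in the thread. Field and function names are this example's own; the
only data taken from the thread are the two dumps and the auth-token string.
"""
import struct

FRAME_MAGIC = 0x10
CMD_STATUS = 0x01
CMD_LOCK = 0x02
CMD_UNLOCK = 0x03

TAG_AUTH_TOKEN = 0x01   # ASCII token, as in the decompiled UnlockCommand/LockCommand
TAG_FLAG = 0x02         # u16: 0 when isInt is true, else 1


def _field(tag, payload):
    """One field: 1-byte tag, little-endian u16 length, payload."""
    return bytes([tag]) + struct.pack("<H", len(payload)) + payload


def build_frame(sub_cmd, fields):
    """Frame = 0x10, sub-command, u16 body length, concatenated fields."""
    body = b"".join(_field(tag, payload) for tag, payload in fields)
    return bytes([FRAME_MAGIC, sub_cmd]) + struct.pack("<H", len(body)) + body


def status_command():
    return build_frame(CMD_STATUS, [])


def unlock_command(auth_token, is_int=False):
    flag = 0 if is_int else 1
    return build_frame(CMD_UNLOCK, [
        (TAG_AUTH_TOKEN, auth_token.encode("ascii")),
        (TAG_FLAG, struct.pack("<H", flag)),
    ])


def lock_command(auth_token):
    return build_frame(CMD_LOCK, [(TAG_AUTH_TOKEN, auth_token.encode("ascii"))])


def parse_frame(data):
    """Return (sub_cmd, {tag: payload}); reject anything whose lengths do not add up."""
    if len(data) < 4 or data[0] != FRAME_MAGIC:
        raise ValueError("not a 0x10 frame")
    sub_cmd = data[1]
    (body_len,) = struct.unpack_from("<H", data, 2)
    if 4 + body_len != len(data):
        raise ValueError(f"length field {body_len} does not match payload {len(data) - 4}")
    body, pos, fields = data[4:], 0, {}
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated field header")
        tag = body[pos]
        (length,) = struct.unpack_from("<H", body, pos + 1)
        pos += 3
        if pos + length > len(body):
            raise ValueError("field runs past end of frame")
        fields[tag] = body[pos:pos + length]
        pos += length
    return sub_cmd, fields


def describe(data):
    """Human-readable view of a frame, e.g. the dumps posted in this thread."""
    sub_cmd, fields = parse_frame(data)
    names = {CMD_STATUS: "status", CMD_LOCK: "lock", CMD_UNLOCK: "unlock"}
    out = {"command": names.get(sub_cmd, f"0x{sub_cmd:02x}")}
    if TAG_AUTH_TOKEN in fields:
        out["auth_token"] = fields[TAG_AUTH_TOKEN].decode("ascii")
    if TAG_FLAG in fields:
        (out["flag"],) = struct.unpack("<H", fields[TAG_FLAG])
    return out


# The two dumps posted in this thread and the token they carry.
TOKEN = "Cookie: Hi Charlie Kindel!"
UNLOCK_DUMP = bytes.fromhex(
    "10032200011A00436F6F6B69653A20486920436861726C6965204B696E64656C210202000100")
LOCK_DUMP = bytes.fromhex(
    "10021D00011A00436F6F6B69653A20486920436861726C6965204B696E64656C21")

if __name__ == "__main__":
    assert unlock_command(TOKEN) == UNLOCK_DUMP
    assert lock_command(TOKEN) == LOCK_DUMP
    print(describe(UNLOCK_DUMP))
    print(describe(LOCK_DUMP))
```

Running the block reproduces both dumps byte for byte (0x22 = 34 = 26-byte token + 3 + 2 + 3; 0x1D = 29 = 26 + 3), which confirms that the 0x1388 and 0x69c5 socket settings are the only thing that differs between the two TcpClient snippets in the thread, not the protocol.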
Late to the party, guys
Google Cache because I must get my site up again sometime soon.
hounsell said:
Late to the party, guys
Google Cache because I must get my site up again sometime soon.
Meh, you edited a string
As Raf says, this won't work with the first update.
I thought the ChevronWP7 people were talking to Microsoft about allowing sideloading without the need to hack the phone.
Or was that just some BS from Microsoft to get the ChevronWP7 people to shut down their tool?
jfwfreo said:
was that just some BS from Microsoft to get the ChevronWP7 people to shut down their tool?
Probably.
Someone will always find a way though. This is the same dance jailbreakers go through with Apple.
FYI "WithinRafael" + "walshieau" + Long Zheng = ChevronWP7 people.
I am not sure if you guys have already seen the Windows Phone Developer Registration program that comes with the SDK or not (I didn't!!! for 3 months), but ChevronWP7 is just that program without the Live services authentication! It is that simple, and you can see the whole source code with Reflector.
I'm kinda unimpressed now
martani said:
I am not sure if you guys have already seen the Windows Phone Developer Registration program that comes with the SDK or not (I didn't!!! for 3 months), but ChevronWP7 is just that program without the Live services authentication! It is that simple, and you can see the whole source code with Reflector.
I'm kinda unimpressed now
Huh? Have you actually seen the code in reflector?
walshieau said:
Huh? Have you actually seen the code in reflector?
Well, when I was looking at Chevron's code, I was kind of skeptical about how the hell these guys knew the series of bytes to send to the device to unlock; it didn't make sense. (I even thought that MS would have a hand in this for advertisement stuff.)
But well, now with Windows Phone Developer Registration under Reflector, everything is clear
martani said:
Well, when I was looking at Chevron's code, I was kind of skeptical about how the hell these guys knew the series of bytes to send to the device to unlock; it didn't make sense. (I even thought that MS would have a hand in this for advertisement stuff.)
But well, now with Windows Phone Developer Registration under Reflector, everything is clear
Dude, it isn't that simple.
walshieau said:
Dude, it isn't that simple.
Can you elaborate more what's complicated besides the commands sent to the phone (that were already on the MS app)?
Redirecting a faked answer to the phone over an http server is not the hardest thing ever I think!
walshieau said:
Dude, it isn't that simple.
Martani is right. I am impressed to see the official unlocking tool. The Chevron tool looks so unimportant now! This isn't a hack or a "jailbreak"; MS lets us do this, very nice!
WithinRafael said:
Doesn't matter, next update will nullify it.
the next update won't nullify it.
I love how everyone is questioning the guys that wrote the tool and the ones that have actually spoken to the MS folks. Classic.
martani said:
Can you elaborate more what's complicated besides the commands sent to the phone (that were already on the MS app)?
Redirecting a faked answer to the phone over an http server is not the hardest thing ever I think!
Just because something is obvious when you reverse engineer it doesn't mean it wasn't hard.
RustyGrom said:
I love how everyone is questioning the guys that wrote the tool and the ones that have actually spoken to the MS folks. Classic.
I have to agree with Rusty. Give them their credit instead of trying to tear them down just to boost your own ego. There's room for everyone and their homebrews; no need to knock any of them. Everyone that has contributed has done a great job.
I mean, knocking these guys is like knocking Henry Ford just because someone figured out how he made the cars and thought they could do it themselves.
It's easy to tear something down and figure out what makes it tick, but to make it from scratch with no instructions... walshie, Long, and Raphael, I applaud your efforts and appreciate what you gave us. THANK YOU!
I'm just saying...
martani said:
I am not sure if you guys have already seen the Windows Phone Developer Registration program that comes with the SDK or not (I didn't!!! for 3 months), but ChevronWP7 is just that program without the Live services authentication! It is that simple, and you can see the whole source code with Reflector.
I'm kinda unimpressed now
ChevronWP7 isn't a re-badged version of the official Microsoft tool; I should know, I have the code. To suggest otherwise is quite a slap in the face. You're presenting only a small piece of the puzzle here. For example, you conveniently skip over the reverse engineering effort required to get the response XML.
Of course the command pieces of the code look the same: it's a protocol.

Changing Registries

I want to do the following:
xboxmod said:
Google
Code:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="Google"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\Google]
"URL"="http://www.google.com/m?hl=en&gl=us&client=ms-hms-tmobile-us&q={searchTerms}"
I installed Registry Editor from TouchXperience on my Samsung Omnia 7. I went to:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
And changed DefaultScope's value to "Google" (without the quote obviously). For:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\Google]
I need to create a new key and name it Google in SearchScopes, right?
I tried to do that, but Registry Viewer could not create the new key. I tried multiple times, but it wouldn't work. I get the following error:
Unable to create registry key "Google".
I also accidentally created a new value called "a" but when I try deleting it, I get a similar error. I get the following error:
Unable to delete registry value "a".
The TouchXperience registry editor uses COMRilClient.dll from Samsung to get access to the registry on Samsung devices. This DLL only allows reading/writing of DWORD and string values. It does not allow creating/deleting keys and it does not allow deleting values. It is also restricted to keys that have permissions for Elevated Privileges. It has no access to keys that need TCB permissions.
At the moment I am working on "WP7 Root Tools", which allows you to read and write the entire registry. At the moment I am using a little part of the Samsung drivers, so for now it is only suitable for Samsung devices. I will try to make it work for all devices in time. With a work-around I have access to the phone with TCB privileges.
I have been working on it for quite some time now and I am close to releasing an alpha version. It has been delayed, because last month my grandpa died and now my mother is in intensive care because she had an aneurysm and needed brain surgery. She is recovering in very little steps and I pray she will be fully recovered after rehabilitation.
So I am not fully committed to hacking at this moment, but I promise it won't be very long before I can release a working alpha version.
Thanks for the info, though does that mean I can't even remove the "a" value that I accidentally added?
I'm sorry to hear about your family situation. I hope your mother fully recovers sooner than later.
Chaoticaa said:
Thanks for the info, though does that mean I can't even remove the "a" value that I accidentally added?
Yes, that's right. But it probably won't do any harm. So don't bother.
Chaoticaa said:
I'm sorry to hear about your family situation. I hope your mother fully recovers sooner than later.
Thanks.
Heathcliff74 said:
But it probably won't do any harm. So don't bother.
Yeah, it doesn't even make sense for it to have any effect unless something is looking for that value name in my registry. I'm just a neat-freak that hates that extra accidental value a lot more than the fact that I can't do what I was trying to accomplish.
Chaoticaa said:
Yeah, it doesn't even make sense for it to have any effect unless something is looking for that value name in my registry. I'm just a neat-freak that hates that extra accidental value a lot more than the fact that I can't do what I was trying to accomplish.
You could always hard-reset your phone
Hahaha not that bothered by it.

[Q] recognize letters in my app

Hello,
I'm programming a WP7 app, and I have a letter (for example the "A").
How can I recognize the input and match the correct character?
Sorry for my bad English.
You can cast chars to ints.
see: http://www.asciitable.com/
In the table in that link, note that 'A' corresponds to a decimal number 65. When you cast your char 'A' to an int, it will turn into 65.
Similarly, (int)'a' is 97. And 'a' - ch, where ch = 'b', is equal to -1. Doing subtraction of chars automatically converts to integers. Casting the whole string to lowercase and then checking (currentChar - 'a' < 26) is a great way to check if you're looking at an alphabetic character (a through z).
Thanks for the answer...
The "A" is only an example character.
In the real-world example I use Japanese characters.
The user should paint the correct character in my app, like in the picture...
CB.NET said:
Thanks for the answer...
The "A" is only an example character.
In the real-world example I use Japanese characters.
The user should paint the correct character in my app, like in the picture...
That will be an insanely difficult task. Actually, this in general takes years of study to accomplish.
Handwriting recognition is one of the hardest things to accomplish.
If you do want to give it a shot, my suggestion:
Crop and rescale the images, and then determine patterns for each letter; thus an A can be built from 3 linear formulas, and you check if the drawing matches this structure. You can then compute the derivatives of the drawings and cross-check those derivatives against a database to determine which letter it is.
But this is extremely difficult. We tried to read digits in a Sudoku puzzle, which was already quite a difficult task to accomplish (we tried to reference it against a database of images, as well as checking several characteristic points in a figure, etc.). This went OK with printed letters, but with handwritten ones it was a disaster. I'm not trying to discourage you; maybe there are libraries out there which you can use, but I would reconsider what you are trying to accomplish and determine an approach for yourself.
CB.NET said:
Thanks for the answer...
the "A" is only an example caracter.
in the real world example i use japanese caracters.
the user shall be paint the correct caracter in my app, like this on the picture...
I highly recommend making a class of "Cases"; this way, if it detects "A", it uses the "A" case select as opposed to making a ton of "if" and "else" statements.
Better yet... You always could use an if/else statement or have an array of listed recognized items...
Here is something that might help: http://joshsmithonwpf.wordpress.com/2007/06/12/searching-for-items-in-a-listbox.
