Mmm at last, the thing was discovered, and just experimentation is needed, so we can test the syncing (Cheack Thread Page 3).
Old post text:
Code:
Mmm as I am far from a selfish guy, and have been asked about this, i think that i will share in an independent thread for anyone to see.
Note that this comes from my own ideas, not tested as i cannot use MTP protocol anymore.
[SIZE="5"]Responsability Disclaimer[/SIZE]
This may be agains DCMA or laws about reversing in your country. It's not probably being that way as is a development to interoperate with an unsupported OS (linux) and its one of the exceptions, but i'm not responsable for any liability you can have or imagine.
[SIZE="5"]What is this for?[/SIZE]
This is the procedure to follow before thinking in hacking the phone itself, trying to get to write and read files from the device.
It could faild and serve to no purpose or be gold, depending on the success of the tests.
In the best case, this will lead to the reading and writing of files at will to the device storage.
[SIZE="5"]USB protocol Pre-Knowledge (fast)[/SIZE]
I know you dont wanna know about it, and i am far from an expert but i must just express that USB devices support two operations:
[B]Bulk Transfers[/B] -> Big chunks of data, used mostly for the common data transfers up to 512Bytes per transmission (at a max/time).
[B]Interrupt Transfers[/B] -> Short chunks of data, used for changing settings on the device or short burst of information.
For your personal knowledge, MTP protocol instructions are bunch of hex codes and [U]they use bulk transfers for all of the MTP instructions[/U].
[SIZE="5"]Required items - Gathering[/SIZE]
- Working Kin
- Windows OS as host OS
- USB sniffer / monitor (I like Usblyzer, has trial for 30 days)
- CPU with virtualization capabilities (google how to check)
- Vmware
- Mac OSX image dvd (Snow leopard)
- Software & registration from MacSpace for Kin Media Sync
[SIZE="5"]Procedure[/SIZE]
- Unplug the kin & close all zune software opened.
- Install OSX in an vmware machine
- Install and setup Kin Media sync for mac
- Kill the process that launches zune when you plug the device ("ZuneLauncher.exe")
- Plug the kin now. Use a port where no other device is, so try to put it not together with other usb device like mouse/keyboard which could send packets and confuse the capture.
- Install and setup usb sniffer for windows.
--- Set it to sniff/capture at the USB port where the kin is (it's a tree view structure, so easy to see where to put the check). [U]Dont do it at the left of the KIN device!!![/U] do it on the bus/port as you will disconnect the kin later. Press start capture.
--- Open the zune software and visually check that the sniffer is capturing data (eeeeeeeeeeeeaaaaaaasssssyyyyyyy as it appears there). If it doesnt, you'r doing it wrong, probably cause the port/bus issue.
--- Close zune
--- Reset the capturing (stop, dont save, start).
- Open the virtual machine if it isnt.
- In the virtual machine you should have Kin Media Sync installed, which autolaunches if you have plugged the phone (virtually).
- In the virtual machine window bottom right (vmware border) you will see an item with usb icon. Hover over it and see if the tooltip says KIN. If there are more, look for the right one. Right-Click on it and pick "Connect (Disconnect from host".
- Hopefully, the usb sniffer on Windows would turn mad and begin capturing data, while Kin Media Sync is opening on the OSX virtual machine.
- I cant remember if it does put the label "Connected" at the Kin (you should remember that window from the Zune syncing :P). If it does, close Kin Media Sync and stop the capture on the windows usb sniffer. Else, do a sync before closing (doesnt matter what).
- Save the captured log as a file (in my case, Usblyzer file).
[SIZE="5"]Yeah, but why this is better than other software?[/SIZE]
Other users (and myself) have tried software that uses the MTP software which has some success on getting info from the device but fail when it comes to do reading or writing to the device.
I guess it's probably because the rest of the protocol, the private part that microsoft uses (MTPz) has some control values through the usb that turn on/off device properties, among ones is the one to write/read files.
My first idea was to understand this through the Zune software, but as i said many times, it uses DRM (Janus) to protect the songs (sigh!) and the mtp specification varies if using DRM protection, so i can never find out a way to solve it, without hacking the Zune software cryptography itself (not my intention at all) or became an old man finding how to bypass it. In any case, the Zune software does a RSA challenge-response handshake to the kin before calling to MTP-OpenSession, i can assure that, so its out of reach.
On the other hand Kin Media Studio for the OSX has no official DRM and it can just do easy syncing, so it's pretty much obvious for a dev guy (i am, haha) that its an easiest way to replicate. So i tried to go that way and i was correct, so it just does normal operations through usb and control interrupts.
The problem is that the native sniffers from OSX only capture 16 bytes of data through the usb bus, so messages over that cipher were not reachable for me at the moment. I contacted apple USB master guys about getting a bigger limit, and the resumed answer was something (just much more politely) like: "you'r screwed & stuck with 16 bytes".
So the only approach is to emulate Kin Media Sync in an OSX virtual machine under a windows os machine for the best sniffer software. Another bad point for the fruit logo machines.... (and i'm an owner... imagine a hater!). Here is why I stopped, as my normal working device (laptop) is kinda old and has no VMX/virtualization support, so i couldnt setup the virtual machine for OSX, stopping all the needed setup.
[SIZE="5"]From sniffed data to magic[/SIZE]
At this point, comes the complicate part. Understanding & testing the packets sent to the device to make things work. This is the part where i was going to operate with a new device or my current one if it wasnt bricked/stuck.
The problem appears with this structure (what is on the logged sniffed session):
- Plug the device
- Device <-> OS Handshake (Interrupt/Bulk transfers possible)
- Kin media sync queries (Interrupt transfers)
- Kin media write/read enable (Interrupt transfers)
- Kin media MTP Open session (Bulk transfer)
- Kin media MTP GetStorageInfo (Bulk transfer)
..... more MTP xxxxx (bulk transfer)
- Kin media MTP Close session (bulk transfer)
- Kin media write/read disable (Interrupt transfers)
- Kin media bye bye sync queries (Interrupt transfers)
(if unplugged, the ones below)
- Device <-> OS Goodbye (Interrupt/Bulk transfers possible)
- UnPlug the device
As some of you may realize, normal MTP software used didnt make the "read/write enable" cause the kin is not a standard device. So they fail. Once some person identifies which of this interrupt values make the kin "Connected" window shown and also enables it to be writable, profit comes.
So to test this and later make it published, you need a program to communicate with the device itself and do what some of you called "send hex codes to the kin" (which technically is "bulk and interrupt transfering values to the kin")
There seems to be none, so i code one from scratch and could polish it a bit and giveaway as a Netbeans C++ proyect.
I had some success and it works ok as i reused it(almost all the code) to operate my G15 on linux, iluminating keys and using the LCD pixels.
[SIZE="5"]This can brick my device?[/SIZE]
The short answer to this is NO. The long answer is no again, but cannot be sure of what happens enabling the the device settings while testing. It may become frozen and need to be restarted for example.
During the few test i made, mine refused to operate within my usb program and it was autosolved by libmtp-tools, which did a protocol reboot and it just work as is without doing nothing.
Anyway, i was aware that it was better than getting stuck with the phone "as is".
mmm All being said above, i just leave space for you guys to think what you wanna do with the info and questions that may appear.
Thanks but Hardware Virtualization came up as a no on my laptop.
I hope someone else tries.
I know I know I have to change my username as there are many similar and it gets confusing.
Thanks for taking the time for all the above text
I had a quick read-over what you put, but haven't looked at everything in detail. My wife had a baby yesterday morning, so I'm finding myself rather busy as of late.
Anyway, I'm more than happy to run some tests. Here's what I have access to right now (at home), with much more available when I get back to work in two weeks:
XPS m1530 laptop running x86 Windows 7 (dual-boot to Ubuntu 10.10 running as the Joli OS front). No Hardware Virtualization available for this system, though it can run VMWare for 32-bit Windows OS's.
Macbook Pro (Intel 64-bit archetecture) running 10.6.7 Snow Leopard. Can set up virtual machines if needed, using VMWare, but I'm not sure if that's necessary or not.
Powerbook G4 (PPC) running 10.5.x (latest 10.5 build). Can't run virtual machines, but can be used if another source is helpful to trace.
My personal KIN TWOm running the M OS build. Can technically be reverted back to the TWO (non-M) OS, but I'd rather not lose everything as it's my working phone.
My wife's TWOm, not activated. I can probably play with this more, as she isn't ready to use it yet, but I'd be in trouble if I bricked it.
At work, I have access to a number of different computers and OS's, as needed. I don't think this would be necessary, but they are still there.
John, can I ask where you're at? I've gotten the notion that you're not in the US, as you've said you don't have access to a CDMA network. Is there any way we can get your phone to a US Verizon store for assistance?
klamation said:
Macbook Pro (Intel 64-bit archetecture) running 10.6.7 Snow Leopard. Can set up virtual machines if needed, using VMWare, but I'm not sure if that's necessary or not.
Click to expand...
Click to collapse
This has hardware capabilities (VMX feature), but you should have to install XP (or 7) through bootcamp and then install the OSX there, as the host must be windows. Anyway, you'r "lucky" as 64 bit machines can get up to 32 bytes from the usb bus, so 2x my limitation (not enough but more).
klamation said:
John, can I ask where you're at? I've gotten the notion that you're not in the US, as you've said you don't have access to a CDMA network. Is there any way we can get your phone to a US Verizon store for assistance?
Click to expand...
Click to collapse
I'm from Europe, so most phone network is common GSM with some 3G implementations. I didn bought the phone from verizon, so have no relation to them and hence, no way to give them the phone expecting a working return (why should they in any case?).
johnkussack said:
This has hardware capabilities (VMX feature), but you should have to install XP (or 7) through bootcamp and then install the OSX there, as the host must be windows. Anyway, you'r "lucky" as 64 bit machines can get up to 32 bytes from the usb bus, so 2x my limitation (not enough but more).
Click to expand...
Click to collapse
After I read the details of what you want to do, I thought the same thing. I have 64-bit Windows 7 set up on a bootcamp partition (I actually use VMware Fusion to run it, most of the time, but can natively boot into it, if I need). I have never been successful at setting up an OSX VM though, as it's not officially supported. If you have any reference on how to do it, I'm all ears. I'll do more research into it after posting this.
johnkussack said:
I'm from Europe, so most phone network is common GSM with some 3G implementations. I didn bought the phone from verizon, so have no relation to them and hence, no way to give them the phone expecting a working return (why should they in any case?).
Click to expand...
Click to collapse
Considering the phone is less than a year old, it should still be under warranty. I know I've taken phones into their stores before and had them reimage them. I should try that with the KIN to see if they can do it (if the stores actually have the ability to reimage a KIN phone, indicating they have a ROM of it)
I could assist, I have a tri-boot of vista, 7, and OS X.
I doubt that there is a 128 bit processor emulator, let alone the OS...so wouldn't a solution be to use the same technique ,but "freeze" the process to collect data being transferred?
When I mean freezing, I mean slowing the USB data transfer speeds (using hardware underclocking, on the computer and/or phone)
@klamation
http://www.redmondpie.com/how-to-install-os-x-snow-leopard-in-vmware-windows-7-9140301/
Also, it could be a hackintosh image, i guess. At least if it is able to install the kin media sync software...
awesome71717 said:
...
Click to expand...
Click to collapse
i didnt understand anything beyond the 1st line.
there is no need to slow anything as it was a OSX kernel limitation thing, period.
John,
Why do we need 64bit vmx capability to capture messages when the Zune Software is successfully messaging with 32 bit on windows machines? Obviously I am missing something important.
Dave
kintwouser said:
....Dave
Click to expand...
Click to collapse
You'r missing a more detailed reading of the first post.
Quoteing myself:
My first idea was to understand this through the Zune software, but as i said many times, it uses DRM (Janus) to protect the songs (sigh!) and the mtp specification varies if using DRM protection, so i can never find out a way to solve it, without hacking the Zune software cryptography itself (not my intention at all) or became an old man finding how to bypass it. In any case, the Zune software does a RSA challenge-response handshake to the kin before calling to MTP-OpenSession, i can assure that, so its out of reach.
Click to expand...
Click to collapse
John, I was talking about halting the processor of the phone to allow the cache of data to be recorded and cleared. Once cleared, the processor will resume and the cycle can be repeated until the data is fully collected.
Anyway, has anyone found a jtag port on the board?
awesome71717 said:
John, I was talking about halting the processor of the phone to allow the cache of data to be recorded and cleared. Once cleared, the processor will resume and the cycle can be repeated until the data is fully collected.
Anyway, has anyone found a jtag port on the board?
Click to expand...
Click to collapse
I guess that it would be feasible in a parallel universe. And not mentioning that it's a host os "problem" (st#### OSx), not the phone fault.
Also please posting random ideas without thinking about what you say. A jtag? really?
And in the random case where you can plug one JTag cable/homemade adapter.... how the hell will you use it? with what program? with what known hardware specific schematics?
We cannot handle a USB writing... forget about other access...
Trying to start up Mac OSX 10.6 on a dell 630 laptop but keep getting a cpu has been disabled by the guest operating system error. Maybe I can get a newer copy of MAC that will work.
@ kintwouser
If you are having problems, look for kexts oriented around vmware or your own hardware if you're using hardware acceleration.
@John
Ah. Well then I'll just hop into my Delorean that I modified to travel to alternate dimensions, rather than just through time.
Ok ok I'll try to resist irking you any further.
I just reread the Kin Media Sync to asure it, and you can install it over a 10.5.6 Osx which is the labeled "Leopard" (as is), so i guess easier to get.
Maybe a little hackintosh image would do the same thing, as we dont really need compatibility... as long as the Media Sync works i wouldnt care about having audio on the virtual machine, or networking.. whatever.
On my own plain of existance, i tried to follow the url i posted and went till 95% of the installation, but Virtual machine didnt keep installing, so i had to turn the pc (was about 3 hours). I guess i will try with another different image or my official leopard dvd's.
It's kinda weird in my case, using a macbook with windows to vitualize a OSX... haha.
I've been trying to install SL for about 30 hrs now with no success. I've tried three different versions. VMware 7 is OK here but ACPI errors keeps disabling the CPU during osx install. I have edited the vmx file to no avail. Some suggested that I need kext files but I can't install them if osx isn't installed. I'll keep trying as it is a quest now.
don't know if i am breaking the agreements of this forum since i didn't read it (ala the latest south park episode) but here:
http://tehparadox.com/forum/f51/snow-leopard-10-6-6-vmware-hackintosh-newbies-1973493/
No editing needed. You just need to get VMware Workstation from the official site and use that custom vmware osx image. I have tested it and it works. Now if only I had the phone I could really do some testing.
zero2duo said:
don't know if i am breaking the agreements of this forum since i didn't read it (ala the latest south park episode) but here:
http://tehparadox.com/forum/f51/snow-leopard-10-6-6-vmware-hackintosh-newbies-1973493/
No editing needed. You just need to get VMware Workstation from the official site and use that custom vmware osx image. I have tested it and it works. Now if only I had the phone I could really do some testing.
Click to expand...
Click to collapse
Great find, i'm downloading it atm. Well, i think they could have chosen a (mega)better site but's ok. Queued downloads.
I will try the "installation" in my bootcamped windows XP plus vmware and then kin media sync.... Now I need a phone too, heehehehehe.
John,
I got a 10.6.7 VM running on my Win7 bootcamp partition. I followed the steps you mentioned and was able to capture some USB sniff/trace logs of browsing the device and copying a file. (inexperience during the initial sync missed the bulk of the sync).
You can find the file at www.kyleandelin.com/KIN - let me know if this helps or if you need something more?
Phew, i saw a little pack of problems hahaha (unexpected!)
While i stopped doing this, there was a new version released (2.0) and its format is not readable with 1.6 (version i have).
Installing 2.0 didnt solved the issue, as it says that was captured with a 64 bitOS version and it's not compatible with 32 bits version..... The 2.0 is the first one that included the support for 64 bits.
Man, this is all against us haha.
So... possible solutions:
- Install v1.6. May not work on 64bit os
- Install v2.0 as 32 bit verison. May not work on 64 bits or may be autoinstalled and set to 64bits.
So... what to do from here:
Please, confirm my theory before going further.
- Perform a capture from unplug state (needs to be from start). Must include the plugin till kin shows the connected status.
- Stop the capture session.
- Check the captured data in usblyzer.
- Look for the first "Request" column with "Bulk or Interrupt transfer" value.
--- If there is no suck column in all the capture session, the whole process is futile (no MTP protocol would have been transfered) and we should rethink our options.
--- If there is, please check that its column "Raw data" contains at least "10 00 00 00 01 00 02 10 ... " or a very close value.
If i'm right, and the column matches, it means that usblyzer has successfully captured the mtpz OpenSession request. Also, if it was that way, the "magic" instructions would be the before it.
If there are more than 1 and it's not the first one, please check for it .
I am finally gonna get a new (working) device, so i think that things are going to be a bit fun in some time.....
This time, just MTP, no Qualcomm random options testing.. (hahahahaha)
Hi, I was wondering if anybody had compiled any information on MTPZ in regards to its usage on Windows Phone 7. Based on preliminary review of the Mac OS X Connector application, the authentication process for MTPZ + Zune is at least somewhat different for MTPZ + WP7.
I've essentially reverse engineered the Zune variety of the MTPZ protocol (which you can read about if you head over to my blog), and I was planning to look into MTPZ on Windows Phone since that might have a larger target audience, but I was hoping to gather some information first:
How is MTPZ used on WP7? Is it what allows one to move files back and forth to the device? In addition, what is an MTPZ session with a Windows Phone device like? Is it just MTPZ authentication operations initially followed by regular MTP (as is the case for Zune devices), or are there MTPZ operations used throughout a session?
What does the Zune software allow you to do with Windows Phone devices? I don't have one of my own.
Has anybody captured a USB/MTP session of the Zune software's communication with a Windows Phone device?
Also just for when/if I begin looking into the protocol:
Do the WP7 emulator images include MTPZ implementations?
Would it somehow be possible to use the emulator image to simulate an actual USB Windows Phone device?
Thanks so much for any information.
Sounds like a great project! I can't answer all your questions right now, but a few of them certainly...
MTPZ allows syncing media files (music, video, picture) to and from WP7. I believe it is also used for changing certain phone settings. In this way, it is very similar to Zune players.
I believe MTPZ is also involved in both the official dev-unlock procedure (the Microsoft developer registration tool requires that Zune be running and have connected with the phone) and app deployment (same restriction). I'm not sure about those - it miht be something else that Zune does - but it seems likely.
There are some other possibilities of things you might do with access to the phone (check it for update availability, wipe the phone, configure WiFi sync, rename it, etc.) It also might be possible to change other settings not visible int he GUI, or to access information that is normally hidden (one awesome possibility would be the encryption key used for the backups, though that's a long shot).
Honestly, just finding a way to run the WiFi sync on-demand would be brilliant. Another very cool option would be to directly modify the artist background images and such on the phone.
As for the emulator, it does support app deployment, but I think that's the only thing from the above list that is supported on it. I don't know how much, if any, of MTPZ is implemented in it. It's probably worth trying (it's free, after all) and considering that it's a VM, it's entirely possible that it does use a virtual USB connection (or some other link that you can tap).
Good luck!
Thanks for the reply.
Okay, so MTPZ is at least used for syncing the media files and all that? That's good to know, do you know if those are transferred via regular MTP commands?
Ah, based on the information there about requiring the Zune software running and connected, I'd also venture to say that it's likely, especially considering the plethora of MTPZ and other non-standard MTP opcodes, like "MTPZ_OPCODE_MARKETPLACE_SET_CREDENTIALS".
So it definitely seems that MTPZ was amended to include a bunch of WP7-specific operations, contrary to the handshake-only operations that comprised MTPZ for the Zune.
If the emulator supports app deployment, and that seems to require an MTPZ connection (and therefore the MTPZ authentication), so I think it would be fair to say that I would at least be able to debug a live authentication session. That being said, I'm still unsure of how I would go about using the emulator image to imitate a real, physical WP7 device connected over USB (much the same way that ISO disc images can be used to imitate physical discs) so that the Zune/Mac Connector software believes it is connected to a device. Hopefully somebody can shed some light on if that's possible and how to go about it.
Currently I'm doing a static analysis of the Mac OS X Windows Phone 7 Connector application to get some preliminary notes on the authentication process.
KBHomes said:
Hi, I was wondering if anybody had compiled any information on MTPZ in regards to its usage on Windows Phone 7. Based on preliminary review of the Mac OS X Connector application, the authentication process for MTPZ + Zune is at least somewhat different for MTPZ + WP7.
I've essentially reverse engineered the Zune variety of the MTPZ protocol (which you can read about if you head over to my blog), and I was planning to look into MTPZ on Windows Phone since that might have a larger target audience, but I was hoping to gather some information first:
How is MTPZ used on WP7? Is it what allows one to move files back and forth to the device? In addition, what is an MTPZ session with a Windows Phone device like? Is it just MTPZ authentication operations initially followed by regular MTP (as is the case for Zune devices), or are there MTPZ operations used throughout a session?
What does the Zune software allow you to do with Windows Phone devices? I don't have one of my own.
Has anybody captured a USB/MTP session of the Zune software's communication with a Windows Phone device?
Also just for when/if I begin looking into the protocol:
Do the WP7 emulator images include MTPZ implementations?
Would it somehow be possible to use the emulator image to simulate an actual USB Windows Phone device?
Thanks so much for any information.
Click to expand...
Click to collapse
Hi, there were some work on MTPz done by biktor_gj, donpromillo and me on the Nokia Lumia 800 Full Unlock thread (discussion started around page 76, tryouts around page 78-80).
So far, we know that Zune performs operating system backup and restore, send applications and software updates (cab and xaps) and flash updates (FFUs).
donpromillo and biktor_gj have sniffed USB traffic for the backup process.
Thanks for your work on MTPz reverse-engineering!