[Q] How to add my app to mpap_HTC_MASD_01.provxml? - Windows Phone 7 Development and Hacking

in mpap_HTC_MASD_01.provxml is:
for sample:
<wap-provisioningdoc>
<characteristic type="AppInstall">
<characteristic type="{5edbdbbc-2ab2-df11-8a2f-00237de2db9e}">
<parm name="InstallInfo" value="/windows/HTC_ConnectionSetup.xap;/windows/HTC_ConnectionSetup_License.xml;{c8a5044a-c22e-4d79-94ea-8f2c7e84c84b};{004fdf1d-8e10-4306-897b-3acc46c3002b}"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
now how to add my app(for sample HTC Compass) in this file for my cooked rom?
please help me my friends

please help me my friends
help me pro's

<characteristic type="{ProductID}">
<parm name="InstallInfo" value="AppAdress;AppLicenseAdress;{Idontknow};{Idontknow}"/>
Please help me

It may only work for marketplace-signed apps (i.e. ones with licenses). Of course, the phone has code to install an unsigned application - I just don't know how to invoke it using XML provisioning.
Out of curiosity, what are you plannning to use this for?

As far as I know there is no documentation for installing unsigned xap´s via provxml.
I has to be possible because DFT team has enabled this feature in its HTC custom roms.
So what you can do is writing a pm to mwang or Cotulla, maybe they can help you...

ok tnx
now not the other way to add my app in my rom for auto install?

Hey could you post the answer? Also where is the liscence.xml and the two last id's found?

Related

Extended Rom does not start

hi,
I have try a ExtRom to provide with HTC ExtRom builder.
Unfortunately do not start Rom, therefore I wanted to ask whether me someone help can the cause to find.
A How ton of which I in the XDA Dev. Himalaya forum did not find helps me unfortunately.
In the ExtRom are the following files:
Autostart.exe
Cinfig.txt
3G_Dialer.cab
Htc_default.tsk
cusTSK.exe
MSFT_Logo.bmp
SetHSDPA.exe
contents of Config.txt:
SHOW: \Extended_ROM\MSFT_Logo.bmp
LOCK: Enabled
Hide: Enabled
EXEC: \Extended_ROM\SetHSDPA.exe /Enable
EXEC: \Extended_ROM\cusTSK.exe \Extended_ROM\Htc_default.tsk
CAB: \Extended_ROM\3G_Dialer.cab
LOCK: Disabled
RST: Reset
the appropriate Registry entry looks in such a way:
[HKEY_LOCAL_MACHINE\Comm]
"AutoRunType"=dword:00000000
"BootCount"=dword:00000001
"AutoRunCFG"="\\Extended_ROM\\config.txt"
"AutoRun"="\\Extended_ROM\\autorun.exe"
Where does the error lie?
Did I forget something?
What has to be still considered?
I thank for each assistance.
with friendly greet
Starbase64
normally all the info you need should be in mxipupdate_zzPIED_101.provxml in \Windows and edit that before cooking.
i.e.
<characteristic type="FileOperation">
<characteristic type="%CE4%\CheckAutoRun.lnk" translation="install">
<characteristic type="Copy">
<parm name="Source" value="\Windows\CheckAutoRun.lnk" translation="install"/>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="Registry">
<characteristic type="HKLM\Comm" >
<parm name="AutoRunCFG" value="\windows\Config.txt" datatype="string" />
<parm name="AutoRun" value="\windows\AutoRun.exe" datatype="string" />
<parm name="EnableNewMailAccount" value="0" datatype="integer" />
</characteristic>
</characteristic>
<characteristic type="Registry">
<characteristic type="HKLM\Software\Microsoft\Welcome" translation="filesystem" >
<parm name="Disable" datatype="integer" value="188" />
</characteristic>
</characteristic>
dan1967 said:
normally all the info you need should be in mxipupdate_zzPIED_101.provxml in \Windows and edit that before cooking.
i.e.
<characteristic type="FileOperation">
<characteristic type="%CE4%\CheckAutoRun.lnk" translation="install">
<characteristic type="Copy">
<parm name="Source" value="\Windows\CheckAutoRun.lnk" translation="install"/>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="Registry">
<characteristic type="HKLM\Comm" >
<parm name="AutoRunCFG" value="\windows\Config.txt" datatype="string" />
<parm name="AutoRun" value="\windows\AutoRun.exe" datatype="string" />
<parm name="EnableNewMailAccount" value="0" datatype="integer" />
</characteristic>
</characteristic>
<characteristic type="Registry">
<characteristic type="HKLM\Software\Microsoft\Welcome" translation="filesystem" >
<parm name="Disable" datatype="integer" value="188" />
</characteristic>
</characteristic>
Click to expand...
Click to collapse
Contents of my (mxipupdate_zzPIED_101.provxml) file are identical to this.
But do not start it.
wfg
S64
try to put this config.txt in dump and recook.
cheers
dan
just a though - I don't have my laptop in front of me - but you need a link in your starup folder to launch it on first boot. After first boot, it will remove the link. You might peek at the PreConfig packages to get an idea about setting up the link in the initflashfile.txt - as well as the other files needed.
I hope that the will point you in the right direction anyway.
I do not think it will work like that. The startup is triggered by that provxml file and it reaches for config.txt or preconfig.txt (or not!). You need at least one of them in dump and inside it you made the call for the config.txt on ext_rom.
I have struggled with it a lot in the past and really did not find another way. It might exist but I do not know it.
I have everything on ext_rom and therefore I depend heavily on it launching after HR.
cheers,
dan
goto OEM---->OEMOPERATORS folder and make sure your "Preconfig.txt" file has this "EXEC:\Extended_ROM\autorun.exe" line right after the "Hide:Enabled" line, save, build OS and flash, see if that works!
I have all refer to converted, but does not start
wfg
S64
Cinfig.txt is a typo here only?
here is the my config.txt
SHOW: \Extended_ROM\MSFT_Logo.bmp
LOCK: Enabled
Hide: Enabled
EXEC: \Extended_ROM\autorun.exe
CFG: \Extended_ROM\Config.txt
EXEC: \Extended_ROM\SetHSDPA.exe /Enable
EXEC: \Extended_ROM\cusTSK.exe \Windows\Htc_default.tsk
CAB: \Extended_ROM\3G_Dialer.cab
LOCK: Disabled
RST: Reset
EXEC: \Extended_ROM\autorun.exe should be discarded
dan1967 said:
EXEC: \Extended_ROM\autorun.exe should be discarded
Click to expand...
Click to collapse
It does not function, all the same whether with or without this entry.
wfg
S64
if the 3 files, provxml and 2 config.txt files are right, than I am sorry to say but I am out of solutions for you.
dan
second thought,
if you use the os version that uses the additional ext_rom space (as i see in your sig) I think your ext_rom is out (overwritten) and the discussion here is useless, but I have no idea as I haven't tried myself these roms .
"new registry tweaks
- beam disabled
- show Band, PIN2, Time Zones, TTY Pages
- enable DTMF support
- enable EDGE Icon
- set Bluetooth name HTC_TyTN
- set Bit pool to 64
- disable ExtRom"
I put on now a OEMOperators Package.
Property me copied from of another Rom, works very well.
I would like to thank you micht for your assistance and pieces of advice.
wfg
S64

UC Compliance

Cookers, how about some UC compliant ROMS? To me, this system addresses one of the key issues in flashing a new setup. Seems like a no brainer...why so few takers?
Thanks for your work!
Can anyone list compliant ROMs?
UC Compliant
Wilberry lists itself as UC compliant. When I flashed it, it did attempt to load the fils in the sdconfig.txt listing but, it did not load anything. I am not sure what the problem was and my bad was that I never pointed it out to them.
Z
I'd never heard of UC Compliance until now, but after reading up about it I think it's a great idea and hope more ROM chefs start adding it.
If you're like I was and had no idea what it is, then I've assembled the relevant links below for you:
For Users:
Rom Flashing Junkies: User Customisation is here!
XDA-Wiki - Auto Run
For Chefs:
ROM Chefs: SDAutoRun gives customization to everybody!
Now that you've read those and know about it.. make sure you let your favourite chef's know that UC support is important to you!
I'm using Wildberry myself, so I could've taken advantage of this - but I've been using a modified Sashimi setup instead to configure my roms after install.
How is your day to day stability and bug status on Wildberry?
Radix999 said:
I'd never heard of UC Compliance until now, but after reading up about it I think it's a great idea and hope more ROM chefs start adding it.
If you're like I was and had no idea what it is, then I've assembled the relevant links below for you:
For Users:
Rom Flashing Junkies: User Customisation is here!
XDA-Wiki - Auto Run
For Chefs:
ROM Chefs: SDAutoRun gives customization to everybody!
Now that you've read those and know about it.. make sure you let your favourite chef's know that UC support is important to you!
I'm using Wildberry myself, so I could've taken advantage of this - but I've been using a modified Sashimi setup instead to configure my roms after install.
Click to expand...
Click to collapse
I don't believe UC works properly on Diamonds because of Internal Storage. See here.
Sashimi works fine and can now even be cooked in to a ROM providing Sashimi Compliance (SC). For more info see here.
TraderJack said:
I don't believe UC works properly on Diamonds because of Internal Storage. See here.
Click to expand...
Click to collapse
Sure, its working pretty here in my ROMz..
Unchained said:
Sure, its working pretty here in my ROMz..
Click to expand...
Click to collapse
Are you renaming your device's Internal Storage to "Storage Card" in order to get it to work?
DrewVS said:
How is your day to day stability and bug status on Wildberry?
Click to expand...
Click to collapse
I've had Wildberry on for a few weeks now (since it first came out) and the only bug I've encountered is that I can't pick a wallpaper for TF3D (comes up with a blank selection when I choose it, no matter what directory I pick).
Other than that it's been rock solid stable, very fast, and runs sweet.
TraderJack said:
Are you renaming your device's Internal Storage to "Storage Card" in order to get it to work?
Click to expand...
Click to collapse
I noticed the Wildberry rom does that. That's probably why they're able to claim UC compliance.
Why arent we convincing more ROM cookers to do this? It saves hours of setup, and as such is more valuable than any other feature that I can think of. Why the resistance to adopt?
No.. Its still Internal Storage called..
That is a very trivial issue that has long since been addressed. Several ROMs work just fine with it.
Unchained said:
No.. Its still Internal Storage called..
Click to expand...
Click to collapse
In OEMDRIVERS/LANG/ there are values for the Storage Card name.
These need to be changed to Internal Storage (there's no SD slot anyway)
These are the values the SDAutorun reads and needs.
I got UC running just fine.
Code:
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\PCMCIA]
"Name"="PCMCIA/Compact Flash Device"
"Folder"="Internal Storage"
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\SDMemory]
"Name"="SD Memory Card"
"Folder"="Internal Storage"
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\moviNAND]
"Folder"="Internal Storage"
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\MMC]
"Name"="MMC Card"
"Folder"="Internal Storage"
NL
Code:
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\PCMCIA]
"Name"="PCMCIA/Compact Flash Device"
"Folder"="Intern geheugen"
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\SDMemory]
"Name"="SD Memory Card"
"Folder"="Intern geheugen"
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\moviNAND]
"Folder"="Intern geheugen"
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\MMC]
"Name"="MMC Card"
"Folder"="Intern Geheugen"
Check these Values in the Rom using Registry editor.
If they are off that explains why UC ain't working.
The thing is that there are a few of these values in the Top of the RGu files.
But further down they are there again, and they all need to be changed.
I haven't flashed their ROM so i can't say what they are doing or if it's working.
But these are the values and the way it should be.
(i requested to SLEUTH, maker of UC To let SDAutorun first check for the name [HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\SDMemory]
"Name"="SD Memory Card", for Localized ROM versions, half a year ago, so the solution is in the first 5 pages of the UC cooks thread)
That's why it doesn't look at the NAND Flash name.
This should help get more UC supported ROM's out
UC is easy
I do it this way:
At first - registry tweak in the cooked ROM:
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\moviNAND]
"Folder"="Storage"
"AutoPart"=dword:00000001
"AutoFormat"=dword:00000001
"Name"="moviNAND Card"
After - provxml file (it starts later, return "Internal Storage" name) Also, you can put in it another tweaks. Start TF3D, disable security etc. My full listing:
<wap-provisioningdoc>
<characteristic type="Registry">
<characteristic type="HKLM\System\StorageManager\Profiles\moviNAND" translation="filesystem">
<parm name="Folder" datatype="string" value="Internal Storage"/>
<parm name="AutoPart" datatype="integer" value="1"/>
<parm name="AutoFormat" datatype="integer" value="1"/>
<parm name="Name" datatype="string" value="moviNAND Card"/>
</characteristic>
<characteristic type="HKLM\Software\OEM">
<parm name="ROMVersion" value="1.93.Light" datatype="string"/>
</characteristic>
<characteristic type="HKLM\Software\Microsoft\Today\Items\TouchFLO 3D" translation="filesystem" >
<parm name="Enabled" datatype="integer" value="1"/>
<parm name="DLL" datatype="string" value="ManilaToday.dll" />
<parm name="Ordered" datatype="integer" value="0" />
<parm name="Selectability" datatype="integer" value="2" />
<parm name="Type" datatype="integer" value="4" />
</characteristic>
<characteristic type="HKCU\Software\HTC\Manila" translation="filesystem" >
<parm name="AutoLaunchToday" datatype="integer" value="1" />
<parm name="EnableLandscape" datatype="string" value="true"/>
</characteristic>
<characteristic type="HKLM\Software\HTC\AdvancedNetwork" translation="filesystem">
<parm name="SupportHSUPA" datatype="integer" value="1"/>
</characteristic>
</characteristic>
<characteristic type="SecurityPolicy">
<parm name="4123" value="1" />
<parm name="4119" value="144" />
<parm name="4101" value="16" />
<parm name="4102" value="1" />
<parm name="4122" value="1" />
<parm name="2" value="0" />
<parm name="4120" value="16" />
<parm name="4103" value="64" />
<parm name="4097" value="1" />
</characteristic>
</wap-provisioningdoc>
and put the all steps in the one "txt-config" file.
I use config_operator.txt ONLY, other config "txt" are absent):
LOCK:Enabled
EXEC:\Windows\AutoShortcut.exe
XML: \Windows\RemoveArrtibMMS_0409.xml
XML: \Windows\finish.provxml ;(file, which return to "Internal Storage")
CFG: \Storage\sdconfig.txt ;(!!!!!!!!)
LOCKisabled
RST: Reset
That's all.
Example of the sdconfig.txt:
CAB: \Storage\Install\Opera_2392WWE.CAB
CAB: \Storage\Install\GMaps.CAB
CAB: \Storage\Install\SoftMaker Office.cab
XML: \Storage\Install\provider.xml
Finish.
Yeah but if the settings are cooked in correctly you don''t need to work around
I have also posted cleaned up OEMProvxml files that replace the regular ones with extra certificates and security settings.
Noonski said:
Yeah but if the settings are cooked in correctly you don''t need to work around
I have also posted cleaned up OEMProvxml files that replace the regular ones with extra certificates and security settings.
Click to expand...
Click to collapse
It' just example, but it works
Return to "Internal Storage" is more useful, then change it in oem modules or somewhere.
UC capable in Diamond
http://forum.xda-developers.com/showpost.php?p=2815602&postcount=222
UC capable is possible in Diamond. You only have to use my modified SDAutoRun.exe.
El Parra
#################
SDAutoRun Diamond compatible
Thanks Sleuth255 !!!!!!!
Well, I detected SDAutoRun fails in diamond. After a lot of tests I found Diamond uses the registry key 'mobiNAND' and SDAutoRun uses 'SDMemory'. Then I edited the .exe with a hex editor and modified the string in it. In my tests this tool has been working really well and I think it should works in any Diamond language ROM. I'm using and Spanish ROM ;-)
http://www.megaupload.com/?d=SUYMR923
NOTE: This version is for DIAMOND or devices with internal storage ONLY
Regards to everybody.
#################
Patched sdautorun? Interesting, thanks!
Will try.
I actually using the unpatched version (SdAutoRun V2.0) with the moviNand storage name changed to "Storage Card" in the SDConfig.txt I use
CAB: \Internal Storage\Cabs\MyCab.cab
instead of
CAB: \Cabs\MyCab.cab
Noonski trick of renaming the rgu entries helped here

Delete this thread, please

I want to specify my own connection settings in the ext rom by replacing or editing a particular file. I just extracted _setup.xml from pp_tmhr_connection_settings.cab that was in the Ext Rom, and have no idea how to read it. I know it specifies all (or most) of the connectino settings for my device, and I can figure out the xml tags and what not, but don't know how to edit or decifer the actual data specified.... as shown below. Someone please help me.
<wap-provisioningdoc>
<nocharacteristic type="CM_ProxyEntries"/>
<!-- Default Connection for Internet -->
−
<characteristic type="CM_ProxyEntries">
−
<characteristic type="HTTP-{0811B893-9F40-4130-80EF-B0C9E0A6FEFA}"> ---->I don't understand this string of characters<----
<parm name="SrcId" value="{0811B893-9F40-4130-80EF-B0C9E0A6FEFA}"/>
<parm name="DestId" value="{436EF144-B4FB-4863-A041-8F905A62C572}"/>
<parm name="Proxy" value="new-inet:1159"/> ---->I don't understand this either<----
<parm name="Type" value="0"/>
<parm name="Enable" value="1"/>
</characteristic>
Click to expand...
Click to collapse

Can't create a CAB with certain files

Hi,
I tried various CAB generator, and everytime I tell it to install a certain file it fails. The CAB can't be installed. It's an executable ment to be run on a PocketPC so I don't understand why it can't be installed through a CAB file.
I tried UPX-ing the file, that failes also.
Is there a way to debug this problem? Or does anyone know why this file gives me these problems? Any help is welcome, I'm out of ideas...
Attached is the file, it's a TSR (ripped from a Via Michelin installation) that detects if AC power is connected or disconnected.
TIA,
Cheers,
/Cacti
Can you attach the cab you are installing?
<characteristic-error type="Extract">
Hi,
I picked up this project again, but still haven't a solution yet.
The setup.log of the installation looks like this:
Code:
<wap-provisioningdoc>
<characteristic type="Install">
<parm name="InstallPhase" value="install"/>
<parm name="AppName" value="Le Cactus CU-S400 Emulator"/>
<parm name="NumDirs" value="1"/>
<parm name="NumFiles" value="1"/>
<parm name="NumRegKeys" value="0"/>
<parm name="NumRegVals" value="0"/>
<parm name="NumShortcuts" value="0"/>
</characteristic>
<characteristic type="FileOperation">
<characteristic type="\Program Files\Temp" translation="install">
<characteristic type="MakeDir"/>
<characteristic type="CarKitMode Detect Helper.exe" translation="install">
[B]<characteristic-error type="Extract"><parm name="Source" value="CARKIT~1.001"/>[/B]
[B] </characteristic-error>[/B]</characteristic>
</characteristic>
</characteristic>
<characteristic type="Registry">
</characteristic>
</wap-provisioningdoc>
Even with this specific error (characteristic-error type="Extract") google doesn't seem to offer an anwser.
I tried looking for other solutions, like self extrecting executables but they alle seem to only work for PC's not for pocket PC's, of need licenses for distribution.
Anyone know the answer to the Extract error, of know of a free PPC SFX creator?
TIA,
Cheers,
/Cacti

WP7 Provxml capabilities Summary

Hi
For now provision xml are the only way to write in all the registry entries on HTC Device,
But this kind of files have the ability to do a lot more.
-The following list shows some of the various capabilities of provxml files.
To Deploy Provxml you have 2 choices for now:
HTC-ProvXml-Deployer
Advanced config 1.1.0.1(sometime doesn't work!!)
-Write Registry key & value
This example Write a key (Registry\HKLM\System\Accessibility), including the associated values and subkeys.
Code:
[COLOR="blue"]<wap-provisioningdoc>
<characteristic type="Registry">
<characteristic type="HKLM\System\Accessibility">
<parm name="CompactMode" value="1" datatype="integer" />
<parm name="TTY" value="0" datatype="integer" />
<parm name="telecoil_UI" value="0" datatype="integer" />
<parm name="telecoil" value="0" datatype="integer" />
</characteristic>
</characteristic>
</wap-provisioningdoc>[/COLOR]
-Delete Registry key
This example delete the key (Registry\HKLM\Software\Microsoft\Test), including the associated values and subkeys.
Code:
[COLOR="blue"]<wap-provisioningdoc>
<characteristic type="Registry">
<nocharacteristic
type="HKLM\Software\Microsoft\Test"/>
</characteristic>
</wap-provisioningdoc>[/COLOR]
-Delete Registry Value
This example delete a value (TestValue) from a registry key (Registry\HKLM\Software\Microsoft\Test)
Code:
[COLOR="blue"]<wap-provisioningdoc>
<characteristic type="Registry">
<characteristic type="HKLM\Software\Microsoft\Test">
<noparm name="TestValue" />
</characteristic>
</characteristic>
</wap-provisioningdoc>[/COLOR]
-Create Folder
This example create a folder (test) into windows folder (\windows\Test\)
Code:
[COLOR="blue"]<wap-provisioningdoc>
<characteristic type="FileOperation">
<characteristic type="\Windows\test" translation="install">
<characteristic type="MakeDir" />
</characteristic>
</characteristic>
</wap-provisioningdoc>[/COLOR]
-Copy File & Change file Attributes
This example copy a file (test.png) from my ringtones folder to windows folder (\windows\Test.png) & ChangeAttributes
R Read-only
A Archive
S System
H Hidden
Code:
[COLOR="blue"]<wap-provisioningdoc>
<characteristic type="FileOperation">
<characteristic type="\Windows\" translation="install">
<characteristic type="MakeDir" />
<characteristic type="test.png" translation="install">
<characteristic type="Copy">
<parm name="Source" value="\My Documents\My Ringtones\test.png" translation="install" />
<parm name="RemoveAttributes" value="RH" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>[/COLOR]
-Set Wifi settings
This example show how to preconfigure your wifi network
Code:
[COLOR="Blue"]<wap-provisioningdoc>
<characteristic type="CM_WiFiEntries">
<characteristic type="My_SSID"> (do not change this value and delete this comment)
<parm name="DestID" value="{A1182988-0D73-439e-87AD-2A5B369F808B}"/>
</characteristic>
</characteristic>
<characteristic type="Wi-Fi">
<characteristic type="access-point">
<characteristic type="YourSSID to insert">
<parm name="DestId" value="{A1182988-0D73-439e-87AD-2A5B369F808B}"/>
<parm name="Encryption" value="0"/>
<parm name="Authentication" value="0"/>
<parm name="hidden" value="1"/>
<parm name="KeyProvided" value="0"/>
<parm name="NetworkKey" value="yourPWD to insert"/>
<parm name="KeyIndex" value="1"/>
<parm name="Use8021x" value="0"/>
</characteristic>
</characteristic>
</characteristic>[/COLOR]
-Add Favorite
This example add 2 favorites in IE
Code:
[COLOR="Blue"]<wap-provisioningdoc>
<characteristic type="BrowserFavorite">
<characteristic type="Favorite1">
<parm name="URL" value="http://www.Favorite1.com/" />
</characteristic>
<characteristic type="Favorite2">
<parm name="URL" value="http://www.Favorite2.com" />
</characteristic>
</characteristic>
</wap-provisioningdoc>[/COLOR]
-set timezone
Code:
[COLOR="Blue"]<wap-provisioningdoc>
<characteristic type="Clock">
<parm name="TimeZone" value="1200"/>
</characteristic>
</wap-provisioningdoc>[/COLOR]
Please submit provxml method you have and I will update this post.
thanks​
Good job!
Thxx a lot to u!!:d
Well, Xml Provisioning has A LOT more possibilities. You can also query registry keys and values, install xap's, filesystem-access, etc. The problem is that the OEM apps do not let us process the return-data. It is processed internally.
The Xml Provisioning functions call this api internally: DMProcessConfigXml. Examples are here and here. If you google, you will find a lot more.
If we have full access to Xml Provisioning and also to the return-data, we have root-access to the device!
DMProcessConfigXml is documented on MSDN. But it is not documented as part of the Windows Phone 7 SDK. However, the api is present on Windows Phone 7. The Windows Mobile 6 SDK has a header file for that function, which can be used.
I wrote a native COM-wrapper for that function and a managed wrapper to call COM. But unfortunately the calls return errorcode 0x800704ec: "Blocked by policy"
I attach a test-app to show what I got now. Keep in mind that this uses native api's. It does not use OEM-drivers or anything.
I'm now trying to get my code called by code that is already elevated. I got some ideas, but it is tricky. So bear with me.
Nice workk Heathcliff74
i've also try to query key without success for now.
have you try to change registry policies maybe this can help!
some test are needed.
i like the way your app work very good job.
there is apppreinstaller.exe in windows folder with ability to install xap from provxml
when you launch it ,this run masd.provxml and deploy oem xap.
i'm looking how this work.
If Oem like connection setup have full access maybe we can patch the dll to allow query!
tell me what you think
xboxmod said:
Nice workk Heathcliff74
i've also try to query key without success for now.
have you try to change registry policies maybe this can help!
some test are needed.
i like the way your app work very good job.
there is apppreinstaller.exe in windows folder with ability to install xap from provxml
when you launch it ,this run masd.provxml and deploy oem xap.
i'm looking how this work.
If Oem like connection setup have full access maybe we can patch the dll to allow query!
tell me what you think
Click to expand...
Click to collapse
Hi XBOXMOD,
I'm pretty sure this has not anything to do with registry permissions. In my example I query a registry key that can be queried using the standard native registry functions without any elevated privileges. So I guess these keys are not protected. I assume that the call to DMProcessConfigXml fails because it checks the signature of the code that invokes that function. Therefore I also don't think that patching the OEM apps is going to work. When the code is patched, the signatures are not valid anymore.
I'm trying to figure out which exact signatures are verified and which signatures are responsible for the elevated privileges to call DMProcessConfigXml. When I know that I could maybe figure out a way to get my native custom code being called by elevated code.
xboxmod said:
Hi
For now provision xml are the only way to write in all the registry entries on HTC Device,
But this kind of files have the ability to do a lot more.
​
Click to expand...
Click to collapse
So why the "Samsung" in the title?
Is there a way to make this work on Samsung devices other than having the file to exist on the Windows folder (which is not possible yet?) ?​
martani said:
So why the "Samsung" in the title?
Is there a way to make this work on Samsung devices other than having the file to exist on the Windows folder (which is not possible yet?) ?
Click to expand...
Click to collapse
I hoped my code (see xap in previous post) would be able to run provxml on all devices. I have a Samsung myself. The code I use there does not use any oem code, so that would not be the problem. I did not expect the calls would be blocked by policies. But it seems there are signatures being verified. I'm working on that (also see previous post).
Heathcliff74 said:
I hoped my code (see xap in previous post) would be able to run provxml on all devices. I have a Samsung myself. The code I use there does not use any oem code, so that would not be the problem. I did not expect the calls would be blocked by policies. But it seems there are signatures being verified. I'm working on that (also see previous post).
Click to expand...
Click to collapse
Well, I hope you get this to work soon, since the code is obfuscated!
martani said:
Well, I hope you get this to work soon, since the code is obfuscated!
Click to expand...
Click to collapse
LOL! That is my code. I obfuscated it.
Heathcliff74
where is stored provxml run by your tool?
is there a way to run my provxml with it?
xboxmod said:
Heathcliff74
where is stored provxml run by your tool?
is there a way to run my provxml with it?
Click to expand...
Click to collapse
Well he has some *obfuscated* provxml strings that get run on the app startup, I am not sure if they are safe or not
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
xboxmod said:
Heathcliff74
where is stored provxml run by your tool?
is there a way to run my provxml with it?
Click to expand...
Click to collapse
At this moment I have the xml's hard-coded in the app. If you post your xml, I will make a version with your xml. But I'm 99% sure it will return the same errorcode, because that error tells me that I'm simply not allowed to execute any xml with the privileges I got now.
I obfuscated my code, because I got a lot of work in that. It's not that I don't want to share at all, but I share only on a need-to-know-base. If anyone wants it, the PM me.
In the xap, there is a "native.dll", which contains the native code that calls DMProcessConfigXml and provides a COM interface. The other dll is the managed silverlight code (obfuscated), that calls on that COM interface.
martani said:
Well he has some *obfuscated* provxml strings that get run on the app startup, I am not sure if they are safe or not
Click to expand...
Click to collapse
Those are simply the xml's you see when you run the app. They are safe. I run 3 xml's. One for reading a regkey, one for writing a regvalue (harmless) and one that tries to install the preinstalled xap of the diagnose app. They all fail with a security error.
Heathcliff74 said:
Those are simply the xml's you see when you run the app. They are safe. I run 3 xml's. One for reading a regkey, one for writing a regvalue (harmless) and one that tries to install the preinstalled xap of the diagnose app. They all fail with a security error.
Click to expand...
Click to collapse
so if i understand for now you app can't deploy provxml even if it's an allowed part of registry?
When i said patch dll of oem apps to allow query.
i talk about htc connection setup because this oem have full registry & file system access using provxml, all command below have been test and work.
xboxmod said:
so if i understand for now you app can't deploy provxml even if it's an allowed part of registry?
Click to expand...
Click to collapse
That is correct. I wanted to make a tool that could use Xml Provisioning for all devices. And I also wanted to use the return-data (for querying registry and other services). So I didn't want to use OEM apps or drivers. I use native code to call the api directly. But apparently you need to be elevated (signed code) to do that. Trying to work around that right now.
xboxmod said:
When i said patch dll of oem apps to allow query.
i talk about htc connection setup because this oem have full registry & file system access using provxml, all command below have been test and work.
Click to expand...
Click to collapse
I guess that is not going to work, because then the signatures will not be valid anymore and you won't get the necessary elevated permissions, as you have now (with unpatched code). Try it. Change a few dummy bytes and see if it still works.
Heathcliff74 said:
I guess that is not going to work, because then the signatures will not be valid anymore and you won't get the necessary elevated permissions, as you have now (with unpatched code). Try it. Change a few dummy bytes and see if it still works.
Click to expand...
Click to collapse
i have already patch htc connection setup dll and it always run with elevated permissions.
My provxml deployer is just an edited version of htc connection.
And it keep his permissions.
the system always believe this is an allowed app.
Oups sorry double post!!
xboxmod said:
i have already patch htc connection setup dll and it always run with elevated permissions.
My provxml deployer is just an edited version of htc connection.
And it keep his permissions.
the system always believe this is an allowed app.
Click to expand...
Click to collapse
Frankly, I haven't seen any of your provxml apps, because they are all htc-specific. I know provxml is extremely useful, bus since I have a Samsung, your app is useless for me. And that's why I was looking for a way to get full access to Xml Provisioning, but I did not expect to get limited privileges.
If you're able to patch the app, then you must probably be using an app that uses oem-specific driver-communication. Because there is a security-hole in there. I already discovered that a while ago (see here, here and here).
If that is correct, then the driver is calling the actual Xml Provisioning and the driver is properly signed for that. The driver is exposing an unsecured interface. The driver itself can't be patched (or you will loose the necessary privileges, since the driver is doing the Xml Provisioning). But the code that is calling the driver can be patched without any problems.
Whether you can use the driver for querying system-information (registry, filesystem, etc) depends whether you are able to get the return-data from the Xml Provisioning. Is the return-data processed by the driver or by the app? If it is processed by the driver, then you can't access it. If it is processed by the app, you can access it when you patch the app.
didnt think anyone was still working on a proper jailbreak, but I would be really interested in hearing what people are trying to get elevated permissions.
indiekiduk said:
didnt think anyone was still working on a proper jailbreak, but I would be really interested in hearing what people are trying to get elevated permissions.
Click to expand...
Click to collapse
I made some real good progress last night. I found some real interresting api's and I got some goodies working already. I need to do a lot more testing to see what is possible. I got good confidence I can get root-access (TCB) with this. Can't say for sure quite yet. Will keep you posted!

Categories

Resources