Develop Bugs

State of WP7 Homebrew - D3D11, Filesystem, Sockets, etc

Hey guys,
There has been a lot of great strides here in learning more about this WP7 and what it's capabilities are! I'm very excited about what everyone is doing!
I'm sure a lot of you have been doing your own tinkering and was hoping to combine some efforts and maybe eventually come up with a solid SDK for home brew applications.
Here is where I'm at with my exploration:
With the COM bridge and Visual Studio 2008 one can develop a native ARM COM DLL to talk to native code from Silverlight.
I believe the ComBridge.RegisterComDll does not really register the COM class in the system registry. I believe the runtime simply caches the clsid and filename and creates the class when the runtime is looking to instantiate the ComImport COM class.
We are able to use wince's win32 API to make operating system calls from the C++ code.
There does not seem to be any security restrictions that I have come across in using the operating system from native code. I will note that without the NETWORKING caps in the manifest, DNS would only resolve cached addresses, but the rest of the sockets worked fine. I do not believe this to be a security measure, but more of a missing initialization method I am not aware of.
We can return other COM interfaces created in our native code and talk to it by implementing the COM interop interfaces in C# ( InterfaceType(ComInterfaceType.InterfaceIsIUnknown))
Currently I have written a sockets library here: dl[dot]dropbox[dot][c][o][m]/u/4165054/PhoneNetworkingSample[dot]zip
I also have the workings of a file system library that I have not completed yet. I realize there is some OEM lib out there that does FS access, but I believe it to be important to homebrew that we make our own.
I recently have been looking into Direct3D 11 API support for the phone. I have successfully created a D3D11 device and passed it back to .NET code where I was able to execute some methods on it. A lot of work needs to be done here. First the device is almost useless if we cannot render to something. I believe I have been able to create a window, but not been able to actually show it. My next method of attack will be to find the hwnd Silverlight is rendering to, hook its WndProc and do our own rendering here.
If anyone else has any information on their hacking, please let us know! You can contact me on this board or on twitter [at-sign]jmorrill.
-Jer

Great work! I will definitely have a look at the sockets source code. This should open up a lot of possibilities for app developers
Sent from my HTC HD2 using XDA App

jmorrill said:
Hey guys,
[*]We are able to use wince's win32 API to make operating system calls from the C++ code.
[*]There does not seem to be any security restrictions that I have come across in using the operating system from native code. I will note that without the NETWORKING caps in the manifest, DNS would only resolve cached addresses, but the rest of the sockets worked fine. I do not believe this to be a security measure, but more of a missing initialization method I am not aware of.
[/LIST]
Click to expand...
Click to collapse
There definitely are security restrictions applied to the native code. This is what I think. Our applications are deployed in the Least Privilidged chamber (LPC) which has dynamic capabilities by the ones we specify when the application is deployed.
<Macro Id="LEAST_PRIVILEGE_CHAMBER_GROUP_NAME" Description="Least Privilege Chamber Group" Value="S-1-5-112-0-0X80" />
and are members of the:
<Account Id="S-1-5-112-0-0X70" Description="All public capability accounts are members of this group" FriendlyName="Public capabilities group" Type="Group" />
There are certain win32 API calls which are allowed but anything which could be used to compromise the OS is only allowed to be called from the TCB chamber.
<Macro Id="SYSTEM_CHAMBER_GROUP_NAME" Description="TCB Chamber Group" Value="S-1-5-112-0-0X00" />
<Macro Id="SYSTEM_USER_NAME" Description="TCB user SID" Value="S-1-5-112-0-0-1" />
For example, loading nativeinstallerhost.exe:
<Rule PriorityCategoryId="PRIORITY_HIGH" ResourceIri="/LOADERVERIFIER/ACCOUNT/(+)/ACCOUNT_CAN_LAUNCH/NONE/NONE/PRIMARY/WINDOWS/NATIVEINSTALLERHOST.EXE" SpeakerAcc ountId="S-1-5-112-0-0-1" Description="Only TCB can launch into this chamber">
I am guessing the LOADVERIFIER is doing this using the code signing certificates. If you check your apps they will be signed with a LPC certificate but if you look ones included in the ROM then they have TCB signing.
I can't see anything that would prevent you from doing socket stuff in the security policy (as you have found). However, it looks like you need:
<Macro Id="ELEVATED_RIGHTS_RESOURCE_GROUP_NAME" Description="Elevated Rights Resource Group SID" Value="S-1-5-112-0-0X14" />
To use raw sockets:
<Rule PriorityCategoryId="PRIORITY_STANDARD" ResourceIri="/RESOURCES/GLOBAL/WINSOCK/RAWSOCKET" SpeakerAccountId="S-1-5-112-0-0-1" Description="Acess to Winsock Ra w sockets">
<Authorize>
<!-- Match loaded from:
<Match AccountId="S-1-5-112-0-0X14" AuthorizationIds="GENERIC_ALL" />
</Authorize>
Would be useful to confirm that this is the case and that this policy is actually being applied

Yep, that reflects the same behavior in Windows on the desktop. Normal socket use is okay, raw requires admin.

Do we have a tutorial on how to create native COM classes?

Also, this url explains why you cannot copy/read some files from the \Windows directory, but can LoadLibrary on them (which is how I load d3d11.dll).
blogs.msdn.com/b/windowsmobile/archive/2007/12/29/why-can-t-i-copy-programs-out-of-windows.aspx
Sorry no tutorial on making COM objects. But basically just create a new smart device mfc dll in VS2008, then add a new ATL class to the project. I modified the COM interface/classes to inherit from IUnknown vs. IDispatch.
I guess I misspoke about the security restrictions. Really what I'm looking for, is to have about the same level of access to the device as any Windows Mobile application has, which is enough to suite most of my needs personally.

Ok, I've just created a native dll and call it from Silverlight.
Once you know what type of project to create it's quite easy. The longest part was to reinstall Visual Studio 2008.
Quick question: how do you handle passing string between native and managed? I have several ways in mid but they all seems very complicated.

(nico) said:
Ok, I've just created a native dll and call it from Silverlight.
Once you know what type of project to create it's quite easy. The longest part was to reinstall Visual Studio 2008.
Quick question: how do you handle passing string between native and managed? I have several ways in mid but they all seems very complicated.
Click to expand...
Click to collapse
Depends. Sometimes you can get away with StringBuilder. Or you can do a string outgument, and create the wchar_t in native code.

What I've done so far is creating wchar_t in native code, return an IntPtr to managed code, use Microsoft.Phone.InteropServices.Marshal.PtrToStringUni to get a string and then call a custom native method to delete my wchar_t array (didn't find a release method).
Seems a lot of work just to get a string...

(nico) said:
What I've done so far is creating wchar_t in native code, return an IntPtr to managed code, use Microsoft.Phone.InteropServices.Marshal.PtrToStringUni to get a string and then call a custom native method to delete my wchar_t array (didn't find a release method).
Seems a lot of work just to get a string...
Click to expand...
Click to collapse
Just stick it in a function, and be done with it. That way you only have to do it once. Don't worry about efficiency; unless it is in a tight loop, the string conversion isn't going to slow you down noticeably.

BTW, I got registry working and started working on a registry viewer.
However, I got access denied when trying to browser most of the node.
For example I can browse HKLM\System\State but not HKLM\System.

(nico) said:
What I've done so far is creating wchar_t in native code, return an IntPtr to managed code, use Microsoft.Phone.InteropServices.Marshal.PtrToStringUni to get a string and then call a custom native method to delete my wchar_t array (didn't find a release method).
Seems a lot of work just to get a string...
Click to expand...
Click to collapse
That isn't necessary at all. Simply define your managed class/interface with the MarshalAs attribute on your params. .NET will take care of the rest.
For example:
HRESULT MyFunction([in] LPWSTR param)
Would translate to:
UInt32 MyFunction(
[MarshalAs(UnmanagedType.LPWStr)]
[In] String param);

Thanks Rafael.
This is nice! How do I do the opposite? I need to create a string in unmanaged and use it from managed code Do I just have to use [out] instead of [in] in your example?
This is much simpler that my method

(nico) said:
Thanks Rafael.
This is nice! How do I do the opposite? I need to create a string in unmanaged and use it from managed code Do I just have to use [out] instead of [in] in your example?
Click to expand...
Click to collapse
Yep, it should match the direction indicated in your COM library's IDL. It basically just drives how Marshaller handles copying of memory, pinning, etc.

You guys are smarter the me at this, obviously, but is there a site where you share your code? because i'm smart enough to use existing code and make something happen..

jmorrill said:
I recently have been looking into Direct3D 11 API support for the phone. I have successfully created a D3D11 device and passed it back to .NET code where I was able to execute some methods on it. A lot of work needs to be done here. First the device is almost useless if we cannot render to something. I believe I have been able to create a window, but not been able to actually show it. My next method of attack will be to find the hwnd Silverlight is rendering to, hook its WndProc and do our own rendering here.
Click to expand...
Click to collapse
Have you checked out ZuneBoards? They've done some work in this area already with their OpenZDK, which looks similar to what we may need to do. Their method of breaking out of the CLI virtual machine is different than ours, but a lot of what they've done is what we want to do, too.

One thing that doesn't work are the typical WinCE graphics functions:
GetDC(NULL) ;
GetDesktopWindow();
LineTo();
GetClientRect();
That is they work, but the root window is empty! 0 wide and 0 tall. The drawing engine (unsurprisingly) is elsewhere.

ajhvdb said:
You guys are smarter the me at this, obviously, but is there a site where you share your code? because i'm smart enough to use existing code and make something happen..
Click to expand...
Click to collapse
Have you gotten anything to compile yet?
Check this one out: http://dl.dropbox.com/u/4165054/PhoneNetworkingSample.zip
And see if you can get it to compile (I would make it an attachment in this post but it's jmmorril's code). I've been using Visual Studio 2008 and the WinCE 6 refresh to compile the com dll: http://www.microsoft.com/downloads/...3A-A651-4745-88EF-3D48091A390B&displaylang=en
Then I copy the com dll over to my visual studio 2010 Windows Phone project, ready to be used. There are probably better ways, but you need to find out at least some way of doing it.

I've managed to create a basic Registry Viewer, readonly for the moment.
For now, I didn't manage to get access to root path, so the first 2 levels are hardcoded.
Download it here: (link removed, see below)
Edit:
Updated version here: http://bit.ly/eEZ0Uf

(nico) said:
I've managed to create a basic Registry Viewer, readonly for the moment.
For now, I didn't manage to get access to root path, so the first 2 levels are hardcoded.
Download it here: http://bit.ly/hOWLnI
Click to expand...
Click to collapse
wow man nice work , could you also make a file explorer ?
edit: here is a direct link http://www.xda-developers.ch/download/?a=d&i=7061084002

[q] xml-rpc & wp7.

In my search to find out a good way (or any way) to post comments on a wordpress article using C# on windowsphone, someone suggested looking into XML-RPC.
Ive done a search & it looks like the right lines, but I have no idea how to actually use it.
Anyone fancy giving me a little example or some sort of push in the right direction about how I can use XML-RPC in my WP7 app.

cris_rowlands said:
In my search to find out a good way (or any way) to post comments on a wordpress article using C# on windowsphone, someone suggested looking into XML-RPC.
Ive done a search & it looks like the right lines, but I have no idea how to actually use it.
Anyone fancy giving me a little example or some sort of push in the right direction about how I can use XML-RPC in my WP7 app.
Click to expand...
Click to collapse
XML-RPC is just reading/writing XML. You could easily just use the built-in Xml classes to build your XML, then use the WebClient to post/receive it from the server. You can use the spec from here to see what XML needs to be generated:
http://www.xmlrpc.com/spec
I don't know of any complete libraries for Windows Phone 7 right now, but you can check this out to get you started:
http://xml-rpc.net/

I've used this silverlight lib called xmlrpc-silverlight. It can be found on google code.
It works perfectly on wp7.
Best regards,
Mateusz

emfor said:
I've used this silverlight lib called xmlrpc-silverlight. It can be found on google code.
It works perfectly on wp7.
Best regards,
Mateusz
Click to expand...
Click to collapse
This will come in handy for one of my projects also, thanks for this!

emfor said:
I've used this silverlight lib called xmlrpc-silverlight. It can be found on google code.
It works perfectly on wp7.
Best regards,
Mateusz
Click to expand...
Click to collapse
Thanks
I found this here: http://code.google.com/p/xmlrpc-silverlight/
But it doesnt seem to have any downloads or code to actually use
Dont suppose you have a copy of it still?

I have too few posts... On the page, go to "Source" tab, than "Browse" and in the "trunk" folder there is file XmlRpc.cs - that's it!
Best regards,
Mateusz

thank you thank you thank you
Found it! Now Im gonna play with it a bit & see if I can get this working ;D

Well, Ive played with it a bit & I think I understand some of it, but I really have never used XML-RPC before & cant get it to work
Any chance you could give me a hint as to how I could post a comment to (for example) this page: http://www.1800pocketpc.com/2011/02/03/fireworks-an-amazing-free-app-for-windows-phone-7.html
Its just a random post from the site Im creating the app for.
On the wordpress page about XML-RPC it says this:
wp.newComment
Create new comment.
If you want to send anonymous comments, leave the second and third parameter blank.
Parameters
■ int blog_id
■ string username
■ string password
■ int post_id
■ struct comment ■ int comment_parent
■ string content
■ string author
■ string author_url
■ string author_email
Return Values
■ int comment_id
Click to expand...
Click to collapse
Sadly Im not quite sure what to do with that. Plus I havent a clue what the "blog_id" or "post_id" would be :/
Ive been coding for 4 years & I still feel like a total newbie half the time >_<

I think something like that shoud work:
Code:
XmlRpcService service = new XmlRpcService("Url_to_the_service");
XmlRpcRequest req = new XmlRpcRequest(service, "wp.NewComment", new object[] {
1,
"UserName",
"Pass",
1,
?,
1,
...
});
req.XmlRpcCallCompleteHandler
+= new XmlRpcCallComplete(req_XmlRpcCallCompleteHandler);
req.Execute(null);
generally this should work. There is an struct element, so you should implement this struct in C# and pass it there...
I don't know WP so i can't help with parameters meaninig...
Good luck!
Best regards,
Mateusz

[IDEA] Why we don't update chevron?

Do you have a locked phone with Nodo?
So, at this moment your chances are:
Restore the phone to previous version (from Zune)
If your device is LG, you can use the integrated registry editor to unlock it
Buy a developer account subscription
What if your country is not supported by the Marketplace to buy a developer account subscription?
Well, you can ask someone to unlock your phone via remote desktop with their account, then apply any relock prevention
You can use Yallapps unlocking service
I was thinking on update chevron for nodo. There is no marketplace in my country to test and check what is the token used by the developer unlocker application from the phone tools.
Recently I discovered yallaapps (where everyone can register and unlock their phones). It is very unfair compared to the standard marketplace rules (you can upload only free apps, and like 3-4 every 80 dollars).
Anyone here have a yallaapps account to share? (via remote-ethernet usb for example) and unlock my phone to check what is the token, and test if microsoft did something to avoid chevron.cer, etc... I can work some nights trying to get an updated unlocker for us.
Comments?

I've thought about this too. But I have an unlocked Omnia 7 now, with NoDo. And I'm kinda afraid to test for locking/unlocking, because it might lock my phone, while not being able to unlock again. Only a restore of backup or reflash firmware would possibly fix that, but I too busy to risk that now. If it wasn't for that I would've tried a couple of things.
With registry access we can set the value of HKEY_LOCAL_MACHINE\Software\Microsoft\DeviceReg\PortalUrlProd to anything we like. Set it to something like this: http://www.wp7unlock.com. That site does not exist, but that doesn't matter. Note that I mention "http" and not "https" to make it easier. Then add this url to the hosts-file on your computer. Open a http-server on port 80 which logs all http-requests. Now run ChevronWP7 unlocker and try to lock / unlock. Note: Don't try this if your device is upgraded to NoDo and unlocked, and you wish to keep it like that. You can grab the exact request. That is the first step. But this may already lock your device, if you got it unlocked. You need an unlocked device in the first place to edit the registry. If you got the exact http-request that is sent by the NoDo-device, you can manually try to send it to the original url: https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/01/2010. Now grab the response. That will be the second step. Having the request and response may already provide very useful information and help us further.
I think the chance of getting your device re-locked is small. But only someone who is doesn't matter restoring a backup or older firmware in order to re-unlock should try this. If someone feels like testing this, we may get a start on unlocking NoDo.
Ciao,
Heathcliff74

I'm just guessing here, I haven't actually done any research into it, but I believe the patch was relating to the certificate - aimed at the fact that ChevronWP7 relied on WP7 accepting an untrusted certificate being used by the unlocking server if that certificate had been installed to the phone's store. Simply doing some basic checking on the certificate to ensure it's from a trusted authority for example, is probably the route Microsoft took, or something along those lines.
I'm kinda busy with other things right now, but I'll have to get a copy of a NoDo ROM at some point and take a peak at the relevant files.

Another possibility is to hide a registry editor in some app and submit it to the marketplace. But soon or later they will notice the trick.
Pretty convenient the LG devices with their integrated registry editor...

The odds of being able to sneak any app with the InteropServices capability into the marketplace is pretty low, I think. Without that capability, you can't access COM, which means no native code, which means no registry editing.

GoodDayToDie said:
The odds of being able to sneak any app with the InteropServices capability into the marketplace is pretty low, I think. Without that capability, you can't access COM, which means no native code, which means no registry editing.
Click to expand...
Click to collapse
I am just guessing here, but can't you download a dll file to the isolatedStorage, then on the next app start use that file (for example the samsung dll to edit registry keys used by samsung "root" tools)?

hounsell said:
I'm just guessing here, I haven't actually done any research into it, but I believe the patch was relating to the certificate - aimed at the fact that ChevronWP7 relied on WP7 accepting an untrusted certificate being used by the unlocking server if that certificate had been installed to the phone's store. Simply doing some basic checking on the certificate to ensure it's from a trusted authority for example, is probably the route Microsoft took, or something along those lines.
I'm kinda busy with other things right now, but I'll have to get a copy of a NoDo ROM at some point and take a peak at the relevant files.
Click to expand...
Click to collapse
Ok.. Think with me please.. I am by no means a HTTP or SSL expert, but I know a little bit about it. So please correct me if I'm wrong.
HTTPS is HTTP over SSL. SSL does a handshake for encryption keys. Any HttpListener will support this. And SSL with mutual authentication will also do a certificate check. Tom, if what you said is true, then we should install a genuine certificate for developerservices.windowsphone.com. I'm sure some devs have one laying around for us to use. The phone will accept it, because a certified authority has issued it. That would solve things at the end of the WP7 device.
Now the important part. As far as I know, but I may very well be wrong about this, the certificate is only verified on the end of the server. In this case that would be our own HttpListener on the local PC with the hosts-file containing a mapping for developerservices.windowsphone.com to 127.0.0.1. I think the WP7 device does not validate the server, isn't it? So when we let our server accept the certificate, we're done. We can let it accept the certificate with this line of code:
Code:
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
Would that do the trick???
Ciao,
Heathcliff74

eried said:
I am just guessing here, but can't you download a dll file to the isolatedStorage, then on the next app start use that file (for example the samsung dll to edit registry keys used by samsung "root" tools)?
Click to expand...
Click to collapse
I'm guessing now. But I think the capabilities are stored somewhere. And if you didn't have the Interop-capability when you installed the app, you will still not be able to load a COM-dll later on. Also, I don't think you will be able to call LoadLibrary on a file in the IsolatedStorage.
And in my WP7 Root Tools, there are NO Samsung dll's. Only my own code. Both native and managed dll's are written 100% by me. No copyrighted dll's from another party in my code. I explicitly avoided that, because my app will never be banned for that reason. I think Julien Schapman's Windows Phone Device Manager does ship the HTC dll's (not 100% sure about that though). I think he might have a problem with that if he ever want to sell his product.
Ciao,
Heathcliff74

Heathcliff74 said:
Now the important part. As far as I know, but I may very well be wrong about this, the certificate is only verified on the end of the server. In this case that would be our own HttpListener on the local PC with the hosts-file containing a mapping for developerservices.windowsphone.com to 127.0.0.1. I think the WP7 device does not validate the server, isn't it? So when we let our server accept the certificate, we're done. We can let it accept the certificate with this line of code:
Code:
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
Would that do the trick???
Ciao,
Heathcliff74
Click to expand...
Click to collapse
Just a guess here, but I would say that it's the phone who verify the certificate, not the server. That's why you had to install the chevron cert on the phone.

Im not up to date on how these certificates work and where or how they are approved and if there is a difference between certain certs but i was wondering about the cert that we used by xboxmod when he released those omnia apps for all devices or was that just another way to get xaps to work instead of resigning them? Could it be used if not?

I did a bit of reading up on SSL and certificates. I'm still not sure about alot of things, but this is what I get from it:
SSL sets up a secure transport layer by exchanging encryption-keys. And it also supports client-authentication and server-authentication. Authentication can take place by letting one party send its certificate and let the other verify it. For a client this usually means that the issuing party sent a generated certificate against which it can be authenticated. A server is authenticated by its certificate. The certificate needs to be verified. The verification is done by checking the certification-path. The issuers must be trusted by the verifying device. I'm not sure, but I don't think it is normally necessary to install a certificate when you genuine unlock your device. If it is necessary, then that means that the unlock server from Microsoft does client-authentication too. But that is not important when we want to spoof that server with a http-server on our localhost (like ChevronWP7), because we can just skip the client-authentication. We simply don't care about that.
(nico) said:
Just a guess here, but I would say that it's the phone who verify the certificate, not the server. That's why you had to install the chevron cert on the phone.
Click to expand...
Click to collapse
I think the unlocking software on the WP7 device probably does something like this (pseudo-code):
Code:
if (!SecureConnection.Server.IsTrusted())
{
LockDevice();
return;
}
If the server is not trusted, the unlock will fail. So Chevron has its own built-in http-server. With its own certificate. Except that certificate is normally not trusted by the WP7 device, because that certificate is not signed/issued by one of the Certified Authorities that is known by the device. So in order to let the IsTrusted() succeed, a certificate must be installed on the device first. That certificate adds the signing authority (self-signed by Chevron) to the trusted authorities.
Now in NoDo, if Tom is right, Microsoft changed it into something like this:
Code:
if (!SecureConnection.Server.IsTrustedByCertifiedAutority())
{
LockDevice();
return;
}
That means, that it does not only verify if it is trusted, but the top of the certification-path must be a Certified Authority. In this case a self-signed certificate is not accepted anymore.
I have access to the certificate-stores on my Samsung Omnia 7. But for that the device needs to be unlocked. So, that is not useful for unlocking devices. And that exploit only works on Samsung devices.
Now that I understand this better, I see that my previous proposal won't work. But it gives me something to think about. Got to get a way around that.
lucasryan said:
Im not up to date on how these certificates work and where or how they are approved and if there is a difference between certain certs but i was wondering about the cert that we used by xboxmod when he released those omnia apps for all devices. Was that a cert that just allowed us to use those apps to work on other devices just like we do now by resigning a xap to work from another brand, or is it a cert that might could be used?
Click to expand...
Click to collapse
That was some developer-certificate from the WinMo 6.5 SDK or something. It didn't really do anything other than invalidating the signature, which in combination with removal of the DRM file in the XAP would remove the DRM-protection. It works even better to simply remove the certificate from the file. The certificate was simply to replace the valid certificate with an invalid one. The certificate from xboxmod is not of any use here.
Ciao,
Heathcliff74

ok I understand now how they work and what it needs to be. Alot more to it than i was thinking, so there is a chance to find a cert somewhere. somehow.

Very good information, I am not too much into SSL security also. I have an Idea for a new unlocker (not based in chevron's method):
Someone in a Marketplace-enabled country buys a subscription
An application uses that subscription + the code inside the Developer unlock application to unlock a phone
Then the same application deploys (and executes) a xap (like samsung tools) to prevent the device relocking
The same application then deletes the device from the developer account
So, with a minor cost, we can have unlocked phones. I don't know if the dev account can get blocked if the user unlocks and "relocks" a lot of devices, but if one account is good for 10 phones, its fine ($10 usd each unlock)

lucasryan said:
ok I understand now how they work and what it needs to be. Alot more to it than i was thinking, so there is a chance to find a cert somewhere. somehow.
Click to expand...
Click to collapse
No. These are the best kept secrets in the industry. When those key leak a lot of DRM is compromised. And in most systems certificates, once compromised, can be revoked (through updates that are pushed or pulled). The ChevronWP7 guys did a brilliant job in finding the loophole in the server-authentication. I think Microsoft has closed that one now. But maybe there's another loophole in the unlocking system.
There might also be other attack-vectors. If we can get XML-provisioning working from outside the device we can set the registry-values to unlock the device. Maybe OTA Provisioning can be done with WP7 devices.
Another possibility for XML provisioning can be found in this dll:
Code:
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.DeviceConnectivity.Interop.10.0\v4 .0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.DeviceConnectivity.Interop.10.0.dll
You can open it in Reflector. There's a class called DevicePackageClass. It has a method called ProvisionDeviceXML(). So I tried using it, but when I instantiate the DevicePackageClass it gives me an error:
Retrieving the COM class factory for component with CLSID {E987B9DE-8471-11DB-96A9-00E08161165F} failed due to the following error: 80040154 Class not registered (REGDB_E_CLASSNOTREG)
The class is actually a wrapper for a COM class. So I looked it up in the registry. It seemed to be found in this dll:
Code:
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\dip.dll (VSD Device Integration Package)
But is actually part of Visual Studio 2008, not Visual Studio 2010. The dip.dll is not installed with Visual Studio 2010. So I figured I might have a better chance with this dll:
Code:
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.DeviceConnectivity.Interop.9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.DeviceConnectivity.Interop.9.0.dll
But it gives me the same error. I also tried to register dip.dll with regsvr32. The registration worked, but the error was still the same. I even tried to access dip.dll directly, but I still couldn't create the COM class DevicePackageClass ("Can't create object").
So if we can somehow instantiate that class we might get XML provisioning working and unlock the device directly in the registry. Needs more research.
Ciao,
Heathcliff74

eried said:
Very good information, I am not too much into SSL security also. I have an Idea for a new unlocker (not based in chevron's method):
Someone in a Marketplace-enabled country buys a subscription
An application uses that subscription + the code inside the Developer unlock application to unlock a phone
Then the same application deploys (and executes) a xap (like samsung tools) to prevent the device relocking
The same application then deletes the device from the developer account
So, with a minor cost, we can have unlocked phones. I don't know if the dev account can get blocked if the user unlocks and "relocks" a lot of devices, but if one account is good for 10 phones, its fine ($10 usd each unlock)
Click to expand...
Click to collapse
Microsoft scans the apps that are submitted for the marketplace. I doubt very much this will ever pass through. And if it will Microsoft will block it as soon as they find out. And it also needs the InteropService capability, which will never be allowed in the Marketplace.

Heathcliff74 said:
Microsoft scans the apps that are submitted for the marketplace. I doubt very much this will ever pass through. And if it will Microsoft will block it as soon as they find out. And it also needs the InteropService capability, which will never be allowed in the Marketplace.
Click to expand...
Click to collapse
My idea was not an app for the marketplace but a desktop app like Chevron

eried said:
My idea was not an app for the marketplace but a desktop app like Chevron
Click to expand...
Click to collapse
Ohw. Sorry. Misunderstood. I get what you meant. But you're gonna need new dev-accounts all the time. Everytime Microsoft will block one dev-account after a certain amount of unlocks, you'll have to get a new one. Who is willing to get all these accounts? This will probably run out very fast.

Heathcliff74 said:
Ohw. Sorry. Misunderstood. I get what you meant. But you're gonna need new dev-accounts all the time. Everytime Microsoft will block one dev-account after a certain amount of unlocks, you'll have to get a new one. Who is willing to get all these accounts? This will probably run out very fast.
Click to expand...
Click to collapse
Of course, but I personally don't have a problem about paying $10-$40 usd to unlock my device. Even $100-$200 seems fair to me for the complete developer account, but I can't pay here in Chile

eried said:
Of course, but I personally don't have a problem about paying $10-$40 usd to unlock my device. Even $100-$200 seems fair to me for the complete developer account, but I can't pay here in Chile
Click to expand...
Click to collapse
Personally I don't like the idea, that I just bought a device of €550 and I have to pay another €100 to actually be able to have control over the device. I also needed to put in countless hours of work to get access to my system and to be able to set the colordepth for instance.
To be real honest, I really don't like the locked-down nature of the device. I liked Microsoft for their open systems (not open source, but highly customizable etc). And I also highly appreciate their developer tools and SDKs. And I love Silverlight. But if I would have known that the phone was so much locked down, I may have considered a Samsung Galaxy S instead of Samsung Omnia 7. Both great phones with super AMOLED etc. WP7 looks much better than Android, but Android is an open OS, which I would prefer. I think Microsoft should have made 2 flavors of WP7; one locked down version for the privacy-freaks and an open version for the tweakers. Anyway, I have the Omnia 7 now with WP7. And I will get it open, even if I have to break it open myself.

Heathcliff74 said:
Personally I don't like the idea, that I just bought a device of €550 and I have to pay another €100 to actually be able to have control over the device. I also needed to put in countless hours of work to get access to my system and to be able to set the colordepth for instance.
To be real honest, I really don't like the locked-down nature of the device. I liked Microsoft for their open systems (not open source, but highly customizable etc). And I also highly appreciate their developer tools and SDKs. And I love Silverlight. But if I would have known that the phone was so much locked down, I may have considered a Samsung Galaxy S instead of Samsung Omnia 7. Both great phones with super AMOLED etc. WP7 looks much better than Android, but Android is an open OS, which I would prefer. I think Microsoft should have made 2 flavors of WP7; one locked down version for the privacy-freaks and an open version for the tweakers. Anyway, I have the Omnia 7 now with WP7. And I will get it open, even if I have to break it open myself.
Click to expand...
Click to collapse
Nobody likes a locked device.
But I do understand the Microsoft posture about this.

Samsung Wave custom firmware

Are there any tutorials on how to make custom firmware for the Samsung Wave line of devices? Specifically, a custom firmware that does not signature check applications?

There isn't any tutorial as there isn't such a firmware at the moment. Try reading more posts than You write as it's getting silly - You ask lots of obvious questions without a definite purpose. It's not getting us anywhere. Maybe you should stop 'teaching others know their ****' and actually do something? Google for Mencken's Law.

Original Samsung JB6 is without Sig Check of Apps... this is the oldest FW leaked for S8500 (Wave)...
There are no mandatory RSA 1024 Certificats in JB6...
nearly all system files unsigned... because no BluetoothAppControl.so.htb or sig files...
"Problem".
I am not able to flash this Firmware with Multiloader nor with JTAG Hardware.
Because boot_loader.mbn is NOT encrypted...
For JTAG I'm not able to manipulate correct "Boot Image", because my brain to small...
Read here:
http://forum.xda-developers.com/showpost.php?p=13785413&postcount=64
http://forum.xda-developers.com/showthread.php?t=912728
Best Regards

adfree said:
"Problem".
I am not able to flash this Firmware with Multiloader nor with JTAG Hardware.
Because boot_loader.mbn is NOT encrypted...
For JTAG I'm not able to manipulate correct "Boot Image", because my brain to small...
Click to expand...
Click to collapse
I don't think encryption is the problem here. The algorithm (korean SEED) is already known and we can go both ways - decrypt and encrypt with any key (key for encryption is in plaintext in the description block being last 1024 bytes of the file. What we rather should worry about are the version signatures (with 512 bit RSA keys) also in the same block. The solution I see is loading a crafted file using some Bada 1.0/1.2 bootloader patched in the memory (the shadowed image) to ignore signature. We can do the patching through FOTA. As you have the JTAG we can experiment with that some time next week.

If I'm correct, an RSA key with a 512-bit modulus is easy to crack by modern computing standards.

There is a slight difference between feasibility and reasonable time to achieve that.
If you have enough resources then the modulus is: BF1834F775B9861F13E15BA3E01F91CED970B76F2E9D5767EC39C5C1DAD7A8AF9F2A60F131E1D3715E15FDE4B07AC04BF5FC148D95BFF180E9F675D6211F76F1
exponent: 010001

Thank you. And to be clear, that is the public key used by the bootloader to verify the operating system correct?
Sent from my DROID2 GLOBAL using XDA App

Yes, it's used to validate signatures on bootloader and apps (nucleus kernel and bada).
Each bootloader stage seems to have additional layer of security (some form of signature - 128 bytes at the end of each bootloader, includes some time variable/random data for "signing" as it's different for different releases of same version), but it's yet to be figured out .

As for factoring the 512-bit modulus (scroll down to the part about TI calculators):
http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml

This is why I said "If you have enough resources" as myself I'm not interested in waiting months for results, haven't got PS3, FPGA cluster or even several hundred PCs. Years back I thought about using public pay-phones network (tens of thousands of units with some RISC uC and FPGA) for distributed computation (back then with a phreaking crew we had such a possibility) like some symmetric and asymmetric cryptography keys brute-forcing and factorizing, but it's all gone now. Some sat-tv conditional access guys had some distributed factorization projects as well, but I never tracked what happened with that.
To make long story short, I know it's all possible with this modulus length, but I'm interested in doing it. If you or anybody have access to computing power (a large grid, cluster, cray or other supercomputer) then I'd be happy to see the results.

I have enough time to run my PC(s) day and night... weeks, months...
Maybe we should for "Brain training"... start with lower RSA...
I've never seen FREE Software for testing... only theory to use Graphiccards like NVIDIA...
Maybe someone is willing to offer Software for noobs like me to compute RSA Keys between RSA "30" and RSA "100"... to understand dreams and reality...
We could make some funny Thread. Who fastest generate "private Key", if public Key is given...
Again, only as lesson. So maximum RSA 100...
Example... with answer...
Code:
P = 0375BA25E7B805
Q = 03B4498980CEAB
Exp1 = 033842E45590F5
Exp2 = 02DCCB06EAF6C9
Coeff = 034F5F18D35B33
Priv Exp = 8A7ED170D08D37ACBC8920D1
Publ Exp = 010001
Modulus = 0CD0F3C2312AED609B775BF157
So the Question would be...
pub key = 0CD0F3C2312AED609B775BF157
Exponent 010001
Please give as private Exponent aka private Key...
Answer:
8A7ED170D08D37ACBC8920D1

adfree said:
I have enough time to run my PC(s) day and night... weeks, months...
Maybe we should for "Brain training"... start with lower RSA...
I've never seen FREE Software for testing... only theory to use Graphiccards like NVIDIA...
Maybe someone is willing to offer Software for noobs like me to compute RSA Keys between RSA "30" and RSA "100"... to understand dreams and reality...
We could make some funny Thread. Who fastest generate "private Key", if public Key is given...
Again, only as lesson. So maximum RSA 100...
Example... with answer...
Code:
P = 0375BA25E7B805
Q = 03B4498980CEAB
Exp1 = 033842E45590F5
Exp2 = 02DCCB06EAF6C9
Coeff = 034F5F18D35B33
Priv Exp = 8A7ED170D08D37ACBC8920D1
Publ Exp = 010001
Modulus = 0CD0F3C2312AED609B775BF157
So the Question would be...
pub key = 0CD0F3C2312AED609B775BF157
Exponent 010001
Please give as private Exponent aka private Key...
Answer:
8A7ED170D08D37ACBC8920D1
Click to expand...
Click to collapse
Great piece of software, if you run Windows, is xca. I've used it to make 8192-bit RSA keys. It is very simplistic, and I consider it a god send after trying to use OpenSSL via the command line.
Edit: I don't know if it will save the factors of the modulus, but I know that OpenSSL will. Anyway, give it a try.
Edit: Sorry, I didn't realize that you meant factoring RSA keys (I forgot about that). xca will generate them for you, though. Unfortunately, there is no (known) classical algorithm that can factor numbers in polynomial time. Shor's algorithm can do it in polynomial time, but only with a quantum computer.
Edit: The 512-bit key could be factored using a distributed effort. (See this: http://en.wikipedia.org/wiki/Texas_Instruments_signing_key_controversy) Time shares could also be rented on a supercomputer.

Code:
BF1834F775B9861F13E15BA3E01F91CED970B76F2E9D5767EC 39C5C1DAD7A8AF9F2A60F131E1D3715E15FDE4B07AC04BF5FC 148D95BFF180E9F675D6211F76F1
is approximately 2.0238493722395799×10^155. To factor a number you only need to test every number from 1 to the floor of the square root of said number. In this case, every number from 1 to about 4.49872134×10^77.

Master Melab said:
Code:
BF1834F775B9861F13E15BA3E01F91CED970B76F2E9D5767EC 39C5C1DAD7A8AF9F2A60F131E1D3715E15FDE4B07AC04BF5FC 148D95BFF180E9F675D6211F76F1
is approximately 2.0238493722395799×10^155. To factor a number you only need to test every number from 1 to the floor of the square root of said number. In this case, every number from 1 to about 4.49872134×10^77.
Click to expand...
Click to collapse
:/
Oh, come on, it is only comparable to the number of atoms in the universe...
The naive fraction algorithm does not make sense for large numbers - rather some specialized variants of Number Field Sieve, where you don't need to test every number

I was only laying out the fundamentals/basics.

Master Melab said:
To factor a number you only need to test every number from 1 to the floor of the square root of said number.
Click to expand...
Click to collapse
Master Melab said:
I was only laying out the fundamentals/basics.
Click to expand...
Click to collapse
The fundamental is you don't need to test every number.

Successful TCP Connection via CoreCon

So during my break today I added a few more registry paths to check on my HTC Radar and I found HKCU\Software\Microsoft\ConMan\HostLauncher\HostData\. There I found a few Service entries:
Code:
7ABBE0D5-B437-42CA-B57B-CEED61680E4F
11EE50CA-6CD3-45BA-9D65-46E133CFF009
B2FC26AB-D6EC-4426-91FA-9E039F92A639
The first entry did not take me any where but the other two did.
Running those in my test application sent back:
Code:
Int32Type: 0
Int32Type: -2147024809
I know it isnt much and I am not sure what to send to the ConMan so if someone does please tell me:
Code:
private static void ExecutionTest()
{
#region Create Objects
ObjectId DeviceID = new ObjectId("30F105C9-681E-420b-A277-7C086EAD8A4E");
Platform platform = datastoremanager.GetPlatform(PlatformObjectID);
Device device = platform.GetDevice(DeviceID);
#endregion
try
{
//Connect to the device.
device.Connect();
if (device.IsConnected())
{
RemoteAgent ra = device.GetRemoteAgent(new ObjectId("910DCB1B-487B-452b-87FC-73852B5A239C"));
DevicePacketStream ps = ra.CreatePacketStream(new ObjectId(new Guid("11EE50CA-6CD3-45BA-9D65-46E133CFF009")));
// Create and write a packet of data.
Packet packet;
packet = new Packet();
for (int i = 0; i < 4; i++) packet.WriteInt32(i);
packet.WriteString("Hello Smart Device");
ps.Write(packet);
#region While stream is connected, try to read a packet.
while (ps.IsConnected())
{
if (ps.IsPacketAvailable())
{
packet = ps.Read();
while (!packet.IsEndOfPacket())
{
switch (packet.ReadDataType())
{
case DataType.BoolType: bool boolValue = packet.ReadBool(); break;
case DataType.ByteArrayType: byte[] buffer = packet.ReadBytes(); break;
case DataType.ByteType: byte byteValue = packet.ReadByte(); break;
case DataType.CharType: char charValue = packet.ReadChar(); break;
case DataType.Int32Type: Console.WriteLine("Int32Type: " + packet.ReadInt32().ToString()); break;
case DataType.StringType: Console.WriteLine("String: " + packet.ReadString()); break;
default: break;
}
}
break;
}
System.Threading.Thread.Sleep(1000);
}
#endregion
}
}
catch (Exception ex)
{
throw ex;
}
finally { device.Disconnect(); }
}

Huh, you got the remote "GetRemoteAgent" working. Right?
I think i might know how to resolve what to call in to the packet. VS2010 talks to wp7, and uses one of those GUID's; meaning one should be able do binary search all files (in a rom) to see who owns the GUID (what dll handler), disassemble that dll (to ASM/c), and extract "what it wants".
Or if MS has a hidden caller class somewhere
Ill look further into this, thanks

fiinix said:
Huh, you got the remote "GetRemoteAgent" working. Right?
I think i might know how to resolve what to call in to the packet. VS2010 talks to wp7, and uses one of those GUID's; meaning one should be able do binary search all files (in a rom) to see who owns the GUID (what dll handler), disassemble that dll (to ASM/c), and extract "what it wants".
Or if MS has a hidden caller class somewhere
Ill look further into this, thanks
Click to expand...
Click to collapse
Yes I did . Yeah I just need to know what to actually send to to the device. I know Visual Studio communicates this way.

MJCS said:
Yes I did . Yeah I just need to know what to actually send to to the device. I know Visual Studio communicates this way.
Click to expand...
Click to collapse
Great
I, myself tried 20+ GUID's once (from wp7 that _could_ be); all threw exceptions (aka not a remote agent handler).
It feels better now knowing what GUID's i can use.
Well the reg path was quite obvious; why did i not stumble upon that one earlier..

fiinix said:
Great
I, myself tried 20+ GUID's once (from wp7 that _could_ be); all threw exceptions (aka not a remote agent handler).
It feels better now knowing what GUID's i can use.
Well the reg path was quite obvious; why did i not stumble upon that one earlier..
Click to expand...
Click to collapse
Well I only found it since I know have an HTC Radar. My Dell venue pro requires you to manually enter in registry paths to see if they exist or not. I was able to decompile an older HTC registry viewer and then fix it so it didnt require interop unlock.

It should be possible to do registry browsing (but not editing) just fine on a DVP using the standard tools, unless there's a check that specifically blocks them. The browsing uses a native homebrew DLL that doesn't require ID_CAP_INTEROPSERVICES and has no device-specific dependencies. It's the editing that requires interop-unlock and device-specific DLLs.

GoodDayToDie said:
It should be possible to do registry browsing (but not editing) just fine on a DVP using the standard tools, unless there's a check that specifically blocks them. The browsing uses a native homebrew DLL that doesn't require ID_CAP_INTEROPSERVICES and has no device-specific dependencies. It's the editing that requires interop-unlock and device-specific DLLs.
Click to expand...
Click to collapse
There is no GetSubKeys method...anyways lets get back on topic.

I've been trying for weeks to get anything out of this. Nothing so far. I did find out that the Developer unlock is just a byte array of a cookie taken from Microsoft's auth server.

Has anyone had any success with this socket method yet? I really don't know enough about sockets to try.

BTW you have to have a core con connection to the device already open either from app debugging or some other method