Related
Please see title. Does Microsoft's ToS allow them in the marketplace, like with Android's Marketplace or are they banned like in the iOS App Store?
Seems like WP7 is considerably more optimized than Android, and should be able to give beter performance.
If an emulator falls under "Unauthorized use of another entity‟s intellectual property, including but not limited to: software, music, art, and other copyrighted, trademarked or patented materials or trade secrets." then it's not allowed on the marketplace.
You can read the doc at http://go.microsoft.com/fwlink/?LinkID=183220
Heh, I expected some sort of vague, far-reaching rule like that. So basically it's up to Microsoft's interpretation.
Thanks for the help.
so what happens if, someone develops an app or game or whatever and it doesn't get accepted into the market. Is there going to be or is there already some kind of 3rd party market (similar to Cydia, Installer etc.) for Win Mobile 7?
There is no side loading allowed right now. If you are a registered developer you can load apps on your phone without going through the marketplace but a developer account costs $99 per year and only allows 5 phones.
Of course there's the option of jail breaking the phone but who knows when that's going to happen.
Ren13B said:
There is no side loading allowed right now. If you are a registered developer you can load apps on your phone without going through the marketplace but a developer account costs $99 per year and only allows 5 phones.
Of course there's the option of jail breaking the phone but who knows when that's going to happen.
Click to expand...
Click to collapse
I'm pretty sure it was reduced to 3 I haven't checked lately though because we only need 2 at my company.
Since you don't have access to the native API I think it would be hard to make an emulator in Silverlight or XNA.
I haven't signed up yet so you may be right.
ckacey said:
I'm pretty sure it was reduced to 3 I haven't checked lately though because we only need 2 at my company.
Click to expand...
Click to collapse
Once WP7 is jailbroken, we might start to see custom ringtones, emulator, tethering, and maybe a lot more. However, this is just pure speculation of mine. I am sure by the end of November(by the time USA gets WP7) we will have something to sideload apps etc.
Sent from my SGH-T959 using XDA App
Ren13B said:
There is no side loading allowed right now. If you are a registered developer you can load apps on your phone without going through the marketplace but a developer account costs $99 per year and only allows 5 phones.
Of course there's the option of jail breaking the phone but who knows when that's going to happen.
Click to expand...
Click to collapse
Ive spoken to a few reps from HTC and Samsung, they all say side loading will be available so i dont see why not for emulators (but not right now ofcourse... *tear*)
SysRq said:
Since you don't have access to the native API I think it would be hard to make an emulator in Silverlight or XNA.
Click to expand...
Click to collapse
Maybe hard, but not impossible. There is already a C64 emulator written in Silverlight available. http://silverlightc64.codeplex.com/
XNA might also be a good choice to write more powerful emulators.
Ren13B said:
There is no side loading allowed right now. If you are a registered developer you can load apps on your phone without going through the marketplace but a developer account costs $99 per year and only allows 5 phones.
Of course there's the option of jail breaking the phone but who knows when that's going to happen.
Click to expand...
Click to collapse
It is only 3 devices. Also, if you are a college student, you can get a developer account for free.
diablos991 said:
It is only 3 devices. Also, if you are a college student, you can get a developer account for free.
Click to expand...
Click to collapse
Do you have a link? I'm not in college still, but still have access to everything I did when I was.
ryotgz said:
Do you have a link? I'm not in college still, but still have access to everything I did when I was.
Click to expand...
Click to collapse
1. Register with Dreamspark.com
2. Validate your college identity
3. Register with windowsphone.create.msdn.com (be sure to select student account to avoid the fee)
4. Submit a dummy WP6.5 application to get the identity verification email from GeoTrust. (dummy application is only needed for student accounts)
5. If you pass GeoTrust's test on your personal information, you will then have your account verified shortly. (mine was the next morning)
All of the verification has to be done in order to enable developer devices. I have yet to receive my HTC HD7, but the section says that I have 3 device registrations available to me.
This whole process took about 2 hours for me to complete.
sxdejan said:
Ive spoken to a few reps from HTC and Samsung, they all say side loading will be available so i dont see why not for emulators (but not right now ofcourse... *tear*)
Click to expand...
Click to collapse
Really? Because I just tried side-loading an app into my Samsung SGH-I917, using the Zune software, and it didn't work at all. Are you sure those reps knew what they were talking about?
athompson said:
Really? Because I just tried side-loading an app into my Samsung SGH-I917, using the Zune software, and it didn't work at all. Are you sure those reps knew what they were talking about?
Click to expand...
Click to collapse
AFAIK sideloading is available through Visual Studio with unlocked developer phones (e.g. you have to have a developer account and then register your phone there).
Ignore the reps. They have no idea how development on WP7 works.
Ren13B said:
Ignore the reps. They have no idea how development on WP7 works.
Click to expand...
Click to collapse
Agreed. Samsng told me the same story when in fact it's only possible on developers registered devices. TBH though, the registration fee isn't really that big a deal - release one (good) $.99 app and it'll pay for itself fairly quickly - especially now when the marketplace is still 'small'.
They should be allowed now based on this article here http://news.cnet.com/8301-27076_3-20021948-248.html
diego1985 said:
They should be allowed now based on this article here http://news.cnet.com/8301-27076_3-20021948-248.html
Click to expand...
Click to collapse
That doesn't change what is allowed in the store, simply WHO can submit.
Let me give some background. I know the very basics of hacking. That's it, not much more. I know how to root Android phones, install homebrew on WebOS, and I have tweaked Blackberry software, installed new os', just basic stuff like that. I have never built an app but I want to learn how to develop applications for Windows Phone 7 as this will be my next phone. Any advice? I went to the site and they have the tools there, I was just looking for any pre-reading I should do, or any advice from those already doing it.
Thanks
Download the free developer tools and play. Expression Blend is pretty easy and made for more visually-oriented people vs. hardcore coders.
The catch is that you can't deploy your apps onto your phone without a developers account.
But fi you're a student you might be able to claim a Student account from Dreamspark.
Sir. Haxalot said:
The catch is that you can't deploy your apps onto your phone without a developers account.
But fi you're a student you might be able to claim a Student account from Dreamspark.
Click to expand...
Click to collapse
Just watch the Dreamspark method as you don't seem to be able to register a device until you have your identity verified which, for students, doesn't happen until you submit an application for certification. I am still waiting to hear back from MS on that and if there is a way round it. It means you cannot test your application on a real device until after you have submitted it for certification which seems rather odd.
The tools themselves are very good it is very easy to produce a good looking functional application. There is quite a bit on http://create.msdn.com/ to get you started.
Omega Point said:
Just watch the Dreamspark method as you don't seem to be able to register a device until you have your identity verified which, for students, doesn't happen until you submit an application for certification. I am still waiting to hear back from MS on that and if there is a way round it. It means you cannot test your application on a real device until after you have submitted it for certification which seems rather odd.
The tools themselves are very good it is very easy to produce a good looking functional application. There is quite a bit on http://create.msdn.com/ to get you started.
Click to expand...
Click to collapse
Thanks for the Dreamspark tip! I just got verified and DLd the software.
Hopefully this developer account will come in handy.
Might want to check out this site too: http://msdn.microsoft.com/en-us/beginner/dd435692.aspx It'll help you get through the basics of programming that you'll need to know
why not
i can give you i got an account
pm me if you need
Free WP7 eBook
If you have some time to read the excellent Charles Petzold 's ebook...
Programming Windows Phone 7 which comes with Sample Code.
Ok, this may sound a little stupid but please bear with me....
I'm a student, so I have a ".edu" email address which allowed me to sign up for a free dev account.
Although I'm on a Mac I'm downloading parallels desktop so I can get zune software.
From what I understood from reading these forums...I can use the dev tools and unlock my device with Zune?
Is this essentially the same as using Chevron unlocker?
I can't use Chevron Unlocker because I have a HTC Arrive that has the NoDo update already applied...but if I use the above methods, it would be the same...no?
Yes, as far as I am aware.
I am also a student in the uk with an .ac.uk email
I have signed up and my account is started being activated today, will let you know! I am on NoDo too
I also have a .edu account, so this means I can sign up as a developer and get the official unlock code? Would I actually have to do any developing for them to keep my account open?
I don't have NoDo yet but will want to unlock it once it's available (AT&T branded Focus).
This would be interesting because it say's I can have up to 3 registered devices under my Dev Account.
I personally just created it so I could unlock my NoDo Arrive, but I might actually try at creating some apps...I wonder if it's really that hard
its a little more complicated than what it first seems, but nothing too hard.
Sign up through dreamspark, that gets you your account.
To dev unlock the phone you use the windows phone tools that you get through dreamspark, but it wont let you unlock it untill you have activated your developer account through geotrust
To do this on a student account you have to submit and application to microsoft first. I just created a basic dice roller, there are guides on the internet for how to make this app, it only took me two hours to do using the guide, and 1 day after submitting the app to microsoft I got an email from geotrust asking me to validate my account.
To validate you need to fill in the form with a photocopy of your driver licence or passport and email/fax it to them, they then tell microsoft all is good, and your account is activated
But yeh, if your a student, then its definetly worth doing, because you will effectively be "jailbroken" but in a completely legit microsoft are happy way.
The major problem with an actual developer unlock, is there is a limit on the number of applications you can side-load at the same time - 3 for student accounts, 10 for individual/corporate accounts, if I remember correctly. Makes it difficult to use them for homebrew - I know I had more than 10 homebrew applications together.
loomx said:
its a little more complicated than what it first seems, but nothing too hard.
Sign up through dreamspark, that gets you your account.
To dev unlock the phone you use the windows phone tools that you get through dreamspark, but it wont let you unlock it untill you have activated your developer account through geotrust
To do this on a student account you have to submit and application to microsoft first. I just created a basic dice roller, there are guides on the internet for how to make this app, it only took me two hours to do using the guide, and 1 day after submitting the app to microsoft I got an email from geotrust asking me to validate my account.
To validate you need to fill in the form with a photocopy of your driver licence or passport and email/fax it to them, they then tell microsoft all is good, and your account is activated
But yeh, if your a student, then its definetly worth doing, because you will effectively be "jailbroken" but in a completely legit microsoft are happy way.
Click to expand...
Click to collapse
So if we have a student developer account we have to create an app first? Exactly what guide did you use?
I have "ZERO" coding experience, even though I do dabble in web development...is it hard to do? I'm not asking someone to hold my hand, just point me in the general direction.
Isn't there a "hack" available on these forums that allows you to "sideload" more than the limits?
I mean essentially a person could use the free Dev Account to unlock their device, then use the registry hack (available on these forums) to allow more than the limit for sideloading....
...or am I missing something?
Yup there is a hack somewhere, I might give it ago, but TBH, im happy to install the reg editor do the edits and unistall it, then do the same for ringtones and unistall it and so on, and just keep 3 that I really need.
After a bit of googling, it seems it might be even simpler...
You still need to have the Dev tools download from dreamspark, but someone posted that all you need to do is this...
Create a new project.
Build the project.
Look in the bin directory that was created.
Find the .xap.
Then submit that
loomx said:
Yup there is a hack somewhere, I might give it ago, but TBH, im happy to install the reg editor do the edits and unistall it, then do the same for ringtones and unistall it and so on, and just keep 3 that I really need.
After a bit of googling, it seems it might be even simpler...
You still need to have the Dev tools download from dreamspark, but someone posted that all you need to do is this...
Create a new project.
Build the project.
Look in the bin directory that was created.
Find the .xap.
Then submit that
Click to expand...
Click to collapse
So even though it's a "shell" app (empty app) and it would get rejected by AppHub...all that really matters is that you submit something for GeoTrust to send you the verification email???
I'm interested in this aswell. I've just updated to nodo.
I'm currently studying computer science at uni and tempted to do a WP7 app for my final year or in my spare time.
Developer Unlock is the same thing as what Chevron does.
For students that are interested, Microsoft provides the Dreamspark program where they give students access to free software, development tools and WP7 developer registration
ducylowycz said:
So even though it's a "shell" app (empty app) and it would get rejected by AppHub...all that really matters is that you submit something for GeoTrust to send you the verification email???
Click to expand...
Click to collapse
Exactly. That's all you need. Once you submit it you'll just get an email from "GeoTrust" (Hotmail marked it as spam), and then you'll be on your way.
If you like in a country were Marketplace isn't available yet it complicates things a bit.
Even if you get a student account tied to your swedish live-account(like I did) you can't access the Marketplace. But you can still submit apps and get them published with that account!
The only solution here is to get a UK/USA live-account and then jailbreak your phone.
So when NoDo gets released I have to choose between running my own apps or run apps from the Marketplace.
The live account on your phone, doesnt have to match the live account of your developer account as far as I am aware.
My phone is now Dev unlocked and on No-Do.
If you install advance config,it can make it so you can sideload as many apps as you want
Do you think there should be a tut for doing this?
I was thinking of creating one because, as of now, this is the only option to "unlock" our devices.
Ok...I have everything installed but when I "build" the app and submit it to Apphub, it just gives me an exception out of range error...
Any insight?
ducylowycz said:
Do you think there should be a tut for doing this?
I was thinking of creating one because, as of now, this is the only option to "unlock" our devices.
Click to expand...
Click to collapse
It's pretty simple - register your student email with dreamspark
submit an app (doesn't even have to work) to get geotrust to start the identity process
when you verify your identity wait 2 business day
You now have the option to have 3 devices that can be unlocked
For the respective device, go and edit the registry to increase the app loading limit to unlimited (student has I think 3) and you're done
Legit chevron. unlocked device for sideloading. I'll be getting my brother to do it for his phone as well as his school too! Although I can see an impending rape of this...
It's also pretty profitable...
my country is not in the list box, singapore is the closest one, im from indonesia, any suggestion?
domineus said:
It's pretty simple - register your student email with dreamspark
submit an app (doesn't even have to work) to get geotrust to start the identity process
when you verify your identity wait 2 business day
You now have the option to have 3 devices that can be unlocked
For the respective device, go and edit the registry to increase the app loading limit to unlimited (student has I think 3) and you're done
Legit chevron. unlocked device for sideloading. I'll be getting my brother to do it for his phone as well as his school too! Although I can see an impending rape of this...
It's also pretty profitable...
Click to expand...
Click to collapse
I just spent 2 hours to figure out the tools and built a quote of the day app. Just submitted it. Will wait for Geotrust to contact me.
Well although many might abuse it, it will expose students to the platform. MS has really good tools. I am not a computer major, but I managed to build an app in 2 hours. I am quite exited about my app..and I will definitely read more about the tools and try few more things.
PS: now I need to buy a windows phone device :-D
Do you have a locked phone with Nodo?
So, at this moment your chances are:
Restore the phone to previous version (from Zune)
If your device is LG, you can use the integrated registry editor to unlock it
Buy a developer account subscription
What if your country is not supported by the Marketplace to buy a developer account subscription?
Well, you can ask someone to unlock your phone via remote desktop with their account, then apply any relock prevention
You can use Yallapps unlocking service
I was thinking on update chevron for nodo. There is no marketplace in my country to test and check what is the token used by the developer unlocker application from the phone tools.
Recently I discovered yallaapps (where everyone can register and unlock their phones). It is very unfair compared to the standard marketplace rules (you can upload only free apps, and like 3-4 every 80 dollars).
Anyone here have a yallaapps account to share? (via remote-ethernet usb for example) and unlock my phone to check what is the token, and test if microsoft did something to avoid chevron.cer, etc... I can work some nights trying to get an updated unlocker for us.
Comments?
I've thought about this too. But I have an unlocked Omnia 7 now, with NoDo. And I'm kinda afraid to test for locking/unlocking, because it might lock my phone, while not being able to unlock again. Only a restore of backup or reflash firmware would possibly fix that, but I too busy to risk that now. If it wasn't for that I would've tried a couple of things.
With registry access we can set the value of HKEY_LOCAL_MACHINE\Software\Microsoft\DeviceReg\PortalUrlProd to anything we like. Set it to something like this: http://www.wp7unlock.com. That site does not exist, but that doesn't matter. Note that I mention "http" and not "https" to make it easier. Then add this url to the hosts-file on your computer. Open a http-server on port 80 which logs all http-requests. Now run ChevronWP7 unlocker and try to lock / unlock. Note: Don't try this if your device is upgraded to NoDo and unlocked, and you wish to keep it like that. You can grab the exact request. That is the first step. But this may already lock your device, if you got it unlocked. You need an unlocked device in the first place to edit the registry. If you got the exact http-request that is sent by the NoDo-device, you can manually try to send it to the original url: https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/01/2010. Now grab the response. That will be the second step. Having the request and response may already provide very useful information and help us further.
I think the chance of getting your device re-locked is small. But only someone who is doesn't matter restoring a backup or older firmware in order to re-unlock should try this. If someone feels like testing this, we may get a start on unlocking NoDo.
Ciao,
Heathcliff74
I'm just guessing here, I haven't actually done any research into it, but I believe the patch was relating to the certificate - aimed at the fact that ChevronWP7 relied on WP7 accepting an untrusted certificate being used by the unlocking server if that certificate had been installed to the phone's store. Simply doing some basic checking on the certificate to ensure it's from a trusted authority for example, is probably the route Microsoft took, or something along those lines.
I'm kinda busy with other things right now, but I'll have to get a copy of a NoDo ROM at some point and take a peak at the relevant files.
Another possibility is to hide a registry editor in some app and submit it to the marketplace. But soon or later they will notice the trick.
Pretty convenient the LG devices with their integrated registry editor...
The odds of being able to sneak any app with the InteropServices capability into the marketplace is pretty low, I think. Without that capability, you can't access COM, which means no native code, which means no registry editing.
GoodDayToDie said:
The odds of being able to sneak any app with the InteropServices capability into the marketplace is pretty low, I think. Without that capability, you can't access COM, which means no native code, which means no registry editing.
Click to expand...
Click to collapse
I am just guessing here, but can't you download a dll file to the isolatedStorage, then on the next app start use that file (for example the samsung dll to edit registry keys used by samsung "root" tools)?
hounsell said:
I'm just guessing here, I haven't actually done any research into it, but I believe the patch was relating to the certificate - aimed at the fact that ChevronWP7 relied on WP7 accepting an untrusted certificate being used by the unlocking server if that certificate had been installed to the phone's store. Simply doing some basic checking on the certificate to ensure it's from a trusted authority for example, is probably the route Microsoft took, or something along those lines.
I'm kinda busy with other things right now, but I'll have to get a copy of a NoDo ROM at some point and take a peak at the relevant files.
Click to expand...
Click to collapse
Ok.. Think with me please.. I am by no means a HTTP or SSL expert, but I know a little bit about it. So please correct me if I'm wrong.
HTTPS is HTTP over SSL. SSL does a handshake for encryption keys. Any HttpListener will support this. And SSL with mutual authentication will also do a certificate check. Tom, if what you said is true, then we should install a genuine certificate for developerservices.windowsphone.com. I'm sure some devs have one laying around for us to use. The phone will accept it, because a certified authority has issued it. That would solve things at the end of the WP7 device.
Now the important part. As far as I know, but I may very well be wrong about this, the certificate is only verified on the end of the server. In this case that would be our own HttpListener on the local PC with the hosts-file containing a mapping for developerservices.windowsphone.com to 127.0.0.1. I think the WP7 device does not validate the server, isn't it? So when we let our server accept the certificate, we're done. We can let it accept the certificate with this line of code:
Code:
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
Would that do the trick???
Ciao,
Heathcliff74
eried said:
I am just guessing here, but can't you download a dll file to the isolatedStorage, then on the next app start use that file (for example the samsung dll to edit registry keys used by samsung "root" tools)?
Click to expand...
Click to collapse
I'm guessing now. But I think the capabilities are stored somewhere. And if you didn't have the Interop-capability when you installed the app, you will still not be able to load a COM-dll later on. Also, I don't think you will be able to call LoadLibrary on a file in the IsolatedStorage.
And in my WP7 Root Tools, there are NO Samsung dll's. Only my own code. Both native and managed dll's are written 100% by me. No copyrighted dll's from another party in my code. I explicitly avoided that, because my app will never be banned for that reason. I think Julien Schapman's Windows Phone Device Manager does ship the HTC dll's (not 100% sure about that though). I think he might have a problem with that if he ever want to sell his product.
Ciao,
Heathcliff74
Heathcliff74 said:
Now the important part. As far as I know, but I may very well be wrong about this, the certificate is only verified on the end of the server. In this case that would be our own HttpListener on the local PC with the hosts-file containing a mapping for developerservices.windowsphone.com to 127.0.0.1. I think the WP7 device does not validate the server, isn't it? So when we let our server accept the certificate, we're done. We can let it accept the certificate with this line of code:
Code:
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
Would that do the trick???
Ciao,
Heathcliff74
Click to expand...
Click to collapse
Just a guess here, but I would say that it's the phone who verify the certificate, not the server. That's why you had to install the chevron cert on the phone.
Im not up to date on how these certificates work and where or how they are approved and if there is a difference between certain certs but i was wondering about the cert that we used by xboxmod when he released those omnia apps for all devices or was that just another way to get xaps to work instead of resigning them? Could it be used if not?
I did a bit of reading up on SSL and certificates. I'm still not sure about alot of things, but this is what I get from it:
SSL sets up a secure transport layer by exchanging encryption-keys. And it also supports client-authentication and server-authentication. Authentication can take place by letting one party send its certificate and let the other verify it. For a client this usually means that the issuing party sent a generated certificate against which it can be authenticated. A server is authenticated by its certificate. The certificate needs to be verified. The verification is done by checking the certification-path. The issuers must be trusted by the verifying device. I'm not sure, but I don't think it is normally necessary to install a certificate when you genuine unlock your device. If it is necessary, then that means that the unlock server from Microsoft does client-authentication too. But that is not important when we want to spoof that server with a http-server on our localhost (like ChevronWP7), because we can just skip the client-authentication. We simply don't care about that.
(nico) said:
Just a guess here, but I would say that it's the phone who verify the certificate, not the server. That's why you had to install the chevron cert on the phone.
Click to expand...
Click to collapse
I think the unlocking software on the WP7 device probably does something like this (pseudo-code):
Code:
if (!SecureConnection.Server.IsTrusted())
{
LockDevice();
return;
}
If the server is not trusted, the unlock will fail. So Chevron has its own built-in http-server. With its own certificate. Except that certificate is normally not trusted by the WP7 device, because that certificate is not signed/issued by one of the Certified Authorities that is known by the device. So in order to let the IsTrusted() succeed, a certificate must be installed on the device first. That certificate adds the signing authority (self-signed by Chevron) to the trusted authorities.
Now in NoDo, if Tom is right, Microsoft changed it into something like this:
Code:
if (!SecureConnection.Server.IsTrustedByCertifiedAutority())
{
LockDevice();
return;
}
That means, that it does not only verify if it is trusted, but the top of the certification-path must be a Certified Authority. In this case a self-signed certificate is not accepted anymore.
I have access to the certificate-stores on my Samsung Omnia 7. But for that the device needs to be unlocked. So, that is not useful for unlocking devices. And that exploit only works on Samsung devices.
Now that I understand this better, I see that my previous proposal won't work. But it gives me something to think about. Got to get a way around that.
lucasryan said:
Im not up to date on how these certificates work and where or how they are approved and if there is a difference between certain certs but i was wondering about the cert that we used by xboxmod when he released those omnia apps for all devices. Was that a cert that just allowed us to use those apps to work on other devices just like we do now by resigning a xap to work from another brand, or is it a cert that might could be used?
Click to expand...
Click to collapse
That was some developer-certificate from the WinMo 6.5 SDK or something. It didn't really do anything other than invalidating the signature, which in combination with removal of the DRM file in the XAP would remove the DRM-protection. It works even better to simply remove the certificate from the file. The certificate was simply to replace the valid certificate with an invalid one. The certificate from xboxmod is not of any use here.
Ciao,
Heathcliff74
ok I understand now how they work and what it needs to be. Alot more to it than i was thinking, so there is a chance to find a cert somewhere. somehow.
Very good information, I am not too much into SSL security also. I have an Idea for a new unlocker (not based in chevron's method):
Someone in a Marketplace-enabled country buys a subscription
An application uses that subscription + the code inside the Developer unlock application to unlock a phone
Then the same application deploys (and executes) a xap (like samsung tools) to prevent the device relocking
The same application then deletes the device from the developer account
So, with a minor cost, we can have unlocked phones. I don't know if the dev account can get blocked if the user unlocks and "relocks" a lot of devices, but if one account is good for 10 phones, its fine ($10 usd each unlock)
lucasryan said:
ok I understand now how they work and what it needs to be. Alot more to it than i was thinking, so there is a chance to find a cert somewhere. somehow.
Click to expand...
Click to collapse
No. These are the best kept secrets in the industry. When those key leak a lot of DRM is compromised. And in most systems certificates, once compromised, can be revoked (through updates that are pushed or pulled). The ChevronWP7 guys did a brilliant job in finding the loophole in the server-authentication. I think Microsoft has closed that one now. But maybe there's another loophole in the unlocking system.
There might also be other attack-vectors. If we can get XML-provisioning working from outside the device we can set the registry-values to unlock the device. Maybe OTA Provisioning can be done with WP7 devices.
Another possibility for XML provisioning can be found in this dll:
Code:
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.DeviceConnectivity.Interop.10.0\v4 .0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.DeviceConnectivity.Interop.10.0.dll
You can open it in Reflector. There's a class called DevicePackageClass. It has a method called ProvisionDeviceXML(). So I tried using it, but when I instantiate the DevicePackageClass it gives me an error:
Retrieving the COM class factory for component with CLSID {E987B9DE-8471-11DB-96A9-00E08161165F} failed due to the following error: 80040154 Class not registered (REGDB_E_CLASSNOTREG)
The class is actually a wrapper for a COM class. So I looked it up in the registry. It seemed to be found in this dll:
Code:
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\dip.dll (VSD Device Integration Package)
But is actually part of Visual Studio 2008, not Visual Studio 2010. The dip.dll is not installed with Visual Studio 2010. So I figured I might have a better chance with this dll:
Code:
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.DeviceConnectivity.Interop.9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.DeviceConnectivity.Interop.9.0.dll
But it gives me the same error. I also tried to register dip.dll with regsvr32. The registration worked, but the error was still the same. I even tried to access dip.dll directly, but I still couldn't create the COM class DevicePackageClass ("Can't create object").
So if we can somehow instantiate that class we might get XML provisioning working and unlock the device directly in the registry. Needs more research.
Ciao,
Heathcliff74
eried said:
Very good information, I am not too much into SSL security also. I have an Idea for a new unlocker (not based in chevron's method):
Someone in a Marketplace-enabled country buys a subscription
An application uses that subscription + the code inside the Developer unlock application to unlock a phone
Then the same application deploys (and executes) a xap (like samsung tools) to prevent the device relocking
The same application then deletes the device from the developer account
So, with a minor cost, we can have unlocked phones. I don't know if the dev account can get blocked if the user unlocks and "relocks" a lot of devices, but if one account is good for 10 phones, its fine ($10 usd each unlock)
Click to expand...
Click to collapse
Microsoft scans the apps that are submitted for the marketplace. I doubt very much this will ever pass through. And if it will Microsoft will block it as soon as they find out. And it also needs the InteropService capability, which will never be allowed in the Marketplace.
Heathcliff74 said:
Microsoft scans the apps that are submitted for the marketplace. I doubt very much this will ever pass through. And if it will Microsoft will block it as soon as they find out. And it also needs the InteropService capability, which will never be allowed in the Marketplace.
Click to expand...
Click to collapse
My idea was not an app for the marketplace but a desktop app like Chevron
eried said:
My idea was not an app for the marketplace but a desktop app like Chevron
Click to expand...
Click to collapse
Ohw. Sorry. Misunderstood. I get what you meant. But you're gonna need new dev-accounts all the time. Everytime Microsoft will block one dev-account after a certain amount of unlocks, you'll have to get a new one. Who is willing to get all these accounts? This will probably run out very fast.
Heathcliff74 said:
Ohw. Sorry. Misunderstood. I get what you meant. But you're gonna need new dev-accounts all the time. Everytime Microsoft will block one dev-account after a certain amount of unlocks, you'll have to get a new one. Who is willing to get all these accounts? This will probably run out very fast.
Click to expand...
Click to collapse
Of course, but I personally don't have a problem about paying $10-$40 usd to unlock my device. Even $100-$200 seems fair to me for the complete developer account, but I can't pay here in Chile
eried said:
Of course, but I personally don't have a problem about paying $10-$40 usd to unlock my device. Even $100-$200 seems fair to me for the complete developer account, but I can't pay here in Chile
Click to expand...
Click to collapse
Personally I don't like the idea, that I just bought a device of €550 and I have to pay another €100 to actually be able to have control over the device. I also needed to put in countless hours of work to get access to my system and to be able to set the colordepth for instance.
To be real honest, I really don't like the locked-down nature of the device. I liked Microsoft for their open systems (not open source, but highly customizable etc). And I also highly appreciate their developer tools and SDKs. And I love Silverlight. But if I would have known that the phone was so much locked down, I may have considered a Samsung Galaxy S instead of Samsung Omnia 7. Both great phones with super AMOLED etc. WP7 looks much better than Android, but Android is an open OS, which I would prefer. I think Microsoft should have made 2 flavors of WP7; one locked down version for the privacy-freaks and an open version for the tweakers. Anyway, I have the Omnia 7 now with WP7. And I will get it open, even if I have to break it open myself.
Heathcliff74 said:
Personally I don't like the idea, that I just bought a device of €550 and I have to pay another €100 to actually be able to have control over the device. I also needed to put in countless hours of work to get access to my system and to be able to set the colordepth for instance.
To be real honest, I really don't like the locked-down nature of the device. I liked Microsoft for their open systems (not open source, but highly customizable etc). And I also highly appreciate their developer tools and SDKs. And I love Silverlight. But if I would have known that the phone was so much locked down, I may have considered a Samsung Galaxy S instead of Samsung Omnia 7. Both great phones with super AMOLED etc. WP7 looks much better than Android, but Android is an open OS, which I would prefer. I think Microsoft should have made 2 flavors of WP7; one locked down version for the privacy-freaks and an open version for the tweakers. Anyway, I have the Omnia 7 now with WP7. And I will get it open, even if I have to break it open myself.
Click to expand...
Click to collapse
Nobody likes a locked device.
But I do understand the Microsoft posture about this.
Hi all,
I was wondering if it's possible to inject into zune app and make it install another app instead of the one you choose using zune.
Using fillder, I briefly tried to look what requests are made by zune but I could not see anything which looks like downloading the app.
Just sideload its a whole lot easier and I don't think something like that exists otherwise it would be on Android and iPhone.
Sent from my GT-I5800 using XDA App
andreiuc said:
I was wondering if it's possible to inject into zune app and make it install another app instead of the one you choose using zune.
Click to expand...
Click to collapse
Hmm, I can say - interesting idea! But I am afraid it's a very difficult to implement. You need to emulate whole MS store server...
I think all requests go via secure connection and checked by trusted certificates on device.
same with dev unlock.
Cotulla said:
I think all requests go via secure connection and checked by trusted certificates on device.
same with dev unlock.
Click to expand...
Click to collapse
Not at all, some requests are non-secure. I'm able (with WireShark) to catch xap requests, store/app info etc. Actually, we have a lot of marketplace replacements (even I have my own implementation ).
sensboston said:
Not at all, some requests are non-secure. I'm able (with WireShark) to catch xap requests, store/app info etc. Actually, we have a lot of marketplace replacements (even I have my own implementation ).
Click to expand...
Click to collapse
I tried with Fiddler to catch xap requests but I was not able to see any.
My idea is to to write an app which injects code in Zune to hijack calls to download a XAP from zune and download from my location instead(or get it from local disk).
it's good to hear this. but marketplace XAP files are signed and it also makes a problem. unsigned will not work. (it's not deploy, it's installation!)
Cotulla said:
it's good to hear this. but marketplace XAP files are signed and it also makes a problem. unsigned will not work. (it's not deploy, it's installation!)
Click to expand...
Click to collapse
Right. They are signed with developer key.
Not sure if WP7 OS checks this and how would it know if it's the real app?
I mean, I can sign my own XAP which I make Zune to get it and deliver it to WP7.
andreiuc said:
Right. They are signed with developer key.
Not sure if WP7 OS checks this and how would it know if it's the real app?
I mean, I can sign my own XAP which I make Zune to get it and deliver it to WP7.
Click to expand...
Click to collapse
Looking to the requests responses when you select to install an app, I was able to see this response XML:
Code:
<a:entry>
<a:updated>2011-09-08T18:03:25.3198784Z</a:updated>
<a:title type="text">3D Paperball 1.3.0.0</a:title>
<a:id>urn:uuid:1ea47c77-79c1-4c5a-b441-549b4e93dcea</a:id>
<version>1.3.0.0</version>
<url>http://apps.marketplace.windowsphone.com/E0C15284-972B-41D3-B245-8C16AAF73A66/CurrentBinary.xap</url>
<packageSize>9235456</packageSize>
<installSize>19616768</installSize>
<clientTypes>
<clientType>WinMobile 7.0</clientType>
<clientType>WinMobile 7.1</clientType>
</clientTypes>
<supportedLanguages>
<supportedLanguage>English</supportedLanguage>
</supportedLanguages>
<deviceCapabilities><capability><id>ID_CAP_NETWORKING</id><string>data services</string><disclosure>Disclose</disclosure></capability><capability><id>ID_CAP_SENSORS</id><string>movement and directional sensor</string><disclosure>Disclose</disclosure></capability><capability><id>ID_CAP_IDENTITY_USER</id><string>owner identity</string><disclosure>Disclose</disclosure></capability><capability><id>ID_CAP_IDENTITY_DEVICE</id><string>phone identity</string><disclosure>Disclose</disclosure></capability></deviceCapabilities>
<averageLastInstanceUserRating>0</averageLastInstanceUserRating>
<lastInstanceUserRatingCount>0</lastInstanceUserRatingCount>
</a:entry>
<a:author>
<a:name>Microsoft Corporation</a:name>
</a:author>
As you can see, the XAP URL is right there.
However, with Fiddler, I am not able to see any requests to this URL.
Maybe someone can share some info using more advanced tools like WireShark.
LOL, my hunch is it's actually the WP7 OS which is doing the download of the file
yeah. but it seems signed with own MS certificate ?
so developers push app to MS and they verify and sign it? (I don't know much about market space publishing)
andreiuc said:
LOL, my hunch is it's actually the WP7 OS which is doing the download of the file
Click to expand...
Click to collapse
I believe you are right as it's been discovered already that it's pacmaninstaller.exe (I think that's the spelling) on device that prevents the sideloading of homebrew apps with INTEROPSERVICES.
andreiuc said:
However, with Fiddler, I am not able to see any requests to this URL.
Maybe someone can share some info using more advanced tools like WireShark.
Click to expand...
Click to collapse
Did you "reverse tether" your phone to PC? I believe, handset is responsible to download and install xap...
BTW, all these talks is about "warez" I don't see any other reasons to do that kind of hack (or may be, for research purposes only).
To get a "prove of concept", we need:
- download MS signed xap;
- using some kind of filtering proxy, replace request to http://apps.marketplace.windowsphone.com/{GUID}/CurrentBinary.xap to the local server;
If phone will be able to download and install that xap (what is impossible by using MS or third-party deployers), we'll get a solution or at least prove of solution
Cotulla said:
yeah. but it seems signed with own MS certificate ?
so developers push app to MS and they verify and sign it? (I don't know much about market space publishing)
Click to expand...
Click to collapse
Yep, "Ed Zachary" (c) Dave Barry, "Big Trouble"