Hi all.
This is a little collection of things that i have been noticing while testing hacking issues on the phone.
Remember that those are "non-useful" (not to jailbreak) the phone, and just curiousity as topic.
Easy Hidden Menu Call
Do you need a search on the net to remember the hidden menu code? No more!. Test this phone-number string instead:
(Edited now): ##PROGRAMNITT
Max size for an app name/web favorite
Seems to be no max per se, but after doing some test, where i created title as: "chunk1chunk2chunk......chunkN" i was able to load a 1691124 characters title. Further than that, the browser seems to crash.
That's about a 3MB text string, just for the title. Would work well, when testing if several of them pinned reduce our 8gb storage(use storage) or doesn't (uses other).
Btw, you can pip up to 67 apps, (51 new) so... that's a max anyway,
Application Menu "About:blank" hack
Test this in the browser bar as direction: "about:blank". Kin IE will yell that it's not a supported protocol. Yeah, that's right. Let's dev a page on a local webserver with:
PHP:
<html>
<head>
<title>Mad redirection!</title>
</head>
<body>
<h3>Mad redirection tool!</h3>
<p> Testing: <div id="testTab"></div></p>
<p> Errors:
<div id="errorsTab"></div>
</p>
<script type="text/javascript">
var urlToTest = "about:blank";
try {
var test = document.getElementById("testTab");
test.innerHTML = urlToTest;
window.location=urlToTest;
}
catch (error) {
var err = document.getElementById("errorsTab");
err.innerHTML = "Error going to " +urlToTest+"<br/>"+error.message;
}
</script>
</body>
</html>
Browse it with the kin and you will land in the about:blank page, with the ability to be pinned on the application menu. Of course it will work, having the App link on the App menu, with a non working link (Kin still yells if you use it from menu).
Useless, but weird...
I do know that this is pure thread necromancy and that those are old news but:
a) if you are able to do the trick (using the sample html i posted) you can see that indeed it comes to about:blank and is shown as that on the title: "ABOUT:BLANK".
b) if you are so smart to change it to "about:lame" it goes there but shows a "Action canceled" webpage, where it suggest you to press the "refresh" button or use menu opcion "File -> work offline".
Like if you could.. rofl.
That means:
1) "about:" protocol is supported (at least about:blank) to be navigated BUT is nerfed from the direction bar. So other protocols could work. For example, smtp and ftp does trigger a popup from the IE, but res:// file:// and rtsp:// do not (even if they crash later, and rtsp opening zune for streaming).
2) This is a pure IE (with file menu,hopefully )
3) some other things can be tested, and every person can!
I upgraded the posted code, so it outputs an error when the redirection doesnt work (almost allways).
If you try it, remember not to end your url with \ (backslash) as it interferes with the doublequotes.
I've just completed testing a couple of things.
First, I successfully tested the "about:blank".
I also tried "about:", "about:about", "about:cache", and "about:home". These each resulted in the action canceled page described above.
I also tried the "file://" protocol, with the address "file://localhost/c:/" and received the following:
Errors:
Error going to file://localhost/c:/
Could not complete the operation due to error 80070005.
[edit] It seems that error 80070005 is given when you do not permission. The solution? Log on with administrator privileges... (see link)
Upon further testing:
about:desktopitemnavigationfailure works and displays "navigation cancelled" page.
about:navigationcanceled works and displays "navigation cancelled" page.
about:navigationfailure works and displays "navigation cancelled" page.
about:noadd-ons displays "navigation cancelled" page.
about: offlineinformation works and informs the user that the current page can not be viewed off line.
about: postnotcached works and informs the user that to refresh the current page, information entered in a form will have to be re-posted.
about:securityrisk displays "navigation cancelled" page.
about:tabs (unsuprisingly) displays "navigation cancelled" page.
I read that about:mozilla works in older versions of IE. However, it displayed the "navigation cancelled" page. You can also supposedly access the about:mozilla page using the following URL: res://mshtml.dll/about.moz
However, while this "res" protocol appears to be supported, I received the same permissions error as referenced in the above post.
I tested the mms protocol on a couple of working mms streams, but received the notification that the protocol is not supported.
I tried view-source://(random web address) and unsuprisingly was told that the protocol isn't supported. While this protocol works with some browsers, it doesn't seem to work on internet explorer even on a regular computer.
I tried the javascript protocol and it seems to work, but is different than about:, http:, etc. Mainly, it processes the javascript without leaving the script "address" in the address bar like we see with about: and http:
I was a little disappointed in this one, hoping to bookmark a javascript to test the videohamster flash video viewer for ipods, or itransmogrify for other flash files.
very nice work here. I like what you have done with this.
I'm glad that other than about:blank works (apart of the "action cancelled").
I took my time to install a wm6.5 emulator and test where do this "Action cancelled" come from in the pocket IE url bar.
They are from " res://.....navcancl.dll ".
Maybe there's a way to bypass the restrictions (the permission error) by calling some parameter in the "about:XXXX", but i can't bet on it.
Edit:
about:version seems to work (it auto-says "cannot find server", although my python custom-made-for-exploits server says that it delivered my html). But it keeps loading after the javascript redirection happens.... lol, so random .
One thought I had, that I have not had time to experiment with yet, is how deep the permissions restrictions go. For example, at times I have been logged on to a windows-based computer and have access to certain user-specific files but not to system files or to files or folders closer to the root. So for instance, we may be able to access the WinCE equivalent of "C:\Documents and Settings\<UserName>" using the file:// or res:// protocols even though we don't have permission to access "C:\".
Here's another potential avenue for information related to the "res" protocol. Apparently, it can be used to enumerate the software on a machine by identifying certain executables or dlls. (see here).
Unfortunately, the example cited in the article is not available so I can't view the code on how it was done. However, the results can be viewed here, where incidentally you can see the software installed on the computer that crawled this webpage.
Luckily, a manual or how-to paper is available here. I will try to check it out and see if I can figure out something useful.
i checked, it doesnt yell at you if you use a res:// but either if using ftp:// so the big problem is that you must pre-know the res:// uri before testing.
And in the best case, you will just get an image shown, ad js cannot give you the binary data.
anyway, i'm interested in this things....
Here's a couple other likely non-useful tidbits.
The browser will attempt to open the following filetypes with the Zune player:
.avi
.3gp
.mov
.fli
.mp4
.wmv
.wmx
When you open a VBScript in the browser, the script isn't executed, but it is displayed.
The mailto: protocol works from the browser and opens up the email dialog.
The following script causes the browser to hang (and deleting temporary files does not resolve the problem--but restarting the Kin does):
HTML:
<html><body onLoad=Demo()><script>
// MoBB Demonstration
function Demo() {
var a = new ActiveXObject("Internet.HHCtrl.1");
var b = unescape("XXXX");
while (b.length < 256) b += b;
for (var i=0; i<4096; i++) {
a['Image'] = b + "";
}
}
</script>
</body></html>
I haven't played around with the logs at all, but would this provide an error that gives some useful log output?
After some further testing, I discovered the Kin does not yell about the following protocols as being unsupported (in other words, they seem to be supported):
gopher://
nntp://
telnet://
news://
snews://
windowsmail.url.mailto://
windowsmail.url.news://
windowsmail.url.nntp://
windowsmail.url.snews://
johnkussack said:
Maybe there's a way to bypass the restrictions (the permission error) by calling some parameter in the "about:XXXX", but i can't bet on it.
Click to expand...
Click to collapse
I tried playing around with about:____, such as with the following types of addresses:
about:<input%20type=file>
about:<a%20href=C:\windows\>Click-Here</a>
but without luck.
I also tried the shell handler "Shell:" which seems to be another supported protocol, but again without luck. I tried the following Shell commands:
Shellrofile
ShellrogramFiles
Shell:System
Shell:ControlPanelFolder
Shell:Windows
Shell:::{21EC2020 shell:::{21EC2020-3AEA 3AEA-1069 1069-A2DD A2DD-08002B30309D}
Here are a couple more that I found other people sometimes try that I haven't tried (at least not yet):
shell:ControlPanelFolder
shell:::{35786D3C-B075-49b9-88DD-029876E11C01}
shell:::{208D2C60-3AEA-1069-A2D7-08002B30309D}
shell:::{7007ACC7-3202-11D1-AAD2-00805FC1270E}
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103}
shell:::{E17D4FC0-5564-11D1-83F2-00A0C90DC849}
Ok, so this will be my last post in this thread tonight . For some unknown reason, you can access your emotes when in camera mode.... It doesn't do anything if you try to use one though.
great to hear about the shell::XXXX thing.
Does it trigger something? like about:blank or the other trigger a blank or a "cannot go" page.
btw, a real path on the phone (granted by the logs) is:
\Windows\eri.bin
That's assured , with the start backslash ("\\" if used on js code)
these hacks arent nonuseful
you should have called these hacks something other than non useful because we can use these little tips and tricks in combination with others to actually create an in browser jailbreak using the unrestricted protocols.
shell commands
try the net user admin <username> <password> console command in the shell protocol and see if you an bypass restrictions. theres no reason why console commands shouldnt work even though i havent tried this myself.
X-15D9W8491 said:
try the net user admin <username> <password> console command in the shell protocol and see if you an bypass restrictions. theres no reason why console commands shouldnt work even though i havent tried this myself.
Click to expand...
Click to collapse
Sorry, I'm not sure where you mean to do this. Unless I completely missed the revelation, so far, nobody has been able to get any type of shell/console access (as it doesn't really exist on a Windows Mobile OS anyway).
i called them as is, cause in first place, they were non useful, lol.
Although now, it could be a good try to get some "jailbreak" procedure.
as we dunno what windows mobile i6 can do, i guess we should/must try into a real mobile device (maybe my old pda too), or a win mobile 6.5 emulator, to test procedures (less restrictions), and then repeat on the kin (restricted).
I always though that the browser was the weakest part anyway
if you do tel: in the browser, and write anything after that it opens it up in a bubble....it lets you call letters, although it gives an error in the phone app
When using the TRACERT (Trace Route) in the programnitt menu I found a quirk.
Using 127.0.0.1 to Trace replies: WindowsCE
...that's obvious but interesting.
Using 127.0.0.0 to Trace replies: * 87 (30 times, hits limit and stops)
I have no idea why it would reply with the voicemail number....
Related
Hi guys
I've just started working with Silvermoon. When testing the demo app (as well as my own app) on my HD2, it works fine for 6 times, but when I start the app for the 7th time, it crashes without any message.
Has anyone else had this problem? Any ideas?
Any help would be appreciated!
Thanks, Rob
I don't have these problems on my HD. It looks like some resources are not cleaned up at application exit. Do you call 'Screen.Close();' when exiting the application?
edit:
As you're using an HD2 you don't have the libGLES_cm.dll and I assume you have copied the one of the demo. This is a software implementation and could also be the reason of running out of memory. The OpenGLES 1.x dll on GLES2 devices is called something like libGLESv1.dll. To use OpenGLES in a managed application/library the methods have to be imported from the dll and the dll name has to be defined at compile time. So, take a look at the silvermoon sources and if you find dllimport(...) using libGLES_cm.dll you'll have to replace this dll name with libGLESv1.dll (look up the correct name in your /windows directory) and rebuild framework.
(had to do that in my OpenGL test app for gles2 devices)
edit2:
Had a quick look into the silvermoon sources and for gles2 devices it has to be recompiled after changing the dll names:
in Silvermoon\OpenGL\Native\
egl.cs: change const string LibGlesDllName = "libgles_cm.dll"; to ... = "libEGL.dll"
gl.cs: change const string LibGlesDllName = "libgles_cm.dll"; to ... = "libGLESv1.dll"
(the egl dll could also be changed to "libGLESv1.dll" just in case this doesn't work)
You'll need VS2008 to compile the solution.
Hello heliosdev,
Thank you very much for your reply, I really appreciate it!!! I am calling Screen.Close() in my app and have the same problem in Silvermoon demo, so this shouldn't be the issue...
My HD2 has the following files in Windows directory:
libEGL.dll
libEGL_org.dll
libGLES_CL.dll
libGLES_CM.dll
libGLESv1_CM.dll
libGLESv2.dll
I recompiled OpenGl.dll in VS2008 with the folowing combinations & results:
libGLES_CM.dll in gl.cs & libEGL.dll in egl.cs -> app not starting at all.
libGLES_CM.dll in gl.cs & egl.cs -> app crashes at 7th start
libGLESv1_CM.dll in gl.cs & egl.cs -> app not starting at all.
libGLESv1_CM.dll in gl.cs & libEGL.dll in egl.cs -> app crashes at 7th start
Any further ideas?
I think the last version (v1 and egl) should be used on gles2 devices instead of the software renderer.
Now it's getting difficult.
Maybe try to disable Manila (Sense) restart device and test your app.
If it still fails:
Try to start another opengles app several times. (try my opengl test app (snapdragon version))
edit:
something else to try (yes, I'm getting out of ideas...)
Before Screen.Close() you could call gl.DeleteTextures() with for example an array of 100 uints starting at 1.
Disabling "HTC Sense" allows for one extra launch of the app, meaning it crashes at the 8th start attempt. Exactly the same problems using your TestOpenGL.
The only difference is, that when trying to launch my app for the 7th/8th time, the busy cursor appears shortly on the screen, as if it were starting up, but then just disappears and nothing more happens. When I launch TestOpenGL, the busy cursor appears and freezes, then nothing more happens.
ok, so it looks like resources are not cleaned up.
Try the glDeleteTextures suggestion. (even though this is called)
btw: Are you using a stock rom? Have you installed any 3d drivers (like chainfire's patch found in the sticky thread in the forum)?
Nope, unfortunately gl.DeleteTextures(1, 100) just before Screen.Close() is not helping either...
I'm using Xannys Pandora ROM which has GLTweaks integrated. However, taking into consideration the posts from codeplex, where several people are having the exact same problem on different phones (tg01, hd2), can it really be a ROM problem?
BTW: Thank you so much for taking the time to try and help!!!!
I struggle with the same issue in my own app (here) using silvermoon (7th start fails using HW renderers).
heliosdev Test app runs fine and can start numerous times without problems (gave up after 20 starts), also tried "coin toss" (here) without problems running multiple times.
Running on Miri's 6.5.x v8 without any enhancements installed.
Ok, I've created a small test app, which simply loads a form containing a Silvermoon window control, with a ChromeButton on it. On clicking the button, I call Screen.Close() to exit the app.
Testing on the Emulator works fine, but on my HD2 the 7th attempt to launch the app results in the following error: "Error on glGenTexture.". I have traced this Error to Line 37 in "Texture.cs" of the OpenGL source:
Code:
public Texture()
: base()
{
this.Name = gl.GenTexture();
[b]if (this.Name == 0) throw new OpenGlException("Error on glGenTexture.");[/b]
}
I added a line in Texture.cs to output the gl.GenTexture() uint value. On the first 6 start attempts it returns the values 1 and 2, but on the 7th it returns 0, which obviously is what causes the error.
Digging further, the GenTexture() method (which is returning 0) comes from pInvoking glGenTextures() in libgles_cm.dll.
Sadly, this is where my programming skills end... I really hope we can find a solution to this issue! It would hurt, having to give up on Silvermoon.
Looks like 'out of memory'. Call the following method before and after the GenTexture call (1285 is out of memory error).
Code:
private void CheckErrorGL(string info)
{
uint err = gl.GetError();
if (err != gl.GL_NO_ERROR)
{
MessageBox.Show(err.ToString(), "GL " + info);
}
}
Doesn't seem to be OutOfMemory... gl.GetError() is returning 0.
The exception is thrown without any glerror message box?
Run cleanRAM before calling it for the 7th time.
Correct, it's not throwing a glerror! Although, VS2008 is not showing me GL_NO_ERROR option on gl. But an if I remove the if-clause from your code (if (err != gl.GL_NO_ERROR)), the messagebox always returns 0.
Just ran a level 3 purge with cleanRAM... problem remains
The error definitions are in the namespace Silvermoon.OpenGL.Native (gl/egl)
And what does egl.GetError() return? (EGL_SUCCESS is 12288)
Code:
private void CheckErrorEGL(string info)
{
int err = egl.GetError();
if (err != egl.EGL_SUCCESS)
{
MessageBox.Show(err.ToString(), "EGL " + info);
}
}
the error definitions are surrrounded by a
#region obsolete
#if false
...
#endif
Change the false to true to access them.
get a EGL 12294 before calling gl.GenTexture()
seems to be a EGL_BAD_CONTEXT
Before calling gl.GenTexture() I'm also getting error code 12294 (EGL_BAD_CONTEXT) and afterwards 12288 (EGL_SUCCESS).
(Had a typo in my code, therefore I got the wrong result previously...)
I have the same problem with my tiny graphics engine. I think its the same problem because the egl.cs and its setup are nearly identical. So here's what I've found out:
- Its only about Egl, not about OpenGl, so forget deleteTextures etc (I've written a little test, that simply creates a display, context and surface and destorys them, no Gl calls and the same bug)
- create context creates a "Gl_Bad_Alloc" error
- everything that is allocated by egl is also destroyed
I think its also not a bug in the driver, because there is for example that ogles 2 game electopia or something like that, and this game is not affected!
I found a solution!!! I don't know about Silvermoon, but it works with my tigre engine. I can't explain it, I have no idea, and itse not the best solution, but it seems to work. Just DO NOT destroy the display, DO NOT delete context and DO NOT delete the surface. Any one have a idea why it is like that?
Phippu said:
I found a solution!!! I don't know about Silvermoon, but it works with my tigre engine. I can't explain it, I have no idea, and itse not the best solution, but it seems to work. Just DO NOT destroy the display, DO NOT delete context and DO NOT delete the surface. Any one have a idea why it is like that?
Click to expand...
Click to collapse
Amazing! That did the trick with silvermoon too. Great find, thanks!
No idea why that works though.
Sometimes it seems to be better leaving a mess instead of cleaning everything up properly
Hello,
I recently bought and installed surfcube (which is pretty cool) but whenever i click on any link outside the browser (ex: twitter/ facebook), it automatically opens an IE window. Any hack out there to get that to go to a different browser, such as surfcube?
This may be based on the default handler for the http: URI format. If anybody finds a way to change this (either the URI handlers, file extension handlers, or just default browser) we would all love to know. I don't think anybody has pulled this off yet, though.
GoodDayToDie said:
This may be based on the default handler for the http: URI format. If anybody finds a way to change this (either the URI handlers, file extension handlers, or just default browser) we would all love to know. I don't think anybody has pulled this off yet, though.
Click to expand...
Click to collapse
And almost more importantly, SurfCube doesn't have the code to read a URL from a command line (or whatever method is used), so the best it would do is just open the app without the specified URL.
davux said:
And almost more importantly, SurfCube doesn't have the code to read a URL from a command line (or whatever method is used), so the best it would do is just open the app without the specified URL.
Click to expand...
Click to collapse
Hi,
I am the developer of SurfCube - if somebody can figure out how to open it as the default browser, we will work hard on making it actually open the URL if it gets passed to us.
That would be pretty cool. I would suspect that there is a registry key for the default handling of URL's. Passing that URL to the third party browserr would most likely need command line and lower file system access.
Sent from my Samsung Focus
HKEY_CLASSES_ROOT is present on WP7, although it works a little differently than on desktop Windows. One thing worth noting is that built-in software, such as IE, is invoked differently from installable apps. Built-in software is compiled to actual EXEs, which of course have a standard way to be passed parameters. WP7 apps are DLLs, invoked by a hosting EXE. Also, the way apps are specified is a bit weird; it's by GUID instead of by path.
There is one installable app which is registered as the handler for a file extension (Adobe Reader for PDF). By picking apart its registry entries, I have at least a partial view of how it works.
HKCR\.pdf:
Default = PDFFile
Content Type = application/pdf
HKCR\PDFFile
AppID = "BC4F319A-9A9A-DF11-A490-00237DE2DB9E"
Application Task = "app://BC4F319A-9A9A-DF11-A490-00237DE2DB9E/_default?"
EditFlags = d:0x00010000
HKCR\PDFFile\shell\open\command
Default = "app://5B04B775-356B-4AA0-AAF8-6491FFEA5665/_default?type=PDFFile&file=%s"
There are some interesting hings here. First of all, the BC4F GUID is the one for the Adobe Reader app. Therefore, AppID is the GUID for an installed app that handles a file or protocol association.
Second of all, the shell\open\command\Default value is present for every openable type, but the GUIDs it contains are *not* in the Applications list (note the difference between it and the AppID value). This appears to be how the OS specifies native applications.
Third, it *is* possible to pass parameters to installable apps. See the %s on the end of the value? That gets replaced by the filename, I suspect. Anybody want do pull apart the Adobe Reader or YouTube apps (the only ones with AppID values) and see how they do it?
Fourth, I'm pretty sure we can use this to add our own associations even if we can't get it to open files in them. I'm not sure how easy it will be, but it should be possible.
For those interested in browsers:
HKCR\http
Default = "HyperText Transfer Protocol"
Source Filter = "{97e7c245-4d6f-483b-a772-de22b15fa999}"
URL Protocol = ""
HKCR\http\Extensions
.3g2 = "{97e7c245-4d6f-483b-a772-de22b15fa999}"
.3gp = "{97e7c245-4d6f-483b-a772-de22b15fa999}"
.aif = "{e436ebb6-524f-11ce-9f53-0020af0ba770}"
... and 20-odd more like this
HKCR\http\Shell\Open\Command
Default = "app://5B04B775-356B-4AA0-AAF8-6491FFEA5665/_default?StartURL=%s"
HKCR\PROTOCOLS\Handler\about
CLSID = "{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
HKCR\PROTOCOLS\Handler\javascript
CLSID = "{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}"
HKCR\PROTOCOLS\Handler\mailto
CLSID = "{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B}"
HKCR\PROTOCOLS\Handler\res
CLSID = "{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}"
... note that these GUIDs are very similar but not the same.
HKCR\.html
Default = "htmlfile"
Content Type = "text/html"
HKCR\htmlfile
Default = "HTML Document"
EditFlags = d:0x00010000
HKCR\htmlfile\CLSID
Default = "{25336920-03F9-11cF-8FD0-00AA00686F13}"
HKCR\htmlfile\Shell\Open\Command
Default = "app://FB04B775-356B-4AA0-AAF8-6491FFEA5660/_default?StartURL=file://%s
HKCR\MIME\Database\Content Type\text/html
CLSID = "{25336920-03F9-11cf-8FD0-00AA00686F13}"
Encoding = 08-00-00-00 (binary)
Extension = ".htm"
I'm omitting a few fairly irrelevant keys, like DefaultIcon. This FB04B775 app is interesting - it seems to serve as a launcher, although that's just a guess for now. In any case, it accepts parameters like StartURL, Type, and File (with the last two coming together) and file substitution (the %s that stands in for the URL or file).
Anybody want to have a go at detangling this?
Also, Good News Everyone: it *is* possible to add associations between unknown extensions and known files, at least. I just added HKCR\.log as a clone of HKCR\.txt (Default = "txtfile"; Content Type = "text/plain") and opening a .LOG file in Outlook now opens the file in Work (it used to trigger a MessageBox saying file type was not known). So cool!
Looks like you can override OnNavigatedTo (from PhoneApplicationBase class) and use NavigationContext.QueryString() to get the required information.
If you use something like
Default = "app://5B04B775-356B-4AA0-AAF8-6491FFEA5665/_default?type=PDFFile&file=%s"
you could use
var params = NavigationContext().QueryString();
if (params.ContainsKey("file"))
{
// code here
}
so any param of the caller url will be part of the query string dictionary.
Hope this helps.
P.S.: Office does it in a more elegant way , They use only one param "CmdLine" and can use the normal cmd line argument parsing on this param, e.g. ...........?CmdLine=-opendoc %s
kuerbis2 said:
Looks like you can override OnNavigatedTo (from PhoneApplicationBase class) and use NavigationContext.QueryString() to get the required information.
...
P.S.: Office does it in a more elegant way , They use only one param "CmdLine" and can use the normal cmd line argument parsing on this param, e.g. ...........?CmdLine=-opendoc %s
Click to expand...
Click to collapse
Yes, this is pretty much what I wanted to go with. The question now is how to get SurfCube to open if you click on a link in en email or twitter or the poeple hub.
I can only imagine one solution (but my imagination is limited <g>): Create two apps.
1.) SurfCube prepared for parameter passing
2.) HomeBrew App which replaces HKCR\http\Shell\Open\Command
-t
kuerbis2 said:
I can only imagine one solution (but my imagination is limited <g>): Create two apps.
1.) SurfCube prepared for parameter passing
2.) HomeBrew App which replaces HKCR\http\Shell\Open\Command
-t
Click to expand...
Click to collapse
Yes, this is exactly what I am thinking about. But I need help with the second one from this group. Also, is there any way to do the registry edits on the emulator? I would prefer to play with that until things get fairly stable.
After digging a bit deeper, it looks like you are out of luck. I don't know why but the AppID of MobileIE is hardcoded in the WebBrowserTask (reference assemblies and Samsung Omnia 7 GAC assembly):
ChooserHelper.LaunchSession("app://5B04B775-356B-4AA0-AAF8-6491FFEA5660/_default?StartURL=" + this.URL);
So, even if you manage to change the html handler, you won't get the calls from the correspondig task.
Long time since I've seen something hardcoded like this on a windows platform...
I can't confirm this now, but I think 5b04b is actually the application host process. In other words, it's the thing that makes the navigation buttons work, and which runs the installable app DLLs. The StartURL parameter may just mean "look up things defined as a URL Protocol (HTTP is one such thing) and launch the corresponding app." The Filter value may be relevant here, perhaps even as the actual app id for IE. In any case, I get the feeling that the reason it's hard-coded is because it's the launcher app, and StartUrl is just how you tell it to invoke the web browser.
However, the hardcoded GUID and the ones in htmlfile, http and related keys is different from for example the one used in PDFFile.
Crap, you're right. I wasn't paying enough attention to the last couple digits. It doesn't help that searching registry data (as opposed to keys and value names) doesn't seem to work. I'm tempted to say that some experimentation is in order, although I'd prefer to know what I'm messing with.
I have a main form with a load of controls on it. I have a listbox, and a piece of code that is looking at individual items eg:
Code:
dim listitem as listboxitem = me.listbox.item(0)
when i use the navigationservice.navigate function to navigate to a different page, and then navigate back to the main page i can no longer edit that list box. The code still runs and doesnt error, but the list item is not updating. Its almost like there are two instances of the form open.
Any ideas?
thanks
when im navigating back to the main form i am using another navigationservice.navigate. Im guesing this is creating a new form everytime you use the .navigate as when i use navigationservice.goback from the second form it works fine.
To that end, is there a way you can close a form once you have navigated away from it using .navigate? and can you navigate to an already open form (without creating a new instance) and without using .goforward?
thanks (im using vb silverlight by the way)
adamrob69 said:
... i can no longer edit that list box. The code still runs and doesnt error, but the list item is not updating. Its almost like there are two instances of the form open.
Click to expand...
Click to collapse
Hmm... Could you explain what do you mean? How do you "edit" list box?
Post your code and explain what are you trying to do.
P.S. Have you tried to trace your code with breakpoints on the page constructors? Just try - you will be very surprised
Code:
''MainForm
sub EditListBox()
dim listitem as listboxitem = me.listbox.item(0)
listitem.content = "New List Text"
end sub
sub Navigate()
NavigationService.Navigate(new uri("/Page2.xml",relative))
end sub
Code:
''Form 2
sub NavigateBack()
NavigationService.Navigate(new uri("/MainForm.xml",relative))
end sub
The EditListBox() routine is called every x mins from a system timer. When navigated to form2 then back again the code still runs, i can put a break in and can see it running through the code but the listbox isn't updating. I believe this is because when you use the NavigationService.Navigate function it creates a new instance of the page. On form2 if I use NavigationSevice.GoBack instead of .navigate the main form updates the listbox correctly.
So if that is the case; is there a way you can close a form once you have navigated away from it using NavigationService.navigate? and can you navigate to an already open form (without creating a new instance) and without using .goforward?
I've already gave you a hint (to debug constructors). Yes, if you are using NavigationService.Navigate(new Uri("/MainPage.xaml", UriKind.Relative)); or NavigationService.Source = new Uri("/MainPage.xaml", UriKind.Relative); it creates a new page.
This implementation have a sense if you start thinking in web-based terms (what is Silverlight built for!)
BTW, I don't understand your requirements. Why do you need this? What's wrong with GoBack() or GoForward()? Also, have you tried other WP7 layouts (Panorama etc.)?
Try to follow the MS "Metro UI" recommendations and many questions will disappear shortly...
GoFoward won't work:
http://msdn.microsoft.com/en-us/lib...ation.navigationservice.goforward(VS.92).aspx
It seems like your problem isn't navigation, (because you should be using GoBack) but that the previous page that you GoBack to isn't how you wanted it.
If this is the case, you should add some sort of way to tell an event occurred. For example, if you did (note this is really rough)
Page2.xaml.cs
{
...
public static bool VisitedPage = false;
...
}
and when you visit the page, simply set it to true.
Then, when you GoBack, in OnNavigatedTo
protected override void OnNavigatedTo(NavigationEventArgs e)
{
if (Page2.VisitedPage)
{
//process why you needed to go tot he page
//clear the page for a fresh run
}
}
Have you tried unselecting that listbox item when you goback?
I had this same issue not too long ago where since it was the same instance of the page the listbox item was still selected when I returned and since the event on the listbox is "selectedchanged" it doesnt change when you select the same 1.
Network Exploitation
Hello Everyone! This is my first ever post, I just got the Kin TWOm a few days ago and i've been playing around with a few different exploits.
Port Scanning
There are only two open ports on this device:
Port 138: NetBios-DGM
Port 137: Microsoft Windows Mobile netbios-ssn
I will be attempting to run a few different netbios attacks and I'll let you guys know if I gain root access!
Browser Exploits
According to the Wikipedia page on the Kin Series of phones the Browser Agent is: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; en-US; KIN.Two 1.0)
I will also attempt to run many IE 6,7,8 etc. exploits on this device.
I'LL KEEP YOU GUYS POSTED! Also, If you know any more information about the networking aspect of this device PLEASE RESPOND TO THIS POST!
Thanks.
True, but port hacks use the 139 port.
Also, netbios commands (alas "nbstat") don't work with the kin ip (just retested with router-asigned local ip), but kin answers pings.
Also, dont just believe what wiki says. Test a browser detector page for the browser headers, and the capabilities.
As we have understood the storage upload/download i guess that we can also retest this kind of approach.
Dont want to upset ya, but i tried most of the exploits and the meta xploit things without nothing more than explorer crashes without rooting. Also, we do not know anything (or almost) from the OS, so shellcodes in ARM assembly may not work when using dll addresses.
As othes say that the M versions can open youtube, that's a good point to check too. I will think about it.
Edit, just checked it. Kin uses the "rtsp" protocol, which was unable on the version "kin two" (without M). Unfortunately, my kin doesnt play any vid from the net (maybe because not using 3g and just wifi).
Don't forget to test on 1.00 firmware. Since 1.00 had KIN Studio, which synced up everything. You might be able to get through the KIN Studio Sync.
Give me a working kin two then. Also, a CDMA connection tower to at least, get the kin to try to call home.
.... just kidding.
@john, your kin wont let you watch videos? Well it's not because your using a wifi network because I use a wifi network all the time. If you want youtube to work, then go to the page with the video, close out, go to settings then browser and delete temporary files and cache
i appoligize if this doesnt pertain, but on MS answers fourms i read that the loop on the orginial KIN OS uses a URL to function. Maybe this is exploitable..
somebody should look into this though.
So.. i doubt that is up to a common user level to test this but, as i said before, the kin two (twoM version only) uses RTSP.
It's possible to use a custom url for that protocol in the normal address bar. For example:
rtsp://lamewebsite.com/roflvideo/
Of course, if you'r on a lan, you can achive something like:
rtsp://192.168.1.2/roflvideotest/
having a a custom program listening on port 554 (default rtsp) at 192.168.1.2 .
There are some exploits (old, around the web) called "PoC rtsp exploit" which uses customized rtsp packets to execute code and/or crash the receiver program.
Mmmm or probably not crashing either, but showing the "Doh! can't play this".
Of course, as you can see, you can patiently wait for a rtsp random url (not a real rtsp one) to load ("Loading...") to see that's Zune (aka "Music & more") App what loads the video.
So zune is the program to crash and/or exploit, which is not a weak target (not much more info about it or its weaknesses).
@JohnKussack,
What about this HTTP zune exploit that allows overwriting zune files:
http://securityresponse.symantec.co...sponse/attacksignatures/detail.jsp?asid=22921
(I don't know anything about this exploit other than that it exists)
Marcellus1 said:
What about this HTTP zune exploit that allows overwriting zune files:
http://securityresponse.symantec.co...sponse/attacksignatures/detail.jsp?asid=22921
Click to expand...
Click to collapse
From what i see, it's a (microsoft caused) name mistake. This seems to be for the Zune software at windows, not for the zune software (at Zune devices/kin).
It's like zune of zune devices under zune os to run zune apps in a zune world where everything is named zune.
Yup, i was right. Just tested a local server at home:
Code:
Kin RTSP server test on port 554
Waiting for connection from the kin
Kin connected from Address: ('192.168.2.150', 49173)
##########################
DESCRIBE rtsp://192.168.2.134/ RTSP/1.0
CSeq: 1
Accept: application/sdp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
##########################
Edit: after several tries, it seems like it just su.... accepts .3gp files, and refuses to get another filetype. Ironically, the Microsoft papers about this, say that rtsp client should send the accepted files with the DESCRIBE request. (Home team failing, anyone?).
I doubt it would just accept the exploit idea (found the code for the exploit and did not work, just normal error) or be a possible hole into the system.
johnkussack said:
Edit: after several tries, it seems like it just su.... accepts .3gp files, and refuses to get another filetype.
Click to expand...
Click to collapse
Have you tried an mp4 or m4a file?
Marcellus1 said:
Have you tried an mp4 or m4a file?
Click to expand...
Click to collapse
Not in the mood. It just refused the others, so i skipped creating or downloading a mp4 to test.
Anyway, every joe can stream in Vlc (windows) and test both. I just tested local issues.
Would this exploit work or be useful? It is said to cause an exploitable heap corruption using a GIF file:
http://mobile.securiteam.com/exploits/5YP012A8AW.html
Here's another potential exploit that works by sending a malformed RTSP response header that allows shell code to be executed:
http://www.eweek.com/c/a/Security/Trio-of-Exploits-Out-for-Windows-QuickTime-RTSP-Flaw/
Marcellus1 said:
Would this exploit work or be useful? It is said to cause an exploitable heap corruption using a GIF file:
http://mobile.securiteam.com/exploits/5YP012A8AW.html
Here's another potential exploit that works by sending a malformed RTSP response header that allows shell code to be executed:
http://www.eweek.com/c/a/Security/Trio-of-Exploits-Out-for-Windows-QuickTime-RTSP-Flaw/
Click to expand...
Click to collapse
No. The second one is my named rtsp exploit.
why dosent some one try using the v cast store instead od android or windows 7
I have a PhoneGap application designed to work on multiple mobile platforms. I'm loading a dynamic HTML content from an external page on the Internet using jQuery Mobile. The problematic system is Windows Phone 7.
This is what I get from the external page, with the URL of the script tag already replaced to load from the phone instead of from the net to save bandwidth:
HTML:
<script type="text/javascript" charset="utf-8" src="x-wmapp1:/app/www/test.js"></script>
This works fine on Android, iPhone and even BlackBerry when I replaced the x-wmapp1: part by a respective counterpart (e.g. file:///android_asset/www/ on Android). However, on Windows Phone 7 it doesn't seem to work at all.
When I try to load the same URL via $.getScript function, it always returns a 404 eror, even if I try and load it with a relative path only.
Any suggestions?
First of all, this type of question may be better suited to the Software Development or Apps and Games sub-forums, as a lot of the people who hang out here are more familiar with homebrew hacks. I'll give it a shot, though.
First of all, what kind of path are you trying to use? I haven't tried loading scripts or images in HTML or JS, but to dynamically load content within the app itself typically requires some care with regard to the path. For example, is the JS file being built into the assembly (as a resource) or included alongside it (as content)? How about the HTML page?
This is a kind of lame approach, but one option that's sure to work is just inlining the scripts in the page, directly. That won't increase the total app size or load time at all, although it might make maintaining the app take a little bit more effort.
Thanks for the reply, I will try to post this into the more appropriate forum.
With regards to paths - you can see the path in the HTML snippet I provided in the original question. It's all a bit specific and we cannot afford to load JS directly from page, since that does increase the size of the resulting HTML, sent from an external PHP page, thus increasing bandwidth. This is the first reason why we chose to have all JS and CSS files directly bundled with the application and load them internally rather than from Internet.
Also, all of JS files are included alongside the application as content. I'm using the same approach for all images, since if they were included as a resource, they would not show in the application.
GoodDayToDie said:
First of all, this type of question may be better suited to the Software Development or Apps and Games sub-forums, as a lot of the people who hang out here are more familiar with homebrew hacks. I'll give it a shot, though.
First of all, what kind of path are you trying to use? I haven't tried loading scripts or images in HTML or JS, but to dynamically load content within the app itself typically requires some care with regard to the path. For example, is the JS file being built into the assembly (as a resource) or included alongside it (as content)? How about the HTML page?
This is a kind of lame approach, but one option that's sure to work is just inlining the scripts in the page, directly. That won't increase the total app size or load time at all, although it might make maintaining the app take a little bit more effort.
Click to expand...
Click to collapse
First question: have you set the IsScriptEnabled proerty on the control to True? It defaults to False, preventing scripting within the control. Also, changing it only takes effect
on navigation, so if you already loaded the page and then set this property, it still won't work.
Anyhow, I missed that your HTML was coming externally, and only the scripts and stylesheets were local. That's... interesting, and seems reasonable enough, and I can't find any info online that exactly matches your use case. The way you're structuring the script src URI looks weird to me, but I haven't messed with the WebBrowserControl very much at all.
One solution, though a bit hacky:
Use the WebBrowserControl's InvokeScript function to dynamically load scripts into your pages. To do this, you would first need to load the script file content into a .NET String object. The GetResourceStream function is probably your best friend here, combined with ReadToEnd(). Then, just invoke the eval() JS function, which should be built-in, and pass it the JS file content. That will load the JS into the web page, creating objects (including functions) and executing instructions as the files are eval()ed.
Of course, you'd need to do this on every page navigation, but you can actually automate it such that the page itself requests that the app load those scripts. In your app, bind the script-loading function to the ScriptNotify event handler, probably with some parameter such as the name of the script to load. Then, on each page served from your server to the app, instead of including standard <script src=...> tags, use <script>window.external.notify('load localscript1.js')</script> and so on; this will trigger the app's ScriptNotify function for you.
I hope that helps. I can see your use case, but somewhat surprisingly, I couldn't find anybody else online who had either run into your problem or written a tutorial on doing it your way.
Thank you for your reply, it was very informative. One question though - why do you think the way I'm structuring the SCRIPT URI is wierd? I tried to mess around with relative URIs and the such, however those would load the JavaScript file from Internet rather than from the application itself.
The problem I'm running into with your proposed solutions, however is that:
1. the project is a PhoneGap/Cordova application, using its own components, so I have no idea where I would look for IsScriptEnabled here (although this all worked on an older PhoneGap release, so I'm guessing they have it set up correctly)
2. injecting a script programmatically on each navigation would require me to rewrite much of the code we already use for other platforms, not to mention those custom Cordova components, which I don't even know if they can handle such thing
As for my user case - I was surprised to be the only guy on the internet with this methodology in place as well. So it either works for everyone else or nobody really thought of doing it my way, since it's basically an Internet application (maybe the don't want to disclose their sources, who knows).
CyberGhost636 said:
1. the project is a PhoneGap/Cordova application, using its own components, so I have no idea where I would look for IsScriptEnabled here (although this all worked on an older PhoneGap release, so I'm guessing they have it set up correctly)
Click to expand...
Click to collapse
In the WebBrowser properties.
CyberGhost636 said:
As for my user case - I was surprised to be the only guy on the internet with this methodology in place as well.
Click to expand...
Click to collapse
Of course you not "the only guy". I've tried to port/run a few HTML java-script based games on WP7 (Digger and couple more) more then year ago; they runs well with one HUGE exception - touch screen events are freezing scripts execution and make games not playable.
The "x-wmapp1:" URI scheme was what I was referring to. Not sure where that comes from, but I haven't done anything really with the WebBrowser control.
I have no knowledge of PhoneGap or Cordova; I assume they're "we write your app for you" frameworks? One would assume that such tools would know to set IsScriptEnabled, but you may have to do so manually. A bit of web searching on that direction may be fruitful - maybe earlier versions enabled scripting by default, and now it's disabled by default so you have to specify an option somewhere?
Injecting the script on navigation really doesn't require any major change to the server-side code. I mean, is sending
<script>window.external.notify('load localscript1.js')</script>
really much different from sending
<script type="text/javascript" charset="utf-8" src="x-wmapp1:/app/www/test.js"></script>
? If that's too different, you could instead send
<script src="http://yourserver.com/LoadLocalScripts.js"></script>
and put "LoadLocalScripts.js" on your server with the following code:
window.external.notify('load localscript1.js');
This has only a trivial increase in server traffic and load time, but lets you continue using external scripts instead of inline ones. Very little server-side change needed at all.
Now, the additional client-side code to support the window.external.notify and call InvokeScript... normally I'd say that's dead easy, because it is if you have any experience with the .NET framework, but in your case I get the feeling that this isn't so? I code to the framework, or to the underlying native code, and I tend to code "raw" (very little auto-generated code), so I'm not going to be able to help you solve the problems with a "make me an app" wizard unless I can see the code it generates for you.
For what it's worth, here's the approximate raw code that I'd use (it's over-simplified, but close enough):
void HandleNotify (String param) {
String[] parts = param.split(" ");
if (parts[0] == "load") LoadScript(parts[1]);
}
void LoadScript (String script) {
String content = Application.GetResourceStream(new Uri(script, UriType.Absolute)).ReadToEnd();
theBrowserControl.InvokeScript("eval", content);
}
void theBrowserControl_Loaded (...event handler args here...) {
theBrowserControl.IsScriptEnabled = true;
theBrowserControl.ScriptNotify += HandleNotify;
theBrowserControl.Navigate("http://yoursite.com");
}
the URI comes from Windows Phone itself, with this code, you can see for yourself:
var a = document.createElement('a');
a.setAttribute('href', '.');
alert(a.href);
also, I've been informed that this works in Cordova 2.0, so it might be a 1.8.1 bug... will try and see how it goes
thanks for your help so far!
Looks like it was a problem with PhoneGap 1.8.1 - after upgading to Cordova 2.0 (PhoneGap got renamed) it all works now... thanks for all the help!