HTCutility.dll used for direct access to TCB chamber - Windows Phone 7 Development and Hacking

As it is known that HTCUtility.dll will provide complete, unrestricted access to the TCB chamber on HTC devices, can this be used to unlock (at any level) the OS?
I have not heard anyone speaking of it, and it exists on my HTC Arrive. It seems to be a bypass for unrestricted access to anything within HTC devices.
I am looking at it myself, but thought I would share.
See details here...
http://labs.mwrinfosecurity.com/files/Advisories/mwri_htc-htcutility-kernmem_2011-11-10.pdf

Your link is down

Very interesting, but your link is down, so please fix it so I can take a look. I too have an HTC Arrive and have been working on an unlock.

Don't know what happened to the link.
Here is the link to the google docs version.
https://docs.google.com/viewer?a=v&...1C1HkN&sig=AHIEtbTwK-r8RyAyFmt1ai119m7EVAqsNA
-Paul

This looks promising, I'd like to know if what's written there is true ...

The paper is a couple months old, so it *could* have been patched by HTC... but hey, it also might not have been! This bears investigation post-haste.
It's easy enough to use this to execute some arbitrary code at high permissions, which is certainly useful as-is (do things like unrestricted registry and filesystem access). The real potential of it, though, is to turn off the security restrictions for specific apps. Essentially, get the benefits of a "fully unlocked" ROM but on a stock ROM, and only for the apps you specify.
One thing to note here: this is still going to require an interop-unlocked phone. It's opening a handle to a driver, and just like everything else that does so, it needs ID_CAP_INTEROPSERVICES. This is great news for owners of interop-unlocked/unlockable phones (since this makes interop-unlock useful again) but probably doesn't help on 2nd-gen phones or on the Arrive (unless you want to roll back to NoDo, in which case this can probably be used to make an interop-unlock that works on Mango, though it wouldn't be easy).

I hope some one gets this working for the Arrive ASAP

Oh this was talked about a while back. It was patched back in NODO

Really? The paper is from only 3 months ago (assuming USA numeric date style, 2 months otherwise). You don't typically publish security advisories for things that were patched more than 6 months prior.
In any case, HTCUtility.dll still exists on my phone. No idea yet if that IOCTL still works, though. I'll try it out in any case, and report back.
For those asking about it for the Arrive though, you're likely out of luck even if this works. It is *not* a way to interop-unlock a phone, and it is *not* a way around interop-unlock. It's a way to do more things on an interop-unlocked phone. You can't even reach a driver (which is what HTCUtility.dll is) unless your app has ID_CAP_INTEROPSERVICES - that's what the capability is actually for, accessing drivers - and you can't install a homebrew app with that capability unless interop-unlocked (or on pre-Mango).

GoodDayToDie said:
I'll try it out in any case, and report back.
Thank you

GoodDayToDie said:
Really? The paper is from only 3 months ago (assuming USA numeric date style, 2 months otherwise). You don't typically publish security advisories for things that were patched more than 6 months prior.
In any case, HTCUtility.dll still exists on my phone. No idea yet if that IOCTL still works, though. I'll try it out in any case, and report back.
For those asking about it for the Arrive though, you're likely out of luck even if this works. It is *not* a way to interop-unlock a phone, and it is *not* a way around interop-unlock. It's a way to do more things on an interop-unlocked phone. You can't even reach a driver (which is what HTCUtility.dll is) unless your app has ID_CAP_INTEROPSERVICES - that's what the capability is actually for, accessing drivers - and you can't install a homebrew app with that capability unless interop-unlocked (or on pre-Mango).
Yeah I think it was mentioned here on XDA and it was believed to already have been patched.

I think by "patch" they mean that Interop was restricted as of Mango, thereby securing this exploit, in Mango. But for those that are Interop unlocked, this should still grant full access to everything else.
Just my observations. I have an Arrive and am not Interop unlocked yet, so I can't test it.
Looking at the hand-free provisioning to see if I can find a way to leverage that....
-Paul

It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process context blocks, but none with CE ones (if it even uses such a structure).

GoodDayToDie said:
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process context blocks, but none with CE ones (if it even uses such a structure).
All the information looks like it is in the advisory. KDataStruct is what you want. That is equivalent to the PEB in Windows CE.

GoodDayToDie said:
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process context blocks, but none with CE ones (if it even uses such a structure).
Can you confirm this works only on an already interop-unlocked device?
Thanks for your efforts.

Could htclv.dll be helpful in setting security on an app? It supports the following functions:
LVModInitialize LVModUninitialize LVModAuthenticateFile LVModRouting LVModAuthorize LVModGetPageHashData LVModCloseAuthenticationHandle LVModGetHash LVModProvisionSecurityForApplication LVModDeprovisionSecurityForApplication LVModGetSignerCertificateThumbprint LVModSetDeveloperUnlockState LVModAuthorizeVolatileCertificate LVModGetDeveloperUnlockState
In particular the "Deprovision Security for App" and "Get/set DeveloperUnlock" or maybe "Authorize Volatile Certificate"....
Or maybe htcpl.dll which seems to be the HTC policy engine interface. Supports:
GetFunctionTable PolicyCloseHandle PolicyEngineInit PolicyRuleAbortTransaction PolicyRuleAddRawData PolicyRuleBeginTransaction PolicyRuleBuildRawData PolicyRuleCommit PolicyRuleCommitTransaction PolicyRuleCreate PolicyRuleDelete PolicyRuleFindFirst PolicyRuleFindNext PolicyRuleGetInfo PolicyRuleOpen PolicyRuleParseRawData PolicyRuleReadRawData
These all look good to modify the security policies on HTC, assuming Interop-Unlocked.
-Paul

@dragonide: Confirmed, this requires interop-unlock since the very first step is opening a handle to a driver.
@Paul_Hammons: The LVMod functions look quite interesting indeed. Where are you getting these functions from (straight out of the DLLs, or some doc somewhere, or decompiled code, or...?), are they user or kernel entry points, and what permissions do they require? The ability to modify app security doesn't do as much good if you already have to be high-privileged to call it, though it might simplify my current goal.
@n0psl3d: Cool, I'll get to work on it.

@n0psl3d: KDataStruct contains kernel information, but I'm pretty sure what I need is in a PROCESS struct (such as is pointed to by pCurPrc). The problem is, I can't find any documentation for that struct. I'm searching online but so far coming up empty. CE doesn't seem to use PEBs or TEBs as I've seen them on NT (not terribly surprising, but annoying).
EDIT: I'm downloading the Embedded CE toolkit, which comes with source code. It'll take a while but hopefully that will have what I need.

OK, digging through the CE source I've found some interesting things. No idea if this will work yet; it'll be exciting just to make it compile.
PROCESS struct -> hTok (handle to a Token) -> phd (PHDATA, pointer to the handle data) -> pvObj (PVOID to the actual object, which is probably a TOKENINFO) -> psi (pointer to ADBI_SECURITY_INFO) -> contains the actual ACLs and privileges, and can be created from an account ID.
Probably the easiest option is to find a relatively high-privilege process and clone its token or some such. Token re-use (if I increment the reference count, this should work) may be easier. Modifying an existing token might also be doable.
Anyhow, I'm not going to have this finished tonight, but it'll get there. For those wondering what you can do with this, it basically breaks you out of the sandbox entirely. You can call any function, access any resource, etc. that is available to a userland process (executing in kernel mode is also possible but trickier). Practically speaking, this makes all the other high-privilege COM DLLs useless - instead of ComFileRW, just use the file IO methods (anywhere you want), instead of DMXMLCOM just call ConfigProvXml directly. Even things like launching native EXEs directly should become possible (run those Opera ports on a stock ROM, for example).

I'm sorry, I still don't know what any of that means. But it sounds good! I wish I knew how to do this kind of stuff. Thanks for all of your work!

Related

[WORK IN PROGRESS] XML Provisioning for all devices...

At the moment I'm working on an app called "WP7 Root Tools". I got the registry editor almost finished, but I am also going to add a File Explorer, Certificate Stores and maybe more. When the registry editor is working I will release the first alpha version. As the title of the app implies, the tool uses root privileges to perform queries and transactions. I let the tools parasitize other processes to get the code executed in the TCB chamber of the device. I have this working stably now on my Samsung Omnia 7. Unfortunately I have to use a little bit of device-specific APIs to do this. And I have to make quite a detour to make it work, which has a negative impact on the performance.
So the ultimate goal is that, in the end, this will work with other, more direct APIs, which work on all devices. During my research I found some possibilities that need more investigation. I already decided that I will first concentrate on getting this working with my Samsung device, so that I have at least the tools to do further research. But I thought I'd drop some of my findings here that may lead to better device support and better performance for future versions of the tools.
There are many ways that may lead to executing code with elevated or root privileges. But in this post I want to concentrate on XML provisioning. A lot of info can be queried and configured through these APIs. I have tried to call the native OS functions for XML provisioning. The function you need to call is: DMProcessConfigXML(). And it is declared in: Cfgmgrapi.h. If you call this function it returns error code: 0x4ec (or 0x800704ec), which means "Access disabled by policy". If you use a native COM dll and you forget to add ID_CAP_INTEROPSERVICES to the WMAppManifest.xml, you will get the same error code when calling a native function through the COM interop. So when I get the same error code when calling DMProcessConfigXML(), this may suggest that I might be missing a capability in the WMAppManifest.xml.
In another thread on this forum some undocumented capabilities were discussed. One of them was ID_CAP_WAP. Since OMA Client Provisioning is also called WAP Provisioning, I thought that might be the missing capability. I was not able to add the capability from within Visual Studio, because the capability is missing from the corresponding xsd's, so it will give a validation error on building the project. But I could add it manually after the project was built. When I deploy it to the device, using the Application Deployment tool, it would return "Access is denied". I thought it might be an invalid capability, but when I changed the capability to ID_CAP_XXXXXX that would return "Install failed. Fix the capabilities." which is the real error message for an invalid one. That implies that ID_CAP_WAP is in fact an existing capability, but I'm just not allowed to use it. If I were able to use it, I would probably have access to the function DMProcessConfigXML(). That part of the app would be impersonated into higher chambers.
So the big question is what is keeping me from using the ID_CAP_WAP? Why am I not allowed to use it? I tried to attach a debugger to XapDeploy.exe, but it does not throw any exceptions at all. The errorcode is generated in the phone. Getting this fixed will give a big boost to getting closer to root access on all devices. Any help or insight on this will be appreciated.
Heathcliff74
I sent some tweets to da_g, chris, chevron, julien schapman, and a few other devs to let them know this is going on...I'll try tom hounsell too he may know a bit more about this
I'm notifying notebookgrail too because he has been doing some work with dell venue pro devices
Good luck
At a wild guess, it's probably looking for a signature. Using signed code for trusted functions is the kind of thing MS likes to do. :-/
All that said, if you have ProvXML working on Samsung, I would *love* to take a look at it. I'm maintaining a cross-platform Homebrew library. Currently I have at least partial ProvisionXML on HTC and LG, but none on Samsung. I don't have a Samsung device to test with, which is making it hard to try things out...
ID_CAP_WAP isn't a capability you can assign yourself. A higher up has to assign it to you.
<!-- Account loaded from: W:\WINCEROOT\temp\oakcopy28570\Release\x86\XDE\Policy\cb659c75-eac9-4db7-afd8-055632acf233.policy.xml(292,2) -->
<Account Id="S-1-5-112-0-0X71-0X49445F4341505F574150" Description="Autogenerated group for capability ID_CAP_WAP" FriendlyName="ID_CAP_WAProvides access to WAP API" Type="Group">
<!-- MemberOfGroup loaded from: W:\WINCEROOT\temp\oakcopy28570\Release\x86\XDE\Policy\cb659c75-eac9-4db7-afd8-055632acf233.policy.xml(293,2) -->
<MemberOfGroup GroupAccountId="S-1-5-112-0-0X71" />
(BasePolicy.xml)
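As an added example (not code from the thread or from any of the posters), the following Python script puts together the capability facts from GoodDayToDie's post above (reaching a driver needs ID_CAP_INTEROPSERVICES, and homebrew declaring it only installs on an interop-unlocked phone), Heathcliff74's ID_CAP_WAP post (the 0x800704ec / 0x4ec "Access disabled by policy" code) and WithinRafael's BasePolicy.xml excerpt. It decodes the capability name hidden in the last component of the quoted group SID, derives the group SID a manifest capability would map to (assuming every capability group follows the one pattern quoted above, which the thread does not confirm), maps the HRESULT back to its Win32 code, and audits a constructed WMAppManifest.xml for the privileged capabilities discussed here. The sample manifest, its placeholder ProductID and the privileged-capability table are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample WMAppManifest.xml (not from the thread). The ProductID is a
# placeholder; the <App xmlns=""> reset mirrors the real manifest layout.
SAMPLE_MANIFEST = """<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment" AppPlatformVersion="7.1">
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}" Title="Sample" RuntimeType="Silverlight" Version="1.0.0.0" Genre="apps.normal" Author="constructed" Description="constructed sample">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_INTEROPSERVICES" />
      <Capability Name="ID_CAP_WAP" />
    </Capabilities>
  </App>
</Deployment>
"""

# Group SID quoted from BasePolicy.xml in the thread. The parent group is the
# prefix; the last component is "0X" followed by the ASCII hex of the capability
# name. Assuming every capability group follows this pattern is an assumption.
POLICY_ACCOUNT_SID = "S-1-5-112-0-0X71-0X49445F4341505F574150"
CAPABILITY_GROUP_PREFIX = "S-1-5-112-0-0X71"

# Capabilities the thread identifies as gating privileged operations (constructed
# table summarising the posts above, not an official list).
PRIVILEGED = {
    "ID_CAP_INTEROPSERVICES": "required to open a handle to a driver; homebrew "
                              "declaring it installs only on an interop-unlocked phone",
    "ID_CAP_WAP": "WAP/OMA provisioning API; deployment is refused with Access is denied",
}


def decode_capability_sid(sid):
    """Return the capability name encoded in a capability-group SID, or None."""
    prefix, _, last = sid.rpartition("-")
    if prefix != CAPABILITY_GROUP_PREFIX or not last.upper().startswith("0X"):
        return None
    try:
        return bytes.fromhex(last[2:]).decode("ascii")
    except ValueError:  # odd-length or non-hex suffix
        return None


def encode_capability_sid(name):
    """Inverse of decode_capability_sid: the group SID a capability would map to."""
    return f"{CAPABILITY_GROUP_PREFIX}-0X{name.encode('ascii').hex().upper()}"


def manifest_capabilities(xml_text):
    """List the Capability/@Name values in a WMAppManifest.xml, in document order."""
    root = ET.fromstring(xml_text)
    # Match on local name so the namespace reset on <App> cannot hide elements.
    return [el.get("Name") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Capability"]


def audit_manifest(xml_text):
    """Flag privileged capabilities and show the policy group each one maps to."""
    return [
        {
            "capability": name,
            "group_sid": encode_capability_sid(name),
            "privileged": name in PRIVILEGED,
            "note": PRIVILEGED.get(name, "ordinary capability"),
        }
        for name in manifest_capabilities(xml_text)
    ]


def win32_error_from_hresult(hr):
    """Map an HRESULT such as 0x800704EC back to its Win32 code (0x4EC here).
    A value that already fits in 16 bits is returned unchanged."""
    if hr <= 0xFFFF:
        return hr
    if (hr >> 16) & 0x1FFF == 7:  # FACILITY_WIN32
        return hr & 0xFFFF
    return None


if __name__ == "__main__":
    print(decode_capability_sid(POLICY_ACCOUNT_SID))
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
    print(hex(win32_error_from_hresult(0x800704EC)))
```

Run it against a manifest pulled out of a XAP you are about to sideload and the audit lists every declared capability with the policy group it would resolve to; an ID_CAP_INTEROPSERVICES or ID_CAP_WAP entry in a manifest that is not your own is exactly the thing to question before deploying, since those are the capabilities that gate driver and provisioning access in the posts above.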
domineus said:
I sent some tweets
Thanks.
GoodDayToDie said:
All that said, if you have ProvXML working on Samsung, I would *love* to take a look at it.
Well, the whole ProvXml stuff will become irrelevant when I finish the tools, because ProvXml is not really user-friendly and my tools will provide that functionality in a user-friendly fashion. So at this moment I want to concentrate on finishing the first alpha version. Later on, I will probably clean up the code and release it. But it's quite complex, because I added async multithreading to keep it all smooth.
WithinRafael said:
ID_CAP_WAP isn't a capability you can assign yourself. A higher up has to assign it to you.
Thanks for this info. But what I read from this is that you just need to be able to impersonate. Has anyone tried CeImpersonateToken() with this SID?
Abstraction of the ProvXml capabilities is awesome, assuming that we can fully use them and/or extend them if needed. It's useful for a ton of stuff. I've written a small amount of abstraction for registry writes and such, but having the full functionality exposed through a clean API would be fantastic.

[Q] WP7 and native for beginner

Hello everybody,
I got a WP7 Samsung Focus and I want to port my old application to this device and join native forces for WP7
My plan is simple: I'll convert my app into a dll, rewrite new gui in C# (or whatever the way to do it on WP7). I saw multiple posts about calling native code (original from Cris Walsh: http://goo.gl/2Tjks). Then I saw a few posts mentioning that it's impossible etc etc.
So, a few questions:
0) can I do it for my app (I don't need marketplace exams etc, I don't care for that)? I know that some WinAPI could be unavailable/broken, all I ask at this point if it's possible to load and run native dll without changing or re-flashing ROM.
1) MS wants $100 out of my pocket to be able to deploy to my own device (WTF?!). What can I do to deploy to my phone without paying the crooks? (VS2010 tells me to register there and registration asks for $100.)
2) Is there a sample project I could D/L and run? I have zero experience in C# and I have no idea how to load and call a native DLL from managed code in WP7. All these half-broken samples are totally useless to me; I simply want a working HelloWorld app that loads and runs a simple dll.
thanks
0) Yes, what you describe is possible. There are lots of limits, though - WP7 applications have very low permissions, and calling native code doesn't fix that. Unless you need to edit something outside the app's own isolated storage, though, you're probably OK.
1) Aside from the official marketplace account ($100), there are a few options:
a) if you've got an LG phone, they come with a built-in registry editor that can be used to dev-unlock your phone. I forget the exact key you need, though.
b) if you've got a student email address (ends in .edu) you can try registering through DreamSpark. This is free.
c) if you don't mind rolling back to pre-NoDo (7004 or 7008) you can use ChevronWP7 Unlock (instructions available on this forum). If you don't have a restore point that far back you can flash an official ROM for that version.
d) if you don't mind waiting, ChevronWP7 Labs will be available at some point (no ETA that I've seen, but it's been talked about for months) and will provide dev-unlock (but not marketplace account) for a nominal fee.
2) There are lots of apps distributed with source, and most of them will use some native code. You could do a search on this forum for subject lines including the tag "[SOURCE]" and find several (I release source for all my apps). However, I suspect what you'd find most useful is Heathcliff74's guide to WP7 apps that use native code, which is on this forum at http://forum.xda-developers.com/showthread.php?t=1299134. It includes step-by-step instructions.
Hope that helps! I look forward to seeing your app. Also, don't hesitate to ask for help with the actual development; I suck at GUIs and Silverlight but am fairly proficient at C# if you need somebody who knows that language, for example.
There is an ETA for the new ChevronWP7 unlocker:only a few weeks away from launch!
Hi GoodDayToDie
GoodDayToDie said:
0) Yes, what you describe is possible. There are lots of limits, though - WP7 applications have very low permissions, and calling native code doesn't fix that. Unless you need to edit something outside the app's own isolated storage, though, you're probably OK.
At this point I want to make a DLL from my simple app and call a few functions that interact with filesystem and network. FS is needed only for simple stuff (loading config file etc) from installation folder and creating some temporary files for local storage. Network is tcp/udp, I guess network should be available.
GoodDayToDie said:
1) Aside from the official marketplace account ($100), there are a few options:
...
I did some searching, and it seems that I've done that part. Chevron dev unlock was pulled from their site, but the old version remains scattered all over the board. There is a good thread on how to do it. It happens that my phone is 7004. Where can I get the old ROM in case something goes bad and I need to re-flash? Is it easy, am I risking bricking and losing my phone?
I just tried to run sample phone app and it runs on the phone. Initially it said that it was revoked by MS, I run dev-unlock one more time and now it works.
GoodDayToDie said:
2) There are lots of apps distributed with source, and most of them will use some native code. You could do a search on this forum for subject lines including the tag "[SOURCE]" and find several (I release source for all my apps). However, I suspect what you'd find most useful is Heathcliff74's guide to WP7 apps that use native code, which is on this forum at http://forum.xda-developers.com/showthread.php?t=1299134. It includes step-by-step instructions.
I'll try to search, hope I'll be up and running soon. Too bad WP7 is DOA. They always had much better tools than all these ghetto Symbian/Android/Xcode crapware tools... WTF is wrong with these guys, at the point when they were surpassed at speed of light by newbies iPhone and Android they made some backward steps to cut off most of the devs (but they added all these 500K Silverlight newbie devs...). I'm so disappointed with Android, seems like they hired all these retards who were fired at symbian: same **** tools
I downloaded a few samples and it seems that all of them contain prebuild dll's and all of them are COM dlls or something like that.
What I'd like to find is simple sample that contains src code to native WinMo dll and C# project that it uses.
As far as I know a native dll cannot be built with the latest tools (am I right?), but I can use cegcc or VS2008 to build native DLLs.
stuff like:
Code:
if (ComBridge.RegisterComDll("ComFileRw.dll", new Guid("EEA7F43B-A32D-4767-9AE7-9E53DA197455")) != 0)
is totally unknown to me. I would really like to avoid even learning anything about COM-related stuff. I prefer not to mess with code that isn't portable.
Hi mtlgui,
unless Heathcliff finishes his WP7 Root Tools SDK, you don't have any other way to access native C++ code besides using COM. DFT (The DarkForcesTeam) released a firmware loader that allows you to flash customized unsigned firmware. They were also able to do some native C++ coding with the WM API. However, the firmware used for that is not public and it is limited to HTC devices.
Have you already considered writing your application in C#? Mango now has TCP/UDP socket support for outgoing connections. Incoming connections or services running on the phone aren't possible without using native code, at least for the moment.
Hi rudelm,
if the only way to use native is to build a COM dll, then I'm OK with that. My app code is old and I'd rather throw my WP7 device into the trash can than try to rewrite my app in C#.
Eventually, down the road while hacking maybe I'll learn c# well enough to do anything with it other than GUI and calling native/COM dlls.
So, just to confirm my understanding. I need to write COM dlls that access native API (socket, filesystem, wavein/waveout etc) and then load these COM dlls and call their functions from C# (or whatever is the closest lang to c/c++ in the WP7 world).
@mtlgui:
You've pretty much got it. A few thoughts, though:
There is a webserver project available on this site. It includes source for its C++ native component (the library is called NativeIO; I can probably send you the source if you can't find it). It exposes registry, filesystem, and TCP server and client sockets to COM. Note that because this library was built for pre-Mango phones, just compiling it and shipping it may not work on Mango phones as many deprecated libraries were removed in Mango and if the DLL contains any references to them, it won't load.
Generally speaking, what you're asking for with TCP/UDP is possible, though you may have to code against the winsock API directly. It sounds like you're doing as little as possible with C#, so even if the Socket API that is available with Mango were sufficient for your app's needs, you wouldn't be using it.
Filesystem access... even if you have read access to your app's install folder (I haven't checked, though you should), you almost certainly won't have write access. Each app does have a writable "isolated storage" though, under \Applications\Data\{GUID}\Data\IsolatedStore\. I've only ever tried writing to it using C# though, so I don't know for sure if it's writable using the native APIs directly (should be, though).
It's probably perfectly OK to write your app as one big native DLL (hell, it *might* work to just change the build type from Application to Library, then rename main() or something like that). You will need to expose the library to COM, but that's easy. You can then write a very simple C#/Silverlight app (see Heathcliff's instructions, or just post the COM interface and somebody could write it for you). All the C# app needs to do is use ComBridge to access the native DLL, and call a "run()" function or something similarly simple.
For what it's worth, C# is very close to a superset of C++, at least on the desktop. The phone version is crippled a little by not allowing the use of pointers - everything has to be done with strongly-typed references instead, which can make network code a little annoying but is otherwise rarely a problem - but with a little experimentation you may find your disdain for C# to be misguided. It's a useful language to know in today's job market, if nothing else.
Why is your phone still on 7004? That's the launch retail build, something like eight months out of date. On the plus side, this means that things like ChevronWP7 Unlocker still work for you, as you found. On the minus side, it means you're putting up with bugs and missing features that you needn't be. Have you tried updating at all? If/when you do update, make sure to back up the restore points that the Zune software generates (they go in %localappdata%\Microsoft\Windows Phone Update\). That way, if you ever need to roll back to 7004, you can do it. Normally, only the most recent restore point is kept.
Flashing ROMs is safe so long as you don't try something like flashing the wrong one for your device. Unless your bootloader is unlocked (only possible on HTC), you can only flash official ROMs anyhow, which saves you from most of the risks. On the other hand, you're already on as old a ROM as you will find, and so long as you keep your restore points, you can return to it any time you want to, easily.
I'm googling now the board to find NativeIO and that webserver app. So far only references to it, but no src code.
I'm ok with isolated read/write access. All I care is persistent fs storage.
My phone is still 7004 because I just bought it so I can do some WP7 development. I don't want to mess up with updates at the moment.
As I understand from another post ComBridge is C#->COM->native c++ dll or any other dll that can be used, right? I'm just learning some COM to learn enough to start actually programming for the phone. I see that I can pass whatever data I want, but I don't seem to be able to see a way to register callbacks so that native/COM could call back to C#
mtlgui said:
I'm googling now the board to find NativeIO and that webserver app. So far only references to it, but no src code.
I'm ok with isolated read/write access. All I care is persistent fs storage.
My phone is still 7004 because I just bought it so I can do some WP7 development. I don't want to mess up with updates at the moment.
As I understand from another post ComBridge is C#->COM->native c++ dll or any other dll that can be used, right? I'm just learning some COM to learn enough to start actually programming for the phone. I see that I can pass whatever data I want, but I don't seem to be able to see a way to register callbacks so that native/COM could call back to C#
Basic introduction to native code and COM, including references to more background info: http://forum.xda-developers.com/showthread.php?t=1299134.
Callback from C++ -> COM -> C# can be done. Decompile the WP7 Acrobat Reader app. You'll see how it works.
Ciao,
Heathcliff74

[XAP][ZIP] Access OEM Marketplaces easily, no dev unlock! (Update 16 Aug 2013)

Hi hackers!
Found something pretty cool while I was digging around looking for new interop-unlock hacks. The bad news is that it looks like it's not usable for interop unlock, the good news is that it's still pretty cool.
This previously required a dev-unlock, but no longer does. It does not require interop-unlock. It works on all phones (as far as I know).
UPDATE 3: ZIP file usable on non-unlocked phones EDIT: I think this will not work on most phones. Sorry! The XAPs still work, if you can sideload them
I've added a ZIP file that can be used to switch the OEM Marketplace without needing to sideload a XAP at all. Instructions are inside, but basically you tap the XML file for the OEM you want, then reboot the phone.
UPDATE 2: Dell Apps.xap, Nokia Apps.xap (v2)
The Dell apps collection is hidden, like the Nokia one was (see Update 1 below). The only app I was able to find was "Newsroom" (another app kind of like HTC Hub). If there are others, please let me know and I'll try to find them.
Nokia has collected their apps into a single marketplace section, like HTC/Samsung/LG. The new Nokia Apps.xap reflects this, so disregard the Update 1 note below for Nokia, and download the new XAP!
UPDATE 1: Nokia Apps.xap (See the Update 2 note - Nokia Apps.xap has been changed)
Be aware that this app works a little differently. Rather than actually adding a "Nokia" store to your Marketplace list, it just enables your phone to access Nokia's apps through the normal marketplace. Not sure why some OEMs did their own store and others didn't, but that's why it wasn't working before (it isn't a stand-alone store section).
An easy way to find the Nokia apps is to do a search for a well-known app, like Nokia Maps. Then, open it and tap the "More from Nokia Corporation" link. This will take you to a list of all of Nokia's apps.
WHAT IS IT?
Install a XAP or tap an XML file in the ZIP, and restart your phone. Then, open the marketplace, and you'll discover that, instead of "HTC Apps" or "Samsung Zone" or whatever your default is, you can install OEM apps from a different OEM.
WHAT CAN I DO?
If you want to install Nokia, HTC, Samsung, LG, or Dell apps, open the ZIP file on your phone, look for the OEM name you want, and tap the XML file immediately under that OEM name. You'll need to restart your phone before the Marketplace changes.
If you want to help out, give me as much info as you can about the other OEM marketplaces (Toshiba/Fujitsu, perhaps?)
IS IT DANGEROUS?
Well, it's a hack. There's always *some* danger. However, you don't need to worry very much. The phone will automatically revert the Marketplace after a day or so. You can also get your proper marketplace back by installing the corresponding app/tapping the desired ZIP.
However, you *really* should keep an up-to-date restore point any time you're messing with stuff like that, especially with new hacks. If something screws up and doesn't straighten out, restore a backup or hard-reset and it will fix itself.
EDIT: The ZIP does not appear to work on most phones. The XAP files should still work on 7.8, though.
WHO CAN I THANK?
Well, aside from myself thanks go to:
Heathcliff74, for the XAP deployer hack and the Samsung marketplace configuration file.
Schaps, for TouchXplorer (let me find the relevant file).
Voluptuary, for info about both OEM and MO marketplaces (working on those).
wpxbox, for the info about "Nokia collection".
CAN I ASK A QUESTION?
You just did, or at least, I did for you. Please see the next post after this one for FAQ. Otherwise, feel free to post a reply with your question. Please, if it's at all relevant, include the make, model, and version of your phone and OS/firmware.
OK, I know you all will have some questions. I'll try to collect them, and their answers, here so people don't have to read every post.
If you ask a question that is already answered here, I may facepalm and/or use sarcasm.
DO I NEED TO RUN THIS APP?
No, you don't. It doesn't do anything at all after installing. In fact, I re-used another app that I had handy, so the message you see isn't even accurate!
WHY DOES THE MESSAGE IN THE APP TALK ABOUT INTEROP UNLOCK? CAN I USE THIS APP FOR INTEROP UNLOCK?
It talks about it because I reused an interop-unlock app (which works exactly the same way, but with a different file). This app will not interop-unlock your phone, or even allow you to do so. However, it doesn't need interop-unlock, either. Furthermore, why are you running the app? You don't need to; none of the instructions say to run it.
CAN I DELETE THE APP?
Yes. Once it's installed, you can delete it immediately if you want to.
HOW DO I GET MY OWN OEM'S MARKETPLACE BACK?
You can either install the corresponding XAP and reboot, or you can wait a day or so for the phone to recover on its own.
HOW CAN I GET BACK TO AN OEM MARKETPLACE THAT I ACCESSED BEFORE?
Remove the app (and any variant of it), if it's currently installed. Then, install it again. Then, reboot as before, and you should see the marketplace corresponding to whatever XAP you used.
WHY DON'T ALL APPS WORK?
Many apps will use native drivers to do their work. These drivers are specific to each OEM's firmware, and are baked into the ROM. Apps that don't need special permissions, like the Samsung Now app or LG's Look n Type, should work. Apps that have high permissions or do device-specific things, like a Network Profile app or HTC Sound Enhancer (if it ever appears again) won't work on other phones.
SOME OF THESE APPS HAVE ID_CAP_INTEROPSERVICES, CAN WE USE THEM FOR INTEROP UNLOCK?
No. The apps may appear to work (even on interop-locked phones) because they were installed from the Marketplace and have valid signatures. However, they won't actually be able to do anything useful, because the wrong drivers will be installed (see the previous question).
CAN YOU ADD A XAP FOR ANOTHER MARKETPLACE?
Sure, once the required configuration data is available. This can be tricky - for example, the values for HTC and Samsung are "HTC" and "Samsung", respectively, but the one for LG is actually "LGE" (LG Electronics). I don't know what they are for Toshiba/Fujitsu, and I'm not sure I have everything from Dell, and I don't have any others. Any help here would be appreciated!
CAN I ACCESS MORE THAN ONE OEM MARKETPLACE AT ONCE?
No, sorry. I tried to build support for multiple OEM markets, but it didn't work. The last one overwrites the previous.
WILL APPS KEEP WORKING AFTER THE MARKETPLACE REVERTS?
So far, yes. I don't know whether they'll get updates, although I suspect they will.
CAN SOMETHING BE DONE ABOUT APPS COMPLAINING THEY DON'T WORK ON MY PHONE?
Sadly, no (nothing safe). Most of the LG and Samsung apps that I've tried work just fine (interop aside) on my HTC phone. It helps that in Mango, a lot of formerly interop capabilities (like compass for LG ScanSearch) are now in the official APIs. Some apps will still check though, and there's nothing I can do about that.
CAN WE ACCESS MARKETPLACES FOR OTHER OPERATORS?
It's probably possible, but I haven't bothered to try yet. If there are interesting apps for carriers that work outside of that carrier's network, I'll give it a shot. It's a different file but the structure is very similar.
IS THERE A LIST OF APPS KNOWN TO WORK?
Courtesy of user JusThinK, as of 1 Feb 2012:
JusThinK said:
Converter
FunShot
HTC Hub
Look n Type
MiniDiary
Notes
Now
Photo Enhancer
Photo Studio
Photo Stylist
Photogram
ScanSearch
SmartShare (previously known as Play To; working fine with my Samsung HDTV)
ToolBox
Can you just deploy all three and have access to all 3 sources in the Marketplace?
Once you install apps from the other OEM sources, and the market reverts back, do you lose the apps you have installed?
No. I tried to build it so you could access multiple OEM marketplaces at once, but it didn't work - only ever used the last one in the config file.
Apps stay installed and runnable even after the marketplace reverts. However, I can't promise they'll receive updates. I think they will, but I haven't been testing this long enough to find out.
Dell's marketplace string is "Dell"
Nokia's marketplace string is "Nokia"
I still haven't figured out Fujitsu's.
Thanks, dude.
The 3 XAP files are working on the HTC Trophy.
But the LG apps that you can download from LG Place, if you run the downloaded app, say "Only for LG devices."
So are you editing the files in the 'keepers' folder? I had found those some time ago and posted them HERE back in October. I thought they would lead to this since when they were deleted the OEM marketplaces would simply go away, same can be done to remove the carrier marketplaces, but I had trouble getting them off my device to really look at them.
Be warned though in my similar pre-mango hack with the registry we found that changing the OEM marketplace values made the DRM wig out and would prevent any apps from starting. The only way to fix it was a full reset or restore to a point before the modifications were done.
I would guess that if you edit LKG_MOStoreConfig.xml you could do the same thing with carriers.
OEM's:
Samsung
HTC
LGE
Dell
Nokia
MO's:
Att
Tmous
Tmode
I am pretty sure these are case sensitive too so keep that in mind.
Thanks GoodDayToDie
This solution solved my phone not showing OEM apps in the Marketplace.
Just wondering and perhaps some people might want to test with me if we set LKG_MOStoreConfig.xml and LKG_OEMStoreConfig.xml to read only will it stay set instead of only lasting a few days?
The reason I want this is because I want AT&T's stupid marketplace entry to remain GONE, so I edited LKG_MOStoreConfig.xml to this:
Code:
<ConfigurationFile version="1">
<MOStore>
<setting id="MOName"></setting>
<setting id="MOStoreName"></setting>
<setting id="MOStoreID"></setting>
<setting id="MOStoreEnabled">False</setting>
</MOStore>
</ConfigurationFile>
Now I'm just guessing that this is how it should look since like I said before I never could get the original files off my phone to look at them.
@voluptuary: That would probably work (in fact, the "false" alone is probably enough). Marking the file read-only may or may not be sufficient.
@cyclonemon: You're welcome! I didn't even realize people were having that issue but yes, it should help there too.
I am confused, can't I do this already with Milkman's WP7 3MktPlace? I can search/list 3MktPlace apps . I can add new info such as Nokia to the application. It finds and saves the XAP to the PC and from which I can deploy it to the phone.
ok, after reading more carefully, the program process above would require interop unlock, your route doesn't
@voluptuary (again): Thanks for the OEM names. I'm pretty sure I tried "Nokia" and it didn't work, but I'm trying it again (I did the edit on the phone during testing, and that's pretty typo-prone). For what it's worth, they are not case sensitive (a good thing, since the official casing for Samsung is actually SAMSUNG).
EDIT: Confirmation, "Nokia" does not work.
You're exactly right about which file I'm replacing (you can see that if you crack the XAP). I was looking to use the embedded provxml in MOConfig to do interop-unlock, but it looks like the process which reads that file doesn't have the required permissions. I could do something for the MO marketplaces too, but I'm really not sure there's value to it; do the MOs have apps that are useful if you're not a subscriber?
So far, no DRM wig-outs. I'm hoping it works when I don't mess with the registry. We shall see.
@derausgewanderte: This method doesn't use up unsigned app limit (aside from briefly, when the configuration app is installed). It also allows updates from the phone itself.
GoodDayToDie said:
@derausgewanderte: This method doesn't use up unsigned app limit (aside from briefly, when the configuration app is installed). It also allows updates from the phone itself.
I see, thanks for the clarification.
just for your info. Milkman's program works with "Nokia" if that helps.
Thanks, but... neither "Nokia" nor "Dell" are working. It's rather annoying. Samsung I had the actual file to work from, but LG[E] I figured out on my own, and it works. Not so with Nokia or Dell though.
Nokia on the Marketplace has the string nokia.
As this seems a nice hack, be very careful with changing the OEM name of your phone. Doing this a couple of times will invalidate something with the DRM and will force you to do a hard reset. You will not be able to run any app installed through the MP otherwise, and you will not be able to install anything.
I don't know for sure if the same thing would happen through this method, but I'm not going to try it out. I tried it with editing the registry, and if you do that about 5 times, your phone can't do anything without a hard reset.
I'm posting this to avoid problems, not to kill this hack. Because it's definitely good work, but before any complications arise, be warned.
Marvin_S said:
Nokia on the Marketplace has the string nokia.
As this seems a nice hack, be very careful with changing the OEM name of your phone. Doing this a couple of times will invalidate something with the DRM and will force you to do a hard reset. You will not be able to run any app installed through the MP otherwise, and you will not be able to install anything.
I don't know for sure if the same thing would happen through this method, but I'm not going to try it out. I tried it with editing the registry, and if you do that about 5 times, your phone can't do anything without a hard reset.
I'm posting this to avoid problems, not to kill this hack. Because it's definitely good work, but before any complications arise, be warned.
Yes yes please heed this warning. It happened to me.
I'm aware of the problem with the registry editing method. I can't guarantee it won't happen here (make sure you have a recent backup!) but I'm hopeful. I've made far more than 5 changes, and while I haven't had it in this state for weeks yet, I have for days, and so far no problems at all.
EDIT: @VoodooKing: Just to confirm, your problem was with the registry tweak method, right? If you hit that problem with these XAPs, please let me know.
GoodDayToDie said:
@voluptuary (again): Thanks for the OEM names. I'm pretty sure I tried "Nokia" and it didn't work, but I'm trying it again (I did the edit on the phone during testing, and that's pretty typo-prone). For what it's worth, they are not case sensitive (a good thing, since the official casing for Samsung is actually SAMSUNG).
EDIT: Confirmation, "Nokia" does not work.
You're exactly right about which file I'm replacing (you can see that if you crack the XAP). I was looking to use the embedded provxml in MOConfig to do interop-unlock, but it looks like the process which reads that file doesn't have the required permissions. I could do something for the MO marketplaces too, but I'm really not sure there's value to it; do the MOs have apps that are useful if you're not a subscriber?
So far, no DRM wig-outs. I'm hoping it works when I don't mess with the registry. We shall see.
Yeah, I can't get Nokia to work either; however, my Lumia 800 never had a "Nokia Marketplace" to begin with on the phone, so that may have something to do with it. I think the other programs that have been mentioned are pulling apps in a slightly different way than what actually happens on the phone. I would guess perhaps there is some handset ID matching or something on the phone Marketplace, whereas with the PC/web-based methods there isn't. (Just guessing.)
On a side note, I tried setting the MOConfig to read-only (like I said before), and while AT&T's marketplace still sadly came back, it came back different. It used to be "AT&T AppCenter(tm)"; now it reads "AT&T Featured", so that is odd. As for carrier app usefulness, IMHO the AT&T ones are garbage, but I can't speak to any other carriers.
You have to search for Nokia apps in the marketplace for them to show up. There is no Nokia store.
Yes changing registry a few times caused my phone to not launch apps and install from marketplace. I think I changed the name more than 5 times.

[SDK] LiveLibs ~ auto-updating code in your apps!

LiveLibs is an SDK that you can use in your apps. It allows you to have automatically updating code written in JavaScript. And yes, it'll even pass Marketplace approval. For more info, go here:
LiveLibs.com
Alpha 2 changes:
- Completely changed over from IronRuby to Jurassic (JavaScript) engine
- Improved security (hints and libraries are signed; lib.xml contains more verification data)
Even though I do respect all the effort you may have put in this project, I'm still not too sure about it. As we've already seen and learned from Android and even iOS there's always the risk of a misuse of such an updating method as unauthorized code can be injected. I rather wait for updates to pass the official certification ways than let my apps update on their own and not knowing what exactly was downloaded.
You are right. With alpha 1 there is a risk of a MitM attack causing apps to download something they shouldn't. However, the framework is already in place to mitigate that - I just haven't had time to implement it fully.
All library ZIP files are signed on the server side with the LiveLibs private key, and the signature is checked by the SDK upon download. Starting with alpha 2, hints will also be signed, which will ensure that erroneous updates are never downloaded.
Also, you don't have to trust the LiveLibs.com site to do the updating. The SDK lets you specify alternate URLs for hints and for libraries.
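Arktronic's description above (library ZIPs signed server-side, hints signed from alpha 2, the signature checked by the SDK before anything is used, and alternate URLs that need no extra trust) maps onto a short client-side verification routine. The following is an added example and not LiveLibs' own SDK code: it uses Ed25519 with a pinned publisher key, a JSON hint whose field names (Library, Version, SHA256, URL) are assumptions, a placeholder URL, and a version-rollback check the thread does not mention. Besides the alpha-1 MitM case from the thread, it replays two situations a practitioner should also test: a genuinely signed but wrong ZIP served for a hint, and an old genuine hint offered to a client that is already ahead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Hint describes an available library update. The field names are assumptions
// for this example; the thread does not show LiveLibs' real hint or lib.xml format.
type Hint struct {
	Library string `json:"library"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the library ZIP bytes
	URL     string `json:"url"`
}

// SignedBlob is a payload plus an Ed25519 signature over exactly those bytes.
type SignedBlob struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify against the pinned publisher key")
	ErrHashMismatch = errors.New("library bytes do not match the hash in the signed hint")
	ErrRollback     = errors.New("hint offers an older version than the one installed")
)

// PublishLibrary is the server side: sign both the hint and the ZIP with the publisher's private key.
func PublishLibrary(priv ed25519.PrivateKey, name string, version int, zip []byte, url string) (hint, lib SignedBlob, err error) {
	sum := sha256.Sum256(zip)
	payload, err := json.Marshal(Hint{Library: name, Version: version, SHA256: hex.EncodeToString(sum[:]), URL: url})
	if err != nil {
		return hint, lib, err
	}
	hint = SignedBlob{Payload: payload, Signature: ed25519.Sign(priv, payload)}
	lib = SignedBlob{Payload: zip, Signature: ed25519.Sign(priv, zip)}
	return hint, lib, nil
}

// VerifyUpdate is the client side. It trusts only the pinned public key, never the URL the
// hint or ZIP came from, so an alternate mirror (or a man in the middle) gains nothing
// unless it also holds the publisher's private key.
func VerifyUpdate(pub ed25519.PublicKey, installed int, hint, lib SignedBlob) (Hint, error) {
	var h Hint
	if !ed25519.Verify(pub, hint.Payload, hint.Signature) { // forged or altered hint
		return h, ErrBadSignature
	}
	if err := json.Unmarshal(hint.Payload, &h); err != nil {
		return h, err
	}
	if h.Version < installed { // rollback check: an addition, not mentioned in the thread
		return h, ErrRollback
	}
	if !ed25519.Verify(pub, lib.Payload, lib.Signature) { // forged or altered ZIP
		return h, ErrBadSignature
	}
	sum := sha256.Sum256(lib.Payload)
	if hex.EncodeToString(sum[:]) != h.SHA256 { // genuinely signed, but not the ZIP this hint promised
		return h, ErrHashMismatch
	}
	return h, nil
}

// Results holds the outcome of the four client checks run by Demo.
type Results struct{ Genuine, ForgedByMitm, MixAndMatch, Rollback error }

// Demo generates a publisher key, publishes two versions of a constructed library,
// and replays what a client sees in four situations.
func Demo() (Results, error) {
	var r Results
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	const url = "https://livelibs.example.invalid/libs/demo.zip" // placeholder, not a real endpoint
	zipV1 := []byte("PK\x03\x04 constructed stand-in for demo v1 zip")
	zipV2 := []byte("PK\x03\x04 constructed stand-in for demo v2 zip")
	hintV1, libV1, err := PublishLibrary(priv, "Demo", 1, zipV1, url)
	if err != nil {
		return r, err
	}
	hintV2, libV2, err := PublishLibrary(priv, "Demo", 2, zipV2, url)
	if err != nil {
		return r, err
	}
	// 1. Genuine update from v1 to v2.
	_, r.Genuine = VerifyUpdate(pub, 1, hintV2, libV2)
	// 2. A man in the middle with its own key substitutes both hint and ZIP (the alpha-1 risk).
	_, mitmPriv, _ := ed25519.GenerateKey(rand.Reader)
	evilHint, evilLib, _ := PublishLibrary(mitmPriv, "Demo", 3, []byte("malicious js"), url)
	_, r.ForgedByMitm = VerifyUpdate(pub, 1, evilHint, evilLib)
	// 3. Mix-and-match: the genuine v2 hint, but the (also genuinely signed) v1 ZIP is served.
	_, r.MixAndMatch = VerifyUpdate(pub, 1, hintV2, libV1)
	// 4. Rollback: a client already on v2 is offered the genuine v1 hint and ZIP.
	_, r.Rollback = VerifyUpdate(pub, 2, hintV1, libV1)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v\nmitm=%v\nmix=%v\nrollback=%v\n", r.Genuine, r.ForgedByMitm, r.MixAndMatch, r.Rollback)
}
```

The hash in the signed hint is what ties a particular ZIP to a particular update announcement; without it, any ZIP the publisher ever signed could be served in place of the current one, which is why case 3 fails on the hash and not on the signature.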
Just stumbled across this link from your sig. Very cool idea. However, I want to know: have you tested it on a developer-locked phone? Dev-unlock allows the phone to execute code that doesn't have a Microsoft signature (Marketplace apps receive this on all DLLs) but user-replaced or self-compiled binaries won't have that signature. I don't know exactly how your libs worked, but from the look of things (based on your choice of languages) you're looking at monkey-patching the code in place. That's a cool idea, and may well get through Marketplace ingestion, but as soon as the patching is used, you'll have a file without a valid Marketplace signature, and the app won't run anymore...
At least, that's my guess on what would happen. If you can get around that, it would be incredible. That would provide a way to run homebrew code on dev-locked Windows Phones...
The way it worked with IronRuby is the Ruby code was interpreted on the fly. With Jurassic, the JavaScript is compiled into anonymous classes (IIRC from docs/forums on Jurassic.codeplex.com) and executed w/o ever creating separate assemblies. In other words, there's no monkey patching - just live emitted code via Reflection.Emit and similar methods. I'm in the process of getting alpha 2 ready for release now, actually.
Hmm, it sounds quite interesting! However, it's not a way to get an interop-unlock. Also (from the marketing side) it has another con: official updates via the Marketplace, for some reason, increase the number of app customers/downloads (so it's a good idea, if you have an ads-based app, to publish updates at least monthly), but a silent "self-update", I'm afraid, will not.
There's no reason to stop doing proper Marketplace-based updates. The biggest benefit of LiveLibs is the ability to quickly crush bugs instead of having to wait for Marketplace approval while your users complain and give your app bad ratings because of some simple bug.
Arktronic said:
There's no reason to stop doing proper Marketplace-based updates. The biggest benefit of LiveLibs is the ability to quickly crush bugs instead of having to wait for Marketplace approval while your users complain and give your app bad ratings because of some simple bug.
Agree. But your code may also have bugs, so it's still not an easy decision: should I add that app overhead, or is it better to spend more time/money on beta-testing?
That, my friend, is entirely up to you
LiveLibs alpha 2 is out. Also, here's a little demo app I wrote using LiveLibs: Rando!

[Q] Why does the Windows RT jailbreak need volume button?

I'm posting this here because it says I need to get 10 posts in order to post on the Windows 8 development forums.
Why does the Windows RT jailbreak require that you press the volume button? As far as I can tell, pressing volume is used to trigger a code path in winsrv.dll on which a hook is placed. The hook jumps to the code cave between the .text and .data segments.
Reading the disassembly, the injected code uses the native API equivalent of EnumDeviceDrivers to get ntoskrnl.exe's base address, then calls the broken NtUserSetInformationThread subfunction 9 0x7EFF0 times to clear g_ciEnabled in the kernel. (I read the part about interlocked operations causing an exception in ARM if the target is unaligned, unlike x86 where it's merely not atomic.)
Instead of hooking an existing code path, why not inject a DLL into csrss.exe and create a thread in it? This seems like it would be much more stable, and wouldn't require pressing the volume button. CreateRemoteThread doesn't work with csrss.exe, because it tries to register the new thread with csrss.exe. Oops. However, RtlCreateUserThread *does* work, since native threads don't need to talk to csrss.
Where did cdb.exe come from? It doesn't come with the Visual Studio 2012 Remote Tools, so I'm guessing that it's a leak. In the absence of any other information, I'm going to guess that it's a leaked ARM version of Debugging Tools for Windows given to hardware developers who write drivers for Windows RT.
I'm working on a custom jailbreak that improves on a lot of issues. It's a single file, a .bat, that extracts everything needed, and a jailbreak program written in C. I've already gotten the custom C DLL loaded and executing, and am now looking into what I need to do to csrss.exe. Getting code executing inside csrss.exe won't be too hard, but I'm wondering what that code will need to do.
Moved here as not an Android related development issue, so was out of place in General forums.
You won't be able to inject .dll's. Windows will refuse to load the modules, unless the jailbreak has already ran.
As far as why it needs the volume button, you're correct in that it just executes an easily hooked code path in csrss.
netham45 said:
You won't be able to inject .dll's. Windows will refuse to load the modules, unless the jailbreak has already ran.
As far as why it needs the volume button, you're correct in that it just executes an easily hooked code path in csrss.
My DLL was linked with /filealign:4096, resulting in a perfect RVA to file offset mapping (assuming I don't create more than a small amount of zero-initialized global variables). With that, I can use NtMapViewOfSection without SEC_IMAGE to map it into csrss's memory without ci.dll getting in the way.
Once the DLL is mapped, I fix up its relocations, load the imports, and RtlAddFunctionTable. From there, the DLL is stable enough to do most things. All this works already - I'm just writing what to do next.
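Myriachan's loading technique above (map the raw file with NtMapViewOfSection without SEC_IMAGE, relying on /filealign:4096 for RVA == file offset, then fix relocations and imports by hand) hinges on two steps that are easy to get wrong: confirming that the raw mapping really is faithful, and walking the .reloc directory with bounds checks. The following is an added example in Go, not the jailbreak's code: it implements those two pieces over a constructed two-page image (not a real PE) and handles only the x86/x64 HIGHLOW and DIR64 fixup types. The ARM THUMB_MOV32 type that an actual Windows RT build would contain is deliberately refused rather than guessed at, since a wrong fixup corrupts code silently.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Base relocation types (winnt.h IMAGE_REL_BASED_*) this example handles.
const (
	relAbsolute = 0  // padding entry, nothing to fix
	relHighLow  = 3  // 32-bit absolute address (x86)
	relDir64    = 10 // 64-bit absolute address (x64)
	// Windows RT (ARM Thumb-2) images carry IMAGE_REL_BASED_THUMB_MOV32 (7), which
	// patches a MOVW/MOVT pair; it is intentionally unsupported below so that a
	// loader built on this code refuses rather than silently corrupts such an image.
)

// Section is the part of IMAGE_SECTION_HEADER the mapping check needs.
type Section struct {
	Name             string
	VirtualAddress   uint32
	VirtualSize      uint32
	PointerToRawData uint32
	SizeOfRawData    uint32
}

// RawMappingIsFaithful reports whether mapping the file bytes 1:1 (no SEC_IMAGE) lands
// every section at its RVA. That needs file offset == RVA for each section (what
// /filealign:4096 buys) and raw data that covers the virtual size, because a raw
// mapping provides no zero-fill for .bss beyond the bytes present in the file.
func RawMappingIsFaithful(secs []Section) error {
	for _, s := range secs {
		if s.PointerToRawData != s.VirtualAddress {
			return fmt.Errorf("%s: file offset %#x != RVA %#x", s.Name, s.PointerToRawData, s.VirtualAddress)
		}
		if s.VirtualSize > s.SizeOfRawData {
			return fmt.Errorf("%s: %#x bytes of zero-initialised data beyond raw data", s.Name, s.VirtualSize-s.SizeOfRawData)
		}
	}
	return nil
}

// ApplyRelocations walks the IMAGE_BASE_RELOCATION blocks at [relocRVA, relocRVA+relocSize)
// in an image mapped with RVA == offset and adds delta (actual base minus ImageBase) to
// every absolute address. Every offset is bounds-checked against the image before use.
func ApplyRelocations(image []byte, relocRVA, relocSize uint32, delta int64) (int, error) {
	le := binary.LittleEndian
	size := uint64(len(image))
	end := uint64(relocRVA) + uint64(relocSize)
	if end > size {
		return 0, errors.New("relocation directory lies outside the image")
	}
	applied := 0
	for pos := uint64(relocRVA); pos+8 <= end; {
		pageRVA := uint64(le.Uint32(image[pos:]))
		blockSize := uint64(le.Uint32(image[pos+4:]))
		if blockSize < 8 || pos+blockSize > end {
			return applied, fmt.Errorf("malformed relocation block at %#x", pos)
		}
		for e := pos + 8; e+2 <= pos+blockSize; e += 2 {
			entry := le.Uint16(image[e:])
			typ, target := entry>>12, pageRVA+uint64(entry&0xfff)
			switch typ {
			case relAbsolute:
				continue
			case relHighLow:
				if target+4 > size {
					return applied, fmt.Errorf("HIGHLOW fixup at %#x exceeds image", target)
				}
				le.PutUint32(image[target:], uint32(int64(le.Uint32(image[target:]))+delta))
			case relDir64:
				if target+8 > size {
					return applied, fmt.Errorf("DIR64 fixup at %#x exceeds image", target)
				}
				le.PutUint64(image[target:], uint64(int64(le.Uint64(image[target:]))+delta))
			default:
				return applied, fmt.Errorf("unsupported relocation type %d at %#x", typ, target)
			}
			applied++
		}
		pos += blockSize
	}
	return applied, nil
}

// BuildSampleImage constructs a synthetic, non-PE test image: a 32-bit pointer at RVA 0x1010
// holding imageBase+0x2000, and a .reloc block at RVA 0x2000 covering it with the given
// relocation type plus one ABSOLUTE padding entry.
func BuildSampleImage(imageBase uint32, relocType uint16) []byte {
	img := make([]byte, 0x3000)
	le := binary.LittleEndian
	le.PutUint32(img[0x1010:], imageBase+0x2000)
	le.PutUint32(img[0x2000:], 0x1000)            // page RVA this block covers
	le.PutUint32(img[0x2004:], 12)                // 8-byte header + two WORD entries
	le.PutUint16(img[0x2008:], relocType<<12|0x010)
	le.PutUint16(img[0x200a:], relAbsolute<<12|0) // padding entry
	return img
}

// Uint32At reads a little-endian 32-bit value at an RVA (RVA == offset in this mapping).
func Uint32At(image []byte, rva uint32) uint32 {
	return binary.LittleEndian.Uint32(image[rva:])
}

func main() {
	img := BuildSampleImage(0x10000000, relHighLow)
	n, err := ApplyRelocations(img, 0x2000, 12, 0x400000) // the mapping landed 4 MiB above ImageBase
	fmt.Printf("fixups=%d err=%v pointer=%#x\n", n, err, Uint32At(img, 0x1010))
}
```

Import resolution and RtlAddFunctionTable, the other two steps Myriachan lists, are not shown here; the point of the example is that a hand-rolled loader must treat the relocation directory as untrusted input and must fail closed on fixup types it does not implement.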
Does Tuesday's win32k.sys patch fix this bug? I saw that the patch had fixes for like 20 win32k bugs found by the Google guy who discovered the NtUserSetInformationThread 9 exploit.
Myriachan said:
I'm posting this here because it says I need to get 10 posts in order to post on the Windows 8 development forums.
Why does the Windows RT jailbreak require that you press the volume button? As far as I can tell, pressing volume is used to trigger a code path in winsrv.dll on which a hook is placed. The hook jumps to the code cave between the .text and .data segments.
Reading the disassembly, the injected code uses the native API equivalent of EnumDeviceDrivers to get ntoskrnl.exe's base address, then calls the broken NtUserSetInformationThread subfunction 9 0x7EFF0 times to clear g_ciEnabled in the kernel. (I read the part about interlocked operations causing an exception in ARM if the target is unaligned, unlike x86 where it's merely not atomic.)
Instead of hooking an existing code path, why not inject a DLL into csrss.exe and create a thread in it? This seems like it would be much more stable, and wouldn't require pressing the volume button. CreateRemoteThread doesn't work with csrss.exe, because it tries to register the new thread with csrss.exe. Oops. However, RtlCreateUserThread *does* work, since native threads don't need to talk to csrss.
Where did cdb.exe come from? It doesn't come with the Visual Studio 2012 Remote Tools, so I'm guessing that it's a leak. In the absence of any other information, I'm going to guess that it's a leaked ARM version of Debugging Tools for Windows given to hardware developers who write drivers for Windows RT.
I'm working on a custom jailbreak that improves on a lot of issues. It's a single file, a .bat, that extracts everything needed, and a jailbreak program written in C. I've already gotten the custom C DLL loaded and executing, and am now looking into what I need to do to csrss.exe. Getting code executing inside csrss.exe won't be too hard, but I'm wondering what that code will need to do.
Hello!
Glad to see a sensible guru here who understands that a non-permanent JB, requiring a "Vol -" press and living in RAM, is a vicious way! I can't understand Netham45's reluctance to make a permanent JB (nothing personal). If you develop your own JB with the options described above, it will be a breakthrough! Wish you good luck and the fastest implementation of what you've planned :fingers-crossed:
If you think netham45 is reluctant to make a permanent jailbreak, your lack of understanding is far greater than you know. A permanent jailbreak would be excellent, especially one that was active immediately at boot (instead of requiring a delay after booting, during which time the default restrictions are still in place).
However, there are some issues with the current jailbreak technique. In particular, it's dependent upon knowing the correct offset for the flag that needs changing, there's no way to know for certain the state of that flag before writing it, and the offset changes with updates. If the wrong offset is written to, or the wrong value written, the system crashes. Therefore, making a "permanent" jailbreak using this hack runs a very real and serious risk of putting the device into a bluescreen-reboot loop after an update, even one that isn't intended to break the jailbreak, just by accident.
In order to make a reasonably safe permanent jailbreak, a new jailbreak method will need to be discovered. That's not a trivial thing; the first one took some time to discover at all, and the effort on finding new methods has fallen off somewhat as many people are now looking for ways to use the existing one rather than looking for new ones. Additionally, even if a new method is found (which would be good; we should always have a backup), there's no guarantee that the new technique will be any better suited to being persistent or even automatic on bootup.
GoodDayToDie said:
However, there are some issues with the current jailbreak technique. In particular, it's dependent upon knowing the correct offset for the flag that needs changing, there's no way to know for certain the state of that flag before writing it, and the offset changes with updates. If the wrong offset is written to, or the wrong value written, the system crashes. Therefore, making a "permanent" jailbreak using this hack runs a very real and serious risk of putting the device into a bluescreen-reboot loop after an update, even one that isn't intended to break the jailbreak, just by accident.
I did put in some code to automatically find the offset (downloads the pdbs from MS and disassembles that chunk of code from ntoskrnl and parses it), though it still does make some heavy assumptions that I wish I could do without. It should be in 1.13a.
Note that it's still just assuming that csrss is perfect, though.
Denis_63 said:
Hello!
Glad to see a sensible guru here who understands that a non-permanent JB, requiring a "Vol -" press and living in RAM, is a vicious way! I can't understand Netham45's reluctance to make a permanent JB (nothing personal). If you develop your own JB with the options described above, it will be a breakthrough! Wish you good luck and the fastest implementation of what you've planned :fingers-crossed:
I'd love a persistent jailbreak, but we don't have an exploit for one yet. I'm not reluctant to make one, I don't presently have the ability to. The tool that Myriachan is talking about would have the same issue.
netham45
GoodDayToDie
Hey, guys, I beg your pardon if I was too harsh... I'm not the guru you are, and really had no notion of the level of complexity of the problem. Because of that I wrote "Nothing personal". Wish all of you GOOD LUCK in your important work!