I have a PhoneGap application designed to work on multiple mobile platforms. I'm loading a dynamic HTML content from an external page on the Internet using jQuery Mobile. The problematic system is Windows Phone 7.
This is what I get from the external page, with the URL of the script tag already replaced to load from the phone instead of from the net to save bandwidth:
HTML:
<script type="text/javascript" charset="utf-8" src="x-wmapp1:/app/www/test.js"></script>
This works fine on Android, iPhone and even BlackBerry when I replaced the x-wmapp1: part by a respective counterpart (e.g. file:///android_asset/www/ on Android). However, on Windows Phone 7 it doesn't seem to work at all.
When I try to load the same URL via $.getScript function, it always returns a 404 eror, even if I try and load it with a relative path only.
Any suggestions?
First of all, this type of question may be better suited to the Software Development or Apps and Games sub-forums, as a lot of the people who hang out here are more familiar with homebrew hacks. I'll give it a shot, though.
First of all, what kind of path are you trying to use? I haven't tried loading scripts or images in HTML or JS, but to dynamically load content within the app itself typically requires some care with regard to the path. For example, is the JS file being built into the assembly (as a resource) or included alongside it (as content)? How about the HTML page?
This is a kind of lame approach, but one option that's sure to work is just inlining the scripts in the page, directly. That won't increase the total app size or load time at all, although it might make maintaining the app take a little bit more effort.
Thanks for the reply, I will try to post this into the more appropriate forum.
With regards to paths - you can see the path in the HTML snippet I provided in the original question. It's all a bit specific and we cannot afford to load JS directly from page, since that does increase the size of the resulting HTML, sent from an external PHP page, thus increasing bandwidth. This is the first reason why we chose to have all JS and CSS files directly bundled with the application and load them internally rather than from Internet.
Also, all of JS files are included alongside the application as content. I'm using the same approach for all images, since if they were included as a resource, they would not show in the application.
GoodDayToDie said:
First of all, this type of question may be better suited to the Software Development or Apps and Games sub-forums, as a lot of the people who hang out here are more familiar with homebrew hacks. I'll give it a shot, though.
First of all, what kind of path are you trying to use? I haven't tried loading scripts or images in HTML or JS, but to dynamically load content within the app itself typically requires some care with regard to the path. For example, is the JS file being built into the assembly (as a resource) or included alongside it (as content)? How about the HTML page?
This is a kind of lame approach, but one option that's sure to work is just inlining the scripts in the page, directly. That won't increase the total app size or load time at all, although it might make maintaining the app take a little bit more effort.
Click to expand...
Click to collapse
First question: have you set the IsScriptEnabled proerty on the control to True? It defaults to False, preventing scripting within the control. Also, changing it only takes effect
on navigation, so if you already loaded the page and then set this property, it still won't work.
Anyhow, I missed that your HTML was coming externally, and only the scripts and stylesheets were local. That's... interesting, and seems reasonable enough, and I can't find any info online that exactly matches your use case. The way you're structuring the script src URI looks weird to me, but I haven't messed with the WebBrowserControl very much at all.
One solution, though a bit hacky:
Use the WebBrowserControl's InvokeScript function to dynamically load scripts into your pages. To do this, you would first need to load the script file content into a .NET String object. The GetResourceStream function is probably your best friend here, combined with ReadToEnd(). Then, just invoke the eval() JS function, which should be built-in, and pass it the JS file content. That will load the JS into the web page, creating objects (including functions) and executing instructions as the files are eval()ed.
Of course, you'd need to do this on every page navigation, but you can actually automate it such that the page itself requests that the app load those scripts. In your app, bind the script-loading function to the ScriptNotify event handler, probably with some parameter such as the name of the script to load. Then, on each page served from your server to the app, instead of including standard <script src=...> tags, use <script>window.external.notify('load localscript1.js')</script> and so on; this will trigger the app's ScriptNotify function for you.
I hope that helps. I can see your use case, but somewhat surprisingly, I couldn't find anybody else online who had either run into your problem or written a tutorial on doing it your way.
Thank you for your reply, it was very informative. One question though - why do you think the way I'm structuring the SCRIPT URI is wierd? I tried to mess around with relative URIs and the such, however those would load the JavaScript file from Internet rather than from the application itself.
The problem I'm running into with your proposed solutions, however is that:
1. the project is a PhoneGap/Cordova application, using its own components, so I have no idea where I would look for IsScriptEnabled here (although this all worked on an older PhoneGap release, so I'm guessing they have it set up correctly)
2. injecting a script programmatically on each navigation would require me to rewrite much of the code we already use for other platforms, not to mention those custom Cordova components, which I don't even know if they can handle such thing
As for my user case - I was surprised to be the only guy on the internet with this methodology in place as well. So it either works for everyone else or nobody really thought of doing it my way, since it's basically an Internet application (maybe the don't want to disclose their sources, who knows).
CyberGhost636 said:
1. the project is a PhoneGap/Cordova application, using its own components, so I have no idea where I would look for IsScriptEnabled here (although this all worked on an older PhoneGap release, so I'm guessing they have it set up correctly)
Click to expand...
Click to collapse
In the WebBrowser properties.
CyberGhost636 said:
As for my user case - I was surprised to be the only guy on the internet with this methodology in place as well.
Click to expand...
Click to collapse
Of course you not "the only guy". I've tried to port/run a few HTML java-script based games on WP7 (Digger and couple more) more then year ago; they runs well with one HUGE exception - touch screen events are freezing scripts execution and make games not playable.
The "x-wmapp1:" URI scheme was what I was referring to. Not sure where that comes from, but I haven't done anything really with the WebBrowser control.
I have no knowledge of PhoneGap or Cordova; I assume they're "we write your app for you" frameworks? One would assume that such tools would know to set IsScriptEnabled, but you may have to do so manually. A bit of web searching on that direction may be fruitful - maybe earlier versions enabled scripting by default, and now it's disabled by default so you have to specify an option somewhere?
Injecting the script on navigation really doesn't require any major change to the server-side code. I mean, is sending
<script>window.external.notify('load localscript1.js')</script>
really much different from sending
<script type="text/javascript" charset="utf-8" src="x-wmapp1:/app/www/test.js"></script>
? If that's too different, you could instead send
<script src="http://yourserver.com/LoadLocalScripts.js"></script>
and put "LoadLocalScripts.js" on your server with the following code:
window.external.notify('load localscript1.js');
This has only a trivial increase in server traffic and load time, but lets you continue using external scripts instead of inline ones. Very little server-side change needed at all.
Now, the additional client-side code to support the window.external.notify and call InvokeScript... normally I'd say that's dead easy, because it is if you have any experience with the .NET framework, but in your case I get the feeling that this isn't so? I code to the framework, or to the underlying native code, and I tend to code "raw" (very little auto-generated code), so I'm not going to be able to help you solve the problems with a "make me an app" wizard unless I can see the code it generates for you.
For what it's worth, here's the approximate raw code that I'd use (it's over-simplified, but close enough):
void HandleNotify (String param) {
String[] parts = param.split(" ");
if (parts[0] == "load") LoadScript(parts[1]);
}
void LoadScript (String script) {
String content = Application.GetResourceStream(new Uri(script, UriType.Absolute)).ReadToEnd();
theBrowserControl.InvokeScript("eval", content);
}
void theBrowserControl_Loaded (...event handler args here...) {
theBrowserControl.IsScriptEnabled = true;
theBrowserControl.ScriptNotify += HandleNotify;
theBrowserControl.Navigate("http://yoursite.com");
}
the URI comes from Windows Phone itself, with this code, you can see for yourself:
var a = document.createElement('a');
a.setAttribute('href', '.');
alert(a.href);
also, I've been informed that this works in Cordova 2.0, so it might be a 1.8.1 bug... will try and see how it goes
thanks for your help so far!
Looks like it was a problem with PhoneGap 1.8.1 - after upgading to Cordova 2.0 (PhoneGap got renamed) it all works now... thanks for all the help!
Related
*Anyone get the reference? Haha*
Resident Mort
The Scripter's Companion
Current News / Status:
Resident Mort is currently Under Development
Resident Mort is planned to be a background EXE that will extend the functionality of MortScript available to developers through the usage of the "PostMessage" function.
Resident Mort is planned to extend functionality by adding extra, possibly more complex, functions or even adding in the ability for more complex GUIs.
Features (Green = Implemented, Blue = In Testing, Orange = Planned, Red = Failed):
GetProcessList - Gets a list of Running Programs
GetRecentApps - Gets a list of Recent Apps (10)
CreateScript - Creates a MortScript with the provided info
MakeFile - Makes a file of any kind with the provided info
MakeFolder - Makes a folder at the specified location
RegToEvent - Registers a File to an event
UnRegFromEvent - Unregisters a File from an event
IsIdEventRegistered - Checks to see if a File is registered to an event.
DispImg - Displays an Image to the screen [and gets where the user Presses]
MakeForm - The Initial call for setting up an 'advanced GUI' form
FormAddObject -A Call that will add one of the predefined objects to the form being created
DeployForm - The Final call for setting up an 'advanced GUI' form, displays it to the user
This application is being made for MortScripters, to possibly make some projects easier. Since I don't use MortScript so much any more, I do rely on you the developers who use MortScript, to tell me what you want in the program.
Since I have a good deal of Functions there, I will commence work on a primary release
Saved For Future Use - Features and Screenshots
like the idea! advanced guis would be very useful
so this is a compiler? I am not sure what this is about
-sorry
No, this is a Resident App, an EXE that is always running in the background. It will have certain functions in it which can be accessed by MortScripters.
All the functions can be called with PostMessage ( I will provide documentation on how to do so, when I make a first release ). Then the results will either be written in the REGISTRY, written to a FILE, or copied to the CLIPBOARD (depending on how the scripter wants to handle the task).
Does this clarify it a bit?
Thanks for sharing!
A small update:
I am using this 'decent' planning utility, to help me keep track of my growing projects. According to this utility, the program is close to 30% complete. Then again, this is just a 'decent' utility haha. I would say, in my estimation (since some Code is "Copy + Paste"), I am close to 60% to 75% done.
A small change in my plans:
While I originally had the intentions of making this program as simple as a PostMessage in MortScript, I found out the following two Limitations:
1) MortScript's PostMessage/SendMessage only support(s) sending Numbers in the wParam and lParam parameters...very disheartening.
2) Due to #1, I made an assistant EXE, which would be run instead of calling PostMessage [this way I could do it Natively in my own control], but it is MUCH harder to transfer data between two applications that I would have thought! Due to Virtual Stacks and Memory Allocation 'rules', I couldn't EASILY do this.
So Here is my change:
In order to use Resident Mort, scripters will have to do about 3 or 4 commands to run. The only real commands that need to be used are PostMessage and RegWriteString (Did I get those right?).
In any case, my Resident Mort will read the Registry for corresponding wParam and lParam values and use those [in the future I will attempt Clipboard integration, to avoid Registry Interfacing].
When I release this program to the public, I will try to include a MortScript file that shows how to use all the functions. I don't remember much of MortScript [unfortunately], but I was thinking it could be helpful to make a "Library" of MortScript functions so a script will only have to call that function. But that is if some kind dev. would like to help out later on
Anyways, Thats that for this update. Expect a result in the coming week.
That sounds interesting for adv. gui functions.
Cyclonezephyrxz7 said:
1) MortScript's PostMessage/SendMessage only support(s) sending Numbers in the wParam and lParam parameters...very disheartening.
Click to expand...
Click to collapse
That's not MortScript's fault, it is design of whole Windows CE kernel, more here
I'd go with background EXE, that would listen to messages WM_USER+somenumber, maybe even region (for different actions, so you'd have both lParam and wParam free for another parameters). If you need help with this part, drop me PM on MSN, I had to study this a bit in the PinchToZoom project myself.
@OndraSter : Yeah, I know that Windows CE has limitations, however it is not impossible. Such an ability could be implemented in a code-update to MortScript. I did my reseach (if you look at #2, I mention that I found it much harder to transfer data between exe's that I had hoped) and found that you can transfer data via SendMessage (the Synchronous method) using a TRANSFERDATASTRUCT and WM_COPYDATA. If MortScripts interpreter could identify a SendMessage with a String value in either wParam or lParam, then it would create such a structure and transfer it, the receiving app would HAVE to take care of deleting the data though, or you have mis-used RAM.
As for how it is going to work now, I did not consider using WM_USER + a value, mainly because my program won't be using other Messages, and will only act if the correct wParam/lParam are provided (preventing accidental execution if the System decides to post a message with the same ID). I have it mostly covered, and I am closing in on finishing (currently with Reg data retrieval only, no Clipboard yet). I have completed 3 of the 7 Proposed Functions (MakeFile, MakeFolder, CreateScript) and I would have finished RegToEvents, but I got sorta lazy hehe. DispImg shouldn't take me more than a few minutes when I get to it, and once I get the API calls for Processes and figure out how to read the MRU reg-entry, I will have the last 3 complete!
As for Clipboard data retrieval, unless I am using the entirely wrong API calls, MortScript has an interesting way of using the Clipboard...I tried copying simple strings like "hello world" to the clipboard using MortScript, then trying to retrieve them in my Resident Mort, but the clipboard always comes up empty... Any ideas anyone?
Thats that for now I am about ready to release....any other functions you want implemented?
As for how it is going to work now, I did not consider using WM_USER + a value, mainly because my program won't be using other Messages, and will only act if the correct wParam/lParam are provided (preventing accidental execution if the System decides to post a message with the same ID).
Click to expand...
Click to collapse
http://msdn.microsoft.com/en-us/library/ms644947(v=VS.85).aspx
Good idea, the only downside being that it will generate the Message Numbers each time it is run... It is not assured that the Post / Send Message MsgIDs will remain constant.
Thanks for the link however
Cyclone,
Sorry about taking so long to post here...
How about, when the BT is on, this reports what is "out there" based on what the BT stack is telling you.
That is, it should read the surrounding area, then report that is saw my BT dongle. In the car, it should report that it saw my BT GPS unit.
Then, I can use that information to change my profile. That is, when it sees the BT dongle, regular phone calls. When it sees the BT GPS unit, run speaker mode, or connect to the GPS unit for phone calls.
Thanks!
--Ironhead
P.S. it would need to support the Touch Pro 2, Rhodium (my understanding is that it is Widcomm BT stack)
I"ll see what I can manage. I am really 'grid-locked' in my work on a couple of projects already So a release of this may have to wait a while....Sorry
I wish I had caught you a little sooner...
AutohotkeyCE may be a better base to work from than Mortscript...
http://www.autohotkey.net/~Micha/AutohotkeyCE/html/index.htm
In fact... AHKCE should be able to cater to all of your needs without the separate resident app
Yeah, I have seen that before. This project is really just a little challenge for myself to expand upon MortScript [because I know it is widely used].
Thank you for the link/suggestion however
I've been playing with Mortscripts for a while, I'm really thinking I can do everything I want, right from there...
EXCEPT:
Actually getting the information from the BT stack. I just need to see if there are any registered BT devices around my phone (so I can tell if I am in my car, at home, at work, etc.).
--Ironhead
Bumpity bump!
Hehe...Yeah, sorry for the lack of work on this. Check out FFP_LockScreen. I am working on a new release. I have very little time now, and I can't manage more than just one or two projects at a time. Once I release FFP_LS 3.0, I can devote some time MAYBE to this project. It all depends on how quickly the XDA-Marketplace idea takes off.
Sorry =\
I you can add a tool to make an GUI... it s must be soo cool...
Hey guys,
There has been a lot of great strides here in learning more about this WP7 and what it's capabilities are! I'm very excited about what everyone is doing!
I'm sure a lot of you have been doing your own tinkering and was hoping to combine some efforts and maybe eventually come up with a solid SDK for home brew applications.
Here is where I'm at with my exploration:
With the COM bridge and Visual Studio 2008 one can develop a native ARM COM DLL to talk to native code from Silverlight.
I believe the ComBridge.RegisterComDll does not really register the COM class in the system registry. I believe the runtime simply caches the clsid and filename and creates the class when the runtime is looking to instantiate the ComImport COM class.
We are able to use wince's win32 API to make operating system calls from the C++ code.
There does not seem to be any security restrictions that I have come across in using the operating system from native code. I will note that without the NETWORKING caps in the manifest, DNS would only resolve cached addresses, but the rest of the sockets worked fine. I do not believe this to be a security measure, but more of a missing initialization method I am not aware of.
We can return other COM interfaces created in our native code and talk to it by implementing the COM interop interfaces in C# ( InterfaceType(ComInterfaceType.InterfaceIsIUnknown))
Currently I have written a sockets library here: dl[dot]dropbox[dot][c][o][m]/u/4165054/PhoneNetworkingSample[dot]zip
I also have the workings of a file system library that I have not completed yet. I realize there is some OEM lib out there that does FS access, but I believe it to be important to homebrew that we make our own.
I recently have been looking into Direct3D 11 API support for the phone. I have successfully created a D3D11 device and passed it back to .NET code where I was able to execute some methods on it. A lot of work needs to be done here. First the device is almost useless if we cannot render to something. I believe I have been able to create a window, but not been able to actually show it. My next method of attack will be to find the hwnd Silverlight is rendering to, hook its WndProc and do our own rendering here.
If anyone else has any information on their hacking, please let us know! You can contact me on this board or on twitter [at-sign]jmorrill.
-Jer
Great work! I will definitely have a look at the sockets source code. This should open up a lot of possibilities for app developers
Sent from my HTC HD2 using XDA App
jmorrill said:
Hey guys,
[*]We are able to use wince's win32 API to make operating system calls from the C++ code.
[*]There does not seem to be any security restrictions that I have come across in using the operating system from native code. I will note that without the NETWORKING caps in the manifest, DNS would only resolve cached addresses, but the rest of the sockets worked fine. I do not believe this to be a security measure, but more of a missing initialization method I am not aware of.
[/LIST]
Click to expand...
Click to collapse
There definitely are security restrictions applied to the native code. This is what I think. Our applications are deployed in the Least Privilidged chamber (LPC) which has dynamic capabilities by the ones we specify when the application is deployed.
<Macro Id="LEAST_PRIVILEGE_CHAMBER_GROUP_NAME" Description="Least Privilege Chamber Group" Value="S-1-5-112-0-0X80" />
and are members of the:
<Account Id="S-1-5-112-0-0X70" Description="All public capability accounts are members of this group" FriendlyName="Public capabilities group" Type="Group" />
There are certain win32 API calls which are allowed but anything which could be used to compromise the OS is only allowed to be called from the TCB chamber.
<Macro Id="SYSTEM_CHAMBER_GROUP_NAME" Description="TCB Chamber Group" Value="S-1-5-112-0-0X00" />
<Macro Id="SYSTEM_USER_NAME" Description="TCB user SID" Value="S-1-5-112-0-0-1" />
For example, loading nativeinstallerhost.exe:
<Rule PriorityCategoryId="PRIORITY_HIGH" ResourceIri="/LOADERVERIFIER/ACCOUNT/(+)/ACCOUNT_CAN_LAUNCH/NONE/NONE/PRIMARY/WINDOWS/NATIVEINSTALLERHOST.EXE" SpeakerAcc ountId="S-1-5-112-0-0-1" Description="Only TCB can launch into this chamber">
I am guessing the LOADVERIFIER is doing this using the code signing certificates. If you check your apps they will be signed with a LPC certificate but if you look ones included in the ROM then they have TCB signing.
I can't see anything that would prevent you from doing socket stuff in the security policy (as you have found). However, it looks like you need:
<Macro Id="ELEVATED_RIGHTS_RESOURCE_GROUP_NAME" Description="Elevated Rights Resource Group SID" Value="S-1-5-112-0-0X14" />
To use raw sockets:
<Rule PriorityCategoryId="PRIORITY_STANDARD" ResourceIri="/RESOURCES/GLOBAL/WINSOCK/RAWSOCKET" SpeakerAccountId="S-1-5-112-0-0-1" Description="Acess to Winsock Ra w sockets">
<Authorize>
<!-- Match loaded from:
<Match AccountId="S-1-5-112-0-0X14" AuthorizationIds="GENERIC_ALL" />
</Authorize>
Would be useful to confirm that this is the case and that this policy is actually being applied
Yep, that reflects the same behavior in Windows on the desktop. Normal socket use is okay, raw requires admin.
Do we have a tutorial on how to create native COM classes?
Also, this url explains why you cannot copy/read some files from the \Windows directory, but can LoadLibrary on them (which is how I load d3d11.dll).
blogs.msdn.com/b/windowsmobile/archive/2007/12/29/why-can-t-i-copy-programs-out-of-windows.aspx
Sorry no tutorial on making COM objects. But basically just create a new smart device mfc dll in VS2008, then add a new ATL class to the project. I modified the COM interface/classes to inherit from IUnknown vs. IDispatch.
I guess I misspoke about the security restrictions. Really what I'm looking for, is to have about the same level of access to the device as any Windows Mobile application has, which is enough to suite most of my needs personally.
Ok, I've just created a native dll and call it from Silverlight.
Once you know what type of project to create it's quite easy. The longest part was to reinstall Visual Studio 2008.
Quick question: how do you handle passing string between native and managed? I have several ways in mid but they all seems very complicated.
(nico) said:
Ok, I've just created a native dll and call it from Silverlight.
Once you know what type of project to create it's quite easy. The longest part was to reinstall Visual Studio 2008.
Quick question: how do you handle passing string between native and managed? I have several ways in mid but they all seems very complicated.
Click to expand...
Click to collapse
Depends. Sometimes you can get away with StringBuilder. Or you can do a string outgument, and create the wchar_t in native code.
What I've done so far is creating wchar_t in native code, return an IntPtr to managed code, use Microsoft.Phone.InteropServices.Marshal.PtrToStringUni to get a string and then call a custom native method to delete my wchar_t array (didn't find a release method).
Seems a lot of work just to get a string...
(nico) said:
What I've done so far is creating wchar_t in native code, return an IntPtr to managed code, use Microsoft.Phone.InteropServices.Marshal.PtrToStringUni to get a string and then call a custom native method to delete my wchar_t array (didn't find a release method).
Seems a lot of work just to get a string...
Click to expand...
Click to collapse
Just stick it in a function, and be done with it. That way you only have to do it once. Don't worry about efficiency; unless it is in a tight loop, the string conversion isn't going to slow you down noticeably.
BTW, I got registry working and started working on a registry viewer.
However, I got access denied when trying to browser most of the node.
For example I can browse HKLM\System\State but not HKLM\System.
(nico) said:
What I've done so far is creating wchar_t in native code, return an IntPtr to managed code, use Microsoft.Phone.InteropServices.Marshal.PtrToStringUni to get a string and then call a custom native method to delete my wchar_t array (didn't find a release method).
Seems a lot of work just to get a string...
Click to expand...
Click to collapse
That isn't necessary at all. Simply define your managed class/interface with the MarshalAs attribute on your params. .NET will take care of the rest.
For example:
HRESULT MyFunction([in] LPWSTR param)
Would translate to:
UInt32 MyFunction(
[MarshalAs(UnmanagedType.LPWStr)]
[In] String param);
Thanks Rafael.
This is nice! How do I do the opposite? I need to create a string in unmanaged and use it from managed code Do I just have to use [out] instead of [in] in your example?
This is much simpler that my method
(nico) said:
Thanks Rafael.
This is nice! How do I do the opposite? I need to create a string in unmanaged and use it from managed code Do I just have to use [out] instead of [in] in your example?
Click to expand...
Click to collapse
Yep, it should match the direction indicated in your COM library's IDL. It basically just drives how Marshaller handles copying of memory, pinning, etc.
You guys are smarter the me at this, obviously, but is there a site where you share your code? because i'm smart enough to use existing code and make something happen..
jmorrill said:
I recently have been looking into Direct3D 11 API support for the phone. I have successfully created a D3D11 device and passed it back to .NET code where I was able to execute some methods on it. A lot of work needs to be done here. First the device is almost useless if we cannot render to something. I believe I have been able to create a window, but not been able to actually show it. My next method of attack will be to find the hwnd Silverlight is rendering to, hook its WndProc and do our own rendering here.
Click to expand...
Click to collapse
Have you checked out ZuneBoards? They've done some work in this area already with their OpenZDK, which looks similar to what we may need to do. Their method of breaking out of the CLI virtual machine is different than ours, but a lot of what they've done is what we want to do, too.
One thing that doesn't work are the typical WinCE graphics functions:
GetDC(NULL) ;
GetDesktopWindow();
LineTo();
GetClientRect();
That is they work, but the root window is empty! 0 wide and 0 tall. The drawing engine (unsurprisingly) is elsewhere.
ajhvdb said:
You guys are smarter the me at this, obviously, but is there a site where you share your code? because i'm smart enough to use existing code and make something happen..
Click to expand...
Click to collapse
Have you gotten anything to compile yet?
Check this one out: http://dl.dropbox.com/u/4165054/PhoneNetworkingSample.zip
And see if you can get it to compile (I would make it an attachment in this post but it's jmmorril's code). I've been using Visual Studio 2008 and the WinCE 6 refresh to compile the com dll: http://www.microsoft.com/downloads/...3A-A651-4745-88EF-3D48091A390B&displaylang=en
Then I copy the com dll over to my visual studio 2010 Windows Phone project, ready to be used. There are probably better ways, but you need to find out at least some way of doing it.
I've managed to create a basic Registry Viewer, readonly for the moment.
For now, I didn't manage to get access to root path, so the first 2 levels are hardcoded.
Download it here: (link removed, see below)
Edit:
Updated version here: http://bit.ly/eEZ0Uf
(nico) said:
I've managed to create a basic Registry Viewer, readonly for the moment.
For now, I didn't manage to get access to root path, so the first 2 levels are hardcoded.
Download it here: http://bit.ly/hOWLnI
Click to expand...
Click to collapse
wow man nice work , could you also make a file explorer ?
edit: here is a direct link http://www.xda-developers.ch/download/?a=d&i=7061084002
Hey everyone, I've thought for a while now that there should be a way to install homebrew applications on the device itself and have written a little something talking about the idea here. This post is mostly copied from there and focuses on the installation problem, so if you want the full thing, check it out.
Guillemet is (well, will be) a package manager for Windows Phone 7; basically the equivalent of Cydia for iOS, except not based on an existing system like dpkg (because is it Windows-based, and a package system like this is not in widespread use for Windows). This means its main tasks will be:
Downloading packages (applications... or other things) from outside sources (repositories)
Installing these packages on the user's device
Periodically checking the repositories for any new versions of packages
Why call it Guillemet? There are a couple of reasons for this name. First of all, I was looking for a name that was short (a single word), unique enough to catch people's attention and just sounded nice. Guillemets are the characters used in certain languages (like French) where quotation marks would be used in English. They look like this: « Ce sont des guillemets. » Because it's a typographic character, I thought it fit in nicely with Microsoft's Metro design concept. Also, it pointing forward can represent 'progress' (or something like that... that's marketing right?). Finally, it makes a nice reference to one of the things that made this possible in the first place: a guillemet consists of two chevrons.
Because the installing of applications is required for the application to be useful at all, I think it would be important to focus on this for now. Here's a short overview of what it currently known:
Installation can be done via provxml, but requires DRM (and cracking it is not feasible).
There are some functions present that might do the job, but we cannot access them at the moment due to our low privileges (this thread is trying to do something about that).
Manual installation would require us to 'register' the application, which probably has to be done by editing the file \Application Data\Microsoft\PackageManager\pacman.edb, but we cannot access this at the moment (it might also be in use by the OS). This manual approach will give us more customization options, though.
With a system to install even just standard XAP's in place, the first step would probably be to create a protocol handler so XAP's can be downloaded and installed right from the browser. This will create an open environment akin to that on the desktop, and will be very simple to implement and maintain (or rather, not maintain). Later on a package management system can also be implemented (more about that here).
I hope some of you will like the idea and might even discover something to make this work
Wow, first post here I like the idea but I guess it's nearly impossible =/ There's already a project like that.. it's called xda market and they still work on a device client ^^ I'm curious if on-phone-deployment will work one day
Hello everybody,
I got a WP7 Samsung Focus and I want to port my old application to this device and join native forces for WP7
My plan is simple: I'll convert my app into a dll, rewrite new gui in C# (or whatever the way to do it on WP7). I saw multiple posts about calling native code (original from Cris Walsh: http://goo.gl/2Tjks). Then I saw a few posts mentioning that it's impossible etc etc.
So, a few questions:
0) can I do it for my app (I don't need marketplace exams etc, I don't care for that)? I know that some WinAPI could be unavailable/broken, all I ask at this point if it's possible to load and run native dll without changing or re-flashing ROM.
1) ms wants 100$ out of my pocket to be able to deploy to my own device (WTF?!). What can I do to deploy to my phone without paying the crooks? (VS2010 tell me to register there and registration askes for 100$).
2) Is there a sample project I could D/L and run, I have zero experience in C# and I have no idea how to load and call native DLL from managed code in WP7? All these half broken samples are totally useless to me, I simply wanted to working HelloWorld app that loads and runs simple dll.
thanks
0) Yes, what you describe is possible. There are lots of limits, though - WP7 applications have very low permissions, and calling native code doesn't fix that. Unless you need to edit something outside the app's own iolated storage, though, you're probably OK.
1) Aside from the official marketplace account ($100), there are a few options:
a) if you've got an LG phone, they come with a built-in registry editor that can be used to dev-unlock your phone. I forget the exact key you need, though.
b) if you've got a student email address (ends in .edu) you can try registering through DreamSpark. This is free.
c) if you don't mind rolling back to pre-NoDo (7004 or 7008) you can use ChevronWP7 Unlock (instructions available on this forum). If you don't have a restore point that far back you can flash an official ROM for that version.
d) if you don't mind waiting, ChevronWP7 Labs will be available at some point (no ETA that I've seen, but it's been talked about for months) and will provide dev-unlock (but not marketplace account) for a nominal fee.
2) There are lots of apps distributed with source, and most of them will use some native code. You could do a search on this forum for subject lines including the tag "[SOURCE]" and find several (I release source for all my apps). However, I suspect what you'd find most useful is Heathcliff74's guide to WP7 apps that use native code, which is on this forum at http://forum.xda-developers.com/showthread.php?t=1299134. It includes step-by-step instructions.
Hope that helps! I look forward to seeing your app. Also, don't hesitate to ask for help with the actual development; I suck at GUIs and Silverlight but am fairly proficient at C# if you need somebody who knows that language, for example.
There is an ETA for the new ChevronWP7 unlocker:only a few weeks away from launch!
Hi GoodDayToDie
GoodDayToDie said:
0) Yes, what you describe is possible. There are lots of limits, though - WP7 applications have very low permissions, and calling native code doesn't fix that. Unless you need to edit something outside the app's own iolated storage, though, you're probably OK.
Click to expand...
Click to collapse
At this point I want to make a DLL from my simple app and call a few functions that interact with filesystem and network. FS is needed only for simple stuff (loading config file etc) from installation folder and creating some temporary files for local storage. Network is tcp/udp, I guess network should be available.
GoodDayToDie said:
1) Aside from the official marketplace account ($100), there are a few options:
...
Click to expand...
Click to collapse
I did some search, it seem that I've done that part. Chevron dev unlock was pulled out from their site, but the old version remains scattered all over the board. There is a good thread a good thread on how to do it. It happens that my phone is 7004. Where can I get old ROM in case if something goes bad and I need to re-flash? Is it easy, am I risking to brick and loose my phone?
I just tried to run sample phone app and it runs on the phone. Initially it said that it was revoked by MS, I run dev-unlock one more time and now it works.
GoodDayToDie said:
2) There are lots of apps distributed with source, and most of them will use some native code. You could do a search on this forum for subject lines including the tag "[SOURCE]" and find several (I release source for all my apps). However, I suspect what you'd find most useful is Heathcliff74's guide to WP7 apps that use native code, which is on this forum at http://forum.xda-developers.com/showthread.php?t=1299134. It includes step-by-step instructions.
Click to expand...
Click to collapse
I'll try to search, hope I'll be up and running soon. Too bad WP7 is DOA. They always had much better tools than all these ghetto Symbian/Android/Xcode crapware tools... WTF is wrong with these guys, at the point when they were surpassed at speed of light by newbies iPhone and Android they made some backward steps to cut off most of the devs (but they added all these 500K Silverlight newbie devs...). I'm so disappointed with Android, seems like they hired all these retards who were fired at symbian: same **** tools
I downloaded a few samples and it seems that all of them contain prebuild dll's and all of them are COM dlls or something like that.
What I'd like to find is simple sample that contains src code to native WinMo dll and C# project that it uses.
As far as I know native dll cannot be build with latest tools (am I right?), but I can use cegcc or VS2008 to build native DLL's.
stuff like:
Code:
if (ComBridge.RegisterComDll("ComFileRw.dll", new Guid("EEA7F43B-A32D-4767-9AE7-9E53DA197455")) != 0)
is totally unknown to me. I would really like to avoid to even elarning anything about COM related stuff. I prefer not to mess up with code that isn't portable.
HI mtlgui,
unless Heathcliff finishes his WP7 Root Tools SDK, you don't have any other way to access native c++ code besides using COM. DFT (The DarkForcesTeam) released a firmware loader, that allows you to flash customized unsigned firmware. They were also able to do some native c++ coding with the WM API. However the used firmware for that is not public and it is limited to HTC devices.
Did you already consider to write your application in c#? Mango has now TCP/UDP socket support for outgoing connections. Incoming connections or services running on the phone aren't possible without using native code, at least for the moment.
Hi rudelm,
if the only way to use native is to build COM dll, then I'm OK with that. My app code is old and I'd rather throw my WP7 device to trash can than trying to rewrite my app in C#.
Eventually, down the road while hacking maybe I'll learn c# well enough to do anything with it other than GUI and calling native/COM dlls.
So, just to confirm my understanding. I need to write COM dlls that access native API (socket, filesystem, wavein/waveout etc) and then load these COM dlls and call their functions from C# (or whatever is the closest lang to c/c++ in the WP7 world).
@mtlgui:
You've pretty much got it. A few thoughts, though:
There is a webserver project available on this site. It includes source for its C++ native component (the library is called NativeIO; I can probably send you the source if you can't find it). It exposes registry, filesystem, and TCP server and client sockets to COM. Note that because this library was built for pre-Mango phones, just compiling it and shipping it may not work on Mango phones as many deprecated libraries were removed in Mango and if the DLL contains any references to them, it won't load.
Generally speaking, what you're asking for with TCP/UDP is possible, though you may have to code against the winsock API directly. It sounds like you're doing as little as possible with C#, so even if the Socket API that is available with Mango were sufficient for your app's needs, you wouldn't be using it.
Filesystem access... even if you have read access to your app's install folder (I haven't checked, though you should), you almost certainly won't have write access. Each app does have a writable "isolated storage" though, under \Applications\Data\{GUID}\Data\IsolatedStore\. I've only ever tried writing to it using C# though, so I don't know for sure if it's writable using the native APIs directly (should be, though).
It's probably perfectly OK to write your app as one big native DLL (hell, it *might* work to just change the build type from Application to Library, then rename main() or something like that). You will need to expose the library to COM, but that's easy. You can then write a very simple C#/Silverlight app (see Heathcliff's instructions, or just post the COM interface and soembody could write it for you). All the C# app needs to do is use ComBridge to access the native DLL, and call a "run()" function or something similarly simple.
For what it's worth, C# is very close to a superset of C++, at least on the desktop. The phone version is crippled a little by not allowing the use of pointers - everything has to be done with strongly-typed references instead, which can make network code a little annoying but is otherwise rarely a problem - but with a little experimentation you may find your disdain for C# to be misguided. It's a useful language to know it today's job market, if nothing else.
Why is your phone still on 7004? That's the launch retail build, something like eight months out of date. On the plus side, this means that things like ChevronWP7 Unlocker still work for you, as you found. On the minu side, it means you're putting up with bugs and missing features that you needn't be. Have you tried updating at all? If/when you do update, make sure to back up the restore points that the Zune software generates (they got in %localappdata%\Microsoft\Windows Phone Update\). That way, if you ever need to roll back to 7004, you can do it. Normally, only the most recent restore point is kept.
Flashing ROMs is safe so long as you don't try something like flashing the wrong one for your device. Unless your bootloader is unlocked (only possible on HTC), you can only flash official ROMs anyhow, which saves you from most of the risks. On the other hand, you're already on as old a ROM as you will find, and so long as you keep your restore points, you can return to it any time you want to, easily.
I'm googling now the board to find NativeIO and that webserver app. So far only references to it, but no src code.
I'm ok with isolated read/write access. All I care is persistent fs storage.
My phone is still 7004 because I just bought it so I can do some WP7 development. I don't want to mess up with updates at the moment.
As I understand from another post ComBridge is C#->COM->native c++ dll or any other dll that can be used, right? I'm just learning some COM to learn enough to start actually programming for the phone. I see that I can pass whatever data I want, but I don't seem to be able to see a way to register callbacks so that native/COM could call back to C#
mtlgui said:
I'm googling now the board to find NativeIO and that webserver app. So far only references to it, but no src code.
I'm ok with isolated read/write access. All I care is persistent fs storage.
My phone is still 7004 because I just bought it so I can do some WP7 development. I don't want to mess up with updates at the moment.
As I understand from another post ComBridge is C#->COM->native c++ dll or any other dll that can be used, right? I'm just learning some COM to learn enough to start actually programming for the phone. I see that I can pass whatever data I want, but I don't seem to be able to see a way to register callbacks so that native/COM could call back to C#
Click to expand...
Click to collapse
Basic introduction to native code and COM, including references to more background info: http://forum.xda-developers.com/showthread.php?t=1299134.
Callback from C++ -> COM -> C# can be done. Decompile the WP7 Acrobat Reader app. You'll see how it works.
Ciao,
Heathcliff74
OK, time to give this subject its own thread. You can read about previous efforts here: http://forum.xda-developers.com/showthread.php?t=1113066. In particular, http://forum.xda-developers.com/showthread.php?t=1113066&page=11 is where I started.
Background: the policy database is essentially the Access Control List (ACL) store for WP7. ACLs are typically attached to objects (files/folders, registry keys/values, drivers/services, possibly even APIs). When a process tries to do something, the OS uses the process's security identifier (called a "Token", it identifies the account running the process and therefore the permissions that process has) and looks up the ACL specific to that operation. If the ACL authorizes that account to perform the operation, the kernel permits it. If not, it blocks the operation and indicates an error (most famously on WP7, 1260 or 0x4EC, meaning blocked by policy). For some OSes, like NT, that attachment is in the metadata which describes the object (for example, NTFS stores ACLs for each file and folder). Apparently, WP7 uses a centralized database of ACLs, stored as "policies", instead.
Why I'm doing this: the policy database is the key to fully unlocking the phone. I mean that literally; "full unlock" ROMs achieve that state by basically turning off policy enforcement. I don't necessarily want to do that - at least not phone-wide and constantly - but I want to be able to set my own policies, and possibly modify existing ones.
What can be done with it: well, one example is the subject of the thread I linked above: homebrew native EXEs require first being able to add policies for them. There are some other cool possibilities, like turning off ID_CAP_INTEROPSERVICES enforcement or allowing apps to write to the MaxUnsignedApp registry value directly. That gets around the risk of phones being re-locked and unable to interop-unlock again. Basically, it allows an app to do anything short of modify the ROM.
Purpose of this thread:
* Provide a central location of information about the policy system, policy database, and creation of custom policies.
* Collaborate on the project of understanding and modifying the policy database and policy system overall.
* Share interesting policies we've found in the database, or post custom policies that can be added to enable a cool hack.
* Discuss and share ways to preserve, going forward, our control over the policy system.
There has been concern raised that this work should not be mde public, because Microsoft will look at what we are doing and use that knowledge against us. There is some validity to that argument; if the work is done in secret, and any files posted that use the fruits of that work are heavily obfuscated, it would probably take Microsoft a little longer to block it if they decided to do so. Not terribly *much* longer though, I suspect - they have many tools at their disposal, full source code and documentation, and full understanding of the system in their engineer's minds. Any hack we find, they can reverse engineer or simply block access to whether or not they can read a thread about it here on XDA-Devs.
There's also the risk of malware. Malicious homebrew apps could abuse this knowledge to do serious damage to your phone, to steal info, and possibly even for direct financial effect (send premium SMS, for example). However, I see no real way around that problem; it's an inherent risk of unlocking a device. The simplest and best step to combat it is to not install untrasted apps, and the best way to be sure an app is trusted is to be able to analyze it. (This is one of the reasons I include the source for my apps, and encourage others to do the same.) Besides, it's already possible to do plenty of damage with existing homebrew hacks, yet somehow that problem hasn't materialized.
So, instead of secrecy, I propose openness. The best option we have to offset Microsoft's tools, knowledge, and source code is to collaborate, pooling the knowledge and effort of many hackers. If people want to keep certain things secret, by all means use email or PMs. In general, though, I think the failure to spread knowledge does more harm than good.
OK, that turned into a long enough intro that I'm going to post my first actual findings in a reply.
Policy-related files
There are actually two databases: one is for policies, and one is for accounts. They are located in \Windows\Security\ and are called policydb.vol and accountdb.vol. These files are locked (opened without sharing permitted) while the OS is running. There are two additional files in this folder: PolicyMeta.xml and PolicyCommit.xml. These files can be accessed using provxml, TouchXplorer, WP7 Root Tools, or HtcRoot Webserver.
The PolicyMeta XML file contains macros describing accounts, and metadata about the policies in the database. In particular, it contains a large number of bit masks that indicate different permissions. By itself, this file doesn't tell us much of use, but it will be a big help for understanding binary data in the the database. It's small and not commented, but easy to read.
The PolicyCommit.xml file contains the merged result of combining all the policy files on the phone. I don't know if anything actually reads this fine, but it's a nice human-readable (and searchable) view of the data that goes into the policy database. It contains a number of comments, but most are just where the various policies were merged from. It is the largest file.
The policy database file ("Volume" to use the term of the CEDB APIs) itself is large-ish (mine approaches a megabyte) and contains three CEDB databases. The first is a small single-record "database" (in SQL you'd call it a table) that appears to be used for transaction locking. The second is a single large record (several KB) that appears to be a bloom filter (Wikipedia has a pretty good article, the short version is that it is a quick and compact data structure for checking whether a given item is in a collection). The third database (named "PatternDBmultimap") is the real deal, containing thousands of policy records.
I haven't looked at the Accounts database much yet. It's smaller than the Policy database volume, but still a few hundred KB. A substantial portion of that is probably custom accounts created for each app that is installed (since each app has different permissions - specifically, each app has read and write access to a different set of folders - there must be a unique account for each).
The policies appear to come from a few sources. One of them is the many *.policy.xml files (the first part is usually a GUID) in the Windows folder. These files are locked in ROM, and define the core system policies (system accounts, permissions for system objects, etc.). The \Windows\Security\PolicyCommit.xml file (which is not in ROM, or even marked read-only) appears to be simply the result of merging all these files.
Another source of policies must be the application installer. Application-specific polices are not present in the PolicyCommit.xml merged file, but are in the database itself. It is reasonable to expect that they are created and removed by the package manager. This is a good sign for being able to modify policies ourselves.
The initial creation of the policy files appears to be up to a program, \Windows\PolicyLoader.exe. This program takes policy.xml files, merges them, and produces the merged result file and the policy database(s?). It's even possible to run it, given sufficient permissions. Unfortunately, it seems unable to modify the policies on a running device, and is believed to only run at first boot (or after a hard reset) or when an update CAB installs new policy XML files.
EDIT: Attaching the \Windows\Security\*.xml files from my phone, along with the decompiled source for PolicyLoader that was posted on the other thread.
The LG MFG app has a section for editing certain security policies. I can post the info from there, if it'd be of any help. By the way, it specifically says "Edit security policy through registry" so it might not be the same policies that you're talking about, I don't know.
EDIT: Actually, looks like those policies are a subset of the ones listed here: http://msdn.microsoft.com/en-us/library/bb416355.aspx
Analysis of the policy database
I wrote a function to dump the policy database to a text file (with inevitably some embedded binary). Each record in the database has four fields. I'll do my best to describe them below.
1) The first is a DATETIME struct (two 32-bit integers). This is the only 64-bit numerical type available except for a DOUBLE, so it might be selected just as a convenient way to store that many bits rather than because it's actually a date and time. In particular, when I converted them to actual dates and times, the years ranged from the 1970s well into future centuries... this seems an unlikely candidate for an actual set of dates.
What I think it actually is, is some kind of hash of the second field. It might be the index bits for the bloom filter, for example. The reason I think so is that, when there are multiple records with the same value in the second field, they also have the same value in this field, but even a slight difference in the value of the second field results in a very different first field.
This field is not unique, but it does appear to be the default sort order for the database. I don't know if that's ust because it's the first field, but it would make sense to have it be indexed using this field for fast lookup (binary search) after the bloom filter finds that the item is (probably) present.
2) This field is a binary BLOB struct (a size and a pointer). This field contains Unicode strings, sometimes with a bit of binary data (small, typically less than 20 bytes) tacked on the end. Strings plural; each one is NULL-character terminated.
This field appears to be the paths that indicate the object (or objects, since it can contain wildcards) that the policy applies to. If there is a policy in the XML for ResourceIri="/REGISTRY/HKLM/SOFTWARE/MICROSOFT/CAMERA/READWRITESETTINGS" then there will be a record in the database with the second field that would be written like this in C source code: L"REGISTRY\0HKLM\0SOFTWARE\0MICROSOFT\0CAMERA\0READWRITESETTINGS\0". I'm not sure what the occasional binary afterwards means, although there appears to be a specific value for a wildcard (represented in the source XML as ResourceIri=/PATH/WILDCARD/BASE/(*)", but the last part doesn't translate to Unicade the way you'd expect).
As mentioned above, I'm pretty sure that the first field is related to this one. Since the value of a bloom filter on this database would be to quickly establish "Is there a policy for this object?" it makes sense that the path (second field) is the data that gets hashed to produce the bits of the key. It's not really required to then store the key bits, but they make a reasoanble value to sort on.
3) The third field is also a binary BLOB, but the value of it is much more opaque. Typically in the range of 50-300 bytes in length, there are certain patterns that I've noticed within it (0x01 00 01/02 00 65 is a common prefix, and they typically end with 0x00 3X) but I have not yet determined what they actually represent.
Some logical possibilities are an account identifier (though that seems needlessly long for such a purpose) or possibly the permissions data directly. When the second field has a path to related objects (for example, the isolated storage of an application), the third field is often similar as well.
4) The fourth field is another DATETIME struct, but in this case is obviously not an actual date value. The high four bytes are (almost?) always 0xFFFFFFFC, and the low four bytes are typically 0x0000XXXX where the Xs can be anything. This value is not unique - there are numerous instances of 0xFFFFFFFC00000001, for example - but I'm not yet sure what it is.
The same guesses I offered for field 3 apply as well, with the caveat that it's probably not just a different representation of field 3 because two records can have the same value on field 4, and their field three values may not only differ, but be different sizes. I need to look at the XML files and see if there's a pattern between policies with the same field 4 and an equivalent data item in the XML.
I'm attaching the dump file I created of the policy database. It's best opened in a hex editor (Visual Studio does well enough) although you can also use Wordpad (Notepad won't respect the line endings). Wordpad can't show you the binary, of course, but it's a readable layout of the data.
The format is as follows:
ASCII string: "Index "
ASCII representation of an Integer for the index.
ASCII string: ": Prop0 (FILETIME): 0x"
ASCII representation of the DateTime, with a space between the high and low DWORDs.
ASCII string: " | Prop1 (BLOB, "
ASCII representation of the blob's integer size.
ASCII string: " bytes): "
Direct dump of the second field's BLOB buffer (multiple UNICODE strings).
ASCII string: " | Prop2 (BLOB, "
... and so on. I intentionally used ASCII to make the direct memory dumps, which are in UNICODE for the second field at least, stand out.
@Arktronic: Interesting. Those policies (in the registry) are a legacy holdover from WinMo, and at least some of them have been superceded by the new policy system, but the fact that LG gave them specific mention in their app suggests that they still have some relevance.
However, you're correct that those aren't the policies I was speaking of elsewhere in the thread. It may be a good idea to explore them both in parallel, though. Which ones does the LG app list?
Arktronic said:
The LG MFG app has a section for editing certain security policies. I can post the info from there, if it'd be of any help. By the way, it specifically says "Edit security policy through registry" so it might not be the same policies that you're talking about, I don't know.
EDIT: Actually, looks like those policies are a subset of the ones listed here: http://msdn.microsoft.com/en-us/library/bb416355.aspx
Click to expand...
Click to collapse
We already did some testing with those policy settings, but the ones granting more access were not available and the others could not get the app itself into an "unsafe" mode. But then again, I'm far from a professional when it comes down to these things, I just crossreferenced them all against the MSDN DB and looked for the ones that would make fileops possible, no luck.
I'm not sure if they added policies to the LG MFG app in the meanwhile (unlikely) but it might be worth it to investigate how the MFG app modifies those select policies.
GoodDayToDie said:
@Arktronic: Interesting. Those policies (in the registry) are a legacy holdover from WinMo, and at least some of them have been superceded by the new policy system, but the fact that LG gave them specific mention in their app suggests that they still have some relevance.
However, you're correct that those aren't the policies I was speaking of elsewhere in the thread. It may be a good idea to explore them both in parallel, though. Which ones does the LG app list?
Click to expand...
Click to collapse
The latest ROM's MFG app has the following policy IDs: 4104, 4105, 4108, 4109, 4110, 4111, 4113, 4119, 4120, 4121, 4124, 4131, 4132, 4141, 4142, 4143, and 4149.
The last one isn't in the MSDN doc; it calls itself "FIPS Self Test Policy" or SECPOLICY_FIPS_SELF_TESTS.
There are potentially useful things like SECPOLICY_OTAPROVISIONING (4111), which has the value of 3732 - no idea which flag(s) that represents - but if there's a way to send provisioning messages to WP7, that might open up quite a few possibilities.
I believe there's at least a chance for OTA provisioning. Sending custom SMS appears to be possible (click around from the link):
http://msdn.microsoft.com/en-us/library/ee498239.aspx
That said, it's almsot certainly either secured or disabled by default.
Hmm... does anybody want to take a shot at getting a decent decompile of lvmod.dll? I don't have the tools, though I probably should. Reading the disassembly is slow and painful.
I've found a few new things:
It's possible for two records to differ *only* on the third field, and even then the binary was more alike than not. Look at indexes 12 and 13 in the dump - they're really similar. They are built from the following policy rules (no promises on order):
Code:
<Rule PriorityCategoryId="PRIORITY_HIGH" ResourceIri="/REGISTRY/(*)" SpeakerAccountId="S-1-5-112-0-0-1" Description="TCB can do anything to all registry keys">
<Authorize>
<Match AccountId="S-1-5-112-0-0X02" AuthorizationIds="KEY_ALL_ACCESS, KEY_READ, KEY_WRITE, KEY_EXECUTE, GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, STANDARD_RIGHTS_REQUIRED, SPECIFIC_RIGHTS_ALL, ALL_ACCESS" />
</Authorize>
</Rule>
Code:
<Rule PriorityCategoryId="PRIORITY_LOW" ResourceIri="/REGISTRY/(*)" SpeakerAccountId="S-1-5-112-0-0-1" Description="Catch all rule to allow Normal and above apps to read/write to all unnamed keys">
<Authorize>
<Match AccountId="S-1-5-112-0-0X23" AuthorizationIds="KEY_ALL_ACCESS, KEY_READ, KEY_WRITE, KEY_EXECUTE" />
</Authorize>
</Rule>
I would have thought that either the different permissions being granted, or the different accounts they were granted to, would result in a different fourth field... but no such luck. Time to look into this further.
The accountdb.vol file has two databases in it, GroupMemberships (1105 records on my phone) and Accounts (291 records). The latter is actually much bigger in terms of data size, though - 70KB vs 31KB for GroupMemberships. The records in GM must be very small, probably just pair mappings.
Hey GoodDayToDie,
Awesome job on sharing all this low level findings from underneat the hood of my favourite mobile OS. While i'm not capable of researching this myself due to lack of knowledge I love to read about how you (and other well known WP7 hackers as well of course!!) tackle the security and are willing to share this with the community to combine power. I think threads such as these are really necessary to get to the finish. Keep up the good work, i've got a strong feeling we will get there eventually .
THANKS
Looks to me like this is the policy database.
Here is an example set of policies that enable/disable tethering on the Arrive.
Is shows the values needed to create/add a policy to the policy database. HTClv.dll shoudl be able do set/modify these values using "LVModProvisionSecurityForApplication"
You may already know this, but figured I would share.
Also, HTC has regedit.exe and HTC uses it to provision/make registry changes.
I will attach the regedit4 file HTC uses to configure the radios.
This also defines where the key UserProcGroup defines the TCB chamber a driver runs under. see... "UserProcGroup"=dword:5 ; TCB chamber
Seems with using the registry editor, we could elevate any driver to the Kernel chamber.
See attached....
Thanks for the info Paul!
I've heard of the "LVModProvisionSecurityForApplication" API before, yes, and it might be possible to use it here (*really* depends on how it works; if it just reads the app's manifest file like the normal XAP installer does, that's not very useful). LVModAuthenticateFile, LVModRouting, and LVModAuthorize may be extremely useful, though. It also might be helpful to try reverse-engineering how it interacts with the policy database.
The weird thing is, I don't have any htclv.dll or htcpl.dll on my phone, at least not in the \Windows folder. Perhaps they were removed in an older firmware update? It certainly sounds like they would provide the APIs I need - only for HTC phones, true, but they would provide.
The policy.xml file is the standard format read by PolicyLoader.exe, but that doesn't really help unless I can convince PolicyLoader to modify the ploicy database on a running phone.
Elevating an (already installed) driver to TCB might be useful (although I'm not certain that LVMod route-to-chamber rules wouldn't interfere) but all the useful HTC drivers are already in TCB, and installing any more drivers... well, I haven't been able to make that work yet, even old versions of official drivers with the necessary changes to the DllName in the registry.
It's really too bad you can't join in on hacking this stuff though, you've got the right ideas. Do you by any chance have a NoDo restore point you could downgrade to in order to try out some stuff on the old firmware?
Dumped the account database
Turns out the account info is quite straightforward. There are four fields per record.
0) String - the SID ("S-1-5-112-0-0X10-0X00000024").
1) Int32 - 0 for accounts, 1 for groups.
2) Int32 - always 0 on my phone.
3) String - account or group name ("TCB" or "ID_CAP_FILEVIEWER:Capability for hybrid file view app such as PDF reader etc." or "Settings3.exe Chamber" or "9BFACECD-C655-4E5B-B024-1E6C2A7456AC").
Not sure why the third field is there if it's always 0, but OK. The first and last were obvious, and the second was easy to infer. The last record has no fields, and the three immediately before it are without a fourth field; not sure why. All three are groups, and their SIDs are:
S-1-5-112-700-4160
S-1-5-112-700-5132A485-ADEE-5842-9490-856FFFFF2D6D
S-1-5-112-700-A22CF327-25C3-DB2A-A8DF-7BE586F11FBD
This database contained no binary blobs, so the dump file is plain ASCII text (the strings were originally Unicode but converted to ASCII gracefully). In the interest of making it easier to analyze, I ran a quick pass over the dump with sed and produced a CSV, which is attached.
Then, there's the GroupMemberships database. I think this one is probably less important for our concerns, but I wanted to take a look anyhow. It's the simplest so far, though that's not necessarily good. Each record has two fields, and both are just 32-bit ints.
0) Ranges from 0x30000006 to 0x3F0004A6, though the the third through fifth hex digits are always 0. Includes duplicates.
1) Ranges from 0x31000008 to 0x3100007A, then from 0x32000380 to 0x3200038C. Includes duplicates.
The mappings appear to be many-to-many (each account in multiple groups, each group holding multiple accounts) as expected. I'm guessing the first column is accounts and groups, and the second is the groups that the account or group belongs to. Given that some values appear in both columns (through in different records), I'm guessing nesting of groups is allowed.
I dumped and CSV-d this database, and it is attached as well. Ideas as to what's up with it are welcome too.