Related
Hi,
Setting up my SBS2003 for push mail on my Qtek 9100.
I have been following the Microsoft setup white papers.
(Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 )
Trouble is the certificates seem to be causing the problem.
I copy across the only one found in my server clientsapps/sbscert directory ,( its called SBSCert.) to my qtek and it wont run.
It says cannot access certificate.
I tried loading the spaddcert file then adding the certificate and it says not a valid certificate.
CAn someone help me on this?
thanks,
Dave.
Hi,
Check out http://www.msexchange.org for MS Exchange information.
They have lots of information of MS Exchange server stuff. This site is mainly for the XDA/MDA related stuff.
-Tim
I'm going to assume you've already created a certificate (easiest way is through the Connect to Internet Wizard)
On your SBS server run mmc from the Run line. Then go to File - Add/Remove Snapi-n. Click Add and add the Certificates snap-in.
Then open the Certificate snap-in. Drill down to Trusted Root Certification Authorities\Certificates and locate the certificate that you created. Right click , All Tasks, Export. Export to der encoded binary (the first one). Now copy that file to your device, execute and all should be well!
Hope that helps.
thanks but i'm not sure now what I'm looking for.
Anybody who has it working can you provide me with some help.
You need to export the certificate you created and then install it on your device.
To export:
Open internet explorer and then click,
Tools - internet options - content - certificates - trusted root certificates
locate the one you created, highlight it and then click export.
Follow through the instructions, and export it to a location where you can find it.
After you've exported it copy the exported cert' to your device.
Finally on your device navigate to the certificate and click on it.
Well it seems to be working at the moment.
Dr Puttingham has been a great help.
Just trying to sort it out so that I can turn SSL back on but other than that its working just fine.
Introducing the SslChainSaver
Here's a GREAT lil util I found that makes this all just a little easier!
http://blogs.msdn.com/windowsmobile/archive/2006/08/11/sslchainsaver.aspx
I ran into this as I'm writing a cab will install my self gererated cert from my customized Extended ROM along with my many registry tweaks, etc and discovered that it's not that easy!
I am having a similar problem. My work's certificate is issued internally. I used Sslchainsaver to get the root.cr file and installed it on my T-Mobile MDA (on Cingular network). When it attemps to syncronize I get the following error:
You have an incorrect SSL certificate common name in the Host Name field. For example, you may have entered www.tailspintoys when the common name on the certificate is actually www.wingtiptoys.com. Make sure the server name is entered correctly.
Support Code: 0x80072F06
Any help would be really appreciated since I have been trying to get this to work for quite sometime now.
Thanks
@azaouk - my rule of thumb has always been to name this with the Fully Qualified Name (FQN) of my mx record. For instance say my domain is www.whyeatme.com. I would typically create a "A" record for "mail.whyeatme.com" or such. Then I create my self gernerated certificate with that same name. It's telling you what it's complaint is ...
Dr Puttingham said:
I'm going to assume you've already created a certificate (easiest way is through the Connect to Internet Wizard)
Click to expand...
Click to collapse
Hi all !
So... how about assuming I didn't create the user certificate yet...
The thing is, I already had to do that for one user, worked fine, created a user.cer file, and already have a mobile.cer file, if I put them both on a windows mobile device, mails arrive from the exchange server.
Now I have to do this again, but I don't remember how I did it and however I did this all alone last time, it seems I'm unable to retreive that path again...
So, I'm not sure we are talking about the same method here, I do this very very simple, but I'm sure someone here can tell me how I just get that cer file for a specific user.
Thanks in advance !!
Michel
Hello Everyone,
I recently bought an EEE PC as a second computer and seeing as it's about the most easily lost or stolen laptop ever made, I thought it might be an idea to run some software on it that might help me recover it should it ever go missing.
After trying a few existing bits of software and not finding any satisfactory, I resorted to writing my own.
Since it seemed useful to me, I thought I'd make it available to anyone interested. It's a very early version at the moment and very basic, but I don't think there are too many bugs (famous last words!! ).
I thought I would post a message here as I use this forum quite a lot, and I know a lot of people here won't have a problem with editing the config file to set it up, I've tried to make things as simple as possible. However, if you don't know the difference between POP3 and SMTP mail servers, this app is probably not for you!!
If people are interested, I'll continue to develop it further. A few ideas are listed on my website.
Visit www.ajhonline.co.uk for download links and help.
Alex
this isn't hard to circumvent.
Nice app, but wouldn't they probably wipe the HDD?
How would it compare to Lojack's (utilizes Computrace) service? Some laptops have the Computrace service embedded in the bios. I currently use a Dell D410 and Panasonic CF-19, and they both have Computrace built into the bios. If someone formats my hard drive, or installs another harddrive, the bios will rebuild the neccessary files, run in the the background and start reporting the IP address back to Lojack.
Yes, of course the hard drive could be wiped, or it could never be connected to the internet. It is also easy to circumvent, although if I do develop it further, it would be fairly straight forward to make it less obvious and better hidden. This is only a very first version, to gauge interest more than anything,
It's not meant to be 100% foolproof, that probably isn't possible anyway. The advantage is it's free. I really developed it because I couldn't get Adeona to work (it just kept failing to connect to its server), not to compete with commercial solutions.
Hmmm, you know how I said I didn't think there were any bugs....
I just found that the Windows version was not saving the detected IP addresses correctly, so it would email you a "new" IP address message every time the computer was rebooted.
However the problem is now fixed, and a new version 0.1a available for download. The cross platform version wouldn't have been affected, but there's a new version of that too, just for completeness.
Sorry
Alex
I've now made some additions and released a new version which includes the changes below:
Added a separate configuration application to simplify initial setup
Added the ability to encrypt the mail server password for better security
Added a link to DNSTools to the IP Detected email for easy lookup of the WHOIS records for the IP Address
As before, visit www.ajhonline.co.uk and download version 0.2 from there.
Alex
PS - If you are using the Windows version and doing an upgrade from a previous version, make sure you keep a copy of your existing fyl.properties file, otherwise it will be overwritten during the install and any existing known IP addresses will be lost.
huff,.
i wish i have seen this before i lost my friend laptop,.
great help sir,. keep up,.
Version 0.22 is now available for download from www.ajhonline.co.uk.
It's only a small update; you are now able to specify a range of IP addresses as already known so that you don't get an email when one of those is detected.
Alex
First of all: Hello world
I am a new and proud owner of the Nexus One Everything is just fine BUT one thing. Maybe we can sort that out..
My college uses WPA Enterprise 802.1X (TTLS+PAP) with a root certificate. Thats not the problem Android 2.1 supports it
I am able to connect, Nimbuzz and Opera Mini work, BUT none of the standard apps (Browser, Mail, News, Weather...)
I know I have to use a HTTP proxy, and I kinda think the standard apps are too dumb to do so ... (Thank you google: Issue 1273)
Is there any way to get atleast the Mail to work? I dont really get why Nimbuzz works, but shouldnt something like K9-Mail work too?
I was so worried that WPA Enterprise might not work that I totally forgot about the proxy
My Nexus one is not rooted!
Thanks in advance
Breece
Ps.: And I really dont get why the cellphone doesnt simply use the Mobile connection if WiFi doesnt work -_- That would be atleast somewhat acceptable...
How did you manage to install a root certificate on the Nexus? Apparently it just supports .p12 files, not .cer.
In the case I just have the public key, there is no way to create a .p12 file out of it. I'm lost here.
Our wireless here at work doesn't require a certificate as far as I can tell, but my N1 (2.1 or 2.2) won't ever connect to it, shows it as WEP
In Linux, I have wpa_supplicant set as:
eap=TTLS
phase2="auth=PAP"
But it just doesn't work
henriquesp said:
How did you manage to install a root certificate on the Nexus? Apparently it just supports .p12 files, not .cer
Click to expand...
Click to collapse
You can use openSSL to convert between certificate formats, if you're on windows I believe easySSL (ezSSL?) which comes with openVPN is an easy way to obtain a binary version.
Same issue here, how to get cert?
My company wifi is
eap=TTLS
phase2="auth=PAP"
and requires certificates to install. I've been googling the last 5 days and still haven't found an answer yet. Any one know how to convert .cer to .p12 for androids?
how did u instal the root cert?
Have a look here for troubleshooting: searchnetworking.techtarget.com.au/articles/41635-How-to-fix-Android-Wi-Fi-problems
It should be possible to install certificates under Settings/Security and Location(dunno the exakt term,it's all in German on my phone), if it's on your SD Card.
If however it fails, try realmb.com/droidCert
I think it's pretty much the same thing though.
//edit: somehow, it's something different...I couldn't really figure out what this is all about, 'gonna read more stuff next couple of weeks...
If you got another format, you can use this website sslshopper.com/ssl-converter.html to convert your certificate. Or just google OpenSSL convert ...something like that.
I haven't tested it, so I can't say if it works in the end, but I might find out on Thursday...Or next semester because that's gonna be the last day for the next 10 weeks I'm gonna be at uni
Try the http/s thing out yourself, I can't post links, because I'm a new user-.-
AndyBurns said:
You can use openSSL to convert between certificate formats, if you're on windows I believe easySSL (ezSSL?) which comes with openVPN is an easy way to obtain a binary version.
Click to expand...
Click to collapse
Have you tried to use any of these tools for that?
It is indeed possible to encapsulate a public + private key within a .p12 (PKCS#12) format, but if you try to create a .p12 file out of a public only key (.cer file), it will keep asking you for the private key.
So, I have no clue on what to do next. Which private key should I use?? I don't have the private key, since it is another party certificate!! So asking for a private key in this case doesn't make sense at all.
AFAIK, PKCS#12 format is to encapsulate public + private keys only, and cannot hold a public only file. Or is this assumption wrong?
CyanogenMod supports WiFi proxy. It is one global setting (not per SSID).
Ok, so lets get cracking on this bootloader.
boot.img and recovery.img certs (thanks to ntwrkwizard):
http://ponack.net/designgears/atrix/mmcblk0p10 - cert extract.zip
http://ponack.net/designgears/atrix/mmcblk0p11 - cert extract.zip
Flaw in the X.509 certs:
http://www.darkreading.com/security/vulnerabilities/218900008/index.html
Boot.img & Recovery.img
http://www.ponack.net/designgears/dump.7z
DG, afaik, that exploit deals with the md2 hash algorithm. it is a good possible starting point. has the signing cert been found/recovered/viewed yet?
if moto signed it with an md5 hash cert, then that may not be possible.
Well if you guys need any processing power to help crack anything let me know. I am willing to donate my system. Current specs:
i7-970 six core 4.8ghz overclocked
4 gtx580 gpus
24gb ddr3 2000
HSDL 240gb ssd
Like I said, if you guys need any processing power let me know.
Sent from my "5 inch Galaxy Tab"
Atrix here on the 22nd
dtmcnamara said:
Well if you guys need any processing power to help crack anything let me know. I am willing to donate my system. Current specs:
i7-970 six core 4.8ghz overclocked
4 gtx580 gpus
24gb ddr3 2000
HSDL 240gb ssd
Like I said, if you guys need any processing power let me know.
Sent from my "5 inch Galaxy Tab"
Atrix here on the 22nd
Click to expand...
Click to collapse
Please don't post here. This is a dev only thread. Post your offer in General.
Thanks!
These downloads look like just CA certs. Could someone extract the x.509 cert embedded in the beginning of the boot.img and post it to this thread? I'm out and about this weekend and don't have a box with a hex editor handy.
perdurabo2 said:
These downloads look like just CA certs. Could someone extract the x.509 cert embedded in the beginning of the boot.img and post it to this thread? I'm out and about this weekend and don't have a box with a hex editor handy.
Click to expand...
Click to collapse
If you could tell me how to do that I will be more than happy to get those for you. I'm the go to guy, remember?
Here is the extracted cert from within mmcblk0p10.img. This hex dump is extracted from 7FF7FC through 7FFDF9.
Also is the extracted cert from within mmcblk0p11.img. This hex dump is extracted from 7FF7FC through 7FFE79.
Not sure the value of an extracted public side of the x.509 is post signature but I'm sure someone will define that.
Good luck..
NW
back on topic please.
Mr. Clown said:
back on topic please.
Click to expand...
Click to collapse
Who are you talking to? The cert conversation is applicable.
Hi friend,
is the bootloader encrypten the same as defy or milestone?
Or a new one?
Maybe we could get all a free bootloader if this would work?
Or other technical?
Thanks
perdurabo2 said:
Who are you talking to? The cert conversation is applicable.
Click to expand...
Click to collapse
He deleted some unnecessary posts which were getting off topic. That's all.
The structure of an X.509 v3 digital certificate is as follows:
Certificate
Version
Serial Number
Algorithm ID
Issuer
Validity
Not Before
Not After
Subject
Subject Public Key Info
Public Key Algorithm
Subject Public Key
Issuer Unique Identifier (optional)
Subject Unique Identifier (optional)
Extensions (optional)
...
Certificate Signature Algorithm
Certificate Signature
Click to expand...
Click to collapse
The extensions they come in are:
pem - (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
.cer, .crt, .der - usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
.p7b, .p7c - PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
.p12 - PKCS#12, may contain certificate(s) (public) and private keys (password protected)
.pfx - PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
PKCS#7 is a standard for signing or encrypting (officially called "enveloping") data. Since the certificate is needed to verify signed data, it is possible to include them in the SignedData structure. A .P7C file is a degenerated SignedData structure, without any data to sign.
PKCS#12 evolved from the personal information exchange (PFX) standard and is used to exchange public and private objects in a single file.
Click to expand...
Click to collapse
Flaws in the X509 Certificate:
Specification: Complexity and lack of quality
The X.509 standard was primarily designed to support the X.500 structure, but todays use cases center around the web. Many features are of little or no relevance today. The X.509 specification suffers from being over-functional and underspecified and the normative information is spread across many documents from different standardization bodies. Several profiles were developed to solve this, but these introduce interoperability issues and did not fix the problem.
Architectural flaws
Use of blacklisting invalid certificates (using CRLs and OCSP) instead of whitelisting
CRLs are particularly poor because of size and distribution patterns
Ambiguous OCSP semantics and lack of historical revocation status
Revocation of root certificates not addressed
Aggregation problem: Identity claim (authenticate with an identifier), attribute claim (submit a bag of vetted attributes) and policy claim are combined in a single container. This raises privacy, policy mapping and maintenance issues.
Delegation problem: CAs cannot technically restrict subCAs to issue only certificates within a limited namespaces and attribute set – this feature of X.509 in not in use. Therefore a large number of CAs exists in the Internet, and classifying them and their policies is an insurmountable task. Delegation of authority within an organization cannot be handled at all, like it is common business practice.
Federation problem: Certificate chains that are the result of sub-CAs, bridge- and cross-signing make validation complex and expensive in terms of processing time. Path validation semantics may be ambiguous. Hierarchy with 3rd-party trusted party is the only model. This is inconvenient when a bilateral trust relationship is already in place.
Problems of Commercial Certificate Authorities
Flawed business model: The subject, not the relying party, purchases certificates. The RA will usually go for the cheapest offer; quality is not being paid for in the competing market.
CAs deny almost all warranties to the user.
Expiration date: Should be used to limit the time the key strength is deemed sufficient. Abused by CAs to charge the client an extension fee. Places unnecessary burden on user with key roll-over.
Client certificates have zero protection value against dedicated attackers.
In browsers, the security is that of the weakest CA. There are very weak CAs.
“Users use an undefined certification request protocol to obtain a certificate which is published in an unclear location in a nonexistent directory with no real means to revoke it.“
Implementation issues
Implementation suffer from design flaws, bugs, different interpretations of standards and lack of interoperability of different standards. Some problems are:
Many implementations turn off revocation check:
Seen as obstacle, policies are not enforced
Would it be turned on in all browsers by default, including code signing, it would probably crash the infrastructure.
DNs are complex and little understood (lack of cononicalization, i18n problems, ..)
rfc822Name has 2 notations
Name and policy constraints hardly supported
Key usage ignored, first certificate in a list being used
Enforcement of custom OIDs is difficult
Attributes should not be made critical because it makes clients crash.
Unspecified length of attributes lead to product-specific limits
Exploits
In 2005, Arjen Lenstra and Benne de Weger demonstrated "how to use hash collisions to construct two X.509 certificates that contain identical signatures and that differ only in the public keys", achieved using a collision attack on the MD5 hash function.
In 2008, Alexander Sotirov and Marc Stevens presented at the Chaos Communication Congress a practical attack that allowed them to create a rogue Certificate Authority, accepted by all common browsers, by exploiting the fact that RapidSSL was still issuing X.509 certificates based on MD5.
X.509 certificates based on SHA-1 had been deemed to be secure up until very recent times. In April 2009 at the Eurocrypt Conference , Australian Researchers of Macquarie University presented "Automatic Differential Path Searching for SHA-1" . The researchers were able to deduce a method which increases the likelihood of a collision by several orders of magnitude.
Domain-validated certificates („Junk certificates“) are still trusted by web browsers, and can be obtained with little effort from commercial CAs.
EV-certificates are of very limited help, because Browsers do not have policies that disallow DV-certificates,
There are implementation errors with X.509 that allow e.g. falsified subject names using null-terminated strings or code injections attacks in certificates.
Click to expand...
Click to collapse
From the sound of it, the X.509 cerificate the Atrix uses will be in .p12 format, although I could be wrong.
Example of a Decoded X509 cert: http://pastie.org/1590676
Great post, this is def a way to go and explore , i have been messsing with NVIDIAFlash all day so far.. i think if i can get a bootstrap or something on here so that i can mount and add some files to system folder with phone off i may be on to something ..
t0dbld said:
Great post, this is def a way to go and explore , i have been messsing with NVIDIAFlash all day so far.. i think if i can get a bootstrap or something on here so that i can mount and add some files to system folder with phone off i may be on to something ..
Click to expand...
Click to collapse
Adding things to the system folder means nothing, the system partition is only check when a new system is flashed via (sbf_flash, rsdlite, or flashing a CG via an update.zip) otherwise you can add/remove items from the /system partition with no worries of the signatures.
I've got a question. Since we are dealing with a closed system. Can we not validate -enddate of the signed boot image. Make note of the exact date and time. Then change the system clock to less than 24 hrs. after this date. This will allow the entire system to think that the bootloader and cert have done their job and simply needs updated. Now we simply need to insert new boot.img that has a valid -startdate within that 24 hr period. The system should simply stop using the expired image and boot the "updated image". Once this generic image is booted, it can simply be swapped out with any further custom roms that we feel the need to use. Once all is done, the system clock will need to be restored to appropriate time. If I knew how to code, I would simply try this myself. But I don't, so I hope this might at least provide some insight to the possibility. I would love to work with developers on finding a solution to this problem, so feel free to ask questions.
jimmydafish said:
Adding things to the system folder means nothing, the system partition is only check when a new system is flashed via (sbf_flash, rsdlite, or flashing a CG via an update.zip) otherwise you can add/remove items from the /system partition with no worries of the signatures.
Click to expand...
Click to collapse
I 100% agree i didnt say that was the end all.... the reason for doing this is so that the computer recoginizes the device in NVIDIAFlash mode and i than can hopefully overwrite the bootloader with the dev version of bootloader.bin
t0dbld said:
I 100% agree i didnt say that was the end all.... the reason for doing this is so that the computer recoginizes the device in NVIDIAFlash mode and i than can hopefully overwrite the bootloader with the dev version of bootloader.bin
Click to expand...
Click to collapse
That will not work, the bootloader is just one piece of a longer chain..changing that out "will" just have the phone reboot and use the backup bootloader. The problem to cracking it lies in all parts. Especially the NvRam where it begins and the MBR.
jimmydafish said:
That will not work, the bootloader is just one piece of a longer chain..changing that out "will" just have the phone reboot and use the backup bootloader. The problem to cracking it lies in all parts. Especially the NvRam where it begins and the MBR.
Click to expand...
Click to collapse
I very much respect all of the work you and your team has put into this situation with other devices, and i very much appreciate the help given by you guys to this forum, and no one including myself wants to waste time, so that being said i have not seen any ideas contributed ... only negative posts on what isnt going to work, i agree that you guys know more than me on this situation perhaps if you could share some of your ideas or the approach or direction you are going i and others could be of some help. We our fresh and not quite so beat up , its like when debuging a program thats driving you nuts and you cant figure out whats going wrong , sometimes a break, sleep, etc is in order so that when you come back your whole train of thought has been altered and you see something differently because you were not looking there before.
I follow instructions well, so lead... i am willing to donate my time my resources, and more than likely my device (at least for the next 29 days )
t0dbld said:
I very much respect all of the work you and your team has put into this situation with other devices, and i very much appreciate the help given by you guys to this forum, and no one including myself wants to waste time, so that being said i have not seen any ideas contributed ... only negative posts on what isnt going to work, i agree that you guys know more than me on this situation perhaps if you could share some of your ideas or the approach or direction you are going i and others could be of some help. We our fresh and not quite so beat up , its like when debuging a program thats driving you nuts and you cant figure out whats going wrong , sometimes a break, sleep, etc is in order so that when you come back your whole train of thought has been altered and you see something differently because you were not looking there before.
I follow instructions well, so lead... i am willing to donate my time my resources, and more than likely my device (at least for the next 29 days )
Click to expand...
Click to collapse
I am not being negative just helping you all steer clear of dead ends. We are looking over some files now and may have some useful tidbits soon. I think we can tell the boot chain from start to finish.
Great!! thanks for the update... on a side note esp in loom of this whole ps3 thing i hope motorola uses the same signing keys for all devices, so that if our day ever comes its x-mas for all
After enrolling my Lumia 920 to the corporate Exchange email, new MDM (mobile device management) policies are applied to my phone. It's OK but company administrator(s) set the unlock password (pin) expiration time too short. Every damn month I should choose and remember a new pin... And I can not use the old pins (or I don't know what is the time for "clearing" my old passwords).
Do you know/could you suggest any tricks/hacks to get around this situation? I want to reuse my old pins.
Hey Dude,
I don't think that you can do anything. And this is not the correct thread for such questions.
In the MS World the recommended value for reusing old passwords is 24 so after 2 years
(if 4 weeks was choosen) you can use the first one again.
Why do you think it's an incorrect forum? This forum is about "hacking", and I need a hack. It's definitely not a "Q&A" or "General" forums question...
Hmmm this WOULD fall under the Q&A because it is technically asking a how-to although it involves hacking. Typically the threads under the Development and Hacking are threads that start projects with the hopes of hacking instead of asking how to. With that said, I'll move that over there for now and if there is some development that comes out of this, it can be renamed and moved back to Development and Hacking.
If you have a registry editor, it's pretty easy to tweak those settings. Unfortunately, you're on a Lumia so right now that's not possible (we're working on it!)
The only other option I can think of right now is to try intercepting the communication between the phone and the corporate server. Exchange ActiveSync uses HTTPS, so any standard HTTPS proxy (like Fiddler or Burp Suite) should work. You may need to set the proxy to use a client certificate (if one was provided for your phone), and you definitely need to install the proxy's certificate on the phone (so the phone trusts it to spoof the corporate server). Anyhow, once you have interception set up, it should be pretty easy to modify the policy rules that get pushed down.
In either case, though, the changes will only last until the next time the phone checks its policy rules. I don't know how often that happens - it *might* even be only at initial enrollment, in which case if you un-enroll and then re-enroll you should be fine - but it could be a problem.
GoodDayToDie, thanks for reply. Could you remind me: is it possible to just read values from registry on the Lumia handsets? At least I want to know value of the DevicePasswordHistory settings (according to this article).
[UPDATE] I installed Fiddler's root certificate on the phone, and able to catch & decode https traffic; however there is nothing about provisioning xml in the content, account synchronization produces 3 https requests, first response is a short binary data, second contains an email body (or header) etc. , no xml at all. Looks like MDM policies are applied only on service discovery (I should google for that). Will try to remove this Exchange account and add it again. By the way, I'm not very familiar with the Fiddler: can I change https XML response on the fly?