Database Develop

Possible Tethering Hack?

So after that guy figured out the tethering hack for iOS by just changing a few lines of test, I decided to try to find one for Windows Phone 8. I have no idea how it would get on the phone (besides possibly flashing a new rom?), but I went and looked anyway. I mounted the VHD from the SDK and I think that I found something. If you use something like Visual Studio's Find in Files and search for ICSSVC, you'll find some interesting stuff.
First of all, in Microsoft,Net.NetCore.reg, I found this: puu.sh/3J9yS.png That's how I learned about ICSSVC. So then I searched for that and in Microsoft.Net.NetCore.policy.xml there is a bunch of capability stuff. I have no idea what to do past here, and the emulator doesn't have the Internet Sharing option. So, yeah.

MichaelC97 said:
So after that guy figured out the tethering hack for iOS by just changing a few lines of test, I decided to try to find one for Windows Phone 8. I have no idea how it would get on the phone (besides possibly flashing a new rom?), but I went and looked anyway. I mounted the VHD from the SDK and I think that I found something. If you use something like Visual Studio's Find in Files and search for ICSSVC, you'll find some interesting stuff.
First of all, in Microsoft,Net.NetCore.reg, I found this: puu.sh/3J9yS.png That's how I learned about ICSSVC. So then I searched for that and in Microsoft.Net.NetCore.policy.xml there is a bunch of capability stuff. I have no idea what to do past here, and the emulator doesn't have the Internet Sharing option. So, yeah.
Click to expand...
Click to collapse
Unfortunately, this involves dumping phone ROMs and modifying the policies (We don't know how crazy this process will be). Another set back involves the fact that the bootloaders for WP8 are signed which would require the the ROM to be signed with the correct cert, etc.
Basically, this will be extremely painful due to WP8 running a Windows NT Kernel (WP7 uses Windows CE) and all kinds of other obstacles that we haven't discovered yet.

snickler said:
Unfortunately, this involves dumping phone ROMs and modifying the policies (We don't know how crazy this process will be). Another set back involves the fact that the bootloaders for WP8 are signed which would require the the ROM to be signed with the correct cert, etc.
Basically, this will be extremely painful due to WP8 running a Windows NT Kernel (WP7 uses Windows CE) and all kinds of other obstacles that we haven't discovered yet.
Click to expand...
Click to collapse
Also while I was searching, I found a registry entry for 'DeveloperUnlock'. So when you run the program to dev unlock your phone, the program must modify the registry on the phone. I'm pretty sure that it would be possible to replicate that.

MichaelC97 said:
Also while I was searching, I found a registry entry for 'DeveloperUnlock'. So when you run the program to dev unlock your phone, the program must modify the registry on the phone. I'm pretty sure that it would be possible to replicate that.
Click to expand...
Click to collapse
As of now, we can't execute the native EXEs on the phone so we won't know whether we can replicate that or not. I know with talking with HeathCliff74, modifying the policy on WP7 took quite a long time and effort to figure out. I can almost guarantee the policies on WP8 are implemented completely different from WP7 and even a bigger pain to modify

snickler said:
As of now, we can't execute the native EXEs on the phone so we won't know whether we can replicate that or not. I know with talking with HeathCliff74, modifying the policy on WP7 took quite a long time and effort to figure out. I can almost guarantee the policies on WP8 are implemented completely different from WP7 and even a bigger pain to modify
Click to expand...
Click to collapse
I meant the program on your computer that comes with the SDK. I think that it modifies the phones registry to dev unlock it.

MichaelC97 said:
I meant the program on your computer that comes with the SDK. I think that it modifies the phones registry to dev unlock it.
Click to expand...
Click to collapse
You are correct, it does modify the registry to dev unlock it by connecting to a running service on the phone and executing native DLLs. The main DLL that interacts with the phone within the program's folder is an Win32 compiled .DLL rather than a .NET file which would require some disassembly to get an idea of what's going on. It also doesn't help that it is a signed DLL.

[Q] Idea / Possibility to open Bootloader ...

I've searched a little bit in GDTD's Native Access Web Server and found something interesting...
shouldn't it be possible with the interop unlock / new registry access to disable the secure boot via changing the
"HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled" to "0" (default is "1")
another question: would it be worth to do it or lead to something? (custom ROM Flash for example?)

I believe that registry value reports the state of the system, rather than controlling it; the same value is present on RT and changing it doesn't seem to have any affect.
Good idea, though, and worth exploring.

(Q) Internet Sharing registry settings

Does any one know the registry settings to enable internet sharing?

There's a small collection of them, what isn't working about it on your phone? If it's something like the mobile operator permission check, then yeah, we can bypass that.

GoodDayToDie said:
There's a small collection of them, what isn't working about it on your phone? If it's something like the mobile operator permission check, then yeah, we can bypass that.
Click to expand...
Click to collapse
Really? I missed that. Is that in a thread somewhere?
I have the Samsung Ativ S Neo from Ssprint.
-Tdecision10

There are a number of threads about Internet Sharing and about registry tweaking. The requirement for tethering to be enabled on your account is checked by a mobile operator-specific DLL that is used by ICSSVC (the Internet Connection Sharing SerViCe). There's a registry value that tells the phone what DLL to load, or whether to load any. If you don't tell it to use any, it defaults to assuming you have access.
There are a number of ways to make registry changes on your phone. You can flash a custom CSC (not a full ROM, though if you look for "custom ROM" on the dev&hacking subforum, you'll find stuff about it), or you can edit the registry directly using a hijacked app chamber, or you can interop-unlock (itself requiring a registry edit, so you probably need to use the chamber hack unless you're on an old version of Samsung's firmware) and unblock RPC, then use the RPCComponent.

GoodDayToDie said:
There are a number of threads about Internet Sharing and about registry tweaking. The requirement for tethering to be enabled on your account is checked by a mobile operator-specific DLL that is used by ICSSVC (the Internet Connection Sharing SerViCe). There's a registry value that tells the phone what DLL to load, or whether to load any. If you don't tell it to use any, it defaults to assuming you have access.
There are a number of ways to make registry changes on your phone. You can flash a custom CSC (not a full ROM, though if you look for "custom ROM" on the dev&hacking subforum, you'll find stuff about it), or you can edit the registry directly using a hijacked app chamber, or you can interop-unlock (itself requiring a registry edit, so you probably need to use the chamber hack unless you're on an old version of Samsung's firmware) and unblock RPC, then use the RPCComponent.
Click to expand...
Click to collapse
http://forum.xda-developers.com/showpost.php?p=54929482&postcount=13
http://forum.xda-developers.com/showpost.php?p=54652850&postcount=575
I followed and did everything posted in these but I'm still not sure if there was a solution for s print.
"and unblock RPC, then use the RPCComponent. " I think this is the part I need to be educated on.
-tdecision10

That is one (of several) methods for editing the registry. It can write more places than the other methods, but only works on Strings and Integers (DWORDs) and is only usable on Samsung phones. It requires that your process have ID_CAP_INTEROPSERVICES, which many OEM apps (and some first-party ones, like Skype) have, but which is not normally available to sideloaded apps.
"Unblock RPC" is the term we use for telling a Samsung service that it's in test mode by placing a file named "Non-production errors.txt" in the Documents folder of the phone. This will allow using RPCComponent anywhere in the registry, instead of just in a few specific places. Search for "unblock rpc" to learn more.
RPCComponent is a Samsung-provided native (C++/CX) DLL and WINMD for accessing various privileged functions by means of a high-privilege RPC (Remote Procedure Call) server. It is not publicly available but is bundled in many of Samsung's OEM apps and is available on this forum inside most .XAP files intended for use on Samsung phones (such as my own BootstrapSamsung tool; see the interop-unlock thread). As mentioned above, you need ID_CAP_INTEROPSERVICES for it to be useful.

GoodDayToDie said:
That is one (of several) methods for editing the registry. It can write more places than the other methods, but only works on Strings and Integers (DWORDs) and is only usable on Samsung phones. It requires that your process have ID_CAP_INTEROPSERVICES, which many OEM apps (and some first-party ones, like Skype) have, but which is not normally available to sideloaded apps.
"Unblock RPC" is the term we use for telling a Samsung service that it's in test mode by placing a file named "Non-production errors.txt" in the Documents folder of the phone. This will allow using RPCComponent anywhere in the registry, instead of just in a few specific places. Search for "unblock rpc" to learn more.
RPCComponent is a Samsung-provided native (C++/CX) DLL and WINMD for accessing various privileged functions by means of a high-privilege RPC (Remote Procedure Call) server. It is not publicly available but is bundled in many of Samsung's OEM apps and is available on this forum inside most .XAP files intended for use on Samsung phones (such as my own BootstrapSamsung tool; see the interop-unlock thread). As mentioned above, you need ID_CAP_INTEROPSERVICES for it to be useful.
Click to expand...
Click to collapse
I interop-unlocked (all-capabilities) my phone using methods you've posted. This was earlier in the year sometime.
http://forum.xda-developers.com/showpost.php?p=54929482&postcount=13
I followed this closely but didn't see any finality.
I just added the Non-production errors.txt in the place noted on that relative thread.
Not sure what to do next.
Forgive me if I am being a bother.
-tdecision10

Yeah i'm completely lost. The EnableAllSideloading XAP won't deploy for me (The manifest could not be loaded and may not be valid) so I can't even full unlock, and I have no clue how to go about using the MBN creator. So if you could hold my hand, I'd love it....

okay so I figured out MBN creator (kinda) but I still need to know the proper reg settings to disable the carrier authorization check.... i.e. the setting that points to the carrier specific DLL you mentioned...

EnableAllSideloading doesn't work on WP8.1 because they changed the security on the registry key where it operates. If you can't sideload it, that's because you're not interop-unlocked at all.
MBN Creator should, in theory, not require any particular customization unless your operator requires it; the *default* state of the Internet Sharing feature is "no restrictions, enabled by default". Several people have reported that IS started working after they flashed a custom CSC even though that CSC had nothing to do with IS, just because it removed the carrier-specific customizations that were present (and were blocking IS from working) before.
@tdecision10: If you are or were able to capability-unlock, then you can just sideload any registry editor tool you want and use that. Some of them are better than others, of course. A handful of apps, like WPTelnetD (https://github.com/FurballTheGreat/WPTelnetD/releases), ship with almost no capabilities so that they can be sideloaded on any phone, but you could unpack the XAP and edit the capability list before installing if you want to. A capability that gives access to the relevant registry key is ID_CAP_RUNTIME_CONFIG.

GoodDayToDie said:
EnableAllSideloading doesn't work on WP8.1 because they changed the security on the registry key where it operates. If you can't sideload it, that's because you're not interop-unlocked at all.
MBN Creator should, in theory, not require any particular customization unless your operator requires it; the *default* state of the Internet Sharing feature is "no restrictions, enabled by default". Several people have reported that IS started working after they flashed a custom CSC even though that CSC had nothing to do with IS, just because it removed the carrier-specific customizations that were present (and were blocking IS from working) before.
@tdecision10: If you are or were able to capability-unlock, then you can just sideload any registry editor tool you want and use that. Some of them are better than others, of course. A handful of apps, like WPTelnetD (https://github.com/FurballTheGreat/WPTelnetD/releases), ship with almost no capabilities so that they can be sideloaded on any phone, but you could unpack the XAP and edit the capability list before installing if you want to. A capability that gives access to the relevant registry key is ID_CAP_RUNTIME_CONFIG.
Click to expand...
Click to collapse
Okay, I put Pasquiindustry CustomPFD on my pc unzipped it added that capability in the WPAppManifest. xml file, rezipped it but now it won't deploy.
Did I think it was too simple?
EDIT:
For Spr int, I think I need to figure out how to do this:
TetheringNAIConnection
Optional. Specifies the CDMA TetheringNAI Connection Manager cellular connection that internet sharing will use as a public connection.
If a CDMA mobile operator requires using a Tethering NAI during internet sharing, they must configure a TetheringNAI connection and then specify the connection in this node.
Specified connections will be mapped, by policy, to the internet sharing service. All attempts to enumerate Connection Manager connections for the internet sharing service will return only the mapped connections.
The mapping policy will also include the connections specified in the DedicatedConnections as well.
(This is the error I get)
If the specified connections do not exist, internet sharing will not start because it will not have any cellular connections available to share
Anyone know how to add this to the APN settings?
-tdecision10

well, i reverted to 8.0 and then updated to 8.1 via retail without thinking.... so i got the new firmware and took myself out of the game :crying:
edit: reverted back to 8.0 again and i have the old firmware again. i think using the mbn creator is key. with older versions of windows phone, the APN settings were all built into the rom. now they are provisioned OTA. everytime i change the CSC, the device fails the authorization check with sprints servers and the device doesn't provision itself. what we need is the provxml that contains all of sprints APN settings. I used to have this information in a kitchen for WM 6.5, but sadly, I deleted it a long time ago. i can currently do one thing or another, unlock internet sharing but have no data connection, or, have a data connection with internet sharing locked. i believe that i can make a custom CSC with all the necessary edits but I need to get my hands on the correct sprint provxml first. I've tried and tried to find an old kitchen for Sprint with the correct files in it, but because it's so old most of them are dead download links. I think even a stock RUU for the GOLD_C (Sprint's HTC Arrive) would do. If anyone has this or can track it down I think we'd be in business....
@GoodDayToDie thanks for all the input, it's really helpful. I think that most people have found success by simply changing their CSC because their phones are not CDMA. we've got all these extra restrictions that keep the technology from working automatically
also, i believe that if I could manage to somehow get my MSL unlock code, I could manually program the APN. problem is, CDMA Workshop can't read it, and the free version doesn't let you use the brute force option to find it. Sprint changed their policy in October to under no circumstances giving out the MSL code unless your contract is up. I'm going to continue to keep trying different tech support reps to see if I can get one of them to give it up.
@tdecision10 I'm getting close, but I REALLY need those WM 6.5/7 Sprint OEM packages..... if you know of anyone or come across it browsing it would be immensely helpful!

mtstmp, I have leadpoizon's old rom for HTC Arrive. Let me know if that will work and if so, how to get it to you.
-tdecision10

[Close][Q] How to use CustomPFD: registry editor + tweaks [0.3]

Hello I would like to help to know the required manipulation to modify the registry of my 520 lumia.
There are really interesting thing. If you can explain me it'd be fun.
ps : I understand not too have spoke to develop preview patch in order to have access to the registry but I dry.

Is this what you are searching for?
http://forums.windowscentral.com/windows-phone-8-1/332711-tutorial-customizing-wp.html

[Q&A] [WP8.1] Hypothesis about a possible interop unlock with Messaging+ app

Q&A for [WP8.1] Hypothesis about a possible interop unlock with Messaging+ app
Some developers prefer that questions remain separate from their main development thread to help keep things organized. Placing your question within this thread will increase its chances of being answered by a member of the community or by the developer.
Before posting, please use the forum search and read through the discussion thread for [WP8.1] Hypothesis about a possible interop unlock with Messaging+ app. If you can't find an answer, post it here, being sure to give as much information as possible (firmware version, steps to reproduce, logcat if available) so that you can get help.
Thanks for understanding and for helping to keep XDA neat and tidy!

CAPs required for editing registry
snickler said:
You won't achieve any sort of interop-unlock with such an app. The Messaging+ app uses capabilities specific to chat that are restricted. Just because an app uses the interopservices capability, does not mean that it has rights to write to the specific portion of the registry needed to provide interop-unlock. There are a few threads out there that discuss this already
Click to expand...
Click to collapse
I am curious what CAP is required for editing the registry?

gingerjoke said:
I am curious what CAP is required for editing the registry?
Click to expand...
Click to collapse
You at least need ID_CAP_INTEROPSERVICES or ID_CAP_OEM_DEPLOYMENT at the minimum. There are many threads that detail that interop unlock canNOT be achieved unless we have an RPC Service that runs under the SYSTEM account. The MaxUnsignedApp reg value is locked down so that it can only be edited in the way that I just spoke of.
No app on the marketplace, no modifying a store app will achieve this. We were just VERY lucky with Samsung in the beginning.. That's all.

More generally true: there are lots of CAPs (such as OEM_DEPLOYMENT) that permit editing specific parts of the registry. There is *NO* capability that allows you to edit all of it (in theory ID_CAP_BUILTIN_TCB should, through minor additional work, but in practice that cap doesn't seem to do anything for an app).
ID_CAP_INTEROPSERVICES does not give registry access, or at least not any meaningful amount. All that it gives is the ability to call into RPC servers and drivers. *IF* one of those services exposes an externally-callable API for editing the registry - as one of Samsung's (FCROUTER?) does, or at least did - then you can use that to edit the registry. So in that specific case, INTEROPSERVICES indirectly makes it possible to edit the registry, but it doesn't inherently do anything of the sort.

GoodDayToDie said:
More generally true: there are lots of CAPs (such as OEM_DEPLOYMENT) that permit editing specific parts of the registry. There is *NO* capability that allows you to edit all of it (in theory ID_CAP_BUILTIN_TCB should, through minor additional work, but in practice that cap doesn't seem to do anything for an app).
ID_CAP_INTEROPSERVICES does not give registry access, or at least not any meaningful amount. All that it gives is the ability to call into RPC servers and drivers. *IF* one of those services exposes an externally-callable API for editing the registry - as one of Samsung's (FCROUTER?) does, or at least did - then you can use that to edit the registry. So in that specific case, INTEROPSERVICES indirectly makes it possible to edit the registry, but it doesn't inherently do anything of the sort.
Click to expand...
Click to collapse
Finally found RPC service in NdtkSvc.dll
But requires InteropServices Capability
Here is list of functions works as "SYSTEM".
CopyFileEx()
NdrServerCall2()
CreateThreadpoolWait()
SetThreadpoolWait()
CloseThreadpoolWait()
SetEvent()
SetServiceStatus()
CreateEventW()
RegisterServiceCtrlHandlerW()
CloseHandle()
OpenProcessToken()
FindFirstFileW()
CopyFileExW()
GetCurrentProcess()
CreateDirectoryW()
RegCreateKeyExW()
RegQueryValueExW()
IsCharAlphaNumericW()
LookupPrivilegeValueW()
FindClose()
RemoveDirectoryW()
RegOpenKeyExW()
FindNextFileW()
AdjustTokenPrivileges()
InitiateSystemShutdownExW()
DeleteFileW()
RegCloseKey()
RegSetValueExW()
RpcServerUnregisterIfEx()
RpcServerInqBindings()
RpcEpRegisterW()
RpcServerUseProtseqW()
RpcBindingVectorFree()
RpcServerRegisterIf3()
RpcEpUnregister()
ResetPhoneEx()
EncodePointer()
DecodePointer()
QueryPerformanceCounter()
GetCurrentThreadId()
GetSystemTimeAsFileTime()
GetTickCount64()
But I'm confused about how to write a code for as RPC Client or using any DllImport functionality. ?
Can someone provide me at least demo/example code of RPC client ?

... Whoa, that is a seriously valuable list of APIs. Those are callable as SYSTEM, without any restrictions except the caller needing ID_CAP_INTEROPSERVICES? Either I've been out of the loop longer than I thought or this should have been discovered long ago (is it new to some not-yet-widely-available version?) You cannot *trivially* get root this way - it doesn't, for example, include the APIs you would need to inject arbitrary code into a SYSTEM process or similar - but you can certainly do things like write an arbitrarily powerful file-and-registry browser. With that, you can do a hell of a lot of other stuff, stuff that even Samsung's RPCComponent didn't permit.
MS RPC is documented on MSDN here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378651(v=vs.85).aspx
It includes a full API reference, lots of guidance on development, and a tutorial. The tutorial looks pretty well-written, and is probably a better place to start than the API reference unless you know more about RPC at the moment than I do.
However, this documentation is aimed at "normal" implementations, where the client has, if not the server's source code, at least the interface definition. You have to know the UUID (probably easily findable though I'm not sure where) and the function interfaces (in a reasonable level of detail). Black-boxing that is going to be one of the harder tricks, I think, though somebody may have written one or more tools to make it easier.
EDIT: I can't find NdtkSvc, or its binary, on my phone. It's either OEM-specific or (more likely) requires a particular OS update/upgrade. What version did you find it in?
EDIT2: How'd you get the list of APIs it serves? Do you have the IDL file for the RPC server? That would help a ton; if you have that, we're good to go.
EDIT3: Don't forget you can PM people if you don't want to put this stuff out in public.

@GoodDayToDie
Hi, Sorry for the late reply.
It is only specific for Lumia.
NdtkSvc.dll known as "Nokia Device Toolkit Service".
"C:\Windows\System32\NdtkSvc.dll"
Yes, ID_CAP_INTEROPSERVICES cap is everything here too on Lumia.
Here is a one of the example which same "Nokia.SilentInstaller.Runtime" does that on RPC Access,
Code:
static bool NRSCopyFile(String sourcePath, String destPath);
works without any "RESTRICTIONS", with any "PARTITION".
Even possibilities to "REPLACE" the hidden/non-accessible Registry "HIVE" Files.
Such as,
"C:\Windows\System32\Config\ProvisonStore"
But unfortunately they are all in simply zip file having a signed.
We can't modify and place back them such HIVE/POLICY files, sad
So what i did it so far,
-Modified "DeviceReg.exe" with hex-editor and replaced to "C:\PROGRAMS\DEVICEREG\DeviceReg.exe". (signature getting a braked)
-Replaced "PolicyFiles". (signature getting a braked)
It's frustrating to me, It's shame for me that i cant do anything having a full FS Access, lol.
Such files and System binaries are fully signed with the new 8.1 "Policy Engine".
but i think .dll files doesn't required to be signed to run in System chamber.
Well, Time to write a some RPC library
Thanks.
Edit: I don't know about which update is required, I think it is from WP8.0 GDR1. At least WP8.1 GDR1 or above.
but the "NdtkClient.dll" is available since WP8.0 GDR1 in "Extras+Info" App.