New hack? - Windows Phone 8 Q&A, Help & Troubleshooting

Guys, I found something interesting on the net. Looks like some kind of new hack. Any ideas what it is?
https://twitter.com/HD2Owner/status/635914603139084290

yes.

-W_O_L_F- said:
Guys, I found something interesting on the net. Looks like some kind of new hack. Any ideas what it is?
https://twitter.com/HD2Owner/status/635914603139084290
Seems it is an application deployer.
I don't know if it is a signed package installer or an unsigned one, because installing signed packages is really easy.
But if he did it for unsigned packages it can be good, because it can decrease the number of PC deployer errors.

Wow, it can read reg remotely and maybe it can edit it remotely.

This is Telnet
http://forum.xda-developers.com/windows-phone-8/development/xda-devs-wp-telnet-daemon-app-t2979988

titi66200 said:
This is Telnet
http://forum.xda-developers.com/windows-phone-8/development/xda-devs-wp-telnet-daemon-app-t2979988
Indeed that appears to be a screenshot of my TelnetD. Looks rather like it's running with super-user privileges however!

Related

Extended ROM - Some CABs don't Execute

I'm trying to customize a few Extended ROMs here and I'm running into some stubborn CABs. When installed manually, everything works fine. No warnings, no errors. Just click the CAB, let it do its thing, then click OK.
Put these same ROMs into an Extended ROM and hilarity ensues. Some will work, others will not and I don't know why. Any suggestions on what I might be missing will be greatly appreciated.
Quick question?
Are the CABs signed? If not, are you installing the 'signed' unsign CAB 1st?
Edit: Thinking more about this (and realising that the 1st thing you do is disable signing in your ROMs) can you provide a little more info about the CABs (maybe an offending CAB if the content is not private?).
I managed to replicate this issue with a CAB that had a warm reset as part of its install process (seems to bork the autoexec batch process) and I have had a similar issue with a CAB that just contained some simple OMA in the _setup.xml.
John
yes, that's the point. But how to make any Unsigned CABs become Signed?
huangyz said:
yes, that's the point. But how to make any Unsigned CABs become Signed?
Without wanting to sound facetious, you sign them ;-)
You would use a private key to generate an Authenticode signature for the CAB (and maybe the apps inside if you need to); however you would still need to install the ROOT certificate into the code stores on your device. Or get your app signed by a 3rd party with a certificate that has its ROOT already on the device (MS's MobileToMarket and things like that take care of this for ISVs that need it).
Once you have the ROOT cert on the device in the correct store, signing is trivial: you either use SignTool.exe from many of the MS SDKs or just use the GUI options if Visual Studio is your poison. All you need is an export of the PKF (Private key) and the password to the certificate.
In enterprises one of the 1st things people often do before giving Windows Mobile devices out to users is to install a ROOT certificate for the enterprise onto the device in both the code and transmission stores. This means from then on you can sign in-house apps and CABs and they behave as signed commercial apps, and you can use features like internal signed SSL for ActiveSync etc. etc.
Don't forget you can also do away with a lot of this by installing the HTC signed "Disable Certificates" CAB 1st; then the signatures are not checked on subsequent CABs, EXEs or anything code related for that matter.
djwillis said:
huangyz said:
yes, that's the point. But how to make any Unsigned CABs become Signed?
Without wanting to sound facetious, you sign them ;-)
You would use a private key to generate an Authenticode signature for the CAB (and maybe the apps inside if you need to); however you would still need to install the ROOT certificate into the code stores on your device. Or get your app signed by a 3rd party with a certificate that has its ROOT already on the device (MS's MobileToMarket and things like that take care of this for ISVs that need it).
Once you have the ROOT cert on the device in the correct store, signing is trivial: you either use SignTool.exe from many of the MS SDKs or just use the GUI options if Visual Studio is your poison. All you need is an export of the PKF (Private key) and the password to the certificate.
In enterprises one of the 1st things people often do before giving Windows Mobile devices out to users is to install a ROOT certificate for the enterprise onto the device in both the code and transmission stores. This means from then on you can sign in-house apps and CABs and they behave as signed commercial apps, and you can use features like internal signed SSL for ActiveSync etc. etc.
Don't forget you can also do away with a lot of this by installing the HTC signed "Disable Certificates" CAB 1st; then the signatures are not checked on subsequent CABs, EXEs or anything code related for that matter.
I am NOT a software developer, so most of your opinions sound enigmatic to me except the last one: put the HTC signed "Disable Cert" in the 1st place of the ext-rom config.txt.
Thanks very much! I'll try later on.
gamescan said:
I'm trying to customize a few Extended ROMs here and I'm running into some stubborn CABs. When installed manually, everything works fine. No warnings, no errors. Just click the CAB, let it do its thing, then click OK.
Put these same ROMs into an Extended ROM and hilarity ensues. Some will work, others will not and I don't know why. Any suggestions on what I might be missing will be greatly appreciated.
Most probably you forgot to set some CAB file to read-only before saving the extended ROM. Check the CABs' attributes and the config.txt file while inside the program that you are using to edit the extended ROM. It's not because they are not signed, as long as you have the cert .cab set to be the first to be installed. Also CAB files that require user input will not work. This is from experience, as posted above.
huangyz said:
I am NOT a software developer, so most of your opinions sound enigmatic to me except the last one: put the HTC signed "Disable Cert" in the 1st place of the ext-rom config.txt.
Thanks very much! I'll try later on.
So, where did you find the signed Disable_Cert.cab?
faria said:
Most probably you forgot to set some CAB file to read-only before saving the extended ROM. Check the CABs' attributes and the config.txt file while inside the program that you are using to edit the extended ROM. It's not because they are not signed, as long as you have the cert .cab set to be the first to be installed. Also CAB files that require user input will not work. This is from experience, as posted above.
Sorry to ping an old thread - flogging to proceed immediately after...
Being that this is a Windows device, isn't there a flag that can be passed when executing the CAB, like you can on a Windows installer application? Similar to setup.exe -q or whatever you're trying to do. Some flags set the answers to yes, admin mode... you get the picture. Does the CAB installer engine allow similar flags to be passed with the CAB execution command?
In PPC, it calls wceload.exe to install and uninstall a CAB.
As shown in http://msdn2.microsoft.com/en-us/library/ms926281.aspx , the only possible argument is to ask or not ask for the destination, but there is no quiet mode.
How to call wceload.exe manually at ExtROM installation may be a question.

Mount ExtROM for Writing without SuperCID

Hi, can someone here send me the OEM_FLASHDRV.dll file from their Trinity so I can patch it to do what's stated in the topic title, cheers.
Patcher complete; download here.
File now signed, redownload
manual DLL included now
If you tell me how I'll gladly do it. I get access denied when I try to copy it via Vista Explorer.
ZakMcRofl said:
If you tell me how I'll gladly do it. I get access denied when I try to copy it via Vista Explorer.
get it from a ROM dump of an OS image on your computer, not from the PDA
Olipro said:
get it from a ROM dump of an OS image on your computer, not from the PDA
There it is....
It is from RUU_Trinity_DOPODASIA_WWE_1.23.707.6_6275_1.35.00.11_108_Ship.exe
ok, it's done, enjoy
Thanks. Although being the noob that I am right now I don't exactly know how this will help me
I saved a copy in case I need to edit the ExtROM someday.
Sorry, I can't find any change after the patch. Please help, I really want to put some software in the ext_rom.
eddietse said:
Sorry, I can't find any change after the patch. Please help, I really want to put some software in the ext_rom.
you still have to unhide the ExtROM manually, and sadly, I haven't quite worked out certificate deployment, so you need to use Security Configuration Manager to drop the developer certificates onto your device.
Olipro said:
you still have to unhide the ExtROM manually, and sadly, I haven't quite worked out certificate deployment, so you need to use Security Configuration Manager to drop the developer certificates onto your device.
I've unhidden my Trinity. But after I ran the patch, I can't see my extrom anymore. I can't unhide it again...
ok, sorry guys, I forgot to sign the dll... I'll do it later.
you STILL have to put the developer certificates on the device yourself though.
Olipro said:
ok, sorry guys, I forgot to sign the dll... I'll do it later.
you STILL have to put the developer certificates on the device yourself though.
So Olipro have you signed the .dll??
yes, I've recently been indulging in the consumption of booze down the local pub, so sorry for the delay; it's done now.
Remember that you still need to provision the developer certificates onto your device yourself.
I'm afraid that the Security Configuration Manager still finds the app "Unsigned".
Any further help would be appreciated.
sammis said:
I'm afraid that the Security Configuration Manager still finds the app "Unsigned".
Any further help would be appreciated.
the application is unsigned... the dll that gets put on your phone by the app however is not.
Olipro said:
the application is unsigned... the dll that gets put on your phone by the app however is not.
I'm afraid that I may be a bit on the slow side, but I can't make heads or tails out of this process; I've read the Hermes posts and still nothing.
If you find the time, please post a step by step guide as to how the app can be signed with a privileged certificate, as that seems to be the problem.
sammis said:
I'm afraid that I may be a bit on the slow side, but I can't make heads or tails out of this process; I've read the Hermes posts and still nothing.
If you find the time, please post a step by step guide as to how the app can be signed with a privileged certificate, as that seems to be the problem.
no... it's not.
the application just needs to be executed on your device, the DLL that is placed on the device needs to be signed... which I have done.
specifically, it's OEM_FLASHDRV.dll that I signed, and no, you can't view it till it's on your Trinity.
Let me tell you what I did: I ran the Security Configuration Manager, changed the configuration from locked to Security Off, then pressed Provision. I unhid the EXROM using Hermes_MountALLExTrom, transferred the patch to the PPC and ran it.
I got the message "Extrom Patched Resetting..", I reset the device, but alas no extrom.
sammis said:
Let me tell you what I did: I ran the Security Configuration Manager, changed the configuration from locked to Security Off, then pressed Provision. I unhid the EXROM using Hermes_MountALLExTrom, transferred the patch to the PPC and ran it.
I got the message "Extrom Patched Resetting..", I reset the device, but alas no extrom.
yeah... you need to go to the Device menu to install the developer certificates.
The only things in the "file" menu are: Save connected Device Configuration, Sign File and Check File Signature.
my mistake; the Device menu.
really... couldn't people have the intelligence to actually bother looking for it.
people on this forum have now successfully exceeded the level of stupidity I've experienced on the Hermes section.

INTERNAL xap installer

Could someone develop an INTERNAL xap installer program [homebrew] that will be able to install xaps inside the phone?
Thanks.
The OS already has its own framework for that, so no point; the installation of non-signed apps is discussed loads on the forum. An app is available called Chevron to achieve it; unless you have updated your phone it should still work.
I have investigated this. No luck so far. But I have a couple of leads that may let me make it. But it needs more research. I will have a look at it soon. But I can't give an ETA. So far I know there are no others that have succeeded so far.
Ciao,
Heathcliff74
This will be key for Cydia/Installous-kind apps for WP7
anarchyuk said:
The OS already has its own framework for that, so no point; the installation of non-signed apps is discussed loads on the forum. An app is available called Chevron to achieve it; unless you have updated your phone it should still work.
Is it possible? I'd like to install apps inside the phone as in WinMo.
I could have a XAP on SkyDrive and if I click it in the browser it would automatically download and install; this would be awesome.
marek1 said:
Is it possible? I'd like to install apps inside the phone as in WinMo.
I could have a XAP on SkyDrive and if I click it in the browser it would automatically download and install; this would be awesome.
Nope. Not possible. Read my previous answer. Anarchyuk did not understand your question correctly.
Sent from my OMNIA7 using XDA Windows Phone 7 App
Heathcliff74 said:
Nope. Not possible. Read my previous answer. Anarchyuk did not understand your question correctly.
Sent from my OMNIA7 using XDA Windows Phone 7 App
Why is it not possible? Reason? Will Mango make it possible?
marek1 said:
Why is it not possible? Reason? Will Mango make it possible?
No. Microsoft doesn't want you to sideload apps. They want you to use the Marketplace. If you would be able to use an internal xap installer, you would be using it for sideloading.
It is not possible to use the APIs for installing XAPs because you need TCB access for that. Normal apps have only LPC access, so normally you can't create an app for that. Needs hacking.
Ciao,
Heathcliff74
Would this type of access be possible with the 'DLLImport Project'?
So today I installed a random app from the Marketplace to see what was going on in the process list. Here I saw "PacmanInstaller.exe" (after "Downloading..." > "Installing..."); later I tried to remote execute that one without any important args, and it said "This application can not run in Win32 mode.", eh? Didn't that exe just run in the process list? Seems weird not to be able to launch that one. (It did not say the exe did not exist.)
Tested another thing too: what happens when I deploy an app from Visual Studio??
>PacmanInstaller.exe shows up there too.?!?!?
THEN WTF, WHERE IS THE DRM?
Found this in "PacmanInstaller.c":
Code:
if ( v19 != v2 )
    *(_DWORD *)(v17 + 4 * v18 - 4) = L"ID_CAP_DEBUG";
XAP > Phone side:
- IO Explorer: all files have the exact same byte size, no magic changes added ("ID_CAP_DEBUG")
- No "WMAppPRHeader.xml" added (generated/downloaded)
__
This means it's just copying it to the phone (XAP).
Runs pacman to register the app > \Applications\Install\GUID\Install
"PacmanInstaller.exe GUID" ??
>Can't execute remote PacmanInstaller? From within?
Just having fun, thanks
SimzzDev said:
Would this type of access be possible with the 'DLLImport Project'?
Nope. DllImport project is about accessing native APIs. Not really about elevating privileges (so far). The package manager APIs are native APIs, but they require elevated privileges too. For having higher privileges you need to hack the system...
fiinix said:
So today I installed a random app from the Marketplace to see what was going on in the process list. Here I saw "PacmanInstaller.exe" (after "Downloading..." > "Installing..."); later I tried to remote execute that one without any important args, and it said "This application can not run in Win32 mode.", eh? Didn't that exe just run in the process list? Seems weird not to be able to launch that one. (It did not say the exe did not exist.)
"This application can not run in Win32 mode" is error 0xbf:
Error 0xbf: error_invalid_exe_signature
Description: Cannot run <application> in Windows NT mode
Or: Cannot run <application> in Win32 mode
This means that your executable is not properly signed / elevated to launch into the required account.
fiinix said:
This means it's just copying it to the phone (XAP).
Runs pacman to register the app > \Applications\Install\GUID\Install
"PacmanInstaller.exe GUID" ??
>Can't execute remote PacmanInstaller? From within?
Just having fun, thanks
C'mon fiinix! You of all people should know!!
Code:
<!-- Rule loaded from: \IMGFS\969eb155-55ff-4884-9ecb-241c8a4b6e09.policy.xml(405,6) -->
<Rule PriorityCategoryId="PRIORITY_STANDARD" ResourceIri="/LOADERVERIFIER/ACCOUNT/(+)/ACCOUNT_CAN_LAUNCH/NONE/NONE/PRIMARY/WINDOWS/PACMANINSTALLER.EXE" SpeakerAccountId="S-1-5-112-0-0-1" Description="Only TCB can launch into this chamber">
<!-- Authorize loaded from: \IMGFS\969eb155-55ff-4884-9ecb-241c8a4b6e09.policy.xml(406,10) -->
<Authorize>
<!-- Match loaded from: \IMGFS\969eb155-55ff-4884-9ecb-241c8a4b6e09.policy.xml(407,14) -->
<Match AccountId="S-1-5-112-0-0-1" AuthorizationIds="LV_ACCESS_EXECUTE" />
</Authorize>
<!-- Stop loaded from: \IMGFS\969eb155-55ff-4884-9ecb-241c8a4b6e09.policy.xml(409,10) -->
<Stop>
<!-- Match loaded from: \IMGFS\969eb155-55ff-4884-9ecb-241c8a4b6e09.policy.xml(410,14) -->
<Match AccountId="S-1-5-112-0-0XFF" />
</Stop>
</Rule>
That's why you can't run it! So, not the right account to launch. Not even when you use the Samsung exploit. Because that uses "Elevated". Not "TCB".
The proper way to call PacmanInstaller.exe is:
Code:
pacmaninstaller.exe <int> <guid>
I'm not really sure, but the <int> is the type of operation. Possible values are between 1 and 7 if I recall correctly. The guid is the application id. So far I know, the PacmanInstaller looks in \Application Data\Phone Tools\10.0\Install. That is where the XAPs are initially uploaded to the phone and extracted by the package manager.
Ciao,
Heathcliff74
PS. New version of WP7 Root Tools coming up....
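The rule quoted above is small enough to parse and evaluate. The following Python is an added example, not code from the thread or from Microsoft's loader verifier: it reads the quoted <Rule>, extracts which account is granted LV_ACCESS_EXECUTE, and answers the point that only the TCB account can launch PacmanInstaller.exe. The "Elevated" SID is a constructed placeholder, the rule text is a copy with the "loaded from" comments dropped, and treating AuthorizationIds as a comma-separated list is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the policy rule quoted in the post (comments dropped).
PACMAN_RULE_XML = """\
<Rule PriorityCategoryId="PRIORITY_STANDARD"
      ResourceIri="/LOADERVERIFIER/ACCOUNT/(+)/ACCOUNT_CAN_LAUNCH/NONE/NONE/PRIMARY/WINDOWS/PACMANINSTALLER.EXE"
      SpeakerAccountId="S-1-5-112-0-0-1"
      Description="Only TCB can launch into this chamber">
  <Authorize>
    <Match AccountId="S-1-5-112-0-0-1" AuthorizationIds="LV_ACCESS_EXECUTE" />
  </Authorize>
  <Stop>
    <Match AccountId="S-1-5-112-0-0XFF" />
  </Stop>
</Rule>
"""

TCB_SID = "S-1-5-112-0-0-1"  # the rule's SpeakerAccountId; the post calls it TCB
# Constructed stand-in for the "Elevated" chamber; its real SID is not in the thread.
ELEVATED_SID_PLACEHOLDER = "S-1-5-112-0-0-ELEVATED-PLACEHOLDER"


def parse_rule(xml_text):
    """Return the rule's protected resource, authorised accounts and stop accounts."""
    root = ET.fromstring(xml_text)
    if root.tag != "Rule":
        raise ValueError("expected a <Rule> element, got <%s>" % root.tag)
    authorize = {}
    for match in root.findall("./Authorize/Match"):
        # Assumption: AuthorizationIds may list several ids separated by commas.
        ids = {i.strip() for i in match.get("AuthorizationIds", "").split(",") if i.strip()}
        authorize.setdefault(match.get("AccountId"), set()).update(ids)
    # The Stop block is recorded but not interpreted: the thread does not say
    # how the 0XFF suffix is matched, so nothing is assumed about it here.
    stop = [m.get("AccountId") for m in root.findall("./Stop/Match")]
    return {
        "resource": root.get("ResourceIri", ""),
        "speaker": root.get("SpeakerAccountId"),
        "description": root.get("Description", ""),
        "authorize": authorize,
        "stop": stop,
    }


def protected_executable(rule):
    """Last path element of the ResourceIri, e.g. PACMANINSTALLER.EXE."""
    return rule["resource"].rstrip("/").rsplit("/", 1)[-1]


def can_launch(rule, account_sid):
    """True only when the Authorize block grants LV_ACCESS_EXECUTE to this exact SID.

    Any account the Authorize block does not name is denied, which is why an
    "Elevated" process cannot launch into the chamber while TCB can.
    """
    return "LV_ACCESS_EXECUTE" in rule["authorize"].get(account_sid, set())


def explain(rule, account_sid):
    """One-line verdict for a given account against the rule."""
    verdict = "may" if can_launch(rule, account_sid) else "may NOT"
    return "%s %s launch %s (%s)" % (
        account_sid, verdict, protected_executable(rule), rule["description"])


if __name__ == "__main__":
    rule = parse_rule(PACMAN_RULE_XML)
    print(explain(rule, TCB_SID))
    print(explain(rule, ELEVATED_SID_PLACEHOLDER))
```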
"Not even when you use the Samsung exploit. Because that uses "Elevated". Not "TCB"."
> What about "\Windows\Startup\"
That one launches whatever lnk (exe pointer) is listed under the startup directory. Would be an opportunity to restart after installing all "cydia" apps on the phone.
Another small but interesting find:
>Checking the mail launches another "servicesd.exe".
All those exes of multiple sessions like "udevice.exe" and "servicesd.exe" go with an arg, right? Then what is put in? Maybe a dll as arg?
>Then again, the custom dll (VS2008 made) will not run because it does not have "LV_ACCESS_EXECUTE", so that locks TCB out for dll arg injection.
udevice.exe (Driver host, runs under "SYSTEM" level)
servicesd.exe (Ordinary exe for dll host)
So making custom drivers won't work... (probably),
to be a middle hand for executing under SYSTEM.
edit:
haha post "404" (current post count)
>HTTP Not Found.
Heathcliff74 said:
No. Microsoft doesn't want you to sideload apps. They want you to use the Marketplace. If you would be able to use an internal xap installer, you would be using it for sideloading.
It is not possible to use the APIs for installing XAPs because you need TCB access for that. Normal apps have only LPC access, so normally you can't create an app for that. Needs hacking.
Ciao,
Heathcliff74
OK, I know that MS don't want to allow it, but I want to know if it is possible to hack it and do the internal XAP installer. That's why I am asking.
I think that everybody who has an unlocked phone will appreciate it!!
As everyone already said.. CANNOT be done. There's no, "I want to know if someone can hack this". The people working to bring full file/registry access and a better experience to all phones are too busy to worry about trying to make an internal xap installer. Just hook the damn thing up to a computer and use the applications to push a xap to your phone and be happy. I'm no admin or anything, but please don't pester over something like this.

[XAP] [REQUEST] Can someone with an Ativ S upload DiagnosticTool_Sprint for me?

I am hoping that someone with an Ativ S can download the "DiagnosticTool_Sprint" from the Windows Phone store and upload it here. It is available if you set "oemId=htc" in fiddler. I think there are some hidden pages we can use to interop unlock HTC.
Link:
"DiagnosticTool_Sprint" for Windows Phone http://www.windowsphone.com/s?appid=e69a2877-59b8-43ed-898d-554fbc4b8b2b
Thanks!
To be clear, you are asking that somebody download this HTC app to their phone and install it, then use the MTP full file system access to extract the binaries for reverse engineering? Sounds like a plan, if I could persuade my phone to do the full file system access thing right now I would (away from home, on my Surface RT right now).
compu829 said:
I am hoping that someone with an Ativ S can download the "DiagnosticTool_Sprint" from the Windows Phone store and upload it here. It is available if you set "oemId=htc" in fiddler. I think there are some hidden pages we can use to interop unlock HTC.
Link:
"DiagnosticTool_Sprint" for Windows Phone http://www.windowsphone.com/s?appid=e69a2877-59b8-43ed-898d-554fbc4b8b2b
Thanks!
Hi
First, to download this app we need someone with a Sprint device to grab the correct URL using Fiddler.
Like this one:
Code:
http://marketplaceedgeservice....................os=8.0.10512.0&cc=us&lang=en-us&hw=268473858&moid=sfr-fr/
This way we can have the correct hw & moid values & install on any device...
@GoodDayToDie yup. that is what I am asking for. Based on what @thals1992 saw when he was playing with this on his 8XT is that depending on what dial codes you put in, the same app loads with different pages.
@xboxmod the only thing that needs to be changed to enable downloading from the store is the oemId. It needs to be HTC. I was able to download it to my T-Mobile Branded 8x (which Sprint doesn't even sell) with no issues. (Its moID is "null" for some reason on my phone after applying GDR3 and hard resetting.)
compu829 said:
@xboxmod the only thing that needs to be changed to enable downloading from the store is the oemId. It needs to be HTC. I was able to download it to my T-Mobile Branded 8x (which Sprint doesn't even sell) with no issues. (Its moID is "null" for some reason on my phone after applying GDR3 and hard resetting.)
Thanks
"null" value was the trick.:good:
xboxmod said:
Thanks
"null" value was the trick.:good:
Were you able to get this off your Ativ? I'd love to start ripping into it.
compu829 said:
Were you able to get this off your Ativ? I'd love to start ripping into it.
I did manage to extract the DiagnosticTool_Sprint and it's now an unencrypted xap, the data.zip is all the files how I found them on my phone (with the exact path to the program and the appdata).
I will decompile The dlls and Look for hidden pages
Sent from my RM-821_eu_euro2_248 using Tapatalk
bruce142 said:
I did manage to extract the DiagnosticTool_Sprint and it's now an unencrypted xap, the data.zip is all the files how I found them on my phone (with the exact path to the program and the appdata).
Thanks!
@GoodDayToDie @xboxmod Apparently there is a capability called <!--Capability Name="ID_CAP_NVREADWRITE" /-->. Too bad it's commented out in their manifest :/ I wonder what it does? (besides the obvious, based on the name)
edit:
I was able to plug in my phone and Windows Update decided to install drivers! I now have "HTC Diagnostic Interface (Com 6)", "HTC NEMA Interface (Com 8)", "HTC USB Modem", and "HTC Remote NDIS-Based Device" (this one is currently Code 10). Thanks Sprint!

Give system service permission to external storage

Hi,
I'm studying how PackageManagerService works, and I noticed that if an application was downloaded to /data/app I can access the file and open an InputStream.
But if the APK was downloaded to the SD card, I can't access the file from PackageManagerService.
Is there something I can do?
I want to be able to read the APK before it gets installed...
Thanks,
pi.publicSourceDir = apk file path
pyler said:
pi.publicSourceDir = apk file path
Not sure I follow you.
I'm in the PackageManagerService context; I don't have a PackageInfo (the application is still not installed).
You could hook PermissionGranter and give the process extra permissions, or see where the system is actually parsing the APK's manifest before installing it.
GermainZ said:
You could hook PermissionGranter and give the process extra permissions, or see where the system is actually parsing the APK's manifest before installing it.
Thanks. What I don't understand is: if I give my Xposed module permissions to read external storage, why can it still not read it?
shnapsi said:
Thanks. What I don't understand is: if I give my Xposed module permissions to read external storage, why can it still not read it?
They're different processes.
http://forum.xda-developers.com/showpost.php?p=55332926&postcount=9
http://forum.xda-developers.com/showpost.php?p=55186575&postcount=2
GermainZ said:
They're different processes.
http://forum.xda-developers.com/showpost.php?p=55332926&postcount=9
http://forum.xda-developers.com/showpost.php?p=55186575&postcount=2
So just to make sure I understand: I can create a service and run it from the hooked method and it should work?
If so, I have another question.
How can I stop the original method from running until a point where I allow it to continue?
Thanks GermainZ!
shnapsi said:
So just to make sure I understand: I can create a service and run it from the hooked method and it should work?
I don't understand how you read that from my reply, to be honest. Here's what I meant:
Hooked code *is not* run as your app. The hooked code is run as the hooked app.
If the hooked app can't do X, then the hooked code can't do X either.
Your app's permissions do not affect the hooked code in any way, only normal (not hooked) code.
shnapsi said:
How can I stop the original method from running until a point where I allow it to continue?
Using the normal ways you'd normally use if it weren't an Xposed module, in the beforeHookedMethod hook. I'm not familiar with the exact methods, you can look that up. Just be aware that blocking it for too long will cause an ANR.
