Hi hackers!
IMPORTANT ANNOUNCEMENT!
WP7 Root Tools will soon be available for Mango!
More info HERE
With this tool you get root-access to parts of your WP7 device. The first release only contains a registry-editor. The file-explorer and certificate stores will follow.
This tool is in alpha stage. That means that it is not feature complete and it is not yet properly tested. This tool also provides you with high privileges with which you can alter low level settings and data on this device. All this may result in unexpected and undesired behaviour, which may ultimately damage your device. Use this tool with care and use it at your own risk. The developer of this tool cannot be held responsible for any kind of damages, caused directly or indirectly by using this tool.
The current version of this tool can only be used on Samsung devices. A small part of the code uses Samsung-specific functionality. The performance of the tool may sometimes be slow. This is the result of the way access to the system is elevated. The goal is to make this tool device-independent and to elevate access more directly in the future, but that requires more research.
To install this you need a developer-unlocked Windows Phone 7 device. For questions about unlocking your device, please refer to the appropriate threads.
If you have bug-reports or feature-requests, please give a full description.
If you like this, hit the "Thanks" and/or "Donate to me" button.
Ciao,
Heathcliff74
Update 2011/04/06:
1. Some people requested a possibility for donations. I opened a PayPal account and the "Donate to me" button should work. Thanks!
2. I get an overwhelming amount of comments and PMs. I can't answer them all right now. I will try to answer them a bit later. Sorry.
Thanks for all the support, guys!
Update 2011/04/13: RELEASE "WP Root Tools 0.2 alpha"
Consider this an "interim build". Most changes are under the hood. I did a lot of refactoring for performance improvements and paving the way for the file-explorer. This version does not include the file-explorer just yet. That will be the next release. Fixes in the new 0.2 alpha version:
- Compatible with light theme.
- Navigate out of the app with back-button.
- Due to refactoring and better use of the exploit I gained a lot of performance. It is very fast compared to the previous version. Should also reduce battery drain significantly.
Update 2011/04/14: RELEASE "WP Root Tools 0.3 alpha"
Mightyhog found a regression bug in the 0.2 version. HKLM\Software\Microsoft\ was not listed properly. It is fixed in the 0.3 alpha version.
Update 2011/04/18: Info about known limitations
Yesterday I added some info here which, after more research, did not seem to be entirely correct. I misinterpreted some of the file-flags I was seeing. So here's some more detailed info about the known limitations of the current Registry Editor and the File Explorer which is coming soon. It seems that having TCB privileges still has some limitations on accessing the filesystem and the registry.
Some registry values can be changed but they are reset back to their default value after the device is restarted. One example of such value is:
HKLM\System\CurrentControlSet\Control\Power\Timeouts\BattUserIdle DWord 300
Possible explanations:
- The value is stored in a ROM registry hive. The change is made in RAM and after the device is restarted and RAM is cleared, the value is read from ROM.
- In the boot sequence of the device some xml-files which contain settings, are provisioned and overwrite changes made to the registry.
- A certain service or startup-program simply overwrites settings on system-startup.
I'm working on the File Explorer now. While testing I found out that even though I have TCB privileges some access is still restricted, because system-files are mapped directly in ROM. There are 2 file-flags that have impact on this:
- 0x0040 = FILE_ATTRIBUTE_INROM - This file is an OS file stored in ROM. Most files in the \Windows folder have this attribute. These files cannot be moved, modified, renamed or removed. Only a firmware update can change these files.
- 0x2000 = FILE_ATTRIBUTE_ROMMODULE - The exe- and dll-files in the \Windows folder also have this flag set. These ROM files are mapped directly into executable read-only address-space, rather than being first copied to RAM. They cannot even be accessed as a file. They can only be executed. And therefore these files also can't be copied to another location, i.e. we don't even have read-access on these files. However, I may have found a way to access these files anyway. This needs a bit more research, but I hope that I can at least copy the files to a location where they can be accessed.
Everything else seems to be possible. Creating files in the \Windows folder is no problem. I hope to be able to release a version with a File Explorer soon. I guess it will be in about two weeks or something. Bear with me.
Update 2011/04/19: No luck on reading the ROM modules
I did more testing. I wanted to have at least read-access to the exe- and dll-files in the \Windows folder. As it is not possible to call CreateFile() on those files, I tried LoadLibrary(). That works. With CreateToolhelp32Snapshot(), Module32First() and Module32Next() I can enumerate the modules and find the one I loaded. I also get a base address and size of the module. The problem is that I can't access that memory. I tried direct-access and I tried using ReadProcessMemory(). ReadProcessMemory() returns "Incorrect parameter" as soon as I try to access the ROM memory. Also using VirtualProtect() to unlock the memory gives me "Incorrect parameter" all the time. So it seems we won't have read-access to the exe- and dll-files in the \Windows folder for now. I will now concentrate on other functionality for the File Browser. I will try to get access to the ROM modules later on.
Update 2011/06/14: RELEASE "WP Root Tools 0.4 alpha"
It has taken me a long time, here's a new release, finally. Actually this release is not very useful yet, because the file-explorer is read-only so far. The "Cut / Copy / Paste / Delete / Rename" will follow soon. The browsing part has been extremely difficult. The main problem was the performance. Opening a folder could take up to 4 minutes. Ouch! Through a combination of multi-threading techniques, caching and combining multiple exploits I finally got this to a stable solution where browsing can be done in quite an acceptable way. The write actions don't have these performance issues, because it is not a real problem when copying a file will take a few seconds more or less. I already started on implementing this. This release also has a few minor fixes to the Registry editor, but no new functionality. I also did a lot of testing on the certificate stores. I got full read / write access to all the stores, but none of that is implemented in the WP7 Root Tools yet. That will be next.
Update 2011/06/24: RELEASE "WP Root Tools 0.5 alpha"
In this version I implemented the basic file-operations and a certificate installer.
You might wonder why I created a certificate installer, because it is already possible to add certificates. When you email a certificate to yourself and tap that attachment, WP7 will install it. But if you install like this, the certificate will always be installed in the "Root" certificate store. With my certificate installer you can also install in "CA", "My" and "Code Integrity" stores. This may be very useful for hacking attempts. You can install a certificate by browsing to the ".cer" file and tapping it. The possibilities for getting a certificate file on your phone will follow below. If you start installing certificates on your phone you should consider making backups in advance. I once experienced Zune going totally berserk after installing certs. Zune took 100% and lost connection with the phone all the time. Everything was back to normal when I deleted the certs. In this version there is no view on the certificate stores available yet. In a future version you will be able to view the contents of all the certificate stores and also uninstall certificates from there.
I specifically mentioned that this version has basic file-operations, because not everything is implemented. This is what you can do:
- Cut / Copy / Paste / Delete / Rename single files
- Delete empty folders
- Create new folders
This is what you can't do (will be possible in later versions):
- Cut / Copy / Paste multiple files or entire folders
- Delete folders with content
- Rename folders
Last, but not least: I fixed some performance issues. Mainly memory-leaks in native code and in COM interop. I'm not sure if I got all leaks now, because it's not easy to do native C++ without debugger and profiler. But improvement is clearly noticeable.
This version does not have a connection with the PC. So it is not possible to use WP7 Root Tools to transfer files between the phone and the PC. You can, however, use other tools to get files onto your phone and then use WP7 Root Tools to move the files to the desired location. WP7 Root Tools has write access on every folder of your phone.
How to transfer files to your phone:
- Mail the file to yourself. Use your phone to go to your mailbox (not webmail). The attachment will be downloaded in the background. Then use WP7 Root Tools to navigate to \Application Data\Volatile\EmailAttachments\Attachments(number). You have to look which attachment is the one you want. The filename may be changed. The extension is the same.
- Install Davux' webserver on your phone. Configure a password in that webserver. The IP of the phone is visible in the webserver app. Browse to the phone like this: http://192.168.1.2/IsolatedStorage using the IP of the phone. Upload a file to the phone. Open WP7 Root Tools 0.5 alpha. Navigate to this folder: \Applications\Data\9BFACECD-C655-4E5B-B024-1E6C2A7456AC\Data\IsolatedStore\. There's your file. You can copy it to another location if you want.
- Use the Zune storage hack, described here and here. If you copied the files to your phone in this way, they will be located at \My Documents\Zune\Content in one of the subfolders. Again, the files here are renamed. You have to find the file you want and then rename it.
Have fun!
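The two attribute bits described in the 2011/04/18 update, worked into a small classifier. This is an added example, not part of the original post and not code from WP7 Root Tools; the operation names, the sample paths and their attribute values are constructed for illustration, and only the two flag values come from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Attribute bits exactly as listed in the post. */
#define ATTR_INROM     0x0040u  /* FILE_ATTRIBUTE_INROM */
#define ATTR_ROMMODULE 0x2000u  /* FILE_ATTRIBUTE_ROMMODULE */

/* File-level operations; these names are hypothetical, chosen for this example. */
#define OP_READ   0x1u  /* open as a file and read, so it can be copied out */
#define OP_MODIFY 0x2u  /* move, modify, rename or remove */

struct entry   { const char *path; uint32_t attrs; };
struct summary { size_t writable, rom_read_only, execute_only; };

/* ROMMODULE is checked first: it removes even the read access INROM leaves. */
unsigned allowed_ops(uint32_t attrs)
{
    if (attrs & ATTR_ROMMODULE)
        return 0;                 /* mapped execute-in-place, not reachable as a file */
    if (attrs & ATTR_INROM)
        return OP_READ;           /* only a firmware update can change it */
    return OP_READ | OP_MODIFY;
}

/* Count how a file-level copy or backup of a listing would fare. */
struct summary summarize(const struct entry *e, size_t n)
{
    struct summary s = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        unsigned ops = allowed_ops(e[i].attrs);
        if (ops & OP_MODIFY)    s.writable++;
        else if (ops & OP_READ) s.rom_read_only++;
        else                    s.execute_only++;
    }
    return s;
}

/* Constructed sample listing; paths and attribute values are made up. */
static const struct entry SAMPLE[] = {
    { "\\Windows\\example.dll",      0x2040 },  /* INROM | ROMMODULE */
    { "\\Windows\\example.exe",      0x2041 },  /* same, plus the read-only bit */
    { "\\Windows\\example.xml",      0x0041 },  /* INROM data file */
    { "\\My Documents\\example.cer", 0x0020 },  /* ordinary file in writable storage */
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_N; i++) {
        unsigned ops = allowed_ops(SAMPLE[i].attrs);
        printf("%-28s 0x%04x  read=%s modify=%s\n", SAMPLE[i].path,
               (unsigned)SAMPLE[i].attrs,
               (ops & OP_READ) ? "yes" : "no", (ops & OP_MODIFY) ? "yes" : "no");
    }
    struct summary s = summarize(SAMPLE, SAMPLE_N);
    printf("writable=%zu rom_read_only=%zu execute_only=%zu\n",
           s.writable, s.rom_read_only, s.execute_only);
    return 0;
}
```

The execute_only count is the set of files a file-level copy of \Windows would miss, which matches the limitation reported in the 2011/04/19 update.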