Project: Let's 'jailbreak' NoDo

Jaxbot
#1
Recognized Developer - OP

Introduction
This post is to help pool together ideas on how to finally get unofficial developer unlocking (I'm just gonna call it 'jailbreaking' for now, even though that's politically incorrect) on NoDo and later builds of Windows Phone 7.
The main motivation here is, of course, homebrew. It seems a little ridiculous to me to pay $99 for a Marketplace account that I would never publish to, and aside from that, I find it very hard to share any homebrew applications I make when only a small subset of users can sideload them, and they would of course never be approved to the Marketplace.

So, here's the sitch
I've been working on and off for a few weeks on how to get this working, and since I simply do not have the time or resources to crack it myself, I'm sharing what I've found in hopes that some of the much brighter minds here on XDA can finally crack this thing open.

First off, let's start with the basics. To developer unlock WP7, the internal change is really quite simple: change the DeveloperUnlocked key from 0 to 1. This, of course, requires registry access, which we don't have (LG aside) without sideloading, which is a bit of a paradox.

Fortunately, we have the official Phone Registration tool to look at, and the code is, thankfully, not obfuscated. Let's lay out how it works:

-Tool logs into the Live account
-Tool gets some sort of auth token from the live login
-Tool connects to the phone on port 27077 and sends a special packet, containing a cookie for the phone to use in its internal authorization
-Phone connects to developerservices.windowsphone.com, and sends this cookie (auth token) over to the server over HTTPS to get the response.
On success, the server returns something like this:
Code:
<ResponseOfRegisteredDeviceStatus xmlns="Microsoft.WindowsMobile.Service.Marketplace"
                                  xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <ResponseCode>0x00000000</ResponseCode>
  <ResponseMessage i:nil="true" />
  <Entity xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.WindowsMobile.Service.Marketplace.BLLDevPortal.Entities">
    <a:DaysLeft>365</a:DaysLeft>
    <a:AppsAllowed>10</a:AppsAllowed>
  </Entity>
</ResponseOfRegisteredDeviceStatus>
And the phone sends this byte sequence back to the registration tool:
Code:
16, 81, 7, 0, 1, 4, 0, 2, 0, 0, 0
If anything goes wrong, it sends back something like this:
Code:
16, 82, 7, 0, 1, 4, 0, 100, 0, 0, 0
Pretty simple, actually.

Taking a lesson from past examples
Two important pieces of information: How did ChevronWP7 work, and more importantly, how was it blocked?
The program was actually quite simple. To lay it out:
-ChevronWP7 starts an HTTPS webserver
-Chevron changes the hosts file in Windows to reroute all developerservices.windowsphone.com traffic to itself (localhost)
Since this is an HTTPS connection, a valid certificate must be used, or else the connection will fail. To get around this, the Chevron team made that ChevronWP7.cer file, which, essentially, created a developerservices.windowsphone.com certificate to match a fake one on the server. Since this wouldn't be issued by an authority, the user had to manually install it.
-With the certificate manually installed, Chevron sends the unlock packet to the phone, the phone tries to connect to the webserver, Windows connects it to localhost instead of the real server, and Chevron sends back a success packet.
Voila.

How it was blocked
Despite what people seem to think, Microsoft didn't exactly block ChevronWP7 specifically. Rather, they fixed the security hole it exploited.
To test things out, I wrote my own unlocking system using some C# and an SSL Apache server. Sure enough, after installing a fake certificate I made, it worked on my 7004 build. On my 7390 build, however, it instantly returned the same error code as if no certificate was installed:
Build 7008 with no certificate:
Code:
16, 82, 7, 0, 1, 4, 0, 100, 0, 0, 0
Build 7390 with certificate:
Code:
16, 82, 7, 0, 1, 4, 0, 100, 0, 0, 0
What does this mean? I'm no expert here, but here's what I think: Microsoft patched the hole by preventing the unlocking system from using custom-installed certificates to connect to SSL. My reasoning here is that I can connect to the server through Internet Explorer with a secure connection after installing the certificate on the phone, but the unlocking system acts as if no such certificate exists. Guess it only uses trusted certificates, now.

What I've tried
I've tried a couple of different things to get around this plateau, actually. Aside from constructing my own debug unlocker for my 7004 device, I also tried mirroring the Marketplace XAPs, which didn't work due to the DRM. I've also knocked on any loose bits I can find, but no use; it just won't budge.

tl;dr
Here's the deal. I've tried what I can think of, and now I hope some more bright minds can finally crack this thing open. Again, my goal here is the homebrew, and while I know this has been promised before, I cannot simply wait in uncertainty until it is finally implemented.

What steps we take from here, I'm not too sure. If we want to take the web-spoofing route, we'll need a way to install trusted certificates, which is probably not the easiest thing to do. But if there are any other gaping holes in the OS, now is the time to find them.

As a general favor, I would like it if we could keep this thread low on off-topic posts; I know many of you want this, but expressing those thoughts will only slow things down.

Thanks, and good luck to us all
~Jaxbot
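As an added example, not code from Jaxbot's post, the Phone Registration tool or ChevronWP7, the Python below models both sides of the unlock exchange laid out above: it parses the server's ResponseOfRegisteredDeviceStatus document with the namespaces as quoted, builds the same document the way a Chevron-style spoofing server would have to, and classifies the phone's 11-byte reply to the tool. Only the XML and the two byte sequences come from the post; the function names, the one-to-one mapping of a zero ResponseCode onto the success reply, and the reading of bytes 1 and 7 as the status bytes (the only positions where the two quoted replies differ) are my assumptions.

```python
"""Added example (not from the original post or the Phone Registration
tool): model both sides of the developer-unlock exchange described above.

Taken from the post: the ResponseOfRegisteredDeviceStatus document and the
two 11-byte phone replies. Assumptions made here: the function names, that
a zero ResponseCode maps straight onto the success reply, and that bytes 1
and 7 are the status bytes (the only positions where the samples differ).
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_MARKET = "Microsoft.WindowsMobile.Service.Marketplace"
NS_ENTITY = ("http://schemas.datacontract.org/2004/07/"
             "Microsoft.WindowsMobile.Service.Marketplace.BLLDevPortal.Entities")
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"

# The two replies the phone sends back to the tool, as quoted in the post.
PHONE_REPLY_OK = bytes([16, 81, 7, 0, 1, 4, 0, 2, 0, 0, 0])
PHONE_REPLY_ERR = bytes([16, 82, 7, 0, 1, 4, 0, 100, 0, 0, 0])

# Constructed sample: the success document quoted in the post, verbatim.
SAMPLE_SUCCESS = """<ResponseOfRegisteredDeviceStatus xmlns="Microsoft.WindowsMobile.Service.Marketplace"
xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <ResponseCode>0x00000000</ResponseCode>
  <ResponseMessage i:nil="true" />
  <Entity xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.WindowsMobile.Service.Marketplace.BLLDevPortal.Entities">
    <a:DaysLeft>365</a:DaysLeft>
    <a:AppsAllowed>10</a:AppsAllowed>
  </Entity>
</ResponseOfRegisteredDeviceStatus>"""


def _q(ns, tag):
    """Clark-notation name that ElementTree uses for a namespaced element."""
    return "{%s}%s" % (ns, tag)


def build_device_status(response_code=0, message=None, days_left=365,
                        apps_allowed=10):
    """Produce the document the real server (or a Chevron-style spoofing
    server) returns. Layout and namespaces follow the sample in the post."""
    if message is None:
        msg = '<ResponseMessage i:nil="true" />'
    else:
        msg = "<ResponseMessage>%s</ResponseMessage>" % escape(message)
    return (
        '<ResponseOfRegisteredDeviceStatus xmlns="%s"\n' % NS_MARKET
        + 'xmlns:i="%s">\n' % NS_XSI
        + "  <ResponseCode>0x%08X</ResponseCode>\n" % int(response_code)
        + "  %s\n" % msg
        + '  <Entity xmlns:a="%s">\n' % NS_ENTITY
        + "    <a:DaysLeft>%d</a:DaysLeft>\n" % int(days_left)
        + "    <a:AppsAllowed>%d</a:AppsAllowed>\n" % int(apps_allowed)
        + "  </Entity>\n"
        + "</ResponseOfRegisteredDeviceStatus>"
    )


def parse_device_status(xml_text):
    """Parse the server's reply the way the phone has to: namespace aware,
    honouring i:nil, and treating any non-zero ResponseCode as failure."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(NS_MARKET, "ResponseOfRegisteredDeviceStatus"):
        raise ValueError("unexpected root element %r" % root.tag)
    code_el = root.find(_q(NS_MARKET, "ResponseCode"))
    if code_el is None or not (code_el.text or "").strip():
        raise ValueError("ResponseCode missing")
    code = int(code_el.text.strip(), 16)          # "0x00000000" -> 0
    msg_el = root.find(_q(NS_MARKET, "ResponseMessage"))
    if msg_el is None or msg_el.get(_q(NS_XSI, "nil")) == "true":
        message = None
    else:
        message = msg_el.text
    entity = root.find(_q(NS_MARKET, "Entity"))
    days = apps = None
    if entity is not None:
        d = entity.find(_q(NS_ENTITY, "DaysLeft"))
        a = entity.find(_q(NS_ENTITY, "AppsAllowed"))
        days = int(d.text) if d is not None and d.text else None
        apps = int(a.text) if a is not None and a.text else None
    return {"response_code": code, "message": message,
            "days_left": days, "apps_allowed": apps, "ok": code == 0}


def phone_reply_for(status):
    """Assumed mapping: success reply only for a zero ResponseCode."""
    return PHONE_REPLY_OK if status["ok"] else PHONE_REPLY_ERR


def classify_phone_reply(reply):
    """Read the phone's reply on the tool side. Assumption: byte 1 (81/82)
    and byte 7 (2/100) carry the status; the other nine bytes must match."""
    if len(reply) != 11:
        return "malformed"
    frame = [i for i in range(11) if i not in (1, 7)]
    if any(reply[i] != PHONE_REPLY_OK[i] for i in frame):
        return "malformed"
    if reply[1] == 81 and reply[7] == 2:
        return "unlocked"
    if reply[1] == 82:
        return "failed(%d)" % reply[7]
    return "unknown"
```

A server that wants to hand the phone a success only needs `build_device_status()` with the defaults; the harder part, as the post explains, is getting the phone to accept the TLS certificate of whoever serves it.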
 
SwooshyCueb
#2
I've found a certificate in the Windows folder of my WP7. Maybe this is the one you need to use?

 
MarcHoover
#3
Nice work! A few days ago, I thought about a quite similar project.
What about the "USB"-Way, no Webservers, no certificates just raw (manipulated) USB packages?

When my developer account becomes activated I could "sniff" some traffic between PC and phone for you, if you want.
 
Jaxbot
#4
Quote:
Originally Posted by SwooshyCueb View Post
I've found a certificate in the Windows folder of my WP7. Maybe this is the one you need to use?
No, I believe that is for app signing or the like. The certificate has to match the private key on the webserver, so the only way around this would be access to Microsoft's private key, which is basically impossible to obtain (and illegal)
 
Jaxbot
#5
Quote:
Originally Posted by MarcHoover View Post
Nice work! A few days ago, I thought about a quite similar project.
What about the "USB"-Way, no Webservers, no certificates just raw (manipulated) USB packages?

When my developer account becomes activated I could "sniff" some traffic between PC and phone for you, if you want.
Can you expound upon this? Are you talking about USB deploying or something else? From what I can tell, you can't deploy packages to the phone without it being dev unlocked. In fact, not even reading data from the device is possible to this extent. Or are you talking about something else?

Thanks
 
colossus_r
#6
Good Work m8

Well done m8... This is serious research...
I hope someone can help you with this....

Keep up the good work
 
ChrisKringel
#7
Hey

Another possibility I can think of is trying to use the update process to update the registry. Did someone look into this approach?
 
Jaxbot
#8
Quote:
Originally Posted by ChrisKringel View Post
Hey

Another possibility I can think of is trying to use the update process to update the registry. Did someone look into this approach?
I've thought about this, but it would involve some complicated understanding of the update system. If anyone knows how to go about doing this, though, I'm all ears.
 
kingjovius
#9
Quote:
Originally Posted by ChrisKringel View Post
Hey

Another possibility I can think of is trying to use the update process to update the registry. Did someone look into this approach?
I've no knowledge in this stuff, but instead of the update process, how about maybe the use of flashing? Like, instead of flashing a whole new ROM, maybe use that process to just put in an edited registry key or something, however it works.
 
ChrisKringel
#10
(Last edited by ChrisKringel; 14th May 2011 at 04:50 PM.)
Quote:
Originally Posted by Jaxbot View Post
I've thought about this, but it would involve some complicated understanding of the update system. If anyone knows how to go about doing this, though, I'm all ears.
I don't own a WP7 myself, so I can only hypothesize... When an update is available, it is downloaded by Zune. Zune itself checks on a web server whether an update is available. The emulation of this server would not be complicated... The question is the type of the updates and what they consist of... And they have somehow to be transmitted via Zune. Maybe we could reverse engineer the Chevron updater?

Edit: I just took a look into the "Unwalsh" tool. It seems to download the selected updates as *.cab files:

Code:
    // One diff cab per build step: 7008 -> 7355 -> 7389 -> 7390
    Mui item = new Mui {
        ID = 1,
        MUI = "0409",
        MuiName = "English (United States)",
        CabinetUrl = new List<string> {
            "http://download.windowsupdate.com/msdownload/update/software/dflt/2011/03/diff-7.0.7008.0-7.0.7355.0-armv7-retail-microsoft.lang_0409.pks_65fe09539f02edc8e1d44609fb537b87613063ea.cab",
            "http://download.windowsupdate.com/msdownload/update/software/dflt/2011/01/diff-7.0.7355.0-7.0.7389.0-armv7-retail-microsoft.lang_0409.pks_0cdfd833159cd10036e6025ec1db784dd712b2f4.cab",
            "http://download.windowsupdate.com/msdownload/update/software/dflt/2011/03/diff-7.0.7389.0-7.0.7390.0-armv7-retail-microsoft.lang_0409.pks_b4e3f25a79cfd5514895169ba167d9bd0cdb135d.cab"
        }
    };
These updates are cab files that consist of multiple pku files.

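As an added example, not part of the thread or of the Unwalsh tool, the Python below pulls the build numbers and other fields out of the diff-cab URLs quoted above and checks that a list of them forms an unbroken upgrade chain (each cab's target build is the next cab's source, one architecture and SKU throughout) before anyone thinks about feeding modified packages to a device. The file-name layout, diff-<from>-<to>-<arch>-<sku>-<package>.pks_<40 hex>.cab, is read off the three URLs in the post; the field names are mine, and the 40-hex suffix is kept as an opaque string because nothing on the page says what it is.

```python
"""Added example (not from the thread or the Unwalsh tool): parse the
diff-cab URLs quoted above and verify they form an unbroken upgrade chain.

The file-name layout is inferred from the three URLs in the post. Field
names are assumptions; the 40-hex suffix is not interpreted (it is kept as
an opaque string, not treated as a verified hash of anything).
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the three URLs quoted in the post, in the order given.
SAMPLE_CAB_URLS = [
    "http://download.windowsupdate.com/msdownload/update/software/dflt/2011/03/"
    "diff-7.0.7008.0-7.0.7355.0-armv7-retail-microsoft.lang_0409"
    ".pks_65fe09539f02edc8e1d44609fb537b87613063ea.cab",
    "http://download.windowsupdate.com/msdownload/update/software/dflt/2011/01/"
    "diff-7.0.7355.0-7.0.7389.0-armv7-retail-microsoft.lang_0409"
    ".pks_0cdfd833159cd10036e6025ec1db784dd712b2f4.cab",
    "http://download.windowsupdate.com/msdownload/update/software/dflt/2011/03/"
    "diff-7.0.7389.0-7.0.7390.0-armv7-retail-microsoft.lang_0409"
    ".pks_b4e3f25a79cfd5514895169ba167d9bd0cdb135d.cab",
]

# diff-<from>-<to>-<arch>-<sku>-<package>.pks_<40 hex>.cab (inferred layout)
_DIFF_CAB = re.compile(
    r"^diff-(?P<src>\d+(?:\.\d+){3})-(?P<dst>\d+(?:\.\d+){3})"
    r"-(?P<arch>[^-]+)-(?P<sku>[^-]+)-(?P<pkg>.+?)"
    r"\.pks_(?P<suffix>[0-9a-f]{40})\.cab$"
)


def build_tuple(version):
    """'7.0.7008.0' -> (7, 0, 7008, 0), so builds compare numerically."""
    return tuple(int(p) for p in version.split("."))


def parse_diff_cab_url(url):
    """Split one cab URL into its fields; raises ValueError on anything
    that does not follow the layout seen in the post."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    m = _DIFF_CAB.match(name)
    if not m:
        raise ValueError("not a diff cab name: %r" % name)
    return {
        "scheme": parts.scheme,
        "host": parts.netloc,
        "src": build_tuple(m["src"]),
        "dst": build_tuple(m["dst"]),
        "arch": m["arch"],
        "sku": m["sku"],
        "package": m["pkg"],
        "suffix": m["suffix"],
    }


def check_update_chain(urls, expected_host="download.windowsupdate.com"):
    """Return (first source build, final target build) if the cabs form a
    contiguous, strictly ascending chain from one host for one arch, SKU
    and package; otherwise raise ValueError saying which link is wrong."""
    steps = [parse_diff_cab_url(u) for u in urls]
    if not steps:
        raise ValueError("empty chain")
    first = steps[0]
    for n, s in enumerate(steps):
        if s["host"] != expected_host:
            raise ValueError("step %d served from %s" % (n, s["host"]))
        if s["src"] >= s["dst"]:
            raise ValueError("step %d is not an upgrade" % n)
        same_target = (s["arch"], s["sku"], s["package"])
        if same_target != (first["arch"], first["sku"], first["package"]):
            raise ValueError("step %d targets a different arch/sku/package" % n)
    for n, (prev, cur) in enumerate(zip(steps, steps[1:]), start=1):
        if prev["dst"] != cur["src"]:
            raise ValueError("gap before step %d: %s -> %s"
                             % (n, prev["dst"], cur["src"]))
    return first["src"], steps[-1]["dst"]
```

Note that the URLs as quoted are plain http://, so the parser records the scheme but nothing about the transport vouches for what is in the cab; whatever integrity the pku/cab contents carry has to be checked separately.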
Tags: chevron, hack, jailbreak, nodo, unlock