
DEV ONLY - NAND access + Full Unlock for Lumia 710 & 800

OP biktor_gj

22nd April 2012, 01:55 PM   |  #671  
Senior Member
Thanks Meter: 25
152 posts
Join Date: Dec 2011
Quote:
Originally Posted by mousey_

These are the files for the 12120 euro1 update:

http://xdafil.es/Lumia800/Dev/12120

That's 12070, not 12120...
The Following User Says Thank You to tjramage For This Useful Post
22nd April 2012, 02:29 PM   |  #672  
donpromillo
Member
Thanks Meter: 15
66 posts
Join Date: Nov 2011
Quote:
Originally Posted by biktor_gj

but you can try to disassemble it with osbuilder's Dump Tool and see if you can find your files in there...

Unfortunately, the latest OsBuilder failed to dump. I'll try with imgfstools.

DonPromillo
The Following User Says Thank You to donpromillo For This Useful Post
22nd April 2012, 02:46 PM   |  #673  
Senior Member
Thanks Meter: 114
800 posts
Join Date: Jul 2009
Quote:
Originally Posted by donpromillo

In the very first part of data.0.dat, you can find that Microsoft Primitive Provider with AES and SHA1 is used to create a CBC-Stream, which is stored by Zune in the data.x.dat files. That means to me, either there is a static key used to encrypt the CBC-Stream or a certificate. If a static key is used, it should be possible to find it; if a cert is used, the private key for this cert must be stored on the phone, because I do not need network to achieve a private key stored at MS-Sites to create a backup.

True, my guess is that it should be a static key, because you should be able to restore your phone with the backup. If the cert is on the phone and you put your phone in an unusable state, the cert may be deleted as well and the backup is useless. Just some thoughts though.

Quote:
Originally Posted by donpromillo

My first thought was that the cert "zune-tuner://windowsphone/UUID..." in my private certstore on my PC is used, but my attempts to decrypt the backup files weren't successful. But the explicit reference in the C:\Users\Myname\AppData\Local\Microsoft\Windows Phone Update\xxxxxxx - xxxxxxxx - xxxxxxxx - xxxxxxxxx\Properties\properties.xml onto this cert must have a cause.

I think this is just some sort of identifier for the device. If you look at the name of the node in the XML document it is called DeviceUrlId.

I found that the backup consists of blocks of 4194328 bytes (every .dat file has this size, except the last one). So it would be very difficult to change contents of the ROM, because it is just split into pieces and every piece has a hash (Data.x.dat.hash). If you'd want to change contents, you would have to be careful with the split data, and you would have to generate a new hash for each piece.

Then there is also the C:\Users\MyName\AppData\Local\Microsoft\Windows Phone Update\xxxxxxxx - xxxxxxxx - xxxxxxxx - xxxxxxxx\RestorePoint\XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\Data\Manifest.xml file, which contains data about every Data.x.dat file. It contains the size and the index in the ROM (every DAT has an index, as they are split into pieces). There is also a DibrVersion key for every Data.x.dat file, but I have no clue what this could be...
The Following 2 Users Say Thank You to _Madmatt For This Useful Post
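
An added illustration of the per-piece hash point in the post above (not code from the thread or from any tool it mentions): it models a backup split into fixed-size pieces with one tag per piece, and contrasts an unkeyed digest with a keyed MAC. The thread does not say what a Data.x.dat.hash file contains, so SHA-1 as the per-piece digest is an assumption, the HMAC variant is a contrast that is not on the page, and all function names and sample data are constructed.

```python
import hashlib
import hmac

BLOCK_SIZE = 4194328  # size of each Data.x.dat file reported in the post


def split_blocks(image, block_size=BLOCK_SIZE):
    """Split an image into fixed-size pieces; only the last may be shorter."""
    return [image[i:i + block_size] for i in range(0, len(image), block_size)]


def plain_tag(block, key=b""):
    """Unkeyed SHA-1 digest (assumed algorithm); the key argument is unused."""
    return hashlib.sha1(block).digest()


def keyed_tag(block, key):
    """HMAC-SHA256 tag, which cannot be recomputed without the key."""
    return hmac.new(key, block, hashlib.sha256).digest()


def failed_blocks(blocks, tags, tag_fn, key=b""):
    """Return indices of pieces whose stored tag no longer matches."""
    return [i for i, (blk, tag) in enumerate(zip(blocks, tags))
            if not hmac.compare_digest(tag_fn(blk, key), tag)]


def demo(block_size=64):
    """Run the comparison on constructed data: three full pieces, one short."""
    image = bytes(i % 251 for i in range(block_size * 3 + 10))
    key = b"constructed-secret"  # hypothetical key, not a real device value
    blocks = split_blocks(image, block_size)
    sha_tags = [plain_tag(b) for b in blocks]
    mac_tags = [keyed_tag(b, key) for b in blocks]

    edited = list(blocks)
    edited[1] = b"\xff" + edited[1][1:]  # change one byte in piece 1 only
    seen_plain = failed_blocks(edited, sha_tags, plain_tag)
    seen_keyed = failed_blocks(edited, mac_tags, keyed_tag, key)
    # An unkeyed digest stored beside the data can be rewritten with it.
    sha_tags[1] = plain_tag(edited[1])
    after_rewrite = failed_blocks(edited, sha_tags, plain_tag)
    # A tag computed without the right key still fails verification.
    mac_tags[1] = keyed_tag(edited[1], b"some-other-key")
    after_guess = failed_blocks(edited, mac_tags, keyed_tag, key)
    return len(blocks), seen_plain, seen_keyed, after_rewrite, after_guess


if __name__ == "__main__":
    print(demo())
```

Both schemes localise a change to the piece it touched; only the keyed tag still flags the piece after its sidecar value has been rewritten.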
22nd April 2012, 02:48 PM   |  #674  
Senior Member
Thanks Meter: 42
184 posts
Join Date: Nov 2009
Quote:
Originally Posted by donpromillo

Yes, I think too that there is a sort of signature. In the very first part of data.0.dat, you can find that Microsoft Primitive Provider with AES and SHA1 is used to create a CBC-Stream, which is stored by Zune in the data.x.dat files. That means to me, either there is a static key used to encrypt the CBC-Stream or a certificate. If a static key is used, it should be possible to find it; if a cert is used, the private key for this cert must be stored on the phone, because I do not need network to achieve a private key stored at MS-Sites to create a backup.

My first thought was that the cert "zune-tuner://windowsphone/UUID..." in my private certstore on my PC is used, but my attempts to decrypt the backup files weren't successful. But the explicit reference in the C:\Users\Myname\AppData\Local\Microsoft\Windows Phone Update\xxxxxxx - xxxxxxxx - xxxxxxxx - xxxxxxxxx\Properties\properties.xml onto this cert must have a cause.

So if I'm able to identify the mechanism, either cert or static secret, and able to export either private key or used secret, I should be able to create a valid signature for edited files too.

Regards

Good thought!! As phone backups are unique to the phone that made them (you cannot restore a backup made on phone #1 to phone #2, even if both are, for example, Lumia 800s), I think there is no static certificate. Each phone stores its own unique certificate to encrypt the data. It is true that Zune only handles the encrypted stream of data; the phone does the encryption. I read that over here some while ago. Best of luck!
22nd April 2012, 03:04 PM   |  #675  
Heathcliff74
Recognized Developer
Thanks Meter: 2,056
1,439 posts
Join Date: Dec 2010
Quote:
Originally Posted by donpromillo

Yes, I think too that there is a sort of signature. In the very first part of data.0.dat, you can find that Microsoft Primitive Provider with AES and SHA1 is used to create a CBC-Stream, which is stored by Zune in the data.x.dat files. That means to me, either there is a static key used to encrypt the CBC-Stream or a certificate. If a static key is used, it should be possible to find it; if a cert is used, the private key for this cert must be stored on the phone, because I do not need network to achieve a private key stored at MS-Sites to create a backup.

My first thought was that the cert "zune-tuner://windowsphone/UUID..." in my private certstore on my PC is used, but my attempts to decrypt the backup files weren't successful. But the explicit reference in the C:\Users\Myname\AppData\Local\Microsoft\Windows Phone Update\xxxxxxx - xxxxxxxx - xxxxxxxx - xxxxxxxxx\Properties\properties.xml onto this cert must have a cause.

So if I'm able to identify the mechanism, either cert or static secret, and able to export either private key or used secret, I should be able to create a valid signature for edited files too.

Regards

The device unique certs are stored in the MY-store on the WP7-device. They are refreshed about once a month (when they expire). There is a total of 4 certs in the MY-store. They are for different device-unique purposes. One of them is a zune-tuner cert.

Ciao,
Heathcliff74
The Following User Says Thank You to Heathcliff74 For This Useful Post
22nd April 2012, 03:10 PM   |  #676  
donpromillo
Member
Thanks Meter: 15
66 posts
Join Date: Nov 2011
Quote:
Originally Posted by _Madmatt

I think this is just some sort of identifier for the device. If you look at the name of the node in the XML document it is called DeviceUrlId.

No, this is a certificate with a private key that could be used to encrypt something. Normally the private key of that cert is not marked as exportable, so you can use this cert only on one computer, because you cannot move the private key. I found a tool to export the private key as a first step. Now I'm searching for information about the structure of the imgfs (which seems to be used in the backup file and in the dump of sdx9) and how to extract those containers into a usable structure like directories and files.
My attempts using OSBuilder and IMGFSTOOLS 2.1rc failed - any hints here?
The Following User Says Thank You to donpromillo For This Useful Post
22nd April 2012, 04:01 PM   |  #677  
Senior Member
Seine Maritime
Thanks Meter: 4
288 posts
Join Date: Mar 2010
Quote:
Originally Posted by donpromillo

No, this is a certificate with a private key that could be used to encrypt something. Normally the private key of that cert is not marked as exportable, so you can use this cert only on one computer, because you cannot move the private key. I found a tool to export the private key as a first step. Now I'm searching for information about the structure of the imgfs (which seems to be used in the backup file and in the dump of sdx9) and how to extract those containers into a usable structure like directories and files.
My attempts using OSBuilder and IMGFSTOOLS 2.1rc failed - any hints here?

http://forum.xda-developers.com/show...79&postcount=1
http://forum.xda-developers.com/show...82&postcount=1

I put the 'cecompr_nt.dll' from FFUParttool_v.1.3.1 in the bin folder of xidump_v1.0_beta, and the dump of RM801_12w07_prod_euro1_FlashClean.ffu works; I see a lot of files ... don't know if it helps you
The Following User Says Thank You to meLIanTQ For This Useful Post
22nd April 2012, 04:56 PM   |  #678  
donpromillo
Member
Thanks Meter: 15
66 posts
Join Date: Nov 2011
Quote:
Originally Posted by meLIanTQ

http://forum.xda-developers.com/show...79&postcount=1
http://forum.xda-developers.com/show...82&postcount=1

I put the 'cecompr_nt.dll' from FFUParttool_v.1.3.1 in the bin folder of xidump_v1.0_beta, and the dump of RM801_12w07_prod_euro1_FlashClean.ffu works; I see a lot of files ... don't know if it helps you

Thanks, I tried this, but xidump crashes on my w7_x64. All other tools I tried weren't able to extract the imgfs part from a dump of partition 9. I do not know if it's really necessary to extract the dump, but I thought it would be easier to understand the file and folder organization on the phone and so be better prepared to discover the Zune backup files.

Regards

---------- Post added at 04:56 PM ---------- Previous post was at 04:44 PM ----------

Quote:
Originally Posted by Heathcliff74

The device unique certs are stored in the MY-store on the WP7-device. They are refreshed about once a month (when they expire). There is a total of 4 certs in the MY-store. They are for different device-unique purposes. One of them is a zune-tuner cert.

Ciao,
Heathcliff74

Hi Heathcliff74,

Are the certs on the phone refreshed every month with a new private key, or refreshed using the same private key? If the latter is correct, then there is a chance that a cert is part of the backup encryption. If the private key changes, then it would imply that this is not a part of backup encryption, because every backup older than the actual certificate becomes undecryptable when the private key changes and no "master key" exists.
Regards

DonPromillo
The Following User Says Thank You to donpromillo For This Useful Post
22nd April 2012, 07:57 PM   |  #679  
Junior Member
Vilnius
Thanks Meter: 0
12 posts
Join Date: Jan 2007
Quote:
Originally Posted by mousey_

Mirrored:

Direct Link: http://xdafil.es/Lumia800/ROM/FullUnlock-os-new.nb

Zipped: http://xdafil.es/Lumia800/ROM/Zipped

Does it mean that FullUnlock-os-new.nb does the trick and wipes SIM LOCK too?
My sister has her Lumia 800 SIMLOCKED to Orange T-Mobile UK and asks me to help with that problem.

Sorry to disturb you, you can answer me by PM. Thanks!
22nd April 2012, 09:11 PM   |  #680  
voluptuary
Senior Member
Mukwonago
Thanks Meter: 747
941 posts
Join Date: Dec 2010
Quote:
Originally Posted by das_boot

Does it mean that FullUnlock-os-new.nb does the trick and wipes SIM LOCK too?
My sister has her Lumia 800 SIMLOCKED to Orange T-Mobile UK and asks me to help with that problem.

Sorry to disturb you, you can answer me by PM. Thanks!

No


Tags
android, bootloader, full unlock, interopunlock, nand