XDA Developers Android and Mobile Development Forum

DEV ONLY - NAND access + Full Unlock for Lumia 710 & 800

donpromillo
#681
I searched a bit in the ROM files and found OEM_7x30_MODEM.cab. It contains a file "modem" which seems interesting in 2 ways.

First:

I'm a lazy man and an enthusiast of analogism, and I think that developers at Microsoft are lazy too and reuse code: is it possible that the procedure to pack the data for the modem into one file and encrypt it is the same as in the backup procedure? Look at the file, which starts with an XML part describing the encryption algorithm for the payload.


Code:
<?xml version="1.0" encoding="UTF-8"?>
<SSD_METADATA>
<MD_SIGN>
    <MD_VERSION>1.3</MD_VERSION>
    <MFG_ID></MFG_ID>
    <SW_VERSION></SW_VERSION>
    <IEK_ENC_INFO>
        <IEK_ENC_METHOD>RSA-1024</IEK_ENC_METHOD>
        <IEK_ENC_PADDING_TYPE>PKCS#1-V1.5</IEK_ENC_PADDING_TYPE>
        <IEK_ENC_PUB_KEY_ID>NFam5Ryq2eM2EQ04EqlMEm2sppaxqh2kbc68ggJmfdM=</IEK_ENC_PUB_KEY_ID>
        <IEK_CIPHER_VALUE>Ci8igrQ69DQ/CqfRenEqrqrJHLU5dUgNMolOQS3irzQjuHY9CdybeWy+ThIafiok1ZD5qgsbb4n96lR13c3k+NkYAbnd7xi5sib1aIbqLOg2AKHH5rtclTp8GGzessaflPivkQH3AVoEL5fMfYpJYPULCFVOn1EwaKQBt/SFY4E=</IEK_CIPHER_VALUE>
    </IEK_ENC_INFO>
    <IMG_ENC_INFO>
        <IMG_ENC_METHOD>AES-128-ENCRYPT</IMG_ENC_METHOD>
        <IMG_ENC_PADDING_TYPE>RFC_2630</IMG_ENC_PADDING_TYPE>
        <IMG_ENC_OPERATION_MODE>CBC_MODE</IMG_ENC_OPERATION_MODE>
        <IMG_ENC_IV>2ZQOB2U6lZ9ky84o7qOW0w==</IMG_ENC_IV>
        <IMG_ENC_IMG_SIZE>23112352</IMG_ENC_IMG_SIZE>
    </IMG_ENC_INFO>
    <IMG_HASH_INFO>
        <IMG_HASH_METHOD>SHA-256</IMG_HASH_METHOD>
        <IMG_HASH_VALUE>V8G3czcnj/2wd5ZejWtsgQto+4qX2zQ77iWFBKEja1A=</IMG_HASH_VALUE>
    </IMG_HASH_INFO>
    <MD_SIG_INFO>
        <MD_SIG_DGST_METHOD>SHA-256</MD_SIG_DGST_METHOD>
        <MD_SIG_METHOD>RSA-1024</MD_SIG_METHOD>
        <MD_SIG_PADDING_TYPE>PKCS#1-V1.5</MD_SIG_PADDING_TYPE>
        <MD_SIG_OEM_PUB_KEY_ID>XKCYyiLufvHyG1NqylHXl/rwfPecv57Q/8r4qvrfB60=</MD_SIG_OEM_PUB_KEY_ID>
    </MD_SIG_INFO>
</MD_SIGN>
<MD_SIGNATURE>j0F3B6ERPOg8olsz9rhM2ypdRZYxwcWgtN+X4FSLZFB9Trhsq9irpuAxkXWignKMGC0T5iJ3dEnd1S02SHucUI6wCmOkbzecvvbWIubotptMC4Xi6llaS9odtkZyLPH7ujDxe3c/iURyiIyF0qg7ivUP4fD5qpsPfFCuQiHL7sc=</MD_SIGNATURE>
</SSD_METADATA>

Second (this is a guess, inspired by the ver.ver file, which has 7.35.00 in it, exactly like the bootloader version):

The packed and encrypted parts of "modem" are unpacked to partition sdx3 on the Lumia as adsp.mbn, amss.mbn and emmcboot.mbn, which could be the boot modes called when a backup/restore runs.
So my question is: could someone with a fully unlocked Lumia search through the files on the phone for a similar XML file containing configuration for image encryption, and find what programs or processes call them?
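
A header like the one quoted in the post above can be checked for internal consistency before anyone reasons about it. The following is an added example, not part of the original post and not code from any Nokia, Qualcomm or Microsoft tool: it parses an SSD_METADATA header at the start of a file, checks that each base64 value has the length its declared method implies, and flags RSA-1024. The names `audit_header` and `sample` are hypothetical, and the sample header is constructed (zero-filled and flattened), not taken from a real image.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

END_TAG = b"</SSD_METADATA>"
# Decoded byte length each declared method implies for its value.
METHOD_BYTES = {"RSA-1024": 128, "SHA-256": 32,
                "AES-128-ENCRYPT": 16}  # CBC IV is one 16-byte AES block
# (element holding a base64 value, element naming the method that sizes it)
FIELDS = [("IEK_CIPHER_VALUE", "IEK_ENC_METHOD"), ("IMG_ENC_IV", "IMG_ENC_METHOD"),
          ("IMG_HASH_VALUE", "IMG_HASH_METHOD"), ("MD_SIGNATURE", "MD_SIG_METHOD")]

def audit_header(blob: bytes) -> list:
    """Return findings for the XML header at the start of blob (payload after it is ignored)."""
    end = blob.find(END_TAG)
    if end < 0:
        return ["no SSD_METADATA header found"]
    root = ET.fromstring(blob[:end + len(END_TAG)])
    text = {el.tag: (el.text or "").strip() for el in root.iter()}
    findings = []
    for value_tag, method_tag in FIELDS:
        method = text.get(method_tag, "")
        want = METHOD_BYTES.get(method)
        try:
            got = len(base64.b64decode(text.get(value_tag, ""), validate=True))
        except binascii.Error:
            findings.append(f"{value_tag}: not valid base64")
            continue
        if want is None:
            findings.append(f"{method_tag}: unrecognised method {method!r}")
        elif got != want:
            findings.append(f"{value_tag}: {got} bytes, {method} implies {want}")
    for tag in ("IEK_ENC_METHOD", "MD_SIG_METHOD"):
        if text.get(tag) == "RSA-1024":
            findings.append(f"{tag}: RSA-1024 is too short by current standards")
    return findings

def sample(iv_len: int = 16) -> bytes:
    """Constructed header (zero-filled values, not from a real image) plus payload bytes."""
    z = lambda n: base64.b64encode(bytes(n)).decode()
    xml = ('<?xml version="1.0" encoding="UTF-8"?><SSD_METADATA><MD_SIGN>'
           f'<IEK_ENC_METHOD>RSA-1024</IEK_ENC_METHOD><IEK_CIPHER_VALUE>{z(128)}</IEK_CIPHER_VALUE>'
           f'<IMG_ENC_METHOD>AES-128-ENCRYPT</IMG_ENC_METHOD><IMG_ENC_IV>{z(iv_len)}</IMG_ENC_IV>'
           f'<IMG_HASH_METHOD>SHA-256</IMG_HASH_METHOD><IMG_HASH_VALUE>{z(32)}</IMG_HASH_VALUE>'
           '<MD_SIG_METHOD>RSA-1024</MD_SIG_METHOD></MD_SIGN>'
           f'<MD_SIGNATURE>{z(128)}</MD_SIGNATURE></SSD_METADATA>')
    return xml.encode() + b"\x00\xff\x10 stand-in payload"

if __name__ == "__main__":
    print("\n".join(audit_header(sample(iv_len=8))))
```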
 
Heathcliff74
#682
Quote:
Originally Posted by donpromillo View Post
Hi Heathcliff74,

Are the certs on the phone refreshed every month with a new private key, or refreshed using the same private key? If the latter is correct, then there is a chance that a cert is part of the backup encryption. If the private key changes, then it would imply that this is not a part of backup encryption, because every backup older than the actual certificate becomes undecryptable when the private key changes and no "master key" exists.
Regards

DonPromillo
I think these certs have only a public part. The encoding and decoding of the backup are probably working by getting the appropriate certs from an MSFT server at the start of a backup or restore action. The public certs are only for talking properly with different MSFT servers. I have not investigated this. This is just my educated guess. Maybe, if I have time, I will look into it later. If you have any specific questions that I may be able to answer, just ask.

Heathcliff74

www.wp7roottools.com

Developer of "WP7 Root Tools"
Pioneer of "Interop Unlock"
Pioneer in Native Code Development on WP7


Also look at some of my other work:
Collection of all official WP7 updates, language packs and OEM updates
Guide for deploying files to your WP7 device


If you have questions about unlocking, please read this before you start mailing me, because my mailboxes are full

 
Briefcase
#683
Quote:
Originally Posted by Heathcliff74 View Post
I think these certs have only a public part. The encoding and decoding of the backup are probably working by getting the appropriate certs from an MSFT server at the start of a backup or restore action. The public certs are only for talking properly with different MSFT servers. I have not investigated this. This is just my educated guess. Maybe, if I have time, I will look into it later. If you have any specific questions that I may be able to answer, just ask.

Heathcliff74
A few posts earlier he said he could make a backup without a network connection (unplugging the cable). This would mean the certs do have the private parts included?
 
Heathcliff74
#684
Quote:
Originally Posted by donpromillo View Post
Thanks biktor_gj,

My idea behind the question is the following, and I would like to know if my assumptions are logical:

I discovered that in the backup process with Zune, all data sent between the phone and the Zune PC are scrambled before they reach the PC (I snooped the USB data stream and could find that the beginning of the USB data stream is the same as the beginning of the stored files in the Zune backup folder).
So my assumption is that scrambling the backup is done by the phone. Furthermore, I can back up without any network connection, so all the things needed must be present on the phone. If so, then if I'm able to identify the encryption process and its parameters, I should be able to decrypt the stored files in the Zune backup folder too, provided I am able to port that process to x86 procedures. And the last assumption: if I'm able to decrypt the backup files, it could be possible to edit these and re-encrypt the edited files. After that, they should be usable to restore in the normal restore process using Zune.

Am I right?

DonPromillo
Quote:
Originally Posted by Heathcliff74 View Post
I think these certs have only a public part. The encoding and decoding of the backup are probably working by getting the appropriate certs from an MSFT server at the start of a backup or restore action. The public certs are only for talking properly with different MSFT servers. I have not investigated this. This is just my educated guess. Maybe, if I have time, I will look into it later. If you have any specific questions that I may be able to answer, just ask.

Heathcliff74
Quote:
Originally Posted by Briefcase View Post
A few posts earlier he said he could make a backup without a network connection (unplugging the cable). This would mean the certs do have the private parts included?
donpromillo,

Are you sure you can do this without network? I'm pretty sure this is not possible. Maybe you had Wifi and 3G disabled. But you say you were snooping the USB connection while you were making a backup. At that moment, the phone uses your PC to get an internet connection too. :P

So if you really want to test if all info is on the device, you should also disconnect your pc from the internet. If you have your phone in airplane mode and your pc has both wifi and ethernet disabled, you will probably get an error if you try to make a backup.

Ciao,
Heathcliff74

 
tjramage
#685
Quote:
Originally Posted by Heathcliff74 View Post
So if you really want to test if all info is on the device, you should also disconnect your pc from the internet. If you have your phone in airplane mode and your pc has both wifi and ethernet disabled, you will probably get an error if you try to make a backup.
If this is true - that means anyone who doesn't have a data connection can't make a backup of their phone... Surely Microsoft wouldn't allow that???
 
Heathcliff74
#686
Quote:
Originally Posted by tjramage View Post
If this is true - that means anyone who doesn't have a data connection can't make a backup of their phone... Surely Microsoft wouldn't allow that???
Why not? When was the last time you saw a smart phone with no connection at all (not Wifi, no 3G and not ethernet over USB)??

 
lilstevie
#687
Quote:
Originally Posted by Heathcliff74 View Post
Why not? When was the last time you saw a smart phone with no connection at all (not Wifi, no 3G and not ethernet over USB)??
The backup is done in SCDL so wifi and 3G of the device would be disabled anyway
 
voluptuary
#688
(Last edited by voluptuary; 23rd April 2012 at 04:53 AM.)
So, I've built ROMs for the Samsung Focus and for the HTC HD2. Both of these have flashing tools to allow us to flash the fancy new ROMs we built to our phones. If we have the unlocked bootloader, can't we just rebuild the esco and flash that with QPST? Or is there something I am missing? Building the Lumia ROM in OSBuilder seems to be the same as other devices. So if I just take the .nb that is built and rename it boot.img, then add that to a zip and then rename that zip bla_bla_rom.esco, will that not work? Or is there something more? Does the Qualcomm bootloader still need signed files of some sort? I ask this because if we can do it this way then we won't have the Live services activation issues as well as the other odd problems, plus it is just way more end user friendly.
My contributions:
Clean ROM for Samsung Focus v1.3, Nokia Lumia 800, and HTC HD2
Samsung Interop Unlock & Internet Sharing All-In-One for Windows Phone
Samsung Custom Theme & Accent Colors for Windows Phone
List of Windows Phone Unlocks by Type/OEM

Allstars that donated: RonV42, dark.angel

CURRENT DEVICES: HTC HD2, Nokia Lumia 800, Nokia N9, Apple iPhone 4, Nokia Lumia 920

Get a FREE 2GB Dropbox account plus we'll get a bonus 500MB!
 
tjramage
#689
Quote:
Originally Posted by Heathcliff74 View Post
Why not? When was the last time you saw a smart phone with no connection at all (not Wifi, no 3G and not ethernet over USB)??
Good point. But I figured there is a possibility someone may not have a data connection and need to create a backup... If it was me, I wouldn't disallow people in those circumstances to back up their phone... But maybe Microsoft is different.

Quote:
Originally Posted by lilstevie View Post
The backup is done in SCDL so wifi and 3G of the device would be disabled anyway
I may be wrong, but I think Heathcliff74's point is that the cert-checking is done before the phone enters this mode.
 
JusThinK
#690
Quote:
Originally Posted by tjramage View Post
Good point. But I figured there is a possibility someone may not have a data connection and need to create a backup... If it was me, I wouldn't disallow people in those circumstances to back up their phone... But maybe Microsoft is different.

I may be wrong, but I think Heathcliff74's point is that the cert-checking is done before the phone enters this mode.
As far as I know, there is no real backup procedure available for Windows Phone. The way all current backup tools work is by a fake firmware update, which actually initiates Zune to create a restore point. So this entire process is related to firmware update via Zune, which actually requires an internet connection.

PS: I will try an offline backup today and will update with the result.

Nokia Lumia 620/820/920
Nokia Phone | Nokia 5800 | N8 | Lumia 800

Acer Iconia A100 - Unlocked.
Transcend microSDHC Class 4 32 GB LTW
Nokia BH 505 SOLD


Join & Let us both have DropBox(2 GB+250 MB)

Show ur Love, Like Lumia on FaceBook http://lumia.technochat.in/
