DEV ONLY - NAND access + Full Unlock for Lumia 710 & 800


Briefcase (Senior Member, Nov 10, 2009):
****, then. You seem to know your stuff, any ideas about possible weak areas of the OS?

I'm not one of the hardcore hackers here. I did dig into the network setup app and noticed the possibility of an exploit, but once I informed Heathcliff about that he already had his proof of concept finished and was looking into the driver stuff. I'm not hardcore enough to deal with the low-level hacking stuff (disassembling ARM DLLs and such). But I do read a lot here at this forum and that's how you pick up on things.

- Bootloader attempts seem to be stuck for now, at least for the phones that have Nokia DLOAD; it's very hard to bypass the certificate required for flashing or to find an exploit that allows for arbitrary code execution. This is really hardcore stuff.

- Network setup attempts are stuck because of the reasons mentioned in my previous post.

- There is also some research done by trying to understand the update progress via Zune. This traffic is encrypted but we don't know yet if the keys used for that are static or dynamic (different for each phone). We did find some keys in the Nokia DLOAD bootloader, but we don't know if they are public or private. If public we may only be able to read the content, not to alter (and re-encrypt) it. This process is in an early stage.

- Just mentioned STK app possibilities (maybe it's possible to run code via an infected SIM card if exploits exist in the app ('s driver) that handles these kinds of operations). Not even started yet/requires special hardware.

- Other Nokia apps that require interop permissions. I think this is unlikely to be successful as these apps do not use configuration files (like Network Setup's 'database') but instead use hardcoded registry keys inside the program. Changing these values would require altering the program => mismatch in signature => no go.

Nokia and MS clearly did not make our lives easy, but to be fair I actually think this is a good thing too. With a system as secure as this we are also protected from attempts to hack the system for other reasons than we have (software piracy (very bad from a developer's point of view!)/malicious software/etc).
 

iawa (New member, Oct 14, 2006, South East, UK, iawa2k.co.uk):
Was the network setup app already in your firmware when you bought it and turned it ON, or did you have to download it from the Marketplace?

If you downloaded it from the Marketplace then it is of no use.
Thanks for letting me know :)
I know I have updated it via Marketplace but I'm not sure if it was on there. Would a factory reset tell me? It is an unlocked Cyan model (hence I think it was on there to help with whatever SIM was installed).
 

trenbeth (Senior Member, Nov 9, 2010):
Two questions:

Are we able to get the individual files (like coredll.dll) of WP7 from the filesystem dump (of those Lumias with Qualcomm bootloader)? If so, how do we get them?

I discovered that if you connect the Lumia 800 by USB to the PC, and have Zune running, then the Lumia can use the Internet connection of the PC through USB. Is this a known feature?
 

ap3rus (Senior Member, May 8, 2010, Saint-Petersburg):
I discovered that if you connect the Lumia 800 by USB to the PC, and have Zune running, then the Lumia can use the Internet connection of the PC through USB. Is this a known feature?

Yes, for every Windows Phone, not just Lumia.

http://www.microsoft.com/windowsphone/en-us/howto/wp7/start/connecting-how-and-when.aspx
And when your phone's connected to your computer using a USB cable and your computer is connected to a network, your phone will choose your computer's network connection over the other connections.
 

biktor_gj (Senior Member, Jan 25, 2008):
Hey everyone,

I was hoping to be able to crack Nokia's osbl, but time already ran out and I wasn't able to get it. So sorry, guys, but I had to return both Lumias. It's been a fun month, and at least I helped get custom ROMs for at least some of you.

I'll be uploading here all the files I have on my computer so anyone can mirror them or use them for whatever you might need. If I can help you with something else (development related please) feel free to drop me a PM.

Once again big thank you to Ultrashot, Beidl, Xsacha, cdbase, ceesheim, HeathCliff & everyone that helped out with this. Now back to my (almost) forgotten Galaxy S2 & to try Boot 2 Gecko and see what progress has been done since the last time I checked :)
 

surya467 (Senior Member):

Ohh man!
:/
It was awesome having you around. Thanks for everything, I wish it would be possible for the other 800's as well.
As we know we still have the 900 and 610 as well.
Hope someone can do something about this.
 

dy_domyoung (Senior Member, Feb 13, 2010):
I think I may cry. Thank you anyway biktor_gj; hopefully someone will carry on your work and find a way for all Lumias to be fully unlocked.

Farewell
 

beidl (Senior Member, Apr 30, 2009, Vienna, fredl.me):

Sad to read this. I salute you, dude! You did a great job and allowed the few lucky users to enjoy their devices more than before.
If some day we will both have the same/similar devices again, maybe we can do some bootloader experiments! :p
Have fun, and most importantly: Thank you!
 

g-gabber (Member, Apr 15, 2012):
Damn!
Some information from my side: Nokia implemented its own protocol, used by Nokia Care Suite to read information about the phone (IMEI, SN, model, type etc.). This protocol is based on JSON. I managed to find the handler and reverse it. I also recognized that Nokia uses the open source jsoncpp. Luckily this is an open source project, and they have a bug tracker here. There is a very interesting report called "Crash on specific partial Json string. - ID: 3495702". This "partial Json string" is:
PHP:
"0, \"test_string\", 2, [ 2006, 1, 1, 12, 28, 57 ] ] }\n"

I tested this with the Nokia implementation, and it is true: the process responsible for JSON message handling crashed after sending this string. No clue if we can exploit it, maybe someone can check it more deeply.

br g
 
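A defensive counterpart to the message handling discussed in this post, added here as an example; it is not the NCSD code or anything posted in the thread. It shows how a handler can reject the partial JSON string (and the bare-number variant tried further down) without crashing; the names handle_json_message and MAX_MESSAGE_BYTES and the sample messages are this example's own.

```python
"""Defensive handling of NCSD-style JSON control messages (added example).

Not Nokia's or NCSD's code: it demonstrates how a receiver should treat the
malformed inputs from the thread (a partial JSON string, and a bare number
followed by trailing data) so that a bad message cannot crash the handler.
The function and constant names below are this example's own.
"""
import json
from typing import Any, Dict, Tuple

MAX_MESSAGE_BYTES = 64 * 1024  # size cap applied before parsing (assumed limit)

# Sample inputs, constructed here: the string from the jsoncpp bug report
# and the variant tried later in the thread, plus one well-formed message.
PARTIAL_JSON = b'0, "test_string", 2, [ 2006, 1, 1, 12, 28, 57 ] ] }\n'
BARE_NUMBER = b'0, 888888888888888888888888888888'
VALID_MESSAGE = b'{"command": "ControlLogging", "arg": "ON"}'


def handle_json_message(raw: bytes) -> Tuple[bool, str, Dict[str, Any]]:
    """Return (ok, reason, message).

    ok is False whenever the input must be rejected. The function never
    raises, so a malformed message cannot take the receiver down.
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        return False, "message too large", {}
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False, "invalid utf-8", {}
    try:
        # json.loads rejects trailing data ("Extra data"), so both the partial
        # string and the bare-number variant are refused at this point.
        root = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"parse error at offset {exc.pos}", {}
    # A lenient parser may report success on input such as "0"; treating a
    # scalar root as an object is the post-parse failure to guard against.
    if not isinstance(root, dict):
        return False, f"root is {type(root).__name__}, expected object", {}
    command = root.get("command")
    if not isinstance(command, str) or not command:
        return False, "missing or non-string command", {}
    return True, "ok", root


def demo() -> None:
    """Run the handler over the constructed samples and show each verdict."""
    for sample in (PARTIAL_JSON, BARE_NUMBER, b"0", VALID_MESSAGE):
        ok, reason, _ = handle_json_message(sample)
        print(f"{sample[:24]!r:32} -> ok={ok} ({reason})")


if __name__ == "__main__":
    demo()
```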

Bph&co (Senior Member, Apr 14, 2012):
No clue if we can exploit it, maybe someone can check it more deeply.

br g

Hi,

NCSD v1.9: send "ControlLogging" with arg "ON", do the crash test, then send
the same with arg "OFF". Not sure if, when you crash the exe, the clean-up code will
close the file (probably not), but since they update with append(), the data should
be in the FS (if not too much buffering).

The file (ncsdapp_log.txt) is in the last partition, the user part; you can find it with
a simple binary search in the partition too.

Edit: check attached example

BR
 

Attachment: ncsdapp_log.txt (23.5 KB)

Bph&co (Senior Member, Apr 14, 2012):
It seems this string causes some kind of crash in the current NCSD JSON implementation. It is not the whole string, but the lack of a left curly bracket, most probably. After testing with some variants of the string, the result is always the same:

Code:
Enter:CNcsd::RecvData 
Leave:CNcsd::RecvData 
CNcsd::Receiver Recv Data [4 bytes]: "0, 8"
Enter:CNcsd::HandleJsonMessage 
Enter:CNcsd::Process 
Parsing succeeded

- result is for "0, 888888888888888888888888888888"

The logging stops, and the handler stops responding too. I guess it is not possible
to trap the exception via modding of the ncsd executable; we need a proper OS
crash dump to see what really happens. Maybe ultrashot and co have a clue
how to enable this in the custom ROM?

BR
 

rescbr (Member, Mar 1, 2008):
Has anyone seen this?
When we initially identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft, we immediately began investigating Microsoft’s signing infrastructure to understand how this might be possible. What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure.
http://blogs.technet.com/b/srd/arch...added-to-the-untrusted-certificate-store.aspx
 

inket (Senior Member, Apr 8, 2012):
We could maybe try to reverse engineer the marketplace transaction with that fake certificate. Possible ?
 

inket (Senior Member, Apr 8, 2012):
I think the flashing process requires a firmware signed by Nokia, not Microsoft. Zune updates may be another story.
 

Top Liked Posts

UPDATE: First custom ROM with Interop Unlock flashed successfully. Requires hard reset after installing and an unlocked bootloader. See post for proof:
    http://xdaforums.com/showpost.php?p=24818275&postcount=242
    BIG THANK YOU TO ULTRASHOT!
    Without you I couldn't have done it!
NOTICE: Testing full unlock (XIP unlock etc) with ultrashot. Will post new files as soon as I get a working build which doesn't get stuck on boot ;)

    Disclaimer:
I AM NOT RESPONSIBLE IF YOU LOSE DATA, BREAK YOUR PHONE, OR SET YOUR HOUSE ON FIRE. DO THIS AT YOUR OWN RISK. BTW, REQUIRES A HARD RESET SO YOU WILL LOSE ALL THE DATA IN YOUR PHONE BY FLASHING THIS. IF UNSURE, DON'T DO IT.
    PLEASE STOP PM'ING ME FOR HELP, I CAN'T REPLY 20 PMS/HR. Please use the forum, maybe someone can create a discussion topic to help others and leave this for links and development. Thank you very much!

    PLEASE STOP SENDING ME PMS ASKING FOR HELP AND USE THE DEDICATED THREAD
    THIS THREAD IS FOR DEVELOPMENT ONLY, PLEASE RESPECT THAT AND USE THE Q&A THREAD FOR YOUR QUESTIONS.
    LINKS:
    Lumia 800: Full Unlock
    New firmware: May 16, 2012 (removed foursquare and stuff)
    sdb3.rar: Flash it to PARTITION #3. It contains 12070's amss & adsp. Not absolutely required but if you have an older version this should give you better battery life.
    http://www.mediafire.com/?kwjladlgvq81rha
    OS-NEW:
    As always, flash it to PARTITION #9.
    Part1: http://www.mediafire.com/?21by2oj7acnhkhw
    Part2: http://www.mediafire.com/?wkeduvp9l4199qh
    Part3: http://www.mediafire.com/?cnbkms40dy4y06z
    Part4: http://www.mediafire.com/?rabunpmnaqclq3o
    Complete Mediafire folder access: http://www.mediafire.com/?uo2dqcl34b9cy
    ___________________
    Alternate ROM with Full Unlock + Some apps:
    Part1: http://www.mediafire.com/?8gnqm418v32im3e
    Part2: http://www.mediafire.com/?bgtg2t5infrnua1
    Part3: http://www.mediafire.com/?l0sl5hbr0v9gfi1
    Part4: http://www.mediafire.com/?emt2dfswdhn0z0w
    Apps preinstalled:
    DS Supertool
    File Deployer
    Metro Theme
    WebServer
    WinTT
    WM Device Center
    WP7 Root Tool

    ___________________
    Lumia 710: Interop Unlock (no full unlock yet)
    ROM Based on: RM803_059N2L6_1600.3015.8107.12070_010
    Mediafire folder access: http://www.mediafire.com/?9z6og65ozgrnr
    http://www.mediafire.com/download.php?d3bj3dkfbffbakn
    http://www.mediafire.com/download.php?l35zjaebdrsm315
    http://www.mediafire.com/download.php?ys5bapu8ubezybo
    http://www.mediafire.com/download.php?tnadd4uuoxhatv3
    CAUTION: I don't have a 710, so these images AREN'T TESTED. Use at your own risk. Be careful, people are reporting problems with this rom.
    Full Unlock Image for Lumia 710 by lucifer3006 -BE CAREFUL, IT HAS BUGS, FOR TESTING PURPOSES ONLY- (thanks ultrashot & lucifer3006): http://www.mediafire.com/?p3318y5l19abb

    You have a mirror of all the stuff on mediafire on xdafil.es: http://xdafil.es
    Thank you mousey_!

    PLEASE DO A FULL BACKUP OF THE NAND BEFORE PLAYING AROUND.
    If you are developing fixes for the bootloader 'problem', feel free to grab a copy of the rest of partitions and stuff I posted over this thread here: http://www.mediafire.com/?kknt4lnc3tn7w


    INSTRUCTIONS:
    Requires an unlocked bootloader (a.k.a. qualcomm development bootloader).
    Easy to check: Turn the phone OFF, then press and hold VOLUME UP + POWER until you notice a short vibration. Plug in to the computer. If the phone turns up in disk mode (USB Mass Storage Device), then you have an unlocked bootloader. IF you're in Windows, it will ask if you want to format the disk. SAY NO OR IT WILL EXPLODE (it won't explode but you might break it)
    If the device detected by the computer is Nokia DLOAD you have a locked bootloader and you're out of luck, at least for now.

I used 'dd' in Linux, I guess you can do it with the Windows version too (http://www.chrysocome.net/dd) but it's more involved to find the appropriate partition:
    dd if=./os-new.nb of=/dev/sdX9
    Where X is the disk detected by your linux distribution.
    After that, you'll need to hard reset the phone. Hold Power button for 10 seconds to exit Qualcomm's disk mode, and press and hold POWER+VOLUMEDOWN+CAMERA until you feel the phone vibrate. After that, RELEASE power button but KEEP HOLDING volume down + camera for five or more seconds. This will trigger the hard reset.

    Now time to play with bootloaders and try to get this to work for everyone!

    If you like my work and want to donate for a beer (or two), follow this link
I'd suggest renaming one of the colors. Would be great if it was possible to interop the phone without losing data.

    Well, you can always make a backup and then restore via zune. The thing is the dumped OS is about 600Mb, the generated image is 378Mb. I don't know how it will reside on the flash, you could always check where the flash starts to get filled with zeros and clean it up before the first boot... If they had done it right and separated user data from the main OS we wouldn't have this problem...

    INTEROP UNLOCK ACHIEVED!

    Now time for a nice beeer ;)
I'll put mediafire to work and upload the image I just did. Everyone who has an unlocked bootloader: after you flash this to the phone, DO A HARD RESET, otherwise it will get stuck on 'Installing Applications'
    Btw, here is my DppImplant app.
    Implants DPP partition with your stock Live Id to a custom rom.
    Usage:
    1) Put backup of the biggest partition to the folder with DppImplant.exe and call it "stock.nb"
    2) Put "os-new.nb" there - target firmware in which you want to see your old Live Id.
    3) Open DppImplant.exe. It will extract DPP from stock.nb and create mydpp.bin file. (After that you won't really need to have stock.nb in that folder).
    "os-new.nb" will be patched.
    4) Done.

    P.S. if you open DPP using Notepad or any hex editor, you'll see saved Live Id.
    Ok L710 fully unlocked :)
    Those 2 parts are wrong. I used to narod.ru

    http://www.youtube.com/watch?v=-rQbFp7yasc


    CAN WE KEEP THIS FOR DEVELOPMENT ONLY PLEEEEEEEEEEEEEASSSEEEEE?

    Gift from our friends at Qualcomm:

    Full AMSS firmware + Secboot Sources (Qualcomm loader)! Grab it while it's hot!

    http://www.mediafire.com/?ir2h15f663ja6wc