Android TV Launcher Pushed to Google Play

Over the past decade, the tech universe has seen two drastic and widely contrasting changes with … more

Cyngn, OnePlus, Micromax – The Legal Battle

Recently, a battle has been waging in India over the rights to distribute the commercial … more

Lean Mean Battery Power Saving App Review

We talk a lot about battery topics here at XDA TV. We talk about everything from Power Banks to USB … more

Android 5.1 Possibly Coming February 2015

Google released Android 5.0 just over a month ago, and since then Lollipop has been trying to … more

Welcome to XDA

Search to go directly to your device's forum

Register an account

Unlock full posting privileges

Ask a question

No registration required
Thread Deleted

Reversing Kin Syncing Procedure [Theory]

OP johnkussack

1st May 2011, 01:15 AM   |  #1  
johnkussack's Avatar
OP Senior Member
Thanks Meter: 22
 
293 posts
Join Date:Joined: Aug 2010
Mmm at last, the thing was discovered, and just experimentation is needed, so we can test the syncing (Cheack Thread Page 3).

Old post text:
Code:
Mmm as I am far from a selfish guy, and have been asked about this, i think that i will share in an independent thread for anyone to see.

Note that this comes from my own ideas, not tested as i cannot use MTP protocol anymore.

Responsability Disclaimer
This may be agains DCMA or laws about reversing in your country. It's not probably being that way as is a development to interoperate with an unsupported OS (linux) and its one of the exceptions, but i'm not responsable for any liability you can have or imagine.

What is this for?
This is the procedure to follow before thinking in hacking the phone itself, trying to get to write and read files from the device.

It could faild and serve to no purpose or be gold, depending on the success of the tests.

In the best case, this will lead to the reading and writing of files at will to the device storage.

USB protocol Pre-Knowledge (fast)
I know you dont wanna know about it, and i am far from an expert but i must just express that USB devices support two operations:

Bulk Transfers -> Big chunks of data, used mostly for the common data transfers up to 512Bytes per transmission (at a max/time).
Interrupt Transfers -> Short chunks of data, used for changing settings on the device or short burst of information.

For your personal knowledge, MTP protocol instructions are bunch of hex codes and they use bulk transfers for all of the MTP instructions.

Required items - Gathering
- Working Kin
- Windows OS as host OS
- USB sniffer / monitor (I like Usblyzer, has trial for 30 days)
- CPU with virtualization capabilities (google how to check)
- Vmware
- Mac OSX image dvd (Snow leopard)
- Software & registration from MacSpace for Kin Media Sync 

Procedure
- Unplug the kin & close all zune software opened.
- Install OSX in an vmware machine
- Install and setup Kin Media sync  for mac
- Kill the process that launches zune when you plug the device ("ZuneLauncher.exe")
- Plug the kin now. Use a port where no other device is, so try to put it not together with other usb device like mouse/keyboard which could send packets and confuse the capture.
- Install and setup usb sniffer for windows.
--- Set it to sniff/capture at the USB port where the kin is (it's a tree view structure, so easy to see where to put the check). Dont do it at the left of the KIN device!!! do it on the bus/port as you will disconnect the kin later. Press start capture.
--- Open the zune software and visually check that the sniffer is capturing data (eeeeeeeeeeeeaaaaaaasssssyyyyyyy as it appears there). If it doesnt, you'r doing it wrong, probably cause the port/bus issue.
--- Close zune
--- Reset the capturing (stop, dont save, start).
- Open the virtual machine if it isnt.
- In the virtual machine you should have Kin Media Sync installed, which autolaunches if you have plugged the phone (virtually).
- In the virtual machine window bottom right (vmware border) you will see an item with usb icon. Hover over it and see if the tooltip says KIN. If there are more, look for the right one. Right-Click on it and pick "Connect (Disconnect from host".

- Hopefully, the usb sniffer on Windows would turn mad and begin capturing data, while Kin Media Sync is opening on the OSX virtual machine.
- I cant remember if it does put the label "Connected" at the Kin (you should remember that window from the Zune syncing :P). If it does, close Kin Media Sync and stop the capture on the windows usb sniffer. Else, do a sync before closing (doesnt matter what).
- Save the captured log as a file (in my case, Usblyzer file).

Yeah, but why this is better than other software?
Other users (and myself) have tried software that uses the MTP software which has some success on getting info from the device but fail when it comes to do reading or writing to the device.

I guess it's probably because the rest of the protocol, the private part that microsoft uses (MTPz) has some control values through the usb that turn on/off device properties, among ones is the one to write/read files.

My first idea was to understand this through the Zune software, but as i said many times, it uses DRM (Janus) to protect the songs (sigh!) and the mtp specification varies if using DRM protection, so i can never find out a way to solve it, without hacking the Zune software cryptography itself (not my intention at all) or became an old man finding how to bypass it. In any case, the Zune software does a RSA challenge-response handshake to the kin before calling to MTP-OpenSession, i can assure that, so its out of reach.

On the other hand Kin Media Studio for the OSX has no official DRM and it can just do easy syncing, so it's pretty much obvious for a dev guy (i am, haha) that its an easiest way to replicate. So i tried to go that way and i was correct, so it just does normal operations through usb and control interrupts.

The problem is that the native sniffers from OSX only capture 16 bytes of data through the usb bus, so messages over that cipher were not reachable for me at the moment. I contacted apple USB master guys about getting a bigger limit, and the resumed answer was something (just much more politely) like: "you'r screwed & stuck with 16 bytes".

So the only approach is to emulate Kin Media Sync in an OSX virtual machine under a windows os machine for the best sniffer software. Another bad point for the fruit logo machines.... (and i'm an owner... imagine a hater!). Here is why I stopped, as my normal working device (laptop) is kinda old and has no VMX/virtualization support, so i couldnt setup the virtual machine for OSX, stopping all the needed setup.

From sniffed data to magic
At this point, comes the complicate part. Understanding & testing the packets sent to the device to make things work. This is the part where i was going to operate with a new device or my current one if it wasnt bricked/stuck.

The problem appears with this structure (what is on the logged sniffed session):

- Plug the device
- Device <-> OS Handshake (Interrupt/Bulk transfers possible)
- Kin media sync queries (Interrupt transfers)
- Kin media write/read enable (Interrupt transfers)
- Kin media MTP Open session (Bulk transfer)
- Kin media MTP GetStorageInfo (Bulk transfer)
..... more MTP xxxxx (bulk transfer)
- Kin media MTP Close session (bulk transfer)
- Kin media write/read disable (Interrupt transfers)
- Kin media bye bye sync queries (Interrupt transfers)
(if unplugged, the ones below)
- Device <-> OS Goodbye (Interrupt/Bulk transfers possible)
- UnPlug the device

As some of you may realize, normal MTP software used didnt make the "read/write enable" cause the kin is not a standard device. So they fail. Once some person identifies which of this interrupt values make the kin "Connected" window shown and also enables it to be writable, profit comes.

So to test this and later make it published, you need a program to communicate with the device itself and do what some of you called "send hex codes to the kin" (which technically is "bulk and interrupt transfering values to the kin")

There seems to be none, so i code one from scratch and could polish it a bit and giveaway as a Netbeans C++ proyect.
I had some success and it works ok as i reused it(almost all the code) to operate my G15 on linux, iluminating keys and using the LCD pixels.

This can brick my device?
The short answer to this is NO. The long answer is no again, but cannot be sure of what happens enabling the the device settings while testing. It may become frozen and need to be restarted for example.

During the few test i made, mine refused to operate within my usb program and it was autosolved by libmtp-tools, which did a protocol reboot and it just work as is without doing nothing.

Anyway, i was aware that it was better than getting stuck with the phone "as is".



mmm All being said above, i just leave space for you guys to think what you wanna do with the info and questions that may appear.
Last edited by johnkussack; 17th May 2011 at 09:31 PM.
1st May 2011, 01:52 AM   |  #2  
Junior Member
Thanks Meter: 0
 
25 posts
Join Date:Joined: Feb 2011
Thanks but Hardware Virtualization came up as a no on my laptop.
I hope someone else tries.
I know I know I have to change my username as there are many similar and it gets confusing.
Thanks for taking the time for all the above text
1st May 2011, 04:26 AM   |  #3  
Senior Member
Thanks Meter: 9
 
115 posts
Join Date:Joined: Apr 2011
I had a quick read-over what you put, but haven't looked at everything in detail. My wife had a baby yesterday morning, so I'm finding myself rather busy as of late.

Anyway, I'm more than happy to run some tests. Here's what I have access to right now (at home), with much more available when I get back to work in two weeks:

XPS m1530 laptop running x86 Windows 7 (dual-boot to Ubuntu 10.10 running as the Joli OS front). No Hardware Virtualization available for this system, though it can run VMWare for 32-bit Windows OS's.
Macbook Pro (Intel 64-bit archetecture) running 10.6.7 Snow Leopard. Can set up virtual machines if needed, using VMWare, but I'm not sure if that's necessary or not.
Powerbook G4 (PPC) running 10.5.x (latest 10.5 build). Can't run virtual machines, but can be used if another source is helpful to trace.
My personal KIN TWOm running the M OS build. Can technically be reverted back to the TWO (non-M) OS, but I'd rather not lose everything as it's my working phone.
My wife's TWOm, not activated. I can probably play with this more, as she isn't ready to use it yet, but I'd be in trouble if I bricked it.

At work, I have access to a number of different computers and OS's, as needed. I don't think this would be necessary, but they are still there.

John, can I ask where you're at? I've gotten the notion that you're not in the US, as you've said you don't have access to a CDMA network. Is there any way we can get your phone to a US Verizon store for assistance?
1st May 2011, 12:49 PM   |  #4  
johnkussack's Avatar
OP Senior Member
Thanks Meter: 22
 
293 posts
Join Date:Joined: Aug 2010
Quote:
Originally Posted by klamation

Macbook Pro (Intel 64-bit archetecture) running 10.6.7 Snow Leopard. Can set up virtual machines if needed, using VMWare, but I'm not sure if that's necessary or not.

This has hardware capabilities (VMX feature), but you should have to install XP (or 7) through bootcamp and then install the OSX there, as the host must be windows. Anyway, you'r "lucky" as 64 bit machines can get up to 32 bytes from the usb bus, so 2x my limitation (not enough but more).

Quote:
Originally Posted by klamation

John, can I ask where you're at? I've gotten the notion that you're not in the US, as you've said you don't have access to a CDMA network. Is there any way we can get your phone to a US Verizon store for assistance?

I'm from Europe, so most phone network is common GSM with some 3G implementations. I didn bought the phone from verizon, so have no relation to them and hence, no way to give them the phone expecting a working return (why should they in any case?).
2nd May 2011, 04:30 AM   |  #5  
Senior Member
Thanks Meter: 9
 
115 posts
Join Date:Joined: Apr 2011
Quote:
Originally Posted by johnkussack

This has hardware capabilities (VMX feature), but you should have to install XP (or 7) through bootcamp and then install the OSX there, as the host must be windows. Anyway, you'r "lucky" as 64 bit machines can get up to 32 bytes from the usb bus, so 2x my limitation (not enough but more).

After I read the details of what you want to do, I thought the same thing. I have 64-bit Windows 7 set up on a bootcamp partition (I actually use VMware Fusion to run it, most of the time, but can natively boot into it, if I need). I have never been successful at setting up an OSX VM though, as it's not officially supported. If you have any reference on how to do it, I'm all ears. I'll do more research into it after posting this.

Quote:
Originally Posted by johnkussack

I'm from Europe, so most phone network is common GSM with some 3G implementations. I didn bought the phone from verizon, so have no relation to them and hence, no way to give them the phone expecting a working return (why should they in any case?).

Considering the phone is less than a year old, it should still be under warranty. I know I've taken phones into their stores before and had them reimage them. I should try that with the KIN to see if they can do it (if the stores actually have the ability to reimage a KIN phone, indicating they have a ROM of it)
2nd May 2011, 05:14 AM   |  #6  
Member
Thanks Meter: 10
 
36 posts
Join Date:Joined: Apr 2011
More
I could assist, I have a tri-boot of vista, 7, and OS X.

I doubt that there is a 128 bit processor emulator, let alone the OS...so wouldn't a solution be to use the same technique ,but "freeze" the process to collect data being transferred?

When I mean freezing, I mean slowing the USB data transfer speeds (using hardware underclocking, on the computer and/or phone)
2nd May 2011, 04:32 PM   |  #7  
johnkussack's Avatar
OP Senior Member
Thanks Meter: 22
 
293 posts
Join Date:Joined: Aug 2010
@klamation
http://www.redmondpie.com/how-to-ins...ows-7-9140301/

Also, it could be a hackintosh image, i guess. At least if it is able to install the kin media sync software...

Quote:
Originally Posted by awesome71717

...

i didnt understand anything beyond the 1st line.
there is no need to slow anything as it was a OSX kernel limitation thing, period.
Last edited by johnkussack; 2nd May 2011 at 04:34 PM.
3rd May 2011, 12:54 AM   |  #8  
Junior Member
Thanks Meter: 0
 
25 posts
Join Date:Joined: Feb 2011
John,
Why do we need 64bit vmx capability to capture messages when the Zune Software is successfully messaging with 32 bit on windows machines? Obviously I am missing something important.
Dave
3rd May 2011, 02:17 AM   |  #9  
johnkussack's Avatar
OP Senior Member
Thanks Meter: 22
 
293 posts
Join Date:Joined: Aug 2010
Quote:
Originally Posted by kintwouser

....Dave

You'r missing a more detailed reading of the first post.

Quoteing myself:
Quote:

My first idea was to understand this through the Zune software, but as i said many times, it uses DRM (Janus) to protect the songs (sigh!) and the mtp specification varies if using DRM protection, so i can never find out a way to solve it, without hacking the Zune software cryptography itself (not my intention at all) or became an old man finding how to bypass it. In any case, the Zune software does a RSA challenge-response handshake to the kin before calling to MTP-OpenSession, i can assure that, so its out of reach.

3rd May 2011, 05:09 AM   |  #10  
Member
Thanks Meter: 10
 
36 posts
Join Date:Joined: Apr 2011
More
John, I was talking about halting the processor of the phone to allow the cache of data to be recorded and cleared. Once cleared, the processor will resume and the cycle can be repeated until the data is fully collected.

Anyway, has anyone found a jtag port on the board?

Subscribe to Thread
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes