Windows Phone 8 Root/other Certificates Maybe?

compu829
(Last edited by compu829; 7th May 2013 at 09:52 PM.)
#1  
Senior Member - OP
Thanks Meter 224
Posts: 264
Join Date: Nov 2006

Hey Guys,

Below is a list of the things that my HTC 8x does when it checks for Windows Updates. I am waiting for Microsoft's server to decide to give me a new firmware, so I decided to sniff out the TCP stream. Of note, I found the following:

1. Phone contacts http://fe1.update.microsoft.com/WP8/...sDetection.dll
The Phone goes out and fetches this dll onto the system. It references the following certificates (which you can download):
root cert http://www.microsoft.com/pki/certs/M...2010-06-23.crt
production cert http://www.microsoft.com/pkiops/cert...PCA%202012.crt
time stamp PCA? http://www.microsoft.com/pki/certs/M...2010-07-01.crt

2. After that, it goes and fetches the following cab file: http://sds.download.windowsupdate.co...ir/duredir.cab. This cab file contains a single xml file called wuredir.xml. It has two values: the clientServerURL and the ReportingServer URL.

3. After this, some https traffic occurs to the clientserver URL. I am guessing this is it checking for updates.

4. Then it posts to http://statsfe1.update.microsoft.com...ebService.asmx with a SOAP action of http://www.microsoft.com/SoftwareDis...portEventBatch with a whole bunch of info on the phone.

The User Agent being used for all of these communications is as follows: Windows-Mobile-Device-Update-Agent

If this dll it is fetching is unsigned, I wonder if we could have some fun.... I am also wondering what happens if we develop and sign an xap with Microsoft's certificate, and whether it will allow us to do more things within the OS.
 
dazza9075
#2  
Recognized Contributor
Thanks Meter 442
Posts: 2,785
Join Date: Jul 2007
Location: Glasgow

 
Sign with Microsoft's private key? If you have access to this, then you're about to become very popular.

Sent from my Arc using xda app-developers app
 
snickler
#3  
Forum Moderator / Recognized Developer
Thanks Meter 430
Posts: 777
Join Date: Aug 2010
Location: Wheeling, WV

 
Hmm, the 5_UssDetection seems to be a normal PE32 .dll. Not .NET compiled. I don't see any COM Imports/Exports for it so finding this out may be a little difficult. I haven't used any tools like IDA though, just a normal PE explorer program.

This is good information though. I wonder if GoodDayToDie may have some further input?
My Apps:
R1ng3d | CloudMuzik V1.5 Now in the MarketPlace for both WP7 and WP8
My Projects and Contributions:
WP8 Registry Tools | Async Wrapper for WP7 Root Tools SDK
My Phones:
Lumia 1520 - (8.1) / Lumia 920 - (8.1) / Focus v1.3 (7.8 via Dynamics ROM)
Contact
twitter: @sinclairinator | fb for: CloudMuzik | Skype: jsinnie

 
GoodDayToDie
#4  
Recognized Developer
Thanks Meter 2645
Posts: 5,539
Join Date: Jan 2011
Location: Seattle
Nice find. I've been monitoring phone traffic myself but hadn't caught this exchange yet.

The fact that it checks external cert files is very interesting. Typically, I would expect this to be using "certificate pinning" where the public key of the signing cert is stored internally in the software, and no other signature is trusted (even if it chains to a CA that is installed on the phone and would normally be trusted). MS does use pinning in a number of places; for example, this is how the original ChevronWP7 Unlocker was broken, and is used when adding a Microsoft account to the phone or when that account is updating. However, I figure there's an excellent chance that pinning is *not* being used in at least one place where it really should be (this can be tested using tools like Fiddler or Burp, which have the ability to intercept SSL traffic using a cert that chains to a cert installed in the phone's trusted authorities store).

If pinning isn't being used, it may be possible to modify/create our own detection DLL, then create our own CA cert, install the public key on the phone, use the private key to sign an intermediate cert (that we also create, and have the private key for), and use the intermediate cert to sign our customized DLL. If necessary, we could even intercept the lookups that the phone performs and control what is returned (assuming the lookups are actually over HTTP, or at least unpinned HTTPS).

The probability that the file is unsigned isn't even worth considering; it's quite likely that Microsoft is using a mandatory signing level on WP8 for all executable code. Unfortunately, if they are doing that, it's also likely that it's set to require a cert which chains to the MS root cert (this is how Windows RT is by default), which is effectively a form of system-wide cert pinning. However, if you want to check, signtool in the Visual Studio Command Prompt can dump authenticode certs on a file.

Reverse engineering the detection DLL is quite possibly worthwhile even if we can't modify it, too; it'll provide insight into the update process, which is one of the best places to mess with a system. It runs with high privileges and explicitly is capable of modifying system code.
Win8/Windows RT projects:
List of desktop apps for hacked RT devices

WP8 projects:
Native Access WebServer and Libraries
WP8 Interop Unlocks
Storage Cleanup tool

WP7 projects:
XapHandler, Root Webserver, OEM Marketplace XAPs, Bookmarklets collection (Find On Page), Interop-unlock hacks.


Do not private message me with questions that should have been posted on the forum! Not only are you wasting your time - I'm not going to bother writing an answer to such a question for only one person - but I will probably block you from PMing me in the future as well.
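Added example (not code from this thread, and not Microsoft's or any project's code): the distinction GoodDayToDie draws above between "chains to some root installed on the phone" and "is exactly the signer we expect", done in Go with throwaway certificates generated at run time. Go's crypto/x509 chain builder stands in for the phone's Authenticode/CryptoAPI verifier, which is an assumption made for illustration; the names NewChain, ChainTrusted, SPKIPin, PinTrusted and Evaluate are mine, and the "Vendor" and "Locally Installed" hierarchies are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// Chain is a constructed root CA -> intermediate CA -> code-signing leaf hierarchy with throwaway keys; nothing here is a real vendor certificate.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// issue signs tmpl with parentKey; a nil parent makes the certificate self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // demo-only serial; real CAs use random serials
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewChain builds a fresh three-tier hierarchy whose subject names carry label.
func NewChain(label string) (*Chain, error) {
	ca := func(cn string) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	}
	root, rootKey, err := issue(ca(label+" Root CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(ca(label+" Intermediate CA"), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: label + " Code Signing"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}},
		inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// SPKIPin is what a pinning check stores: SHA-256 of the leaf's SubjectPublicKeyInfo.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainTrusted answers "does this leaf chain to any root in the given store?".
func ChainTrusted(leaf, intermediate *x509.Certificate, roots *x509.CertPool) bool {
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// PinTrusted answers "is this exactly the signer we expect?" without consulting any CA.
func PinTrusted(leaf *x509.Certificate, expectedPin string) bool { return SPKIPin(leaf) == expectedPin }

// Outcome records, for one signing leaf: chains to some store root, chains to the vendor root specifically, matches the pinned key.
type Outcome struct{ AnyRootOK, VendorRootOK, PinOK bool }

// Evaluate builds a vendor hierarchy and a second, locally installed one, puts both
// roots in the device store, and runs the three checks against each leaf.
func Evaluate() (vendor, foreign Outcome, err error) {
	v, err := NewChain("Vendor")
	if err != nil {
		return
	}
	f, err := NewChain("Locally Installed")
	if err != nil {
		return
	}
	store, vendorOnly := x509.NewCertPool(), x509.NewCertPool()
	store.AddCert(v.Root)
	store.AddCert(f.Root) // the store after someone installs their own root
	vendorOnly.AddCert(v.Root)
	pin := SPKIPin(v.Leaf)
	check := func(c *Chain) Outcome {
		return Outcome{ChainTrusted(c.Leaf, c.Intermediate, store), ChainTrusted(c.Leaf, c.Intermediate, vendorOnly), PinTrusted(c.Leaf, pin)}
	}
	return check(v), check(f), nil
}
```

Evaluate returns {true true true} for the vendor leaf and {true false false} for the leaf under the added root: plain chain validation accepts it as soon as its root is in the store, restricting the trust anchor to the vendor root (the Windows RT behaviour described above) rejects it, and an SPKI pin rejects it whatever the store contains. The same comparison is what a Fiddler/Burp interception test exercises on the TLS side: an unpinned client accepts the proxy's certificate because its root was installed, a pinned one does not.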
 
snickler
#5  
Forum Moderator / Recognized Developer
Thanks Meter 430
Posts: 777
Join Date: Aug 2010
Location: Wheeling, WV

 
That sounds quite enticing! I wish I knew x86/ARM assembly :/. I'll see what the sign tool outputs in VS.

 
IzaacJ
#6  
Recognized Developer
Thanks Meter 82
Posts: 619
Join Date: Sep 2008
Location: Eskilstuna

 
It feels great to see that you're here, GoodDayToDie. You helped out a lot on WinPho 7 for HD2 (a device I'll soon repurchase).

Hopefully there'll be some advancements on the "jailbreaking" of Windows Phone 8.
IzaacJ | IzaacJ_Dev
Apps: PassPro | Infosode | ROMAbout (CHEFS ONLY)
PROJECTS: TrashMap (Soon heading for private beta)
My Official WP8 Apps: PassPro Free

Nokia Lumia 1520: WP 8.10.12382.878 (WP8.1 Developer Preview) | Officially DevUnlocked
Nokia Lumia 920: WP 8.10.12382.878 (WP8.1 Developer Preview) | Officially DevUnlocked
Nokia C6-00: Symbian S60v5 | "Jailbroken"
 
netham45
#7  
Recognized Developer
Thanks Meter 529
Posts: 859
Join Date: Jun 2009
Location: Denver

 
I would be surprised if WP8 wasn't using the same code signing requirements as Windows RT.

As far as hijacking that dll goes, unless we can find an immediate privileged code execution exploit in it, all it's most likely to do would be to give us write abilities to the FS, and there's a huge 'if' attached to that. That would be a big step if possible, though.

Something that would be interesting to check is if an EXE compiled for Windows RT (cdb, for example) would be capable of running on WP8. If MS used the same signing certificates it may be possible to put enough of Windows RT's dependencies on WP8 to allow it to run a simple console application. Obviously we wouldn't have any console windows or the sort, but it should be possible to capture output if it worked.

We have a decrypted OS dump around somewhere, right? It should be simple to check if they use the same signatures.
Don't PM me for help, post on the forums. I won't respond to basic questions.

I wrote and maintain the jailbreak scripts for Windows RT.

Tablet: Microsoft Surface RT 32GB, Type Keyboard
Phone: Samsung Galaxy Note III

Helpful Windows RT Links:
Windows RT Jailbreak Tool
List of ported apps
Disabling Windows Update
 
GoodDayToDie
#8  
Recognized Developer
Thanks Meter 2645
Posts: 5,539
Join Date: Jan 2011
Location: Seattle
Good call on checking the signatures. I'd also like to take a look at reverse engineering the OEM apps again; even if they don't give us a device-agnostic hack directly, they may reveal interesting things about the WP8 app model internals and also may give device-specific breaks which can be used to gain the knowledge we need for crafting device-agnostic ones.

Slightly off-topic:

The zipview exploit still (sort of) works. Hard to believe, but I bet MS just recompiled the program for NT's Win32 and didn't bother with it beyond that. Decent chance that the same holds for the XAP installer, though I haven't tried yet. However, A) the filesystem layout has changed, so write-only access is even more poking blind than it used to be, and B) zipview may be running with lower privileges than it used to. On a simple test ZIP (attached for your testing pleasure), I can open files and create directories up to three levels above the zip root, but no further. Trying to open a file in a folder directly higher than that gives a "cannot extract to a read-only location" error, and trying to open a file inside a subfolder above the third level up gives a generic error message (probably due to failing to create the folder).

Also, I got wired tethering working on my Ativ S today. I'll create a post about doing that if nobody else has done so yet (it was almost identical to the WP7 Samsung devices, the only hard part being finding the right 64-bit drivers). WindowBreak didn't work, though (the folder that it extracts at is above the permissions cutoff, which makes me suspect zipview can't write to the drive root) and I don't think the subcomponent of the Diagnostics app works the same, either (a lot of the diagnostics codes have changed; we should learn the new ones). I don't even know if WP8 understands provxml (it's historically a CE feature, not an NT one), although I found references in the Diag app to provxml being "ready".
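Added example (not zipview's code and not from this thread): the behaviour GoodDayToDie describes, an archive viewer creating files and directories several levels above the zip root, is the classic extraction path-traversal bug, and this Go program shows the check an extractor has to make on every entry name before touching the filesystem. The archive is constructed in memory with two ordinary entries and two traversal entries; SafeExtractPath, AuditArchive, Verdict and the root path tmp/extract are my names, chosen for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned for any entry that would land outside the extraction root.
var ErrEscapesRoot = errors.New("zip entry resolves outside the extraction root")

// SafeExtractPath maps an archive entry name onto a path under root. This is the check
// an extractor has to make before it creates a directory or file for the entry.
func SafeExtractPath(root, name string) (string, error) {
	root = filepath.Clean(root)
	// Archives written by Windows tools may carry backslashes; treat them as separators too.
	n := strings.ReplaceAll(name, "\\", "/")
	// Absolute and drive-qualified names never belong to the archive's own tree.
	if strings.HasPrefix(n, "/") || (len(n) > 1 && n[1] == ':') {
		return "", ErrEscapesRoot
	}
	dest := filepath.Join(root, filepath.FromSlash(n)) // Join also collapses ".." segments
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return dest, nil
}

// Verdict is the guard's decision for one entry; Dest is empty when Err is set.
type Verdict struct {
	Name, Dest string
	Err        error
}

// AuditArchive runs the guard over every entry without writing anything to disk.
func AuditArchive(data []byte, root string) ([]Verdict, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20+ may report ErrInsecurePath for suspicious names (GODEBUG zipinsecurepath=0);
	// the reader is still usable and we want to see every entry, so only other errors stop us.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var out []Verdict
	for _, f := range r.File {
		dest, err := SafeExtractPath(root, f.Name)
		out = append(out, Verdict{Name: f.Name, Dest: dest, Err: err})
	}
	return out, nil
}

// BuildSampleZip constructs an in-memory archive (constructed sample data): two ordinary
// entries and two that try to climb above the extraction root.
func BuildSampleZip() ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range []string{"readme.txt", "sub/notes.txt", "../../../escape.txt", `..\..\win.txt`} {
		fw, err := w.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write([]byte("constructed sample content\n")); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	data, err := BuildSampleZip()
	if err != nil {
		panic(err)
	}
	verdicts, err := AuditArchive(data, filepath.Join("tmp", "extract"))
	if err != nil {
		panic(err)
	}
	for _, v := range verdicts {
		if v.Err != nil {
			fmt.Printf("REJECT %-22q %v\n", v.Name, v.Err)
		} else {
			fmt.Printf("accept %-22q -> %s\n", v.Name, v.Dest)
		}
	}
}
```

The decision is made on the cleaned path relative to the root, not on the raw name: "a/../../b" has no leading ".." yet still escapes, and a backslash-separated name escapes just the same on a Windows extractor that treats both separators alike. Rejecting the entry (rather than silently relocating it) is what keeps a viewer like the one described from being a write primitive above its own directory.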
 
netham45
#9  
Recognized Developer
Thanks Meter 529
Posts: 859
Join Date: Jun 2009
Location: Denver

 
Here's what I came up with for a file list from some rudimentary (and possibly inaccurate) parsing of a .ffu: http://pastebin.com/hX6qJQeA

Got that from RM820_1232.2109.1242.1001_RETAIL_nam_usa_100_01_95 122.ffu.
 
GoodDayToDie
#10  
Recognized Developer
Thanks Meter 2645
Posts: 5,539
Join Date: Jan 2011
Location: Seattle
Great, thanks for that! Looks like provxml is definitely still here, and that's probably good. I'll bet they changed some things though, to make it more NT-ish (support for proper ACLs, for example). I should review those included provxml files for a look at how the phone is currently configured. Lots of potentially interesting .REG files too. I'll have to try some more things here!
