Attend XDA's Second Annual Developer Conference, XDA:DevCon 2014!
5,780,077 Members 38,018 Now Online
XDA Developers Android and Mobile Development Forum

[WIP][HTC 8x][8.1]Fiddler2 Update Utility UEFI, BOOT Dumps & Templates[ExploitsFound]

Tip us?
 
grilledcheesesandwich
Old
(Last edited by grilledcheesesandwich; 24th May 2014 at 06:03 PM.) Reason: updated may 24th
#1  
Member - OP
Thanks Meter 20
Posts: 58
Join Date: Oct 2013
Default [WIP][HTC 8x][8.1]Fiddler2 Update Utility UEFI, BOOT Dumps & Templates[ExploitsFound]

heres the story. i hex edit, spyder, leech, rip, hack all day everyday from my inseure server. always trying to break security on multiple platforms and remote locations. anyways my pc is just filthy. my devices probably have more imfections than a skid row street hooker. the is no exact explination on how this happened but all i know is a combination of a app\xap called webserver native access 0.4.3 , xenu url checker for pc and fiddler2 all running on the same ip and port [9999] started doing strange things. i fiddles when i typed in the address that webserver xap gave me while spyder crawling my phone with xenu,fiddler picked up lots of certificates while decoding system files.then o e after another probably 5 or 6 updates poped up on my phone. ive already had 3 windows 8.1 updates in the past. and wasnt aware of anything new. . also fiddler never picked up any remote link only local. strabge thing is i think rom updates for other devices got flashed to my phone. anyways the phone still works. im not sure the exact situation but the other day microsoft gave me a security signed symantic enterprise mobile code signig certificate when i made my store on the app studio website. i could of swore it was something of 250 dollar fee to get symantic to sign the cert for you. cant rember the process i went through a year or 2 ago when i need a cert signed. nice of mixrosoft the hook it upi guess. thats not enen the start with certs . i ripped hundreds of crt and crl from ruu's including qualcomm protected root ca's htc-cert , uefi keys, pulled from my device. anyways i had a dumb idea to install all of these onto my pc. what a dumb/smart mistake good happening. now i cam download all ota cabs with out going through proxy loops, and now have deeper access to htc and qualcomm based devices, it seems as the mpment i plug and windows phone with secure boot locked within minutes the device registery hive syncs with my servers hive and forcesthephone to disable uefi secure boot since my server isnt uefi compatible. i not if any sense is made here. ........soonyou will be seeing custom roms for htc8x fully flashable with out the use of a ycable. 2 jumps away from fullly rebuilding partitions from a 3.41 ruu . new roms will be a completely different platform. choice is in the air. right now my htc 8x is compiled from a mixture of windows phone 7 & 8, embedded compact 2013 and windows RT. strange thing is my device is based on gdr2..



my thumbs hurt from thping this on my nexus. sorry for the bad grammer and broken up sentences.



one last note anybody know wherr to get the OAK (OEM Adaptation Kit) layers and the 9600_POWERTOOLS with out having to sign up as an oem for microsoft.? I Have part of oak but only the portion for embedded compact 8

if anybody woild lit to join in be my guest. the more heads in this project the faster we break one of the most secure phones in the world. i will get everyone caught up wothin the soon on info. got to sort my files.

as of right now i think the ruu_signed.nbh is actually a .egisenx file extension which can be decrypted with edatasecurity by acer. once i find the framework software to install edatasecurity. i will give it a shot. in the mean time in anybody has an acer or gateway computer with that software installled on it already you could take a crack at. pick up any ruu_accord and 7z the exe file directly open the ruu_signed.nbh with a hex editoe without extracting the file and save the the nbh as a .egisenx file extension then proceed to attempt to decrypt. if it requires a password. i will provid some strings i pulled from the hexeditor. even beter if anybody has decrypting software that might work too.


also some of the htc 8x partitions arr encrypted SHK (SENTENIAL SKYNET) this is interensting i think this might be easier to crack.




softqare used so far in project accord
Revskills final release
Revskills 1.xx
qmi by revskillz
winrar good for converting damaged files
7zip good old extract to temp location
telerik justdecompile standalone version or visual studio extenson
webserver 0.4.3 or 0.5.0 .xap for wp8 winpone8 works on windows phone 8.1 also!
xenu url checker
fiddler2
winhttrack rip my phone like a website
010 editor with lots of custom scripts templates and syntex.
hhd hex editor is optional
hiew hex editor for the pros. still experimentig with this one.
lots of time.
cmd.exe and ecery damn xommand executible you can find that rips, strios, converts, merges, splits de/compress makes thing go backwards forward up down and flip around.
lots more fime
brew mp
win phone 7 tools.
OAK
osbuilder for wp7
basicly any file you can find that de/compiles that was made my microsoft mobile, embedded or ce department.
wak, wdk, hck 8.1 microsoft hardware tools
visual studio 2012 2013.
visual studio .net compiler 'rosylin'
lots of samples.



2014-05-24

RUU PARTITION RIPPING THE EASY WAY.
7zFM build 932 can directly open any file when using the options in the contex menu. just right click on the .ruu_signed.nbh highlight 7z open with arguement submenu and eithe choose # option or the #e option. both arguements work but with different outcomes. when 7z is done loading you will end of with a numbered liat of files some witj or without extensions. extensions as folowing .efi, .elf, .fat, .ntfs, .exe. all extenses with extensions open. the fat files are complete partitions. thw ntfs partition is metadata that is also embedded with in a file called boot.sdi located in one of the fat partitions. the exe files are normal MZ PE executable system32 applications. efi executable files are also located within the fat partitions. the elf files which strangely exist within the phones operating system can be extracted and read with a hex editor. strange that windows phone contains elf. considering Microsoft binary format is COFF/PE. DOWNLOADS WILL BE UP SOON FOR DEVELOPMENT. it is a possibility that the boot partition ripped form a accord_u_wwe was part of the updateos.wim. therr is refrence on how to add packages to the wim on the windows phone developer oem site.


an interesting experement done which worked on nokia ffu files. convert the nokia ffu to a vhd using winimage with fixed size settings. once completed. mount it with osfmount tool. none of the partitions show up nor are they mountable. so i proceded to generate a raw img from the vhd in osfmount which put out a raw img just over 7gb. jezuz the vhd was only just over 1gb. decided to mount the raw img using diskinternals linux reader and what do you know every partition showed up. even the secret one. most were still unable to open but boot uefi data and mainos. it did give me good insite on what to look for and discover within the windows phone lock filesystem.

There is a metadata file hidden deeply with MFT (MasterFileTable) called $Boot. this $Boot file header is R.NTFS.
i will get more in depth on thia later.

File system encryption used for the MAINOS is called RSDS mi. very hard maybe impossible to reverse engineer. I did find an explination in a .text file located inside of the file Liveupdate.exe located in The windows/system32 folder of my phone. the file gave vague instructions on how to compile an Fupdate.xml template which and be used to push update packages over wifi. more details layer.

Possibility to mount several partitions including mainos directly on my pc by minipulating binary regestery keys on windows 7. more soon.
Found these in my pc. Going to play around with them see what happens

Quote:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\WP8]

[HKEY_CURRENT_USER\Software\WP8\DL]
"MODE"=dword:d10ad121
"CSC"=hex:00,00,00,00
"SBL"=hex:00,00,00,00
"RPM"=hex:00,00,00,00
"UEFI"=hex:00,00,00,00
"ACPI"=hex:00,00,00,00
"MainOS"=hex:00,00,00,00



Diffrences in files located in the fat16 partitions cross refrenced branded and unbranded ruu's csv.cfg on the branded ruu has the radio build number defined while the unbranded ruu is blank 00 hex bytes through the entire csv.cfg file. RADIOVER.CFG unbranded ruu has anextra line IMEI line configured to 1 while the branded ruu is missing the imei line. my guess is with the imei 1 assignment with the unbranded ruu is once the device gets flashed with the original firmware it also gets assigned a new imei as well. just my guess. some insite would help on this.
 
GoodDayToDie
Old
#2  
Recognized Developer
Thanks Meter 2,686
Posts: 5,659
Join Date: Jan 2011
Location: Seattle
Well, as the dev of NativeAccess I'm certainly very interested in what you found. My first guess is that you wandered into the section of the registry where the phone's certs are stored (yes, it's readable), although the format that the app returns them in isn't something that would normally be recognized as a certificate. Which means my *best* guess is that you wandered onto some certificate files stored on the phone in a readable directory, because the server app will let you download files

Everything from there is Really Weird though, and we'll need to investigate it more. I should spin up some VMs to try this... anyhow, getting additional updates to your phone is pretty weird, so let's start with that. Did you install those updates? What were their descriptions (i.e. what did they say was getting updated)? What are your current phone version strings (OS, Firmware, etc.) from Settings -> About -> More info (and do any of those look notably different than you expect)?

Installing certs ripped from RUUs onto your PC is... well, I would never have tried it on my main box, but now I really want to try it on a VM. Do you have the list of certs you installed anywhere handy? What ROMs did you rip them from, and where in those ROMs?

Deeper access into WP8 devices sounds *seriously* interesting! I don't have a modern HTC (only my old HD7, a WP7 device) but I could probably obtain one, at least temporarily, for research purposes. What registry hives do you think are synching (and why do you think it's a synch)? Is it actually turning off Secure Boot for real, or just causing the registry to report that it's off? (We can override the report value on Samsung WP8 phones, but that does no good.) If you've managed to turn off Secure Boot on HTC WP8 devices, you've probably just found the door to custom ROMs and possibly other fun hacks. Do you have any non-HTC WP8 devices you could test with too, to see if anything else interesting is happening?

Good luck cooking up those custom ROMs! That is unfortunately not my field at all, so I can't really help... but it would be pretty cool to have the ability to run RT instead of / in addition to WP! There's also a ton of tweaks and unlocks we can do if we have totally arbitrary access to the device and no pesky code signing enforcement getting in the way.
Win8/Windows RT projects:
List of desktop apps for hacked RT devices

WP8 projects:
Native Access WebServer and Libraries
WP8 Interop Unlocks
Storage Cleanup tool

WP7 projects:
XapHandler, Root Webserver, OEM Marketplace XAPs, Bookmarklets collection (Find On Page), Interop-unlock hacks.


Do not private message me with questions that should have been posted on the forum! Not only are you wasting your time - I'm not going to bother writing an answer to such a question for only one person - but I will probably block you from PMing me in the future as well.
The Following User Says Thank You to GoodDayToDie For This Useful Post: [ Click to Expand ]
 
grilledcheesesandwich
Old
(Last edited by grilledcheesesandwich; 19th May 2014 at 12:43 PM.)
#3  
Member - OP
Thanks Meter 20
Posts: 58
Join Date: Oct 2013
Quote:
Originally Posted by GoodDayToDie View Post
Well, as the dev of NativeAccess I'm certainly very interested in what you found. My first guess is that you wandered into the section of the registry where the phone's certs are stored (yes, it's readable), although the format that the app returns them in isn't something that would normally be recognized as a certificate. Which means my *best* guess is that you wandered onto some certificate files stored on the phone in a readable directory, because the server app will let you download files

Everything from there is Really Weird though, and we'll need to investigate it more. I should spin up some VMs to try this... anyhow, getting additional updates to your phone is pretty weird, so let's start with that. Did you install those updates? What were their descriptions (i.e. what did they say was getting updated)? What are your current phone version strings (OS, Firmware, etc.) from Settings -> About -> More info (and do any of those look notably different than you expect)?

Installing certs ripped from RUUs onto your PC is... well, I would never have tried it on my main box, but now I really want to try it on a VM. Do you have the list of certs you installed anywhere handy? What ROMs did you rip them from, and where in those ROMs?

Deeper access into WP8 devices sounds *seriously* interesting! I don't have a modern HTC (only my old HD7, a WP7 device) but I could probably obtain one, at least temporarily, for research purposes. What registry hives do you think are synching (and why do you think it's a synch)? Is it actually turning off Secure Boot for real, or just causing the registry to report that it's off? (We can override the report value on Samsung WP8 phones, but that does no good.) If you've managed to turn off Secure Boot on HTC WP8 devices, you've probably just found the door to custom ROMs and possibly other fun hacks. Do you have any non-HTC WP8 devices you could test with too, to see if anything else interesting is happening?

Good luck cooking up those custom ROMs! That is unfortunately not my field at all, so I can't really help... but it would be pretty cool to have the ability to run RT instead of / in addition to WP! There's also a ton of tweaks and unlocks we can do if we have totally arbitrary access to the device and no pesky code signing enforcement getting in the way.
right now im hexediting ruus and they seem almost completely decrypted. its strange becUse a few weeks ago they were all scrambled.
i will postnmy findings on my website for every one to view
i rememersomeones post on possible certificates could bethekey to jailbreaking qindows phone 8. i think theymight beright
 
grilledcheesesandwich
Old
(Last edited by grilledcheesesandwich; 19th May 2014 at 01:38 PM.)
#4  
Member - OP
Thanks Meter 20
Posts: 58
Join Date: Oct 2013
it said the updates i got stated they would further enchance my device. windows phone 8.1. funny.

i ripped certs from several ruu_accord_u and img_accord_u packages. i have 9 or 10 htc 8x ruu's stashed.
i installed the certs that had embedded htc_cert, qcom, qualcomm, symantic, uefi, and a few others i cant remember them all.

i have a lot to catch everybody up on. about 50gb of findings from accord ruu's and from files ripped from my phone. its a cluster **** of work.

uefi flashing
uefi disabling
source code
software lots of software refrences found.
wince800
winrt
qcomedk2 = edk2 part of the original dev kit ised to build flash dump reflash enable and disable uefi bios
certificates thousands of crl cer in every device. even the smallest file has a certificate. and i found their passwords
rsa-keys in the tesst faze
uefi keys
esn keeys
every partition size, format, offset and sector size.
port numbers and usages
every single registery key
.....
.....
keeps going on.
 
grilledcheesesandwich
Old
#5  
Member - OP
Thanks Meter 20
Posts: 58
Join Date: Oct 2013
reserved
 
grilledcheesesandwich
Old
#6  
Member - OP
Thanks Meter 20
Posts: 58
Join Date: Oct 2013
Quote:
Originally Posted by grilledcheesesandwich View Post
reserved

reserved
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


[OTA] Nvidia Shield Tablet Receives its First Update

The Nvidia Shield Tabletis the latest toy from one of the largest desktop graphics … more

Quick Control Panel Updated, Adds Notification Support

As some of you may remember, earlier this year we spoke about Quick Control Panel by … more

Narrate Makes Note Taking Efficient and Beautiful

Technology has put life on the fast track. Whether its travelling to multiple places or … more

Android App Review: How to Speed Up Your Android Phone – XDA Developer TV

Is your Android device running slow? Is your Android device … more