[Q] Disassembling ChevronWP7

---

I have been using ChevronWP7 for more than a month now and I was always wondering how does it work?
I tried to follow the obfuscated code in Reflector but it's really a mess and needs a lot of time and effort to follow the code's logic.

Aside from the code part, it seems that it changes the hosts file under C:\Windows\System32\drivers\etc to something like this

192.168.2.13 developerservices.windowsphone.com
172.26.68.53 developerservices.windowsphone.com
192.168.1.20 developerservices.windowsphone.com

So if anyone is working (has worked) on this, it would be great if you guys share your findings with the community here.
Thank you.

EDIT:

I am not sure if you guys have already seen the Windows Phone Developer Registration program that comes with the SDK or not (I didn't!!! for 3 months), but ChevronWP7 is just that program without the live services authentication! it is that simple, and you can see the source code with reflector

Basically the app does the flowing:

it uses a TcpClient to communicate with the phone over port 27077

PHP Code:

                    this.client = new TcpClient();
                    this.client.SendTimeout = 2000;
                    this.client.ReceiveTimeout = 2000;
                    this.client.LingerState.Enabled = true;
                    this.client.LingerState.LingerTime = 0;
                    this.client.NoDelay = true;
                    this.client.Connect("127.0.0.1", 27077); 


To check the status of the phone:

it sends this byte array

PHP Code:

byte[] buffer = new byte[4];
            buffer[0] = 16;
            buffer[1] = 1;
            this.commandData = buffer; 


To Unlock the phone :
it sends this byte array

PHP Code:

List<byte> list = new List<byte>();
            ASCIIEncoding encoding = new ASCIIEncoding();
            ushort num = (ushort)(((authToken.Length + 3) + 2) + 3);
            list.AddRange(new byte[] { 16, 3 });
            list.AddRange(BitConverter.GetBytes(num));
            list.Add(1);
            list.AddRange(BitConverter.GetBytes((ushort)authToken.Length));
            list.AddRange(encoding.GetBytes(authToken));
            list.Add(2);
            list.AddRange(BitConverter.GetBytes((ushort)2));
            ushort num2 = isInt ? ((ushort)0) : ((ushort)1);
            list.AddRange(BitConverter.GetBytes(num2));
            [COLOR="red"]this.commandData[/COLOR] = list.ToArray(); 


An http server is made to listen for any requests that come from the phone (which were redirected in the system\hosts file to 127.0.0.1) and returns as a response :

PHP Code:

<ResponseOfRegisteredDeviceStatus xmlns="Microsoft.WindowsMobile.Service.Marketplace" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><ResponseCode>0x00000000</ResponseCode>
<ResponseMessage i:nil="true"/>
<Entity xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.WindowsMobile.Service.Marketplace.BLLDevPortal.Entities">
<a:DaysLeft>365</a:DaysLeft>
<a:AppsAllowed>10</a:AppsAllowed>
</Entity>
</ResponseOfRegisteredDeviceStatus> 


The number <a:AppsAllowed> is the number of allowed apps, discussed here in the changed version without the side limit.

To lock the phone :

PHP Code:

internal LockCommand(string authToken)
{
    List<byte> list = new List<byte>();
    ASCIIEncoding encoding = new ASCIIEncoding();
    ushort num = (ushort) (authToken.Length + 3);
    list.AddRange(new byte[] { 16, 2 });
    list.AddRange(BitConverter.GetBytes(num));
    list.Add(1);
    list.AddRange(BitConverter.GetBytes((ushort) authToken.Length));
    list.AddRange(encoding.GetBytes(authToken));
    this.commandData = list.ToArray();
} 


Doesn't matter, next update will nullify it.

First of all, ChevronWP7 is a cool utility, but I don't understand why did they obfuscate the ripped M$ code. Yes the device communication part which is obfuscated it ripped from the Deployment Developer Tool.

Generally speaking this is what ChevronWP7 does:
- Rewrites the host file to redirect the developerservices.windowsphone.com address to localhost
- Bring up a HTTP server with it's own certificate to support HTTPS
- For the query during unlock operation the HTTP server sends back a baked in answer as a result of a successful unlock.

ChevronWP7 does exactly what the deployment tool do, but bypassing the windows live login.

Thanks,
Attila

Quote:

Originally Posted by WithinRafael

Doesn't matter, next update will nullify it.

How do you know that?

Anyways, I am also checking inside Chevron utility.

To unlock your phone, they send this:

Code:

10032200011A00436F6F6B69653A20486920436861726C6965204B696E64656C210202000100

Code:

.."....Cookie: Hi Charlie Kindel!.....

As a networkStream using this TcpClient:

Code:

chevronTCPClient.SendTimeout = 0x1388;
chevronTCPClient.ReceiveTimeout = 0x1388;
chevronTCPClient.LingerState.Enabled = true;
chevronTCPClient.LingerState.LingerTime = 0x1388;
chevronTCPClient.NoDelay = true;
chevronTCPClient.Connect("127.0.0.1", 0x69c5);

To relock the phone, the data is very similar, its shorter:

Code:

10021D00011A00436F6F6B69653A20486920436861726C6965204B696E64656C21

Also with the joke to Charlie Kindel.

Late to the party, guys

Google Cache because I must get my site up again sometime soon.

Quote:

Originally Posted by hounsell

Late to the party, guys

Google Cache because I must get my site up again sometime soon.

Meh, you edited a string

As Raf says, this won't work with the first update.

I thought the CheveronWP7 people were talking to Microsoft about allowing sideloading without the need to hack the phone.
Or was that just some BS from Microsoft to get the CheveronWP7 people to shut down their tool?

Quote:

Originally Posted by jfwfreo

was that just some BS from Microsoft to get the CheveronWP7 people to shut down their tool?

Probably.

Someone will always find a way though. This is the same dance jailbreakers go through with Apple.

FYI "WithinRafael" + "walshieau" + Long Zheng = ChevronWP7 people.

I am not sure if you guys have already seen the Windows Phone Developer Registration program that comes with the SDK or not (I didn't!!! for 3 months), but ChevronWP7 is just that program without the live services authentication! it is that simple, and you can see the whole source code with reflector.

I'm kinda unimpressed now