Running Homebrew Native Executables - Status: DONE!!

Search This thread

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
[2012/06/03] IMPORTANT UPDATE HERE

Hi hackers,

This is meant as a little update on one of the projects I've been working on. I'm kinda stuck now. I have a suspicion of what the problem is. I thought that maybe if I write a post about it, me or someone else will have an idea on how to get this working.

The goal is to run native homebrew executables on WP7

This has not been done yet. All apps are Silverlight apps that are compiled as DLL and run by Taskhost.exe with least privileges. All other executables are signed by Microsoft. Executables that are compiled as ARM executable cannot be started.

The angle is to create a certificate that allows to sign a WP7 executable. Then add that to the appropriate certificate store. Create an executable. Sign it with the private key. Load it onto a WP7 device. Copy it to the Windows folder. Use an OEM driver to launch the executable.

First I did research on the certificate stores. I can now with certainty state that there are 4 certificate stores:
- CA
- Root
- My
- Code Integrity

After a lot of research I finally got complete read/write access to all of these stores. The Code Integrity store contains all the certificates that are used by the Loader Verifier to verify the executable that is being launched. When the device is launched for the first time, the certificates that are in \Windows\ciroots.p7b are installed to that certificate store. These certificates have these properties:

Key Usage = 0x86 = Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
Entended Key Usage = Code Signing (1.3.6.1.5.5.7.3.3) + Unknown key usage (1.3.6.1.4.1.311.10.3.14)

So I used OpenSSL to create such an certificate (with private key) for myself. And I installed the certificate in the Code Integrity store.

I then used VS2008 to create a completely barebone executable (ARMv4 Console app with only Sleep(-1) in the Main). I signed it with SignTool from Microsoft.

I loaded the executable to my device and I copied it to the \Windows folder (I think the policies restrict executing to only from that folder, but I'm not sure about that).

I use the Samsung driver to launch the executable, because I need at least Standard Rights to launch an executable. The Samsung driver has Elevated Rights. My own app has only Least Privileges. Using the Samsung driver does not return any success or fail codes. But looking at the Running Processes list, I don't see my Test.exe running. It should be, because the main thread is put to sleep infinitely.

So why is this not working?

Well, I have a guess. I think it's the policies that bind the certificates in the Code Integrity store to the different accounts/chambers. In the \Windows folder there are a lot of policy xml-files. On fist boot, these are merged into PolicyCommit.xml and then compiled to policydb.vol. When the Loader Verifier (lvmod.dll) loads an executable, it queries the policies to determine access rights and chamber for that executable. The policies that matter in this context are defined in 8314B832-8D03-444f-9A2A-1EF6FADCC3B8.policy.xml. It's an xml-file that basically says this:

Code:
Microsoft Mobile Device Privileged PCA       - ced778d7bb4cb41d26c40328cc9c0397926b4eea - not used in this context
Microsoft Mobile Device TCB PCA              - 88bcaec267ef8b366c6e6215ac4028e7a1be2deb - honored by System Identity Group
Microsoft Mobile Device Unprivileged PCA     - 1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a - honored by Standard Right Identity Group
Microsoft Mobile Device VSD PCA              - 91b318116f8897d2860733fdf757b93345373574 - not used in this context
VeriSign Mobile Root Authority for Microsoft - 069dbcca9590d1b5ed7c73de65795348e58d4ae3 - honored by LPC Identity Group

I should find a way to add a policy with my certificate in it. Any ideas? :eek:

Ciao,
Heathcliff74
 
Last edited:

Flow WP7

Member
Mar 23, 2011
29
3
If you are able to re-sign an executable that is already in the ROM, i would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round which would be awesome. :)

regards
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
If you are able to re-sign an executable that is already in the ROM, i would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round which would be awesome. :)

regards

That's a good idea. I must say that I don't have much faith in the current RecMod tools for WP7 right now. I am able to get the binaries recmodded so that I can disassemble them correctly. But I don't think they can be easily launched. But there are executables that are on the rom as complete binaries, instead of rom-modules. To begin with, I have to select one that does not need much privileges to run and try to sign that one and then run it.

I'm really busy with work right now, so I think I won't be able to try it until the day after tomorrow. But I will try it and will let know how that went.

Thanks!
 

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
Decompiled taskhost.exe, so it gets more easy for us to see if its able to make taskhost to start another exe for us. Lots of code tho (C code).

taskhost.c (276 KB) in attachments.

edit: Oh, WOW, this really shows how to call those anonymous methods without call signature "Hello" (signature: "??z_Hello_?mze")

Hmm, pretty much about the pause part?
Code:
if ( v10 )
{
  a7 = sub_178E7(v10);
  if ( a7 >= 0 )
  {
    a7 = sub_180A5(v7, v7 + 64);
    if ( a7 >= 0 )
    {
      a7 = ThemeInitialize(v7 + 136);
      if ( a7 >= 0 )
      {
        v11 = sub_1862B(v13, v7);
        EnableHostAutoDehydration(v11 == 3);
        v16 = 0;
        a7 = InitializeEmClientEx(&a2, 0, &v16);
        if ( a7 >= 0 )
        {
          a7 = RegisterPausedHostCallback(sub_19D0D, 0);
          if ( a7 >= 0 )
          {
            a7 = RegisterResumingHostCallback(sub_19D31, 0);
            if ( a7 >= 0 )
            {
              if ( v11 != 3
                || (a7 = RegisterDehydrateHostCallback(sub_19D76, 0), a7 >= 0)
                && (a7 = RegisterFreezeHostCallback(sub_19D97, 0), a7 >= 0) )
              {
                a7 = RegisterExitHostCallback(sub_19D55, 0);
                if ( a7 >= 0 )
                  a7 = sub_17C0A(*(_DWORD *)(v7 + 128), 0);
              }
            }
          }
        }
      }
    }
  }
}

UIX framework entry-point (exe)
Code:
int __cdecl sub_11114(int a1, int a2, int a3)
{
  int v4; // [sp+0h] [bp-38h]@1
  char Dst; // [sp+4h] [bp-34h]@1
  int v6; // [sp+8h] [bp-30h]@1
  int v7; // [sp+Ch] [bp-2Ch]@1
  int v8; // [sp+18h] [bp-20h]@1
  int v9; // [sp+28h] [bp-10h]@1

  v4 = 0;
  memset(&Dst, 0, 0x34u);
  v8 = a3;
  v6 = (int)L"res://FlightModeUXDLL!FlightMode.uix";
  v7 = (int)L"FMMain";
  v9 = 2;
  RunApplication(&v4);
  return dword_12034;
}


C++ converted
Code:
UIXApplicationInfo app;
app { ... }

RunApplication(&app);

struct UIXApplicationInfo
{
  int UNK_v4 = 0;
  char Dst = {0};
  char* uixFile;
  char* uixEntryPoint;
  int UNK_v8;
  int UNK_v9 = 2;
}

Then just figure out the UIX part (or test the existing "res://FlightModeUXDLL!FlightMode.uix" if it launches, if so, we made it).

___
Found this in mango dump:
> Uninstall provxml
Code:
<!-- Uninstall Xbox LIVE Extras App  -->
<characteristic type="AppInstall">
      <nocharacteristic type="{0c17d153-b5d5-df11-a844-00237de2db9e}"/>
</characteristic>
 

Attachments

  • taskhost.zip
    44 KB · Views: 316
Last edited:

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://xdaforums.com/showthread.php?t=820455

Hello "co-founder of native code on WP7" ;)

I'm fully aware of the possibility of native code through COM. I use it for example in the WP7 Root Tools. But I just wanted to take it a step further. Running native executables give a lot more freedom. Not being bound to the watchdog, getting higher privileges and running in the background for instance. But there's a whole lot more. So that's why I started research on it. Thanks anyway. You helped making native code possible on WP7.

Ciao,
Heathcliff74
 
  • Like
Reactions: XxXPachaXxX

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
The taskhost.exe is our RAM, because our app run in it, giving us full RAM access inside our "viritual ram". So that means we own all strings, int, floats etc. Then rewrite the ram to change strings in mscorlib. The checksum if an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.
My purpose with this is that some function's call external apps, where we rewrite the args going in to the function. Just find an exploitable function and modify it after JIT has been there one before generating the pre ram, that we modify and call yet again but with the modified ram values behind.

Marshal.Copy, my friends, there.

[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
The taskhost.exe is our RAM, because our app run in it, giving us full RAM access inside our "viritual ram". So that means we own all strings, int, floats etc. Then rewrite the ram to change strings in mscorlib. The checksum if an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.

My purpose with this is that some function's call external apps, where we rewrite the args going in to the function. Just find an exploitable function and modify it after JIT has been there one before generating the pre ram, that we modify and call yet again but with the modified ram values behind.



Marshal.Copy, my friends, there.



[SecurityFuckingSafeCritical]

(byte[] source, IntPtr destination, int length)

> Interopservices leaked dll (\windows)

destination = our ram ptr to modify.

Hmmm. 10 Points for inventiveness ;) But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().


Sent from my OMNIA7 using XDA Windows Phone 7 App
 
Last edited:
  • Like
Reactions: XxXPachaXxX

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
Hmmm. 10 Points for inventiveness ;) But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().


Sent from my OMNIA7 using XDA Windows Phone 7 App
"And you will still run under TaskHost with Least Privileges"
I know, i dont need standard rights to do it. Because i call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.

[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
string mscorlibStr = "you cant change my value :p";
Debug.WriteLine(mscorlibStr + str);
}

This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.
 
  • Like
Reactions: XxXPachaXxX

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
"And you will still run under TaskHost with Least Privileges"
I know, i dont need standard rights to do it. Because i call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.

[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
string mscorlibStr = "you cant change my value :p";
Debug.WriteLine(mscorlibStr + str);
}

This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.

I really hate to break it for you. But the [SecuritySafeCritical] is indeed trusted code, but it will still check your privileges. All the API functions that do system modifications like that, do the security checks. Read the note under SecuritySafeCriticalAttribute here. Also read this; same problem. You are in process TaskHost.exe and it is launched in LPC (Least Privilege Chamber), so every CeImpersonateToken() to do the important stuff will fail and return an error code. I also wouldn't know how you would modify the stack-frame of a function that you call. Seems impossible to me, because at the moment you call the function, that stack-frame has not been allocated yet.

Anyway, although I don't think that is going to work in any way, I absolutely don't want to discourage you, because my experience is that when you try enough, sooner or later you will find an exploit :D

Ciao,
Heathcliff74
 
  • Like
Reactions: XxXPachaXxX

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
Currently installing "Windows Embeded Compact 7", because this lousy ARMv4 compiler (from WM5-6) maybe generates wrong ARM op-codes (WP7 runs ARMv7), therefore it says "Invalid program signature" (or what error it was).
Maybe ARMv7 is'nt even backwards compatibility with ARMv4.
By compiling with the ARMv7 compiler from WEM7, it will probably (hope) generate a valid exe.
Thats it..

edit:
*Research

"Armv7 is the processor instruction set used starting with the S5L8920 in the iPhone 3GS and in all subsequent devices. Processors that support Armv7 instructions are backward compatible with Armv6 instructions, but attempting to run binaries compiled for Arm7 on older, Armv6 processors will result in the error: "Bad CPU type in executable"."

Source: http://theiphonewiki.com/wiki/index.php?title=Armv7
___

"As I said in the past, the ARMv6 CTR was kept backwards compatible with
> > > earlier versions of the ARM architecture (and ARM tried to keep it like
> > > this as much as possible). With ARMv7, you have multiple levels of cache
> > > and different types (e.g. ASID-tagged VIVT I-cache). There is no way you
> > > could encode the useful information while keeping the same (and only)
> > > register, hence the the need for a new register."

Source: http://www.spinics.net/lists/arm-kernel/msg58813.html

As i see this (^), all ARMv > 6 == no backwards
ARMv6 had backwards to 4

ARMv7 >> ARMv6 compatibility, not more.
_

Problem officer even running ARMv4???
>On a non ARMv4 backwards compatibility CPU.
Profit!!

__
[ExeX.exe] (the one that i recompiled to a state: "this has to work")(ARMv4)
Decompilation:
Code:
; Attributes: bp-based frame

EXPORT start
start

var_20= -0x20
oldR4= -0x1C
oldR5= -0x18
oldR6= -0x14
oldR7= -0x10
oldR11= -0xC
oldSP= -8
oldLR= -4

MOV     R12, SP
STMFD   SP!, {R4-R7,R11,R12,LR}
ADD     R11, SP, #0x1C
SUB     SP, SP, #4
MOV     R4, R3
MOV     R5, R2
MOV     R6, R1
MOV     R7, R0

.

Next up, decompile a ARMv7 from a raw device. (how, someone has one)
 
Last edited:

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
Last edited:

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
Going forward :)

Currently building the WP7 ARMv7 commandline, getting closer.
Current cmd (not working, no need to help):
Code:
"C:\WINCE700\sdk\bin\i386\arm\cl.exe" /Od /D "_DEBUG" /D "_WIN32_WCE=0x700" /D "UNDER_CE" /D "ZUNE_HD" /D "WINCE" /D "DEBUG" /D "_WINDOWS" /D "ARM" /D "_ARM_" /D "_UNICODE" /D "UNICODE" /D "_CRT_SECURE_NO_WARNINGS" /Gm /EHsc /MTd /Gy /fp:fast /GR- /Fo"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/" /Fd"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/vc80.pdb" /W3 /c /Zi /TP /QRfpe- /QRarch7 "C:\Users\Steven VM\Desktop\ARMv7\main.cpp"

/QRarch7 is the ARMv7.

edit:
HOORRY SHEEAT
generated:
> main.obj
> vc80.idb
> vc80.pdb

o_O, feels soo good:
main.exe is there.

IDA Pro says "ARM AND THUMB MODE SWITCH INSTRUCTIONS", just like others.

Code:
; Input MD5   : B50E8D8395DE7CA2419464DC3CE0BC74

; File Name   : C:\Users\Steven\Desktop\burn\main.exe
; Format      : Portable executable for ARMI (PE)
; Imagebase   : 10000
; Section 1. (virtual address 00001000)
; Virtual size                  : 00000018 (     24.)
; Section size in file          : 00000200 (    512.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment     : default

; Processor       : ARM
; Target assembler: Generic assembler for ARM
; Byte sex        : Little endian


; Segment type: Pure code
AREA .text, CODE, READWRITE, ALIGN=4
; ORG 0x11000
CODE32



EXPORT start
start

var_4= -4

SUB     SP, SP, #4
MOV     R3, #1
STR     R3, [SP,#4+var_4]
LDR     R0, [SP,#4+var_4]
ADD     SP, SP, #4
BX      LR
; End of function start

Made an empty entry point as from above ^:
Code:
int wWinMainCRTStartup()
{
	return 1;
}


PE Explorer (main.exe):

Machine: THUMB
Operating System Version: 7.0
Image Version: 7.0
Subsystem Version: 7.0
Subsystem: WinCE GUI
 
Last edited:
  • Like
Reactions: XxXPachaXxX

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
**** so CLOSE!

Successful copied "main.exe" and "ExeX.exe" to "\Windows", where i have the right to launch them remotely.

Method:


WP7Process p = device.LaunchEXE(@"main.exe", "");

main.exe (no signing, ARMv7):
System.UnauthorizedAccessException: Access is denied.


WP7Process p = device.LaunchEXE(@"ExeX.exe", "");

ExeX.exe (signed with CA/ROOT custom, ARMv4):
System.Runtime.InteropServices.COMException (0x800704EC): This program is blocked by group policy. For more information, contact your system administrator.

There IS different things going on! Something is missing, but what :p

edit:

Signed main.exe with custom XDA ROOT certificate (ARMv7):
signtool.exe sign /sha1 "[CertChomp]" "main.exe"
> Now main.exe also gets "This program is blocked by group policy. For more information, contact your system administrator."
Ill see if i can add it to startup list , if it boot from there.

edit 2:
Nope gonna hijack "fieldtestapp.exe" with my app because policy says:

Risky-mode.Activate();

Backup(fieldtestapp.exe, backupPath);
Copy(main.exe, > fieldtestapp.exe);


"LOADERVERIFIER_ROUTE_BY_NAME"
"LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT"

<Rule Description="Route fieldtestapp.exe" ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
<Authorize>
<Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
</Authorize>
</Rule>

<Rule Description="Authorize fieldtestapp.exe be loadable to $(FIELDTESTAPP_EXE_SID) and chambers" ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
<Authorize>
<Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
</Authorize>
</Rule>


edit 3:
Seems like "fieldtestapp.exe" is ROM locked. Need to try out some other targets.

edit 4:
Target acquired "ProximitySensorDisable.exe" > "ProximitySensorDisableBackup.exe"
Successful copy == no ROM lock.

edit 5:
There exists two types of talking to the LoadVerifier (the: This program is blocked by group policy.):

Direct exe name OR special certificate
How we do:
> Direct exe (hijack exe)

How we cant do (SHA1) (Nope, ain't gonna happen):
> We certainly dont have Microsofts certificate so this way is a nodo, haha lol, no do way.

(1: direct exe name) /LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE
(2: static/pre certificates) /LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574

edit 6:
Yep, loads of edits, just for you.

Allowed exe's to run (sorted a-z) (direct exe) (pre cert removed):
Code:
ACCESSIBILITYCPL.EXE
ACCOUNTSMANAGER.EXE
ALARMS.EXE
APPCHECKERSHIM.EXE
APPPREINSTALLER.EXE
AUTODATACONFIG.EXE
AUTOSIM.EXE
AUTOTIMEUPDATE.EXE
BRIGHTNESSCPL.EXE
BTUXCPL.EXE
CALENDARAPP.EXE
CALLSETTINGSHOST.EXE
CALNOT.EXE
CALUPD.EXE
CAM_FW_UPDATE_UI.EXE
CELLUXCPL.EXE
CERTINSTALLER.EXE
CFGHOST.EXE
CFLAUNCHER.EXE
CHDIALERHOST.EXE
CIPHASE2.EXE
CLIENTSHUTDOWN3.EXE
CLOCKNOT.EXE
CMACCEPT3.EXE
COLDINIT.EXE
COMMSVC.EXE
COMPOSITOR.EXE
CONFIGDM.EXE
CONFIGXML.EXE
CONMANCLIENT3.EXE
CONTACTS.EXE
CPROG.EXE
DATETIMECPL.EXE
DCVSSWITCH.EXE
DEPOTCOPY.EXE
DEVICEFEEDBACKCPL.EXE
DEVICEREG.EXE
DIAGPORTCHANGETEST.EXE
DLLHOST.EXE
DMSCHEDULERCALLBACK.EXE
DMSRV.EXE
DMSTOOLS.EXE
DUACLIENT.EXE
DW.EXE
EDM3.EXE
EMAIL.EXE
EMAILSETUP.EXE
ENDPOINT.EXE
FCROUTERCMDTEST.EXE
FIELDTESTAPP.EXE
FLIGHTMODE.EXE
GAMESUX.EXE
IEXPLORE.EXE
INITIATEDMSESSION.EXE
INVALIDLICENSEUXLAUNCHER.EXE
KEYBOARDCPL.EXE
LASSCREDENTIALEXPIRATIONCHECK.EXE
LASSRESTARTER.EXE
LIVETOKEN.EXE
LOCKCPL.EXE
LOOPBACKTEST.EXE
MEDIAGROVEL.EXE
MEUX.EXE
MITSMAN.EXE
MMSPRPROXY.EXE
MMSTRANSHOST.EXE
MULTIMEDIALAUNCHER.EXE
MYPHONECPL.EXE
MYPHONETASKSRUNTIME.EXE
NATIVEINSTALLERHOST.EXE
OFFICEURL.EXE
OMADMCLIENT.EXE
OMADMPRC.EXE
OMHUB.EXE
ONBOOTSQM.EXE
ONENOTEMOBILE.EXE
OOBE.EXE
PACMANINSTALLER.EXE
PHOTOENT.EXE
PHOTOENTCAPTURE.EXE
PHOTOUPLOADER.EXE
PPT.EXE
PWORD.EXE
PWRLOGCTRL.EXE
PXL.EXE
RAPICONFIG.EXE
REGIONCPL.EXE
RMACTIVATE.EXE
SAPISVR.EXE
SECSIMTKIT.EXE
SERVICESD.EXE
SERVICESSTART.EXE
SETTELEPORTMODE.EXE
SETTINGS3.EXE
SHORTMSG.EXE
SICLNT.EXE
SIGNALEVENT.EXE
SIREPSERVERAPPDEV.EXE
SMSETTINGS.EXE
SMSTRANSPORT.EXE
SOUNDCPL.EXE
SPEECHCPL.EXE
SPMC.EXE
SQMEVENT.EXE
SSUPDATE.EXE
TASKHOST.EXE
TELSHELL.EXE
TESTSHOW.EXE
THEMECPL.EXE
TOGGLEBROWSERHIBERNATION.EXE
TOGGLEDOG.EXE
UDEVICE.EXE
UIF.EXE
UNIFIEDPAIR.EXE
USBMGR.EXE
WEBSEARCH.EXE
WIFIUXSPLASH.EXE
WLANEXT.EXE
WLIDSETUP.EXE
WWANDATAMGR.EXE
XDRMREMOTESERV.EXE
ZIPVIEW.EXE
ZMFTASKLAUNCH.EXE

How code (yes i know its super un-optimized, fast put together):
Code:
var doc = XDocument.Load(File.OpenRead("SamsungOmnia7_BasePolicy_webserver.xml"));
var ea = doc.Elements().ToArray()[0].Elements()
    .Where(x => x.Name.LocalName == "Rule")
    .Where(x => x.Attributes("ResourceIri").Count() > 0)
    .Where(x =>
    {
        var r = x.Attribute("ResourceIri").Value;
        return r.Contains("LOADERVERIFIER") && r.ToLower().Contains(".exe") && !r.Contains("CERTIFICATES");
    })
    .Select(x =>
    {
        var v = x.Attribute("ResourceIri").Value;

        var l = v.LastIndexOf('/');

        return v.Substring(l + 1);
    })
    .Distinct()
    .OrderBy(x => x)
    .ToArray();

edit 7:
yeah, lol i say too.
Unprotected exe (FCRouterCmdTest.exe)
> c:\Project Work\SGH-i707(Cetus)\FCRouterCmdTest\Windows Mobile 6 Professional SDK (ARMV4I)\Release\FCRouterCmdTest.pdb
mfw samsung use "Windows Mobile 6 Professional SDK (ARMV4I)"
 
Last edited:

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
@fiinix,

You did a lot of testing. Good job, man.

A few comments:

0x800704ec "blocked by group policy" is THE error of the new WP7 security model. It is basically telling you to go f*ck yourself. Everything you do without enough privileges or capabilities results in this error.

The two ways of policies, exe-path and cert-hash, is result of difference between rom-modules and executables that are signed and added as a file. Rom-modules are not even normal files. You can't open and read them. They are executable sections that are mapped in rom-address-space. You can only call loadlibrary() and createprocess() on them. Since they are only executable sections, they don't have a signature, like a normal executable file would have. Therefore they are referred to with an exe-path. You may safely assume that every path to an executable in the policy files is referring to a rom-module and can't be overwritten in any way (except by cooking your own rom - who is going to unlock our bootloaders?!?) Other than that, there are a few signing certs that Microsoft has. Signing the different executables with different privileges and accordingly a different cert. Their hashes are in the policies.

Using ARMv7 isn't going to add much I'm afraid. Although it may make a difference in the exe-header. But you've seen tools that were really old, remember ;) And they were signed to have TCB access. And they were compiled for ARMv4. So it should not make much difference.

I did some testing with certificates myself yesterday. Up until Zune totally went bezerk on it. I don't know what happened, but after removing my own cooked certs it all seems normal again. Zune started using 100% cpu on verifying certs and dropping my connection all the time. Help! So I haven't made much progress. I will try again later. Hope it will go better. And I will try to resign an existing executable, as Flow WP7 suggested.
 

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
According to policy on my omnia (webserver dumped) there seems to exist two typed of HDD, one ROM hard coded and one that points to internal sd card. It seems that all exe and dll on the sd are not "protected" and therefore can be hijacked.
Seems like ARMv4 will be enough, but to be on the safe side i compile with both, to have more chance getting it work.
Zune, hmm, did not seem to like you, maybe Microsoft DDOS'ed you lol

"Sent from my fingers on my phone", don't expect way too long text :)
 
Last edited:
  • Like
Reactions: XxXPachaXxX

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
Excuse my ignorance...I'm a noob...This hack may also work on LG devices?

At the moment fiinix and I are both working on Samsungs and we use a couple of Samsung-specific exploit to get deeper in the system and getting a better understanding of the system. The ultimate goal is to find exploits that will work for all devices. But we're not at that stage yet. Hacking is research, a lot of trying and being lucky sometimes. Just bear with us ;)

Ciao,
Heathcliff74
 
  • Like
Reactions: XxXPachaXxX

Top Liked Posts

  • There are no posts matching your filters.
  • 25
    Breakthrough!

    Today I will change the topic title from "Status: Not possible >YET<" to "Status: Possible!".

    On Custom ROMs with Full Unlock it was already possible to run homebrew executables. For stock ROMs with Interop Unlock there is WP7 Root Tools which allows Policy Unlock for Silverlight applications. But running homebrew executables like Opera Mini was still not possible.

    But now I've found a way to unlock homebrew executables using policies and certificates. I need to do more research before I can implement this unlock in WP7 Root Tools, because the unlock currently still needs some manual actions. But I know it's possible now, because I have it working.

    I will keep you updated on the progress for implementing this in WP7 Root Tools.

    I have to thank Cotulla for helping me find a stupid mistake I made! His incredible knowledge helped me see why I thought it was not working yet :D

    Ciao,
    Heathcliff74
    10
    [2012/06/03] IMPORTANT UPDATE HERE

    Hi hackers,

    This is meant as a little update on one of the projects I've been working on. I'm kinda stuck now. I have a suspicion of what the problem is. I thought that maybe if I write a post about it, me or someone else will have an idea on how to get this working.

    The goal is to run native homebrew executables on WP7

    This has not been done yet. All apps are Silverlight apps that are compiled as DLL and run by Taskhost.exe with least privileges. All other executables are signed by Microsoft. Executables that are compiled as ARM executable cannot be started.

    The angle is to create a certificate that allows to sign a WP7 executable. Then add that to the appropriate certificate store. Create an executable. Sign it with the private key. Load it onto a WP7 device. Copy it to the Windows folder. Use an OEM driver to launch the executable.

    First I did research on the certificate stores. I can now with certainty state that there are 4 certificate stores:
    - CA
    - Root
    - My
    - Code Integrity

    After a lot of research I finally got complete read/write access to all of these stores. The Code Integrity store contains all the certificates that are used by the Loader Verifier to verify the executable that is being launched. When the device is launched for the first time, the certificates that are in \Windows\ciroots.p7b are installed to that certificate store. These certificates have these properties:

    Key Usage = 0x86 = Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
    Entended Key Usage = Code Signing (1.3.6.1.5.5.7.3.3) + Unknown key usage (1.3.6.1.4.1.311.10.3.14)

    So I used OpenSSL to create such an certificate (with private key) for myself. And I installed the certificate in the Code Integrity store.

    I then used VS2008 to create a completely barebone executable (ARMv4 Console app with only Sleep(-1) in the Main). I signed it with SignTool from Microsoft.

    I loaded the executable to my device and I copied it to the \Windows folder (I think the policies restrict executing to only from that folder, but I'm not sure about that).

    I use the Samsung driver to launch the executable, because I need at least Standard Rights to launch an executable. The Samsung driver has Elevated Rights. My own app has only Least Privileges. Using the Samsung driver does not return any success or fail codes. But looking at the Running Processes list, I don't see my Test.exe running. It should be, because the main thread is put to sleep infinitely.

    So why is this not working?

    Well, I have a guess. I think it's the policies that bind the certificates in the Code Integrity store to the different accounts/chambers. In the \Windows folder there are a lot of policy xml-files. On fist boot, these are merged into PolicyCommit.xml and then compiled to policydb.vol. When the Loader Verifier (lvmod.dll) loads an executable, it queries the policies to determine access rights and chamber for that executable. The policies that matter in this context are defined in 8314B832-8D03-444f-9A2A-1EF6FADCC3B8.policy.xml. It's an xml-file that basically says this:

    Code:
    Microsoft Mobile Device Privileged PCA       - ced778d7bb4cb41d26c40328cc9c0397926b4eea - not used in this context
    Microsoft Mobile Device TCB PCA              - 88bcaec267ef8b366c6e6215ac4028e7a1be2deb - honored by System Identity Group
    Microsoft Mobile Device Unprivileged PCA     - 1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a - honored by Standard Right Identity Group
    Microsoft Mobile Device VSD PCA              - 91b318116f8897d2860733fdf757b93345373574 - not used in this context
    VeriSign Mobile Root Authority for Microsoft - 069dbcca9590d1b5ed7c73de65795348e58d4ae3 - honored by LPC Identity Group

    I should find a way to add a policy with my certificate in it. Any ideas? :eek:

    Ciao,
    Heathcliff74
    6
    Great!

    I have to thank Cotulla for helping me find a stupid mistake I made! His incredible knowledge helped me see why I thought it was not working yet
    I won't tell to anyone :D
    4
    **** so CLOSE!

    Successful copied "main.exe" and "ExeX.exe" to "\Windows", where i have the right to launch them remotely.

    Method:


    WP7Process p = device.LaunchEXE(@"main.exe", "");

    main.exe (no signing, ARMv7):
    System.UnauthorizedAccessException: Access is denied.


    WP7Process p = device.LaunchEXE(@"ExeX.exe", "");

    ExeX.exe (signed with CA/ROOT custom, ARMv4):
    System.Runtime.InteropServices.COMException (0x800704EC): This program is blocked by group policy. For more information, contact your system administrator.

    There IS different things going on! Something is missing, but what :p

    edit:

    Signed main.exe with custom XDA ROOT certificate (ARMv7):
    signtool.exe sign /sha1 "[CertChomp]" "main.exe"
    > Now main.exe also gets "This program is blocked by group policy. For more information, contact your system administrator."
    Ill see if i can add it to startup list , if it boot from there.

    edit 2:
    Nope gonna hijack "fieldtestapp.exe" with my app because policy says:

    Risky-mode.Activate();

    Backup(fieldtestapp.exe, backupPath);
    Copy(main.exe, > fieldtestapp.exe);


    "LOADERVERIFIER_ROUTE_BY_NAME"
    "LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT"

    <Rule Description="Route fieldtestapp.exe" ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
    <Authorize>
    <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
    </Authorize>
    </Rule>

    <Rule Description="Authorize fieldtestapp.exe be loadable to $(FIELDTESTAPP_EXE_SID) and chambers" ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
    <Authorize>
    <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
    </Authorize>
    </Rule>


    edit 3:
    Seems like "fieldtestapp.exe" is ROM locked. Need to try out some other targets.

    edit 4:
    Target acquired "ProximitySensorDisable.exe" > "ProximitySensorDisableBackup.exe"
    Successful copy == no ROM lock.

    edit 5:
    There exists two types of talking to the LoadVerifier (the: This program is blocked by group policy.):

    Direct exe name OR special certificate
    How we do:
    > Direct exe (hijack exe)

    How we cant do (SHA1) (Nope, ain't gonna happen):
    > We certainly dont have Microsofts certificate so this way is a nodo, haha lol, no do way.

    (1: direct exe name) /LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE
    (2: static/pre certificates) /LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574

    edit 6:
    Yep, loads of edits, just for you.

    Allowed exe's to run (sorted a-z) (direct exe) (pre cert removed):
    Code:
    ACCESSIBILITYCPL.EXE
    ACCOUNTSMANAGER.EXE
    ALARMS.EXE
    APPCHECKERSHIM.EXE
    APPPREINSTALLER.EXE
    AUTODATACONFIG.EXE
    AUTOSIM.EXE
    AUTOTIMEUPDATE.EXE
    BRIGHTNESSCPL.EXE
    BTUXCPL.EXE
    CALENDARAPP.EXE
    CALLSETTINGSHOST.EXE
    CALNOT.EXE
    CALUPD.EXE
    CAM_FW_UPDATE_UI.EXE
    CELLUXCPL.EXE
    CERTINSTALLER.EXE
    CFGHOST.EXE
    CFLAUNCHER.EXE
    CHDIALERHOST.EXE
    CIPHASE2.EXE
    CLIENTSHUTDOWN3.EXE
    CLOCKNOT.EXE
    CMACCEPT3.EXE
    COLDINIT.EXE
    COMMSVC.EXE
    COMPOSITOR.EXE
    CONFIGDM.EXE
    CONFIGXML.EXE
    CONMANCLIENT3.EXE
    CONTACTS.EXE
    CPROG.EXE
    DATETIMECPL.EXE
    DCVSSWITCH.EXE
    DEPOTCOPY.EXE
    DEVICEFEEDBACKCPL.EXE
    DEVICEREG.EXE
    DIAGPORTCHANGETEST.EXE
    DLLHOST.EXE
    DMSCHEDULERCALLBACK.EXE
    DMSRV.EXE
    DMSTOOLS.EXE
    DUACLIENT.EXE
    DW.EXE
    EDM3.EXE
    EMAIL.EXE
    EMAILSETUP.EXE
    ENDPOINT.EXE
    FCROUTERCMDTEST.EXE
    FIELDTESTAPP.EXE
    FLIGHTMODE.EXE
    GAMESUX.EXE
    IEXPLORE.EXE
    INITIATEDMSESSION.EXE
    INVALIDLICENSEUXLAUNCHER.EXE
    KEYBOARDCPL.EXE
    LASSCREDENTIALEXPIRATIONCHECK.EXE
    LASSRESTARTER.EXE
    LIVETOKEN.EXE
    LOCKCPL.EXE
    LOOPBACKTEST.EXE
    MEDIAGROVEL.EXE
    MEUX.EXE
    MITSMAN.EXE
    MMSPRPROXY.EXE
    MMSTRANSHOST.EXE
    MULTIMEDIALAUNCHER.EXE
    MYPHONECPL.EXE
    MYPHONETASKSRUNTIME.EXE
    NATIVEINSTALLERHOST.EXE
    OFFICEURL.EXE
    OMADMCLIENT.EXE
    OMADMPRC.EXE
    OMHUB.EXE
    ONBOOTSQM.EXE
    ONENOTEMOBILE.EXE
    OOBE.EXE
    PACMANINSTALLER.EXE
    PHOTOENT.EXE
    PHOTOENTCAPTURE.EXE
    PHOTOUPLOADER.EXE
    PPT.EXE
    PWORD.EXE
    PWRLOGCTRL.EXE
    PXL.EXE
    RAPICONFIG.EXE
    REGIONCPL.EXE
    RMACTIVATE.EXE
    SAPISVR.EXE
    SECSIMTKIT.EXE
    SERVICESD.EXE
    SERVICESSTART.EXE
    SETTELEPORTMODE.EXE
    SETTINGS3.EXE
    SHORTMSG.EXE
    SICLNT.EXE
    SIGNALEVENT.EXE
    SIREPSERVERAPPDEV.EXE
    SMSETTINGS.EXE
    SMSTRANSPORT.EXE
    SOUNDCPL.EXE
    SPEECHCPL.EXE
    SPMC.EXE
    SQMEVENT.EXE
    SSUPDATE.EXE
    TASKHOST.EXE
    TELSHELL.EXE
    TESTSHOW.EXE
    THEMECPL.EXE
    TOGGLEBROWSERHIBERNATION.EXE
    TOGGLEDOG.EXE
    UDEVICE.EXE
    UIF.EXE
    UNIFIEDPAIR.EXE
    USBMGR.EXE
    WEBSEARCH.EXE
    WIFIUXSPLASH.EXE
    WLANEXT.EXE
    WLIDSETUP.EXE
    WWANDATAMGR.EXE
    XDRMREMOTESERV.EXE
    ZIPVIEW.EXE
    ZMFTASKLAUNCH.EXE

    How code (yes i know its super un-optimized, fast put together):
    Code:
    var doc = XDocument.Load(File.OpenRead("SamsungOmnia7_BasePolicy_webserver.xml"));
    var ea = doc.Elements().ToArray()[0].Elements()
        .Where(x => x.Name.LocalName == "Rule")
        .Where(x => x.Attributes("ResourceIri").Count() > 0)
        .Where(x =>
        {
            var r = x.Attribute("ResourceIri").Value;
            return r.Contains("LOADERVERIFIER") && r.ToLower().Contains(".exe") && !r.Contains("CERTIFICATES");
        })
        .Select(x =>
        {
            var v = x.Attribute("ResourceIri").Value;
    
            var l = v.LastIndexOf('/');
    
            return v.Substring(l + 1);
        })
        .Distinct()
        .OrderBy(x => x)
        .ToArray();

    edit 7:
    yeah, lol i say too.
    Unprotected exe (FCRouterCmdTest.exe)
    > c:\Project Work\SGH-i707(Cetus)\FCRouterCmdTest\Windows Mobile 6 Professional SDK (ARMV4I)\Release\FCRouterCmdTest.pdb
    mfw samsung use "Windows Mobile 6 Professional SDK (ARMV4I)"
    3
    FINALLY!!

    STATUS: DONE! :D

    www.wp7roottools.com

    Ciao,
    Heathcliff74