Running Homebrew Native Executables - Status: DONE!!

By Heathcliff74, Recognized Developer on 6th June 2011, 08:16 PM
11th June 2011, 10:15 PM |#11  
fiinix, Retired Recognized Developer
Currently installing "Windows Embedded Compact 7", because this lousy ARMv4 compiler (from WM5-6) maybe generates wrong ARM op-codes (WP7 runs ARMv7), therefore it says "Invalid program signature" (or whatever error it was).
Maybe ARMv7 isn't even backwards compatible with ARMv4.
By compiling with the ARMv7 compiler from WEM7, it will probably (hope) generate a valid exe.
That's it..

edit:
*Research

"Armv7 is the processor instruction set used starting with the S5L8920 in the iPhone 3GS and in all subsequent devices. Processors that support Armv7 instructions are backward compatible with Armv6 instructions, but attempting to run binaries compiled for Arm7 on older, Armv6 processors will result in the error: "Bad CPU type in executable"."

Source: http://theiphonewiki.com/wiki/index.php?title=Armv7
___

"As I said in the past, the ARMv6 CTR was kept backwards compatible with
earlier versions of the ARM architecture (and ARM tried to keep it like
this as much as possible). With ARMv7, you have multiple levels of cache
and different types (e.g. ASID-tagged VIVT I-cache). There is no way you
could encode the useful information while keeping the same (and only)
register, hence the need for a new register."

Source: http://www.spinics.net/lists/arm-kernel/msg58813.html

As I see this (^), all ARMv > 6 == no backwards
ARMv6 had backwards to 4

ARMv7 >> ARMv6 compatibility, not more.
_

Problem officer even running ARMv4???
>On a non ARMv4 backwards compatibility CPU.
Profit!!

__
[ExeX.exe] (the one that I recompiled to a state: "this has to work") (ARMv4)
Decompilation:
Code:
; Attributes: bp-based frame

EXPORT start
start

var_20= -0x20
oldR4= -0x1C
oldR5= -0x18
oldR6= -0x14
oldR7= -0x10
oldR11= -0xC
oldSP= -8
oldLR= -4

MOV     R12, SP
STMFD   SP!, {R4-R7,R11,R12,LR}
ADD     R11, SP, #0x1C
SUB     SP, SP, #4
MOV     R4, R3
MOV     R5, R2
MOV     R6, R1
MOV     R7, R0

.
Next up, decompile an ARMv7 from a raw device. (how, someone has one)
 
 
11th June 2011, 11:33 PM |#12  
athompson, Senior Member
Quote:
Originally Posted by fiinix

Next up, decompile an ARMv7 from a raw device. (how, someone has one)

I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?
12th June 2011, 10:37 AM |#13  
fiinix, Retired Recognized Developer
Quote:
Originally Posted by athompson

I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?

IDA Pro, yes. I'll see if I can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.
12th June 2011, 10:47 AM |#14  
Heathcliff74, OP Recognized Developer
Quote:
Originally Posted by fiinix

IDA Pro, yes. I'll see if I can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.

First use Andim's WP7 Rom Tools to extract the rommodules. Remember to always dump a folder, not a single file.

Then use Denomitor's version of Recmod and follow the instructions in the post. That works most of the time.
12th June 2011, 03:09 PM |#15  
fiinix, Retired Recognized Developer
Going forward

Currently building the WP7 ARMv7 commandline, getting closer.
Current cmd (not working, no need to help):
Code:
"C:\WINCE700\sdk\bin\i386\arm\cl.exe" /Od /D "_DEBUG" /D "_WIN32_WCE=0x700" /D "UNDER_CE" /D "ZUNE_HD" /D "WINCE" /D "DEBUG" /D "_WINDOWS" /D "ARM" /D "_ARM_" /D "_UNICODE" /D "UNICODE" /D "_CRT_SECURE_NO_WARNINGS" /Gm /EHsc /MTd /Gy /fp:fast /GR- /Fo"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/" /Fd"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/vc80.pdb" /W3 /c /Zi /TP /QRfpe- /QRarch7 "C:\Users\Steven VM\Desktop\ARMv7\main.cpp"
/QRarch7 is the ARMv7.

edit:
HOORRY SHEEAT
generated:
> main.obj
> vc80.idb
> vc80.pdb

O.o, feels soo good:
main.exe is there.

IDA Pro says "ARM AND THUMB MODE SWITCH INSTRUCTIONS", just like others.

Code:
; Input MD5   : B50E8D8395DE7CA2419464DC3CE0BC74

; File Name   : C:\Users\Steven\Desktop\burn\main.exe
; Format      : Portable executable for ARMI (PE)
; Imagebase   : 10000
; Section 1. (virtual address 00001000)
; Virtual size                  : 00000018 (     24.)
; Section size in file          : 00000200 (    512.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment     : default

; Processor       : ARM
; Target assembler: Generic assembler for ARM
; Byte sex        : Little endian


; Segment type: Pure code
AREA .text, CODE, READWRITE, ALIGN=4
; ORG 0x11000
CODE32



EXPORT start
start

var_4= -4

SUB     SP, SP, #4
MOV     R3, #1
STR     R3, [SP,#4+var_4]
LDR     R0, [SP,#4+var_4]
ADD     SP, SP, #4
BX      LR
; End of function start
Made an empty entry point as from above ^:
Code:
int wWinMainCRTStartup()
{
	return 1;
}

PE Explorer (main.exe):

Machine: THUMB
Operating System Version: 7.0
Image Version: 7.0
Subsystem Version: 7.0
Subsystem: WinCE GUI
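The "Machine: THUMB / Subsystem: WinCE GUI / version 7.0" fields that PE Explorer printed for main.exe all live in the COFF and optional headers, so they can be checked on the build machine before anything is copied to a phone. The following parser is an added example written for this thread, not fiinix's or Heathcliff74's code; the PE bytes it reads are constructed in `build_sample_pe` to mirror the values shown above (machine 0x01C2 THUMB, image base 0x10000, subsystem 9), and `looks_like_wince_arm_build` is a hypothetical helper name.

```python
import struct

# Machine and subsystem values from the PE/COFF spec (only the ones relevant to WinCE ARM builds)
MACHINE_NAMES = {0x01C0: "ARM", 0x01C2: "THUMB", 0x01C4: "ARMNT"}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows CUI", 9: "WinCE GUI"}


def build_sample_pe(machine=0x01C2):
    """Construct a minimal PE32 header image shaped like the main.exe in the post above.
    Constructed sample for the parser, not bytes from the real file."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                 # e_lfanew: PE signature at offset 0x40
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)             # AddressOfEntryPoint (start at RVA 0x1000)
    struct.pack_into("<I", opt, 28, 0x10000)            # ImageBase (IDA printed 10000)
    struct.pack_into("<HH", opt, 40, 7, 0)              # Major/MinorOperatingSystemVersion 7.0
    struct.pack_into("<HH", opt, 44, 7, 0)              # Major/MinorImageVersion 7.0
    struct.pack_into("<HH", opt, 48, 7, 0)              # Major/MinorSubsystemVersion 7.0
    struct.pack_into("<H", opt, 68, 9)                  # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CE_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_header(data):
    """Return the header fields PE Explorer showed for main.exe, read straight from the bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    machine, nsections, _, _, _, size_opt, _chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt = coff_off + 20
    if size_opt < 70 or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    os_major, os_minor, img_major, img_minor, ss_major, ss_minor = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": struct.unpack_from("<I", data, opt + 28)[0],
        "os_version": f"{os_major}.{os_minor}",
        "image_version": f"{img_major}.{img_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
    }


def looks_like_wince_arm_build(info):
    """Sanity check before bothering the device: ARM/Thumb machine type and the WinCE GUI subsystem."""
    return info["machine"] in ("ARM", "THUMB", "ARMNT") and info["subsystem"] == "WinCE GUI"


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Running the script on a real file is a matter of `parse_pe_header(open(path, "rb").read())`; a binary built with the WM6 SDK against the wrong subsystem or machine type fails `looks_like_wince_arm_build` before the loader ever sees it.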
13th June 2011, 03:20 PM |#16  
fiinix, Retired Recognized Developer
**** so CLOSE!

Successfully copied "main.exe" and "ExeX.exe" to "\Windows", where I have the right to launch them remotely.

Method:


WP7Process p = device.LaunchEXE(@"main.exe", "");

main.exe (no signing, ARMv7):
System.UnauthorizedAccessException: Access is denied.


WP7Process p = device.LaunchEXE(@"ExeX.exe", "");

ExeX.exe (signed with CA/ROOT custom, ARMv4):
System.Runtime.InteropServices.COMException (0x800704EC): This program is blocked by group policy. For more information, contact your system administrator.

There ARE different things going on! Something is missing, but what :P

edit:

Signed main.exe with custom XDA ROOT certificate (ARMv7):
signtool.exe sign /sha1 "[CertChomp]" "main.exe"
> Now main.exe also gets "This program is blocked by group policy. For more information, contact your system administrator."
I'll see if I can add it to the startup list, if it boots from there.

edit 2:
Nope gonna hijack "fieldtestapp.exe" with my app because policy says:

Risky-mode.Activate();

Backup(fieldtestapp.exe, backupPath);
Copy(main.exe, > fieldtestapp.exe);


"LOADERVERIFIER_ROUTE_BY_NAME"
"LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT"

<Rule Description="Route fieldtestapp.exe" ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
<Authorize>
<Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
</Authorize>
</Rule>

<Rule Description="Authorize fieldtestapp.exe be loadable to $(FIELDTESTAPP_EXE_SID) and chambers" ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
<Authorize>
<Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
</Authorize>
</Rule>


edit 3:
Seems like "fieldtestapp.exe" is ROM locked. Need to try out some other targets.

edit 4:
Target acquired "ProximitySensorDisable.exe" > "ProximitySensorDisableBackup.exe"
Successful copy == no ROM lock.

edit 5:
There exist two types of talking to the LoadVerifier (the: This program is blocked by group policy.):

Direct exe name OR special certificate
How we do:
> Direct exe (hijack exe)

How we can't do (SHA1) (Nope, ain't gonna happen):
> We certainly don't have Microsoft's certificate so this way is a nodo, haha lol, no do way.

(1: direct exe name) /LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE
(2: static/pre certificates) /LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574

edit 6:
Yep, loads of edits, just for you.

Allowed exes to run (sorted a-z) (direct exe) (pre cert removed):
Code:
ACCESSIBILITYCPL.EXE
ACCOUNTSMANAGER.EXE
ALARMS.EXE
APPCHECKERSHIM.EXE
APPPREINSTALLER.EXE
AUTODATACONFIG.EXE
AUTOSIM.EXE
AUTOTIMEUPDATE.EXE
BRIGHTNESSCPL.EXE
BTUXCPL.EXE
CALENDARAPP.EXE
CALLSETTINGSHOST.EXE
CALNOT.EXE
CALUPD.EXE
CAM_FW_UPDATE_UI.EXE
CELLUXCPL.EXE
CERTINSTALLER.EXE
CFGHOST.EXE
CFLAUNCHER.EXE
CHDIALERHOST.EXE
CIPHASE2.EXE
CLIENTSHUTDOWN3.EXE
CLOCKNOT.EXE
CMACCEPT3.EXE
COLDINIT.EXE
COMMSVC.EXE
COMPOSITOR.EXE
CONFIGDM.EXE
CONFIGXML.EXE
CONMANCLIENT3.EXE
CONTACTS.EXE
CPROG.EXE
DATETIMECPL.EXE
DCVSSWITCH.EXE
DEPOTCOPY.EXE
DEVICEFEEDBACKCPL.EXE
DEVICEREG.EXE
DIAGPORTCHANGETEST.EXE
DLLHOST.EXE
DMSCHEDULERCALLBACK.EXE
DMSRV.EXE
DMSTOOLS.EXE
DUACLIENT.EXE
DW.EXE
EDM3.EXE
EMAIL.EXE
EMAILSETUP.EXE
ENDPOINT.EXE
FCROUTERCMDTEST.EXE
FIELDTESTAPP.EXE
FLIGHTMODE.EXE
GAMESUX.EXE
IEXPLORE.EXE
INITIATEDMSESSION.EXE
INVALIDLICENSEUXLAUNCHER.EXE
KEYBOARDCPL.EXE
LASSCREDENTIALEXPIRATIONCHECK.EXE
LASSRESTARTER.EXE
LIVETOKEN.EXE
LOCKCPL.EXE
LOOPBACKTEST.EXE
MEDIAGROVEL.EXE
MEUX.EXE
MITSMAN.EXE
MMSPRPROXY.EXE
MMSTRANSHOST.EXE
MULTIMEDIALAUNCHER.EXE
MYPHONECPL.EXE
MYPHONETASKSRUNTIME.EXE
NATIVEINSTALLERHOST.EXE
OFFICEURL.EXE
OMADMCLIENT.EXE
OMADMPRC.EXE
OMHUB.EXE
ONBOOTSQM.EXE
ONENOTEMOBILE.EXE
OOBE.EXE
PACMANINSTALLER.EXE
PHOTOENT.EXE
PHOTOENTCAPTURE.EXE
PHOTOUPLOADER.EXE
PPT.EXE
PWORD.EXE
PWRLOGCTRL.EXE
PXL.EXE
RAPICONFIG.EXE
REGIONCPL.EXE
RMACTIVATE.EXE
SAPISVR.EXE
SECSIMTKIT.EXE
SERVICESD.EXE
SERVICESSTART.EXE
SETTELEPORTMODE.EXE
SETTINGS3.EXE
SHORTMSG.EXE
SICLNT.EXE
SIGNALEVENT.EXE
SIREPSERVERAPPDEV.EXE
SMSETTINGS.EXE
SMSTRANSPORT.EXE
SOUNDCPL.EXE
SPEECHCPL.EXE
SPMC.EXE
SQMEVENT.EXE
SSUPDATE.EXE
TASKHOST.EXE
TELSHELL.EXE
TESTSHOW.EXE
THEMECPL.EXE
TOGGLEBROWSERHIBERNATION.EXE
TOGGLEDOG.EXE
UDEVICE.EXE
UIF.EXE
UNIFIEDPAIR.EXE
USBMGR.EXE
WEBSEARCH.EXE
WIFIUXSPLASH.EXE
WLANEXT.EXE
WLIDSETUP.EXE
WWANDATAMGR.EXE
XDRMREMOTESERV.EXE
ZIPVIEW.EXE
ZMFTASKLAUNCH.EXE
The code (yes, I know it's super un-optimized, quickly put together):
Code:
using System;
using System.IO;
using System.Linq;
using System.Xml.Linq;

// Load the dumped policy and keep only LOADERVERIFIER rules that name an .exe directly
// (the certificate-hash rules are filtered out)
var doc = XDocument.Load(File.OpenRead("SamsungOmnia7_BasePolicy_webserver.xml"));
var ea = doc.Elements().ToArray()[0].Elements()   // children of the root element
    .Where(x => x.Name.LocalName == "Rule")
    .Where(x => x.Attributes("ResourceIri").Count() > 0)
    .Where(x =>
    {
        var r = x.Attribute("ResourceIri").Value;
        return r.Contains("LOADERVERIFIER") && r.ToLower().Contains(".exe") && !r.Contains("CERTIFICATES");
    })
    .Select(x =>
    {
        var v = x.Attribute("ResourceIri").Value;

        var l = v.LastIndexOf('/');   // keep only the file name after the last '/'

        return v.Substring(l + 1);
    })
    .Distinct()
    .OrderBy(x => x)
    .ToArray();
edit 7:
yeah, lol I say too.
Unprotected exe (FCRouterCmdTest.exe)
> c:\Project Work\SGH-i707(Cetus)\FCRouterCmdTest\Windows Mobile 6 Professional SDK (ARMV4I)\Release\FCRouterCmdTest.pdb
mfw samsung use "Windows Mobile 6 Professional SDK (ARMV4I)"
13th June 2011, 09:00 PM |#17  
fiinix, Retired Recognized Developer
Wow, this truly was a big step today
Done hacking today.
"After a day, there comes another day"
14th June 2011, 12:01 AM |#18  
Heathcliff74, OP Recognized Developer
@fiinix,

You did a lot of testing. Good job, man.

A few comments:

0x800704ec "blocked by group policy" is THE error of the new WP7 security model. It is basically telling you to go f*ck yourself. Everything you do without enough privileges or capabilities results in this error.

The two ways of policies, exe-path and cert-hash, are the result of the difference between rom-modules and executables that are signed and added as a file. Rom-modules are not even normal files. You can't open and read them. They are executable sections that are mapped in rom-address-space. You can only call loadlibrary() and createprocess() on them. Since they are only executable sections, they don't have a signature, like a normal executable file would have. Therefore they are referred to with an exe-path. You may safely assume that every path to an executable in the policy files is referring to a rom-module and can't be overwritten in any way (except by cooking your own rom - who is going to unlock our bootloaders?!?). Other than that, there are a few signing certs that Microsoft has, signing the different executables with different privileges and accordingly a different cert. Their hashes are in the policies.

Using ARMv7 isn't going to add much I'm afraid. Although it may make a difference in the exe-header. But you've seen tools that were really old, remember? And they were signed to have TCB access. And they were compiled for ARMv4. So it should not make much difference.

I did some testing with certificates myself yesterday. Up until Zune totally went berserk on it. I don't know what happened, but after removing my own cooked certs it all seems normal again. Zune started using 100% cpu on verifying certs and dropping my connection all the time. Help! So I haven't made much progress. I will try again later. Hope it will go better. And I will try to resign an existing executable, as Flow WP7 suggested.
14th June 2011, 12:20 AM |#19  
fiinix, Retired Recognized Developer
According to the policy on my Omnia (webserver dumped) there seem to exist two types of HDD, one ROM hard coded and one that points to the internal SD card. It seems that all exe and dll on the SD are not "protected" and therefore can be hijacked.
Seems like ARMv4 will be enough, but to be on the safe side I compile with both, to have more chance of getting it to work.
Zune, hmm, did not seem to like you, maybe Microsoft DDOS'ed you lol

"Sent from my fingers on my phone", don't expect way too long text
14th June 2011, 09:35 AM |#20  
Heathcliff74, OP Recognized Developer
Quote:
Originally Posted by XxXPachaXxX

Excuse my ignorance...I'm a noob...This hack may also work on LG devices?

At the moment fiinix and I are both working on Samsungs and we use a couple of Samsung-specific exploits to get deeper in the system and get a better understanding of the system. The ultimate goal is to find exploits that will work for all devices. But we're not at that stage yet. Hacking is research, a lot of trying and being lucky sometimes. Just bear with us.

Ciao,
Heathcliff74
14th June 2011, 12:50 PM |#21  
fiinix, Retired Recognized Developer
Starting today's hacking, shall we?

Going through some research I've found pretty fast.
MSDN > Security Loader

"
LVMOD uses the following criteria to determine whether to run an application:

* Any module loaded from read-only memory (ROM) can run.
* Any module that is digitally signed with a certificate from the device certificate store can run. For more information about digital signing with a certificate, see Signing Binaries.
* Any module that does not meet these criteria cannot run.
"

Microsoft's new retarded function:
MSDN > LoaderVerifierAuthorize
MSDN > LoaderVerifierAuthenticateFile

guidAuthClass: MSDN > LV_AUTHENTICATIONGUID_

Code:
HRESULT LoaderVerifierAuthorize(
    __in HANDLE                  hslauthnFile,
    __out LV_AUTHORIZATION*      pslauthz
);

HRESULT LoaderVerifierAuthenticateFile(
    __in const GUID*        guidAuthClass,
    __in_opt HANDLE         hFile,
    __in LPCWSTR            szFilePath,
    __in_opt LPCWSTR        szHashHint,
    __in HANDLE             hReserved,
    __out LPHANDLE          phslauthnFile
);
How it calls our exe to check it:

Code:
// Sketch of the chained calls; the arguments marked as unknown are guesses
BOOL success = LoaderVerifierAuthenticateFile(
    LV_AUTHENTICATIONGUID_PORTABLEEXECUTABLE,
    fopen("\\Windows\\ExeX.exe"),     // file handle IO
    "\\Windows\\ExeX.exe",
    LoaderVerifierGetHash( ... ),     // unknown if called OR NULL
    NULL,
    &OUT_authInfo);


BOOL success2 = LoaderVerifierAuthorize(
    OUT_authInfo, // from the function above; chained call.
    &OUT_auth
);
if second call "LoaderVerifierAuthorize" fails (return value = 0):

INT code = GetLastError();
Code:
LV_E_BLOCKED
The file is blocked by security policy.
LV_E_NO_SIGNATURE
The file is not digitally signed by trusted authorities.
LV_E_TAMPERED
The module has been tampered with.
LV_E_CERTIFICATE_EXPIRED
The signing certificate or one of the certificates in the trust chain is expired.
LV_E_CERTIFICATE_NOT_TRUSTED
The signing certificate or one of the certificates in the trust chain is not trusted.
LV_E_CERTIFICATE_USAGE_VIOLATION
The signing certificate or one of the certificates in the trust chain violated its usage constraint.
LV_E_RESTRICTED_TO_LAUNCH
The security policy restricted the file to launches from only one specific chamber.
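Putting the two halves of the thread together: post #16 extracts the by-name LOADERVERIFIER rules from a dumped BasePolicy, and the MSDN text quoted above gives the three criteria LVMOD applies (ROM module, trusted-certificate signature, otherwise blocked). The script below is an added example for this thread, not code from fiinix, Heathcliff74 or Microsoft. It parses a constructed policy fragment shaped like the rules quoted in post #16 (the SHA-1 in it is a placeholder, not a real signer hash), splits the rules into the two kinds identified in edit 5 (direct exe name vs. certificate hash), and then applies a simplified model of the loader decision; `classify_launch` and the mapping of outcomes onto the LV_E_* names are a reconstruction from the thread and are assumptions, not the real loader logic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy fragment in the shape of the rules quoted in this thread (not a real dump).
# The certificate hash is a placeholder value.
SAMPLE_POLICY = """<BasePolicy>
  <Rule Description="Route cfghost.exe"
        ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/CFGHOST.EXE"
        SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
    <Authorize><Match AccountId="$(CFGHOST_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE"/></Authorize>
  </Rule>
  <Rule Description="Authorize fieldtestapp.exe"
        ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE"
        SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
    <Authorize><Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD"/></Authorize>
  </Rule>
  <Rule Description="Trusted signer (placeholder hash)"
        ResourceIri="/LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/0123456789ABCDEF0123456789ABCDEF01234567"
        SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
    <Authorize><Match AccountId="$(EVERYONE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE"/></Authorize>
  </Rule>
  <Rule Description="Unrelated resource" ResourceIri="/SOMETHING/ELSE/FOO.DLL"
        SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW"/>
</BasePolicy>"""

CERT_RE = re.compile(r"/CERTIFICATES/HASH/SHA1/([0-9A-Fa-f]{40})$")


def load_loader_rules(xml_text):
    """Split LOADERVERIFIER rules into the two kinds the thread identified:
    executables authorised by name (ROM modules) and trusted signer SHA-1 hashes.
    Returns (sorted list of exe names, set of upper-case hashes)."""
    root = ET.fromstring(xml_text)
    by_name, cert_hashes = set(), set()
    for rule in root.iter("Rule"):
        iri = rule.get("ResourceIri")
        if not iri or "LOADERVERIFIER" not in iri:
            continue                                   # not a loader rule at all
        m = CERT_RE.search(iri)
        if m:
            cert_hashes.add(m.group(1).upper())        # type 2: static/pre certificate
        elif iri.upper().endswith(".EXE"):
            by_name.add(iri.rsplit("/", 1)[1].upper())  # type 1: direct exe name
    return sorted(by_name), cert_hashes


def classify_launch(exe_name, loaded_from_rom, signer_sha1, rules):
    """Simplified model of the LVMOD criteria quoted from MSDN (assumption: reconstructed from
    the thread, not the real loader). signer_sha1 is the SHA-1 of the signing certificate,
    or None for an unsigned file."""
    by_name, cert_hashes = rules
    if loaded_from_rom:
        return "ALLOWED"                       # criterion 1: any module loaded from ROM can run
    if signer_sha1 is None:
        return "LV_E_NO_SIGNATURE"             # not signed at all
    if signer_sha1.upper() in cert_hashes:
        return "ALLOWED"                       # criterion 2: signed with a trusted device-store cert
    if exe_name.upper() in by_name:
        # Same name as a by-name rule, but the file is not the ROM module that rule refers to
        return "LV_E_BLOCKED"
    return "LV_E_CERTIFICATE_NOT_TRUSTED"      # signed, but not by a cert the policy lists


if __name__ == "__main__":
    rules = load_loader_rules(SAMPLE_POLICY)
    print("by name:", rules[0])
    print("cert hashes:", sorted(rules[1]))
    print(classify_launch("main.exe", False, None, rules))
    print(classify_launch("fieldtestapp.exe", False, "ff" * 20, rules))
```

`load_loader_rules` does the same job as the LINQ snippet in post #16 but keeps the certificate rules instead of discarding them, so one pass over a real dump (swap `SAMPLE_POLICY` for the file contents) yields both the by-name list and the trusted-hash list; `classify_launch` then shows why a file copied into \Windows under an allowed name, or signed with a self-made root, lands on an LV_E_* result rather than on "ALLOWED".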
Tags
executable, homebrew, mango, native, wp7
