Running Homebrew Native Executables - Status: DONE!!


GoodDayToDie

Creating a live tile should be totally possible; we already know the API for that. Doing it in a way that won't wreck the battery life will take careful work, but is surely possible.

What I'm excited about here is a persistent background service that isn't subject to the app model restrictions. This can be used for things like automatically muting the phone in meetings (with exact timing, not the loose timing that the current background APIs give). It can also be used for things like making OpenVPN (a current project of mine) work on stock ROMs, which would otherwise be very difficult (technically possible if I can get the driver to load on a stock ROM, but a mess of hacks even then).
 

luka69

> Today I will change the topic title from "Status: Not possible >YET<" to "Status: Possible!".
>
> On Custom ROMs with Full Unlock it was already possible to run homebrew executables. For stock ROMs with Interop Unlock there is WP7 Root Tools which allows Policy Unlock for Silverlight applications. But running homebrew executables like Opera Mini was still not possible.
>
> But now I've found a way to unlock homebrew executables using policies and certificates. I need to do more research before I can implement this unlock in WP7 Root Tools, because the unlock currently still needs some manual actions. But I know it's possible now, because I have it working.
>
> I will keep you updated on the progress for implementing this in WP7 Root Tools.
>
> I have to thank Cotulla for helping me find a stupid mistake I made! His incredible knowledge helped me see why I thought it was not working yet :D
>
> Ciao,
> Heathcliff74

Hi, thanks for your wonderful job!!
Have any news about it? I would like to use opera with my unlocked optimus7.
 

Heathcliff74

> Hi, thanks for your wonderful job!!
> Have any news about it? I would like to use opera with my unlocked optimus7.

There's no way to predict an ETA. Depends on how much time I can spend on it. Currently working on a managed abstraction layer for the policy engine, so I can integrate my new unlocks in WP7 Root Tools. Making a little progress every day. Just bear with me.

Ciao,
Heathcliff74
 

snickler

> There's no way to predict an ETA. Depends on how much time I can spend on it. Currently working on a managed abstraction layer for the policy engine, so I can integrate my new unlocks in WP7 Root Tools. Making a little progress every day. Just bear with me.
>
> Ciao,
> Heathcliff74

thanks for taking the time to work on this =)

Sent from my SGH-i917 using XDA Windows Phone 7 App
 

Nixeus

If I understand, with this project, we could execute homebrew without using the Interop Hack, isn't it?
 

GoodDayToDie

@Nixeus: Not really. This will require making changes to the OS configuration that can only be made with high privilege access. Aside from custom ROMs with full-unlock (which can already run homebrew EXEs), the only ways to get this access on the phone currently all require interop-unlock. For example, WP7 Root Tools requires ID_CAP_INTEROPSERVICES so your phone must be interop-unlocked to install it.
 

Nixeus

I would like to re-create or port a little C/C++ application which I have written for WM6.5.

My application used the RAS function in order to manage the DATA connection.

Can I do it?
If yes, with COM interop? Or is there an easier way today?

Is there a guide?

Thanks a lot,

Nixeus
 

ultrashot

> I would like to re-create or port a little C/C++ application which I have written for WM6.5.
>
> My application used the RAS function in order to manage the DATA connection.
>
> Can I do it?
> If yes, with COM interop? Or is there an easier way today?
>
> Is there a guide?
>
> Thanks a lot,
>
> Nixeus

The best (in general) way today is to write a Silverlight app with native COM libraries inside. Follow this guide: http://xdaforums.com/showthread.php?t=1299134
 

Top Liked Posts

  • 25
    Breakthrough!

    Today I will change the topic title from "Status: Not possible >YET<" to "Status: Possible!".

    On Custom ROMs with Full Unlock it was already possible to run homebrew executables. For stock ROMs with Interop Unlock there is WP7 Root Tools which allows Policy Unlock for Silverlight applications. But running homebrew executables like Opera Mini was still not possible.

    But now I've found a way to unlock homebrew executables using policies and certificates. I need to do more research before I can implement this unlock in WP7 Root Tools, because the unlock currently still needs some manual actions. But I know it's possible now, because I have it working.

    I will keep you updated on the progress for implementing this in WP7 Root Tools.

    I have to thank Cotulla for helping me find a stupid mistake I made! His incredible knowledge helped me see why I thought it was not working yet :D

    Ciao,
    Heathcliff74
    10
    [2012/06/03] IMPORTANT UPDATE HERE

    Hi hackers,

    This is meant as a little update on one of the projects I've been working on. I'm kinda stuck now. I have a suspicion of what the problem is. I thought that maybe if I write a post about it, me or someone else will have an idea on how to get this working.

    The goal is to run native homebrew executables on WP7

    This has not been done yet. All apps are Silverlight apps that are compiled as DLL and run by Taskhost.exe with least privileges. All other executables are signed by Microsoft. Executables that are compiled as ARM executable cannot be started.

    The angle is to create a certificate that allows to sign a WP7 executable. Then add that to the appropriate certificate store. Create an executable. Sign it with the private key. Load it onto a WP7 device. Copy it to the Windows folder. Use an OEM driver to launch the executable.

    First I did research on the certificate stores. I can now with certainty state that there are 4 certificate stores:
    - CA
    - Root
    - My
    - Code Integrity

    After a lot of research I finally got complete read/write access to all of these stores. The Code Integrity store contains all the certificates that are used by the Loader Verifier to verify the executable that is being launched. When the device is launched for the first time, the certificates that are in \Windows\ciroots.p7b are installed to that certificate store. These certificates have these properties:

    Key Usage = 0x86 = Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
    Extended Key Usage = Code Signing (1.3.6.1.5.5.7.3.3) + Unknown key usage (1.3.6.1.4.1.311.10.3.14)

    So I used OpenSSL to create such a certificate (with private key) for myself. And I installed the certificate in the Code Integrity store.

    I then used VS2008 to create a completely barebone executable (ARMv4 Console app with only Sleep(-1) in the Main). I signed it with SignTool from Microsoft.

    I loaded the executable to my device and I copied it to the \Windows folder (I think the policies restrict executing to only from that folder, but I'm not sure about that).

    I use the Samsung driver to launch the executable, because I need at least Standard Rights to launch an executable. The Samsung driver has Elevated Rights. My own app has only Least Privileges. Using the Samsung driver does not return any success or fail codes. But looking at the Running Processes list, I don't see my Test.exe running. It should be, because the main thread is put to sleep infinitely.

    So why is this not working?

    Well, I have a guess. I think it's the policies that bind the certificates in the Code Integrity store to the different accounts/chambers. In the \Windows folder there are a lot of policy xml-files. On first boot, these are merged into PolicyCommit.xml and then compiled to policydb.vol. When the Loader Verifier (lvmod.dll) loads an executable, it queries the policies to determine access rights and chamber for that executable. The policies that matter in this context are defined in 8314B832-8D03-444f-9A2A-1EF6FADCC3B8.policy.xml. It's an xml-file that basically says this:

    Code:
    Microsoft Mobile Device Privileged PCA       - ced778d7bb4cb41d26c40328cc9c0397926b4eea - not used in this context
    Microsoft Mobile Device TCB PCA              - 88bcaec267ef8b366c6e6215ac4028e7a1be2deb - honored by System Identity Group
    Microsoft Mobile Device Unprivileged PCA     - 1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a - honored by Standard Right Identity Group
    Microsoft Mobile Device VSD PCA              - 91b318116f8897d2860733fdf757b93345373574 - not used in this context
    VeriSign Mobile Root Authority for Microsoft - 069dbcca9590d1b5ed7c73de65795348e58d4ae3 - honored by LPC Identity Group

    I should find a way to add a policy with my certificate in it. Any ideas? :eek:

    Ciao,
    Heathcliff74
    6
    Great!

    I have to thank Cotulla for helping me find a stupid mistake I made! His incredible knowledge helped me see why I thought it was not working yet
    I won't tell to anyone :D
    4
    **** so CLOSE!

    Successfully copied "main.exe" and "ExeX.exe" to "\Windows", where I have the right to launch them remotely.

    Method:


    WP7Process p = device.LaunchEXE(@"main.exe", "");

    main.exe (no signing, ARMv7):
    System.UnauthorizedAccessException: Access is denied.


    WP7Process p = device.LaunchEXE(@"ExeX.exe", "");

    ExeX.exe (signed with CA/ROOT custom, ARMv4):
    System.Runtime.InteropServices.COMException (0x800704EC): This program is blocked by group policy. For more information, contact your system administrator.

    There ARE different things going on! Something is missing, but what :p

    edit:

    Signed main.exe with custom XDA ROOT certificate (ARMv7):
    signtool.exe sign /sha1 "[CertChomp]" "main.exe"
    > Now main.exe also gets "This program is blocked by group policy. For more information, contact your system administrator."
    I'll see if I can add it to the startup list, if it boots from there.

    edit 2:
    Nope gonna hijack "fieldtestapp.exe" with my app because policy says:

    Risky-mode.Activate();

    Backup(fieldtestapp.exe, backupPath);
    Copy(main.exe, > fieldtestapp.exe);


    "LOADERVERIFIER_ROUTE_BY_NAME"
    "LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT"

    <Rule Description="Route fieldtestapp.exe" ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
        <Authorize>
            <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
        </Authorize>
    </Rule>

    <Rule Description="Authorize fieldtestapp.exe be loadable to $(FIELDTESTAPP_EXE_SID) and chambers" ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
        <Authorize>
            <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
        </Authorize>
    </Rule>


    edit 3:
    Seems like "fieldtestapp.exe" is ROM locked. Need to try out some other targets.

    edit 4:
    Target acquired "ProximitySensorDisable.exe" > "ProximitySensorDisableBackup.exe"
    Successful copy == no ROM lock.

    edit 5:
    There exist two types of talking to the LoadVerifier (the: This program is blocked by group policy.):

    Direct exe name OR special certificate
    How we do:
    > Direct exe (hijack exe)

    How we can't do (SHA1) (Nope, ain't gonna happen):
    > We certainly don't have Microsoft's certificate so this way is a nodo, haha lol, no do way.

    (1: direct exe name) /LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE
    (2: static/pre certificates) /LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574

    edit 6:
    Yep, loads of edits, just for you.

    Allowed exe's to run (sorted a-z) (direct exe) (pre cert removed):
    Code:
    ACCESSIBILITYCPL.EXE
    ACCOUNTSMANAGER.EXE
    ALARMS.EXE
    APPCHECKERSHIM.EXE
    APPPREINSTALLER.EXE
    AUTODATACONFIG.EXE
    AUTOSIM.EXE
    AUTOTIMEUPDATE.EXE
    BRIGHTNESSCPL.EXE
    BTUXCPL.EXE
    CALENDARAPP.EXE
    CALLSETTINGSHOST.EXE
    CALNOT.EXE
    CALUPD.EXE
    CAM_FW_UPDATE_UI.EXE
    CELLUXCPL.EXE
    CERTINSTALLER.EXE
    CFGHOST.EXE
    CFLAUNCHER.EXE
    CHDIALERHOST.EXE
    CIPHASE2.EXE
    CLIENTSHUTDOWN3.EXE
    CLOCKNOT.EXE
    CMACCEPT3.EXE
    COLDINIT.EXE
    COMMSVC.EXE
    COMPOSITOR.EXE
    CONFIGDM.EXE
    CONFIGXML.EXE
    CONMANCLIENT3.EXE
    CONTACTS.EXE
    CPROG.EXE
    DATETIMECPL.EXE
    DCVSSWITCH.EXE
    DEPOTCOPY.EXE
    DEVICEFEEDBACKCPL.EXE
    DEVICEREG.EXE
    DIAGPORTCHANGETEST.EXE
    DLLHOST.EXE
    DMSCHEDULERCALLBACK.EXE
    DMSRV.EXE
    DMSTOOLS.EXE
    DUACLIENT.EXE
    DW.EXE
    EDM3.EXE
    EMAIL.EXE
    EMAILSETUP.EXE
    ENDPOINT.EXE
    FCROUTERCMDTEST.EXE
    FIELDTESTAPP.EXE
    FLIGHTMODE.EXE
    GAMESUX.EXE
    IEXPLORE.EXE
    INITIATEDMSESSION.EXE
    INVALIDLICENSEUXLAUNCHER.EXE
    KEYBOARDCPL.EXE
    LASSCREDENTIALEXPIRATIONCHECK.EXE
    LASSRESTARTER.EXE
    LIVETOKEN.EXE
    LOCKCPL.EXE
    LOOPBACKTEST.EXE
    MEDIAGROVEL.EXE
    MEUX.EXE
    MITSMAN.EXE
    MMSPRPROXY.EXE
    MMSTRANSHOST.EXE
    MULTIMEDIALAUNCHER.EXE
    MYPHONECPL.EXE
    MYPHONETASKSRUNTIME.EXE
    NATIVEINSTALLERHOST.EXE
    OFFICEURL.EXE
    OMADMCLIENT.EXE
    OMADMPRC.EXE
    OMHUB.EXE
    ONBOOTSQM.EXE
    ONENOTEMOBILE.EXE
    OOBE.EXE
    PACMANINSTALLER.EXE
    PHOTOENT.EXE
    PHOTOENTCAPTURE.EXE
    PHOTOUPLOADER.EXE
    PPT.EXE
    PWORD.EXE
    PWRLOGCTRL.EXE
    PXL.EXE
    RAPICONFIG.EXE
    REGIONCPL.EXE
    RMACTIVATE.EXE
    SAPISVR.EXE
    SECSIMTKIT.EXE
    SERVICESD.EXE
    SERVICESSTART.EXE
    SETTELEPORTMODE.EXE
    SETTINGS3.EXE
    SHORTMSG.EXE
    SICLNT.EXE
    SIGNALEVENT.EXE
    SIREPSERVERAPPDEV.EXE
    SMSETTINGS.EXE
    SMSTRANSPORT.EXE
    SOUNDCPL.EXE
    SPEECHCPL.EXE
    SPMC.EXE
    SQMEVENT.EXE
    SSUPDATE.EXE
    TASKHOST.EXE
    TELSHELL.EXE
    TESTSHOW.EXE
    THEMECPL.EXE
    TOGGLEBROWSERHIBERNATION.EXE
    TOGGLEDOG.EXE
    UDEVICE.EXE
    UIF.EXE
    UNIFIEDPAIR.EXE
    USBMGR.EXE
    WEBSEARCH.EXE
    WIFIUXSPLASH.EXE
    WLANEXT.EXE
    WLIDSETUP.EXE
    WWANDATAMGR.EXE
    XDRMREMOTESERV.EXE
    ZIPVIEW.EXE
    ZMFTASKLAUNCH.EXE

    How code (yes I know it's super un-optimized, fast put together):
    Code:
    // Requires: using System.Linq; using System.Xml.Linq;
    // Lists every executable that a Loader Verifier rule names directly
    // (certificate rules are filtered out).
    var doc = XDocument.Load("SamsungOmnia7_BasePolicy_webserver.xml");
    var ea = doc.Root.Elements()
        .Where(x => x.Name.LocalName == "Rule")
        .Where(x => x.Attribute("ResourceIri") != null)
        .Where(x =>
        {
            var r = x.Attribute("ResourceIri").Value;
            return r.Contains("LOADERVERIFIER") && r.ToLower().Contains(".exe") && !r.Contains("CERTIFICATES");
        })
        // Keep only the file name after the last '/'.
        .Select(x =>
        {
            var v = x.Attribute("ResourceIri").Value;
            return v.Substring(v.LastIndexOf('/') + 1);
        })
        .Distinct()
        .OrderBy(x => x)
        .ToArray();

    edit 7:
    yeah, lol i say too.
    Unprotected exe (FCRouterCmdTest.exe)
    > c:\Project Work\SGH-i707(Cetus)\FCRouterCmdTest\Windows Mobile 6 Professional SDK (ARMV4I)\Release\FCRouterCmdTest.pdb
    mfw samsung use "Windows Mobile 6 Professional SDK (ARMV4I)"
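
The two kinds of Loader Verifier rule described in edit 5 above (authorization by executable name versus by certificate SHA-1) can be separated mechanically when reviewing a policy file. This is an added example, not code from the thread or from WP7 Root Tools; the sample XML is constructed, and its root element, the `$(EXAMPLE_*)` account ids and the layout of the certificate rule are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the rules and IRIs quoted in the post. The root
# element name, the $(EXAMPLE_*) account ids and the layout of the certificate
# rule are assumptions, not taken from a real policy file.
SAMPLE_POLICY = """<Policy>
  <Rule Description="Authorize cfghost.exe"
        ResourceIri="/LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE">
    <Authorize><Match AccountId="$(EXAMPLE_SID_1)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" /></Authorize>
  </Rule>
  <Rule Description="Route fieldtestapp.exe"
        ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE">
    <Authorize><Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" /></Authorize>
  </Rule>
  <Rule Description="Certificate rule (constructed)"
        ResourceIri="/LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574">
    <Authorize><Match AccountId="$(EXAMPLE_SID_2)" AuthorizationIds="LV_ACCESS_EXECUTE" /></Authorize>
  </Rule>
  <Rule Description="Not a loader rule" ResourceIri="/EXAMPLE/OTHER/RESOURCE" />
</Policy>"""


def local(tag):
    """Strip an XML namespace so namespaced policy files are handled too."""
    return tag.rsplit("}", 1)[-1]


def classify_rules(policy_xml):
    """Return ({EXE name: rights granted by name}, [certificate SHA-1 hashes])."""
    by_name, by_cert = {}, set()
    for rule in ET.fromstring(policy_xml).iter():
        iri = rule.get("ResourceIri", "")
        if local(rule.tag) != "Rule" or "LOADERVERIFIER" not in iri:
            continue
        leaf = iri.rsplit("/", 1)[-1]
        if "/CERTIFICATES/HASH/SHA1/" in iri:
            by_cert.add(leaf.lower())           # trust bound to a signer
        elif leaf.lower().endswith(".exe"):
            rights = by_name.setdefault(leaf.upper(), set())
            for match in rule.iter():           # collect AuthorizationIds
                if local(match.tag) == "Match":
                    ids = match.get("AuthorizationIds", "")
                    rights.update(i.strip() for i in ids.split(",") if i.strip())
    return by_name, sorted(by_cert)


if __name__ == "__main__":
    names, certs = classify_rules(SAMPLE_POLICY)
    for exe in sorted(names):
        print(f"name-based  {exe:20} {','.join(sorted(names[exe]))}")
    for sha1 in certs:
        print(f"cert-based  {sha1}")
```

Name-based entries are the ones whose protection rests on the file at that path being unwritable, which is why the ROM lock mentioned in edit 3 matters for them.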
    3
    FINALLY!!

    STATUS: DONE! :D

    www.wp7roottools.com

    Ciao,
    Heathcliff74