Running Homebrew Native Executables - Status: DONE!!


Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
I saw that already in previous post. Plz read my last 3 posts.

Sent from my OMNIA7 using XDA Windows Phone 7 App
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
0x800704ec is the main problem I think. What Jaxbot did was different. He changed paths to non-existent to see if it would rebuild. I suggest we first copy to our own isostorage and then change registry to point there. We might have enough privs to modify it then.

Sent from my OMNIA7 using XDA Windows Phone 7 App
 

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
I saw that already in previous post. Plz read my last 3 posts.

Sent from my OMNIA7 using XDA Windows Phone 7 App
Yes I do read all posts :)
I have tried to copy that file way too many times (with way too many paths); it fails every time though, due to this Rule:

Code:
<Rule 
PriorityCategoryId="PRIORITY_HIGH" 
ResourceIri="/FILESYS/PRIMARY/WINDOWS/SECURITY/POLICYDB.VOL" 
SpeakerAccountId="S-1-5-112-0-0-1" 
Description="Protect the policy DB from everyone but the system">
    <Stop>
        <Match AccountId="S-1-5-112-0-0XFF" />
    </Stop>
</Rule>


Just some info:
"(Note that regardless of the file policy.vol name given here, the device's built-in Policy database will be used.)"
How come the "PolicyXmlLoadFromDatabase" uses my cmd input file then????? (\Windows\Security\policydb.vol)

Older policy commit:
PID:0DBB004E TID:0DA1004E \Windows\Security\policydb.vol : ERROR PolicyXml2011:
PID:0DBB004E TID:0DA1004E Internal error - function failed: PolicyRuleOpen(805307433) (GetLastError = 1260)
PID:0DBB004E TID:0DA1004E
PID:0DBB004E TID:0DA1004E PolicyLoader.exe : FATAL ERROR PolicyXml0000:
PID:0DBB004E TID:0DA1004E Failed: PolicyXmlLoadFromDatabase(P="\Windows\Security\policydb.vol", A="\Windows\Security\accountdb.vol", M="\Windows\Security\PolicyMeta.xml"), HR=0x800704ec
PID:0DBB004E TID:0DA1004E

edit:

Current state (almost no errors):
(know how to fix a few)

PID:0D0A0102 TID:0D30010A PolicyLoader.exe : Info PolicyXml0000:
PID:0D0A0102 TID:0D30010A PolicyXmlLoadFromXml("\Applications\Install\B2A1493F-42E1-4C0E-A5CB-EF204B677C43\Install\xdaa.policy.xml")
PID:0D0A0102 TID:0D30010A
PID:0D0A0102 TID:0D30010A PolicyLoader.exe : Info PolicyXml0000:
PID:0D0A0102 TID:0D30010A PolicyXmlSaveToXml("PolicyMerged.xml", Flags=0x00000035)
PID:0D0A0102 TID:0D30010A
PID:0D0A0102 TID:0D30010A PolicyLoader.exe : Info PolicyXml0000:
PID:0D0A0102 TID:0D30010A PolicyXmlSaveToDatabase(P="\Windows\Security\policydb.vol", A="\Windows\Security\accountdb.vol", M="\Windows\Security\PolicyMeta.xml")
PID:0D0A0102 TID:0D30010A
PID:0D0A0102 TID:0D30010A \Windows\Security\policydb.vol : ERROR PolicyXml2011:
PID:0D0A0102 TID:0D30010A Internal error - function failed: PolicyRuleOpen(805306447) (GetLastError = 1260)
PID:0D0A0102 TID:0D30010A
PID:0D0A0102 TID:0D30010A \Windows\Security\policydb.vol : Warning PolicyXml3200:
PID:0D0A0102 TID:0D30010A Policy DB transaction was aborted.
PID:0D0A0102 TID:0D30010A
PID:0D0A0102 TID:0D30010A PolicyLoader.exe : FATAL ERROR PolicyXml0000:
PID:0D0A0102 TID:0D30010A Failed: PolicyXmlSaveToDatabase(P="\Windows\Security\policydb.vol", A="\Windows\Security\accountdb.vol", M="\Windows\Security\PolicyMeta.xml"), HR=0x800704ec
PID:0D0A0102 TID:0D30010A
PID:0D0A0102 TID:0D30010A PolicyLoader.exe : ERROR PolicyXml0000:
PID:0D0A0102 TID:0D30010A One or more errors were detected during processing.
PID:0D0A0102 TID:0D30010A
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
Yeah, I understand why policydb is protected. But why is policyloader not elevating itself to TCB? Got to decompile it. I'll be off for the night. Dinner with wife and friends. Be back tomorrow. Good luck!

Sent from my OMNIA7 using XDA Windows Phone 7 App
 

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
Most of the time we get this (the last error that blocks us from updating policy):
PID:0D0A0102 TID:0D30010A Internal error - function failed: PolicyRuleOpen(805306447) (GetLastError = 1260)

ERROR_ACCESS_DISABLED_BY_POLICY
GetLastError = 1260 (0x4EC)


edit:

fopen("rw") fails for both
"\Applications\Install\B2A1493F-42E1-4C0E-A5CB-EF204B677C43\Install\PolicyMeta.xml"
and
"\Windows\Security\PolicyMeta.xml":

Maybe because "\Windows\Security\PolicyMeta.xml" is "Protected" and PolicyLoader is blocked out of "\Applications\Install\" (no rights added to access that path (Rule))

PID:0C51007A TID:0C5A007A PolicyLoader.exe : ERROR PolicyXml2050:
PID:0C51007A TID:0C5A007A Unable to open file: FileName="\Applications\Install\B2A1493F-42E1-4C0E-A5CB-EF204B677C43\Install\PolicyMeta.xml", opened for write, GetLastError()=1260.
PID:0C51007A TID:0C5A007A

edit 2:
Verified that PolicyLoader is blocked out from accessing \Install: (write mode) (possibly read too)

Code:
<Rule 
PriorityCategoryId="PRIORITY_STANDARD" 
ResourceIri="/FILESYS/PRIMARY/APPLICATIONS/INSTALL/(+)/INSTALL/(*)" 
SpeakerAccountId="S-1-5-112-0-0-1" 
Description="ACL the application installation directory to be read + execute (so resource dlls can be read. This access is required by all who need to read an application's title">
    <Authorize>
        <Match AccountId="S-1-5-112-0-0X21-0X0000000A" AuthorizationIds="FILE_ALL_ACCESS, FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, FILE_LIST_DIRECTORY" />
        <Match AccountId="S-1-5-112-0-0X23" AuthorizationIds="FILE_GENERIC_READ, FILE_GENERIC_EXECUTE, FILE_READ_ATTRIBUTES, FILE_LIST_DIRECTORY" />
    </Authorize>
    <Stop>
        <Match AccountId="S-1-5-112-0-0XFF" />
    </Stop>
</Rule>


__

"Got to decompile it."
- So you know, there is a de-compiled version of it on page 5 :)

Also, have fun :)
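The PolicyLoader output quoted in this post and the earlier ones always has the same shape: an optional PID/TID prefix, a header line naming the source and severity ("PolicyLoader.exe : FATAL ERROR PolicyXml0000:"), then a message line carrying the failing function, a GetLastError value or an HRESULT. As an added example, not code from the thread or from Microsoft's tooling, the Python below parses that output into records and decodes the HRESULT back to its Win32 code (0x800704ec is HRESULT_FROM_WIN32(1260), ERROR_ACCESS_DISABLED_BY_POLICY, as worked out above). The log format is inferred from the quoted lines, the sample log is constructed from them, and the small Win32 name table is an assumption beyond what the thread lists.

```python
"""Parse PolicyLoader.exe diagnostic output and decode its error codes (added example)."""
import re
from typing import Optional

FACILITY_WIN32 = 7
# Assumed lookup table; only 1260 is named on the page itself.
WIN32_ERROR_NAMES = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    1260: "ERROR_ACCESS_DISABLED_BY_POLICY",  # 0x4EC, the code seen throughout the thread
}

# Constructed sample, modelled on the output quoted in the thread.
SAMPLE_LOG = r"""PID:0D0A0102 TID:0D30010A PolicyLoader.exe : Info PolicyXml0000:
PID:0D0A0102 TID:0D30010A PolicyXmlLoadFromXml("\Applications\Install\B2A1493F-42E1-4C0E-A5CB-EF204B677C43\Install\xdaa.policy.xml")
PID:0D0A0102 TID:0D30010A
PID:0D0A0102 TID:0D30010A \Windows\Security\policydb.vol : ERROR PolicyXml2011:
PID:0D0A0102 TID:0D30010A Internal error - function failed: PolicyRuleOpen(805306447) (GetLastError = 1260)
PID:0D0A0102 TID:0D30010A
PID:0D0A0102 TID:0D30010A PolicyLoader.exe : FATAL ERROR PolicyXml0000:
PID:0D0A0102 TID:0D30010A Failed: PolicyXmlSaveToDatabase(P="\Windows\Security\policydb.vol", A="\Windows\Security\accountdb.vol", M="\Windows\Security\PolicyMeta.xml"), HR=0x800704ec
"""

PREFIX = re.compile(r"^PID:[0-9A-Fa-f]{8} TID:[0-9A-Fa-f]{8} ?")
HEADER = re.compile(r"^(?P<src>.+?) : (?P<level>Info|Warning|ERROR|FATAL ERROR) (?P<code>PolicyXml\d{4}):$")
LASTERR = re.compile(r"GetLastError(?:\(\))? ?= ?(\d+)")
HRES = re.compile(r"HR=0x([0-9A-Fa-f]{8})")
FUNC = re.compile(r"(?:function failed: |Failed: )(\w+)\(")


def hresult_to_win32(hr: int) -> Optional[int]:
    """Undo HRESULT_FROM_WIN32: return the Win32 code if hr is a failed
    FACILITY_WIN32 HRESULT, otherwise None (e.g. E_FAIL has facility 0)."""
    failed = bool(hr & 0x80000000)
    facility = (hr >> 16) & 0x1FFF
    if failed and facility == FACILITY_WIN32:
        return hr & 0xFFFF
    return None


def parse_policyloader_log(text: str) -> list:
    """Group the log into records: one per header line, message lines appended."""
    records = []
    current = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()   # drop the PID/TID prefix
        if not line:
            continue                          # separator line between records
        m = HEADER.match(line)
        if m:
            current = {"source": m["src"], "level": m["level"], "code": m["code"],
                       "message": "", "function": None, "win32": None, "win32_name": None}
            records.append(current)
            continue
        if current is None:
            continue                          # message text before any header: ignore
        current["message"] = (current["message"] + " " + line).strip()
        f = FUNC.search(line)
        if f:
            current["function"] = f.group(1)
        e = LASTERR.search(line)
        if e:
            current["win32"] = int(e.group(1))
        h = HRES.search(line)
        if h:
            current["win32"] = hresult_to_win32(int(h.group(1), 16))
        if current["win32"] is not None:
            current["win32_name"] = WIN32_ERROR_NAMES.get(current["win32"], "UNKNOWN")
    return records


def failures(text: str) -> list:
    """Only the ERROR / FATAL ERROR records, in log order."""
    return [r for r in parse_policyloader_log(text) if r["level"] in ("ERROR", "FATAL ERROR")]


if __name__ == "__main__":
    for r in failures(SAMPLE_LOG):
        print(f'{r["level"]:11} {r["function"]:25} win32={r["win32"]} ({r["win32_name"]})')
```

Both failure records in the sample decode to the same Win32 code, which is the point made in the post above: the PolicyRuleOpen failure and the final HRESULT are one policy denial reported twice, not two different problems.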
 

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
OMFG! I DID IT!
> Completed successfully.

Now just hope we can write it to the real policy.vol

Remote CMD used:
var ar = @"/nowritemerged /mdb=""\PolicyMeta.xml"" /pdb=""\policydb.vol"" /adb=""\accountdb.vol""";

PID:0CE60056 TID:0DE30056 PolicyLoader.exe : Info PolicyXml0000:
PID:0CE60056 TID:0DE30056 PolicyXmlSaveToDatabase(P="\policydb.vol", A="\accountdb.vol", M="\PolicyMeta.xml")
PID:0CE60056 TID:0DE30056
PID:0CE60056 TID:0DE30056 PolicyLoader.exe : Info PolicyXml0000:
PID:0CE60056 TID:0DE30056 Completed successfully.
PID:0CE60056 TID:0DE30056

edit:
Seems to work against real policy.vol :)

Re-configured to "\Windows\policydb.vol":
var ar = @"/nowritemerged /mdb=""\PolicyMeta.xml"" /pdb=""\Windows\policydb.vol"" /adb=""\accountdb.vol""";

PID:0CDE0052 TID:0D39005A PolicyXmlSaveToDatabase(P="\Windows\policydb.vol", A="\accountdb.vol", M="\PolicyMeta.xml")
PID:0CDE0052 TID:0D39005A Completed successfully.
PID:0CDE0052 TID:0D39005A

edit 2:
lol'd, that's kind of fail:
Completed successfully
return code still "259"
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
OMFG! I DID IT!
> Completed successfully.

Now just hope we can write it to the real policy.vol

Remote CMD used:
var ar = @"/nowritemerged /mdb=""\PolicyMeta.xml"" /pdb=""\policydb.vol"" /adb=""\accountdb.vol""";

PID:0CE60056 TID:0DE30056 PolicyLoader.exe : Info PolicyXml0000:
PID:0CE60056 TID:0DE30056 PolicyXmlSaveToDatabase(P="\policydb.vol", A="\accountdb.vol", M="\PolicyMeta.xml")
PID:0CE60056 TID:0DE30056
PID:0CE60056 TID:0DE30056 PolicyLoader.exe : Info PolicyXml0000:
PID:0CE60056 TID:0DE30056 Completed successfully.
PID:0CE60056 TID:0DE30056

edit:
Seems to work against real policy.vol :)

Re-configured to "\Windows\policydb.vol":
var ar = @"/nowritemerged /mdb=""\PolicyMeta.xml"" /pdb=""\Windows\policydb.vol"" /adb=""\accountdb.vol""";

PID:0CDE0052 TID:0D39005A PolicyXmlSaveToDatabase(P="\Windows\policydb.vol", A="\accountdb.vol", M="\PolicyMeta.xml")
PID:0CDE0052 TID:0D39005A Completed successfully.
PID:0CDE0052 TID:0D39005A

Weird. Specifying with -pdb does the trick? What you did is actually what I proposed here, but I didn't think it would work, because of this:

-pdb=FileName
Specifies the name to display for the Policy database file in diagnostic messages. Default is "policy.vol". (Note that regardless of the file policy.vol name given here, the device's built-in Policy database will be used.)

If this somehow still doesn't do what we want, we could also try the native database access I mentioned earlier.

I also thought of something else. In the opening post I described that I added a cert to the "Code Integrity" store. But it was self-signed. And it is possible that there is a check on that. So I should also set the Key Usage and Extended Key Usage for CA and cert-signing and then add this extended cert to the CA store too.
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
So I assume you're still doing this in the emulator. We should now think of some policies that we can apply so we can test if this really works. It could be something like adding a high priority policy that blocks access for LPC. If we can't run any apps after we applied that policy, we know it works.
 

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
So I assume you're still doing this in the emulator. We should now think of some policies that we can apply so we can test if this really works. It could be something like adding a high priority policy that blocks access for LPC. If we can't run any apps after we applied that policy, we know it works.
Yes, everything is done in the Emulator, don't want to brick my phone by mistake :)
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
Try to add this to the emulator:

Code:
<Rule PriorityCategoryId="PRIORITY_HIGH" ResourceIri="/LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/TASKHOST.EXE" SpeakerAccountId="S-1-5-112-0-0-1" Description="Stop taskhost.exe be loadable to $(TASKHOST_CHAMBER_SID)">
    <Stop>
        <Match AccountId="S-1-5-112-0-0X80-0X00000001" />
        <Match AccountId="S-1-5-112-0-0X80" />
    </Stop>
</Rule>

I'm not sure you can apply this, because it may conflict with existing policies and I don't know how that is handled by the PolicyLoader. If you can apply it and you can't run apps anymore afterwards, it means that it worked.

edit: Removed AuthorizationIds from XML, because it is in <Stop> instead of <Authorize> and stop-tags don't have the AuthorizationIds attribute in them.
 

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
Try to add this to the emulator:

Code:
<Rule PriorityCategoryId="PRIORITY_HIGH" ResourceIri="/LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/TASKHOST.EXE" SpeakerAccountId="S-1-5-112-0-0-1" Description="Stop taskhost.exe be loadable to $(TASKHOST_CHAMBER_SID)">
    <Stop>
        <Match AccountId="S-1-5-112-0-0X80-0X00000001" />
        <Match AccountId="S-1-5-112-0-0X80" />
    </Stop>
</Rule>

I'm not sure you can apply this, because it may conflict with existing policies and I don't know how that is handled by the PolicyLoader. If you can apply it and you can't run apps anymore afterwards, it means that it worked.

edit: Removed AuthorizationIds from XML, because it is in <Stop> instead of <Authorize> and stop-tags don't have the AuthorizationIds attribute in them.
Got some problems :/

When having no <Rule>'s at all it succeeds
> Complete success.

Having one (the taskhost thing):
Internal error - function failed: PolicyRuleOpen(805307329) (GetLastError = 1260)

Maybe file system access somewhere. (open as "rwb") (read + write + binary)
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
Got some problems :/

When having no <Rule>'s at all it succeeds
> Complete success.

Having one (the taskhost thing):
Internal error - function failed: PolicyRuleOpen(805307329) (GetLastError = 1260)

Maybe file system access somewhere. (open as "rwb") (read + write + binary)

Ok. Plz try with /pdb=""\Temp\policydb.vol""

edit: You may have to copy the original policydb.vol to \Temp\ first. Not sure about that.
edit2: It seems that \Temp\ needs only Standard Privs to write there.
 

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
Ok. Plz try with /pdb=""\Temp\policydb.vol""

edit: You may have to copy the original policydb.vol to \Temp\ first. Not sure about that.
edit2: It seems that \Temp\ needs only Standard Privs to write there.
Same error @ PolicyRuleOpen(805307329)
Corrupt database (maybe) when reading the binary, because creating an empty file and working on that file in binary mode works.
We just have to try harder :)
 

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
Definitely more debug data when using "3"
edit:
Or not, just printing double :/ eh what?


/output=3:

PolicyLoader.exe : Info PolicyXml0000:
PolicyLoader.exe : Info PolicyXml0000:
PolicyXmlLoadFromXml("\Applications\Install\B2A1493F-42E1-4C0E-A5CB-EF204B677C43\Install\xdaa.policy.xml")

PolicyXmlLoadFromXml("\Applications\Install\B2A1493F-42E1-4C0E-A5CB-EF204B677C43\Install\xdaa.policy.xml")

PolicyLoader.exe : Info PolicyXml0000:
PolicyLoader.exe : Info PolicyXml0000:
PolicyXmlSaveToDatabase(P="\Windows\Security\policydb.vol", A="\Windows\Security\accountdb.vol", M="PolicyMeta.xml")

PolicyXmlSaveToDatabase(P="\Windows\Security\policydb.vol", A="\Windows\Security\accountdb.vol", M="PolicyMeta.xml")

\Windows\Security\policydb.vol : ERROR PolicyXml2011:
\Windows\Security\policydb.vol : ERROR PolicyXml2011:
Internal error - function failed: PolicyRuleOpen(805307329) (GetLastError = 1260)

Internal error - function failed: PolicyRuleOpen(805307329) (GetLastError = 1260)

\Windows\Security\policydb.vol : Warning PolicyXml3200:
\Windows\Security\policydb.vol : Warning PolicyXml3200:
Policy DB transaction was aborted.

Policy DB transaction was aborted.

PolicyLoader.exe : FATAL ERROR PolicyXml0000:
PolicyLoader.exe : FATAL ERROR PolicyXml0000:
Failed: PolicyXmlSaveToDatabase(P="\Windows\Security\policydb.vol", A="\Windows\Security\accountdb.vol", M="PolicyMeta.xml"), HR=0x800704ec

Failed: PolicyXmlSaveToDatabase(P="\Windows\Security\policydb.vol", A="\Windows\Security\accountdb.vol", M="PolicyMeta.xml"), HR=0x800704ec

PolicyLoader.exe : ERROR PolicyXml0000:
PolicyLoader.exe : ERROR PolicyXml0000:
One or more errors were detected during processing.

One or more errors were detected during processing.



/output=1:

PolicyLoader.exe : Info PolicyXml0000:
PolicyXmlLoadFromXml("\Applications\Install\B2A1493F-42E1-4C0E-A5CB-EF204B677C43\Install\xdaa.policy.xml")

PolicyLoader.exe : Info PolicyXml0000:
PolicyXmlSaveToDatabase(P="\Windows\Security\policydb.vol", A="\Windows\Security\accountdb.vol", M="PolicyMeta.xml")

\Windows\Security\policydb.vol : ERROR PolicyXml2011:
Internal error - function failed: PolicyRuleOpen(805307329) (GetLastError = 1260)

\Windows\Security\policydb.vol : Warning PolicyXml3200:
Policy DB transaction was aborted.

PolicyLoader.exe : FATAL ERROR PolicyXml0000:
Failed: PolicyXmlSaveToDatabase(P="\Windows\Security\policydb.vol", A="\Windows\Security\accountdb.vol", M="PolicyMeta.xml"), HR=0x800704ec

PolicyLoader.exe : ERROR PolicyXml0000:
One or more errors were detected during processing.
 

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
mfw I did "/verbosity=5"

ExeName "\Windows\PolicyLoader.exe"
Arg 0: "" "\Windows\PolicyLoader.exe"
Arg 1: "nowritemerged" ""
Arg 2: "verbosity" "5"
Arg 3: "nowritedb" ""
Arg 4: "pdb" "\Windows\Security\policydb.vol"
Arg 5: "adb" "\Windows\Security\accountdb.vol"
Arg 6: "" "\Windows\D62F1CFD-4536-4A6F-BC6B-84A89DB28CC1.policy.xml"

Dump - After Args::Reset():
Arg bWantHelp = false
Arg sAdbFile = cesecurity.vol
Arg bAdbFileSet = false
Arg sPdbFile = policy.vol
Arg bPdbFileSet = false
Arg sMdbFile = PolicyMeta.xml
Arg bMdbFileSet = false
Arg sMergedXml = PolicyMerged.xml
Arg bMergedXmlSet = false
Arg sOldPolicyXml =
Arg bOldPolicyXmlSet = false
Arg sNewPolicyXml =
Arg bNewPolicyXmlSet = false
Arg sDbDumpXml = PolicyDump.xml
Arg bDbDumpXmlSet = false
Arg bCanonicalizeMerged = false
Arg bCanonicalizeMergedSet = false
Arg bExpandMacrosMerged = false
Arg bExpandMacrosMergedSet = false
Arg bWriteDb = true
Arg bWriteDbSet = false
Arg bWriteMerged = true
Arg bWriteMergedSet = false
Arg bWriteDump = false
Arg bWriteDumpSet = false
Arg bUpdateDatabase = false

Dump - After Args::parse(clp):
Arg bWantHelp = false
Arg sAdbFile = \Windows\Security\accountdb.vol
Arg bAdbFileSet = true
Arg sPdbFile = \Windows\Security\policydb.vol
Arg bPdbFileSet = true
Arg sMdbFile = PolicyMeta.xml
Arg bMdbFileSet = false
Arg sMergedXml = PolicyMerged.xml
Arg bMergedXmlSet = false
Arg sOldPolicyXml =
Arg bOldPolicyXmlSet = false
Arg sNewPolicyXml =
Arg bNewPolicyXmlSet = false
Arg sDbDumpXml = PolicyDump.xml
Arg bDbDumpXmlSet = false
Arg bCanonicalizeMerged = false
Arg bCanonicalizeMergedSet = false
Arg bExpandMacrosMerged = false
Arg bExpandMacrosMergedSet = false
Arg bWriteDb = false
Arg bWriteDbSet = true
Arg bWriteMerged = false
Arg bWriteMergedSet = true
Arg bWriteDump = false
Arg bWriteDumpSet = false
Arg bUpdateDatabase = false
Arg xmlInputFiles[0] = \Windows\D62F1CFD-4536-4A6F-BC6B-84A89DB28CC1.policy.xml
PolicyXmlCreate()
PolicyXmlLoadFromXml("\Windows\D62F1CFD-4536-4A6F-BC6B-84A89DB28CC1.policy.xml")
PolicyXmlDestroy()
Completed successfully.
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
So adding an existing policy file doesn't return an error. Probably, because nothing is changed by applying these policies and nothing got written to the database.

I dumped and fixed the ARM versions of these files:
PolicyLoader.exe
PolicyEngine.dll
PolicyXml.dll
iri.dll
CoreDll.dll

I loaded them into IDA Pro, looking at strings, imports and exports. No calls to CeImpersonateToken() or CeImpersonateProcess(). But I think the PolicyLoader process should already be running under TCB, because it's a ROM module. So I really don't get the 1260/0x4ec/0x800704ec "Blocked by policy" errors.

When you tried \Temp\Policydb.vol, did you first copy the original Policydb.vol to the \temp folder?
 

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
"did you first copy the original Policydb.vol to the \temp folder?"
I'm on the Emulator (how to copy there?) :/
Without it I can't see if there were no errors/success.
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
Hmmm. It does look like PolicyEngine.dll calls CeImpersonateCurrentProcess() after all. And it looks up account "S-1-5-112-0-0-0", which is "TEMPLATE_USER_NAME". But what is that? Is it impersonating the current user? Is that the account of the calling process?

I do have a lead on how to invoke an exe with TCB privs. It's a Samsung exploit. But ATM I don't dare to try it, because I might brick it.

I was planning to backup some stuff and do a firmware upgrade one of these days. So maybe I can test it then.
 

fiinix

Retired Recognized Developer
Oct 9, 2010
570
224
31
Stockholm
Seems like kernel level (S-1-5-112-0-0-0).

Code:
<Rule 
PriorityCategoryId="PRIORITY_HIGH" 
ResourceIri="/RESOURCES/(MATCH-CHAMBER)/(*)" 
SpeakerAccountId="S-1-5-112-0-0-1" 
Description="All chambers have access to their resources">
    <Authorize>
        <Match AccountId="S-1-5-112-0-0-0" AuthorizationIds="SCHEDULE_GENERIC_ACCESS, SCHEDULE_CREATE_PERSISTENT, SCHEDULE_ALL_ACCESS, MESSAGE_SEND, MESSAGE_RECEIVE, PROCESS_QUERY_INFORMATION, PROCESS_DUP_HANDLE, GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, STANDARD_RIGHTS_REQUIRED, SPECIFIC_RIGHTS_ALL, ALL_ACCESS" />
    </Authorize>
</Rule>

<Rule 
PriorityCategoryId="PRIORITY_HIGH" 
ResourceIri="/KERNEL/(+)/(MATCH-CHAMBER)/(*)" 
SpeakerAccountId="S-1-5-112-0-0-1" 
Description="All chambers have access to their own kernel objects">
    <Authorize>
        <Match AccountId="S-1-5-112-0-0-0" AuthorizationIds="GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE, STANDARD_RIGHTS_REQUIRED, SPECIFIC_RIGHTS_ALL, ALL_ACCESS" />
    </Authorize>
</Rule>

<Rule 
PriorityCategoryId="PRIORITY_LOW" 
ResourceIri="/LOADERVERIFIER/ACCOUNT/(MATCH-CHAMBER)/ACCOUNT_CAN_LAUNCH/(+)/(+)" 
SpeakerAccountId="S-1-5-112-0-0-1" 
Description="Allow every Chamber try to load non-rom exe into its own Chamber, if not blocked by other policies">
    <Authorize>
        <Match AccountId="S-1-5-112-0-0-0" AuthorizationIds="LV_ACCESS_EXECUTE" />
    </Authorize>
</Rule>

.
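The three rules quoted here, and the policydb.vol and \Applications\Install rules fiinix posted earlier in the thread, all share one shape: a PriorityCategoryId, a ResourceIri pattern, `<Authorize>` matches that grant AuthorizationIds to an account, and `<Stop>` matches. As an added example (not code from the thread, from WP7 Root Tools, or from the real PolicyEngine), the Python below parses rules of that shape and walks them for one account against one resource, so you can see why a write to PolicyMeta.xml under \Applications\Install\ is refused while a read goes through. The evaluation order and wildcard semantics are assumptions, not something the thread documents: higher priority categories are consulted first, `(+)` matches exactly one path segment, `(*)` matches the remaining path, a matching `<Stop>` ends evaluation, AuthorizationIds are treated as opaque names with no FILE_ALL_ACCESS expansion, and S-1-5-112-0-0XFF is treated as a catch-all account because the quoted Stop blocks use it to mean "everyone". The `(MATCH-CHAMBER)` token is not handled. The `<Policy>` wrapper and the PRIORITY_LOW fallback rule are constructed for the example.

```python
"""Toy evaluator for WP7-style <Rule> policies (added example; semantics are assumed)."""
import xml.etree.ElementTree as ET

# Assumption: higher categories are consulted before lower ones.
PRIORITY_ORDER = {"PRIORITY_HIGH": 0, "PRIORITY_STANDARD": 1, "PRIORITY_LOW": 2}
# Assumption: the account the thread's <Stop> blocks use to mean "everyone".
EVERYONE_SID = "S-1-5-112-0-0XFF"

# Constructed policy document. The first two rules follow the ones quoted in
# the thread; the PRIORITY_LOW fallback is invented to show what <Stop> cuts off.
SAMPLE_POLICY = """<Policy>
  <Rule PriorityCategoryId="PRIORITY_HIGH"
        ResourceIri="/FILESYS/PRIMARY/WINDOWS/SECURITY/POLICYDB.VOL"
        SpeakerAccountId="S-1-5-112-0-0-1"
        Description="Protect the policy DB from everyone but the system">
    <Stop><Match AccountId="S-1-5-112-0-0XFF" /></Stop>
  </Rule>
  <Rule PriorityCategoryId="PRIORITY_STANDARD"
        ResourceIri="/FILESYS/PRIMARY/APPLICATIONS/INSTALL/(+)/INSTALL/(*)"
        SpeakerAccountId="S-1-5-112-0-0-1"
        Description="ACL the application installation directory to be read + execute">
    <Authorize>
      <Match AccountId="S-1-5-112-0-0X21-0X0000000A" AuthorizationIds="FILE_ALL_ACCESS, FILE_GENERIC_READ, FILE_GENERIC_WRITE" />
      <Match AccountId="S-1-5-112-0-0X23" AuthorizationIds="FILE_GENERIC_READ, FILE_GENERIC_EXECUTE" />
    </Authorize>
    <Stop><Match AccountId="S-1-5-112-0-0XFF" /></Stop>
  </Rule>
  <Rule PriorityCategoryId="PRIORITY_LOW"
        ResourceIri="/FILESYS/PRIMARY/(*)"
        SpeakerAccountId="S-1-5-112-0-0-1"
        Description="Constructed fallback: everyone may read what no earlier rule stopped">
    <Authorize><Match AccountId="S-1-5-112-0-0XFF" AuthorizationIds="FILE_GENERIC_READ" /></Authorize>
  </Rule>
</Policy>"""


def iri_matches(pattern: str, resource: str) -> bool:
    """Match a ResourceIri pattern against a concrete resource path.
    Assumed semantics: '(+)' matches exactly one path segment, '(*)' matches the
    whole remaining path, anything else is a case-insensitive literal segment."""
    pat = pattern.upper().strip("/").split("/")
    res = resource.upper().strip("/").split("/")
    for i, seg in enumerate(pat):
        if seg == "(*)":
            return True
        if i >= len(res) or (seg != "(+)" and seg != res[i]):
            return False
    return len(pat) == len(res)


def account_matches(match_id: str, account: str) -> bool:
    m = match_id.upper()
    return m == EVERYONE_SID or m == account.upper()


def evaluate(policy_xml: str, account: str, resource: str):
    """Return (set of granted AuthorizationIds, Description of the rule whose
    <Stop> ended evaluation, or None) for one account on one resource."""
    root = ET.fromstring(policy_xml)
    rules = [r for r in root.iter("Rule") if iri_matches(r.get("ResourceIri", ""), resource)]
    rules.sort(key=lambda r: PRIORITY_ORDER.get(r.get("PriorityCategoryId", ""), 99))
    granted = set()
    for rule in rules:
        # <Authorize> matches add rights for the account ...
        for m in rule.findall("./Authorize/Match"):
            if account_matches(m.get("AccountId", ""), account):
                granted.update(a.strip().upper() for a in m.get("AuthorizationIds", "").split(",") if a.strip())
        # ... and a matching <Stop> keeps lower-priority rules from adding more.
        for m in rule.findall("./Stop/Match"):
            if account_matches(m.get("AccountId", ""), account):
                return granted, rule.get("Description")
    return granted, None


def has_access(policy_xml: str, account: str, resource: str, right: str) -> bool:
    granted, _ = evaluate(policy_xml, account, resource)
    return right.upper() in granted


if __name__ == "__main__":
    meta = "/FILESYS/PRIMARY/APPLICATIONS/INSTALL/B2A1493F-42E1-4C0E-A5CB-EF204B677C43/INSTALL/PolicyMeta.xml"
    for right in ("FILE_GENERIC_READ", "FILE_GENERIC_WRITE"):
        print(right, "->", has_access(SAMPLE_POLICY, "S-1-5-112-0-0X23", meta, right))
    print(evaluate(SAMPLE_POLICY, "S-1-5-112-0-0X23", "/FILESYS/PRIMARY/WINDOWS/SECURITY/POLICYDB.VOL"))
```

Under these assumptions the policydb.vol rule grants nothing and stops everyone at PRIORITY_HIGH, so even the constructed read-everything fallback never applies to it; that is the shape of the "protect from everyone but the system" rule fiinix hit.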
 

Top Liked Posts

  • 25
    Breakthrough!

    Today I will change the topic title from "Status: Not possible >YET<" to "Status: Possible!".

    On Custom ROMs with Full Unlock it was already possible to run homebrew executables. For stock ROMs with Interop Unlock there is WP7 Root Tools which allows Policy Unlock for Silverlight applications. But running homebrew executables like Opera Mini was still not possible.

    But now I've found a way to unlock homebrew executables using policies and certificates. I need to do more research before I can implement this unlock in WP7 Root Tools, because the unlock currently still needs some manual actions. But I know it's possible now, because I have it working.

    I will keep you updated on the progress for implementing this in WP7 Root Tools.

    I have to thank Cotulla for helping me find a stupid mistake I made! His incredible knowledge helped me see why I thought it was not working yet :D

    Ciao,
    Heathcliff74
    10
    [2012/06/03] IMPORTANT UPDATE HERE

    Hi hackers,

    This is meant as a little update on one of the projects I've been working on. I'm kinda stuck now. I have a suspicion of what the problem is. I thought that maybe if I write a post about it, me or someone else will have an idea on how to get this working.

    The goal is to run native homebrew executables on WP7

    This has not been done yet. All apps are Silverlight apps that are compiled as DLL and run by Taskhost.exe with least privileges. All other executables are signed by Microsoft. Executables that are compiled as ARM executable cannot be started.

    The angle is to create a certificate that allows to sign a WP7 executable. Then add that to the appropriate certificate store. Create an executable. Sign it with the private key. Load it onto a WP7 device. Copy it to the Windows folder. Use an OEM driver to launch the executable.

    First I did research on the certificate stores. I can now with certainty state that there are 4 certificate stores:
    - CA
    - Root
    - My
    - Code Integrity

    After a lot of research I finally got complete read/write access to all of these stores. The Code Integrity store contains all the certificates that are used by the Loader Verifier to verify the executable that is being launched. When the device is launched for the first time, the certificates that are in \Windows\ciroots.p7b are installed to that certificate store. These certificates have these properties:

    Key Usage = 0x86 = Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
    Extended Key Usage = Code Signing (1.3.6.1.5.5.7.3.3) + Unknown key usage (1.3.6.1.4.1.311.10.3.14)

    So I used OpenSSL to create such a certificate (with private key) for myself. And I installed the certificate in the Code Integrity store.

    I then used VS2008 to create a completely barebone executable (ARMv4 Console app with only Sleep(-1) in the Main). I signed it with SignTool from Microsoft.

    I loaded the executable to my device and I copied it to the \Windows folder (I think the policies restrict executing to only from that folder, but I'm not sure about that).

    I use the Samsung driver to launch the executable, because I need at least Standard Rights to launch an executable. The Samsung driver has Elevated Rights. My own app has only Least Privileges. Using the Samsung driver does not return any success or fail codes. But looking at the Running Processes list, I don't see my Test.exe running. It should be, because the main thread is put to sleep infinitely.

    So why is this not working?

    Well, I have a guess. I think it's the policies that bind the certificates in the Code Integrity store to the different accounts/chambers. In the \Windows folder there are a lot of policy xml-files. On first boot, these are merged into PolicyCommit.xml and then compiled to policydb.vol. When the Loader Verifier (lvmod.dll) loads an executable, it queries the policies to determine access rights and chamber for that executable. The policies that matter in this context are defined in 8314B832-8D03-444f-9A2A-1EF6FADCC3B8.policy.xml. It's an xml-file that basically says this:

    Code:
    Microsoft Mobile Device Privileged PCA       - ced778d7bb4cb41d26c40328cc9c0397926b4eea - not used in this context
    Microsoft Mobile Device TCB PCA              - 88bcaec267ef8b366c6e6215ac4028e7a1be2deb - honored by System Identity Group
    Microsoft Mobile Device Unprivileged PCA     - 1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a - honored by Standard Right Identity Group
    Microsoft Mobile Device VSD PCA              - 91b318116f8897d2860733fdf757b93345373574 - not used in this context
    VeriSign Mobile Root Authority for Microsoft - 069dbcca9590d1b5ed7c73de65795348e58d4ae3 - honored by LPC Identity Group

    I should find a way to add a policy with my certificate in it. Any ideas? :eek:

    Ciao,
    Heathcliff74
    6
    Great!

    I have to thank Cotulla for helping me find a stupid mistake I made! His incredible knowledge helped me see why I thought it was not working yet
    I won't tell to anyone :D
    4
    **** so CLOSE!

    Successfully copied "main.exe" and "ExeX.exe" to "\Windows", where I have the right to launch them remotely.

    Method:


    WP7Process p = device.LaunchEXE(@"main.exe", "");

    main.exe (no signing, ARMv7):
    System.UnauthorizedAccessException: Access is denied.


    WP7Process p = device.LaunchEXE(@"ExeX.exe", "");

    ExeX.exe (signed with CA/ROOT custom, ARMv4):
    System.Runtime.InteropServices.COMException (0x800704EC): This program is blocked by group policy. For more information, contact your system administrator.

    There IS different things going on! Something is missing, but what :p

    edit:

    Signed main.exe with custom XDA ROOT certificate (ARMv7):
    signtool.exe sign /sha1 "[CertChomp]" "main.exe"
    > Now main.exe also gets "This program is blocked by group policy. For more information, contact your system administrator."
    I'll see if I can add it to the startup list, to see if it boots from there.

    edit 2:
    Nope gonna hijack "fieldtestapp.exe" with my app because policy says:

    Risky-mode.Activate();

    Backup(fieldtestapp.exe, backupPath);
    Copy(main.exe, > fieldtestapp.exe);


    "LOADERVERIFIER_ROUTE_BY_NAME"
    "LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT"

    <Rule Description="Route fieldtestapp.exe" ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
    <Authorize>
    <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
    </Authorize>
    </Rule>

    <Rule Description="Authorize fieldtestapp.exe be loadable to $(FIELDTESTAPP_EXE_SID) and chambers" ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
    <Authorize>
    <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
    </Authorize>
    </Rule>


    edit 3:
    Seems like "fieldtestapp.exe" is ROM locked. Need to try out some other targets.

    edit 4:
    Target acquired "ProximitySensorDisable.exe" > "ProximitySensorDisableBackup.exe"
    Successful copy == no ROM lock.

    edit 5:
    There exist two types of talking to the LoadVerifier (the: This program is blocked by group policy.):

    Direct exe name OR special certificate
    How we do:
    > Direct exe (hijack exe)

    How we cant do (SHA1) (Nope, ain't gonna happen):
    > We certainly dont have Microsofts certificate so this way is a nodo, haha lol, no do way.

    (1: direct exe name) /LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE
    (2: static/pre certificates) /LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574

    edit 6:
    Yep, loads of edits, just for you.

    Allowed exe's to run (sorted a-z) (direct exe) (pre cert removed):
    Code:
    ACCESSIBILITYCPL.EXE
    ACCOUNTSMANAGER.EXE
    ALARMS.EXE
    APPCHECKERSHIM.EXE
    APPPREINSTALLER.EXE
    AUTODATACONFIG.EXE
    AUTOSIM.EXE
    AUTOTIMEUPDATE.EXE
    BRIGHTNESSCPL.EXE
    BTUXCPL.EXE
    CALENDARAPP.EXE
    CALLSETTINGSHOST.EXE
    CALNOT.EXE
    CALUPD.EXE
    CAM_FW_UPDATE_UI.EXE
    CELLUXCPL.EXE
    CERTINSTALLER.EXE
    CFGHOST.EXE
    CFLAUNCHER.EXE
    CHDIALERHOST.EXE
    CIPHASE2.EXE
    CLIENTSHUTDOWN3.EXE
    CLOCKNOT.EXE
    CMACCEPT3.EXE
    COLDINIT.EXE
    COMMSVC.EXE
    COMPOSITOR.EXE
    CONFIGDM.EXE
    CONFIGXML.EXE
    CONMANCLIENT3.EXE
    CONTACTS.EXE
    CPROG.EXE
    DATETIMECPL.EXE
    DCVSSWITCH.EXE
    DEPOTCOPY.EXE
    DEVICEFEEDBACKCPL.EXE
    DEVICEREG.EXE
    DIAGPORTCHANGETEST.EXE
    DLLHOST.EXE
    DMSCHEDULERCALLBACK.EXE
    DMSRV.EXE
    DMSTOOLS.EXE
    DUACLIENT.EXE
    DW.EXE
    EDM3.EXE
    EMAIL.EXE
    EMAILSETUP.EXE
    ENDPOINT.EXE
    FCROUTERCMDTEST.EXE
    FIELDTESTAPP.EXE
    FLIGHTMODE.EXE
    GAMESUX.EXE
    IEXPLORE.EXE
    INITIATEDMSESSION.EXE
    INVALIDLICENSEUXLAUNCHER.EXE
    KEYBOARDCPL.EXE
    LASSCREDENTIALEXPIRATIONCHECK.EXE
    LASSRESTARTER.EXE
    LIVETOKEN.EXE
    LOCKCPL.EXE
    LOOPBACKTEST.EXE
    MEDIAGROVEL.EXE
    MEUX.EXE
    MITSMAN.EXE
    MMSPRPROXY.EXE
    MMSTRANSHOST.EXE
    MULTIMEDIALAUNCHER.EXE
    MYPHONECPL.EXE
    MYPHONETASKSRUNTIME.EXE
    NATIVEINSTALLERHOST.EXE
    OFFICEURL.EXE
    OMADMCLIENT.EXE
    OMADMPRC.EXE
    OMHUB.EXE
    ONBOOTSQM.EXE
    ONENOTEMOBILE.EXE
    OOBE.EXE
    PACMANINSTALLER.EXE
    PHOTOENT.EXE
    PHOTOENTCAPTURE.EXE
    PHOTOUPLOADER.EXE
    PPT.EXE
    PWORD.EXE
    PWRLOGCTRL.EXE
    PXL.EXE
    RAPICONFIG.EXE
    REGIONCPL.EXE
    RMACTIVATE.EXE
    SAPISVR.EXE
    SECSIMTKIT.EXE
    SERVICESD.EXE
    SERVICESSTART.EXE
    SETTELEPORTMODE.EXE
    SETTINGS3.EXE
    SHORTMSG.EXE
    SICLNT.EXE
    SIGNALEVENT.EXE
    SIREPSERVERAPPDEV.EXE
    SMSETTINGS.EXE
    SMSTRANSPORT.EXE
    SOUNDCPL.EXE
    SPEECHCPL.EXE
    SPMC.EXE
    SQMEVENT.EXE
    SSUPDATE.EXE
    TASKHOST.EXE
    TELSHELL.EXE
    TESTSHOW.EXE
    THEMECPL.EXE
    TOGGLEBROWSERHIBERNATION.EXE
    TOGGLEDOG.EXE
    UDEVICE.EXE
    UIF.EXE
    UNIFIEDPAIR.EXE
    USBMGR.EXE
    WEBSEARCH.EXE
    WIFIUXSPLASH.EXE
    WLANEXT.EXE
    WLIDSETUP.EXE
    WWANDATAMGR.EXE
    XDRMREMOTESERV.EXE
    ZIPVIEW.EXE
    ZMFTASKLAUNCH.EXE

    The code (yes I know it's super unoptimized, quickly put together):
    Code:
    using System.IO;
    using System.Linq;
    using System.Xml.Linq;

    // Load the dumped base policy and collect every executable that has a
    // LOADERVERIFIER rule keyed by name (certificate-hash rules are excluded).
    var doc = XDocument.Load(File.OpenRead("SamsungOmnia7_BasePolicy_webserver.xml"));
    var ea = doc.Root.Elements()
        .Where(x => x.Name.LocalName == "Rule")
        .Where(x => x.Attribute("ResourceIri") != null)
        .Where(x =>
        {
            var r = x.Attribute("ResourceIri").Value;
            return r.Contains("LOADERVERIFIER") && r.ToLower().Contains(".exe") && !r.Contains("CERTIFICATES");
        })
        .Select(x =>
        {
            // Keep only the last path segment of the ResourceIri, i.e. the exe name.
            var v = x.Attribute("ResourceIri").Value;
            return v.Substring(v.LastIndexOf('/') + 1);
        })
        .Distinct()
        .OrderBy(x => x)
        .ToArray();

    edit 7:
    yeah, lol i say too.
    Unprotected exe (FCRouterCmdTest.exe)
    > c:\Project Work\SGH-i707(Cetus)\FCRouterCmdTest\Windows Mobile 6 Professional SDK (ARMV4I)\Release\FCRouterCmdTest.pdb
    mfw samsung use "Windows Mobile 6 Professional SDK (ARMV4I)"
    3
    FINALLY!!

    STATUS: DONE! :D

    www.wp7roottools.com

    Ciao,
    Heathcliff74