WP7 Root Tools - Announcement: Coming to MANGO and to other devices: SAMSUNG, HTC, LG

Hi hackers!

IMPORTANT ANNOUNCEMENT!
WP7 Root Tools will soon be available for Mango!
More info HERE

With this tool you get root-access to parts of your WP7 device. The first release only contains a registry-editor. The file-explorer and certificate stores will follow.

This tool is in alpha stage. That means that it is not feature complete and it is not yet properly tested. This tool also provides you with high privileges with which you can alter low level settings and data on this device. All this may result in unexpected and undesired behaviour, which may ultimately damage your device. Use this tool with care and use it at your own risk. The developer of this tool cannot be hold responsible for any kind of damages, caused directly or indirectly by using this tool.

The current version of this tool can only be used on Samsung devices. A small part of the code uses Samsung-specific functionality. The performance of the tool may sometimes be slow. This is the result of the way access to the system is elevated. The goal is to make this tool device-independent and to elevate access more directly in the future, but that requires more research.

To install this you need a developer-unlocked Windows Phone 7 device. For questions about unlocking your device, please refer to the appropriate threads.

If you have bug-reports or feature-requests, please give a full description.

If you like this, hit the "Thanks" and/or "Donate to me" button.

Ciao,
Heathcliff74


Update 2011/04/06:

1. Some people requested a possibility for donations. I opened a paypal-account and the "Donate to me" should work. Thanks!
2. I get an overwhelming amount of comments and pm's. I can't answer them all right now. I will try to answer them a bit later. Sorry.

Thanks for all the support guys!

Update 2011/04/13: RELEASE "WP Root Tools 0.2 alpha"

Consider this an "interim build". Most changes are under the hood. I did a lot of refactoring for performance improvements and paving the way for the file-explorer. This version does not include the file-explorer just yet. That will be the next release. Fixes in the new 0.2 alpha version:

- Compatible with light theme.
- Navigate out of the app with back-button.
- Due to refactoring and better use of the exploit I gained a lot of performance. It is very fast compared to the previous version. Should also reduce battery drain significantly.

Update 2011/04/14: RELEASE "WP Root Tools 0.3 alpha"

Mightyhog found a regression bug in the 0.2 version. HKLM\Software\Microsoft\ was not listed properly. It is fixed in the 0.3 alpha version.

Update 2011/04/18: Info about known limitations

Yesterday I added some info here which, after more research, did not seem to be entirely correct. I misinterpreted some of the file-flags I was seeing. So here's some more detailed info about the know limitations of the current Registry Editor and the File Explorer which is coming soon. It seems that having TCB privileges still has some limitations on accessing the filesystem and the registry.

Some registry values can be changed but they are reset back to their default value after the device is restarted. One example of such value is:

HKLM\System\CurrentControlSet\Control\Power\Timeouts\BattUserIdle DWord 300

Possible explanations:
- The value is stored in a ROM registry hive. The change is made in RAM and after the device is restarted and RAM is cleared, the value is read from ROM.
- In the boot sequence of the device some xml-files which contain settings, are provisioned and overwrite changes made to the registry.
- A certain service or startup-program simply overwrites settings on system-startup.

I'm working on the File Explorer now. While testing I found out that eventhough I have TCB privileges some access is still restricted, because system-files are mapped directly in ROM. There are 2 file-flags that have impact on this:

- 0x0040 = FILE_ATTRIBUTE_INROM - This file is an OS file stored in ROM. Most files in the \Windows folder have this attribute. These files cannot be moved, modified, renamed or removed. Only a firmware update can change these files.
- 0x2000 = FILE_ATTRIBUTE_ROMMODULE - The exe- and dll-files in the \Windows folder also have this flag set. These ROM files are mapped directly into executable read-only address-space, rather than being first copied to RAM. They cannot even be accessed as a file. They can only be executed. And therefore these files also can't be copied to another location, ie. we don't even have read-access on these files. However, I may have found a way to access these files anyway. This needs a bit more research, but I hope that I can at least copy the files to a location where they can be accessed.

Everything else seems to be possible. Creating files in the \Windows folder is no problem. I hope to be able to release a version with a File Explorer soon. I guess it will be in about two weeks or something. Bear with me.

Update 2011/04/19: No luck on reading the ROM modules

I did more testing. I wanted to have at least read-access to the exe- and dll-files in the \Windows folder. As it is not possible to call CreateFile() on those files, I tried LoadLibrary(). That works. With CreateToolhelp32Snapshot(), Module32First() and Module32Next() I can enumerate the modules and find the one I loaded. I also get a baseaddress and size of the module. The problem is that I can't access that memory. I tried direct-access and I tried using ReadProcessMemory(). ReadProcessMemory() returns "Incorrect parameter" as soon as I try to access the ROM memory. Also using VirtualProctect() to unlock the memory gives me "Incorrect parameter" all the time. So it seems we won't have read-access to the exe- and dll-files in the \Windows folder for now. I will now concentrate on other functionality for the File Browser. I will try to get access to the ROM modules later on.

Update 2011/06/14: RELEASE "WP Root Tools 0.4 alpha"

It has taken me a long time, here's a new release, finally. Actually this release is not very useful yet, because the file-explorer is read-only so far. The "Cut / Copy / Paste / Delete / Rename" will follow soon. The browsing part has been extremely difficult. The main problem was the performance. Opening a folder could take up to 4 minutes. Ouch! Through a combination of multi-threading techniques, caching and combining multiple exploits I finally got this to a stable solution where browsing can be done in quite an acceptable way. The write actions don't have these performance issues, because it is not a real problem when copying a file will take a few seconds more or less. I already started on implementing this. This release also has a few minor fixes to the Registry editor, but no new functionality. I also did a lot of testing on the certificate stores. I got full read / write access to all the stores, but none of that is implemented in the WP7 Root Tools yet. That will be next.

Update 2011/06/24: RELEASE "WP Root Tools 0.5 alpha"

In this version I implemented the basic file-operations and a certificate installer.

You might wonder why I created a certificate installer, because it is already possible to add certificates. When you email a certificate to yourself and tap that attachment, WP7 will install it. But if you install like this, the certificate will always be installed in the "Root" certificate store. With my certificate installer you can also install in "CA", "My" and "Code Integrity" stores. This may be very useful for hacking attempts. You can install a certificate by browsing to the ".cer" file and tap it. The possibilities for getting a certificate file on your phone will follow below. If you start installing certificates on your phone you should consider making backups in advance. I once experienced Zune going totally bezerk after installing certs. Zune took 100% and lost connection with the phone all the time. Everything was back to normal when I deleted the certs. In this version there is no view on the certificate stores available yet. In a future version you will be able to view the contents of all the certificate store and also uninstall certificates from there.

I specifically mentioned that this version has basic file-operations, because not everything is implemented. This is what you can do:

- Cut / Copy / Paste / Delete / Rename single files
- Delete empty folders
- Create new folders

This is what you can't do (will be possible in later versions):

- Cut / Copy / Paste multiple files or entire folders
- Delete folders with content
- Rename folders

Last, but not least: I fixed some performance issues. Mainly memory-leaks in native code and in COM interop. I'm not sure if I got all leaks now, because it's not easy to do native C++ without debugger and profiler. But improvement is clearly noticeable.

This version does not have a connection with the PC. So it is not possible to use WP7 Root Tools to transfer files between the phone and the PC. You can however, use other tools to get files onto your phone and then use WP7 Root Tools to move the files to the desired location. WP7 Root Tools has write access on every folder of your phone.

How to transfer files to your phone:

1. Mail the file to yourself. Use your phone to go to your mailbox (not webmail). The attachment will be downloaded in the background. Then use WP7 Root Tools to navigate to \Application Data\Volatile\EmailAttachments\Attachments(number). You have to look which attachment is the one you want. The filename may be changed. The extension is the same.
2. Install Davux' webserver on your phone. Configure a password in that webserver. The IP of the phone is visible in the webserver app. Browse to the phone like this: http://192.168.1.2/IsolatedStorage using the IP of the phone. Upload a file to the phone. Open WP7 Root Tools 0.5 alpha. Navigate to this folder: \Applications\Data\9BFACECD-C655-4E5B-B024-1E6C2A7456AC\Data\IsolatedStore\. There's your file. You can copy it to another location if you want.
3. Use the Zune storage hack, described here and here. If you copied the files to your phone in this way, they will be located at \My Documents\Zune\Content in one of the subfolders. Again, the files here are renamed. You have to find the file you want and then rename it.

Have fun!

Some screenshots:

WP7 Root Tools coming to MANGO!!

Hi all!

I just figured out how to run native DLL's in a Silverlight App on MANGO. This is a major breakthrough! This means that I will be able to port all code and exploits that I got so far to Mango.

A little while ago I announced that the next version of WP7 Root Tools would have support for HTC and LG too (Samsung was supported from the beginning). I found all the necessary exploits for that and I was busy putting the puzzle together. But on the side, I've also been working on Mango. And it started to frustrate me more and more, that native homebrew code was not possible on Mango, because everyone is migrating to Mango and our tools would become unusable. Unacceptable!!

These are the pieces of the puzzle I got now:

1. Support for Mango (running native DLL's)
2. Full Root Access to all resources and API's with possibility to enable/disable per app (also bringing huge performance improvements)
3. Support for HTC and LG
4. Building an SDK for other developers

I have to be a little bit reticent! I am making these announcements because I've done a lot of research in finding all the pieces of the puzzle. And in theory they will all fit together. But I have to do more work to make a complete tool of it all. I can only be real sure that everything works, when I got it all finished.

Having said that, I will start with piece number 1 by releasing a version for Mango asap. It will be exactly the same as the previous version, but now also supporting Mango. I know I promised HTC and LG support in the next version, but releasing a version for Mango is easier for me now, so that will come first. Sorry to HTC and LG users. Just a little more patience please.

Shortly after, I will release a version with pieces 2 and 3. HTC, LG and Full Root Access per app.

And shortly after that, I will release piece number 4; the SDK.

Ciao,
Heathcliff74

New release: version 0.2 alpha

Hi, I'm back!

I got a new release of the WP7 Root Tools. Consider this an "interim build". It's version 0.2 alpha. Most changes are under the hood. I did a lot of refactoring for performance improvements and paving the way for the file-explorer. This version does not include the file-explorer just yet. That will be the next release. Fixes in the new 0.2 alpha version:

- Compatible with light theme.
- Navigate out of the app with back-button.
- Due to refactoring and better use of the exploit I gained a lot of performance. It is very fast compared to the previous version. Should also reduce battery drain significantly.

If you like this, hit the "Thanks" and/or "Donate to me" button.

Ciao,
Heathcliff74


Edit: attachment of version 0.2 alpha removed. Newer version is now in the opening post.

Full Root Access

Hi hackers!

I have not posted much lately. But that doesn't mean that I haven't been hacking

First a little info on the Windows Phone 7 security mechanisms. WP7 RTM has the Developer lock and the policy engine. The developer lock was broken by ChevronWP7 and the policy engine was partly broken by the exploits I created for WP7 Root Tools. NoDo got improved developer locking, but other than that it was unchanged. In Mango there is a third security mechanism: No native code is allowed for unsigned apps.

Today I had a little breakthrough. I have now Root Access on my Samsung Omnia7 with NoDo. You might think that I already had root access, because the WP7 Root Tools work really well. That's true, but I did not have Full root access yet. The main exploit I used was a very complicated work-around. And it was extremely slow. I had to use all kinds of multi-threading tricks to make WP7 Root Tools usable, performance wise. If you would use the native API's that are meant for Filesystem access and Registry access, the system is much faster. But we are not allowed to use those API's. They will usually return error 0x000004ec, which means "Blocked by policy". Also, the native API's provide much more functionality than the exploits I used. Having access to all the native API's also provides new perspectives for future development.

So I started working on the policy engine. See this thread for more info. I got some help from fiinix there. Later on I was contacted by YukiXDA, who was working on a custom ROM for HTC HD2 with Root Access. We combined our knowledge so I could work on a version of WP7 Root Tools that would work on his HD2 ROM. I've been working on that for the last couple of weeks and I'm making good progress now. In the mean time I continued research on the policy engine with a different approach than YukiXDA is using. And now I have found a way to apply root access to selected apps. This was important to me. I didn't want to break down the security of WP7 all together, because that would mean we're back to WM6 with security. And one rogue app could mess up your device or leak all private info to the web. So I wanted to let the user decide which apps he trusts to give root access and which apps should retain in their sandbox. And that's what I got working now! The security mechanism that Microsoft has implemented for WP7 is actually really cool, but I think they should have made it possible for users to select apps that can break out of the sandbox and apply tweaks to the system. We hackers and tweakers are smart enough to decide that.

To get this working I'm installing some prerequisites. And for that I'm still using Samsung specific exploits at the moment. But I'm quite sure I can get that working for HTC's and LG's too. But that needs a bit more research.

So with Chevron WP7 Labs and this new Root Access we finally have full control over our NoDo devices. But for now, we still can't run native code on Mango yet. But I have a couple of attack-vectors, that I want to try for that. I have good faith that I can defeat that. But before I start working on Mango, I first want to finish the next version of WP7 Root Tools, which will work faster and will also work in HTC HD2 and possibly other devices.

I have had so many requests from people who asked me to share source code of the exploits, that I have decided to create a WP7 Root Tools SDK. This will be released after the next version of WP7 Root Tools. The SDK will contain libraries that allow other apps to get full access to the registry and filesystem. By then everybody can start working on cool backup-apps and tweak-apps, etc.

Will keep you posted on progress of the new version and SDK.

Ciao,
Heathcliff74

Hi,

I did more testing. I got WP7 Root Tools running now on my Samsung Omnia 7 with Mango RTM. Wonderful! I have to finish up some things and I think I'll be able to release version 0.6 tomorrow.

singularity0821 said:

This is awesome, thank you for your work!

Will we need a full unlock for it in Mango or is the Dev Unlock sufficient?

Click to expand...

Click to collapse

Nope, I have my own Full Root Access And you don't even need to flash anything! Cotulla also has exploits to run native executables. This will not be possible with my WP7 Root Tools. Though I'm pretty sure that I have the exploits to do that now too. I just haven't tested it yet. I may try this later on.

GoodDayToDie said:

This is FANTASTIC news! Way to make serious breakthroughs, man!

Just a few questions about the Mango support:
A) Does it require doing anything in NoDo, or will it work on phones that ship with Mango?
B) Can it be used on any native DLL? For example, could it be used with the screen capture program?
C) Can it be combiled with your per-app full root access to make (for example) a fully cross-platform registry browser that doesn't need device-specific DLLs?
D) Will you share the technique you use for it? I understand your reasoning for not wanting to share the "gain root" exploit technique, but I'm always hopeful.

Anyhow, this is awesome! Can't wait to use Wp7 Root Tools on my HTC phone running 7720!!

Click to expand...

Click to collapse

A) Will work with shipped Mango!
B) It will probably work on (almost) any dll, but the chance is that it need to be recompiled. I will post guides on how to do it. I can't guarantee things, because I know for a fact that Microsoft has removed some API's in Mango that were present on NoDo. But as fas as I can see, all the good stuff is still there
C) Let me explain. First WP7 Root Tools needs to get Full Root Access. Then WP7 Root Tools will be able to provide Full Root Access for other apps. These apps don't need any device-specific DLL's at all. Once your app is provided with Full Root Access, you can use any native or managed API you want. For native DLL's you will need to follow the guide I will write later on. You can also use the SDK I will create later, but that is just to make it easier. Using the SDK is mandatory. BUT... For WP7 Root Tools to get Full Root Access I still need device-specific exploits. As of now I have the necessary exploits for Samsung, HTC and LG. So your app will only work on these devices. Because the users will need to install WP7 Root Tools to give your app Full Root Access.
D) I will share my technique in the form of the WP7 Root Tools and the SDK. The real magic underneath will be my trade-secret.

experience7 said:

Wow! I've been following this thread since the first release and it's just wonderful to see how fast things go on Heathcliff74, in my opinion you're one of the best programmers i've ever seen! This would be the first common registry editor.. (by 'common' i mean: working on all devices )
This will make things much easier.. can't wait for it to be released!

Click to expand...

Click to collapse

Thanks for the compliment. It will be almost common. As I explain in the my response to GoodDayToDie there is still some need of device-specific exploits. And I have these exploits for Samsung, HTC and LG now. Later on I may try to find exploits for Dell, Asus, etc.

Ciao,
Heathcliff74