DEV ONLY - NAND access + Full Unlock for Lumia 710 & 800


donpromillo

Senior Member
Nov 26, 2011
74
16
http://technet.microsoft.com/en-us/security/advisory/2718704 was updated a long time ago. Windows Phone is "non-affected".

Hello inket,
You are right, WP7 isn't vulnerable in the way that the Flame trojan used to attack systems. Even if WP7 were vulnerable, you would execute the code in the chamber with the lowest privileges and would need an extra exploit to gain higher privileges.
But that is not the way I would use a code signing cert from Microsoft. I suggest editing or building patch packages and signing them, then using the cabsender method to insert the edited patches. If the package is properly signed, the Zune update process should accept the package, and in this way you can also reach chambers with the highest privileges or even the bootloader partition.


Regards

Donpromillo
 

donpromillo

Senior Member
Nov 26, 2011
74
16
mate i so hope you get this right!!
Cuz we need the BABE of a phone unlocked!

"What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure."
This is what MSFT has found so far (read more here), so my hope is to get such a Terminal Services activation license.

Then we can see what's possible with it

Regards
 

trenbeth

Senior Member
Nov 9, 2010
79
11
That's another good idea. PM me if you find that terminal; I would really like to help you out :D

If such a working TS private key gets leaked, it would be all over the internet.
Just follow the security mailing lists and websites.

What we need is to have a chat on IRC where all dev questions are welcome.
Without that, I see we are a disconnected group of people with partial levels of knowledge.
 

cdbase

Senior Member
Aug 24, 2009
74
11
If such a working TS private key gets leaked, it would be all over the internet.
Just follow the security mailing lists and websites.

What we need is to have a chat on IRC where all dev questions are welcome.
Without that, I see we are a disconnected group of people with partial levels of knowledge.

Yep, IRC. Also, Nokia people have multiple accounts on XDA, so we should give them less information on how to lock us down.
He's not looking for a key but for a pre-activated TS (before the update) left untouched since then.
 

Jaxbot

Inactive Recognized Developer
Mar 14, 2009
1,224
548
windowsphonehacker.com
This is what MSFT has found so far (read more here), so my hope is to get such a Terminal Services activation license.

Then we can see what's possible with it

Regards
I've considered trying this for a while now, but I could never get my hands on the key that the trojan was signed with. If someone happens to know where to find it, it's worth a shot, I suppose.
 

donpromillo

Senior Member
Nov 26, 2011
74
16
Hi Jaxbot,

Not necessary to get exactly the cert from the trojan; every TS activation cert could help, if it was created before 5/12. The difference between the cert used by Flame and any activation cert is that this cert was prepared by an MD5 collision, so it was usable to attack Vista and Win 7 too, not only XP. For our aim that is not necessary, and difficult to achieve.

Regards
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
Because it seems there are no new ideas to get a solution for Nokia DLOAD bootloaders, I want to bring up an old one in a new flavor:

As discussed here and here, the MS cert chain is (was) vulnerable. I personally think that it "is still" vulnerable on non-patched systems (like WP7 ROMs before May 2012). After reading a lot of blogs and MSFT explanations regarding the vulnerability I'm sure: everyone who owns a Terminal Server certificate through Windows Activation Service also got a code signing cert which is able to sign code as Microsoft. This could enable us to implement all the code needed to make any WP7 phone unlocked, because we can sign it with a certificate trusted by WP7.
So, if somebody here who administers a Terminal Server 2008 that was activated before May 2012 and not patched with MS updates after May 2012 (or who has a system state backup of the server from before the patches were applied) is able to export this certificate (or the system state backup) and provide it here, the way to the goal is smoothed.
I know well about the risks of publishing such a certificate, so I would ask only to provide it to trustworthy members of this forum in secret/private channels.

Regards

Donpromillo

Guys, I hate to break it to ya, but this is not going to work.

The vulnerability you discuss here is related to the "Flame" malware. Flame exploits the fact that the OS still accepts certs with an MD5 hash. Though the MD5 hash algorithm was compromised years ago, finding a real hash collision is still extremely hard. Only the best cryptanalysts with the best computers can do this. The vulnerability in the MD5 algorithm was actually more a theory, and it was published back then.

The hash collision that was made in the Flame malware was a new type of hash collision that has not been seen before. It was not based on the theory that had already been published. So that means that some pretty smart cryptanalysts must have worked on this in secret and with criminal intentions. And they succeeded. Nothing about this is public knowledge.

So the infected systems do not contain this information either. An infected system only has the PUBLIC key on it. And it is a legit MSFT key. The point is that the malware was signed with a PRIVATE key, which has the collided hash. And the private key is only in the hands of those criminals. Just as the legit private keys are only in the hands of Microsoft.

WP7 is also affected by this, in theory, because WP7 also accepts binaries, that are signed by certificates from this certificate-chain. But to run binaries in WP7 you also need to get past the whole policy-engine too. So, in practice, WP7 is not vulnerable.

You won't find that private key on the internet. So, I guess that ends it here.

For more info, look here: https://www.google.com/search?sclient=psy-ab&q="flame"+"certificate"+"collision"&oq="flame"+"certificate"+"collision"

Ciao,
Heathcliff74
 

Jaxbot

Inactive Recognized Developer
Mar 14, 2009
1,224
548
windowsphonehacker.com
Guys, I hate to break it to ya, but this is not going to work.

The vulnerability you discuss here is related to the "Flame" malware. Flame exploits the fact that the OS still accepts certs with an MD5 hash. Though the MD5 hash algorithm was compromised years ago, finding a real hash collision is still extremely hard. Only the best cryptanalysts with the best computers can do this. The vulnerability in the MD5 algorithm was actually more a theory, and it was published back then.

The hash collision that was made in the Flame malware was a new type of hash collision that has not been seen before. It was not based on the theory that had already been published. So that means that some pretty smart cryptanalysts must have worked on this in secret and with criminal intentions. And they succeeded. Nothing about this is public knowledge.

So the infected systems do not contain this information either. An infected system only has the PUBLIC key on it. And it is a legit MSFT key. The point is that the malware was signed with a PRIVATE key, which has the collided hash. And the private key is only in the hands of those criminals. Just as the legit private keys are only in the hands of Microsoft.

WP7 is also affected by this, in theory, because WP7 also accepts binaries, that are signed by certificates from this certificate-chain. But to run binaries in WP7 you also need to get past the whole policy-engine too. So, in practice, WP7 is not vulnerable.

You won't find that private key on the internet. So, I guess that ends it here.

For more info, look here: https://www.google.com/search?sclient=psy-ab&q="flame"+"certificate"+"collision"&oq="flame"+"certificate"+"collision"

Ciao,
Heathcliff74
But the point isn't to run a fake EXE, the point is to create a CAB update that the OS recognizes as its own. Of course, considering the defaultcerts file, I doubt this is even possible in the first place, but it's the idea that counts.
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,610
But the point isn't to run a fake EXE, the point is to create a CAB update that the OS recognizes as its own. Of course, considering the defaultcerts file, I doubt this is even possible in the first place, but it's the idea that counts.

DefaultCerts don't even have such cert chains. The issuer is for example "Microsoft Windows Mobile Firmware Installation PCA", without a path to a CA. So the default-certs mechanism isn't even vulnerable to this at all.
 

donpromillo

Senior Member
Nov 26, 2011
74
16
DefaultCerts don't even have such cert chains. The issuer is for example "Microsoft Windows Mobile Firmware Installation PCA", without a path to a CA. So the default-certs mechanism isn't even vulnerable to this at all.

Hi Heathcliff;

I think that what is common to both cert chains is the MS Root Authority, which signed the "Microsoft Windows Mobile Firmware Installation PCA" and also the Licensing CA from a TS server (see the attached picture taken from "Default Certs" in OSBuilder). So the first task is to get the TS activation cert, the second is how to implement the different "intermediate authority" not included in WP7 (if that would be necessary).

Regards

EDIT: Sorry, I was just too fast; only the "Microsoft Mobile Device Unprivileged PCA" has the MS Root CA as root. The important two certs, "Microsoft Mobile Firmware Installation PCA", have no known root.
It seems a dead end, what a pity.
 

Attachments

  • MSRootCA.jpg (38.1 KB)

donpromillo

Senior Member
Nov 26, 2011
74
16
Guys, I hate to break it to ya, but this is not going to work.

The vulnerability you discuss here is related to the "Flame" malware. Flame exploits the fact that the OS still accepts certs with an MD5 hash. Though the MD5 hash algorithm was compromised years ago, finding a real hash collision is still extremely hard. Only the best cryptanalysts with the best computers can do this. The vulnerability in the MD5 algorithm was actually more a theory, and it was published back then.

The hash collision that was made in the Flame malware was a new type of hash collision that has not been seen before. It was not based on the theory that had already been published. So that means that some pretty smart cryptanalysts must have worked on this in secret and with criminal intentions. And they succeeded. Nothing about this is public knowledge.

So the infected systems do not contain this information either. An infected system only has the PUBLIC key on it. And it is a legit MSFT key. The point is that the malware was signed with a PRIVATE key, which has the collided hash. And the private key is only in the hands of those criminals. Just as the legit private keys are only in the hands of Microsoft.

WP7 is also affected by this, in theory, because WP7 also accepts binaries, that are signed by certificates from this certificate-chain. But to run binaries in WP7 you also need to get past the whole policy-engine too. So, in practice, WP7 is not vulnerable.

You won't find that private key on the internet. So, I guess that ends it here.

For more info, look here: https://www.google.com/search?sclient=psy-ab&q="flame"+"certificate"+"collision"&oq="flame"+"certificate"+"collision"

Ciao,
Heathcliff74

Hi Heathcliff74,

If you read this and this, you'll see that the collision isn't necessary in our case. The thing that we need is the activation cert of a Terminal Server, because this is also a "code signing cert" and allows signing any code (in unpatched environments) as if it were done by MSFT.

Regards
 

trenbeth

Senior Member
Nov 9, 2010
79
11
Hi Heathcliff74,

If you read this and this, you'll see that the collision isn't necessary in our case. The thing that we need is the activation cert of a Terminal Server, because this is also a "code signing cert" and allows signing any code (in unpatched environments) as if it were done by MSFT.

You use the term 'Activation Cert' (probably Activation Certificate) which is not known to Google.
A certificate file most commonly contains a public key, which is not usable for signing files.
You would need a private key to sign a code file.

If the private key of some intermediate certificate was known (even recently revoked), it would have tremendous value in the malware market. It would be in the news before we hear it here.
 

donpromillo

Senior Member
Nov 26, 2011
74
16
Hi,

You use the term 'Activation Cert' (probably Activation Certificate) which is not known to Google.

Yes, I use abbreviations, and most people understand the term cert in this way.
And yes, Google sometimes fails (too much advertising???)

A certificate file most commonly contains a public key, which is not usable for signing files.
You would need a private key to sign a code file.

If the private key of some intermediate certificate was known (even recently revoked), it would have tremendous value in the malware market. It would be in the news before we hear it here.
You read the wrong news :)

Even if I stated above that we are at a dead end: if you've read the links I gave, you could know that by activating a Terminal Server you create a private/public key pair which is signed by a sub-CA of MSFT and, at the end of the chain, by the MSFT Root CA. Through a huge mistake of MSFT engineers, this certificate you get (and you, as the consumer, hold the private key) isn't restricted in its key usage, so code signing with this certificate and your private key is possible, and the code is signed by MSFT too, because they signed your cert.
Unfortunately, that isn't as helpful as I thought, because WP7 does not use certificates with the MSFT Root CA as a part of the cert chain. They learned from their mistakes and set up WP7 certificates using a standalone root CA.

Regards
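The verification gap that both Heathcliff74's MD5 point and donpromillo's key-usage point come down to, as an added example that is not code from this thread: a lax verifier that accepts any certificate chaining to a trusted root, beside a hardened one that also requires a code-signing EKU on the leaf (refusing a leaf with no EKU rather than treating it as any-purpose) and rejects legacy digests. It uses the `cryptography` package; the CA names, the licensing OID and the scenario builder are constructed, and the legacy-digest rejection is demonstrated with SHA-1 because the package may refuse to issue MD5-signed certificates.

```python
# Added model of the chain check discussed in the thread. All CA names and the
# licensing OID are constructed; needs the `cryptography` package.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

LICENSE_EKU = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.2")  # constructed OID
LEGACY_DIGESTS = (hashes.MD5, hashes.SHA1)  # what a hardened verifier refuses


def make_cert(subject, issuer, issuer_key, subject_key, is_ca, eku=None,
              digest=hashes.SHA256()):
    """Build one certificate; eku=None means no EKU extension at all."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name(subject)).issuer_name(name(issuer))
               .public_key(subject_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(days=1))
               .not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                              critical=True))
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return builder.sign(issuer_key, digest)


def signed_by(cert, issuer):
    # True if the issuer's public key verifies cert's signature over its TBS bytes.
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def validate_code_signing_chain(chain, trusted_roots, strict=True):
    """chain = [leaf, intermediate, ..., root]; returns (accepted, reason).
    strict=False models a verifier that stops at 'chain is valid', treats a
    missing EKU as any-purpose and still accepts legacy digests."""
    leaf = chain[0]
    if chain[-1] not in trusted_roots:
        return False, "root not in trust store"
    for cert, issuer in zip(chain, chain[1:] + [chain[-1]]):
        if not signed_by(cert, issuer):
            return False, "bad signature on " + cert.subject.rfc4514_string()
        bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            return False, "issuer is not a CA"
    if strict:
        if isinstance(leaf.signature_hash_algorithm, LEGACY_DIGESTS):
            return False, "legacy digest algorithm"
        try:
            eku = leaf.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            return False, "no EKU: refuse rather than assume any purpose"
        if ExtendedKeyUsageOID.CODE_SIGNING not in eku:
            return False, "EKU does not permit code signing"
    return True, "ok"


def build_scenario(leaf_eku, digest=hashes.SHA256()):
    """Constructed root -> licensing sub-CA -> leaf; returns (chain, roots)."""
    root_key, sub_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = make_cert("Example Root CA", "Example Root CA", root_key, root_key, True)
    sub = make_cert("Example Licensing CA", "Example Root CA", root_key, sub_key, True)
    leaf = make_cert("Example License Server", "Example Licensing CA", sub_key,
                     leaf_key, False, leaf_eku, digest)
    return [leaf, sub, root], [root]
```

`build_scenario(None)` reproduces the shape of the thread's case: a leaf issued under a trusted root that carries no EKU, which the lax verifier accepts for code signing and the strict one refuses.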
 

djtonka

Senior Member
Aug 1, 2010
1,104
514
City
As far as I know we can copy .dat and .xml files into the Windows folder even after developer unlock, which is what I did with the KeepAlive mod and a modified file to increase the limit of MBs for downloading over the network. Maybe you should focus on simplicities? :D
 

zinoubinabil

New member
Mar 14, 2006
2
0
:( Both not working for me :(

I will try another computer tomorrow. But I doubt that will make a difference.

Also when I powered off and connect it to pc, the phone immediately powers on, so I'm not sure why I would need to press and hold the power button. I did it with and without power button; no difference.

Heathcliff74
I have the same problem; the phone powers on after the vibrate.
Did you solve your problem??


with NSS i have this log
----------------------------------------------------
Looking for phone...Done.
IMEI: 359289046290504
---------------------------------------
Please follow these steps:
1. Power off the phone
2. Remove the USB cable
3. Press and hold the Vol+ button
4. Plug the USB cable, wait for the buzz
5. Release the Vol+ button
---------------------------------------
Waiting for 30 seconds...Done.
----------------------------------------------------------------------------
Looking for NAND disk...Not found.
Things to check:
1. Is the phone connected?(Plug to the USB)
2. Is it in the correct mode?(Try to switch to OSBL mode)
3. Have you installed the Qcom loader ?(Use the Install button)



When I press and hold the Vol+ button and plug in the USB cable, the phone turns on.
It is already updated to the latest firmware with Zune.
Please, any help!!
 

lumpaywk

Senior Member
Mar 30, 2010
597
59
Portsmouth/Gosport
This may be really stupid, but if you don't ask you never know. As the bootloader gets updated when you use Nokia Care Suite, can't we maybe take the old bootloader and trick the Care Suite into thinking it's a newer update?
 

donpromillo

Senior Member
Nov 26, 2011
74
16
MSFT announces trouble with some certs and stops publishing marketplace apps

Hi,

Does anybody have the apps named here in a version from before MSFT stopped publishing? Could we investigate the certs they used in that app to see what's meant by
We’ve run into an issue with the digital certificates used to sign apps, and this is preventing some phones from installing some apps published during the last couple of days.

We’ve investigated and determined the issue only affects phones that upgraded to Windows Phone 7.5 from an earlier version of the operating system. It does not appear to impact phones sold with Windows Phone 7.5 preinstalled.

We estimate the issue also affects only a small percentage of the 100,000-plus apps in Marketplace. Among the more popular ones affected are the New York Times, WhatsApp, and Translator from Bing—all of which recently issued new updates.

Regards

Donpromillo
 

cdbase

Senior Member
Aug 24, 2009
74
11
What about IRC, where we all could share ideas on the Lumia 800?? Also we can try to donate to Jaxbot; maybe when he receives some fee he could make things happen faster. Someone should ask him :)
 
Dec 14, 2011
11
1
I got another problem here.
Yesterday I was able to enter Qualcomm mode by pushing Vol+ and Power, but today I can't do it anymore.
When I push Vol+ and Power it vibrates long and after that it does nothing.
What can be the problem? The phone doesn't get detected by anything (not DLOAD or Qualcomm).
It's the v2.3 and I am sure it's Qualcomm, but I can't enter that mode anymore.
 

Top Liked Posts

  • 81
    UPDATE: First custom ROM with Interop Unlock flashed successfully. Requires a hard reset after installing and an unlocked bootloader. See post for proof:
    http://xdaforums.com/showpost.php?p=24818275&postcount=242
    BIG THANK YOU TO ULTRASHOT!
    Without you I couldn't have done it!
    NOTICE: Testing full unlock (XIP unlock etc.) with ultrashot. Will post new files as soon as I get a working build which doesn't get stuck on boot ;)

    Disclaimer:
    I AM NOT RESPONSIBLE IF YOU LOSE DATA, BREAK YOUR PHONE, OR SET YOUR HOUSE ON FIRE. DO THIS AT YOUR OWN RISK. BTW, REQUIRES A HARD RESET SO YOU WILL LOSE ALL THE DATA IN YOUR PHONE BY FLASHING THIS. IF UNSURE, DON'T DO IT.
    PLEASE STOP PM'ING ME FOR HELP, I CAN'T REPLY 20 PMS/HR. Please use the forum, maybe someone can create a discussion topic to help others and leave this for links and development. Thank you very much!

    PLEASE STOP SENDING ME PMS ASKING FOR HELP AND USE THE DEDICATED THREAD
    THIS THREAD IS FOR DEVELOPMENT ONLY, PLEASE RESPECT THAT AND USE THE Q&A THREAD FOR YOUR QUESTIONS.
    LINKS:
    Lumia 800: Full Unlock
    New firmware: May 16, 2012 (removed foursquare and stuff)
    sdb3.rar: Flash it to PARTITION #3. It contains 12070's amss & adsp. Not absolutely required but if you have an older version this should give you better battery life.
    http://www.mediafire.com/?kwjladlgvq81rha
    OS-NEW:
    As always, flash it to PARTITION #9.
    Part1: http://www.mediafire.com/?21by2oj7acnhkhw
    Part2: http://www.mediafire.com/?wkeduvp9l4199qh
    Part3: http://www.mediafire.com/?cnbkms40dy4y06z
    Part4: http://www.mediafire.com/?rabunpmnaqclq3o
    Complete Mediafire folder access: http://www.mediafire.com/?uo2dqcl34b9cy
    ___________________
    Alternate ROM with Full Unlock + Some apps:
    Part1: http://www.mediafire.com/?8gnqm418v32im3e
    Part2: http://www.mediafire.com/?bgtg2t5infrnua1
    Part3: http://www.mediafire.com/?l0sl5hbr0v9gfi1
    Part4: http://www.mediafire.com/?emt2dfswdhn0z0w
    Apps preinstalled:
    DS Supertool
    File Deployer
    Metro Theme
    WebServer
    WinTT
    WM Device Center
    WP7 Root Tool

    ___________________
    Lumia 710: Interop Unlock (no full unlock yet)
    ROM Based on: RM803_059N2L6_1600.3015.8107.12070_010
    Mediafire folder access: http://www.mediafire.com/?9z6og65ozgrnr
    http://www.mediafire.com/download.php?d3bj3dkfbffbakn
    http://www.mediafire.com/download.php?l35zjaebdrsm315
    http://www.mediafire.com/download.php?ys5bapu8ubezybo
    http://www.mediafire.com/download.php?tnadd4uuoxhatv3
    CAUTION: I don't have a 710, so these images AREN'T TESTED. Use at your own risk. Be careful, people are reporting problems with this rom.
    Full Unlock Image for Lumia 710 by lucifer3006 -BE CAREFUL, IT HAS BUGS, FOR TESTING PURPOSES ONLY- (thanks ultrashot & lucifer3006): http://www.mediafire.com/?p3318y5l19abb

    You have a mirror of all the stuff on mediafire on xdafil.es: http://xdafil.es
    Thank you mousey_!

    PLEASE DO A FULL BACKUP OF THE NAND BEFORE PLAYING AROUND.
    If you are developing fixes for the bootloader 'problem', feel free to grab a copy of the rest of partitions and stuff I posted over this thread here: http://www.mediafire.com/?kknt4lnc3tn7w


    INSTRUCTIONS:
    Requires an unlocked bootloader (a.k.a. qualcomm development bootloader).
    Easy to check: Turn the phone OFF, then press and hold VOLUME UP + POWER until you notice a short vibration. Plug in to the computer. If the phone turns up in disk mode (USB Mass Storage Device), then you have an unlocked bootloader. IF you're in Windows, it will ask if you want to format the disk. SAY NO OR IT WILL EXPLODE (it won't explode but you might break it)
    If the device detected by the computer is Nokia DLOAD you have a locked bootloader and you're out of luck, at least for now.

    I used 'dd' in Linux, I guess you can do it with the Windows version too (http://www.chrysocome.net/dd) but it's more involved to find the appropriate partition:
    dd if=./os-new.nb of=/dev/sdX9
    Where X is the disk detected by your linux distribution.
    After that, you'll need to hard reset the phone. Hold Power button for 10 seconds to exit Qualcomm's disk mode, and press and hold POWER+VOLUMEDOWN+CAMERA until you feel the phone vibrate. After that, RELEASE power button but KEEP HOLDING volume down + camera for five or more seconds. This will trigger the hard reset.

    Now time to play with bootloaders and try to get this to work for everyone!

    If you like my work and want to donate for a beer (or two), follow this link
    22
    I'd suggest renaming one of the colors. Would be great if it was possible to interop the phone without losing data.

    Well, you can always make a backup and then restore via zune. The thing is the dumped OS is about 600Mb, the generated image is 378Mb. I don't know how it will reside on the flash, you could always check where the flash starts to get filled with zeros and clean it up before the first boot... If they had done it right and separated user data from the main OS we wouldn't have this problem...

    INTEROP UNLOCK ACHIEVED!

    Now time for a nice beeer ;)
    I'll put mediafire to work and upload the image I just did. Everyone who has an unlocked bootloader: after you flash this to the phone, DO A HARD RESET, otherwise it will get stuck on 'Installing Applications'
    12
    Hey everyone,

    I was hoping to be able to crack Nokia's OSBL, but time already ran out and I wasn't able to get it. So sorry, guys, but I had to return both Lumias. It's been a fun month, and at least I helped get custom ROMs to at least some of you.

    I'll be uploading here all the files I have on my computer so anyone can mirror them or use them for whatever you might need. If I can help you with something else (development related please) feel free to drop me a PM.

    Once again big thank you to Ultrashot, Beidl, Xsacha, cdbase, ceesheim, HeathCliff & everyone that helped out with this. Now back to my (almost) forgotten Galaxy S2 & to try Boot 2 Gecko and see what progress has been done since the last time I checked :)
    8
    Btw, here is my DppImplant app.
    Implants DPP partition with your stock Live Id to a custom rom.
    Usage:
    1) Put backup of the biggest partition to the folder with DppImplant.exe and call it "stock.nb"
    2) Put "os-new.nb" there - target firmware in which you want to see your old Live Id.
    3) Open DppImplant.exe. It will extract DPP from stock.nb and create mydpp.bin file. (After that you won't really need to have stock.nb in that folder).
    "os-new.nb" will be patched.
    4) Done.

    P.S. if you open DPP using Notepad or any hex editor, you'll see saved Live Id.
    6
    Ok L710 fully unlocked :)
    Those 2 parts are wrong. I used to narod.ru

    http://www.youtube.com/watch?v=-rQbFp7yasc


    CAN WE KEEP THIS FOR DEVELOPMENT ONLY PLEEEEEEEEEEEEEASSSEEEEE?

    Gift from our friends at Qualcomm:

    Full AMSS firmware + Secboot Sources (Qualcomm loader)! Grab it while it's hot!

    http://www.mediafire.com/?ir2h15f663ja6wc