NO FLASHING ROMS, possibility to port Interop-unlock to Lumias

Boss442

Senior Member
Jul 19, 2012
Mar Del Plata
Not exactly. We know that the phone can recognize the xap and that the data actually resides locally on the phone. If there is a way to directly launch it from the SD card without installing (or invoke an installer) we could go around the store. I'm counting on the native toast launcher, but I don't know how the phone sees the SD card directory or where it's mounted.

I am going to tinker around later. I have to set up my tools.
~Lumia 822
Try disabling all data signals (3G/2G, Wi-Fi, etc.) and then try to install the .xap.
 

awesome71717

Member
Apr 11, 2011
The store always seems to check online for authorization. Going to the SD card menu with all data off still gives "Identifying apps..." but then it gives an error message.

I tried using reker's proxy, but it does not work.

 

Boss442

Senior Member
Jul 19, 2012
Mar Del Plata
So.. "diagnosis" will not work, so we need to find a Nokia OEM app with the same permissions.
Or we can find a way to decrypt the app, but I think it's impossible; anyway, if you decrypt the app and sideload it, it won't work because the app needs high privileges, so sideloading the app will give an error...
 

cro.dev

Senior Member
Sep 22, 2012
Why doesn't somebody who has already interop-unlocked their own Samsung phone RECOMPILE the Diagnosis xap and upload it here for us? That xap would not be encrypted and we would be able to install it with the Deployer?
 

Boss442

Senior Member
Jul 19, 2012
Mar Del Plata
Why doesn't somebody who has already interop-unlocked their own Samsung phone RECOMPILE the Diagnosis xap and upload it here for us? That xap would not be encrypted and we would be able to install it with the Deployer?
Doesn't work, because Diagnosis apps have high privileges and Application Deployer doesn't let us install this app.
 

-W_O_L_F-

Senior Member
Jul 10, 2010
Moscow
Why doesn't somebody who has already interop-unlocked their own Samsung phone RECOMPILE the Diagnosis xap and upload it here for us? That xap would not be encrypted and we would be able to install it with the Deployer?
WP8Diag.xap isn't encrypted ;)
But it requires Interop Unlock to install. It uses InteropServices after all :)
 

ultrashot

Inactive Recognized Developer
May 26, 2009
St.Petersburg
How can we find bugs in Nokia apps?
I have an FFU filesystem opened, and have the registry files from WP Amber.
So how do we know if some app will have the required permissions?
If you or someone told me how, I will try to find some apps... :victory:
If WMAppManifest.xml and decompilation via Reflector, ILSpy, Dotpeek, Dissharp etc. make any sense to you, then go on.
Actually, I don't change my mind: it looks like Nokia doesn't have such obvious bugs (or features? :D). I could have overlooked something, but I don't think so.
 

contable

Senior Member
Oct 25, 2009
You guys shouldn't spend time trying to port the Samsung diagnosis app to Nokia devices. I don't think that there is any chance to do that, because the app comes with the ROM and it requires the interop-unlock to get installed.

The Samsung OMNIA 7 also got interop-unlocked through the diagnosis app but nobody could deploy it to another locked device.
 

jacano

Member
Oct 31, 2010
I have already tried that, without results :(

tl;dr

I have dumped the latest Amber update for my Lumia 920 using ImgMount.
Inside file.mnt\PROGRAMS\CommonFiles\Xaps you have some xaps the OS installs when you configure your phone for the first time,
and also here: file.mnt\PROGRAMS\CommonFiles\OEM\Public\PreloadedApps\tier3Apps

I copied all these xaps to another directory and opened them one by one to see their manifest and declared capabilities. If I find one with high ones, I drag and drop all its dlls into ILSpy, remove the native dlls and start by looking at the Resource section of the remaining dlls; if they don't have this section, they are removed. Then I open the MODULENAME.g.resources section of the remaining ones to see all the xaml pages we could navigate to by using the toast hack.

If during the inspection I find any promising page, for example (/menu/debug/hotchicks.xaml), I open it on my phone to really know what we can do with it.

So, imagine I was inspecting the preinstalled Nokia Drive app (c843585440544fb0a4cadf1bb696839a.xap) and I had found a promising page inside and wanted to open it.
First I need the AppID of this xap; get it from WMAppManifest.xml, <App xmlns="" ProductID="GUID".... By the way, I also have a look inside this file at its declared capabilities.

This is my candidate page to inspect:

It's inside Drive.dll; the module name of this dll is Drive.

In order to open it, I first need to install the Native Toast Notification Launcher on my Lumia 920 -> http://forum.xda-developers.com/showthread.php?t=2398275

Then edit the uri inside the app like this:
app://GUID/_default#/MODULENAME;component/pages/debug/debugmenupage.xaml

So in this case:
app://31bbc68c-503e-4561-8d85-a294d54df06f/_default#/Drive;component/pages/debug/debugmenupage.xaml
Tap on the toast and start looking around to see if this page allows us to modify the OS filesystem or registry.
Notice that if you make any filesystem modification you are in fact doing it with the capabilities of the app you set in the uri. So that's the trick here.

Also notice that with this uri notation we could open xaml pages from whatever dll inside the xap we want.
I did all this procedure by hand with the xaps I mentioned earlier and couldn't find anything interesting.


Right now I have two ideas to keep working on:
We can automate this procedure: get all the xaps we could install on our Lumias, particularly the ones we think could contain native code and high privs, decrypt them somehow and see if we find hidden xaml gems like the Samsung diagnosis registry page :)

I think I can write a program that outputs all the xaml pages from a list of managed dlls, then inspect them all to see good candidates and try.
We also have to consider that the default xaps that get installed when we updated to Amber may have changed due to marketplace updates. So we need the last version to inspect their xaml pages. Any jailbroken Samsung owner could provide us these xaps.

The other idea is to iterate through every reachable file inside the \Windows and \Windows\system dirs and try to write to them; I think I can do this with the wp8nativeaccess project from GoodDayToDie. Then list the ones we have write access to and see if we hit any dll or exe.
If there is any executable file with high priv, then we will need to figure out how to execute it by using our phone as a normal user. See what functions get called when we do these normal actions (imagine we can write inside the alarm app dll, and we know that when we set a new alarm, the SetNewAlarm() function gets called inside this dll), edit the ARM code to redirect the flow to a place where we wrote our jailbreak ARM code before.
You know, set a hook inside SetNewAlarm() and blah blah. This is only possible if wp8 dlls aren't signed with Authenticode or other stuff.
Maybe GoodDayToDie could help here.

In the case we hit any writable file, we could think about how to modify it to write in other places, as long as we suppose this file is used by any process with high privs.

We need to automate our hacking process!!
 
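A small inventory script for the procedure jacano describes above (an added example, not code from this thread or from any of its posters): it opens a .xap as a zip, reads ProductID and the declared capabilities from WMAppManifest.xml, flags the ones a normal store app cannot declare, and lists the page names each managed DLL embeds, which is the check an OEM or platform reviewer would run over preloaded packages to spot shipped debug views. The restricted-capability set, the page-name scan (UTF-16LE strings ending in ".xaml", as .g.resources stores them), the module-name-equals-file-stem rule and the sample package are all assumptions or constructed for the demo.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Capabilities a normal store app cannot declare (assumed set; the thread names InteropServices).
RESTRICTED_CAPS = {"ID_CAP_INTEROPSERVICES"}

# Heuristic: a .g.resources stream stores page names as UTF-16LE; match printable runs ending in ".xaml".
XAML_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){4,}\.\x00x\x00a\x00m\x00l\x00")


def inventory_xap(xap_bytes):
    """Summarise one .xap (a zip): ProductID, declared capabilities, and XAML pages per managed module."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        root = ET.fromstring(z.read("WMAppManifest.xml"))
        app = root.find(".//App")                        # <App xmlns=""> so no namespace prefix is needed
        caps = sorted(c.get("Name") for c in root.iter("Capability"))
        pages = {}
        for member in z.namelist():
            if not member.lower().endswith(".dll"):
                continue
            found = {m.group(0).decode("utf-16-le") for m in XAML_UTF16.finditer(z.read(member))}
            if found:                                    # native DLLs carry no .g.resources and drop out here
                module = member.rsplit("/", 1)[-1][:-4]  # assumption: module name == file stem (Drive.dll -> Drive)
                pages[module] = sorted(found)
    return {"product_id": app.get("ProductID", "").strip("{}"), "capabilities": caps,
            "restricted": sorted(RESTRICTED_CAPS.intersection(caps)), "pages": pages}


def build_sample_xap():
    """Constructed sample package: a manifest, a stand-in managed DLL and a stand-in native DLL."""
    manifest = (
        '<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment">'
        '<App xmlns="" ProductID="{31bbc68c-503e-4561-8d85-a294d54df06f}" Title="Sample">'
        '<Capabilities><Capability Name="ID_CAP_NETWORKING"/>'
        '<Capability Name="ID_CAP_INTEROPSERVICES"/></Capabilities></App></Deployment>'
    )
    managed = b"MZ" + b"\x00" * 14                      # not a real PE, just bytes for the scanner to walk
    for page in ("pages/debug/debugmenupage.xaml", "pages/mainpage.xaml"):
        enc = page.encode("utf-16-le")
        managed += bytes([len(enc)]) + enc + b"\x10\x00\x00\x00"  # length prefix, name, resource offset
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WMAppManifest.xml", manifest)
        z.writestr("Drive.dll", managed)
        z.writestr("NativeHelper.dll", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(inventory_xap(build_sample_xap()))
```

Run it over a directory of dumped xaps and anything with a non-empty "restricted" list and a "pages" entry under a debug-looking path is what to review first.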

Boss442

Senior Member
Jul 19, 2012
Mar Del Plata
I will try...
And yes, forget about trying to port the "Diagnosis" app; there is no chance to decrypt the app, and if magically you can decrypt it, there is no chance you can install it, because "Diagnosis" requires more elevated privileges; it's only reachable if you are interop unlocked :silly:
 

tonbonz

Senior Member
May 14, 2012
BFE
Look inside the extras + info xap... I thought it had some interesting .dll's but I don't know enough about decompiling... I also noticed that the city lens .xap has some .dll's similar to the diagnosis app at least in name... Got me wondering if snickler's registry app was missing a key .dll to allow it to write to the system but I give way to his dev skills... @snickler?

Sorry, they both have some dll's similar to the diagnosis app.




snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
Dub V
www.sinclairinat0r.com
No, that isn't the case. As has been noted multiple times, those applications have been given specific permissions to use normally restricted capabilities via the policy engine + the particular certificates installed. The Dlls mean nothing when it is outside of that scope. The current reason why the Interop Unlock works for the ATIV S is due to the Diagnosis app having that hidden XAML Registry View. The app itself was granted a crap load of permissions and was preloaded on the ROM. The only way to install apps that require higher privileges without the phone being InterOp Unlocked is through provxml. The extras+info app installs the storage checker and calls + sms filter via provxml. So, unless we find an app with a secret XAML view within it (highly unlikely from what I've been finding), Nokia phones are SOL at the moment :)
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
Seattle
Doesn't mean it's not worth continuing to explore, though; there are lots of good possibilities, and in my experience the OEM apps are always a mess, security-wise. Nokia does seem to do better than most, but that doesn't mean they're impregnable. Besides, there are other attack vectors than the toast launcher (although that's certainly a handy one).
 

tonbonz

Senior Member
May 14, 2012
BFE
@snickler no disrespect intended :)... Learning as I go and trying to do my part... Spent all night going through my 928's dumped files but as I said learning as I go and think I need to better organize my methods.


 

Gh0s7_Dj

Member
Dec 13, 2008
I'm trying to install from the XAP and I've managed to make the app appear among the apps available to be installed, but it's all greyed out and I can't install it.

That's the best that I got.



EDIT:

I've been able to select it and start the setup but it gives the 8039000 error
 

awesome71717

Member
Apr 11, 2011
...

In the case we hit any writtable file, we could think how to modify it to write in other places as long as we suppose this file is used by any process with high privs.

We need to automate our hacking process!!
I agree with the automation, but we have a limited amount of unencrypted xaps to work from, so I don't think manually filtering would be too difficult.
I have some interesting screenshots from your uid, it lists a file explorer, but only for a limited range of the internal nand. I was trying to get it to recognize the SD card by downloading maps to it, but it doesn't want to budge.

There are also some lua scripts contained within, which might prove useful. Unfortunately the text application cannot scroll past a certain number of lines; there is a save feature though.

Pics (screenshots not included in this extract):
Here is the URI for access point test page:

Test page: (not sure if the CMD is useful)

File Browser for Nokia Drive app:
 