• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!
  • Fill out your device list and let everyone know which phones you have!    Edit Your Device Inventory

The WindowBreak Project

Search This thread

Jaxbot

Inactive Recognized Developer
Mar 14, 2009
1,224
548
windowsphonehacker.com
"What am I doing, why am I here, what is this about, and where am I going with this."

Hello all. After dealing with rumors, rumors of rumors, and the like, I've finally managed to disclose something I hold very dear to me: the WindowBreak project.
As the name suggests, this is a jailbreak project for Windows Phone 7. I started something a while back that had little success, but through the months, I've managed to figure out something that should bring light into the Windows Phone jailbreaking scene.

Real quick, though:
What this is: A project, with information about some interesting exploits I found, and a call for the community to dive in.
What this isn't: A full fledged jailbreak. Please don't post replies such as "when will XXXX device be supported". It just wastes time, and I assure you, I want every device included.
It also is not a full unlock. Just interop.

The details
So here's the sitch. We all know how Heathcliff74's interop unlock works. XAP files are just ZIP files, and ZIP files can have entries that allow extracting in parent directories.
Interesting thing is, this can be done using the ZipView application, which normally stores data in \Application Data\Volatile\Zipview\<random id>
Thus, creating a directory in a ZIP file called ../../../../provxml will copy all those files into the \provxml\ folder upon extraction.
See what I did there?

Limitations
Of course, there are limitations.
1) We cannot extract into \Windows\. There's a policy that prevents it.
2) The bad one: We can only extract known MIME types, at least to my knowledge. This is because the files are only extracted when they are clicked on in ZipView. And clicking on a .dbz file, for example, will just say the file type is not supported. Bummer.

What we can do...
As mentioned above, this can be used for a fresh out of the box jailbreak for Samsung devices, using provxml. Here's a video of that:
Try it yourself: with a Samsung device, go to http://windowsphonehacker.com/windowbreak and press WindowBreak Me.

In theory, this would be all we need to jailbreak most Windows Phone devices. Unfortunately, Nokia and HTC devices block the registry entries in provisioning files. I'm not sure what the extent of this "whitelist" (or is it a blacklist?) is, and details/tests on this would be appreciated.


What needs to be done...

Nokia: I don't have a Nokia device, but I've been working a great deal on figuring out how to crack it's shell, and have a couple of ideas. If I'm able to get my hands on a Nokia device soon, I'll try some of these unorthodox exploits out, otherwise I'll need some daring volunteers.

HTC: I do have an HTC device, but I can't figure out how to extract the files for the Connection Setup program. If someone can give me details on what the password encryption is on it, etc, for the HTC interop unlock, that would be much appreciated.

Other devices: Not a lot of demand for these (and LG needs no jailbreak, since it has MFG), but if something comes up, feel free to share where the provisioning files exist and I'll see about "windowbreaking" them.


So this is my little project, and I hope the details I'm sharing will lead to further development. My personal device (Samsung Focus) is easily interop unlocked now, without costing me a cent. I'd really like this to be the case for everyone; I'm not saying the $9 unlock for Chevron Labs is bad, in fact, it's greatly supported homebrew. What I am saying, though, is that freedom is still possible, and regardless, any developments made here will further support interop unlocking on Chevron/apphub unlocked devices. With that in mind...

Merry Christmas. ;)

Special thanks to: Heathcliff74 for much of the research and idea behind the exploit
All the supporting members of XDA, who bring appreciation for what we do. Thank you. ;)
 
Last edited:

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,609
Cool! Ridiculous that I didn't think of this myself ;)

I will send you the password of the dbz files when I get home. I don't have it here.

But the real problem for HTC and NOKIA are the whitelists. I've been working on this for the past time. And today I made more progress. I developed a new way of debugging native 3rd party dll's/drivers. U can isolate functions and call them from a test app for unit-testing. This makes testing a lot easier. This will help me find exploits much faster. I can even call the whitelist functions of HTC and NOKIA on my Samsung now ;) Working on it right now.

Good find!!

Heathcliff74
 

Jaxbot

Inactive Recognized Developer
Mar 14, 2009
1,224
548
windowsphonehacker.com
Cool! Ridiculous that I didn't think of this myself ;)

I will send you the password of the dbz files when I get home. I don't have it here.

But the real problem for HTC and NOKIA are the whitelists. I've been working on this for the past time. And today I made more progress. I developed a new way of debugging native 3rd party dll's/drivers. U can isolate functions and call them from a test app for unit-testing. This makes testing a lot easier. This will help me find exploits much faster. I can even call the whitelist functions of HTC and NOKIA on my Samsung now ;) Working on it right now.

Good find!!

Heathcliff74

Haha, I knew you would say that when you saw this. Most credit of this goes to your work, in fact, which gave me much of the idea.

As for the whitelists, do you know exactly how it's blocking? Is just registry blocked, or all non-APN related settings?
 

Heathcliff74

Inactive Recognized Developer
Dec 1, 2010
1,646
2,609
Haha, I knew you would say that when you saw this. Most credit of this goes to your work, in fact, which gave me much of the idea.

As for the whitelists, do you know exactly how it's blocking? Is just registry blocked, or all non-APN related settings?

Both brands have very similar mechanisms. They both have a driver dedicated to provisioning. The whitelists are implemented in those drivers. HTC has whitelisted only specific registry keys for APN's and stuff. NOKIA does not have the registry on the whitelist at all.

Heathcliff74
 

Jaxbot

Inactive Recognized Developer
Mar 14, 2009
1,224
548
windowsphonehacker.com
Both brands have very similar mechanisms. They both have a driver dedicated to provisioning. The whitelists are implemented in those drivers. HTC has whitelisted only specific registry keys for APN's and stuff. NOKIA does not have the registry on the whitelist at all.

Heathcliff74

Shame it's a whitelist instead of a blacklist :\
Do you know which CSPs are allowed? I've managed to move files around using provxml on my Samsung, but it seems to allow just about anything.
 

pLUSpISTOL

Senior Member
Jan 29, 2009
390
66
Yeah I want you two to get the free Nokia Lumia's too! You both do great work - thank you :) keep giving love to the Omnia 7 too please since it's my girlfriend who has the Lumia 800 (dammit!)
 

contable

Senior Member
Oct 25, 2009
1,755
996
Indeed a very cool solution ! Thanks button pressed.

Is it limited to 1st gen samsung devices or does it work on 2nd gen devices too ?
 

DJSave

Senior Member
Oct 27, 2011
315
123
Tbilisi
When I go to http://windowsphonehacker.com/windowbreak/
I don't get any buttons, just these text :

WindowBreak

By WindowsPhoneHacker

WindowBreak is a project with the goal of enabling true jailbreaking on Windows Phones.
We believe in freedom, both in gratis and in libre.

For details on WindowBreak, see here [add XDA link here].

BTW Nice worrk, hope to see more nice hacks these Xmas!
 

Jaxbot

Inactive Recognized Developer
Mar 14, 2009
1,224
548
windowsphonehacker.com
When I go to http://windowsphonehacker.com/windowbreak/
I don't get any buttons, just these text :

WindowBreak

By WindowsPhoneHacker

WindowBreak is a project with the goal of enabling true jailbreaking on Windows Phones.
We believe in freedom, both in gratis and in libre.

For details on WindowBreak, see here [add XDA link here].

BTW Nice worrk, hope to see more nice hacks these Xmas!

You visit it on your phone, silly :p
And thanks, forgot to add the XDA links to that page.
 

Marvin_S

Retired Recognized Developer
Dec 8, 2010
883
239
Well done man, exactly what worked also with calling provxml files from the iso storage in DiagProvXML. Just do "../the entire path to iso storage/provxml.ext" this worked also on htc. Although of course your mechanism is different as you have to copy it to the correct folders while we just needed to change the default paths of the drivers to a custom folder.
Well done and nice creative solution. It would be great if you manage to get this working for more devices.
Maybe somebody can somehow find the exact provisioning the Developer Registration Tool makes, so you can use that one as that should be white listed I assume.
 

asim2462

Member
Dec 3, 2009
5
1
hey ii was just wonderiing, as nobody rarely mentions the dell venue pro, if something was going to be actually done for it. I know you said dont post stuff liike this but its just that ive never heard something like this or anything done about the Dell Venue Pro.

Thanks :)
 

shinkstor

Senior Member
May 25, 2011
52
0
Is the point of this for it to go from out of the box to interop unlocked, or from chevron/dev unlock to interop?

In /Classes Root/ registry part you can add the file type so it's known...
 

Top Liked Posts

  • There are no posts matching your filters.
  • 99
    "What am I doing, why am I here, what is this about, and where am I going with this."

    Hello all. After dealing with rumors, rumors of rumors, and the like, I've finally managed to disclose something I hold very dear to me: the WindowBreak project.
    As the name suggests, this is a jailbreak project for Windows Phone 7. I started something a while back that had little success, but through the months, I've managed to figure out something that should bring light into the Windows Phone jailbreaking scene.

    Real quick, though:
    What this is: A project, with information about some interesting exploits I found, and a call for the community to dive in.
    What this isn't: A full fledged jailbreak. Please don't post replies such as "when will XXXX device be supported". It just wastes time, and I assure you, I want every device included.
    It also is not a full unlock. Just interop.

    The details
    So here's the sitch. We all know how Heathcliff74's interop unlock works. XAP files are just ZIP files, and ZIP files can have entries that allow extracting in parent directories.
    Interesting thing is, this can be done using the ZipView application, which normally stores data in \Application Data\Volatile\Zipview\<random id>
    Thus, creating a directory in a ZIP file called ../../../../provxml will copy all those files into the \provxml\ folder upon extraction.
    See what I did there?

    Limitations
    Of course, there are limitations.
    1) We cannot extract into \Windows\. There's a policy that prevents it.
    2) The bad one: We can only extract known MIME types, at least to my knowledge. This is because the files are only extracted when they are clicked on in ZipView. And clicking on a .dbz file, for example, will just say the file type is not supported. Bummer.

    What we can do...
    As mentioned above, this can be used for a fresh out of the box jailbreak for Samsung devices, using provxml. Here's a video of that:
    Try it yourself: with a Samsung device, go to http://windowsphonehacker.com/windowbreak and press WindowBreak Me.

    In theory, this would be all we need to jailbreak most Windows Phone devices. Unfortunately, Nokia and HTC devices block the registry entries in provisioning files. I'm not sure what the extent of this "whitelist" (or is it a blacklist?) is, and details/tests on this would be appreciated.


    What needs to be done...

    Nokia: I don't have a Nokia device, but I've been working a great deal on figuring out how to crack it's shell, and have a couple of ideas. If I'm able to get my hands on a Nokia device soon, I'll try some of these unorthodox exploits out, otherwise I'll need some daring volunteers.

    HTC: I do have an HTC device, but I can't figure out how to extract the files for the Connection Setup program. If someone can give me details on what the password encryption is on it, etc, for the HTC interop unlock, that would be much appreciated.

    Other devices: Not a lot of demand for these (and LG needs no jailbreak, since it has MFG), but if something comes up, feel free to share where the provisioning files exist and I'll see about "windowbreaking" them.


    So this is my little project, and I hope the details I'm sharing will lead to further development. My personal device (Samsung Focus) is easily interop unlocked now, without costing me a cent. I'd really like this to be the case for everyone; I'm not saying the $9 unlock for Chevron Labs is bad, in fact, it's greatly supported homebrew. What I am saying, though, is that freedom is still possible, and regardless, any developments made here will further support interop unlocking on Chevron/apphub unlocked devices. With that in mind...

    Merry Christmas. ;)

    Special thanks to: Heathcliff74 for much of the research and idea behind the exploit
    All the supporting members of XDA, who bring appreciation for what we do. Thank you. ;)
    14
    Cool! Ridiculous that I didn't think of this myself ;)

    I will send you the password of the dbz files when I get home. I don't have it here.

    But the real problem for HTC and NOKIA are the whitelists. I've been working on this for the past time. And today I made more progress. I developed a new way of debugging native 3rd party dll's/drivers. U can isolate functions and call them from a test app for unit-testing. This makes testing a lot easier. This will help me find exploits much faster. I can even call the whitelist functions of HTC and NOKIA on my Samsung now ;) Working on it right now.

    Good find!!

    Heathcliff74
    6
    Wow. It actually worked. Changed some stuff around, added folders and files into a Marketplace XAP and then had Fiddler replace it when downloading. .. trick works, XAP installs, etc. Beautiful... just beautiful. *sob* I can really make something out of this :p
    Nice call!

    P.S. apparently i was wrong about the size check. Was pretty sure I wasn't, though. Not sure what happened, but it works right now, so I'll just not complain.
    4
    DBZ Password
    030D681B-1DFC-4bd0-A72A-A9B3CCCDA653

    ---------- Post added at 10:30 AM ---------- Previous post was at 10:29 AM ----------

    Oh and it was found here http://forum.xda-developers.com/showthread.php?p=18916888
    4
    First of all, the OS version does *not* matter here, it's all about the firmware version or bootloader version.
    Second, "jailbreak" is a very ambiguous term on WP7, and one I really wish people wouldn't use, because there are multiple levels of unlocking.

    The first, developer-unlock, is actually a feature of the OS and is supported by Microsoft. All phones can be dev-unlocked, but normally you have to pay for it (an AppHub account, intended for Marketplace developers, lets you unlock up to 3 phones and install up to 10 unsigned apps on each, for $99/year). Students can get a free account through DreamSpark, but only for one phone and up to three unsigned apps at once. There's another way, for $9 a ChevronWP7 Labs token lets you unlock one phone and put up to 10 unsigned apps on it. Unfortunately, those tokens are sold out and we have heard nothing on them getting any more (had to be approved by Microsoft). There are also some hacks that will dev-unlock a phone, such as WindowBreak (this thread). There aren't currently any such hacks available for HTC, though.

    Next, there's interop-unlock. This means removing the 3- or 10-app limit, and also allowing the installation of apps that can use system components (drivers and long-running services) to break out of their sandboxes. These apps, commonly called "interop" apps after the ID_CAP_INTEROPSERVICES line in their manifests' that enables this capability, include things like registry editors and the HtcRoot project. All ways of getting interop-unlock are based on hacks. For Samsung phones, WindowBreak can be used to interop-unlock at the same time as dev-unlock. For HTC phones, though, you need to first be dev-unlocked before you can interop-unlock.

    The third level is called "full unlock" and means the policy system that controls app sandboxing and user permissions has been disabled completely. Any app can run, and all apps run with full access to the whole device. Although this heightens the risk of malware or o accidentally damaging the device, it also allows all kinds of cool features to be added right into the phone, as well as enabling some very cool apps (including ports of WinMo apps). Currently, the only way to get full-unlock is to use a custom ROM.

    In order to use a custom ROM, your device must have an unlocked bootloader. This is done by installing an alternate bootloader called RSPL, and can be made permanent by installing HSPL. You can read the DFT (Dark Forces Team, who are responsible, directly or indirectly, for almost all custom ROM achievements on WP7) threads on R/HSPL on this forum. Although all first-gen HTC phones are now supported for xSPL, be aware that it can only be installed over stock SPL (bootloader) versions on 3.1 or lower. Most fully up-to-date phones will be running SPL 5.x.

    For you, in particular, you can either try interop-unlocking, or you can try installing an unlocked bootloader and a custom ROM. The first option preserves your phone data, but is less permissive in what you can do. The second option allows almost anything, but you'll have to wipe the phone and will also be at the mercy of any bugs in the custom ROMs. Additionally, either option may require rolling back the phone in some way (firmware for interop-unlock, SPL for bootloader unlock), and interop-unlock will require first getting dev-unlock (may cost money).