WP8 SYSTEM registry files from FFU

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,930
0
Seattle
System.Runtime.InteropServices is just the stuff for interop with native code / COM (marshaling flags, COM interop, DllImport, etc.). It was used in (non-interop) native WP7 app components as well.

The WPInteropManifest is probably required to allow use of COM, I'm guessing, much as it was in WP7...
 

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,130
0
Dub V
www.sinclairinat0r.com

I've only seen the Interopmanifest on a few xaps, but I can't truly find ANYTHING that utilizes it with any of the DLLS. The bulk of the xaps I've looked through that use the native winmd's and dlls don't use the CAP and the WPInteropManifest.
 

aclegg2011

Guest
I was thinking...

I added the quick instructions in the op, hopefully some people will start looking inside them.
If we modify a .reg file on the emulator and try to send it to our phone, either through an email attachment or clicking it through the web browser, will the changes apply to the Windows Phone system? I'm sure not, because this would seem like a simple exploit, but I haven't tried it. Has anyone else? We can send certs through email.
 

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,130
0
Dub V
www.sinclairinat0r.com
No, that won't work. The reason why it's possible to send certs through e-mail is because the file type is associated to run a program to install certificates. This isn't available for installing registry files. Microsoft carefully thought this through.
 

compu829

Senior Member
Nov 5, 2006
349
301
0
I doubt this would work, but is there something on the phone equivalent to "REGEDIT.EXE [ /L:system | /R:user ] [ /S ] importfile.REG"? I am wondering if we could use CPUGuy's Native Toast Application launcher (Haven't played with it) to run a native app with parameters to specify a regedit file.


So on this 928, the FM radio is disabled. The setting is under SOFTWARE\FMRadio\OEM\. The DWORD for NotPresent is set to 1. I am guessing flipping this to 0 will enable it.

Another interesting place to look is SOFTWARE\Microsoft\SecurityManager\. There is a list of ALL applications and capabilities required to use them. For example, the following things require InteropServices when used:

LIFETIMERSERVICE
ACCESSLIB_SVC
NCSDSVC
QCGNSSSVC
MULTIVARIANTSVC
NOKIASECNVUPD
PHONEPROVISIONER_OEM
DUMIGRATIONPROVISIONEROEM
EMMCCLNRSVC
HTTPSVC
MEDIASHARESVC
NOKCGSVC
NGPSVC
SENSOR_SERVICE
UPNPSVC


OK, so I think I figured out how the security stuff works with Windows Phone. The different capabilities are tied to "tiers" (called principal classes): first-party applications, second-party applications, and third-party applications. The phone determines what "tier" the application belongs to based on the EKU values the app was signed with. All of this data, including what EKU value is needed, is located in SOFTWARE\Microsoft\SecurityManager\PrincipalClasses.

Since we do have the ability to install root certificates on the phone, I am wondering if we could "sign" a test app with the right EKU, thus making it valid when the proper root certificate is installed on the device.
 

thals1992

Senior Member
Sep 26, 2012
680
237
73
Cincinnati, OH
www.uidnation.com

Is it possible to remote this using the PC regedit instead of the one on the phone, or will that require that the remote registry service be started?





Sent from my RM-860 (Lumia 928) using the OFFICIAL Tapatalk app.
 

compu829

Senior Member
Nov 5, 2006
349
301
0
The phone needs the RemoteRegistry service enabled. You would also need a way to authenticate to the phone in order to access it. Another issue (At least with the Nokia devices) is that it appears that Nokia installed a Firewall service that runs at startup. So that firewall service could be blocking some interesting ports.
 

aclegg2011

Guest
Is there any way to associate a file extension to a program? Like how Adobe does with .pdf files?

Sent from my Nokia 521 using XDA Windows Phone 7 App
 

thals1992

Senior Member
Sep 26, 2012
680
237
73
Cincinnati, OH
www.uidnation.com

Well I don't recall seeing the firewall reg file wasn't included in the gdr2 rom for my Lumia when I was running WinMerge on the vhd files, so it might be able to be fired. What would need to be done to start the service? We could brute force a username and password if it isn't administrator or your MS account like on Win8.

Sent from my RM-860 (Lumia 928) using the OFFICIAL Tapatalk app.
 

aclegg2011

Guest
<?xml version="1.0" encoding="utf-8"?>
<PhoneSecurityPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" HashType="Sha256" PackageID="Microsoft.PhoneTools" xmlns="urn:Microsoft.WindowsPhone/PhoneSecurityPolicyInternal.v8.00">
<Capabilities>
<Capability ElementID="816FF727210984FE928C651ADF22D7DFFE00FF4C8BAA360F7712B701AF6546AB" AttributeHash="EAFE6D30C46B83AAD75C39FFB4D2425C9D5BB57C13683FCA39EB1A533C72A6B8" Id="ID_CAP_WPTOOLS_INSTALL_FOLDER" AppCapSID="S-1-15-3-1024-670527361-4270065953-442862738-3755418335-1291780350-255240843-28775031-2873517487" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1403" FriendlyName="WPTools Bootstrap capability. Gives access to WPTools private resources, e.g. WPTools Folders, so that Bootstrapper agent (SIREP) can deploy PHoneTools binaries and start them." Visibility="Internal">
<CapabilityRules>
<Rules>
<Directory ElementID="A1742758E91A81D7573E1365797CA9180CE21CAD37007CE40CE2CF27ADCCDF8B" DACL="(A;CIOI;FA;;;S-1-15-3-1024-670527361-4270065953-442862738-3755418335-1291780350-255240843-28775031-2873517487)(A;CIOI;FA;;;S-1-5-21-2702878673-795188819-444038987-1030)(A;CIOI;FA;;;S-1-5-21-2702878673-795188819-444038987-1403)" Flags="259" Path="\Data\SharedData\PhoneTools" />
</Rules>
</CapabilityRules>

Anyone have an idea what the wptools are or how to activate them?
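To read the capability rule in the excerpt above, this added example (not part of the original post) decodes the Directory DACL into its ACEs and matches each SID against the capability's own AppCapSID and SvcCapSID attributes. The sample input is constructed from the excerpt: hash attributes are dropped and the closing tags the post lacks are assumed.

```python
import re
import xml.etree.ElementTree as ET

NS = "{urn:Microsoft.WindowsPhone/PhoneSecurityPolicyInternal.v8.00}"
ACE_TYPES = {"A": "allow", "D": "deny"}
RIGHTS = {"FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
          "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE"}

# SIDs copied from the excerpt above.
APP = ("S-1-15-3-1024-670527361-4270065953-442862738-3755418335"
       "-1291780350-255240843-28775031-2873517487")
SVC = "S-1-5-21-2702878673-795188819-444038987-1403"
OTHER = "S-1-5-21-2702878673-795188819-444038987-1030"

# Constructed sample: the excerpt with hash attributes dropped and the
# closing tags (missing from the post) supplied so that it parses.
SAMPLE = rf"""<PhoneSecurityPolicy xmlns="urn:Microsoft.WindowsPhone/PhoneSecurityPolicyInternal.v8.00">
<Capabilities>
<Capability Id="ID_CAP_WPTOOLS_INSTALL_FOLDER" AppCapSID="{APP}" SvcCapSID="{SVC}">
<CapabilityRules><Rules>
<Directory DACL="(A;CIOI;FA;;;{APP})(A;CIOI;FA;;;{OTHER})(A;CIOI;FA;;;{SVC})" Flags="259" Path="\Data\SharedData\PhoneTools" />
</Rules></CapabilityRules>
</Capability>
</Capabilities>
</PhoneSecurityPolicy>"""

def parse_dacl(dacl):
    """Split an SDDL DACL into (access, inherit_flags, rights, sid) tuples."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inh, sid = fields
        aces.append((ACE_TYPES.get(ace_type, ace_type),
                     re.findall("..", flags), RIGHTS.get(rights, rights), sid))
    return aces

def directory_grants(policy_xml):
    """List every ACE on every Directory rule, labelled by the SID's role."""
    rows = []
    for cap in ET.fromstring(policy_xml).iter(NS + "Capability"):
        roles = {cap.get("AppCapSID"): "AppCapSID", cap.get("SvcCapSID"): "SvcCapSID"}
        for d in cap.iter(NS + "Directory"):
            for access, inherit, rights, sid in parse_dacl(d.get("DACL", "")):
                rows.append({"capability": cap.get("Id"), "path": d.get("Path"),
                             "role": roles.get(sid, "other"), "sid": sid,
                             "access": access, "inherit": inherit, "rights": rights})
    return rows
```

All three ACEs allow full file access with container and object inheritance (CI, OI); the SID ending in -1030 is not named by either attribute in the excerpt.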
 

compu829

Senior Member
Nov 5, 2006
349
301
0
There is no "RemoteRegistry" service on the phone. I just checked your dump.

The service entry for the Nokia Firewall service is "NokiaFirewall".

I was able to use CPUGUY's Native Toast launcher to launch various control panel items listed in the "SOFTWARE" hive. I also figured out that if you open any xap's "WMAppManifest.xml" file, the "ProductID" line is the base URL for the app:// links. Also, the "DefaultTask" Name property will be what is needed at the end to launch the task.

Since we now know how to build app:// links based on the AppManifest file, maybe we can start looking through ROM dumps for hidden applications we can launch!


Here's an interesting Reg Value:

Name: 3DFBC5C4583DDA88_Command_Prompt_lnk_arm.lnk
Data: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk
Location: SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\InboxApp
 

thals1992

Senior Member
Sep 26, 2012
680
237
73
Cincinnati, OH
www.uidnation.com
Bummer, I thought it would just have most of the services from Win8. Where did you find that the service didn't exist, is there a list somewhere?

At the very least, I can take my dial string thread and make it just the general hidden app thread. I don't know if I should just keep it or split it between those that use the Dialer and the Native Toast Launcher. There are already a number of posts relating to the launcher in my thread though. Decisions, decisions. :)
 

compu829

Senior Member
Nov 5, 2006
349
301
0
I came to the conclusion about Remote Registry not being there because I looked at all the services listed under System/ControlSet001/Services. (This is where all installed services live.) There was nothing there that matched the Windows 8 equivalent folder for Remote Registry :/
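The check described in the post above can be scripted, as in this added example (not code from the thread), which lists the service keys directly under ControlSet001\Services in a regedit text export and reports whether named services are present. It assumes the SYSTEM hive was loaded on a PC and exported as .reg text; the WP8SYSTEM mount name, ExampleSvc and all values in the sample are constructed.

```python
import re

START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Constructed sample export. Only the NokiaFirewall key name comes from the
# thread; the mount name, ExampleSvc and every value are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\WP8SYSTEM\ControlSet001\Services]

[HKEY_LOCAL_MACHINE\WP8SYSTEM\ControlSet001\Services\NokiaFirewall]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\WP8SYSTEM\ControlSet001\Services\ExampleSvc\Parameters]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\WP8SYSTEM\ControlSet001\Services\ExampleSvc]
"Start"=dword:00000003
"""

def list_services(reg_text, control_set="ControlSet001"):
    """Map each service key name to its start type (None if no Start value)."""
    marker = f"\\{control_set}\\services\\".lower()
    services, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(marker)
            current = None
            if pos != -1:
                parts = key[pos + len(marker):].split("\\")
                services.setdefault(parts[0], None)
                # Only values on the service key itself count, not on subkeys.
                if len(parts) == 1:
                    current = parts[0]
        elif current:
            m = re.match(r'"Start"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                n = int(m.group(1), 16)
                services[current] = START_TYPES.get(n, f"unknown({n})")
    return services

def presence(services, names):
    """Case-insensitive presence check, since registry key names ignore case."""
    have = {s.lower() for s in services}
    return {n: n.lower() in have for n in names}
```

Real regedit exports are UTF-16, so decode the file with that encoding before passing its text in.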
 

thals1992

Senior Member
Sep 26, 2012
680
237
73
Cincinnati, OH
www.uidnation.com
Ahh, I usually skip that whole part. Any of the controlsets are daunting to sift through. At least it should be easy to find now. It's sad that the service isn't there though. Anyways, in a few, I'll be adding the new files to the OP from the 928 Amber+GDR2 update.
 