[XAP][SOURCE] Native Toast Notification Launcher

ultrashot

the correct MediaInstanceId can be gleaned from using the "SKU" line contained elsewhere in the xml. Without the correct offerID, you can download the app, but it will fail to install due to the registration server not supplying a license. If someone can figure out the correct "offerID", we can install this app on any device.
Offer ID and Instance ID can be taken from the corresponding MPAP_*.provxml from the Ativ S ROM. I don't remember the exact order, but I guess that the first GUID (in <parm name="InstallInfo" value=...) is the Instance ID and the second is the offer ID.

I haven't looked into any Ativ S internals yet, so main questions are:
1) Isn't Samsung using its very own custom drivers?
2) Will such app pass certificate check on other devices?
I have doubts regarding both points.

EDIT: I indeed told you the right order. Such provxmls are parsed inside my XAP Deployer.
 

compu829

Offer ID and Instance ID can be taken from the corresponding MPAP_*.provxml from the Ativ S ROM. I don't remember the exact order, but I guess that the first GUID (in <parm name="InstallInfo" value=...) is the Instance ID and the second is the offer ID.

I haven't looked into any Ativ S internals yet, so main questions are:
1) Isn't Samsung using its very own custom drivers?
2) Will such app pass certificate check on other devices?
I have doubts regarding both points.

EDIT: I indeed told you the right order. Such provxmls are parsed inside my XAP Deployer.
ooOOOooo can anyone upload the provxml file?
 

compu829

I can. Just tell me a path/name.
It should be located in PROGRAMS\CommonFiles\Provisioning\OEM and be called either MPAP_Diagnostics_001.provxml or something weird like MPAP_randomcharacters_001.provxml. If you can search for the file that contains "8448ced7-7a7e-41c7-8142-a7b2f0561395"
 
  • Like
Reactions: ngame

cpuguy

In the meantime, enjoy this screenshot from my HTC 8x! >:D
I was able to download it on my Lumia 920 but the install fails... :( It gets to the "Installing..." phase, stays there for about a few seconds and finally says "Attention required. Tap here." which then gives me "There's a problem installing the item. Tap and hold the item, then tap Retry...".

To add further, it fails when it makes a call to "marketplaceedgeservice.windowsphone.com". But since that's an HTTPS request, I can't see what it asked for (if I get Fiddler to decrypt the HTTPS traffic, the phone drops the request instantly). Anyone know a way to decrypt the HTTPS traffic to and from MS services?
 

compu829

I was able to download it on my Lumia 920 but the install fails... :( It gets to the "Installing..." phase, stays there for about a few seconds and finally says "Attention required. Tap here." which then gives me "There's a problem installing the item. Tap and hold the item, then tap Retry...".

To add further, it fails when it makes a call to "marketplaceedgeservice.windowsphone.com". But since that's an HTTPS request, I can't see what it asked for (if I get Fiddler to decrypt the HTTPS traffic, the phone drops the request instantly). Anyone know a way to decrypt the HTTPS traffic to and from MS services?
That's cuz we need the offerID for the Fiddler script (I hope).

The HTTPS traffic is the call it makes to the license server to actually get the license. If Fiddler is allowed to decrypt HTTPS traffic, the request will fail because we don't have the certificate that is baked into the Windows Phone app store on our PCs to auth to it. I am guessing it is still failing here because we are using an invalid offer ID.

Also, what country is your device registered as? I keep getting the error "this item isn't available from the Store in your region."
 

mrZoSo

Awesome! Awesome! This is great stuff here!! Thanks to all!!!
Hope this will be possible on the Nokias soon... especially the 928 :D
 

GoodDayToDie

Well, that set off a firestorm! I'm sorry I was incommunicado so much of the day; work, ya know.

Anyhow, here's the provxml (and the license, for good measure) from my phone. They're in \Windows\System32 (\windows\system32\provisioning for the provxml).

I'm going to move this over to a new thread...

By the way, the value I used for MaxUnsignedApp (10003) is completely arbitrary; if this is like WP7, it just needs to be at least 300.
 

Attachments

  • Like
Reactions: djadry

cpuguy

That's cuz we need the offerID for the Fiddler script (I hope).

The HTTPS traffic is the call it makes to the license server to actually get the license. If Fiddler is allowed to decrypt HTTPS traffic, the request will fail because we don't have the certificate that is baked into the Windows Phone app store on our PCs to auth to it. I am guessing it is still failing here because we are using an invalid offer ID.

Also, what country is your device registered as? I keep getting the error "this item isn't available from the Store in your region."
My country is set to Canada... To clarify, the only way I got it to "download" was by intercepting a request for an app in the store (I click on one I know my device supports) and changing the request GUID and "deviceId" in Fiddler. Doing so loaded up the application page with the name of that particular app but with the details of the "Diagnostic" app. I could then click on "Install" and it would download but not install...
 

jacano

I'm not completely sure about this, but maybe the OEM drivers that are used by the Samsung Diagnosis app are incompatible with devices other than Samsung's. ultrashot asked the same.

Besides trying to install the Diagnosis app from the store, it would be great to get the decrypted Samsung Diagnosis app xap (any interop-unlocked Samsung ATIV owner could provide this xap to us) to have a look and see how it really works.
 

jacano

I am currently inspecting the decrypted version of WP8Diag.xap from GoodDayToDie, big thanks!!

So far,

Inside WP8Diag.dll we have WP8Diag._7_ETC namespace and RegistryOperationsCheck class with the useful ButtonWrite_Click method.

Code:
private void ButtonWrite_Click(object sender, RoutedEventArgs e)
{
	if (string.IsNullOrWhiteSpace(this.ValueTextBox.get_Text()))
	{
		return;
	}
	bool? isChecked = this.IsDwordCheckBox.get_IsChecked();
	if (isChecked.GetValueOrDefault() && isChecked.get_HasValue())
	{
		try
		{
			uint num;
			CRPCComponent.Registry_SetDWORD(this.hKey, this.PathTextBox.get_Text(), this.KeyTextBox.get_Text(), uint.Parse(this.ValueTextBox.get_Text()), ref num);
			this.ValueTextBox.set_Text((num == 1u) ? "OK!" : "Failed!");
			return;
		}
		catch (Exception ex)
		{
			this.ValueTextBox.set_Text(ex.get_Message().ToString());
			return;
		}
	}
	try
	{
		uint num2;
		CRPCComponent.Registry_SetString(this.hKey, this.PathTextBox.get_Text(), this.KeyTextBox.get_Text(), this.ValueTextBox.get_Text(), ref num2);
		this.ValueTextBox.set_Text((num2 == 1u) ? "OK!" : "Failed!");
	}
	catch (Exception ex2)
	{
		this.ValueTextBox.set_Text(ex2.get_Message().ToString());
	}
}
Seems CRPCComponent.Registry_SetDWORD() and CRPCComponent.Registry_SetString() are doing good stuff.

WMAppManifest.xml has tons of esoteric capabilities:

Code:
<Capabilities>
      <Capability Name="ID_CAP_APPOINTMENTS" />
      <Capability Name="ID_CAP_CONTACTS" />
      <Capability Name="ID_CAP_IDENTITY_DEVICE" />
      <Capability Name="ID_CAP_IDENTITY_USER" />
      <Capability Name="ID_CAP_LOCATION" />
      <Capability Name="ID_CAP_MAP" />
      <Capability Name="ID_CAP_MEDIALIB_AUDIO" />
      <Capability Name="ID_CAP_MEDIALIB_PLAYBACK" />
      <Capability Name="ID_CAP_MICROPHONE" />
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_NETWORKING_ADMIN" />
      <Capability Name="ID_CAP_CSP_FOUNDATION" />
      <Capability Name="ID_CAP_CSP_OEM" />
      <Capability Name="ID_CAP_CSP_W4_APPLICATION" />
      <Capability Name="ID_CAP_PHONEDIALER" />
      <Capability Name="ID_CAP_PUSH_NOTIFICATION" />
      <Capability Name="ID_CAP_SENSORS" />
      <Capability Name="ID_CAP_WEBBROWSERCOMPONENT" />
      <Capability Name="ID_CAP_CELL_API_COMMON" />
      <Capability Name="ID_CAP_CELL_API_UICC" />
      <Capability Name="ID_CAP_CELL_API_UICC_LOWLEVEL" />
      <Capability Name="ID_CAP_CELL_API_LOCATION" />
      <Capability Name="ID_CAP_CELL_API_OEM_PASSTHROUGH" />
      <Capability Name="ID_CAP_CELL_WNF" />
      <Capability Name="ID_CAP_INTEROPSERVICES" />
      <Capability Name="ID_CAP_ISV_CAMERA" />
      <Capability Name="ID_CAP_MEDIALIB_PHOTO_FULL" />
      <Capability Name="ID_CAP_OEMPUBLICDIRECTORY" />
      <Capability Name="ID_CAP_DEVICE_MANAGEMENT_SECURITY_POLICIES" />
      <Capability Name="ID_CAP_DEVICE_MANAGEMENT_ADMIN" />
    </Capabilities>
It also declares the CRPCComponent as an InProcessServer:

Code:
<InProcessServer>
        <Path>RPCComponent.dll</Path>
        <ActivatableClass ActivatableClassId="RPCComponent.CRPCComponent" ThreadingModel="both" />
</InProcessServer>
RPCComponent.dll is compiled for ARM.
Let's have a look at its import table:



There we have our beloved RegSetValueExW. As this application got installed with really privileged capabilities I suppose the final call to RegSetValueExW works.

I have just tried to deploy the decrypted xap with the Microsoft SDK to my Lumia 920 but it doesn't work. It fails with error 0x81030120, I think because of the privileged capabilities the manifest declares.

I hope someone could install this xap from the store with any spoofing technique, cheating the download and installation of the marketplace app.
Maybe the installation done by the marketplace app doesn't check for privileged capabilities inside the manifest.

Keep up the good work guys!!
 
  • Like
Reactions: sensboston
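
An added example, not part of the thread or of the app under discussion: a defender-side audit of a WMAppManifest.xml like the one quoted in the post above, reporting capabilities outside an assumed third-party baseline together with any native InProcessServer the manifest declares. The `PUBLIC_CAPS` baseline, the `audit_manifest` name and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed baseline of capabilities an ordinary third-party app may declare;
# anything outside it is reported for review. Adjust to your own policy.
PUBLIC_CAPS = {"ID_CAP_" + s for s in """APPOINTMENTS CONTACTS GAMERSERVICES
    IDENTITY_DEVICE IDENTITY_USER ISV_CAMERA LOCATION MAP MEDIALIB_AUDIO
    MEDIALIB_PHOTO MEDIALIB_PLAYBACK MICROPHONE NETWORKING PHONEDIALER PROXIMITY
    PUSH_NOTIFICATION REMOVABLE_STORAGE SENSORS SPEECH_RECOGNITION VOIP WALLET
    WEBBROWSERCOMPONENT""".split()}

# Constructed sample: a trimmed manifest reusing names quoted in the post.
# The namespace URI is a placeholder, present only to exercise namespace handling.
SAMPLE_MANIFEST = """<Deployment xmlns="urn:example:constructed"><App>
  <Capabilities>
    <Capability Name="ID_CAP_NETWORKING" />
    <Capability Name="ID_CAP_NETWORKING_ADMIN" />
    <Capability Name="ID_CAP_INTEROPSERVICES" />
    <Capability Name="ID_CAP_CSP_OEM" />
    <Capability Name="ID_CAP_SENSORS" />
  </Capabilities>
  <ActivatableClasses><InProcessServer>
    <Path>RPCComponent.dll</Path>
    <ActivatableClass ActivatableClassId="RPCComponent.CRPCComponent" ThreadingModel="both" />
  </InProcessServer></ActivatableClasses>
</App></Deployment>"""

def local(tag):
    """Strip an '{namespace}' prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_manifest(xml_text):
    # For untrusted packages, swap in a hardened XML parser before parsing.
    root = ET.fromstring(xml_text)
    caps, servers = [], []
    for el in root.iter():
        name = local(el.tag)
        if name == "Capability" and el.get("Name"):
            caps.append(el.get("Name"))
        elif name == "InProcessServer":
            path = next((c.text.strip() for c in el
                         if local(c.tag) == "Path" and c.text), None)
            classes = [c.get("ActivatableClassId") for c in el
                       if local(c.tag) == "ActivatableClass"]
            servers.append({"path": path, "classes": classes})
    flagged = sorted(c for c in set(caps) if c not in PUBLIC_CAPS)
    # Privileged capabilities combined with native in-process code is the
    # pairing worth escalating: the native DLL runs with those capabilities.
    return {"declared": len(caps), "flagged": flagged,
            "native_servers": servers, "high_risk": bool(flagged and servers)}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```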