[XAP][SOURCE] WP8 Registry Tools

djamol

Senior Member
Jun 3, 2014
444
405
0
29
Pune
www.twitter.com
If it's true, we also have a problem.


This will only work on devices with SD support.


And we also have to find an app with ID_CAP_INTEROPSERVICES that allows moving to SD!


I think it's not a good way, even if it works!


Of course, it is not a proper way, but we just have to take advantage of the registered OEM components, which permit writing values to the registry.



I'm also investigating for those devices, which don't have SD Card.
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,930
0
Seattle
A happy Diwali to you too!

There are two completely unrelated problems you're having with reading things like the MaxUnsignedApp value. One of them is that the access control lists - the standard NT security model ACLs, same as you'd find on your PC - don't allow low-privilege apps to read some parts of the registry. Even the AllCapabilities version of the webserver can't read everywhere. The other problem is that the webserver itself has a glitch right now where sometimes it closes a socket before sending the full response. I'm trying to figure out why, and fix it. In any case the solution is to simply not display those registry keys. On an interop-unlocked phone you can get specific values, if you know their names, but getting the key (with the list of all its values) is not so easy.

The OEM components don't need to be "pre-registered", exactly. There are two types of OEM components. The first type is a driver or other Windows service that runs with high privileges - usually SYSTEM - and offers an inter-process communication channel (usually RPC and/or IOCTLs) which OEM apps can use to request privileged operations. This type is baked into the OEM firmware and requires both a signed binary (almost always in the System32 directory) and at least one registry key. Any process that has ID_CAP_INTEROPSERVICES can call into these services, but knowing *how* to call into them is a trick. The other OEM components are application libraries which communicate with the first type. Apps (usually OEM apps) load the second type - WP7 used explicit COM interfaces, WP8 uses WINMD interfaces for C++/CX libraries - and call their exported functions, which the libraries translate into inter-process calls to the SYSTEM services. The libraries are parts of OEM apps, not parts of system firmware; they are installed out of .XAP files and run with the privileges of the OEM apps (since OEM apps have INTEROPSERVICES, the second-type libraries can call into the first-type components). These second-type components don't need to be registered in any way that I'm aware of; in a sideloaded app, you can use modified or from-scratch versions of them. However, any app that uses them needs ID_CAP_INTEROPSERVICES, or they can't do anything useful because they can't talk to the system services.

I'm really not sure what exactly you're asking in the third question. If you're wondering about replacing the OEM service binaries - the first-type stuff that runs as SYSTEM - with our own code, that's not possible because the SYSTEM chamber requires that all binaries be signed, and modifying the library would break the signature. If you're wondering about replacing the OEM libraries - the second-type stuff - then there's a problem. There's no inherent reason it won't work - you don't even have to mess with the SD card; I wrote a second-type library from scratch on WP7 and it worked fine - but while reverse-engineering an IOCTL interface isn't too hard, RPC looks to be a lot harder. Nobody has yet come up with a way for us to call the RPC functions of the system services directly, so that's why we're all still using the OEM libraries for now.
 
Reactions: djamol

djamol

Senior Member
Jun 3, 2014
444
405
0
29
Pune
www.twitter.com
What the ****kkkkkkkkkk

I did it.
This is my 3rd attempt, with success.

Now I can sideload 3rd-party apps with any documented capability.



Hahahahaha, I'm the world's first Windows Phone Lumia hacker.


I can't explain in words what I've achieved.

I'm feeling very crazy :D

---------- Post added at 12:53 PM ---------- Previous post was at 12:17 PM ----------

Another point: the 8.1 package now supports Samsung "RPCComponent".

Have any of you tried it?
 

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,130
0
Dub V
www.sinclairinat0r.com
What the ****kkkkkkkkkk

I did it.
This is my 3rd attempt, with success.

Now I can sideload 3rd-party apps with any documented capability.



Hahahahaha, I'm the world's first Windows Phone Lumia hacker.


I can't explain in words what I've achieved.

I'm feeling very crazy :D

---------- Post added at 12:53 PM ---------- Previous post was at 12:17 PM ----------

Another point: the 8.1 package now supports Samsung "RPCComponent".

Have any of you tried it?
Explain :).

Also, Samsung's RPC Component won't work with Lumia devices, at least.
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,930
0
Seattle
@djamol: Do I understand you correctly as having capability-unlocked a Lumia phone? Is it on a stock ROM or did you have to flash it / JTAG it / something like that? Whatever info you can provide, please provide it! Feel free to PM me if you aren't sure how much to go public with or something like that.
@snickler: Hypothetically, they *could* work. All you'd have to do is take the relevant binaries and registry keys from a Samsung phone, and put them in a Lumia phone. I doubt it works *out of the box* - you can include the library in an app, but anything it tries to do via RPC (which is what it needs InteropServices for) will probably fail - but it's not actually that hard to add support for other OEMs' components once you have sufficient control over the FS and registry. If I was able to add registry keys under the Services key, I'd have done it already on my phone just because Samsung's library is honestly rather limited (for example, no way to create reg keys).
 
Reactions: snickler and ngame

djamol

Senior Member
Jun 3, 2014
444
405
0
29
Pune
www.twitter.com
I hate J-Tag. J-Tag methods are totally useless for configuring the registry.

Because these registry values must be configured at runtime, in short, after the boot process.



Yes, I have a stock ROM, Retail Image, and never flashed.

I'm on my own code with "InteropServices", so of course I can "READ" and even "WRITE" registry values. My code has the permissions.



I'm confused about where to report this one: to Microsoft, or here on XDA. To Microsoft, because Nokia has a good security model, so I think we have to really improve the security more and more. On the other hand, I really love this forum. I really want to put it here. But sadly my exams are ahead and first I should concentrate on my studies. I really don't have the time. :(
 

ceesheim

Retired Forum Moderator
Jun 11, 2009
3,455
2,287
0
No Android Fanboys Please !!!
I hate J-Tag

Yes, I have a stock ROM, Retail Image, and never flashed.

I'm on my own code with "InteropServices", so of course I can "READ" and even "WRITE" registry values. My code has the permissions.
Maybe explain a bit how you did that, or PM it to me, so that others can also look at it, because if this really works it means that Nokia has the same fun as Samsung :)
And no, MS doesn't need this, because they want to kill freedom for devs who want to code nice and cool apps.
Interop makes a lot of stuff really interesting, and the security isn't hacked with that, so there is nothing for MS to worry about.
 
Reactions: matgras

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,130
0
Dub V
www.sinclairinat0r.com
I hate J-Tag. J-Tag methods are totally useless for configuring the registry.

Because these registry values must be configured at runtime, in short, after the boot process.



Yes, I have a stock ROM, Retail Image, and never flashed.

I'm on my own code with "InteropServices", so of course I can "READ" and even "WRITE" registry values. My code has the permissions.



I'm confused about where to report this one: to Microsoft, or here on XDA. To Microsoft, because Nokia has a good security model, so I think we have to really improve the security more and more. On the other hand, I really love this forum. I really want to put it here. But sadly my exams are ahead and first I should concentrate on my studies. I really don't have the time. :(

When you have time please explain it to us over PM at least what you're able to achieve. I wouldn't rush to MS with this, but instead help to improve those who are trying to make the most out of the Windows Phone.
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,930
0
Seattle
While I'm no fan of JTAG myself, it is a workable way to unlock phones (I've got a Lumia 520 next to me that was unlocked via JTAG, I use it for researching Lumia stuff when I have the time). If your method relies on changing registry values after boot, and they don't persist across reboots or something like that, that's weird but cool!

If you're not sure whether to report a vuln publicly or not, I strongly recommend PMing one or more of the RDs (myself, @snickler, @ceesheim, @-W_O_L_F-, @Heathcliff74, etc.) with a description of what the hack does and what it takes to use it. You don't have to go into detail if you don't want to, though if you do and ask me not to release the hack I'll go along with your wishes (ask @Myriachan if you're curious; I'm sitting on a couple findings of hers). You will find *in general* that the overwhelming majority of the people on this forum operate under the belief that "it's my phone, I should be able to run whatever I want on it" and are therefore going to want you to publish your findings. With that said, as an information security consultant, part of my job is figuring out how severe a vulnerability is, which has a big impact on whether it is safe to report it. I have reported a number of findings to MS already - stuff that is not helpful to WP8 owners looking to run their own stuff, only to malware authors - although they actually haven't been very good about fixing them yet...

Here's some of the questions that determine how dangerous it is to release your discovery publicly:
  1. Is it remotely exploitable (for example, just visiting a web page or connecting to a WiFi network with the attacker on the same network), or does the user need to install something / run some special command? Part of the reason I had no problem releasing the Interop-unlock hack for Samsung was because it required the user carry out a bunch of specific steps first.
  2. Does it completely break the security model of the OS, or just reduce the lockdown? Something that, for example, made every app run as SYSTEM (the equivalent of root) would be very useful to us here at XDA but would also be potentially very dangerous. Something that simply allows sideloading more-privileged apps is actually pretty hard for an attacker to exploit - they have to get you to install their malicious app, and anybody who wants to can read the manifest before installing the app to see what privileges the app is demanding - but takes away most of the "you think it's your device but you can't actually control what runs on it, Microsoft/Nokia does" lockdown.
  3. Is it globally usable or specific to one group of phones? While universal hacks are the most useful to us, they're also more likely to be abused by an attacker. They're also rarer; Microsoft's code is usually way more secure than any given OEM's code because OEMs focus on hardware first and software as a distant second.
  4. Is it reversible? If somebody wants to "re-lock" their phone, how hard is that? For example, interop-unlock and even capability-unlock can be undone by reversing the relevant registry changes, or by doing a hard reset.
  5. Is it persistent? If the hack goes away every time somebody reboots, that's really hard to exploit because users won't unlock their phones except when they need to. The Windows RT 8.0 jailbreak is a good example of this.
Something else you should keep in mind is that, whether or not you tell Microsoft/Nokia directly, if you release the hack here they will see it and patch it soon enough. I promise you that they have people who read this forum. Therefore, there will be an opportunity for people who want to keep their phones fully locked down to patch whether or not you tell the rest of us what you've found. The question is, for all those Lumia owners who want to have more control over their own devices, will they get *that* chance?

One final thought: When the first iPhone jailbreak came out, it worked for all models of the phone that existed at the time, but Apple only patched it for the newer versions that they still supported. That was a remotely exploitable direct-to-kernel vulnerability - visit a website and get arbitrary code execution with full privileges - and was quite dangerous to leave unpatched. Therefore, if you had an older iPhone and wanted to be safe (without buying hundreds of dollars worth of new phone), you had to use the jailbreak *yourself* so that you could patch the vulnerable code. You say you want to "really improve the security more and more"? Give the people who own the phones the ability to do that! Right now, for example, I have made my phone invulnerable to the POODLE attack (see https://www.poodletest.com/ to check if you're vulnerable, but by default WP8 is) by changing a single registry value. On the desktop, there's UI for blocking SSLv3, but on the phone there isn't - editing the registry is the only way, and you need interop-unlock to do it. Microsoft will *eventually* release an update to secure people's phones - it's possible they already did, though I doubt it, and they definitely hadn't a few weeks ago when I secured myself - but everybody who doesn't have an unlocked phone will be vulnerable until then. Allowing people to control their phones means allowing people to make them *more* secure, too!
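Point 2 above rests on the fact that anyone can read a XAP's manifest before installing it to see which privileges the app demands. The script below is an added example (mine, not code from this thread or from the WP8 Registry Tools app) of that pre-install check: it opens a .xap as the zip archive it is, parses WMAppManifest.xml, lists the declared capabilities and flags ID_CAP_INTEROPSERVICES, the capability the thread discusses as the gateway to privileged OEM services. The manifest layout (a default WP8 namespace with `Capability Name="..."` elements under `Capabilities`) and the sample XAP built in `build_sample_xap` are constructed for the example; the namespace URI and ID_CAP_NETWORKING are standard WP8 values, assumed here rather than taken from the page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Capabilities a reviewer wants called out before sideloading. Only
# ID_CAP_INTEROPSERVICES is discussed in the thread; the reason text is mine.
HIGH_RISK_CAPS = {
    "ID_CAP_INTEROPSERVICES": "can call privileged OEM services (RPC/IOCTL)",
}
MANIFEST_PATH = "WMAppManifest.xml"
# Default namespace used by WP8 application manifests (assumed, standard value).
WP8_NS = "http://schemas.microsoft.com/windowsphone/2012/deployment"


def requested_capabilities(xap_bytes: bytes) -> List[str]:
    """Return the capability names declared in the XAP's WMAppManifest.xml."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        manifest = xap.read(MANIFEST_PATH)  # KeyError if the manifest is missing
    root = ET.fromstring(manifest)
    caps = []
    for elem in root.iter():
        # Strip the namespace so WP7 (no namespace) and WP8 manifests both match.
        tag = elem.tag.split("}")[-1]
        name = elem.get("Name")
        if tag == "Capability" and name:
            caps.append(name)
    return caps


def audit(xap_bytes: bytes) -> Dict[str, object]:
    """Summarise the manifest: all capabilities plus the high-risk subset."""
    caps = requested_capabilities(xap_bytes)
    flagged = {c: HIGH_RISK_CAPS[c] for c in caps if c in HIGH_RISK_CAPS}
    return {"capabilities": caps, "flagged": flagged, "high_risk": bool(flagged)}


def build_sample_xap(capabilities: List[str]) -> bytes:
    """Constructed sample input: a minimal XAP holding only a manifest."""
    cap_xml = "".join('<Capability Name="%s"/>' % c for c in capabilities)
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Deployment xmlns="%s" AppPlatformVersion="8.0">' % WP8_NS
        + '<App ProductID="{00000000-0000-0000-0000-000000000000}" Title="Sample">'
        + "<Capabilities>%s</Capabilities></App></Deployment>" % cap_xml
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as xap:
        xap.writestr(MANIFEST_PATH, manifest)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xap(["ID_CAP_NETWORKING", "ID_CAP_INTEROPSERVICES"])
    report = audit(sample)
    print("Declared:", ", ".join(report["capabilities"]))
    for cap, why in report["flagged"].items():
        print("FLAGGED:", cap, "-", why)
```

To audit a real package, replace the constructed sample with `open("SomeApp.xap", "rb").read()`; a XAP that declares ID_CAP_INTEROPSERVICES is exactly the kind of sideload a user should think twice about, which is the point the post makes about reading manifests.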
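The POODLE mitigation in the post is described only as "changing a single registry value" to block SSLv3. On desktop Windows the value in question lives under the Schannel `Protocols\SSL 3.0\Client` and `Server` keys (`Enabled` = 0 disables the protocol); whether the phone uses the identical path is my assumption, not something the post states. The script below is an added example, not code from the thread: it parses a `.reg` export of that subtree and reports whether SSL 3.0 is disabled on each side, so the state can be audited offline rather than trusted. The export text in `SAMPLE_REG` is constructed.

```python
import re
from typing import Dict

# Desktop Windows location of the Schannel protocol switches (assumed for the phone).
SCHANNEL_PROTOCOLS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders"
    r"\SCHANNEL\Protocols"
)

# Constructed .reg export: client side hardened, server side left enabled.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"""

_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Parse a .reg export into {key_path_lower: {value_name: int}} (dwords only).

    Key paths are lower-cased because registry key names are case-insensitive.
    Other value types (strings, binary) are ignored; only dwords matter here.
    """
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def sslv3_status(reg_text: str) -> Dict[str, str]:
    """Report SSL 3.0 state for the Client and Server sides from a .reg export.

    Enabled == 0 means the protocol is switched off; any other value (the
    usual 0xffffffff) means it is on; a missing value means the platform
    default applies, which the post says is "on" for stock WP8.
    """
    keys = parse_reg_export(reg_text)
    status = {}
    for side in ("Client", "Server"):
        path = (SCHANNEL_PROTOCOLS + "\\SSL 3.0\\" + side).lower()
        enabled = keys.get(path, {}).get("Enabled")
        if enabled == 0:
            status[side] = "disabled"
        elif enabled is None:
            status[side] = "not configured (platform default applies)"
        else:
            status[side] = "enabled"
    return status


if __name__ == "__main__":
    for side, state in sslv3_status(SAMPLE_REG).items():
        print("SSL 3.0 %s: %s" % (side, state))
```

The check deliberately treats an absent `Enabled` value as "default applies" rather than "safe": on a platform where the default is on, silence in the registry is the vulnerable state, which is the situation the post describes for un-unlocked phones.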
 

Myriachan

Senior Member
Feb 11, 2013
117
174
0
My exploit allows a modification to the registry so as to trigger a bug resulting in allowing unsigned code to execute--including kernel drivers. I don't know how WinPhones work, but if they're similar in the kernel and use UEFI booting, the exploit should work.

Note that this requires modifying SYSTEM areas of the registry in order to do.

Melissa
 

ceesheim

Retired Forum Moderator
Jun 11, 2009
3,455
2,287
0
No Android Fanboys Please !!!
My exploit allows a modification to the registry so as to trigger a bug resulting in allowing unsigned code to execute--including kernel drivers. I don't know how WinPhones work, but if they're similar in the kernel and use UEFI booting, the exploit should work.

Note that this requires modifying SYSTEM areas of the registry in order to do.

Melissa
Hi Melissa :)


If you have a Samsung, you could test your exploit, because that's the only phone that can modify the registry.
Or drop it at GDTD and let him test it :), could be really interesting.

Greetings, cees
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,930
0
Seattle
She already pointed me at it. I don't want to reveal *why* I haven't gotten it to work (because that would give away info about what it is, and Myriachan has not given me permission to do that), but... I haven't gotten it to work. It's hypothetically possible, but will require considerable work. BTW, Myriachan, I sent you an encrypted PM with the results of my latest research in that area. Incidentally, a Huawei phone may be easier for this hack than a Samsung (but I don't have one and don't know much of anything about ROM hacking, which is how we unlock Huawei phones).

Bringing this thread back on topic: if djamol really can edit the registry of a Lumia phone, that makes a hack like Myriachan's more likely to be possible too. Allowing execution of unsigned code would enable full "root" pretty easily; just add (or modify) any service that runs as SYSTEM with a custom binary. You'd still have to get Myria's hack working though, which I haven't yet managed on my Samsung.
 

ArthurB.

New member
Feb 2, 2010
4
0
0
Deploying XAP file to WP

Hi,
I'm sorry if this is too basic of a question, but I hope I'm posting it to a relevant thread/forum (if not, please let me know and I'll be happy to move).
I tried side-loading the file WP8RegistryToolsv1.1.xap to my Lumia 1520, using the Application Deployment tool under Windows Phone SDK 8.0 group that I got on my computer during the developer preview registration, choosing Device as the target (phone connected to the laptop, screen unlocked), and it displays "Deploying XAP file..." for a while, but then fails with "Error - 0x89731B01."
Do you know by any chance what might be wrong, or if there's a better way to sideload?
My ultimate goal is to be able to change the default fonts on the phone.
Thanks in advance.
– Arthur
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,930
0
Seattle
First point: that's just plain not going to work, unless you know something about hacking WP8 that we don't (this is possible but seems unlikely). Most people can't write to the registry at all with this app. If you hijack the chamber of a privileged OEM app, you can write to a *little* bit of the registry. I don't know what registry key you're planning to change to modify the system fonts, but unless it's one of the handful of OEM-writable ones, this won't work.

Second point: did you try doing a search on that error code? By the way, the first character is a zero, not an o; 0x is the prefix for a hexadecimal number.

Third point: the usual series of debugging steps, in order, are to try unplugging and reconnecting the phone, closing and restarting the deployment software, rebooting the phone, and rebooting the PC. If none of that works, you may need to reinstall the SDK or something.
 

ArthurB.

New member
Feb 2, 2010
4
0
0
Thanks a lot for your response, GoodDayToDie. Based on your reply, I think I'm going to give up on this for now. What I understand from it is that such font change hasn't been done to your knowledge, and may not be possible even with this tool.

I have successfully changed the system font on an Android phone (there was an app that did it easily), as well as on my Windows 8.1 computers, so I was wanting to do the same on my new Windows Phone as well.

The error message I quoted has a proper 0x prefix for hex; it unfortunately looks too much like the letter 'o' due to the font… I normally search for the error codes, but this time I thought it would be unlikely to find since what I'm trying to do seems to be kind of unique (the searches I did for this didn't bring up much -- this thread was one of the few, hence my message here).

I'll still search for the error then. Maybe the unlocking I did through the developer program didn't take, I remember seeing a successful message, but I couldn't find any way to verify it later. For the problem, I did the usual disconnect/reconnect, reset etc. steps but to no avail.

Perhaps it will be possible later down the road if the WP becomes more popular.

Thanks again,

– A.
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,930
0
Seattle
If you tell me what key you want changed I can check (on my heavily hacked Samsung WP8 device) to see if it's writable, but yeah, otherwise your odds aren't great.

Also, there's something ironic about asking for help changing fonts using a (non-forum-default) font that makes 0 and o indistinguishable...
 
Reactions: ceesheim

etios123

Member
Nov 5, 2014
13
0
0
If you tell me what key you want changed I can check (on my heavily hacked Samsung WP8 device) to see if it's writable, but yeah, otherwise your odds aren't great.

Also, there's something ironic about asking for help changing fonts using a (non-forum-default) font that makes 0 and o indistinguishable...
Can you please check if it is possible to enable 2-column tiles on the Start screen using some registry changes for Lumia phones? Hopefully the new exploits found will help in re-enabling 2-column tiles on new phones.
 

matgras

Senior Member
Jun 2, 2012
2,231
318
0
Can you please check if it is possible to enable 2-column tiles on the Start screen using some registry changes for Lumia phones? Hopefully the new exploits found will help in re-enabling 2-column tiles on new phones.
That option is in the Start screen settings on Windows Phone 8.1.x.
 