Database Users

Running Sim Toolkit Apps

Hi,
Does anyone know if there is a way to get a list of the STK Apps installed on the SIM and execute them on user's request. I'am not looking for an app to do that, I'm interestend in implementing this functionality in my application. So I am basically asking is if there is any way to do that using the APIs provided by the SDK.
SimReadRecord could be an option, provided somebody knew which address to look for and how data is formated. Anyone has any ideas?
Thanks in advance.
Nikos.

no, you won't have it with SimReadRecord (as the toolkit menu is generated "on the fly" as the card notify the phone). There is a way to retrieve it through the RIL, but I don't have understood it fully, yet, but it's probably related to an internal command (such as RILSendMsg). If you have a way to "spy" the exchanged RIL messages, it may help you :wink:
it's easier to execute them, with the appropriate envelope command. See the RIL SIM commands and your favorite 11.14 standard :wink:

Do u know if I can succesfully use RIL_SendSimToolkitEnvelopeCmd() to send envelope commands?
I read and implemented function to build a ENVELOPE CMD SMS-PP (11.14) DOWNLOAD, but when I execute RIL_SendSimToolkitEnvelopeCmd() I get
Ril_* error RIL_RESULT_ERROR = 0x00000003 ...
Can you help me?
What about directly accessing ril.dll ?
Thank

Reversing IMEI-CHECK's Wizard Unlocker :)

Hey Folks,
After a long weekend of reversing I am about 95% done in reversing IMEI-CHECK's unlocker for the Wizard.
The application is protected by Themida which is in my view the leading protector on the market currently (yes better than execryptor).
The unlocker has Ring0 protection, Emulated API's, Resource Encryption + Lots more fun and games.
Now onto what I have found so far.
The GUI stuff:
Code:
set 1 0
set 5 ffffffff
set 2 0
set 6 000000
set 4 000000
progressbar 0 239 0 255 ffffff 100 0
shmsg 0 0 " . : | Wizard Unlock | : ."
info 1
shmsg 3 0 " ..detecting device.."
set 32 2
info 0
shmsg 4 0 " >>> Wizard found"
Is plain to see, but the evil work is well tucked away in a procedure which is pushed onto the VirtualMachine.
So I still need to fish that out (loooonnnng task)...
However the very most interesting part (I find) is the existance of a ROM inside the unlocker.
Now I am not sure if this is the bootloader/gsm rom however it certainly seems VERY interesting that it is included.
Download:
http://rapidshare.com/files/12763879/_00CC0000.mem
For those who wish to analyse it and let me know which it is and if anything has been altered.
It might well just be standard, who knows :S
The following tools are also 'picked up':
Filenames:
Code:
PORTMON.exe
SnoopyPro.exe
Device Monitor.exe
Window Titles:
Code:
Portmon Class
SnoopyPro
USB Monitor
Device Monitor
Serious Serious Kudos to the developer, Very impressive work indeed!
By making this, he has almost made himself a license to print cash.
Since he has NO terms about his programs what so ever then there is no legal problems with what I am doing to his application.
He is probably too scared of HTC anyway, since he is decompiling their firmwares in order to make the product. (Which is outlawed in HTC's terms)
Anyway....
Watch this space

Very interesting, would information gathered from the Wizard unlocker lead to cracking the Treo 750 unlocker? Or any other phone that imei-check supports for that matter?

Whiterat said:
After a long weekend of reversing I am about 95% done in reversing IMEI-CHECK's unlocker for the Wizard.
Click to expand...
Click to collapse
Great, will you disclose your findings? there was an earlier post about the unlocker for G4 wizards, here (see comment #36):
http://forum.xda-developers.com/showthread.php?t=284312
Whiterat said:
However the very most interesting part (I find) is the existance of a ROM inside the unlocker.
Now I am not sure if this is the bootloader/gsm rom however it certainly seems VERY interesting that it is included.
Click to expand...
Click to collapse
It seems that this is the patched SPL that is flashed on the first unlocking step, it is modified so that when it is told to flash an splash screen, it flashes the security area, overwriting the CID.
Whiterat said:
For those who wish to analyse it and let me know which it is and if anything has been altered.
It might well just be standard, who knows :S
Click to expand...
Click to collapse
I will load it at IDA and compare with a normal wizard SPL...
Whiterat said:
Serious Serious Kudos to the developer, Very impressive work indeed!
By making this, he has almost made himself a license to print cash.
Click to expand...
Click to collapse
Yes, the imei-check guys are doing great job with their unlockers... similar method is used in artemis unlocker too. They load a modified SPL in RAM and jump to its physical address from WinCE, this modified SPL shows the DOC ID in help of "set" command and allows flashing unsigned code, then they use obtained DOC ID info to patch the security area by sending a "fake" splash screen, same as in wizard unlocker.
Whiterat said:
Watch this space
Click to expand...
Click to collapse
I will

phoa not much point in me continuing!
You've got the whole lot there!
I'm a lover not a coder, I simply reverse in order to help others succeed.
Since you have all important info anyway, Not really going to be of much help here
P.S do you have any sigs for IDA or any scripts?
I dont like having to sift through manually as binary file......

Whiterat said:
phoa not much point in me continuing!
You've got the whole lot there!
Click to expand...
Click to collapse
Well I didn't want to discourage you on continuing the reversing process, I just pointed you to the thread where we discussed about the unlocking method a while ago...
I admire the fact that you reached that far only disassembling / debugging the binary, what we actually did to have the full process was capturing it with USB monitor; the unlocker can be tricked if you run the usb monitor process as one user, ant the unlocker as a different user, but imei-check seem to have corrected this 'bug' in newer unlockers.
Whiterat said:
Since you have all important info anyway, Not really going to be of much help here
Click to expand...
Click to collapse
We don't have _all_ the important info, we have the commands that the unlocker sends to the bootloader, but the data sent to flash the security area is actually different in every phone, so flashing what is sent in one phone to another phone will actually brick it.
I think it can be helpful if you manage to reverse the algorithm that the unlocker uses to generate the code which is flashed on the security area, this can't be done capturing usb traffic, this has to be reversed from the binary, and Themida is not easy to break as you sure have noticed
Whiterat said:
P.S do you have any sigs for IDA or any scripts?
I dont like having to sift through manually as binary file......
Click to expand...
Click to collapse
No sorry, i don't have any... I am not very used to IDA, started using it few months ago and still learning new things about it everytime I start it

Ah cool I will look into it a bit further
(Need to get a friend to code a tool to remove the junk code)
e.g
PUSH EAX
PUSH EDX
MOV EAX,2282
INC EAX
DEC EDX
POP EDX
POP EAX
Since it is popping those registers off the stack, its actually altered nothing
Themida is a cow, Because my friend didnt manage to make a start on the junk code remover (and I didnt realise there was a virtualised function) I just did each Import by hand (approx 4 hours lol)
Also rebuilt the OEP by hand too, not too hard since it was VC++6.
I have a G4 which I have unlocked with Imei-Calc (thus I have the key file, which I *think* might decrypt parts of the program, or possibly is part of an encrypted rom.)
3 Last things:
1. Can the G3/G4 chip be worked out by IMEI, i.e IMEI represents a date and the chips were only used after a certain date? or is this tool generic for G3/G4 ?
2. Do you have an SPL for 2.08.10
3. How can I dump my SPL (bearing in mind my only minisd has a full backup of my rom, Just in case crossbow gets a little ugly for my liking)
Ohh one last thing, kbdus.dll on Crossbow.....Is there a kbduk.dll as far as you know?
My Wizard has british keyboard and all the chars are shifted +1.....
Thats my next major task I think before continuing on this thing
Btw, To use the usb logger on newer versions of IMEI-CALC, just rename the exe and change the class name

Hi..Answer on the "Last Three Things"
1.) No one cannot identify G3/G4 with imei.If u lok carefully the place below yr battery u will find a"G4" written besides yr imei no.In G3, nothing is written.The most commeon way is to check IPL/SPL .001 in the end is G4.
2) Take a ROM which has 2.08 SPL. and use typho5.exe to dismantle the ROM parts.If ROM is release recently then you will find IPL/SPL for G3/G4 both.Chek the threads here..
3) As such crossbow ROM has no IPL/SPL..if u know what ROM u were using prior to that, u can apply above to dump yr ipl SPL..secondly you can do this with awizard1.3 beta.
I hope this helps

LINUX BOOTS at OPAL! Thanks to linwizard project!

Hi there,
I got Linux to boot at OPAL via linwizard project. Here are steps needed to get it work.
1) download image from:
http://tinderbox.x86.dev.gentoo.org/embedded/linwizard/gizard-20080602.tar.bz2
2) copy content of file to the microSD card
3) edit default txt and replace init=/linuxrc with init=/bin/sh
4) run haret and let it boot.
After a while you'll get to shell. No graphics.
Now you can attach microusb cable and connect it with your linux laptop (I recommend ubuntu)
and you will get usb0 interfece to start up.
Which IP to use to connect with OPAL I still must investigate.

Well ip connectivity now works:
ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
Notas:/# ifconfig usb0 up 192.168.2.200 netmask 255.255.255.0
Listik:/usr/src/linux-2.6.27/Documentation# ping 192.168.2.202
PING 192.168.2.202 (192.168.2.202) 56(84) bytes of data.
64 bytes from 192.168.2.202: icmp_seq=1 ttl=64 time=2.95 ms
64 bytes from 192.168.2.202: icmp_seq=2 ttl=64 time=1.72 ms
And how to do it:
prolong "set CMDLINE" line with
ip=192.168.2.202:192.168.2.200:192.168.2.200pal:usb0
But in this image there doesn't seem to be any telnet/ssh server running. I will try cook image with ssh server support later

Download error
Were not able to re-upload

404 file not found error!!

http://tinderbox.x86.dev.gentoo.org/embedded/linwizard/
and open latest gizard-<date>.tar.bz2
or that I suppose.
The latest link should be http://tinderbox.x86.dev.gentoo.org/embedded/linwizard/gizard-20090703.tar.bz2

does this mean any chance of android working? anyone tried?

Hey,
I'm a new Opal user and I'm interested in getting *nix running on my device. I still haven't had the chance to mess around with this stuff but I'm excited to see this thread.
I was looking into the possibility of running Android on the Opal and it seems the closest thing is this thread bout running it on the Herald (it uses the same processor as the Opal).
I don't any experience in Linux porting so I thought I'd share this, in case anyone else is interested. And at the same time, I'll try to see if I can get something working based on what has been/is being done for other devices.
Sorry for the long post.

Hey Folks,
Any progress on getting Android on Opal? I am eagerly waiting to load one.
Kindly let me know, if this version of Linux when loaded, gives the UI.
Cheers'
Vijay
cijoml said:
Hi there
I got Linux to boot at OPAL via linwizard project. Here are steps needed to get it work.
1) download image from:
http://tinderbox.x86.dev.gentoo.org/embedded/linwizard/gizard-20080602.tar.bz2
2) copy content of file to the microSD card
3) edit default txt and replace init=/linuxrc with init=/bin/sh
4) run haret and let it boot.
After a while you'll get to shell. No graphics.
Now you can attach microusb cable and connect it with your linux laptop (I recommend ubuntu)
and you will get usb0 interfece to start up.
Which IP to use to connect with OPAL I still must investigate.
Click to expand...
Click to collapse

Android can boot on Opal
I have some good news, Android can boot on the Opal. This is just a proof of concept as it's missing tons of drivers and is completely useless.
Touchscreen and all keys except for the volume control (and obviously the reset button) are not working. So you basically can't do anything when you run it.
What I tried is the same as what's written in this thread about running Android on Gene. They're using the build made for the Herald/Wing (just as I was proposing in my last post) with customized initramfs and kernel.
You'll find all the necessary details in that thread. However, there's a newer build than the one mentioned there it's wing-linux-0.4pre2.cab. And the suitable kernel for that build is supposed to be the pre2 posted in this post but it didn't work on my Opal so I tried the older Gene kernel and it worked. The main difference between the two is bluetooth support, and that's obviously is of no use for us.
This doesn't effect the Windows rom, nor does it requires any special partitioning. Still it's best to have everything backed up before launching it, just in case.
This is the official site for the wing/herald build:
http://wing-linux.sf.net/
This thread on their forums about the Gene port will probably be of use to us:
http://sourceforge.net/apps/phpbb/wing-linux/viewtopic.php?f=4&t=4
I'm reading about the next steps but as I said before, I don't have any previous experience or knowledge about this type of things. If someone can give me hand, I would be more than grateful. At any rate, once I have better understanding of the concept I'll contact the people behind the Wing and the Gene ports.
P.S: If you do try to run this, keep in mind that this will take lots of time, specially for the first launch. And when you get an error saying something like "android sh: can't access tty" just ignore it and keep waiting. After a while you'll have a flashing "android" on the screen, and after some more waiting you'll reach the main screen.

Is this just THE BEGINNING
Sooper Stuff..!! So is this just THE BEGINNING??
How do we port the drivers and other required information in the build?
Cheers'
Vijay
www.msigeek.com

A Lil' help
I'm going through the Gene port thread here and on the Wing-linux sourceforge forums but I'm still a bit overwhelmed.
I would appreciate any help as I'm completely new to porting. I have some programming and linux knowledge but never attempted this type of things.
Click to expand...
Click to collapse
So am I.
Hmmm...
Right. Lets do it the way I did it.
1. Get the touchscreen working. Through HaRET, you must have got the GPIO interrupt whenever you pressed the touchscreen. You must have got two numbers corresponding to each press - a smaller number and a bigger number. The smaller number is the GPIO, and the larger number is, well, lets say a special GPIO value for the same pin.
Now checkout the Gene branch through git.
Goto /wing-linux/kernel/arch/arm/mach-omap1/board-htcherald.c
Scroll down to a block of code where you'll see the touchscreen code. Enter the smaller number in the .dav_gpio statement, and the IRQ number in the OMAP_GPIO_IRQ() statement below.
2. Follow the Kernel build instructions on the development section of the wing-linux wiki (the two make commands)
Copy the zImage into the linux folder on your SD card
Boot into wing-linux. The touchscreen should start working.
3. Now, hopefully, after the touchscreen's working, You would essentially just require two more buttons - the home button and the back button for minimum functionality. Everything else can be worked on by the touchscreen.
Then follow the instructions on the wing-linux forum (Page 2) to get the KEY(row,col) values of the keys on your handset. Hopefully you should get atleast a couple. Note down the corresponding keys and their KEY(r,c) values output.
4. Fire up board-htcherald.c again and goto the place where you have the KEY(r,c,KEY_blah) thing and replace the codes as per your obtained KEY(r,c,KEY_blah) values (The Home button is the one commented as Left Button)
5. That's all I can help you with as of now. I'm also figuring out a stable way of getting the DPad and the center select key to work, but It'll take some time.

Thanks kshaurya!
(This guy right here is the one who fixed the kernel for Gene, I asked him for some pointers).
I don't want to take my device apart just yet (I usually do my best not take to dismantle anything that I haven't owned for at least 3 months unless absolutely necessary) and I couldn't find a place that states what touchscreen it uses. I'm just hoping that it's the same a tsc2046 as well. [Is there anyone without a warranty and/or willing to check for us?]
I'm gonna double check the values I got from the touchscreen as for some reason I seem to have to IRQ values, probably forgot to get rid of some spamming irq. And, at the same time, I'm currently setting up a VM as a building environment, my main boot is Intrepid 64 and there's no 'psyco' package for 64 machines.
If anyone else have some experience and wants to try this, refer to: http://www.handhelds.org/moin/moin.cgi/HaRET_20Documentation (using haret to get the GPIO and IRQ values needed).
And to:
http://sourceforge.net/apps/trac/wing-linux/wiki/Development (acquiring the source code from Wing Linux and how to build it).
And a quick question for anyone that tried booting Android on the Opal, what screen did you get when Android finally finished booting?

I don't want to take my device apart just yet
Click to expand...
Click to collapse
Huh? where did that come from? Wing Linux will not touch your WM.
I seem to have to IRQ values
Click to expand...
Click to collapse
Do you mean two? Well, that's exactly what you should get. Even if it's just one, enter that value in the code.
my main boot is Intrepid 64 and there's no 'psyco' package for 64 machines
Click to expand...
Click to collapse
Oh no. dont tell me that you are building the entire thing. all you need to do is build the KERNEL! Please! Don't go into building the whole thing from scratch. Use the make ARCH ARM commands given on that page.

kshaurya said:
Huh? where did that come from? Wing Linux will not touch your WM.
Click to expand...
Click to collapse
I mean to check the screen, in case it turned out to be different that what you have.
kshaurya said:
Do you mean two? Well, that's exactly what you should get. Even if it's just one, enter that value in the code.
Click to expand...
Click to collapse
Yeah, stupid typo.
I noticed now that one of them appears when I keep the screen 'touched' for a bit longer.
kshaurya said:
Oh no. dont tell me that you are building the entire thing. all you need to do is build the KERNEL! Please! Don't go into building the whole thing from scratch. Use the make ARCH ARM commands given on that page.
Click to expand...
Click to collapse
I'm not gonna build the complete thing. Seems like I got too exited and failed to notice that building the kernel only requires a cross-compile toolchain, te rest is for compiling the whole thing.
I'm not THIS stupid usually . Honestly!
Thanks again!

I'm not THIS stupid usually . Honestly!
Click to expand...
Click to collapse
Its pretty normal

Weird.
I've only changed the two touchscreen values and built the kenrel. It finished without any error but now it won't boot.
It gets stuck, even before the space allocation part, with this error: "sh: can't access tty; job control turned off". And then it displays a prompt.
I'll try modifying an older build, I'm pulling them from the repos at the moment.
After all, the pre2 kernel from Gene didn't boot on my device (although it got stuck later on).

Try doing a clean install - Remove the linux folder and try again.
Also, make sure that you're not forgetting to checkout the Gene branch.
Code:
git checkout Gene
Is your default.txt modified? And have you downloaded the modified initramfs.cpio?
check in the Gene forums for that.

Already tried the clean install, no dice. The default.txt is untouched and I'm using the modified intramfs. What happened this time is different from what happens using the original one, it's not asking me to specify the partition size but instead it's waiting for a command. I could probably ssh via usb but I have no clue how that might help.
And I've already checked out the Gene branch from the beginning.
I've tried compiling the kernel for pre1 (after changing the screen values) from SVN and it did boot (both using the cabs for pre1 and pre2) but no touch screen yet. All in all, I'm guessing that there's too much hardware difference here.
And the button for lowering volumes didn't work either, it seems like whatever you changed for getting it to work on Gene is the same as what we need here, but I'll think about that later.
I only have two ideas left:
- Trying to go back to a more stable build (with lesser features and lesser possibilities for errors). Maybe 0.3.
- Trying to create some kind of hybrid kernel using this alongside the HTC Vogue build as it probably has closer hardware to the Opal (obviously, I'm talking about everything beside the MSM7500 400MHz processor that it has). I'm hoping it won't get to this cause I'm definitely under qualified for that at the time being.

What happened this time is different from what happens using the original one, it's not asking me to specify the partition size but instead it's waiting for a command.
Click to expand...
Click to collapse
Could you post a screenshot?
I've tried compiling the kernel for pre1 (after changing the screen values)
Click to expand...
Click to collapse
I'm assuming you mean the touchscreen values? Try interchanging and see.
Trying to go back to a more stable build
Click to expand...
Click to collapse
I wouldn't recommend that. Defeats the whole purpose.
Why don't you try getting in touch with darkstar?

kshaurya said:
Could you post a screenshot?
Click to expand...
Click to collapse
A friend borrowed my digital camera, I tried my laptop's webcam but the text it too blurry. Couldn't fix it using gimp either. So here's exactly what's showing on the screen:
Code:
mdir: Cannot creat directory `/mnt' : File exists
modprbe: could not parse modules.dep
initramfs: Creating device nodes:
initramfs: Loading /initrd.d/10-initfs.sh module
initramfs: Loading /initrd.d/30-wingboot.sh module
Selected:
ROOT_DEVICE=/dev/
CMDLINE=debug quiet psplash=false loglevel=7 init=/sbin/init console=tty0 video=omapfb:accel fbcon=rotate:3 4 root=/dev/
initramfs: Loading /initrd.d/80-loopboot.sh module
initramfs: Loading /initrd.d/85-blockboot.sh module
booting from: /dev/
mount: Mounting /dev/ on /mnt failed: Invalid argument
Unable to mount rootfs device
sh: can't access tty; job control turned off
/ $
And after the prompt, on the same line, there's a flashing '_' waiting for input.
Using the original zImage (from the pre2 cab) it's right around here that the screen clears and the Wing Linux installation script kicks in.
kshaurya said:
I'm assuming you mean the touchscreen values? Try interchanging and see.
Click to expand...
Click to collapse
Will try that next.
kshaurya said:
I wouldn't recommend that. Defeats the whole purpose.
Click to expand...
Click to collapse
I meant it as just a temporary test to till the cause of the incompatibility is figured out. With less things that could go wrong, it'll be easier to locate the ones that are going wrong.
kshaurya said:
Why don't you try getting in touch with darkstar?
Click to expand...
Click to collapse
You're right. I should post a thread on the project's forums asking for his help.

DVP File Copy and another registry editor

I just found a neat little bit of code while browsing the em.dll.
In the RD TEST go to "About EM" type in 6814 and you will get the "+/others/EM_in_EM.xaml" menu. I have not really played around with this yet but it is the first time I have heard of this menu.
This also allows you to execute things like:
EM:ATCMD_REQUEST:
EM:ATCMD_GET:
EM:FILE_COPY:
EM:S_SWINFO;
EM:FLASH_LED_ON
EM:FLASH_LED_OFF
etc
You can also do EM:REGISTRY_SET:" + <path> + "," + <key> + "," + <data type, e.g. DWORD> + "," + <data> + "," + <path_type expressed as int> + ";", 1, false but it just seems to hang there. Trying to see if we can write to anything at all.
Also further look when I was HEX editing, there is a set button in the registry editor but forwhatever reason it is hidden. I need to find a way to actually de compile the dll's but it needs a CLI interpreter.

good find but what of the details I wonder...

MJCS said:
I just found a neat little bit of code while browsing the em.dll.
In the RD TEST go to "About EM" type in 6814 and you will get the "+/others/EM_in_EM.xaml" menu. I have not really played around with this yet but it is the first time I have heard of this menu.
This also allows you to execute things like:
EM:ATCMD_REQUEST:
EM:ATCMD_GET:
EM:FILE_COPY:
EM:S_SWINFO;
EM:FLASH_LED_ON
EM:FLASH_LED_OFF
etc
You can also do EM:REGISTRY_SET:" + <path> + "," + <key> + "," + <data type, e.g. DWORD> + "," + <data> + "," + <path_type expressed as int> + ";", 1, false but it just seems to hang there. Trying to see if we can write to anything at all.
Also further look when I was HEX editing, there is a set button in the registry editor but forwhatever reason it is hidden. I need to find a way to actually de compile the dll's but it needs a CLI interpreter.
Click to expand...
Click to collapse
good work, keep on truckin'! wish I could help but i know nothing...

raiderfan247365 said:
good work, keep on truckin'! wish I could help but i know nothing...
Click to expand...
Click to collapse
Thank you. I decompiled the entire EM application and am in the process of recompiling it to bypass a few restrictions with the current com dll. I might have native comm access working by the end of the week

You're my f***ing hero!
Please keep up the great work!

MJCS said:
Thank you. I decompiled the entire EM application and am in the process of recompiling it to bypass a few restrictions with the current com dll. I might have native comm access working by the end of the week
Click to expand...
Click to collapse
Hey I dont know if you are on Mango or Nodo but I still have a NoDo backup so if you need testing that cant be done on Mango let me know.

raiderfan247365 said:
Hey I dont know if you are on Mango or Nodo but I still have a NoDo backup so if you need testing that cant be done on Mango let me know.
Click to expand...
Click to collapse
Thanks. I might need that.

The SET button doesn't work even after being enabled. Are you refering to the EM (v1.12) in the new Mango FW (.219).
By the way, the details you listed were there right from beginning and is of no use until post nodo DVP update(EM app V1.10)..worth a try in V1.12, but i doubt.

I only had the nodo 1.10 version. I don't know how to extract the EM app.

MJCS said:
I only had the nodo 1.10 version. I don't know how to extract the EM app.
Click to expand...
Click to collapse
Then no dice..But you keep doing your work..Especially if you write any C level programming and use the IDA pro disassemblers, you might be lucky..

notebookgrail said:
Then no dice..But you keep doing your work..Especially if you write any C level programming and use the IDA pro disassemblers, you might be lucky..
Click to expand...
Click to collapse
Got it to compile. Need to get the 1.12 dll's now
** EDIT **
Oh dear god...it was version 0.26 :|.
Grrrr. Where would the EM App be located ine the file structure. \Windows\?
** EDIT **
I think this was actually created by Microsoft for Dell if you look at the signing and the properties of the dll. I wonder if that is why it is so locked down

MJCS said:
Got it to compile. Need to get the 1.12 dll's now
** EDIT **
Oh dear god...it was version 0.26 :|.
Grrrr. Where would the EM App be located ine the file structure. \Windows\?
** EDIT **
I think this was actually created by Microsoft for Dell if you look at the signing and the properties of the dll. I wonder if that is why it is so locked down
Click to expand...
Click to collapse
Every Native dll is signed by Microsoft TCB. As for the EM App, it would most likely be hidden in \Windows. I would try \Windows\EM_App.xap. You can always see if you can copy the \Windows\FieldTestApp.xap and open it up and see what you get. Alternatively, look at the WMAppManifest.xml within the EM App project and you should be able to more or less guess what the name of the .xap would be.

What about EM:FILE_COPY command? What does it do?
Strange, but it seems this command has only one argument like:
EM:FILE_COPY:\Update.log;
If I write command with more arguments like EM:REGISTRY_GET, for example:
EM:FILE_COPY:\Update.log,\UpdateApp2.log;
It will return FALSE, FILE_NAME_ERROR!

WP8 SYSTEM registry files from FFU

I found where the system registry files are stored inside the ffus. This is from my Lumia 928 factory ffu.
Code:
\Windows\System32\config - DEFAULT, DRIVERS, FP, ProvisionStore, SAM, SECURITY, SOFTWARE, SYSTEM
\Windows\System32\config\MOUNTMGR - SYSTEM
\Windows\System32\config\unmodified - BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
\EFIESP(Different Partition)\Windows\System32\config\unmodified - BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
All of these files contain regf as the first few characters in hex. Beyond that, the files are mostly garbage looking at them in Notepad++.
I haven't been able to find any registry editors yet that can edit them, including ones built for Windows CE/Mobile or even Win7/8.
Anyone know of something that can display it in a normal fashion? (without needing a WP8 device to attempt to edit it on.)
EDIT: The files from \Windows\System32\config have been zipped for simplicity reasons (for those of you who don't have a ffu handy)
EDIT2 (August 22): The files from the GDR2/Amber update from my phone's rom have been added.
WalkingCat said:
OK, this is a reply to this thread, but apparently I can't post in that forum yet.
So, you've found registry file inside \Windows\System32\config, and this is the way to open and edit it.
No third-party tools needed, just use regedit.exe in your Windows system
1. Run regedit.exe
2. Click on any root key, like HKEY_LOCAL_MACHINE
3. Open File menu, select Load Hive
4. Select a file in your mounted ROM \Windows\System32\config, like SOFTWARE or SYSTEM, open it
5. In the dialog asking for a name, input any text, like WP8Software
6. Registry is now loaded under HKEY_LOCAL_MACHINE\WP8Software, you can edit it.
7. Open File menu, select Unload Hive, then its written back to disk.
reference: http://technet.microsoft.com/en-us/library/cc732157.aspx
Click to expand...
Click to collapse

Check this post : http://forum.xda-developers.com/showpost.php?p=44312736&postcount=41
I used 7zip to extract the file

vivekkalady said:
Check this post : http://forum.xda-developers.com/showpost.php?p=44312736&postcount=41
I used 7zip to extract the file
Click to expand...
Click to collapse
That works fine for .wim or a .zip, but these files are the complete registry store that's same format that Windows 2000, XP, Vista, ect. uses to store the settings for hardware/drivers, windows itself, and other apps that have that kind of access (e.x. Tier3 Applications)

If it's same format as XP/Vista type it should be easy openable, look for the application on the internet.

GodlikePL said:
If it's same format as XP/Vista type it should be easy openable, look for the application on the internet.
Click to expand...
Click to collapse
Apparently it isn't. I used RegistryEditorPE, that's supposed to work with offline registries for 2000 to 7, but it kept erroring out.
Sent from my RM-860 (Lumia 928) using the OFFICIAL Tapatalk app.

This is good stuff to know. Something that should be good to note is that while I decompiled the .NET for a few of the Verizon Xaps from the 928 ROM, I discovered some Nokia-specific COM Interop that interfaces with the registry. I'm hoping I can try something out and put up a test program within the next few days and make some registry changes.

Hi
I found a registry key
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office Mobile\SPMC\Action\doc]
"Application"=dword:00000005
"ApplicationCommand"="app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/Default?CmdLine=-url %s"
"Action"=dword:00000003
this is for Microsoft office Word
I think we can open word using the link i guess (app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/)
so is this part useful?
can external commands executable through this part (CmdLine=-url %s) ??
something like this
http://dotnet.dzone.com/articles/windows-phone-7-tip-day-know

@snickler: Let me know if you succeed with that. I managed to sideload an app using one of those libraries (after removing nearly all the interesting capabilities...), but immediately got an error about the component not being registered. I didn't try running regsvr or anything, though...

GoodDayToDie said:
@snickler: Let me know if you succeed with that. I managed to sideload an app using one of those libraries (after removing nearly all the interesting capabilities...), but immediately got an error about the component not being registered. I didn't try running regsvr or anything, though...
Click to expand...
Click to collapse
Hmmm, which phone do you have?
Edit: I tried to deploy just a sample app with one of the .winmds referenced, and got the 0x81030120 error
Holy fuzzle.. ANOTHER EDIT: I was able to do it. I had to remove all the damn Capabilities that I added from the Nokia Maps xap though.
I referenced the NokiaRegistryUtils.winmd and just ran this sample code
MessageBox.Show(NokiaRegistryUtils.Registry.IsChinaFirmware().ToString());
It returned "false" as expected.
I'm going to try something else now.
Something to note, in the WMAppManifest.xml, the following needs added after the <Tokens> declaration
<ActivatableClasses>
<InProcessServer>
<Path>NokiaRegistryUtils.dll</Path> <-- or whatever dll you're adding
<ActivatableClass ActivatableClassId="NokiaRegistryUtils.Registry" ThreadingModel="both" />
</InProcessServer>
</ActivatableClasses>

vivekkalady said:
Hi
I found a registry key
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office Mobile\SPMC\Action\doc]
"Application"=dword:00000005
"ApplicationCommand"="app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/Default?CmdLine=-url %s"
"Action"=dword:00000003
this is for Microsoft office Word
I think we can open word using the link i guess (app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/)
so is this part useful?
can external commands executable through this part (CmdLine=-url %s) ??
something like this
http://dotnet.dzone.com/articles/windows-phone-7-tip-day-know
Click to expand...
Click to collapse
Where did you find that key?

in ffu file
location <ffu mount>\Windows\Packages\RegistryFiles\Microsoft.Office.Word.reg

Perfect. That's what I'm doing now, but just from my 920 ROM dump. I can access the registry sections that Nokia provides in their app, but I can't from the one you provided me. I'm going to do more tests to see if this is using HKCU rather than HKLM. It could also be that the registry keys have permissions placed on them.

Hmm,
I'm able to get the value of SOFTWARE\Classes\MIME\Database\Codepage\1254 -> BodyCharset

I may write a simple app that reads registry from Lumia devices... I think that's going to happen today.

found these things dont know it is of any use
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3]
"DefaultId"="{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
Click to expand...
Click to collapse
http://support.microsoft.com/kb/287547

vivekkalady said:
found these things dont know it is of any use
http://support.microsoft.com/kb/287547
Click to expand...
Click to collapse
I did find THIS..
Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\DeviceReg\Install]
"MaxUnsignedApp"=dword:7FFFFFFF"
That translates to the value of InterOp unlock by default which means we should be able to sideload more than 10 apps at a time.
I also found these within policy xml files
Code:
Microsoft.BaseOS.SecurityModel.policy.xml
<Capability ElementID="2EF45E94A01864DE3387212D6E73AEA885E709AD0F24FB97FE2E84728CB09D14" AttributeHash="49B8EC80A54998B68D7F65A44A340FD28B535494B7A41D650FD94851E38A6B6B" Id="ID_CAP_DEVELOPERUNLOCK" AppCapSID="S-1-15-3-1024-2489250862-3731101856-757172019-2830005102-2903107461-2549818383-1921265406-345878668" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1443" FriendlyName="Enable bearing chamber to load unsigned modules" Visibility="Internal" />
<Capability ElementID="BAFBED1970753822A266C1985F4A2CA2BA7A97CCE149F874743D00F678643C26" AttributeHash="54A2744DE064E139FD4403623C2AB9F1E130BC5C0786F56C1CE39AC814DC3F03" Id="ID_CAP_DEVELOPERUNLOCK_API" AppCapSID="S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1450" FriendlyName="Enable setting of registry key protecting developer unlock mode." Visibility="Internal">
<CapabilityRules>
<Rules>
<RegKey ElementID="F0921CC3ADB2FEE5B7DC90F9F2BBDDB6E4D7BFAF9CE189C1585A90CD71E36882" DACL="(A;CI;KRKW;;;S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1030)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1450)" Flags="515" Path="HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager" />
</Rules>
</CapabilityRules>
</Capability>
<Capability ElementID="BAFBED1970753822A266C1985F4A2CA2BA7A97CCE149F874743D00F678643C26" AttributeHash="54A2744DE064E139FD4403623C2AB9F1E130BC5C0786F56C1CE39AC814DC3F03" Id="ID_CAP_DEVELOPERUNLOCK_API" AppCapSID="S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1450" FriendlyName="Enable setting of registry key protecting developer unlock mode." Visibility="Internal">
<CapabilityRules>
<Rules>
<RegKey ElementID="F0921CC3ADB2FEE5B7DC90F9F2BBDDB6E4D7BFAF9CE189C1585A90CD71E36882" DACL="(A;CI;KRKW;;;S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1030)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1450)" Flags="515" Path="HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager" />
</Rules>
</CapabilityRules>
</Capability>

Need a Nokia Device?
snickler said:
I may write a simple app that reads registry from Lumia devices... I think that's going to happen today.
Click to expand...
Click to collapse
Thats great! If anyone needs a Nokia device to test on, Nokia has Remote Device Access to those who need it. Its a free service to anyone who has a Nokia DEVELOPER account, which is separate but free as well. The devices they mostly have are Lumia 820s, but the have a few others (620, 720, 920 and the 928.) The great thing about them, you can deploy an xap and run the apps. Some of those phones have sims in them and some of them have a "Nokia On-Device Diagnostic Tool". The only drawback, is that the connection can be SLOW.

Huh, you had to add the InProcServer manually? That may be the problem, then. I'm not sure why they're using COM - it works just fine to simply use the native Win32 APIs (add references to ADVAPI32LEGACY.LIB and/or KERNELBASE.LIB; that's what my NativeAccess library does and it works fine) - but it's good to know that COM is, in fact, usable.

Yeah, I already found those policy files. As I've said in other posts, if you can find a way to sideload an app that uses them, we can do a lot more than is currently possible - the internal and private capabilities (and some of the so-called public ones, most of which still won't install) have all kinds of cool potential.
One advantage of the WP8 app model, as opposed to the WP7 model that used ID_CAP_INTEROPSERVICES for everything, is that an app like you're making may well work on other devices. The fact that you got the interop-lock error means that the app did have ID_CAP_INTEROPSERVICES specified, so it may use it for some things, but the registry access is probably not one of them.

GoodDayToDie said:
Yeah, I already found those policy files. As I've said in other posts, if you can find a way to sideload an app that uses them, we can do a lot more than is currently possible - the internal and private capabilities (and some of the so-called public ones, most of which still won't install) have all kinds of cool potential.
One advantage of the WP8 app model, as opposed to the WP7 model that used ID_CAP_INTEROPSERVICES for everything, is that an app like you're making may well work on other devices. The fact that you got the interop-lock error means that the app did have ID_CAP_INTEROPSERVICES specified, so it may use it for some things, but the registry access is probably not one of them.
Click to expand...
Click to collapse
The best part is that the Nokia CityLens uses ID_CAP_INTEROPSERVICES, but I can't find anything that references it.
The winmds use System.Runtime.InteropServices though.
The Nokia app I got the RegistryRT from didn't use the INTEROP Capability at all, but I did notice that I had to add that extra stuff in the AppManifest.