Can't access wifi hotspots because of Certificate Authority - Galaxy 3 General

I have searched high.. and I have searched LOW... and I can find no solution for this problem:
}{Alienz}{ said:
Well the thing is I tried several browsers.
1. The default one that comes with Android
2. Opera mini
3. DolphinHD
All same thing. I'm now going to test with a beta build of Firefox for Android (Fennec was it called? I forget) but it's SUCH a stupid thing to not work. Every other device WORKS. Blackberries, iPhones, tablets, laptops....everything.
EDIT: The EXACT error I get is:
"There is a problem with the security certificate for this site. This certificate is not from a trusted authority." I get this AS it attempts to load the redirect login page (both university and at work now). Same issue. It's browser/certificate related. And it's ANNOYING as hell.
EDIT 2: Found the problem. It's that stupid certificate.
"This is a result of your corporation using an in house Certificate Authority to provide SSL encryption on your mail server and clients.
Basically....the computer that issued the certificate isn't trusted by the android phone. I'm new to android so I'm not sure if you can add a trusted CA (I haven't seen any options for it).
I don't know about future updates like the above poster mentioned.
Most companies will purchase a certificate from one of the major Certificate Authorities on the internet, which are pre-programmed into most operating systems to be trusted. Internal CAs are trusted by the domain environment at your work, but not by anyone else. External (Internet) CAs are trusted by everyone.
If you want an example, open up IE (gross I know) and go to your options. Click the Content tab, then there should be a button labelled Certificates. Inside the Certificates window select Trusted Root Certification Authorities.
That is a list of all the built-in trusted CAs provided by Microsoft and the companies that govern the internet. "
I STILL have no idea how to fix it and to make the phone accept the certificate though.
EDIT 3: Fennec (Mozilla Firefox for Android beta) managed to pull up the login page for my work network. Not sure if it will work for the university yet.
I can't use firefox because the Galaxy 3 isn't supported. (Hence, why I'm asking in the Galaxy 3 section.)
But there MUST be a way to accept a simple TOS.
Maybe an AP? Or a script that can be written?
I've rooted my phone... Maybe I can find a way to add the McDonald's certificate?
HELP!

Oh come now..
Sixty views, somebody could at least take a JAB at it.

TeamRainless said:
Oh come now..
Sixty views, somebody could at least take a JAB at it.
Alright the hell with it... I'LL take a jab at it:
I can't load the McDonald's site because Android doesn't like their certificate. So all I should have to do is add the McDonald's certificate to the list of sites that Android accepts and it should be sugar in the gas tank right?
So where is this list held?

Related

80072fd Push with SBS2003

My IT guys have been trying to get this push email thing working and it seems to be one difficulty after another and is not as simple as pressing "push email" in the connection icon....
Our latest error appears on my device with the above error code stating
"the security certificate on the server is invalid. contact your exchange server administrator or ISP to install a valid certificate to the server".
I have read that I need to buy a public certificate from a public authority (CA) or similar such as Verizon or Thawte. Is this the case, or is there a simpler way to get this push email working using the existing configuration and setup of the server?
We use exchange SP2, with outlook 2003 all around. Internet based webmail works correctly with full access, and activesync via PC works perfectly, but push email encounters the above error.
Any suggestions.
are you sure it's 80072fd or 80072efd ?
I don't have a solution, but the problem is described in M$ knowledgebase article: 915438 - see attached Acrobat .PDF.
I had already tried the suggestion in KB915840 to import the certificate from my sbs2k3-domain, but this had failed with "cannot access the certificate" - even with them on the device. However, certificates from my clients' servers, both sbs2k and sbs2k3, import without problems. This happened both before and after o2's AKU2 ROM update - so AKU2 is not the problem. In addition, I spent Easter *totally* reinstalling sbs2k3 and tested it immediately afterwards. All the sbs2k3/Exch2k3-Sp2 boxes are fully patched. The certificate itself is correct/working, since it works for Outlook Web Access via the web with laptops and even the Exec (Universal).
Whilst sync'ing from the workstation via ActiveStink/USB, if you turn off the SSL requirement the sync succeeds, but that's obviously not a working solution via the 'Net.
Update:
Just had a thought, and checked the various certificates in a hex-editor. The one from my sbs2k3 box is a completely different format. :? I'll see what I can find out.....
maybe not related, but here's a list of all ActiveSync Server Error Codes: http://blogs.flaphead.dns2go.com/archive/2005/11/21/3202.aspx
80072f0d
Sorry, the correct code is 80072f0d.
I know your pains astage, but there is no way we are pulling the box down and putting it back up again, our server hosts 30 + staff simultaneously and I cant take it down just to fix my one desire to have push email.
But I do find it painful and frustrating that microsoft do not adequately support their own platforms and systems dont integrate as they should and as they are promoted.
M$ sks.
Re: 80072f0d
simon_darley said:
....I know your pains astage, but there is no way we are pulling the box down and putting it back up again, our server hosts 30 + staff simultaneously and I cant take it down just to fix my one desire to have push email.....
I'm not sure if it was clear from my reply - too tired - but rebuilding the server did not help at all.
Yeh, the pains of rebuilding SBS and having it all configured and running correctly when the staff arrive in the morning is not something I do willingly - hence the use of the holiday. It was done only as a last ditch attempt to solve this and another problem that had Micro$oft totally stumped - not related.
There is a difference in the certificate formats, so that's where I'm concentrating my efforts now. Will let you know what I find.
80072f0d error - the fix!
Just spent the past hour kicking and calling myself an £$%&* idiot.:x
Anyway, to cut the story short, the problem *is* indeed the damn format of the SSL certificate exported by sbs2k3. For the WM5 device to import it, it needs to be in DER X509 format.
If you have imported it into your PC/laptop for OWA/OMA/RWW, then you can easily export it from IE's Internet Options into DER format.
From Internet Options:
- go to Content-tab
- click Certificates-button
- find and highlight your certificate - I had imported mine into Trusted Root Authorities
- click Export-button
- click Next on wizard page
- enable the "DER encoded binary X.509 (.CER)" radio-button, and click Next
- enter a suitable path & filename, e.g.: "myserver.cer"
- click Next, click Finish, click Ok.
- Now copy the certificate to your PDA via ActiveSync.
- Open File Explorer on the PDA,
- Find the certificate file and launch it.
- click Yes to import it and you're done!
I think the reason why my sbs2000 certificates worked was that I had installed Certificate Services on those boxes and exported those certificate from there. I don't understand why some of my client's sbs2003 certificates were in DER-format, and others weren't, but we are talking about Microsoft software, so what else should I expect......
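The two threads above come down to the same trust problem: the login page or mail server presents a certificate issued by an in-house CA, and the device only trusts the public roots built into it. The script below is an added example, not code from any poster: it builds a throwaway internal CA with the openssl CLI, issues a server certificate from it, shows that verification fails with only the built-in roots and succeeds once the internal CA is added to the trust bundle, and finally exports the CA certificate in the DER (.cer) form the WM5 import procedure requires. It assumes openssl is installed; the CA and host names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "certificate is not from a trusted
# authority" failure with a throwaway internal CA, fix it by trusting that CA, and
# export the CA certificate as DER. Assumes the openssl CLI; all names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_demo_pki() {
  # Self-signed root standing in for the organisation's in-house CA (constructed).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-internal-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Key and signing request for the captive-portal / mail host (constructed name).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=portal.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # The internal CA signs the server certificate: this is what the device later sees.
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/server.pem" 2>/dev/null
}

# A device with only its built-in public roots: the default store is disabled here so
# the result does not depend on what the host machine happens to trust.
verify_with_public_roots_only() {
  if openssl verify -no-CAfile -no-CApath "$WORK/server.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted   # "unable to get local issuer certificate": the CA is unknown
  fi
}

# The same device after the internal CA has been imported into its trust store.
verify_with_internal_ca_added() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.pem" \
       "$WORK/server.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Export the CA certificate as "DER encoded binary X.509 (.CER)", the format the WM5
# import needs. Prints the first byte so the caller can confirm it is DER (0x30, the
# ASN.1 SEQUENCE tag) rather than a PEM file beginning with "-----BEGIN".
export_der() {
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"
  od -An -tx1 -N1 "$WORK/ca.cer" | tr -d ' \n'
}

make_demo_pki
echo "built-in roots only : $(verify_with_public_roots_only)"
echo "internal CA imported: $(verify_with_internal_ca_added)"
echo "ca.cer first byte   : 0x$(export_der) (30 = DER)"
```

The same contrast is what separates the laptops that work from the phone that does not: the laptops are domain members that received the internal root, the phone never did. Importing the root, rather than clicking through the warning, is the fix that keeps the padlock meaningful, and the DER export is only a packaging step for devices that will not read PEM.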
msfp and 80072f0d
After testing a few different certificate variations, the engineers that maintain our servers were able to send me two alternative certificates, one or both of which appear to have worked effectively.
So it imported, and now my active sync works for receiving these emails, now I need to look at these heartbeat pings and find out how I set the periodic checking.
Just wondering, normally if you dial a gprs/3g connection, you pay once, and stay connected all day. Does this now mean that it connects, downloads, disconnects, then 5 minutes later reconnects, downloads, and disconnects, thus paying a much larger reconnect fee every time?
I am playing with this as a new toy, but I can see the costs are going to go ballistic....
and... perhaps for all those that are already experienced here, how does one send an email that remote wipes the device?
is there a command, or a key word or something that makes the system realise the remote wipe command....
sorry, I know this is off the topic of my original post, but thought you might know.
if not, I can start a new topic....!!!
The certificates that I was given were a server.cer and a root.cer.
If anybody needs to know, I can ask the engineers how they did what they gave me to get it to work.
The remote wipe is done from the sbs2k3 box - or rather the box running Exchange2k3Sp2. Your admin needs to install a small tool that he (Domain Administrator credentials needed) then accesses via IE.
Microsoft has published a new white paper (Feb 2006) that describes the whole procedure - just a shame they missed the need for the certificate to be in DER format. The white paper is: "Deploying Windows Mobile 5.0 with Windows Small Business Server 2003".

[Q] Wi-Fi connectivity. Can't connect to public networks! :(

Here's the problem.
When I try to connect to my University's network , the Galaxy S is able to connect JUST fine. However, when I open a browser it says the incoming certificate is not secure and then I have NO INTERNET on any page.
What the network is supposed to do is redirect me to the login page so that I can register the device to the network. My phone can't do that apparently and just sits connected to the network with NO INTERNET connectivity. How can I fix the problem?
This is the university network and the instructions how to get on it for Android devices:
http://www.colorado.edu/its/docs/wireless/androidwireless.html
I connect to it just fine but am UNABLE to get to that device registration/login page.
This is NOT just for my university. ANY public network which requires me to accept an "agreement" before it lets me have internet access, my phone KILLS ITSELF and CANNOT pull up the agreement page but instead tells me there is no internet. I'm SURE its a software problem or something with settings but can't figure out just what it is. Help?
Just about the only networks I can connect to on Wi-Fi are home networks. It SUCKS.
Are you manually trying to type the page address into the browser (https://dhcp.colorado.edu/Public/forceresponse.cgi?SelectAccessData=true)?
No. I tried other websites. The phone browser is IMMEDIATELY redirected to that page and after 0.5 seconds it says "Communication Failed" or something similar and loads NOTHING. Hence my problem is that it can't get to that registration page.
I am not sure then. I have had no issues connecting to public connections that require logins. Maybe call the tech # listed on the instructions page and see what they say. I did notice the screenshot in the guide seems to be 2.2 so maybe this has something to do with it (probably not but who knows)
Sigh
That's not good.
EDIT: The EXACT error I get is:
"There is a problem with the security certificate for this site. This certificate is not from a trusted authority." I get this AS it attempts to load the redirect login page (both university and at work now). Same issue. It's browser/certificate related. And it's ANNOYING as hell.
EDIT 2: Found the problem. It's that stupid certificate.
"This is a result of your corporation using an in house Certificate Authority to provide SSL encryption on your mail server and clients.
Basically....the computer that issued the certificate isn't trusted by the android phone. I'm new to android so I'm not sure if you can add a trusted CA (I haven't seen any options for it).
I don't know about future updates like the above poster mentioned.
Most companies will purchase a certificate from one of the major Certificate Authorities on the internet, which are pre-programmed into most operating systems to be trusted. Internal CAs are trusted by the domain environment at your work, but not by anyone else. External (Internet) CAs are trusted by everyone.
If you want an example, open up IE (gross I know) and go to your options. Click the Content tab, then there should be a button labelled Certificates. Inside the Certificates window select Trusted Root Certification Authorities.
That is a list of all the built-in trusted CAs provided by Microsoft and the companies that govern the internet. "
I STILL have no idea how to fix it and to make the phone accept the certificate though.

bypass school router blocks

hey, I used to have a way around the school router blocks but I can't seem to remember what it was for the life of me. What it consisted of was an .exe that installed some software that allowed me to browse freely. I vaguely remember that the software had an icon on the taskbar that was kind of an earth with fire around it....maybe?
If you have any other good router/server bypasses then please let me know. .exe file execution is blocked everywhere except in the technology building at school. Preferably I would like to have something only requiring a flash drive or that can be done within IE or Chrome.
Do you mean that you are able to surf the internet but some websites, like Facebook for example, are blocked?
yukinok25 said:
Do you mean that you are able to surf the internet but some websites, like Facebook for example, are blocked?
yes exactly, often they have keywords that they block as well, (such as game, kill, black ops, etc). maybe a proxy would work? we used to have a couple good ones but they would eventually block it.
johnston9234 said:
yes exactly, often they have keywords that they block as well, (such as game, kill, black ops, etc). maybe a proxy would work? we used to have a couple good ones but they would eventually block it.
yes, a free proxy can be a solution in most cases, here try some in this list first:
http://www.publicproxyservers.com/proxy/list1.html
johnston9234 said:
hey, I used to have a way around the school router blocks but I can't seem to remember what it was for the life of me. What it consisted of was an .exe that installed some software that allowed me to browse freely. I vaguely remember that the software had an icon on the taskbar that was kind of an earth with fire around it....maybe?
If you have any other good router/server bypasses then please let me know. .exe file execution is blocked everywhere except in the technology building at school. Preferably I would like to have something only requiring a flash drive or that can be done within IE or Chrome.
To do this would require some form of exe to use a proxy via a specially setup browser, or admin rights to set the system proxy.
You will find that your IT admins will block the proxies you use (I have to block proxies at my work network when we detect them).
If implemented properly (any good professional IT admin should be able to do it right), you will struggle to tunnel out using most systems.
You can't ssh forward if they block non-standard ports, or filter protocols. You can't use SOCKS proxies if they do the same. You can't use web proxies if they use smart URL filtering.
You can try web proxies, but it's an uphill battle. If you find a proxy that works, don't tell your friends, as that usage across multiple accounts flags the URL in some security systems (my users alert me to the latest proxy sites unwittingly)
Finally, you do realise you are probably breaking the acceptable use agreement? Isn't it better to do facebook etc out of school hours? Or use your phone? If you get good at evading, it is easy to remove internet access altogether from an account in most systems. Good luck in tunnelling out when you have zero internet access as your account is null routed
Summary? Try proxies, don't hold your breath, and do you really need to use facebook etc in school? Oh, and for goodness sake, don't run exes on school PCs... If they've not set them up right, you could infect the machines. They prevent EXE execution on most machines for good reason...
pulser_g2 said:
To do this would require some form of exe to use a proxy via a specially setup browser, or admin rights to set the system proxy.
You will find that your IT admins will block the proxies you use (I have to block proxies at my work network when we detect them).
If implemented properly (any good professional IT admin should be able to do it right), you will struggle to tunnel out using most systems.
You can't ssh forward if they block non-standard ports, or filter protocols. You can't use SOCKS proxies if they do the same. You can't use web proxies if they use smart URL filtering.
You can try web proxies, but it's an uphill battle. If you find a proxy that works, don't tell your friends, as that usage across multiple accounts flags the URL in some security systems (my users alert me to the latest proxy sites unwittingly)
Finally, you do realise you are probably breaking the acceptable use agreement? Isn't it better to do facebook etc out of school hours? Or use your phone? If you get good at evading, it is easy to remove internet access altogether from an account in most systems. Good luck in tunnelling out when you have zero internet access as your account is null routed
Summary? Try proxies, don't hold your breath, and do you really need to use facebook etc in school? Oh, and for goodness sake, don't run exes on school PCs... If they've not set them up right, you could infect the machines. They prevent EXE execution on most machines for good reason...
This is a REALLY good explanation Pulser, I always liked the way you answer people on XDA! (especially on the Hero thread)
By the way, why would an .exe file infect a machine? Do you mean any kind of .exe? Even from a well known company, who creates safe and popular software?
I used to run, without telling anyone, Firefox Portable in my office to bypass firewall restrictions, is that dangerous as well?
Considering you are at school, you will lack a lot of needed rights to edit certain things. I would know, I had to get around blocks on both Windows and Mac computers my freshman year.
I would advise you use the software, Your Freedom, it's free, but requires an account, you will also need to use a browser such as Firefox, and edit the settings to use the correct IP and Port as a proxy.
It also works on both Mac's and PC's. There is another software that I had used, strictly for windows PC's, but I can't recall the name of it.
Edit: I also ran the software from my flash drive..
I have special access to .exe and Command Prompt just because of the position I am in as a student (several technical courses). I can execute files on my computer and I have Chrome installed. Does that help?
johnston9234 said:
I have special access to .exe and Command Prompt just because of the position I am in as a student (several technical courses). I can execute files on my computer and I have Chrome installed. Does that help?
What I did was to download Firefox Portable, you can google it (and if you want you can copy it to a USB drive).
If you go to Firefox's network settings, you can try to change the options in Advanced with "no proxy" or as wisefire said just write a proxy IP address with the correct port, you should be able to visit any website.
At least this was working flawlessly for me..
yukinok25 said:
This is a REALLY good explanation Pulser, I always liked the way you answer people on XDA! (especially on the Hero thread)
By the way, why would an .exe file infect a machine? Do you mean any kind of .exe? Even from a well known company, who creates safe and popular software?
I used to run, without telling anyone, Firefox Portable in my office to bypass firewall restrictions, is that dangerous as well?
Only a malicious exe would cause trouble...
But on a shared school network, who knows what the user before you used...
That's why I use disk freezing software on systems I run, and a forced reboot between logins, to give you a clean environment.
But while employees run portable firefox, what if they were to use it on another pc, and it had a virus, which infected the exe?
TBH, flash drives shouldn't be used in work environments, that were used outwith that environment... But that's not realistic in a school.
johnston9234 said:
I have special access to .exe and Command Prompt just because of the position I am in as a student (several technical courses). I can execute files on my computer and I have Chrome installed. Does that help?
Come on... Surely you ain't gonna abuse that privilege? You got it because you were trusted, not to work round the restrictions that are in your acceptable use policy...
yukinok25 said:
What I did was to download Firefox Portable, you can google it (and if you want you can copy it to a USB drive).
If you go to Firefox's network settings, you can try to change the options in Advanced with "no proxy" or as wisefire said just write a proxy IP address with the correct port, you should be able to visit any website.
At least this was working flawlessly for me..
That would work unless they filter out proxy traffic (you can often detect SOCKS proxies and other ones that are working using this method, or even block common ports like 8080)
Back in high school we used Ultrasurf and GPass. I liked GPass because it was really easy to hide from the taskbar and notification area.
pulser_g2 said:
Only a malicious exe would cause trouble...
But on a shared school network, who knows what the user before you used...
That's why I use disk freezing software on systems I run, and a forced reboot between logins, to give you a clean environment.
But while employees run portable firefox, what if they were to use it on another pc, and it had a virus, which infected the exe?
TBH, flash drives shouldn't be used in work environments, that were used outwith that environment... But that's not realistic in a school.
haha, All of my schools have used disk freezing software. I thought about putting it on my parent's computer so I don't have to work on it anymore.
Even though I generally don't work on it anymore and just have them call someone to work on it for them. hahah.
buttes said:
Back in high school we used Ultrasurf and GPass. I liked GPass because it was really easy to hide from the taskbar and notification area.
Back in my days in high school we just got the many different IT and librarian passwords/usernames and some teachers' passwords as well. Then we'd log in to them and download Kazaa (yeah, it was that long ago lol), and downloaded like a gig or two of old NES, SNES, SEGA, etc. ROMs and started passing them around to everyone. haha.
It got so bad that the school threatened expulsion for everyone that had the games on their user accounts because it was overloading their network and storage space.
For a while they were just searching for the ROMs' extensions and you could just go and change them to .txt and then change them back when you wanted to play them, but then they finally realized that the gig of space the ROMs took up was about 4 times the size of the data we were allowed to have and they could just sort the usernames by storage space usage.
The teacher's ones were fun to have though... it allowed you change some grades here and there...especially with my method of madness which I will not describe here. lol
pulser_g2 said:
That would work unless they filter out proxy traffic (you can often detect SOCKS proxies and other ones that are working using this method, or even block common ports like 8080)
So, I am really interested about this topic, is there anyway to bypass a restriction if they filter out the proxy traffic?
yukinok25 said:
So, I am really interested about this topic, is there anyway to bypass a restriction if they filter out the proxy traffic?
Hmmm... It's possible. If they use deep packet filtering it may be hard. But anything is possible...
I won't go into details, of getting round things, as it is my job to stop people getting round them, and I know a load of tricks, but look at the protocols in use in surfing - you need LDAP/AD to log into windows domain. Then you use DNS to resolve an IP (perhaps via a corporate web proxy). Then HTTP/HTTPS to access the page.
Now think what tools the domain admins might use to administer their network - RDP? SSH? Web services on high ports?
I think I've gone into enough detail for now... I can tunnel out almost any network these days, but I don't think it is sensible, wise, nor ethical to divulge this sort of thing.
pulser_g2 said:
Hmmm... It's possible. If they use deep packet filtering it may be hard. But anything is possible...
I won't go into details, of getting round things, as it is my job to stop people getting round them, and I know a load of tricks, but look at the protocols in use in surfing - you need LDAP/AD to log into windows domain. Then you use DNS to resolve an IP (perhaps via a corporate web proxy). Then HTTP/HTTPS to access the page.
Now think what tools the domain admins might use to administer their network - RDP? SSH? Web services on high ports?
I think I've gone into enough detail for now... I can tunnel out almost any network these days, but I don't think it is sensible, wise, nor ethical to divulge this sort of thing.
True, I agree with you Pulser, though I am really into this sort of thing recently.
I am eager to learn..
Could you please recommend me a book or something (not too advanced) that would help me to understand better LDAP/AD, DNS and everything about security and networking?
I obviously wanna learn just for myself and I definitely don't want to spread or divulge in anyway bad behaviors..
johnston9234 said:
hey, I used to have a way around the school router blocks but I can't seem to remember what it was for the life of me. What it consisted of was an .exe that installed some software that allowed me to browse freely. I vaguely remember that the software had an icon on the taskbar that was kind of an earth with fire around it....maybe?
If you have any other good router/server bypasses then please let me know. .exe file execution is blocked everywhere except in the technology building at school. Preferably I would like to have something only requiring a flash drive or that can be done within IE or Chrome.
If not previously mentioned, you're looking for "Tor", which comes in both installable packages or portable exe files that can be run off flash drives and includes a custom-made 'Mozilla Firefox' which comes preloaded with Tor and does not save any browsing information on your client machine, thus this program is completely anon when run from a flash drive.
www.torproject.org and you're looking for the Stable Portable Browser Bundle
Please thank me (click thanks) if this helped
really there is a simple way
use kon-boot and bypass admin password and change the settings
kylon said:
really there is a simple way
use kon-boot and bypass admin password and change the settings
not if he is on a school network, he would have to physically run kon-boot on the server itself which defeats the purpose because the server would already be logged in as an admin of some kind.
-correct me if I'm misunderstanding or have missed a key post somewhere-

Could Company Apps Setting Be Exploited In Some Way To Sideload Homebrew Apps?

Forgive my noobness if this sounds stupid but I was looking at the company apps setting on my Lumia 928 and was wondering if it could be exploited in any way as far as sideloading homebrew? Out of curiosity, not that I expected it to work, I emailed myself a .xap file and got an error saying there was something wrong with my company app and to contact the company's support person. So I went to company app settings and it asks for email, password, username, domain, and server, but does it actually check the authenticity of the domain and/or server for a legitimate company, or could someone simply set up a server hosting .xap files to be downloaded simply by registering and logging in with these settings? I even wondered if I simply used this info from the email server whether it would install through email, but that seems too simple and I haven't messed with it.
tonbonz said:
Forgive my noobness if this sounds stupid but I was looking at the company apps setting on my Lumia 928 and was wondering if it could be exploited in any way as far as sideloading homebrew? Out of curiosity, not that I expected it to work, I emailed myself a .xap file and got an error saying there was something wrong with my company app and to contact the company's support person. So I went to company app settings and it asks for email, password, username, domain, and server, but does it actually check the authenticity of the domain and/or server for a legitimate company, or could someone simply set up a server hosting .xap files to be downloaded simply by registering and logging in with these settings? I even wondered if I simply used this info from the email server whether it would install through email, but that seems too simple and I haven't messed with it.
This would work, but there's a lot you have to do to set it up:
There are some general steps that companies must follow to establish a company account, enroll devices, and distribute apps to their enrolled devices. The following sections provide an overview of this process:
1. The company registers a company account on Windows Phone Dev Center and acquires an enterprise certificate from Symantec.
2. The company creates an application enrollment token (AET).
3. The company develops a Company Hub app.
4. The company prepares their apps for distribution.
5. Employees (or other users) enroll for company app distribution on their phones and install the company apps by using the Company Hub app.
You have to use Intune Director. Companies have to register with Windows Phone Dev and acquire an enterprise cert. This *could* be a way to install homebrew apps, but it'd be easier if there was some kind of workaround.
more info here..
http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206943(v=vs.105).aspx
Thanks aclegg2011 and my apologies to the Forum Administrator as I just saw a similar post in a different section.

Stupid Simple Interop Unlock?

While I was writing and testing a WP 8 web app, I had it connected via wifi to Fiddler2. When I plugged my Dev Unlocked HTC 8x into my computer, the phone "dialed out" to https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/01/2010/DeviceStatus?deviceId=deviceid&fulldDeviceId=fulldeviceid The response is an XML packet that tells the phone how many days are left of being DeveloperUnlocked as well as the number of apps that are allowed!
This request/response sequence happens EVERY time I plug my developer unlocked Windows Phone 8 into the USB port of my Dev PC and PIN unlock it.
Keep in mind I installed the root cert that Fiddler generated for my PC a while back, so it can decrypt HTTPS traffic to/from my phone.
If anyone knows what the integer equivalent of "that magic DWORD value" is, I will craft a custom response packet and see if it changes anything.
Please see the attached screenshot for proof!
Edit:
So I did try GoodDayToDie's xaps and it looks like increasing the value from 10 to 2147483647 (I think it's the integer equivalent to 0x7FFFFFFF) didn't have any effect that I could see. The InteropCapNoOem xap fails to deploy with error code 0x81030120. This error code normally means you are NOT interop unlocked back in the WP7 days. The OemCapsNoInterop.xap file generates an error telling me to "fix the Capabilities in [the] WMAppManifest.xml file."
I wonder if I can sideload more than 10 apps now though?
Maybe we can figure out what app is generating this "call home" and see if there are any other funky things we can stick in the xml tree?
Whoa. I could have sworn they were using cert pinning for that. I'll investigate, though...
EDIT: Couldn't get that connection request even showing up on my work computer. Will try from home.
Here is the service operations page:
https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/help and (according to the API) the DeviceStatus call doesn't have a fullDeviceId={FULLDEVICEID} parameter.
BTW, compu829, what is the fullDeviceId parameter, what does it look like?
Wait... You could change the value on the phone? That's a huge improvement. I'm stuck with only 3 apps (stupid dreamspark) and desperately need more!
This is a great find! I, unfortunately have never seen this happen though. Do you happen to know if you had the WP Device Registration program or the Application Deployment program running at the time?
EDIT: I've been debugging multiple apps with Fiddler up and proxy on my phone and I haven't noticed this. I see it now. I feel stupid lol. Time to play around.
EDIT 2: Microsoft does NOT like when you have fiddler intercepting on Registration. It returns a success result, but the developer registration tool gives an error indicating that it cannot connect to the phone. Grrr and after I went through the work of changing the response value for the number of apps that can be sideloaded. I bet this is a timing thing... I'll see what I can do.
I don't think it's timing. Even if I left the request completely unmodified and just ran it through the proxy to watch the process, the tool said that there was a problem, and the phone did not get unlocked. They're either testing for the presence of a proxy somehow, or there's some side channel that *is* using cert pinning, and is therefore unable to connect through Fiddler.
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
On my phone, I noticed it AFTER I had developer unlocked it. More concrete steps on what I did to reproduce:
1. On test PC, Installed Fiddler.
2. On test PC, exported trusted root certificate that Fiddler installed.
3. Emailed certificate to my phone and installed it.
4. Now enable the proxy on the phone. Things like email, Windows Phone Updates, etc will now work normally!
5. Plug phone in to Visual Studio Development PC, and wait for the PC to detect the device.
6. You will see the phone "dial out".
Without installing the Fiddler trusted root certificate, you will see the handshake, but the phone doesn't know what to do with the packet because the certificate generated by Fiddler is untrusted.
Using this same technique, you can have some serious fun with Windows Updates
GoodDayToDie said:
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
see last post Are you guys installing the trusted root certificate on your phone?
compu829 said:
see last post Are you guys installing the trusted root certificate on your phone?
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc. but it just hates it when dev unlocking the phone. Which other trusted root cert are you speaking about?
more detailed instructions
snickler said:
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc. but it just hates it when dev unlocking the phone. Which other trusted root cert are you speaking about?
This is what I did:
On Development PC:
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, click Add, select current user, and then click Finish.
4. Click OK to close the Add/Remove Snap-in dialog.
5. In the left-hand pane navigate to "Trusted Root Certification Authorities" --> "Certificates"
6. In the right-hand pane, look for the certificates labeled "DO_NOT_TRUST_FiddlerRoot" (I have two for some reason, you may only have 1).
7. Right-click on the certificate and go to "All Tasks" --> "Export".
8. Run through the certificate export wizard, leaving everything as the defaults.
9. Once you have exported your certificates, email them as attachments to your Windows phone.
10. Open the email on your Windows Phone. Click on the certificate file and wait for it to process. Then when prompted, install it.
11. After that, any https traffic that you intercept/edit will go through as trusted to your Windows phone, provided that the application isn't expecting a specific certificate.
Things this made work:
1. all App communications over https
2. Windows Updates
3. all email accounts.
4. App Store communications (except for actually downloading apps, IIRC).
Things that didn't work:
1. Anything that requires certificate pinning as the certificate is embedded within the app. Therefore it doesn't make a call into the trusted root certificate store. I believe this includes running the actual "Developer Unlock" app.
If you place the following code in the "OnBeforeResponse" section of the CustomRules.js file, you should be able to install more than 3 or 10 apps, provided the program that is "phoning home" isn't using certificate pinning.
Code:
oSession.utilDecodeResponse();
oSession.utilReplaceInResponse("AppsAllowed>10</","AppsAllowed>400</");
... These are steps that have already been taken. You actually did even more steps than necessary. All you have to do is point to your computer's IP address and port that Fiddler is running on within IE Mobile (make sure Remote IP access in Fiddler is enabled), click on the certificate and it will install on the phone. You'll be able to see the requests from the phone. Everything you listed above is what I've been able to do. Nothing different from what I was saying.
@compu829: Yes, of course I am. If I weren't, it wouldn't be possible to edit that value at all; I wouldn't even see it because the TLS handshake would fail... (FWIW, I work with proxies all the time, usually Burp Suite not Fiddler, but in any case I'm quite familiar with setting up the MitM certs). I do wonder whether there's something changed here (GDR2 change, maybe?) because I could have sworn that intercepting the phone's traffic during unlock didn't work at all before (presumably due to cert pinning). I may be mistaken, though.
In any case, it still doesn't *actually* work. I guess I could try invisible proxying - use ARP spoofing or a custom routing rule on the router to send the data through my PC, and capture/modify it there, without revealing the presence of a proxy - but I don't know if that's the issue or if it's something else entirely.
EDIT: Your steps are way more complex than needed. For example, you can export the root cert from Fiddler by going to Tools menu (in Fiddler) -> Fiddler Options -> HTTPS.
whoops lol. Oh well. I didn't realize it was so easy to export/Import!
Anyways, all I know is that I could pretty much do nothing on my phone when I connected it to the proxy until I emailed myself the root cert. Once I did that, email started flowing, apps started working, and Windows Updates stopped erroring out.
It is entirely possible that whatever is generating the call is silently rejecting the response packet. I was just shocked when I plugged my phone in to see that packet show up.
I know that Windows Updates lets me modify the requests and responses without complaining, so maybe that is another way in? I assume that must be running elevated lol. Maybe we can get it to launch a background app that is already on the phone.
The way I see it, this will only work temporarily. Next time phone dials home without you running the Fiddler it will reset the AppsAllowed value. Am I right?
@amaric: If you'd actually read the thread, you'd see that it doesn't appear to work at all...
But yes, it would probably reset itself too. We don't have the ability (right now) to edit the registry keys which control that phone-home behavior. However, it might be / have been possible to do that if we had interop-unlock...
On the phone there is the file "PhoneReg.exe", which works with this data, and it checks the certificate Common Name (must be Microsoft...) and Thumbprint against hardcoded data.
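As an added illustration (not code from this thread, from Microsoft, or from Fiddler) of why a proxy's re-issued certificate fails the CN-plus-thumbprint check described above even when the proxy's root is installed: the hostname, both certificates and the pin are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SelfSigned builds a throwaway self-signed certificate for the given Common
// Name. Constructed test data only, not a real Microsoft or Fiddler certificate.
func SelfSigned(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: test data only
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Thumbprint is the SHA-1 of the DER encoding (the Windows "Thumbprint") as lowercase hex.
func Thumbprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha1.Sum(c.Raw))
}

// PinnedOK applies the check the thread attributes to PhoneReg.exe: the server
// certificate must carry the expected CN and its thumbprint must equal the
// hardcoded pin. The trust store is never consulted, so a user-installed root
// such as DO_NOT_TRUST_FiddlerRoot cannot make a re-issued certificate pass.
func PinnedOK(c *x509.Certificate, wantCN, pin string) bool {
	return c.Subject.CommonName == wantCN && Thumbprint(c) == pin
}

func main() {
	cn := "developerservices.windowsphone.com"
	genuine := SelfSigned(cn)  // stands in for the real server certificate
	pin := Thumbprint(genuine) // the value compiled into the client
	proxied := SelfSigned(cn)  // same CN, as an intercepting proxy re-issues it
	fmt.Println("genuine:", PinnedOK(genuine, cn, pin)) // true
	fmt.Println("proxied:", PinnedOK(proxied, cn, pin)) // false: CN matches, thumbprint does not
}
```

This is also why the trusted-root import steps earlier in the thread make ordinary HTTPS work but leave the registration check untouched: a CN match alone is not what the pinned client compares.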
Didn't ChevronWP7 work exactly like this until MS fixed the bug in NoDo?
@snickler, @GoodDayToDie
There is something I can't get out of my head...after the Ativ S devices are interop unlocked, they'd "reset" after a while until we made them stop phoning home...This means that somehow Microsoft is associating the phone's device ID with your interop level...is this something done purely server side, or is there a way to maybe send this info TO Microsoft's servers so they can send the info back to our phones? Just a thought....
That's an interesting research question; we can set the URLs which are used to make those "phone home" checks to a site we control, possibly use HTTP instead of HTTPS, and see if they work. Worst case, cert pinning will cause the connection attempt to fail and we're right where we are now; best case, it's... umm, well it's interesting, but I don't see any likelihood of actually getting *additional* permissions out of this. Still, I've been wrong about things like that before. Somebody want to set up a transparent HTTP -> HTTPS proxy to listen for the request, forward it, record the response and forward it?