Faking OTA updates to rollback to an earlier version - Fire General

Disclaimer: I haven't confirmed if this actually works or not and I'm not really too smart with these things, but I am a programmer.
So I was talking to my friends about rolling back to root on my Fire 7 (2015) 5th generation and a little thought came into my head for the later versions that you can't root: what if you faked an OTA update to roll back? I can't go into much detail on how to do this, but an idea was creating a router filter to redirect all Amazon OTA servers to your own local OTA server. (This would probably cause certificate issues to arise, since Fire OS probably checks a security certificate before downloading and installing the update.)
These ideas would only work if the rollback protection relied on OTA updates to tell it what's a rollback and what's real, so if it doesn't, then this won't work.
What do you all think?

OTAs have to be signed. You don't have the private key.
Even if you might "inject" an OTA as MITM, you couldn't roll back unless you rewrite the initial loader, to disable the anti-rollback measures built into the bootloader files (all three of them) - or manage to erase the RPMB which stores the anti-rollback version information (nobody knows whether this would brick or free the device).
So there are at least two minor obstacles on your path. Watch your step.
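
Added example (not part of the original posts, and not Amazon's code): a simplified Python model of the two checks named in the reply above, a signature over the package and a stored anti-rollback version. The toy RSA key, the `Ota` and `Device` classes and the version numbers are all constructed for illustration; `stored_version` only stands in for the value the reply says is kept in RPMB.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy RSA key built from two Mersenne primes so the example needs
# only the standard library. Textbook RSA without padding: for illustration,
# not secure, and not any vendor's real key or scheme.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                      # public key, baked into the device
_D = pow(E, -1, (_P - 1) * (_Q - 1))       # private key, never leaves the vendor


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


@dataclass(frozen=True)
class Ota:
    version: int      # anti-rollback version, covered by the signature
    payload: bytes
    signature: int

    def signed_bytes(self) -> bytes:
        return self.version.to_bytes(4, "big") + self.payload


def vendor_sign(version: int, payload: bytes) -> Ota:
    """What only the holder of the private key can do."""
    body = version.to_bytes(4, "big") + payload
    return Ota(version, payload, pow(_digest(body), _D, N))


class Device:
    def __init__(self, stored_version: int):
        # Stands in for the version kept in RPMB; it only ever increases.
        self.stored_version = stored_version

    def apply(self, ota: Ota) -> str:
        # Check 1: signature over version + payload with the built-in public key.
        if pow(ota.signature, E, N) != _digest(ota.signed_bytes()):
            return "rejected: bad signature"
        # Check 2: anti-rollback, independent of where the file came from.
        if ota.version < self.stored_version:
            return "rejected: rollback"
        self.stored_version = ota.version
        return "installed"


def run_scenarios() -> dict:
    device = Device(stored_version=5)
    old = vendor_sign(3, b"older system image")      # genuine, validly signed
    new = vendor_sign(6, b"newer system image")
    relabelled = Ota(9, old.payload, old.signature)  # version field edited
    patched = Ota(6, b"modified system image", new.signature)
    return {
        "old OTA served from a local server": device.apply(old),
        "old OTA with the version bumped": device.apply(relabelled),
        "new OTA with a modified payload": device.apply(patched),
        "genuine new OTA": device.apply(new),
        "stored version afterwards": device.stored_version,
    }


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(f"{case}: {result}")
```

Redirecting the download only changes where the bytes come from; both checks run on the device against state the network cannot reach.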

steve8x8 said:
OTAs have to be signed. You don't have the private key.
Even if you might "inject" an OTA as MITM, you couldn't roll back unless you rewrite the initial loader, to disable the anti-rollback measures built into the bootloader files (all three of them) - or manage to erase the RPMB which stores the anti-rollback version information (nobody knows whether this would brick or free the device).
So there are at least two minor obstacles on your path. Watch your step.
I've been trying to modify official Amazon APKs to trick them into thinking they are reinstalling themselves or installing an update. The main focus is /system/priv-app/FireTabletSettings. I have been trying to decompile (success, using APKtool...I think...), edit res/xml/development (I don't recall the rest of the file extension offhand but it's the only xml in that folder with development) to allow the OEM unlock option to appear in settings (half success. Not sure what I am supposed to edit the code to but I can edit it) then reinstall the apk.
1) I don't know what to edit to make that setting appear, so I changed what I thought would.
2) I sent it back to internal storage and installed from there. Success. I was able to at least get it to "install"
3) Reinstallation didn't hold. No effect.
4) Tried adb sideload from recovery, installation aborted. Signature verification failed.
So not sure if I have anything or nothing.
EDIT NOTE: Prior to using APKtool, I would make small changes using other ways, and try to reinstall from internal storage, and each time the file was rejected. So I know APKtool works, but what I am doing clearly isn't correct.

DragonFire1024 said:
I've been trying to modify official Amazon APKs to trick them into thinking they are reinstalling themselves or installing an update. The main focus is /system/priv-app/FireTabletSettings. I have been trying to decompile (success, using APKtool...I think...), edit res/xml/development (I don't recall the rest of the file extension offhand but it's the only xml in that folder with development) to allow the OEM unlock option to appear in settings (half success. Not sure what I am supposed to edit the code to but I can edit it) then reinstall the apk.
1) I don't know what to edit to make that setting appear, so I changed what I thought would.
2) I sent it back to internal storage and installed from there. Success. I was able to at least get it to "install"
3) Reinstallation didn't hold. No effect.
4) Tried adb sideload from recovery, installation aborted. Signature verification failed.
So not sure if I have anything or nothing.
EDIT NOTE: Prior to using APKtool, I would make small changes using other ways, and try to reinstall from internal storage, and each time the file was rejected. So I know APKtool works, but what I am doing clearly isn't correct.
You didn't give me credit for the idea, next time do.

savvytechwinner said:
You didn't give me credit for the idea, next time do.
Sorry was just a general post. Yes you have been more than a big help. I just am not sure if this will work. As good of an idea as it is...

DragonFire1024 said:
I've been trying to modify official Amazon APKs to trick them into thinking they are reinstalling themselves or installing an update. The main focus is /system/priv-app/FireTabletSettings. I have been trying to decompile (success, using APKtool...I think...), edit res/xml/development (I don't recall the rest of the file extension offhand but it's the only xml in that folder with development) to allow the OEM unlock option to appear in settings (half success. Not sure what I am supposed to edit the code to but I can edit it) then reinstall the apk.
1) I don't know what to edit to make that setting appear, so I changed what I thought would.
2) I sent it back to internal storage and installed from there. Success. I was able to at least get it to "install"
3) Reinstallation didn't hold. No effect.
4) Tried adb sideload from recovery, installation aborted. Signature verification failed.
So not sure if I have anything or nothing.
EDIT NOTE: Prior to using APKtool, I would make small changes using other ways, and try to reinstall from internal storage, and each time the file was rejected. So I know APKtool works, but what I am doing clearly isn't correct.
Inspired by this idea, I decided to try my hand at things. The place to make the edits is going to be in the smali decompiled Dalvik instructions. I identified a number of locations that could potentially be modified to allow the OEM Unlock switch to appear in the developer settings, such as the following:
Code:
# Taken from smali/com/amazon/settings/DevelopmentSettings$4.smali, starting at line 61
.method public getNonIndexableKeys(Landroid/content/Context;)Ljava/util/List;
.locals 2
.param p1, "context" # Landroid/content/Context;
.annotation system Ldalvik/annotation/Signature;
value = {
"(",
"Landroid/content/Context;",
")",
"Ljava/util/List",
"<",
"Ljava/lang/String;",
">;"
}
.end annotation
.prologue
.line 1777
invoke-direct {p0, p1}, Lcom/android/settings/DevelopmentSettings$4;->isShowingDeveloperOptions(Landroid/content/Context;)Z
move-result v1
if-nez v1, :cond_1
.line 1778
const/4 v0, 0x0
.line 1785
:cond_0
:goto_0
return-object v0
.line 1781
:cond_1
new-instance v0, Ljava/util/ArrayList;
invoke-direct {v0}, Ljava/util/ArrayList;-><init>()V
.line 1782
.local v0, "keys":Ljava/util/List;, "Ljava/util/List<Ljava/lang/String;>;"
# invokes: Lcom/android/settings/DevelopmentSettings;->showEnableOemUnlockPreference()Z
invoke-static {}, Lcom/android/settings/DevelopmentSettings;->access$400()Z
move-result v1
######### BEGIN MODIFICATION ##########
# Commenting out this line should add the oem_unlock_enable key to the list of menu entries to show regardless of the method call above
# if-nez v1, :cond_0
######### END MODIFICATION ##########
.line 1783
const-string v1, "oem_unlock_enable"
invoke-interface {v0, v1}, Ljava/util/List;->add(Ljava/lang/Object;)Z
goto :goto_0
.end method
I was hoping that this would get the OEM unlock switch to show up in the Developer Settings. There were a couple of other modifications that I tried as well. I was able to recompile the APK and supposedly install it on my tablet, but I don't believe the installation was actually succeeding. None of the changes I tried to make had any effect, and when I copied back the supposedly updated APK and decompiled it again, none of my changes were there.
Anyway, that's just my $0.02 from a first attempt at tackling this issue. Editing the smali code would be the way to go in my book, but I'm guessing that FireTabletSettings won't actually take the update in this fashion.

I was hoping that this would get the OEM unlock switch to show up in the Developer Settings. There were a couple of other modifications that I tried as well. I was able to recompile the APK and supposedly install it on my tablet, but I don't believe the installation was actually succeeding. None of the changes I tried to make had any effect, and when I copied back the supposedly updated APK and decompiled it again, none of my changes were there.
Anyway, that's just my $0.02 from a first attempt at tackling this issue. Editing the smali code would be the way to go in my book, but I'm guessing that FireTabletSettings won't actually take the update in this fashion.
If I had to guess, without being totally bummed, I would put some money on the signature and maybe even properly decompiling an apk still messes with it. I think the fact we can even get the apks to "install" means we're half right or at least have the right idea.

DragonFire1024 said:
If I had to guess, without being totally bummed, I would put some money on the signature and maybe even properly decompiling an apk still messes with it. I think the fact we can even get the apks to "install" means we're half right or at least have the right idea.
You do realize that this type of generic vulnerability, if it actually existed, would have been exploited long ago by those with the technical background to easily move around the obstacles you are facing. Just sayin'.

Davey126 said:
You do realize that this type of generic vulnerability, if it actually existed, would have been exploited long ago by those with the technical background to easily move around the obstacles you are facing. Just sayin'.
Perhaps. Doesn't mean we can't at least try. Beats sitting around waiting for root, which seems less likely as the days go on. Computers have one sure thing in common with every other manufactured item on the planet: Humans built them. We're smart, but we're also dumb or at least we do dumb things, not necessarily intentionally. So that being said, with every update there's a chance for a mistake. All it takes is the smallest one.
On that note...How about this. I'll just come out and say it instead of hinting. Would it be possible, through editing an APK of an app such as Ice Box - Apps freezer and elevate its permissions and or activities in order to get it the access it needs to do its job, without root? In other words, it needs to be device owner and that's just not going to happen I don't think. I've tried literally every trick I can track down on the web. The only way to provision them again would be through ADB. Since Amazon has blocked NFC from functioning (which is weird because I thought Bluetooth relied on NFC or parts of it to function), that avenue is out of the question.
There are two things I have yet to try because of the time I need, which I could do in the next two days. I'll write a quickie if anyone is interested. It would require Android Studio as you would be importing from GitHub and compiling a program/app.
EDIT: In this case we really don't have to worry about signatures. As long as it's resigned after editing, the app would still, theoretically, install. Whether it would work or not is another story.
---------- Post added at 11:46 AM ---------- Previous post was at 11:13 AM ----------
Ok So I just did a quick glance at the Android.Manifest of Ice Box. It requires certain permissions in order to perform its functions, without root. I am going to paste two things below. I might be wrong so follow me for a second.
1). Android.Manifest lists the permissions each app asks for when you install it. If you go through play store, those are usually listed when it asks you to 'accept.' If not, you've already installed the app once and its settings were saved. It also lists permissions it asks for, but doesn't get? I don't know maybe that's the wrong way of saying it. Below is the permission list:
Code:
<?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.catchingnow.icebox" platformBuildVersionCode="25" platformBuildVersionName="7.1.1">
<permission android:label="@string/e_" android:name="com.catchingnow.icebox.MODIFY_APP_STATE" android:protectionLevel="dangerous"/>
<uses-permission android:name="com.android.vending.BILLING"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.USE_FINGERPRINT"/>
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
Nothing too serious right? Well below is a list of permissions, that aren't listed above, but are listed as being required for certain other functions to be able to take place, according to Google anyways. Below are those permissions???
Code:
<receiver android:description="@string/ce" android:label="@string/gi" android:name="com.catchingnow.icebox.receiver.DPMReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
<meta-data android:name="android.app.device_admin" android:resource="@xml/g"/>
<intent-filter>
<action android:name="android.app.action.PROFILE_PROVISIONING_COMPLETE"/>
<action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
<action android:name="android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"/>
<action android:name="android.app.action.DEVICE_ADMIN_DISABLED"/>
</intent-filter>
</receiver>
<receiver android:exported="true" android:name="com.catchingnow.icebox.receiver.FreezeActionReceiver">
<intent-filter>
<action android:name="com.catchingnow.icebox.FREEZE_APP"/>
</intent-filter>
<intent-filter>
<action android:name="com.twofortyfouram.locale.intent.action.FIRE_SETTING"/>
</intent-filter>
</receiver>
<receiver android:enabled="false" android:exported="true" android:name="com.catchingnow.icebox.receiver.InstallNewAppReceiver">
<intent-filter>
<action android:name="android.intent.action.PACKAGE_ADDED"/>
<data android:scheme="package"/>
</intent-filter>
</receiver>
<receiver android:exported="true" android:name="com.catchingnow.icebox.receiver.AppStateChangeReceiver">
<intent-filter>
<action android:name="android.intent.action.PACKAGE_ADDED"/>
<action android:name="android.intent.action.PACKAGE_CHANGED"/>
<action android:name="android.intent.action.PACKAGE_REMOVED"/>
<data android:scheme="package"/>
</intent-filter>
</receiver>
<receiver android:exported="true" android:label="@string/da" android:name="com.catchingnow.icebox.receiver.StartupReceiver">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/>
<data android:scheme="package"/>
</intent-filter>
</receiver>
Those seemed to be the most important. There are a few others:
Code:
<service android:icon="@drawable/ca" android:label="@string/eh" android:name="com.catchingnow.icebox.service.QuickSettingService" android:permission="android.permission.BIND_QUICK_SETTINGS_TILE" android:process=":Service">
<intent-filter>
<action android:name="android.service.quicksettings.action.QS_TILE"/>
</intent-filter>
</service>
<service android:enabled="true" android:exported="true" android:label="@string/d7" android:name="com.catchingnow.icebox.service.LauncherObserverService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE" android:process=":Service">
<intent-filter>
<action android:name="android.accessibilityservice.AccessibilityService"/>
</intent-filter>
<meta-data android:name="android.accessibilityservice" android:resource="@xml/a"/>
</service>
<service android:label="@string/d_" android:name="com.catchingnow.icebox.service.NotificationObserverService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" android:process=":Service">
<intent-filter>
<action android:name="android.service.notification.NotificationListenerService"/>
</intent-filter>
What if those "permissions" were added at the very top with the rest?

DragonFire1024 said:
Perhaps. Doesn't mean we can't at least try. Beats sitting around waiting for root, which seems less likely as the days go on. Computers have one sure thing in common with every other manufactured item on the planet: Humans built them. We're smart, but we're also dumb or at least we do dumb things, not necessarily intentionally. So that being said, with every update there's a chance for a mistake. All it takes is the smallest one.
Say it again - this type of attack vector (and the permission exploit outlined in the previous post) has virtually no chance of succeeding. Suggest reading up on basic security principles utilized by operating systems in general and Android in particular to protect against such obvious permission escalations.

Davey126 said:
Say it again - this type of attack vector (and the permission exploit outlined in the previous post) has virtually no chance of succeeding. Suggest reading up on basic security principles utilized by operating systems in general and Android in particular to protect against such obvious permission escalations.
You're not helping at all. Thinking that if it hasn't happened in the past means that it will never happen in the future is ridiculous. Sure, I see your point but telling everyone not to try things most people haven't ever tried before because they're not "professional" is rude. You could help or just butt out instead of saying it won't work. Even if it won't or you think it won't work, you don't even have the urge to even try Dave. I'll say it again, let people try and fail or succeed, instead of saying it won't work.

savvytechwinner said:
You're not helping at all. Thinking that if it hasn't happened in the past means that it will never happen in the future is ridiculous. Sure, I see your point but telling everyone not to try things most people haven't ever tried before because they're not "professional" is rude. You could help or just butt out instead of saying it won't work. Even if it won't or you think it won't work, you don't even have the urge to even try Dave. I'll say it again, let people try and fail or succeed, instead of saying it won't work.
Sigh - have at it. It would be great to see that energy directed at more plausible exploits which require an understanding of likely vulnerabilities. On a positive note I'm sure you are learning quite a bit which ultimately may lead to a deeper interest in information security. It's a great profession.

Davey126 said:
Say it again - this type of attack vector (and the permission exploit outlined in the previous post) has virtually no chance of succeeding. Suggest reading up on basic security principles utilized by operating systems in general and Android in particular to protect against such obvious permission escalations.
I am very much aware of what you are saying. And I am sure the same goes the other way.
---------- Post added at 11:33 PM ---------- Previous post was at 11:28 PM ----------
Davey126 said:
Sigh - have at it. It would be great to see that energy directed at more plausible exploits which require an understanding of likely vulnerabilities. On a positive note I'm sure you are learning quite a bit which ultimately may lead to a deeper interest in information security. It's a great profession.
We need scripts. There are none. I have no clue how you create them. Do you? There are a dozen or so we could try but no one who has been commenting, can write any. I'd be more than happy to do so if I knew how. Until then, we have to make do with what we can think of. Trying never hurt anyone.

DragonFire1024 said:
I am very much aware of what you are saying. And I am sure the same goes the other way.
We need scripts. There are none. I have no clue how you create them. Do you? There are a dozen or so we could try but no one who has been commenting, can write any. I'd be more than happy to do so if I knew how. Until then, we have to make do with what we can think of. Trying never hurt anyone.
Scripts aren't the issue. But as you said (in so many words) we agree to disagree on the viability of this effort. Best of luck.

Davey126 said:
Scripts aren't the issue. But as you said (in so many words) we agree to disagree on the viability of this effort. Best of luck.
Sure. I doubted it would work when we first suggested it. I knew it was a long shot. But to try is to learn. I have other things I'm trying to work on. So as bummed as I am, there is other work to be done.
Anyone have a chance to look over the Ice Box permissions? Is there an avenue there to at least get it to work?

Can we focus back on the device *hardware*?
Here's a number of questions I couldn't find consistent answers to:
Did anyone, with any device, ever succeed in corrupting the RPMB partition, by accident or on purpose?
Did anyone, for any MTK device, have a closer look at RPMB access from what we call "the bootloader" (i.e. little kernel, preloader, or tz), and which checks are performed in terms of anti-rollback *and* consistency of contents? (I remember a few names for the latter, but did we actually learn anything beyond the text of the patent application?)
There has been a suggestion that A*n wouldn't throw away a Fire with a bad flash, but AFAIK there's no JTAG. Anything else close to that?
For another device, there was a - USB? SDcard? HDMI? - JTAG adapter. Could this work, and if so, how?
Would it be possible to boot "something" from the SDcard, signed or unsigned? (Any hints in console logs?)

steve8x8 said:
Can we focus back on the device *hardware*?
Here's a number of questions I couldn't find consistent answers to:
Did anyone, with any device, ever succeed in corrupting the RPMB partition, by accident or on purpose?
Did anyone, for any MTK device, have a closer look at RPMB access from what we call "the bootloader" (i.e. little kernel, preloader, or tz), and which checks are performed in terms of anti-rollback *and* consistency of contents? (I remember a few names for the latter, but did we actually learn anything beyond the text of the patent application?)
There has been a suggestion that A*n wouldn't throw away a Fire with a bad flash, but AFAIK there's no JTAG. Anything else close to that?
For another device, there was a - USB? SDcard? HDMI? - JTAG adapter. Could this work, and if so, how?
Would it be possible to boot "something" from the SDcard, signed or unsigned? (Any hints in console logs?)
1) I don't think so, but if so, it's buried deep in the threads here. I've been hanging around for like 8 months or something and I've never seen anything.
2) I've seen bits here and there re bootloader. I don't think anything was done beyond the general peek-a-boo, but again, it would be buried. But yes I do recall something.
3) No idea what JTAG is.
I had an idea a while back, if it would be possible to install say a Linux OS over the top of the current OS, aka alongside, without root using an SDcard or something.
I also thought about USB OTG, which I asked in the HD 8 forums. I've read it's possible to hack one android with another, providing you have a USB OTG cable. There are some available online and I know that both my XT907 phone and my tablet support USB OTG (There are several apps to test if OTG is available on your device).
There is also the option of still trying to get device owner status back. I've tried just about everything I can to try and get it back. Only thing I can do is make the tablet CPU happy that I used ADB to issue admin status to Ice Box (yes I am aware I can do that in settings. I thought ADB would have more of an authority effect). I have NOT yet tried:
-Test Device Policy Control (Test DPC) App. Requires Android Studio and Gradlew.
-Supposedly when you factory reset, at the language select screen, the first screen you can interact with, you can use ADB to provision an app for device owner. See number 2 here, though this link is helpful all around.
-Merge "Set device admin on dpm set-device-owner command" into lmp-dev
-Android Shell Tricks: Using Mass Provisioning as an Example, Part 3
-Admin - On Google.

DomenicP said:
I was hoping that this would get the OEM unlock switch to show up in the Developer Settings. There were a couple of other modifications that I tried as well. I was able to recompile the APK and supposedly install it on my tablet, but I don't believe the installation was actually succeeding. None of the changes I tried to make had any effect, and when I copied back the supposedly updated APK and decompiled it again, none of my changes were there.
Anyway, that's just my $0.02 from a first attempt at tackling this issue. Editing the smali code would be the way to go in my book, but I'm guessing that FireTabletSettings won't actually take the update in this fashion.
Also, for the signature I am sure you have to install the framework into APKtool. Not even sure if I am installing the right one. But pull and install:
Code:
adb pull /system/framework/framework-res.apk /xxx
(x being the apktool directory. I found it helpful to copy and paste ADB into APKtool directory as well).
Code:
apktool if framework-res.apk
That installs the Amazon framework into APKtool as a basis to decompile and build. The reference to installing the framework is here along with other instructions.

I think we were doing this wrong...well not wrong, but not right. If you read the link above regarding framework, you'll see, we haven't been resigning the APKs. Somehow the signature needs to be replaced into the APK and I don't think APKtool is doing that. If that's the case, we're just missing signature files. So we would have to resign them. See this reference on how we are to resign APKs.
In /data/system, is the hexdump of both the private and public keys of apps you installed onto your device. I still haven't figured that part out. It also contains other info such as permissions.
/data/system/packages.list contains the list of installed packages.
/data/system/packages.xml contains the list of permissions per package their issuer and many more
These files are created by com.android.server.PackageManagerService.Settings.writeLP().
The first contains 4 fields: the package name, the user id for the package, a flag (1 means debuggable) and the data dir of the packages.
The second file, packages.xml, is more complex. It describes known permissions, packages and their signatures.
And there's this as well:
By default build/target/product/security will contain a set of pre-generated certificates that are used for signing
packages in the platform. Prior to releasing a device these keys must be replaced as having access to these keys gives
people access to the whole platform.
And here is an example of a packages.xml file and its private keys.

In other words, if you have a rooted device, try to install any of the Amazon APKs we've been trying to modify. If you can, you'll be able to go to packages.xml and get the signatures.
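
Added example (not from the original posts or from AOSP): a Python sketch that reads the two files described above and models the signature comparison the package manager makes when an APK claims to update an installed package. In packages.xml the `key` attribute of a `<cert>` element holds the hex of the signer's X.509 certificate, which is public data; the short hex strings, package names and the `check_install` helper below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the packages.xml layout. Real key="" values are the
# full hex of a DER X.509 certificate; these are short placeholders.
SAMPLE_PACKAGES_XML = """<packages>
  <package name="com.example.settings" codePath="/system/priv-app/ExampleSettings" sharedUserId="1000">
    <sigs count="1"><cert index="0" key="3082aa01" /></sigs>
  </package>
  <package name="com.example.launcher" codePath="/system/priv-app/ExampleLauncher" userId="10012">
    <sigs count="1"><cert index="0" /></sigs>
  </package>
  <package name="com.example.freezer" codePath="/data/app/com.example.freezer-1" userId="10077">
    <sigs count="1"><cert index="1" key="3082bb02" /></sigs>
  </package>
  <shared-user name="android.uid.system" userId="1000">
    <sigs count="1"><cert index="0" /></sigs>
  </shared-user>
</packages>"""

# Constructed packages.list line: name, uid, debuggable flag, data dir.
SAMPLE_PACKAGES_LIST_LINE = "com.example.settings 1000 0 /data/data/com.example.settings"


def parse_packages_list_line(line: str) -> dict:
    name, uid, debug, data_dir = line.split()[:4]
    return {"name": name, "uid": int(uid),
            "debuggable": debug == "1", "data_dir": data_dir}


def load_signers(xml_text: str) -> dict:
    """Map each package / shared user to the set of certificates that signed it."""
    root = ET.fromstring(xml_text)
    # A certificate's hex is written once; later <cert> elements reuse its index.
    by_index = {c.get("index"): c.get("key")
                for c in root.iter("cert") if c.get("key")}
    signers = {}
    for entry in list(root.iter("package")) + list(root.iter("shared-user")):
        signers[entry.get("name")] = frozenset(
            by_index[c.get("index")] for c in entry.iter("cert"))
    return signers


def check_install(signers: dict, package: str, apk_certs) -> str:
    """Model of the signer comparison made before an APK replaces a package."""
    installed = signers.get(package)
    if installed is None:
        return "OK (new package, new UID)"
    if installed != frozenset(apk_certs):
        return "INSTALL_FAILED_UPDATE_INCOMPATIBLE"
    return "OK (update)"


def run_scenarios() -> dict:
    signers = load_signers(SAMPLE_PACKAGES_XML)
    own_key = {"3082cc03"}  # certificate of a key generated after rebuilding
    return {
        "rebuilt settings APK, re-signed with own key":
            check_install(signers, "com.example.settings", own_key),
        "settings APK still carrying the vendor signature":
            check_install(signers, "com.example.settings", {"3082aa01"}),
        "same rebuilt APK under a new package name":
            check_install(signers, "com.example.settings.mod", own_key),
    }


if __name__ == "__main__":
    print(parse_packages_list_line(SAMPLE_PACKAGES_LIST_LINE))
    for case, result in run_scenarios().items():
        print(f"{case}: {result}")
```

A rebuilt APK can only be signed with a key its builder holds, so it either fails the comparison or installs as an unrelated package with its own UID and none of the original's privileges.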

Related

Programmatically enabling network-location

Does anyone know how to programmatically enable the network location finding? I've read that it's not possible to do normally because of user privacy protection (i.e. you can't even request a permission that lets you do it), but I'm wondering if it's possible to do it using a rooted phone. Does anyone know? I can write apps using the normal SDK, but I've never tried to do anything using the fact that my phone is rooted or the superuser permissions app.
This would be for an HTC Hero running a (very old) Android v1.5 MoDaCo ROM.
Or, if a widget already exists that lets you do this, please let me know
Steven__ said:
Does anyone know how to programmatically enable the network location finding? I've read that it's not possible to do normally because of user privacy protection (i.e. you can't even request a permission that lets you do it), but I'm wondering if it's possible to do it using a rooted phone. Does anyone know? I can write apps using the normal SDK, but I've never tried to do anything using the fact that my phone is rooted or the superuser permissions app.
This would be for an HTC Hero running a (very old) Android v1.5 MoDaCo ROM.
Or, if a widget already exists that lets you do this, please let me know
Note that Settings.apk is just an app and it can change these settings. My guess is it uses some private APIs to accomplish that. You could look into Android sources and check, what is this API, then use it in your own application. You will have to use system shared user in it and sign it with testkeys.
Brut.all said:
You will have to use system shared user in it and sign it with testkeys.
That's the part I don't know how to do. I've found the settings calls it makes from the source code:
Code:
Settings.Secure.putString(getContentResolver(),
Settings.Secure.LOCATION_PROVIDERS_ALLOWED,
"+" + LocationManager.NETWORK_PROVIDER);
but that dies with a permission failure "java.lang.SecurityException: Cannot write secure settings table". I've tried to grant myself that permission in the manifest using:
Code:
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
but that permission doesn't seem to be granted, as this.checkCallingPermission always returns -1.
Is there a tutorial on how to use a "system shared user", or would it be easy for you to explain?
I'm not really sure, this is knowledge of rom cookers and I'm not one of them
But... look into AndroidManifest.xml from Settings.apk:
Code:
<manifest android:sharedUserId="android.uid.system" android:versionCode="7" android:versionName="2.1-update1" package="com.android.settings"
xmlns:android="http://schemas.android.com/apk/res/android">
This apk uses android.uid.system and so it has superpowers. You must set this UID for your apk, but to do that apk must be signed with same keys as other system files. I think you must use testsigner tool and fortunately there are many threads/articles about that
Yeah, it looks like I'd have to resign the whole ROM to make sure that my app had the same key as the system files. Hmm, I've swapped tracks to investigating how to get my app to work through the Superuser app, which I can half do now. However, this is getting more complicated to solve than I had hoped for - I think for a while I might just accept that clicking on button that directly brings up the settings menu will be enough. Thanks for trying!
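
Added example (not from the original posts or from AOSP): a Python model of how requested permissions are decided at install time, covering both the Ice Box manifest question in the Fire thread ("What if those permissions were added at the very top?") and the WRITE_SECURE_SETTINGS / android.uid.system exchange above. The protection levels are the ones declared for these permissions in AOSP's framework manifest; the grant logic is simplified, and the `evaluate` helper, the trimmed manifest and the signer strings are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"

# Protection levels (subset). "development" is omitted from the install-time
# logic below because it is not an install-time grant.
PROTECTION = {
    "android.permission.INTERNET": {"normal"},
    "android.permission.WRITE_EXTERNAL_STORAGE": {"dangerous"},
    "android.permission.BIND_DEVICE_ADMIN": {"signature"},
    "android.permission.WRITE_SECURE_SETTINGS":
        {"signature", "privileged", "development"},
}

# Constructed manifest: the page's Ice Box receiver plus the "what if" edit,
# i.e. the guarded permissions also listed as <uses-permission> requests.
MANIFEST_TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.catchingnow.icebox" {shared}>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.BIND_DEVICE_ADMIN"/>
  <uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
  <application>
    <receiver android:name="com.catchingnow.icebox.receiver.DPMReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

SHARED_SYSTEM = 'android:sharedUserId="android.uid.system"'


def evaluate(manifest_xml: str, signer: str, platform_signer: str,
             in_priv_app: bool = False) -> dict:
    root = ET.fromstring(manifest_xml)
    same_key = signer == platform_signer
    # A shared UID can only be joined by a package signed with that UID's key.
    if root.get(A + "sharedUserId") and not same_key:
        return {"install": "INSTALL_FAILED_SHARED_USER_INCOMPATIBLE"}
    granted, denied = [], []
    for el in root.iter("uses-permission"):
        name = el.get(A + "name")
        level = PROTECTION.get(name, set())
        ok = bool(level & {"normal", "dangerous"}      # normal / user-grantable
                  or ("signature" in level and same_key)
                  or ("privileged" in level and in_priv_app))
        (granted if ok else denied).append(name)
    # android:permission on a component is what the *caller* must hold to
    # reach it; it is not something the app itself is asking for.
    caller_must_hold = {
        el.get(A + "name"): el.get(A + "permission")
        for el in root.iter()
        if el.tag in ("receiver", "service") and el.get(A + "permission")
    }
    return {"install": "OK", "granted": granted, "denied": denied,
            "caller_must_hold": caller_must_hold}


def run_scenarios() -> dict:
    plain = MANIFEST_TEMPLATE.format(shared="")
    shared = MANIFEST_TEMPLATE.format(shared=SHARED_SYSTEM)
    return {
        "third-party key": evaluate(plain, "dev-cert", "platform-cert"),
        "third-party key + system shared UID":
            evaluate(shared, "dev-cert", "platform-cert"),
        "platform key + system shared UID":
            evaluate(shared, "platform-cert", "platform-cert"),
    }


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(case, "->", result)
```

Listing a signature-level permission in the manifest is only a request, and the outcome depends on the signing certificate, not on where the line sits in the file.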

Fiddlin with Windows Updates

So after reading about all the App Store hacks that have developed around Fiddler2, I decided to give it a go myself. After setting up the proxy, I noticed that most SSL-based transactions were failing to connect on my device (Windows Updates, Email, etc).
I exported the SSL cert that fiddler 2 installed on my development PC, emailed it to myself, and installed it on my Windows Phone device. Lo and behold, most of my SSL issues went away! (App store still wouldn't auth). More Interestingly, Windows Updates started checking for updates successfully. These transactions are done with SOAP calls.
The basic process is as follows:
1. Phone initiates a connection to the windows update server
2. a series of cab files are downloaded containing certificate and base URL info of the update server
3. the phone connects to the update server with a list of all updates it has installed as well as a unique device identifier.
4. the server responds with a list of updates that it wants the phone to evaluate.
5. If the phone decides it needs the update, it sends a request to the server for instructions to deter
6. the server responds with a specially crafted packet that contains a link to where the microsoft cab can be downloaded from as well as a checksum of the cab file and evaluation instructions to determine if the update is needed. (checking registry keys, etc the SOAP commands contain things like RegRead32)
7. the phone then downloads and installs the update, if needed.
Fiddling around with Fiddler, I was able to remove the "filter" GUID from the phone's request to the server. As a result, it evaluated and installed any update it could get its hands on. The Hardware Test app still shows that my last update was 5/1/2013, but the number of updated packages included in that update jumped from 83 to 200!
I have some more experiments I would like to try (such as trying to blindly write a reg key instead of just reading it...anyone know of a good one?). I am also wondering if I can somehow package a Microsoft cab file, and tell the update mechanism to download and install it. Depending on how it evaluates the cabs, I might be able to get away with signing the cab with the private key from the Fiddler certificate I installed.
Just thought I'd pass along
Very, very nice finds! I had noticed the cert pinning used on the store and on dev-unlocking, but apparently had failed to look into the update process.
Give me a little while and I'll find you the reg key used for dev-unlock. I can't guarantee you that I'll be able to give you the exact value you need - they seem to have changed the format since WP7, and I'll be working blind from templates and policy files here - but it's worth a shot. Mind you, I wouldn't be surprised if the whole process is read-only, or if the responses from Microsoft are signed (although you could try re-signing them, I guess). For what it's worth, creating an entire update from scratch (or even editing one) is unlikely to work; Windows has required a Microsoft signature (not just any trusted signature) on update files for many years now. It's certainly possible that they messed that up, though.
I also kind of want to see if some of the recent ZIP signature validation bypass exploits from Android (where you could create a ZIP file containing multiple files that have the same name, and the original would be used for the signature but the *last* copy of each file would be the one actually unpacked) might be made to work as well. I've got some ideas about that... not sure if it would work for the update format, though.
Please keep researching this!
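The duplicate-name ambiguity mentioned in this post is something a ZIP verifier can rule out before it looks at any signature, by rejecting an archive that lists the same entry name more than once. The sketch below is an added example, not code from the thread; it uses Python's `zipfile` on constructed in-memory archives, and the function names are made up here.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(archive_bytes):
    """Return {name: [crc32, ...]} for every entry name listed more than once.

    infolist() yields one record per central-directory entry, so repeated
    names are all visible here even though name-based lookups return only one.
    """
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            seen[info.filename].append(info.CRC)
    return {name: crcs for name, crcs in seen.items() if len(crcs) > 1}


def require_unique_names(archive_bytes):
    """Raise ValueError if the archive is ambiguous; call this before verification."""
    dups = duplicate_entries(archive_bytes)
    if dups:
        raise ValueError(
            "ambiguous archive, duplicate entry names: " + ", ".join(sorted(dups))
        )
    return True


def build_sample(entries):
    """Constructed test input: an in-memory ZIP built from (name, payload) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile only warns when a name is written twice; silence it for the fixture.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample([("a.txt", b"one"), ("b.txt", b"two")])
    ambiguous = build_sample([("a.txt", b"one"), ("b.txt", b"two"), ("a.txt", b"three")])
    for label, blob in (("clean", clean), ("ambiguous", ambiguous)):
        try:
            require_unique_names(blob)
            print(label, "-> accepted for verification")
        except ValueError as exc:
            print(label, "-> rejected:", exc)
```

The check only covers names in the central directory; it says nothing about the cab-based update format discussed in this thread.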
Not that I seriously looked into that, but you may probably consider these entries as interesting
Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\DeviceReg\Install]
"MaxUnsignedApp"=DWORD:A
[HKEY_LOCAL_MACHINE\Software\Microsoft\PackageManager]
"EnableAppLicenseCheck"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\PackageManager]
"EnableAppSignatureCheck"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\PackageManager]
"EnableAppProvisioning"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\.NETCompactFramework\Managed Debugger]
"Enabled"=dword:0
"AttachEnabled"=dword:1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\Debugger]
"WaitForAttach"=dword:1
Some of those might get obsolete already, though.
Though, the most interesting thing one can do with registry is enabling KD.
For what it's worth, creating an entire update from scratch (or even editing one) is unlikely to work; Windows has required a Microsoft signature (not just any trusted signature) on update files for many years now.
Yeah
I've never really looked at the fact: which certificate is used by actual cabs? look at *.cat file
GoodDayToDie said:
Very, very nice finds! I had noticed the cert pinning used on the store and on dev-unlocking, but apparently had failed to look into the update process.
Give me a little while and I'll find you the reg key used for dev-unlock. I can't guarantee you that I'll be able to give you the exact value you need - they seem to have changed the format since WP7, and I'll be working blind from templates and policy files here - but it's worth a shot. Mind you, I wouldn't be surprised if the whole process is read-only, or if the responses from Microsoft are signed (although you could try re-signing them, I guess). For what it's worth, creating an entire update from scratch (or even editing one) is unlikely to work; Windows has required a Microsoft signature (not just any trusted signature) on update files for many years now. It's certainly possible that they messed that up, though.
I also kind of want to see if some of the recent ZIP signature validation bypass exploits from Android (where you could create a ZIP file containing multiple files that have the same name, and the original would be used for the signature but the *last* copy of each file would be the one actually unpacked) might be made to work as well. I've got some ideas about that... not sure if it would work for the update format, though.
Please keep researching this!
Will do! Here is where it gets interesting... The attached screenshots are of a SOAP request from my phone to the update server (I disabled filtering, so the GUID isn't present) and then its response for "missing" updates to evaluate.
The section labeled "xml" contains the instructions on how to evaluate if the update is needed.
Here is a cleaned up, friendly dump of what is in the "XML" section it needs to parse to determine if an update is applicable:
Code:
<UpdateIdentity UpdateID="f092f820-8161-410b-ab11-c7a6d36b7837" RevisionNumber="101" />
<Properties UpdateType="Software" />
<Relationships>
<Prerequisites>
<UpdateIdentity UpdateID="eb644fbf-5e6e-4719-b97c-485ffb9e867f" />
<AtLeastOne>
<UpdateIdentity UpdateID="450b8808-d056-4c18-a383-2db11e463eb0" />
</AtLeastOne>
</Prerequisites>
</Relationships>
<ApplicabilityRules>
<IsInstalled>
<CspQuery LocUri="./DevDetail/SwV" Comparison="GreaterThanOrEqualTo" Value="9.0.0.0" xmlns="http://schemas.microsoft.com/msus/2002/12/MobileApplicabilityRules" />
</IsInstalled>
<IsSuperseded />
<IsInstallable>
<And xmlns="http://schemas.microsoft.com/msus/2002/12/LogicalApplicabilityRules">
<CspQuery LocUri="./DevDetail/SwV" Comparison="LessThan" Value="9.0.0.0" xmlns="http://schemas.microsoft.com/msus/2002/12/MobileApplicabilityRules" />
<b.RegSz Key="HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Windows\CurrentVersion\DeviceUpdate\Agent\Protocol" Value="TestTarget" Comparison="EqualTo" Data="72c5dc6d-00a9-412f-9d13-f4f483f2ed7f" xmlns="http://schemas.microsoft.com/msus/2002/12/BaseApplicabilityRules" />
</And>
</IsInstallable>
</ApplicabilityRules>
an interesting URL with info from someone else that was looking into this for Win7...
http://withinwindows.com/2011/03/06/notes-on-windows-phone-7-update-process-thus-far/
I wonder if we can figure out what "updates" are actually required if we can trick the server into giving us more OOB updates/othercarrier updates/updates we aren't "supposed" to have..
Found some info on the "Evaluate" action:
Action: The action that clients in the specified target group will perform on this revision: Install, Uninstall, PreDeploymentCheck (which means that clients will not offer the update, just report back on the status), Block (which means that the update will not be deployed, and is used to override another deployment), Evaluate (which means that clients will not offer the update and will not report back on the status), or Bundle (which means that clients will not offer the update for install; it is only deployed because it is bundled by some other explicitly deployed update).
source:
http://msdn.microsoft.com/en-us/library/cc251980.aspx
I was also messing with Fiddler and I noticed my phone accesses two different places when a phone update is selected. One of the pages is: http://ds.download.windowsupdate.com/wp8/MicrosoftUpdate/Redir/duredir.cab . In that cab is this file wuredir.xml and consists of:
<?xml version="1.0"?>
<WuRedir xmlns="http://schemas.microsoft.com/msus/2002/12/wuredir" redirectorId="1002">
<Protocol
elementVersion="1"
clientServerUrl="https://fe1.update.microsoft.com/v6/"
reportingServerUrl="http://statsfe1.update.microsoft.com/" />
</WuRedir>
the second page accessed is: http://fe1.update.microsoft.com/WP8/MicrosoftUpdate/Selfupdate/5_UssDetection.dll
I hexed the .dll after download and found some download links to some cert files, which are:
Microsoft Windows Phone Production PCA 2012.crt
http://www.microsoft.com/pkiops/certs/Microsoft Windows Phone Production PCA 2012.crt
MicRooCerAut_2010-06-23.crt
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
MicTimStaPCA_2010-07-01.crt
http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt
can any of this info help us?
If either that DLL or any of those certificates are not signed (highly unlikely, but worth checking), or if the DLL doesn't enforce the signature check (extremely unlikely), or if any of the certs include the private key or use a weak hash algorithm or a short key... maybe. I checked the certs, though; they at least are clean. Nothing useful that I saw.
Reverse engineering the DLL may be useful, but it's probably native code and therefore a pain to decompile.
aclegg2011 said:
I was also messing with Fiddler and I noticed my phone accesses two different places when a phone update is selected. One of the pages is: http://ds.download.windowsupdate.com/wp8/MicrosoftUpdate/Redir/duredir.cab . In that cab is this file wuredir.xml and consists of:
<?xml version="1.0"?>
<WuRedir xmlns="http://schemas.microsoft.com/msus/2002/12/wuredir" redirectorId="1002">
<Protocol
elementVersion="1"
clientServerUrl="https://fe1.update.microsoft.com/v6/"
reportingServerUrl="http://statsfe1.update.microsoft.com/" />
</WuRedir>
the second page accessed is: http://fe1.update.microsoft.com/WP8/MicrosoftUpdate/Selfupdate/5_UssDetection.dll
I hexed the .dll after download and found some download links to some cert files, which are:
Microsoft Windows Phone Production PCA 2012.crt
http://www.microsoft.com/pkiops/certs/Microsoft Windows Phone Production PCA 2012.crt
MicRooCerAut_2010-06-23.crt
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
MicTimStaPCA_2010-07-01.crt
http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt
can any of this info help us?
Those are the first steps in the update process. Basically, it gets the certs that it will use for validation and server communication. Then the CAB file contains the info on what servers are used for Windows Update communications. It then logs that a request has been made to the tracking server. After that, it gets a list of updates from the v6 address. If there are no updates, Once the update process is complete, it logs the result to the tracking server.
Do you guys think I could use this to fix the problems I seem to have when trying to stream or download music from Xbox Music? I get a lot of errors, or "this song can't be played on your device", and sometimes the app crashes. I have had this problem since I switched from my Windows Phone 7 device to my Nokia Lumia 920, and I am on my 4th 920. I think for some reason the Music store is getting botched certificates or something.
Kind of on the same subject. Anyway, I extracted around 140 certificates from an HTC 8X RUU, then installed them on my PC, which is Windows 7. The cool part was I was able to install Windows Phone SDK 8 and 8.1 with emulators and Visual Studio 2013, which I thought were not possible to run on Windows 7. All because of certificates from a ROM.

[TOOL] NEW! Derp -- scriptable, platform-neutral device installer

DERP (Device Environment Replacement Program)
initial pre-alpha version 0.001
(Aug 3, 2013)
by fattire (twitter: @fat__tire)
tldr?​
Derp is a general-purpose, platform-independent installer, written in python with wxpython, that executes .derp XML-based scripts to walk the user step-by-step through a ROM installation (or do whatever you want.) The idea is to replace text-based walkthroughs, howtos, and installation instructions by requiring a user to do almost nothing but run a .derp script and sit back. Derp walks through a series of scripted steps (as in, say, a ROM installation) and automatically does all the file downloading/adb/fastboot stuff while the user waits and maybe reads what's happening (at the script author's discretion). Derp also pre-installs and keeps Google's Android SDK tools up to date and even gives adb & fastboot a simple UI. .derp scripts are human-readable XML. Embedding bash and python is also supported in Derp, as is restricting scripts or even script parts to certain platforms. Derp runs as root on the local computer (it's an installer after all), and is open source/GPLv3 licensed. It also comes with sample scripts and a built-in tutorial for creating your own.
Still tldr? It's a script-runner thing!
-----
LONGER DISCUSSION...​
WARNING: RIGHT NOW, DEVELOPER TYPES ONLY! This is not for end users...yet. Hopefully people will find bugs and help fix them before an end user uses this on a “live” computer with an actual device. Again, because this is a software installer, DERP AND ITS SCRIPTS RUN AS ROOT. Never run random .derp or .xml scripts you find on the Internet. This could screw up your device AND your computer, so... treat it just like any other script you’d (not) run as root. Also, the discussion in this forum is how Derp is supposed to work, but of course, there may be (probably are?) bugs.
THE "PROBLEM" AS I SEE IT
Working on the CM wiki, I've grown to appreciate how varied firmware install methods can be. Some devices need rooting. Some need firmware downgrades. Sometimes you can use fastboot. Other times you can’t. Some systems need to unlock the bootloader, etc. etc.
Installing this stuff can be hard. Okay, maybe not for you, but how about your mom or dad? Could your grandparents buy a device today and put CM on it themselves? There's been some chatter on the interwebs about how to make rooting and replacing firmwares easier... some kind of graphical installer seems to be the answer. But there are a million devices out there...
So people have been using text-based HOWTOs, walkthroughs, step-by-step instructions, and/or shell scripts and batch-type files to do this. I thought maybe a generic, unified scripting method might work better that gives the users readable instructions but optionally automatically does technical steps for them.
Hoping to avoid creating yet-another-standard-way-to-do-something, back in February, I searched online for generic installation solutions. But they all seemed to be platform-dependent, or weren’t licensed for general use, or looked really ridiculously complicated....
So (and big caveat here-- I'm not a programmer!) I whipped up a proof-of-concept for developers to play with to start thinking about how to address the issue. It took me a few weeks to get going, but ended up sitting collecting dust for months as I worked on other things and occasionally bothered friends to test the latest version.
Derp is not necessarily intended as any kind of final solution per se-- it’s just for further discussion/testing. A totally legit question to be answered: is this in any way even a good idea?
Let's find out.
SO WHAT IS DERP?
It's a general-purpose installer, written in python with wxpython, that executes .derp XML-based scripts to walk the user step-by-step through a ROM installation, optionally doing all the "technical stuff" like downloading files and running commands in the background. Ideally, you wouldn't have to write a long tutorial for every platform on how to do stuff-- a .derp script could BE the walkthrough.
The first thing Derp does is install the latest adb and fastboot from Google. That looks like this:
(Mac version)
Next, when you run a .derp script, it can automatically download and verify ROM files like CyanogenMod or tools or whatever from the Internet, and then install them.
(Linux version)
(Mac version)
As it does all this, the script can provide information and/or feedback to the user via a UI that hopefully looks like a normal installer. What the user sees is written by the script author in simple HTML. As the .derp script runs, the user simply taps "Continue" to proceed through the scripted steps.
As mentioned, .derp scripts are written in XML, which is platform-generic and easy for a human to read. The .derp script syntax, explained below, is also very simple. The script author is also free to embed bash shell scripts or python (or both) if advanced stuff is needed.
Worth mentioning too-- sections, steps, text, actions, or entire scripts can be restricted by the type of computer it's running on (ie, don't run certain python commands on Mac, but do run them in Linux, or whatever).
And finally-- while my initial thought was to use this for installations of ROMS like CyanogenMod to a device, I'd think Derp can be used for many kinds of installations or scripted operations-- even to wrap a UI around a bash or python script to make it easier for users to run without having to open a Terminal and start typing. Derp scripts don't even have to be used for anything to do with mobile devices, though it does pre-set up the Google SDK tools for that purpose.
In fact, a Derp script can do NO actions-- simply serve as a click-through set of HTML-based instructional steps for a user to follow by hand. Conversely, it can say nothing to the user but "Stand by, doing everything." and that's it.
FEATURES:
Easy to install. Debian-based Linux just uses sudo dpkg -i derp_0.001-1_all.deb and it's ready to go. Mac users: it’s Derp.app. Done and done.
Derp is GPLv3-licensed and source code is available now. Read license for terms, conditions, and more disclaimers.
Automatically downloads/updates all SDK tools (primarily adb and fastboot) directly from Google at every launch. So the user is always up to date. (also requires users to agree to Google's T&C...)
Uses an XML-based, OS-neutral installation script format that is easy to write and understand. Just about anything you want the user to do-- restart in bootloader mode, unlock the device, etc-- the derp script should be able to do. Even run bash or python scripts from within the script.
XML Tags:
<derp> - the main tag for a derp script.
<section> - a major category for individual steps.
<step> - Put as many of these in a section as you want.
<info> - The stuff the user sees as the script runs. You can add HTML tags to make it look good.
<file> - tell derp a file’s URL, MD5/SHA hash, and local filename. Derp will grab it and verify it for you automatically. These files can be roms, scripts, recovery images, etc. whatever your script needs to do its job.
<action> - valid “action” types include “adb”, “fastboot”, “python”, and “bash”. Future versions of Derp can add more. <action> allows your script to do stuff. Never worry about whether the user installed and set up the latest versions of adb or fastboot properly. They should "just work".
Using the above tags, you can not only have your scripts automatically do full installations, rooting, bootloader unlocks, etc, but simultaneously tell the user what’s happening behind the scenes if you choose. The user feedback is written in standard HTML-formatted text. The user just hits “Continue” whenever you want to move from one step to the next.
Included are example scripts to install CyanogenMod 10.1.2 on stock Nexus 7, Nexus 4, Galaxy Nexus, and HTC One. The latter script, written by Cowmix, demonstrates how to embed python to interact with the user, and they all include bootloader unlocking.
The only things I can think of that can’t be done automatically are steps that require hands-on (ie, holding down buttons during power-on) or where, say, debugging mode needs to be manually turned on, or the slider needs to be physically unlocked. In the few cases where user involvement can’t be avoided, the <info> tag can be used to walk them in “real time” through that step.
A built-in tutorial on how to write your own .derp scripts explains how the tags work. (The tutorial itself is a .derp script.)
A console window helps you see what derp is doing in real-time...
Also included: a quick-access adb and fastboot text-entry in the console. This lets you start up Derp and type quick adb or fastboot commands without needing a terminal (or to deal with PATH issues)
“Debug Mode” lets you go through the script without invoking the <action> tags. Makes writing scripts easy.
Derp should automatically detect when a device is connected via adb or fastboot and let you know.
You may filter any Derp tag (including <action> tags) by operating system. This means that using a single script, the user can see different text or the script may behave differently depending on the platform. In fact, you can restrict the entire script to a particular operating system(s).
The script doesn’t actually have to “do” anything. It can be used simply to create walkthroughs or tutorials in a much nicer format than a step-by-step text file. Just link to a .derp file and let it walk the user through whatever. Easy to convert a text walkthrough to an interactive click-through just by adding <section> and <step> tags.
WHY MUST DERP RUN AS ROOT?
Remember, Derp is an installer. It needs to do important stuff, and as such it runs as root. I had considered trying to sandbox the parts that "needed" root and only enable it there and ask for permission for a single operation via an "enter your password" type of dialog box. But because the .derp format is so flexible, there were a million potential places where a script author could do varying kinds of trickery-- by breaking out of Derp to execute python code, spoofing directory paths, abusing the embeddable bash scripts, etc. It just didn't seem to make sense to try to anticipate and counteract all that. Playing cat-and-mouse endlessly is pointless. Again, Derp is an installer. Installers get administration permissions. Just like any installation script you'd run with "sudo" would get. Just like the package installer on OS X. Also, it is much easier to run adb and fastboot with root permission-- you can easily kill all running versions of adb for example, and fastboot seems to prefer it. Plus, it avoids the need for playing with udev configuration stuff in Linux.
This means that, like pretty much every other type of installer, .derp scripts will have full access not only to your mobile device, but to the computer Derp is running on. This seems to make the most sense to me, but I invite others to chime in on improving the design if you disagree.
All caveats and considerations apply. Do not run untrusted scripts, and do not run Derp on a "sensitive" computer (however you wish to define that).
WHAT IS MEANT BY "CROSS-PLATFORM"? (IN OTHER WORDS, WHERE'S THE WINDOWS VERSION?!)
I don't have/use Windows. Right now, Mac & Linux builds are currently available. Derp still needs to be ported to Windows, but since it’s wxpython, and I tried to make as little dependent on the underlying operating system, 95% of the work is hopefully done. Anyone with Windows who’d like to help, let me know.
I think it should be some minor changes to the setup.py file and a few definitions. Also, not sure if Windows supports the “bash” shell...
ANYTHING ELSE?
Ummm... That’s it. Remember, this is a work in progress and a proof of concept... Again, I dunno if anyone will see the value here, and maybe it will need a complete rethink. There are likely to be bugs, maybe even really bad ones. But after a few months of playing around, I kinda feel it’s ready for other developers to at least see and even try in a secure environment (as suggested, maybe a VM or something).
SHOW ME THE CODE!
The code is on github-- please submit commits-- fixes, new features, whatever-- as well as bug reports there. And again, figure there will be tons of bugs to be squashed.
Enjoy.
fattire (@fat__tire)
THANKS TO...
Big thanks for helping me test w/different devices: cowmix, hashcode, kornyone, ciwrl, utkanos, verygreen, and jeagoss
DOWNLOADS:
Debian-based Linux (Debian, Ubuntu, Mint)
derp_0.001-1_all.deb
MD5: 6e8eabe94cdfdba649ea41198211bb64
SHA512: 307aed0ad79de17793bb445d2b588388bf66b42716de36a055227f555bfc12ab3e61d5f0e3de804eb4c0c560f140a6318ea6dd1608cc78ee84b50336895cdfc2
Mac OS X (Tested on: Snow Leopard, Lion, Mountain Lion)
Derp-v0.001-mac.zip
MD5: b738e0a270f53d274baec0ce121577fb
SHA512: 3cf7d438c4dfd0c5c5d7c2f29fe19a76dcbb728acfe73a24e28cdb3f21624510c94f1c4224ad31118851f17205e4d7152619c15281c98189cb33ccac82c1505a
Source code on GITHUB is here.
SAMPLE DERP SCRIPTS
Nexus 7 stock to CM 10.1.2 installer - included (written by me)
Nexus 4 stock to CM 10.1.2 installer - included (written by me)
HTC One stock to CM 10.1 nightly installer - included (written by cowmix)
Galaxy Nexus stock to CM 10.1.2 installer - included (written by cowmix)
EXTERNAL SCRIPTS BY OTHERS
None yet...?
DONATIONS?
Not to me, please. If you feel the need to give someone money, consider donating to the EFF or the Software Freedom Law Center. It's really a donation to your digital rights. (I'm not affiliated with them except as a huge fan and occasional donor.)
REMEMBER, DERP IS EXPERIMENTAL AND YOU RUN IT AT THE RISK OF YOUR COMPUTER, YOUR DEVICE, AND YOUR VERY EXISTENCE AS A HUMAN BEING. I TAKE NO RESPONSIBILITY FOR WHAT DOES OR DOESN'T HAPPEN. DON'T RUN DERP SCRIPTS YOU DON'T TRUST COMPLETELY. YOU ARE ADVISED, JUST IN CASE, TO ONLY RUN SCRIPTS IN A SANDBOXED VIRTUAL COMPUTER. And let me know what y'all think.
Script Syntax (Tutorial)
SCRIPT SYNTAX​
So you want to write a Derp installation script? It's easier than you might think. Derp isn't too complicated-- it doesn't have a lot of "logic". It just follows a script and does what you tell it.
To start a script file, just get out any text editor (or XML editor) and name it something with the .derp file extension, such as:
sample.derp
Once you write up a sample script, you can load the file with Derp to see if it works.
The <derp> tag
Every script starts with the <derp> tag and ends with the </derp> tag. Within the "<derp>" tag, at least for this pre-alpha version, you need to put at least one required attribute, app_version:
<derp app_version="0.001">
</derp>
This is to identify the version of Derp that your script is for. Future versions may not support your script. You can put other attributes that might be used in the future:
<derp device_codename="mako" os="Linux Darwin" title="CM10.1-M1 for Mako" device_name="Nexus 4" device_vendor="lge" app_version="0.001" script_version=".5" author = "fattire" author_email="[email protected]" author_twitter="@fat__tire" license="GPLv2">
These additional tags may be required in future versions of Derp, so if you are able to supply 'em, it's recommended. They'll simply be ignored if they're not needed.
The title="CM10.1-M1 for Mako" is a general title for the script. VERY briefly explain what it does. It's not required, but recommended.
The one other important attribute, os="Linux Darwin", will be explained later. For now, just know that it is optional, but you can use it to restrict the whole script to run only in certain operating systems.
The <section> tag
Every set of instructions should be divided into logical sections, such as the ones on the left. The section has its own required attribute, the name:
<derp app_version="0.001" os="Linux Darwin" script_version=".5">
<section name="This is the first section"></section>
</derp>
Notice the name attribute is used with a section to identify what the section is for.
There's not much more to say about sections. It's easy. Let's move on.
The <step> tag
Each Section can be made of (at least one but) an unlimited number of individual steps. And the tag for that is called <step>. Here's how it's used:
<derp app_version="0.001" script_version=".5">
<section name="This is the first section">
<step name="This is step one"></step>
<step name="This is step two"></step>
</section>
<section name="This is the second section">
<step name="This is step three"></step>
<step name="This is step four"></step>
</section>
</derp>
Notice that steps, like sections, need to have a designated name attribute so that Derp knows what to display. The step name will appear to the user at the top on the right as the centered step heading.
The <info> tag
The stuff that appears in the main info area should be wrapped in info tags.
Example:
<derp app_version="0.001" script_version=".5">
<section name="This is the first section">
<step name="This is step one">
<info>This is the text you'll see! It explains what's going on to the user. <b>I'm bolding this part because it's really important for the user to see.</b></info>
</step>
</section>
</derp>
Note: The stuff that you put between the <info> and </info> tags is...HTML!
So you can format it however you want. You can even include images from the Internet.
Here is the list of HTML tags that are recognized:
A NAME=[string]
HREF=
TARGET=[target window spec]
ADDRES... can add os="Linux Darwin" to the <derp> tag.
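Because a .derp script runs as root and may embed bash or python, it helps to list everything it would do before loading it in Derp. The following is an added example, not part of Derp or of this post: it walks a script with Python's standard XML parser and reports each `<action>` and `<file>` with its section, step and `os` filter, executing nothing. The `type` attribute on `<action>` and the `url`, `md5` and `local_name` attributes on `<file>` are assumptions (the page does not show their real names), and the sample script is constructed.

```python
import xml.etree.ElementTree as ET

HOST_CODE = {"python", "bash"}       # action types that embed code run on the computer
DEVICE_TOOLS = {"adb", "fastboot"}   # action types that drive the attached device

# Constructed sample; attribute names on <action> and <file> are assumed.
SAMPLE_SCRIPT = """\
<derp app_version="0.001" os="Linux Darwin" title="Constructed sample">
  <section name="Download">
    <step name="Fetch recovery">
      <info>Downloading the <b>recovery</b> image.</info>
      <file url="https://example.invalid/recovery.img"
            md5="0123456789abcdef0123456789abcdef" local_name="recovery.img"/>
    </step>
  </section>
  <section name="Install">
    <step name="Reboot to bootloader">
      <action type="adb">reboot bootloader</action>
    </step>
    <step name="Prepare host">
      <action type="bash" os="Linux">echo preparing</action>
    </step>
  </section>
</derp>
"""


def audit_derp_script(text):
    """Return one finding per <action>/<file>, in document order, without running anything."""
    # A review tool should not expand entities from an untrusted file, so refuse DTDs.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DOCTYPE/ENTITY declarations are not expected in a .derp script")
    root = ET.fromstring(text)
    if root.tag != "derp":
        raise ValueError("top-level element is <%s>, expected <derp>" % root.tag)
    findings = []
    walk(root, None, None, None, findings)
    return findings


def walk(el, section, step, os_filter, findings):
    """Depth-first walk that carries the nearest enclosing section, step and os= filter."""
    os_filter = el.get("os", os_filter)
    if el.tag == "section":
        section, step = el.get("name"), None
    elif el.tag == "step":
        step = el.get("name")
    elif el.tag == "action":
        kind = (el.get("type") or "unknown").lower()   # assumed attribute name
        if kind in HOST_CODE:
            risk = "host-root"        # arbitrary code on the computer, as root
        elif kind in DEVICE_TOOLS:
            risk = "device"
        else:
            risk = "unknown-action"
        findings.append({"tag": "action", "section": section, "step": step,
                         "os": os_filter, "type": kind,
                         "body": (el.text or "").strip(), "risk": risk})
    elif el.tag == "file":
        names = {k.lower() for k in el.attrib}
        if any(n.startswith("sha") for n in names):
            risk = "ok"
        elif "md5" in names:
            risk = "md5-only"         # MD5 detects corruption, not deliberate tampering
        else:
            risk = "no-hash"
        findings.append({"tag": "file", "section": section, "step": step,
                         "os": os_filter, "attrs": dict(el.attrib), "risk": risk})
    for child in el:
        walk(child, section, step, os_filter, findings)


if __name__ == "__main__":
    for f in audit_derp_script(SAMPLE_SCRIPT):
        detail = f.get("body") or f.get("attrs")
        print("[%s] %s / %s (os=%s): %s %s" % (
            f["risk"], f["section"], f["step"], f["os"], f["tag"], detail))
```

A hash stored inside the script only shows that the download matches what the script author listed; it does not make the script itself trustworthy.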
RESERVED
RESERVED
Derp
Derp is a pretty slick interface for scripting not only device installation, but resources needed for modifications on Android devices (namely the Android SDK). A developer can create a custom script to automate the installation, decreasing one off bad installs, and ensuring the process is completed as intended.
People new to Android customization or developers could find this of use. I am excited to see where it goes.
kornyone said:
Derp is a pretty slick interface for scripting not only device installation, but resources needed for modifications on Android devices (namely the Android SDK). A developer can create a custom script to automate the installation, decreasing one off bad installs, and ensuring the process is completed as intended.
People new to Android customization or developers could find this of use. I am excited to see where it goes.
Thanks.. BTW for those asking about the Windows port (in IRC)...
I simply don't have windows, but it was written to be as platform generic as possible. Anyone with a tiny amount of programming skills (again, I have zero myself) should be able to add Windows compatibility pretty quickly... I think it's a matter of just fixing that setup.py file to work with py2exe. See here for more info.
fattire said:
Thanks.. BTW for those asking about the Windows port (in IRC)...
I simply don't have windows, but it was written to be as platform generic as possible. Anyone with a tiny amount of programming skills (again, I have zero myself) should be able to add Windows compatibility pretty quickly... I think it's a matter of just fixing that setup.py file to work with py2exe. See here for more info.
Windows dev here, I may be able to help. Also, any interest in a Mono version? Looking for an excuse...
fattire said:
Thanks.. BTW for those asking about the Windows port (in IRC)...
I simply don't have windows, but it was written to be as platform generic as possible. Anyone with a tiny amount of programming skills (again, I have zero myself) should be able to add Windows compatibility pretty quickly... I think it's a matter of just fixing that setup.py file to work with py2exe. See here for more info.
Grats BTW, great idea...
I've come across several usages of Linux only Python functions so far and I don't see drop-in alternatives for Windows, so I've just commented out that particular section (line 1183). I managed to get the tool download working. Suggestion, maybe sticking with MD5 hashes would be simpler as the script receives updates to match Android SDK download updates. I can understand why you would want to use SHA512, but google offers MD5 on the site next to the downloads for simple copy/paste replacement. There's the potential for lots of hard-coded configuration and for those configurations to be platform specific, such as the download folders for tool updates. I'll see if I can finish up the first bit of win compat this afternoon, but my Android device is at work and is a Dell Streak at that, so my test options are a bit limited.
http://docs.python.org/2/library/platform.html
1183 - os.geteuid()
1196 - os.uname()
fork:
https://github.com/strvmarv/derp
screen:
Windows... already?!!
Holy crap! I don't think it's been 12 hours and there's an early windows port.. amazing job!
The unix-only stuff was from a last second addition I did when I realized that derp would try to run on ARM-based linux machines. The easy fix is to simply indent everything past:
if platform.system() == "Linux":
so that the if not os.geteuid() == 0: and testarch = os.uname() stuff is conditional on it running Linux. (Unless there's a windows ARM version, in which case it also won't work).
In both cases it would work except for the fact that Google doesn't provide libraries for ARM. Interestingly though, debian does. So if we REALLY wanted, we could just apt-get install the tools for ARM Linux users. But that would (1) require a debian-based version of Linux, and (2) we wouldn't know that adb/fastboot/etc are the very latest from Google. But it might be a good version .002 feature, with a preference to turn it on or something.
Again, amazing work. Keep it up!
strvmarv said:
http://docs.python.org/2/library/platform.html
1183 - os.geteuid()
1196 - os.uname()
fattire said:
Holy crap! I don't think it's been 12 hours and there's an early windows port.. amazing job!
The unix-only stuff was from a last second addition I did when I realized that derp would try to run on ARM-based linux machines. The easy fix is to simply indent everything past:
if platform.system() == "Linux":
so that the if not os.geteuid() == 0: and testarch = os.uname() stuff is conditional on it running Linux. (Unless there's a windows ARM version, in which case it also won't work).
In both cases it would work except for the fact that Google doesn't provide libraries for ARM. Interestingly though, debian does. So if we REALLY wanted, we could just apt-get install the tools for ARM Linux users. But that would (1) require a debian-based version of Linux, and (2) we wouldn't know that adb/fastboot/etc are the very latest from Google. But it might be a good version .002 feature, with a preference to turn it on or something.
Again, amazing work. Keep it up!
Good deal, glad I could help. If you ever want to give a Mono/GTK# port a try just give me a shout. I could do the majority of the leg work code in C# very quickly, lightweight app, which is excellent these days.
I just pushed up my initial changes for the setup.py. I haven't figured it out yet, there are some imports, specifically in derp.py line 23 (platform) that aren't getting consolidated into the build with py2exe. It's most definitely how I've setup the options in the setup.py, hopefully someone is more familiar with py2exe than I and can provide some insight.
strvmarv said:
Good deal, glad I could help. If you ever want to give a Mono/GTK# port a try just give me a shout. I could do the majority of the leg work code in C# very quickly, lightweight app, which is excellent these days.
I just pushed up my initial changes for the setup.py. I haven't figured it out yet, there are some imports, specifically in derp.py line 23 (platform) that aren't getting consolidated into the build with py2exe. It's most definitely how I've setup the options in the setup.py, hopefully someone is more familiar with py2exe than I and can provide some insight.
Okay, let me take a second and fix the bug I described above... then-- damn, I wish I could try the setup.py myself. So you're saying that the platform stuff doesn't get imported into the build for some reason?
Standby for the fix.. just gotta test it and stuff.
Update: Pushed. Also added /build, /dist, and one other mac build-related directory to .gitignore to make things a little easier to see...
strvmarv said:
I haven't figured it out yet, there are some imports, specifically in derp.py line 23 (platform) that aren't getting consolidated into the build with py2exe. It's most definitely how I've setup the options in the setup.py, hopefully someone is more familiar with py2exe than I and can provide some insight.
Question, would doing something like this on line 52 do anything:
options = {'py2exe': {'bundle_files': 1, 'optimize': 2, 'compressed': 1,}},
I think you can also do something like:
includeList=["a list", "of modules", "to include"]
first, and then replace the line above with something like...
options = {'py2exe': {'bundle_files': 1, 'compressed': 1, 'optimize': 2, 'includes': includeList}},
see more info here and let me know if the above gets those modules in there! I see some option called "unbuffered".. dunno if that needs to be set to true.
bundle_files to 1 means that it hopefully will end up being a self-contained .exe
Let me know! Thanks!
Suggestion, maybe sticking with MD5 hashes would be simpler as the script receives updates to match Android SDK download updates. I can understand why you would want to use SHA512, but google offers MD5 on the site next to the downloads for simple copy/paste replacement.
Forgot to answer this. You're totally right that MD5 is the one Google provides, and at first I used MD5 for everything-- then sluo reprimanded me, told me how MD5 can't be taken seriously any more, that it's really really easy for anyone to create a MD5 spoofed file these days... So I figured, since this runs as root, it's better to be very extra super-cautious and make absolutely sure the right file is downloaded
Of course, in a user-provided script, you can use md5s or whatever the author wants, but for the Android tools themselves I figured it was better practice to use SHA512 to be more forward/future looking and make sluo (a *real* programmer) happy
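The point made in the post above, pinning SHA-512 for anything a root-run tool downloads, can be sketched as follows. This is an added example, not derp's own code; `install_if_verified`, `fetch` and `DigestMismatch` are hypothetical names, and the payload used to exercise it would be constructed by the caller.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so large SDK archives are not read into memory


class DigestMismatch(Exception):
    """Raised when a download never matched the pinned digest."""


def sha512_file(path):
    """Return the lowercase hex SHA-512 of the file at path."""
    h = hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def install_if_verified(fetch, pinned_sha512, dest, max_attempts=2):
    """Download via fetch(tmp_path) and move the file to dest only if it matches.

    fetch is a hypothetical callable that writes the download to the path it is
    given. Returns the attempt number that succeeded. The number of attempts is
    bounded, so a wrong pinned value produces an error instead of an endless
    re-download loop.
    """
    pinned = pinned_sha512.strip().lower()
    # A 32-character MD5 pasted into the pin is rejected here instead of
    # being compared (and never matching) later.
    if len(pinned) != 128 or any(c not in "0123456789abcdef" for c in pinned):
        raise ValueError("pinned value is not a SHA-512 hex digest")
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")

    dest_dir = os.path.dirname(os.path.abspath(dest))
    seen = None
    for attempt in range(1, max_attempts + 1):
        # Stage next to the destination so os.replace() is an atomic rename
        # and an unverified file never appears under the final name.
        fd, tmp = tempfile.mkstemp(dir=dest_dir, suffix=".part")
        os.close(fd)
        try:
            fetch(tmp)
            seen = sha512_file(tmp)
            if hmac.compare_digest(seen, pinned):
                os.replace(tmp, dest)
                return attempt
        finally:
            if os.path.exists(tmp):
                os.remove(tmp)
    raise DigestMismatch(
        "expected %s..., last download hashed to %s..." % (pinned[:16], seen[:16])
    )
```
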
More work done by hashcode on a windows port
Okay strvmarv and other windows folk--
Hashcode helped me out by testing on his machine that has Windows.. we did a little debugging, and the result are these two commits:
Pull Request #1
He was able to run derp successfully and do adb/fastboot commands from the Console interface.
But because he's using win64, he couldn't build (apparently only win32 supports building .exe files) all the way.
So, if you have a win32 system-- after applying these, does python setup.py py2exe build an .exe?
Questions:
* on win32 does it build into an .exe?
* If so, does the .exe run properly as the administrator-- right-click and select "Run as Administrator" I am told
* if so, does it install the android tools and ask you to agree to the License?
* if so, does it download/detect your devices?
* if so, can you run scripts (does it work?)
Note: You may also need to manually install Java, since the android sdk updater uses java.
I'm wondering too if the installer installs any drivers, and/or if any were needed.
Thanks!
fattire said:
Okay, let me take a second and fix the bug I described above... then-- damn, I wish I could try the setup.py myself. So you're saying that the platform stuff doesn't get imported into the build for some reason?
Standby for the fix.. just gotta test it and stuff.
Update: Pushed. Also added /build, /dist, and one other mac build-related directory to .gitignore to make things a little easier to see...
Awesome, will take a look tonight. It's very likely I'm just not setting the options in the setup.py correctly.
You're running snow leopard, correct? You could grab a copy of the Windows 8.1 Preview (free until Jan something I believe - http://preview.windows.com) and dual-boot, or even just run a VM...if you wanted. I had to install Python 2.7 x86, wxPython x86, python2exe x86, and then run derp.py from source directly (powershell or cmd) to get where I'm at now.
strvmarv said:
Awesome, will take a look tonight. It's very likely I'm just not setting the options in the setup.py correctly.
You're running snow leopard, correct? You could grab a copy of the Windows 8.1 Preview (free until Jan something I believe - http://preview.windows.com) and dual-boot, or even just run a VM...if you wanted. I had to install Python 2.7 x86, wxPython x86, python2exe x86, and then run derp.py from source directly (powershell or cmd) to get where I'm at now.
Ideally I'd like to test it on a win32 system because that's the one that py2exe will make a .exe for. But that said, hashcode has it running and adb installs and works and such. It's now a matter of getting it packaged up properly I think. If you can double-check that it works for you, that would be a good start. Then hopefully the .exe can be made. It should also check to make sure java is installed (which is needed by the Google updater) and if not, maybe help the user do it (or even do it for them)...
Also, his version of windows already had drivers on them, so we're not sure whether derp (well, the android tools installer from Google) will take care of that or not.
One last note-- you may have had problems with the looping downloads because the sha512sum seemed to have been off. I did my own sha and it was different.. The new one worked for hashcode.. it's in his commit linked above..
Thanks!
fattire said:
Okay strvmarv and other windows folk--
Hashcode helped me out by testing on his machine that has Windows.. we did a little debugging, and the result are these two commits:
Pull Request #1
He was able to run derp successfully and do adb/fastboot commands from the Console interface.
But because he's using win64, he couldn't build (apparently only win32 supports building .exe files) all the way.
So, if you have a win32 system-- after applying these, does python setup.py py2exe build an .exe?
Questions:
* on win32 does it build into an .exe?
* If so, does the .exe run properly as the administrator-- right-click and select "Run as Administrator" I am told
* if so, does it install the android tools and ask you to agree to the License?
* if so, does it download/detect your devices?
* if so, can you run scripts (does it work?)
Note: You may also need to manually install Java, since the android sdk updater uses java.
I'm wondering too if the installer installs any drivers, and/or if any were needed.
Thanks!
* on win32 does it build into an .exe?
- I'm not win32, I'm running 8.1 x64, but it builds/executes just fine if you're using the 32 bit versions of Python, wxPython, and py2exe due to WOW64, long story
- It does build into an exe, see screen
Output
View attachment output.txt
Screen of dist folder
* If so, does the .exe run properly as the administrator-- right-click and select "Run as Administrator" I am told
- I'm running it with Run as Administrator, no, it still seems to blow up and stop running when it gets to __init__, it appears it can't find it for some reason when built with py2exe, likely the need for inclusion, not exactly sure yet...hard to capture error since it flashes by very quickly and then the console closes
* if so, does it install the android tools and ask you to agree to the License?
- If I run derp.py directly in Python it works just fine, android tools, etc...I haven't tried a script yet
* if so, does it download/detect your devices?
- I haven't tried a script yet
* if so, can you run scripts (does it work?)
- Ditto
Note: You may also need to manually install Java, since the android sdk updater uses java.
- Java SDK already installed, I dabble in Android
These missing modules indicated in build output worry me, not certain how to install them...
The following modules appear to be missing
['Carbon', 'Carbon.Files', 'ElementC14N', '_scproxy', '_sysconfigdata', 'win32api', 'win32con', 'win32pipe']
I've pulled a fresh copy of your repo, added Hashcodes changes, and tweaked the setup.py according to what I've found so far. Still blowing up as indicated above, but still moving in the right direction. If you want to go ahead and merge Hashcode's pull and ignore mine I'll reapply my changes so things don't get weird.
Pull request 2: https://github.com/fat-tire/derp/pull/2
I'll look over py2exe documentation and see if I can figure out what we need to change.
Ah, now we're getting somewhere, I changed console=["src/derp.py"] to windows=["src/derp.py"] as indicated here http://www.py2exe.org/index.cgi/ListOfOptions , get an error on execute, which is dumped into a text file, and looks like this...
Traceback (most recent call last):
File "derp.py", line 48, in <module>
NameError: name '__file__' is not defined
Any ideas?
scriptFolder = os.path.join(os.path.dirname(os.path.realpath(__file__)), "..", "scripts/")
UPDATE:
This may help...
http://stackoverflow.com/questions/...e-path-of-the-current-executed-file-in-python
Nice.. thanks!
strvmarv said:
* on win32 does it build into an .exe?
- I'm not win32, I'm running 8.1 x64, but it builds/executes just fine if you're using the 32 bit versions of Python, wxPython, and py2exe due to WOW64, long story
Ah, cool.
- It does build into an exe, see screen
Output
View attachment 2167579
Screen of dist folder
View attachment 2167586
* If so, does the .exe run properly as the administrator-- right-click and select "Run as Administrator" I am told
- I'm running it with Run as Administrator, no, it still seems to blow up and stop running when it gets to __init__, it appears it can't find it for some reason when built with py2exe, likely the need for inclusion, not exactly sure yet...hard to capture error since it flashes by very quickly and then the console closes
The file size looks tiny... it looks like it doesn't build into it all the stuff it needs...
* if so, does it install the android tools and ask you to agree to the License?
- If I run derp.py directly in Python it works just fine, android tools, etc...I haven't tried a script yet
^ This is awesome and a good sign for this working once we get the build finished.
* if so, does it download/detect your devices?
- I haven't tried a script yet
* if so, can you run scripts (does it work?)
- Ditto
Now that I think about it-- the "welcome" stuff and auto-download of the tools are all a running .derp script (welcome.derp) so yes, you are running them
These missing modules indicated in build output worry me, not certain how to install them...
The following modules appear to be missing
['Carbon', 'Carbon.Files', 'ElementC14N', '_scproxy', '_sysconfigdata', 'win32api', 'win32con', 'win32pipe']
Hmm.. Did you try adding them explicitly in the optionList as I suggested above?
And another way to do it is to use the -p and -i parameters when you do python setup.py py2exe
Also maybe try adding:
import win32com
after "import py2exe" in setup.py I saw some reference to that somewhere...
What else...
looks like elementc14n is something related to the ElementTree module of python... win32api is here I think... but I think it would be installed when you installed python to begin with.
I've pulled a fresh copy of your repo, added Hashcodes changes, and tweaked the setup.py according to what I've found so far. Still blowing up as indicated above, but still moving in the right direction. If you want to go ahead and merge Hashcode's pull and ignore mine I'll reapply my changes so things don't get weird.
Pull request 2: https://github.com/fat-tire/derp/pull/2
I'll look over py2exe documentation and see if I can figure out what we need to change.
I'm looking too... See this?
For py2exe to work with packages loaded during runtime, the main thing seems to be that u explicitly import the modules needed by your app somewhere in your app. And then give py2exe in setup.py with modulefinder.AddPackagePath( , ) the hint, where to search for modules it couldn't find by std. introspection. in the app
I won't do a full-on pull to the repo until everything is working and tested against linux/mac just to make sure we're only fixing stuff and not breaking the other platforms in the process
strvmarv said:
Ah, now we're getting somewhere..
UPDATE:
This may help...
http://stackoverflow.com/questions/...e-path-of-the-current-executed-file-in-python
Ah yes-- does this help as recommended in the link above..?
http://www.py2exe.org/index.cgi/WhereAmI
fattire said:
Ah yes-- does this help as recommended in the link above..?
http://www.py2exe.org/index.cgi/WhereAmI
jpath wouldn't pull in for some reason, despite installing via pip and having an import, so I resorted to logic to assign "." as the path (very hacky)...
So, here it is...running from derp.exe compiled with py2exe...when I get a moment I'll put together a quick summary of how to get a local win environment going..
Here's another pull:
https://github.com/fat-tire/derp/pull/3
UPDATE:
Ack, storing sdk tools in Program Files\Common Files is great and everything, but it needs to be stored in Program Files (x86)\Common Files since it's x86 compiled. Pretty sure things may go wrong at some point as it is...
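The three portability problems raised in this thread (`os.geteuid()` and `os.uname()` not existing on Windows, and `__file__` being undefined in a py2exe build) can each be handled without commenting code out. This is an added sketch, not code from the derp repository; the function names are hypothetical, and keeping the `../scripts` layout for a frozen build is an assumption.

```python
import os
import platform
import sys


def is_elevated():
    """True when running as root (POSIX) or as an elevated administrator (Windows).

    Keeps the privilege check on every platform instead of dropping it where
    os.geteuid() is missing.
    """
    if platform.system() == "Windows":
        import ctypes  # imported here so POSIX hosts never touch windll
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    return os.geteuid() == 0


def is_arm(machine=None):
    """Architecture test via platform.machine(), which exists on all platforms
    (os.uname() does not exist on Windows)."""
    machine = (machine or platform.machine()).lower()
    return machine.startswith(("arm", "aarch64"))


def app_dir(frozen=None, executable=None, module_file=None):
    """Directory the program lives in, for both source runs and frozen builds.

    py2exe sets sys.frozen and does not define __file__ in the main script,
    so a frozen build resolves its location from sys.executable instead.
    The keyword arguments exist only so the logic can be exercised in tests.
    """
    if frozen is None:
        frozen = getattr(sys, "frozen", False)
    if frozen:
        return os.path.dirname(os.path.realpath(executable or sys.executable))
    return os.path.dirname(os.path.realpath(module_file or __file__))


def script_folder(**kwargs):
    """Same relative layout as the line quoted in the thread: <app_dir>/../scripts.

    Assumption: the frozen build keeps the scripts directory one level above
    the directory that holds the executable.
    """
    return os.path.normpath(os.path.join(app_dir(**kwargs), "..", "scripts"))
```
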

WP8 SYSTEM registry files from FFU

I found where the system registry files are stored inside the ffus. This is from my Lumia 928 factory ffu.
Code:
\Windows\System32\config - DEFAULT, DRIVERS, FP, ProvisionStore, SAM, SECURITY, SOFTWARE, SYSTEM
\Windows\System32\config\MOUNTMGR - SYSTEM
\Windows\System32\config\unmodified - BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
\EFIESP(Different Partition)\Windows\System32\config\unmodified - BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
All of these files contain regf as the first few characters in hex. Beyond that, the files are mostly garbage looking at them in Notepad++.
I haven't been able to find any registry editors yet that can edit them, including ones built for Windows CE/Mobile or even Win7/8.
Anyone know of something that can display it in a normal fashion? (without needing a WP8 device to attempt to edit it on.)
EDIT: The files from \Windows\System32\config have been zipped for simplicity reasons (for those of you who don't have a ffu handy)
EDIT2 (August 22): The files from the GDR2/Amber update from my phone's rom have been added.
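The `regf` signature mentioned above marks a standard Windows registry hive, and the rest of the first 512 bytes is a fixed header that can be read without a registry editor. The following is an added example, not a tool from this thread: it parses that header, verifies its XOR checksum and flags a hive whose two sequence numbers differ (a write was in progress). The sample header is constructed in the code, not taken from any FFU.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch


def regf_checksum(block):
    """XOR of the first 127 little-endian dwords (bytes 0..507) of the header."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc or 1  # a result of 0 is stored as 1


def parse_regf_header(block):
    """Decode the hive base block; block is the first 512+ bytes of the file."""
    if len(block) < 512:
        raise ValueError("need at least the first 512 bytes of the file")
    if block[:4] != b"regf":
        raise ValueError("no 'regf' signature: not a registry hive")
    (seq1, seq2, filetime, major, minor,
     _file_type, _file_format, root_cell, bins_size) = struct.unpack_from(
        "<IIQIIIIII", block, 4)
    # Embedded hive name: 64 bytes of UTF-16LE at offset 48, NUL-terminated.
    name = block[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (stored,) = struct.unpack_from("<I", block, 508)
    return {
        "name": name,
        "version": "%d.%d" % (major, minor),
        "last_written": EPOCH_1601 + timedelta(microseconds=filetime // 10),
        "root_cell_offset": root_cell,   # relative to the first hive bin (file offset 4096)
        "hive_bins_size": bins_size,
        "dirty": seq1 != seq2,           # mismatch: the last write did not complete
        "checksum_ok": stored == regf_checksum(block),
    }


def build_sample_header(name="SOFTWARE",
                        when=datetime(2013, 8, 22, tzinfo=timezone.utc)):
    """Constructed sample header for demonstration; every value is made up."""
    filetime = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    block = bytearray(512)
    block[0:4] = b"regf"
    struct.pack_into("<IIQIIIIII", block, 4,
                     7, 7, filetime, 1, 5, 0, 1, 0x20, 0x1000)
    raw = name.encode("utf-16-le")
    block[48:48 + len(raw)] = raw
    struct.pack_into("<I", block, 508, regf_checksum(block))
    return bytes(block)


if __name__ == "__main__":
    for field, value in parse_regf_header(build_sample_header()).items():
        print("%-18s %s" % (field, value))
```

To check a real file, pass the first 512 bytes read in binary mode to `parse_regf_header`.
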
WalkingCat said:
OK, this is a reply to this thread, but apparently I can't post in that forum yet.
So, you've found registry file inside \Windows\System32\config, and this is the way to open and edit it.
No third-party tools needed, just use regedit.exe in your Windows system
1. Run regedit.exe
2. Click on any root key, like HKEY_LOCAL_MACHINE
3. Open File menu, select Load Hive
4. Select a file in your mounted ROM \Windows\System32\config, like SOFTWARE or SYSTEM, open it
5. In the dialog asking for a name, input any text, like WP8Software
6. Registry is now loaded under HKEY_LOCAL_MACHINE\WP8Software, you can edit it.
7. Open File menu, select Unload Hive, then its written back to disk.
reference: http://technet.microsoft.com/en-us/library/cc732157.aspx
Check this post : http://forum.xda-developers.com/showpost.php?p=44312736&postcount=41
I used 7zip to extract the file
vivekkalady said:
Check this post : http://forum.xda-developers.com/showpost.php?p=44312736&postcount=41
I used 7zip to extract the file
That works fine for .wim or a .zip, but these files are the complete registry store, that's the same format that Windows 2000, XP, Vista, etc. use to store the settings for hardware/drivers, windows itself, and other apps that have that kind of access (e.g. Tier3 Applications)
If it's same format as XP/Vista type it should be easily openable, look for the application on the internet.
GodlikePL said:
If it's same format as XP/Vista type it should be easily openable, look for the application on the internet.
Apparently it isn't. I used RegistryEditorPE, that's supposed to work with offline registries for 2000 to 7, but it kept erroring out.
Sent from my RM-860 (Lumia 928) using the OFFICIAL Tapatalk app.
This is good stuff to know. Something that should be good to note is that while I decompiled the .NET for a few of the Verizon Xaps from the 928 ROM, I discovered some Nokia-specific COM Interop that interfaces with the registry. I'm hoping I can try something out and put up a test program within the next few days and make some registry changes.
Hi
I found a registry key
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office Mobile\SPMC\Action\doc]
"Application"=dword:00000005
"ApplicationCommand"="app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/Default?CmdLine=-url %s"
"Action"=dword:00000003
this is for Microsoft office Word
I think we can open word using the link i guess (app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/)
so is this part useful?
can external commands executable through this part (CmdLine=-url %s) ??
something like this
http://dotnet.dzone.com/articles/windows-phone-7-tip-day-know
@snickler: Let me know if you succeed with that. I managed to sideload an app using one of those libraries (after removing nearly all the interesting capabilities...), but immediately got an error about the component not being registered. I didn't try running regsvr or anything, though...
GoodDayToDie said:
@snickler: Let me know if you succeed with that. I managed to sideload an app using one of those libraries (after removing nearly all the interesting capabilities...), but immediately got an error about the component not being registered. I didn't try running regsvr or anything, though...
Hmmm, which phone do you have?
Edit: I tried to deploy just a sample app with one of the .winmds referenced, and got the 0x81030120 error
Holy fuzzle.. ANOTHER EDIT: I was able to do it. I had to remove all the damn Capabilities that I added from the Nokia Maps xap though.
I referenced the NokiaRegistryUtils.winmd and just ran this sample code
MessageBox.Show(NokiaRegistryUtils.Registry.IsChinaFirmware().ToString());
It returned "false" as expected.
I'm going to try something else now.
Something to note, in the WMAppManifest.xml, the following needs added after the <Tokens> declaration
<ActivatableClasses>
<InProcessServer>
<Path>NokiaRegistryUtils.dll</Path> <-- or whatever dll you're adding
<ActivatableClass ActivatableClassId="NokiaRegistryUtils.Registry" ThreadingModel="both" />
</InProcessServer>
</ActivatableClasses>
vivekkalady said:
Hi
I found a registry key
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office Mobile\SPMC\Action\doc]
"Application"=dword:00000005
"ApplicationCommand"="app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/Default?CmdLine=-url %s"
"Action"=dword:00000003
this is for Microsoft office Word
I think we can open word using the link i guess (app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/)
so is this part useful?
can external commands executable through this part (CmdLine=-url %s) ??
something like this
http://dotnet.dzone.com/articles/windows-phone-7-tip-day-know
Where did you find that key?
in ffu file
location <ffu mount>\Windows\Packages\RegistryFiles\Microsoft.Office.Word.reg
Perfect. That's what I'm doing now, but just from my 920 ROM dump. I can access the registry sections that Nokia provides in their app, but I can't from the one you provided me. I'm going to do more tests to see if this is using HKCU rather than HKLM. It could also be that the registry keys have permissions placed on them.
Hmm,
I'm able to get the value of SOFTWARE\Classes\MIME\Database\Codepage\1254 -> BodyCharset
I may write a simple app that reads registry from Lumia devices... I think that's going to happen today.
found these things, don't know if it is of any use
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3]
"DefaultId"="{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
http://support.microsoft.com/kb/287547
vivekkalady said:
found these things, don't know if it is of any use
http://support.microsoft.com/kb/287547
I did find THIS..
Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\DeviceReg\Install]
"MaxUnsignedApp"=dword:7FFFFFFF
That translates to the value of InterOp unlock by default which means we should be able to sideload more than 10 apps at a time.
I also found these within policy xml files
Code:
Microsoft.BaseOS.SecurityModel.policy.xml
<Capability ElementID="2EF45E94A01864DE3387212D6E73AEA885E709AD0F24FB97FE2E84728CB09D14" AttributeHash="49B8EC80A54998B68D7F65A44A340FD28B535494B7A41D650FD94851E38A6B6B" Id="ID_CAP_DEVELOPERUNLOCK" AppCapSID="S-1-15-3-1024-2489250862-3731101856-757172019-2830005102-2903107461-2549818383-1921265406-345878668" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1443" FriendlyName="Enable bearing chamber to load unsigned modules" Visibility="Internal" />
<Capability ElementID="BAFBED1970753822A266C1985F4A2CA2BA7A97CCE149F874743D00F678643C26" AttributeHash="54A2744DE064E139FD4403623C2AB9F1E130BC5C0786F56C1CE39AC814DC3F03" Id="ID_CAP_DEVELOPERUNLOCK_API" AppCapSID="S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1450" FriendlyName="Enable setting of registry key protecting developer unlock mode." Visibility="Internal">
<CapabilityRules>
<Rules>
<RegKey ElementID="F0921CC3ADB2FEE5B7DC90F9F2BBDDB6E4D7BFAF9CE189C1585A90CD71E36882" DACL="(A;CI;KRKW;;;S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1030)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1450)" Flags="515" Path="HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager" />
</Rules>
</CapabilityRules>
</Capability>
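The `DACL` attribute on the `RegKey` rule above is an SDDL string, and decoding it shows which SIDs are granted write access to the `SecurityManager` key. This is an added example, not a tool from the thread: the XML is the `ID_CAP_DEVELOPERUNLOCK_API` element from the post with the `ElementID`, `AttributeHash`, `FriendlyName` and `Visibility` attributes trimmed and a wrapper root element added, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the capability element quoted in the post (wrapper root added).
POLICY_XML = r"""<Capabilities>
<Capability Id="ID_CAP_DEVELOPERUNLOCK_API" AppCapSID="S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1450">
<CapabilityRules>
<Rules>
<RegKey DACL="(A;CI;KRKW;;;S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1030)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1450)" Flags="515" Path="HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager" />
</Rules>
</CapabilityRules>
</Capability>
</Capabilities>"""

# Standard SDDL tokens (only the ones relevant to registry keys are listed).
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {"CI": "container-inherit", "OI": "object-inherit",
             "NP": "no-propagate", "IO": "inherit-only", "ID": "inherited"}
KEY_RIGHTS = {"KA": "KEY_ALL_ACCESS", "KR": "KEY_READ",
              "KW": "KEY_WRITE", "KX": "KEY_EXECUTE"}


def _pairs(text):
    """Split a run of two-letter SDDL tokens, e.g. 'KRKW' -> ['KR', 'KW']."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def parse_dacl(sddl):
    """Decode each '(type;flags;rights;object;inherit_object;sid)' ACE."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj, _inherit_obj, sid = fields
        if rights.startswith("0x"):
            right_names = [rights]  # numeric access mask, left undecoded
        else:
            right_names = [KEY_RIGHTS.get(r, r) for r in _pairs(rights)]
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
            "rights": right_names,
            "sid": sid,
        })
    return aces


def audit_regkey_rules(xml_text):
    """List every ACE on every RegKey rule, labelled with the capability SID it matches."""
    findings = []
    for cap in ET.fromstring(xml_text).iter("Capability"):
        cap_id = cap.get("Id")
        holders = {
            cap.get("AppCapSID"): cap_id + " (app capability SID)",
            cap.get("SvcCapSID"): cap_id + " (service capability SID)",
        }
        for key in cap.iter("RegKey"):
            for ace in parse_dacl(key.get("DACL", "")):
                writable = ace["type"] == "allow" and bool(
                    {"KEY_WRITE", "KEY_ALL_ACCESS"} & set(ace["rights"]))
                findings.append({
                    "path": key.get("Path"),
                    "sid": ace["sid"],
                    "holder": holders.get(ace["sid"], "SID not named in this snippet"),
                    "rights": ace["rights"],
                    "inherits_to_subkeys": "container-inherit" in ace["flags"],
                    "can_write": writable,
                })
    return findings


if __name__ == "__main__":
    for f in audit_regkey_rules(POLICY_XML):
        print(f["path"], f["holder"], "/".join(f["rights"]), sep=" | ")
```
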
Need a Nokia Device?
snickler said:
I may write a simple app that reads registry from Lumia devices... I think that's going to happen today.
That's great! If anyone needs a Nokia device to test on, Nokia has Remote Device Access for those who need it. It's a free service to anyone who has a Nokia DEVELOPER account, which is separate but free as well. The devices they mostly have are Lumia 820s, but they have a few others (620, 720, 920 and the 928.) The great thing about them, you can deploy an xap and run the apps. Some of those phones have sims in them and some of them have a "Nokia On-Device Diagnostic Tool". The only drawback is that the connection can be SLOW.
Huh, you had to add the InProcServer manually? That may be the problem, then. I'm not sure why they're using COM - it works just fine to simply use the native Win32 APIs (add references to ADVAPI32LEGACY.LIB and/or KERNELBASE.LIB; that's what my NativeAccess library does and it works fine) - but it's good to know that COM is, in fact, usable.
Yeah, I already found those policy files. As I've said in other posts, if you can find a way to sideload an app that uses them, we can do a lot more than is currently possible - the internal and private capabilities (and some of the so-called public ones, most of which still won't install) have all kinds of cool potential.
One advantage of the WP8 app model, as opposed to the WP7 model that used ID_CAP_INTEROPSERVICES for everything, is that an app like you're making may well work on other devices. The fact that you got the interop-lock error means that the app did have ID_CAP_INTEROPSERVICES specified, so it may use it for some things, but the registry access is probably not one of them.
GoodDayToDie said:
Yeah, I already found those policy files. As I've said in other posts, if you can find a way to sideload an app that uses them, we can do a lot more than is currently possible - the internal and private capabilities (and some of the so-called public ones, most of which still won't install) have all kinds of cool potential.
One advantage of the WP8 app model, as opposed to the WP7 model that used ID_CAP_INTEROPSERVICES for everything, is that an app like you're making may well work on other devices. The fact that you got the interop-lock error means that the app did have ID_CAP_INTEROPSERVICES specified, so it may use it for some things, but the registry access is probably not one of them.
The best part is that the Nokia CityLens uses ID_CAP_INTEROPSERVICES, but I can't find anything that references it.
The winmds use System.Runtime.InteropServices though.
The Nokia app I got the RegistryRT from didn't use the INTEROP Capability at all, but I did notice that I had to add that extra stuff in the AppManifest.

Solution wanted after SD-card fix / several app crashes

Hello,
I just got a new S 5 with build: KOT49H.G900FXXU1ANE2
Background:
- Rooted via Towelroot: o.k.
- Installed SuperSU: o.k
- Installed BusyBox Pro: o.k.
- Restore Titanium backup files (NO system data) with Pro version: worked fine
- installed SD card fix with this guide with total commander file editor:
-- Use a root-enabled file manager and navigate to /system/etc/permissions
-- Edit platform.xml and find "WRITE_EXTERNAL_STORAGE"
-- Add an additional group definition for this permission: <group gid="media_rw" />
-- Save the changes and restart your device
-- You are now able to write on your external SD card again
After restarting device, many system apps were crashing over and over like:
samsung data cloud relay, samsung account, google account, ....
Steps taken so far:
- Connecting via USB cable: No access to internal / external SD card > File explorer shows only internal and external SD card with no files
- Tried to copy/move/backup files from internal to external SD card: failed, files like photos, downloads are gone
- Factory reset: done, still app crashes
- Firmware flashed: done, initial configuration not possible due to app crashes, hangs in the form where to fill in my name
Any solutions or hints to fix this?
I would be very grateful for constructive solutions.
Thanks in advance!
verona said:
Hello,
I just got a new S 5 with build: KOT49H.G900FXXU1ANE2
Background:
- Rooted via Towelroot: o.k.
- Installed SuperSU: o.k
- Installed BusyBox Pro: o.k.
- Restore Titanium backup files (NO system data) with Pro version: worked fine
- installed SD card fix with this guide with total commander file editor:
-- Use a root-enabled file manager and navigate to /system/etc/permissions
-- Edit platform.xml and find "WRITE_EXTERNAL_STORAGE"
-- Add an additional group definition for this permission: <group gid="media_rw" />
-- Save the changes and restart your device
-- You are now able to write on your external SD card again
After restarting device, many system apps were crashing over and over like:
samsung data cloud relay, samsung account, google account, ....
Steps taken so far:
- Connecting via USB cable: No access to internal / external SD card > File explorer shows only internal and external SD card with no files
- Tried to copy/move/backup files from internal to external SD card: failed, files like photos, downloads are gone
- Factory reset: done, still app crashes
- Firmware flashed: done, initial configuration not possible due to app crashes, hangs in the form where to fill in my name
Any solutions or hints to fix this?
I would be very grateful for constructive solutions.
Thanks in advance!
Hmm... I've never seen a problem like this in my experience. The only thing I would suggest is going into your recovery and fixing permissions. Beyond that, I wouldn't know how to fix this without recommending you flash a new ROM after fixing permissions. If that still doesn't work, it may very well be a bad SD card or a bad SD card reader. For your sake, I hope it isn't either of these problems, as it would take longer to fix. Good luck!
BJSerpas said:
Hmm... I've never seen a problem like this in my experience. The only thing I would suggest is going into your recovery and fixing permissions. Beyond that, I wouldn't know how to fix this without recommending you flash a new ROM after fixing permissions. If that still doesn't work, it may very well be a bad SD card or a bad SD card reader. For your sake, I hope it isn't either of these problems, as it would take longer to fix. Good luck!
Before doing a firmware flash, I restored the original settings for SD card permissions, without solution.
If you think this is a permission issue, how to fix this?
Any further solutions, hints, tips?
Greetings
verona said:
Before doing a firmware flash, I restored the original settings for SD card permissions, without solution.
If you think this is a permission issue, how to fix this?
Any further solutions, hints, tips?
Greetings
Maybe anyone has a solution for how to fix permissions as posted above?
Thanks in advance.
EXACT same problem here
Hello Verona, I have EXACTLY the same problem here. Same hardware, same configuration, same setup, same symptoms. And also the same: no solution in sight! :crying:
It sounds like a permissions issue. That could be time consuming to track down and fix. I'd suggest restoring your backup to restore your phone to a stable baseline. Then do the SD card write mod following the instructions in one of the proven threads that have a lot of feedback indicating that the method is sound.
Alternately if you don't care about the Knox flag, you could install a custom recovery like TWRP. TWRP has an option to fix permissions for key files with one click. Which may resolve your issues. I rather prefer the former option myself.
Good luck.
.
permission problem
fffft said:
It sounds like a permissions issue. That could be time consuming to track down and fix. I'd suggest restoring your backup to restore your phone to a stable baseline. Then do the SD card write mod following the instructions in one of the proven threads that have a lot of feedback indicating that the method is sound.
Alternately if you don't care about the Knox flag, you could install a custom recovery like TWRP. TWRP has an option to fix permissions for key files with one click. Which may resolve your issues. I rather prefer the former option myself.
Good luck.
.
Hello fffft,
Verona already installed a new firmware! Where is here the place for remaining permission problems? I always thought that then everything is written new to the system. I have no nandroid backup because I rooted only with towelroot and it could not be written to the external SD card... where we are again at the beginning of the story.
Now I can take the decision to bring the S5 without Knox flag to the service as it is or to take the risk that the permission reset with a recovery doesn't fix the problem WITH Knox flag. I see no clear way here to make it right.
brachypelma said:
Where is here the place for remaining permission problems? I always thought that then everything is written new to the system. I have no nandroid backup because I rooted only with towelroot and it could not be written to the external SD card... where we are again at the beginning of the story.
Now I can take the decision to bring the S5 without Knox flag to the service as it is or to take the risk that the permission reset with a recovery doesn't fix the problem WITH Knox flag. I see no clear way here to make it right.
It's not clear what you are describing or asking.
It would help if you elaborated in more detail. If I understand you, you are not willing to use TWRP because you don't want to increment the Knox counter. And want an alternative to TWRP to repair your messed up permissions.
I don't recommend that. Permissions are a key characteristic of an OS. If you mess them up in any non-obvious way, your OS is unlikely to ever be 100% stable again. Notwithstanding TWRP's great job in scripting a recursive fix script, I wouldn't want to trust an OS that had to be fixed that way. If you insist, try searching for an app that fixes OS permissions. Or alternately you could extract the script from TWRP and run it from a root command line.
If your OS permissions are a mess, the better solution is reinstalling your OS (firmware). So I'd recommend that you reinstall a full stock firmware image and wipe the data partition to get back to a stable system. Then do a backup before putting your phone at risk again. If not a Nandroid, then the next best thing e.g. Titanium. Then if you wish, do the SD permissions "fix" again, but follow the instructions from a thread that has abundant positive feedback. Meaning that you should succeed this time. And if not for any reason, then you can fall back on your backup.
.
Restored the original platforms.xml file, installed TWRP via Odin (no internet access on S5) and reset the permissions. No effect at all.
What's now the next step? Wiping what can be wiped and re-flashing the T-Mobile firmware?
brachypelma said:
Restored the original platforms.xml file, installed TWRP via Odin (no internet access on S5) and reset the permissions. No effect at all.
What's now the next step? Wiping what can be wiped and re-flashing the T-Mobile firmware?
Sorry to hear that your phone is still giving you problems. But you haven't taken my advice yet. I did not recommend the TWRP "fix". Merely mentioned that it was a possibility. I further added that it could not be expected to work in all cases.
It wasn't a complete loss though. TWRP is an outstanding backup method and invaluable for miscellaneous maintenance tasks.
As to resolving the permissions issues, I recommended Odin flashing a full stock firmware + wiping the data partition. That will revert you to 99%+ stock and give you a stable base to proceed from. It will also wipe your user files, so backup anything of value that isn't already backed up first.
.
back to life....
fffft said:
Sorry to hear that your phone is still giving you problems. But you haven't taken my advice yet. I did not recommend the TWRP "fix". Merely mentioned that it was a possibility. I further added that it could not be expected to work in all cases.
It wasn't a complete loss though. TWRP is an outstanding backup method and invaluable for miscellaneous maintenance tasks.
As to resolving the permissions issues, I recommended Odin flashing a full stock firmware + wiping the data partition. That will revert you to 99%+ stock and give you a stable base to proceed from. It will also wipe your user files, so backup anything of value that isn't already backed up first.
.
fffft, I'm back to a normal behaviour of my S5 now. Thx! Flashing stock ROM !+! factory reset brought it back. TWRP was also gone afterwards, but now with an already set Knox counter I'm in a "stressless" situation because this decision is done now forever. Of course I lost 4 weeks of mobile configuration and I would like to investigate a little bit more on the original problem, because my SD card is still write protected.
When I edited the platform.xml I forgot to set the permissions to 664 before I rebooted. It was on 755 (don't remember exactly, don't know the default umask by heart). A correction in a second loop didn't already help. Could this have caused the problem?
You wrote, that I should try the modification with the platform.xml again and take instructions from a reliable source. We have indeed different information in the net.
Variant 1:
add media_rw to WRITE_EXTERNAL_STORAGE
Variant 2:
add media_rw to WRITE_EXTERNAL_STORAGE
add sdcard_rw to WRITE_MEDIA_STORAGE
Variant 3:
add media_rw to WRITE_READ_STORAGE
add media_rw to WRITE_EXTERNAL_STORAGE
add sdcard_rw to WRITE_MEDIA_STORAGE
Which mechanism created deviated problems? Otherwise the system should be ok after restoring the original file.
I could also imagine that the file coding has changed. The file was saved in UNIX mode (LF only), because I modified it with vi in a local root shell. Or that the indenting was done with TAB instead of blanks or something like that.
Any ideas?
Is there any explanation what happened there and how this can be prevented with the next try?
brachypelma said:
Is there any explanation what happened there and how this can be prevented with the next try?
Good to hear that your system is stable again.
Make sure that you make a backup while it's still stable. What happened to you is that you made changes that had unexpected results. That's not a problem per se.. it can happen to anyone. The irredeemable problem is if you have no backup to revert to. Which caused you grief trying to sort it out and get back to a stable base.
The actual problem from your apps' perspective was probably that they still didn't have as much SD access as they expected and they didn't cope well with that.
So, first thing - make sure that you make a backup. Opinions vary on how much access to give to the SD card. I'll give you a fairly liberal example that will probably work for you. If not, you can extend or restrict access to suit your situation. Just make sure you have a backup to restore if things go sideways.
The file being edited is /system/etc/permissions/platform.xml
Code:
<permission name="android.permission.READ_EXTERNAL_STORAGE" >
    <group gid="sdcard_r" />
</permission>
<permission name="android.permission.WRITE_EXTERNAL_STORAGE" >
    <group gid="sdcard_rw" />
    <group gid="media_rw" />
</permission>
<permission name="android.permission.ACCESS_ALL_EXTERNAL_STORAGE" >
    <group gid="sdcard_r" />
    <group gid="sdcard_rw" />
    <group gid="sdcard_all" />
</permission>
.
.
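A pre-reboot check for an edited platform.xml, as an added example that is not part of any post in this thread: it confirms the edited file is still well-formed XML and reports exactly which gids each permission gained or lost relative to a saved copy of the original. The function names `gid_map` and `review_edit` and the sample XML strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed baseline sample, modelled on the entries quoted in the thread.
BASELINE = """<permissions>
<permission name="android.permission.READ_EXTERNAL_STORAGE" >
    <group gid="sdcard_r" />
</permission>
<permission name="android.permission.WRITE_EXTERNAL_STORAGE" >
    <group gid="sdcard_rw" />
</permission>
</permissions>"""

# Constructed edit: media_rw added with plain ASCII quotes.
EDITED_OK = BASELINE.replace(
    '<group gid="sdcard_rw" />',
    '<group gid="sdcard_rw" />\n    <group gid="media_rw" />')

# Constructed edit: same line pasted with typographic quotes (U+201D),
# as happens when XML is copied from a formatted web page.
EDITED_BAD = BASELINE.replace(
    '<group gid="sdcard_rw" />',
    '<group gid="sdcard_rw" />\n    <group gid=\u201dmedia_rw\u201d />')


def gid_map(xml_text):
    """Return {permission name: set of gids}; raise ValueError if malformed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    return {p.get("name", ""): {g.get("gid") for g in p.findall("group")}
            for p in root.iter("permission")}


def review_edit(baseline_text, edited_text):
    """List (permission, added gids, removed gids) for every changed entry."""
    before, after = gid_map(baseline_text), gid_map(edited_text)
    changes = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, set()), after.get(name, set())
        if old != new:
            changes.append((name, sorted(new - old), sorted(old - new)))
    return changes


if __name__ == "__main__":
    for label, text in (("ok", EDITED_OK), ("bad", EDITED_BAD)):
        try:
            print(label, review_edit(BASELINE, text))
        except ValueError as err:
            print(label, "rejected:", err)
```

Run it against a copy of the file pulled off the device before rebooting; an edit that fails to parse or changes more entries than intended should not be written back to /system.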
To get another result, I decided to send my S5 back for warranty to the distributor.
The feedback will be posted in this thread.
The basic question is, what is the best way for backing up the specific model with its ROM to be on the safe side.
The only difference between brachypelma and me was that I flashed the firmware and did a factory reset, but every app was crashing straight away.
Maybe brachypelma used another ROM (what exact version?) or something internal broke down.
Before having issues, I used Titanium Backup for backing up files after setting up the mobile, but it was inaccessible in every tried way.
Maybe someone has another idea in case the warranty is denied. Maybe I used a wrong stock ROM.
What would you suggest (ROM, in this situation)?
verona said:
To get another result, I decided to send my S5 back for warranty to the distributor.
The feedback will be posted in this thread.
The basic question is, what is the best way for backing up the specific model with its ROM to be on the safe side.
The only difference between brachypelma and me was that I flashed the firmware and did a factory reset, but every app was crashing straight away.
Maybe brachypelma used another ROM (what exact version?) or something internal broke down.
Before having issues, I used Titanium Backup for backing up files after setting up the mobile, but it was inaccessible in every tried way.
Maybe someone has another idea in case the warranty is denied. Maybe I used a wrong stock ROM.
What would you suggest (ROM, in this situation)?
Feedback as promised: The device has been successfully repaired & returned.
Everything solved for me
verona said:
Feedback as promised: The device has been successfully repaired & returned.
Hello verona,
I downloaded the firmware from sammobile.com/firmwares, selected my T-Mobile brand and flashed it with Odin. After that I did a factory reset which solved my problem. Afterwards I installed towelroot again and with root access I reflashed the TWRP recovery again because the stock firmware brought the old one back.
To solve the original SD card problem I downloaded the SD KitKat Fixer from JRummy Apps Inc. which creates a perfectly written platform.xml compared to the tool from NextApp with wrong alignment.
With TWRP I'm now able to make my desired nandroid backup as well as TitaniumBackup on my SD card. I'm with all Samsung devices already with Knox flag on so I do not care at all about it meanwhile.
Now I'm there where I want to be and everything is fine. Hope you get it also working for you!
brachypelma
