Alright, because I had the feeling that the simple "UNIVERSAL" password didn't unlock all commands, I set out to find out how the weird password with ~'s is created that the rom upgrade utility uses.
Here's what I came up with after several hours of debugging/disassembling
Code:
unsigned long Crc32Table[256] =
{
0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3,
0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91,
0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5,
0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D,
0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457,
0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB,
0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD,
0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683,
0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8, 0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7,
0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79,
0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236, 0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F,
0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21,
0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB,
0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF,
0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D
};
unsigned long Crc32(const unsigned char *pData, unsigned long nSize, unsigned long nPrev=0) {
unsigned long nCrc32=nPrev;//^0xFFFFFFFF;
while (nSize) {
nCrc32=((nCrc32) >> 8) ^ Crc32Table[(*pData) ^ ((nCrc32) & 0x000000FF)];
pData++;
nSize--;
}
//nCrc32 = nCrc32^0xFFFFFFFF;
return nCrc32;
}
//By TheBlasphemer
void DecodeSecurityBuffer(unsigned char *szBuffer) {
unsigned char pSolution[16];
memset(pSolution,20,sizeof(pSolution));
unsigned long nFirstCrc=Crc32(szBuffer,16,0);
unsigned long nSecondCrc=Crc32(szBuffer,32,0);
unsigned long nThirdCrc=nFirstCrc+nSecondCrc;
memcpy(pSolution,&nFirstCrc,sizeof(unsigned long));
memcpy(&pSolution[4],&nSecondCrc,sizeof(unsigned long));
memcpy(&pSolution[8],&nThirdCrc,sizeof(unsigned long));
unsigned long nFourthCrc=0;
unsigned long i;
for (i=0; i<12; i++)
nFourthCrc+=pSolution[i];
memcpy(&pSolution[12],&nFourthCrc,sizeof(unsigned long));
for (i=0; i<16; i++) {
if (pSolution[i]<'0')
pSolution[i]='0';
else if (pSolution[i]>'~')
pSolution[i]='~';
else if (pSolution[i]=='=')
pSolution[i]='>';
else if (pSolution[i]=='?')
pSolution[i]='@';
}
memset(szBuffer,0,32);
memcpy(szBuffer,pSolution,16);
}
void DecodeRadioSecurityBuffer(unsigned char *pBuffer) {
unsigned char pSillyStuff[]={0x1F,0x00,0x1E,0x01,0x1D,0x16,0x0A,0x0F,0x0E,0x08,0x03,0x19,0x06,0x17,0x11,0x0B,0x0A,0x11,0x00,0x16,0x04,0x0C,0x1D,0x07,0x0F,0x1A,0x01,0x0B,0x0D,0x10,0x17,0x1F};
unsigned char pTraditionalBuffer[32];
unsigned short al=0;
unsigned long i;
for (i=0; i<32; i++)
pTraditionalBuffer[i]=0xCF-(i*4);
for (i=0; i<16; i++)
pTraditionalBuffer[i*2]=pBuffer[pSillyStuff[i]];
DecodeSecurityBuffer(pTraditionalBuffer);
for (i=0; i<32; i++)
pBuffer[i]=0xFF-(i*3);
for (i=0; i<16; i++)
pBuffer[pSillyStuff[16+i]]=pTraditionalBuffer[i];
}
How to use them?
To identify with the normal bootloader
send an "info 3" command. This will send you a lot of data encapsulated within HTCS(data)(crc)HTCE.
You need 32 bytes starting from offset 0x100 (256).
copy that data to a new buffer, pass it to DecodeSecurityBuffer, and that same buffer will now contain the 16-byte password
This is tested on the Universal, and it also matches the information on the Hermes
To identify with the radio bootloader
First send "rtask a" to go into bootloader mode. Then send "rinfo". This should again give you a lot of data encapsulated in a HTCS-HTCE block.
copy 32-bytes starting from offset 0x2B0 to a temporary buffer, and run it through DecodeRadioSecurityBuffer. This new buffer now contains the radio password, but it is not a normal string.
To use it, send "rpass \r" (mind the space between rpass and \r), then send "HTCS" + the password + the Crc of the password as bytes + "HTCE". It should either return "T " for succes, or "F " for failure (Encapsulated in the HTCSHTCE block)
This was only tested on the Universal
Have fun, and let me know if it's of any use
I've tested the algoritms on the Hermes too and they work, so the password and radio-password calculations are the same on both TyTN and Universal.
The attachment shows the USB log on the Hermes.
It is possible that the algo was not changed since himalaya.
And knowing radio bootloader password may give the another method of SIM unlocking/IMEI manipulation. Who would check that?
Well, as far as I know, you're the only one capable of something like that... I have no idea where to get started on that
mamaich said:
It is possible that the algo was not changed since himalaya.
Click to expand...
Click to collapse
Don't know about Himalaya, but I can confirm it is the same on the Alpine Bootloader.
mamaich said:
And knowing radio bootloader password may give the another method of SIM unlocking/IMEI manipulation. Who would check that?
Click to expand...
Click to collapse
How can we test that? my Hermes is SIM Unlocked, the Hermes bootloader has no help at all, and there's not much known info on the radio bootloader commands:
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
(see the bottom of the page)
Also, do you know if it is possible to get SuperCID on the Hermes? Where should I start looking to gather info on that?
Thanks!
TheBlasphemer: I've not had a chance to test your stuff yet, but thanks for your great research! You've been missed, nice to have you back
V
pof said:
I've tested the algoritms on the Hermes too and they work, so the password and radio-password calculations are the same on both TyTN and Universal.
The attachment shows the USB log on the Hermes.
Click to expand...
Click to collapse
POF,how do you do!
if SPL=1.06, CAN OBTAIN CID? CAN OBTAIN SUPER CID?
MY CID have closed.
howto run it through DecodeRadioSecurityBuffer
How do you actually "run it through DecodeRadioSecurityBuffer" do you have to use some sort of program to use this script??
Thanks for the code. Works fine with BlueAngel too.
FYI:
"info 6" - it is probably query for AC power state. Nothing more.
Related
Hi, all.
I find this perfect site through Google after I bought a Blackstone.
I want to do something on my phone, that's OpenGL ES.
When I download the sample code "7 OpenGL ES Tutorials for Win32/WinCE from TyphoonLabs" from khronos and compile them. The samples run well on the Windows Mobile 6.5 Emulator. (there is no libGLES_cm.dll file in the windows folder)
But, when I copy the exe files to my Blackstone, they failed to run. The Tutorials 1 only flash a title then over.
I can find a libGLES_cm.dll file in the windows folder of my Blackstone. It is 322KB, smaller than others I can get. (such as 491KB 10-10-2004). I can't replace it or delete it.
I think the 1st sample of TyphoonLabs is a typical and basic OpenGL ES app, it has not use any advanced ES feature.
however, VR HOLOGRAM runs well on my phone.
I installed "Ati d3d driver", and my app development environment is:
Visual Studio 2008
Windows Mobile 6 SDK
thanks
Have a look at the first post of my OpenGLES test app(check my sig) and try to run this app (take the latest one). There is also a link to a thread about a driverpack (v3 has just been released). Just to be sure that your device has some OpenGLES capable drivers.
AFAIK the hologram app uses d3d.
edit: The examples you mentioned create a rendering device using Red 8, Green 8, Blue 8 bits. Change them to 5, 6, 5 and try again. And don't copy their libgles_cm.dll to the device. Instead use the latest driverpack as described above.
Thank you, heliosdev
yes, i already tried your OpenGLES test app. it runs well also on my phone, but I don't understand C. do you have C code?
i try to modify the sample code following you instruction. but i failed. where am i wrong?
BOOL InitOGLES()
{
EGLConfig configs[10];
EGLint matchingConfigs;
const EGLint configAttribs[] =
{
EGL_RED_SIZE, 5, // i changed it from 8 to 5
EGL_GREEN_SIZE, 6, // i changed it from 8 to 6
EGL_BLUE_SIZE, 5, // i changed it from 8 to 5
EGL_ALPHA_SIZE, EGL_DONT_CARE,
EGL_DEPTH_SIZE, 16,
EGL_STENCIL_SIZE, EGL_DONT_CARE,
EGL_SURFACE_TYPE, EGL_WINDOW_BIT,
EGL_NONE, EGL_NONE
};
hDC = GetWindowDC(hWnd);
glesDisplay = eglGetDisplay((NativeDisplayType)hDC);
if(!eglInitialize(glesDisplay, NULL, NULL))
return FALSE;
if(!eglChooseConfig(glesDisplay, configAttribs, &configs[0], 10, &matchingConfigs))
return FALSE;
if (matchingConfigs < 1) return FALSE;
glesSurface = eglCreateWindowSurface(glesDisplay, configs[0], hWnd, configAttribs);
if(!glesSurface) return FALSE;
glesContext=eglCreateContext(glesDisplay,configs[0],0,configAttribs);
if(!glesContext) return FALSE;
eglMakeCurrent(glesDisplay, glesSurface, glesSurface, glesContext);
glClearColorx(0, 0, 0, 0);
glShadeModel(GL_SMOOTH);
RECT r;
GetWindowRect(hWnd, &r);
glViewport(r.left, r.top, r.right - r.left, r.bottom - r.top);
glMatrixMode(GL_PROJECTION);
glLoadIdentity();
glOrthox(FixedFromInt(-50), FixedFromInt(50),
FixedFromInt(-50), FixedFromInt(50),
FixedFromInt(-50), FixedFromInt(50));
glMatrixMode(GL_MODELVIEW);
glLoadIdentity();
return TRUE;
}
//----------------------------------------------------------------------------
void Render()
{
static int rotation = 0;
GLshort vertexArray[9] = {-25,-25,0, 25,-25,0, 0,25,0 };
GLubyte colorArray[12] = {255,0,0,0, 0,255,0,0, 0,0,255,0};
glClear(GL_COLOR_BUFFER_BIT | GL_DEPTH_BUFFER_BIT);
glLoadIdentity();
glTranslatex(0, 0, FixedFromInt(-10));
glRotatex(FixedFromInt(rotation++), 0, ONE,0);
glEnableClientState(GL_VERTEX_ARRAY);
glVertexPointer(3, GL_SHORT, 0, vertexArray);
glEnableClientState(GL_COLOR_ARRAY);
glColorPointer(4,GL_UNSIGNED_BYTE, 0, colorArray);
glDrawArrays(GL_TRIANGLES, 0, 3);
glDisableClientState(GL_VERTEX_ARRAY);
glDisableClientState(GL_COLOR_ARRAY);
eglSwapBuffers(glesDisplay, glesSurface);
}
On your device there is no libgles_cm.dll at the place where your exe is, right?
Otherwise remove it from the directory where your exe is.
edit:
If it still doesn't start you could try to write out some messages during initialization (at the places before returning false).
Do you have libgles_cl.dll? In the code you have thes FixedFrom* calls.
You could try to remove all these calls, i.e. instead of FixedFromInt(i) just i and you'll have to change the x to i,f or d in the calls like Rotatex.
heliosdev said:
On your device there is no libgles_cm.dll at the place where your exe is, right?
Otherwise remove it from the directory where your exe is.
Click to expand...
Click to collapse
I copied the libgles_cm.dll file before from windows folder to Storage Card, where the exe file locates.
now I delete the libgles_cm.dll file , but nothing changes.
heliosdev said:
On your device there is no libgles_cm.dll at the place where your exe is, right?
Otherwise remove it from the directory where your exe is.
edit:
If it still doesn't start you could try to write out some messages during initialization (at the places before returning false).
Do you have libgles_cl.dll? In the code you have thes FixedFrom* calls.
You could try to remove all these calls, i.e. instead of FixedFromInt(i) just i and you'll have to change the x to i,f or d in the calls like Rotatex.
Click to expand...
Click to collapse
thank you again.
I find the error occurs during initialization,
BOOL InitOGLES()
{
EGLConfig configs[10];
EGLint matchingConfigs;
const EGLint configAttribs[] =
{
EGL_RED_SIZE, 5, // i changed it from 8 to 5
EGL_GREEN_SIZE, 6, // i changed it from 8 to 6
EGL_BLUE_SIZE, 5, // i changed it from 8 to 5
EGL_ALPHA_SIZE, EGL_DONT_CARE,
EGL_DEPTH_SIZE, 16,
EGL_STENCIL_SIZE, EGL_DONT_CARE,
EGL_SURFACE_TYPE, EGL_WINDOW_BIT,
EGL_NONE, EGL_NONE
};
hDC = GetWindowDC(hWnd);
glesDisplay = eglGetDisplay((NativeDisplayType)hDC);
if(!eglInitialize(glesDisplay, NULL, NULL))
return FALSE;
if(!eglChooseConfig(glesDisplay, configAttribs, &configs[0], 10, &matchingConfigs))
return FALSE;
if (matchingConfigs < 1) return FALSE;
glesSurface = eglCreateWindowSurface(glesDisplay, configs[0], hWnd, configAttribs);
if(!glesSurface) return FALSE;
Here, it returns
Hy,
maybe this can be a workaround for you!
http://cegcc.sourceforge.net/docs/faq.html#DllDoesNotWorkWithWindowsMobile6.1
------------------
Memory management changes in Windows Mobile 6.1 cause some DLLs not to load. It has been suggested (see this blog that the underlying problem is a writable code section in the DLL, other reports suggest that the DLL size may be an issue.
The workaround or solution (I'm not sure what to call it) that we have is to restrict this DLL to Slot 0 by adding the following registry key:
[HKEY_LOCAL_MACHINE\System\Loader\LoadModuleLow] "MyDll.dll"=dword:1
Obviously you need to change "MyDll" into the name of the DLL that causes the problem.
Please note that using the this approach will force your entire DLL into Slot 0 and, it may prevent other modules from loading in that slot. Therefore, the above registry setting should be used with caution.
------------------
Greatz
mccoffein
mccoffein said:
Hy,
maybe this can be a workaround for you!
http://cegcc.sourceforge.net/docs/faq.html#DllDoesNotWorkWithWindowsMobile6.1
------------------
Memory management changes in Windows Mobile 6.1 cause some DLLs not to load. It has been suggested (see this blog that the underlying problem is a writable code section in the DLL, other reports suggest that the DLL size may be an issue.
The workaround or solution (I'm not sure what to call it) that we have is to restrict this DLL to Slot 0 by adding the following registry key:
[HKEY_LOCAL_MACHINE\System\Loader\LoadModuleLow] "MyDll.dll"=dword:1
Obviously you need to change "MyDll" into the name of the DLL that causes the problem.
Please note that using the this approach will force your entire DLL into Slot 0 and, it may prevent other modules from loading in that slot. Therefore, the above registry setting should be used with caution.
------------------
Greatz
mccoffein
Click to expand...
Click to collapse
thank you, mccoffein. that is a different idea.
But i think registry table is not the issue. Because the app can run on WM6.5 emulator, and heliosdev's OPENGL ES test app can run on my phone also.
I download glBenchmark 1.0 from glbenchmark.com, it can run also.
now I have no idea.
anyone can help me?
Got it
When I put my libgles_cm.dll in the same folder of my App, the App runs.
I think the libgles_cm.dll from HTC has some unknown problems.
Thanks
ak2009 said:
thank you again.
I find the error occurs during initialization,
BOOL InitOGLES()
{
EGLConfig configs[10];
EGLint matchingConfigs;
const EGLint configAttribs[] =
{
EGL_RED_SIZE, 5, // i changed it from 8 to 5
EGL_GREEN_SIZE, 6, // i changed it from 8 to 6
EGL_BLUE_SIZE, 5, // i changed it from 8 to 5
EGL_ALPHA_SIZE, EGL_DONT_CARE,
EGL_DEPTH_SIZE, 16,
EGL_STENCIL_SIZE, EGL_DONT_CARE,
EGL_SURFACE_TYPE, EGL_WINDOW_BIT,
EGL_NONE, EGL_NONE
};
hDC = GetWindowDC(hWnd);
glesDisplay = eglGetDisplay((NativeDisplayType)hDC);
if(!eglInitialize(glesDisplay, NULL, NULL))
return FALSE;
if(!eglChooseConfig(glesDisplay, configAttribs, &configs[0], 10, &matchingConfigs))
return FALSE;
if (matchingConfigs < 1) return FALSE;
glesSurface = eglCreateWindowSurface(glesDisplay, configs[0], hWnd, configAttribs);
if(!glesSurface) return FALSE;
Here, it returns
Click to expand...
Click to collapse
Yes. Because hWnd now is not valid handle. Hands of tutorial programmers is from ass .
Simple, call InitOGLES() after you created window.
Presently we're running a little short on kernel exploits, with the following being the only one that looks remotely plausible:
http://xorl.wordpress.com/2010/01/14/cve-2009-4141-linux-kernel-fasync-locked-file-use-after-free/
Big hold-up? For all that we have a trigger, we don't have an exploit. I believe it's up to us at this point to make that happen.
If I'm reading it right, it looks like the bug initially rears its head right here:
Code:
void __kill_fasync(struct fasync_struct *fa, int sig, int band)
{
while (fa) {
struct fown_struct * fown;
if (fa->magic != FASYNC_MAGIC) {
printk(KERN_ERR "kill_fasync: bad magic number in "
"fasync_struct!\n");
return;
}
[B]fown = &fa->fa_file->f_owner;[/B]
/* Don't send SIGURG to processes which have not set a
queued signum: SIGURG has its own default signalling
mechanism. */
if (!(sig == SIGURG && fown->signum == 0))
send_sigio(fown, fa->fa_fd, band);
fa = fa->fa_next;
}
}
... as fa_file now points to invalid memory (having been free'd earlier). The f_owner member gets shot out to send_sigio, which look like this:
Code:
void send_sigio(struct fown_struct *fown, int fd, int band)
{
struct task_struct *p;
enum pid_type type;
struct pid *pid;
int group = 1;
read_lock(&fown->lock);
type = fown->pid_type;
if (type == PIDTYPE_MAX) {
group = 0;
type = PIDTYPE_PID;
}
[B]pid = fown->pid;[/B]
if (!pid)
goto out_unlock_fown;
read_lock(&tasklist_lock);
do_each_pid_task(pid, type, p) {
send_sigio_to_task(p, fown, fd, band, group);
} while_each_pid_task(pid, type, p);
read_unlock(&tasklist_lock);
out_unlock_fown:
read_unlock(&fown->lock);
}
... in which we see the f_owner member being dereferenced. Also it gets pushed through several other functions which may be exploitable.
There are several questions to be answered before we can start attacking this:
Can we resolve the address of the fa_file data structure so we can overwrite the f_owner value?
Can we do anything with it once we've done that? (Presumably we can set it to zero to cause a null-pointer dereference, but we're mmap_min_addr = 32768 on the most recent versions, so unless we can flag the mmap region to grow down and apply memory pressure to reach page 0 this will do us no good.)
Failing the plan above: are any of the functions that f_owner gets pushed into vulnerable? I evaluated this over the weekend, but without the help of a trained kernel dev I'm not going to get very far.
While I studied a lot of this in uni, I'll admit I'm green when it comes to actually writing these exploits. I'm hoping that this will get the creative juices flowing, and perhaps provide a more comprehensive resource in case any hard-core kernel hackers want to take a look at what we're doing or give us pointers (harhar) in the right direction.
Thanks, guys. Great work up to this point.
In the original POC if you change /bin/true to /system/bin/sh you can get a new shell to open just not as root. So I'm guessing that their needs to be more added to the POC to make it a full exploit.
Right, the fork()'s in the PoC exist only to cause the file descriptor's fasync_struct to be erroneously killed, not start a root session. The root session would need to be started (presumably) by the kernel doing something to our maliciously crafted fown_struct.
The tough part is figuring out exactly where and what that fown_struct needs to be.
Well I definetly agree with you that this seems to be our best best bet I am some what of a newbie when it comes to linux allthough i am learning as i go. Do you know of any good sites to read up on kernel hacking?
Sorry Guys just got the word that this one is dead for us.....
Here is the explantion i got.
some_person said:
Nope, the bug didn't exist in 2.6.27. That's why they say >= 2.6.28 are vulnerable.
As far as how the bug works, there are 2 other issues. 1) our kernel probably wasn't compiled with AT_RANDOM 2) we don't have an elf executable.
The exploit you found does not give us root access, it crashes the system. Basically, you open the "random number generator" file, lock it, and close it... but the lock release when you close it. Then you have to call an elf executable because that generates a random number (running an elf executable) provided the kernel was compiled AT_RANDOM. you continue to call that executable (and generating random numbers) until the the lock is released on the "random number generator" file... then it's your program's turn... the kernel tries to send your program notification that the file is available, but your program has moved on. BLAM the kernel stops (or "oops").
Click to expand...
Click to collapse
Sorry to dredge up an old thread:
This exploit *will* work. According to Zanfur, the hole is in our kernel. We need to use it without AT_RANDOM (which I dont know how to do).
http://sourceware.org/ml/libc-alpha/2008-10/msg00016.html
I am pretty sure we do have elf executables, here is proof:
% file m6
m6: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
If our kernel is susceptible to this bug then it should work, as long as there is a way to do it without at random.
Though I do not in any way represent my self as a hacker or developer I was wondering if I could throw in my 2 cents. I notice that this bug/exploit won't work because it requires AT RANDOM. I was wondering if it s possible to write code that does what the function does and insert it in. Is root required to do this (i.e. insert code into the kernel that wasn't there before) or is this a matter of know-how? Just some brainstorming I thought that I would throw in.
jballz0682 said:
Though I do not in any way represent my self as a hacker or developer I was wondering if I could throw in my 2 cents. I notice that this bug/exploit won't work because it requires AT RANDOM. I was wondering if it s possible to write code that does what the function does and insert it in. Is root required to do this (i.e. insert code into the kernel that wasn't there before) or is this a matter of know-how? Just some brainstorming I thought that I would throw in.
Click to expand...
Click to collapse
This won't get us root. Even zanfur said it. Moving on....
Framework43 said:
This won't get us root. Even zanfur said it. Moving on....
Click to expand...
Click to collapse
To clarify, even if we get AT_RANDOM functionality working, we can't use this to exploit our kernel. All we can do with this is get data from a file that was recently closed. The point of this exploit is to send a signal to a process, but there are no processes we could send a signal to that would give us root.
Our kernel seems practically invulnerable, it appears that almost all exploits are patched
I'm trying to access the hidden API for Phone.class to switch the preferred network mode via reflection.
I know this is not safe for porting to other android versions/roms and requires a system app to hold permission WRITE_SECURE_SETTINGS.
I Already managed to switch data via reflection and toggle gps via Settings.Secure.putString() by moving my app to system partition, so i think this should work too.
Does anyone have experience with reflection and/or root and is willing to help?
Of course I will share all my code/findings here.
Thanks in advance!
Links:
http://stackoverflow.com/questions/8607263/android-4-0-4g-toggle
http://stackoverflow.com/questions/5436251/how-to-access-setpreferrednetworktype-in-android-source
You can achieve this with a simple sqlite3 query instead of bothering with java reflection
Here's how :
In a terminal :
To enable 2G only
Code:
su
sqlite3 /data/data/com.android.providers.settings/databases/settings.db
insert into global values(null, 'preferred_network_mode', 1);
.exit
To enable 2G & 3G :
Code:
su
sqlite3 /data/data/com.android.providers.settings/databases/settings.db
insert into global values(null, 'preferred_network_mode', 0);
.exit
In java :
Example to enable 2G only (just replace the 1 with a 0 in the insert into to enable 2G & 3G)
Code:
try {
Process process = null;
process = Runtime.getRuntime().exec("su");
DataOutputStream os = new DataOutputStream(
process.getOutputStream());
os.writeBytes("sqlite3 /data/data/com.android.providers.settings/databases/settings.db" + "\n");
os.writeBytes("insert into global values(null, 'preferred_network_mode', 1);" + "\n");
os.writeBytes(".exit" + "\n");
os.writeBytes("exit\n");
os.flush();
process.waitFor();
} catch (IOException e) {
e.printStackTrace();
} catch (InterruptedException e) {
e.printStackTrace();
}
It might require a reboot to be active though, not sure
If it doesn't work on your rom (tested on cm10.1), it might be a different row name, try investigating your settings.db like this :
Code:
sqlite3 /data/data/com.android.providers.settings/databases/settings.db
.tables [COLOR="Green"]// returns all the tables[/COLOR]
select * from [I]tablename[/I]; [COLOR="green"]// in cm10.1 it's in [I]global[/I] but otherwise look in [I]secure[/I] and/or [I]system[/I]
// this command returns all the rows from the selected table, the names are usually explicit, so you should find the setting you're looking for[/COLOR]
Then, when you found it :
Code:
insert into [I]tablename[/I] values(null, [I]'row name'[/I], value);
Thanks, this is very helpful!
I think you are right, one will need to tell the system to update the settings or send a broadcast that this setting has changed (like for airplane mode).
I will look at the CM sources to find out what i can do.
superkoal said:
Thanks, this is very helpful!
I think you are right, one will need to tell the system to update the settings or send a broadcast that this setting has changed (like for airplane mode).
I will look at the CM sources to find out what i can do.
Click to expand...
Click to collapse
Glad it helped.
If you manage to find a way to make the settings read the db without a reboot, please share your findings, would be very useful.
Androguide.fr said:
Glad it helped.
If you manage to find a way to make the settings read the db without a reboot, please share your findings, would be very useful.
Click to expand...
Click to collapse
Of course i will!
Buddy... you can toggle network mode with intent, no root needed, nor permissions!!
Here´s entire sample:
Code:
package com.serajr.togglenetworkmode;
import android.os.Bundle;
import android.provider.Settings.Secure;
import android.provider.Settings.SettingNotFoundException;
import android.app.Activity;
import android.content.Intent;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
public class MainActivity extends Activity {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
Button bnt = (Button) findViewById(R.id.button1);
bnt.setOnClickListener(new OnClickListener() {
@Override
public void onClick(View v) {
// toggle
toggleNetworkMode();
}
});
}
private void toggleNetworkMode() {
int mode = getCurrentNetworkMode() + 1;
if (mode > 2) {
mode = 0;
}
// 0 = 3G_ONLY
// 1 = 3GSM_ONLY
// 2 = 3G_PREFERRED
// change mode
Intent intent = new Intent("com.android.phone.CHANGE_NETWORK_MODE");
intent.putExtra("com.android.phone.NEW_NETWORK_MODE", mode);
sendBroadcast(intent);
}
private int getCurrentNetworkMode() {
try {
int current = Secure.getInt(getContentResolver(), "preferred_network_mode");
return current;
} catch (SettingNotFoundException ex) {
return 0;
}
}
}
Try it and tell me later!!!
Thanks, but this will only work if your phone.apk has an exported receiver for this intent.
This is only the case if you or your rom dev modded it to be so.
Some custom ROMs also have this kind of "mod/bug" in the power widget, allowing you to toggle gps.
I tried it with slim bean 4.2 build 3 on i9000 and as expected it didn't work (and so will most likely in CM10.1 too).
Just too good to be true!
If youre following the root method Use RootTools for that
sak-venom1997 said:
If youre following the root method Use RootTools for that
Click to expand...
Click to collapse
Thanks, I already do.
Really helpful library!
And yes, I will do it by sql injection to settings.db
I only need to figure out what broadcasts have to be sent / methods called and if this is possible.
Argh I am kinda lost in CM sources.
Can anyone point me to the place where this is handled?
I managed to toggle flight mode by using this in a SU shell:
Code:
if(settingenabled)
{
executeCommand("settings put global airplane_mode_on 1");
executeCommand("am broadcast -a android.intent.action.AIRPLANE_MODE --ez state true");
}
else
{
executeCommand("settings put global airplane_mode_on 0");
executeCommand("am broadcast -a android.intent.action.AIRPLANE_MODE --ez state false");
}
Interstingly enough it didn't work if i manually injected the value and then sent the broadcast.
I have no idea why.
So atm I'm trying to do the same thing for preferred_network_mode. I can write the value to settings.db, but I just don't know what i have to do to make the system apply the setting yet.
EDIT: shell binary "settings" only works in android 4.2 (and probably upwards)
So i finally found it in CM Sources.
Seems like we need to get the currently running Instance of the Phone class to notify it about the change.
Also seems like we are back to reflection, as this is an internal system class.
I also killed com.android.phone process after updating the setting, but that didn't change anything.
EDIT:
1st step towards reflection:
I figured out that i need a jar file from the cm build to use system classes via reflection.
Does anyone have more information about this?
superkoal said:
So i finally found it in CM Sources.
Seems like we need to get the currently running Instance of the Phone class to notify it about the change.
Also seems like we are back to reflection, as this is an internal system class.
I also killed com.android.phone process after updating the setting, but that didn't change anything.
EDIT:
1st step towards reflection:
I figured out that i need a jar file from the cm build to use system classes via reflection.
Does anyone have more information about this?
Click to expand...
Click to collapse
Just a far fetched guess, but maybe try to add /system/framework/framework.jar from your rom to your app's build path
Is a reboot that unacceptable in your case ?
Maybe it's just the challenge, but i wanna change it like every other setting
A reboot is very far from what i call comfortable
superkoal said:
Maybe it's just the challenge, but i wanna change it like every other setting
A reboot is very far from what i call comfortable
Click to expand...
Click to collapse
Yeah, I get what you mean^^^
Here's a good (but old, 2009^^) official Android tutorial from the Android devs on reflection if it can help you : http://android-developers.blogspot.fr/2009/04/backward-compatibility-for-android.html
So i got some news
1. This setting is heavily protected by android system and can only be modified by the phone process itself
2. Some roms have a modified phone apk listening to a broadcast, enabling 3rd party apps to toggle
http://forum.xda-developers.com/showthread.php?t=1731187
3. His Majesty Chainfire started an app project which could amongst other features also toggle 2g/3g, but he gave up development. Regarding 2g/3g he implemented several methods, one of them being RIL injection, which he described as a really hard hack and highly experimental.
http://forum.xda-developers.com/showthread.php?t=807989
Seems this task is not that easy
But i found out that tasker can toggle 2g/3g on my phone (running slim bean 4.2.2), this is when i found out about the modified phone.apk from 2). So I'mcomfortable that it's working on my phone and i can at least develop an app for myself
Sent from my GT-I9000 using xda app-developers app
I was able to install the HTC Sprint Diagnosis app on my Nokia Lumia 1520 and also have the HTC CSDDiag app installed.
Interesting Part : I was able to run CSDDiag on the Lumia handset and all tests were completed.
Now what i would like to know is how do i run this code in the Native Toast Launcher :
Code:
// Type: DiagnosticTool_Sprint.MainPage
// Assembly: DiagnosticTool_Sprint, Version=1.3.2319.13220, Culture=neutral, PublicKeyToken=null
// MVID: B9415712-08FA-4E66-9A8E-A318594B96CD
// Assembly location: C:\Users\Joshua\Desktop\SPRINT\Data\programs\{E69A2877-59B8-43ED-898D-554FBC4B8B2B}\Install\DiagnosticTool_Sprint.dll
using HTCLogUtil;
using Microsoft.Phone.Controls;
using Microsoft.Phone.Shell;
using System;
using System.Diagnostics;
using System.Reflection;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Navigation;
using Windows.System;
namespace DiagnosticTool_Sprint
{
public class MainPage : PhoneApplicationPage
{
public static string DIALER_CODE_CT_LAB = "0000";
public static string DIALER_CODE_EMBEDDED_TOOL = "634";
public static string DIALER_CODE_SERVICE_TOOL_1 = "778";
public static string DIALER_CODE_SERVICE_TOOL_2 = "786";
public static string DIALER_CODE_VZW_TOOL = "522";
public static string DIALER_CODE_CSDIAG_TOOL = "3424";
public static string DIALER_CODE_DEBUG = "33284";
public static string DIALER_CODE_ZONE_TOOL = "611";
public static string DIALER_CODE_DIAG = "3424";
public static string DIALER_CODE_SCRTN = "72786";
public static string DIALER_CODE_DATA = "3282";
public static string DIALER_CODE_UPDATE = "873283";
public static string strUri;
internal Grid LayoutRoot;
internal StackPanel TitlePanel;
internal Grid ContentPanel;
private bool _contentLoaded;
static MainPage()
{
}
public MainPage()
{
this.InitializeComponent();
}
protected override void OnNavigatedTo(NavigationEventArgs e)
{
base.OnNavigatedTo(e);
DiagDebugLogUtil.DiagDebugLog(LOG_SEVERITY.LOG_INFO, "[PC Tools]: OnNavigatedTo()++++", new object[0]);
try
{
if (!PhoneApplicationService.Current.State.ContainsKey("VersionNumber"))
PhoneApplicationService.Current.State.Add("VersionNumber", (object) ((object) Assembly.GetExecutingAssembly().GetName().Version).ToString());
string str = "634";
if (this.NavigationContext.QueryString.TryGetValue("DialString", out str))
{
if (str.Equals(MainPage.DIALER_CODE_SERVICE_TOOL_1) || str.Equals(MainPage.DIALER_CODE_SERVICE_TOOL_2) || (str.Equals(MainPage.DIALER_CODE_DATA) || str.Equals(MainPage.DIALER_CODE_SCRTN)))
this.NavigationService.Navigate(new Uri("/ServiceToolLib;component/View/PageLists.xaml", UriKind.Relative));
else if (str.Equals(MainPage.DIALER_CODE_EMBEDDED_TOOL) || str.Equals(MainPage.DIALER_CODE_DEBUG))
{
if (!PhoneApplicationService.Current.State.ContainsKey("DialString"))
PhoneApplicationService.Current.State.Add("DialString", (object) "634");
this.NavigationService.Navigate(new Uri("/EmbeddedTool;component/EmbMainPage.xaml", UriKind.Relative));
}
else if (str.Equals(MainPage.DIALER_CODE_CSDIAG_TOOL))
this.NavigationService.Navigate(new Uri("/RedirectionTool;component/RedirectionPage.xaml?tool=CSDDiag", UriKind.Relative));
else if (str.Equals(MainPage.DIALER_CODE_VZW_TOOL))
this.NavigationService.Navigate(new Uri("/RedirectionTool;component/RedirectionPage.xaml?tool=LabApp", UriKind.Relative));
else if (str.Equals(MainPage.DIALER_CODE_ZONE_TOOL))
{
if (!App.bNoBackForLaunchAPP)
{
MainPage.strUri = "sprintzone:callintercept?code=" + str;
App.bNoBackForLaunchAPP = true;
this.LaunchSprintAP();
}
}
else if (str.Equals(MainPage.DIALER_CODE_UPDATE))
{
if (!App.bNoBackForLaunchAPP)
{
MainPage.strUri = "ms-settings-networkprofileupdate:";
App.bNoBackForLaunchAPP = true;
this.LaunchUpdate();
}
}
else
this.NavigationService.Navigate(new Uri("/EmbeddedTool;component/EmbMainPage.xaml", UriKind.Relative));
}
else
this.NavigationService.Navigate(new Uri("/EmbeddedTool;component/EmbMainPage.xaml", UriKind.Relative));
}
catch (Exception ex)
{
DiagDebugLogUtil.DiagDebugLog(LOG_SEVERITY.LOG_ERROR, "[MainPage] Get Exception msg :" + ((object) ex.Message).ToString(), new object[0]);
this.NavigationService.Navigate(new Uri("/EmbeddedTool;component/EmbMainPage.xaml", UriKind.Relative));
}
DiagDebugLogUtil.DiagDebugLog(LOG_SEVERITY.LOG_INFO, "[PC Tools]: OnNavigatedTo()----", new object[0]);
}
public async void LaunchUpdate()
{
Uri uri = new Uri(MainPage.strUri);
int num = await Launcher.LaunchUriAsync(uri) ? 1 : 0;
}
public async void LaunchSprintAP()
{
Uri uri = new Uri(MainPage.strUri);
int num = await Launcher.LaunchUriAsync(uri) ? 1 : 0;
}
protected override void OnNavigatedFrom(NavigationEventArgs e)
{
base.OnNavigatedFrom(e);
this.RemoveEntry("MainPage");
}
private void RemoveEntry(string sPageName)
{
foreach (JournalEntry journalEntry in this.NavigationService.BackStack)
{
if (journalEntry.Source.ToString().Contains(sPageName))
{
this.NavigationService.RemoveBackEntry();
break;
}
}
}
[DebuggerNonUserCode]
public void InitializeComponent()
{
if (this._contentLoaded)
return;
this._contentLoaded = true;
Application.LoadComponent((object) this, new Uri("/DiagnosticTool_Sprint;component/MainPage.xaml", UriKind.Relative));
this.LayoutRoot = (Grid) this.FindName("LayoutRoot");
this.TitlePanel = (StackPanel) this.FindName("TitlePanel");
this.ContentPanel = (Grid) this.FindName("ContentPanel");
}
}
}
I can reach the Main page by issuing :
Code:
app://E69A2877-59B8-43ED-898D-554FBC4B8B2B/_default
However I would like to run the Dialer commands to see if I can mod anything else on the phone. Could some with good brain explain how this will be possible.
I have tried install other platform Diag tools but was only able to install the two above using fiddler ( thanks ngame for your tutorial )
Who did you do that ? I Try it many times before to install these aps on RM-821 Nokia Lumia 920 but didn't work !
how did you do that ? Could you please P.M Me ?
ngame said:
Who did you do that ? I Try it many times before to install these aps on RM-821 Nokia Lumia 920 but didn't work !
how did you do that ? Could you please P.M Me ?
Click to expand...
Click to collapse
It wasnt hard to install those apps. Just followed the fiddler tutorial posted.
Then I connected the phone and installed SysPushApp onto the device and did an update for the SysPushApp to get the non_OEM files of Samsung and HTC . I couldnt install Samsung Diagnosis as it wasn't letting nor was I able to install HTC Hub ( I dont know why, may be they check some .dll specific to them in the phone before install ) .
Change the oSession in fiddler config file to the specific OEM you want to install the app. Example for HTC[ ->
oSession (NOKIA)
(NOKIA), (HTC) /B]
Mt device is Dev-Unlock.
tids2k said:
It wasnt hard to install those apps. Just followed the fiddler tutorial posted.
Then I connected the phone and installed SysPushApp onto the device and did an update for the SysPushApp to get the non_OEM files of Samsung and HTC . I couldnt install Samsung Diagnosis as it wasn't letting nor was I able to install HTC Hub ( I dont know why, may be they check some .dll specific to them in the phone before install ) .
Change the oSession in fiddler config file to the specific OEM you want to install the app. Example for HTC[ ->
oSession (NOKIA)
(NOKIA), (HTC) /B]
Mt device is Dev-Unlock.
Click to expand...
Click to collapse
Samsung diagnosis already removed from wp store so you can't install it easy
and diagnosis you can see in store may different from one in Samsung phones! If you check file sizes you will get what i say
Most of HTC apps only can install ID_Resolution_HD720p and WVGA devices i don't know how is it possible to deploy them on 1080 devices
maybe MS accept this resolution for all apps because the old apps have to add 1080 support?
ngame said:
Samsung diagnosis already removed from wp store so you can't install it easy
and diagnosis you can see in store may different from one in Samsung phones! If you check file sizes you will get what i say
Most of HTC apps only can install ID_Resolution_HD720p and WVGA devices i don't know how is it possible to deploy them on 1080 devices
maybe MS accept this resolution for all apps because the old apps have to add 1080 support?
Click to expand...
Click to collapse
correct some Samsung apps are Unpublished like Diagnosis. Can you tell me how to run the above codes in Native Launcher .. what to type after app://GUID/??
tids2k said:
correct some Samsung apps are Unpublished like Diagnosis. Can you tell me how to run the above codes in Native Launcher .. what to type after app://GUID/??
Click to expand...
Click to collapse
I don't have this xaps but you have to use .Net Reflector 8 or any .net Decompiler then u can see all hidden xamls after _default you have to enter a #/ then dll name without it's dll them a ; and then folder and xaml address
example :
app://GUID/_default#/dllname;Pages/ExamplePage.xaml
ngame said:
I don't have this xaps but you have to use .Net Reflector 8 or any .net Decompiler then u can see all hidden xamls after _default you have to enter a #/ then dll name without it's dll them a ; and then folder and xaml address
example :
app://GUID/_default#/dllname;Pages/ExamplePage.xaml
Click to expand...
Click to collapse
here is the XAP
tids2k said:
here is the XAP
Click to expand...
Click to collapse
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/DiagnosticTool_Sprint;Component/app.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/DiagnosticTool_Sprint;Component/MainPage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/app.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/dmswitchpage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/embcheckspc.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/embmainpage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/fieldtrialpage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/ft1xpage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/ftactiveapnconnpage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/ftbtpage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/ftconfigpage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/ftdatastatuspage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/ftehrpdpage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/ftgpspage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/fthdrpage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/ftltepage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/EmbeddedTool;Component/ftmemorypage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/RedirectionTool;Component/redirectionpage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/ServiceToolLib;Component/homepage.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/ServiceToolLib;Component/view/checkspc.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/ServiceToolLib;Component/view/grouplists.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/ServiceToolLib;Component/view/itemedit.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/ServiceToolLib;Component/view/itemlists.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/ServiceToolLib;Component/view/lteavailablefile.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/ServiceToolLib;Component/view/pagelists.xaml
app://e69a2877-59b8-43ed-898d-554fbc4b8b2b/_default#/ServiceToolLib;Component/view/rwchoice.xaml
OMG!!!!!!!! so many xamls !
If you can get a Screen Shot of each xaml is more useful I think
None of them works. We need to add Dialercodes in the end.
tids2k said:
None of them works. We need to add Dialercodes in the end.
Click to expand...
Click to collapse
Oh i'm Really sorry . I have to buy an Ativ S to be a bit useful for other users but I have no money to buy
I'm again sorry I don't know what's going wrong in the Uris I provided :|
ngame said:
Oh i'm Really sorry . I have to buy an Ativ S to be a bit useful for other users but I have no money to buy
I'm again sorry I don't know what's going wrong in the Uris I provided :|
Click to expand...
Click to collapse
its alright mate.thanks for your help. I will try tomorrow.
did you check the xap's i posted in the other thread. I hope they will be useful. Thanks.
btw my phone came with Hong Kong firmware but I have installed the Australian firmware. Im glad atleast this was possible.
tids2k said:
its alright mate.thanks for your help. I will try tomorrow.
did you check the xap's i posted in the other thread. I hope they will be useful. Thanks.
btw my phone came with Hong Kong firmware but I have installed the Australian firmware. Im glad atleast this was possible.
Click to expand...
Click to collapse
@nGage were you able to install those apps on your phone ?
@nGage there is some good news i was able to run the strings which you posted. It was all about changing 'Component' -> 'component' and some other tweaks. But the .dll library refers to something else and hence the data is not fetchable. I will post the screenshots tomorrow. @W_O_L_F can this file 'HTC Diagnostics_Sprint be hacked in any way as I was able to install this on Nokia 1520 via Windows App Store -> SysPush ( via Fiddler i.e chainging the OEMID=HTC )
tids2k said:
@nGage there is some good news i was able to run the strings which you posted. It was all about changing 'Component' -> 'component' and some other tweaks. But the .dll library refers to something else and hence the data is not fetchable. I will post the screenshots tomorrow. @W_O_L_F can this file 'HTC Diagnostics_Sprint be hacked in any way as I was able to install this on Nokia 1520 via Windows App Store -> SysPush ( via Fiddler i.e chainging the OEMID=HTC )
Click to expand...
Click to collapse
Not for Nokia.
Be very careful with the HTC Sprint tool, since it has the ability to change NV values, even if it is commented out. (don't know why.) but it sure does.
hutchinsane_ said:
Be very careful with the HTC Sprint tool, since it has the ability to change NV values, even if it is commented out. (don't know why.) but it sure does.
Click to expand...
Click to collapse
thanks for the advice. But the app is pointless on Nokia phones as i have tried it and it doesn't work ... It can go to the menu's bit cannot get the values either it needs Interop or the dll linked is not for the device.
I need a way to search in StorageFiles with dynamically pattern, which comes from a TextBox. The directive "Windows.Storage.Search" doesnt exist in windows phone 8.1 runtime, as i saw. Now my question is, how can i do this in alternative way?
The only way to do it with WP 8.1 since Microsoft ALWAYS fails to implement the important things are to query using LINQ.
Ex:
Code:
var result = (await Windows.Storage.ApplicationData.Current.LocalFolder.GetFilesAsync(Windows.Storage.Search.CommonFileQuery.OrderByName)).
Where(x => x.Name.
Contains(x => txtBox.Text));
That's about all you can do pretty much. (Thanks Microsoft).
Thank you for the example. But it wont work for me, it shows me the following error(s):
Code:
A local variable named 'x' cannot be declared in this scope because it would give a different meaning to 'x', which is already used in a 'parent or current' scope to denote something else
and
Code:
Cannot convert lambda expression to type 'string' because it is not a delegate type
Thats really odd from Microsoft, that they havent implementet the search function like in WinRT (Windows Store App).
The first error is pretty simple. You already have the variable named "x" and it would be very bad if compiler didn't give you that error.
Change the name of the variable to something else that you don't use in that scope and it will work.
And for second problem, try this one:
Code:
private List<string> Result()
{
var result = ((List<Windows.Storage.Search.CommonFileQuery>)Windows.Storage.ApplicationData.Current.LocalFolder.GetFilesAsync(Windows.Storage.Search.CommonFileQuery.OrderByName)).Where(x => x.ToString().Contains(txtBox.Text));
return result as List<string>;
}
private async Task<List<string>> ResultAsync()
{
return await Task.Run(() => Result()).ConfigureAwait(continueOnCapturedContext: false);
}
You should call ResultAsync method and get the result in this way:
Code:
List<string> myList = ResultAsync().Result;
That's not going to work. You can't cast a StorageFile as a string.
To fix my code (simple lambda typo)
Code:
var result = (await Windows.Storage.ApplicationData.Current.LocalFolder.GetFilesAsync(Windows.Storage.Search.CommonFileQuery.OrderByName)).
Where(x => x.Name.
Contains(txtBox.Text));
if(result.Any())
{
// Do shtuff
}
Also, you should never access the .Result of an async task because you never know if it completed yet.
Ok, first error is done, but the second error is still here
Code:
Cannot convert lambda expression to type 'string' because it is not a delegate type
You are missing the point of the TAP (Task Async Pattern).
Both main thread and async method will be in execution in the same time. When the async method finish his work, main thread will stop and catch the result trough the Result property.
TAP is the recommended way of asynchronous programming in C#. The only thing with TAP is to use ConfigureAwait method in non-console type of apps to avoid deadlock.
Sooner or later you will get the result from TAP method. Nothing will get in the conflict with the main thread.
Oh wait, @andy123456 I updated my response. I forgot String.Contains ISNT a lambda .
@Tonchi91, I know all about the TAP. I've been using it since it was CTP. I've seen the awkward situations with threading in WP .
Now... if he did
Code:
List<string> myList;
ResultAsync().ContinueWith(t=> { myList = t.Result; });
I wouldn't be worried .
Ok the errors are gone, but the debugger show me the following exception:
Code:
Value does not fall within the expected range
Is this search method case-sensitive? I tried with an exact input in the TextBox.
Hmmm. Let's see your full code.
its actually only for testing, so i added your code to a button (asnyc) and will show the output in a textBlock.
Code:
private async void buttonTest_Click(object sender, RoutedEventArgs e)
{
//Result();
var result = (await Windows.Storage.KnownFolders.CameraRoll.GetFilesAsync(Windows.Storage.Search.CommonFileQuery.OrderByName)).
Where(x => x.Name.
Contains(textBox_test.Text));
if (result.Any())
{
// Do shtuff
textBlock_test.Text = result.ToString();
}
}
The error is coming from here
Code:
var result = (await Windows.Storage.KnownFolders.CameraRoll.GetFilesAsync(Windows.Storage.Search.CommonFileQuery.OrderByName))
andy123456 said:
its actually only for testing, so i added your code to a button (asnyc) and will show the output in a textBlock.
Code:
private async void buttonTest_Click(object sender, RoutedEventArgs e)
{
//Result();
var result = (await Windows.Storage.KnownFolders.CameraRoll.GetFilesAsync(Windows.Storage.Search.CommonFileQuery.OrderByName)).
Where(x => x.Name.
Contains(textBox_test.Text));
if (result.Any())
{
// Do shtuff
textBlock_test.Text = result.ToString();
}
}
The error is coming from here
Code:
var result = (await Windows.Storage.KnownFolders.CameraRoll.GetFilesAsync(Windows.Storage.Search.CommonFileQuery.OrderByName))
Click to expand...
Click to collapse
Oh Camera Roll.. You MIGHT need to have the capability to view the camera roll enabled. I forget what it's called, but you need a specific cap in order to view from there. Also, I would try to see if you can use a generic folder instead.
I would try Windows.Storage.ApplicationData.Current.LocalFolder.GetFilesAsync() as your method after the await just to test whether you can read correctly.
Yes but in wp8.1 runtime app, there arent caps anymore. The capability for access to the pictures is simply calles pictures library and is enabled. I have tested it as you said, but it gives me the same exception.
A quick tip: another way to do this is to use the Win32 C runtime API. You can, for example, use the FindFirst/NextFile functions (http://msdn.microsoft.com/en-us/library/windows/desktop/aa364418(v=vs.85).aspx) which support searches using wildcards (* and ? characters in the first parameter). These functions are wrapped in my NativeLibraries classes, but are also just publicly available for third0party developers to call from their own C++ DLLs.
Alternatively, you can use the .NET System.IO.Directory class, which has functions like EnumerateFiles(String path, String searchPattern). This is probably the better way to do it, actually.
Of course, if you want these operations to not block the current thread, you'll need to explicitly put them in their own thread or async function.
EDIT: This also assumes you have read access to the relevant directories. You application data directory works fine, for example (you can get its path from the relevant StorageFolder object). Other directories that can be accessed via WinRT functions may go through a broker function instead of being directly readable.
The point is, that i have an array with filenames. Now i need the StorageFile files which contains these filenames. My idea was to search for these files and return the files as StorageFile, so i can work with these. Or is there a simpler / another way?
http://msicc.net/?p=4182 <-- try this
Thank you, i have already done this and its working. But how can i compare the Files to read, with already read files and take only the not yet read files?