While I was writing and testing a WP 8 web app, I had it connected via wifi to Fiddler2. When I plugged my Dev Unlocked HTC 8x into my computer, the phone "dialed out" to h ttps://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/01/2010/DeviceStatus?deviceId=deviceid&fulldDeviceId=fulldeviceid The response is an XML packet that tells the phone how many days are left of being DeveloperUnlocked as well as the number of apps that are allowed!
this request/response sequence happens EVERY time I plug my developer unlocked Windows Phone 8 into the USB port of my Dev PC and PIN unlock it.
Keep in mind I installed the root cert that Fiddler generated for my PC a while back, so it can decrypt HTTPS traffic to/from my phone.
If anyone knows what the integer equivalent of "that magic DWORD value" is, I will craft a custom response packet and see if it changes anything.
Please see the attached screenshot for proof!
Edit:
So I did try GoodDayToDie's xaps and it looks like increasing the value from 10 to 2147483647 (I think its the integer equivalent to 0x7FFFFFFF) didn't have any effect that I could see. The InteropCapNoOem xap fails to deploy with error code 0x81030120. This error code normally means you are NOT interop unlocked back in the WP7 days. The OemCapsNoInterop.xap file generates an error telling me to "fix the Capabilities in [the] WMAppMAnifest.xml file.
I wonder if I can sideload more than 10 apps now though?
Maybe we can figure out what app is generating this "call home" and see if there are any other funky things we can stick in the xml tree?
Whoa. I could have sworn they were using cert pinning for that. I'll investigate, though...
EDIT: Couldn't get that connection request even showing up on my work computer. Will try from home.
Here is the service operations page:
https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/help and (according to API) DeviceStatus call don't have fullDeviceId={FULLDEVICEID} parameter.
BTW, compu829, what is the fullDeviceId parameter, how it looks like?
Wait... You could change the value on the phone? That's a huge improvement. I'm stuck with only 3 apps (stupid dreamspark) and desperately need more!
This is a great find! I, unfortunately have never seen this happen though. Do you happen to know if you had the WP Device Registration program or the Application Deployment program running at the time?
EDIT: I've been debugging multiple apps with Fiddler up and proxy on my phone and I haven't noticed this. I see it now. I feel stupid lol Time to play around
EDIT 2: Microsoft does NOT like when you have fiddler intercepting on Registration. It returns a success result, but the developer registration tool gives an error indicating that it cannot connect to the phone. Grrr and after I went through the work of changing the response value for the number of apps that can be sideloaded. I bet this is a timing thing... I'll see what I can do.
I don't think it's timing. Even if I left the request completely unmodified and just ran it through the proxy to watch the process, the tool said that there was a problem, and the phone did not get unlocked. They're either testing for the presence of a proxy somehow, or there's some side channel that *is* using cert pinning, and is therefore unable to connect through Fiddler.
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
On my phone, I noticed it AFTER I had developer unlocked it. More concrete steps on what I did to reproduce:
1. On test PC, Installed Fiddler.
2. On test PC, exported trusted root certificate that Fiddler installed.
3. Emailed certificate to my phone and installed it.
4. Now enable the proxy on the phone. Things like email, Windows Phone Updates, etc will now work normally!
5. Plug phone in to Visual Studio Development PC, and wait for the PC to detect the device.
6. You will see the phone "dial out".
Without installing the fiddler trusted root certificate, you will see the handshake, but the phone doesn't know what do do with the packet because the certificate generated by fiddler is untrusted.
Using this same technique, you can have some serious fun with Windows Updates
GoodDayToDie said:
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
Click to expand...
Click to collapse
see last post Are you guys installing the trusted root certificate on your phone?
compu829 said:
see last post Are you guys installing the trusted root certificate on your phone?
Click to expand...
Click to collapse
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc but it just hates it when dev unlocking the phone. Which other trust root cert are you speaking about?
more detailed instructions
snickler said:
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc but it just hates it when dev unlocking the phone. Which other trust root cert are you speaking about?
Click to expand...
Click to collapse
this is what I did:
On Development PC:
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, click Add, select current user, and then click Finish.
4. click ok to close the add/remove snap-in dialog
5. In the left-hand pane navigate to "Trusted Root Certification Authorities" --> "Certificates"
6. in the right-hand pane, look for the certificates labeled "DO_NOT_TRUST_FiddlerRoot" (I have two for some reason, you may only have 1)
7. Right-click on the certificate and go to "All Tasks" --> "Export".
8. Run through the certificate export wizard, leaving everything as the defaults.
9. Once you have exported your certificates, email them as attachments to your Windows phone.
10. Open the email on your WIndows Phone. Click on the certificate file and wait for it to process. Then when prompted, install it.
11. After that, any https traffic that you intercept/edit will go through as trusted to your Windows phone, provided that the application isn't expecting a specific certificate.
Things this made work:
1. all App communications over https
2. Windows Updates
3. all email accounts.
4. App Store communications (except for actually downloading apps, IIRC).
Things that didn't work:
1. Anything that requires certificate pinning as the certificate is embedded within the app. Therefore it doesn't make a call into the trusted root certificate store. I believe this includes running the actual "Developer Unlock" app.
if you place the following code in the "OnBeforeResponse" section of the CustomRules.js file, you should be able to install more than 3 or 10 apps, provided the program that is "phoning home" isn't using certificate pinning.
Code:
oSession.utilDecodeResponse();
oSession.utilReplaceInResponse("AppsAllowed>10</","AppsAllowed>400</");
... These are steps that have already been taken. You actually did even more steps then necessary. All you have to do is point to your computer's IP address and port that Fiddler is running on within IE Mobile (Make sure Remote IP access in Fiddler is enabled), click on the certificate and it will install on the phone. You'll be able to see the requests from the phone. Everything you listed above is what I've been able to do. Nothing different from what I was saying .
@compu829: Yes, of course I am. If I weren't, it wouldn't be possible to edit that value at all; I wouldn't even see it because the TLS handshake would fail... (FWIW, I work with proxies all the time, usually Burp Suite not Fiddler, but in any case I'm quite familiar with setting up the MitM certs). I do wonder whether there's something changed here (GDR2 change, maybe?) because I could have sworn that intercepting the phone's traffic during unlock didn't work at all before (presumably due to cert pinning). I may be mistaken, though.
In any case, it still doesn't *actually* work. I guess I could try invisible proxying - use ARP spoofing or a custom routing rule on the router to send the data through my PC, and capture/modify it there, without revealing the presence of a proxy - but I don't know if that's the issue or if it's something else entirely.
EDIT: Your steps are way more complex than needed. For example, you can export the root cert from Fiddler by going to Tools menu (in Fiddler) -> Fiddler Options -> HTTPS.
whoops lol. Oh well. I didn't realize it was so easy to export/Import!
Anyways, All I know is that I could pretty much do nothing on my phone when I connected it to the proxy until I emailed myself the root cert. Once I did that, email started flowing, apps started working, and WIndows Updates stopped erroring out.
It is entirely possible that whatever is generating the call is silently rejecting the response packet. I was just shocked when I plugged my phone in to see that packet show up.
I know that Windows Updates lets me modify the requests and responses without complaining, so maybe that is another way in? I assume that must be running elevated lol. Maybe we can get it to launch a background app that is already on the phone.
The way I see it, this will only work temporarily. Next time phone dials home without you running the Fiddler it will reset the AppsAllowed value. Am I right?
@amaric: If you'd actually read the thread, you'd see that it doesn't appear to work at all...
But yes, it would probably reset itself too. We don't have the ability (right now) to edit the registry keys which control that phone-home behavior. However, it might be / have been possible to do that if we had interop-unlock...
on the phone there is the file "PhoneReg.exe", which works with this data, and it check certificate Common Name (must be Microsoft...) and Thumbprint to hardcoded data
Didn't the ChevronWP7 work exactly like this until MS fixed the bug in NoDo?
@snickler, @GoodDayToDie
There is something I can't get out of my head...after the Ativ S devices are interop unlocked, they'd "reset" after a while until we made them stop phoning home...This means that somehow Microsoft is associating the phone's device ID with your interop level...is this something done purely server side, or is there a way to maybe send this info TO Microsoft's servers so they can send the info back to our phones? Just a thought....
That's an interesting research question; we can set the URLs which are used to make those "phone home" checks to a site we control, possibly use HTTP instead of HTTPS, and see if they work. Worst case, cert pinning will cause the connection attempt to fail and we're right where we are now; best case, it's... umm, well it's interesting, but I don't see any likelihood of actually getting *additional* permissions out of this. Still, I've been wrong about things like that before. Somebody want to set up a transparent HTTP -> HTTPS proxy to listen for the request, forward it, record the response and forward it?
Hello,
I am a beginner on Android coding.
I own a Minecraft Pocket Edition server, and I would like to create an assistant app that would include in-app purchases to get in-game ranks. As a consequence, when a player purchases something, it needs to edit my MySQL database to give him his purchase on all servers.
I though to use PHP script to do so, but anyone uncompiling the app would be able to see how it works and get ranks for free.
I would like to know a secure way to edit a MySQL database on in-app purchase.
Thanks for your help
Edit : apparently it has something to do with the RSA key we get on our dev console. If I understand, when a purchase is made, an encrypted data is sent back to our application. From the application, I have to send that encrypted data to a php script. The php script has to verify that data signature is correct using the RSA key that I have to put in my script, and use open_ssl_verify.
Did I understand or not at all ?
Thanks again
I am a little upset with the built in Note 4 encryption. I encrypted my phone with a password because I would like it to be secure, however, when I change my phone password it changed the encryption password to the same thing. This is troubling to me because this tells me that my phone is not necessarily encrypted using the original password I gave it as the unique encryption and decryption key. Could somebody explain to me how the Note 4's encryption works? I just can't believe it is very secure if the so the call encryption key is the exact same as the phone password which can just be scraped from the RAM.
Sorry to bring this old thread back up.
Regarding scraping from RAM, AFAIK there is currently no known way to use disk encryption on android or elsewhere without having the key stored in ram. I recently read about some proofs of concept and other ideas regarding possible different storage locations such as dedicated hardware, but I do not believe any commercial applications use this.
Regarding the key being linked to the password - this is a somewhat different issue from the one above. Usually the drive is encrypted with a master key that is randomly generated and consists of a certain fixed length. That key is then encrypted using your "user password". Therefore, when you change password, you (among other things) decrypt the master key and reencrypt it but with a new password. That was the key is not directly ties to the password.
New method of resolution ReCaptcha
This technique permits passing captchas while not the requirement to emulate browser and causation U.S.A. pictures, conjointly it provides a hundred resolution accuracy. UPD 17.08.2016: Please begin causation U.S.A. your proxies and urls wherever you get recaptcha (if you do not do therefore already) - before long google would force it and that we don't desire to own any interuptions in your work. See for details UPD twenty seven.06.2016: Hooray! currently we are able to solve recaptcha for any web site. however we tend to haven’t enforced the ultimate version with victimization proxies. presently staff receive captchas from their own science, that makes it straightforward for recaptcha to dam this temporary resolution. just in case such an incident happens before we tend to roll out the ultimate version of our interface we'll keep you updated here.
Intro: Let's begin with number of words on captcha's algorhytm, let's examine what traffic and at that purpose is being sent.
1. User enters the page and also the recaptcha type is uploaded from google
2. User clicks the checkbox and solves the captcha
3. once the captcha is resolved, google checks the solution and returns code to the user within the field <textarea id="g-recaptcha-response"
4. User fills all the forms on the page
5. User sends these forms. At an equivalent time code is distributed from the sphere "g-recaptcha-response"
6. web site receives knowledge from the users and sends a call for participation to google to ascertain code's validity from the sphere "g-recaptcha-response"
7. Google checks the validity of the code. If the code is valid the location continues process user's knowledge for extra data and a in small stages instruction please see the way to solve recaptcha while not the employment of the browser emulation
Recaptcha resolution scheme:
1. You fill all the required fields
2. You send U.S.A. Site_Key from the location + further knowledge ( optional: universal resource locator of the page, wherever you have encountered the captcha, PROXY that you simply use)
3. we tend to transfer captcha to our server and assign a employee to resolve it
4. once the employee solves his captcha we tend to receive g-recaptcha-response
5. we tend to come g-recaptcha-response to you
6. You enter our answer into the sphere g-recaptcha-response and pass the shape Price: one thousand for $2,99 wherever do i purchase and wherever do I input the data? Browse HTML-code of the page, wherever you have encountered the captcha:
1. notice this parameter
data-sitekey=
This is site's key, it's constant and distinctive for every web site (unless admin changes it manually)
Return the key back to U.S.A. as parameter
googlekey=%data-sitekey%
2. notice the sphere for text
<textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response" style="width: 250px; height: 40px; border: 1px solid #c1c1c1; margin: 10px 25px; padding: 0px; resize: none; "></textarea>
You will have to be compelled to enter our answer here