Possible to modify versionCode in compiled APK AndroidManifest.xml? - Android Software Development

I made a mistake and formatted the hard drive of my old computer and sold it, without backing up my keystore for my app published in the Android Market.
My attempted solution:
Take the version from the market signed with the original key (key A), sign it again with my new key (key B) and upload it to the market. Then I will be able to upload another version signed only with key B.
I successfully signed the application with both keys, the problem is that I can't upload the same application again because the version code is still 10, I need to change it to 11. I've opened the AndroidManifest.xml and found that I can change the irrelevant versionName, but can't find the versionCode in there.
Anyone have any ideas? I would really prefer not to unpublish the application because I rely on the income I make from advertisements in it and I don't want to compromise my downloads/rating/position in the market.
Thanks in advance to all who provide constructive feedback.

Nexeo said:
Take the version from the market signed with the original key (key A), sign it again with my new key (key B) and upload it to the market. Then I will be able to upload another version signed only with key B.
I think Market will require signing by key A in every new version of an app. Otherwise signing would make no sense, because anyone could hack it using the above technique.
Second, even if you modify AndroidManifest.xml, the signature for key A will then be invalid.
If you have lost your key then you're screwed. I don't think you can do anything but release new versions of your app as a new app, with a different package name. Even Google can't help you.
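Why editing AndroidManifest.xml invalidates the key A signature, as an added Python sketch that is not part of the thread: it models the JAR-style digest chain (entry digests in MANIFEST.MF, manifest digest in CERT.SF) and shows which link breaks after each change. The file contents and the `CERT.SF` name are constructed samples, and the signature block that key A produces over CERT.SF is not modelled.

```python
import base64
import hashlib
import io
import zipfile


def b64sha1(data: bytes) -> str:
    """Base64 of the SHA-1 digest, the form stored in MANIFEST.MF and *.SF."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_manifest(files: dict) -> bytes:
    """META-INF/MANIFEST.MF: one section per archive entry with its digest."""
    text = "Manifest-Version: 1.0\r\n\r\n"
    for name in sorted(files):
        text += f"Name: {name}\r\nSHA1-Digest: {b64sha1(files[name])}\r\n\r\n"
    return text.encode("ascii")


def build_sf(manifest: bytes) -> bytes:
    """META-INF/CERT.SF: digest of the whole manifest. The signature block
    (not modelled here) is the signer's signature over exactly these bytes."""
    return ("Signature-Version: 1.0\r\n"
            f"SHA1-Digest-Manifest: {b64sha1(manifest)}\r\n\r\n").encode("ascii")


def pack(files: dict, manifest: bytes, sf: bytes) -> bytes:
    """Assemble the archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", sf)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def attributes(block: str) -> dict:
    """Parse 'Key: value' lines (72-byte line continuations are not handled)."""
    return dict(line.split(": ", 1) for line in block.split("\r\n") if ": " in line)


def verify_digest_chain(apk: bytes) -> list:
    """Return a list of problems; an empty list means every digest matches."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        manifest = z.read("META-INF/MANIFEST.MF")
        sf = attributes(z.read("META-INF/CERT.SF").decode("ascii"))
        if sf.get("SHA1-Digest-Manifest") != b64sha1(manifest):
            problems.append("MANIFEST.MF does not match the digest signed in CERT.SF")
        listed = {}
        for block in manifest.decode("ascii").split("\r\n\r\n"):
            attrs = attributes(block)
            if "Name" in attrs:
                listed[attrs["Name"]] = attrs.get("SHA1-Digest")
        for name in z.namelist():
            if name.startswith("META-INF/"):
                continue
            if listed.get(name) != b64sha1(z.read(name)):
                problems.append(f"{name}: digest differs from MANIFEST.MF")
    return problems


def demo() -> dict:
    # Constructed stand-ins; a real AndroidManifest.xml is binary XML.
    original = {"AndroidManifest.xml": b"<manifest versionCode=10>",
                "classes.dex": b"constructed dex bytes"}
    manifest = build_manifest(original)
    sf = build_sf(manifest)
    edited = dict(original)
    edited["AndroidManifest.xml"] = b"<manifest versionCode=11>"
    return {
        "untouched": verify_digest_chain(pack(original, manifest, sf)),
        "entry edited": verify_digest_chain(pack(edited, manifest, sf)),
        # Regenerating MANIFEST.MF only moves the failure up one level:
        # CERT.SF would have to change too, and only key A can sign a new one.
        "entry edited, MANIFEST.MF regenerated":
            verify_digest_chain(pack(edited, build_manifest(edited), sf)),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```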

I could try to modify version number in your AndroidManifest.xml file if you really want, but I don't see any sense in this.

Brut.all said:
I could try to modify version number in your AndroidManifest.xml file if you really want, but I don't see any sense in this.
The sense/hope was that I could take version 1.9 (currently in the market signed with the now lost key) and sign it again with the new key, then upload it with both signatures as version 1.9.1 so therefore I could upload version 2.0 signed only with the new key. If I had both keys this would be a successful way of switching between keys, but because I do not have both I was hoping to modify the compiled/signed app to change the versionCode (not versionName) from 10 to 11 (so the android market would accept it as a new version) and then sign it with the new key, and somehow make it so the signature with the old key was still valid.
The more I work on this and try the more I realize it's probably not possible. I've tried inserting new MD2 hashes for everything that has changed after I've tried modifying files and such but I always get that the application failed to install on my device...

Nexeo said:
The sense/hope was that I could take version 1.9 (currently in the market signed with the now lost key) and sign it again with the new key, then upload it with both signatures as version 1.9.1 so therefore I could upload version 2.0 signed only with the new key. If I had both keys this would be a successful way of switching between keys, but because I do not have both I was hoping to modify the compiled/signed app to change the versionCode (not versionName) from 10 to 11 (so the android market would accept it as a new version) and then sign it with the new key, and somehow make it so the signature with the old key was still valid.
The more I work on this and try the more I realize it's probably not possible. I've tried inserting new MD2 hashes for everything that has changed after I've tried modifying files and such but I always get that the application failed to install on my device...
I was just in a similar situation and emailed Google directly. Surprisingly, I received a personally written response. So I can tell you with 100% confidence that you are out of luck: to update a published application you HAVE to use the same digital signature as the original. Otherwise, you'll have to publish the update under a new package name. There is absolutely nothing Google can do. Of course, if you were Angry Birds I'm sure they'd make an exception, but small timers like us are out of luck.

Nexeo said:
The sense/hope was that I could take version 1.9 (...)
Yeah, you said that already and I gave you two reasons, why you can't do that:
invalid signatures for key A
requirement for key A in all future versions of your app
Chalup said:
Of course, if you were Angry Birds I'm sure they'd make an exception, but small timers like us are out of luck.
Google can't do anything even if they want - it's technically impossible. They could replace your app with new one with different package name, then copy all ratings, comments, etc. from old one, but they simply can't change key for existent package name.

Been there, done that...lost keystores of 3 published apps. Wrote Google too...no joy.
You are puckered. As am I, because I cannot post an update to my apps without a new package name. Which, of course, leaves all current users unable to get the update without repurchasing.
I wish there was a better way.... we all lose files from time to time. Why not make part of the publish process an upload of your keystore to the Google servers? Seems like a solution to me.
In the meantime, I now have at least 5 copies of my keystores saved on various media: e-mails to myself, file server, CD etc. Just have to deal with it I guess.

Sending the hard drive off to a data recovery company who seems to be pretty confident. Hopefully they can find .keystore files.

I GOT MY KEYSTORE BACK!!!
I used the best f-ing software in the universe to restore the file (it truly is amazing): http://www.ntfs.com/boot-disk.htm

Nexeo said:
I GOT MY KEYSTORE BACK!!!
I used the best f-ing software in the universe to restore the file (it truly is amazing): http://www.ntfs.com/boot-disk.htm
Sweet find, I have all my stuff backed up on an IronKey flash drive. But it's a lot more than just my Keystores, it's also all of my work files and such. If you have some extra money I would recommend one. The only bad thing is the highest model's capacity is 32GB.

Rootstonian said:
Why not make part of the publish process an upload of your keystore to the Google servers? Seems like a solution to me
I think you don't understand what this signing is for. Its purpose is to make sure you're installing an application from the original author, not some hacked or infected version. And you want to open some backdoor for installing an application created by a different author (no keys = different author). Your "solution" would make signing totally useless.

Chalup said:
Of course, if you were Angry Birds I'm sure they'd make an exception, but small timers like us are out of luck.
I don't think that's true. Recently, the wildly popular app "Vignette" suffered from pretty much the same issue and had to republish.

Related

Creating Custom ROM for nexus one

To save me "re-inventing the wheel", can anyone advise me on the proprietary files needed from the N1 to build a custom ROM for it? e.g. libhtc_acustic.so and libhtc_ril.so
I am trying to build a ROM from the open source project, so if anyone has advice for me please let me know.
Before you ask, the only reason I am doing this is because I have system apps I want to try on it and they need to be signed with the same key as the shared system uid. If you know a way I can build a ROM from the Nexus to do this please let me know.
Ne0
I don't believe the 2.1 source has hit the AOSP repos yet. So you won't be able to build a complete framework/kernel until that is released.
You could dump your N1 and then just unarchive and resign everything, but it would be a hell of a job I think
I realise 2.1 is not a public resource yet, but I am attempting to roll back to Eclair, just for the purpose of testing my system apps.
I want to resign everything and I don't mind if it's a hell of a job!! What do you mean by unarchive? And what's the best way to get a complete dump?
Thanks for your help.
Ne0
Roll back to eclair won't work. The binary blob drivers are tied to a kernel and the kernels are (kinda) tied to the platform releases. So the N1 can only house 2.1 right now (IIRC)
What I was alluding to is that each APK/JAR contains a signature that you want to replace with a sig made by the test keys right?
So if you pulled /system from your N1 and re-signed each apk and the framework with test keys and pushed that back or made an update.zip holding the re-signed apks (like the theme-makers) you should then be able to test your platform app that is also signed with test keys and a shared UID.
I too would like to know the answer to this.
SilentMobius said:
Roll back to eclair won't work. The binary blob drivers are tied to a kernel and the kernels are (kinda) tied to the platform releases. So the N1 can only house 2.1 right now (IIRC)
What I was alluding to is that each APK/JAR contains a signature that you want to replace with a sig made by the test keys right?
So if you pulled /system from your N1 and re-signed each apk and the framework with test keys and pushed that back or made an update.zip holding the re-signed apks (like the theme-makers) you should then be able to test your platform app that is also signed with test keys and a shared UID.
SilentMobius said:
I don't believe the 2.1 source has hit the AOSP repos yet. So you won't be able to build a complete framework/kernel until that is released.
You could dump your N1 and then just unarchive and resign everything, but it would be a hell of a job I think
Correct ... resigning everything with test keys would enable someone to test out said system apps (also signed with testkeys) ... but only as a test, as it would not be suitable for everyday ROM use.
Resigning with test keys is trivial (search for it) ... but I'd recommend you use the de-odex'd system (see the nexus1 theme templates in my sig).
The reason this is not an everyday solution is b/c resigning everything with testkeys will break the google checkin process, meaning signing into google and using the market will largely break.
But if this is truly just for some sorta system app test, that shouldn't matter.
Other than that, the OP's question is fairly broad in scope. A question like "how to create a custom ROM for nexus1" ... implies many things and many answers.
~enom~
enomther said:
Resigning with test keys is trivial (search for it) ... but I'd recommend you use the de-odex'd system (see the nexus1 theme templates in my sig).
The reason this is not an everyday solution is b/c resigning everything with testkeys will break the google checkin process, meaning signing into google and using the market will largely break.
~enom~
Thanks enom, great work. My system apps are just for testing, though it would be handy to make it into a complete ROM so I don't have to keep reflashing when I need to use them. Are you saying that it is not possible to get google checkin working this way? Or just that no one has done it yet?
Ne0
Just resigned, sync'd with google, market works and I can install my system apps. All thanks to ~enom~, thanks for posting the deodexed system, saved me a bit of time!

[API][APP] ZipSigner -- signing zip and apks onboard the device

I've developed an open-source java library for signing files onboard the device and an app that demonstrates its use.
The app is "ZipSigner" and it's in the market. Binaries and source for the libraries and app are available at http://code.google.com/p/zip-signer.
More information on using the app can be found at http://sites.google.com/site/zipsigner/
BASIC API USAGE:
Code:
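import kellinwood.security.zipsigner.ZipSigner;

try {
    // Sign with the built-in default test key/certificate.
    ZipSigner zipSigner = new ZipSigner();
    // Java string literals need double quotes; 'testkey' does not compile.
    zipSigner.setKeyMode("testkey");
    // inputFile and outputFile are the paths of the unsigned and signed zips.
    zipSigner.signZip(inputFile, outputFile);
} catch (Throwable t) {
    // log, display toast, etc.
}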
I developed this code as part of an effort to create a theming application that creates update.zip files on the device (ZipThemer).
I tested by having Titanium Backup generate its update.zip, signed it with the ZipSigner app, and then flashed it in recovery.
Enjoy,
Ken
Version 1.1
Version 1.1 is out. The library code size is significantly smaller in this version since I reduced the need to include sun.security.pkcs and sun.security.x509. For example, the ZipSigner app is now 1/6 its former size (now 47kb).
I'm not sure I see the relevance of this. I don't know about all devices, but from my understanding, for an update.zip to be accepted by the device, it needs to be signed by a trusted authority (i.e. HTC or Samsung, etc.). On the other hand, if you're rooted and have a custom recovery partition, they ignore signatures anyway. Is it the case that some devices require a signed update.zip, but then don't give a hoot who signs it?
Yes, the root recovery programs do verify the signature, and no, the certificate does not need to be trusted.
I'm assuming this API is only going to be picked up for use in root-enabled apps where the developers can assume the users have the ability to flash updates.
kellinwood said:
Yes, the root recovery programs do verify the signature, and no, the certificate does not need to be trusted.
All of them? Are you sure? Clockwork recovery on my HTC Aria cares not-at-all about signatures on update.zip's.
Am I sure? No. After a bit of research it appears the recovery programs, if they verify the signature, require the signing certificate to match one built into recovery itself. In the case of most root recovery programs I think this is the test certificate available from Google, and also the one used by default in my code.
Clockworkmod recovery has the option to turn off signature verification
Runawaycoder said:
Clockworkmod recovery has the option to turn off signature verification
Yes, but the question seems to be: what signatures does it accept? The whole point is to verify the authenticity of the update, but if it uses the google debug key, then anybody can sign an update with that key thus eliminating any benefit of authenticity verification.
In other words, why bother turning it on at all?
Gene Poole said:
Yes, but the question seems to be: what signatures does it accept? The whole point is to verify the authenticity of the update, but if it uses the google debug key, then anybody can sign an update with that key thus eliminating any benefit of authenticity verification.
In other words, why bother turning it on at all?
If you use Amon_RA you need to sign them.
I'm not familiar with Amon_RA (other than the Egyptian deity). What certificates does it use for authentication?
Amon_RA on my Droid Eris allows update.zip files to be flashed if they've been signed with the Google test key.
I was forced to release "ZipSigner 2" today to deal with app signing issues that prevent further updates to the original app. There will be no more updates to the original version. Please uninstall ZipSigner and install "ZipSigner 2" in its place. See this page for the gory details of what went wrong.
Ken
Hello developer! I found your app while desperately trying to sign an app that I modded. It seems to work, but the output file is in .zip. I renamed it to .apk but it doesn't allow me to install, and gave a parse error message. Is it possible to troubleshoot for me? Thanks!
Send me a pm and attach the unsigned apk and I'll try and reproduce the problem.
Ken
qHD (Sensation XE). Bug?
App name change
I've just uploaded version 3.3 to Google Play. In this version I've renamed the app from "ZipSigner 2" to just "ZipSigner".
Ken
[zipsigning] Hacked Candy Crush
Hi Dev,
Great work! i have a question though, i have modified the file inside the candy crush APK files (1000 lives + 200 moves), and using your app to sign it again, it installs but the game cannot connect to facebook. Would you know why is this?
vertcam9 said:
Hi Dev,
Great work! i have a question though, i have modified the file inside the candy crush APK files (1000 lives + 200 moves), and using your app to sign it again, it installs but the game cannot connect to facebook. Would you know why is this?
Yes, I know why it doesn't work. It's complicated, but I'll do my best to explain...
In order to login to Facebook from an Android app, the app developer must first register the app with facebook. Facebook provides the developer with an API key value, and the developer provides Facebook with the app's "keyhash" value (computed from the certificate used to sign the app).
Developers usually hard-code the API key value into the app because it must be passed to Facebook when the app requests a login, along with any credential information such as the user's email and password. Facebook then recomputes the keyhash value using the app's certificate, and if the API key and computed keyhash combination don't match the expected value the login fails.
Long story, short... resigning the app with a different key/certificate is what breaks the login. In theory you can fix this but the level of effort is high... You'd have to register an app yourself on developers.facebook.com, then hack the Candy Crush code to swap in the API key value you've been provided by facebook, and register the keyhash of the certificate you are using to re-sign the hacked app. The difficult part IMO is finding and modifying the API key value inside the original app.
Ken
@kellinwood, I sent you an email recently with this message:
First I want to thank you for creating ZipSigner library as I don't have to rewrite the whole thing.
I have some troubles using your latest zipsigner-lib 1.17 though as I can't use the zip signed with either media, platform, shared, testkey key with CWM 6.0.4.3 (on N7 2012 for that matter). The produced zip does not pass signature verification. I also tried your app version 3.4 and it has the same issue.
I attach the unsigned zip here for you. This zip is generated by my app here https://play.google.com/store/apps/details?id=me.timos.busyboxonrails
Any help will be greatly appreciated.
bigeyes0x0 said:
@kellinwood, I sent you an email recently with this message:
Any help will be greatly appreciated.
What are you using to verify the signature created by ZipSigner, the thing that says it can't verify the signature... e.g., jarsigner on the desktop? The recovery program on your device? Please attach the signed version of the zip file that doesn't pass verification. Thanks,
Ken

Fiddlin with Windows Updates

So after reading about all the App Store hacks that have developed around Fiddler2, I decided to give it a go myself. After setting up the proxy, I noticed that most SSL-based transactions were failing to connect on my device (Windows Updates, Email, etc).
I exported the SSL cert that Fiddler2 installed on my development PC, emailed it to myself, and installed it on my Windows Phone device. Lo and behold, most of my SSL issues went away! (App store still wouldn't auth). More interestingly, Windows Updates started checking for updates successfully. These transactions are done with SOAP calls.
The basic process is as follows:
1. Phone initiates a connection to the windows update server
2. a series of cab files are downloaded containing certificate and base URL info of the update server
3. the phone connects to the update server with a list of all updates it has installed as well as a unique device identifier.
4. the server responds with a list of updates that it wants the phone to evaluate.
5. If the phone decides it needs the update, it sends a request to the server for instructions to deter
6. the server responds with a specially crafted packet that contains a link to where the microsoft cab can be downloaded from as well as a checksum of the cab file and evaluation instructions to determine if the update is needed. (checking registry keys, etc the SOAP commands contain things like RegRead32)
7. the phone then downloads and installs the update, if needed.
Fiddling around with fiddler, I was able to remove the "filter" GUID from the phones request to the server. As a result, it evaluated and installed any update it could get its hands on. The Hardware Test app still shows that my last update was 5/1/2013, but the number of updated packages included in that update jumped from 83 to 200!
I have some more experiments I would like to try (such as trying to blindly write a reg key instead of just reading it...anyone know of a good one?). I am also wondering if I can somehow package a Microsoft cab file, and tell the update mechanism to download and install it. Depending on how it evaluates the cabs, I might be able to get away with signing the cab with the private key from the Fiddler certificate I installed.
Just thought I'd pass along
Very, very nice finds! I had noticed the cert pinning used on the store and on dev-unlocking, but apparently had failed to look into the update process.
Give me a little while and I'll find you the reg key used for dev-unlock. I can't guarantee you that I'll be able to give you the exact value you need - they seem to have changed the format since WP7, and I'll be working blind from templates and policy files here - but it's worth a shot. Mind you, I wouldn't be surprised if the whole process is read-only, or if the responses from Microsoft are signed (although you could try re-signing them, I guess). For what it's worth, creating an entire update from scratch (or even editing one) is unlikely to work; Windows has required a Microsoft signature (not just any trusted signature) on update files for many years now. It's certainly possible that they messed that up, though.
I also kind of want to see if some of the recent ZIP signature validation bypass exploits from Android (where you could create a ZIP file containing multiple files that have the same name, and the original would be used for the signature but the *last* copy of each file would be the one actually unpacked) might be made to work as well. I've got some ideas about that... not sure if it would work for the update format, though.
Please keep researching this!
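The duplicate-name ambiguity mentioned above can be checked for before any signature verification runs. This is an added Python example, not code from the thread: it lists every central-directory record, flags names that occur more than once, and shows that a first-match reader and a last-match reader would see different bytes. The archive and its contents are constructed samples.

```python
import collections
import io
import warnings
import zipfile


def build_sample_with_duplicate() -> bytes:
    """Constructed sample: 'classes.dex' is recorded twice with different data."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile itself warns when a name is written twice; silence it here.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("AndroidManifest.xml", b"constructed manifest")
            z.writestr("classes.dex", b"first copy")
            z.writestr("classes.dex", b"second copy")
    return buf.getvalue()


def build_clean_sample() -> bytes:
    """Constructed sample with unique entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed manifest")
        z.writestr("classes.dex", b"only copy")
    return buf.getvalue()


def find_duplicate_entries(data: bytes) -> dict:
    """Map each repeated entry name to what different readers would extract."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        by_name = collections.defaultdict(list)
        for info in z.infolist():  # one item per central-directory record
            by_name[info.filename].append(info)
        for name, infos in by_name.items():
            if len(infos) < 2:
                continue
            # Reading via the ZipInfo object selects one specific record.
            contents = [z.read(info) for info in infos]
            report[name] = {
                "copies": len(infos),
                "offsets": [info.header_offset for info in infos],
                "first": contents[0],
                "last": contents[-1],
                # Lookup by name: Python's zipfile keeps the last record.
                "by_name_lookup": z.read(name),
                "ambiguous": len(set(contents)) > 1,
            }
    return report


def safe_to_verify(data: bytes) -> bool:
    """Policy check: refuse archives where a name maps to more than one record,
    so the verifier and the installer cannot disagree about an entry."""
    return not find_duplicate_entries(data)


if __name__ == "__main__":
    for label, sample in (("duplicate", build_sample_with_duplicate()),
                          ("clean", build_clean_sample())):
        print(label, safe_to_verify(sample), find_duplicate_entries(sample))
```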
Not that i seriously looked into that, but you may probably consider these entries as interesting
Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\DeviceReg\Install]
"MaxUnsignedApp"=DWORD:A
[HKEY_LOCAL_MACHINE\Software\Microsoft\PackageManager]
"EnableAppLicenseCheck"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\PackageManager]
"EnableAppSignatureCheck"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\PackageManager]
"EnableAppProvisioning"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\.NETCompactFramework\Managed Debugger]
"Enabled"=dword:0
"AttachEnabled"=dword:1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\Debugger]
"WaitForAttach"=dword:1
Some of those might get obsolete already, though.
Though, the most interesting thing one can do with registry is enabling KD.
For what it's worth, creating an entire update from scratch (or even editing one) is unlikely to work; Windows has required a Microsoft signature (not just any trusted signature) on update files for many years now.
Yeah
I've never really looked at the fact: which certificate is used by actual cabs? look at *.cat file
GoodDayToDie said:
Very, very nice finds! I had noticed the cert pinning used on the store and on dev-unlocking, but apparently had failed to look into the update process.
Give me a little while and I'll find you the reg key used for dev-unlock. I can't guarantee you that I'll be able to give you the exact value you need - they seem to have changed the format since WP7, and I'll be working blind from templates and policy files here - but it's worth a shot. Mind you, I wouldn't be surprised if the whole process is read-only, or if the responses from Microsoft are signed (although you could try re-signing them, I guess). For what it's worth, creating an entire update from scratch (or even editing one) is unlikely to work; Windows has required a Microsoft signature (not just any trusted signature) on update files for many years now. It's certainly possible that they messed that up, though.
I also kind of want to see if some of the recent ZIP signature validation bypass exploits from Android (where you could create a ZIP file containing multiple files that have the same name, and the original would be used for the signature but the *last* copy of each file would be the one actually unpacked) might be made to work as well. I've got some ideas about that... not sure if it would work for the update format, though.
Please keep researching this!
Will do! Here is where it gets interesting... The attached screenshots are of a SOAP request from my phone to the update server (I disabled filtering, so the GUID isn't present) and then its response for "missing" updates to evaluate.
The section labeled "xml" contains the instructions on how to evaluate if the update is needed.
Here is a cleaned up, friendly dump of what is in the "XML" section it needs to parse to determine if an update is applicable:
Code:
<UpdateIdentity UpdateID="f092f820-8161-410b-ab11-c7a6d36b7837" RevisionNumber="101" />
<Properties UpdateType="Software" />
<Relationships>
  <Prerequisites>
    <UpdateIdentity UpdateID="eb644fbf-5e6e-4719-b97c-485ffb9e867f" />
    <AtLeastOne>
      <UpdateIdentity UpdateID="450b8808-d056-4c18-a383-2db11e463eb0" />
    </AtLeastOne>
  </Prerequisites>
</Relationships>
<ApplicabilityRules>
  <IsInstalled>
    <CspQuery LocUri="./DevDetail/SwV" Comparison="GreaterThanOrEqualTo" Value="9.0.0.0" xmlns="http://schemas.microsoft.com/msus/2002/12/MobileApplicabilityRules" />
  </IsInstalled>
  <IsSuperseded />
  <IsInstallable>
    <And xmlns="http://schemas.microsoft.com/msus/2002/12/LogicalApplicabilityRules">
      <CspQuery LocUri="./DevDetail/SwV" Comparison="LessThan" Value="9.0.0.0" xmlns="http://schemas.microsoft.com/msus/2002/12/MobileApplicabilityRules" />
      <b.RegSz Key="HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Windows\CurrentVersion\DeviceUpdate\Agent\Protocol" Value="TestTarget" Comparison="EqualTo" Data="72c5dc6d-00a9-412f-9d13-f4f483f2ed7f" xmlns="http://schemas.microsoft.com/msus/2002/12/BaseApplicabilityRules" />
    </And>
  </IsInstallable>
</ApplicabilityRules>
an interesting URL with info from someone else that was looking into this for Win7...
http://withinwindows.com/2011/03/06/notes-on-windows-phone-7-update-process-thus-far/
I wonder if we can figure out what "updates" are actually required if we can trick the server into giving us more OOB updates/othercarrier updates/updates we aren't "supposed" to have..
Found some info on the "Evaluate" action:
Action: The action that clients in the specified target group will perform on this revision: Install, Uninstall, PreDeploymentCheck (which means that clients will not offer the update, just report back on the status), Block (which means that the update will not be deployed, and is used to override another deployment), Evaluate (which means that clients will not offer the update and will not report back on the status), or Bundle (which means that clients will not offer the update for install; it is only deployed because it is bundled by some other explicitly deployed update).
source:
http://msdn.microsoft.com/en-us/library/cc251980.aspx
I was also messing with fiddler and I noticed my phone access two different places when a phone update is selected. One of the pages is: http://ds.download.windowsupdate.com/wp8/MicrosoftUpdate/Redir/duredir.cab . In that cab is this file wuredir.xml and consists of:
<?xml version="1.0"?>
<WuRedir xmlns="http://schemas.microsoft.com/msus/2002/12/wuredir" redirectorId="1002">
<Protocol
elementVersion="1"
clientServerUrl="https://fe1.update.microsoft.com/v6/"
reportingServerUrl="http://statsfe1.update.microsoft.com/" />
</WuRedir>
the second page accessed is: http://fe1.update.microsoft.com/WP8/MicrosoftUpdate/Selfupdate/5_UssDetection.dll
I hexed the .dll after download and found some download links to some cert files, which are:
Microsoft Windows Phone Production PCA 2012.crt
http://www.microsoft.com/pkiops/certs/Microsoft Windows Phone Production PCA 2012.crt
MicRooCerAut_2010-06-23.crt
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
MicTimStaPCA_2010-07-01.crt
http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt
can any of this info help us?
If either that DLL or any of those certificates are not signed (highly unlikely, but worth checking), or if the DLL doesn't enforce the signature check (extremely unlikely), or if any of the certs include the private key or use a weak hash algorithm or a short key... maybe. I checked the certs, though; they at least are clean. Nothing useful that I saw.
Reverse engineering the DLL may be useful, but it's probably native code and therefore a pain to decompile.
aclegg2011 said:
I was also messing with fiddler and I noticed my phone access two different places when a phone update is selected. One of the pages is: http://ds.download.windowsupdate.com/wp8/MicrosoftUpdate/Redir/duredir.cab . In that cab is this file wuredir.xml and consists of:
<?xml version="1.0"?>
<WuRedir xmlns="http://schemas.microsoft.com/msus/2002/12/wuredir" redirectorId="1002">
<Protocol
elementVersion="1"
clientServerUrl="https://fe1.update.microsoft.com/v6/"
reportingServerUrl="http://statsfe1.update.microsoft.com/" />
</WuRedir>
the second page accessed is: http://fe1.update.microsoft.com/WP8/MicrosoftUpdate/Selfupdate/5_UssDetection.dll
I hexed the .dll after download and found some download links to some cert files, which are:
Microsoft Windows Phone Production PCA 2012.crt
http://www.microsoft.com/pkiops/certs/Microsoft Windows Phone Production PCA 2012.crt
MicRooCerAut_2010-06-23.crt
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
MicTimStaPCA_2010-07-01.crt
http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt
can any of this info help us?
Those are the first steps in the update process. Basically, it gets the certs that it will use for validation and server communication. then the CAB file contains the info on what servers are used for Windows Update communications. It then logs that a request has been made to the tracking server. After that, it gets a list of updates from the v6 address. If there are no updates, Once the update process is complete, it logs the result to the tracking server.
Do you guys think I could use this to fix the problems I seem to have when trying to stream or download music from Xbox Music? I get a lot of errors, or this song can't be played on your device and some times the app crashes. I have had this problem since I switch from my Windows Phone 7 device to my Nokia Lumia 920, and I am on my 4th 920. I think for some reason the Music store is getting botched certificates or something.
Kind of on the same subject. Anyway, I extracted around 140 certificates from an HTC 8x RUU, then installed them to my PC, which is Windows 7. The cool part was I was able to install Windows Phone SDK 8 and 8.1 with emulators and Visual Studio 2013, which I thought were not possible to run on Windows 7. All because of certificates from a ROM.

WP8 SYSTEM registry files from FFU

I found where the system registry files are stored inside the ffus. This is from my Lumia 928 factory ffu.
Code:
\Windows\System32\config - DEFAULT, DRIVERS, FP, ProvisionStore, SAM, SECURITY, SOFTWARE, SYSTEM
\Windows\System32\config\MOUNTMGR - SYSTEM
\Windows\System32\config\unmodified - BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
\EFIESP(Different Partition)\Windows\System32\config\unmodified - BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
All of these files contain regf as the first few characters in hex. Beyond that, the files are mostly garbage looking at them in Notepad++.
I haven't been able to find any registry editors yet that can edit them, including ones built for Windows CE/Mobile or even Win7/8.
Anyone know of something that can display it in a normal fashion? (without needing a WP8 device to attempt to edit it on.)
EDIT: The files from \Windows\System32\config have been zipped for simplicity reasons (for those of you who don't have a ffu handy)
EDIT2 (August 22): The files from the GDR2/Amber update from my phone's rom have been added.
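Added example (not from any poster in this thread): a small offline check of a hive's `regf` base block, useful for confirming that a file pulled from an FFU really is a registry hive and whether it was cleanly written before loading it in an editor. It assumes the standard regf base-block layout; the sample header, its file name and its timestamp are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(header: bytes) -> int:
    """XOR-32 over the first 508 bytes; the two reserved results are remapped."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1


def parse_regf_header(data: bytes) -> dict:
    """Decode the fields of a regf base block that matter for triage."""
    if len(data) < 512:
        raise ValueError("too short for a regf base block")
    if data[:4] != b"regf":
        raise ValueError("missing 'regf' signature")
    (seq1, seq2, filetime, major, minor, ftype, _fmt,
     root_cell, bins_size) = struct.unpack_from("<IIQIIIIII", data, 4)
    (stored_csum,) = struct.unpack_from("<I", data, 0x1FC)
    name = data[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00")[0]
    return {
        "name": name,
        "version": (major, minor),
        "file_type": ftype,            # 0 = primary hive file
        "root_cell": root_cell,        # offset relative to the hive bins data
        "hive_bins_size": bins_size,
        "last_written": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        # Differing sequence numbers mean a write was in progress (dirty hive).
        "dirty": seq1 != seq2,
        "checksum_ok": stored_csum == regf_checksum(data),
    }


def build_sample_header(seq1: int = 7, seq2: int = 7, name: str = "SOFTWARE") -> bytes:
    """Constructed 512-byte header standing in for a real hive's first sector."""
    hdr = bytearray(512)
    written = datetime(2013, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    filetime = int((written - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<4sIIQIIIIII", hdr, 0, b"regf", seq1, seq2, filetime,
                     1, 5, 0, 1, 0x20, 0x1000)
    encoded = name.encode("utf-16-le")
    hdr[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", hdr, 0x1FC, regf_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    for key, value in parse_regf_header(build_sample_header()).items():
        print(f"{key}: {value}")
```

To check a real hive, pass the first 512 bytes of the file, for example `parse_regf_header(open(path, "rb").read(512))`.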
WalkingCat said:
OK, this is a reply to this thread, but apparently I can't post in that forum yet.
So, you've found registry file inside \Windows\System32\config, and this is the way to open and edit it.
No third-party tools needed, just use regedit.exe in your Windows system
1. Run regedit.exe
2. Click on any root key, like HKEY_LOCAL_MACHINE
3. Open File menu, select Load Hive
4. Select a file in your mounted ROM \Windows\System32\config, like SOFTWARE or SYSTEM, open it
5. In the dialog asking for a name, input any text, like WP8Software
6. Registry is now loaded under HKEY_LOCAL_MACHINE\WP8Software, you can edit it.
7. Open File menu, select Unload Hive, then its written back to disk.
reference: http://technet.microsoft.com/en-us/library/cc732157.aspx
Check this post : http://forum.xda-developers.com/showpost.php?p=44312736&postcount=41
I used 7zip to extract the file
vivekkalady said:
Check this post : http://forum.xda-developers.com/showpost.php?p=44312736&postcount=41
I used 7zip to extract the file
That works fine for a .wim or a .zip, but these files are the complete registry store, in the same format that Windows 2000, XP, Vista, etc. use to store the settings for hardware/drivers, Windows itself, and other apps that have that kind of access (e.g. Tier3 Applications)
If it's the same format as the XP/Vista type it should be easily openable, look for the application on the internet.
GodlikePL said:
If it's the same format as the XP/Vista type it should be easily openable, look for the application on the internet.
Apparently it isn't. I used RegistryEditorPE, that's supposed to work with offline registries for 2000 to 7, but it kept erroring out.
Sent from my RM-860 (Lumia 928) using the OFFICIAL Tapatalk app.
This is good stuff to know. Something that should be good to note is that while I decompiled the .NET for a few of the Verizon Xaps from the 928 ROM, I discovered some Nokia-specific COM Interop that interfaces with the registry. I'm hoping I can try something out and put up a test program within the next few days and make some registry changes.
Hi
I found a registry key
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office Mobile\SPMC\Action\doc]
"Application"=dword:00000005
"ApplicationCommand"="app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/Default?CmdLine=-url %s"
"Action"=dword:00000003
This is for Microsoft Office Word.
I think we can open Word using the link, I guess (app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/)
So is this part useful?
Can external commands be executed through this part (CmdLine=-url %s)?
Something like this:
http://dotnet.dzone.com/articles/windows-phone-7-tip-day-know
@snickler: Let me know if you succeed with that. I managed to sideload an app using one of those libraries (after removing nearly all the interesting capabilities...), but immediately got an error about the component not being registered. I didn't try running regsvr or anything, though...
GoodDayToDie said:
@snickler: Let me know if you succeed with that. I managed to sideload an app using one of those libraries (after removing nearly all the interesting capabilities...), but immediately got an error about the component not being registered. I didn't try running regsvr or anything, though...
Hmmm, which phone do you have?
Edit: I tried to deploy just a sample app with one of the .winmds referenced, and got the 0x81030120 error
Holy fuzzle.. ANOTHER EDIT: I was able to do it. I had to remove all the damn Capabilities that I added from the Nokia Maps xap though.
I referenced the NokiaRegistryUtils.winmd and just ran this sample code
MessageBox.Show(NokiaRegistryUtils.Registry.IsChinaFirmware().ToString());
It returned "false" as expected.
I'm going to try something else now.
Something to note, in the WMAppManifest.xml, the following needs added after the <Tokens> declaration
<ActivatableClasses>
<InProcessServer>
<Path>NokiaRegistryUtils.dll</Path> <!-- or whatever DLL you're adding -->
<ActivatableClass ActivatableClassId="NokiaRegistryUtils.Registry" ThreadingModel="both" />
</InProcessServer>
</ActivatableClasses>
vivekkalady said:
Hi
I found a registry key
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office Mobile\SPMC\Action\doc]
"Application"=dword:00000005
"ApplicationCommand"="app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/Default?CmdLine=-url %s"
"Action"=dword:00000003
This is for Microsoft Office Word.
I think we can open Word using the link, I guess (app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/)
So is this part useful?
Can external commands be executed through this part (CmdLine=-url %s)?
Something like this:
http://dotnet.dzone.com/articles/windows-phone-7-tip-day-know
Where did you find that key?
in ffu file
location <ffu mount>\Windows\Packages\RegistryFiles\Microsoft.Office.Word.reg
Perfect. That's what I'm doing now, but just from my 920 ROM dump. I can access the registry sections that Nokia provides in their app, but I can't from the one you provided me. I'm going to do more tests to see if this is using HKCU rather than HKLM. It could also be that the registry keys have permissions placed on them.
Hmm,
I'm able to get the value of SOFTWARE\Classes\MIME\Database\Codepage\1254 -> BodyCharset
I may write a simple app that reads registry from Lumia devices... I think that's going to happen today.
Found these things, don't know if it is of any use
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3]
"DefaultId"="{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
http://support.microsoft.com/kb/287547
vivekkalady said:
Found these things, don't know if it is of any use
http://support.microsoft.com/kb/287547
I did find THIS..
Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\DeviceReg\Install]
"MaxUnsignedApp"=dword:7FFFFFFF
That translates to the value of InterOp unlock by default which means we should be able to sideload more than 10 apps at a time.
I also found these within policy xml files
Code:
Microsoft.BaseOS.SecurityModel.policy.xml
<Capability ElementID="2EF45E94A01864DE3387212D6E73AEA885E709AD0F24FB97FE2E84728CB09D14" AttributeHash="49B8EC80A54998B68D7F65A44A340FD28B535494B7A41D650FD94851E38A6B6B" Id="ID_CAP_DEVELOPERUNLOCK" AppCapSID="S-1-15-3-1024-2489250862-3731101856-757172019-2830005102-2903107461-2549818383-1921265406-345878668" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1443" FriendlyName="Enable bearing chamber to load unsigned modules" Visibility="Internal" />
<Capability ElementID="BAFBED1970753822A266C1985F4A2CA2BA7A97CCE149F874743D00F678643C26" AttributeHash="54A2744DE064E139FD4403623C2AB9F1E130BC5C0786F56C1CE39AC814DC3F03" Id="ID_CAP_DEVELOPERUNLOCK_API" AppCapSID="S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1450" FriendlyName="Enable setting of registry key protecting developer unlock mode." Visibility="Internal">
<CapabilityRules>
<Rules>
<RegKey ElementID="F0921CC3ADB2FEE5B7DC90F9F2BBDDB6E4D7BFAF9CE189C1585A90CD71E36882" DACL="(A;CI;KRKW;;;S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1030)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1450)" Flags="515" Path="HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager" />
</Rules>
</CapabilityRules>
</Capability>
Need a Nokia Device?
snickler said:
I may write a simple app that reads registry from Lumia devices... I think that's going to happen today.
That's great! If anyone needs a Nokia device to test on, Nokia has Remote Device Access for those who need it. It's a free service to anyone who has a Nokia DEVELOPER account, which is separate but free as well. The devices they mostly have are Lumia 820s, but they have a few others (620, 720, 920 and the 928). The great thing about them: you can deploy a xap and run the apps. Some of those phones have SIMs in them and some of them have a "Nokia On-Device Diagnostic Tool". The only drawback is that the connection can be SLOW.
Huh, you had to add the InProcServer manually? That may be the problem, then. I'm not sure why they're using COM - it works just fine to simply use the native Win32 APIs (add references to ADVAPI32LEGACY.LIB and/or KERNELBASE.LIB; that's what my NativeAccess library does and it works fine) - but it's good to know that COM is, in fact, usable.
Yeah, I already found those policy files. As I've said in other posts, if you can find a way to sideload an app that uses them, we can do a lot more than is currently possible - the internal and private capabilities (and some of the so-called public ones, most of which still won't install) have all kinds of cool potential.
One advantage of the WP8 app model, as opposed to the WP7 model that used ID_CAP_INTEROPSERVICES for everything, is that an app like you're making may well work on other devices. The fact that you got the interop-lock error means that the app did have ID_CAP_INTEROPSERVICES specified, so it may use it for some things, but the registry access is probably not one of them.
GoodDayToDie said:
Yeah, I already found those policy files. As I've said in other posts, if you can find a way to sideload an app that uses them, we can do a lot more than is currently possible - the internal and private capabilities (and some of the so-called public ones, most of which still won't install) have all kinds of cool potential.
One advantage of the WP8 app model, as opposed to the WP7 model that used ID_CAP_INTEROPSERVICES for everything, is that an app like you're making may well work on other devices. The fact that you got the interop-lock error means that the app did have ID_CAP_INTEROPSERVICES specified, so it may use it for some things, but the registry access is probably not one of them.
The best part is that the Nokia CityLens uses ID_CAP_INTEROPSERVICES, but I can't find anything that references it.
The winmds use System.Runtime.InteropServices though.
The Nokia app I got the RegistryRT from didn't use the INTEROP Capability at all, but I did notice that I had to add that extra stuff in the AppManifest.

Soli availability how will that be enforced?

Looks like Soli is only available in certain countries. Short of disabling the hardware in countries which it's not available, I wonder how Google is going to stop it
If you're roaming to a country that does not support it, it's possible Google will use GPS to determine your location and stop the capability. Then if that is the case, buying a phone, say, in the US and trying to use it somewhere else might not work.
lchiu7 said:
If you're roaming to a country that does not support it, it's possible Google will use GPS to determine your location and stop the capability
according to androidpolice.com, cellular triangulation is used to determine the phone's location and disable motion sense in unsupported regions
source: <ap.c>/2019/10/15/pixel-4s-motion-sense-will-disable-itself-in-unsupported-regions/ (sorry, I may not post links)
You mean this?
https://www.androidpolice.com/2019/...e-will-disable-itself-in-unsupported-regions/
I could live without gesture controls but what other functions might not work without Soli (facial unlock?)
lchiu7 said:
what other functions might not work without Soli (facial unlock?)
afaik facial unlock works without Soli, it will just be slower and may require you to tap the screen for login, rather than just reaching for the phone.
But Soli is also used to turn on battery saving features, e.g. turn off the screen when nobody is near the phone, which might be a problem, considering the small battery capacity of the smaller Pixel 4
Disassembled and looked into MotionSense APK from apkmirror. MotionSense determines country by phone number: it looks for android.telephony.extra.NETWORK_COUNTRY param to detect allowed country code. I think that can be bypassed by modifying apk but seems root needed to replace it because it looks like system app.
It's not hard to make it available in unsupported country, I'll try to unlock Soli when I get my phone and will upload here if it works
Eugnis said:
Disassembled and looked into MotionSense APK from apkmirror. MotionSense determines country by phone number: it looks for android.telephony.extra.NETWORK_COUNTRY param to detect allowed country code. I think that can be bypassed by modifying apk but seems root needed to replace it because it looks like system app.
It's not hard to make it available in unsupported country, I'll try to unlock Soli when I get my phone and will upload here if it works
That's encouraging. My Pixel 4XL is on back order so I have time to cancel it. Not sure about not hard to make it available if it needs root though. Then you need a working Magisk if you want NFC payments, some banking apps and for me, corporate apps like Outlook.
Eugnis said:
Disassembled and looked into MotionSense APK from apkmirror. MotionSense determines country by phone number: it looks for android.telephony.extra.NETWORK_COUNTRY param to detect allowed country code. I think that can be bypassed by modifying apk but seems root needed to replace it because it looks like system app.
It's not hard to make it available in unsupported country, I'll try to unlock Soli when I get my phone and will upload here if it works
Soli is disabled for now in Japan, but I was hoping that as long as I set it up without SIM it might not bother detecting the country. No go. So either trilateration or the phones sold here have this already disabled in software.
Eugnis said:
Disassembled and looked into MotionSense APK from apkmirror. MotionSense determines country by phone number: it looks for android.telephony.extra.NETWORK_COUNTRY param to detect allowed country code. I think that can be bypassed by modifying apk but seems root needed to replace it because it looks like system app.
It's not hard to make it available in unsupported country, I'll try to unlock Soli when I get my phone and will upload here if it works
I know how to make it work in every country, but can't build the apk back (install, build is successful)
Maybe you have a secret knowledge?)
Fix is in two lines
In this article we can find function name https://www.xda-developers.com/google-pixel-4-motion-sense-list-countries-supported-apps/amp/
All we need is to change the goto in the default case
Xsikor said:
I know how to make it work in every country, but can't build the apk back (install, build is successful)
Maybe you have a secret knowledge?)
Fix is in two lines
In this article we can find function name https://www.xda-developers.com/google-pixel-4-motion-sense-list-countries-supported-apps/amp/
All we need is to change the goto in the default case
Have you tried fixing yours? Can you possibly make a tutorial for this? I would really appreciate that as I will receive mine in two weeks and my country is not supported
---------- Post added at 01:01 AM ---------- Previous post was at 01:00 AM ----------
Eugnis said:
Disassembled and looked into MotionSense APK from apkmirror. MotionSense determines country by phone number: it looks for android.telephony.extra.NETWORK_COUNTRY param to detect allowed country code. I think that can be bypassed by modifying apk but seems root needed to replace it because it looks like system app.
It's not hard to make it available in unsupported country, I'll try to unlock Soli when I get my phone and will upload here if it works
Yes please do...we would all appreciate that
Xsikor said:
I know how to make it work in every country, but can't build the apk back (install, build is successful)
Maybe you have a secret knowledge?)
Fix is in two lines
In this article we can find function name https://www.xda-developers.com/google-pixel-4-motion-sense-list-countries-supported-apps/amp/
All we need is to change the goto in the default case
Yep, and nothing secret here. Same for modified apps: After building APK, bump its build number, sign it with your certificate and install with adb. Also you need root if this is system app (remove original motion sense apk and then install your modded). Look on xda for instructions to install modded google play store - they'll be same.
Eugnis said:
Yep, and nothing secret here. Same for modified apps: After building APK, bump its build number, sign it with your certificate and install with adb. Also you need root if this is system app (remove original motion sense apk and then install your modded). Look on xda for instructions to install modded google play store - they'll be same.
It's possible to install motion sense over default system like an update without root. I try to decompile and then compile apk back by apktool, but after this can't sign apk because I don't know how.
Error when I try install by ADB is adb install dist/com.google.oslo.apk
adb: failed to install dist/com.google.oslo.apk: Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Failed to collect certificates from /data/app/vmdl1077585388.tmp/base.apk: Attempt to get length of null array]
This is my first time when I try to modify apk, so I don't have experience on this
Xsikor said:
It's possible to install motion sense over default system like an update without root. I try to decompile and then compile apk back by apktool, but after this can't sign apk because I don't know how.
Error when I try install by ADB is adb install dist/com.google.oslo.apk
adb: failed to install dist/com.google.oslo.apk: Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Failed to collect certificates from /data/app/vmdl1077585388.tmp/base.apk: Attempt to get length of null array]
This is my first time when I try to modify apk, so I don't have experience on this
Look here for instruction how to sign APK https://stackoverflow.com/a/40064149/3042448
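Added example (not from any poster in this thread): an APK rebuilt by apktool and never signed has neither a v1 (JAR) signature under META-INF nor an APK Signing Block in front of the ZIP central directory, which is the state INSTALL_PARSE_FAILED_NO_CERTIFICATES reports. This check looks for both; the sample APKs and their entry names are constructed in memory.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"


def central_directory_offset(apk: bytes) -> int:
    """Locate the end-of-central-directory record and read the CD offset."""
    # EOCD is 22 bytes plus an optional comment of at most 65535 bytes.
    pos = apk.rfind(EOCD_SIGNATURE, max(0, len(apk) - 22 - 65535))
    if pos < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    return struct.unpack_from("<I", apk, pos + 16)[0]


def has_v1_signature(apk: bytes) -> bool:
    """v1 needs MANIFEST.MF, a *.SF file and a *.RSA/*.DSA/*.EC block."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    return ("META-INF/MANIFEST.MF" in names
            and any(n.endswith(".SF") for n in names)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in names))


def has_signing_block(apk: bytes) -> bool:
    """v2 and later store signatures in a block ending right before the CD."""
    cd = central_directory_offset(apk)
    if cd < 32 or apk[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return False
    (size,) = struct.unpack_from("<Q", apk, cd - 24)
    start = cd - size - 8           # the block is prefixed by the same size field
    return start >= 0 and struct.unpack_from("<Q", apk, start)[0] == size


def signature_presence(apk: bytes) -> dict:
    v1, block = has_v1_signature(apk), has_signing_block(apk)
    return {"v1_jar": v1, "signing_block": block, "unsigned": not (v1 or block)}


def make_sample_apk(with_v1: bool) -> bytes:
    """Constructed stand-in for an APK; contents are placeholders, not real data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"constructed placeholder")
        zf.writestr("classes.dex", b"constructed placeholder")
        if with_v1:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/CERT.RSA", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print("rebuilt, unsigned:", signature_presence(make_sample_apk(False)))
    print("v1-signed layout: ", signature_presence(make_sample_apk(True)))
```

Presence is not validity: this only shows whether signature data exists, not whether it verifies or matches the certificate of an already installed package.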
Xsikor said:
It's possible to install motion sense over default system like a update without root
Maybe, can you try this?
AFAIK It should compare certificate of previous app with updated app (with same package name) and will show error if they're not same.
Eugnis said:
Maybe, can you try this?
AFAIK It should compare certificate of previous app with updated app (with same package name) and will show error if they're not same.
Nope =( can't install. So need root for first step
Code:
adb: failed to install com.google.oslo-aligned-debugSigned.apk: Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE: Package com.google.oslo signatures do not match previously installed version; ignoring!]
adb uninstall does not help; it deletes only the last update of Motion Sense
Really hoping there's a way to enable Soli in all countries. Not having it is making me feel left out
Looked one more time in MotionSense APK and it looks like its developers left a setting to disable country checks altogether. To do that, you just need to change android setting 'pixel.oslo.allowed_override' to '1' or 'true', modifying APK not needed.
I can't try this right now but if you want to check, then connect Pixel 4 with developer mode and execute command in adb shell:
Code:
adb shell "setprop persist.pixel.oslo.allowed_override true; setprop ctl.restart zygote"
or edit system/build.prop with some app
You still need root to do this.
