Fiddlin with Windows Updates - Windows Phone 8 Development and Hacking

So after reading about all the App Store hacks that have developed around Fiddler2, I decided to give it a go myself. After setting up the proxy, I noticed that most SSL-based transactions were failing to connect on my device (Windows Updates, Email, etc).
I exported the SSL cert that Fiddler2 installed on my development PC, emailed it to myself, and installed it on my Windows Phone device. Lo and behold, most of my SSL issues went away! (App store still wouldn't auth). More interestingly, Windows Updates started checking for updates successfully. These transactions are done with SOAP calls.
The basic process is as follows:
1. Phone initiates a connection to the Windows Update server
2. A series of cab files are downloaded containing certificate and base URL info of the update server
3. The phone connects to the update server with a list of all updates it has installed as well as a unique device identifier.
4. The server responds with a list of updates that it wants the phone to evaluate.
5. If the phone decides it needs the update, it sends a request to the server for instructions to deter
6. The server responds with a specially crafted packet that contains a link to where the Microsoft cab can be downloaded from as well as a checksum of the cab file and evaluation instructions to determine if the update is needed. (checking registry keys, etc.; the SOAP commands contain things like RegRead32)
7. The phone then downloads and installs the update, if needed.
Fiddling around with Fiddler, I was able to remove the "filter" GUID from the phone's request to the server. As a result, it evaluated and installed any update it could get its hands on. The Hardware Test app still shows that my last update was 5/1/2013, but the number of updated packages included in that update jumped from 83 to 200!
I have some more experiments I would like to try (such as trying to blindly write a reg key instead of just reading it...anyone know of a good one?). I am also wondering if I can somehow package a Microsoft cab file, and tell the update mechanism to download and install it. Depending on how it evaluates the cabs, I might be able to get away with signing the cab with the private key from the Fiddler certificate I installed.
Just thought I'd pass along

Very, very nice finds! I had noticed the cert pinning used on the store and on dev-unlocking, but apparently had failed to look into the update process.
Give me a little while and I'll find you the reg key used for dev-unlock. I can't guarantee you that I'll be able to give you the exact value you need - they seem to have changed the format since WP7, and I'll be working blind from templates and policy files here - but it's worth a shot. Mind you, I wouldn't be surprised if the whole process is read-only, or if the responses from Microsoft are signed (although you could try re-signing them, I guess). For what it's worth, creating an entire update from scratch (or even editing one) is unlikely to work; Windows has required a Microsoft signature (not just any trusted signature) on update files for many years now. It's certainly possible that they messed that up, though.
I also kind of want to see if some of the recent ZIP signature validation bypass exploits from Android (where you could create a ZIP file containing multiple files that have the same name, and the original would be used for the signature but the *last* copy of each file would be the one actually unpacked) might be made to work as well. I've got some ideas about that... not sure if it would work for the update format, though.
Please keep researching this!

Not that I seriously looked into that, but you may probably consider these entries as interesting
Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\DeviceReg\Install]
"MaxUnsignedApp"=DWORD:A
[HKEY_LOCAL_MACHINE\Software\Microsoft\PackageManager]
"EnableAppLicenseCheck"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\PackageManager]
"EnableAppSignatureCheck"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\PackageManager]
"EnableAppProvisioning"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\.NETCompactFramework\Managed Debugger]
"Enabled"=dword:0
"AttachEnabled"=dword:1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\Debugger]
"WaitForAttach"=dword:1
Some of those might get obsolete already, though.
Though, the most interesting thing one can do with registry is enabling KD.
"For what it's worth, creating an entire update from scratch (or even editing one) is unlikely to work; Windows has required a Microsoft signature (not just any trusted signature) on update files for many years now."
Yeah
I've never really looked at the fact: which certificate is used by actual cabs? look at *.cat file

GoodDayToDie said:
Very, very nice finds! I had noticed the cert pinning used on the store and on dev-unlocking, but apparently had failed to look into the update process.
Give me a little while and I'll find you the reg key used for dev-unlock. I can't guarantee you that I'll be able to give you the exact value you need - they seem to have changed the format since WP7, and I'll be working blind from templates and policy files here - but it's worth a shot. Mind you, I wouldn't be surprised if the whole process is read-only, or if the responses from Microsoft are signed (although you could try re-signing them, I guess). For what it's worth, creating an entire update from scratch (or even editing one) is unlikely to work; Windows has required a Microsoft signature (not just any trusted signature) on update files for many years now. It's certainly possible that they messed that up, though.
I also kind of want to see if some of the recent ZIP signature validation bypass exploits from Android (where you could create a ZIP file containing multiple files that have the same name, and the original would be used for the signature but the *last* copy of each file would be the one actually unpacked) might be made to work as well. I've got some ideas about that... not sure if it would work for the update format, though.
Please keep researching this!
Will do! Here is where it gets interesting... The attached screenshots are of a SOAP request from my phone to the update server (I disabled filtering, so the GUID isn't present) and then its response for "missing" updates to evaluate.
The section labeled "xml" contains the instructions on how to evaluate if the update is needed.
Here is a cleaned up, friendly dump of what is in the "XML" section it needs to parse to determine if an update is applicable:
Code:
<UpdateIdentity UpdateID="f092f820-8161-410b-ab11-c7a6d36b7837" RevisionNumber="101" />
<Properties UpdateType="Software" />
<Relationships>
  <Prerequisites>
    <UpdateIdentity UpdateID="eb644fbf-5e6e-4719-b97c-485ffb9e867f" />
    <AtLeastOne>
      <UpdateIdentity UpdateID="450b8808-d056-4c18-a383-2db11e463eb0" />
    </AtLeastOne>
  </Prerequisites>
</Relationships>
<ApplicabilityRules>
  <IsInstalled>
    <CspQuery LocUri="./DevDetail/SwV" Comparison="GreaterThanOrEqualTo" Value="9.0.0.0" xmlns="http://schemas.microsoft.com/msus/2002/12/MobileApplicabilityRules" />
  </IsInstalled>
  <IsSuperseded />
  <IsInstallable>
    <And xmlns="http://schemas.microsoft.com/msus/2002/12/LogicalApplicabilityRules">
      <CspQuery LocUri="./DevDetail/SwV" Comparison="LessThan" Value="9.0.0.0" xmlns="http://schemas.microsoft.com/msus/2002/12/MobileApplicabilityRules" />
      <b.RegSz Key="HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Windows\CurrentVersion\DeviceUpdate\Agent\Protocol" Value="TestTarget" Comparison="EqualTo" Data="72c5dc6d-00a9-412f-9d13-f4f483f2ed7f" xmlns="http://schemas.microsoft.com/msus/2002/12/BaseApplicabilityRules" />
    </And>
  </IsInstallable>
</ApplicabilityRules>

An interesting URL with info from someone else that was looking into this for Win7...
http://withinwindows.com/2011/03/06/notes-on-windows-phone-7-update-process-thus-far/
I wonder if we can figure out what "updates" are actually required if we can trick the server into giving us more OOB updates/other carrier updates/updates we aren't "supposed" to have..
Found some info on the "Evaluate" action:
"Action: The action that clients in the specified target group will perform on this revision: Install, Uninstall, PreDeploymentCheck (which means that clients will not offer the update, just report back on the status), Block (which means that the update will not be deployed, and is used to override another deployment), Evaluate (which means that clients will not offer the update and will not report back on the status), or Bundle (which means that clients will not offer the update for install; it is only deployed because it is bundled by some other explicitly deployed update)."
source:
http://msdn.microsoft.com/en-us/library/cc251980.aspx
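
The applicability rules posted earlier in this thread are server-supplied instructions that the phone evaluates against its own state. The sketch below is an added example, not Microsoft's client code or code from the thread: it parses the posted `<ApplicabilityRules>` element, lists the device state the rules read, and rejects any element or operator it does not recognise. The comparison semantics, the dotted-version ordering and the device dictionaries are assumptions inferred from the attribute names; the device values are constructed.

```python
import xml.etree.ElementTree as ET

# <ApplicabilityRules> element as posted in the thread (raw string keeps the backslashes).
RULES_XML = r"""<ApplicabilityRules>
<IsInstalled>
<CspQuery LocUri="./DevDetail/SwV" Comparison="GreaterThanOrEqualTo" Value="9.0.0.0" xmlns="http://schemas.microsoft.com/msus/2002/12/MobileApplicabilityRules" />
</IsInstalled>
<IsSuperseded />
<IsInstallable>
<And xmlns="http://schemas.microsoft.com/msus/2002/12/LogicalApplicabilityRules">
<CspQuery LocUri="./DevDetail/SwV" Comparison="LessThan" Value="9.0.0.0" xmlns="http://schemas.microsoft.com/msus/2002/12/MobileApplicabilityRules" />
<b.RegSz Key="HKEY_LOCAL_MACHINE" Subkey="Software\Microsoft\Windows\CurrentVersion\DeviceUpdate\Agent\Protocol" Value="TestTarget" Comparison="EqualTo" Data="72c5dc6d-00a9-412f-9d13-f4f483f2ed7f" xmlns="http://schemas.microsoft.com/msus/2002/12/BaseApplicabilityRules" />
</And>
</IsInstallable>
</ApplicabilityRules>"""

SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\DeviceUpdate\Agent\Protocol"
# Constructed device states (assumed values, not captured from a phone).
STOCK_DEVICE = {"csp": {"./DevDetail/SwV": "8.0.10211.204"}, "registry": {}}
TEST_TARGET_DEVICE = {
    "csp": {"./DevDetail/SwV": "8.0.10211.204"},
    "registry": {("HKEY_LOCAL_MACHINE", SUBKEY, "TestTarget"):
                 "72c5dc6d-00a9-412f-9d13-f4f483f2ed7f"},
}


class UnsupportedRule(ValueError):
    """Raised for any element or operator this evaluator does not know."""


def _version(text):
    # Assumption: versions compare as dotted integers.
    return tuple(int(part) for part in text.split("."))


_VERSION_OPS = {
    "EqualTo": lambda a, b: a == b,
    "LessThan": lambda a, b: a < b,
    "GreaterThanOrEqualTo": lambda a, b: a >= b,
}


def _evaluate(node, device, reads):
    name = node.tag.rsplit("}", 1)[-1]          # strip the XML namespace
    if name == "And":
        children = list(node)
        if not children:
            raise UnsupportedRule("empty <And>")
        # Evaluate every child (no short circuit) so `reads` is complete.
        return all([_evaluate(child, device, reads) for child in children])
    if name == "CspQuery":
        uri, op = node.get("LocUri"), node.get("Comparison")
        if op not in _VERSION_OPS:
            raise UnsupportedRule(f"CspQuery comparison {op!r}")
        reads.append(("csp", uri))
        actual = device["csp"].get(uri)
        return actual is not None and _VERSION_OPS[op](
            _version(actual), _version(node.get("Value")))
    if name == "b.RegSz":
        data = node.get("Data")
        if node.get("Comparison") != "EqualTo" or data is None:
            raise UnsupportedRule("RegSz supports only EqualTo with Data here")
        key = (node.get("Key"), node.get("Subkey"), node.get("Value"))
        reads.append(("reg",) + key)
        return device["registry"].get(key) == data
    # Fail closed: an unknown rule is an error, never "true" or "skipped".
    raise UnsupportedRule(f"element <{name}>")


def evaluate_update(xml_text, device):
    """Return the IsInstalled / IsInstallable verdicts and the state that was read."""
    if "<!DOCTYPE" in xml_text:
        raise UnsupportedRule("DOCTYPE not allowed in rule XML")
    root = ET.fromstring(xml_text)
    reads, verdict = [], {}
    for section in ("IsInstalled", "IsInstallable"):
        element = root.find(section)
        rules = [] if element is None else list(element)
        if len(rules) != 1:
            raise UnsupportedRule(f"<{section}> must hold exactly one rule")
        verdict[section] = _evaluate(rules[0], device, reads)
    verdict["reads"] = list(dict.fromkeys(reads))   # de-duplicate, keep order
    return verdict


if __name__ == "__main__":
    for label, device in (("stock", STOCK_DEVICE), ("test target", TEST_TARGET_DEVICE)):
        print(label, evaluate_update(RULES_XML, device))
```
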

I was also messing with Fiddler and I noticed my phone accesses two different places when a phone update is selected. One of the pages is: http://ds.download.windowsupdate.com/wp8/MicrosoftUpdate/Redir/duredir.cab . In that cab is this file wuredir.xml and consists of:
<?xml version="1.0"?>
<WuRedir xmlns="http://schemas.microsoft.com/msus/2002/12/wuredir" redirectorId="1002">
<Protocol
elementVersion="1"
clientServerUrl="https://fe1.update.microsoft.com/v6/"
reportingServerUrl="http://statsfe1.update.microsoft.com/" />
</WuRedir>
The second page accessed is: http://fe1.update.microsoft.com/WP8/MicrosoftUpdate/Selfupdate/5_UssDetection.dll
I hexed the .dll after download and found some download links to some cert files, which are:
Microsoft Windows Phone Production PCA 2012.crt
http://www.microsoft.com/pkiops/certs/Microsoft Windows Phone Production PCA 2012.crt
MicRooCerAut_2010-06-23.crt
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
MicTimStaPCA_2010-07-01.crt
http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt
Can any of this info help us?

If either that DLL or any of those certificates are not signed (highly unlikely, but worth checking), or if the DLL doesn't enforce the signature check (extremely unlikely), or if any of the certs include the private key or use a weak hash algorithm or a short key... maybe. I checked the certs, though; they at least are clean. Nothing useful that I saw.
Reverse engineering the DLL may be useful, but it's probably native code and therefore a pain to decompile.

aclegg2011 said:
I was also messing with Fiddler and I noticed my phone accesses two different places when a phone update is selected. One of the pages is: http://ds.download.windowsupdate.com/wp8/MicrosoftUpdate/Redir/duredir.cab . In that cab is this file wuredir.xml and consists of:
<?xml version="1.0"?>
<WuRedir xmlns="http://schemas.microsoft.com/msus/2002/12/wuredir" redirectorId="1002">
<Protocol
elementVersion="1"
clientServerUrl="https://fe1.update.microsoft.com/v6/"
reportingServerUrl="http://statsfe1.update.microsoft.com/" />
</WuRedir>
The second page accessed is: http://fe1.update.microsoft.com/WP8/MicrosoftUpdate/Selfupdate/5_UssDetection.dll
I hexed the .dll after download and found some download links to some cert files, which are:
Microsoft Windows Phone Production PCA 2012.crt
http://www.microsoft.com/pkiops/certs/Microsoft Windows Phone Production PCA 2012.crt
MicRooCerAut_2010-06-23.crt
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
MicTimStaPCA_2010-07-01.crt
http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt
Can any of this info help us?
Those are the first steps in the update process. Basically, it gets the certs that it will use for validation and server communication. Then the CAB file contains the info on what servers are used for Windows Update communications. It then logs that a request has been made to the tracking server. After that, it gets a list of updates from the v6 address. If there are no updates, Once the update process is complete, it logs the result to the tracking server.

Do you guys think I could use this to fix the problems I seem to have when trying to stream or download music from Xbox Music? I get a lot of errors, or "this song can't be played on your device", and sometimes the app crashes. I have had this problem since I switched from my Windows Phone 7 device to my Nokia Lumia 920, and I am on my 4th 920. I think for some reason the Music store is getting botched certificates or something.

Kind of on the same subject. Anyway, I extracted around 140 certificates from an HTC 8X RUU, then installed them to my PC, which is Windows 7. The cool part was I was able to install Windows Phone SDK 8 and 8.1 with emulators and Visual Studio 2013, which I thought were not possible to run on Windows 7. All because of certificates from a ROM.

Related

Possible to modify versionCode in compiled APK AndroidManifest.xml?

I made a mistake and formatted the hard drive of my old computer and sold it, without backing up my keystore for my app published in the Android Market.
My attempted solution:
Take the version from the market signed with the original key (key A), sign it again with my new key (key B) and upload it to the market. Then I will be able to upload another version signed only with key B.
I successfully signed the application with both keys, the problem is that I can't upload the same application again because the version code is still 10, I need to change it to 11. I've opened the AndroidManifest.xml and found that I can change the irrelevant versionName, but can't find the versionCode in there.
Anyone have any ideas? I would really prefer not to unpublish the application because I rely on the income I make from advertisements in it and I don't want to compromise my downloads/rating/position in the market.
Thanks in advance to all who provide constructive feedback.
Nexeo said:
Take the version from the market signed with the original key (key A), sign it again with my new key (key B) and upload it to the market. Then I will be able to upload another version signed only with key B.
I think Market will require signing by key A in every new version of an app. Otherwise signing would make no sense, because anyone could hack it using above technique.
Second, even if you modify AndroidManifest.xml, then signature for key A will be invalid.
If you have lost your key then you're screwed. I don't think you can do anything, but release new versions of your app as new app - with different package name. Even Google can't help you.
I could try to modify version number in your AndroidManifest.xml file if you really want, but I don't see any sense in this.
Brut.all said:
I could try to modify version number in your AndroidManifest.xml file if you really want, but I don't see any sense in this.
The sense/hope was that I could take version 1.9 (currently in the market signed with the now lost key) and sign it again with the new key, then upload it with both signatures as version 1.9.1 so therefore I could upload version 2.0 signed only with the new key. If I had both keys this would be a successful way of switching between keys, but because I do not have both I was hoping to modify the compiled/signed app to change the versionCode (not versionName) from 10 to 11 (so the android market would accept it as a new version) and then sign it with the new key, and somehow make it so the signature with the old key was still valid.
The more I work on this and try the more I realize it's probably not possible. I've tried inserting new MD2 hashes for everything that has changed after I've tried modifying files and such but I always get that the application failed to install on my device...
Nexeo said:
The sense/hope was that I could take version 1.9 (currently in the market signed with the now lost key) and sign it again with the new key, then upload it with both signatures as version 1.9.1 so therefore I could upload version 2.0 signed only with the new key. If I had both keys this would be a successful way of switching between keys, but because I do not have both I was hoping to modify the compiled/signed app to change the versionCode (not versionName) from 10 to 11 (so the android market would accept it as a new version) and then sign it with the new key, and somehow make it so the signature with the old key was still valid.
The more I work on this and try the more I realize it's probably not possible. I've tried inserting new MD2 hashes for everything that has changed after I've tried modifying files and such but I always get that the application failed to install on my device...
I was just in a similar situation and emailed Google directly. Surprisingly, I received a personally written response. So I can tell you with 100% confidence that you are out of luck: to update a published application you HAVE to use the same digital signature as the original. Otherwise, you'll have to publish the update under a new package name. There is absolutely nothing Google can do. Of course, if you were Angry Birds I'm sure they'd make an exception, but small timers like us are out of luck.
Nexeo said:
The sense/hope was that I could take version 1.9 (...)
Yeah, you said that already and I gave you two reasons, why you can't do that:
invalid signatures for key A
requirement for key A in all future versions of your app
Chalup said:
Of course, if you were Angry Birds I'm sure they'd make an exception, but small timers like us are out of luck.
Google can't do anything even if they want - it's technically impossible. They could replace your app with new one with different package name, then copy all ratings, comments, etc. from old one, but they simply can't change key for existent package name.
Been there, done that...lost keystores of 3 published apps. Wrote Google too...no joy.
You are puckered. As am I, because I cannot post an update to my apps without a new package name. Which of course, leaves all current users unable to get the update without repurchasing.
I wish there was a better way.... we all lose files from time to time. Why not make part of the publish process an upload of your keystore to the Google servers? Seems like a solution to me
In the meantime, I now have at least 5 copies of my keystores saved on various medium: e-mails to myself, file server, CD etc. Just have to deal with it I guess
Sending the hard drive off to a data recovery company who seems to be pretty confident. Hopefully they can find .keystore files.
I GOT MY KEYSTORE BACK!!!
I used the best f-ing software in the universe to restore the file (it truly is amazing): http://www.ntfs.com/boot-disk.htm
Nexeo said:
I GOT MY KEYSTORE BACK!!!
I used the best f-ing software in the universe to restore the file (it truly is amazing): http://www.ntfs.com/boot-disk.htm
Sweet find, I have all my stuff backed up on an IronKey flash drive. But it's a lot more than just my Keystores, it's also all of my work files and such. If you have some extra money I would recommend one. The only bad thing is the highest model's capacity is 32GB.
Rootstonian said:
Why not make part of the publish process an upload of your keystore to the Google servers? Seems like a solution to me
I think you don't understand what this signing is for. Its purpose is to make sure you're installing application from original author, not some hacked or infected version. And you want to open some backdoor for installing an application created by different author (no keys = different author). Your "solution" would make signing totally useless.
Chalup said:
Of course, if you were Angry Birds I'm sure they'd make an exception, but small timers like us are out of luck.
I don't think that's true. Recently, the wildly popular app "Vignette" suffered from pretty much the same issue and had to republish.

WP8 SYSTEM registry files from FFU

I found where the system registry files are stored inside the ffus. This is from my Lumia 928 factory ffu.
Code:
\Windows\System32\config - DEFAULT, DRIVERS, FP, ProvisionStore, SAM, SECURITY, SOFTWARE, SYSTEM
\Windows\System32\config\MOUNTMGR - SYSTEM
\Windows\System32\config\unmodified - BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
\EFIESP(Different Partition)\Windows\System32\config\unmodified - BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
All of these files contain regf as the first few characters in hex. Beyond that, the files are mostly garbage looking at them in Notepad++.
I haven't been able to find any registry editors yet that can edit them, including ones built for Windows CE/Mobile or even Win7/8.
Anyone know of something that can display it in a normal fashion? (without needing a WP8 device to attempt to edit it on.)
EDIT: The files from \Windows\System32\config have been zipped for simplicity reasons (for those of you who don't have a ffu handy)
EDIT2 (August 22): The files from the GDR2/Amber update from my phone's rom have been added.
WalkingCat said:
OK, this is a reply to this thread, but apparently I can't post in that forum yet.
So, you've found registry file inside \Windows\System32\config, and this is the way to open and edit it.
No third-party tools needed, just use regedit.exe in your Windows system
1. Run regedit.exe
2. Click on any root key, like HKEY_LOCAL_MACHINE
3. Open File menu, select Load Hive
4. Select a file in your mounted ROM \Windows\System32\config, like SOFTWARE or SYSTEM, open it
5. In the dialog asking for a name, input any text, like WP8Software
6. Registry is now loaded under HKEY_LOCAL_MACHINE\WP8Software, you can edit it.
7. Open File menu, select Unload Hive, then it's written back to disk.
reference: http://technet.microsoft.com/en-us/library/cc732157.aspx
Check this post : http://forum.xda-developers.com/showpost.php?p=44312736&postcount=41
I used 7zip to extract the file
vivekkalady said:
Check this post : http://forum.xda-developers.com/showpost.php?p=44312736&postcount=41
I used 7zip to extract the file
That works fine for .wim or a .zip, but these files are the complete registry store that's the same format that Windows 2000, XP, Vista, etc. uses to store the settings for hardware/drivers, Windows itself, and other apps that have that kind of access (e.g. Tier3 Applications)
If it's same format as XP/Vista type it should be easily openable, look for the application on the internet.
GodlikePL said:
If it's same format as XP/Vista type it should be easily openable, look for the application on the internet.
Apparently it isn't. I used RegistryEditorPE, that's supposed to work with offline registries for 2000 to 7, but it kept erroring out.
Sent from my RM-860 (Lumia 928) using the OFFICIAL Tapatalk app.
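
The `regf` signature noted in the first post of this thread opens a fixed-layout base block, which can be sanity-checked before a hive pulled from an image is loaded into an editor. This is an added example, not a tool mentioned in the thread: it follows the community-documented regf base block layout and runs on a constructed header, not on a file from any ROM.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# signature, primary seq, secondary seq, last-written FILETIME, major, minor,
# file type, file format, root cell offset, hive bins data size (44 bytes).
HEADER = struct.Struct("<4sIIQIIIIII")
NAME_FIELD = slice(48, 112)      # UTF-16LE file name, NUL padded
CHECKSUM_OFFSET = 508            # XOR-32 of the 127 dwords before it


def regf_checksum(block):
    """XOR-32 over the first 508 bytes, with the two reserved values remapped."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", bytes(block[:CHECKSUM_OFFSET])):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc or 1


def parse_base_block(data):
    """Validate and decode the start of a registry hive file."""
    if len(data) < 512:
        raise ValueError("too short for a regf base block")
    (sig, seq1, seq2, filetime, major, minor,
     _ftype, _fmt, root_cell, bins_size) = HEADER.unpack_from(data)
    if sig != b"regf":
        raise ValueError("not a registry hive (missing 'regf' signature)")
    (stored,) = struct.unpack_from("<I", data, CHECKSUM_OFFSET)
    name = bytes(data[NAME_FIELD]).decode("utf-16-le", errors="replace")
    return {
        "version": (major, minor),
        "last_written": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        # Differing sequence numbers mean the hive was not flushed cleanly
        # and an editor would need the transaction logs to recover it.
        "clean": seq1 == seq2,
        "checksum_ok": stored == regf_checksum(data),
        "root_cell_offset": root_cell,
        "hive_bins_size": bins_size,
        "name": name.split("\x00", 1)[0],
    }


def build_sample_block(name="SOFTWARE"):
    """Constructed 4096-byte base block for the demo; not taken from any ROM."""
    written = datetime(2013, 8, 22, tzinfo=timezone.utc)
    filetime = (written - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    block = bytearray(4096)
    HEADER.pack_into(block, 0, b"regf", 7, 7, filetime, 1, 5, 0, 1, 0x20, 0x1000)
    encoded = name.encode("utf-16-le")
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(block))
    return bytes(block)


if __name__ == "__main__":
    for field, value in parse_base_block(build_sample_block()).items():
        print(f"{field:18} {value}")
```

For a real hive, pass the first 4096 bytes of the file to `parse_base_block`; a failed checksum or an unclean flag is worth knowing before blaming the editor.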
This is good stuff to know. Something that should be good to note is that while I decompiled the .NET for a few of the Verizon Xaps from the 928 ROM, I discovered some Nokia-specific COM Interop that interfaces with the registry. I'm hoping I can try something out and put up a test program within the next few days and make some registry changes.
Hi
I found a registry key
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office Mobile\SPMC\Action\doc]
"Application"=dword:00000005
"ApplicationCommand"="app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/Default?CmdLine=-url %s"
"Action"=dword:00000003
This is for Microsoft Office Word
I think we can open Word using the link I guess (app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/)
So is this part useful?
Can external commands be executed through this part (CmdLine=-url %s) ??
something like this
http://dotnet.dzone.com/articles/windows-phone-7-tip-day-know
@snickler: Let me know if you succeed with that. I managed to sideload an app using one of those libraries (after removing nearly all the interesting capabilities...), but immediately got an error about the component not being registered. I didn't try running regsvr or anything, though...
GoodDayToDie said:
@snickler: Let me know if you succeed with that. I managed to sideload an app using one of those libraries (after removing nearly all the interesting capabilities...), but immediately got an error about the component not being registered. I didn't try running regsvr or anything, though...
Hmmm, which phone do you have?
Edit: I tried to deploy just a sample app with one of the .winmds referenced, and got the 0x81030120 error
Holy fuzzle.. ANOTHER EDIT: I was able to do it. I had to remove all the damn Capabilities that I added from the Nokia Maps xap though.
I referenced the NokiaRegistryUtils.winmd and just ran this sample code
MessageBox.Show(NokiaRegistryUtils.Registry.IsChinaFirmware().ToString());
It returned "false" as expected.
I'm going to try something else now.
Something to note, in the WMAppManifest.xml, the following needs to be added after the <Tokens> declaration
<ActivatableClasses>
  <InProcessServer>
    <Path>NokiaRegistryUtils.dll</Path> <!-- or whatever dll you're adding -->
    <ActivatableClass ActivatableClassId="NokiaRegistryUtils.Registry" ThreadingModel="both" />
  </InProcessServer>
</ActivatableClasses>
vivekkalady said:
Hi
I found a registry key
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office Mobile\SPMC\Action\doc]
"Application"=dword:00000005
"ApplicationCommand"="app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/Default?CmdLine=-url %s"
"Action"=dword:00000003
This is for Microsoft Office Word
I think we can open Word using the link I guess (app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/)
So is this part useful?
Can external commands be executed through this part (CmdLine=-url %s) ??
something like this
http://dotnet.dzone.com/articles/windows-phone-7-tip-day-know
Where did you find that key?
in ffu file
location <ffu mount>\Windows\Packages\RegistryFiles\Microsoft.Office.Word.reg
Perfect. That's what I'm doing now, but just from my 920 ROM dump. I can access the registry sections that Nokia provides in their app, but I can't from the one you provided me. I'm going to do more tests to see if this is using HKCU rather than HKLM. It could also be that the registry keys have permissions placed on them.
Hmm,
I'm able to get the value of SOFTWARE\Classes\MIME\Database\Codepage\1254 -> BodyCharset
I may write a simple app that reads registry from Lumia devices... I think that's going to happen today.
Found these things, don't know if it is of any use
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3]
"DefaultId"="{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
http://support.microsoft.com/kb/287547
vivekkalady said:
Found these things, don't know if it is of any use
http://support.microsoft.com/kb/287547
I did find THIS..
Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\DeviceReg\Install]
"MaxUnsignedApp"=dword:7FFFFFFF
That translates to the value of InterOp unlock by default which means we should be able to sideload more than 10 apps at a time.
I also found these within policy xml files
Code:
Microsoft.BaseOS.SecurityModel.policy.xml
<Capability ElementID="2EF45E94A01864DE3387212D6E73AEA885E709AD0F24FB97FE2E84728CB09D14" AttributeHash="49B8EC80A54998B68D7F65A44A340FD28B535494B7A41D650FD94851E38A6B6B" Id="ID_CAP_DEVELOPERUNLOCK" AppCapSID="S-1-15-3-1024-2489250862-3731101856-757172019-2830005102-2903107461-2549818383-1921265406-345878668" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1443" FriendlyName="Enable bearing chamber to load unsigned modules" Visibility="Internal" />
<Capability ElementID="BAFBED1970753822A266C1985F4A2CA2BA7A97CCE149F874743D00F678643C26" AttributeHash="54A2744DE064E139FD4403623C2AB9F1E130BC5C0786F56C1CE39AC814DC3F03" Id="ID_CAP_DEVELOPERUNLOCK_API" AppCapSID="S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1450" FriendlyName="Enable setting of registry key protecting developer unlock mode." Visibility="Internal">
<CapabilityRules>
<Rules>
<RegKey ElementID="F0921CC3ADB2FEE5B7DC90F9F2BBDDB6E4D7BFAF9CE189C1585A90CD71E36882" DACL="(A;CI;KRKW;;;S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1030)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1450)" Flags="515" Path="HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager" />
</Rules>
</CapabilityRules>
</Capability>
Need a Nokia Device?
snickler said:
I may write a simple app that reads registry from Lumia devices... I think that's going to happen today.
That's great! If anyone needs a Nokia device to test on, Nokia has Remote Device Access for those who need it. It's a free service to anyone who has a Nokia DEVELOPER account, which is separate but free as well. The devices they mostly have are Lumia 820s, but they have a few others (620, 720, 920 and the 928.) The great thing about them: you can deploy an xap and run the apps. Some of those phones have SIMs in them and some of them have a "Nokia On-Device Diagnostic Tool". The only drawback is that the connection can be SLOW.
Huh, you had to add the InProcServer manually? That may be the problem, then. I'm not sure why they're using COM - it works just fine to simply use the native Win32 APIs (add references to ADVAPI32LEGACY.LIB and/or KERNELBASE.LIB; that's what my NativeAccess library does and it works fine) - but it's good to know that COM is, in fact, usable.
Yeah, I already found those policy files. As I've said in other posts, if you can find a way to sideload an app that uses them, we can do a lot more than is currently possible - the internal and private capabilities (and some of the so-called public ones, most of which still won't install) have all kinds of cool potential.
One advantage of the WP8 app model, as opposed to the WP7 model that used ID_CAP_INTEROPSERVICES for everything, is that an app like you're making may well work on other devices. The fact that you got the interop-lock error means that the app did have ID_CAP_INTEROPSERVICES specified, so it may use it for some things, but the registry access is probably not one of them.
GoodDayToDie said:
Yeah, I already found those policy files. As I've said in other posts, if you can find a way to sideload an app that uses them, we can do a lot more than is currently possible - the internal and private capabilities (and some of the so-called public ones, most of which still won't install) have all kinds of cool potential.
One advantage of the WP8 app model, as opposed to the WP7 model that used ID_CAP_INTEROPSERVICES for everything, is that an app like you're making may well work on other devices. The fact that you got the interop-lock error means that the app did have ID_CAP_INTEROPSERVICES specified, so it may use it for some things, but the registry access is probably not one of them.
The best part is that the Nokia CityLens uses ID_CAP_INTEROPSERVICES, but I can't find anything that references it.
The winmds use System.Runtime.InteropServices though.
The Nokia app I got the RegistryRT from didn't use the INTEROP Capability at all, but I did notice that I had to add that extra stuff in the AppManifest.

[Q] Anyone know what the "Lexicon Update" is?

While browsing the registry, I found a key referencing a "Lexicon Update". It is a packed .SDC file, and therefore impossible to open (They are used internally by MS and are encrypted strongly). This raises suspicion that this is something MS does not want us to see, as otherwise it would not use the .SDC format, only used for encrypting unreleased software (For example, this was used for pre-release Windows 7). I highly doubt this is pre-release software, as it is installed as a registry key, but if we could open this file somehow, it might be of some kind of interest.
You can download it from here, or you can find the key yourself at:
DOWNLOAD:
https://go.microsoft.com/fwlink/?LinkID=254910&clcid=0x804
KEY LOCATION:
SOFTWARE\MICROSOFT\LEXICONUPDATE
Wrong thread. This should be moved to the Windows Phone 8 Q&A, Help & Troubleshooting area.

Fix - Apps and websites not working after certificates expire

As identified in this post http://forum.xda-developers.com/showpost.php?p=65344931&postcount=10 lots of apps and websites have stopped working over the past year or so (depending maybe on your ROM). This has been traced to the root certificates (used to trust websites and set up secure SSL connections) becoming out of date. Modern devices also have many more root certificates installed by default.
Note that this doesn't fix the google market on the nook touch, nor the kindle book store. It does fix the kindle app for syncing books purchased elsewhere.
I'll port the instructions over into this post later (see the link above for now). It requires root (so is slightly risky).
If you identify any more failing sites, please provide an https link which fails to open on the nook (but does work on a PC) and I'll add the root authority to my files. Anyone working on ROMs is welcome to redistribute my cacerts.bks
<reserved>
Aargh!
tshoulihane said:
As identified in this post http://forum.xda-developers.com/showpost.php?p=65344931&postcount=10 lots of apps and websites have stopped working over the past year or so (depending maybe on your ROM). This has been traced to the root certificates (used to trust websites and set up secure SSL connections) becoming out of date. Modern devices also have many more root certificates installed by default.
Note that this doesn't fix the google market on the nook touch, nor the kindle book store. It does fix the kindle app for syncing books purchased elsewhere.
I'll port the instructions over into this post later (see the link above for now). It requires root (so is slightly risky).
If you identify any more failing sites, please provide an https link which fails to open on the nook (but does work on a PC) and I'll add the root authority to my files. Anyone working on ROMs is welcome to redistribute my cacerts.bks
I've been using your updated cacerts.bks file and it is great. In January another certificate expired and I'm fairly confident it's the reason a news app (News Republic) started throwing up security certificate errors and refused to connect with the server. I think I need to be able to do the certificate updates, but I am trying to avoid going down the SDK road (a massive download I will never use for anything else) and all those complexities.
Except, nothing else seems to work. There is an ancient thread in which people discuss various ways to update pre-ICS cacerts. Unfortunately, none of them work--I've tried them all. The browser idea seems promising and Opera Mobile responds as described, but then nothing happens to the cacerts.bks file.
Portecle looks really promising (images below). It can obviously open and inspect the cacerts.bks file (password: changeit). It shows the additions you made and also indicates the expired certificate.
So I went searching for a replacement and found something that seems like the right thing (attached as a zip). It imported easily into Portecle and then appeared along with the new ones you added.
Then I returned the file to the NST and made the permissions the same as the old file. A reboot put me in a loop out of which I just barely managed to recover by inserting my NookManager card at just the right moment.
So I don't get it. The bouncycastle files recommended in the CAcerts wiki for this task are too old to be available. Surprise.
I'm tempted to NOT fix the permissions on the cacerts.bks file when I return it to the NST because I once had a similar problem with a settings.db file and it turned out that restoring the "correct" permissions resulted in a bootloop while leaving them as they were when the file was copied back made it all work just fine. But I'm too timid to try that just now.
Any insights?
From my linked thread,
Download http://www.bouncycastle.org/download...dk15on-146.jar - this is used locally on your PC to manipulate the certificates and needs to be version 146 or 147 to work with android (or old android at least)
It seems that when I used a different version, I got a bootloop. Although the link I referenced seems to have died, the filename still turns up plenty of hits. http://polydistortion.net/bc/download/ for example (version 1.47).
I agree it's a lot of pain, and I'm not sure I still have the toolchain download that I used for this work. I'll have a dig around...
tshoulihane said:
From my linked thread,
It seems that when I used a different version, I got a bootloop. Although the link I referenced seems to have died, the filename still turns up plenty of hits. http://polydistortion.net/bc/download/ for example (version 1.47).
I agree it's a lot of pain, and I'm not sure I still have the toolchain download that I used for this work. I'll have a dig around...
Yipes. Well, I downloaded the jar file (many thanks...I did search on the file name and came up empty) and followed your example on the other thread. Everything behaved as it should. Except for the boot loop....... This time it was even harder to get out of it.
Two possibilities come to mind. My JDK is 1.8.0_73. Maybe that's too new to work properly. The other is that the certificate, despite playing nicely as far as console feedback went, is of the wrong format, although this does not show up in the feedback or in Portecle.
Anyway, I'm sufficiently intimidated now that I'm not going back there unless I have a better way of getting out of boot loops (since I'm doing ADB over Wi-Fi).
Edit: temptation... So I went back to the CAcerts Wiki and noticed they suggest Java 6. Now, of course, the Wiki is old, but so is the Java underlying the NST, so I found an install of Java 6 and put it on the laptop we have attached to the TV (which runs Kodi and very little else). Then I repeated the entire procedure with--supposedly--all the right components. Same dreaded bootloop. So either the certificate I have has an incompatible format, or I am just hopeless at this. Maybe both
all of the old bouncy castle api releases are archived on their ftp server under ftp://ftp.bouncycastle.org/pub. i managed to find the .jar files referenced in the other thread on there and updated my cacerts.bks using the cacerts wiki instructions a few days ago. hope it helps you. using the newer release gave me a bootloop as well, but once i grabbed the older version from their ftp all was good!
shadylady said:
all of the old bouncy castle api releases are archived on their ftp server under ftp://ftp.bouncycastle.org/pub. i managed to find the .jar files referenced in the other thread on there and updated my cacerts.bks using the cacerts wiki instructions a few days ago. hope it helps you. using the newer release gave me a bootloop as well, but once i grabbed the older version from their ftp all was good!
Which java version were you running?
Edit: Hmm....I'm not having any luck with the link you provided. Using an FTP client I am asked for a logon and in my browser (Firefox) it never connects.
Here we go: http://www.bouncycastle.org/archive/
Remains to be seen if that will do the trick for me...
the bootloop version was whatever bouncycastle.org has as their latest release.
the one i downloaded from the ftp that didn't bootloop was this one: bcprov-jdk16-146.jar
you'll need to ftp in and use the password "anonymous" and some bogus email to get onto the ftp. from that web version of the archive it should be this package: http://www.bouncycastle.org/archive/146/bcprov-jdk16-146.tar.gz
i'm running mac, so my default java was 1.6. i updated to 1.8 but that happened after i got this all up and running already. this was the version that was default:
$ /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Commands/java -version
java version "1.6.0_65"
Java(TM) SE Runtime Environment (build 1.6.0_65-b14-468-11M4833)
Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-468, mixed mode)
so jdk 1.6 + API 146 (or 147?) seems to be the proper mix.
at first i thought it wasn't working, because although i updated the cacerts.bks, the amazon kindle app kept saying "incorrect email/password". took me a while before i read the entire thread and realized that amazon now does two-step authentication so i had to enter the one time passcode they had sent to my email.
nmyshkin said:
Which java version were you running?
Edit: Hmm....I'm not having any luck with the link you provided. Using an FTP client I am asked for a logon and in my browser (Firefox) it never connects.
Well....progress, or at least I think so. This may be an easier method.
Go to http://www.bouncycastle.org/archive/ and download bcprov-jdk15on-146.jar
Go to https://sourceforge.net/projects/portecle/ and download portecle (an executable jar)
Unzip portecle. Rename the bcprov-jdk15on-146.jar to simply bcprov.jar and copy that into the unzipped portecle folder (overwrite the newer version already present).
To run portecle, just double-click on portecle.jar. You will get a statement about the 146 file being out of date, resulting in not everything working, but enough works for our purposes.
Copy cacerts.bks from your NST (system/etc/security) to your PC, open portecle and import your cacerts file (password is "changeit"). You now have a nice graphical interface for perusing and updating your certificates! If you have a *.cer certificate to update, rename the "cer" to "crt" and use the import function. It's really that simple. I tried it, copied the file back onto my NST, fixed the permissions and.......{drumroll}.......no bootloop. I'm running jdk 1.8.x.
That's the good news. The bad news is that I did not succeed in updating the entrust certificate. I added three from their website and while they did not break cacerts, they did not restore functionality to NewsRepublic, which is what I was hoping to do.
So....this may work. It's certainly easy, but clearly you need to have the correct updated certificate to get the desired result. Duh.
Edit: OK, it's ALL bad news
Don't do any of this. It seems to go OK but yesterday I found I could not successfully open the NPR app. I thought, "well, another one bites the dust", but I was curious so I used SearchMarket to see if the app was still listed for the NST. It was. So maybe it got corrupted somehow? Anyway, I uninstalled it and was going to reinstall from the Market but suddenly I got messages about the download failing. Oh no, not another function going south?!
Well, it's all fine, but the problem was the cacerts.bks file that I had made using the method above. Although there is no bootloop on restart, there is bad ju-ju nonetheless. Restoring my backup of cacerts.bks fixed NPR and SearchMarket. So....don't go there (and the two people who thanked me, feel free to unthank me).
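One way to see what an edit did to cacerts.bks before copying it back to the device, as an added example (not code from this thread or from Bouncy Castle): it reads the format version at the start of the file and lists which aliases were added, removed or replaced. The layout it parses (4-byte version, salt, iteration count, typed entries, trailing HMAC) is an assumption about the Bouncy Castle BKS format, and `build_sample` only produces constructed stand-in data, not real certificates.

```python
import hashlib
import io
import struct

CERT_ENTRY, END_OF_ENTRIES = 1, 0   # entry type bytes in the assumed BKS layout

def _take(s, n):
    data = s.read(n)
    if len(data) != n:
        raise ValueError("truncated BKS data")
    return data

def _utf(s):
    # Java writeUTF(): 2-byte big-endian length, then the string bytes
    return _take(s, struct.unpack(">H", _take(s, 2))[0]).decode("utf-8", "replace")

def _cert(s):
    cert_type = _utf(s)                                  # normally "X.509"
    return cert_type, _take(s, struct.unpack(">I", _take(s, 4))[0])

def parse_bks(blob):
    """Return (format_version, {alias: sha256 of the certificate DER})."""
    s = io.BytesIO(blob)
    version, salt_len = struct.unpack(">II", _take(s, 8))
    if version > 2 or salt_len > 64:
        raise ValueError("not a BKS store (header 0x%08x)" % version)
    _take(s, salt_len + 4)                               # salt, then iteration count
    certs = {}
    while (entry_type := _take(s, 1)[0]) != END_OF_ENTRIES:
        if entry_type != CERT_ENTRY:
            raise ValueError("entry type %d: not a plain trust store" % entry_type)
        alias = _utf(s)
        _take(s, 8)                                      # creation time, ms since epoch
        for _ in range(struct.unpack(">I", _take(s, 4))[0]):
            _cert(s)                                     # chain, empty for trusted certs
        certs[alias] = hashlib.sha256(_cert(s)[1]).hexdigest()
    return version, certs                                # trailing HMAC is not verified

def compare_stores(device_blob, edited_blob):
    """Summarise what an edit changed before the file goes back on the device."""
    old_version, old = parse_bks(device_blob)
    new_version, new = parse_bks(edited_blob)
    return {
        "version": (old_version, new_version),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "replaced": sorted(a for a in set(old) & set(new) if old[a] != new[a]),
    }

def build_sample(version, certs):
    """Constructed test input only: ASCII aliases, fake DER bytes, zeroed salt and HMAC."""
    out = struct.pack(">II", version, 20) + bytes(20) + struct.pack(">I", 1024)
    for alias, der in certs.items():
        out += bytes([CERT_ENTRY]) + struct.pack(">H", len(alias)) + alias.encode()
        out += struct.pack(">qI", 0, 0)                  # creation time, empty chain
        out += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return out + bytes([END_OF_ENTRIES]) + bytes(20)

if __name__ == "__main__":
    device = build_sample(1, {"0": b"old-root", "1": b"expired-root"})
    edited = build_sample(2, {"0": b"old-root", "1": b"renewed-root", "2": b"new-root"})
    print(compare_stores(device, edited))
```

For real files, read both with `open(path, "rb").read()` and pass the bytes to `compare_stores`; differing numbers in `version` mean the edited file was saved in a different BKS format version than the one pulled from the device.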

[NST/G] FBReader "My personal catalog" and sync--cacerts update

cacerts.bks file updated 12-6-20
On May 30, 2020 another certificate in our ancient cacerts.bks file expired. This was one of the certificates used by FBReader to sync with a Google Drive directory of your designation (see books.fbreader.org). I'm assuming at this point that it was the critical certificate in the link because not long ago it was possible to work around login issues as described in my earlier post here: https://forum.xda-developers.com/nook-touch/general/setting-sync-fbreader-t3957311
I was contacted by another XDA member about this issue and noticed in a logcat that the certificate had expired. I have never had any luck updating certificates, despite the description of the process by XDA member @tshoulihane. It took many a year for the basics to penetrate my thick skull and I finally decided to look at it again. I will prepare a post on this topic in a bit so the information won't die with me.
Meanwhile, I have updated both certificates in a cacerts file I extracted from a Honeycomb ROM and have been using on all my NST devices. It also includes the updated Amazon certificate so the Kindle app still functions. It contains many more certificates than the file that came with the NST (some expired). At least now I see a way forward.
To update your file, download the zip below and extract the cacerts.bks file. Transfer to the SD card of your NST and then use a file manager with root privileges to copy it into /system/etc/security, overwriting the file that is already there. If you feel queasy about this, first rename the old cacerts.bks file to cacerts.bak, then move the new one in place. File permissions should be rw-r-r
Reboot.
No need for the workaround I wrote about in the earlier post now. I tried this with both Opera Mobile and Opera Mini, signed in on both browsers before starting. Opera Mini failed. Opera Mobile, with the appropriate settings for TLS 1.2 etc. as I have described in another post, balked a little but succeeded. And once you are signed in, you never need to go back to the browser (I think).
Here's what may happen:
1. You may sail through the sign-in process from FBReader (Network Library>FBReader book network) and see your file information appear. Done.
2. More likely than not you will get an "unable to establish a secure connection" or similar. This is a sadly common occurrence in Opera Mobile these days and has been roundly trounced on old Opera discussion boards. There appears to be no fix for it except to access the "Settings" window (from the "O" button). Then go to "Privacy" and then "Clear cache". Now back out of the Settings windows (Back button) and finally hit the "refresh" icon. Voila. This is a general "fix" for pages which don't want to load properly even though you have a valid certificate. I've tried running a script to delete the Opera cache before opening Opera but to no avail. Sometimes you are lucky (especially if you have not encountered any errors in a session before exiting), sometimes you are not. Like I say, once you get past this with FBReader, you should not need to go through it again. Just remember, you want to be signed in with your email, etc. on the Google homepage (the same account for your Google drive you set up with FBReader) before you go through all this.
I tested this with FW 1.2.2, but not 1.2.1
Hello!
Thanks a lot for this information, I was struggling with exactly this yesterday and came here to post this issue, but you already have a solution.
I installed Opera Mini v7.6.4 but couldn't connect to FBReader, so I tried to use the default browser and voilà. Now it's working again.
Thanks again, I really thought it was impossible to fix lol.
I haven't checked if kindle app is working, but it surely does.
Thank you!
How does one install or enable a file manager with root access? I've been googling for hours now and it's such a broad topic that I just can't for the life of me figure it out
xrupa said:
How does one install or enable a file manager with root access? I've been googling for hours now and it's such a broad topic that I just can't for the life of me figure it out
If your device is rooted, then you just need a "good" file manager. The version of ES File Explorer I use has an option for enabling root access. Attached.
Ah, that's the release version I have installed, I'll try and find the option, couldn't spot it earlier but that gives me hope
many thanks
Cheers, that's got me on a step or two, I think I just need to disable two step verification next as opera or the standard browser is repeatedly doing the 'failed connection' thing you mention at that stage, lightly infuriating, but at least I'm getting closer to getting my fbreader library back, many thanks!
xrupa said:
Cheers, that's got me on a step or two, I think I just need to disable two step verification next as opera or the standard browser is repeatedly doing the 'failed connection' thing you mention at that stage, lightly infuriating, but at least I'm getting closer to getting my fbreader library back, many thanks!
The stock browser is useless. For Opera Mobile don't neglect to make the TLS 1.2 change and, of course, update cacerts.bks
Ah great thanks, I've found that TLS thread, I'll do that and hopefully that'll be it!
nice one @nmyshkin
OMG It's done, I'm back into the network library on my ancient nook!
thanks so much, months of trying allsorts, nice one, thank you!
