Microsoft offering free unlocks, 2 app sideload limit - Windows Phone 8 Development and Hacking

Microsoft just announced today that Windows Phone developers can now unlock their devices for free, with a 2-app sideload limit. Those needing higher limits can grab an account for cheap during the summer ($19 USD).
Just use your Microsoft account with the Windows Phone Developer Registration tool and you should be off and running.
> Beginning today we are simplifying the developer phone registration process. Now, any developer can unlock and register 1 phone to load up to 2 apps. Registered developers with Dev Center accounts continue to have the option to unlock up to 3 phones and upload up to 10 apps on each.

WithinRafael said:
> Microsoft just announced today that Windows Phone developers can now unlock their devices for free, with a 2-app sideload limit. Those needing higher limits can grab an account for cheap during the summer ($19 USD).
> Just use your Microsoft account with the Windows Phone Developer Registration tool and you should be off and running.
That's awesome news! That gets rid of the need for Chevron mods for all those WP7 people and that makes it easy to test WP8 apps.

thals1992 said:
> That's awesome news! That gets rid of the need for Chevron mods for all those WP7 people and that makes it easy to test WP8 apps.
this is great news!

This whole thing got me thinking, there might be some way to "abuse" the XAP installer that processes the XAP, since the XAP is downloaded straight from the browser.
Hopefully there are some vulnerabilities in the installer.

IzaacJ said:
> This whole thing got me thinking, there might be some way to "abuse" the XAP installer that processes the XAP, since the XAP is downloaded straight from the browser.
> Hopefully there are some vulnerabilities in the installer.
I think you're on to something here....

Not sure what you mean by "the XAP is downloaded straight from the browser" - Store apps are downloaded over HTTP (HTTPS actually, with cert pinning to boot) but the only apps I've seen actually install if they were downloaded from a web browser (or via email attachment, or sent using Bluetooth) are company / LOB apps, not store apps or unsigned (homebrew/development) apps.
That said, the XAPs do get processed by the installer (and rejected) anyhow. It's possible there's a vulnerability in that check process; is that what you're thinking of? If so, I don't believe it has anything to do with the news in this thread in particular (although it *might* help to have dev-unlock enabled) but it's a worthwhile path of exploration anyhow. The XAP installer is one of the relatively few parts of the system that has fairly high permissions but is easily attackable. Of course, that means MS will have reviewed and fuzz tested the hell out of it, but we can hope...

GoodDayToDie said:
> Not sure what you mean by "the XAP is downloaded straight from the browser" - Store apps are downloaded over HTTP (HTTPS actually, with cert pinning to boot) but the only apps I've seen actually install if they were downloaded from a web browser (or via email attachment, or sent using Bluetooth) are company / LOB apps, not store apps or unsigned (homebrew/development) apps.
> That said, the XAPs do get processed by the installer (and rejected) anyhow. It's possible there's a vulnerability in that check process; is that what you're thinking of? If so, I don't believe it has anything to do with the news in this thread in particular (although it *might* help to have dev-unlock enabled) but it's a worthwhile path of exploration anyhow. The XAP installer is one of the relatively few parts of the system that has fairly high permissions but is easily attackable. Of course, that means MS will have reviewed and fuzz tested the hell out of it, but we can hope...
The XAPs developed in App Studio are downloaded in the browser on the phone, not from the store, which could prove to be a vulnerability, but there might be cert pinning since App Studio apps require you to install a certificate first. Hopefully someone with more knowledge, like you, could look at it. Just prep a simple app in App Studio and go through the process and see what you'll be able to find.
Maybe Fiddler might help to determine if any cert pinning is done?

Ah sorry, I wasn't looking at App Studio. I will investigate... but unless they're giving us access to the signing key, or raw access to the XAP, it probably won't work for anything *too* exciting. Still, if it's a way to install signed apps that we write ourselves (to any meaningful degree), there's hope...

GoodDayToDie said:
> Ah sorry, I wasn't looking at App Studio. I will investigate... but unless they're giving us access to the signing key, or raw access to the XAP, it probably won't work for anything *too* exciting. Still, if it's a way to install signed apps that we write ourselves (to any meaningful degree), there's hope...
If I've understood it correctly, there is a possibility to make changes to the XAP.
> Note this tool is browser driven - no Windows 8 machine required - if you're not going to modify the source code that is. There are plans on the way for more goodies, so keep posted.
- Source

Cool. Looks like I need to send a request to get into the beta. I should do that... see what I get back. If the XAPs aren't signed, they probably won't be useful for breaking anything but the interaction with the browser might be interesting. If they are signed...

GoodDayToDie said:
> Cool. Looks like I need to send a request to get into the beta. I should do that... see what I get back. If the XAPs aren't signed, they probably won't be useful for breaking anything but the interaction with the browser might be interesting. If they are signed...
I didn't have to sign up for the beta, think I could use it right away since I'm a registered dev. Just signed in with my dev account and tried it out right away.

IzaacJ said:
> I didn't have to sign up for the beta, think I could use it right away since I'm a registered dev. Just signed in with my dev account and tried it out right away.
Awwman! I sent the request more than 24 hours ago and I still haven't received any emails. Also I'm a registered DreamSpark dev, but that expired March.

@IzaacJ: Thanks for the tip, I'll try that then.
EDIT: Nope! Still demanding an "invitation code".

How the Windows Phone App Studio deploys
thals1992 said:
> Awwman! I sent the request more than 24 hours ago and I still haven't received any emails. Also I'm a registered DreamSpark dev, but that expired March.
Finally got mine a few hours ago. Haven't got very deep in it yet, but the templates are convenient.
---------- Post added at 10:49 PM ---------- Previous post was at 10:35 PM ----------
IzaacJ said:
> The XAPs developed in App Studio are downloaded in the browser on the phone, not from the store, which could prove to be a vulnerability, but there might be cert pinning since App Studio apps require you to install a certificate first. Hopefully someone with more knowledge, like you, could look at it. Just prep a simple app in App Studio and go through the process and see what you'll be able to find.
> Maybe Fiddler might help to determine if any cert pinning is done?
Here's the output of an almost empty app.
> First things first
> Remember you have to install the Certificate we sent you via Email.
links to dowappdiagnostics.blob.com/aet/AET.aetx
Code:
<wap-provisioningdoc>
<characteristic type="EnterpriseAppManagement">
<characteristic type="5342258">
<parm datatype="string" name="EnrollmentToken" value="PEFFVD48RW50ZXJwcmlzZUlkIFZhbHVlPSI1MzQyMjU4IiAvPjxTaWduYXR1cmUgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxTaWduZWRJbmZvPjxDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvVFIvMjAwMS9SRUMteG1sLWMxNG4tMjAwMTAzMTUiIC8+PFNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiIC8+PFJlZmVyZW5jZSBVUkk9IiI+PFRyYW5zZm9ybXM+PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIiAvPjwvVHJhbnNmb3Jtcz48RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2IiAvPjxEaWdlc3RWYWx1ZT5qbVBocDJSTjAydEoxWkJILzVyS0kzVk9tWjNDTmVHOG02bVVIbCtNNkNvPTwvRGlnZXN0VmFsdWU+PC9SZWZlcmVuY2U+PC9TaWduZWRJbmZvPjxTaWduYXR1cmVWYWx1ZT5OcXlEQ3Qvb0RUb3JIOFBrYlJHNDZNRFpVcTNreWhod1ZEQW5ocUtoYTYxSzhhcEk3SzNkNEJTcmQ1SXFaQVdraEMvRTFmNThRWWF4QWhRaEtPajRhdUxNNG5RaHowNis2OU96em84Q1RYMERjYUxJNHJWWXh4VGdvdXRWSzBnVkc1bVU4c0trZjQ3VmhGSnd4ZndPRHNwdGp1cmZyODNUVFN6OEJjZDlydW9ORGpZV25QWU9wTU9rRnZuNEFVb3hBdzE5M3BjYWsrZmV5c29udEN0cUw2OUNVRUEwTXhTczBXdGVxVkdLVWphd3JPSlJ5SVE3UkFLV1hxZnl3RDVQUS91M0h0REZBRDBGVXgxRDlkZ2VYWlQyZzZIZUxxZkVmdkxCcXY0cHA2ZjZFVXJ4RDVFNkNIV1lXWE9FZnVSbmZVaUFNS2dwZnIrMTBHMUJRZlphQUE9PTwvU2lnbmF0dXJlVmFsdWU+PEtleUluZm8+PFg1MDlEYXRhPjxYNTA5U3ViamVjdE5hbWU+Q0E8L1g1MDlTdWJqZWN0TmFtZT48WDUwOUNlcnRpZmljYXRlPk1JSUVTRENDQXpDZ0F3SUJBZ0lRTWYyNzRvTTRBRDkvS09ZV1lCWDB6akFOQmdrcWhraUc5dzBCQVFzRkFEQmtNUXN3Q1FZRFZRUUdFd0pWVXpFZE1Cc0dBMVVFQ2hNVVUzbHRZVzUwWldNZ1EyOXljRzl5WVhScGIyNHhOakEwQmdOVkJBTVRMVk41YldGdWRHVmpJRVZ1ZEdWeWNISnBjMlVnVFc5aWFXeGxJRkp2YjNRZ1ptOXlJRTFwWTNKdmMyOW1kREFlRncweE1qQXpNVFV3TURBd01EQmFGdzB5TnpBek1UUXlNelU1TlRsYU1JR1NNUXN3Q1FZRFZRUUdFd0pWVXpFZE1Cc0dBMVVFQ2hNVVUzbHRZVzUwWldNZ1EyOXljRzl5WVhScGIyNHhMakFzQmdOVkJBc1RKVmRwYm1SdmQzTWdVR2h2Ym1VZ1JXNTBaWEp3Y21selpTQkJjSEJzYVdOaGRHbHZibk14TkRBeUJnTlZCQU1USzFONWJXRnVkR1ZqSUVWdWRHVnljSEpwYzJVZ1RXOWlhV3hsSUVOQklHWnZjaUJOYVdOeWIzTnZablF3Z2dFaU1BMEdDU3FHU0
liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3lhVWxNM1VLUW1QNnF5RzdwM0g1bjh0MXpnb3BhUUMrMTVlQlhDaUdXZVJQelIzNFlWeHpvODBSWVlpMHJmMEt0TzlmazVlbTk3ZUw0Y3pRT2hVUE1xK3d0OXQwTEREZjBCcFM3OVlXK0N2SFZwazNCaHlEZTZMai9MaUJSSWY2RWMrRUdjMXNhLy84NVE1eUlxT1RkMU5RQWJBY1oxeDlHOTI1a2RYS24zajZUNTdqNWErNXlQQng5elo0SnNCdm0rc0F6SnI0Mzd5Y2hrK2pwd3BONUJMTFdGMkdLbkVGWGxjSllQYmVvSXlJZkZxa3cxYUpQVGd1cmswWEpnVklXWmozVE1IdHcrcms0dEgxMGIwTmVscFJaRndhLzQ4c1ZmTHE1b1BIS2ZpNFNrUjZmcjRiQWZqQ2R1Z0pyOGJ5NHlpL3dxWUVGMm4zVDJiKzJwZGtsQWdNQkFBR2pnY1l3Z2NNd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFEQkZCZ05WSFI4RVBqQThNRHFnT0tBMmhqUm9kSFJ3T2k4dlkzSnNMbWRsYjNSeWRYTjBMbU52YlM5amNteHpMMjF6Wm5SbGJuUnRiMkpwYkdWeWIyOTBZMkV1WTNKc01CWUdBMVVkSlFRUE1BMEdDMkNHU0FHRytFVUJDRFFCTUE0R0ExVWREd0VCL3dRRUF3SUJCakFkQmdOVkhRNEVGZ1FVWENwa0cxa1NEdXB3Z0NFVU9GS3RDTW5wbG9Bd0h3WURWUjBqQkJnd0ZvQVVUZXpmSmdiY0pCREF0cG4wMXpuSGJ4bjRKaWd3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUR4V0dkVTB5dHpOd2ZZbEhmMy8rTDNoYkJNZG1XTnNnNktBS2pDQnY4a2d2SDk3b0xXZTE1c01mSG1RNGo5ZVErMDJpdVpFV1FRU0ZZV0xTd0gxTm5WbHpIK1MzMDV4bFFlTVFEVWxVMWxoZGpOeUpXYlFlR0J0OFZZa09JQ005L1pUdm5yMm1YdVpsVHR4eHE4V2U4WTUyK2VaK0Y1R2QrSjBIYmZkYmF3YVhVYXF4L1FnQ3d6TTM4cW9pQld4d2JQZXRXbk83OHhjMmdlYjdSMzBia3hTUXJMTTRFVGNTanhIb3AwaC9JQVdVZUhIcHh3Y29tWkt5NzV1UEllLzJlTnZtcFZLb0dEb0pJOHB6YlNOaDZDMUxLMUZ5ZDNrYXhiQVZKcGVLcFVJSk9Ka0RubzM0bG9hOStZa1BRc1ZIRjI2TVVLQ1BRMHYxdTdqNGY1V3c0cz08L1g1MDlDZXJ0aWZpY2F0ZT48L1g1MDlEYXRhPjxYNTA5RGF0YT48WDUwOUNlcnRpZmljYXRlPk1JSUVMekNDQXhlZ0F3SUJBZ0lDQWFFd0RRWUpLb1pJaHZjTkFRRUxCUUF3Z1pJeEN6QUpCZ05WQkFZVEFsVlRNUjB3R3dZRFZRUUtFeFJUZVcxaGJuUmxZeUJEYjNKd2IzSmhkR2x2YmpFdU1Dd0dBMVVFQ3hNbFYybHVaRzkzY3lCUWFHOXVaU0JGYm5SbGNuQnlhWE5sSUVGd2NHeHBZMkYwYVc5dWN6RTBNRElHQTFVRUF4TXJVM2x0WVc1MFpXTWdSVzUwWlhKd2NtbHpaU0JOYjJKcGJHVWdRMEVnWm05eUlFMXBZM0p2YzI5bWREQWVGdzB4TXpBMk1EZ3hOalE1TXpoYUZ3MHhOREEyTVRJd09URTNOVGRhTUZreEhqQWNCZ05WQkFzVEZVMXBZM0p2YzI5bWRDQkRiM0p3YjNKaGRHbHZiakVlTUJ3R0ExVUVBeE1WVFdsamNtOXpiMlowSUVOdmNuQnZjbUYwYVc5dU1SY3dGUVlLQ1pJbWlaUHlMR1FCQVJNSE5UTTBNakkxT0RDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQl
FBRGdnRVBBRENDQVFvQ2dnRUJBTVJ3RG1kQzBkM1lGUXNON2FVZnd3WHA1T2RINGYrYlVmWlJMZHlrS2tUS3MyZVFGTHRRL3pUSElobkxEVlYxR2djbGtNeUNGdXFYNk1qZUVWVXlCNFJxS1JvYkI1MTRxa21ZSGdSdUx6emdLcnRSMFdFSy9wMUFwejZRT1RSb05GMVhGK0Y2aitESjBqRFhaV0xveHl0V1hrTjJ4cUJiVmRjNXVGTEE0d1U2L2dFYWp5ZWJTOWFyaDRuWTBNWThsUHBxRE1KTVlRNVQxNVUwdGprdVk3UWtXTnIvMGhGelZneWRaRFRyb2puY2FpSmd1Wm5kRGhjK2NUS3V1OEdKanlkUW9BcUJ5WGNSbnBIS0s0Y3lYZ2JUNjJFUllqVUtYcVVFWmFURlh0dGdyanR5Y2Q5VTM0L3k0dG5TUTYybS9vanIvUjJLaDE4cnhpSTRCWjY5ZitFQ0F3RUFBYU9CeGpDQnd6QWZCZ05WSFNNRUdEQVdnQlJjS21RYldSSU82bkNBSVJRNFVxMEl5ZW1XZ0RBT0JnTlZIUThCQWY4RUJBTUNCNEF3SUFZRFZSMGxCQmt3RndZSUt3WUJCUVVIQXdNR0MyQ0dTQUdHK0VVQkNEUUJNRUVHQTFVZEh3UTZNRGd3TnFBMG9ES0dNR2gwZEhBNkx5OWpjbXd1WjJWdmRISjFjM1F1WTI5dEwyTnliSE12YlhObWRHVnVkRzF2WW1sc1pXTmhMbU55YkRBTUJnTlZIUk1CQWY4RUFqQUFNQjBHQTFVZERnUVdCQlFKQk1lRmYvdUIxeFZHcTVESTluYm9ZTnE2bXpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUhRV0dzQmpjcWRoK2F6QjJ0MGxXREJJMWFJRTZVZlQ5cjJUYktBN2pkdjRzdk5KRGIrcy9mTit2ZXMydFJqV25YaDZIS0xacVNkbFpUT3NodzIxV1UxNEE1bUlNNnRMNVdGL1F6dll5aU5HTHAwU1VNa2pSdXpFRDlaT0RrSElkV21Ca0FDS1pGWE92ajQ2TWxPVGZLYVJQdXZPR1NEYktkbGRVY3dWalR3UWpnbHpTY05hUjROL3l0M2FsRUUxQ01jZXJjYUpFZ2xITmpsc0svUFZkMGFTU1YzeHRhNmNvTHBURFlFVlB4bjJ4QnVQd21JeHJ6VHh1QkhUMmNSakN3WDhobC9kRkFxSC94YzBQWFQzbEFVbzZDMDY2b2lEZ3JTQ1gwYUhGcVlTZjROZVNselQ5NFdZTWsrblEwdFBLclVvV2p2N1d1UTlWSUsrMzhmQm5HUT09PC9YNTA5Q2VydGlmaWNhdGU+PC9YNTA5RGF0YT48L0tleUluZm8+PC9TaWduYXR1cmU+PC9BRVQ+"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
Link to app
http://bit.ly/19fnUyO
It also offers the source code:
http://apps.windowsstore.com/DashBo...4ab6a18?version=59091.elpplk&resource=sources
The file is named WPAppStudio.xap
THIS JUST ADDS MICROSOFT CORPORATION AS A COMPANY ACCOUNT AND DEPLOYS AN XAP BASED ON IT.
So, this isn't really good news. Back to looking at a company account exploit?
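An added example, not part of the original post or of any Microsoft tooling: a Python script that reads a `wap-provisioningdoc` like the one above, decodes each `EnrollmentToken`, and reports the enterprise ID, the signature method and whether the enveloped XML signature covers the whole token. The sample document is constructed (placeholder ID, digest, signature and certificate bytes, with a layout assumed to mirror the posted token) and the helper names are hypothetical; the script only reads structure and does not verify the signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def make_sample_aetx(enterprise_id="0000000", outer_id=None, extra="", wrap=False):
    """Build a CONSTRUCTED .aetx; digest, signature and certificates are placeholders."""
    fake = base64.b64encode(b"constructed-placeholder").decode()
    aet = (
        f'<AET><EnterpriseId Value="{enterprise_id}" />'
        '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
        '<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />'
        '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />'
        f'<Reference URI=""><Transforms><Transform Algorithm="{ENVELOPED}" /></Transforms>'
        '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />'
        f'<DigestValue>{fake}</DigestValue></Reference></SignedInfo>'
        f'<SignatureValue>{fake}</SignatureValue><KeyInfo>'
        f'<X509Data><X509Certificate>{fake}</X509Certificate></X509Data>'
        f'<X509Data><X509Certificate>{fake}</X509Certificate></X509Data>'
        '</KeyInfo></Signature></AET>'
    )
    token = base64.b64encode(aet.encode()).decode()
    if wrap:  # imitate a copy whose base64 was broken across lines
        token = "\n".join(token[i:i + 64] for i in range(0, len(token), 64))
    return (
        '<wap-provisioningdoc><characteristic type="EnterpriseAppManagement">'
        f'<characteristic type="{outer_id or enterprise_id}">'
        f'<parm datatype="string" name="EnrollmentToken" value="{token}"/>'
        f'</characteristic></characteristic>{extra}</wap-provisioningdoc>'
    )


def parse_xml(data):
    """Parse XML from an untrusted file, refusing DTDs (entity-expansion tricks)."""
    text = data.decode("utf-8", "replace") if isinstance(data, bytes) else data
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD or entity declaration not allowed")
    return ET.fromstring(text)


def decode_token(value):
    """Decode one EnrollmentToken and summarise the AET document inside it."""
    # Copies pasted into forums or e-mail often wrap the base64; drop whitespace first.
    aet = parse_xml(base64.b64decode("".join(value.split()), validate=True))
    ent, sig = aet.find("EnterpriseId"), aet.find(f"{DSIG}Signature")
    info = {"enterprise_id": None if ent is None else ent.get("Value"),
            "signed": sig is not None, "signature_method": None,
            "covers_whole_token": False, "cert_der_sizes": []}
    if sig is None:
        return info
    method = sig.find(f"{DSIG}SignedInfo/{DSIG}SignatureMethod")
    ref = sig.find(f"{DSIG}SignedInfo/{DSIG}Reference")
    if method is not None:
        info["signature_method"] = method.get("Algorithm", "").rsplit("#", 1)[-1]
    if ref is not None:
        transforms = [t.get("Algorithm") for t in ref.iter(f"{DSIG}Transform")]
        # URI="" with the enveloped-signature transform: the digest is computed over
        # the entire AET document (EnterpriseId included), minus the Signature itself.
        info["covers_whole_token"] = ref.get("URI") == "" and ENVELOPED in transforms
    for cert in sig.iter(f"{DSIG}X509Certificate"):
        info["cert_der_sizes"].append(len(base64.b64decode(cert.text or "")))
    return info


def inspect_aetx(text):
    """Return (tokens, findings) for a wap-provisioningdoc given as text."""
    tokens, findings = [], []
    root = parse_xml(text)
    for top in root.findall("characteristic"):
        if top.get("type") != "EnterpriseAppManagement":
            findings.append(f"unexpected characteristic {top.get('type')!r}")
            continue
        for ent in top.findall("characteristic"):
            for parm in ent.findall("parm"):
                if parm.get("name") != "EnrollmentToken":
                    findings.append(f"unexpected parm {parm.get('name')!r}")
                    continue
                try:
                    info = decode_token(parm.get("value", ""))
                except (ValueError, ET.ParseError) as exc:
                    findings.append(f"token does not decode: {exc}")
                    continue
                info["outer_id"] = ent.get("type")
                if info["enterprise_id"] != info["outer_id"]:
                    findings.append("outer enterprise id differs from id inside token")
                if not info["signed"]:
                    findings.append("token carries no signature")
                elif not info["covers_whole_token"]:
                    findings.append("signature reference does not cover the whole token")
                tokens.append(info)
    return tokens, findings


if __name__ == "__main__":
    for doc in (make_sample_aetx(wrap=True), make_sample_aetx(outer_id="1111111")):
        print(inspect_aetx(doc))
```

For files from an untrusted source, a hardened parser such as `defusedxml` is a better fit than the DTD string check used here.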

thals1992 said:
> Finally got mine a few hours ago. Haven't got very deep in it yet, but the templates are convenient.
> ---------- Post added at 10:49 PM ---------- Previous post was at 10:35 PM ----------
> Here's the output of an almost empty app.
> links to dowappdiagnostics.blob.com/aet/AET.aetx
> Link to app
> http://bit.ly/19fnUyO
> It also offers the source code:
> http://apps.windowsstore.com/DashBo...4ab6a18?version=59091.elpplk&resource=sources
> The file is named WPAppStudio.xap
> THIS JUST ADDS MICROSOFT CORPORATION AS A COMPANY ACCOUNT AND DEPLOYS AN XAP BASED ON IT.
> So, this isn't really good news. Back to looking at a company account exploit?
It might be possible to find an exploit in the XAP installer that installs the XAPs from the browser, and use that to install an app with higher privileges, and accessing the filesystem and/or the registry with full access?

Actually, that's pretty good. Company apps have lower restrictions, and are easier to install. Also, that's a provxml document... we should see if we can modify it and get it to do anything else interesting for us!

@GoodDayToDie, I was thinking the same thing of the provxml document. That would be EPIC if we could modify it to change registry...

@GoodDayToDie, @snickler I'm gonna try to use fiddler to redirect that request to my own server with an edited file and see what happens. Going to start with setting the MaxUnsignedApp value. Wish me luck

IzaacJ said:
> @GoodDayToDie, @snickler I'm gonna try to use fiddler to redirect that request to my own server with an edited file and see what happens. Going to start with setting the MaxUnsignedApp value. Wish me luck
Ohhh please tell me how this works out! I wanted to do the same thing, but I have to wait for MS to get back with my invitation code.
Best of luck!

@snickler No matter how I do, it ends up showing the AET.aetx as a text file. Doesn't matter if it's the original one or the edited one.
Original one is available at: http://www.izz0.eu/AET.aetx
Edited one is available at: http://www.izz0.eu/AET2.aetx
Feel free to try on your own.
@GoodDayToDie, you've got any ideas? You're like a walking knowledgebase ;D

Related

Anyone tried the "jailbreak" yet?

has anyone tried this yet...
http://www.chevronwp7.com/post/1679668269/windows-phone-7-unlocker-released#disqus_thread
i did it to mine but now need some 3rd party apps to try.. the hello world app is the only one ive found...
kawgirlval69 said:
> has anyone tried this yet...
> http://www.chevronwp7.com/post/1679668269/windows-phone-7-unlocker-released#disqus_thread
> i did it to mine but now need some 3rd party apps to try.. the hello world app is the only one ive found...
More importantly, anyone else getting a virus hit on the file by the name of WS.Reputation.1?
I posted on this subject in the development thread.
I wasn't sure if this subject belongs here or there.
Now comes an article raising the possibility of the phone being blacklisted on the marketplace when MS detects the unlock has taken place:
http://www.mobiletechworld.com/2010/11/25/windows-phone-7-unlocker-released/
Worse than a virus hit. I actually got it. It changed my host file by adding a couple localhost redirects... Every time I clicked on a Google search result, it would redirect me to some crappy excuse of a search engine. Relatively easy to fix though.
no virus hit and havent encountered the redirect problem... am wondering the same with the blacklist issue but i guess it will be a wait and see as with most unlock/jailbreak issues...
n8huntsman said:
> Worse than a virus hit. I actually got it. It changed my host file by adding a couple localhost redirects... Every time I clicked on a Google search result, it would redirect me to some crappy excuse of a search engine. Relatively easy to fix though.
LOL...man, is this typical or what? I can see this Windows Phone business is going to be an uphill struggle every step of every way. Swell.
wildbilll said:
> I posted on this subject in the development thread.
> I wasn't sure if this subject belongs here or there.
> Now comes an article raising the possibility of the phone being blacklisted on the marketplace when MS detects the unlock has taken place:
> http://www.mobiletechworld.com/2010/11/25/windows-phone-7-unlocker-released/
While MS might know if you unlock your phone to sideload apps I don't think they'll take the step of banning a user completely from the marketplace. Doing so would backfire because there is no way this user is ever going to pay for an app; he'll be forced to look for cracked ones, not something MS would want.
Also from this message, it doesn't seem they are taking this sideloading business too seriously, which is good. Now XDA, please bring on some goodies. I need a File Explorer and a Media Player like free version of old Core Player
rexian said:
> While MS might know if you unlock your phone to sideload apps I don't think they'll take the step of banning a user completely from the marketplace. Doing so would backfire because there is no way this user is ever going to pay for an app; he'll be forced to look for cracked ones, not something MS would want.
> Also from this message, it doesn't seem they are taking this sideloading business too seriously, which is good. Now XDA, please bring on some goodies. I need a File Explorer and a Media Player like free version of old Core Player
i THINK THAT WOULD DEPEND ON JUST HOW MANY PEOPLE UNLOCK THEIR PHONES... KILLING A FEW THOUSAND TO SEND A MESSAGE MIGHT JUST BE WHAT MS DOES..

angry birds update

yay
Sent from my PC36100 using XDA App
jmollabi said:
> yay
> Sent from my PC36100 using XDA App
^thanks a bunch!
I'm pretty sure it's for the superbowl commercial thing.
Sent from my PC36100 using XDA App
Watch it, permissions have changed: it wants to read your SMS and MMS in and out
Now that makes absolutely no sense at all. WTF would Angry Birds want to read your SMS and MMS messages. REMOVING!
This is from Android Central
Update: You might well have noticed that the app now says it needs/has permission to access your SMS messages. The developer, Rovio Mobile, tells us on Twitter that it "Must be a mistake in some permission file. Will get it sorted on Monday."
To be on the safe side, probably won't download until Monday when he fixes it. Is there a changelog to see what all changed?
androidcentral.com/angry-birds-update-brings-30-new-levels
Looks like new levels. And some easter eggs with unlock codes coming in a Super Bowl commercial.
Yeah, let's see here... The permissions say it is reading/sending SMS's, and for a company's flagship $1M+ product to have such a bug in it, I think someone would be called in to fix it on the weekend. After all, it'd take only a few minutes to edit the XML file which declares permissions, sign the APK, then send it to the Market.
I reckon the Superbowl "easteregg" is going to be using SMS's without users' knowledge/consent, and that's why they're waiting until Monday.
drmacinyasha said:
> Yeah, let's see here... The permissions say it is reading/sending SMS's, and for a company's flagship $1M+ product to have such a bug in it, I think someone would be called in to fix it on the weekend. After all, it'd take only a few minutes to edit the XML file which declares permissions, sign the APK, then send it to the Market.
> I reckon the Superbowl "easteregg" is going to be using SMS's without users' knowledge/consent, and that's why they're waiting until Monday.
Editing the xml to not say that is one thing, but what if the app was actually reading/sending sms? It would take time to remove that bit of code. I would rather check to see what it is doing than rely on what it says it is or isn't doing.
Oh, come on people! This is XDA after all.
You unpack the apk, edit the xml yourself, repackage and sign. Then you beat all the new levels over the weekend and make fun of the people who are waiting until Monday.
I saw a $22 angry birds t-shirt at the mall today. Cute but maybe $10 at max.
posted via the xda app with my Evo
Solution: Don't DL angry birds. At least not on YOUR phone!!! In any event. It's too addictive anyway. I had to force myself to uninstall it!!!!
iconoclastnet said:
> Oh, come on people! This is XDA after all.
> You unpack the apk, edit the xml yourself, repackage and sign. Then you beat all the new levels over the weekend and make fun of the people who are waiting until Monday.
You do realize that when a program apk is compiled that program's access is determined according to what it does and what it uses and not manually listed by the devs in an xml file.
The fact that the xml file says it means that apk does in fact use or do some actions that involve sms.
I can make a simple apk that stores numbers in a db for the user at their execution and when compiled the xmls will be automatically updated by eclipse to display the type of permissions it requires along with the actions and access it has to your system.
You can edit the xml like you said but it doesn't remove that bit of code that interacts with the sms operations.
lovethyEVO said:
> You do realize that when a program apk is compiled that program's access is determined according to what it does and what it uses and not manually listed by the devs in an xml file.
You do realize that you're completely wrong.
http://developer.android.com/guide/topics/manifest/manifest-intro.html#perms
bkrodgers said:
> You do realize that you're completely wrong.
> http://developer.android.com/guide/topics/manifest/manifest-intro.html#perms
So you're telling me that you have personally compiled a program apk in eclipse and you had to manually specify what permissions and access it needs in the android manifest? Your eclipse somehow does not automatically update the manifest as your code changes?
if you can edit what's in there manually.. what's stopping you from falsifying permissions.. i call false.
rovio.com/index.php?mact=Blogs%2Ccntnt01%2Cshowentry%2C0&cntnt01entryid=57&cntnt01returnid=58
I guess it's not a bug.
"SMS payment coming to Android devices
We are bringing Angry Birds players on Android the option of purchasing the Mighty Eagle and other cool new content in the future using our brand new payment system, Bad Piggy Bank!
Bad Piggy Bank purchases will be paid through operator billing. No credit card is required, you simply select the content you want to purchase in the game, and select the Bad Piggy Bank icon. You confirm your purchase, the payment is made via SMS, and you will be charged in your phone bill.
The Android version of Angry Birds asks for SMS permission because this mobile payment capability has been added in version 1.5.1.
Angry Birds does not use the SMS functionality of the device for any other purpose than Bad Piggy Bank payments.
If the Bad Piggy Bank is not available for your operator, no purchases can be made, and you cannot be charged for anything.
Right now, the system will be available only in Finland for Elisa customers, with more countries and carriers following later. We are working globally with operators on bringing Bad Piggy Bank to all of our users worldwide - ask your mobile carrier or operator for more details!"
aimbdd said:
> if you can edit what's in there manually.. what's stopping you from falsifying permissions.. i call false.
The point is that just because you can edit the manifest to stop the permissions after the program has been compiled the bit of code that needed those permissions still exists in the program.
If the developer really wanted their code to run they would/could find a loophole/exploit to have their code run regardless if the program is allowed the permissions.
It's just like rooting our devices. It was possible through the exploit of a flaw in the system.
If rovio (for whatever reason) was really intent on interfacing with the sms functions they would have tried to circumvent the simple permissions in the manifest.
I'm not saying rovio is trying to be malicious with their code but once the program is compiled editing xmls doesn't really change the actual code, just parameters of the program such as strings, values, etc.
Who uses sms anyway?

How homebrew can be achieved in WP8

Windows Phone 8 technically only allows apps to be installed from the marketplace.
However, Microsoft pretty much has left us with an avenue that would allow us to easily create our own custom 3rd party marketplaces.
With Windows Phone 8, Microsoft has introduced the "company app store" concept. This is originally intended to allow companies to easily distribute LOB applications to its employees.
http://www.windowsphone.com/en-US/business/custom-hub?wa=wsignin1.0
Note how the whole system pretty much relies on a certificate. Anyone with the certificate can sideload applications signed with said certificate.
Now this gives me the idea, why can't the homebrew community purchase their own certificate, and use it to create a 3rd party homebrew marketplace?
the_tyrant said:
> Windows Phone 8 technically only allows apps to be installed from the marketplace.
> However, Microsoft pretty much has left us with an avenue that would allow us to easily create our own custom 3rd party marketplaces.
> With Windows Phone 8, Microsoft has introduced the "company app store" concept. This is originally intended to allow companies to easily distribute LOB applications to its employees.
> http://www.windowsphone.com/en-US/business/custom-hub?wa=wsignin1.0
> Note how the whole system pretty much relies on a certificate. Anyone with the certificate can sideload applications signed with said certificate.
> Now this gives me the idea, why can't the homebrew community purchase their own certificate, and use it to create a 3rd party homebrew marketplace?
Let's bump this up, shall we? (Since I'm not going to bother making my own thread, if nobody is going to reply to it)
Here's what I've learned through my evaluation of the company app system. The requirements are simple:
-Company Dev Center account
--Requires that you have a legally registered company (e.g. an LLC), which is verified by Symantec
--$99 plus whatever fees are associated with the LLC
-Symantec Signing certificate
--Requires the company dev center account
--$299
This is actually much less than I thought, as I was expecting this to be limited to the enterprise. Rather, anyone with chump change and some legal papers can get a certificate that allows anyone to sideload apps.
The legal papers are where it gets complicated, unfortunately. If it were just the money, I'd honestly consider a fundraiser to start a homebrew store. The certificate simply needs to be used to sign the enrollment tokens (which are just provxml documents with the cert in them), the enrollment token needs to be distributed to the masses, and then the cert is used to sign all the 'brew. It could be set up pretty easily with an online system for registering devs, uploading xaps, and having them signed, for example.
But the requirement that I have an actual company makes things really complicated; I'm not sure how much verification Symantec does, but I'm under the impression a security firm like expects legal registration, which is not something I personally have, nor something I particularly want (LLC taxes are pretty steep these days)
So, here's the question. Does anyone out there have a "company" dev center account, or has played with "company apps", and is willing to experiment to see if this system would be at all useful for homebrew?
Curious to see if there's any interest. In theory, a WP8 Cydia-like app could be developed very easily
this sounds very interesting, though I do not have a company...yet. Does it have to be an LLC? I am thinking of starting an IT/computer repair company here in my town as a side business, not 100% sure yet, but considering it.
Jaxbot, you sly fox.
That's a great idea.
A couple issues to consider...
Might want to read through the WP Store T&C carefully. While those may very well be the only requirements to get a company account, I wouldn't be surprised if there are much more in the terms to keep one. In other words, distributing your app to non-employees could get your company account banned/disabled/revoked. I haven't done the leg work on this so not sure.
The VeriSign cert you get will likely have requirements to be maintained by a single person or group. Publishing the private key would almost certainly (and quickly) get this revoked. So you would either need someone to manually sign/publish all the apps or figure out an automated process. That should be possible but would likely take a good bit of work to get going.
My $.02.
Jaxbot, did you get a WP8 device and if so, what model did you get? I know you were trying to get one.
What would be interesting is to see what type of apps you can deploy with this. Could something like this open a full unlock or Interop unlock because the corporate account could get those type of permissions to their devices?
Is this tied to the Active Directory in any way, knowing Microsoft each user might need an account in the Active Directory to be able to use the "Company Dev center"? There could be a lot of limits depending how you can connect to the server that runs it.
Do they have a test version? Maybe that can be used in this case, just to see if it works and could use a deeper investment to get this working. If you could get me a full unlock from this, I surely would pay up a little for it.
DavidinCT said:
> What would be interesting is to see what type of apps you can deploy with this. Could something like this open a full unlock or Interop unlock because the corporate account could get those type of permissions to their devices?
> Is this tied to the Active Directory in any way, knowing Microsoft each user might need an account in the Active Directory to be able to use the "Company Dev center"? There could be a lot of limits depending how you can connect to the server that runs it.
> Do they have a test version? Maybe that can be used in this case, just to see if it works and could use a deeper investment to get this working. If you could get me a full unlock from this, I surely would pay up a little for it.
I believe there are a few things you can do with corp apps that can't be done with regular ones but there's not much. Definitely not full interop unlock (at least not directly).
No. It's not tied to AD at all.
I don't think there's a "test" version. The $400 it would cost is chump change for any legit company. Microsoft could waive the $99 fee for someone they're working with but you'll still need the $299 cert and Symantec/VeriSign isn't gonna give that to you for free.
I'm just an end-user, but YEAH! Dev-unlock: $99. Full unlock: priceless. Definitely would pay a bit.
piaqt said:
> I'm just an end-user, but YEAH! Dev-unlock: $99. Full unlock: priceless. Definitely would pay a bit.
This wouldn't be a full unlock. It would just allow devs to publish apps to an alternate marketplace and users that are not dev unlocked could easily download them.
RustyGrom said:
> A couple issues to consider...
> Might want to read through the WP Store T&C carefully. While those may very well be the only requirements to get a company account, I wouldn't be surprised if there are much more in the terms to keep one. In other words, distributing your app to non-employees could get your company account banned/disabled/revoked. I haven't done the leg work on this so not sure.
> The VeriSign cert you get will likely have requirements to be maintained by a single person or group. Publishing the private key would almost certainly (and quickly) get this revoked. So you would either need someone to manually sign/publish all the apps or figure out an automated process. That should be possible but would likely take a good bit of work to get going.
> My $.02.
Correct. The ToS needs to be really well understood. Some people seem to imply that users outside the company are okay to enroll, but I'm not sure. However, I'm not really sure if the enrollment even touches MSFT's servers at all, and if T&C violations would cause a problem. Something that needs to be looked into. If it's a definite breach of T&C, I say it's not worth it. My $0.02
DavidinCT said:
> Jaxbot, did you get a WP8 device and if so, what model did you get? I know you were trying to get one.
Unfortunately no, all my research has been on the emulator. All my attempts to get my hands on a WP8 have proven fruitless so far.
> What would be interesting is to see what type of apps you can deploy with this. Could something like this open a full unlock or Interop unlock because the corporate account could get those type of permissions to their devices?
No, definitely not full unlock. Interop, I'm not sure. The apps are signed and installed, so I have no idea if ID_CAPs are limited. An app like Folders could definitely be deployed, though, with the new WP8 apis.
> Is this tied to the Active Directory in any way, knowing Microsoft each user might need an account in the Active Directory to be able to use the "Company Dev center"? There could be a lot of limits depending how you can connect to the server that runs it.
No, you can enroll within active directory, it says that in the instructions.
> Do they have a test version? Maybe that can be used in this case, just to see if it works and could use a deeper investment to get this working. If you could get me a full unlock from this, I surely would pay up a little for it.
RustyGrom said:
> This wouldn't be a full unlock. It would just allow devs to publish apps to an alternate marketplace and users that are not dev unlocked could easily download them.
What he said. Basically, it would give us homebrew apps that fit into the limitations of the SDK, but not necessarily the limitations of the certification requirements. Folders, Themes, etc. could likely be built. Apps such as CacheClearer and Tweaks, probably not, but again, I have no experimental research on this yet.
This presentation from BUILD (http://channel9.msdn.com/Events/Build/2012/2-014) should answer most of your questions. The phone does 'phone home' to Microsoft to check the publishers and apps installed. Also, capabilities are limited to "same as standard marketplace apps" however the 'company store' app can install apps and manage apps that have been published through it.
RustyGrom said:
> This presentation from BUILD (http://channel9.msdn.com/Events/Build/2012/2-014) should answer most of your questions. The phone does 'phone home' to Microsoft to check the publishers and apps installed. Also, capabilities are limited to "same as standard marketplace apps" however the 'company store' app can install apps and manage apps that have been published through it.
55 minutes, exciting. Thanks for that, though, clarifies a lot. In that case, then, it sounds like the company store app won't really have much useful information for us, as it sounds almost more restricted than I had originally hoped. In that case, then, "company apps" is probably not a worthwhile route to pursue. My 2 cents.
Terms and conditions for a company account
a. Internal Distribution. Subject to the terms of this Addendum and the Application Provider Agreement,
you may make Enterprise Applications internally available to your Employees. Enterprise Applications
may not be made available to consumers, other companies or the general public, except for vendors or
companies that are under contract with you to develop or test any Enterprise Applications. You are
responsible for any unauthorized distribution of the Certificate Software and Enterprise Applications
outside of the terms and conditions of this Addendum.
b. No Alternative Marketplace. You will not use the Certificate Software to: (i) make paid Applications that
are offered in the general Windows Phone Store available to your Employees; and (ii) make available
Enterprise Applications in a manner that harms the Windows Phone Store as determined by Microsoft
Yeah, MSFT thought about that idea WAY ahead already.
Termination. If you breach the terms of this Addendum and/or the Application Provider Agreement, Microsoft
may (a) revoke the certificates provided by Certificate Software; and/or (b) terminate your Enterprise Account immediately.
If that happens, every app installed will fail to work a day later.
Well it was a good thought guys. A damn good thought..
Since WP8 supports MMC, can we side load any temporary OS to read or execute from anything from it!?
nitin88g said:
> Since WP8 supports MMC, can we side load any temporary OS to read or execute from anything from it!?
MMC? And seriously, go start another thread! Do NOT thread hijack! I can't stand it, seriously
MMC - Multimedia Card.
I am an MCSE, I wonder if there is a version to learn how to use it. Maybe they have a training version so I could learn how to get it working on domain. This would be nice if I can try this and get an interop unlock by setting it up on my own domain..
DavidinCT said:
> I am an MCSE, I wonder if there is a version to learn how to use it. Maybe they have a training version so I could learn how to get it working on domain. This would be nice if I can try this and get an interop unlock by setting it up on my own domain..
Not possible. The apps you deploy will not get interop privileges.

WP8: change marketplaces (glitch found) ?

Possible hack or glitch, that is why I am posting here.
According to a few sites, a glitch has been discovered: by setting a proxy, you can make your non-Nokia phone able to install apps from Nokia's apps.
Sites for info...
http://www.microsofttranslator.com/...n&a=http://www.wpdang.com/archives/98835.html
http://www.wpdang.com/archives/98835.html
http://www.wpcentral.com/glitch-spotted-windows-phone-store-lumia-apps
Does anyone have clear directions on this so everyone knows how to do it?
Also, I am hoping this would allow us to get to the point of a Marketplace Changer like we used to have for WP7 devices.. I personally would like some HTC apps on my Nokia...and a LG app too.
Figured this would be a great place to start a discussion on this.
The basic "hack" is dead simple, actually. In a way, this is easier than the old Marketplace Switching apps; those worked by changing some configuration files on the phone; this works by editing the communication between the phone and the Marketplace servers *as if* those files had been changed.
It's probably worth the time to write up a small utility to do this yourself, rather than relying on a third party proxy (never a good plan if you don't have to do it). It might even be possible to make the proxy run as an app on the phone itself (it would need to be sideloaded, since there's no way MS would permit such a thing, and you'd probably still need to be on WiFi, but it might be possible).
DavidinCT said:
> Possible hack or glitch, that is why I am posting here.
> According to a few sites, a glitch has been discovered: by setting a proxy, you can make your non-Nokia phone able to install apps from Nokia's apps.
> Sites for info...
> http://www.microsofttranslator.com/...n&a=http://www.wpdang.com/archives/98835.html
> http://www.wpdang.com/archives/98835.html
> http://www.wpcentral.com/glitch-spotted-windows-phone-store-lumia-apps
> Does anyone have clear directions on this so everyone knows how to do it?
> Also, I am hoping this would allow us to get to the point of a Marketplace Changer like we used to have for WP7 devices.. I personally would like some HTC apps on my Nokia...and a LG app too.
> Figured this would be a great place to start a discussion on this.
Guyz, I've tried this on my Huawei W1 but it says cannot connect... I've also tried changing the region but nothing happens. Has anyone tried this already, and successfully installed those Nokia-exclusive apps?
Thank you,
jakelq said:
> Guyz, I've tried this on my Huawei W1 but it says cannot connect... I've also tried changing the region but nothing happens. Has anyone tried this already, and successfully installed those Nokia-exclusive apps?
> Thank you,
It is time based. I mean, sometimes it happens, sometimes it doesn't. Keep trying is all I can say.
GH0ST DR0NE said:
> It is time based. I mean, sometimes it happens, sometimes it doesn't. Keep trying is all I can say.
Yup, I tried this at home and it worked..
It runs smooth with the Huawei W1 and I don't experience any missed swipes.
Why wasn't it released for 512 MB RAM?
Tnx.
GoodDayToDie said:
> The basic "hack" is dead simple, actually. In a way, this is easier than the old Marketplace Switching apps; those worked by changing some configuration files on the phone; this works by editing the communication between the phone and the Marketplace servers *as if* those files had been changed.
> It's probably worth the time to write up a small utility to do this yourself, rather than relying on a third party proxy (never a good plan if you don't have to do it). It might even be possible to make the proxy run as an app on the phone itself (it would need to be sideloaded, since there's no way MS would permit such a thing, and you'd probably still need to be on WiFi, but it might be possible).
I would gladly test (I am dev unlocked) anything you can come up with here.
Anything that could help progress towards a hack on WP8, even if it's a marketplace changer of some type
aclegg2011 said:
> Man, we really need to find a way to dev unlock our phones. :/
> Sent from my RM-917_nam_usa_100 using XDA Windows Phone 7 App
The same process (dreamspark EDU account, etc) that worked for WP7 works on WP8 but, the limits of 3 apps are still there... So I can sideload 3 apps..
DavidinCT said:
> The same process (dreamspark EDU account, etc) that worked for WP7 works on WP8 but, the limits of 3 apps are still there... So I can sideload 3 apps..
I have an EDU account activated since December 2011. I had on my Omnia W (WP 7.5) only the possibility to sideload 3 apps, but now on my Lumia 820 I DON'T have this limit of 3 apps..
gipfelgoas said:
> I have an EDU account activated since December 2011. I had on my Omnia W (WP 7.5) only the possibility to sideload 3 apps, but now on my Lumia 820 I don't have this limit of 3 apps..
I have a Lumia 928, and I dev unlocked it (got one of those free EDU accounts that was going around, I log in 2 times a year), I put on 3 apps and it gives me an error if I try to add more.
I would like to add more but, no biggie because there are no 3rd party tools or hacks for WP8....YET.
DavidinCT said:
> I have a Lumia 928, and I dev unlocked it (got one of those free EDU accounts that was going around, I log in 2 times a year), I put on 3 apps and it gives me an error if I try to add more.
> I would like to add more but, no biggie because there are no 3rd party tools or hacks for WP8....YET.
I don't mind but it seems that my account has a bug..?!?
GoodDayToDie said:
> The basic "hack" is dead simple, actually. In a way, this is easier than the old Marketplace Switching apps; those worked by changing some configuration files on the phone; this works by editing the communication between the phone and the Marketplace servers *as if* those files had been changed.
> It's probably worth the time to write up a small utility to do this yourself, rather than relying on a third party proxy (never a good plan if you don't have to do it). It might even be possible to make the proxy run as an app on the phone itself (it would need to be sideloaded, since there's no way MS would permit such a thing, and you'd probably still need to be on WiFi, but it might be possible).
Here is a question on this. Is there a list of "proxies" for different carriers/OEMs? I could not find anything besides this one. Do you know how I can access the HTC, Samsung, LG, etc. list?
How does one access the marketplace of another OEM than Nokia? (I have a Nokia so that is not an issue for me)
It's just a matter of changing the ID string for the phone when it's talking to the Marketplace servers. I'll look into writing a tool to do it.
GoodDayToDie said:
> It's just a matter of changing the ID string for the phone when it's talking to the Marketplace servers. I'll look into writing a tool to do it.
Awesome, I look forward to something! Thanks!
GoodDayToDie said:
> It's just a matter of changing the ID string for the phone when it's talking to the Marketplace servers. I'll look into writing a tool to do it.
Hi, GoodDayToDie
Try Fiddler2 to modify the request sent by the phone when talking to the Marketplace servers.
I have done some research and it's interesting.....
@Mattemoller90: Yes, but I can't promise that the app will install correctly afterward. Apps identify, in their manifests, the resolutions they support. If the app requires resolution that the phone doesn't have, the phone will most likely simply refuse to install it.
@GoodDayToDie
How can I cheat the Marketplace with Fiddler2 (to change the resolution)? I want to try.
You are the best
Eh, I'm not going to write a full tutorial right now. Short version is install Fiddler, set it to proxy external connections (will need to be let through your firewall), set your phone to use your PC's IP address and Fiddler's listening port as the proxy, set Fiddler to intercept requests, and then open the Marketplace. You'll see an HTTP GET request from the phone to Microsoft's servers, and the URL will contain a bunch of details about your phone (manufacturer, model, version info, region, etc.) including resolution. Replace the resolution string with the one you want to pretend to have, then have Fiddler "Run to completion".
Note: You'll probably have to do this multiple times. It's OK to not do it for things like partial searches, but you'll of course need to do it for the final search query. It can be scripted, but that's outside the scope of what I'm going to tell you to do here. Look at how @xdevilium does it in his app: http://forum.xda-developers.com/showthread.php?t=2362165
Can Fiddler be used for other things? Like seeing where server updates are coming from, and how our phones interact with developer registration?
Sent from my RM-917_nam_usa_100 using XDA Windows Phone 7 App
In theory, yes it can (or any other HTTP/HTTPS proxy; there are several of them available). However, the functions you describe use HTTPS. To intercept SSL traffic, the proxy needs to forge certificates for the sites you connect to (unless it somehow got ahold of the site's private key). To have your phone trust the forged certificates, the proxy (including Fiddler, if you choose to enable it) can sign the forged certificates using its own private key; if the corresponding public key is trusted by the phone (which can be done just by sending the public key to the phone using email or bluetooth or something, and installing it) then the forged signatures will be trusted.
However, that's only true for the general case. For specific OS functionality, Microsoft (and all the other big mobile vendors) use a technique called "certificate pinning" where the SSL certificate must either exactly match a known certificate, or must be signed by an exact match. In this case, it doesn't work to install your proxy's certificate and have it be trusted; a feature using cert pinning doesn't even check the OS's trust store. Therefore, we can't intercept those specific communications.
It's frustrating.
I've never scripted Fiddler, I just re-wrote the requests by hand. It's easy enough; there aren't very many. I could tell you how to do it in a couple other proxy programs.
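The difference between trust-store validation and certificate pinning described in the posts above, modelled as an added example (not code from the thread or from Microsoft). The `store.example` host, certificate names and key bytes are constructed, and signature verification is assumed to succeed rather than implemented.

```python
"""Trust-store validation vs. certificate pinning, modelled with constructed data."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: bytes  # constructed stand-in for the DER-encoded public key


def fingerprint(cert):
    """SHA-256 of the public key bytes: the value a pin is compared against."""
    return hashlib.sha256(cert.public_key).hexdigest()


def chain_is_well_formed(chain, hostname):
    """Leaf names the host and every certificate names the next as its issuer.

    Signature checks are not modelled (assumption): an interception proxy signs
    the leaf it creates with its own genuine key, so they pass for both chains.
    """
    if not chain or chain[0].subject != hostname:
        return False
    return all(c.issuer == parent.subject for c, parent in zip(chain, chain[1:]))


def trust_store_accepts(chain, hostname, trust_store):
    """General case: any chain ending in a root the device trusts is accepted."""
    return chain_is_well_formed(chain, hostname) and fingerprint(chain[-1]) in trust_store


def pinned_accepts(chain, hostname, pins):
    """Pinned case: the leaf or one of its issuers must match a built-in pin.

    The device trust store is never consulted, so adding a root to it changes nothing.
    """
    if not chain_is_well_formed(chain, hostname):
        return False
    return any(hmac.compare_digest(fingerprint(c), pin) for c in chain for pin in pins)


# Constructed sample data (hypothetical names and key bytes).
HOST = "store.example"
VENDOR_ROOT = Cert("Vendor Root CA", "Vendor Root CA", b"vendor-root-key")
GENUINE_LEAF = Cert(HOST, "Vendor Root CA", b"genuine-leaf-key")
PROXY_ROOT = Cert("Debug Proxy Root", "Debug Proxy Root", b"proxy-root-key")
PROXY_LEAF = Cert(HOST, "Debug Proxy Root", b"proxy-made-leaf-key")

GENUINE_CHAIN = [GENUINE_LEAF, VENDOR_ROOT]
PROXIED_CHAIN = [PROXY_LEAF, PROXY_ROOT]
PINS = frozenset({fingerprint(VENDOR_ROOT)})  # shipped inside the client


def evaluate(user_installed_proxy_root):
    """Return each client's verdict on both chains for a given trust store."""
    store = {fingerprint(VENDOR_ROOT)}
    if user_installed_proxy_root:
        store.add(fingerprint(PROXY_ROOT))
    return {
        "unpinned/genuine": trust_store_accepts(GENUINE_CHAIN, HOST, store),
        "unpinned/proxied": trust_store_accepts(PROXIED_CHAIN, HOST, store),
        "pinned/genuine": pinned_accepts(GENUINE_CHAIN, HOST, PINS),
        "pinned/proxied": pinned_accepts(PROXIED_CHAIN, HOST, PINS),
    }


if __name__ == "__main__":
    for installed in (False, True):
        print("proxy root installed:", installed, evaluate(installed))
```

Only the unpinned client's verdict on the proxied chain changes when the proxy root is added to the trust store; the pinned client's verdicts are identical in both runs.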
GoodDayToDie said:
> I could tell you how to do it in a couple other proxy programs.
I Really Appreciate That

Parental Control Settings Problem

Hi folks, I have a problem. I wanted to set up a parental control for my brother, and when I go to App restriction to restrict apps, it pops up a C++ Library error. I don't know why this happens. Pictures below.
First is the Error, second is the Installed Visual C++ (they are installed from games)
Kir3 said:
> Hi folks, I have a problem. I wanted to set up a parental control for my brother, and when I go to App restriction to restrict apps, it pops up a C++ Library error. I don't know why this happens. Pictures below.
> First is the Error, second is the Installed Visual C++ (they are installed from games)
You either need to reinstall the C++ runtimes (see on microsoft's website)
or windows is FUBAR and needs reinstall.
mcosmin222 said:
> You either need to reinstall the C++ runtimes (see on microsoft's website)
> or windows is FUBAR and needs reinstall.
OK, I'll try, but what the heck is FUBAR?
I'd suggest using this Internet thingy you're on to look up what is obviously an acronym (a well-known one in this case) but your parental controls are probably blocking you... I can't for the life of me understand why anybody would "use" such things (they are almost entirely useless; kids at my school bypassed them whenever they felt like it).
GoodDayToDie said:
> I'd suggest using this Internet thingy you're on to look up what is obviously an acronym (a well-known one in this case) but your parental controls are probably blocking you... I can't for the life of me understand why anybody would "use" such things (they are almost entirely useless; kids at my school bypassed them whenever they felt like it).
Aye.
Setting up a different user account is a cleaner and more elegant solution.
mcosmin222 said:
> Aye.
> Setting up a different user account is a cleaner and more elegant solution.
EEhh, I have a different user account for that. I created a Standard account for my brother and set up the Parental Control for it.
Kir3 said:
> EEhh, I have a different user account for that. I created a Standard account for my brother and set up the Parental Control for it.
Ummm....then what do you use the parental control for? This is like trying to do the same thing twice. A properly set up account should be enough. Or are you trying to restrict his access to video games/internet? In my experience, limiting never works, unless you make him understand why there should be a limit. And he will probably find a way to bypass it sooner or later.
As GoodDayToDie mentioned, your parental settings are probably messing with Windows up to the point where Windows goes FUBAR. So if you can't get this to work, deleting his account and recreating it should help fix the issue.
Well, removing the Visual C++ Redistributables and creating a new account didn't work, I reinstalled them, still no luck.
Kir3 said:
> Well, removing the Visual C++ Redistributables and creating a new account didn't work, I reinstalled them, still no luck.
There's always the possibility to repair/reinstall Windows.
Try running this in the command prompt (with admin rights):
sfc /scannow
You should preferably have an internet connection active while this is happening.
mcosmin222 said:
> There's always the possibility to repair/reinstall Windows.
> Try running this in the command prompt (with admin rights):
> sfc /scannow
> You should preferably have an internet connection active while this is happening.
Code:
C:\Windows\system32>sfc /scannow
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found corrupt files but was unable to fix some
of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not
supported in offline servicing scenarios.
I cannot post the log because it has logs since I installed Windows.
Kir3 said:
> Code:
> C:\Windows\system32>sfc /scannow
> Beginning system scan. This process will take some time.
> Beginning verification phase of system scan.
> Verification 100% complete.
> Windows Resource Protection found corrupt files but was unable to fix some
> of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
> example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not
> supported in offline servicing scenarios.
> I cannot post the log because it has logs since I installed Windows.
Then you are left with repair/reinstall Windows.
Well, it seems that it was a corrupted Windows. I upgraded it to 8.1 and now it is working, no errors. Thanks again.
