Nokia FFUloader and Bin Files - Windows Phone 8 Development and Hacking

Found these in my dump files and was wondering if they would be of any use in "jailbreaking" the Lumia phones? At the very least would it be possible to rewrite the ffuloader.efi in order to use it to modify .ffu files?

tonbonz said:
Found these in my dump files and was wondering if they would be of any use in "jailbreaking" the Lumia phones? At the very least would it be possible to rewrite the ffuloader.efi in order to use it to modify .ffu files?
I'm not an expert, but I think it's not possible, since there's a signature check system in UEFI, so even if someone were able to modify the ffuloader file in the correct way, without a SIGNED .ffu the system couldn't boot anyway. And, as far as I know, nobody is able to generate a valid signature. And, of course, disabling the signature-check system is something unknown.

It isn't really Nokia; FFU is a Microsoft reference format. There is currently no way to edit anything serious except the Data partition.

Your hope would be that there is a private key embedded in one of those files inside the ffu... then we'd be home free! The ffu in and of itself isn't really anything special; think of it as a zip file.
I have been doing way too much reading into the bootloaders and how they work. I found the following quote interesting (taken from http://forum.xda-developers.com/showpost.php?p=37245426&postcount=21):
any current qualcomm chipset with blown secure fuses requires a valid signature in order to execute a loader from flash (emmc, nor, nand) or from peripheral boot (emergency loader)
every phone producer (sony, htc, nokia, zte, etc) has its own OEM ID number, which is blown at hardware level, so every phone model can have a specific loader (but usually manufacturers use the same OEM ID for all phones on the same chipset)
some manufacturers for unknown reasons use unsecured chipsets (which accept unsigned loaders) - perfect example: nokia lumia series until 9xx

What I was curious about was that if you edit the .ffu file with a hex editor at all, it changes the CRC that the .vpl from the NCS packages looks for, and when flashing you get a corrupt .ffu warning. Changing the CRC in the .vpl gets a corrupt .vpl error. What I noticed was that if I unmount the .ffu (mounted using the image mounting tool from another thread) using Disk Manager, the temp virtual disk file stays the same size as the .ffu file (4.12G). However I didn't know about the CRC check at this time. So now I remounted the .ffu, changed nothing but the registry key for interop unlock, and unmounted the disk. Once again the temp virtual disk file created is the same size as the rom .ffu. Upon checking the CRC of the virtual disk it also remained the same as the rom's .ffu file. However you cannot simply change the file name back to rm-860blahblahblah.ffu. So I thought maybe these could be used in some way to open or mount the rom so when unmounted you were left with the original .ffu. I'm sure there is more than the CRC that is being checked. As I've stated many times before, I am still learning as I go but am highly interested in learning and spend tons of free time reading and exploring files. Just now getting around to trying to understand the boot process.

There are integrated hashtables in the FFU.

I thought about this too, but any editing of the ffu without re-signing the ffu will result in an error when you flash it, because the boot loader won't install unsigned .ffus. From what I've heard, anyway.
Sent from my Nokia 521 using XDA Windows Phone 8 App

These were in the secure boot policy Certificates seen in the pictures from the first post.

[Q] IMGDIFF2 patches

I've noticed that some update.zips include patch files. I've done quite a bit of reading up on what these patches are and how they work... I just can't find anywhere that explains how to create them. It would be extremely useful for myself and I'm sure others to make our own patch files (i.e. someapp.apk.p) to, let's say, change a few graphics in several APKs in a single zip file. Anyone able to shed some light on this before I start trying to reverse engineer the applypatch code from Google?
Does anyone have any insight?
Sent from my DROIDX using Tapatalk
Do you have an example update.zip file with a patch that I could look at?
Gene Poole said:
Do you have an example update.zip file with a patch that I could look at?
Thanks for the reply, here is an update.zip. All of the patches I've looked at start with "IMGDIFF2" and most have some "BSDIFF4##" mixed in there as well.
http://www.megaupload.com/?d=AOFCEKLW
Here is an imgdiff.c file in which the commented section sheds a little light on it. Although I believe that after 2.1 IMGDIFF1 was replaced with IMGDIFF2.
http://www.netmite.com/android/mydroid/2.0/build/tools/applypatch/imgdiff.c
Well, thanks for providing me the info, but looking into it, it looks like this has little value beyond OEM updates and so forth where it can be guaranteed that the ROM is pristine as it seems that this does diffs directly on the flash image itself.
Thanks for taking the time to look into it for me. Theoretically, however, couldn't you use this for individual APKs? It appears that the directory structure in the zip would allow you to patch anything. The reason I am looking into this is to change an icon in a group of APKs and then just flash a small update.zip of patches. I know that there may be other ways of doing this but I'd like to try, if for no other reason than to prove to myself it can be done.
Sorry if I'm incorrect in this, just trying to learn.
My take on reading the referenced file is that this patches a raw disk image. This would only work if the image is pristine (not been added to or changed in anyway). The first paragraph reads:
/*
* This program constructs binary patches for images -- such as boot.img
* and recovery.img -- that consist primarily of large chunks of gzipped
* data interspersed with uncompressed data. [...]
I don't see any way to patch individual files in this way, and especially in an image such as the data partition that will be completely different on users' devices.
I took that from it as well. However if that was the case the update.zip would only have one patch file for the entire image and not a separate patch file for each apk / script / img / file that is being patched, which it does. It runs the applypatch command for each file being patched.
Gene Poole said:
I don't see anyway to patch individual files in this way, and especially in an image such as the data partition that will be completely different on users' devices.
This method that they used in the update.zip could only have updated individual files, because running this update only updated certain apps and no user data was lost. I realize that they could have just updated the image that /system is on. Could it be a possibility that they break the image up on the phone, patch only the files necessary, then rebuild the image?

Lumia ACPI and SMBIOS Files

After reading this thread http://forum.xda-developers.com/showthread.php?t=2632814 posted by @hutchinsane_ I mounted my Lumia's .ffu with ImgMount and used the Raw Disk Tool from OSForensics to check out some of the partition files. In doing so I came across the ACPI and SMBios files which I hadn't seen before when using ImgMount. Not sure if these are any use to the devs and haven't really looked at them (not that I'd know what to do with them anyway) but here are some screenshots of the partitions I was able to mount and the files inside. The files from screenshot G are contained in the DATA folder from screenshot F and the files from screenshot I are contained in the EFIESP folder. The ACPI/SMBIOS files are here http://www.mediafire.com/download/q1vx7g6b7523xvf/Lumia_ACPI_SMBios.zip.
Another screenshot of the partitions listed. Partition 25 seems to be encrypted...
tonbonz said:
After reading this thread http://forum.xda-developers.com/showthread.php?t=2632814 posted by @hutchinsane_ I mounted my Lumia's .ffu with ImgMount and used the Raw Disk Tool from OSForensics to check out some of the partition files. In doing so I came across the ACPI and SMBios files which I hadn't seen before when using ImgMount. Not sure if these are any use to the devs and haven't really looked at them(not that I'd know what to do with them anyways) but here are some screenshots of the partitions I was able to mount and the files inside. The files from screenshot G are contained in the DATA folder from screenshot F and the files from screenshot I are contained in the EFIESP folder. The ACPI/SMBIOS files are here http://www.mediafire.com/download/q1vx7g6b7523xvf/Lumia_ACPI_SMBios.zip.
The ACPI and SMBIOS files are in the PLAT partition, at least this is the case on the HTC 8S. Didn't know about the Raw Disk Viewer, looks interesting. Will try it on my HTC Rom though once I'm at home (school, duh.. ) Do you have any idea what could possibly be the content of partition 25?
hutchinsane_ said:
The ACPI and SMBIOS files are in the PLAT partition, at least this is the case on the HTC 8S. Didn't know about the Raw Disk Viewer, looks interesting. Will try it on my HTC Rom though once I'm at home (school, duh.. ) Do you have any idea what could possibly be the content of partition 25?
Thanks for checking this out. Congrats on your work with the HTC rom!!! I wasn't sure which section to post in but I didn't wanna jack your thread, and the devs didn't seem to want us "Nokia owners" there, I'm assuming because the security on the Lumia roms is so damn tight you can't do anything without breaking the signature. I was just looking for another way to poke around the rom. I'm a total noob so have no idea what could be on partition 25, but some of the partitions that claim to be empty still have data on them; I just couldn't get them to mount or figure out how to extract it. Oh, totally off topic, but could you possibly post the hardware ID for an HTC device here http://forum.xda-developers.com/showthread.php?t=2636111 so @bruce142 can create a script? Thanks in advance!!!
I'll get my hardware ID once I get my device back, I guess, since at least one guy tried it (I think) and it didn't work so well. Bummer that the MAINOS on the HTC 8S Rom is Bitlocker encrypted; the header looks messed up anyway. I think they used some kind of different encryption in addition to Bitlocker, even if it's only splitting up the headers.
Or they may be using a different type or protocol or revision of bitlocker, I think you get the idea.
hutchinsane_ said:
I'll get my hardware ID once I get my device back I guess so, since at least one guy tried it (I think) and it didn't work so well. Bummer that the MAINOS on the HTC 8S Rom is Bitlocker encrypted, the header looks messed up anyway. I think they used some kind of different encryption in addition to bitlocker, even if it's only spliting up the headers.
Or they may be using a different type or protocol or revision of bitlocker, I think you get the idea.
I was able to read partition 25 by saving the whole disk as an image then when mounting the image with OSMount it asks which partition. These are the files contained in the MMOS folder in screenshot G at the beginning of this thread. I'll see about mounting the others when I have more time.
The SMBIOS is identical to the ones in the HTC 8X RUU. Have you seen any files with keyboard shortcut configurations and an explanation of how the Windows meta button works in any of the Lumias?
grilledcheesesandwich said:
the smbios is identical to the ones in the htc 8x ruu. have you seen any files with keyboard shortcut configurations and explanation how the windows meta button in any of the lumias
Do you know about this menu on the 8X?
On my phone the IMEI was changed. The pictured designated place for soldering is the red circle.
Do you think that is where the track passes?

Successfully de-brand AT&T Lumia 1020!

Finally de-branded the AT&T Lumia 1020 (RM-877) successfully; this method may also work on any other Lumia Windows Phone!
Warning: This method is not fully tested and may brick your phone! Back up all data, and do not use this method to flash any incompatible ROMs!
Method A
Update your AT&T Lumia 1020 to Windows 10 mobile and interop unlock it.
Change the registry value of “DataStore” to “C:\EFIESP\efi\Nokia” in “HKLM\SOFTWARE\Microsoft\MTP”.
Connect the phone to PC, open “Phone\PCONF”, copy “config.pcn” to your HDD and use a HEX editor to open it.
Change P5217_ATT (HEX: 50 35 32 31 37 5F 41 54 54) to P5217 (HEX: 50 35 32 31 37 00 00 00 00) at offset 0x10, then save it.
Copy modified “config.pcn” back to “Phone\PCONF” and overwrite it.
Restart your phone and use flashing tools like “thor2.exe” to flash unbranded RM-875 rom!
Method B
Download the update cab (Lumia 1020 ONLY)
Then copy the cab file to an empty folder, e.g. “c:\cab”.
Download and install the tools (Thanks WojtasXda!)
Connect the phone to PC, then run cmd and go to “iutool.exe” folder (default: Program Files (x86)\Windows Phone Kits\8.1\Tools\bin\i386), type
Code:
iutool.exe -p c:\cab -V
The phone should restart and install updates automatically (ignore ERROR: 0x8024a110)
Flash unbranded RM-875 rom!
My AT&T Lumia 1020 is carrier unlocked, the method does not relock my phone.
We knew AT&T changed the Platform ID (P5217_ATT) to avoid flashing of the RM-875 rom (P5217). The flashing tools check the platform info values of the phone against the DevicePlatformID string from the rom. The Lumia 635/820 has an SD card, and the device info in the registry can be changed. After the phone checks and installs updates, it is unbranded. Thus the updates can change the Platform ID info of the phone. (Thanks pankaj981 for this guide.)
I found the update cabs of an unbranded RM-876 phone (flashed with the RM-875 rom). Then I used iutool.exe to update the AT&T RM-877 manually. After that, I flashed the RM-877 with the RM-875 rom successfully (Method B). Finally, I found that “config.pcn” contains the Platform ID. Thus for an interop unlocked phone, Method A may be easier.
Post here if you have any questions!
Lumia 640 AT&T
I can't seem to find the config.pcn on Lumia 640 AT&T, but I got access to EFIESP by using "C:\EFIESP" or "\EFIESP" (both work) for the DataStore.
I see from another forum users can edit the xml files found in "Windows Phone\Phone\Windows\Packages\DsmFiles", so is there anything else I can edit to remove the _ATT for Lumia 640 AT&T?
qodexc said:
I can't seem to find the config.pcn on Lumia 640 AT&T, but I got access to EFIESP by using "C:\EFIESP" or "\EFIESP" (both work) for the DataStore.
I see from another forum users can edit the xml files found in "Windows Phone\Phone\Windows\Packages\DsmFiles", so is there anything else I can edit to remove the _ATT for Lumia 640 AT&T?
I've downloaded the AT&T 940 rom (RM1073_059X0B8), and I find that the file "pconf.bin" in the "PLAT" partition has the information about the platform ID; but I'm not sure whether the modified file takes effect.
Code:
NAME=P6204_ATT
SWVERSION=02177.00000.15184.36000
To access the "PLAT" partition, a drive letter may need to be assigned. The information about mounted drives is in the registry key "HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices".
But the registry editors like vcREG have the limit:
binary: when you read, the app will return 20 bytes, regardless of how long the binary is.
The key is stored in binary and may be longer than 20 bytes.
The "PLAT" partition is FAT12; I don't know if W10M is able to read it.
If you have an international Lumia 940 and it has a lower ROM version, you could use Fiddler to find all the update cabs like this.
If there is one which has the Platform ID, you could use iutool to update your AT&T 640 with that cab. This may be a lot of work to do.
What about just using the way here, then updating to W10M?
The Lumia 640 has an SD card, and the DeviceTargetInfo can be edited in WP8.1. If the edited AT&T 640 were updated to W10M, the Platform ID may be changed. I'm not sure, but this seems easy to try.
e-Pig said:
I've downloaded the AT&T 940 rom (RM1073_059X0B8), and I find that the file "pconf.bin" in the "PLAT" partition has the information about the platform ID; but I'm not sure whether the modified file takes effect.
Code:
NAME=P6204_ATT
SWVERSION=02177.00000.15184.36000
To access the "PLAT" partition, a drive letter may need to be assigned. The information about mounted drives is in the registry key "HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices".
But the registry editors like vcREG have the limit:
The key is stored in binary and may be longer than 20 bytes.
The "PLAT" partition is FAT12; I don't know if W10M is able to read it.
If you have an international Lumia 940 and it has a lower ROM version, you could use Fiddler to find all the update cabs like this.
If there is one which has the Platform ID, you could use iutool to update your AT&T 640 with that cab. This may be a lot of work to do.
What about just using the way here, then updating to W10M?
The Lumia 640 has an SD card, and the DeviceTargetInfo can be edited in WP8.1. If the edited AT&T 640 were updated to W10M, the Platform ID may be changed. I'm not sure, but this seems easy to try.
It's definitely the pconf.bin values that need to be edited. That PLAT partition is preventing me from flashing other roms; I'm getting "image targeting check failed Device: Nokia.MSM8926.P6204_ATT.1.1, Image: Nokia.MSM8926.P6204". I tried updating to Windows 10 with a modified DeviceTargetInfo, but I still get this error when I try to flash a CV rom.
I don't think I can edit the registry for "HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices", it showed something like "system.[]" for value. I think the only way is for someone to provide an international 640 platformid cab and use iutool.
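The platform-targeting check behind the "image targeting check failed" error above and the Platform ID change in Method A, modelled as an added Python example; this is not thor2, WPInternals or any Nokia/Microsoft code. The Vendor.SoC.PlatformID.Major.Minor layout of the target string, the NUL-terminated field at offset 0x10 and the sample file contents are assumptions constructed from the values quoted in the thread.

```python
"""Model of the platform-targeting check a Lumia flasher performs before it
writes an FFU (added illustration, not the real flasher). Assumed rules: the
device target string is Vendor.SoC.PlatformID.Major.Minor, the image target
string is Vendor.SoC.PlatformID, and the check passes only when the first
three parts match exactly, so a "P6204_ATT" device rejects a "P6204" image."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample in the KEY=VALUE layout the thread shows for pconf.bin.
SAMPLE_PCONF_BIN = "NAME=P6204_ATT\nSWVERSION=02177.00000.15184.36000\n"

# Constructed config.pcn-like buffer: the thread states the platform ID is an
# ASCII string at offset 0x10 ("P5217_ATT", NUL-padded). The surrounding bytes
# are filler, not the real file layout.
PLATFORM_ID_OFFSET = 0x10
SAMPLE_CONFIG_PCN = (b"\xAA" * PLATFORM_ID_OFFSET + b"P5217_ATT" + b"\x00" * 7
                     + b"\xFF" * 16)


def parse_pconf_bin(text: str) -> dict:
    """Parse KEY=VALUE lines (pconf.bin style) into a dict; blank lines skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def read_config_pcn_platform_id(buf: bytes, offset: int = PLATFORM_ID_OFFSET,
                                max_len: int = 16) -> str:
    """Return the NUL-terminated ASCII platform ID stored at `offset`."""
    field = buf[offset:offset + max_len]
    end = field.find(b"\x00")
    if end != -1:
        field = field[:end]
    return field.decode("ascii")


def carrier_suffix(platform_id: str) -> Optional[str]:
    """'P6204_ATT' -> 'ATT'; an unbranded ID such as 'P6204' -> None."""
    _base, sep, suffix = platform_id.partition("_")
    return suffix if sep else None


@dataclass(frozen=True)
class Target:
    vendor: str
    soc: str
    platform_id: str
    version: Tuple[str, ...]  # empty for an image target string

    @classmethod
    def parse(cls, text: str) -> "Target":
        parts = text.split(".")
        if len(parts) < 3 or any(not p for p in parts[:3]):
            raise ValueError(f"malformed target string: {text!r}")
        return cls(parts[0], parts[1], parts[2], tuple(parts[3:]))


def targeting_check(device: str, image: str) -> Tuple[bool, str]:
    """Compare the device's target string against the image's.

    Returns (True, "") on a match, otherwise (False, message) with the message
    shaped like the flasher error quoted in the thread.
    """
    dev, img = Target.parse(device), Target.parse(image)
    if (dev.vendor, dev.soc, dev.platform_id) == (img.vendor, img.soc, img.platform_id):
        return True, ""
    return False, f"image targeting check failed Device: {device}, Image: {image}"


def device_target_from_pconf(vendor: str, soc: str, pconf_text: str,
                             version: str = "1.1") -> str:
    """Assemble a device target string from a pconf.bin NAME field (assumed layout)."""
    name = parse_pconf_bin(pconf_text)["NAME"]
    return f"{vendor}.{soc}.{name}.{version}"


if __name__ == "__main__":
    device = device_target_from_pconf("Nokia", "MSM8926", SAMPLE_PCONF_BIN)
    for image in ("Nokia.MSM8926.P6204", "Nokia.MSM8926.P6204_ATT"):
        ok, msg = targeting_check(device, image)
        print("PASS" if ok else msg)
    print("config.pcn platform ID:", read_config_pcn_platform_id(SAMPLE_CONFIG_PCN))
```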
qodexc said:
It's definitely the pconf.bin values that need to be edited. That PLAT partition is preventing me from flashing other roms; I'm getting "image targeting check failed Device: Nokia.MSM8926.P6204_ATT.1.1, Image: Nokia.MSM8926.P6204". I tried updating to Windows 10 with a modified DeviceTargetInfo, but I still get this error when I try to flash a CV rom.
I don't think I can edit the registry for "HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices", it showed something like "system.[]" for value. I think the only way is for someone to provide an international 640 platformid cab and use iutool.
It seems that this registry editor can read/write binary values. But I don't have a W10M phone now to test it.
PS. I tested the ffu vhd on a PC. The PLAT partition is hidden; it does not work even if you write the information about assigning a drive letter in HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices. The drive letter will not appear until the hidden attribute has been cleared. It is hard to edit partition attributes on a phone. Maybe the only way is getting a cab that updates the Platform ID.
Thanks for testing and confirming the registry method doesn't work. Well there is nothing to do but wait for a .cab file.
Don't **** with the PLAT partition unless you know what you are doing.
I know someone who applied an update to PLAT partition that wasn't for their device, and doing that hard bricked it.
One thing you could try is modifying the exact same registry keys for the RM-977 as mentioned in my thread here. Now the only reason the update will kick in is if the OS/firmware version is lower than what's on your device.
Hello! When using method #2 I get the message:
[1] Started device **********************************
[1] Transferring files started
[1] Transferred file 1/4
[1] Transferred file 2/4
[1] Transferred file 3/4
[1] Transferred file 4/4
[1] Transferring files complete: 4 files
[1] Update started
[1] Installation failed (HRESULT = 0x801882c1)
[1] Failed (0x801882c1)
ERROR: 0x801882c1
Command failed. (HRESULT = 0x801882c1)
Using Windows 10 Pro, on Windows Phone 8.1 Update 1.
Help with this issue please.
Please, explain this method to me for a Nokia Lumia 1520 AT&T?
Thank you.
Can someone upload the PCONF file from a Lumia 1520 NON AT&T?
regards
It works.
Just wanted to say thanks to e-Pig, and let people know that this works (at least on my machine). I have an AT&T Lumia 1020, 32GB version:
I used the cab method (Method B) as described.
For flashing, I used this tutorial http://forum.xda-developers.com/showthread.php?t=2515453. Disabling driver signing in Windows 10 is a pain, so for flashing I instead emulated Windows 7 in VirtualBox. This required using the USB passthrough feature when connecting the phone to the PC.
The ROM I used was RM875_3051.50009.1424.0003_RETAIL_eu_euro1_211_03_447991_prd_signed.ffu, which I obtained from the mr.crab site mentioned in the flashing tutorial http://www.mrcrab.net/nokia.html. So, no need for NaviFirm+.
Everything good so far.
Fantastic, thank you!
First try using the cab file method to unbrand my ATT RM-877.
The "tools" when I install them, I don't get an i386 folder where the iutool should be. I got a zip of the i386 folder and used that. Everything I tried to do generated ERROR: 0x80070490. It was a driver issue. I tried it on a different machine, successfully unbranded an ATT 1020 and flashed it with unbranded US CV 059W473. I tried a repair of the Lumia USB drivers from Programs and Features on the original machine, tools work there now.
Question: Do you happen to have the ATT-branded cab file, in case someone wanted to reverse the process?
nunzio1961 said:
Please, explain me this method with one Nokia Lumia 1520 AT&T ?
Thank you.
I don't have a Lumia 1520. I downloaded the RM940 rom (059V5B2) and found the Platform ID is the same as the Lumia 640. It's in pconf.bin located in the "PLAT" partition.
Code:
NAME=P6081_ATT
PKEY=3
SWVERSION=02540.00019.14484.37000
I haven't found a way to modify this file manually. An update cab to modify this file is needed, just as for the Lumia 640.
Sorry for not being able to help.
tyler200298 said:
someone can upload the PCONF file from a lumia 1520 NON at&T?
regards
This is from RM938 (059V3K8).
Code:
NAME=P6081
PKEY=3
SWVERSION=1028.3534.9200.10517
e-Pig said:
This is from RM938 (059V3K8).
Code:
NAME=P6081
PKEY=3
SWVERSION=1028.3534.9200.10517
Hello, thanks.
So this is the config.pcn code from a no-brand Lumia 1520.
I'll try to modify the one inside the phone.
e-Pig said:
This is from RM938 (059V3K8).
Code:
NAME=P6081
PKEY=3
SWVERSION=1028.3534.9200.10517
Hello, can you zip this file and upload it? So I can see the complete hex.
tyler200298 said:
Hello, thanks.
So this is the config.pcn code from a no-brand Lumia 1520.
I'll try to modify the one inside the phone.
Hello, can you zip this file and upload it? So I can see the complete hex.
Of course.
From here I found the Platform ID update cab of the ATT 1520. A non-ATT 1520 is still needed to find the cab to debrand.
e-Pig said:
Of course.
thanks my friend
ATT L925
Hello, will it be possible to de-brand an AT&T Lumia 925 RM-893 using method B? Where can I find the cab file?
Mine is sim unlocked.
Thank you in advance.
Lumia 625
Is this the same for the Lumia 625?

(6/12/15) Again Interop/cap Unlock in Lumia and temporary solution for WPINTERNALS.

Edited - Added A new procedure and no more reset anymore.
People who have the audio problem after "root unlock" can use this trick temporarily. In this trick there is no issue with audio, and I think the audio fix option will come soon.
OK, here is the latest trick for interop unlocking the listed Lumia devices. I will write the post shortly. 60% of the work will be done by the WPInternals app, so you have to read the post.
Devices supported:
Lumia 520, 521, 525, 620, 625, 810, 820, 822, 920, 925, 1020, 720 (other devices are not supported in WPInternals; that's why those devices' owners have to wait).
**1st, a big thanks to "Heathcliff74" for his awesome tool, and 2nd, big thanks to "AndroidXsK" for the SBL3 partitions.
OK, here is the procedure.
1st, follow this link to unlock your bootloader. The WPInternals app has all the answers to your questions.
http://forum.xda-developers.com/windows-phone-8/development/windows-phone-internals-unlock-t3257483
1st, download the tool and read the Getting Started section carefully (don't do anything, just read).
2nd, download the SBL3 partition files from this link. --- http://forum.xda-developers.com/showpost.php?p=64100811&postcount=267
Now, with the WPInternals app, unlock your bootloader with the supported SBL3 partitions.
Here you have to choose the exact partition which matches your phone.
Well, if you have the same CPU as an SBL3-partition-supported phone, you can use that for your phone also. Suppose you are using a Lumia 521/525 but there is no SBL3 partition for those phones; then you can use the 520 SBL3 partition, because the 520 has the same processor. I think you understand.
After unlocking the bootloader your phone will reboot to normal mode. Keep your phone connected to the PC by USB. Now from the WPInternals app go to manual mode and select "mass storage mode" in the app. The phone will boot again and will go black (unresponsive); don't worry. Then you will find a new mounted drive partition on your PC. It's your phone's MainOS partition.
Go to that drive and you will see some folders. If you don't know them, please don't play with those folders. Just go to the (windows>packages>registry files) folder. You will find many reg files; just copy the "Software.reg" file to your desktop. We will work with that file.
Now open the 7-Zip file manager (if you don't have it, just download and install it).
Select the software reg file from the desktop.
After clicking on software reg you will see a file named software without any extension.
Right-click on the file and click "edit".
Now a Notepad tab will open with many lines.
Now add these quoted lines (add without quotes) from the attachment at the end of the software file's lines.
Now save the file by pressing "Ctrl+S".
Now a message box will appear in the 7z file manager; just click yes.
After that put/replace the modified software.reg file in the (new mounted drive>windows>packages>registry files) folder.
Now soft reset your phone by holding "volume down + power button" for 10 seconds.
Then the phone will boot up normally. Now you must hard reset your phone to get the new capabilities unlocked.
2nd Procedure (No reset anymore):
Thanks to @_wook_
There's an easier way, no need for 7zip at all.
Just switch the device to mass storage mode, go to [MainOS mount point]:\windows\system32\config\ and copy SOFTWARE to some location on the PC, then make a duplicate just in case you mess up some registry entry.
Open RegEdit.exe and click on HKLM > File > Load Hive and select the file you copied from your MainOS partition drive, then type in the name, anything like lumiaSoftware...
Edit what you want (probably capabilities... or something) and unload the hive by selecting lumiaSoftware > File > Unload Hive.
Close RegEdit (no need for it anymore); copy your SOFTWARE file to the place where you got it from (there will be more files, with LOG or similar extensions; disregard them). Eject the device and hold down the power button for 10 seconds (or at least until it vibrates) and voila, you have edited your registry successfully.
Important notes:
You can mess up your system, but probably you will be able to repair it by re-flashing the ffu again; not tested.
Maybe I skipped some step in the tutorial and you will be confused about what to do next, so, just in case you don't have a clue what I am talking about, then this is no good tutorial for you, no good at all!
In case Explorer.exe tells you that you don't have permission to access [MainOS MP]:\windows\system32\config just press Enter (it will be OK I think). Maybe this will cause an issue for some path, or for some devices; it didn't cause any issue for me.
I have a crazy phone and a lot of things work on it...
I am using Win10 and Win 10 Mobile.
In case you don't know who is the guy named Explorer.exe forget everything you read in this post and go to some place else.
Best regards and be safe
//edit:
Uploaded attachment for detailed instructions.
Attachment link - forum.xda-developers.com/attachment.php?attachmentid=3563171&d=1449110333
Remember, this works on my device, there might be some issues with it I don't know and I haven't found any so far. Maybe it will brick your phone, mine is working good so far...
Zip file contains screenshots with steps from 0001 to 0031.
And, please, if I had the nerve to write the entire post, have the nerve to read it too...
N.B.-
Some things you must remember: the unlock will be permanent, and I will not be responsible for any kind of harm to your phone. And for devices which (like the 720) don't have SBL3 partitions, you can also unlock your device by dumping your phone's partition. For this you have to read the WPInternals Getting Started section.
******Sorry for my bad english**************
Audio working?
reksden said:
Audio working?
Yes, that's why I said temporary solution.
Riyad_ said:
Yes, that's why I said temporary solution.
Okay, but I have a Lumia 720 (((
Which version of 7z do you use?
reksden said:
Okay, but I have a Lumia 720 (((
No problem, you can try this by dumping your phone's MainOS partition. Check wpinternals.net
titi66200 said:
Which version of 7z do you use?
Version 9.34; it also works with version 9.20.
Thanks
Riyad_ said:
No problem, you can try this by dumping your phone's MainOS partition. Check wpinternals.net
Okay, this instruction is older; I got interop unlock with OEM settings and system and other reg (Huawei W1 with 8.0 05420). But I flashed a dump with interop unlock.
Why not write the reg values directly here?
"C:\Windows\System32\Config"
Thank you so much Riyad_,
this is great news and I will now use the tutorial on my Lumia 520.
Riyad_ said:
:good::good::good::good::good::good::good::good:
People who have an audio problem after "root unlock" can use this trick temporarily. In this trick there is no issue with audio, and I think the audio fix option will come soon.
OK, here is the latest trick for interop unlocking the listed Lumia devices. I will write the post shortly. 60% of the work will be done by the WPInternals app, so you have to read the post.
Devices supported:
Lumia 520, 521, 525, 620, 625, 810, 820, 822, 920, 925, 1020, 720 (other devices are not supported in WPInternals, so owners of those devices have to wait).
**First, a big thanks to "Heathcliff74" for his awesome tool, and second, big thanks to "AndroidXsK" for the SBL3 partitions.
OK, here is the procedure.
First, follow this link to unlock your bootloader. The WPInternals app has all the answers to your questions.
http://forum.xda-developers.com/windows-phone-8/development/windows-phone-internals-unlock-t3257483
First download the tool and read the Getting Started section carefully (don't do anything, just read).
Second, download the SBL3 partition files from this link: http://forum.xda-developers.com/showpost.php?p=64100811&postcount=267
Now, with the WPInternals app, unlock your bootloader with the supported SBL3 partitions.
Here you have to choose the exact partition that matches your phone.
Well, if you have the same CPU as a phone with a supported SBL3 partition, you can use that for your phone also. Suppose you are using a Lumia 521/525 but there is no SBL3 partition for those phones; then you can use the 520 SBL3 partition, because the 520 has the same processor. I think you understood.
After unlocking the bootloader your phone will reboot to normal mode. Keep your phone connected to the PC by USB. Now from the WPInternals app go to manual mode and select "mass storage mode" in the app. The phone will boot again and will go black (unresponsive); don't worry. Then you will find a new mounted drive partition on your PC. It's your phone's MainOS partition.
Go to that drive and you will see some folders. If you don't know, please don't play with those folders. Just go to the (windows>packages>registry files) folder. You will find many reg files; just copy the "Software.reg" file to your desktop. We will work with that file.
Now open 7-Zip File Manager (if you don't have it, just download and install it).
Select the software reg file from the desktop.
After clicking on software reg you will see a file named software without any extension.
Right-click on the file and click "edit".
Now a notepad tab will open with many lines.
Now add these quoted lines (add without quotes) from the attachment at the end of the software file lines.
View attachment 3562770
Now save the file by pressing "Ctrl+S".
Now a message box will appear in 7-Zip File Manager; just click yes.
After that put/replace the modified software.reg file in the (new mounted drive>windows>packages>registry files) folder.
Now soft reset your phone by holding "volume down + power button" for 10 seconds.
Then the phone will boot up normally. Now you must hard reset your phone to get the new capabilities unlocked.
N.B.:
Some things you must remember: the unlock will be permanent, and I will not be responsible for any kind of harm to your phone. For devices which (like the 720) don't have SBL3 partitions, you can also unlock your device by dumping your phone partition. For this you have to read the WPInternals Getting Started section.
******Sorry for my bad English**************
I get the black screen with sad face reboot loop.
Into the ffu? How?
There's an easier way, no need for 7zip at all.
Just switch the device to mass storage mode, go to [MainOS mount point]:\windows\system32\config\ and copy SOFTWARE to some location on the PC, then make a duplicate just in case you mess up some registry entry.
Open RegEdit.exe and click on HKLM > File > Load Hive and select the file you copied from your MainOS partition drive, then type in a name, anything like lumiaSoftware...
Edit what you want (probably capabilities... or something) and unload the hive by selecting lumiaSoftware > File > Unload Hive.
Close RegEdit (no need for it anymore); copy your SOFTWARE file to the place where you got it from (there will be more files, with LOG or similar extensions; disregard them). Eject the device and hold down the power button for 10 seconds (or at least until it vibrates) and voila, you edited your registry with success.
Important notes:
You can mess up your system, but probably you will be able to repair it by re-flashing the ffu again - not tested.
Maybe I skipped some step in the tutorial and you will be confused about what to do next, so, just in case you don't have a clue what I am talking about, then this is no good tutorial for you, no good at all!
In case Explorer.exe tells you that you don't have permission to access [MainOS MP]:\windows\system32\config just press Enter (it will be OK, I think). Maybe this will cause an issue for some path, or for some devices; it's not causing any issue for me.
I have a crazy phone and a lot of things work on it...
I am using Win10 and Win 10 Mobile.
In case you don't know who the guy named Explorer.exe is, forget everything you read in this post and go someplace else.
Best regards and be safe
//edit:
Uploaded attachment for detailed instructions.
Remember, this works on my device; there might be some issues with it I don't know of, and I haven't found any so far. Maybe it will brick your phone; mine is working well so far...
The zip file contains screenshots with steps from 0001 to 0031.
And, please, if I had the nerve to write the entire post, have the nerve to read it too...
_wook_ said:
(quoted post above, omitted)
Have you tested this?
Rivo17 said:
Have you tested this?
Of course, but I recommend you try the first post. As I wrote, I have a crazy phone...
In that case, you'd better edit your post to avoid confusion. Just saying.
_wook_ said:
(quoted post above, omitted)
Loading the hive and searching for capabilities, I think it's more complicated... just adding some lines is much easier. But your tut is good too.
djamol said:
Why not write the reg values directly here?
"C:\Windows\System32\Config"
I was confused about it; that's why I used software.reg.
Rivo17 said:
I get the black screen with sad face reboot loop.
I also got this the first time. Try resetting again or flash the ffu again.

Lumia 950/950XL Service level execution

Hi,
I've been able to use vcREG 1.5 on a 950XL to execute any exe file via services.exe, except it's getting stopped by Code Integrity. That's also why putting an older NdtkSvc.dll in doesn't work on the newer phone (aside from the fact that it has to be in c:\windows). I thought maybe any valid ARM executable signed by Microsoft would be enough, so I copied some executables from the Raspberry Pi Windows 10 IoT image, but I could only get them to run inside the app sandbox because they weren't in the system catalog :'(
Example:
21-March-2016 15:04:08.339601 0x000003D4 0x00000F88 Verbose Microsoft-Windows-CodeIntegrity Code Integrity completed validating file hash. Status 0xC0000428.
21-March-2016 15:04:08.339631 0x000003D4 0x00000F88 Error Microsoft-Windows-CodeIntegrity Code Integrity determined that a process (\Device\HarddiskVolume37\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume39\WPSystem\ftpd.exe that did not meet the Windows signing level requirements.
So now the trick is to find an executable that currently exists on the system and that can be used to gain further access... I've been trying various things like OOBE stuff etc. without any luck so far.
Hoping someone else has some ideas... maybe even executing a DLL function to import the registry from a file or something directly; then we could unlock interop on 950s.
Thanks
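The two Code Integrity lines quoted above are exactly the signal a defender would key on when hunting for this kind of service-path tampering. As an added example (not code from the post, from vcREG or from any project mentioned in this thread), the Python below parses event lines in that layout, pulls the NTSTATUS out of the hash-validation event (0xC0000428 is STATUS_INVALID_IMAGE_HASH) and the loader/target pair out of the refusal event, and joins the two by pid/tid. The first two sample lines are the ones from the post; the third and fourth are constructed for contrast (a successful validation and an unrelated provider).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input. Lines 1-2 are the events quoted in the post above; lines 3-4 are
# constructed for this example (a clean validation and a non-CI provider line).
SAMPLE_LOG = r"""
21-March-2016 15:04:08.339601 0x000003D4 0x00000F88 Verbose Microsoft-Windows-CodeIntegrity Code Integrity completed validating file hash. Status 0xC0000428.
21-March-2016 15:04:08.339631 0x000003D4 0x00000F88 Error Microsoft-Windows-CodeIntegrity Code Integrity determined that a process (\Device\HarddiskVolume37\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume39\WPSystem\ftpd.exe that did not meet the Windows signing level requirements.
21-March-2016 15:04:09.001000 0x000003D4 0x00000F88 Verbose Microsoft-Windows-CodeIntegrity Code Integrity completed validating file hash. Status 0x00000000.
21-March-2016 15:04:09.100000 0x000003D4 0x00000F88 Info Microsoft-Windows-Kernel-General Constructed unrelated event, ignored by the parser.
"""

# NTSTATUS values Code Integrity commonly reports in these events.
NT_STATUS_NAMES = {
    "0x00000000": "STATUS_SUCCESS",
    "0xC0000428": "STATUS_INVALID_IMAGE_HASH",  # signature/hash check failed
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]+-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<pid>0x[0-9A-Fa-f]+) (?P<tid>0x[0-9A-Fa-f]+) "
    r"(?P<level>\w+) Microsoft-Windows-CodeIntegrity (?P<msg>.*)$"
)
STATUS_RE = re.compile(r"Status (0x[0-9A-Fa-f]{8})\.")
BLOCKED_RE = re.compile(
    r"a process \((?P<proc>[^)]+)\) attempted to load (?P<target>.+?) that did not meet"
)


@dataclass
class CiEvent:
    """One Microsoft-Windows-CodeIntegrity event."""
    timestamp: str
    pid: int
    tid: int
    level: str
    message: str
    status: Optional[str] = None   # "0x........" from hash-validation events
    process: Optional[str] = None  # loader, from "attempted to load" events
    target: Optional[str] = None   # image that was refused

    @property
    def status_name(self) -> Optional[str]:
        if self.status is None:
            return None
        return NT_STATUS_NAMES.get(self.status, "UNKNOWN_STATUS")


def parse_line(line: str) -> Optional[CiEvent]:
    """Parse one line; returns None for lines from other providers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = CiEvent(m["ts"], int(m["pid"], 16), int(m["tid"], 16), m["level"], m["msg"])
    s = STATUS_RE.search(ev.message)
    if s:
        ev.status = s.group(1)
    b = BLOCKED_RE.search(ev.message)
    if b:
        ev.process, ev.target = b["proc"], b["target"]
    return ev


def parse_log(text: str) -> List[CiEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def find_blocked_loads(events: List[CiEvent]) -> List[Tuple[str, str, str]]:
    """Return (loader, refused image, status name) for every refused load.

    The status is taken from the most recent hash-validation event on the same
    pid/tid, which is how the two lines in the post relate to each other.
    """
    findings = []
    for i, ev in enumerate(events):
        if ev.target is None:
            continue
        status = "UNKNOWN_STATUS"
        for prev in reversed(events[:i]):
            if prev.pid == ev.pid and prev.tid == ev.tid and prev.status is not None:
                status = prev.status_name
                break
        findings.append((ev.process, ev.target, status))
    return findings


if __name__ == "__main__":
    for loader, image, status in find_blocked_loads(parse_log(SAMPLE_LOG)):
        print(f"{status}: {loader} refused to load {image}")
```

On a real device the same pattern (an Error event from services.exe naming an image outside \Windows, preceded by a non-zero validation status) is what to alert on; the pairing by pid/tid matters because the status and the refusal are logged as two separate events.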
Great work
Maybe you can MTP your 950/950XL and look for the files in the \windows folder.
micheal
Can you tell me how to execute an exe via services.exe? Thanks
naiple said:
Can you tell me how to execute an exe via services.exe? Thanks
use vcREG1.5 to edit HKLM\SYSTEM\ControlSet001\Services\NlpmService\ImagePath
Change it to whatever executable you want, reboot and it will run as LOCAL SYSTEM, provided that it is signed correctly.
NOTE: Changing this will stop your Glance screen from working, so take note of the original value and restore it after you are done if you use glance.
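An ImagePath edit like the one described here (and, for that matter, the lines appended to Software.reg in the tutorial earlier in the thread) is the kind of change a defender wants to spot in an offline registry export rather than discover after a boot loop. The following is an added example, not code from the post, from vcREG or from WPInternals: Python that parses a regedit-style .reg export (quoted strings, dword values, and hex(2) REG_EXPAND_SZ values with backslash line continuations) and flags any service whose ImagePath resolves to an executable outside C:\Windows. The service names and paths in the sample export are constructed for this example and are not real values from any Lumia.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed .reg export in the layout regedit writes. Service names and
# paths are made up for this example; none are real values from a device.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleGoodSvc]
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
  5c,00,65,00,78,00,61,00,6d,00,70,00,6c,00,65,00,2e,00,65,00,78,00,65,00,00,00
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleQuotedSvc]
"ImagePath"="\"C:\\Windows\\System32\\svchost.exe\" -k LocalService"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleTamperedSvc]
"ImagePath"="C:\\WPSystem\\ftpd.exe"
"Start"=dword:00000002
"""

RegValue = Union[str, int, bytes]
NAME_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def _logical_lines(text: str):
    """Yield lines with regedit's trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw: str) -> RegValue:
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])                      # REG_SZ
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                          # REG_DWORD
    m = HEX_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):                # UTF-16LE string types
            return data.decode("utf-16-le").rstrip("\x00")
        return data                                      # REG_BINARY and others
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Return {key path: {value name: decoded value}} for a .reg export."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = NAME_VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        keys[current][name] = _decode_value(m.group(2).strip())
    return keys


def extract_exe(image_path: str) -> str:
    """Reduce an ImagePath value (quoted or not, with arguments) to the executable."""
    p = image_path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    p = re.sub(r"%systemroot%", lambda _: "C:\\Windows", p, flags=re.IGNORECASE)
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", p, flags=re.IGNORECASE)
    return m.group(1) if m else p.split()[0]


def audit_service_image_paths(reg: Dict[str, Dict[str, RegValue]],
                              allowed_roots=("C:\\Windows\\",)) -> List[Tuple[str, str]]:
    """List (service name, executable) for services launched from outside allowed roots."""
    findings = []
    for key, values in reg.items():
        if "\\Services\\" not in key:
            continue
        image = values.get("ImagePath")
        if not isinstance(image, str):
            continue
        exe = extract_exe(image)
        if not any(exe.lower().startswith(root.lower()) for root in allowed_roots):
            findings.append((key.rsplit("\\", 1)[-1], exe))
    return findings


if __name__ == "__main__":
    for svc, exe in audit_service_image_paths(parse_reg(SAMPLE_REG)):
        print(f"service {svc} runs from outside C:\\Windows: {exe}")
```

Run it against `reg export HKLM\SYSTEM\ControlSet001\Services` output from a mounted hive to get the same check on real data; the root allow-list is deliberately narrow so that a path under a non-system partition (as in the WPSystem example in the Code Integrity log above) stands out.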
megasounds said:
Great work
Maybe you can MTP your 950/950XL and look for the files in the \windows folder.
micheal
Actually, using MTP isn't the best thing for that, because you are missing out on more than half of the available executable files, as they are not viewable via MTP on the 950/XL due to permissions. It's best to mount the FFU image and look around that way.
I have already looked at and tested most of them, which is why I was asking if anyone else had some ideas.
darkfires said:
use vcREG1.5 to edit HKLM\SYSTEM\ControlSet001\Services\NlpmService\ImagePath
Change it to whatever executable you want, reboot and it will run as LOCAL SYSTEM, provided that it is signed correctly.
NOTE: Changing this will stop your Glance screen from working, so take note of the original value and restore it after you are done if you use glance.
Thanks! I will try it on my Lumia.
darkfires said:
use vcREG1.5 to edit HKLM\SYSTEM\ControlSet001\Services\NlpmService\ImagePath
Change it to whatever executable you want, reboot and it will run as LOCAL SYSTEM, provided that it is signed correctly.
NOTE: Changing this will stop your Glance screen from working, so take note of the original value and restore it after you are done if you use glance.
I can't find NlpmService because my Lumia 730 doesn't have a Glance screen... Is there any other way to run an exe?
naiple said:
I can't find NlpmService because my Lumia 730 doesn't have a Glance screen... Is there any other way to run an exe?
I only decompiled the NdtkSvc on 950XL, the one on 730 might be different. But to answer your question there is only one other way, and it will kill USB so you won't be able to connect to it via PC at all until you reverse the change. If you post your NdtkSvc.dll I can check it for you.
HKLM\SYSTEM\ControlSet001\Services\NokDeviceHubSvc\ImagePath
darkfires said:
I only decompiled the NdtkSvc on 950XL, the one on 730 might be different. But to answer your question there is only one other way, and it will kill USB so you won't be able to connect to it via PC at all until you reverse the change. If you post your NdtkSvc.dll I can check it for you.
HKLM\SYSTEM\ControlSet001\Services\NokDeviceHubSvc\ImagePath
Ahh, I found the NlpmService. Don't know why I couldn't find it yesterday... And if you need anything (unlocked bootloader, UEFI...) from the 730 or 540 I can post it; both are prototypes and can enter mass storage. Hope I can help you. Thank you for the answer.
naiple said:
Ahh, I found the NlpmService. Don't know why I couldn't find it yesterday... And if you need anything (unlocked bootloader, UEFI...) from the 730 or 540 I can post it; both are prototypes and can enter mass storage. Hope I can help you. Thank you for the answer.
I'm trying to do something different and I found this topic, so if you still have these devices, can you extract the NlpmService.dll file from System32 and upload it here for me?