I know that during the installation process, xaps are scanned for any "illegal" capabilities in the WMAppManifest.xml file. Does anyone know what purpose this file serves after an xap has been installed on the device?
My thought is this:
Install an app with a non-elevated WMAppManifest.xml. Then when you launch the installed app, it updates the xml file with additional capabilities (Interop Services, for example) and exits. Then when the app is relaunched, it will have access to the new capabilities in the xml file?
What do you guys think? Has this been done before? Is that xml file only used during installation?
compu829 said:
I know that during the installation process, xaps are scanned for any "illegal" capabilities in the WMAppManifest.xml file. Does anyone know what purpose this file serves after an xap has been installed on the device?
My thought is this:
Install an app with a non-elevated WMAppManifest.xml. Then when you launch the installed app, it updates the xml file with additional capabilities (Interop Services, for example) and exits. Then when the app is relaunched, it will have access to the new capabilities in the xml file?
What do you guys think? Has this been done before? Is that xml file only used during installation?
I think I tried this and the app returned a failure error.
I'm sure that every app has its capabilities checked during installation, but I don't know whether the phone checks the caps again at launch time.
The best way to test is to change this file on an interop-unlocked, full-FS phone and see the reaction.
Caps are written to package manager database & global account database. WMAppManifest isn't used after installation is finished.
Yeah, this method was tried long, long ago.
Besides, even if it worked and the file was checked later, all that would mean is that you couldn't launch the app anymore. The capabilities-vs.-unlock-level appears to be checked at every startup, not just at install.
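The install-time capability scan discussed above, as an added example (not code from the thread or from Microsoft): it opens a XAP as a zip, reads WMAppManifest.xml and flags declared capabilities against a reviewer-supplied deny-list. The sample manifest, `make_xap` and the one-entry deny-list are constructed assumptions.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Capabilities to flag. Only ID_CAP_INTEROPSERVICES is named in the thread;
# the rest of a real deny-list is policy and is left to the reviewer.
RESTRICTED = {"ID_CAP_INTEROPSERVICES"}


def manifest_capabilities(xap_bytes):
    """Return the sorted capability names declared in a XAP's WMAppManifest.xml."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        # The manifest sits at the archive root; match its name case-insensitively.
        name = next((n for n in xap.namelist()
                     if n.lower() == "wmappmanifest.xml"), None)
        if name is None:
            raise ValueError("no WMAppManifest.xml in archive")
        data = xap.read(name)
    if b"<!DOCTYPE" in data.upper():
        # A manifest needs no DTD; refusing one avoids entity-expansion tricks.
        raise ValueError("DOCTYPE not allowed in manifest")
    caps = set()
    for el in ET.fromstring(data).iter():
        # Drop the XML namespace so the element name is compared on its own.
        if el.tag.rsplit("}", 1)[-1] == "Capability" and el.get("Name"):
            caps.add(el.get("Name").strip().upper())
    return sorted(caps)


def audit(xap_bytes, restricted=frozenset(RESTRICTED)):
    """Split declared capabilities into all declared / flagged by policy."""
    declared = manifest_capabilities(xap_bytes)
    return {"declared": declared,
            "flagged": [c for c in declared if c in restricted]}


def make_xap(manifest_xml):
    """Constructed sample: an in-memory XAP holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WMAppManifest.xml", manifest_xml)
    return buf.getvalue()


# Constructed manifest, not taken from any real app.
SAMPLE = make_xap(
    '<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment"'
    ' AppPlatformVersion="8.0"><App Title="Sample"><Capabilities>'
    '<Capability Name="ID_CAP_NETWORKING" />'
    '<Capability Name="ID_CAP_INTEROPSERVICES" />'
    '</Capabilities></App></Deployment>')

if __name__ == "__main__":
    print(audit(SAMPLE))
```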
@GoodDayToDie @ultrashot I figured as much, thanks for the info.
On a semi-related note, I just received a completely different HTC 8x (T-Mobile branded) back from HTC (5th time in for repair). If this one really works, maybe I can have some fun with my Lumia 521 and/or try to figure out how to unbrand/mod the 8x. I really want to add WiFi calling to the 8x, but I need to add some certs, a missing dll, and some reg keys.
I've been looking for a way to do this for the past couple days with no luck. Just to get any suspicions out of the way, I am not using this to steal someone else's work, it's for a workaround for a game that I'm trying to accomplish using two save files. I've tried going into the android manifest, editing the package name, and then resigning the apk with no luck (i just get parsing errors when I try to install). Is there any way that this can be done? or am I missing something?
It is not a simple matter.
APKs are managed by package name, not by file name, but you can't simply change the package name in the manifest of a compiled APK.
Even assuming you manage to do it without messing up the file, which is not a simple task, there will still be code referring to the package name, so the app will crash.
To put it simply, you would be better off getting your device rooted (if you don't already have root) and playing with the application data files if you want to cheat at some game.
Hey guys,
I am wondering if it is possible to write to the WMAppManifest.xml file from within the app. I searched the net, but I didn't find an answer. The only thing I found was how to read this file: http://www.developer.nokia.com/Comm..._Manifest_(WMAppManifest.xml)_file_at_runtime
If it were possible, we could try to implement the INTEROPSERVICES capability programmatically.
Two problems with that.
First of all, the app's install directory is read-only to the app permissions. You can't create, delete, or modify any file there from within the app (without some sort of "jailbreak" at least).
Second, and possibly more importantly, the permissions sandbox (or "appcontainer") that the phone uses to restrict an app is created at app install. Modifying the manifest is unlikely to have any benefit whatsoever (it certainly didn't help on WP7).
A good idea, though. Always glad to see people checking for such things.
GoodDayToDie said:
Two problems with that.
First of all, the app's install directory is read-only to the app permissions. You can't create, delete, or modify any file there from within the app (without some sort of "jailbreak" at least).
Second, and possibly more importantly, the permissions sandbox (or "appcontainer") that the phone uses to restrict an app is created at app install. Modifying the manifest is unlikely to have any benefit whatsoever (it certainly didn't help on WP7).
A good idea, though. Always glad to see people checking for such things.
I searched MSDN and saw this article: http://msdn.microsoft.com/en-us/lib...?cs-save-lang=1&cs-lang=csharp#code-snippet-2
Examples
Use the file APIs, such as Windows.Storage.StorageFolder.CreateFileAsync | createFileAsync and Windows.Storage.FileIO.WriteTextAsync | writeTextAsync, to create and update a file in the local app data store
Requirements
Minimum supported client
Windows 8
Minimum supported server
Windows Server 2012
Minimum supported phone
Windows Phone 8
DLL
Windows.Storage.ApplicationData.dll
Maybe it would be possible... I tried to implement it in a sample app, but I failed at the System.IO stream...
The app data store and the app install location are completely different things. The data store is a per-app read/write location that is initially empty. The install location is a read-only location that contains the contents of the XAP file (including the manifest and executable code). They are located in different parts of the file system (I could tell you the paths if you want), they have different permissions, they are accessed using different APIs, and they are not interchangeable.
Even in case of root access, I highly doubt WMAppManifest is ever used after the app is installed.
ultrashot said:
Even in case of root access, I highly doubt WMAppManifest is ever used after the app is installed.
Yep, I did some experiments a long time ago: WMAppManifest and/or WPInteropManifest are used on deployment only.
gipfelgoas said:
Hey guys,
If it were possible, we could try to implement the INTEROPSERVICES capability programmatically.
And what does this capability give (what is it useful for)?
I did run native API calls from a W8 app, but the file system and process restrictions don't allow anything useful (anything other than browsing the app's own or system32/ files; the registry is read-only; also no useful privileges are present).
P.S. To all: is it possible somehow to install original .xap files (taken from the Market) via "\Microsoft SDKs\Windows Phone\v8.0\Tools\XAP Deployment\XapDeploy.exe" or VS (on a dev-unlocked device)?
ID_CAP_INTEROPSERVICES is a Windows Phone app "capability" flag that tells the OS to allow the app to access (specifically, create handles to) drivers by device name. This is useful because drivers run outside the security context of the OS, so they are not sandboxed, and thus if they offer IOCTLs (on Windows, DeviceIoControl codes) that can do useful things for us, we can use those IOCTLs to our own benefit.
This is the standard way that OEM apps do stuff which would normally not be possible, like controlling the cellular radios or accessing parts of the filesystem that are outside the app sandbox. Each OEM includes one or more drivers in their ROMs which support these operations.
On WP7, this was the way that early homebrew worked. Access to the filesystem (TouchXplorer, Advanced Explorer) and write access to the registry (Advanced Explorer, Registry Editor, Advanced Config, and others) were made possible by OEM-provided COM DLLs which in turn opened device handles and invoked IOCTLs to obtain the required access. Later, WP7 Root Tools worked by directly accessing the drivers and exploiting security vulnerabilities within them that Heathcliff74 had discovered to gain arbitrary code execution in the kernel. That will be harder on WP8 (assuming we even get that far) because of the many exploit mitigations in the NT6.2 kernel, but it's worth a shot. Even if we can't pull that off, though, there's a decent chance we could get something like the Windows RT "jailbreak" to work, and a good chance that we could get something like the old Advanced Explorer to work.
GoodDayToDie said:
ID_CAP_INTEROPSERVICES is a Windows Phone app "capability" flag that tells the OS to allow the app to access (specifically, create handles to) drivers by device name. Each OEM includes one or more drivers in their ROMs which support these operations...
were made possible by OEM-provided COM DLLs .
Thanks for the explanations!
Basically, I don't see any app using ID_CAP_INTEROPSERVICES (having it in its manifest) in the 820.ffu/Nokia 820 image. Am I missing something?
As far as I understand, if we don't have ID_CAP_INTEROPSERVICES we can't load or properly use OEM-provided COM DLLs (not enough rights)? Am I right?
NB: can anybody suggest such a COM DLL (name) from WP8 to explore, as an example? (As I understand it, there are no such DLLs in the WP8 x86 emulator from the SDK?)
Thanks again!
smx06 said:
Thanks for the explanations!
Basically, I don't see any app using ID_CAP_INTEROPSERVICES (having it in its manifest) in the 820.ffu/Nokia 820 image. Am I missing something?
As far as I understand, if we don't have ID_CAP_INTEROPSERVICES we can't load or properly use OEM-provided COM DLLs (not enough rights)? Am I right?
NB: can anybody suggest such a COM DLL (name) from WP8 to explore, as an example? (As I understand it, there are no such DLLs in the WP8 x86 emulator from the SDK?)
Thanks again!
If you want to see an OEM app which uses ID_CAP_INTEROPSERVICES, look at this: https://rapidshare.com/files/4165178711/825962362f3144b7a1115d0bb6a3935b.xap It's an app from the Nokia RM860 with product code 059r225 in ncs. This xap file also uses some other caps which a "normal" developer can't access.
If we don't have this (or other) capabilities, our app runs in a sandbox and can't access system features, such as the file system...
If you want to see a COM DLL, download an ffu file, mount it with this and then go into the windows/system32 directory.
gipfelgoas said:
If you want to see an OEM app which uses ID_CAP_INTEROPSERVICES, look at this: https://rapidshare.com/files/4165178711/825962362f3144b7a1115d0bb6a3935b.xap
If you want to see a COM DLL, download an ffu file, mount it with this and then go into the windows/system32 directory.
Thanks for the xap! (If you have done some research on it, that would also be great, to start from already explored stuff.)
About COM DLLs: I don't mean the ordinary ones (which I can see in /system32/ of the WP8 SDK emulator or /system32/ on my phone), but those DLLs (or drivers too?) which are used by ID_CAP_INTEROPSERVICES apps (to do something like registry writing, FS access, etc.)
Thanks!
On WP7, COM DLLs were needed to access the drivers (because WP7 apps couldn't use C++ directly and don't have APIs to wrap CreateFile (for getting the driver handle) or DeviceIoControl (to call IOCTLs)). On WP8, COM DLLs (or something like them) may or may not be used; I think it's possible to do what needs to be done using the official C++ SDK but I haven't checked.
In any case, the COM DLLs were just wrappers around the driver IOCTLs. The drivers are the ones that do all the heavy lifting, because they're the things that have the required permissions. Also, I guarantee you that there are some high-permission drivers on the Lumias; you can't do an app like the storage checker/cleanup or whatever it is without them. That requires filesystem access well in excess of what an app is normally allowed to have.
GoodDayToDie said:
Also, I guarantee you that there are some high-permission drivers on the Lumias; you can't do an app like the storage checker/cleanup or whatever it is without them. That requires filesystem access well in excess of what an app is normally allowed to have.
OK. The simplest way to check is to search for such apps (with the interop cap) in the registry (AFAIR all apps are registered there with their caps listed).
I shall try on my 820. The registry viewer could also be useful to search for something else.
But I doubt they really are there (as there was nothing similar inside the image).
P.S. And as I understand it, there is no chance of finding something like this (DLL or sys) in the WP8 x86 emulator (which would be much easier to review in IDA).
P.P.S. I think everyone knows that it is possible to mount the vmdk disk of the WP emulator and reverse all the system modules (x86).
How to keep the signature after modifying an apk?
Google said to just replace the classes.dex and some files.
But I can't install the apk.
You cannot. And that limitation is there for a reason! That way nobody other than the developer himself can insert code, and therefore malware, into an app's code. The user will be notified that there's something wrong with the apk. It's more secure for the user and for the developer.
If you want to install your app though, uninstall the app and then you'll be able to install the new, modified apk.
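Why a swapped classes.dex cannot keep the original signature, as an added example (not from the thread): a v1 (JAR-style) signed APK lists a digest for every entry in META-INF/MANIFEST.MF, and that manifest is what the developer's signature covers. The code checks only this digest layer on a constructed in-memory archive; `build_apk` and the sample file contents are assumptions made for the demonstration.

```python
import base64
import hashlib
import io
import zipfile

DIGESTS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}
SIG_SUFFIXES = ("MANIFEST.MF", ".SF", ".RSA", ".DSA", ".EC")


def is_signature_file(name):
    """Signature bookkeeping files are not themselves listed in the manifest."""
    return name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES)


def parse_manifest(text):
    """Map entry name -> {attribute: value} from a JAR MANIFEST.MF."""
    # Unfold continuation lines (a newline followed by a single space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs["Name"]] = attrs
    return entries


def verify_entries(apk_bytes):
    """Compare every archive entry with the digest recorded in the manifest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        names = [n for n in z.namelist()
                 if not n.endswith("/") and not is_signature_file(n)]
        result = {}
        for name in names:
            attrs = manifest.get(name)
            if attrs is None:
                result[name] = "not in manifest"
                continue
            result[name] = "no known digest"
            for attr, algo in DIGESTS.items():
                if attr in attrs:
                    digest = hashlib.new(algo, z.read(name)).digest()
                    actual = base64.b64encode(digest).decode()
                    result[name] = "ok" if actual == attrs[attr] else "digest mismatch"
                    break
        for name in manifest:
            if name not in names:
                result[name] = "missing from archive"
    return result


def build_apk(files, signed_files=None):
    """Constructed stand-in for an APK: zip of `files`, manifest of `signed_files`."""
    signed = files if signed_files is None else signed_files
    mf = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in signed.items():
        d = base64.b64encode(hashlib.sha256(data).digest()).decode()
        mf += f"Name: {name}\r\nSHA-256-Digest: {d}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed contents: the manifest describes ORIGINAL, the archive holds PATCHED.
ORIGINAL = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"original code"}
PATCHED = dict(ORIGINAL, **{"classes.dex": b"patched code"})
APK_OK = build_apk(ORIGINAL)
APK_TAMPERED = build_apk(PATCHED, signed_files=ORIGINAL)

if __name__ == "__main__":
    print(verify_entries(APK_OK))
    print(verify_entries(APK_TAMPERED))
```

Regenerating the manifest to match the new file does not help either, because the manifest itself is covered by the signature, which only the holder of the original key can reproduce.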
If you happen to be using Eclipse, there is a setting to automatically uninstall the old app if they have different signatures. As somebody who bounces back and forth between computers (each use a different signature when running debug), as well as the live version of my app, this is incredibly helpful, as it saves about 20 seconds of having to go into settings and uninstalling.
You can keep the signature by not modifying the manifest. Also, there's a Windows app called VTS that can preserve the signature, sir.
Hi,
I've been able to use vcREG 1.5 on a 950XL to execute any exe file via services.exe, except it's getting stopped by Code Integrity. That's also why putting older NdtkSvc.dll doesn't work on the newer phone (aside from the fact that it has to be in c:\windows). I thought oh maybe any valid arm executable signed by microsoft would be enough, so I copied some executables from the Raspberry Pi Windows 10 IoT image, but I could only get them to run inside the app sandbox because they weren't in the system catalog :'(
Example:
21-March-2016 15:04:08.339601 0x000003D4 0x00000F88 Verbose Microsoft-Windows-CodeIntegrity Code Integrity completed validating file hash. Status 0xC0000428.
21-March-2016 15:04:08.339631 0x000003D4 0x00000F88 Error Microsoft-Windows-CodeIntegrity Code Integrity determined that a process (\Device\HarddiskVolume37\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume39\WPSystem\ftpd.exe that did not meet the Windows signing level requirements.
So now the trick is to find an executable on the system that currently exists, that can be used to gain further access... I've been trying various things like OOBE stuff etc without any luck so far.
Hoping someone else has some ideas... maybe even executing a dll function to import registry from a file or something directly, then we could unlock interop on 950's..
Thanks
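A detection-side reading of the two Code Integrity lines quoted in the post above, as an added example (not from the thread): it pairs each hash-validation status with the block event that follows it on the same ids, and marks loads requested by services.exe for an image outside \Windows. Treating the two hex columns as process and thread ids is an assumption, and the third sample line is constructed.

```python
import re

# Layout of the quoted lines: date, time, two hex ids (assumed here to be the
# process and thread id), level, provider, message.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<pid>0x[0-9A-Fa-f]+) (?P<tid>0x[0-9A-Fa-f]+) "
    r"(?P<level>\w+) (?P<provider>\S+) (?P<msg>.*)$")
STATUS = re.compile(r"Status (0x[0-9A-Fa-f]{8})")
BLOCKED = re.compile(
    r"a process \((?P<loader>.+?)\) attempted to load (?P<image>.+?) "
    r"that did not meet the Windows signing level requirements")
# NTSTATUS value seen in the post.
NTSTATUS = {0xC0000428: "STATUS_INVALID_IMAGE_HASH"}


def blocked_loads(lines):
    """Return one record per image load that Code Integrity refused."""
    last_status = {}   # (pid, tid) -> most recent hash-validation status
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or m["provider"] != "Microsoft-Windows-CodeIntegrity":
            continue
        key = (m["pid"], m["tid"])
        status = STATUS.search(m["msg"])
        if status:
            last_status[key] = int(status.group(1), 16)
            continue
        hit = BLOCKED.search(m["msg"])
        if not hit:
            continue
        code = last_status.pop(key, None)
        loader, image = hit["loader"], hit["image"]
        findings.append({
            "time": m["ts"],
            "loader": loader,
            "image": image,
            "status": None if code is None else f"0x{code:08X}",
            "status_name": NTSTATUS.get(code, "unknown"),
            # The service control manager loading a binary from outside the
            # Windows directory is the pattern worth alerting on.
            "service_host": loader.lower().endswith("\\services.exe"),
            "outside_windows_dir": "\\windows\\" not in image.lower(),
        })
    return findings


# First two lines are the ones quoted in the post; the third is constructed.
SAMPLE_LOG = [
    r"21-March-2016 15:04:08.339601 0x000003D4 0x00000F88 Verbose "
    r"Microsoft-Windows-CodeIntegrity Code Integrity completed validating "
    r"file hash. Status 0xC0000428.",
    r"21-March-2016 15:04:08.339631 0x000003D4 0x00000F88 Error "
    r"Microsoft-Windows-CodeIntegrity Code Integrity determined that a process "
    r"(\Device\HarddiskVolume37\Windows\System32\services.exe) attempted to "
    r"load \Device\HarddiskVolume39\WPSystem\ftpd.exe that did not meet the "
    r"Windows signing level requirements.",
    r"21-March-2016 15:04:09.000000 0x000003D4 0x00000F88 Info "
    r"Constructed-Provider unrelated event",
]

if __name__ == "__main__":
    for finding in blocked_loads(SAMPLE_LOG):
        print(finding)
```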
Great work
maybe you can MTP your 950/950xl and look for the files in the \windows folder
micheal
Can you tell me how to execute an exe via services.exe? Thanks.
naiple said:
Can you tell me how to execute an exe via services.exe? Thanks.
use vcREG1.5 to edit HKLM\SYSTEM\ControlSet001\Services\NlpmService\ImagePath
Change it to whatever executable you want, reboot and it will run as LOCAL SYSTEM, provided that it is signed correctly.
NOTE: Changing this will stop your Glance screen from working, so take note of the original value and restore it after you are done if you use glance.
megasounds said:
Great work
maybe you can MTP your 950/950xl and look for the files in the \windows folder
micheal
Actually using MTP isn't the best thing for that, because you are missing out on more than half of the available executable files as they are not viewable via MTP on 950/XL due to permissions. It's best to mount the FFU image and look around that way.
I have already looked and tested most of them, thus why I was asking if anyone else had some ideas.
darkfires said:
use vcREG1.5 to edit HKLM\SYSTEM\ControlSet001\Services\NlpmService\ImagePath
Change it to whatever executable you want, reboot and it will run as LOCAL SYSTEM, provided that it is signed correctly.
NOTE: Changing this will stop your Glance screen from working, so take note of the original value and restore it after you are done if you use glance.
Thanks! I will try it on my lumia
darkfires said:
use vcREG1.5 to edit HKLM\SYSTEM\ControlSet001\Services\NlpmService\ImagePath
Change it to whatever executable you want, reboot and it will run as LOCAL SYSTEM, provided that it is signed correctly.
NOTE: Changing this will stop your Glance screen from working, so take note of the original value and restore it after you are done if you use glance.
I can't find NlpmService because my Lumia 730 doesn't have a Glance screen... Is there any other way to run an exe?
naiple said:
I can't find NlpmService because my Lumia 730 doesn't have a Glance screen... Is there any other way to run an exe?
I only decompiled the NdtkSvc on 950XL, the one on 730 might be different. But to answer your question there is only one other way, and it will kill USB so you won't be able to connect to it via PC at all until you reverse the change. If you post your NdtkSvc.dll I can check it for you.
HKLM\SYSTEM\ControlSet001\Services\NokDeviceHubSvc\ImagePath
darkfires said:
I only decompiled the NdtkSvc on 950XL, the one on 730 might be different. But to answer your question there is only one other way, and it will kill USB so you won't be able to connect to it via PC at all until you reverse the change. If you post your NdtkSvc.dll I can check it for you.
HKLM\SYSTEM\ControlSet001\Services\NokDeviceHubSvc\ImagePath
Ahh, I found the NlpmService. Don't know why I couldn't find it yesterday... And if you need anything (unlocked bootloader, UEFI...) from the 730 or 540 I can post it; both are prototypes and can enter mass storage. Hope I can help you. Thank you for the answer.
naiple said:
Ahh, I found the NlpmService. Don't know why I couldn't find it yesterday... And if you need anything (unlocked bootloader, UEFI...) from the 730 or 540 I can post it; both are prototypes and can enter mass storage. Hope I can help you. Thank you for the answer.
I'm trying to do something different and I found this topic so if you still have these devices can you extract NlpmService.dll file from System32 and upload it here for me?
cacerts.bks updated 12-6-20
When the original search was on to repair the aging cacerts.bks file in order to get the Kindle app working again, one of the things I came across was a remark from a fellow who had located a Honeycomb ROM (Android 3.2...last stop before the format of the security certificate storage was changed) and copied the cacerts.bks file from it to his Android 2.2 device which was having problems with websites, etc.
I still can't get the method described by @tshoulihane in this thread to work for me. But his edited cacerts.bks file works really well in solving the problem.
Yesterday I managed to locate a CM 7 ROM (Honeycomb). It contains a largish cacerts.bks file (compared to ours) with 127 certificates, 17 of which have expired. These seem to be mostly for central/eastern European and Asian entities, so perhaps not that critical. Well, it's only 10 years old
It has worked for me with the Kindle app and perhaps will help with some of the websites that complain about a secure connection even though I have enabled TLS 1.2 in Opera Mobile. More testing is needed there.
For anyone who wants to try it out, it is attached below. To use, rename your current cacerts.bks file (that's in /system/etc/security) to cacerts.bks.bak or similar. Then move the new file (unzip) into the same place. Check permissions. They should be rw-r-r. Reboot.
This looks great... though when I tried to rename and copy the new cacerts file, I am getting blocked due to the lack of root permissions.
I'm running the 1.2.1 tweaked/modded rom so I thought it wouldn't be an issue. I also tracked down the supersu3.1.3 apk and sideloaded it, but it didn't help either. Wondering if you had any ideas?
xrayd2 said:
This looks great... though when I tried to rename and copy the new cacerts file, I am getting blocked due to the lack of root permissions.
I'm running the 1.2.1 tweaked/modded rom so I thought it wouldn't be an issue. I also tracked down the supersu3.1.3 apk and sideloaded it, but it didn't help either. Wondering if you had any ideas?
So was your SU app missing? Or did your file manager just not have root access?
Hard to know where to start. From my experience, the best-behaving SU for the NST/G is the one that comes with NookManager (attached below). It's old and the binaries are probably out of date, but you don't need anything better for the device.
You can try removing the one you have now, reboot, and install the one below. Then check that your file manager has root access. In ES File Explorer, for example, you have to go into settings and tick the selection for root access. It's not automatic. And even with that, you have to tick an additional box to mount /system as rw while you're working in it.
At one time the superuser app was included -- but is no longer linked, and I had overlooked it after initially flashing the rom.
Unfortunately, the su app you provided also doesn't work. When I try to delete the old cacerts.blk it looks like it's doing something, but then the file still remains. If I instead try to rename the file, I get "operation failed".
I tried to delete or rename using an app called "root browser", and also the file manager in "super manager" suite. When I try to enable the root explorer function in ES file manager , I get "sorry, test failed. This feature cannot run on your device."
When I go under Device info, the ROM name does indeed say "Tweaked Modded ROM". I assume this should mean it's rooted but I'll have to dig deeper.
I appreciate your help though!
xrayd2 said:
When I go under Device info, the ROM name does indeed say "Tweaked Modded ROM". I assume this should mean it's rooted but I'll have to dig deeper.
Mmm.... so the ROM came "rooted"? I've attached a root check app which I've tried on my NST. This should answer the question of root.
If root has been lost somehow, it might be possible to salvage what you have by running NookManager. If you don't want the various additions like Relaunch, you can remove those apps from the data/app folder once you've written the card and then make the other needed changes as described here: https://forum.xda-developers.com/nook-touch/development/nst-g-updating-nookmanager-t3873048
Or, you could just use NM as-is and uninstall unwanted material afterwards. The important thing is root and a functioning SU.
Okay... turns out my device was NOT rooted after all; I had assumed the binaries were already installed. Fortunately, I was able to find a superSU 0.93 binary and root through CWM. I replaced cacerts.blk with yours, and now the kindle app works! At first I had difficulty logging in, but turns out Amazon was emailing me a one time password after every attempt. After entering the OTP I am now up and running.
My next issue is getting Pocket working -- I installed Read it Later 1.0.1 but it's not syncing.
Thanks for the link to your other post. I will sideload the apk's you recommended.
xrayd2 said:
My next issue is getting Pocket working -- I installed Read it Later 1.0.1 but it's not syncing.
Might not be possible. Chatter here: https://forum.xda-developers.com/showthread.php?t=1604661&page=2 goes back to 2013.
I found reference to a functioning version in 9/2016. Had hoped it was a cacerts issue but maybe pocket changed their api.
https://forum.xda-developers.com/showpost.php?p=68600731&postcount=54
Would this be what's causing my Nook to not load certain https sites?
I can get to gmail fine, but I can't for the life of me load the todoist website
Tried loading your cacerts.bks, doesn't seem like it changed anything
I had no problem getting the Todoist home page. Logging in may be another matter.
Are you using Opera Mobile and did you make the settings change for TLS 1.2?