Hey guys,
I am wondering if it is possible to write to the WMAppManifest.xml file within the app. I searched on the net, but I didn't find an answer. The only thing I found was how to read this file: http://www.developer.nokia.com/Comm..._Manifest_(WMAppManifest.xml)_file_at_runtime
If it were possible, we could try to implement the capability INTEROPSERVICES programmatically.
Two problems with that.
First of all, the app's install directory is read-only to the app permissions. You can't create, delete, or modify any file there from within the app (without some sort of "jailbreak" at least).
Second, and possibly more importantly, the permissions sandbox (or "appcontainer") that the phone uses to restrict an app is created at app install. Modifying the manifest is unlikely to have any benefit whatsoever (it certainly didn't help on WP7).
A good idea, though. Always glad to see people checking for such things.
GoodDayToDie said:
> Two problems with that.
> First of all, the app's install directory is read-only to the app permissions. You can't create, delete, or modify any file there from within the app (without some sort of "jailbreak" at least).
> Second, and possibly more importantly, the permissions sandbox (or "appcontainer") that the phone uses to restrict an app is created at app install. Modifying the manifest is unlikely to have any benefit whatsoever (it certainly didn't help on WP7).
> A good idea, though. Always glad to see people checking for such things.
I searched on the MSDN network and saw this article: http://msdn.microsoft.com/en-us/lib...?cs-save-lang=1&cs-lang=csharp#code-snippet-2
> Examples
> Use the file APIs, such as Windows.Storage.StorageFolder.CreateFileAsync | createFileAsync and Windows.Storage.FileIO.WriteTextAsync | writeTextAsync, to create and update a file in the local app data store
>
> Requirements
> Minimum supported client: Windows 8
> Minimum supported server: Windows Server 2012
> Minimum supported phone: Windows Phone 8
> DLL: Windows.Storage.ApplicationData.dll
Maybe it would be possible... I tried to implement it in a sample app, but I failed at the System.IO stream...
The app data store and the app install location are completely different things. The data store is a per-app read/write location that is initially empty. The install location is a read-only location that contains the contents of the XAP file (including the manifest and executable code). They are located in different parts of the file system (I could tell you the paths if you want), they have different permissions, they are accessed using different APIs, and they are not interchangeable.
Even in case of root access, I highly doubt WMAppManifest is ever used after app is installed.
ultrashot said:
> Even in case of root access, I highly doubt WMAppManifest is ever used after app is installed.
Yep, I did some experiments a long time ago: WMAppManifest and/or WPInteropManifest are used on deployment only.
gipfelgoas said:
> Hey guys,
> If it were possible, we could try to implement the capability INTEROPSERVICES programmatically.
And what does this capability give? (useful for)
I did run native API calls from a W8 app, but the file system and process restrictions don't allow anything useful to be done (like anything other than browsing own or system32/ files; registry is read-only; also no useful privileges present).
p.s. 2all: is it possible somehow to install original .xap files (taken from Market) via "\Microsoft SDKs\Windows Phone\v8.0\Tools\XAP Deployment\XapDeploy.exe" or VS (on dev unlocked device)?
ID_CAP_INTEROPSERVICES is a Windows Phone app "capability" flag that tells the OS to allow the app to access (specifically, create handles to) drivers by device name. This is useful because drivers run outside the security context of the OS, so they are not sandboxed, and thus if they offer IOCTLs (on Windows, DeviceIoControl codes) that can do useful things for us, we can use those IOCTLs to our own benefit.
This is the standard way that OEM apps do stuff which would normally not be possible, like controlling the cellular radios or accessing parts of the filesystem that are outside the app sandbox. Each OEM includes one or more drivers in their ROMs which support these operations.
On WP7, this was the way that early homebrew worked. Access to the filesystem (TouchXplorer, Advanced Explorer) and write access to the registry (Advanced Explorer, Registry Editor, Advanced Config, and others) were made possible by OEM-provided COM DLLs which in turn opened device handles and invoked IOCTLs to obtain the required access. Later, WP7 Root Tools worked by directly accessing the drivers and exploiting security vulnerabilities within them that Heathcliff74 had discovered to gain arbitrary code execution in the kernel. That will be harder on WP8 (assuming we even get that far) because of the many exploit mitigations in the NT6.2 kernel, but it's worth a shot. Even if we can't pull that off, though, there's a decent chance we could get something like the Windows RT "jailbreak" to work, and a good chance that we could get something like the old Advanced Explorer to work.
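Added example, not part of any post in this thread: a static check that lists the capabilities a XAP declares in WMAppManifest.xml and flags ID_CAP_INTEROPSERVICES, the kind of manifest review discussed here. The sample manifest, the FLAGGED set and the function names are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Capabilities this example flags for review; the set is the example's own choice.
FLAGGED = {"ID_CAP_INTEROPSERVICES"}

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" AppPlatformVersion="8.0">
  <App ProductID="{00000000-0000-0000-0000-000000000000}" Title="SampleApp">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_INTEROPSERVICES" />
    </Capabilities>
  </App>
</Deployment>
"""


def build_sample_xap(manifest_text):
    """Build an in-memory XAP (a ZIP archive) holding only the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xap:
        xap.writestr("WMAppManifest.xml", manifest_text)
    return buf.getvalue()


def capabilities_from_manifest(xml_bytes):
    """Return the Name of every <Capability> element, in document order."""
    # Refuse DTDs so an untrusted manifest cannot use entity-expansion tricks.
    # This byte-level check assumes a UTF-8 (or ASCII-compatible) manifest.
    if b"<!DOCTYPE" in xml_bytes.upper():
        raise ValueError("manifest contains a DOCTYPE; refusing to parse")
    root = ET.fromstring(xml_bytes)
    caps = []
    for element in root.iter():
        # Compare the local name only, so any manifest namespace matches.
        if element.tag.rsplit("}", 1)[-1] == "Capability" and element.get("Name"):
            caps.append(element.get("Name").strip().upper())
    return caps


def audit_xap(xap_bytes):
    """List the capabilities a XAP declares and which of them are flagged."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        manifests = [n for n in xap.namelist()
                     if n.replace("\\", "/").split("/")[-1].lower() == "wmappmanifest.xml"]
        if len(manifests) != 1:
            raise ValueError("expected exactly one WMAppManifest.xml, found %d" % len(manifests))
        caps = capabilities_from_manifest(xap.read(manifests[0]))
    return {"capabilities": caps, "flagged": sorted(set(caps) & FLAGGED)}


if __name__ == "__main__":
    print(audit_xap(build_sample_xap(SAMPLE_MANIFEST)))
```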
GoodDayToDie said:
> ID_CAP_INTEROPSERVICES is a Windows Phone app "capability" flag that tells the OS to allow the app to access (specifically, create handles to) drivers by device name. Each OEM includes one or more drivers in their ROMs which support these operations...
> were made possible by OEM-provided COM DLLs.
Thanks for the explanations!
Basically I don't see any app using ID_CAP_INTEROPSERVICES in the 820.ffu/nokia820 image (having it in the manifest). Am I missing something?
As far as I understand, if we don't have ID_CAP_INTEROPSERVICES we can't load or properly use OEM-provided COM DLLs? (not enough rights) Am I right?
NB: can anybody suggest such a COM DLL (name) to explore (as an example) from WP8? (As I understand, there are no such DLLs in the WP8 x86 emulator from the SDK?)
Thanks again!
smx06 said:
> Thanks for the explanations!
> Basically I don't see any app using ID_CAP_INTEROPSERVICES in the 820.ffu/nokia820 image (having it in the manifest). Am I missing something?
> As far as I understand, if we don't have ID_CAP_INTEROPSERVICES we can't load or properly use OEM-provided COM DLLs? (not enough rights) Am I right?
> NB: can anybody suggest such a COM DLL (name) to explore (as an example) from WP8? (As I understand, there are no such DLLs in the WP8 x86 emulator from the SDK?)
> Thanks again!
If you want to see an OEM app which uses ID_CAP_INTEROPSERVICES, look at this: https://rapidshare.com/files/4165178711/825962362f3144b7a1115d0bb6a3935b.xap It's an app from the Nokia RM860 with product code 059r225 in ncs. This XAP file also uses some other caps, which a "normal" developer can't access.
If we don't have this (or other) capabilities, our app runs in a sandbox and can't access system features, such as the file system...
If you want to see a COM DLL, download an FFU file, mount it with this and then go to the windows/system32 directory.
gipfelgoas said:
> If you want to see an OEM app which uses ID_CAP_INTEROPSERVICES, look at this: https://rapidshare.com/files/4165178711/825962362f3144b7a1115d0bb6a3935b.xap
> If you want to see a COM DLL, download an FFU file, mount it with this and then go to the windows/system32 directory.
Thanks for the XAP! (If you have done some research on it, that would also be great, to start from already explored stuff.)
About COM DLLs, I don't mean the ordinary ones (which I can see in /system32/ of the WP8 SDK emulator or /system32/ on my phone), but those DLLs (or +drivers?) which are used by ID_CAP_INTEROPSERVICES apps (to do something like reg writing, FS access, etc.)
Thanks!
On WP7, COM DLLs were needed to access the drivers (because WP7 apps couldn't use C++ directly and don't have APIs to wrap CreateFile (for getting the driver handle) or DeviceIoControl (to call IOCTLs)). On WP8, COM DLLs (or something like them) may or may not be used; I think it's possible to do what needs to be done using the official C++ SDK but I haven't checked.
In any case, the COM DLLs were just wrappers around the driver IOCTLs. The drivers are the ones that do all the heavy lifting, because they're the things that have the required permissions. Also, I guarantee you that there are some high-permission drivers on the Lumias; you can't do an app like the storage checker/cleanup or whatever it is without them. That requires filesystem access well in excess of what an app is normally allowed to have.
GoodDayToDie said:
> Also, I guarantee you that there are some high-permission drivers on the Lumias; you can't do an app like the storage checker/cleanup or whatever it is without them. That requires filesystem access well in excess of what an app is normally allowed to have.
Ok. The simplest way to check is to search for such apps (with interop cap) in the registry (afair all apps are registered there with listed caps).
I shall try on my 820. Also the registry viewer could be useful to search for something else.
But I doubt they really are (as there was nothing similar inside the image).
p.s. And as I understand, there is no chance of finding something like this (DLL or sys) in the WP8 x86 emulator (that could be much easier to review in IDA).
p.p.s. I think all people know that it is possible to mount the vmdk disk of the WP emulator and reverse all system modules (x86).
I know that during the installation process, xaps are scanned for any "illegal" capabilities in the WMAppManifest.xml file. Does anyone know what purpose this file serves after an xap has been installed on the device?
My thought is this:
Install an app with a non-elevated WMAppManifest.xml. Then when you launch the installed app, it updates the xml file with additional capabilities (Interop Services, for example) and exits. Then when the app is relaunched, it will have access to the new capabilities in the xml file?
What do you guys think? Has this been done before? Is that xml file only used during installation?
compu829 said:
> I know that during the installation process, xaps are scanned for any "illegal" capabilities in the WMAppManifest.xml file. Does anyone know what purpose this file serves after an xap has been installed on the device?
> My thought is this:
> Install an app with a non-elevated WMAppManifest.xml. Then when you launch the installed app, it updates the xml file with additional capabilities (Interop Services, for example) and exits. Then when the app is relaunched, it will have access to the new capabilities in the xml file?
> What do you guys think? Has this been done before? Is that xml file only used during installation?
I think I tried this way and the app returned a failure error.
I'm sure that any app has to have its capabilities checked during installation, but at launch time I don't know whether the phone checks caps again or not.
The best way to test is changing this file on an interop-unlocked, full-FS phone and seeing the reaction.
Caps are written to package manager database & global account database. WMAppManifest isn't used after installation is finished.
Yeah, this method was tried long, long ago.
Besides, even if it worked and the file was checked later, all that would mean is that you couldn't launch the app anymore. The capabilities-vs.-unlock-level appears to be checked at every startup, not just at install.
@GoodDayToDie @ultrashot I figured as much, thanks for the info.
On a semi-related note, I just received a completely different HTC 8x (T-Mobile branded) back from HTC (5th time in for repair). If this one really works, maybe I can have some fun with my Lumia 521 and/or try to figure out how to unbrand/mod the 8x. I really want to add WiFi calling to the 8x, but I need to add some certs, a missing dll, and some reg keys.
So at last I permanently interop unlocked my Lumia 525 and am still able to install the Windows 10 update.
Thanks to
@vcfan for the tip that we can add interop unlock files in any .reg files in the windows\packages\registryfiles folder and also for his live interop unlocker... (BTW after modifying my software.reg and interop unlocking my phone I am still able to install Windows 10)
@WojtasXda for the additional_entries.reg file which I used to unlock my phone
And others...
BTW @vcfan I've attached my software.reg file which I used to interop unlock my phone. Can you add the additional capabilities unlock that you unlocked by your app, other than those unlocked by WojtasXda?
OTHERS DON'T USE THIS BECAUSE THIS IS NOT A TUTORIAL OF PERMANENT INTEROP UNLOCKING LUMIA 525 OR ANY OTHER PHONES
IF YOU USE THIS THEN I'M NOT RESPONSIBLE FOR ANYTHING THAT HAPPENS TO YOUR PHONE
Hi there, great discovery. I am also a user that has one of the phones that have the OEMSettings.reg file read-only, and I have been trying to add the lines to lots of reg files and always got a on hard reset, so I would like to ask if you did a hard reset after editing the software.reg file (you probably did) and if it worked right, and if you are sure you kept your interop unlock after the reset?
Ranomez said:
> Hi there, great discovery. I am also a user that has one of the phones that have the OEMSettings.reg file read-only, and I have been trying to add the lines to lots of reg files and always got a on hard reset, so I would like to ask if you did a hard reset after editing the software.reg file (you probably did) and if it worked right, and if you are sure you kept your interop unlock after the reset?
Thnx dude and ya same thing happened to me 5 days ago when I tried to modify the language.reg files and failed but today when I used the software.reg file it worked
@souma_rox , im happy you got it working. sorry, I've been busy with another project so I didn't have enough time to try all the different files and see which one is the optimal one to use, but im glad you've found it.
im attaching a text file with all the reg entries to unlock all the capabilities that are programmed in a stock wp 8.1 rom. also included are some other tweaks such as full fs access.
vcfan said:
> @souma_rox , im happy you got it working. sorry, I've been busy with another project so I didn't have enough time to try all the different files and see which one is the optimal one to use, but im glad you've found it.
> im attaching a text file with all the reg entries to unlock all the capabilities that are programmed in a stock wp 8.1 rom. also included are some other tweaks such as full fs access.
so if i just paste all of these lines at the end of software.reg file like the additional_entries.reg file of wojtas it will work right?????
souma_rox said:
> so if i just paste all of these lines at the end of software.reg file like the additional_entries.reg file of wojtas it will work right?????
it should as these are the exact entries my app appends to the end of OEMSettings.reg for the permanent unlock, and that works.
will this work on a 520 from at&t?
@vcfan it seems the lines you provided prevent the phone from getting updated to Windows 10 Mobile, the phone always getting stuck in the update and requiring a re-flash of the ROM. On the other hand, the lines @WojtasXda provides for his ROM Rebuilder seem to work just fine. Do you happen to know what lines might cause that?
Also sorry for posting so late but I didn't want to post before testing everything (slow and fast ring) and also trying to remove the full mtp access lines from your file, it seems to not be related to that.
I updated to wm10 after vcfan permanent interopunlock.... 3 times I used vcREG templates.
augustinionut said:
> I updated to wp10 after vcfan permanent interopunlock.... 3 times I used vcREG templates.
So the file "C:\Windows\Packages\RegistryFiles\OEMSettings.reg" is kept as is when updating the phone? From 8.0 to 8.1, too?
I think so...
The files run in Lumia 520
??
thanks..
i just replace the reg file of my stock rom with this reg file..but nothing happened..
Riyad_ said:
> i just replace the reg file of my stock rom with this reg file..but nothing happened..
I think that only works with live unlock.
Rivo17 said:
> I think that only works with live unlock.
No bro... I just interop unlocked my phone again, though I tried so many times. Finally I got this. All I have to do is just unlock the bootloader of my phone with the sbl3 partition. Then in mass storage mode I get the software.reg file from that, then I modified the file with capabilities, then put the file back in my mass storage, then reset my phone and it works... I will write a tutorial on this soon.
Hi,
I've been able to use vcREG 1.5 on a 950XL to execute any exe file via services.exe, except it's getting stopped by Code Integrity. That's also why putting older NdtkSvc.dll doesn't work on the newer phone (aside from the fact that it has to be in c:\windows). I thought oh maybe any valid arm executable signed by microsoft would be enough, so I copied some executables from the Raspberry Pi Windows 10 IoT image, but I could only get them to run inside the app sandbox because they weren't in the system catalog :'(
Example:
21-March-2016 15:04:08.339601 0x000003D4 0x00000F88 Verbose Microsoft-Windows-CodeIntegrity Code Integrity completed validating file hash. Status 0xC0000428.
21-March-2016 15:04:08.339631 0x000003D4 0x00000F88 Error Microsoft-Windows-CodeIntegrity Code Integrity determined that a process (\Device\HarddiskVolume37\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume39\WPSystem\ftpd.exe that did not meet the Windows signing level requirements.
So now the trick is to find an executable on the system that currently exists, that can be used to gain further access... I've been trying various things like OOBE stuff etc without any luck so far.
Hoping someone else has some ideas... maybe even executing a dll function to import registry from a file or something directly, then we could unlock interop on 950's..
Thanks
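Added example, not part of the post above: a small parser for Code Integrity log lines in the format quoted there, pairing each hash-validation status with the blocked-load error on the same process/thread. It assumes the two hex columns are process and thread IDs; the third sample line and the cross-volume flag are this example's own.

```python
import re

# Constructed sample: the two lines quoted in the post, plus one made-up
# success line on another thread that must not produce a finding.
SAMPLE_LOG = r"""21-March-2016 15:04:08.339601 0x000003D4 0x00000F88 Verbose Microsoft-Windows-CodeIntegrity Code Integrity completed validating file hash. Status 0xC0000428.
21-March-2016 15:04:08.339631 0x000003D4 0x00000F88 Error Microsoft-Windows-CodeIntegrity Code Integrity determined that a process (\Device\HarddiskVolume37\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume39\WPSystem\ftpd.exe that did not meet the Windows signing level requirements.
21-March-2016 15:04:09.000000 0x000003D4 0x00000F90 Verbose Microsoft-Windows-CodeIntegrity Code Integrity completed validating file hash. Status 0x00000000.
"""

# Assumption: the two hex columns are process ID and thread ID.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<pid>0x[0-9A-Fa-f]+) (?P<tid>0x[0-9A-Fa-f]+) "
    r"(?P<level>\w+) (?P<provider>\S+) (?P<msg>.*)$"
)
STATUS_RE = re.compile(r"Status (0x[0-9A-Fa-f]{8})")
BLOCK_RE = re.compile(
    r"a process \((?P<proc>.+?)\) attempted to load (?P<image>.+?) that did not meet"
)
VOLUME_RE = re.compile(r"^\\Device\\(HarddiskVolume\d+)\\")

NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000428: "STATUS_INVALID_IMAGE_HASH",
}


def find_blocked_loads(log_text):
    """Return one finding per image load that Code Integrity rejected."""
    last_status = {}  # (pid, tid) -> most recent hash-validation status
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["provider"] != "Microsoft-Windows-CodeIntegrity":
            continue
        key = (m["pid"], m["tid"])
        status = STATUS_RE.search(m["msg"])
        if status:
            last_status[key] = int(status.group(1), 16)
            continue
        blocked = BLOCK_RE.search(m["msg"])
        if not blocked:
            continue
        code = last_status.pop(key, None)
        proc_vol = VOLUME_RE.match(blocked["proc"])
        image_vol = VOLUME_RE.match(blocked["image"])
        findings.append({
            "time": m["date"] + " " + m["time"],
            "process": blocked["proc"],
            "image": blocked["image"],
            "status": None if code is None else "0x%08X" % code,
            "status_name": NTSTATUS_NAMES.get(code, "unknown"),
            # Heuristic of this example: image lives on a different volume
            # than the process that tried to load it.
            "cross_volume": bool(proc_vol and image_vol
                                 and proc_vol.group(1) != image_vol.group(1)),
        })
    return findings


if __name__ == "__main__":
    for finding in find_blocked_loads(SAMPLE_LOG):
        print(finding)
```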
Great work
maybe you can MTP your 950/950xl and look for the files in the \windows folder
micheal
Can you tell me how to execute an exe via services.exe? Thanks
naiple said:
> Can you tell me how to execute an exe via services.exe? Thanks
use vcREG1.5 to edit HKLM\SYSTEM\ControlSet001\Services\NlpmService\ImagePath
Change it to whatever executable you want, reboot and it will run as LOCAL SYSTEM, provided that it is signed correctly.
NOTE: Changing this will stop your Glance screen from working, so take note of the original value and restore it after you are done if you use glance.
megasounds said:
> Great work
> maybe you can MTP your 950/950xl and look for the files in the \windows folder
> micheal
Actually using MTP isn't the best thing for that, because you are missing out on more than half of the available executable files as they are not viewable via MTP on 950/XL due to permissions. It's best to mount the FFU image and look around that way.
I have already looked and tested most of them, thus why I was asking if anyone else had some ideas.
darkfires said:
> use vcREG1.5 to edit HKLM\SYSTEM\ControlSet001\Services\NlpmService\ImagePath
> Change it to whatever executable you want, reboot and it will run as LOCAL SYSTEM, provided that it is signed correctly.
> NOTE: Changing this will stop your Glance screen from working, so take note of the original value and restore it after you are done if you use glance.
Thanks! I will try it on my lumia
darkfires said:
> use vcREG1.5 to edit HKLM\SYSTEM\ControlSet001\Services\NlpmService\ImagePath
> Change it to whatever executable you want, reboot and it will run as LOCAL SYSTEM, provided that it is signed correctly.
> NOTE: Changing this will stop your Glance screen from working, so take note of the original value and restore it after you are done if you use glance.
I can't find NlpmService because my Lumia 730 doesn't have a Glance screen... Is there any other way to run an exe?
naiple said:
> I can't find NlpmService because my Lumia 730 doesn't have a Glance screen... Is there any other way to run an exe?
I only decompiled the NdtkSvc on 950XL, the one on 730 might be different. But to answer your question there is only one other way, and it will kill USB so you won't be able to connect to it via PC at all until you reverse the change. If you post your NdtkSvc.dll I can check it for you.
HKLM\SYSTEM\ControlSet001\Services\NokDeviceHubSvc\ImagePath
darkfires said:
> I only decompiled the NdtkSvc on 950XL, the one on 730 might be different. But to answer your question there is only one other way, and it will kill USB so you won't be able to connect to it via PC at all until you reverse the change. If you post your NdtkSvc.dll I can check it for you.
> HKLM\SYSTEM\ControlSet001\Services\NokDeviceHubSvc\ImagePath
Ahh, I found the NlpmService. Don't know why I couldn't find it yesterday... And if you need anything (unlocked bootloader, UEFI...) from the 730 or 540 I can post it; both are prototypes and can enter massStorage. Hope I can help you. Thank you for the answer.
naiple said:
> Ahh, I found the NlpmService. Don't know why I couldn't find it yesterday... And if you need anything (unlocked bootloader, UEFI...) from the 730 or 540 I can post it; both are prototypes and can enter massStorage. Hope I can help you. Thank you for the answer.
I'm trying to do something different and I found this topic so if you still have these devices can you extract NlpmService.dll file from System32 and upload it here for me?
So I want to access the root files under /data/data/~ and modify the files to my liking (delete/rename/etc), is that possible? I've tried a number of file explorers and they don't even let me view the files that are in it, let alone modify them.
SnipeySnake said:
> So I want to access the root files under /data/data/~ and modify the files to my liking (delete/rename/etc), is that possible? I've tried a number of file explorers and they don't even let me view the files that are in it, let alone modify them.
As far as I know you cannot access root files and/or modify them without rooting your device.
DiMilo said:
> As far as I know you cannot access root files and/or modify them without rooting your device.
Even having a KNOX license won't work?
SnipeySnake said:
> Even having a KNOX license won't work?
I don't really know about Knox licence but my guess is that since file management and access isn't just Knox's matter in the first place but rather the whole android's system matter you won't be able to access sensitive files even if you have that license.
But anyway that is just my guess.