Database Users

Trusted Applications on WM5

Hello,
I have problems with different applications under Windows Mobile 5.0. When i try to run them i get the following error.
Code:
The file 'foo' cannot be opened. Either it is not signed with a trusted certificate, or one of its components cannot be found. You might need to reinstall or restore this file.
Is there anyway of disabling the checks for trusted applications in Windows Mobile 5.0 on the Wizard?
Does this help? (From Windows Mobile Blog)
Code:
This post will be a quick reference to the application security model in WM 2005. I'll gloss over some fine details in order to cover the broad points.
For CreateProcess() or running any executable
First, examine the signature on the binary. The three possibilities are that it is signed privileged, signed unprivileged, or unsigned. (determined by checking the Authenticode signature)
If signed by cert that chains to Privileged Execution Authorities store:
App runs privileged(CeGetCurrentTrust() == 2)
Else if signed by cert that chains to Unprivileged Execution Authorities store:
If device is one-tier (policy 4123 == 1)
App runs privileged.
else (two-tier)
App runs unprivileged. (CeGetCurrentTrust() == 1)
Else if app is unsigned
If unsigned apps are blocked (policy 4102 == 0)
App fails to load. (returns NTE_BAD_SIGNATURE).
Else if the device prompts, and the prompt times out or the user presses No
App fails to load.
Else if we are configured not to prompt (policy 4122 == 1) or the user accepts the prompt
If device is one-tier
App runs trusted.
else (two-tier)
App runs untrusted.
Greetings,
Brezel

This is from the wiki. It works on the Universal, should work on WM5 generally I guess:
Code:
Allow the unsigned app from installing for everything.
HKEY_LOCAL_MACHINE\Secutiry\Policies\Policies] Change value 0000101a from 0 to 1
Do a soft reset.
I think that's just for installing, not running. Tell me if it works.
V

On my Wizard that key already has a value 1, perhaps I should change it to 0 to get this effect? have no app to install right now, but will try if I install next time.

because..
..wizard has much older version of ROM than Universal. The old ROMs of Universal has the value 1 too..

I changed the following registry values
Code:
HKLM\Security\Policies\Policies\00001001 = 1 (RAPI)
HKLM\Security\Policies\Policies\00001005 = 40 (Cert)
HKLM\Security\Policies\Policies\00001017 = 144
HKLM\Security\Policies\Policies\0000101B = 1
HKLM\Security\Policies\Policies\0000101B = 0
HKLM\Security\Policies\Policies\00001006 = 1
Those values change nothing at all. The only difference is that i am not asked to allow installation of non certified applications. My problem, however, is not the installation, which works, but the application. Whenever i try to run it i get the error mentioned above. It is just not possible to run certain applications without certificate.
Greetings,
Brezel

I got the exact error and have asked for help on this forum and on HowardForum without any luck

You could re-sign the application using your own code signing certificate and add your certification authority certificate to trusted root certificate authorities on your WM5 device. :wink:

V-Ger said:
You could re-sign the application using your own code signing certificate and add your certification authority certificate to trusted root certificate authorities on your WM5 device. :wink:
Click to expand...
Click to collapse
I tried this, but without success. I already have my own root cert installed on the device (for SSL Activsync) and that works fine, but the app still won't work as a "signed app" :-(
Have you got this working?

Yes I tried it and it works!
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
2. Download and Extract code signing tools:
http://ftp.intron.ac/pub/security/raw/codesigningx86.exe
3. Run signcode.exe on WM5 executable file using the certificate you created earlier.
4 Copy executable file to WM5 device

V-Ger said:
Yes I tried it and it works!
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
2. Download and Extract code signing tools:
http://ftp.intron.ac/pub/security/raw/codesigningx86.exe
3. Run signcode.exe on WM5 executable file using the certificate you created earlier.
4 Copy executable file to WM5 device
Click to expand...
Click to collapse
I did create a code-signing cert in Certsrv, but I must have cocked something up. I will try again this afternoon and let you know.
Thanks for the help

V-Ger said:
Yes I tried it and it works!
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
2. Download and Extract code signing tools:
http://ftp.intron.ac/pub/security/raw/codesigningx86.exe
3. Run signcode.exe on WM5 executable file using the certificate you created earlier.
4 Copy executable file to WM5 device
Click to expand...
Click to collapse
Ok, this is what I did (and it still didn't work):
1) Installed my own trusted-root CA onto my Mini S by opening the .cer file. This bit definately works as I'm able to sync my email with Exchange over SSL and this doesn't work unless the correct root cert is installed
2) Added a code-signing template in certservices with default settings. (Custom templates are not allowed in my Windows Std edition :-( )
3) Using IE, create a code-signing cert with default settings. Also export the private keys into a PVK file.
4) Using cert2spc, convert the cer file to an spc file
5) run signcode -spc cert.spc -v privkeys.pvk filetosign.exe ("Result successful with warning about file not being timestamped)
6) Copy .exe to device and run - still whinges about unknown publisher
Bah. Any suggestions as to what I'm doing wrong?
Daern

I have the same very irritating problem.
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
How do I do that ?

daern said:
V-Ger said:
Yes I tried it and it works!
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
2. Download and Extract code signing tools:
http://ftp.intron.ac/pub/security/raw/codesigningx86.exe
3. Run signcode.exe on WM5 executable file using the certificate you created earlier.
4 Copy executable file to WM5 device
Click to expand...
Click to collapse
I did create a code-signing cert in Certsrv, but I must have cocked something up. I will try again this afternoon and let you know.
Thanks for the help
Click to expand...
Click to collapse
Ah. More success now. I've switched to using "signtool.exe signwizard" and that has enabled me to get it working...

daern said:
Ah. More success now. I've switched to using "signtool.exe signwizard" and that has enabled me to get it working...
Click to expand...
Click to collapse
Bugger. Too quick off the mark. It's still not working. Arrrrrgh!

easycure1974 said:
I have the same very irritating problem.
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
How do I do that ?
Click to expand...
Click to collapse
[WIN2k3 Server]
START/All Programs/Administrative Tools/Certification Authority
SERVER/Certificate Templates/New/Certificate Template to Issue
http://servername/certsrv
-Request a Certificate
-advanced certificate request
-Create and submit a request to this CA
-Certificate Template: Code Signing
[leave default settings]
-SUBMIT

Thank you - shall try and if that could help me solve this annoying problem !

V-Ger said:
Yes I tried it and it works!
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
2. Download and Extract code signing tools:
http://ftp.intron.ac/pub/security/raw/codesigningx86.exe
3. Run signcode.exe on WM5 executable file using the certificate you created earlier.
4 Copy executable file to WM5 device
Click to expand...
Click to collapse
Are you *absolutely* sure that this works? I am now sure that I am doing this right, but I don't believe that apps signed against a certificate that only exists in the public root store (i.e. the one used for SSL connections) will be accepted as "valid". I've tried every way I can think of getting this to work, but with no success :-(
When I posted to say that it was working, what I actually saw was PPC recognising a file with a different file name, but the same CRC as a file that I had already said "Yes, I know it's unsigned. Run it anyway". Even though the new file was a different name, WM2005 ran it anyway without comment, as it assumed (correctly) that it was the same file with a different name... As I haven't yet found a way to make WM2005 forget the exes that I have accepted (I assume it's in the reg somewhere) I have now resorted to recompiling the same exe each time, but with different resource data, thus ensuring it's always different!
What device are you using to test this? I wonder if your derivative of the HTC Wizard has different certs installed than mine (UK O2 XDA Mini S)
Would it be possible for you to send me a sample .exe and your own root cert for me to test on my device. At least then I'll know if it's my device or my technique that is causing me problems ;-)
Thanks
Daern

Yes, I am positive it works. I am using Universal (Qtek 9000), but that shouldn't make any difference.

Besides the error message after each soft reset.
I can still install many software and use it smoothly.
Haven't seen any other problem yet.
What is the certificate about?

At the risk of appearing as a heretic..is there any way that this problem (which I get when clicking on any hyperlink) is related to the SdkCerts.CAB installed as part of ozVGA?
Dumb idea I know however I have no idea of what that CAB did. Can I somehow remove its effects just to prove it isn't the cause? ..hope this isn't off topic.
J

Ignoring certifications

Is there a way via registry editing or otherwise to set up a device to ignore the requirement to have certified dll's and executables.
This would be temporary just for trying out programs extracted from other roms without having to worry about certifying everything just to see if it works.
Thanks

the policies that control this can be viewed here:
http://msdn.microsoft.com/library/d.../wce51conwindowsmobiledevicesecuritymodel.asp
the "unsigned applications policy" should already be 1.
change the "Unsigned Prompt Policy" to 1 also. I.e. change the following registry entry to 1.
HKLM\Security\Policies\Policies\101a
Note that the web page says that this policy is 4122, but 4122 is 101a in hex.
You may also want to set "unsigned cabs" to 16
(HKLM\Security\Policies\Policies\1005 to 16)
Also, this will not work for drivers that are loaded during booting. I'm pretty sure they must be signed. It's not that difficult to create a certificate, install it on your device, then sign the driver dll so it will work.
you can also change this using the "SecurityPolicy Configuration Service" see
http://msdn.microsoft.com/library/d...lesdk5/html/wce51samsettingsecuritypolicy.asp

Thanks a bunch! good info.

Auto updates of software - how to?

Hi,
I need auto update functionality for my application. I.e., the new exe/dll shall be downloaded by GPRS and existing program files shall be replaced. Now I wonder, how this could be done in an easy way.
The problem is, that the application is continuously running and updates shall be done more or less "on the fly". Currently, the application is automatically started on boot through registry settings in HKLM/init
So my idea was the following: Creating a "starter programme" for the application: When the device (HTC ARTEMIS) is booted, the starter programme is first launched (through HKLM/init), looks into a pre-defined directory if there are any files. If there are, these files are copied into the directory of the application. Afterwards, the starter programme launches the main application. Do you think that could work? Or are there any better ways (maybe even supported by the OS) to perform SW-updates?
Günther

I have auto update functionality in my commercial application.
1) When data is replicated to server, main appliation also check availability of new version. If new version is available a and upgrade is mandatory, application launch new process - updater.exe.
2) Updater waiting to main application correct exit (saving data on dirty forms etc.)
3) After main application exit updater download new version descriptor (list of files with targer location, install scripts (dll with well known special interface which can be used for many special tasks - create shortcuts, delete file, modify registry, install new certificate). Updater downloads all files, process install scripts and then launch main application again. New install CAB file is usually stored to extended ROM (autoinstall after HARD Reset).
As a server component is used web service with some methods (GetDescriptor, DownloadFile).

ma_gu said:
Hi,
I need auto update functionality for my application. I.e., the new exe/dll shall be downloaded by GPRS and existing program files shall be replaced. Now I wonder, how this could be done in an easy way.
The problem is, that the application is continuously running and updates shall be done more or less "on the fly". Currently, the application is automatically started on boot through registry settings in HKLM/init
So my idea was the following: Creating a "starter programme" for the application: When the device (HTC ARTEMIS) is booted, the starter programme is first launched (through HKLM/init), looks into a pre-defined directory if there are any files. If there are, these files are copied into the directory of the application. Afterwards, the starter programme launches the main application. Do you think that could work? Or are there any better ways (maybe even supported by the OS) to perform SW-updates?
Günther
Click to expand...
Click to collapse
Seems to be a good idea. This way, you can update the application while it's running and changes become active when the device is rebooted or the application is exited and started again. It's just excellent.
My needings were more simple, so the update feature I designed works as following:
1. The program is divided into a launcher, an updater library and the true application.
2. When the program is started, the launcher copy the update library call such a copy (just call it updlibcpy).
3. updlibcpy uses http to check if an update is available. The check is performed by downloading an "update manifest" containing the MD5 hash of each file of the updated application and checking it against the MD5 hashes of the current program files.
4. If one or more files need to be updated, updlibcpy does the task. Since only updated files are downloaded, no bandwidth is wasted. The only file that cannot be updated is the launcher, but it is so simple that it should never need an update.
5. When updlibcpy has ended, the control is passed back to the launcher, which invokes the true application executable.
The main difficulty was handling the high packet loss that the HTC devices I used has shown. This caused frequent application hang-ups during start-up, unless the GPRS connection was terminated and started again. Once I solved this problem by giving a timeout to the update (using threads), all worked perfectly.
The only improvement I'm thinking about is some sort of "transactionality" of the update, so that if one file updates correctly while another doesn't, the succesfully updated files roll back to the not updated version.

Xtrons Android 8.1 HU - Remote Access Via AnyDesk?

Hello - I have a very specific remote access requirement, however I’m a total novice with regards to Android. I wanted to provide the instructions I have been given to see if anyone in the know could simply summarise or advice how I can achieve this please?
I need remote access of my Android 8.1 Xtrons HU however am finding that all Android Apps fail to allow ‘clicking’ when accessing the device remotely (ie. TeamViewer/ VNC install and allow a connection, however ‘clicking’ can not be done remotely). I believe this could be a security and/or accessibility issue/function, however the closest solution I have found has been advised by both the App publisher and the Xtrons support team below.
Although technical, I don’t know what the exact steps are, or if this approach will even work, however I wanted to post it here to see if anyone could make sense of it please?
Advise from Xtrons (HU Manufactuer):
"After entering "adbon "in the factory set and opening ADB ,you can apply on the machine by yourself directly."
Advice from AnyDesk Development Team:
"For the manufacturer of the Android's ROM there is a process to get the APK signed, so that remote control for that ROM is possible.
This is our Control Plugin Creation Process:
1. Run AnyDesk on the destination device and send the trace file to [email protected]<mailto:[email protected]> or as reply to this mail.
- Open Anydesk on Android
- Open the menu
- Open about panel
- Click on: Send Support Information
2. Please tell us the name you would like for your plugin and whether you want it to be available in the app store.
3. We can extract the system signature hash from the trace files and will build a plugin for this system.
4. We will send you this plugin APK file.
5. You have to sign the plugin with the platform key of your ROM.
apksigner sign --ks YOUR_PLATFORM_KEY_STORE --out YOUR_ANYDESK_PLUGIN-signed.apk YOUR_ANYDESK_PLUGIN-unsigned.apk
6. Send us the signed plugin back.
7. If possible provide us with one of your devices for testing.
8. We will send you the updated anydesk.apk for testing, you will have to install the updated anydesk.apk as well as the signed plugin manually on the test device.
9. After your ok we will publish it with our next android release.
10. Once the plugin and the updated AnyDesk app are released, your devices can be remote-controlled by AnyDesk."

Install Unsigned APPX / UWP

Hi,
Situation \ Case
I was facing a problem with some apps because some of them
Without certificate or expired
The minimum target system is higher than my system
Related Errors
Failure text: A Prerequisite for an install could not be satisfied
The app package must be digitally signed for signature validation
Solution
Export Signed Certificate with private key
Open Manage Computer Certificates by searching for it in Start Menu
Find any certificate with long expiry date in the available folders, you may start with
Personal
Only the certificate with key icon will work so be sure there is a key icon at the top-left corner
Right Click-> Tasks -> Export
Click Next -> Choose "Yes, export the private key"
Click Next -> Keep the options as it is
Click Next -> Activate Password Option -> Enter any password you need
Click Next -> Select Any Location to save the certificate
Click Next -> Review -> Finish
Why you need this certificate?
When you edit any appx file using the MSIX Tool you will lose the original certificate
also this certificate will be helpful to install any appx with expired certificate.
(If you didn't find any certificate let me know)
On your PC
Download and install MSIX Packaging Tool
https://www.microsoft.com/en-us/p/msix-packaging-tool/9n5lw3jbcxkf​​Prepare your appx:
Some times your app could be packed as appxbundle
In this case just open the file using 7-Zip or any archive software
Extract the appx that Named at the end "ARM" (based on your system)
Exam. extract APP.UWP_2.1.0.0_ARM.appx
If you sure that you have the right file which is for "ARM" and ".appx" Move To the next step
Edit the package using MSIX Packaging Tool:
Select "Package Editor"
Select Your appx file
Assign new certificate
In "Signing preference" Select Sign with a certificate (.pfx)
Select the certificate and enter the password
Edit Manifest file
Scroll Down and click on "Open file" In "Manifest file"
A Text Editor will appear with the Manifest file content
You will edit "MinVersion" value Inside "TargetDeviceFamily"
Set MinVersion="10.0.1.0" (Lower than you device target absolutely)
Save the changes and close the file
The changes will be assigned automatically to package
Click Save -> Choose to keep the same version or to Increase it
Now before you save change the extension from "msix" to "appx"
Done.
Installing
To Install the appx you need to install the same certificate (assigned by MSIX tool) before.
On mobile: Just open the certificate, click install.
On PC:
Open the certificate
Click "Install Certificate"
Select "Local Machine" then click "Next"
Select "Place all the certificates in the following store"
Click "Browse"
Select "Trusted People" then click "OK"
Click "Next" then click "Finish"
Hope this will help.

@astifan Thank you for this. Do you think i will be able to install PC UWP apps on Mobile using this ? For example i want to install Slack on my Lumia 950 with Latest Jan 2020 Update,

warriorvibhu said:
@astifan Thank you for this. Do you think i will be able to install PC UWP apps on Mobile using this ? For example i want to install Slack on my Lumia 950 with Latest Jan 2020 Update,
Click to expand...
Click to collapse
Most welcome , sadly no you can't, the app should for ARM devices only and desktop apps only for x86-x64
You can force it to install by change the architect in "Manifest file" from x86-x64 to arm but it will not work for sure

astifan said:
Most welcome , sadly no you can't, the app should for ARM devices only and desktop apps only for x86-x64
You can force it to install by change the architect in "Manifest file" from x86-x64 to arm but it will not work for sure
Click to expand...
Click to collapse
Yeah true, I was hoping that they already have them arm ready with all Windows X news and now it seems that not coming anymore. Such amazing OS (Windows Phone) just wasted.

warriorvibhu said:
Yeah true, I was hoping that they already have them arm ready with all Windows X news and now it seems that not coming anymore. Such amazing OS (Windows Phone) just wasted.
Click to expand...
Click to collapse
Right, Microsoft wasted many important projects for no reason
If you are looking for real PC experience and you are not using you phone as main phone
try to flash one of the recent builds from WOA project
Release Version 2105.22 · WOA-Project/Lumia-Drivers
Lumia Drivers BSP - Version 2105.1 Released: 05/08/2021 11:00 PM UTC+2 Quality: Preview Important installation notes Please make sure your battery is fully charged before installing this driver pa...
github.com
Now it's really good and provide better performance
+Disabling Windows Defender will solve a lot of performance issues.
or check this channel for Fadil Fadz which contains many good solutions to use WOA even boot from SD card if you want to keep your W10M

Than you for sharing i recently bought Lumia 950 for experimentation and projects .. Only challenge is i heard WOA is performing extremely poorly on Lumia 950, Nevertheless worth a try. I will take up that project today and keep you posted.

@astifan So I went through the cycle of flashing Windows 10 and getting all the updates. I even got 21H1 feature update. Sadly its very slow and unusable.
I also tried multiple methods to try to retain Windows Phone and still keep development / developer menu but was unsuccessful.
Do you know how I can flash just the developer / development Menu that lets me booth into USB Mass storage Mode without Flashing the whole WOA. Sorry if its common knowledge or dumb question.
A link to WOA SD Card Installer will also help.

I cannot find any certificate, could you share some?

Rechard Jack 1229 said:
I cannot find any certificate, could you share some?
Click to expand...
Click to collapse
Use the attached certificate,
Password: w10mgroup

astifan said:
Use the attached certificate,
Password: w10mgroup
Click to expand...
Click to collapse
Thank you. I will try it.