Goodbye S60 Platform Security, Hello CAPABILITIES!
Somebody asked about the .sisx file installation restrictions (aka Platform Security), so here's a similar solution for that. It's a similar hack to the MIDlet permissions one; see the previous entry for how to run the updater first and where the image files are kept.
The S60 ROM image contains a policy file, SWIPOLICY.INI, which the software installer uses to enforce capability and signature requirements when a package is installed. Luckily, it lets you define the user-grantable capabilities easily, and the format is documented. The offset of SWIPOLICY.INI varies from image to image, so this is not a complete solution: it does not take flash sector data or any firmware integrity checks into account, and you had better know what you are doing before flashing the result.
At offset 28251550 of the image, this is the content of SWIPOLICY.INI on my phone:
AllowUnsigned = false
MandatePolicies = false
MandateCodeSigningExtension = false
Oid = 1.2.3.4.5.6
Oid = 2.3.4.5.6.7
DRMEnabled = true
DRMIntent = 3
OcspMandatory = false
OcspEnabled = true
AllowGrantUserCapabilities = true
AllowOrphanedOverwrite = true
UserCapabilities = NetworkServices LocalServices ReadUserData WriteUserData UserEnvironment
AllowPackagePropagate = true
SISCompatibleIfNoTargetDevices = false
RunWaitTimeoutSeconds = 600
AllowRunOnInstallUninstall = false
DeletePreinstalledFilesOnUninstall = true
AlternativeCodeSigningOID = 1.3.6.1.4.1.94.1.49.1.2.2.1 1.3.6.1.4.1.94.1.49.1.2.2.5
PhoneTsyName = phonetsy
Note the UserCapabilities field. On my phone this fragment is exactly 648 bytes, so the new policy has to fit into exactly that many bytes. Keep the original's line endings when you edit it (the hex-editor dump in the comments renders every line ending as two non-printing bytes, i.e. CRLF).
First, extract the original text with dd. Replace the skip offset and the byte count with the values for your image:
dd if=phonemodel.C01 of=some.txt skip=28251550 bs=1 count=648
Next, edit the capabilities you want into the file. If you run out of space, check Symbian's documentation for the defaults; some keys can be removed. For reference, here are my own modest capabilities for self-signed executables. To make room I dropped DRMEnabled, DRMIntent, AllowOrphanedOverwrite, AllowRunOnInstallUninstall and AlternativeCodeSigningOID (I have no idea what the last one does):
AllowUnsigned = false
MandatePolicies = false
MandateCodeSigningExtension = false
Oid = 1.2.3.4.5.6
Oid = 2.3.4.5.6.7
OcspMandatory = false
OcspEnabled = true
AllowGrantUserCapabilities = true
UserCapabilities = AllFiles DiskAdmin NetworkServices LocalServices ReadUserData WriteUserData ReadDeviceData WriteDeviceData UserEnvironment PowerMgmt MultimediaDD TrustedUI ProtServ NetworkControl SwEvent Location SurroundingsDD CommDD
AllowPackagePropagate = true
SISCompatibleIfNoTargetDevices = false
RunWaitTimeoutSeconds = 600
DeletePreinstalledFilesOnUninstall = true
PhoneTsyName = phonetsy
(padded to 648 bytes with empty lines; spaces work too, but do not pad with NUL bytes, which makes the installer report the file as corrupt)
Verify that the result is exactly 648 bytes (or whatever your original was) and then write it back over the same spot in the ROM image. conv=notrunc is required: without it dd truncates the image right after the policy and the firmware is ruined:
dd if=some.txt of=phonemodel.C01 seek=28251550 bs=1 count=648 conv=notrunc
Finally, update the phone with the modified image. After that, self-signed packages get far more capabilities, more in fact than a "standard" developer certificate grants. It even saves some money, because you no longer need to buy an ACS Publisher ID to get the more "sensitive" capabilities. Be warned that not every firmware accepts a modified image: some models apparently verify it and are left unbootable after flashing.
I have verified this hack by compiling an EXE with all of the above capabilities, installing it from a self-signed .sisx and checking RThread::HasCapability() for each of them. And don't worry, WE ARE CERTIFIED!
22 Comments:
I found a following code in my 'rm43_v2.20.008.core':
AllowUnsigned = false..MandatePolicies = false..MandateCodeSigningExtension = false..Oid = 1.2.3.4.5.6..Oid = 2.3.4.5.6.7..DRMEnabled = true..DRMIntent = 3..OcspMandatory = false..OcspEnabled = true..AllowGrantUserCapabilities = true..AllowOrphanedOverwrite = true..UserCapabilities = NetworkServices LocalServices ReadUserData WriteUserData UserEnvironment ..AllowPackagePropagate = true..SISCompatibleIfNoTargetDevices = false..RunWaitTimeoutSeconds = 600..AllowRunOnInstallUninstall = false..DeletePreinstalledFilesOnUninstall = true..
and changed it with (Size is the same)
AllowUnsigned = false..MandatePolicies = false..MandateCodeSigningExtension = false..Oid = 1.2.3.4.5.6..Oid = 2.3.4.5.6.7..OcspMandatory = false..OcspEnabled = true..AllowGrantUserCapabilities = true..UserCapabilities = AllFiles DiskAdmin NetworkServices LocalServices ReadUserData WriteUserData ReadDeviceData WriteDeviceData UserEnvironment PowerMgmt MultimediaDD TrustedUI ProtServ NetworkControl SwEvent Location SurroundingsDD CommDD..SISCompatibleIfNoTargetDevices = false..DeletePreinstalledFilesOnUninstall = true.. ..
During the flashing with NSU there was a sound of plugging out/in the USB device, and flashing stopped.
NSU said to check the connection, and finally, the N91 is dead.
What did I do wrong?
PS: Trying to flash my dead phone :(
Well, as I mentioned, it's not a totally safe operation. Supposedly some firmwares have extra checks for validity. I'll post more details later on.
So if the result is an expensive flashlight, there needs to be some other modification to the runtime checks as well.
Dead phones can be reflashed in Nokia service points, tell them that the NSU failed :-)
This is awesome!
Great work, I had the idea myself to look through the nokia firmware image to enable AllFiles but I had no idea how to actually do it.
Could anyone verify if this works on an N95? There have already been two posts from guys with bricked phones, so I'm not that keen to try it yet. Maybe there is a CRC, but only on N-series phones?
Hello manko,
I'm surprised; AFAIK the firmware content is certified and the device should detect modified firmware.
It would be useful to know which models will accept the modified firmware.
Anyway, you can simply use
UserCapabilities = All
to include the full capability-set.
Hello, when you say self-sign the sis file, it is with a devcert of what?
Very good work.
Self-sign means with a self cert!! A cert created without any particular capability... like the one used for signing themes ;)
BTW, someone following this tutorial can now access the system folders of his N73... :P
http://www.quellicheilcell.it/index.php?s=&showtopic=19040&view=findpost&p=206387
so it works....!!
PS. I've translated your post... you are the best ;)
http://www.quellicheilcell.it/index.php?showtopic=19040
Here's a swipolicy.ini related document:
http://www.symbian.com/developer/techlib/v9.2docs/doc_source/ToolsAndUtilities/Installing-ref/swipolicy.html#Installing%2dref%2eswipolicy%2eini%2dsyntaxsyntax
marco, I'm as surprised as you are.
"UserCapabilities = All" doesn't work, I guess the installer doesn't know what that "All" means :)
I did it on a N80, this was the original file
AllowUnsigned = false
MandatePolicies = false
MandateCodeSigningExtension = false
Oid = 1.2.3.4.5.6
Oid = 2.3.4.5.6.7
DRMEnabled = true
DRMIntent = 3
OcspMandatory = false
OcspEnabled = true
AllowGrantUserCapabilities = true
AllowOrphanedOverwrite = true
UserCapabilities = NetworkServices LocalServices ReadUserData WriteUserData UserEnvironment
AllowPackagePropagate = true
SISCompatibleIfNoTargetDevices = false
RunWaitTimeoutSeconds = 600
AllowRunOnInstallUninstall = false
DeletePreinstalledFilesOnUninstall = true
I replaced it with this
AllowUnsigned = false
MandatePolicies = false
MandateCodeSigningExtension = false
Oid = 1.2.3.4.5.6
Oid = 2.3.4.5.6.7
OcspMandatory = false
OcspEnabled = true
AllowGrantUserCapabilities = true
UserCapabilities = AllFiles DiskAdmin NetworkServices LocalServices ReadUserData WriteUserData ReadDeviceData WriteDeviceData PowerMgmt TrustedUI ProtServ SwEvent Location SurroundingsDD
AllowPackagePropagate = true
SISCompatibleIfNoTargetDevices = false
RunWaitTimeoutSeconds = 600
DeletePreinstalledFilesOnUninstall = true
I downloaded Activefile 1.25, the allfiles unsigned version, and I signed it with a cert from makekeys.exe, and it said "application access not allowed". What have I done wrong?
Thanks
I don't know about ActiveFile, never used that, but I suppose it's from the signed UID range if it also comes as a signed version.
For selfsigning to work, you need to use UIDs from unprotected range, just like Y-Browser does.
Ok, I'll try it. Can you say if my modification of SWIPOLICY.INI is good? (some posts up)
I deleted some capabilities because I didn't have enough space. Is it possible to delete any other default line to set these capabilities too?
Thanks, sorry for my english.
Confirmed on E61 (3.0633.09.04 20-11-06 rm-89).
Added AllFiles capability to Y-browser. Everything works smoothly.
Had a bit of problem modifying swipolicy.ini correctly, got file corrupt error messages from installer. After couple tries got it working.
I just did it with my N76.
Offset is 34566196 for RM135_30.0.015.
Please add conv=notrunc to the dd insert command. Otherwise your resulting firmware image may be (will be?) corrupted.
Not tried to install something so far, but everything went smoothly.
Will be interesting to see if a similar procedure works on my P1i as well...
It worked on E65
Here's my ini file:
AllowUnsigned = true
MandatePolicies = false
MandateCodeSigningExtension = false
Oid = 1.2.3.4.5.6
Oid = 2.3.4.5.6.7
OcspMandatory = false
OcspEnabled = true
AllowGrantUserCapabilities = true
AllowOrphanedOverwrite = true
UserCapabilities = NetworkServices LocalServices ReadUserData WriteUserData UserEnvironment MultiMediaDD NetworkControl CommDD ReadDeviceData WriteDeviceData
SISCompatibleIfNoTargetDevices = false
AllowRunOnInstallUninstall = true
AllowPackagePropagate = true
DeletePreinstalledFilesOnUninstall = true
"Had a bit of problem modifying swipolicy.ini correctly, got file corrupt error messages from installer. After couple tries got it working."
Me too, I noticed that if I pad the file with 0s at the end, I get the "file corrupt" message if I try to install apps.
so this configuration is exactly 536 bytes.
cheers
Doesn't work with the N80 - NSU just downloads the files again and overwrites the modified firmware.
How are you people actually doing this?
I'm running NSU through once, browsing for the firmware file and hitting it with a hex editor to replace UserCapabilities with the ones that are suggested; following this I run NSU again, check swipolicy.ini and find that my changes didn't hold.
To my earlier post: I forgot to give the offset of the swipolicy.ini file.
So for the E65 the offset is 31343976, file size 536 bytes.
Correction: it should be space-padded and not zero-padded.
"Nobody Special", read my comment on the NSU fixed post, I have written a very short tutorial to do it.
Thanks 'blankname' - all sorted now. Just as an aside, "UserCapabilities = All" does not work for me (N80), have to use the long list instead.
Anyone tested this on N95 firmware 20.0.015? It would be interesting to know if they've fixed this wonderful loophole or if we can continue to have DRM-free phones..
I have an N95 v20.0.015. I just opened RM-159_20.0.015_PR.cor with WinHex. After searching, at offset 0425F860, if I edit "allowunsigned=true" ... will it install unsigned apps or not?
dpsingh: No, this firmware modification does not work on the N95. The phone looks to be using several checksums and quite probably a signature of some kind. After uploading the firmware the handset promptly dies and needs to be flashed back to life using a box like JAF.
There are a few people working on it, but it's slow going.