Hacking S60 3rd edition firmware - Unlimited permissions for untrusted midlets
By default, Nokia S60 3rd Edition phones install midlets mostly with "oneshot" or "session" permissions, which force the user to accept the permission every time a network connection is made or a file is opened. If you don't have a signing key (which costs $$$), you cannot even modify these permissions, because the phone only allows the "ask every time" option for e.g. file write.
So, here's the hacking alternative - proceed at your own risk. By replacing some strings, we can give untrusted applications the same permissions as manufacturer-signed applications.
First, update your S60 phone normally using the Software Update tool from Nokia. It downloads the updates to your hard drive, storing the binary images in
C:\Documents and Settings\All Users\Application Data\Nokia\Nokia Service Layer\A\nsl_service_module_00001\www.dsut.online.nokia.com.oti.caresuite\Products\<phonemodel>
The directory contents look interesting: for my phone there is a ROM image of about 50 MB there. A simple strings scan of the ROM image shows fragments of a text-based Java permission file, which on closer look is very interesting (at around 0x2310000 in my case):
# midp2_rp.xpf
# Copyright (c) 2004-2005 By Symbian Software Ltd. All rights reserved.
# This file defines one possible interpretation of the MIDP2 Security RP security policy,
# but with a JTWIr1 compliant policy for untrusted MIDlet suites
FormatVersion: 1.0
[...]
# MIDlets in untrusted MIDlet suites need user permission before doing anything
DomainBindings: [UNTRUSTED]
FunctionGroupBinding: "Application Auto Invocation"
Permission: User
DefaultMode: Session
MaximumMode: Session
EndFunctionGroupBinding
FunctionGroupBinding: "Landmark"
Permission: User
DefaultMode: Session
MaximumMode: Session
EndFunctionGroupBinding
[...]
Now, all you need to do is open up your favourite hex editor and write "MaximumMode: Blanket" into the permissions you want to allow, and if you feel risky you can change the DefaultMode as well.
Now re-run the software update, forcing a re-run, and the phone will be flashed with your new permissions. After installing a midlet, you should see more permission options in the application manager (select the midlet, click Open). If you try it, please post successes with different phone models in the comments.
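As an added example (not code from the post), here is a small Python auditor for the policy text shown above: it locates midp2_rp.xpf-style DomainBindings blocks inside a ROM image the same way a strings scan would, parses each FunctionGroupBinding, and reports which UNTRUSTED function groups have been widened to Blanket, which is the check to run on an image before trusting it. The sample image bytes are constructed; the field names follow the excerpt quoted above and real images may contain additional fields.

```python
import re

# Constructed sample: a fragment in the midp2_rp.xpf format quoted in the post,
# surrounded by binary padding so it looks like a strings-scan hit in a ROM image.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"# midp2_rp.xpf\nFormatVersion: 1.0\n"
    b"DomainBindings: [UNTRUSTED]\n"
    b'FunctionGroupBinding: "Application Auto Invocation"\n'
    b"Permission: User\nDefaultMode: Session\nMaximumMode: Session\n"
    b"EndFunctionGroupBinding\n"
    b'FunctionGroupBinding: "Landmark"\n'
    b"Permission: User\nDefaultMode: Session\nMaximumMode: Blanket\n"
    b"EndFunctionGroupBinding\n"
    b"DomainBindings: [MANUFACTURER]\n"
    b'FunctionGroupBinding: "Landmark"\n'
    b"Permission: Allowed\nEndFunctionGroupBinding\n"
    + b"\xff" * 16
)

# One DomainBindings block runs until the next DomainBindings or the end of the image.
BLOCK_RE = re.compile(rb"DomainBindings:\s*\[([^\]]+)\](.*?)(?=DomainBindings:|\Z)", re.S)
FG_RE = re.compile(rb'FunctionGroupBinding:\s*"([^"]+)"(.*?)EndFunctionGroupBinding', re.S)
FIELD_RE = re.compile(rb"^(\w+):\s*(.+?)\s*$", re.M)


def parse_policy(image: bytes) -> dict:
    """Map domain -> function group -> fields. Each binding also records its
    byte offset in the image so a finding can be located with a hex editor."""
    policy = {}
    for block in BLOCK_RE.finditer(image):
        domain = block.group(1).decode("ascii").strip()
        groups = policy.setdefault(domain, {})
        for fg in FG_RE.finditer(block.group(2)):
            fields = {k.decode(): v.decode() for k, v in FIELD_RE.findall(fg.group(2))}
            fields["offset"] = block.start(2) + fg.start()
            groups[fg.group(1).decode()] = fields
    return policy


def audit_untrusted(image: bytes, domain: str = "UNTRUSTED") -> list:
    """Names of function groups in `domain` that may run in Blanket mode, i.e.
    without a per-use prompt. For UNTRUSTED this list should normally be empty."""
    relaxed = []
    for name, fields in parse_policy(image).get(domain, {}).items():
        if "Blanket" in (fields.get("DefaultMode"), fields.get("MaximumMode")):
            relaxed.append(name)
    return relaxed
```

Run `audit_untrusted(open("image.bin", "rb").read())` on a downloaded image; a non-empty result for UNTRUSTED means the policy differs from the stock one shown in the post.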
12 Comments:
Works great with E90!
very interesting approach! do you think it is possible to hack the sis installer in similar way?
Did not work for me. I tried it on a Nokia N95. Suddenly the Nokia Software Update alerted "connection lost". The phone cannot be used anymore. I will try to bring it to a Nokia shop hoping they will help me out.
Did it work for anybody with the N95?
maybe there is kind of a crc check?
There's a CRC in the file but it looks like it's not used; of course this might vary between different models, variants etc.
It does not work on my E61.
I have edited the image file on my PC and the flashing has finished without any error message, but the edited files in the ROM (z:\system\data\midp2\security\policy\*) have not changed :(
I don't know if I edited the wrong files? Or the flashing fails, but does not show error message?
At first I edited the wrong image file of the E61, but I have found the ROM image file in another directory. But after editing this file, flashing failed with a "Connection lost" error message...
Great work!
thank you for info!
I tried with the E65 by Phoenix flash.
Modding these entries is also interesting:
NegativePortFilter:
EndNegativePortFilter
I can't get it to work...
I did replace the modded firmware file and NSU jumps to 47MB of downloading....
But the firmware that it is downloading is ~70MB in size.
And when the update was successful, I can't see any advantages!
NSU says that "Software update complete", but phone won't turn on. It was 6120 Classic. :'-(
Same as the above guy. I tried it on a Nokia 6120 Classic but now the phone doesn't turn on.
I brought it to a Nokia Care Center to fix it.