Wednesday, October 3, 2007

Hacking S60 3rd edition firmware - Unlimited permissions for untrusted midlets

By default, Nokia S60 3rd Edition phones install midlets mostly with "oneshot" or "session" permissions, which force the user to accept the permission every time a network connection is made or a file is opened. If you don't have a signing key (which costs $$$), you cannot even modify these permissions, because the phone only allows the "ask every time" option for e.g. file write.

So, here's the hacking alternative - proceed at your own risk. By replacing some strings, we can give untrusted applications the same permissions as manufacturer-signed applications.

First, update your S60 phone normally using the Software Update tool from Nokia. It downloads the update to your hard drive, storing the binary images in

C:\Documents and Settings\All Users\Application Data\Nokia\Nokia Service Layer\A\nsl_service_module_00001\www.dsut.online.nokia.com.oti.caresuite\Products\<phonemodel>

The directory contents look interesting: for my phone there is a ROM image of about 50 MB there. A simple strings scan of the ROM image shows fragments of a text-based Java permission file, which on closer inspection is very interesting (at around offset 0x2310000 in my case):

# midp2_rp.xpf
# Copyright (c) 2004-2005 By Symbian Software Ltd. All rights reserved.
# This file defines one possible interpretation of the MIDP2 Security RP security policy,
# but with a JTWIr1 compliant policy for untrusted MIDlet suites

FormatVersion: 1.0

[...]

# MIDlets in untrusted MIDlet suites need user permission before doing anything
DomainBindings: [UNTRUSTED]
FunctionGroupBinding: "Application Auto Invocation"
Permission: User
DefaultMode: Session
MaximumMode: Session
EndFunctionGroupBinding
FunctionGroupBinding: "Landmark"
Permission: User
DefaultMode: Session
MaximumMode: Session
EndFunctionGroupBinding
[...]

Now, all you need to do is open up your favourite hex editor and change "MaximumMode: Session" to "MaximumMode: Blanket" for the function groups you want to allow, and if you feel risky you can change the DefaultMode as well.

Now re-run the software update, force a re-run, and the phone will be flashed with your new permissions. After installing a midlet, you should see more permission options in the application manager (select the midlet, click Open). If you try it, please post your successes with different phone models in the comments.
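To check what a policy fragment pulled out of an image actually grants to the UNTRUSTED domain (for instance, to tell a stock image from a modified one), here is a small parser and audit for the midp2_rp.xpf layout quoted above. It is an added example, not code from the original post or from Symbian; the sample text is constructed, and the parser understands only the keys that appear in the fragment on this page.

```python
# Constructed sample policy fragment in the midp2_rp.xpf layout quoted above;
# the "Landmark" binding is deliberately widened to Blanket so the audit fires.
SAMPLE_POLICY = """\
DomainBindings: [UNTRUSTED]
FunctionGroupBinding: "Application Auto Invocation"
Permission: User
DefaultMode: Session
MaximumMode: Session
EndFunctionGroupBinding
FunctionGroupBinding: "Landmark"
Permission: User
DefaultMode: Session
MaximumMode: Blanket
EndFunctionGroupBinding
"""

# Interaction modes from least to most permissive (MIDP 2.0 user-permission modes).
MODE_RANK = {"Oneshot": 0, "Session": 1, "Blanket": 2}

def parse_policy(text):
    """Return {domain: [binding, ...]}; each binding is a dict of the keys seen."""
    domains, current_domain, binding = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "EndFunctionGroupBinding":
            domains[current_domain].append(binding)
            binding = None
            continue
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "DomainBindings":
            current_domain = value.strip("[]")
            domains.setdefault(current_domain, [])
        elif key == "FunctionGroupBinding":
            binding = {"group": value.strip('"')}
        elif binding is not None:
            binding[key] = value
    return domains

def audit_untrusted(domains):
    """Flag UNTRUSTED bindings granting Blanket, or a DefaultMode above MaximumMode."""
    findings = []
    for b in domains.get("UNTRUSTED", []):
        mx, df = b.get("MaximumMode", "Session"), b.get("DefaultMode", "Session")
        if mx == "Blanket":
            findings.append((b["group"], "MaximumMode is Blanket"))
        if MODE_RANK.get(df, 0) > MODE_RANK.get(mx, 0):
            findings.append((b["group"], "DefaultMode exceeds MaximumMode"))
    return findings
```

Run it over text recovered with strings from the image (only the xpf lines are needed); an empty findings list means no untrusted function group has been widened to Blanket.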
