Security policies - 8125, K-JAM, P4300, MDA Vario ROM Development

Alright, I haven't seen this posted, but let's see if we can figure this out as a team. What do each of these do? I know one of them.
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001017"=dword:94
"00001032"=dword:1
"00001031"=dword:1
"00001030"=dword:0
"0000102f"=dword:c80
"0000102e"=dword:c80
"0000102d"=dword:c80
"0000102C"=dword:0
"0000102B"=dword:0
"0000102A"=dword:1
"00001029"=dword:1
"00001028"=dword:1
"00001026"=dword:1
"00001025"=dword:1
"00001024"=dword:1
"00001021"=dword:c00
"0000101f"=dword:1
"0000101e"=dword:1
"0000101d"=dword:1
"0000101b"=dword:1
"0000101a"=dword:1 - Disable Certification check for application installation.
"00001019"=dword:8c
"00001018"=dword:10
"00001011"=dword:1
"0000100f"=dword:e94
"0000100e"=dword:40
"0000100d"=dword:c00
"0000100c"=dword:800
"00001009"=dword:3
"00001008"=dword:1
"00001007"=dword:40
"00001006"=dword:1
"00001005"=dword:10
"00001001"=dword:2
"00001000"=dword:8
"00001023"=dword:1
"00001027"=dword:1

[Updated 12/08/2009]:Web Based CAB Creator for Common Registry Settings

Hi Everyone,
I, like many of you, spend way too much time setting phones up over and over again. Since a big part of this is registry edits, I have built a web site that allows you to check off the registry options you want, which it then uses to create a downloadable CAB file to install that will contain all of those registry tweaks. This makes things completely reversible by uninstalling the CAB file.
Notes:
This is Beta. While I have used it, and it's a very basic process, it isn't commercial software by any means.
If you would like to add a new feature, post in this thread.
You may install more than one cab file created with this tool. Just use different names at the bottom of the form.
Without further delay, here's the site:
<edit> The tool has now moved to nowsci.com. If you have any issues, please let me know. </edit>
http://nowsci.com/registry-changer/
Thanks,
Ben
* hold for updates *
Update 1: HTML now renders mobile friendly, so you can use this straight from your device.
Update 2: Edit feature added.
Update 3: Can now manually specify string or integer.
Update 4 [11/17/2008]: Can now specify the app name for install, allowing the user to have more than one Registry Changer cab installed at any point in time.
Update 5 [03/27/2009]: Fixed some character flaws for input. Preparations for move to a new host.
Update 6 [04/22/2009]: Added a filter option.
The site now has the ability for the end user to add registry entries to the database.
Thank you very much. I believe the "Camera Enhancements" entry is mis-titled. Shouldn't it be Rotate Picture 90 degrees, not 180 degrees?
Doh! I will fix that.
Also, just added all the registry entries from the Diamond Tweaks post.
What about the Bluetooth DUN profile adding to the list? - Mike
What's the registry entries for that? Happy to add them, or you can add them yourself now through the site.
What happens if you tweak a registry entry that does not exist on your specific device or rom?
Good question. For the most part, I would guess nothing. If there is nothing on your system looking for the registry entry, then it won't affect anything. That being said, that doesn't mean WM doesn't look for registry entries that aren't there. For instance, the following tweak:
Enable Vision Duration/Disconnect Popup
HKLM\ControlPanel\Phone\Flags2=16
Flags2 doesn't exist by default on most any WM6 phone. Adding it in enables the disconnect.
Who added the "Mighty" tweaks? Is that a phone? Many of those seem like they should go in Misc. I might clean that up if those aren't specific to a phone.
Would it be possible to have a wiki of descriptions for each of these options? I know I could Google them one by one but I'm sure users would appreciate a single source.
Hmm, not a bad idea. I wonder if there was a spot on the xda wiki I could use for it since I don't have my own. I may end up integrating a detailed description field for each item with a question mark next to it. Unfortunately I won't be able to define them all since people have added ones I've never used.
OK I have a request. I don't so much mind tweaking the settings when I flash. However what does drive me nuts and keeps me from flashing is knowing I will have to reconfigure all my email accounts. I just use the default mail program, but what a pain going through and adding my 7 yes Seven email accounts every time I flash my phone. Is there a way to make a cab that would auto input all my account settings? The reason for so many accounts, is I have personal accounts, business accounts, email list accounts, car club accounts, and forum subscription accounts.
It would be awesome to be able to go to a site, or run an app where I could plunk in all my account settings, then create a cab store it to my SD card and whenever I flash, just run the cab and POOF all my accounts are setup.
Unfortunately, probably wouldn't be easy to make a cab. However, programs like Sprite Backup will do this for you. You can selectively restore your mail using SB, however I generally back up my phone once I get things the way I like it, then if anything goes sour, I hard reset, then restore.
any1 made an ultimate tweak.cab? maybe make your diamond seem as fast as a custom rom?????????????
then any hardreset.......
dewey1973 said:
Would it be possible to have a wiki of descriptions for each of these options? I know I could Google them one by one but I'm sure users would appreciate a single source.
+1 on descriptions of each cab
Wow very nice! Thanks!
I suggest a field to make a *.cab regarding to any registry path/setting the user wishes (if the user is more technical).
without having to actually add to the public entry list.
This will allow the ability to:
1. not have to wait for the admin to add the specific entry
2. allows the author of the new *.cab to distribute their new edit on the fly.
3. give the admin the ability to log & analyze the entries in the custom field and determine more of the common *custom* entries people may want. Thus not having to depend on explicit user input and emails all the time.
First - thanks for putting this together!
Quick question - I had it "enable" GPS coded photos...but I don't think it did? Shouldn't I have an option somewhere in my camera menu to activate this once I've installed the .cab? Additionally, I don't believe "enable landscape pictures" and "sport mode" worked - how do I know?
Many thanks!
Oh, and I forgot to mention (not that it matters???) that I'm on an HTC Touch Pro with Sprint - stock ROM. I'm new to all this, so I apologize if this is basic stuff.

Installing MIDlet on Samsung Omnia

Hi, I recently bought an Omnia and decided I would have a go at writing my own JavaME applications for it.
The application that I have in mind requires access to the file system and, in the future, the ability to make HTTP connections. Since these parts of the API are restricted I added file read and write privileges to the JAD file and copied the JAD and JAR to my phone. When I tried to install the application it gave me the error message "error 910: application authorization failed".
I guessed the error was due to the fact that the code wasn't signed. I don't want to have to go to the expense of getting a real trusted certificate for a piece of code I will probably never release so I've set up my own root CA and installed the CA certificate on the phone. I then created my own code signing certificate and signed my application with it*. I now get the error message:
"The authentication of certificate is failed. Contact your application provider to correct this situation"
when I try to install my application. I think, therefore, that the code is signed but for some reason the trust chain isn't working. I can't tell if my code signing certificate is the problem or whether the phone isn't recognizing my CA certificate. The CA certificate shows up fine in the Certificates application (Settings > System > Certificates).
Is what I am trying to do even possible on the Omnia or is it too locked down? I have to assume it is possible as I can't believe that every developer that wants to test their MIDlet idea is buying a certificate. Out of interest does anyone know what KVM the Omnia is using?
One option I haven't tried yet is installing JBed as described in this post (http://forum.vodafone.co.uk/index.php?showtopic=8896). I'm not exactly thrilled by this idea though as I have a nicely working (recently flashed to the latest version) phone at the moment.
Any help greatly appreciated (and if I get it working I'll write it up so others can use the information).
* Personal CA Setup Etc...
http://browndrf.blogspot.com/
http://www.mobilefish.com/tutorials/java/j...de_keytool.html
http://www.mobilefish.com/developer/openss...gn_request.html
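An offline check for the first half of the question above (is the code-signing certificate itself the problem?), as an added example that is not part of the original post: it builds a throwaway CA and code-signing leaf with openssl, then verifies the chain and the Code Signing extended key usage. All subject names and file names are constructed, and it says nothing about how the Omnia's MIDlet manager selects its trusted roots.

```shell
#!/bin/sh
# Added example: is the signing certificate sound, independent of the phone?
# All subjects and file names below are constructed for illustration.

# Build a throwaway root CA and a code-signing leaf certificate in directory $1.
make_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example MIDlet Signer" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    # Leaf extensions: end-entity certificate, usable for code signing.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature' \
        'extendedKeyUsage=codeSigning' > "$d/leaf.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" \
        -out "$d/leaf.pem" 2>/dev/null || return 1
}

# 0 if certificate $2 chains to the CA certificate $1, non-zero otherwise.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if certificate $1 carries the Code Signing extended key usage.
has_codesigning_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Code Signing'
}

# Print a one-line verdict for a (CA certificate, leaf certificate) pair.
diagnose() {
    if ! chains_to "$1" "$2"; then
        echo "leaf does not chain to this CA: fix the certificate first"
    elif ! has_codesigning_eku "$2"; then
        echo "chain is valid but leaf lacks Code Signing EKU"
    else
        echo "certificate side is sound: remaining suspect is the device trust store"
    fi
}

# Demo run on the constructed chain.
tmp=$(mktemp -d)
make_chain "$tmp" && diagnose "$tmp/ca.pem" "$tmp/leaf.pem"
rm -rf "$tmp"
```

Running `diagnose` against your own CA and signing certificate (both in PEM form) separates the two failure causes the post mentions before touching the device.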
As a follow up. Perhaps it's not possible to install a MIDlet using a self signed certificate but what about the possibility of turning the security checking off for the MIDlet manager on the Omnia?
There is a menu option for java settings which doesn't provide any useful settings (just something about the backlight) but there is also an application menu which has an entry called permissions. The permissions options is always greyed out though. I wonder if this could be turned on via the registry or something?
Not sure whether it works in your case (haven't tested this on the Omnia): see my related bible: http://forum.xda-developers.com/showthread.php?t=339579
Cheers Menneisyys, great article btw, I had a read of it before posting. From what I've read most phones seem to have some way of getting unsigned MIDlets running fairly easily. Looks like this phone is the exception to the rule.
I think I'll have to just give up and install JBed unless someone can come up with any ideas. Your article seems to imply it's a pretty simple and painless process to have more than one MIDlet manager running on the same phone (before reading the article I assumed you could only have one on a phone).
I've been a Java developer for years (server side) but this is my first foray into JavaME, I should have guessed that the security system would make it more trouble than it was worth!

[PATCH]Security SSL - fixed DigiNotar certificate problem

Install this via CWM recovery.
This removed the DigiNotar certificates. (hacked certificates)
Install this update if you have Android 2.3.4 or lower or beta Android 2.3.6
Download: View attachment certs-update.zip
certificates file is from Motorola Defy + rom 4.5.2-109-DHT-22 build date Nov. 7. 2011
Out of curiosity, what is this for anyway? Noob on this certificate thing.
Diginotar has been breached so their certificates are a security problem for android roms.
It's good to hear this... I thought it was just forgotten... this is one more reason why I'm not installing the gapps pack before. (though I don't have any to be hacked)
I seem to have a problem (that could be) related to this bogus certificate problem. Looking at the age of this post I would hope this isn't still an issue. I would like to think that things this problematic would be fixed by now. However I've found certs in my Google account dated back as far as 2014, many of them seem to be obviously bogus. I have a few questions about this issue.
Is this something that could sync across devices?
Other than the removal of obviously bogus certificates are there steps I should take to avoid this happening in the future?
Have the bigger software companies done anything about this issue and/or has the issue been through the appropriate disclosure? Should it?
Is there more up to date information related to this issue?
I am a newbie and fighting some sort of bug or malware that seems to be related, I do appreciate any help available. Thanks.

[Q] Is it possible to use MS.Internal somehow in a normal app?

Is it possible to somehow use classes from the MS.Internal namespace, things like MS.Internal.TextBoxView which is the type of a sub-object of the ContentControl of a textbox?
I mean use them in a "normal" app on a locked end-user phone, and getting away with it as far as certification is concerned so it can appear normally in the Marketplace?
The Visual Studio debugger is able to display information about such objects somehow, that's where I got the knowledge of the existence of this TextBoxView class in the first place, but of course that does not mean that a normal app can do likewise.
Googling for "WP7 reflection" showed me hits in other places like StackOverflow with info that probably this will just run into security exceptions anyway, because MS does not want devs to use "undocumented APIs", but I am curious whether somebody here has tried to "hack" this and can report first-hand.
rbrunner7 said:
Is it possible to somehow use classes from the MS.Internal namespace, things like MS.Internal.TextBoxView which is the type of a sub-object of the ContentControl of a textbox?
I mean use them in a "normal" app on a locked end-user phone, and getting away with it as far as certification is concerned so it can appear normally in the Marketplace?
The Visual Studio debugger is able to display information about such objects somehow, that's where I got the knowledge of the existence of this TextBoxView class in the first place, but of course that does not mean that a normal app can do likewise.
Googling for "WP7 reflection" showed me hits in other places like StackOverflow with info that probably this will just run into security exceptions anyway, because MS does not want devs to use "undocumented APIs", but I am curious whether somebody here has tried to "hack" this and can report first-hand.
I highly doubt.. more towards no for this. Microsoft pretty much will deny anything in the low level APIs from being accepted in the Marketplace. A way to check this is to use the Marketplace Test Kit in VS 2010 (Project -> Open Marketplace Test Kit). It will tell you if something you're using will fail as it does the same type of quick test that happens when you upload a XAP for submission.

dSploit/cSploit continuation

Hello, if you know what cSploit is you also probably know that it's buggy and outdated.
I have taken time to rebrand the software, mixing versions, and modifying code.
My goal was to fix the login cracker which was not giving status output since the C regex was broken, so I reimplemented the original dSploit 1.0 fashion - each tried password is shown - and the progress bar is effective. Also did modify the java code and res to be able to fully use hydra (more options, and most importantly being able to pass http related plugins parameters).
Metasploit is outdated, and ruby 1.9 cannot run the latest version; so I switched to version 2.7, which is running: we can install gems.
Issue is that when downloading the MSF and setting it up, the bundle doesn't return, and gives no output. I don't know what is happening here, there may be a prompt for administrator's password so I run 'bundle install' as root, but it doesn't change anything.
gem install bundler does succeed, but not bundle install, showing forever "downloading gems". This part is tricky and I need people to look upon it with fresh eyes (I spent too much time on the code).
I'm calling the project eSploit and renamed a lot of things like package name, since I have been working alone and that the cSploit project is utterly abandoned, but still is delivered on platforms like nethunter store despite the bugs and EOF notice. So don't judge me on taking it over since no one cares.
Status is:
Nmap: fully functional
Hydra: restore not working (restore file's path issue)
Exploit finder: Not working since the MSF doesn't update yet -see above- , and that is the milestone.
MITM: not tested, might just get rid of it.
There is a change of strategy in the way we will retrieve exploits, instead of contacting outbound server and pass it the result of the inspector, then seeking in the metasploit database for the CVE, we will just pass the inspector's result to metasploit. No difference, and the thing will be working on local networks without internet connection.
To be honest this is a bit like pinning a nail with a bulldozer, but for now there is no alternative.
Submodules are removed from git, instead there's a big working tree with all the dependencies.
Note that the openssl library originally shipped with the package doesn't 'work' with most newer software, hence are we using 1.1.1l for ruby, and will either stick to the latest for older softwares (like hydra 8.8) or update the programs, so now only nmap is working.
So you tell me what you think of it, and don't hesitate to report bugs on github, ask me questions about the architecture of the software (originally designed by Simone Margaritelli), and help me finding a solution to the main issue.
GitHub - e2002e/eSploit: cSploit - The most complete and advanced IT security professional toolkit on Android.
This is very cool. It would be really cool if this is working. I hope that you can fix these Problems
cSploit, dSploit.. now eSploit i really like this program.
Any similarities with zANTI ?
I am very interested in this project! But the github page is offline. Are you still working on this?
Hi people, I got to some reasoning that this was not needed, though being cool to have the metasploit framework for android, I remember now how younger I tried to hack into things without a proper vulnerability scanner. This results in frustration. You can't know just from an nmap scan what exploit to launch. This thing would be awesome with (for instance) greenbone. But as is it is like attacking tanks with guns.
So I dropped it and deleted the repository.
Thanks for your reactions.
What happen it's not available
