[Q] Certificate Store in WP7 - Windows Phone 7 Q&A, Help & Troubleshooting

Hi,
As per the subject, I have been given a Windows Phone 7 device and been tasked to see if a root/user certificate can be extracted from the phone.
We install certificates onto mobile devices such as iPhones, to allow IPSEC VPN tunnels and secure access to Exchange servers.
Using the tools I found on this site, I have managed to unlock my test WP7 device, installed the root and user certificates on my WP7 (I downloaded it from our test site) and I also installed Advanced File Explorer on the WP7 phone.
Based on my rudimentary research, the Certificate Store is not accessible on a WP7 device and the only way to remove a certificate from the store is to reset the phone to factory settings.
In the root of the WP7 phone, there is a file called drmstore.dat. I have used Advanced File Explorer to copy this file to my desktop and using NotePad++ see that it does have some MS root certificates in there. But is this the file that would contain the user installed certificates?
My WP7 experience is limited to 3 days so far, so was hoping somebody could point me in the right direction wrt file location. From what I've read, the OS does seem to be designed really well, so I am hoping that it is indeed impossible to extract the certificate from the device.
The only reason we are doing this test is to work out if the new phone is secure as it is getting difficult to get hold of Windows Mobile 6.5 phones as the days progress. The problem is that WP7 phones don't support disk encryption yet (or so I believe) hence the worry ...
Many thanks in advance for your help and pointers.

If the phone is locked then it is really impossible to get it off the phone.
After the update from MS we aren't able to unlock the phone again so I think it is pretty safe.
Maybe you could look at a dump of a ROM to find out where the certs are stored.

Thanks for your reply.
There are interesting times ahead.
The Chevron WP7 exploit will be closed but the Touchxplorer developer claims that his solution will still allow full file access to system, so I am waiting with bated breath to see how it all pans out. And who knows, we may have Nokia announcing that they will be using WP7 as an OS for their Nokia hardware on Friday.
Since I am not too au fait with the structure of WP7 phone (and I don't even know why I was given this job considering my hacking skills are about 5%) would you have an inkling as to where they sort of could be kept or how to read or even create a dump of the ROM?
Many thanks. I will search on the forums to see if I can get more information.
Thanks again.

Interop unlock via oem.cab and cab sender

Do you think it's possible to unlock mango via oem.cab file ?
I know one can rollback, unlock and reupgrade but this cab way would be easier
Sent from my OMNIA7 using Board Express
Can't. Unless you could sign the cab with Microsoft's certificates.
Unless for some reason they made an official cab to do this for manufacturers that got leaked.
Xboxmod cabs only work if the certs are cooked into a rom... And if your flashing custom roms you wouldn't need to do this anyway.
Sent from my HD7 T9292 using XDA Windows Phone 7 App
Incorrect. xboxmod has created a WP7 Cab Builder that you can create your own WP7 Cab Updates. I'm 95% complete. I just need to find a way on the tool to set the password for my MIcrosoft Windows Mobile Firmware Installation PCA.pfx which I will do soon. Once signed, it should be able to be sent to all devices. Providing Interop unlock for ALL devices, regardless of generation. Keep your eyes open. I MAY complete it this month or July. I'll need help from xboxmod and Heathcliff74.
AlvinPhilemon said:
I just need to find a way on the tool to set the password for my MIcrosoft Windows Mobile Firmware Installation PCA.pfx which I will do soon. Once signed, it should be able to be sent to all devices.
Well, that will be the problem. You don't have the necessary password, so you can't sign it. And all devices will just reject the cab. (just like reeg420 said) Sry, but the odds are against you.
AlvinPhilemon said:
Incorrect. xboxmod has created a WP7 Cab Builder that you can create your own WP7 Cab Updates. I'm 95% complete. I just need to find a way on the tool to set the password for my MIcrosoft Windows Mobile Firmware Installation PCA.pfx which I will do soon. Once signed, it should be able to be sent to all devices. Providing Interop unlock for ALL devices, regardless of generation. Keep your eyes open. I MAY complete it this month or July. I'll need help from xboxmod and Heathcliff74.
You asked me for help. I replied to you, but you didn't get back to me. I am reticent about this, but I always keep an open mind. Tell me what you need and I hope I can help.
Ciao,
Heathcliff74
I just need to find a way on the tool to set the password for my MIcrosoft Windows Mobile Firmware Installation PCA.pfx which I will do soon.
This tool is called SignTool.exe, but... Do you know the Microsoft master password for MS certificate??? How come? Do you own a 10 millions PC botnet working two years, brute-forcing MS cert?..
P.S. Seems like you don't understand what you are talking about...
So... I actually had a silly little thought about this. Not sure if it'll work for CABs, but it might work for other areas where we need a MS cert.
Anybody read about how the Flame malware was able to spoof a Windows Update package for PCs? It used a cert produced by a Microsoft tool. The tool is supposed to produce certs used for allowing PCs to connect to a Remote Desktop server, but for some reason the certs were also marked to allow code signing and other useful things. These certs also chain back to the Microsoft root certificate (meaning they are trusted as though issued by MS itself).
Now, for WP7 CABs, I don't know that this will work, because the CABs may need to be signed with a *specific* cert, not just one that chains to the same root. However, it's possibly worth checking...
GoodDayToDie said:
So... I actually had a silly little thought about this. Not sure if it'll work for CABs, but it might work for other areas where we need a MS cert.
Anybody read about how the Flame malware was able to spoof a Windows Update package for PCs? It used a cert produced by a Microsoft tool. The tool is supposed to produce certs used for allowing PCs to connect to a Remote Desktop server, but for some reason the certs were also marked to allow code signing and other useful things. These certs also chain back to the Microsoft root certificate (meaning they are trusted as though issued by MS itself).
Now, for WP7 CABs, I don't know that this will work, because the CABs may need to be signed with a *specific* cert, not just one that chains to the same root. However, it's possibly worth checking...
Don't you think that Microsoft has learnt its lesson after Flame? Would be great though
GoodDayToDie said:
Anybody read about how the Flame malware was able to spoof a Windows Update package for PCs?
Actually (according to Kaspersky Lab report), Flame malware isn't a simple worm/malware by black-hats but kinda "cyber-weapon" written by professionals from some kind of intelligence/security service (with unknown origin). And of course, some of (by unknown origin) intelligence/security services have enough computer/human power to obtain MS certs (by brute force attack with supercomputers or by traditional spy methods - I believe these methods are much more effective than computer-based attack).
I don't think this AlvinPhilemon is genius enough to overcome all mathematicians and security experts in the world. Probably he just has no idea what he's talking about (maybe he's just discovered the ability to push provisioning files via .cab files on the full unlocked handsets).
Bah... this is why, even though I actually work in the computer security world, I don't like to even mention Flame; it's been hyped through the roof and seems to trigger some kind of "go crazy" circuit in people. Government-created malware has existed for decades, at least. No need to get all excited about it. In security terms, it is in fact just a malicious worm written by blackhats (the "malicious" and "blackhat" parts are redundant; malice is how you define a blackhat). They might be "good guy" blackhats, but they're blackhats all the same.
Getting back on topic, did you actually read the rest of what I wrote? It's possible to get Microsoft-trusted certs, ready for code signing, out of a MS tool. On the PC, MS has pushed a patch that breaks the authorization chain those certs were using, so that it no longer looks like things signed by it are signed by MS itself. However, WP7 has received no such update yet. It's a long-shot, but it's a possibility.
EDIT: Agreed that trying to either brute-force the private key or find a hash collision (which apparently the Flame developers did, but they probably used massive computational resources to do it) is impractical for any individual on this forum.
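
The distinction raised in this thread, between a verifier that accepts any certificate chaining to a trusted root and one that requires a specific signer, shown as a verification policy. This is an added example, not part of the thread and not WP7's or Microsoft's actual code; every certificate and name is constructed, the licensing-style certificate is issued directly by the test root for brevity, and it assumes the third-party Python `cryptography` package.

```python
# Added illustration: all keys, names and certificates here are constructed.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID

def issue(cn, key, issuer=None, issuer_key=None, ekus=(), ca=False):
    """Issue a constructed test certificate (self-signed when issuer is None)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(days=1))
         .not_valid_after(now + datetime.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ekus:
        b = b.add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False)
    return b.sign(issuer_key or key, hashes.SHA256())

def chains_to(cert, root):
    """Weak policy: accept anything the trusted root issued (dates/revocation not checked)."""
    try:
        root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return cert.issuer == root.subject

def allowed_signer(cert, root, pinned_sha256):
    """Strict policy: chain check, code-signing EKU, and a pinned signer fingerprint."""
    if not chains_to(cert, root):
        return False
    try:
        ekus = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return EKU.CODE_SIGNING in ekus and cert.fingerprint(hashes.SHA256()) in pinned_sha256

root_key, fw_key, lic_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = issue("Constructed Root CA", root_key, ca=True)
# The signer the platform intends to trust for update packages.
FIRMWARE = issue("Constructed Firmware Signer", fw_key, ROOT, root_key, [EKU.CODE_SIGNING])
# A certificate issued for an unrelated purpose that also carries the code-signing EKU.
LICENSING = issue("Constructed Licensing Cert", lic_key, ROOT, root_key,
                  [EKU.CLIENT_AUTH, EKU.CODE_SIGNING])
PINNED = {FIRMWARE.fingerprint(hashes.SHA256())}

if __name__ == "__main__":
    for c in (FIRMWARE, LICENSING):
        cn = c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        print(cn, "| chain-only:", chains_to(c, ROOT),
              "| pinned:", allowed_signer(c, ROOT, PINNED))
```

Both certificates pass the chain-only check, and the EKU test alone would not separate them; only the pinned fingerprint rejects the licensing-style certificate.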

List of trusted root CA's for Android, BlackBerry, Symbian, Windows?

Good morning! I was wondering if anyone would know of any resources that contain info on the trusted root CAs (certificate authorities) for Android, BlackBerry, Symbian, and Windows mobile devices? I am working on a project that involves choosing a new SSL Certificate signer but I want to make sure that the one we choose is trusted on all of the devices. I appreciate any help! Info about iOS is readily available, but that doesn't appear to be the case for the other smartphone players.
Thanks!!
Matt
Me also want..to know
Please help
*Quick bump
Bummer... must not be much out there in regards to this.
This may help for rooted Android devices. The others, I'm not so sure about. In the aftermath of the DigiNotar debacle several months ago, there were articles about removing their root CA from the CA database. If you have a rooted android phone (why else would you be here) you can rebuild the cacerts.bks database. Some instructions for Windows are here in this blog. The instructions are just for removing one but can be adapted for adding one and can certainly be adapted for running under Linux, if you're like me:
(The forum won't let me post links yet so you'll have to be creative here with cut and paste...)
securitymusings.com -> article/3001/removing-trusted-certificates-from-android
The Guardian project also has a CACertMan tool that may do what you want on Android.
guardianproject.info -> 2011/09/05/cacertman-app-to-address-diginotar-other-bad-cas
Blackberry, Symbian, and Windows, I suspect you are on your own there.

[Q] Looking for an "app protector" app

Hey mates.
I'm looking for a wm 7 alternative to the quite nice app protector Android app called Smart App Protector.
What I need is the functionality to restrict my wm7 devices so the users can't enter IE, Settings and other functions than those I want them to.
When a user tries to open the browser on an Android device with the Smart App Protector installed, they get prompted for a password, which is exactly what I'm looking for.
If there isn't an app that does what I'm looking for, does anyone know a way to restrict at least internet traffic in IE? I still need data connections, but the users won't be allowed to use data except for 1 app.
My first impression of the wm7 - 7.5 is that it's very restricted compared to Android devices :S
Thanks a lot for your help.
A quick for-the-record: No such thing as WM7. Windows Mobile is dead. Although some of the underlying code got re-used in WP7, the upper part of the Windows Phone stack is completely new, and the low-level stuff has changed considerably as well. What you're asking for would probably have been quite easy on WinMo.
On WP7, it's a lot harder. There are three ways I can think of. The first and simplest would be a well-modified custom ROM. Another is to modify the policy system to prevent launching iexplore, settings3, and similar programs, but have an app that (once the password is provided) allows changing those policies. Note that we don't yet have full control over the policy system (as a community; Heathcliff74 knows quite a bit but is busy with his Root Tools project). The third would be to try modifying the registry entries for certain operations. The effectiveness of this depends on whether apps are launched directly (by executable) or indirectly (by GUIDs in the registry). If it's the latter, the launch request could be routed through an authorization app first.
Bear in mind, the only one of these changes that is permanent is a custom ROM. Otherwise, the user could hard-reset the phone (losing all data on it but bringing it back to factory default configuration). It's possible to hard-reset just using the buttons; you don't even need to use the touchscreen.
Thanks for the correction, WP7 ofc
I'm rather impressed by the performance of the OS so far, but it has many unforeseen restrictions for my needs.
Since I only had the Windows Phone 7 for 1 day so far, I don't have much knowledge about changing what you are suggesting.
I know what you mean, but no idea how to do it on WP7.
A custom ROM would be great indeed, but I don't have any experience in that field. Would be great to get a nice configuration tool with a GUI to make the needed changes and then a tool to upload the new ROM to the phone...in that simple order
I'm also looking for a solution to install software that was supported by Windows Mobile. I'm checking out ChevronWP7 at the moment to see if that can do the trick.
It seems a lot like WP7 is 99% consumer minded rather than business minded compared to old WM, a bit of a shame imo.

Lumia 800 shared documents

Hi guys,
I've got one question, is it possible to create file transfer on wifi? I want to create a wifi network something like a family group in Windows 7. And if it's possible, do this between WP and Android phone or WP and Windows 7 PC.
Thanks a lot.
No, not possible; but you can try DFT Bluetooth file transfer if you have a fully unlocked or rooted phone and see if that works. Currently there is no way of doing what you are asking via email, MMS or Wifi.
It doesn't work via e-mail either?
Root Webserver (see my sig) allows easily taking files off (or putting them on) a Windows phone via WiFi. It's not the most elegant approach, but it's easy to use.
There has been talk of somebody implementing SMB (the network protocol that is used for Windows networking) using the sockets APIs in WP7, but I'm not even sure the official APIs are complete enough and even if they are, it'll be quite a bit of work to implement (the SAMBA project has been trying on Linux for years, and is only mostly there).
I'm quite certain it's possible to attach arbitrary files to email, but nobody has found the way *yet* so that's not currently possible. Also, the email client isn't going to let you save attachments to arbitrary locations, because it's designed to work with the very low permissions of the OS by default.

[Q]File explorer?

Yeah, is there any file explorer for non-HTC phones out there? I'm tempted to get a lumia 800.
Several (and most don't rely on device-specific code the way TouchXplorer does). Hell, WP7 Root Tools has been out for over a year, though it used to be Samsung-only. However, all of the file browsers require at least interop-unlock, and most require root-unlock (or full-unlock). Only a very few Lumia 800s can be unlocked that far; it requires an older bootloader that new models don't come with anymore, and nobody has found a way to flash the old bootloader back onto them (the Lumia 710 can be reverted, but not yet the 800; the 900 and 610 never used the relevant bootloader).
Aside from the Lumia 710, two of the gen2 HTC phones (Titan and Radar) can be full-unlocked using custom ROMs. Currently there are no custom ROMs for the gen2 Samsungs, but if you get one with old enough firmware (unlikely, but you may get lucky) you can use WindowBreak and then install Root Tools.
Meh, so my best bet is to wait and see what WP8 comes up with?
The only reason is mostly using other formats (e.g. PDF) for different things. I'm not a huge internet user, and I'm not too jolly that I gotta move some files in the cloud and then download them to my phone.
I wouldn't hold my breath for a WP8 file browser. Microsoft does not seem to be interested in giving anyone this capability. Furthermore, it could take a very long time until there will be any WP8 unlock, due to the inclusion of Secure Boot (if there will be any at all - in case Microsoft implements proper bottom-up validation it could be possible that no application can run on SYSTEM privileges unless signed).
Be that as it may, why is a file browser so important to you? I don't find it too helpful in WP (except for hacking/developmental purposes) as you have IsolatedStorages (which are a mess to dig in from a file explorer), other folders like Windows and the Zune content store (of which the latter could be accessed per USB if wanted).
Anyways, the HTC Titan is a very nice phone to have, and so is the Lumia 800. I wouldn't purchase too much after what is unlocked yet, but rather after what you find best value in.
