Unleash the power of Windows Phone

Latest News

Twitter



Hi all! I haven't been really communicative lately. The reason is that I was working on a project and I found that I was not able to focus very well due to an influx of questions from social media, etc. In April of this year, I received my Lumia 920 and wished to unlock it to its fullest potential. I soon discovered that Windows Phone 8 was a whole new beast and wasn't really having any success in hacking it. I decided to stop using twitter, mail and forums for a while, at least until I made some significant progress. Sorry to all people who I haven't answered over the last period of time. It wasn't because I'm an arrogant prick; I just needed to focus on my project. I will try to go through my inboxes and answer the most important questions sometime soon.

At this moment, I can't really say I have big news yet, but I do want to share some of the things that I worked on so far. I first decided to target the Windows Phone 8 Emulator, because the emulator has many of the same security features as retail devices have and the emulator is easier to test with. All this research has resulted in the fact that I have now root access on the emulator. That is a little break-through for me, because that means that I already understand and defeated a big part of the Windows Phone 8 security features. Please note that there are still a couple of big steps that need to be taken to accomplish the same on retail devices.

During my quest for root access on the emulator, I encountered an overwhelming amount of security routines. It's really clear that this kernel has been under development for about 20 years now. Windows Phone 8 has now the same Windows NT kernel as new desktop PC's have and now uses the advanced NTFS file-system security. A part of the Windows Phone 7 security engine has been ported to Windows Phone 8, but it has now been glued to the security features of the Windows NT kernel. The new security engine is like a hybrid version of the old Windows Phone security engine and the Windows NT security engine. The Windows NT kernel has been extended with a sandboxing mechanism and a capability mechanism. While at kernel-level the security-tokens and NT privileges are still used, towards user-mode the far more extended capability-system is exposed.

By default all applications are launched in a sandbox. The sandbox can be decorated with capabilities. Other than that, it is normally not possible to step outside the sandbox to view or change data on the phone or use system functions from the phone. Everytime a secured object (like file or registry-value) is accessed, all security-token-attributes like Access Control List, Lowbox-state, Restriction-state, Privileges and capabilities are checked. Furthermore, everytime code is loaded, it's integrity is checked. Simple hacks are often not possible, because everything is checked and double-checked and many OS features depend on it. For example, if you completely disable the sandboxing mechanism, many apps won't launch anymore because the sandbox also defines the identity of the application. Without that identity, it's not possible to load COM-objects and Windows Runtime Components or have cross-process-communication. This results in many crashing or hanging applications. So, to get unlimited access to secured objects and APIs, you need to gently circumvent the systems that check the integrity of the code, the Access Control Lists, the privileges and the capabilities. You also need to be able to impersonate other, non-lowboxed accounts. Therefore, I studied the processes that build the security tokens, restricted and sandboxed them, then used that to create new processes and I studied all the runtime security checks. It took me quite a while, but I think I understand most of these mechanisms now.

During my research, other people have been working on Windows Phone 8 too. For example GoodDayToDie and -W_O_L_F- from the XDA forums have found a way to get Interop Unlock on the Samsung Ativ S. I've been asked if it is now possible to create WP8 Root Tools now, but unfortunately: not yet. Interop Unlock is not the same as root access. Interop Unlock can potentially provide privilege escalations, but it still needs hacks to do further modifications to the Windows Phone OS in order to get root access. On Windows Phone 7 I developed the Policy Unlock, which is a very complex mechanism that can be used on most of the Interop Unlocked Windows Phone 7 devices to get root access. This process also requires a complex installation to achieve that so this functionality was built-in to WP7 Root Tools. For Windows Phone 8 I would need to create a similar mechanism, but Windows Phone 8 security is completely different from Windows Phone 7 security and the process would need to be created from scratch. You could say that my root access for the Windows Phone 8 emulator is an approach from the kernel-side and Interop Unlock is an approach from the application-side, but they still need to meet in the middle. So far, that hasn't happened for Windows Phone 8 yet and this will need a lot more research.

Since I have root access on the emulator now, I can work on the implementation of WP8 Root Tools. I already have implemented some core-parts and I am porting UI stuff from WP7 Root Tools to Windows Phone 8. In the meantime, I'm also looking for new exploits that can be used to deploy my root access hacks to retail devices. During my previous research, I already found some weak spots in the implementation of the OS, which definitely need a closer look at. I hope to bring more news on Windows Phone 8 as my research will continue.

- Heathcliff74 -

Add a comment

As of now the Disqus commenting system will be used on this website. I choose for this system, because it is evolved to a mature global commenting system and it is easier to use for website-visitors. The old commenting system has been disabled. That means that all old comments will not be visible anymore. This is not a real problem, because most of those comments were from happy users or from users with questions which have already been answered.

Ciao,
Heathcliff74

Add a comment

Hi again! Spamming you all with another release ;-) This is WP7 Root Tools 1.2. This is a list of the changes in this version:

  • Added color values to Accent Color editor.
  • 3G toggle tweak improved.
  • Added Internet Connection Sharing unlock. If your operator has blocked Internet Sharing, WP7 Root Tools can attempt to configure Internet Sharing and bypass the barrier that is installed on the phone. This probably won't work on LG devices, because their drivers don't support Internet Sharing. This unlock is only meant to unlock the operator barrier.
  • Added Automatic Data Configuration function. This will attempt to automatically setup the configuration for your mobile operator in case your mobile internet settings are somehow screwed up.
  • Added shell-handler in Explorer for provxml-files.
  • Removed wrong buttons on Device tab.
  • Disabled cache for filesystem and searches. Caching mechanism was implemented back when old exploits were used, which were much slower. Disabling caching shows better browsing and search-results.
  • Added two languages: Serbian and Albanian. These versions can be downloaded in separate packages, because they are not officially supported by Windows Phone 7. Thanks to all people who helped with the translations!
  • Removed ads for better Root Tools experience ;)

WP7 Root Tools can be downloaded from the Download section.

Have fun!
Heathcliff74

Add a comment

This time I have 2 updates for you:

  • New version of Interop Unlock for 2nd generation Samsung WP7 devices. The last version worked for most people. The unlock for 2nd generation devices was downloaded 8852 times. And there was a hand full of people who were unable to successfully unlock their device. The new unlock adds an alternative unlock method, which should work for these people too. You can read more about the previous release of this unlock here. You can download the package for this unlock from the Download section. The instructions are inside the package.
  • WP7 Root Tools SDK 1.1 is a minor update. It fixes a bug in registry access and the documentation was improved to reflect changes from the version 1.0 release. This is also available from the Download section.

I'm also very close to a release of WP7 Root Tools 1.2. I'm only waiting on some translations and test-results. The key-change in this version is "Internet Sharing unlock".

One final note: Google Adsense has disabled my account, so this website currently has no ads. I appealed to their decision. From what I understand now, I am accused of illegal click-activity. This means they think I route traffic to my site to generate extra income or something. I don't know how they get that idea, but I know I only serve ads to generate a little money to compensate the costs of this website and I strictly comply with their policies. I've tried to explain that in my appeal. So I hope to stay a "partner" of Google Adsense and keep this website running.

- Heathcliff74 -

Update: Google reviewed the situation and enabled the ads again. Thanks Google.

Add a comment

Hi all. Nice day today :-) I have some stuff to release:

  • New unlocks for Samsung WP7 devices! Including 2nd generation devices, like Focus S and Omnia W, etc.
  • WP7 Root Tools 1.1
  • WP7 Root Tools SDK 1.0

The unlocks for the Samsung devices will help you to Interop Unlock them. It should also work on fully updated phones! WP7 Root Tools will help you with further unlocks. Read the instructions thoroughly! Especially the instructions for 2nd generations Samsung devices are quite complex. But after these steps you will finally be able to run homebrew-apps :-)

WP7 Root Tools 1.1 has a new Accent Color editor and some more small extra's and fixes. Not all languages are completely translated. I will arrange that as soon as possible.

The new SDK has new functions for setting the Power State and also a few important bug-fixes.

Thanks to Dennis Wilson for doing initial tests with me. And thanks to ManelScout4Life for sending me his Samsung Focus S!! This was of invaluable help finding the unlocks.

All new stuff can be found in the download-section. Have fun!

Heathcliff74

Update 1: From the amount of problem reports about the Samsung 2nd generation unlock, I conclude that I probably made a mistake somewhere in the guide or files. I will retrace my steps and I promise a fix soon! Excuse me for the confusion.

Update 2: Problem found. Solution found. While looking for the problem I found an even better combination of exploits, which also makes the unlock process slightly easier. The new guide is inside the download-package. Make sure you follow the NEW guide, not the guide from the old archive. Especially notice the order in which you need to tap on the attachments! Get the new version of the unlock in the Download-section. Please let me know the results!

Update 3: I'm getting a lot of success stories now. All seems to be working as expected :-) Sorry for the initial confusion. I did so many tests that I had mixed up some test-results. But quickly fixed now!

Update 4: From people who are still not able to unlock, I'd like to collect more detailed information, so I can attempt to fix that for you. Please post the following:

  • Phone Model
  • OS version
  • Firmware revision
  • Were you developer- or student-unlocked when you attempted the unlock?
  • Did you interop-unlock the phone before and what method did you use then?
  • What error-code do you get when you try to try to deploy WP7 Root Tools using, the official Application Deployment tool from the WP7 SDK?

Many people who didn't succeed the first time, have been able to unlock later attempts. They reported various steps that they did, which may have resulted in finally being able to unlock. I've tested most of these steps, but I've not been able to identify the reason possible failures, because at my end, it always succeeds when I follow the guide. I will list here some of my own ideas and some of the ideas that people posted in the comments. You can try this, if you were not able to unlock by just following the guide:

  • Make sure you really didn't exit the mail-app before you restart your phone, as stated in the guide.
  • Make sure you have the mail-attachment opened only once, when you are opening the other attachments. Press-and-hold back-button to verify that.
  • Try to uninstall and reinstall the Wireless Manager. This might actually be a plausible reason for the unlock to start working.
  • If you had official developer- or student-unlock, try to relock your phone and sync with Zune at least once, before you start to follow the Interop Unlock guide.
  • You can try to remove your SIM card before you attempt to unlock the phone.
  • At some point in the guide it states to restart your phone. When you do this, hold power-button and keep holding it. It will show the wallpaper with a message to slide down. Just keep holding the power-button and wait for it to power off. So DON'T release the power-button to slide-down.
  • If you have a linked mailbox, then unlink it, restart your phone and send the mail again to your account. From there on follow the guide.
  • As a final resort, you can try to hard-reset your phone. Some people reported that the unlock did work after a hard-reset, other people reported that it still did not work after a hard-reset. A hard-reset will wipe your apps, data and settings, but you can restore your backup. Sync with Zune at least once, before you start the unlock procedure.

If you manage to unlock your phone after trying the above steps, then please report back, so I can improve the guide.

Add a comment