Progress report on Nokia Lumia 800 interop unlock research
Today I received a Nokia Lumia 800 from Justin Angel, and the first task I decided to tackle with it was to find a way to perform the interop unlock, which would allow me to use ID_CAP_INTEROPSERVICES. I found a possible vector, but there is a significant limitation to what I can do with it because of the absence of write permissions in the Windows folder.
First thing I did was dump the RGU (registry update) files. I stumbled across e90e08b4-bb0a-4d01-bcb8-ecc476fdcdc6.rgu that contained the following:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\FieldTest]
"ManufacturingProvXmlPath"="\\windows\\Nokia_ServiceTools_01.provXML"
"ManufacturingAppTaskUri"="app://810a0b71-dd45-4bdf-84d0-df0584575fcb/_default"
[HKEY_LOCAL_MACHINE\Drivers\BuiltIn\Oddt]
"Dll"="OddtDriver.dll"
"Prefix"="NOD"
"Index"=dword:1
"Order"=dword:64
"Flags"=dword:10
"IClass"=multi_sz:"{4619249B-6362-4520-B700-984C8E7BC7A4}"
"AccountSid"="SID_UDEVICE_TCB"
The Nokia Diagnostics app is listed here under the 810a0b71-dd45-4bdf-84d0-df0584575fcb GUID. It can still be accessed through ##634#. The idea is the following: when the application is installed (the command is invoked through the dialer), the provisioning file is executed. The contents of Nokia_ServiceTools_01.provXML are the following:
<?xml version="1.0" encoding="utf-8" ?>
<wap-provisioningdoc>
<characteristic type="AppInstall">
<characteristic type="{810a0b71-dd45-4bdf-84d0-df0584575fcb}">
<parm name="InstallInfo" value="\Windows\OddtApplication_Retail.xap;\Windows\OddtApplication_Retail_License.xml;{eec6eba9-f001-442c-a0dd-aa560ca0b093};{7d0894d3-59c2-4fc2-98cc-255d2b6e8d08};FALSE" />
</characteristic>
</characteristic>
</wap-provisioningdoc>
So there is a hook. The catch is editing this provisioning file to modify a registry setting – MaxUnsignedApp. Overall, it should look something like this:
<?xml version="1.0" encoding="utf-8" ?>
<wap-provisioningdoc>
<characteristic type="AppInstall">
<characteristic type="{810a0b71-dd45-4bdf-84d0-df0584575fcb}">
<parm name="InstallInfo" value="\Windows\OddtApplication_Retail.xap;\Windows\OddtApplication_Retail_License.xml;{eec6eba9-f001-442c-a0dd-aa560ca0b093};{7d0894d3-59c2-4fc2-98cc-255d2b6e8d08};FALSE" />
</characteristic>
</characteristic>
<characteristic type="Registry">
<characteristic type="HKLM\Software\Microsoft\DeviceReg\Install">
<parm datatype="integer" value="2147483647" name="MaxUnsignedApp"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
So far, I have tried modifying and replacing the file in various ways, unsuccessfully. I analyzed the Diagnostics app and it does indeed have registry get/set methods, implemented through OddtCom.dll. However, the application itself has no provisioning mechanism whatsoever that would allow me to pass specific settings to the registry other than those that are hardcoded. Research is still in progress.
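A defender-side check for the kind of tampering discussed in this post, as an added example that is not part of the original post or of Nokia's tooling: it parses a provisioning document and reports every setting that sits outside the AppInstall characteristic. Both sample documents are constructed from the post's listings; the function names and the "Registry" wrapper node are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the stock service-tools document shown in the post.
STOCK = r"""<wap-provisioningdoc>
<characteristic type="AppInstall">
<characteristic type="{810a0b71-dd45-4bdf-84d0-df0584575fcb}">
<parm name="InstallInfo" value="\Windows\OddtApplication_Retail.xap;\Windows\OddtApplication_Retail_License.xml;{eec6eba9-f001-442c-a0dd-aa560ca0b093};{7d0894d3-59c2-4fc2-98cc-255d2b6e8d08};FALSE" />
</characteristic>
</characteristic>
</wap-provisioningdoc>"""

# Constructed sample: the same document with the registry characteristic from
# the post appended (nesting it under a "Registry" node is an assumption).
MODIFIED = STOCK.replace("</wap-provisioningdoc>", r"""<characteristic type="Registry">
<characteristic type="HKLM\Software\Microsoft\DeviceReg\Install">
<parm datatype="integer" value="2147483647" name="MaxUnsignedApp"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>""")

def _walk(node, path):
    """Yield (path, parm) for every <parm>, where path lists the enclosing characteristic types."""
    for child in node:
        if child.tag == "characteristic":
            yield from _walk(child, path + [child.get("type", "")])
        elif child.tag == "parm":
            yield path, child

def audit_provxml(text):
    """Return (installs, unexpected): the parsed InstallInfo entries and every
    setting found outside the AppInstall characteristic."""
    root = ET.fromstring(text)
    if root.tag != "wap-provisioningdoc":
        raise ValueError("not a wap-provisioningdoc")
    installs, unexpected = [], []
    for path, parm in _walk(root, []):
        name, value = parm.get("name"), parm.get("value", "")
        if path[:1] == ["AppInstall"] and name == "InstallInfo":
            xap, lic, *_ = value.split(";") + [None]  # first two fields: package, license
            installs.append({"product": path[-1], "xap": xap, "license": lic})
        else:
            unexpected.append({"path": "/".join(path), "name": name, "value": value})
    return installs, unexpected

if __name__ == "__main__":
    for label, doc in (("stock", STOCK), ("modified", MODIFIED)):
        print(label, audit_provxml(doc))
```

An empty second list means the file only installs the listed package; any entry in it is a setting the stock document does not carry.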
6 Comments
ChrisK said
Did you try to move the files into the Windows folder via provisioning?
Den Delimarsky said
There is no access to the Windows folder via provisioning. Either way, currently we don't even have direct provisioning access.
Zdblshf said
Have you tried just using another OS, like Mac, to visit the same file and change it?
dennis said
It's not about the OS you use to access the phone. There are internal Windows Phone restrictions.
xSacha said
If the file is sent through an update, what stops you from modifying the file by pretending to be the update server and providing a modified file?
Alex Adekola said
Did you make any progress on this? Thanks for listing the free Windows phone deal.