Why I love my E71 and the S60 Platform

10 09 2009

With a slew of new devices constantly being released, it’s hard to stay with one platform and with one manufacturer. A few phones that have caught my attention enough to draw me away? The Palm Pre and Pixi, Motorola’s Cliq and HTC’s Touch Pro 2 are the main contenders.

There’s a reason I haven’t gone back to Windows Mobile. There’s a reason I haven’t gone over to Android. There are numerous reasons I haven’t switched to an iPhone and the *only* reason I haven’t tried WebOS is because the only available device is on a CDMA carrier.

What are the other reasons? Here are the top 5, in no particular order.

1). SMB/SAMBA support.

I run Windows and Linux at home. I have an 802.11 network with WDS. I have multiple routers feeding my home location for seamless hand-offs anywhere. I can step inside my garage, and access any computer on the network via SMB. I can lounge on the deck and access my main workstation, my laptops or my audio server. This of course isn’t native, but it is done with the very intuitive software from Telexy Networks called SymSMB. Not free, and it’s also been officially discontinued but it’s worth every penny and it’s a first install on any of my S60 devices.

2). Intelligent Profile Switching.

Just like many people, I sleep. I also wake up. I go to school (or work) and I have other daily activities. I don’t want my phone interrupting me when I’m busy. A ringer switch isn’t smart enough to know when to enable itself (I’m looking at you, iPhone). I want to have my phone work itself around me. When I walk into a theater – go to vibrate/silent mode and turn the brightness down to 5% just in case I need to use it. When I’m sleeping – silence all SMS, MMS and e-mail, switch the ringer to a lower volume and play a more soothing tone to wake me up, and while you’re at it let’s also drop the brightness down to 20% and turn on bluetooth so I can answer with my headphones since I’ve been known to fall asleep with them on. Oh, and I want it to happen only on week-nights between 10 PM and 7 AM. But, I’d also like you to know when I’m in class and switch to Offline mode since I don’t always get a signal and when I’m done, switch back Online and retrieve my messages for me.

Doesn’t sound possible does it? It is and my E71 does everything I’ve mentioned, thanks to SmartphoneWare Best Profiles. It has the ability to switch profiles based on GSM LAC-ID (location based), calendar entries (fully customizable search) and time of day.

3). WiFi Sharing/Tethering.

Oh hi, I’m on the VIA train with my friends. We’re all on laptops, doing work, checking our favorite websites or just playing games. We didn’t need to pay an extra $15 for WiFi access. When we get to our hotel, we don’t need to use the insecure pipeline they provide. When my home connection goes down, I don’t have to switch to dial-up just to stay online. Why, thank you JoikuSpot. Using JoikuSpot, I can share my 3G/UMTS connection with 254 clients. That’s right, 254 people. I don’t have to pay an extra $10 to my provider for a “tethering SOC”. I don’t have to buy a new device to do so (I see you, MiFi). I can simply fire up the software, which does all the work of configuring a DHCP server, enabling WiFi and setting it into EITHER Ad-hoc mode or full Infrastructure with the option of using WEP (I know, I know). I give my friends the SSID and key, and before you can punch Mahatma Gandhi in the solar-plexus – we’re all online consuming the internet best as we can.

4). Hardware Changes.

Another easy reason? I can make subtle changes to the hardware on my device. I bought my E71 as a gray steel. I purchased a white keyboard and a black housing after the fact. I can change them out at anytime I feel like it. This might be trivial, but after a few months of using one color, swapping makes it feel like a whole new device at times. I can match my dark themes with the black housing and my lighter themes with the white housing.

5). Open Platform.

I like S60 and Symbian. I like how Nokia has put it all together. I like their integration. I like their beta applications (ImageExchange). I like their officially released applications (SportsTracker, Share Online, Nokia Maps). I like the ability to have Python on my device. I like the ability to have Ruby on my device. I can write full MS Word, Excel and PowerPoint compatible documents. I can get instant push email via numerous 3rd party providers or via IMAP Idle. I can access the filesystem. I can torrent. I can download podcasts directly to my device, and play them in almost any format at my leisure. I have A2DP with AVRCP. I have full OBEX-FTP.

Okay, so the last item was a bit of cheating, but as you can see, S60 on the E71 and comparable hardware is just simply the bee’s knees to me. Android is bringing some great changes to the mobile platform world, same goes for WebOS. Hopefully Symbian Foundation can step up to the plate. As for me, I’ll be sticking with S60 and my E71 until something that can fulfill the above needs comes out. The E72 does it, but too many little changes and not enough larger ones, such as the screen.





BB Connect on E71

19 02 2009

So BB Connect for E90 will install on the E71 – with a few slight modifications. It will not properly submit a registration and PIN request. So to install BB Connect on your E71, you can follow these directions.

Firstly, you’ll need full FS access+patched installserver on the E71. You can do this using HelloCarbide on original firmware or HelloOx on 200.xx firmware. Sign it and install it, it’s really that simple. You will need a certificate with 17 levels of TCB access to sign it; email me your IMEI or visit http://cer.s603rd.cn/

Next you will need ROMPatcher with the autorun feature and the C2Z patch. Move the C2Z patch to E:\patches. You will also need to move sw.txt into C:\RESOURCE\versions – this will identify your device as an “E90” when the BB Connect installation is being completed.

Now that you have completed this, you can install BB Connect for E90 by using ROMPatcher to enable C2Z which will cause a re-direct of certain files normally stored in Z: to C: which you now have full RW access to.

Open the BBConnect SISX and install it. It will complete and ask you to turn on BB Connect. Do so. Check your HRT and enable that you have access to the BB backhaul and a blackberry.net APN. Attempt to register by selecting the left soft key and clicking “Register Now”. Nothing will happen. This is being investigated.

If any of you have an E90, wifi and know how to work a packet sniffer, I’d appreciate if you contacted me to see if we can force a request packet to be processed.

http://www.mediafire.com/?sharekey=b0a9396d79079a53d2db6fb9a8902bda has a zip with all required files.





S60/E71 Hacking. Demystified.

5 02 2009

Got bored tonight. Decided to write this up.

After a little time with my E71, I found it was lacking something. I felt restricted. Held down a bit. I come from a life of openness. I like choice. I have a background of Unix and Linux administration. I wear button down shirts and my pet koalas are gay. I am open to choice!

While S60 is an ‘open’ platform, it is still locked down. No access to specific folders. No access to ROM and RAM sections. Obfuscated API and system calls. Certificate requirement and platform security. There has to be a way out. Windows Mobile has cookable ROM and single user, the iPhone has a root jailbreak, Sony Ericsson has FW RAM patches. There has to be something for S60…

First let’s start with installserver. A small daemon that looks over the installation of compiled packages. It checks integrity, entirety, security and installability. ZoRn and FCA are the main characters who lead in the development of the tools used for exploiting the Symbian platform.

I can only assume, with my limited knowledge, that the best possible ways of patching installserver would be to either forge the key and certificate of every requested header – modify the data stream and replace it with a spoofed one. This would make it seem that every file is legit and signed.

Another way would be to jump the exceptions that would stop a package from being installed. The latter being the “easiest” to pull off. Decompile, jump all functions leading to denial, recompile. Done.

Now you have to get your modified file into the protected filesystem. I have no idea how HelloCarbide accomplishes this. Essentially it is a root jail/cage break that allows code to be run at a higher TCB level. Only applications that are signed with a valid certificate with high enough privileges are allowed to jump parent folders. A possible stack smash or overflow can achieve this, NOP sled to your code in heap that can now do a priv-escalation and you have full capabilities and can run around with scissors.

Another method is the way that BinPDA and SecMan take; AppTrk which is an on-device debugger can set privileges to an application running in kernel memory. You can install a forged root certificate signed and keyed by BinPDA. Now you can install anything signed with a BinPDA cert.

Moving the patched file is relatively easy once the firmware has been compromised to allow you to access the “private” folders of the filesystem. Now I can access system folders, I can access every built-in application, copy it over to a workstation and run it through a decompiler. I can look at every call in every application. I can fuzz it for further exploitation. But what if I don’t want to pooch the device by modifying a required file that can’t be replaced?

Enter ROMPatcher. ROMPatcher works on the principle that code can be directly injected into memory, completely on the fly. Patch a section of memory to point to an empty buffer and then insert your code. When that part of the stack is hit by whichever application you’re exploiting, your code gets run. ROMPatcher works this way for files. It will allow you to replace certain sections of a file with your own entry. Let’s look at a very simple patch by ‘microx256’:

rel:\sys\bin\ToDoPlugin.dll:00000003:10:00
rel:\sys\bin\ToDoPlugin.dll:00000000:79:00

No idea what rel is short for, probably replace location. snr is search and replace. These 2 tags differ in the fact that rel can take an address to replace, while snr seems to replace recursively.

Looking at the patch, firstly it’s telling ROMPatcher it will be expecting a file, a specific location in that file, a value to replace and the replacing value. ROMPatcher will open c:\sys\bin\ToDoPlugin.dll, which is responsible for housing the information for the Memo/To-do plugin on the ActiveStandby screen. It will go to offset ‘00000003’ and replace the value of ‘10’ with ‘00’. It will then go to offset ‘00000000’ and replace ‘79’ with ‘00’.

Next time this DLL is polled, it will pass the patched information and whatever changes were made will be applied.
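To make the line format concrete, here is an added example (my own, not code from the post or from ROMPatcher): a small parser for the ‘rel’ lines above and an applier that refuses to write a byte unless it currently holds the value the patch expects, which is the check you want before touching a system DLL in place. The 8-byte image is a constructed stand-in for ToDoPlugin.dll, not real Symbian code.

```python
"""Parse ROMPatcher-style 'rel' lines and apply them with a pre-check.

Format as the post describes it:
    rel:<path>:<offset>:<expected byte>:<replacement byte>
Offsets and byte values are hexadecimal.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RelPatch:
    path: str       # e.g. \sys\bin\ToDoPlugin.dll (relative to the drive)
    offset: int     # byte offset into the file
    expected: int   # value the byte must hold before patching
    new: int        # value written in its place


def parse_rel_line(line: str) -> RelPatch:
    """Parse one 'rel:' line; other tags (e.g. 'snr') are rejected."""
    head, off, old, new = line.strip().rsplit(":", 3)  # path may contain ':'
    tag, path = head.split(":", 1)
    if tag != "rel":
        raise ValueError(f"unsupported tag {tag!r}")
    return RelPatch(path, int(off, 16), int(old, 16), int(new, 16))


def apply_rel_patches(image: bytes, patches: list) -> bytes:
    """Return a patched copy of image; fail loudly on any mismatch."""
    buf = bytearray(image)
    for p in patches:
        if p.offset >= len(buf):
            raise ValueError(f"{p.path}: offset {p.offset:#x} beyond end of file")
        if buf[p.offset] != p.expected:
            raise ValueError(f"{p.path} @ {p.offset:#x}: found {buf[p.offset]:02x}, "
                             f"expected {p.expected:02x}; wrong file or firmware?")
        buf[p.offset] = p.new
    return bytes(buf)


# The two lines from the post, with backslashes as in a real patch file.
PATCH_TEXT = r"""
rel:\sys\bin\ToDoPlugin.dll:00000003:10:00
rel:\sys\bin\ToDoPlugin.dll:00000000:79:00
"""

# Constructed stand-in for the first 8 bytes of the DLL: 0x79 at offset 0
# and 0x10 at offset 3, so both lines apply cleanly.
FAKE_DLL = bytes([0x79, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    patches = [parse_rel_line(l) for l in PATCH_TEXT.splitlines() if l.strip()]
    print(apply_rel_patches(FAKE_DLL, patches).hex())
```

Run against a file whose bytes differ from the patch’s expectations (a different firmware build, say) and the applier stops instead of silently corrupting the file.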

Most files require the C2Z patch. This patch moves the contents of Z:, which is uneditable, to a section of C: that can be edited. This allows you to redirect file access: instead of an application looking for Z:\resource\blah.blah, it will now look at C:\resource\blah.blah, which you have access to. This however is not the case on the E71. C: seems to take complete precedence over Z: for some reason. Copy a file from Z: to a directory that does not exist on C: (which forces you to make it) – you can make on-the-fly changes to the file in C: and they are immediately effective.

I currently employ this ‘feature’ to give blanket permissions to all Java midlets. By replacing the MIDP assumed security policy file with one that indicates that all untrusted applications are to be treated as trusted, you no longer require ‘signed’ midlets or ones that have specific capabilities. You can now set permissions to any and all java midlets. Excellent.

That’s it for now! Any questions or comments, please post them up!