BB Connect on E71

19 02 2009

So BB Connect for E90 will install on the E71 – with a few slight modifications. It will not properly submit a registration and PIN request. So to install BB Connect on your E71, you can follow these directions.

Firstly, you’ll need full FS access+patched installserver on the E71. You can do this using HelloCarbide on original firmware or HelloOx on 200.xx firmware. Sign it and install it, it’s really that simple. You will need a certificate with 17 levels of TCB access to sign it; email me your IMEI or visit http://cer.s603rd.cn/

Next you will need ROMPatcher with the autorun feature and the C2Z patch. Move the C2Z patch to E:\patches. You will also need to move sw.txt into C:\RESOURCE\versions – this will identify your device as an “E90” when the BB Connect installation is being completed.

Now that you have completed this, you can install BB Connect for E90 by using ROMPatcher to enable C2Z, which will redirect certain files normally read from Z: to C:, which you now have full RW access to.

Open the BBConnect SISX and install it. It will complete and ask you to turn on BB Connect. Do so. Check your HRT and ensure that you have access to the BB backhaul and a blackberry.net APN. Attempt to register by selecting the left soft key and clicking “Register Now”. Nothing will happen. This is being investigated.

If any of you have an E90, wifi and know how to work a packet sniffer, I’d appreciate if you contacted me to see if we can force a request packet to be processed.

http://www.mediafire.com/?sharekey=b0a9396d79079a53d2db6fb9a8902bda has a zip with all required files.





S60/E71 Hacking. Demystified.

5 02 2009

Got bored tonight. Decided to write this up.

After a little time with my E71, I found it was lacking something. I felt restricted. Held down a bit. I come from a life of openness. I like choice. I have a background of Unix and Linux administration. I wear button down shirts and my pet koalas are gay. I am open to choice!

While S60 is an ‘open’ platform, it is still locked down. No access to specific folders. No access to ROM and RAM sections. Obfuscated API and system calls. Certificate requirement and platform security. There has to be a way out. Windows Mobile has cookable ROM and single user, the iPhone has a root jailbreak, Sony Ericsson has FW RAM patches. There has to be something for S60…

First let’s start with installserver. A small daemon that looks over the installation of compiled packages. It checks integrity, entirety, security and installability. ZoRn and FCA are the main characters who lead in the development of the tools used for exploiting the Symbian platform.

I can only assume with my limited knowledge that the best possible way of patching installserver would be to either forge the key and certificate of every requested header, or modify the data stream and replace it with a spoofed one. This would make it seem that every file is legit and signed.

Another way would be to jump the exceptions that would stop a package from being installed. The latter being the “easiest” to pull off. Decompile, jump all functions leading to denial, recompile. Done.

Now you have to get your modified file into the protected filesystem. I have no idea how HelloCarbide accomplishes this. Essentially it is a root jail/cage break that allows code to be run at a higher TCB level. Only applications that are signed with a valid certificate with high enough privileges are allowed to jump parent folders. A possible stack smash or overflow can achieve this, NOP sled to your code in heap that can now do a priv-escalation and you have full capabilities and can run around with scissors.

Another method is the way that BinPDA and SecMan take; AppTrk which is an on-device debugger can set privileges to an application running in kernel memory. You can install a forged root certificate signed and keyed by BinPDA. Now you can install anything signed with a BinPDA cert.

Moving the patched file is relatively easy once the firmware has been compromised to allow you to access the “private” folders of the filesystem. Now I can access system folders, I can access every built-in application, copy it over to a workstation and run it through a decompiler. I can look at every call in every application. I can fuzz it for further exploitation. But what if I don’t want to pooch the device by modifying a required file that can’t be replaced?

Enter ROMPatcher. ROMPatcher works on the principle that code can be directly injected into memory, completely on the fly. Patch a section of memory to point to an empty buffer and then insert your code. When that part of the stack is hit by whichever application you’re exploiting, your code gets run. ROMPatcher works this way for files. It will allow you to replace certain sections of a file with your own entry. Let’s look at a very simple patch by ‘microx256’:

rel:sys\bin\ToDoPlugin.dll:00000003:10:00
rel:sys\bin\ToDoPlugin.dll:00000000:79:00

No idea what rel is short for, probably replace location. snr is search and replace. These two tags differ in that rel takes an address to replace at, while snr seems to replace recursively.

Looking at the patch, firstly it’s telling ROMPatcher it will be expecting a file, a specific location in that file, a value to replace and the replacing value. ROMPatcher will open c:\sys\bin\ToDoPlugin.dll, which is responsible for housing the information for the Memo/To-do plugin on the ActiveStandby screen. It will go to offset ‘00000003’ and replace the value of ‘10’ with ‘00’. It will then go to offset ‘00000000’ and replace ‘79’ with ‘00’.

Next time this DLL is polled, it will pass the patched information and whatever changes were made will be applied.
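To make the two patch lines above concrete, here is a small applier for that patch format. It is an added example, not ROMPatcher’s own code. The “rel” form is exactly the one quoted above (all fields hex, offset then old byte then new byte); the “snr” layout (snr:path:old:new, replace every occurrence) is an assumption based on the post’s description. The sample “DLL” bytes are constructed so both lines apply; the point of the check is that a byte is only overwritten when the file really contains the expected old value, which is the sanity check you want before a patch touches a system binary on the wrong firmware.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PatchLine:
    kind: str              # "rel" (fixed offset) or "snr" (search and replace)
    path: str              # target file inside the ROM, e.g. sys\bin\ToDoPlugin.dll
    old: bytes             # byte(s) expected at the offset, or searched for
    new: bytes             # replacement byte(s), same length as old
    offset: Optional[int]  # absolute byte offset; only meaningful for "rel"


def parse_patch(text: str) -> List[PatchLine]:
    """Parse ROMPatcher-style patch lines.

    rel:<path>:<offset>:<old>:<new>   form shown in the post, all fields hex
    snr:<path>:<old>:<new>            ASSUMED layout of the search-and-replace form
    Blank lines and lines starting with ';' are ignored.
    """
    result = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(":")
        kind = fields[0]
        if kind == "rel" and len(fields) == 5:
            _, path, off, old, new = fields
            result.append(PatchLine(kind, path, bytes.fromhex(old), bytes.fromhex(new), int(off, 16)))
        elif kind == "snr" and len(fields) == 4:
            _, path, old, new = fields
            result.append(PatchLine(kind, path, bytes.fromhex(old), bytes.fromhex(new), None))
        else:
            raise ValueError(f"unrecognised patch line: {line!r}")
    return result


def apply_patches(data: bytes, patches: List[PatchLine]) -> bytes:
    """Apply patches to an in-memory copy of one file and return the new bytes.

    A "rel" line is applied only if the bytes already at the offset equal the
    expected old value; a mismatch means wrong file or wrong firmware build and
    aborts before anything is written.  A "snr" line replaces every occurrence
    of the search bytes.  Replacements must keep the length, so the file size
    (and every other offset in it) stays unchanged.
    """
    buf = bytearray(data)
    for p in patches:
        if len(p.old) != len(p.new):
            raise ValueError("old and new byte strings must have equal length")
        if p.kind == "rel":
            end = p.offset + len(p.old)
            if end > len(buf):
                raise ValueError(f"offset {p.offset:#x} is beyond end of file")
            found = bytes(buf[p.offset:end])
            if found != p.old:
                raise ValueError(f"expected {p.old.hex()} at {p.offset:#x}, found {found.hex()}")
            buf[p.offset:end] = p.new
        else:  # snr
            if p.old not in buf:
                raise ValueError(f"search bytes {p.old.hex()} not found")
            buf = bytearray(bytes(buf).replace(p.old, p.new))
    return bytes(buf)


# The two lines quoted in the post, with the backslashes restored.
TODO_PLUGIN_PATCH = r"""
rel:sys\bin\ToDoPlugin.dll:00000003:10:00
rel:sys\bin\ToDoPlugin.dll:00000000:79:00
"""

# Constructed stand-in for the first eight bytes of the DLL (NOT the real file):
# byte 0 is 0x79 and byte 3 is 0x10, so both patch lines apply cleanly.
FAKE_DLL = bytes([0x79, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00])


def patch_todo_plugin(data: bytes = FAKE_DLL) -> bytes:
    """Apply the ToDoPlugin patch to the given (or constructed) file contents."""
    return apply_patches(data, parse_patch(TODO_PLUGIN_PATCH))


if __name__ == "__main__":
    print(patch_todo_plugin().hex())  # 0000000000000000
```

Running it against a file whose byte at offset 0 is not 0x79 raises instead of silently writing, which is the behaviour you want from anything that edits a binary in sys\bin.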

Most files require the C2Z patch. This patch redirects the contents of Z:, which is uneditable, to a section of C: that can be edited. This allows you to redirect file access: instead of an application looking for Z:\resource\blah.blah, it will now look at C:\resource\blah.blah, which you have access to. This however is not the case on the E71. C: seems to take complete precedence over Z: for some reason. Copy a file from Z: into the matching directory on C: (it won’t exist yet, so you have to create it) – you can make on-the-fly changes to the file in C: and they are immediately effective.

I currently employ this ‘feature’ to give blanket permissions to all Java midlets. By replacing the MIDP assumed security policy file with one that indicates that all untrusted applications are to be treated as trusted, you no longer require ‘signed’ midlets or ones that have specific capabilities. You can now set permissions to any and all java midlets. Excellent.

That’s it for now! Any questions or comments, please post them up!





Handy Shell & Handy Weather Review

4 02 2009

Here’s a review of Handy Shell 3.02 and Handy Weather 6.05 running on the E71 with original factory firmware v100.07.76. I only include the versions and firmware release because there are a few niggles I have with it, that stop me from using it daily which may be fixed on newer versions. Anyways, let’s go!

After an install of Handy Weather and Handy Shell, configuration and executing – which is rather long I might add, you are presented with a new screen.

Lots of information compared to Active Standby. Let’s break it down;

These are the plugins you can manipulate.

You can move them up and down and set the order. You can customize which applications are shown in your shortcuts and what is launched when you select one of the plugins.

In addition to the 5 shortcuts on the main screen, you have an ‘Applications’ page. Pushing the right soft key will move you to a new page and display 12 applications that you can select and execute.

You can pick from every third party application that you have installed on your device that has a proper menu entry accessible as normal. To quickly change an item, simply select it and push your backspace button.

You’ll see a blank space, select it and you will be prompted for a new entry that is searchable. Neato.

Clicking the right soft key will take you to your ‘Contacts’ page. You have 12 contacts just like the previous page, and changing contacts is a breeze. Pictures show up if you have any stored. Nice touch.

From here you can select a contact by using the d-pad. Pushing the center d-pad button will bring up a menu to Dial or Create Message, while directly pushing the Green Call key will initiate a call to the default number stored.

You also have the ability to disable these pages should you not want to see Contacts or Applications.

You can also set key behaviors for Active Standby and Handy Shell. These are annoying. There is no way to completely shut Handy Shell down without uninstalling it.

One of the reasons I liked Handy Shell, was the ability to view a FULL incoming text message directly from the main screen…

AND the ability to mark it as read by pressing the backspace key. The same goes for incoming e-mails.

Now for the bugs/issues I had with it.

1). It took ridiculously long to initialize my device after a reboot.

2). While it has a very small footprint, my device feels a tad slower with it running.

3). I can’t send a text message with Conversation in the background and return to the main shell screen. I can with Active Standby.

If those things changed, I would be using it. The only thing I can recommend or hope for in future changes would be;

1). More plugin customization. Especially with listing what is shown in the “Phone ind./settings” section. More plugins as well, one for Music Player should have been included.

2). A page for Gallery/Pictures. More pages for applications and contacts if wanted. The ability to switch pages by “edging” the cursor. When at the end of the plugin row, moving left or right will move left or right into the next page.

3). The ability to show more depth of upcoming appointments. Let’s see a week in advance – I have a feeling this is a restriction of S60.

So, there you have it. Is it worth $44.95 for the suite? I wouldn’t recommend it as it currently sits; once they add the ability to set multiple pages and more customizations to the plugins, it will definitely be worth investing some money in.





No Updates

4 02 2009

Long time since I’ve had a new post. Expect a review of Handy Shell + Handy Weather on E71 since I haven’t really seen too many. I was requested by a friend to do a review of S60Ticker so I’ll do that too, but not the NewsReader Ticker, since I despise it.

I’ll also make a lengthy post of the in-depth customizations on my E71 that make it a heck of a device for me. I’m also working on a patch for ROMPatcher that will replace the Active Standby SMS envelope indicator and allow it to directly open Conversations.





Tip & Themes

9 12 2008

A quick customization I have on my E71 – using SmartSettings and MagicKey, I can lock my device using the PTT button on the right side between the volume keys and I can unlock using a double tap on the UP-UP dpad. Here’s how it’s done;

In SmartSettings, set your “Easy lock” to the Red Call End button, push it twice and wait for the timeout. Set your “Easy unlock” to the UP button on the dpad, again push it twice and wait for the timeout. Save and next step. Open MagicKey. Create a new Application and select as “Home Screen” from the list.

Hit right on the dpad and create a new keymap. Add a new keypair, press the Green Call button then the PTT button, hit Ok. Now press the Green Call button and the Red Call End button, push Ok. You should now have this;


Now whenever you tap twice on your PTT button while on the home screen, your device will lock.

I’d also like to share with you some screenshots of my favorite and most used themes with links of where to get them. The theme above is what I am obviously currently using;


Nokia Neon Noise


S60 Estro


Zune Everglade


Zune Phyta





N82 Aftermath.

29 11 2008

Here’s my take on the N82 that I received from the S60 Ambassador program.

I received the package from DHL;

DHL Box

I quickly tore into it like David Hasselhoff at the beach revealing the N82 all tip top ‘n’ boxed up. It had a much nicer cover than my E71. I like the sliding cover that gives details about the device and the hipster background pictures;

n82-003-small

Opening up the box, I’m hit again with the pop culture pictures on the inside, no big deal. It actually makes me feel as if I have a device that might be useful for being a social butterfly. Who can argue with that;

n82-005-small

The device is covered with a plastic shield force-field to confuse you as you paw for it. Can’t…get…oh, there’s plastic around it. Lifting the flap helps to reveal the accessories and gives you access to the phone, and here it is;

n82-007-small

Buttons are small, screen is large. Housing is very plasticky and has a cheap feel – but it looks good from the front and sides. The back has a lined design on it that looks like it should be indented for grip, but alas it is not and I simply don’t like it. The upper d-pad and soft key area is very cluttered; the media/gallery key should be done away with. I often found myself smashing the raised button when attempting to select the right soft key or removing an incorrectly predicted text with the ‘C’ button. I’ll address the T9 implementation later! The one aspect I do appreciate about the N82 hardware – is the flat button. I hate raised buttons on the sides of a device as they tend to get snagged when removing or inserting it into a pocket or case. The buttons are flush and still provide solid feedback indicating that they have been pressed.

Inside the box there are a slew of cables and cords. I got a 2mm EU charger with mine for some reason; tangled up in the box is a TV-OUT/composite cable, microusb data cable, and 3.5mm headphones with in-line mic and media controls;

n82-010-small

Yes those are my pants, and yes they have newsprint on them. Be jealous.

Getting back to the device, it ships with a BP-6MT battery which is rated at 1050mAH, plenty of power for this device in my opinion…that is if you can get the battery cover off. There’s a small nub that must be depressed while sliding the cover, remember those lines that you imagine would be useful for grip if they were indented into the cover? Yeah, those useful ones. The cover is smooth and slippery, you might as well coat your fingers in crisco while trying to remove it.

On the software side, the N82 is like any other N-series S60v3FP1 device. Confusing but powerful. Customizable yet limited. The first thing I did? Update to the newest firmware and get to installin’ apps. I decided to give it a quick try-out before I loaded it down, everything ran fast…dare I say faster than my E71. Yes. Tasks with the system and menu loading were actually faster than my E71. I had tons of apps on the E71 and I never noticed any degraded performance. So I decided to do the same with the N82. I tossed on my regular needed applications which include Psiloc Font Magnifier (I actually only decrease font size with it), SEVEN, Conversation and loaded a map for Nokia Maps. I performed a reboot – up it came and it was disgustingly slow. System tasks were still quick and snappy but navigating through SMS and emails was a pain. I hard reset and everything was fine again.

I decided to leave it at that and try out the camera. I flicked open with shutter button with enough pizazz to put David Copperfield to shame and started snapping one offs. It was clean. Shots were clear, they weren’t grainy or out of focus or blurry like 90% of the camera phones out there. Neat-o! I’m sure you’ve all used the camera and are very happy with it. I, myself, am not a big picture kinda guy so that’s the extent of my N82 camera usage.

I really enjoyed the accelerometer in the device, however I found it a bit too sensitive – often times I was holding the device at waist level and it would auto-rotate. I also wonder if there’s an issue with battery life as the screen also rotates when the device is in power saver mode. I absolutely despise the T9 implementation. Almost every other device I have used without a QWERTY has had a pop-up drop-down with suggestions of words for selection. Either I am a complete fool and was unable to find it or it doesn’t exist. I can’t understand the reasoning behind this. C’mon, Sony Ericsson has had this on their “feature phones” for ages now. Anyways, that’s all.

The N82 will be going back in the box and back to the Amby team well before my trial is over. The bad T9 in S60, tiny navigational d-pad area and mini-me chiclet 12 key have effectively stopped me from using the device. No matter how good the camera is, I can barely use it as a mobile phone. If I find myself ‘oot-n-aboot’ on leisure; I take the N82 to give it a chance for the device to grow on me.





N82 Arrives

27 11 2008

My N82 has finally arrived.

My initial impressions are ‘ho hum’. E71 has really spoiled me with full QWERTY. The numerical keys on the 82 are very small. The soft keys, d-pad and media+menu keys are horribly placed. I don’t have large hands by any means so I know it’s not me, but I can not get used to using those keys. The d-pad is also much flatter and gives less feedback than I am used to. The screen is nice and large for a handset of this size.

I will give it a try for a few weeks and try to get used to Nokia’s T9 (again) and the subtle differences between N and E-series devices (again).





:( N82 & New Nokia Maps

21 11 2008

Still waiting for my new N82 from the S60 Team. I haven’t written any S60 Ambassadors reports recently, been busy. New Nokia Maps is out, no visual changes or anything – I did experience quicker lock times on my E71 however. That alone is worth installing the new one. Just a direct install and it will over-write the previous version. Here’s the link;

http://nds1.nokia.com/files/support/global/phones/software/Nokia_Maps_2.0_4503_3.1_u.sis





New service? Emoroom?

17 11 2008

I stumbled across emoroom.com which is a weird service touted for “couples”. It documents calls, messages and such between your two handsets. It can also remotely vibrate and turn on/off the display of the handsets. Here’s an excerpt from their FAQ which is pretty damn weird.

“All of the partners phone conversations, all of the text messages, MMS-es, e-mails and tunes they exchange will be stored on a private web page no one but them will have access to.”

“Our calendar was inspired by a Buddhist prayer book and is supposed to remind you how important it is to be together and to care about one another.”

I guess if you want to run patterns of your communication and time spent ‘together’ while physically apart it might be useful?

I am also still waiting for my N82. Was a small hold up with DHL shipping but it’s been cleared up. I’m also told it’s not pre-loved.





HandWave BETA

14 11 2008

HandWave BETA is out – currently only available to those who donate. I tried it on my E71 however it only supports portrait screen orientation! If my N82 arrives today I’ll be giving it a thorough run-through. I have an unsigned release which is not IMEI tied, from a testing dev. Send me an email if you think you deserve it.