picard_beta

GAPI to GDI wrapper for 8390

141 posts in this topic

> these will require two certificates. One to work at all, second for GAPI to work.

question is, can we sign our app with both...?

> Regarding automatic provisioning, all there is to it is to execute this at dos prompt:

RapiConfig.exe /p sdktestcerts.xml

Yes, I understand how you can provision the device from the desktop, but that was not my question.

My question was, can we do it automatically when our CAB is installed. I think yes, I think it's possible to include some provisioning xml in CAB files, but we've never done that.

> (which I don't like!! ANY application can silently sign itself on a PC and install its cert on the phone??? WITHOUT user knowledge...)

yes, I agree, it's strange that it does not prompt on the phone when a cert is installed.

BTW I have signed PocketTV Classic 0.14.15 (latest version) with Picard's cert, so if anyone cares to test and confirm that it works, you can get it from there: http://www.pockettv.com/bin/PocketTVSmartp...tphoneSetup.exe

thanks!


Signing with two should be possible, when you right click signed exe or dll, go to "Digital Signatures" it says "Signature List", list would suggest more than one...

Besides, when you select "custom" when signing with Wizard, it says: "You decide which certificates to include in the digital signature".

I will try.

And yes, your signed PocketTV worked right after I installed it :)


All right, something is still not clear to me.

What should the average mio 8390 user do, after downloading our signed PocketTV ?

Do they need to get the "GAPI Solution - Signing Pack.zip" from http://smartphone.modaco.com/viewtopic.php...p=418650#418650 ?

And then, do they just need to run the following command on the DOS prompt:

RapiConfig.exe /p sdktestcerts.xml

I think this is a bit too complicated for the average dumb user who doesn't know what the DOS prompt is...

Can we make this simpler ? Like just installing something ?

> Signing with two should be possible, when you right click signed exe or dll, go to "Digital Signatures" it says "Signature List", list would suggest more than one...

> Besides, when you select "custom" when signing with Wizard, it says: "You decide which certificates to include in the digital signature".

> I will try.

Well, we don't use the interactive version, we use the batch version (i.e. signcode.exe with some options) to sign our exe...


Yes, user needs to download signing pack, BUT:

1. there is a manual with screenshots included

2. no need for DOS, there is just a sign.bat file to double-click :)

so it's not that bad...

and while Mitac promised to release a ROM update in upcoming weeks/months, I think it's best to use the signing pack as it is and wait for the ROM update.


Even if Mitac published a ROM upgrade, only a few percent of mio 8390 users will upgrade their phone.

So I propose to make the installation of the certificate even simpler.

I think that can be done by including the sdktestcerts.xml in our CAB file, using the /prexml of CabWizSP.

If we do that, do you have a way to test that it works ?

I.e. do you have a way to remove the cert from your Smartphone, and check that our CAB file installs it ?

> Ok... now, one more question: wasn't it possible to figure out the address of the raw frame buffer on the 8390 ?

it's protected. only privileged signed application can access it. so even gx.dll is in rom, which means privileged level access (i think) the application itself won't be able to use the returned frame buffer address (SetKMode doesn't help)

so the signing solution is this: you add a privileged certificate to the phone's privileged store (this is the "trick". you are allowed to add certificates to the store. so you don't have to get/buy a real privileged certificate) and use this privileged certificate to sign all your files. btw the certificate in the pack is the one used in EVC and the developer tools.

and of course adding the certificate to the store is only possible with "unlocked" phones!


> it's protected. only privileged signed application can access it. so even gx.dll is in rom, which means privileged level access (i think) the application itself won't be able to use the returned frame buffer address (SetKMode doesn't help)

I see... too bad!

> so the signing solution is this: you add a privileged certificate to the phone's privileged store (this is the "trick". you are allowed to add certificates to the store. so you don't have to get/buy a real privileged certificate) and use this privileged certificate to sign all your files. btw the certificate in the pack is the one used in EVC and the developer tools. and of course adding the certificate to the store is only possible with "unlocked" phones!

yes, i understand... but the weird thing there is that if you make a .cpf file to install your cert (i made one), then the cpf file must be signed with the microsoft root privileged cert (probably because that's needed to add a privileged cert, see http://msdn.microsoft.com/library/default....iceProvider.asp ).

so what's really strange is that you can do that using

RapiConfig.exe /p sdktestcerts.xml

from the desktop...

this looks like a security hole !!!

does that mean that you can easily run any application in totally privileged mode (i.e. allowing use of privileged API's) on all un-signed smartphones ?

if true, that would be fun :)

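The concern raised in the post above, a provisioning XML pushed from the desktop that silently adds a certificate to the privileged store, can be checked for before a provisioning file or CAB is accepted. The following is an added example, not part of the thread or of the signing pack: it audits a CertificateStore provisioning document, rates each certificate by its target store, and checks that the thumbprint naming each entry matches the SHA-1 of the encoded certificate. The store names and XML layout are assumed from the Windows Mobile CertificateStore configuration service provider; the sample document and its certificate bytes are constructed placeholders, not the contents of sdktestcerts.xml.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Store names assumed from the Windows Mobile CertificateStore CSP,
# not taken from this thread or from sdktestcerts.xml.
HIGH_RISK = {"Privileged Execution Trust Authorities", "ROOT"}
CODE_TRUST = {"Unprivileged Execution Trust Authorities", "SPC"}

def audit_provisioning(xml_text):
    """Return one finding per certificate the document would install."""
    findings = []
    for cs in ET.fromstring(xml_text).iter("characteristic"):
        if cs.get("type") != "CertificateStore":
            continue
        for store in cs.findall("characteristic"):
            name = store.get("type", "")
            risk = "high" if name in HIGH_RISK else "medium" if name in CODE_TRUST else "low"
            for cert in store.findall("characteristic"):
                claimed = cert.get("type", "").lower()
                blob = "".join(p.get("value", "") for p in cert.findall("parm")
                               if p.get("name") == "EncodedCertificate")
                try:
                    raw = base64.b64decode("".join(blob.split()), validate=True)
                    actual = hashlib.sha1(raw).hexdigest() if raw else None
                except ValueError:
                    actual = None  # missing or malformed certificate blob
                findings.append({"store": name, "risk": risk, "claimed": claimed,
                                 "hash_ok": actual is not None and actual == claimed})
    return findings

def _entry(store, cert_bytes, claimed=None):
    # Builds one constructed store entry; cert_bytes is placeholder data, not real DER.
    thumb = claimed or hashlib.sha1(cert_bytes).hexdigest()
    b64 = base64.b64encode(cert_bytes).decode()
    return (f'<characteristic type="{store}"><characteristic type="{thumb}">'
            f'<parm name="EncodedCertificate" value="{b64}"/>'
            '</characteristic></characteristic>')

SAMPLE = ('<wap-provisioningdoc><characteristic type="CertificateStore">'
          + _entry("Privileged Execution Trust Authorities", b"constructed-cert-A")
          + _entry("SPC", b"constructed-cert-B", claimed="00" * 20)
          + '</characteristic></wap-provisioningdoc>')

if __name__ == "__main__":
    for finding in audit_provisioning(SAMPLE):
        print(finding)
```

A "high" finding means the document would extend the device's privileged code-signing trust; a failed `hash_ok` means the entry's name does not describe the certificate it carries.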

it only works with unlocked phones and unlocking is quite a security hole :)

but you are right. being able to add your priv. cert. to the phone is different level.


When I get into: Settings - Certificates, I see 1. Personal, 2. Root. But funny thing is that Personal is empty, so I can not delete our certificate.

> When I get into: Settings - Certificates, I see 1. Personal, 2. Root. But funny thing is that Personal is empty, so I can not delete our certificate.

That's because the "Settings" applet does not have enough privileges to look in the certificate store :)

You're serious? :)

Anyway, the Root folder is not empty...

> it only works with unlocked phones and unlocking is quite a security hole :)

> but you are right. being able to add your priv. cert. to the phone is different level.

but normally, unlocked phones do not let applications use privileged API's. except the MPx200, which is "completely" unlocked.

so i'm surprised that there is a security hole that allows accessing privileged API's on unlocked phones.

i wonder if MSFT is aware of that hole...


last question:

only the app needs to be signed with Picard's privileged cert, correct ? need to sign gx.dll or to install anything else than:

1) the signed app

2) the privileged cert in the cert store on the device

correct ?


If the application comes with other files, like DLLs, then these files usually should be signed as well.

So basically yes: signed app with its DLLs and a cert on device.

> If the application comes with other files, like DLLs, then these files usually should be signed as well.

> So basically yes: signed app with its DLLs and a cert on device.

but i didn't sign tgetfile.dll, and you told me that pockettv was working fine... so apparently it is not necessary to sign all the dll's with Picard's cert. and i don't see why this would be necessary either.

that still does not answer my question:

pockettv uses gx.dll . will the fix work just by signing pockettv.exe, or does the user also need to sign gx.dll ?

in other words, is what we say here sufficient, or should the user do something more, e.g. install a signed gx.dll on the phone ?

> no need to sign or do anything with gx.dll

ok... just install the privileged cert on the device and sign the .exe with that same cert... ?


i'm not sure about the .dll files. maybe privileged programs are not allowed to use non privileged dll


If you sign exe and not sign dlls that come with that exe you will get some "privileges" errors, I can confirm that.

> If you sign exe and not sign dlls that come with that exe you will get some "privileges" errors, I can confirm that.

So do you get errors when you select "Select MPEG file" in the PocketTV menu ?

this uses tgetfile.dll, which is not signed.


No, the signed PocketTV works just fine as I wrote a few posts ago. But there are other applications, which come in a form of exe and dll and when you sign only exe, that app won't load at all (or would throw an error when it tried to load that dll), because when exe is signed, it sometimes also requires that dll to be signed.

I never had to sign any dlls that are already on the phone (I mean files that are on the phone after you for example hard reset).


> There are other applications, which come in a form of exe and dll. When you sign only exe, that app won't load at all (or would throw an error when it tried to load that dll), because when exe is signed, it also requires that dll to be signed.

but PocketTV comes in a form of an exe and a dll.

have you really been able to open a file from PocketTV, using the PocketTV menu ?

because this uses the dll that is part of PocketTV, and not signed.

sorry, i'm really confused by what you say, as this seems to be contradictory...


you once provided a link with PocketTV signed with Picard's cert. I installed that, opened file and it played. I didn't have to do (sign) anything.

I can verify that this evening if you wish (I'm at work right now).

I mentioned other applications because Picard said: "i'm not sure about the .dll files. maybe privileged programs are not allowed to use non privileged dll" - and this is usually correct. I wanted other users to be aware of that too.


MoDaCo is part of the MoDaCo.network, © Paul O'Brien 2002-2016. MoDaCo uses IntelliTxt technology.