GAPI to GDI wrapper for 8390


Guest picard_beta

Guest The PocketTV Team

> these will require two certificates. One to work at all, second for GAPI to work.

question is, can we sign our app with both...?

> Regarding automatic provisioning, all there is to it is to execute this at dos prompt:
>
> RapiConfig.exe /p sdktestcerts.xml

Yes, I understand how you can provision the device from the desktop, but that was not my question.

My question was, can we do it automatically when our CAB is installed. I think yes, I think it's possible to include some provisioning xml in CAB files, but we've never done that.

> (which I don't like!! ANY application can silently sign itself on a PC and install its cert on the phone??? WITHOUT user knowledge...)

yes, I agree, it's strange that it does not prompt on the phone when a cert is installed.

BTW I have signed PocketTV Classic 0.14.15 (latest version) with Picard's cert, so if anyone cares to test and confirm that it works, you can get it from there: http://www.pockettv.com/bin/PocketTVSmartp...tphoneSetup.exe

thanks!


Guest schriss

Signing with two should be possible, when you right click signed exe or dll, go to "Digital Signatures" it says "Signature List", list would suggest more than one...

Besides, when you select "custom" when signing with Wizard, it says: "You decide which certificates to include in the digital signature".

I will try.

And yes, your signed PocketTV worked right after I installed it :)


Guest The PocketTV Team

All right, something is still not clear to me.

What should the average mio 8390 user do, after downloading our signed PocketTV ?

Do they need to get the "GAPI Solution - Signing Pack.zip" from http://smartphone.modaco.com/viewtopic.php...p=418650#418650 ?

And then, do they just need to run the following command on the DOS prompt:

RapiConfig.exe /p sdktestcerts.xml

I think this is a bit too complicated for the average dumb user who doesn't know what the DOS prompt is...

Can we make this simpler ? Like just installing something ?


Guest The PocketTV Team

> Signing with two should be possible, when you right click signed exe or dll, go to "Digital Signatures" it says "Signature List", list would suggest more than one...
>
> Besides, when you select "custom" when signing with Wizard, it says: "You decide which certificates to include in the digital signature".
>
> I will try.

Well, we don't use the interactive version, we use the batch version (i.e. signcode.exe with some options) to sign our exe...


Guest schriss

Yes, user needs to download signing pack, BUT:

1. there is a manual with screenshots included

2. no need for DOS, there is just a sign.bat file to double-click :)

so it's not that bad...

and while Mitac promised to release ROM update in upcoming weeks/months, I think it's best to use the signing pack as it is and wait for ROM update.


Guest The PocketTV Team

Even if Mitac published a ROM upgrade, only a few percent of mio 8390 users will upgrade their phone.

So I propose to make the installation of the certificate even simpler.

I think that can be done by including the sdktestcerts.xml in our CAB file, using the /prexml of CabWizSP.

If we do that, do you have a way to test that it works ?

I.e. do you have a way to remove the cert from your Smartphone, and check that our CAB file installs it ?


Guest picard_beta

> Ok... now, one more question: wasn't it possible to figure out the address of the raw frame buffer on the 8390 ?

it's protected. only privileged signed applications can access it. so even gx.dll is in rom, which means privileged level access (i think) the application itself won't be able to use the returned frame buffer address (SetKMode doesn't help)

so the signing solution is this: you add a privileged certificate to the phone's privileged store (this is the "trick". you are allowed to add certificates to the store. so you don't have to get/buy a real privileged certificate) and use this privileged certificate to sign all your files. btw the certificate in the pack is the one used in EVC and the developer tools.

and of course adding the certificate to the store is only possible with "unlocked" phones!


Guest The PocketTV Team

> it's protected. only privileged signed applications can access it. so even gx.dll is in rom, which means privileged level access (i think) the application itself won't be able to use the returned frame buffer address (SetKMode doesn't help)

I see... too bad!

> so the signing solution is this: you add a privileged certificate to the phone's privileged store (this is the "trick". you are allowed to add certificates to the store. so you don't have to get/buy a real privileged certificate) and use this privileged certificate to sign all your files. btw the certificate in the pack is the one used in EVC and the developer tools. and of course adding the certificate to the store is only possible with "unlocked" phones!

yes, i understand... but the weird thing there is that if you make a .cpf file to install your cert (i made one), then the cpf file must be signed with the microsoft root privileged cert (probably because that's needed to add a privileged cert, see http://msdn.microsoft.com/library/default....iceProvider.asp ).

so what's really strange is that you can do that using

RapiConfig.exe /p sdktestcerts.xml

from the desktop...

this looks like a security hole !!!

does that mean that you can easily run any application in totally privileged mode (i.e. allowing use of privileged API's) on all un-signed smartphones ?

if true, that would be fun :)

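Added example, not part of any post in this thread: a check a reviewer could run over a provisioning document (such as the sdktestcerts.xml discussed above, or XML bundled into a CAB) to see which certificate stores it would write to. The wap-provisioningdoc layout and the store names are assumed from the documented CertificateStore configuration service provider, and the sample document with its thumbprints is a constructed placeholder.

```python
import xml.etree.ElementTree as ET

# Store names as documented for the Windows Mobile CertificateStore
# configuration service provider (assumption: the thread does not show them).
CODE_TRUST_STORES = {
    "Privileged Execution Trust Authorities": "high",
    "Unprivileged Execution Trust Authorities": "medium",
    "SPC": "medium",
}

# Constructed sample; thumbprints and certificate bodies are placeholders.
SAMPLE_XML = """<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="Privileged Execution Trust Authorities">
      <characteristic type="PLACEHOLDER_THUMBPRINT_1">
        <parm name="EncodedCertificate" value="PLACEHOLDER_BASE64"/>
      </characteristic>
    </characteristic>
    <characteristic type="ROOT">
      <characteristic type="PLACEHOLDER_THUMBPRINT_2">
        <parm name="EncodedCertificate" value="PLACEHOLDER_BASE64"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""


def audit_provisioning_xml(xml_text):
    """Return one finding per certificate the document would add to a store."""
    root = ET.fromstring(xml_text)
    findings = []
    for csp in root.iter("characteristic"):
        if csp.get("type", "").lower() != "certificatestore":
            continue
        for store in csp.findall("characteristic"):
            name = store.get("type", "")
            for cert in store.findall("characteristic"):
                # Only entries carrying a certificate body are additions.
                if any(p.get("name") == "EncodedCertificate"
                       for p in cert.findall("parm")):
                    findings.append({
                        "store": name,
                        "thumbprint": cert.get("type", ""),
                        "severity": CODE_TRUST_STORES.get(name, "info"),
                    })
    return findings


if __name__ == "__main__":
    for f in audit_provisioning_xml(SAMPLE_XML):
        print(f"{f['severity']:6} {f['store']}: {f['thumbprint']}")
```

A "high" finding means the document adds a certificate to the store that decides which signed code runs privileged, which is the step the posts above describe.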

Guest picard_beta

it only works with unlocked phones and unlocking is quite a security hole :)

but you are right. being able to add your priv. cert. to the phone is different level.


Guest schriss

When I get into: Settings - Certificates, I see 1. Personal, 2. Root. But funny thing is that Personal is empty, so I can not delete our certificate.


Guest The PocketTV Team

> When I get into: Settings - Certificates, I see 1. Personal, 2. Root. But funny thing is that Personal is empty, so I can not delete our certificate.

That's because the "Settings" applet does not have enough privileges to look in the certificate store :)


Guest The PocketTV Team

> it only works with unlocked phones and unlocking is quite a security hole :)
>
> but you are right. being able to add your priv. cert. to the phone is different level.

but normally, unlocked phones do not let applications use privileged API's. except the MPx200, which is "completely" unlocked.

so i'm surprised that there is a security hole that allows accessing privileged API's on unlocked phones.

i wonder if MSFT is aware of that hole...


Guest The PocketTV Team

last question:

only the app needs to be signed with Picard's privileged cert, correct ? need to sign gx.dll or to install anything else than:

1) the signed app

2) the privileged cert in the cert store on the device

correct ?


Guest schriss

If the application comes with other files, like DLLs, then these files usually should be signed as well.

So basically yes: signed app with its DLLs and a cert on device.


Guest The PocketTV Team

> If the application comes with other files, like DLLs, then these files usually should be signed as well.
>
> So basically yes: signed app with its DLLs and a cert on device.

but i didn't sign tgetfile.dll, and you told me that pockettv was working fine... so apparently it is not necessary to sign all the dll's with Picard's cert. and i don't see why this would be necessary either.

that still does not answer my question:

pockettv uses gx.dll . will the fix work just by signing pockettv.exe, or does the user also need to sign gx.dll ?

in other words, is what we say here sufficient, or should the user do something more, e.g. install a signed gx.dll on the phone ?


Guest The PocketTV Team

> no need to sign or do anything with gx.dll

ok... just install the privileged cert on the device and sign the .exe with that same cert... ?


Guest The PocketTV Team

> If you sign exe and not sign dlls that come with that exe you will get some "priviledges" errors, I can confirm that.

So do you get errors when you select "Select MPEG file" in the PocketTV menu ?

this uses tgetfile.dll, which is not signed.


Guest schriss

No, the signed PocketTV works just fine as I wrote a few posts ago. But there are other applications, which come in a form of exe and dll and when you sign only exe, that app won't load at all (or would throw an error when it tried to load that dll), because when exe is signed, it sometimes also requires that dll to be signed.

I never had to sign any dlls that are already on the phone (I mean files that are on the phone after you for example hard reset).


Guest The PocketTV Team

> There are other applications, which come in a form of exe and dll. When you sign only exe, that app won't load at all (or would throw an error when it tried to load that dll), because when exe is signed, it also requires that dll to be signed.

but PocketTV comes in a form of an exe and a dll.

have you really been able to open a file from PocketTV, using the PocketTV menu ?

because this uses the dll that is part of PocketTV, and not signed.

sorry, i'm really confused by what you say, as this seems to be contradictory...


Guest schriss

you once provided a link with PocketTV signed with Picard's cert. I installed that, opened file and it played. I didn't have to do (sign) anything.

I can verify that this evening if you wish (I'm at work right now).

I mentioned other applications because Picard said: "i'am not sure about the .dll files. maybe priviledged programs not allowed to use non priviledged dll" - and this is usually correct. I wanted other users to be aware of that too.
