Guest The PocketTV Team
Posted August 21, 2004

> these will require two certificates. One to work at all, second for GAPI to work.

question is, can we sign our app with both...?

> Regarding automatic provisioning, all there is to it is to execute this at dos prompt: RapiConfig.exe /p sdktestcerts.xml

Yes, I understand how you can provision the device from the desktop, but that was not my question. My question was, can we do it automatically when our CAB is installed. I think yes, I think it's possible to include some provisioning xml in CAB files, but we've never done that.

> (which I don't like!! ANY application can silently sign itself on a PC and install its cert on the phone??? WITHOUT user knowledge...)

yes, I agree, it's strange that it does not prompt on the phone when a cert is installed.

BTW I have signed PocketTV Classic 0.14.15 (latest version) with Picard's cert, so if anyone cares to test and confirm that it works, you can get it from there: http://www.pockettv.com/bin/PocketTVSmartp...tphoneSetup.exe

thanks!

Guest schriss
Posted August 21, 2004

Signing with two should be possible, when you right click signed exe or dll, go to "Digital Signatures" it says "Signature List", list would suggest more than one... Besides, when you select "custom" when signing with Wizard, it says: "You decide which certificates to include in the digital signature". I will try.

And yes, your signed PocketTV worked right after I installed it :)

Guest The PocketTV Team
Posted August 21, 2004

All right, something is still not clear to me. What should the average mio 8390 user do, after downloading our signed PocketTV ?

Do they need to get the "GAPI Solution - Signing Pack.zip" from http://smartphone.modaco.com/viewtopic.php...p=418650#418650 ?

And then, do they just need to run the following command on the DOS prompt:

RapiConfig.exe /p sdktestcerts.xml

I think this is a bit too complicated for the average dumb user who doesn't know what the DOS prompt is... Can we make this simpler ? Like just installing something ?

Guest The PocketTV Team
Posted August 21, 2004

> Signing with two should be possible, when you right click signed exe or dll, go to "Digital Signatures" it says "Signature List", list would suggest more than one... Besides, when you select "custom" when signing with Wizard, it says: "You decide which certificates to include in the digital signature". I will try.

Well, we don't use the interactive version, we use the batch version (i.e. signcode.exe with some options) to sign our exe...

Guest schriss
Posted August 21, 2004

Yes, user needs to download signing pack, BUT:

1. there is manual with screenshots included
2. no need for DOS, there is just a sign.bat file to double-click :)

so it's not that bad... and while Mitac promised to release ROM update in upcoming weeks/months, I think it's best to use the signing pack as it is and wait for ROM update.

Guest The PocketTV Team
Posted August 21, 2004

Even if Mitac published a ROM upgrade, only a few percent of mio 8390 users will upgrade their phone.

So I propose to make the installation of the certificate even simpler. I think that can be done by including the sdktestcerts.xml in our CAB file, using the /prexml of CabWizSP.

If we do that, do you have a way to test that it works ? I.e. do you have a way to remove the cert from your Smartphone, and check that our CAB file installs it ?

Guest picard_beta
Posted August 21, 2004

> Ok... now, one more question: wasn't possible to figure out the address of the raw frame buffer on the 8390 ?

it's protected. only privileged signed application can access it. so even gx.dll is in rom, which means privileged level access (i think) the application itself won't be able to use the returned frame buffer address (SetKMode doesn't help)

so the signing solution is this: you add a privileged certificate to the phone's privileged store (this is the "trick". you are allowed to add certificates to the store. so you don't have to get/buy a real privileged certificate) and use this privileged certificate to sign all your files.

btw the certificate in the pack is the one used in EVC and the developer tools.

and of course adding the certificate to the store is only possible with "unlocked" phones!

Guest The PocketTV Team
Posted August 21, 2004

> it's protected. only privileged signed application can access it. so even gx.dll is in rom, which means privileged level access (i think) the application itself won't be able to use the returned frame buffer address (SetKMode doesn't help)

I see... too bad!

> so the signing solution is this: you add a privileged certificate to the phone's privileged store (this is the "trick". you are allowed to add certificates to the store. so you don't have to get/buy a real privileged certificate) and use this privileged certificate to sign all your files. btw the certificate in the pack is the one used in EVC and the developer tools. and of course adding the certificate to the store is only possible with "unlocked" phones!

yes, i understand... but the weird thing there is that if you make a .cpf file to install your cert (i made one), then the cpf file must be signed with the microsoft root privileged cert (probably because that's needed to add a privileged cert, see http://msdn.microsoft.com/library/default....iceProvider.asp ).

so what's really strange is that you can do that using RapiConfig.exe /p sdktestcerts.xml from the desktop... this looks like a security hole !!!

does that mean that you can easily run any application in totally privileged mode (i.e. allowing use of privileged API's) on all un-signed smartphones ? if true, that would be fun :)

Guest picard_beta
Posted August 21, 2004

it only works with unlocked phones and unlocking is quite a security hole :) but you are right. being able to add your priv. cert. to the phone is a different level.

Guest schriss
Posted August 21, 2004

When I get into: Settings - Certificates, I see 1. Personal, 2. Root. But funny thing is that Personal is empty, so I can not delete our certificate.

Guest The PocketTV Team
Posted August 21, 2004

> When I get into: Settings - Certificates, I see 1. Personal, 2. Root. But funny thing is that Personal is empty, so I can not delete our certificate.

That's because the "Settings" applet does not have enough privileges to look in the certificate store :)

Guest schriss
Posted August 21, 2004

You're serious? :) Anyway, the Root folder is not empty...

Guest The PocketTV Team
Posted August 21, 2004

> it only works with unlocked phones and unlocking is quite a security hole :) but you are right. being able to add your priv. cert. to the phone is a different level.

but normally, unlocked phones do not let applications use privileged API's. except the MPx200, which is "completely" unlocked.

so i'm surprised that there is a security hole that allows accessing privileged API's on unlocked phones. i wonder if MSFT is aware of that hole...

Guest The PocketTV Team
Posted August 21, 2004

All right, here is the announcement: http://smartphone.modaco.com/viewtopic.php?t=113069

Thanks to all of you!

Guest The PocketTV Team
Posted August 22, 2004

last question: only the app needs to be signed with Picard's privileged cert, correct ?

need to sign gx.dll or to install anything else than:

1) the signed app
2) the privileged cert in the cert store on the device

correct ?

Guest schriss
Posted August 23, 2004

If the application comes with other files, like DLLs, then these files usually should be signed as well. So basically yes: signed app with its DLLs and a cert on device.

Guest The PocketTV Team
Posted August 23, 2004

> If the application comes with other files, like DLLs, then these files usually should be signed as well. So basically yes: signed app with its DLLs and a cert on device.

but i didn't sign tgetfile.dll, and you told me that pockettv was working fine... so apparently it is not necessary to sign all the dll's with Picard's cert. and i don't see why this would be necessary either.

that still does not answer my question: pockettv uses gx.dll . will the fix work just by signing pockettv.exe, or does the user also need to sign gx.dll ?

in other words, is what we say here sufficient, or should the user do something more, e.g. install a signed gx.dll on the phone ?

Guest picard_beta
Posted August 23, 2004

no need to sign or do anything with gx.dll

Guest The PocketTV Team
Posted August 23, 2004

> no need to sign or do anything with gx.dll

ok... just install the privileged cert on the device and sign the .exe with that same cert... ?

Guest picard_beta
Posted August 23, 2004

i'm not sure about the .dll files. maybe privileged programs are not allowed to use non privileged dll

Guest schriss
Posted August 23, 2004

If you sign exe and not sign dlls that come with that exe you will get some "priviledges" errors, I can confirm that.

Guest The PocketTV Team
Posted August 23, 2004

> If you sign exe and not sign dlls that come with that exe you will get some "priviledges" errors, I can confirm that.

So do you get errors when you select "Select MPEG file" in the PocketTV menu ? this uses tgetfile.dll, which is not signed.

Guest schriss
Posted August 23, 2004

No, the signed PocketTV works just fine as I wrote a few posts ago.

But there are other applications, which come in a form of exe and dll and when you sign only exe, that app won't load at all (or would throw an error when it tried to load that dll), because when exe is signed, it sometimes also requires that dll to be signed.

I never had to sign any dlls that are already on the phone (I mean files that are on the phone after you for example hard reset).

Guest The PocketTV Team
Posted August 23, 2004

> There are other applications, which come in a form of exe and dll. When you sign only exe, that app won't load at all (or would throw an error when it tried to load that dll), because when exe is signed, it also requires that dll to be signed.

but PocketTV comes in a form of an exe and a dll. have you really been able to open a file from PocketTV, using the PocketTV menu ? because this uses the dll that is part of PocketTV, and not signed.

sorry, i'm really confused by what you say, as this seems to be contradictory...

Guest schriss
Posted August 23, 2004

you once provided a link with PocketTV signed with Picard's cert. I installed that, opened file and it played. I didn't have to do (sign) anything. I can verify that this evening if you wish (I'm at work right now).

I mentioned other applications because Picard said: "i'm not sure about the .dll files. maybe privileged programs are not allowed to use non privileged dll" - and this is usually correct. I wanted other users to be aware of that too.
