GAPI to GDI wrapper for 8390

140 replies to this topic

#101
The PocketTV Team

> these will require two certificates. One to work at all, second for GAPI to work.

question is, can we sign our app with both...?

> Regarding automatic provisioning, all there is to it is to execute this at dos prompt:
> RapiConfig.exe /p sdktestcerts.xml

Yes, I understand how you can provision the device from the desktop, but that was not my question.

My question was, can we do it automatically when our CAB is installed. I think yes, I think it's possible to include some provisioning xml in CAB files, but we've never done that.

> (which I don't like!! ANY application can silently sign itself on a PC and install its cert on the phone??? WITHOUT user knowledge...)

yes, I agree, it's strange that it does not prompt on the phone when a cert is installed.

BTW I have signed PocketTV Classic 0.14.15 (latest version) with Picard's cert, so if anyone cares to test and confirm that it works, you can get it from there: http://www.pockettv....tphoneSetup.exe

thanks!

#102
schriss

Signing with two should be possible, when you right click signed exe or dll, go to "Digital Signatures" it says "Signature List", list would suggest more than one...
Besides, when you select "custom" when signing with Wizard, it says: "You decide which certificates to include in the digital signature".
I will try.

And yes, your signed PocketTV worked right after I installed it :)

#103
The PocketTV Team

All right, something is still not clear to me.

What should the average mio 8390 user do, after downloading our signed PocketTV ?

Do they need to get the "GAPI Solution - Signing Pack.zip" from http://smartphone.mo...p=418650#418650 ?

And then, do they just need to run the following command on the DOS prompt:
RapiConfig.exe /p sdktestcerts.xml

I think this is a bit too complicated for the average dumb user who doesn't know what the DOS prompt is...

Can we make this simpler ? Like just installing something ?

#104
The PocketTV Team

> Signing with two should be possible, when you right click signed exe or dll, go to "Digital Signatures" it says "Signature List", list would suggest more than one...
> Besides, when you select "custom" when signing with Wizard, it says: "You decide which certificates to include in the digital signature".
> I will try.

Well, we don't use the interactive version, we use the batch version (i.e. signcode.exe with some options) to sign our exe...

#105
schriss

Yes, user needs to download signing pack, BUT:
1. there is manual with screenshots included
2. no need for DOS, there is just a sign.bat file to double-click :)
so it's not that bad...

and while Mitac promised to release ROM update in upcoming weeks/months, I think it's best to use the signing pack as it is and wait for ROM update.

#106
The PocketTV Team

Even if Mitac published a ROM upgrade, only a few percent of mio 8390 users will upgrade their phone.

So I propose to make the installation of the certificate even simpler.

I think that can be done by including the sdktestcerts.xml in our CAB file, using the /prexml of CabWizSP.

If we do that, do you have a way to test that it works ?

I.e. do you have a way to remove the cert from your Smartphone, and check that our CAB file installs it ?

#107
picard_beta

> Ok... now, one more question: wasn't possible to figure out the address of the raw frame buffer on the 8390 ?

it's protected. only privileged signed application can access it. so even gx.dll is in rom, which means privileged level access (i think) the application itself won't be able to use the returned frame buffer address (SetKMode doesn't help)

so the signing solution is this: you add a privileged certificate to the phone's privileged store (this is the "trick". you are allowed to add certificates to the store. so you don't have to get/buy a real privileged certificate) and use this privileged certificate to sign all your files. btw the certificate in the pack is the one used in EVC and the developer tools.

and of course adding the certificate to the store is only possible with "unlocked" phones!

#108
The PocketTV Team

> it's protected. only privileged signed application can access it. so even gx.dll is in rom, which means privileged level access (i think) the application itself won't be able to use the returned frame buffer address (SetKMode doesn't help)

I see... too bad!

> so the signing solution is this: you add a privileged certificate to the phone's privileged store (this is the "trick". you are allowed to add certificates to the store. so you don't have to get/buy a real privileged certificate) and use this privileged certificate to sign all your files. btw the certificate in the pack is the one used in EVC and the developer tools. and of course adding the certificate to the store is only possible with "unlocked" phones!

yes, i understand... but the weird thing there is that if you make a .cpf file to install your cert (i made one), then the cpf file must be signed with the microsoft root privileged cert (probably because that's needed to add a privileged cert, see http://msdn.microsof...iceProvider.asp ).

so what's really strange is that you can do that using
RapiConfig.exe /p sdktestcerts.xml
from the desktop...

this looks like a security hole !!!

does that mean that you can easily run any application in totally privileged mode (i.e. allowing use of privileged API's) on all un-signed smartphones ?

if true, that would be fun :)

#109
picard_beta

it only works with unlocked phones and unlocking is quite a security hole :)

but you are right. being able to add your priv. cert. to the phone is different level.

#110
schriss

When I get into: Settings - Certificates, I see 1. Personal, 2. Root. But funny thing is that Personal is empty, so I can not delete our certificate.

#111
The PocketTV Team

> When I get into: Settings - Certificates, I see 1. Personal, 2. Root. But funny thing is that Personal is empty, so I can not delete our certificate.

That's because the "Settings" applet does not have enough privileges to look in the certificate store :)

#112
schriss

You're serious? :)
Anyway, the Root folder is not empty...

#113
The PocketTV Team

> it only works with unlocked phones and unlocking is quite a security hole :)
>
> but you are right. being able to add your priv. cert. to the phone is different level.

but normally, unlocked phones do not let applications use privileged API's. except the MPx200, which is "completely" unlocked.

so i'm surprised that there is a security hole that allows accessing privileged API's on unlocked phones.

i wonder if MSFT is aware of that hole...

#114
The PocketTV Team

All right, here is the announcement:
http://smartphone.mo...ic.php?t=113069

Thanks to all of you!

#115
The PocketTV Team

last question:

only the app needs to be signed with Picard's privileged cert, correct ? need to sign gx.dll or to install anything else than:

1) the signed app
2) the privileged cert in the cert store on the device

correct ?

#116
schriss

If the application comes with other files, like DLLs, then these files usually should be signed as well.
So basically yes: signed app with its DLLs and a cert on device.

#117
The PocketTV Team

> If the application comes with other files, like DLLs, then these files usually should be signed as well.
> So basically yes: signed app with its DLLs and a cert on device.

but i didn't sign tgetfile.dll, and you told me that pockettv was working fine... so apparently it is not necessary to sign all the dll's with Picard's cert. and i don't see why this would be necessary either.

that still does not answer my question:

pockettv uses gx.dll . will the fix work just by signing pockettv.exe, or does the user also need to sign gx.dll ?

in other words, is what we say here sufficient, or should the user do something more, e.g. install a signed gx.dll on the phone ?

#118
picard_beta

no need to sign or do anything with gx.dll

#119
The PocketTV Team

> no need to sign or do anything with gx.dll


ok... just install the privileged cert on the device and sign the .exe with that same cert... ?

#120
picard_beta

i'm not sure about the .dll files. maybe privileged programs are not allowed to use non privileged dll
