Title: Another way to hack the S60 V3 system without reflashing (with Chinese translation) [repost]
clq
Views (1125) 2008-06-03 17:23:06 Posted


http://www.cnpda.com.cn/thread-89807-0-1-1.html

Another way to hack the S60 V3 system without reflashing (with Chinese translation)
At present v3 is hacked by reflashing with modified firmware files, but that is fairly difficult and doesn't work on every phone. A post seen on a foreign forum shows it can be done purely in software; it has been tested on the N80, so anyone with the means can give it a try.

Quoting leftup (reply #42)
Quote:
Nokia E50 tested successfully
Pay attention to the part in red (point 5)

Not sure whether my understanding is correct:

Software writes to the phone's memory and changes a value so that the system does not check permissions.


Original text from fca00000

Chinese translation:
Quote:
[Translator's note] Everyone said they'd like to see a Chinese version, so I translated it myself. As a complete beginner in Symbian development I may have got things wrong; please forgive me :-) Translation by Flox of the CnPDA translation team; please credit when reposting.

Good news: using only software, I managed to hack my n80 and remove all the restrictions.
I can browse the c:\sys and private folders.
Now I hope others will try it too.
As long as you have a Nokia 3rd edition phone, a USB data cable and some time, please give it a try.
If you have CodeWarrior and MetroTRK, even better.
First, download the attached files.
1. Current state:
In S60 3rd, because of Symbian's security mechanism, an installed program must be signed before it can use phone capabilities.
Developers can self-sign their own programs, but many critical capabilities must be signed with a higher-privilege certificate, so not every user can have them.
For example: you cannot go into the c:\sys folder and create files. This isn't important, but quite a few users still want to be able to do whatever they like with their phone.
2. Theory:
After you sign and install a program, its capabilities are stored in an internal folder. When the program runs and tries to access a phone capability, a capability check takes place. If they don't match, the program cannot continue and reports an error. This is controlled by a file called EPOC.ini, e.g. PlatSecEnforcement; on the phone, turning this off cannot be done directly. The high-privilege routine is generally: DProcess::DoHasCapability(TCapability , char const)
In my n80 it is at F80478BC
F8047968 BL log_missing_capabilities (F80458D8)
....
Look at F80458D8:
....
F8045930 LDR R0, =pSuperPage
F8045934 LDR R0, [R0]
F8045938 LDR R0, [R0,#0x148]
F804593C TST R0, #2
F8045940 BEQ loc_F804597C
F8045944 ADR R1, aError
F8045948 MOV R0, R1
....

The key data lives at [pSuperPage+0x148] and is checked.
If it is set, any missing capability will produce an error.
If not, a log entry is produced, but the program will run.
So all you need to do is modify this value.
In my phone the value of pSuperPage is 0x60000000, so the data is stored at 0x60000148

3. The hack:
Programs needed:
Carbide.c++ v1.2 (which includes the file s60_3_0_app_trk_2_7.sisx)
CodeWarrior Pro for Symbian is also needed, although its version is S60_App_TRK_2_5.sisx
This file is an on-device debugger, commonly used for data exchange between the phone and the PC.
In my experience, CodeWarrior is easier for debugging.
It is mainly used for program registers, phone memory, processes and modifying data.
The value held at 0x60000148 in memory is 0x0000001E, which means PlatSecEnforcement must be on.
So change it from 0x0000001E to 0x00000010 and you get the highest privileges.
4. Tools:
You need an S60 3rd phone.
You'd best have more than one way to connect to the PC, such as Bluetooth or a USB data cable, but infrared cannot be used.
The next step is to use MetroTRK.
If you have CodeWarrior, that is the preferred solution. If not, you can use a python program to imitate it.
If you have the IDA disassembler, you will have to investigate whether it can be used.
5. The phone:
My n80 has been tested; I guess this method works on all s60v3 phones.
The only thing I modified was the phone's memory. This means that once the phone is switched off, the hack is gone. After the phone restarts, the steps have to be repeated. I know this method has its limitations; a permanent solution will come soon.
On the other hand, for your phone this is at least a very low-risk hack.
Of course, all the risk is yours; any consequences have nothing to do with me.
6. Connection:
I use a CA-42 data cable to connect to the PC.
Once connected, the phone asks you to choose a connection mode: I choose "PC Suite mode".
My operating system is Windows-XP; after connecting it automatically searches for and installs the driver, e.g. 'Nokia N80 USB modem'
If nothing happens, download the CA-42 driver from http://www.nodevice.es/driver/CA-42/get37496.html .
After installing PC Suite, open PC Suite. But be sure to stop PC Suite running on the PC.
You can pick the new serial port:
Control Panel->System->Hardware->Device Manager->Ports should show 'Nokia N80 USB (COM6)'
It may also show both COM6 and COM7; you'd best try both.
7. Metro TRK:
This is a debugger installed in the phone. Its certificate carries very high privileges, allowing memory to be read and written.
Transfer s60_3_0_app_trk_2_7.sisx to the phone and install it.
You will see a new program called TRK; tap it to run.
By default it uses Bluetooth, so it may show an error because the port is unavailable.
Options->Settings->Connection=USB
Options->Settings->Port=1
Options->Settings->Baud Rate=115200
Options->Connect should tell:
Welcome to TRK for Symbian OS
Status: Connected
PDD: NONE
LDD: EUSBC
CSY: ECACM
Port Number: 1
Baud rate: 115200
This is a rather difficult step. If you see 'Failed to open port.Error Code: -21', it means your PC cannot connect to the phone; this usually happens because the driver is not fully installed.
7.1: You must have a program called HelloCarbide. It is a simple little example; install it on the C drive.
You can also use a file manager such as SExplorer to transfer HelloCarbide.exe to the root of the C drive.
8. The hack:
If you have CodeWarrior, go to step 8.2; if not, carry on with 8.1
8.1 I wrote a py program, hack_perms_s60v3.py; you must have python25 installed.
If it isn't installed, download it from www.python.org
It uses the serial port, so you must install pyserial, download at
http://sourceforge.net/projects/pyserial (optionally install pywin32
http://sourceforge.net/projects/pywin32)
After downloading, run it as follows:
My program uses port COM6: ser = serial.Serial(5)
If you use a different port, change it; COM6 = port 5
Run my py program hack_perms_s60v3.py
It will produce an information log; if there are problems, look there. I _might_ try to help.
If it shows serial.serialutil.SerialException: could not open port: the system cannot find the file specified, it means the port does not exist.
If it shows serial.serialutil.SerialException: could not open port: the process cannot access the file because it is being used by another process, it means another program is using the port; replace COM6 with COM7
If it shows
sendFrame=00
sendFrame=FF
sendFrame=7E
the phone is not running Metro TRK
If everything above goes smoothly, after about 40 seconds you will see on the last lines:
Close
End+Exit
Along the way you may see:
Read Memory 60000148=1E 00 00 00
candidate!!!
Good news: this means it has been found and can be modified.
8.2 If you have CodeWarrior and know how to use it, even better.
[quote]
CodeWarrior is a bit hard to use; search around for anything you don't understand.
Then you need the Nokia SDK
FP2 download:
http://www.forum.nokia.com/info/sw.nokia.com/id/4a7149a5-95a5-4726-913a-3c6f21eb65a5/S60-SDK-0616-3.0-mr.html
CodeWarrior download:
http://www.forum.nokia.com/info/sw.nokia.com/id/204ab18e-410c-4c59-bcd4-dda936c8a79b/CodeWarrior_On_Device_Debug_Kit_for_Series_60_3rd_Edition.html
Start CodeWarrior, choose import project from .mmp file, then choose the SDK and load HelloWorld.mmp
In the window select target=ARMI and click "Debug"
You can load any program and start debugging on the phone (best to load HelloWorld.mmp)
The next target is GCCE UDEB
settings->Remote Debugging->Connection = Symbian Metro TRK
Same window->Edit Connection->Connection Type=Serial ; Port = COM6
Same window->Remote download path = c:\
settings->Remote Download-> Remove any file here
Remember that, for security reasons, programs cannot be downloaded into c:\sys\bin , so they must be installed manually before this step.
More:
http://www.mobilenme.com/content/view/41/26/
http://mikie.iki.fi/wordpress/?p=33#comment-6299
http://www.newlc.com/topic-5398
http://discussion.forum.nokia.com/forum/showthread.php?t=72632
http://discussion.forum.nokia.com/forum/showthread.php?t=80807
Now you can debug the program.
You may see more information in the 'Metro TRK Communication Log'.
Select the stack
Menu->Data->View Memory
Ignore the error; display 0x60000000
Look at 0x60000148; the value is most likely 0x1E
Double-click, enter 0x10 and run the program; close the thread window.
9. Advanced steps:
You can use the IDA disassembler to see the actual code.
This is a very laborious task, but the main file is ekern.exe
You can use this Symbian code to look at it:
    RFs fileSession;
    fileSession.Connect();

    // Dump the 32 MB ROM window F8000000..FA000000 to a file on the memory card
    RFile file;
    file.Replace(fileSession, _L("e:\\F8000000.bin"), EFileWrite);

    TBuf8<0x200> buf;                          // 512-byte write buffer

    TUint8 *p = (TUint8*)0xF8000000;           // start of the ROM image
    TUint8 *pEnd = (TUint8*)0xFA000000;        // one past the end
    TUint8 iVal = 0;
    for (; p < pEnd; p++)
        {
        iVal = *p;
        buf.Append(iVal);

        if (buf.Length() == buf.MaxLength())   // flush a full buffer
            {
            file.Write(buf);
            buf.Zero();
            }
        }
    if (buf.Length())                          // flush any remainder (none for this range)
        file.Write(buf);

    file.Close();
    fileSession.Close();
Then extract the files with ROMTool from Syminternals; if you don't have it, I can provide it.
10. Test
Test with any program. I used SExplorer and TrueExplorer; the test passed and I can access C:\sys, but SExplorer cannot enter Z:\sys and TrueExplorer cannot find the files in C:\sys\bin.
This method passed testing on the author's n80; I likewise hope it passes on other phones.
Did your test succeed? Please reply and tell me the result.
[/quote]


Good news: I managed to hack my Nokia-N80 using a software-only solution, and remove all permissions limitation.
I was able to browse c:\sys and private directories.
Now I need someone else to try.
So, if you have a Nokia with S60v3 , a connecting USB cable, and some time, please reply.
If you have CodeWarrior and MetroTRK up and running, much better.



First of all: needed files


1) Current state:
In S60v3, Symbian implemented a security mechanism: applications need to be signed in order to access some services.
A developer can self-sign his own applications, but the most critical services need a powerful certificate, which not everyone can afford.
For example, you can not make a file browser able to access c:\sys . This is not very important, but some people feel that they should be able
to do anything they want.

2) The theory:
When a program is signed and you install it, its privileges are stored in an internal folder. When the program is executed and
tries to access a service, the privileges are checked. If they don't match, the service can not be executed, and gives an error.
In the PC emulator for Symbian, it is possible to override this, so that missing privileges give a warning, not an error.
This is controlled through a file called EPOC.INI that includes a line like
PlatSecEnforcement OFF
In the phone, this is not modifiable directly.
The routine controlling this is called
DProcess::DoHasCapability(TCapability , char const)

In my Nokia N80, this is at F80478BC and says
....
F8047968 BL log_missing_capabilities (F80458D8)
....

Look at F80458D8:
....
F8045930 LDR R0, =pSuperPage
F8045934 LDR R0, [R0]
F8045938 LDR R0, [R0,#0x148]
F804593C TST R0, #2
F8045940 BEQ loc_F804597C
F8045944 ADR R1, aError
F8045948 MOV R0, R1
....


Basically, this looks at the data at [pSuperPage+0x148] and checks bit 2.
If it is set, any missing capability will give an error.
If not, it will log the problem, but the check will succeed.

So, all you need to do is to change this value.

In my mobile, pSuperPage has value 0x60000000, so the data is stored at 0x60000148

3) the hack:
The programming environment Carbide.c++ v1.2 includes a file called s60_3_0_app_trk_2_7.sisx
It also comes with CodeWarrior Pro for Symbian, although it is version S60_App_TRK_2_5.sisx
This file is an On-Device-Debugger, used to run programs inside the phone, and see the flow and data in the PC.
In my experience, CodeWarrior is easier to use for debugging.
It allows you to look at the program registers, phone memory, processes, and change the data.
At memory address 0x60000148 the value stored is 0x0000001E , which means that
PlatSecEnforcement is ON
So, change it from 0x0000001E to 0x00000010 and you get all the permissions !
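The following Python model is an added example, not code from the original post, from MetroTRK or from the Symbian kernel. It re-implements the decision that sections 2 and 3 describe: log_missing_capabilities does TST R0,#2 on the 32-bit word at [pSuperPage+0x148], so a missing capability is fatal only while that 0x2 bit is set, and the 0x1E -> 0x10 change clears it. The names attached to bits other than 0x2 are my assumption (a recollection of the kernel's config-flag enumeration); the page itself names only PlatSecEnforcement. The super-page bytes are a constructed sample.

```python
"""Model of the PlatSecEnforcement check on the kernel config word.

Added example: mirrors the logic visible in the log_missing_capabilities
disassembly (LDR from [pSuperPage+0x148], TST R0,#2) and decodes what the
0x1E -> 0x10 edit actually switches off.
"""

# The config word sits at pSuperPage + 0x148 (0x60000148 on the author's N80).
SUPERPAGE_FLAGS_OFFSET = 0x148

# Mask tested by `TST R0, #2`: the PlatSecEnforcement flag (bit 1 of the word).
PLATSEC_ENFORCEMENT = 0x2

# Names for the other bits are an ASSUMPTION (recollection of the kernel's
# config-flag enumeration, in EPOC.INI order); the page only identifies 0x2.
ASSUMED_BIT_NAMES = {
    0x01: "PlatSecDiagnostics (assumed)",
    0x02: "PlatSecEnforcement",
    0x04: "PlatSecProcessIsolation (assumed)",
    0x08: "PlatSecEnforceSysBin (assumed)",
    0x10: "PlatSecLocked (assumed)",
}


def read_config_flags(superpage: bytes) -> int:
    """Little-endian 32-bit word at offset 0x148 of a super-page image."""
    start = SUPERPAGE_FLAGS_OFFSET
    return int.from_bytes(superpage[start:start + 4], "little")


def capability_check(flags: int, has_capability: bool) -> str:
    """Outcome of a capability check as the post describes it.

    'ok'    : the process holds the capability.
    'error' : capability missing and enforcement bit set (request refused).
    'log'   : capability missing, enforcement bit clear (logged, then granted).
    """
    if has_capability:
        return "ok"
    if flags & PLATSEC_ENFORCEMENT:
        return "error"
    return "log"


def decode_flags(flags: int) -> dict:
    """Map each known/assumed bit name to whether it is set in `flags`."""
    return {name: bool(flags & bit) for bit, name in ASSUMED_BIT_NAMES.items()}


def weakened_bits(expected: int, observed: int) -> list:
    """Protection bits set in `expected` but clear in `observed`.

    This is the comparison an integrity check would make between the
    documented factory value and the word actually read from memory.
    """
    return [name for bit, name in ASSUMED_BIT_NAMES.items()
            if expected & bit and not observed & bit]


# Constructed sample: a 512-byte super page holding the factory value 0x1E.
FACTORY_FLAGS = 0x1E
PATCHED_FLAGS = 0x10
SAMPLE_SUPERPAGE = bytearray(0x200)
SAMPLE_SUPERPAGE[0x148:0x14C] = FACTORY_FLAGS.to_bytes(4, "little")

if __name__ == "__main__":
    flags = read_config_flags(SAMPLE_SUPERPAGE)
    print(f"config word = 0x{flags:08X}", decode_flags(flags))
    print("missing capability, factory word:", capability_check(flags, False))
    print("missing capability, patched word:", capability_check(PATCHED_FLAGS, False))
    print("bits cleared by 0x1E -> 0x10:", weakened_bits(FACTORY_FLAGS, PATCHED_FLAGS))
```

Running it prints the two outcomes side by side: with 0x1E a missing capability is refused, with 0x10 it is only logged, and weakened_bits shows that the edit clears more than the enforcement bit alone.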

4) The tools:
You need a Nokia phone using Symbian 9 .
You also need some way to connect it to a PC, for example USB or bluetooth. Infrared is not valid.
Next step is the MetroTRK.
If you have CodeWarrior, it is the preferred solution. If not, I made a Python program to emulate it.
If you have IDA-disassembler and a ROM dump, then you can investigate in case it doesn't work.

5) The phone:
I have tested with Nokia-N80. I suppose it works with any phone using S60v3.
The changes I make are only in memory. This means that when the phone is switched-off, the hack disappears.
You need to run it again after a restart. I know this is a limitation, but a permanent solution will come later.
On the other hand, this is good: there is (almost) no risk on permanently breaking your phone.
Of course, do it under your own risk. I take no responsibility

6) The connection:
I use a USB cable labelled CA-42 which is a simple data cable; no fancy stuff.
Connect the phone to the PC.
The phone asks the mode you want to use: 'PC Suite'
My operating system is Windows-XP and my PC detects automatically the driver, installing
something called 'Nokia N80 USB modem'.
If not, drivers are available in many places, for example
http://www.nodevice.es/driver/CA-42/get37496.html
If you have PC-Suite, you probably have the driver already. But remember that you need to disable in the PC: stop the program.
At this point, you probably have a new serial port:
Control Panel->System->Hardware->Device Manager->Ports
should show
'Nokia N80 USB (COM6)'
It might happen that you have both COM6 and COM7 . You will need to try both.

7) The MetroTRK:
This is a debugger that installs in the phone. It has powerful permissions and a strong certificate, which allows it to read/write memory.
Transfer the file s60_3_0_app_trk_2_7.sisx into your mobile, and install it.
You should see a new application called 'TRK'.
Run it.
By default it tries to use BlueTooth, so it might give an error because there are no available ports.
Options->Settings->Connection=USB
Options->Settings->Port=1
Options->Settings->Baud Rate=115200
Options->Connect should tell:
Welcome to TRK for Symbian OS
Status: Connected
PDD: NONE
LDD: EUSBC
CSY: ECACM
Port Number: 1
Baud rate: 115200

This is the most difficult step.
If you get
'Failed to open port.Error Code: -21'
this means that your PC is not talking to the mobile. This is the case when the driver is not installed.

7.1) You need another program called HelloCarbide . It is a simple example. Install it in c:
You also need to transfer HelloCarbide.exe directly under c:\HelloCarbide.exe using any FileBrowser, ex: SExplorer

8) The hacker:
If you have CodeWarrior, go to 8.2 . If not, go to 8.1
8.1) I made a program called hack_perms_s60v3.py
It is written in python, so you need Python25 from www.python.org
It uses the serial port, so you also need pyserial (http://sourceforge.net/projects/pyserial)
and probably pywin32 (http://sourceforge.net/projects/pywin32)
Download the binaries and execute them. As simple as that.

My program uses COM6 at line
ser = serial.Serial(5)
If you have another port, change this number. COM6 = port 5

Run my program by typing
hack_perms_s60v3.py

It logs a lot of information. In case of problems, investigate. I _might_ try to help.

If you get
serial.serialutil.SerialException: could not open port: ... The system cannot find the file specified.
this means that the port doesn't exist.

If you get
serial.serialutil.SerialException: could not open port: ... The process cannot access the file because it is being used by another process.
this means that there is another program using the port. Most probably you are trying COM7 instead of COM6.

If it hangs after
sendFrame=00
sendFrame=FF
sendFrame=7E
this means that MetroTRK is not running in the mobile.

If everything goes OK, it takes 40 seconds and the last lines are:
Close
End+Exit

Look at the trace: you should see 2 lines like:
Read Memory 60000148=1E 00 00 00
candidate!!!

This is good. It means that it found the correct address and patched it.

8.2) If you have CodeWarrior and know how to use it, it is better.
Quote:
CodeWarrior is a bit difficult. Let's suppose you already have if (emule is your friend).
Then, you need a SDK from nokia. choose S60_3rd_FP2 from
http://www.forum.nokia.com/info/sw.nokia.com/id/4a7149a5-95a5-4726-913a-3c6f21eb65a5/S60-SDK-0616-3.0-mr.html

In case you need the MetroTRK, get from
http://www.forum.nokia.com/info/sw.nokia.com/id/204ab18e-410c-4c59-bcd4-dda936c8a79b/CodeWarrior_On_Device_Debug_Kit_for_Series_60_3rd_Edition.html

Start CodeWarrior, and choose
Import Project from .mmp file
then, choose the SDK (if you have more than 1)
And load any example, let's say HelloWorld.mmp

In the window, choose target = ARMI
and click 'Debug'
Load any program you have (HelloWorld.mmp is perfect) and start a mobile debugging session:
The target should be GCCE UDEB .
In its settings->Remote Debugging->Connection = Symbian Metro TRK
Same window->Edit Connection->Connection Type=Serial ; Port = COM6
Same window->Remote download path = c:\
settings->Remote Download-> Remove any file here
Remember that, because of security, applications can't be downloaded into c:\sys\bin , so they
need to be installed before. I do this manually.
See:
http://www.mobilenme.com/content/view/41/26/
http://mikie.iki.fi/wordpress/?p=33#comment-6299
http://www.newlc.com/topic-5398
http://discussion.forum.nokia.com/forum/showthread.php?t=72632
http://discussion.forum.nokia.com/forum/showthread.php?t=80807

Now, start debugging the program.
You should see the 'Metro TRK Communication Log' with lots of information.
Break the program.
Select the stack.
Menu->Data->View Memory . Ignore the error
Display 0x60000000
Look at 0x60000148. Probably has value 0x1E
Double-click, and type 0x10. Hit enter.
Run program.
Close Thread window. Resume.

9) Advanced:
If you have IDA-disassembler and a ROM dump, you can see the actual code.
This is a heavy task, but the main file is ekern.exe
You can get a full Dump using this Symbian code:
    RFs fileSession;
    fileSession.Connect();

    // Dump the 32 MB ROM window F8000000..FA000000 to a file on the memory card
    RFile file;
    file.Replace(fileSession, _L("e:\\F8000000.bin"), EFileWrite);

    TBuf8<0x200> buf;                          // 512-byte write buffer

    TUint8 *p = (TUint8*)0xF8000000;           // start of the ROM image
    TUint8 *pEnd = (TUint8*)0xFA000000;        // one past the end
    TUint8 iVal = 0;
    for (; p < pEnd; p++)
        {
        iVal = *p;
        buf.Append(iVal);

        if (buf.Length() == buf.MaxLength())   // flush a full buffer
            {
            file.Write(buf);
            buf.Zero();
            }
        }
    if (buf.Length())                          // flush any remainder (none for this range)
        file.Write(buf);

    file.Close();
    fileSession.Close();
And then extract files using ROMTools from Syminternals. If you can't get it, I can provide it.
To use IDA, get the Symbian SDK, and process through ROMTools . Name the routines and study the disassembled code.

10) Test:
Start any application which needs privileges. I tried SExplorer and TrueExplorer, and I was able to
browse c:\sys , although:
10.1) SExplorer can not access Z:\sys
10.2) TrueExplorer can not find files under c:\sys\bin



It works in my Nokia-N80, and I expect it to work also in other models.

Did it work for you? Please post results.


Copyright © 2005-2012 CLQ Studio, All Rights Reserved