Wednesday, June 8, 2011

The privileges framework in Symbian 9 is broken


Hi all
I got it: all permissions are gone! The privileges framework in Symbian 9 is broken.

1) Current state:
In S60v3, Symbian implemented a security mechanism: applications need to be signed in order to access some services.
A developer can self-sign his own applications, but the most critical services need a powerful certificate, which not everyone can afford.
For example, you cannot make a file browser able to access c:\sys. This is not very important, but some people feel that they should be able
to do anything they want.

2) The theory:
When a program is signed and you install it, its privileges are stored in an internal folder. When the program is executed and
tries to access a service, the privileges are checked. If they don't match, the service cannot be executed, and gives an error.
In the PC emulator for Symbian, it is possible to override this, so that missing privileges give a warning, not an error.
This is controlled through a file called EPOC.INI that includes a line like
PlatSecEnforcement OFF
In the phone, this is not modifiable directly.
The routine controlling this is called
DProcess::DoHasCapability(TCapability, char const)

In my Nokia N80, this is at F80478BC and says
....
F8047968                 BL      log_missing_capabilities (F80458D8)
....

Look at F80458D8:
....
F8045930                 LDR     R0, =pSuperPage
F8045934                 LDR     R0, [R0]
F8045938                 LDR     R0, [R0,#0x148]
F804593C                 TST     R0, #2
F8045940                 BEQ     loc_F804597C
F8045944                 ADR     R1, aError
F8045948                 MOV     R0, R1
....


Basically, this loads the word at [pSuperPage+0x148] and tests the bit with mask 0x2 (TST R0, #2).
If it is set, any missing capability will give an error.
If not, it will log the problem, but the check will succeed.

So, all you need to do is to change this value.

In my mobile, pSuperPage has value 0x60000000, so the data is stored at 0x60000148.

3) The hack:
The programming environment Carbide.c++ v1.2 includes a file called s60_3_0_app_trk_2_7.sisx
It also comes with CodeWarrior Pro for Symbian, although there it is version S60_App_TRK_2_5.sisx
This file is an on-device debugger, used to run programs inside the phone and see the flow and data on the PC.
In my experience, CodeWarrior is easier to use for debugging.
It allows you to look at the program registers, phone memory and processes, and to change the data.
At memory address 0x60000148 the value stored is 0x0000001E, which means that
PlatSecEnforcement is ON
So, change it from 0x0000001E to 0x00000010 and you get all the permissions!
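To make the mechanism in sections 2 and 3 concrete, here is an added Python model (the language of the author's own tool; this is not code from the post or from Symbian) of the decision that the disassembly shows: a missing capability is refused only when the enforcement bit in the superpage flags word is set, so 0x1E means enforced and 0x10 means log-only. The address, offset and bit are the post's; the function names, the memory image and the capability names used as sample input are assumptions made for the example. `enforcement_status` is the check a defender would run on a memory image read back from a device: is the enforcement bit still set?

```python
import struct

# Values from the post (the author's Nokia N80): the superpage pointer and the
# offset and bit tested in log_missing_capabilities. Everything else below is
# a constructed model, not the kernel's code.
PSUPERPAGE = 0x60000000
FLAGS_OFFSET = 0x148
ENFORCE_BIT = 0x2            # "TST R0, #2"


def flags_word_at(image, image_base, superpage=PSUPERPAGE):
    """Read the 32-bit little-endian flags word at [superpage + 0x148]
    out of a memory image that was captured starting at image_base."""
    off = superpage + FLAGS_OFFSET - image_base
    if off < 0 or off + 4 > len(image):
        raise ValueError("flags word lies outside the captured image")
    return struct.unpack_from("<I", image, off)[0]


def platsec_enforced(flags_word):
    """The branch the post describes: bit set -> missing capabilities are
    errors; bit clear -> they are only logged (the emulator's OFF mode)."""
    return bool(flags_word & ENFORCE_BIT)


def do_has_capability(process_caps, required, flags_word, log):
    """Model of DProcess::DoHasCapability as the post reads the disassembly
    (assumed structure). Returns True if the service call may proceed."""
    if required in process_caps:
        return True
    log.append("missing capability: %s" % required)
    return not platsec_enforced(flags_word)


def enforcement_status(image, image_base):
    """Integrity check: report whether the enforcement bit is still set in a
    memory image, e.g. one read back over the debugger link."""
    word = flags_word_at(image, image_base)
    return {"flags": word, "enforced": platsec_enforced(word)}


def make_image(flags_word, image_base=PSUPERPAGE, size=0x200):
    """Constructed superpage image with only the flags word populated."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, PSUPERPAGE + FLAGS_OFFSET - image_base, flags_word)
    return bytes(buf)


if __name__ == "__main__":
    # Sample capability names are real Symbian capability names used here only
    # as illustration: the process holds ReadUserData and asks for AllFiles.
    for word in (0x1E, 0x10):
        status = enforcement_status(make_image(word), PSUPERPAGE)
        log = []
        allowed = do_has_capability({"ReadUserData"}, "AllFiles", word, log)
        print("flags=0x%02X enforced=%s AllFiles call allowed=%s log=%s"
              % (word, status["enforced"], allowed, log))
```

The point the model makes is the design one: the whole check hinges on a single writable word, so any component that can write kernel memory (here, a signed on-device debugger) can switch enforcement off for every process at once; a periodic read of that word is the cheapest way to notice it.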

4) The tools:
You need a Nokia phone using Symbian 9.
You also need some way to connect it to a PC, for example USB or Bluetooth. Infrared is not valid.
Next step is the MetroTRK.
If you have CodeWarrior, it is the preferred solution. If not, I made a Python program to emulate it.
If you have the IDA disassembler and a ROM dump, then you can investigate in case it doesn't work.

5) The phone:
I have tested with a Nokia N80. I suppose it works with any phone using S60v3.
The changes I make are only in memory. This means that when the phone is switched off, the hack disappears.
You need to run it again after a restart. I know this is a limitation, but a permanent solution will come later.
On the other hand, this is good: there is (almost) no risk of permanently breaking your phone.
Of course, do it at your own risk. I take no responsibility.

6) The connection:
I use a USB cable labelled CA-42, which is a simple data cable; no fancy stuff.
Connect the phone to the PC.
The phone asks which mode you want to use: 'PC Suite'
My operating system is Windows XP and my PC detects the driver automatically, installing
something called 'Nokia N80 USB modem'.
If not, drivers are available in many places, for example
http://www.nodevice.es/driver/CA-42/get37496.html
If you have PC Suite, you probably have the driver already. But remember that you need to disable it on the PC: stop the program.
At this point, you probably have a new serial port:
Control Panel->System->Hardware->Device Manager->Ports
should show
'Nokia N80 USB (COM6)'
It might happen that you have both COM6 and COM7. You will need to try both.

7) The MetroTRK:
This is a debugger that installs in the phone. It has powerful permissions and a strong certificate, which allow it to read/write memory.
Transfer the file s60_3_0_app_trk_2_7.sisx to your mobile, and install it.
You should see a new application called 'TRK'.
Run it.
By default it tries to use Bluetooth, so it might give an error because there are no available ports.
Options->Settings->Connection=USB
Options->Settings->Port=1
Options->Settings->Baud Rate=115200
Options->Connect should show:
Welcome to TRK for Symbian OS
Status: Connected
PDD: NONE
LDD: EUSBC
CSY: ECACM
Port Number: 1
Baud rate: 115200

This is the most difficult step.
If you get
'Failed to open port.Error Code: -21'
this means that your PC is not talking to the mobile. This is the case when the driver is not installed.

7.1) You need another program called HelloCarbide. It is a simple example. Install it in c:
You also need to transfer HelloCarbide.exe directly to c:\HelloCarbide.exe using any file browser, e.g. SExplorer

8) The hacker:
If you have CodeWarrior, go to 8.2. If not, go to 8.1.
8.1) I made a program called hack_perms_s60v3.py
It is written in Python, so you need Python 2.5 from www.python.org
It uses the serial port, so you also need pyserial (http://sourceforge.net/projects/pyserial)
and probably pywin32 (http://sourceforge.net/projects/pywin32)
Download the binaries and execute them. As simple as that.

My program uses COM6 at the line
ser = serial.Serial(5)
If you have another port, change this number. pyserial counts ports from 0, so COM6 = port 5.

Run my program by typing
hack_perms_s60v3.py

It logs a lot of information. In case of problems, investigate. I _might_ try to help.

If you get
serial.serialutil.SerialException: could not open port: ... The system cannot find the file specified.
this means that the port doesn't exist.

If you get
serial.serialutil.SerialException: could not open port: ... The process cannot access the file because it is being used by another process.
this means that there is another program using the port. Most probably you are trying COM7 instead of COM6.

If it hangs after
sendFrame=00
sendFrame=FF
sendFrame=7E
this means that MetroTRK is not running in the mobile.

If everything goes OK, it takes 40 seconds and the last lines are:
Close
End+Exit

Look at the trace: you should see 2 lines like:
Read Memory 60000148=1E 00 00 00
candidate!!!

This is good. It means that it found the correct address and patched it.

8.2) If you have CodeWarrior and know how to use it, it is better.
Load any program you have (HelloWorld.mmp is perfect) and start a mobile debugging session:
The target should be GCCE UDEB.
In its settings->Remote Debugging->Connection = Symbian Metro TRK
Same window->Edit Connection->Connection Type=Serial ; Port = COM6
Same window->Remote download path = c:\
settings->Remote Download-> Remove any file here
Remember that, because of security, applications can't be downloaded into c:\sys\bin, so they
need to be installed before. I do this manually.
See:
http://www.mobilenme.com/content/view/41/26/
http://mikie.iki.fi/wordpress/?p=33#comment-6299
http://www.newlc.com/topic-5398
http://discussion.forum.nokia.com/forum/showthread.php?t=72632
http://discussion.forum.nokia.com/forum/showthread.php?t=80807

Now, start debugging the program.
You should see the 'Metro TRK Communication Log' with lots of information.
Break the program.
Select the stack.
Menu->Data->View Memory. Ignore the error
Display 0x60000000
Look at 0x60000148. It probably has value 0x1E
Double-click, and type 0x10. Hit enter.
Run program.
Close Thread window. Resume.

9) Advanced:
If you have the IDA disassembler and a ROM dump, you can see the actual code.
This is a heavy task, but the main file is ekern.exe
You can get a full dump using this Symbian code:
     // Dumps the ROM range the post names (0xF8000000-0xFA000000 on the author's N80)
     // to e:\F8000000.bin in 512-byte blocks. Returns KErrNone or the first error.
     #include <e32std.h>
     #include <f32file.h>

     TInt DumpRom()
     {
         RFs fileSession;
         TInt err = fileSession.Connect();
         if (err != KErrNone)
             return err;

         RFile file;
         err = file.Replace(fileSession, _L("e:\\F8000000.bin"), EFileWrite);
         if (err != KErrNone)
         {
             fileSession.Close();
             return err;
         }

         TBuf8<0x200> buf;                                   // 512-byte write buffer
         const TUint8 *p = (const TUint8*)0xF8000000;         // start of ROM
         const TUint8 *pEnd = (const TUint8*)0xFA000000;      // end of ROM (32 MB)
         for (; p < pEnd; p++)
         {
             buf.Append(*p);
             if (buf.Length() == buf.MaxLength())
             {
                 file.Write(buf);
                 buf.Zero();
             }
         }
         if (buf.Length() > 0)                               // flush a partial last block
             file.Write(buf);

         file.Close();
         fileSession.Close();
         return KErrNone;
     }
And then extract files using ROMTools from Syminternals. If you can't get it, I can provide it.
To use IDA, get the Symbian SDK, and process through ROMTools. Name the routines and study the disassembled code.

10) Test:
Start any application which needs privileges. I tried SExplorer and TrueExplorer, and I was able to
browse c:\sys, although:
10.1) SExplorer can not access Z:\sys
10.2) TrueExplorer can not find files under c:\sys\bin

It works in my Nokia N80, and I expect it to work also in other models.

Did it work for you? Please post results.

Please try it, and we will notify Nokia about it.
I would like to publish it under full-disclosure, but let's give it some time.
Download: hack_perms_s60v3
Thanks
source:
http://www.symbian-freak.com/forum/viewforum.php?f=6
http://forum.oslik.ru/viewtopic.php?p=266890#266890
http://rom.reversing.in.t-h-i-s.biz/index.php?act=idx
