How to grant any capability to self signed applications

[Leviathan2040]

I wonder how Nokia would react to the fact that it is so easy to actually give ANY capabilty to an executable using standard tools that come with the SDK (please note: THIS IS NOT A HACK or CRACK)

1) Create your application using any of the S60 3rd Edition SDK, using a UID grabbed from the unprotected range (see: http://www.symbiansigned.com to have yours allocated)
2) Compile for GCCE/ARMV5
3) Before packing your application into SIS use this command for every EXE/DLL that your application is composed of:

elftran -capabilities [capabilties set] drive:\sdkpath\yourapp.exe

i.e.:

elftran -capabilities WriteUserData+AllFiles+TCB S:\Symbian\9.1\S60_3rd_MR\Epoc32\release\GCCE\UREL\myApp.exe

Remember to grant same capabilities to all your application components (DLLs, plugins etc). that composes the app not just the main exe, otherwise it won't work

4) Create you own self certificate with makekeys
5) Create the SIS file with makesis
6) Sign the SIS using your self certificate

Install.... even if the user will be still adviced that he/she is installing an application from an untrusted source, once done, the application has access to everything, even to manufacturer granted only capabilities (I'm sure you have already noticed the TCB and AllFiles I have put in the example).

If I knew it before, this would have saved me around 12.000 $US in signing fees, counteless days waiting for something to be tested and a lot of frustation.

Cheers,
Lev

[wizard_hu_]

Yeah, however it is more "powerful" if you simply put

Code:

CAPABILITY All

into the .mmp file.
It might be a tiny problem that your code will never run, but who cares :-)

[Leviathan2040]

Yeah, however it is more "powerful" if you simply put

Code:

CAPABILITY All

into the .mmp file.
It might be a tiny problem that your code will never run, but who cares :-)

You should probably read this one before laughing too loud:

http://www.symbaali.info/


Cheers,
Lev

[antonypr]

This is really strange.

In which devices are you testing this? I cannot install SISX that has manufacturer capabilities signed with self-signed certificate to my device. It always says "Required application access not granted" -> and I think this it the right behavior.

Are you using one of the prototype devices? I know that some prototype devices disable Platform Security.

Also, even if you are able to install the SISX files, are you able to call any APIs that have manufacturer capabilities?

[antonypr]

You should probably read this one before laughing too loud:

http://www.symbaali.info/


Cheers,
Lev

The one in symbaali.info requires "special firmware modification". I believe he disables Platform Security on this special firmware.

[Nokia Ron]

Hi Lev,

This is just an initial statement to let you know we are taking action.

Nokia is aware of the claims presented in Symbaali.info and we are currently investigating the issue. Nokia takes all security issues seriously. We are determined to be active in the development of security controls and preventive measures.

Ron

[wizard_hu_]

Sorry, I just have not found this thread in the last few days - probably it was quarantined. However note that "Exploring S60 with AllFiles" entry is not independent from "Goodbye S60 Platform Security, Hello CAPABILITIES!":

Symbian Signed says they won't accept any file explorer tools with AllFiles capabilities. As a result of firmware modification, they really don't need to do that, we can self-sign those!

So it is obviously possible to hack the firmware updater, and the firmware itself, but this approach is only a devcert-replacement. You cannot expect customers to all hack their devices.

If I knew it before, this would have saved me around 12.000 $US in signing fees, counteless days waiting for something to be tested and a lot of frustation.

I do not know, do you really pay for every single occasion when you sign something with your devcert???