Software architect working in Symbian/S60 area since 2000 and still being enthusiastic about mobility. Please visit my introduction page on Forum Nokia Champions web page.

Another hack for Symbian Platform Security

tote_b5 | 09 March, 2008 23:35

One of my articles that has gained a lot of attention was about hacking Symbian Platform Security. Although it turned out that reproducing the workaround found by Symbiaali is laborious, requires strong technical knowledge, and is very unlikely to see widespread use, it clearly showed me that people were interested in this topic.

Today I found another post at Symbian Freak that describes yet another way to turn off the Symbian operating system's well-known permission checking feature. Although I don't agree with the title of the article (good-bye?? S60??), I think it's worth at least a few words.

What is this crack about? How can we cheat Platform Security capability checking so that it does not care whether our program really has the capability being checked? Well, in a very special way:

  • Take a development environment for Symbian, like CodeWarrior Pro or Carbide.C++ Pro. Please note that you will need on-device debugging, which is why CodeWarrior Personal/Carbide.C++ Express is not enough. I'm unsure whether Carbide.C++ Developer Edition would be enough (it sits between Express and Professional), but I doubt it. More on this later.
  • Prepare everything for on-device debugging (connect phone to PC, install MetroTRK to phone, etc.).
  • Start any program from within the development environment (aka IDE) in debug mode.
  • Change some bits in the kernel stack responsible for security enforcement. This is the most critical step, where you can really turn everything upside down. And since you can do that, I believe it's Carbide.C++ Professional Edition that you need and not Developer Edition: the latter is less expensive, but in turn it provides only on-device application debugging, in contrast with Pro's system debugging.
  • Voilà, we're done: we have access to basically anything.
Disadvantages
  • The crack is temporary, since everything is done in RAM.
  • Required tools are expensive: CW Pro was available at ~$1.700 (the product is discontinued and cannot be bought officially), Carbide.C++ Pro can be purchased for $1.300.
  • The crack is limited to one device.
  • Proven to work only on the Nokia N80; on other "hotter" devices (like the N95) it does not work, or at least nobody has been able to make it work so far.

What kind of damage can a cracker still do?
  • Explore the file system, discover what is stored where and how (as if you had the AllFiles and/or TCB capability), and exploit it.
  • Access DRM-protected content (as if you had the DRM capability). This might be more dangerous, as you could download e.g. DRMed music once and sell it multiple times later on.

To sum up this post, this new way of cheating Platform Security is the traditional way of cracking. I'm not surprised that it was discovered and published; I just wonder why it took so long. And finally, I don't think that it will cause major problems in the Symbian ecosystem.

What do you think?

Tote

Update: Corrected the name of Carbide.C++ edition to Express. Thanks Lucian!

Comments

Re: Another hack for Symbian Platform Security

ltomuta | 10/03/2008, 06:52

Once more, bad news to start the day with. Not necessarily for what this crack does, but because we are reminded that PlatSec is needed, that the world is not full of innocent developers looking for the best solution to an end-user's problem, but there are also a lot of people who start the day with the revelation that there's something stupid to be done today, let's do it. And they do.

I don't read that forum and I am not about to register on it just to read about the hack. The whole finding is useless to any decent developer, and I claim to be one of those.

Tote, the Carbide.c++'s free edition is called Express. It is the developer that uses it that is the Expert ;)

Back to sleep

Sorcery-ltd | 10/03/2008, 10:01

For a second there I thought you were about to reveal some major security breach.

So, you can make the software do something it wasn't supposed to with system level debugging. No surprises there.

I don't completely agree with ltomuta on this one though. People trying to hack a really good security architecture is like people trying to climb a really high mountain. They do it because it's there and they like a challenge.

I think PlatSec as implemented on the devices is good and needed. I'm not so convinced about the system for who gets what certificates and how, and confusing the quality certification program with the security mechanism.

Back to sleep for now - hopefully there'll be some good news in this area sometime soon.

Mark

It's not too bad

tote_b5 | 10/03/2008, 10:29

Hi there,

I agree with Mark that only good software gets cracked and this is actually something we could already calculate with. This solution is very limited and I think the damage that can be done is not too big, either.

Life goes on, :)

Tote

More than meets the eye?

mgroeber9110 | 10/03/2008, 16:26

I believe that there could be a bit more to it than what the immediate disadvantages you list here make it look like.

To me, the interesting point seems to be that MetroTRK apparently has sufficient capabilities to compromise platform security in principle - keep in mind that it is only a remote "agent" that normally does the bidding of the Carbide server on the PC, but it could just as well get its commands from another source.

So the interesting question is whether the severity of this would change if, say, someone managed to give MetroTRK the "right" commands from an application running on the phone itself (simulating what otherwise Carbide would send, after analyzing the protocol in the same way that other over-the-wire formats were reverse-engineered).

But as you say, it is indeed surprising how long it took for people to try these kinds of attacks, compared to how quickly the first iPhones were "jailbroken". 3rd Edition has been on the market for much longer and in much greater numbers, and yet this is still miles away from any kind of "turnkey" solution...

Re: Another hack for Symbian Platform Security

major77 | 10/03/2008, 18:55

Don't you think that symbiansigned changes have something to do with it?

One door is closed, another one will open. It's inevitable.

New strike

truf | 11/03/2008, 11:44

They already made an X-plore version for installing into the \sys\ folder. That version has enough capabilities for browsing protected folders and works even after a phone reboot. They say that they will soon be able to patch software directly on the device. Looks like this is the end of Symbian shareware?

Source: http://forum.sgh.ru/topic26966s120.html#

I registered a blank user for everyone who wants to get the attached files from that thread.
User: temp_reg
Password: temp_reg

Won't believe until I can see with my own eyes

tote_b5 | 11/03/2008, 12:07

@Marcus: you hit the nail on the head. I could not imagine that such software exists that can have access to very sensitive resources. Perhaps it does not expose such an API that enables 3rd-party software to make use of the API *on the device*, not to mention that even if it does, then accepted sw must pass a strict security check.

@truf: it would help if the article (discussion board topic) you were referring to was not in Russian.

@truf

dchky | 27/03/2008, 07:12

It's not a new version of X-plore, just a change in the capabilities assigned to the exe and a new hash. This is how the AllFiles capability survives the reboot - but it's not the best solution since you can no longer write to /sys - for that you need TCB, which means a server. Once that is done, then it really is bye bye Symbian Signed.

More info, please

tote_b5 | 27/03/2008, 15:39

@truf: Please provide more information *in English*. I don't know anything about the solution as long as it's described in Russian.

Re: Another hack for Symbian Platform Security

weibsvolk | 27/03/2008, 20:19

(yes, I'm commenting under an account from bugmenot.com since I can't be arsed to register just to comment on this)

Personally I think this is really good news. After all the user should have the final say in what they do with their own device which they paid good money for. I do agree that most users are clueless, but that shouldn't be a reason enough to restrict those who really know what they're doing (and make money via the certification process while at it).

It would be great if there was, say, a physical jumper in the phone's mobo which would enable a special "developer mode" in which the phone allows all capabilities to be granted by the user. Accessing this jumper would require you to disassemble at least a bit of the phone's casing which should keep away most of the clueless, especially if it voided your warranty. This way the whole system would not reek simply of a giant money-making scheme.

I for one will not be updating my E90's firmware until it's sure the next version can be hacked too.

Re: Another hack for Symbian Platform Security

fuckthelogins112 | 28/03/2008, 16:24

Also, it doesn't require expensive tools anymore, and it works for FP1 phones too now (my E90 v7.40.1.2 for example).

The person who discovered the hack wrote a Python script which emulates the PC debugging interface so you don't need the CodeWarrior or Carbide IDE on your PC, and the TRK SIS package which you install to your phone is available for free from: http://tools.ext.nokia.com/agents/index.htm

I don't know if you're allowed to install and use those linked SIS packages without being properly licensed, though.

I think I'll write a C program based on the Python script so that people on Windows will not have to bother with installing Python + the 2 required add-ons (users on *nix systems are much more likely to already have it).

What can I say?

tote_b5 | 28/03/2008, 16:37

It's really kind of you to take care of Symbian crackers. Hope you can feel the irony from my words.

Hacked ... bugmennot account

fuckthelogins112 | 29/03/2008, 15:14

Damn, now I realize how stupid I am. My hacked phone just started crashing. Is it because of the new software update messing with the hack, or have I got a virus? How do I solve this? Is my phone warranty void now? I'm f***ed.

Re: Another hack for Symbian Platform Security

navy_3dfx | 29/03/2008, 18:26

...It seems you really can't understand the issue... These "Symbian crackers" are the legal owners of their legally bought mobile phones. And being their own property they are allowed to handle them in the way they want to - and this implies using phones' full capabilities - without being forced to pay someone (Symbiansigned) to allow these capabilities.
