Windows Mobile Application Security – Part I
We need access to internal storage of device to proceed with security testing, however,Windows devices don’t allow users access to its internal storage. Naturally, for accessing internal storage we need unlocked Windows device. In this article, we will learn to unlock bootloader of Windows Nokia Lumia device followed by gaining root access to internal storage.
Unlocking Windows Mobile Device (Lumia)
Below is the prerequisite for the same:
- Windows Lumia Phone Device
- Windows Phone Recovery Tool (Download URL)
- Qualcomm Emergency Download drivers (Download URL)
- Windows Phone Internal
- Download FFU Image from your Lumia mobile device http://www.lumiafirmware.com/
(Note: Before you start please make sure you download all above prerequisite.)
Unlocking devices with Windows Phone Internal is only possible for devices below with mentioned Firmware Versions:
Currently these models are supported for unlocking the bootloader:
OS versions are currently supported for enabling Root Access:
HeathCliff has released a tool called “Windows Phone Internals” that allows Windows phone owners to unlock their smartphone’s bootloaders, gain root access, and even create and run custom ROMs.
Below are the steps which has to performed Unlocking Windows Device. For this tutorial, we’ll be using Window’s Lumia 920 Device.
Step 1: Installing Lumia Driver
This is mandatory steps which allows user to download windows firmware specific to your windows mobile phone devices.Install windows phone recover tool from Microsoft Site. Download Link
Installing Qualcomm Emergency Download driver is optional but I would recommend to performing this step as my mobile phone was not detected by Window Phone Recovery Tool.
Installing Qualcomm Emergency Download drivers
Extract and place the Qualcomm folder on your desktop.
Tricky Part: Installing the certificate file to download Qualcomm Driver. Windows 10 does not allow users to install third party driver certificate in “Trusted Root Certification Authorities” category
To disable certificate driver signature verification, please follow below steps:
- Run Command prompt as Administrator and enter below command
shutdown /r /o /t 0
- Then go to Troubleshoot Startup Setting option
- You will be given a list of startup settings, which includes “Disable driver signature enforcement” as shown below screenshot.
To choose the setting, you need to press F7 key.
- System will restart now you can install third party certificate in “Trusted Root Certification Authorities” category
- Disable Driver Signature Enforcement Permanently and Completely
bcdedit /set testsigning on
- Now install third party driver certificate in “Trusted Root Certification Authorities” category
- To install certificate, click certificate file resides on <path>
After the completion of Certificate installation proceed with downloading Qualcomm Emergency drivers.
Follow below steps:
- Open Command prompt and go to the directory where Qualcomm Emergency driver’s folder is located
cd C:\Users\ ..\Desktop\Qualcomm CDMA Technologies MSM\Drivers
- Then type below commands which will install the Qualcomm Emergency drivers
PnPUtil -i -a msmdm.inf
PnPUtil -i -a qcmdm.inf
PnPUtil -i -a qcser.inf
- Reboot your PC
Next, Verify if your windows phone device is detected by Windows phone recovery tool. If yes, you can proceed as below.
Step 2: Flash Windows Phone device with Original FFU
- Open “Windows Phone Internal Tool”
- Go to Flash “Flash original FFU”
- Select FFU downloaded from http://www.lumiafirmware.com/ for your device. To find out exact FFU image check the “info” section in Windows Phone Internal.
- For my device its “RM-821 VAR IMEA INDIA CV BLACK”
- Click Continue and Phone will restart after some time
Step 3: Download firmware for your Mobile Device using Windows phone recovery Tool
- Connect your Windows phone device using USB
- Windows phone recovery will detect your phone
- Click Install Firmware Button it will download latest firmware available for your windows phone
The downloaded FFU image and all the file can be found below location:
Step 4: Generating HEX file which allows Windows Phone to go into windows emergency Mode
- Extract gtp0.bin from FFU Image
Cd C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool
thor2 -mode ffureader -ffufile ” C:\ProgramData\Microsoft\Packages\Products\RM-821\XXX.ffu” -dump_gpt -filedir G:\MobilePentest\LUMIA920
Destination Folder: “G:\MobilePentest\LUMIA920”
Output will be “Exited with Success” Message as shown in below screenshot
- Above command will create gpt0.bin and rename it as msimage.mbn
- Generating HEX file for Binary file using bin2hex (Download bin2hex)Download bin2Hex file and placed in “G:\MobilePentest\LUMIA920” directoryCd G:\MobilePentest\LUMIA920 bin2hex gpt1.bin
Step 5: Final Step Unlock Boot Loader Setting using Windows Phone Recovery Tool
(Make Sure Windows Device is Connected via USB)
- Go to Unlock Boot Loader
- Windows Phone internal will ask user to “switched to flash-mode” click “OK” and Phone will reboot in to flash mode
- Resource for Flashing” screen will appear once device enters into flash mode
- Select FFU image which was downloaded in “C:\ProgramData\Microsoft\Packages\Products\RM-821”
- Select Emergency folder located at “G:\MobilePentest\LUMIA920”
- Select SBL3 file for your phone device (SBL3 Download)
- Click Continue this will unlock you Windows phone device.
Accessing Internal Storage using Windows Phone Internal
- Launch windows phone internal with connected windows phone device
- Go to Root Access à “Enable Root Access Directly on Phone”
- Click “Unlock Phone”
- This will mount the internal storage on your OS
Viola!! We have access to internal storage of device with root privileges.
Stay tuned for Windows Mobile Application security part II 🙂