
S60 3rd Edition Unlimited! [ENG]

Saxen told me about some good news for S60 3rd Edition owners: it seems there is a possibility to change file permissions and to see what is contained in hidden folders on the phone. Here is the tutorial made by manko from symbaali, so the credit is not mine; I'm just going to report how to do it. Obviously, I'm not responsible for any damage you may do to your phone…

manko wrote:

FIRST PART: updating Firmware:

Somebody asked about the .sisx file installation restrictions (aka Platform Security), so here's a similar solution for that. It's a similar hack to the midlet permissions one; please see the previous entry for how to run the updater first and where the image files stay.

The S60 image contains a policy file, which enforces the capabilities and signatures when installing applications. Luckily, it allows defining the user granted permissions easily (it's all documented!). The actual offset of this SWIPOLICY.INI file varies, so this is not a complete solution (not taking into account flash sector data, but you probably know better what you are doing).

At offset 28251550 of the image, the contents of my phone's "SWIPOLICY.INI":

AllowUnsigned = false
MandatePolicies = false
MandateCodeSigningExtension = false
Oid = 1.2.3.4.5.6
Oid = 2.3.4.5.6.7
DRMEnabled = true
DRMIntent = 3
OcspMandatory = false
OcspEnabled = true
AllowGrantUserCapabilities = true
AllowOrphanedOverwrite = true
UserCapabilities = NetworkServices LocalServices ReadUserData WriteUserData UserEnvironment
AllowPackagePropagate = true
SISCompatibleIfNoTargetDevices = false
RunWaitTimeoutSeconds = 600
AllowRunOnInstallUninstall = false
DeletePreinstalledFilesOnUninstall = true
AlternativeCodeSigningOID = 1.3.6.1.4.1.94.1.49.1.2.2.1 1.3.6.1.4.1.94.1.49.1.2.2.5
PhoneTsyName = phonetsy

Note the UserCapabilities field. Now, in my phone this fragment is exactly 648 bytes in size, so we have exactly that many bytes to fit our new policy.

First, extract the original text using dd (the famous unix tool). Replace skip offset and count bytes with suitable values:

dd if=phonemodel.C01 of=some.txt skip=28251550 bs=1 count=648

Next, edit the capabilities you want into the file. If you run out of space, see Symbian's documentation for defaults; you might want to remove some. For reference, here are my own modest capabilities for self-signed executables – I chose to remove AlternativeBullshitOID (I have no idea what it does):

AllowUnsigned = false
MandatePolicies = false
MandateCodeSigningExtension = false
Oid = 1.2.3.4.5.6
Oid = 2.3.4.5.6.7
OcspMandatory = false
OcspEnabled = true
AllowGrantUserCapabilities = true
UserCapabilities = AllFiles DiskAdmin NetworkServices LocalServices ReadUserData WriteUserData ReadDeviceData WriteDeviceData UserEnvironment PowerMgmt MultimediaDD TrustedUI ProtServ NetworkControl SwEvent Location SurroundingsDD CommDD
AllowPackagePropagate = true
SISCompatibleIfNoTargetDevices = false
RunWaitTimeoutSeconds = 600
DeletePreinstalledFilesOnUninstall = true
PhoneTsyName = phonetsy

(padded to 648 bytes using empty lines)

Verify that the result fits into 648 bytes (or whatever) and then insert it into the same spot in ROM image:

dd if=some.txt of=phonemodel.C01 seek=28251550 bs=1 count=648 conv=notrunc

Finally, update the phone. After that, you should be getting many more capabilities with self-signing, actually more than you get with "standard" developer certificates. This even saves some $$$, because you don't have to buy ACS Bullshit ID to get these more "sensitive" capabilities.

I have verified this hack by compiling an EXE with all above capabilities, installing it in a self-signed sisx and checking RThread::HasCapability() for those capabilities.

 

SECOND PART: changing applications headers

Symbian Signed says they won't accept any file explorer tools with AllFiles capabilities. As a result of the firmware modification, they really don't need to do that, we can self-sign those!

Here's a couple of screenshots of Y-Browser running with AllFiles capability:

By default, Y-Browser comes with a standard set of capabilities, so we need to add AllFiles capability to the set.

You'll need the fabulous sisinfo tool to unpack the sisx, elftran (from the SDK) to modify executable headers and of course makesis and signsis to create a new sisx.

Extract .sisx contents:

sisinfo.py -f Y_Browser_082_16_3rdEd.SISx -e .

Adjust capabilities:

elftran -capabilities NetworkServices+LocalServices+ReadUserData+WriteUserData+UserEnvironment+AllFiles sys\bin\YuccaBrowser.exe

Finally, run makesis, signsis – you know the drill for self-signing. For makesis you need a .pkg file; I made a simplified version for you – ybrowser.pkg
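
Seen from the defender's side, the policy change in the first part is easy to spot once the fragment is extracted from an image. The following is an added example, not part of manko's tutorial: it diffs a SWIPOLICY.INI fragment against a known-good copy and reports newly user-grantable capabilities and dropped keys. The function names are hypothetical and both sample policies are abridged from the two listings above.

```python
# Added example (not from the original tutorial): diff a swipolicy.ini
# fragment against a known-good copy. All function names are hypothetical.

def parse_policy(text):
    """Parse 'Key = value' lines; repeated keys such as Oid accumulate."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():          # skips blank padding lines
            policy.setdefault(key.strip(), []).append(value.strip())
    return policy

def user_caps(policy):
    """Capabilities listed in UserCapabilities (space-separated names)."""
    return {cap for value in policy.get("UserCapabilities", [])
            for cap in value.split()}

def audit(baseline_text, candidate_text):
    """Report how candidate_text deviates from baseline_text."""
    base, cand = parse_policy(baseline_text), parse_policy(candidate_text)
    shared = (set(base) & set(cand)) - {"UserCapabilities"}
    return {
        "added_user_caps": sorted(user_caps(cand) - user_caps(base)),
        "removed_keys": sorted(set(base) - set(cand)),
        "changed_keys": sorted(k for k in shared if base[k] != cand[k]),
    }

# Sample input: both policies are abridged from the two listings on this page.
STOCK = "\n".join([
    "AllowUnsigned = false",
    "Oid = 1.2.3.4.5.6",
    "Oid = 2.3.4.5.6.7",
    "DRMEnabled = true",
    "AllowGrantUserCapabilities = true",
    "UserCapabilities = NetworkServices LocalServices ReadUserData "
    "WriteUserData UserEnvironment",
    "AllowRunOnInstallUninstall = false",
])
MODIFIED = "\n".join([
    "AllowUnsigned = false",
    "Oid = 1.2.3.4.5.6",
    "Oid = 2.3.4.5.6.7",
    "AllowGrantUserCapabilities = true",
    "UserCapabilities = AllFiles DiskAdmin NetworkServices LocalServices "
    "ReadUserData WriteUserData ReadDeviceData WriteDeviceData "
    "UserEnvironment PowerMgmt MultimediaDD TrustedUI ProtServ "
    "NetworkControl SwEvent Location SurroundingsDD CommDD",
    "", "",  # empty-line padding, as in the tutorial
])
```

Calling `audit(STOCK, MODIFIED)` returns the capabilities added to the user-grantable set and the keys missing from the modified fragment; an unmodified policy yields three empty lists.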
