Bypass Symbian Signed & Install UnSigned SISXJ2ME Midlets on Nokia S60 v3

Here is some breaking news for Nokia S60 mobile users. The very much frustrating Symbian Signed security platform v9.2 has been exposed to hacks. No longer do you need to use tools such as SignSIS & DevCertRequestControl to get a certificate for installing applications. Users can now bypass the Symbian Signed certification check and install any unsigned or self-signed applications or software.

When installing native Symbian OS packages (.SISX files) onto a Nokia S60 mobile device, the code performing the installation (the Software Installer, sometimes referred to as SWI) first reads the settings in a policy file in the ROM (swipolicy.ini) to determine how the installation should proceed. Swipolicy.ini is configured by a device manufacturer prior to device shipping. On a phone, swipolicy.ini is located in z:\system\data\.

Click Read More to read full post.

This hack involves modifying the swipolicy.ini in the ROM image when you do a firmware upgrade using a HEX Editor and then re-flashing the device with the altered permissions. You can read all about it at the Symbaali blog.

Important Note: This hack is not for the faint hearted and is known to brick a few models that perform a CRC check. Anything that you do following the article below is at your own risk and responsibility.

+ First update your S60 mobile phone using the software update tool.

+ It will download the binary image to C:\Documents and Settings\All Users\Application Data\Nokia\Nokia Service Layer\A\nsl_service_module_00001\

+ Open the ROM image in a HEX editor such as WinHex

+ For Java J2ME midlets, look for the following text/string (can be found using search string midp2_rp.xpf near offset 0×2310000):

# midp2_rp.xpf
# Copyright (c) 2004-2005 By Symbian Software Ltd. All rights reserved.
# This file defines one possible interpretation of the MIDP2 Security RP security policy,
# but with a JTWIr1 compliant policy for untrusted MIDlet suites

FormatVersion: 1.0

# MIDlets in untrusted MIDlet suites need user permission before doing anything
DomainBindings: [UNTRUSTED]

FunctionGroupBinding: “Application Auto Invocation”
Permission: User
DefaultMode: Session
MaximumMode: Session
EndFunctionGroupBinding

FunctionGroupBinding: “Landmark”
Permission: User
DefaultMode: Session
MaximumMode: Session
EndFunctionGroupBinding
[…]

+ Change MaximumMode field for each permission you want to add such as Application Auto Invocation, Landmark, Local Connectivity, Messaging, etc to Blanket. If you want, you can also change the DefaultMode to Blanket and save the image.

+ Now run the software update again and it should re-flash the S60 device with your new, unrestricted permissions. You can test if the hack was successful by installing a Java J2ME midlet. You should see more permission options in the application manager (Select the midlet and Click Open).

+ For Nokia S60 SISX files, locate the swipolicy.ini in the ROM image (can be found using search string UserCapabilities, near offset offset 28251550):

AllowUnsigned = false
MandatePolicies = false
MandateCodeSigningExtension = false
Oid = 1.2.3.4.5.6
Oid = 2.3.4.5.6.7
DRMEnabled = true
DRMIntent = 3
OcspMandatory = false
OcspEnabled = true
AllowGrantUserCapabilities = true
AllowOrphanedOverwrite = true
UserCapabilities = NetworkServices LocalServices ReadUserData WriteUserData UserEnvironment
AllowPackagePropagate = true
SISCompatibleIfNoTargetDevices = false
RunWaitTimeoutSeconds = 600
AllowRunOnInstallUninstall = false
DeletePreinstalledFilesOnUninstall = true
AlternativeCodeSigningOID = 1.3.6.1.4.1.94.1.49.1.2.2.1 1.3.6.1.4.1.94.1.49.1.2.2.5
PhoneTsyName = phonetsy

+ Next you need to download a free dd tool for windows such as one from here

+ Then extract the original text using dd by running the following command:

dd if=phonemodel.C01 of=filename.txt skip=28251550 bs=1 count=648

+ Remember to replace if, skip and count variables with the values of your own ROM image. The count variable is the size of the swipolicy.ini in your flash ROM image starting from AllowUnsigned till phonetsy.

+ Open the filename.txt and edit the UserCapabilities with

AllFiles DiskAdmin NetworkServices LocalServices ReadUserData WriteUserData ReadDeviceData WriteDeviceData UserEnvironment PowerMgmt MultimediaDD TrustedUI ProtServ NetworkControl SwEvent Location SurroundingsDD CommDD

As per one of the comments, you can also set UserCapabilities = All to include the full capability-set.

Ensure that the swipolicy.ini fragment matches the original byte count size that you had earlier. If it is more in size, you may have to remove some non-important attribute such as Oid = 1.2.3.4.5.6 at your own risk to ensure that the byte count matches. Hint: check the size of filename.txt in Windows explorer before importing.

+ Import the filename.txt back into the ROM image by running the following command:

dd if=filename.txt of=phonemodel.C01 seek=28251550 bs=1 count=648

Again remember to replace the of, seek and count variables for your ROM.

+ Now re-flash your mobile phone with NSU as you did earlier. You will find more functionalities that you don’t even get with a developer certificate.

After your phone is unlocked, you can add the AllFiles capability to Y-Browser that enables you to browse and view system and private files on your smartphone’s mobile file system.