Recently, I got a couple j2me-capable phones on ebay as test devices for some development work that I'm doing for an NGO based in West Africa. I'm developing a literacy-education tool that is intended to be deployed on low-cost j2me devices because this is the technology platform with the greatest market penetration in the area. Most people in the region do not have laptops, desktops, OLPCs, tablets, android phones or iPhones. Many people do have low-cost j2me-capable phones manufactured by nokia, samsung, LG, etc.
To test my j2me code on real hardware (not just emulators), I purchased a couple second-hand mobile phones on eBay.
I do not use this type of device day to day. I have a much fancier android phone that operates on a CDMA network. My test devices are gsm.
One is a samsung C3050 and the other is a nokia 5130 XM. Both are relatively cheap devices. My C3050 isn't totally locked-down/crippled because it does not have a T-Mobile firmware. The guy who sold it to me on eBay shipped it from NY, and he left an old T-Mobile USA SIM card in the phone, but the firmware version code indicates that it was originally sold by "China Mobile Communications Corporation".
The nokia came with a T-Mobile USA firmware. On nokia s40 phones (and maybe other j2me phones), T-Mobile modifies the core manufacturer firmwares to disallow running apps that would otherwise run in the "trusted third party" j2me security domain. The phone contains Thawte and VeriSign root x509 certificates, but T-Mo does not allow you to run apps signed with code-signing certs. I learned this from developer.nokia.com.
In any case, (many? some?) nokia s40 phones do not allow you to install your own certificates for code signing. If you do a web search, you will find several other blogs lamenting the developer-unfriendly "security model" (in scare quotes because it has more to do with securing revenue than with device security) on j2me mobile devices.
It took way too much binary diffing, staring at hex dumps, and trial + error, but I reverse engineered enough of the file format of nokia's internal binary cert DB file to figure out how to install a self signed cert that runs in what I believe is the operator protection domain. The partial analysis of the nokia ext_info.sys file on this page by Thomas Zell helped a lot.
I created a github project called dustbowl to alter ext_info.sys files.
I also posted this analysis of the ext_info.sys file format.
- Here are some really great tools that enabled my analysis:
- gammu:
- This is a fantastic project that implements the nokia FBUS protocol to support accessing the filesystem on supported nokia phones.
- vbindiff:
- This is a nice, lightweight console-based binary diff program
- hexdump:
- a good tool for a quick traditional hex-editor formatted view of a binary file.
update
Since I wrote this, I found an open source project called nokicert that also supports installing code-signing certificates on nokia s40 phones. I was able to build and run it, but I haven't tried to use it to install certs on my own phone. I confirmed that the feature to read the cert DB on my phone works fine.
Nokicert installs certs to your phone's auth certificate DB not to the user certificate DB. On my firmware/device (T-Mobile USA/nokia 5130c2), it is sufficient to install certs to the user certificate DB, and doing so incurs less risk of possibly bricking your phone.
I reached out to Francois Kooman, the developer of nokicert, and he graciously shared his notes on reverse engineering the security model of nokia phones. He managed to figure out several things about the security model that I had not figured out from my tinkering.
No comments:
Post a Comment