Sunday, March 9, 2008

Another hack for Symbian Platform Security

One of my articles that has gained lots of attention was written about hacking Symbian Platform Security. Although it turned out that reproducing the workaround found by Symbiaali is laborious, requires strong technical knowledge, and is very unlikely to see widespread use, it clearly showed me that people were interested in this topic.

Today I found another post at Symbian Freak that describes yet another way to turn off the Symbian operating system's well-known permission checking feature. Although I don't agree with the title of the article (good-bye?? S60??), I think it's at least worth a few words.

What is this crack about? How can we cheat Platform Security capability checking so that it does not care if our program really has the capability being checked or not? Well, in a very special way:

  • Take a development environment for Symbian, like CodeWarrior Pro or Carbide.C++ Pro. Please note that you will need on-device debugging, which is why CodeWarrior Personal/Carbide.C++ Express is not enough. I'm unsure whether Carbide.C++ Developer Edition would be enough (it sits between Express and Professional), but I doubt it. More on this later.
  • Prepare everything for on-device debugging (connect the phone to the PC, install MetroTRK on the phone, etc.).
  • Start any program from within the development environment (aka IDE) in debug mode.
  • Change some bits in the kernel stack responsible for security enforcement. This is the most critical place, where you can really turn everything upside-down. And since you can do that, I believe it's Carbide.C++ Professional Edition that you need and not Developer. The latter is less expensive, but in turn it provides only on-device application debugging, in contrast with Pro's system debugging.
  • Voilà, we're done - we have access basically to anything.
  • The crack is temporary, since everything is done in RAM.
  • Required tools are expensive: CW Pro was available at ~$1.700 (the product is discontinued and cannot be bought officially), Carbide.C++ Pro can be purchased for $1.300.
  • Break is limited to one device.
  • Proved to work only on the Nokia N80; on other "hotter" devices (like the N95) it does not work, or at least nobody has been able to make it work so far.

What kind of damage can a cracker still do?

  • Explore the file system, discover what is stored where and how (as if you had the AllFiles and/or TCB capability) and exploit it.
  • Access DRM-protected content (as if you had the DRM capability). This might be more dangerous, as you can download e.g. DRMed music once and sell it multiple times later on.

To sum up this post, this new way of cheating Platform Security is the traditional way of cracking. I'm not surprised that it has been discovered and published; I just wonder why it has taken so long. And finally, I don't think that it will cause major problems in the Symbian ecosystem.

What do you think?


1 comment:

-miniME- said...


as i said earlier when the firmware hack was out - it is necessary that nokia opens the phone to access all its content ! btw. the current hack is far more easy than explained here ! more - btw the firmware hack earlier is still not solved as one can still hack the java security !

to have drm on music one can put all into the music file no need to separate drm and content !

and it is not dangerous to have the phone open - not more than having full access to all files on your computer !

symbian signed and drm just slows down development time ! so keep the hack alive !

one advantage to the hack is - i can backup what i want and don't need to rely on buggy nokia backup tool which forgets to backup my calendar data :(((