Unleash the power of Windows Phone


There are quite a few different types of unlocks. These unlocking mechanisms have evolved over time, and not all of them are available for all devices. You have to choose the best method for your device.

Developer Unlock

A developer unlock will allow you to sideload a restricted number of apps on your device. If you buy an AppHub account ($99 / yr) you can sideload up to 10 apps (and also submit your own apps to the marketplace). For students there's a free AppHub account which allows 3 sideloaded apps on your device. On the earliest releases of WP7 (RTM 7.0.7004 and 7.0.7008) there was a vulnerability in the certificate verification for AppHub accounts. The ChevronWP7 team exploited this by creating a tool that would spoof the Microsoft server and let the WP7 device unlock. From the earliest NoDo builds (7.0.7355) Microsoft had patched this vulnerability and it was no longer possible to use the ChevronWP7 tool. Downgrading a device to an older ROM would still allow this type of developer unlock. Recent devices don't have these ROM versions, so this is only possible with first generation WP7 devices. After the unlock the device could be updated with Zune. Currently the certificate that is used in the original ChevronWP7 tool has also expired, so downgrading is not enough: you would also need to set the date of the WP7 device and the PC to somewhere in late 2010 to allow the tool to unlock. The ChevronWP7 team later came to an agreement with Microsoft to develop a legitimate unlock tool that would allow users to buy an unlock token for $9 that would allow 10 sideloaded apps. This project has now unfortunately been discontinued. Personally I think Microsoft is making a mistake here, because they should make a better effort for Homebrew developers and users in finding a solution for homebrew without compromising security or infringing intellectual property. Mainly because I think that Homebrew developers are the most enthusiastic users there are, and any platform needs these kinds of developers and users. A normal developer unlock is now only possible with an AppHub account. But then you are still very limited.
The apps will still run within their own sandbox and the apps are not allowed to tweak the system. Back when we were still on RTM / NoDo, a developer unlock would allow unrestricted access to the drivers. Many OEM drivers could be easily exploited to gain elevated privileges to the registry and filesystem. Using those methods it was possible to apply tweaks, remove the limit on the number of sideloaded apps and apply tweaks to prevent the device from relocking when a server from Microsoft was contacted.

Native Code

An app on WP7 is usually written in C# (or VB.NET) and runs on top of the managed .NET framework. As a result the app is usually more stable than apps that are written in C++. This does, however, carry a small performance penalty. It is also more difficult for Microsoft to validate an app with native code for Marketplace approval. Therefore only a few selected partners of Microsoft (like Adobe) are allowed to publish apps with native code in the Marketplace. But it is possible on WP7 to compile and run native code. A few successful attempts were already made. But when Mango came, this code did not work anymore. People assumed it had to do with certificate-signing restrictions. I did research on this topic and I found out that it was still possible to compile and run native homebrew code, but there were restrictions on the architectures you could use. I wrote a guide for writing your own native code libraries for WP7. Even though you have a lot more APIs at your disposal, you will still be restricted to the policies of your sandbox. For example, you can try to copy a file in managed code. You will only have access to the Isolated Store of your app. If you use COM interop to call native code and you try to use the FileCopy() API, you can still only copy files in your Isolated Store.

Interop Unlock

Since the earliest WP7 Mango builds (7.10.7661) a new type of lock was introduced. This lock restricts access to the drivers. An app would need the ID_CAP_INTEROPSERVICES capability to gain access to the drivers, but sideloading an app with that capability was no longer allowed with a developer unlock and would result in error 0x81030120. With this lock, the most obvious method for accessing the filesystem and registry with elevated privileges was abandoned. I did some tests with Contable and Marvin_S and we came to the conclusion that changing the registry value MaxUnsignedApp could allow the device to remove this restriction. I did more research and I found the code that was responsible for this lock, and it showed that giving that value a number of 300 or higher would unlock the restriction on sideloading apps with the ID_CAP_INTEROPSERVICES capability and allow them to access drivers. Therefore I called this type of unlock "Interop Unlock". But then there is still a dilemma. How can we change that registry value, if there is no access to the registry (chicken and egg)? The solution lies in the apps that already have Interop access. Apps that are legitimately downloaded from the marketplace can have access to drivers. For example, the network configuration tools from the OEMs have access to the drivers. If these apps can be exploited in such a way that they will configure the device to write to the MaxUnsignedApp value, that would allow Interop Unlock. I have developed such exploits for SAMSUNG and HTC devices. LG devices can also be unlocked because they have a built-in high-privileged registry editor. SAMSUNG and HTC have already patched the vulnerabilities that I initially found in their latest updates. HTC devices with SPL 5 or higher cannot be Interop Unlocked (unfortunately all second generation HTC WP7 devices have these drivers). For SAMSUNG I have found new exploits. Currently all first and second generation SAMSUNGs can be unlocked.
At the time of writing there are exploits in the bootloaders of the NOKIA Lumia 710 and some NOKIA Lumia 800 devices (exploit found by biktor_gj). Unfortunately my own NOKIA Lumia 800 has a locked bootloader. The exploit allows flashing custom ROMs on these devices (using Linux!!!). Interop Unlock has already been achieved. Further customization and unlocking should be possible. But WP7 Root Tools is still not compatible, because Interop Unlock is not enough for WP7 Root Tools. Interop Unlock does allow WP7 Root Tools to be sideloaded, but it cannot operate yet. More about that later on. If you want more detailed information on how to get Interop Unlock, read this guide.
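As an added illustration (not code from this page or from WP7 Root Tools), here is a small Python model of the sideload gates described in the Developer Unlock and Interop Unlock sections: it pulls the capability list out of a constructed WMAppManifest.xml fragment and applies the developer-unlock app limits, the MaxUnsignedApp threshold of 300 and the 0x81030120 error. The function names, the non-numeric reason labels and the sample manifest are assumptions; the real OS check is not reproduced here.

```python
import xml.etree.ElementTree as ET

INTEROP_CAP = "ID_CAP_INTEROPSERVICES"
INTEROP_UNLOCK_THRESHOLD = 300        # MaxUnsignedApp >= 300 lifts the interop lock (from the text)
ERR_INTEROP_CAP_DENIED = 0x81030120   # error the text reports for a refused interop sideload
# Sideload limits per developer-unlock type, as given in the text.
SIDELOAD_LIMITS = {"apphub": 10, "student": 3, "chevron_token": 10, "none": 0}

# Constructed WMAppManifest.xml fragment (sample input, not a real app's manifest).
SAMPLE_MANIFEST = """<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment"
            AppPlatformVersion="7.1">
  <App Title="SampleTweakApp" Genre="apps.normal">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_INTEROPSERVICES" />
    </Capabilities>
  </App>
</Deployment>"""


def capabilities_from_manifest(manifest_xml):
    """Collect every <Capability Name="..."/> entry, ignoring the XML namespace."""
    root = ET.fromstring(manifest_xml)
    return {el.get("Name") for el in root.iter() if el.tag.split("}")[-1] == "Capability"}


def check_sideload(capabilities, account, installed_unsigned, max_unsigned_app):
    """Model of the three gates the text describes; returns (allowed, reason).
    Gate 1: a developer unlock must exist.  Gate 2: its sideload limit.
    Gate 3: ID_CAP_INTEROPSERVICES is refused unless MaxUnsignedApp >= 300.
    Reason labels other than the 0x81030120 code are assumed names."""
    limit = SIDELOAD_LIMITS.get(account, 0)
    if limit == 0:
        return False, "NOT_DEVELOPER_UNLOCKED"
    if installed_unsigned >= limit:
        return False, "SIDELOAD_LIMIT_REACHED"
    if INTEROP_CAP in capabilities and max_unsigned_app < INTEROP_UNLOCK_THRESHOLD:
        return False, ERR_INTEROP_CAP_DENIED
    return True, "OK"


if __name__ == "__main__":
    caps = capabilities_from_manifest(SAMPLE_MANIFEST)
    print(sorted(caps))
    print(check_sideload(caps, "student", 1, 3))    # refused: interop cap, device not Interop Unlocked
    print(check_sideload(caps, "student", 1, 300))  # allowed: MaxUnsignedApp at the threshold
```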

Full Unlock

Cotulla has created modified bootloaders for first and second generation HTC devices and first generation SAMSUNG devices. This allows custom ROMs to be flashed, which in turn allows a high degree of unlocking and customization. Cotulla and Ultrashot have created Full Unlock packages that can be used on custom ROMs. Full Unlock patches binaries of the operating system to remove the policy checks and allow full access to the filesystem and the registry throughout the system. Although many people welcome this, there's also a downside: not only legitimate apps have access to your device, but potential malware can also access your data. As more ROMs with Full Unlock are being released, this will attract malware makers, because an unprotected device is easy to attack! This is a very important fact to remember if you use Full Unlock. WP7 Root Tools detects Full Unlock and will run on these devices. In the latest versions of Full Unlock, Ultrashot has built an app list, based on the app list of WP7 Root Tools, which now also allows switching Root Access on a per-app basis.

Policy Unlock

There are still a lot of devices that do not have unlocked bootloaders. Also, there are a lot of people that do not have big enough balls to flash custom bootloaders and ROMs, with the chance of bricking their device. Fortunately WP7 Root Tools can ALSO use a different approach to get access to your device, which has already been made compatible with a lot of devices. As said, WP7 Root Tools will run on devices with Full Unlock. But WP7 Root Tools also has a lot of extra built-in exploits. If your device is Interop Unlocked you can deploy WP7 Root Tools. WP7 Root Tools will then detect if there are drivers that can be exploited. If so, WP7 Root Tools will use these exploits to gain access to your device. WP7 has a very well-designed policy engine, based on the Least Privilege principle. In the past I have done research on the policy engine with Fiinix and YukiXDA. WP7 Root Tools will modify the policy database to get true root access to the device. A lot of exploits are needed, because there are also hard-coded restrictions in WP7 that need to be bypassed. Once installed, WP7 Root Tools will allow you to change the policies to unlock other apps too. I could have implemented a full policy unlock, but I don't like the idea of an unprotected device. So I implemented a policy editor in WP7 Root Tools which allows you to control which apps are trusted to break out of their sandbox (Least Privileged Chamber) and get root access. This will prevent malware from getting immediate access to your device.

"Which unlock should I use?"

As I explained, different brands, different OS versions and different OEM firmware versions all have certain unlock methods available. There are only a few devices which have multiple unlock possibilities, for example the Samsung Omnia 7 and Focus. Cotulla made an unlocked bootloader, so it is possible to flash custom ROMs on them with Full Unlock. But Interop Unlock and WP7 Root Tools Policy Unlock will work too. But if you hard-reset the phone all the unlocks are gone. This is both an advantage and a disadvantage. The advantage is that there is no risk of bricking the phone and you do not void any warranty. The disadvantage is that if you need to hard-reset for some reason you will always have to re-apply all unlocks. The current technique of Full Unlock is theoretically built in such a way that the phone is still updatable. But in practice this may fail. For example, all phones with custom ROMs and Full Unlock can update to Tango when the update is rolled out, but it will break Marketplace access due to incompatible patches. You will need to flash a new Tango ROM in order to restore Marketplace access. Phones that are Interop Unlocked and Policy Unlocked are also updatable. But the problem here is that when vulnerabilities are patched, you may lose the ability to unlock your phone once it gets a hard-reset. You would need to unlock again, but the necessary vulnerabilities may not be available anymore. So, either way, after unlocking you should always pay close attention to which updates you use! The latest version of WP7 Root Tools also allows you to run Homebrew Native Executables, just like Full Unlock does. But there's one last difference between Full Unlock and Policy Unlock. Full Unlock allows you to install custom drivers, like the Bluetooth drivers. This is not yet possible with Policy Unlock. So, for some devices you have a choice between Policy Unlock and Full Unlock (like SAMSUNG first generation devices).
For other devices only Policy Unlock is available (like SAMSUNG second generation devices) and for other devices there is only Full Unlock (like second generation HTC devices). The unlock methods will evolve over time, and current exploits will probably be patched by Microsoft and OEMs. So you should always be aware of changes in unlocking mechanisms and choose the best method for your device.

"I have a new NOKIA. Now what?"

Some NOKIAs are shipped with an unlocked bootloader. Some other NOKIAs can be flashed with an unlocked bootloader. Read about that on XDA. If you have such a bootloader, you can flash custom ROMs. For NOKIA Lumia 800 devices there is a new method to unlock the bootloader, but it involves using extra hardware and disassembling the device. Read more about that here. When you have an unlocked bootloader, you can follow this guide from yobbo135 to flash a custom ROM on your NOKIA. The NOKIA drivers are not vulnerable (yet), so WP7 Root Tools and other tweak tools will still not run on ROMs with only Interop Unlock. If you have a NOKIA with an unlocked bootloader you should wait for custom ROMs with Full Unlock before you can use WP7 Root Tools. In the meantime I'm working hard on exploits for Interop Unlock and WP7 Root Tools compatibility. I'm trying to use exploits in apps and drivers for that. If that succeeds, it can also be used on new NOKIAs that do not have unlocked bootloaders. There is no way to predict an ETA on any of these unlocks, so it is useless to ask about that. As soon as there are enough exploits to run WP7 Root Tools on NOKIA I will announce that on Twitter and on XDA.