Archive for December 2010

Reading IMEI on Windows Phone 7 Devices (Samsung Only)

This is a short post showing how to read IMEI (and other stuff if you want to walk alone over the code) on Samsung devices running Windows Phone 7.

This simple code uses the Samsung native DLLs for Windows Phone 7, so they (surely?) won’t work on LG or HTC devices.


If you are new to WP7 hacking, you may need some research on how to get started executing native code calls on Windows Phone 7, here are the requirements in a quick recap:

  • <Capability Name="ID_CAP_INTEROPSERVICES" /> inside the <Capabilities> tag in the WMAppManifest.xml file.
  • a WPInteropManifest.xml file in the root of your solution containing:
       1: <?xml version="1.0" encoding="UTF-8"?>
       2: <Interop>
       3: </Interop>

  • The Samsung native DLLs, a hint for where to find them? Hack the Marketplace, or just download them from here :D
  • A reference to Microsoft.Phone.InteropServices.dll, you can grab it from here and then add it to the Windows Phone 7 SDK.
  • In case you forgot to strong name the DLL above, here’s the last step you need (the Visual Studio command prompt must be started with admin rights)

       1: SN -Vr "PATH-TO-DLL\Microsoft.Phone.InteropServices.dll"

Code :

After setting up everything, you can read the IMEI as following:

   1: public partial class MainPage : PhoneApplicationPage
   2: {
   3:     // Constructor
   4:     public MainPage()
   5:     {
   6:         InitializeComponent();
   7:         this.Loaded += new RoutedEventHandler(MainPage_Loaded);
   8:     }
  10:     void MainPage_Loaded(object sender, RoutedEventArgs e)
  11:     {
  13:         ComBridge.RegisterComDll("COMRilClient.dll", new Guid("A18F6B1A-924E-4787-AA82-19F98B49CF5D"));
  14:         COSecRilControl cls = new COSecRilControl();
  15:         ISecRilControl intrfc = (ISecRilControl)cls;
  18:         //READING THE IMEI
  19:         string imei;
  20:         intrfc.GetIMEI(out imei);
  21:     }
  22: }
  24: [ComImport, Guid("A18F6B1A-924E-4787-AA82-19F98B49CF5D"), ClassInterface(ClassInterfaceType.None)]
  25: public class COSecRilControl
  26: {
  27: }
  29: [ComImport, InterfaceType(ComInterfaceType.InterfaceIsIUnknown), Guid("A5857C17-04C2-49c5-A460-05A21660588F")]
  30: public interface ISecRilControl
  31: {
  32:     void Init();
  33:     void Deinit();
  34:     void Run(int mode);
  35:     void End();
  36:     void SetInput(int type);
  37:     void Back();
  38:     void GetDispInfo(out uint svcMode, [MarshalAs(UnmanagedType.SafeArray)] out byte[] info);
  39:     void GetEvent(int type, out int pEvent);
  40:     void SetEventCOM(string name);
  41:     void LaunchExe(string exe, string arg);
  42:     void DoHiddenKey(int hashcode);
  43:     void GetLockingStatus(out uint m_dwLockFacility, [MarshalAs(UnmanagedType.SafeArray)] out byte[] pPasswd);
  44:     void SetLockingStatus(out uint m_dwLockFacility, string data, out uint m_dwStatus, [MarshalAs(UnmanagedType.SafeArray)] out byte[] result);
  45:     void GetIMSI(out string IMSI);
  46:     void GetIMEI(out string IMEI);
  47:     void DoHiddenKeyWithResult(int hashcode, out string jobName);
  48:     void WaitNamedEvent(int timeout, string name);
  49:     void RegSetDWORD(uint HKEY, string pwszPath, string valueName, uint value);
  50:     void RegGetDWORD(uint HKEY, string pwszPath, string valueName, out uint value);
  51:     void RegSetString(uint HKEY, string pwszPath, string valueName, string value);
  52:     void RegGetString(uint HKEY, string pwszPath, string valueName, out string value);
  53:     void ReadTextFile(string path, out string result);
  54: }

This is a great read about Windows Phone 7 hacking [link].

Posted in , , |

Windows Phone 7 hacks, all the diagnosis codes you need, Part 2

As promised in part 1, here is the rest of the Samsung diagnosis codes for Windows Phone 7. If you don’t know how to use them, refer to part 1 for more information.

*#05# Main tests : Camera, sensors, proximity, battery, acceleration, light …
*#9908# GPRS manager/Gumi test Bed/ Suwon2G / Suwon3G
*#9909# -
*#9911# Debug mode for chg/bat
*#9920# -
*#32489# Ciphering control
*#32589# Camera FW update
*#94765# Disable AutoSim settings
*#99732# The (Java) Build script
*#99785# PVK Key
*#232331# Bluetooth RF Test Mode
*#232332# Bluetooth Audio
*#232333# Bluetooth Search Test
*#232337# Bluetooth Mac
*#232338# WLAN Mac
*#232339# WLAN Test – Change channel – Datarange etc..
*#737425# -
*#914789# Apps launcher / List of EXE files
*#997856# PVK File name
*#1472365# Black Swan GPS location services
*#4238378# GCF / GSM
*#7465625# Lock status/ network lock / Subset, SP lock/ CPLOCK
20652609 Disable Bluetooth log
20652619 Enable Bluetooth log (you can copy the file use wpget.exe)
20652629 SSP debug on
20652639 SSP debug off
*#22558463# Call time logs
35190718 Erasing IMEI (seriously?)
35190728 Bluetooth stuff
61709124 =
61709134 Bluetooth log
61709144 SSP
61709154 SSP
71671835 Factory Reset (careful while testing this one)
76247233 Factory Reset
76247243 Factory Reset
*#99867247# -

Posted in , |

Windows Phone 7 hacks, all the diagnosis codes you need, Part 1

Lately I have been working on some hacks for the Windows Phone 7, and was interested especially in the Samsung diagnosis app that uses different codes to debug their devices.
I’ve succeeded to extract more than 60 codes that I will show in this post and the next one, and their basic functionality/use in the diagnosis app.
The following codes were tested on a real Samsung Omnia 7, I’ll be happy if you can confirm their use on other devices as well.
To enter the diagnosis app, type ##634# and press call, the application should now be placed on the list of apps.

*#80# Touch Debug stuff
*#526# Wifi factory test
*#745# -
*#780# SR test
*#1111# FTA SW version
*#1234# WIFI / Bluetooth mac
*#1575# Gps test mode
*#1793# Micro usb / sync / modem / tethering
*#2222# FTA HW version
*#2263# WCDMA, GSM band
*#2470# Camera FWUpdate
*#2580# Integrity control
*#2663# Touch Screen Version
*#7284# Micro USB Test
*#7298# GPRS settings, auto pwr on/off
*#7353# Self Diagnosis tool
*#7450# Error report Off
*#7451# Error report on
*#9090# USB Diag / DBG msg on/off
*#9900# Debug Dump
*#9906# Debug Dump + Ril log
*#770# Vphone tests 0
*#771# =
*#772# =
*#773# =
*#774# =
*#775# =
*#776# =
*#777# =
*#778# =
*#779# Vphone tests 9

Posted in |

Windows Phone 7: why you should obfuscate your code

A while back Microsoft sent some warning emails to the registered Windows Phone 7 developers about the threats their apps might face once published on the Marketplace. The apps on the Marketplace are available for download without any authentication required. What you need to get an app is simply the direct link to the .xap file, something of the form, which contains the DLL that can be disassembled very easily with Reflector for example. More info here.

Here’s an excerpt from the email :

It is important to note that because of the leak containment steps Microsoft takes applications obtained outside of Marketplace will not run on consumer retail devices. Modified files would only run on a limited number of “unlocked” phones, such as those that have been registered by Marketplace developers on App Hub….

One powerful tool for protecting your apps and games is code obfuscation, which is a long standing best practice for managed code. Obfuscation is available tools like the Dotfuscator product recently announced for Windows Phone 7 applications. Microsoft has partnered with PreEmptive Solutions to make this tool, as well as a robust application analytics solution, available to Windows Phone developers for free through March 31st, 2011.

Right now, it seems that the only option to protect your app, is to use a code obfuscator, since anyone is allowed to download it from Microsoft servers without any restriction, whether they are using a real Windows Phone 7 or they are sniffing the traffic made by the Zune software (yes, I’m not going to tell you how to do it! you need to figure it out yourself).

For demonstration purposes, here is what Reflector shows when applied on an obfuscated DLL and on a non obfuscated one:


1. Obfuscated


2. Clear

As you can see, on the obfuscated version, Reflector shows either a message saying that the code was obfuscated and it cannot be disassembled, or a bunch of unreadable variable names with a lot of “goto” instructions.

On the other hand, the non obfuscated version is disassembled to (almost) the original source code, only the comments are missing.

Last word, if you are developing anything for Windows Phone 7, do not forget to obfuscate your code before publishing your app on the market.

Posted in , , |

Swedish Greys - a WordPress theme from Nordic Themepark. Converted by