ChevronWP7 is an application that lets anyone unlock a WP7 device without a Marketplace developer account.
There has been a lot of fuss about the tool, with Microsoft taking serious moves against its developers until they took it down (it is still available on xda though).
About a week ago we started a thread on the xda forums in order to try to disassemble the code of ChevronWP7 and understand how it works. Personally, I was totally impressed by how they do the communication with the phone, and especially by how they discovered the series of bytes to send to the device that translate into commands, etc. It was unlikely to be discovered just out of the blue, and with further digging in the obfuscated code I started to be skeptical about it, and about the possibility that Microsoft could have a hand in this in order to advertise its brand new phone OS.
But 2 days ago, I discovered that within the WP7 SDK there is a program called Windows Phone Developer Registration. I opened it with Reflector, and there was the code, as if it were the original source code.
The thing is that the similarities between the (weakly) obfuscated ChevronWP7 and the original MS tool are too evident: the code has exactly the same structure. It turns out that the ChevronWP7 tool is just that Windows Phone Developer Registration program without the authentication to Live services!
What the ChevronWP7 guys did was redirect requests for developerservices.windowsphone.com to a local address on the computer and start an HTTP service that sends a faked response to the phone when it makes the request to check whether it should be unlocked.
Basically the application works as follows:
It uses a TcpClient connected to 127.0.0.1 on port 27077 to communicate with the phone, with short timeouts, Nagle disabled and a zero linger time:
this.client = new TcpClient();
this.client.SendTimeout = 2000;          // 2 s send timeout
this.client.ReceiveTimeout = 2000;       // 2 s receive timeout
this.client.LingerState.Enabled = true;  // close immediately, do not wait for unsent data
this.client.LingerState.LingerTime = 0;
this.client.NoDelay = true;              // disable Nagle so each command goes out at once
this.client.Connect("127.0.0.1", 27077);
To check the status of the phone, it sends this 4-byte command (0x10, command id 1, then a zero uint16 payload length):
byte[] buffer = new byte[4];
buffer[0] = 16;  // 0x10: constant first byte of every command
buffer[1] = 1;   // command 1 = status
this.commandData = buffer;
To unlock the phone, it sends this byte array: the same 0x10 prefix, command id 3, a uint16 payload length, and then two type/length/value entries (the ASCII auth token and a uint16 flag). BitConverter.GetBytes emits little-endian values on the x86 machines this runs on:
List<byte> list = new List<byte>();
ASCIIEncoding encoding = new ASCIIEncoding();
// payload length: TLV 1 (1 type + 2 length + token) plus TLV 2 (1 type + 2 length + 2 value)
ushort num = (ushort)(((authToken.Length + 3) + 2) + 3);
list.AddRange(new byte[] { 16, 3 });                             // 0x10, command 3 = unlock
list.AddRange(BitConverter.GetBytes(num));                       // uint16 payload length
list.Add(1);                                                     // TLV type 1: auth token
list.AddRange(BitConverter.GetBytes((ushort)authToken.Length));
list.AddRange(encoding.GetBytes(authToken));
list.Add(2);                                                     // TLV type 2: uint16 flag
list.AddRange(BitConverter.GetBytes((ushort)2));
ushort num2 = isInt ? ((ushort)0) : ((ushort)1);
list.AddRange(BitConverter.GetBytes(num2));
this.commandData = list.ToArray();
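To make the framing explicit, here is an added Python re-implementation of the three commands (status, unlock, and the lock command shown further down in this post). It is not code from ChevronWP7 or from the Microsoft tool; it only reproduces the byte layout visible in the decompiled C# above: a 0x10 prefix, a command id, a little-endian uint16 payload length, and TLV entries of the form type byte, uint16 length, value. The parser and the send_command helper are my additions, and the meaning of the isInt flag and the shape of the phone's reply are not described in the post, so the helper just returns whatever bytes come back.

```python
import socket
import struct

# Wire format as recovered from the decompiled Windows Phone Developer Registration tool:
#   byte 0    : 0x10 (constant in every command)
#   byte 1    : command id (1 = status, 2 = lock, 3 = unlock)
#   bytes 2-3 : little-endian uint16 payload length
#   payload   : zero or more TLVs, each [type:1][len:uint16 LE][value]
# TLV 1 carries the ASCII auth token; TLV 2 (unlock only) carries a uint16 that the
# decompiled code sets to 0 when isInt is true and 1 otherwise.
CMD_PREFIX = 0x10
CMD_STATUS, CMD_LOCK, CMD_UNLOCK = 1, 2, 3
TLV_AUTH_TOKEN, TLV_FLAG = 1, 2


def _tlv(tlv_type: int, value: bytes) -> bytes:
    return bytes([tlv_type]) + struct.pack("<H", len(value)) + value


def _frame(cmd: int, payload: bytes = b"") -> bytes:
    return bytes([CMD_PREFIX, cmd]) + struct.pack("<H", len(payload)) + payload


def build_status_command() -> bytes:
    """Matches the 4-byte buffer {16, 1, 0, 0} built by the tool."""
    return _frame(CMD_STATUS)


def build_lock_command(auth_token: str) -> bytes:
    """Matches LockCommand: one TLV holding the token, length = token + 3."""
    return _frame(CMD_LOCK, _tlv(TLV_AUTH_TOKEN, auth_token.encode("ascii")))


def build_unlock_command(auth_token: str, is_int: bool) -> bytes:
    """Matches the unlock builder: token TLV plus a uint16 flag TLV, length = token + 8."""
    payload = _tlv(TLV_AUTH_TOKEN, auth_token.encode("ascii"))
    payload += _tlv(TLV_FLAG, struct.pack("<H", 0 if is_int else 1))
    return _frame(CMD_UNLOCK, payload)


def parse_command(frame: bytes) -> dict:
    """Decode a frame into its command id and TLVs, validating every declared length."""
    if len(frame) < 4 or frame[0] != CMD_PREFIX:
        raise ValueError("not a 0x10 command frame")
    cmd = frame[1]
    (payload_len,) = struct.unpack_from("<H", frame, 2)
    payload = frame[4:]
    if len(payload) != payload_len:
        raise ValueError(f"declared payload length {payload_len}, got {len(payload)}")
    tlvs = {}
    pos = 0
    while pos < len(payload):
        if pos + 3 > len(payload):
            raise ValueError("truncated TLV header")
        tlv_type = payload[pos]
        (n,) = struct.unpack_from("<H", payload, pos + 1)
        pos += 3
        if pos + n > len(payload):
            raise ValueError("TLV value runs past end of payload")
        tlvs[tlv_type] = payload[pos:pos + n]
        pos += n
    return {"cmd": cmd, "tlvs": tlvs}


def send_command(frame: bytes, host: str = "127.0.0.1", port: int = 27077,
                 timeout: float = 2.0) -> bytes:
    """Send one frame with the same socket settings the tool uses (2 s timeouts,
    TCP_NODELAY, linger 0) and return the raw reply; the reply format is not
    documented in the post, so nothing is decoded here."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        s.sendall(frame)
        return s.recv(4096)


if __name__ == "__main__":
    for name, frame in (("status", build_status_command()),
                        ("lock", build_lock_command("TOKEN")),
                        ("unlock", build_unlock_command("TOKEN", True))):
        print(f"{name:7s} {frame.hex(' ')}  ->  {parse_command(frame)}")
```

The length checks in parse_command are worth keeping even for a toy: the C# builders trust authToken.Length to fit in a ushort and never check the reply, so a parser on either side that does not validate the declared lengths is where a malformed frame would cause trouble.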
An HTTP server is started to listen for any requests that come from the phone (redirected to 127.0.0.1 through the system hosts file) and returns this as the response:
<ResponseOfRegisteredDeviceStatus xmlns="Microsoft.WindowsMobile.Service.Marketplace" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<ResponseCode>0x00000000</ResponseCode>
<ResponseMessage i:nil="true"/>
<Entity xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.WindowsMobile.Service.Marketplace.BLLDevPortal.Entities">
<a:DaysLeft>365</a:DaysLeft>
<a:AppsAllowed>10</a:AppsAllowed>
</Entity>
</ResponseOfRegisteredDeviceStatus>
The value in <a:AppsAllowed> is the number of sideloaded apps the phone will accept; the modified version discussed here raises it so that the sideloading limit no longer applies.
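The fake developer-portal side of this, as an added example in Python (not ChevronWP7's own code): a tiny HTTP server that answers every request with the ResponseOfRegisteredDeviceStatus document quoted above, plus a parser for it so the exchange can be checked end to end on localhost. The request path is not given in the post, so the handler ignores it; the hosts-file entry that points developerservices.windowsphone.com at 127.0.0.1 is described in the post but is not written by this script, and a real phone would expect the server on the default HTTP port rather than the ephemeral port used in the self-test.

```python
import threading
import xml.etree.ElementTree as ET
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKETPLACE_NS = "Microsoft.WindowsMobile.Service.Marketplace"
ENTITY_NS = ("http://schemas.datacontract.org/2004/07/"
             "Microsoft.WindowsMobile.Service.Marketplace.BLLDevPortal.Entities")


def build_status_response(days_left: int = 365, apps_allowed: int = 10) -> bytes:
    """Serialize the ResponseOfRegisteredDeviceStatus document quoted in the post."""
    return (
        f'<ResponseOfRegisteredDeviceStatus xmlns="{MARKETPLACE_NS}" '
        'xmlns:i="http://www.w3.org/2001/XMLSchema-instance">'
        "<ResponseCode>0x00000000</ResponseCode>"
        '<ResponseMessage i:nil="true"/>'
        f'<Entity xmlns:a="{ENTITY_NS}">'
        f"<a:DaysLeft>{int(days_left)}</a:DaysLeft>"
        f"<a:AppsAllowed>{int(apps_allowed)}</a:AppsAllowed>"
        "</Entity>"
        "</ResponseOfRegisteredDeviceStatus>"
    ).encode("utf-8")


def parse_status_response(body: bytes) -> dict:
    """Pull ResponseCode, DaysLeft and AppsAllowed out of the document, namespace-aware."""
    root = ET.fromstring(body)
    entity = root.find(f"{{{MARKETPLACE_NS}}}Entity")
    return {
        "response_code": root.findtext(f"{{{MARKETPLACE_NS}}}ResponseCode"),
        "days_left": int(entity.findtext(f"{{{ENTITY_NS}}}DaysLeft")),
        "apps_allowed": int(entity.findtext(f"{{{ENTITY_NS}}}AppsAllowed")),
    }


class FakeDevPortalHandler(BaseHTTPRequestHandler):
    """Answer every request, whatever the path or method, with the canned status."""
    days_left = 365
    apps_allowed = 10

    def _reply(self):
        body = build_status_response(self.days_left, self.apps_allowed)
        self.send_response(200)
        self.send_header("Content-Type", "application/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply()

    def do_POST(self):
        self._reply()

    def log_message(self, *args):  # keep the self-test quiet
        pass


def serve_once_and_fetch(path: str = "/") -> dict:
    """Start the fake portal on an ephemeral loopback port, fetch once, parse, shut down.
    (An ephemeral port is used so the self-test runs unprivileged; a phone whose DNS
    has been pointed at 127.0.0.1 would hit port 80.)"""
    server = HTTPServer(("127.0.0.1", 0), FakeDevPortalHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        conn = HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", path)
        body = conn.getresponse().read()
        conn.close()
        return parse_status_response(body)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(serve_once_and_fetch("/Registration/Status"))  # hypothetical path
```

Because the handler does not care about the path, method, or any authentication, it is exactly the kind of endpoint the hosts-file redirect relies on: the phone's request never reaches Microsoft, and anything it asks is answered with "registered, 365 days, N apps".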
To lock the phone, it sends the same kind of frame with command id 2 and only the auth token TLV:
internal LockCommand(string authToken)
{
    List<byte> list = new List<byte>();
    ASCIIEncoding encoding = new ASCIIEncoding();
    ushort num = (ushort)(authToken.Length + 3);                   // one TLV: type + uint16 length + token
    list.AddRange(new byte[] { 16, 2 });                           // 0x10, command 2 = lock
    list.AddRange(BitConverter.GetBytes(num));                     // uint16 payload length
    list.Add(1);                                                   // TLV type 1: auth token
    list.AddRange(BitConverter.GetBytes((ushort)authToken.Length));
    list.AddRange(encoding.GetBytes(authToken));
    this.commandData = list.ToArray();
}
Although the guys over at ChevronWP7 have done an amazing job with this tool, it is a little weird that Microsoft made such a fuss about it when it leaves its original "unlocker" in the wild for anyone to check out. Also, the Chevron guys should have been a little more honest about the fact that they took all the internal phone-communication code from the original registration program.