Bypass signature requirement for COD files

Actually it didn’t work as we had expected. We still cannot bypass signature control, but results, in fact, quite interesting.

After many unsuccessful experiments and reviews of both – SignatureTool and rapc , we decided to try another approach – net_rim_api. Our assumption was that any API call should be mapped to particular function prototype in net_rim_api library. If we can learn how it was done then the next step would be to create our own “prototypes” of system functions and try to bypass needs for application signing. Our assumption was “almost” correct. Why “almost” I’ll explain later.

What we did, we used information dumped from cod files, namely – class names and methods definitions, to create prototype java files. An example:

// ##########################################
// Decompiled by : coddec
// Module : XXXXXXXXXXXXXX.cod
// Module version : 4.2.1.89
// #########################################
package net.rim.vm;

public class Process
{

native public int getLastIdleCounter();
}

The trick is just simple to declare a function as native. Then the file was compiled using standard java compilator. The resulting class file was slightly corrected by JavaBite tool to remove constructor code, but I am not quite sure that it was strictly required. Anyway you are free to experiment.

Next step is to add our class file to ne_rim_api.jar file. This task is very-very simple. We used 7-Zip to accomplish that.

Well, that’s it. If in your project you call getLastIdleCounter(), rapc will compile your project without any signature warning. Why was it cool ? getLastIdleCounter() is just an example, using the same approach is possible to call system functions not using protected RIM API.

Unfortunately, it only worked on emulator. There was additional signature requirement we weren’t aware of. Signer ID for this one is 33 and it appears as “Secure API” in the error message. We couldn’t find any useful information regarding that, but it seems it is related to so called “Secure Device” flag and it works the same way as firewall rule – “Deny All”.

If it would be possible to turn the flag off … We are trying to figure out how …

By the way, the public key for Signer ID ( 33 ) is the same for all devices and BB emulator, it begins with 0x8F A7 61 CA 6E B6 94 5E 28 86 … the length is 128 bytes (1024 bits). It is physically located in rim*.sif file.

Another possibility would be replace this key with own public key, but it would be necessary to re-sign all system libraries using own private key as well. And we are not quite sure if it would be possible to patch sfi file at all as it might be signed too.

17 Responses to Bypass signature requirement for COD files

  1. kuhasu says:

    nice try!
    continue pls
    I’ll continue to wait for my reversed code of calculator
    :P

  2. Randy says:

    Was the message you got from the device some along the lines of “no sig from 0x33 or RBA and 3rd party app install not allowed”?

  3. sp00nix says:

    Wow – a lot of work and a lot of progress! Keep it up, the payoff will be worth it :-)

  4. percepticon says:

    i’m wondering how to disable the restrictions the carriers put on the jsrs…do you know where i can begin looking for that?

  5. igor says:

    Is it possible to write some code in assebly, then wrap as java native method and “inject” it into cod file?

    Thanks!

  6. Dr. {B0lsen} says:

    igor,

    no, it is not possible. first, any code injection will require re-signing of cod file, and second there is no such a thing as in-built assembler in java.

  7. Dr. {B0lsen} says:

    percepticon,

    steal RIM’s private keys :) just joking. The entire problem is that cod files are digitally signed. If we would be able bypass it than disabling things wouldn’t be more difficult than doing it for java files.

  8. Shadow says:

    Looking forward to you guys figuring out the code signing, but in the meantime is there any hope of getting a copy of the cod decompiler? I promise not to give it out :)

  9. iberry says:

    Hi, I read some of posted message here. I’m interesting to join or help.
    I’m developer of commercial application for Blackberry and use OO trick to gain what I want from RIM api which not available.

    I think if developer know blueprint of classess in net_rim_api.jar and if can use that is good enough.

    For by pass, if I have more experiment I think it’s possible.

    My application access weak point in native BB app, and that access point is my application core :)

  10. DonGato says:

    I hope you succeed. I only want it to change some application icons for something more pretty. :P

  11. inode says:

    hmm hmm, I think the only way to run unsigned apps it’s exploiting the JVM (java virtual machine) and change the keys on the fly and/or directly execute code.

    DrBolsen, did you tried to decompile net_rim_api cod on “protected” API (like PhoneCallLogID) and recreate one with low level function?

    For who is working on rapc.jar another java deobfuscator (seem to work fine) can be found at: http://www.fileoffset.com/jd.php

  12. Al says:

    Please send me the link to download coddec.

  13. tiger2wander says:

    I’m very interesting with this blog, i’ve walk around from first to last post entry(and top here). I’m a java developer and i’ve interest to join and discuss about this.

    I think we can try start from reverse RIM engine inside simulator. Maybe to do that we can look more information about runtime decompile and loading from jvm.

  14. Mi says:

    Someone Knows the link to download coddec? Thanks

  15. plug-in says:

    Is there any way to convert JASM, which we get after decompiling, to java code ??

  16. mini bypass says:

    Hi, Neat post. There is an issue with your site in internet explorer, may test this?
    IE nonetheless is the market chief and a big portion of other folks will leave out your
    fantastic writing due to this problem.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: