midlet permissioning

[xml780]

I'd like to try out the GPS (JSR 179) location API but have read that it requires a Motorola signature. After a quick look around the filesystem and some googling, it appears that /ezxlocal/download/java/.policy/._policy.txt contains the "manufacturer domain" certificate that would allow a midlet to be signed with the permissions to access the GPS. It doesn't seem to be likely that this file can just be replaced since there is another file in the same directory called ._hmac.txt which presumably protects it. /usr/lib/ezx/lib/libezxjaid-xscale-r.so.1.0.0 looks like it is the library that processes these files and applies permissions on the location api methods:

javax.microedition.location.Location
javax.microedition.location.Orientation
javax.microedition.location.ProximityListener
javax.microedition.location.LandmarkStore.read
javax.microedition.location.LandmarkStore.write
javax.microedition.location.LandmarkStore.category
javax.microedition.location.LandmarkStore.management

Has anyone looked into replacing these certificates?

[xml780]

After some searching and looking around the filesystem it seems that there may be various ways of affecting the permissions that a midlet has.
/usr/lib/ezx/lib/libezxjaid-xscale-r.so.1.0.0 looks like it controls this access and has the following permissions specified

javax.microedition.io.Connector.http
javax.microedition.io.Connector.socket
javax.microedition.io.Connector.https
javax.microedition.io.Connector.ssl
javax.microedition.io.Connector.serversocket
javax.microedition.io.Connector.datagram
javax.microedition.io.Connector.datagramreceiver
javax.microedition.io.Connector.comm
javax.microedition.io.PushRegistry
javax.microedition.io.Connector.sms
javax.wireless.messaging.sms.send
javax.wireless.messaging.sms.receive
javax.microedition.io.Connector.cbs
javax.wireless.messaging.cbs.receive
javax.microedition.media.control.RecordControl
javax.microedition.media.control.VideoControl.getSnapshot
com.motorola.file.readaccess
com.motorola.file.writeaccess
com.motorola.phonebook.readaccess
com.motorola.phonebook.writeaccess
com.motorola.phone
javax.microedition.location.Location
javax.microedition.location.Orientation
javax.microedition.location.ProximityListener
javax.microedition.location.LandmarkStore.read
javax.microedition.location.LandmarkStore.write
javax.microedition.location.LandmarkStore.category
javax.microedition.location.LandmarkStore.management
javax.microedition.io.Connector.mms
javax.wireless.messaging.mms.send
javax.wireless.messaging.mms.receive

The untrusted domain appears to have access to all of these according to
/usr/setup/.policy/_devdomain.txt except:

javax.microedition.media.control.RecordControl
javax.microedition.media.control.VideoControl.getSnapshot
com.motorola.file.readaccess
com.motorola.file.writeaccess
com.motorola.phonebook.readaccess
com.motorola.phonebook.writeaccess

which need to be accessed from the Trusted Third Party or Manufacturer domains.

If I nfs mount 192.168.1.1:/tmp/test /usr/setup to be able to modify _devdomain.txt, it doesn't seem to make any difference what I put in there, so I'm not convinced it's used.

Alternatively, someone also mentioned that you can alter the midlet's registry.txt, so I took a midlet that uses an http connection:
# . /home/native/.profile
[snip output]
# PATH=/usr/SYSjava:$PATH
# kvm -launch 520
[snip]
{1} J2ME_JAID_APIs.cpp:2411 <J2ME_JAID_IsTrusted> It's untrusted MIDlet suite!
[snip]
# cd diska/.system/java/DownloadApps/MIDlet00520
# grep -i trust registry.txt
Is-Trusted: 0
Domain: untrusted
# cp registry.txt foo.txt;sed 's/Is-Trusted: 0/Is-Trusted: 1/' foo.txt > registry.txt
# grep -i trust registry.txt
Is-Trusted: 1
Domain: untrusted
# kvm -lanch 520
[snip]
{1} J2ME_JAID_APIs.cpp:2405 <J2ME_JAID_IsTrusted> It's trusted MIDlet suite!
[snip]

So that makes it appear to be trusted, but I'm not sure what it has achieved, I still get prompted to allow an http connection. Also, if I change the domain to Manufacturer or Trusted Third Party I get the same result.

The last thing I've read is that permfile.txt makes a difference, but I haven't seen anything to decode that yet.

So, does anyone have a definitive answer on what controls what?

Additionally, can anyone point me at some midlets that require extended permissions such as filesystem access so that I can see how they behave if I alter things? I'd also really like to see some signed midlets too, anyone got any of those?

[xml780]

Hmmm, after all that I actually try some code to read the current location and find that it works fine. It just asks me if I want to allow access to the location api and after saying yes, gives me my current position. oh well...

[xml780]

It appears that permfile.txt is "MotorolaJ2me" repeated plus 1 byte (I used 03), xored with the permission for each api. 0101 seems to allow all access without question, so 100 bytes of 01 xored with "MotorolaJ2me" produces a permfile.txt that has all access to everything as far as I can see. I tried a few unsigned midlets that require http access and gps access and was granted access without question.

Thanks everyone for their input to my thread

permfile attached

[asmatic]

outstanding work without doubt.

Still I don't got the exact way in which to use this permfile.txt. to be able to acces restricted apis from unsigned midlets.

regards

[xml780]

$ telnet 192.168.1.2
root
# . /home/native/.profile
# PATH=/usr/SYSjava:$PATH
# cd /diska/.system/java/DownloadApps
# grep GPS */registry.txt
MIDlet00544/registry.txtescription: GPS Monitor

Ok, that's my midlet that I've just installed, let's run it from the phone so I can see all the debug messages and System.out.println stuff:

# kvm -launch 544
On the phone it asks "This application wants to read the landmarkstore. Is this OK? I click "Yes, this running", and the following appears in the telnet session:
MIDP_NotifyPermissionUpdate(): invoked with ID=26, value=8, cookie=/diska/.system/java/DownloadApps/MIDlet00544/permfile.txt
next is the one for access to the location service:
MIDP_NotifyPermissionUpdate(): invoked with ID=23, value=8, cookie=/diska/.system/java/DownloadApps/MIDlet00544/permfile.txt
and finally the request to authorise access to http:
MIDP_NotifyPermissionUpdate(): invoked with ID=2, value=8, cookie=/diska/.system/java/DownloadApps/MIDlet00544/permfile.txt

I've uploaded my permfile.txt to /diska/.system/java/DownloadApps
# pwd
/diska/.system/java/DownloadApps
# cp permfile.txt MIDlet00544
# kvm -launch 544
(no more questions)

There now should be access to everything including com.motorola.file.writeaccess that allows access to the filesystem.

[lurker]

xml780

Can I have binaries and source code of your test midlet?

[rpconnect]

nice work!!! would this give us access to system calls as well as filesystem access?

[xml780]

It only gives you access to the restricted apis listed above, i.e:j
avax.microedition.media.control.RecordControl
javax.microedition.media.control.VideoControl.getSnapshot
com.motorola.file.readaccess
com.motorola.file.writeaccess
com.motorola.phonebook.readaccess
com.motorola.phonebook.writeaccess

I was going to post the source to my midlet when I got it working properly. It's just going map your position in google maps. It'll probably take me a few more days to finish as I haven't got much free time at the moment. If you really want a copy of the current "proof of concept" stuff then drop me a mail at paul AT xml780.sbrk.co.uk. I'm compiling on linux.

[rpconnect]

@xml780
thanks for the update, i guess i should have looked more closely at your previous postings.

i was hoping to get access to the bluez utils from w/in java, but file access is a huge improvement; at least now java can read/write directly from/to device nodes. thanks for sharing!!!