Unlocked PAT files for E1000?, there is any way? Поделиться Опции

[thenext1]

Hi!!
I followed the interesting discussion about creating the java file manager (obviously [poorly] translated with babelfish)...

I've seen that PAT file trick (fooling the permissions) to gain full access to phone devices... I need one of these to unlock GPS access on E1000 thru "location://" (Guess what!! It's locked!!) ..........
Unfortunately E1000's pat files are 20 bytes longer than that of the E398/Vxxx, therefore E398 unlocked files they don't work on E1000...

I've tried to modify them on my own, to make them look like E398 ones ....
but for EVERY modification I made - even those in the permission array (changing from 0x01 to 0x02 at the beginning of file), then the phone says that i'm no more allowed to run the app (application's time ended (help me i'm not english ;) ))...
If I go into the permission menu for that app, i'm kicked back to the apps menu...

Could anyone give me an hint!!

Thanks!!
bye bye

[Osta]

thenext1, We yet did not break for Е1000
fasten here PAT , they will look it

[thenext1]

I've tried with PAT files of Digital Audio Player that requires certification on the E1000, but it doesn't work. It always says that I no more have the right to use the application...

There must be some sort of checking...
In fact I found that, the file "J2MEST" contains the SHA-1 hash of every JAR file - look at the hex values in the highlighted part of the screen below.
These are exactly the hex values forming the SHA1 of Digital Audio Player (always calculated by WinHex, the program i'm using)


Moreover, bytes from offset 0x46 to offset 0x59 change every installation ... I had reinstalled the same digital audio player, and it used the same "information slot" in J2MEST, and that bytes were completely changed...

SO, there is the possibility that more data in that range are checksums, hashes, etc .... I haven't searched more deeply, I should do whenever I have time...

Here I attach all the files I used for comparison...

THANKS!!

file 1:
the PAT file that should have worked with "Digital audio player".
A member on another forum gave me this saying its copy of DAP is working.

file 2:
The midlet: "Digital audio player" for E1000

file 3:
ZIP file containing two copies of J2MEST:
"J2MEST OLD" - after first installation of DAP
"J2MEST NEW" - after deletion of DAP and its reinstallation

I would be very happy if you help me!!!

thanks again!!

[Osta]

work on E1000 here midlet ?
install only Midway (146.79 Kb) https://motofan.ru/board/index.php?act=down...ownload&id=1550

[thenext1]

It installs correctly via midway, it accept the certificate, but doesn't work (application error)...

I got the unlocked PAT file, but, as I said before, it doesn't work when copied, as on E398 ...
If I change the restricted PAT of another application with this unlocked PAT, the telephone doesn't allow me to use that application, and I can't see permissions from within the phone. There must be a checksum, into J2MEST or into the PAT file, that is used by the phone to check if the PAT file is the original from installation, or if it has been changed.

I noticed a thing in my J2MEST file after MP3 player installation: right after the application name (in the file), there's a byte with value 0x81 ... all other applications have got 0x01 ... this may have something to do with permissions...

Could you attach another signed application from motorola E398?? FotoFunPack, for instance!! I need to compare the PAT files generated by my own phone...

I here attach J2MEST file (after MP3 player installation) and MP3 Player's PAT file for investigation!!

Thanks for your patience!!
bye bye

[Osta]

On the files PAT to you is necessary the user JenFA https://motofan.ru/board/index.php?showuser=7633
It will be from 4 August.
Write to it https://motofan.ru/board/index.php?act=Msg&CODE=4&MID=7633

[Osta]

Topic PAT here PAT File - All inclusive

[thenext1]

Hey Osta!
I didn't notice your new posts ... because of forum email notification stopping to come ...

Did you break the PAT file for E1000?
I noticed a couple of discussions about E790 ... is it similar to the E1000?
I would be very happy if you can make me a short summary because, even translated, it's really difficult to me to read entire pages written in russian!!!

Many thanks!!

[Inlined]

thenext1,
I've checked your files (J2MEST and PAT) from E1000.
It seems that PAT signing method's similar to ones used in e790/e1.
Unfortunatelly, they're not fully identical. I've tried to calcualte SHA1 hash for PAT file with the same approach as for e790, but with no luck. I guess something was changed in E1000.

14 bytes in J2MEST from offset 0x46 to offset 0x59 are SHA1 hash footprint for PAT file + some additional data.
In E790 4 bytes were added - suiteId dword value.

To get deeper into this, I need following:
1) install simple midlet (any, better without sign ever) using midway and run it one time
2) save complete midway log into file
3) post it here along with J2MEST file and PAT file for this midlet