Friday, November 11, 2005

Solution for adding own root certificates to Windows Mobile 5 devices - Updated

Per and I just received our new Qtek 8310 mobile devices today and got into trouble when we tried to add our own root certificate.

On Pocket devices and in Windows Mobile 2003 SE you just copy the certificate to the device and doubleclick it from File Explorer. But on the Qtek 8310 we got the error "Security permission was insufficient to update your device". In desperation, we also tried to use the SPAddcert.exe utility for Windows Mobile 2002 and 2003 Smartphone edition and received the message "The phone may be locked".

The problem were due to changes in the security model in Windows Mobile 5. Although it is very interesting/innovative in terms of mobile device security (Protecting from malicious software) it isn’t something we like when we want our new gadgets to work with WPA and Exchange Server ActiveSync.

Using Google intensively, I finally found the direction for solving the problem (the first version of this post) and using MSDN I found a better solution as follows -

First you need to get a copy of regeditSTG.exe (Apparently a HTC signed registry editor with an issuer CN that equals HTCCanary) zip it and move it to your device (You get an error if you copy the .exe directly). Now unzip it by double clicking it from File Explorer (on your device) and run the program. Then change the Grant Manager Policy registry key (Remember to note the old value) -

HKLM\Security\Policies\Policies\00001017 = 144

After setting the registry key above reboot your device, copy your root certificate to the File Explorer and click to install it (There’s no feedback that the operation was successful – check settings, security, certificates, root certificates for the existence of your certificate).

Before proceeding, we choose to set the registry setting back to the original values so the Phone was once again protected and finally Exchange ActiveSync and WPA worked like a charm ;-)

The solution apparently works on several different devices like i-Mate, C550, Qtek 8310 (Thats the only one we tested - don't ask about the others but do feel free to comment on those that works ;-) and probably most Windows Mobile 2005 Smartphone devices.

A utility called SDA_ApplicationUnlock.exe can also be found on the Internet but our testing shows us that it does the same as the Grant Manager Policy registry key. The problem with this application is that it only has a "Remove Lock" feature and no "Enable Lock" feature. Different posts/websites show the solution for other phones that include the use of SDA_ApplicationUnlock.exe utility; so if you run into problems you might want to try it.

Disclaimer - We don't know the copyrights on the mentioned utilities - so this posting is only meant for informational purposes and be sure to get correctly licensed versions of these!

23 comments:

Ant Drewery said...

It may be slightly different for the Smartphone flavour of Windows Mobile 5.0 but we've successfully used the following process for the K-Jam and the XDA Exec:

http://www.drewery.net/blog/2005/11/10/windows-mobile-50-activesync/

Colin Walker said...

Excellent stuff! Thanks.

Using this method I have successfully managed to unlock my SPV C550 when the tools provided by Orange were unable to do so.

I can now use ActiveSync without the need to disable certificate checking.

Martin said...

This is great. I unlocked my Qtek 8310 and installed the root cert from http://cert.startcom.org/. I didn't even need to reboot the phone. Thanks.

Michel said...

Working with a full-price, carrier-independent i-mate SP5 (bought from smartphoneshop.nl), I was not able to install the certificate using the workaround recommended here (changing the value of 00001017 to 144). I got the "phone may be locked" message.

However, I WAS able to install it after running SDA_ApplicationUnlock.

This indicates to me that SDA_ApplicationUnlock does something other than the change mentioned.

On the positive side, I now have air sync with Exchange working!

On the less positive side, as aptly noted in the post above, there has now been a change made to my phone and I have no idea what it is! So if anyone has any ideas what changes are really made by SDA_ApplicationUnlock, I'd love to hear about it.

Dennis Lundtoft Thomsen said...

Hi Michel, Thanks for your question. I'm curious did you reboot the device before trying to install the certificate ?

I do agree with your comment on SDA_ApplicationUnlock - maybe we could convince Mark to write a regmon version for WM5 ;-)

Anonymous said...

Hi, one question, where in the registry do I find the grant manager policy? I tried searching for it but didn't find it.
//Erik

Erik Ö said...

Oups, sorry for my last question, was a bit too fast there, I guess I'm just not that used to working with the registry!
//Erik

cy said...

Hi, thanks for the tip. But I got mine working a bit differently.
If I reboot the device after I made the reg change, it will be set back to the old restricted value. All I did was to make the reg change and run the certificate file and it imported sucessfully. I don't event need to use the HTC reg editor.
I am doing this on Dopod 818 pro (aka HTC prophet)

Dennis Lundtoft Thomsen said...

Hi cy,

Thanks for your comment. It seems to work differently depending on the phone and version of Windows Mobile. With AKU2 on the Qtek 8310 device I only need to set the Grant Manager registry key to 144 and then install the certificate (Without booting).

Anonymous said...

Thanks for your help.. Although it couldn't get my SPV C600 Orange phone to unlock using the key below:-

KLM\Security\Policies\Policies\00001017 = 144

I left this value at 128 and changed a different key.

I changed the value from 0 to 1 as below:-

Privileged Apps Policy
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"0000101b"=dword:1

I then did a restart and installed the certificate without any problems.

I then changed the key value back to 0 to protect the phone.

Cheers

Ebby said...

Thanks for your help.. Although it couldn't get my SPV C600 Orange phone to unlock using the key below:-

KLM\Security\Policies\Policies\00001017 = 144

I left this value at 128 and changed a different key.

I changed the value from 0 to 1 as below:-

Privileged Apps Policy
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"0000101b"=dword:1

I then did a restart and installed the certificate without any problems.

I then changed the key value back to 0 to protect the phone.

Cheers

Kieran said...

I had this issue with an o2 Atom when trying to install a custom root certificate. Resolved it by changing the value of 00001017 to 144 but the trick was NOT to reboot before installing the certificate. 9When I rebooted the device it seemed to reset the registry keys back to the original settings)

Sam said...

One of my users has an O2 XDA Atom - a very sweet WM5 phone indeed - to which we needed to add the root CA cert for a cert server on our local network in order to enable Active Sync 4.1 for exchange 2003 using HTTPS.
I discovered that the RegeditSTG didn't work: i.e. the registry keys remained locked. Scratching around abit more, I found a link to Resco Explorer, a shareware Windows Mobile 2Kx package that bundles a signed registry viewer that DOES work with the Atom.
http://www.resco.net/pocketpc/explorer/default.asp
Changed Security keys as instructed and installed the certs for the CA and the Exch 2K3 server without a problem. Reset the keys and tested ActiveSync - all good!

Chris said...

For my Dopod 818 Pro
and the error: "security permission was insufficient to update your device"

After emailing with dopodasia, they sent me a CAB file that updated the device and allowed me to import my cert for IEEE 802.1x PEAP tunnled EAP-MSCHAP-2 WiFi

See fix/cab file in my Blog

Hope it helps atleast someone!

Morten said...

I have been googling around to find regeditSTG.exe - but didn't succeed.
Could you tell me where to find it...

Per Østergaard said...

Sure - I found it at http://www.modaco.com/INFO_Decert_SIM_Unlock_C550-t222786.html

Davide said...

THANKS A LOT
With your description I was able to set-up ActivSync on my new Qtek 8500!!

Oddvar said...

Thanks for a useful link. This made my day.

Anonymous said...

This link was VERY useful...I spent nearly 7 hours trying to get a Treo 700w to sync w/o any success. After unlocking reseting and installing the certificate it worked like a charm.

It is a shame that this feature doesn't work out of the box or that better help isn't provided by the vendors!

Thanks for sharing your findings.

Anonymous said...

Very helpful post. It works on a Motorola Q from Verizon.

Matthew Sharlot said...

Brilliant! A solution that actually works! SPV C550 - worked first time, after 2 days messing around with other "solutions" that were not nearly as simple as this one. Thank you soooooo much!

Anonymous said...

I had hours of problems trying to get this working. I had replaced my imate JasJam because of intermitent, unrelated problems. I then attempted to connect to my exchange server again.

The solution I had forgotten I had used previously was to use

http://certserver/CertSrv/

to create the certificate. Worked first go. On my network, the certificate server and the exchange sverver are on the same machine.

Chad said...

Give http://www.digitallabs.net/mcb a try for building your certificate for both ActiveSync and code / cab signing. Even includes a standalone installer for deploying to the end users.