Stickin' it to the man
My wife just got a new cellphone, the LG 8600 (ChocolateFlip).
She lost her cellphone charger and her contract was up so it made a bit of financial sense to buy a new phone rather than replace the charger.
She wanted to get a "cool" phone because she's tired of me getting all the good toys. It was a good deal as it came with a 1GB memory card and reader.
Once we got it home, I immediately started trying to hack it. I don't have a data cable but I was inspired to see that a Bluetooth connection was enough to hack it. Most phones with a Qualcomm chipset have a file system onboard that can be read by a data cable or by Bluetooth if the appropriate serial port profile exists. After messing around with an open source program called BitPim for a while I was able to get access to the file system.
All the data for the phone is stored in this file system. All the ringtones, media, applications, phone book data, etc. The first thing I tried was to copy an MP3 ringtone into the ringtone folder and see if that works. I had some success with that: the ringtone was visible in the right area on the phone but when I attempted to set it I got the following error: "Unable to set non-DRM media as ringtone". This error was specially added by our provider, Telus, and doesn't exist on other versions of this phone. Bastards.
Some enterprising people online had already found a workaround: Download a (really crappy) sample ringtone from Telus and then replace that file with the MP3 you want using the same name. So I downloaded "tocatta.mid" from Telus (costing the 50c download fee -- bastards) and promptly replaced that file with my MP3 (the "Wii Sports Theme"). It worked perfectly. I also downloaded the binary files that describe the ringtones on the phone before and after the download. It's a pretty simple format: a fixed-length record containing a few words, a null-padded filename, some more words, and then the next record. Somewhere in there is the bit-flag indicating whether the file is protected. However, the exact details of the format don't really matter; I should be able to copy the records over and over without even knowing their contents and just change the filename part. So, in effect, I've broken their stupid copy protection.
I'm looking forward to seeing if I can install arbitrary Java applications. There are some instructions on the web but I've already noticed that this phone uses a slightly different format for all the data files that describe the apps. Sadly what were nice text files in older phones are binary files on this phone. On quick glance, however, they do appear to contain all the same information. It shouldn't be too hard to figure it all out.
Some people have already posted instructions on how to skin the built-in Java applications (like the media player). Just download the .jar, unzip, change the png files, rezip, and upload the .jar back onto the phone. Pretty easy.
I should probably try and get as much hacking in as I can in the next month. If I really fuck it up, we can always return it as defective. ;)
BTW, does anyone have a really good hex editor they can recommend? Something appropriate for trying to understand an unknown binary format?
April 30th, 2007 9:05pm
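For the before/after comparison of the ringtone index described in the post above, a hex editor is not strictly needed to find the record boundaries. The following is an added example, not the poster's code and not part of BitPim: it infers the fixed record length from the spacing of null-padded filename fields and lists the records that appear only in the later snapshot. The 44-byte layout, field order and file names are constructed for illustration; the thread does not give the phone's real layout.

```python
import re
import struct
from functools import reduce
from math import gcd

# Printable ASCII run of 4+ bytes followed by NUL padding: a likely filename field.
NAME_RE = re.compile(rb"[\x20-\x7e]{4,}\x00")

def infer_layout(blob):
    """Return (record_size, name_offset) inferred from the spacing of name fields."""
    offs = [m.start() for m in NAME_RE.finditer(blob)]
    if len(offs) < 2:
        raise ValueError("need at least two records to infer a stride")
    size = reduce(gcd, (b - a for a, b in zip(offs, offs[1:])))
    if len(blob) % size:
        raise ValueError("file length is not a multiple of the inferred stride")
    return size, offs[0] % size

def records(blob, size, name_off):
    """Yield (filename, raw_record) for each fixed-length record."""
    for i in range(0, len(blob), size):
        rec = blob[i:i + size]
        name = rec[name_off:].split(b"\x00", 1)[0].decode("ascii", "replace")
        yield name, rec

def added_names(before, after):
    """Filenames present in the 'after' snapshot but not in 'before'."""
    size, off = infer_layout(after)
    old = {n for n, _ in records(before, size, off)}
    return [n for n, _ in records(after, size, off) if n not in old]

def make_record(idx, name, length):
    # Constructed layout (an assumption): 2 words, 32-byte name, 2 words + dword.
    return (struct.pack("<HH", idx, 0x0100) + name.encode().ljust(32, b"\x00")
            + struct.pack("<HHI", 0, 1, length))

# Constructed snapshots standing in for the index file before and after a download.
BEFORE = make_record(1, "ring_a.mid", 20480) + make_record(2, "ring_b.mid", 12288)
AFTER = BEFORE + make_record(3, "sample.mid", 40960)

if __name__ == "__main__":
    print(infer_layout(AFTER))         # (44, 4)
    print(added_names(BEFORE, AFTER))  # ['sample.mid']
```

The stride inference assumes every record carries a name of at least four printable characters and that no other field happens to look like one; on a real dump, check the result against the file length and a hex view before trusting it.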
> BTW, does anyone have a really good hex editor they can recommend? Something appropriate for trying to understand an unknown binary format?
I've been able to deploy signed applications to this device using only JAD and JAR files. I don't know what you're talking about when you say binary descriptor file?
April 30th, 2007 9:12pm
Wayne, you have WAY, WAY too much time on your hands.
Still, kudos for inventiveness!
April 30th, 2007 9:12pm
I thought you said Sanyo, not LG.
April 30th, 2007 9:13pm
Signed applications, you say.
Deploying applications the normal way is locked down by my provider. You have to buy their apps and only their apps.
Anyway, on the phone there are two files, "contentInfo" and "executionInfo". They are pretty common files and exist on a wide range of phones. On most phones they are text files in a simple format that describe the name of the application, which menu it appears under, what class to run, etc. Once installed on the phone, most of the metadata about the application is stripped off. For example, the media player is installed in a directory called 11/ and contains 11.jar, 11.jad, etc. So the actual name of the application and other details are stored in those two files.
April 30th, 2007 9:16pm
Are you sure you mean Java applications?
CDMA+BREW devices are usually anti-Java.
(Sprint seems to be an exception)
April 30th, 2007 9:19pm
I really ought to read your entire posts carefully before I respond.
April 30th, 2007 9:20pm
Yeah and if you fuck it up, you can blame the provider and make them suffer the financial hit. Hooray for ethics.
April 30th, 2007 9:23pm
"Wayne, you have WAY, WAY too much time on your hands."
I had some time on my hands. It's kinda fun to tinker around in things you aren't supposed to be able to do. I actually like these sorts of projects because it's so different from the usual high-level web application stuff I do for my day job. There's not a lot of fun in that.
My very first cellphone had a simple WAP browser. If you paid $5 a month, you could get access to a small walled garden of WAP tools (weather, news, etc). I didn't like being constrained like that so I never subscribed until I heard, one day, about a hack. One of the WAP sites had a bug in it that would lead you to a built-in "Go to any site" page where you could type in a URL. After you got to that page, you could bookmark it. With that knowledge, I signed up and did that hack. At one point, I built a small WAP site that connected to my computer so I could check my local email from my phone.
Eventually, I even purchased a data cable and was able to use that network connection with my laptop. It was pretty cool to be sitting in class with my laptop using ICQ over a cellular network a few years before it was commonly available. It was slow as hell (ICQ was the only reasonable thing you could do) but it worked and I got a bit of attention with it.
April 30th, 2007 9:25pm
"Are you sure you mean Java applications?"
Telus is a bit weird in that their applications are Java instead of BREW. There are BREW apps on the phone but they seem to be default apps. Everything else is Java including the MP3 player.
April 30th, 2007 9:28pm
> I had some time on my hands. It's kinda fun to tinker around in things you aren't supposed to be able to do. I actually like these sorts of projects because it's so different from the usual high-level web application stuff I do for my day job. There's not a lot of fun in that.
This is pretty much what I've been doing every day for the last two and a half years.
I laugh when I hear the DRM and net neutrality debates rage on. In mobile device land there is no debate, the consumer is over a barrel and has been since day one.
April 30th, 2007 9:29pm
> Telus is a bit weird in that their applications are Java instead of BREW. There are BREW apps on the phone but they seem to be default apps. Everything else is Java including the MP3 player.
Qualcomm usually sells BREW and CDMA like they're somehow technologically inseparable. It's surprising to see a carrier choose CDMA but say no to BREW.
April 30th, 2007 9:33pm
"I really ought to read your entire posts carefully before I respond."
Why should we start doing this now?
April 30th, 2007 9:35pm
"In mobile device land there is no debate, the consumer is over a barrel and has been since day one."
Except with smartphones. We briefly looked at a flip Windows Mobile smartphone but it wasn't worth it.
I have a UTStarcom 6700 PDA phone and they don't have me over a barrel. I can set my own ringtones and download my own applications. Of course, you *must* purchase a data plan to get a smartphone -- so they do get you that way.
I've also hacked my 6700. There have been several upgrades to Windows Mobile 5.0 over the last year or so but Telus has only provided one. But I was able to install a custom ROM onto my phone with the latest software version. Works great: some minor new features, fewer crashes, and it's faster. I can even cook my own custom ROM with the applications and settings that I want and save some of the device storage.
April 30th, 2007 9:37pm
"I'm beginning to think your phone runs a BREW based Java environment."
Yeah, that's what I think it is too. This is a good thing, BREW would be impossible to do anything with but I think I might have some success adding or changing the Java applications.
April 30th, 2007 9:39pm
On the other hand, it takes a second or so to launch the applications.
April 30th, 2007 9:40pm
> Except with smartphones. We briefly looked at a flip Windows Mobile smartphone but it wasn't worth it.
Microsoft becoming the de facto platform is the best thing that could happen to the mobile industry, but this is a fantasy scenario for the time being. The carriers are not stupid. They only want to work with small players that they can control, not big companies that can diminish their brand.
April 30th, 2007 9:40pm
The number of smartphones (both Windows Mobile and Blackberry) is growing rapidly. Our provider, Telus, sells 9 different PDA/Smartphones which is quite a lot given that they don't usually have a large selection.
Could pass for a regular phone easily enough.
April 30th, 2007 9:46pm
Yes, it's growing here in the U.S. too, but it's still not a large enough installed base for most developers to justify making it their primary target (unless their market is PDA apps).
April 30th, 2007 9:49pm
"Yeah and if you fuck it up, you can blame the provider and make them suffer the financial hit. Hooray for ethics."
Fucking a telco is about as ethical as it gets.
May 1st, 2007 10:32am
Okay, my Motorola Razr V3 or whatever has a hex editor called XVI32. You download a 'seem' from your phone, read it with XVI32, edit it with XVI32, and upload it back to your phone.
I assume your phone has something similar.