<div class='os_post_top_link'><a href='http://www.smartphone.net/smartphonethoughts/software_detail.asp?id=950' target='_blank'>http://www.smartphone.net/smartphonethoughts/software_detail.asp?id=950</a><br /><br /></div><i>"HTTPMail Provider is an add-on software for smartphone outlook that allows you to download e-mail from Hotmail, MSN or Lycos accounts. There's no need to run separate software on your desktop to enable e-mail synchronization, the only requirement is that you have an internet connection. HTTPMail Provider offers enhanced NLS (National Language Support) by using the same internationalization engine as Internet Explorer and other Windows CE core applications. You can send and receive e-mails in most languages, including the ones with non-latin alphabets such as Japanese, Chinese and Russian."</i><br /><br /><img src="http://www.smartphonethoughts.com/images/Temporale-20041105-HttpMailSp.gif" alt="User submitted image" title="User submitted image"/> <br /><br />This application won't give you HTML based email. HTTPMail is a protocol that is very similar to IMAP, but it is considered a light weight version for web based email. HTTPMail Provider requires an unlocked 2002, 2003, or 2003 SE phone. You can download a trial version, or purchase the complete application for $6.99 <a href="http://www.smartphone.net/smartphonethoughts/software_detail.asp?id=950">here.</a> [Affiliate]

I was eagerly waiting for this application. :clap:

And MPx220 users should not bother trying it. Privileged mode execution is not unlocked on our phones. :-( I just tried it. And ran the CheckLock.exe, which reports our phone as locked. :-(

This lock should not be confused with the general application lock. Most of the applications still work. Only the ones that need to access core system routines will not work or need certificate for privileged execution.

Doesn't install on my i600 with WM2003 :cry: I guess I'll have to wait for them to get permissions from Verizon or for Pocket MSN to be released.

Anyone tried it on the SMT5600 yet?

Anyone tried it on the SMT5600 yet?

Yup, no luck. :(

And ran the CheckLock.exe, which reports our phone as locked. :-(


Is CheckLock.exe installed with HTTPMail? Where?
Edit - found it: http://www.smartphone.net/software_detail.asp?id=951

It confirms the Audiovox SMT5600 is locked. :x

Hi all,
I just updated the application on smartphone.net it sould work on your devices now. You might have to soft-reset the device after re-installing it.

Adrian

Hi all,
I just updated the application on smartphone.net it sould work on your devices now. You might have to soft-reset the device after re-installing it.

Adrian

I uninstalled the previous version. Reinstalled the new one. Rebooted the phone. This time when I launched the Mailbox, I did not get the "Failed to Register Dll" error like last time. It accepted all the settings. But the Hotmail account does NOT show up in the list of accounts. Even after rebooting for a second time. :-(

I might try again after doing a hard reset. But that will have to wait till Sunday.

i installed and registered the latest version (from SmartPhone.net) without issue. like Kris, my MSN account does not appear in the list of accounts. fyi, i'm using the MPx220.

any updates??? i too am having this problem with the new account not showing up. This is on an Audiovox Smt 5600 and an Msn premium account

Sorry everyone, I thought I had it figured-out but, apparently not. The problem is that this is an unsigned plug-in that needs to be loaded into pocket outlook which is a privileged application, this means that it will work on any smartphonephone model as along as it has an 'unrestricted' security policy otherwise the account will not show-up in pocket outlook. If you are not sure what kind of policy your phone has you can look-it up here: http://msdn.microsoft.com/mobility/windowsmobile/partners/mobile2market/smartphoneapps/default.aspx or ask your mobile operator.
I thought I'll go ahead and have it signed but, as it turns-out, the cost is prohibitive and would not work with all carriers anyway. For the ones that do have the phones locked sorry, for the rest of you try it out and post your thoughts or suggestions.

Regards,
Adrian

Sorry everyone, I thought I had it figured-out but, apparently not. The problem is that this is an unsigned plug-in that needs to be loaded into pocket outlook which is a privileged application, this means that it will work on any smartphonephone model as along as it has an 'unrestricted' security policy otherwise the account will not show-up in pocket outlook. If you are not sure what kind of policy your phone has you can look-it up here: http://msdn.microsoft.com/mobility/windowsmobile/partners/mobile2market/smartphoneapps/default.aspx or ask your mobile operator.
I thought I'll go ahead and have it signed but, as it turns-out, the cost is prohibitive and would not work with all carriers anyway. For the ones that do have the phones locked sorry, for the rest of you try it out and post your thoughts or suggestions.

Regards,
Adrian

Adrian, Thanks for the update.

Didn't know that you will have to get the app signed by for all carriers. :-( I was under the impression that one Mobile 2 Market certification is all that is needed for MPx220 and SMT5600.

smt5600 isnt listed

Sorry everyone, I thought I had it figured-out but, apparently not. The problem is that this is an unsigned plug-in that needs to be loaded into pocket outlook which is a privileged application, this means that it will work on any smartphonephone model as along as it has an 'unrestricted' security policy otherwise the account will not show-up in pocket outlook. If you are not sure what kind of policy your phone has you can look-it up here: http://msdn.microsoft.com/mobility/windowsmobile/partners/mobile2market/smartphoneapps/default.aspx or ask your mobile operator.
I thought I'll go ahead and have it signed but, as it turns-out, the cost is prohibitive and would not work with all carriers anyway. For the ones that do have the phones locked sorry, for the rest of you try it out and post your thoughts or suggestions.

Regards,
Adrian

Adrian, Thanks for the update.

Didn't know that you will have to get the app signed by for all carriers. :-( I was under the impression that one Mobile 2 Market certification is all that is needed for MPx220 and SMT5600.

Actually, Kris. You are right. The old method was to have each carrier sign the app. The new mobile2Market solution is a one signature for every device regardless of the carrier. Here's the link (http://www.smartphonethoughts.com/forums/viewtopic.php?t=6683) for more info.

Unfortunately that's not true, Verizon has its own root certificate as does Orange. Each carrier is free to choose the m2m root or deploy its own or have none at all. More troubling is that even if one decides to spend $400 to sign an app for privileged execution (multiple signing events would need to be consumed for each carrier root certificate so potentially the cost of signing may double), the application has to be MS Logo certified first which is an additional $500. I can't see that making any sense for a small ISV...

Adrian

Unfortunately that's not true, Verizon has its own root certificate as does Orange. Each carrier is free to choose the m2m root or deploy its own or have none at all. More troubling is that even if one decides to spend $400 to sign an app for privileged execution (multiple signing events would need to be consumed for each carrier root certificate so potentially the cost of signing may double), the application has to be MS Logo certified first which is an additional $500. I can't see that making any sense for a small ISV...

Adrian

I understand. I have never liked the high certification costs. And the worst part, the need to pay each time you want to get the app certified.

Even worse, if you want to release another build of your application to fix a bug, you have to get the app re-certified. :-(

Wish the payment was once per application. At the very least, one time payment for a given version for all carriers.

I may have found a way to bypass the restriction, this may be overly naive as it would prove that all that security achives nothig but it did work on my development device. To try it out copy the text bellow into a file named ResetSecurity.xml

&lt;wap-provisioningdoc>
&lt;characteristic type="SecurityPolicy">
&lt;parm name="4123" value="1"/>
&lt;/characteristic>
&lt;/wap-provisioningdoc>

and, with the device in the cradle open a command prompt and type:
rapiconfig /p ResetSecurity.xml
If this works the security policy is reset to a one-tier policy and which should allow running un-signed in priviledged mode, to verify run checklock.exe (www.smartphone.net/software_detail.asp?id=951), it should say the phone is un-locked.
rapiconfig is part of the smartphone sdk.

Adrian

Adrian - will this "tweak" affect any other application(s)? :crazyeyes:

It will cause the phone to make no difference between priviledged and unpriviledged execution so no, not really, your existing apps should continue to function.

Thanks! I'll try it tonite and post my results! :lol:

I may have found a way to bypass the restriction, this may be overly naive as it would prove that all that security achives nothig but it did work on my development device.
.....
Adrian

Adrian, you are a Genius! And folks at Microsoft...I will not comment about them.

I am surprised and shocked how easy it was to break the security on the Smartphone. I hope there is a simple explanation.

But happy that now I can get Homail. CheckLock.exe is reporting my phone as unlocked. And HTTPMail Provider downloaded all my mails. A.w.e.s.o.m.e.

You have got a customer...I am heading over to Smartphone.net.

Thanks :clap:

Adrian - will this "tweak" affect any other application(s)? :crazyeyes:


Public Service Announcement.

I must warn everyone that this "tweak" will reduce the security on your Smartphone. What it means is that now un-trusted applications (read viruses or trojans) can takeover the Smartphone and send SMS or E-Mails etc.

Microsoft had built in the concept of privileged mode so that unknown, untrusted, uncertified apps could not get access to core system and networking routines, and thereby cause havoc. They had built a fence around the key system routines.

This "tweak" essentially brings down the fence that provided protection. So users must use this "tweak" with CAUTION. It will not affect the functioning of other apps, but merely give the apps (good or bad) more power.

I am still having trouble figuring out why the fence designed by Microsoft is so weak. That one single command line brought it down.

Update: Corrected a typo. :-)

Kris - is there a way to reverse the tweak? Or in other words, after loading the software, can you re-apply the security setting?

Kris - is there a way to reverse the tweak? Or in other words, after loading the software, can you re-apply the security setting?

It is, all you have to do is change the value attribute to "0".

&lt;wap-provisioningdoc>
&lt;characteristic type="SecurityPolicy">
&lt;parm name="4123" value="0"/>
&lt;/characteristic>
&lt;/wap-provisioningdoc>

:-)

i applied "the tweak" installed HTTPMail, configured my account and it worked perfectly. next i changed the "1" to a "0", reapplied "the tweak", rebooted my phone and all is well! :D

now i need to find the checklock.exe program to see if my security settings show indicate the phone is application locked.

thanks adrian!

Well this works beautifully. I cant believe I'm looking at hotmail on my phone without the browser!!!! :rock on dude!:

I can't relock the phone though because when I do the plugin goes away. When I unlock it the plugin is back.

I can't relock the phone though because when I do the plugin goes away. When I unlock it the plugin is back.

I don't think you can relock your phone and have the app working. You will have to keep it unlocked to use this app.

I agree, this is one cool app, all my mails are in one place. Awesome. :-)

At first when I could not see the junk folder I was disappointed, but then I noticed that in the folders view, you have to select "show all folders". Now I am all set. Powerful Smartphone.

Yes it is a great application. I just went and bought it.
Now we seem to have unlocked phones dont we? 8)

Yes it is a great application. I just went and bought it.
Now we seem to have unlocked phones dont we? 8)

I bought it too. :-)

Still can't believe how simple it was to unlock the Smartphone. Microsoft, what were you thinking? This has to be the biggest loop hole.

Still can't believe how simple it was to unlock the Smartphone. Microsoft, what were you thinking? This has to be the biggest loop hole.

Well yes but.....

We did it with the SDK, not many users have that installed much less will go through all the hoops to do this. The average user perhaps needs this protection. You and I dont care if we blow up our phones and have to start over.
:beer:

This change only effects the application lock status, right? don't tell me you are able to carrier unlock your phone by doing this!?!

where can i find the checklock.exe program? i'd like to verify that my phone is/is not locked. thanks!

where can i find the checklock.exe program? i'd like to verify that my phone is/is not locked. thanks!

to verify run checklock.exe (www.smartphone.net/software_detail.asp?id=951 (http://www.smartphone.net/smartphonethoughts/software_detail.asp?id=951)), it should say the phone is un-locked.

Adrian pointed us to it way back on page 2! :wink: (This thread is getting long, you guys really like your hotmail, eh?)

( I changed the URL so that it's a affiliate link, and wrapped it in URL tags so it's clickable, also fixed the URL so it actually points to thr app. :D )

thanks Mike... i tried the URL in Adrian's initial message, but the progam link never appeared.

thanks Mike... i tried the URL in Adrian's initial message, but the progam link never appeared.

Ya, I didn't realize there was a typo in it. But it's fixed and running now!

ok so can someone gime a step by step on allying this tweak to my smt 5600 im sort of a newb

nevermind i got it. Has anyone managed to get an msn account working im getting a

Method Bot Allowed
(80042002)
Error Source: HTTP
Status:
Logging on


anyone have a solution?

This is the error httpmail gets back from the server. It usually indicates bad configuration, make sure you have set the user name to your complete e-mail address (i.e. include the @msn.com or @hotmail.com part), the incoming server is set to either hotmail or msn (just that, no spaces) depending on which service you are using and the network is set to "The Internet". Of course, this may also mean that you proxy is not allowing DAV (the underlying protocol used by httpmail) methods in which case you might have to set a different APN. T-Mobile USA, for instance, has three APN's: wap.voicestream.com, internet2.voicestream.com and internet3.voicestream.com and only the first and third allow DAV trafic.

Adrian

This change only effects the application lock status, right? don't tell me you are able to carrier unlock your phone by doing this!?!

I hope someone can answer that question.

Lock and unlock have been abused when it comes to smartphones. No, this has nothing to do with the SIM unlock.

Adrian

In case anyone is interested in finding out the extent of tweaks (or damage) that can be carried out using the XML provisioning file.

Check out this link...
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sp_amo/html/conhowtomodifysecuritypolicyprovisioningdocument.asp

Caution: This should be used more as a reference material.

Update: Microsoft has taken the page of their servers. :-) Which makes sense. :-( I had bookmarked the link couple of days ago.

I'm not sure why the link was taken offline, I find it hard to bielieve that its somehow related to our discussion. Wap provisioning is a public standard and besides, although we all like the microsoft blame game, there's nothing wrong with the smartphone security as implemented by microsoft. If there's anyone to blame for this is the mobile operators and device manufacturers for the way it was deployed, if they would have configured it correctly you would not have been able to change such critical settings. The problem with microsoft is that they made all their core apps priviledged, if an exploit is found in IE for instance, malicious code is automatically granted priviledged status. HTTPMail Provider would not normally need priviledged trust if outlook would not run as a priviledged application (which, BTW, makes no sense as outlook also doesn't need privildged trust too function).

Adrian

I do admit that it was an off-topic reply. The primary reason for my posting it was (I should have made it clear) was to answer Mike's question. The document detailed the scope of changes that can be carried out. And that SIM lock was not on that list.

As for who goofed up on the security, I feel that it is an error on Microsoft's part. :-) The OS should accept a provisioning XML from only a certified/valid source. The desktop rapiconfig tool should not be considered as a trusted source.

But then I don't know much about security. And could be wrong. :wink:

Now that I have the 1.30 ROM I get the "method not allowed" error when I try to log on to hotmail. Any Ideas?

do you get this error using the HTTPMail app (and after you've reset security using the ResetSecurity.xml file)?

Check your settings and make sure the user name is set to your complete hotmail e-mail address, the password is correct, the incoming server name is set to hotmail and the network is set to 'The Internet'. However, this error comes from the hotmail server and sometimes I get it with outlook express on my desktop when the server is overloaded.

Adrian

whew! i was concerned that this might be due to a change associated with the 1.3 ROM.

whew! i was concerned that this might be due to a change associated with the 1.3 ROM.

That poor phone is going to be blamed for everything. I heard that the rain we had overnight, was caused by the MPx220.... :lol: :wink:

:drinking: :drinking: :drinking: :drinking: :drinking: :drinking: &lt;---me everytime i pick up this phone... (my apology for the off-topic post)

Everthing that I can see is exactly as it was on my 325 ROM phone. I set it up twice. Phone is unlocked.

I hear there is a 1.50 ROM with a BROWN sticker on the box........

:P

OK it works now. Must have been just a server issue as I changed nothing.

:rock on dude!:

To make the life easier for some guys :twisted: this trick has been included and is being tested in version 1.3 of Tweaks2k2 .NET!

Thanks Mike for the tip!

To make the life easier for some guys :twisted: this trick has been included and is being tested in version 1.3 of Tweaks2k2 .NET!

Thanks Mike for the tip!

Just to clarify, ctitanic is referring to the application lock trick found on page 2 (http://www.SmartphoneThoughts.com/forums/viewtopic.php?p=44328#44328) of this thread. ;)

And, no problem. I hope it works nicely!

To make the life easier for some guys :twisted: this trick has been included and is being tested in version 1.3 of Tweaks2k2 .NET!

Thanks Mike for the tip!

Looking forward to that one!

well, some of my betatesters are reporting back to me. It seems that once this trick is applied (2nd page) Tweaks2k2 gains control of the whole registry. That means that in a few phones where I could not change some registry keys (for example the Cleartype hack) now I can!!!!!!!

But I need some more tests about it. :twisted:

Still can't believe how simple it was to unlock the Smartphone. Microsoft, what were you thinking? This has to be the biggest loop hole.

Well yes but.....

We did it with the SDK, not many users have that installed much less will go through all the hoops to do this. :beer:

No anymore! :twisted: :wink: In a few minutes anyone will be able to do it ;)

Adrian - will this "tweak" affect any other application(s)? :crazyeyes:


Public Service Announcement.

I must warn everyone that this "tweak" will reduce the security on your Smartphone. What it means is that now un-trusted applications (read viruses or trojans) can takeover the Smartphone and send SMS or E-Mails etc.

Microsoft had built in the concept of privileged mode so that unknown, untrusted, uncertified apps could not get access to core system and networking routines, and thereby cause havoc. They had built a fence around the key system routines.

This "tweak" essentially brings down the fence that provided protection. So users must use this "tweak" with CAUTION. It will not affect the functioning of other apps, but merely give the apps (good or bad) more power.

I am still having trouble figuring out why the fence designed by Microsoft is so weak. That one single command line brought it down.

Update: Corrected a typo. :-)

Sorry, Chris, but MS idea was good until that moment when they with the help of other started to charge developers 1000 dollars or so to have an application signed. More than a fence to protect users it seems to me a tool to charge more money.

This fence is to protect us against what? ASAIK there are not any real virus for CE so far (the only one I have seen are some proof of concept). And anyway, what kind of virus is that when a hard reset is enough to have your phone back working ;) You need just a backup tool, you wont even need an antivirus.

Like I said, may be the idea of building the fence was a good idea, but the implementation of that project became an exploitation tool against developers and the same users because at the end developers will pass to the price of their programs the cost of having them signed (that's why signed programs cost 2.5 times more than unsigned programs ;))

I may have found a way to bypass the restriction, this may be overly naive as it would prove that all that security achives nothig but it did work on my development device. To try it out copy the text bellow into a file named ResetSecurity.xml

&lt;wap-provisioningdoc>
&lt;characteristic type="SecurityPolicy">
&lt;parm name="4123" value="1"/>
&lt;/characteristic>
&lt;/wap-provisioningdoc>

and, with the device in the cradle open a command prompt and type:
rapiconfig /p ResetSecurity.xml
If this works the security policy is reset to a one-tier policy and which should allow running un-signed in priviledged mode, to verify run checklock.exe (www.smartphone.net/software_detail.asp?id=951), it should say the phone is un-locked.
rapiconfig is part of the smartphone sdk.

Adrian

Ok, good news and bad news.

the bad news are that once you change this parameter other unsigned applications start to give an error message saying that they can´t run in your phone because they are unsigned (I got the error with resco registry after I turned on my phone today)

the good news is that I found a way to avoid this problem.
You have to apply the trick to the above mentioned policy and to this other one

&lt;wap-provisioningdoc>
&lt;characteristic type="SecurityPolicy">
&lt;parm name="4097" value="1"/>
&lt;/characteristic>
&lt;/wap-provisioningdoc>


the 4097 by default is 2

Also, I found that this policies are listed under

HKLM\Security\Policies\Policies

the 4097 is there 00001001
the 4123 is there 0000101b

I'm releasing in a few minutes version 1.3.1 where this changes are included.

I need to know what are the values under this key

Could you check in your registry and tell me what value do you see under

\HKEY_LOCAL_MACHINE\Security\Policies\Policies\

Each one of them.

And what is the status of the phone. I need to know that are the values in a really locked phone like the C500.

TIA

The C500 is a special beast. This trick will NOT work on the C500 until it has been de-cert from Orange. There is no way to get around this. The C500 is locked by certificate. You can request Orange to remove the certificate for free.

Once the phone has been de-cert, then you can reset the security using this hack.

The C500 is a special beast. This trick will NOT work on the C500 until it has been de-cert from Orange. There is no way to get around this. The C500 is locked by certificate. You can request Orange to remove the certificate for free.

Once the phone has been de-cert, then you can reset the security using this hack.

Mike, nothing is impossible in this small world. :twisted:

I would like to see these keys in a C500 Locked ;)

Just out of curiosity, can you tell us what 4097 does and how did you find it?

Just out of curiosity, can you tell us what 4097 does and how did you find it?

It's called RAPI Policy and normally is in Protected Mode.

BTW Mike, I'm about to unprotect the BEAST!

Ok, I just posted here
http://www.tweaks2k2.com/portal/forum/viewtopic.php?forum=11&amp;showtopic=171
the instructions about how to unlock the C500.

Orange is asking for the IMEI just to check that they are unlocking one of their phones but not because this is needed to application unlock the phone or anything like that.

Guys in working in a little tool to remove the restrictions in SP that do not allow users to run uncertified applications.

If anybody wants to test it, please send me an email to ctitanic at tweaks2k2.com

TIA