This project includes a collection of scripts to help you run j2me MIDlets of your choosing on j2me-capable phones without restrictions.
It seems that most firmwares on nokia s40 phones do not allow you to install your own code-signing certificates using the phone's provided user interface.
I discovered this after I bought a nokia phone with a TMobile-USA customized firmware on eBay. Furthermore, according to this page on the nokia developer website, T-Mobile does not even allow you to run MIDlets signed by code-signing certificates that are in-turn signed by popular certificate authorities (Thawte, VeriSign, etc).
It is possible to install your own MIDlets on these devices, but only MIDlets signed with the T-Mobile root certificates on the devices are allowed to access all the useful, protected j2me APIs that require specific permissions.
This project provides scripts to help you work around these restrictions.
- alter_ext_info_file:
- This will modify an
ext_info.sysfile, taken from the user certificates directory on your device, to give your user-installed x509 v3 CA certificate full code-signing permissions, thus enabling you to run MIDlets signed with a certificate of your choosing on your nokia phone. - gen_ca_v3_cert:
- A utility script to help you generate a certificate and a java keystore that you can use to sign MIDlets on your phone.
I have no idea if this works on all nokia S40 phones or firmwares. I think it probably works on many S40 phones and possibly some S60 phones (?). I have only tested this with a Nokia 5130 XM running T-Mobile USA-customized firmware.
Use gammu to print out the entire filesystem of your phone:
gammu getfilesystem -flatall
Find the location of the user certificates directory (grep for
ext_info.sysin the above). On my phone, this directory is (all commands below will assume this location):d:/predefhiddenfolder/certificates/user
Generate your own DER-formatted x509 code signing certificate. If this is a v3 certificate, it MUST include CA:true in the x509 v3 constraints (critical is optional) . You can verify that your cert is compliant by running:
openssl x509 -inform DER -in your_cert.cer -noout -text
you should see this in the output:
X509v3 Basic Constraints: critical CA:TRUE
You can use the gen_ca_v3_cert script to generate your x509 cert. Run it with
no arguments for usage information.
Use gammu to copy your cert to your user cert dir:
gammu addfile d:/predefhiddenfolder/certificates/user yourcert.cer
reboot your phone
Download the updated
ext_info.sysfile from your phone with gammu, and rename it:gammu getfiles d:/predefhiddenfolder/certificates/user/ext_info.sys mv ext_info.sys ext_info.sys.orig
Use
alter_ext_info_fileto escalate the permissions of your certificate, as defined in theext_info.sysfile:alter_ext_info_file ext_info.sys.orig ext_info.sys
Replace the ext_info.sys on the phone with your new file:
gammu deletefiles d:/predefhiddenfolder/certificates/user/ext_info.sys gammu addfile d:/predefhiddenfolder/certificates/user ext_info.sys
Reboot your phone
Copy your jad + jar to the phone (to the SD card or install them with
gammu nokiaaddfile APPLICATION AppName)
You can now run your MIDlet with any permissions that you declare in your jad file.
When I started experimenting with my nokia mobile and discovered gammu, I was
quickly able to find the core certificates installed on the phone. It was
immediately apparent that the ext_info.sys file contained metadata that
defined, among other things, the permissions granted to the certificates.
A web search for nokia certificate ext_info.sys brought me to this page
authored by Thomas Zell, in
which he wrote up his notes on installing certificates on nokia
phones. Zell cites that his notes are based on reverse engineering done
by some Russian guy who goes by the handle exp.
The solution posted by Zell to the nokia-certificate restriction, along with
the cert from exp, did not work on my mobile. I believe this is due to the
additional T-Mobile USA restrictions described above. I had to further study
the permissions associated in the core ext_info.sys file that are
associated with the T-Mobile certificates and encode those in my script that
fixes ext_info.sys. If you are using a nokia phone that does not have a
T-Mobile USA firmware, chances are you can use the solution described by Zell
along with exp's cert instead of generating your own cert and fixing the
ext_info.sys file with alter_ext_info_file.
So, thanks to Thomas Zell, exp.
Thanks to all the gammu-project developers for writing some awesome software to interface with these nokia handsets.
I'd also like to thank the developers of the nokia S40 mobile firmware. Aside from the annoying MIDlet lockdown, this is really a great platform for running j2me applications. I'm impressed with the obex support and lots of little miscellaneous capabilities of my nokia 5130 XM.
Generate a self-signed x509 v3 CA/code-signing certificate with the default configuration options. NOTE: to use a secure private key, you should copy the cert_config, edit the copy, change the private key password in the copy, and run gen_ca_v3_cert against your copy.:
out_dir=/tmp/certs mkdir -p "$out_dir" bin/gen_ca_v3_cert config/cert_config config/openssl.conf "$out_dir"
You can sign the certificate with something like this:: from this mynetcologne.de blog entry:
alias=dustbowl
KEYSTORE_PASS='mys3cr3tk3st0r3p@ss'
KEY_PASS='mypr1v@t3k3yp@ss'
java -jar JadTool.jar -addjarsig -alias "$alias" \
-storepass "$KEYSTORE_PASS" -keystore dustbowl.jks \
-keypass "$KEY_PASS" \
-inputjad midlet.jad -outputjad midlet.jad \
-jarfile midlet.jar
I personally use the excellent antenna ant plugin with apache ant to build and sign my MIDlet jad file. You can use the wtksign ant task to sign your jad with something like this:
<target name='sign' description='Sign the jar and jad files with our code signing certificate' if="${sign.app}">
<wtksign keystore="${keystore.file}"
jarfile="${jarfile}"
jadfile="${jadfile}"
storepass="${keystore.pass}"
certpass="${code_signing_key.pass}"
certalias="${code_signing_cert.alias}"/>
</target>