Windows Phone 7 Cloud Security Cracked, But There’s a Catch

A Windows Phone 7 security measure designed to perform real-time server authentication has indeed been bypassed, according to a person familiar with the situation, allowing cloud services like Xbox Live, Zune, and Marketplace to function on ported copies of the operating system, such as on an HTC HD2. However, since the method requires extracting what’s known as a unique private key (PVK) from the device provisioning partition (DPP) of an actual WP7 handset, it is far from ready for widespread deployment.

Specifically, Microsoft has apparently employed a variation of Windows Genuine Advantage on the new platform, so we’re told that its servers will only authorize three activations associated with a given PVK (four if you count the factory provisioning). Not only will further activation attempts fail to give those handsets cloud service access, but the initial devices using the now-blacklisted key actually lose their networked privileges as well — including what was presumably the retail WP7 unit.

Several different methods are being attempted to bypass the limitation, including the search for a so-called “corporate key,” which would essentially be a universal PVK for large-scale activations. Unfortunately, because all devices are security-flashed at the factory, such a key may not even exist. Secondly, overseas developers — beyond the reach of Microsoft legal, apparently — are said to be hacking the different bits of the device-side authentication piecemeal, but because of the unusually intricate security measures employed by Redmond, “it doesn’t really look good” according to our source.

At this point the most we can say is that Windows Phone 7 will almost definitely be coming to HD2 and possibly a few other well-spec’ed devices, but the capabilities of any services that “phone home” will probably be limited — if not because of the technical hurdles, then due to the fact that any use of cracked keys could be considered an attack on Microsoft’s servers; in other words, this seems to move beyond the “don’t ask, don’t tell” status quo with regards to Windows Mobile ROM flashing into territory that the company might consider actionable. So unless you’re handy with JTAG dumping methods and have a good friend willing to share their PVK, you’re probably better off just going out and buying a Windows Phone than waiting around for what might be forever to get full functionality on your legacy handset.

Discuss This Post

Share This Post

Watch the Latest Pocketnow Videos

About The Author
Evan Blass
Evan is no longer associated with Pocketnow. The below contact form will redirect to a general mailbox.