A Collection of Random Thoughts
Wednesday, March 08, 2006
 
Hacking your Windows Mobile 5.0 Registry
Sounds like a great start to a post, huh? OK, here's the deal. I've blogged a few times about my Jasjar (yes, I still love it and use it almost every day).

Devin Ganger at 3Sharp blogged about the inability to add root SSL certificates on some WM 5.0 devices, which is true. What isn't mentioned much of anywhere (you have to look around pretty hard) is that you actually can still disable certificate checking - you just can't use the old DisableCertChk tool from Windows Mobile 2003. Microsoft doesn't recommend this, but it's a necessary evil in some situations. Two that I can think of are:

1. Your company uses a Wildcard SSL Certificate. (i.e. *.company.com). Windows Mobile 5.0 (or any other version for that matter) does NOT support wildcard certs. Why, I'm not sure, but it doesn't.
2. You have a manufacturer locked device that prevents you from adding additional Root Certificates. Again, WHY a manufacturer would prevent folks from adding additional root certificates is beyond me, but it happens.

So, on to the registry hacking.
First, download my new favorite freeware Windows Mobile registry editor, PHM Registry Editor, which I blogged about earlier. The ONLY catch with this program is that it may not install correctly on newer devices. What I ended up having to do was install the program on my desktop (which just extracts a bunch of CAB files), then go to the install directory, grab the CAB files and copy them to my device. The one that ended up working for me was the CAB file named regedit_Mrln_ARM.cab. Simply click on the file from your Windows Mobile device and it will install. Once it is installed, you can delete all the CAB files from the device.

Surprisingly (or not), the registry on Windows Mobile devices is very familiar if you have ever looked at the registry on a regular PC. Anyway, to disable certificate checking, you navigate to the following location:

HKEY_CURRENT_USER\Software\Microsoft\ActiveSync\Partners

Here you should notice two sub-keys, each named with a unique ID. One is set up for the ActiveSync partnership with your PC, the other for the partnership with your Exchange server. Fortunately, it is fairly easy to distinguish between the two: simply highlight one of them and look at the values it contains. You'll see pretty quickly which one is for your Exchange server. With the partner key for your Exchange server highlighted, create a new value with the following parameters:

Type: DWORD
Name: secure
Value: 0

That's all there is to it. You have now disabled certificate checking on your device, and ActiveSync can use SSL with wildcard certs and self-signed certs.
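Because this value silently weakens every sync that follows, it is worth being able to find it again later. As an added example (not code from this post, from PHM Registry Editor or from Microsoft), here is a small Python audit that reads a .reg-style text export of a device registry and reports every partnership under the key path above whose secure DWORD is 0. It assumes the registry can be exported in the standard "Windows Registry Editor Version 5.00" text format; the export text, the partnership GUIDs and the Server value name are constructed placeholders, and only the Partners path and the secure value name come from the post.

```python
"""Audit a Windows Mobile registry export for ActiveSync partnerships that
have certificate checking disabled (DWORD 'secure' = 0).

Added example, not part of the original post. Assumes a .reg text export;
the export below is constructed, and the GUIDs and the 'Server' value name
are placeholders rather than real device values.
"""
import re

# Key path from the post; only 'secure' below is a value name the post gives.
PARTNERS_PATH = r"HKEY_CURRENT_USER\Software\Microsoft\ActiveSync\Partners"

# Constructed sample export: a PC partnership, an Exchange partnership with
# checking disabled (secure = 0) and a second one left at the default.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\ActiveSync\Partners\{11111111-0000-0000-0000-000000000001}]
"Server"="MYDESKTOP"
"Type"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\ActiveSync\Partners\{22222222-0000-0000-0000-000000000002}]
"Server"="mail.example.com"
"secure"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\ActiveSync\Partners\{33333333-0000-0000-0000-000000000003}]
"Server"="mail2.example.com"
"secure"=dword:00000001
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(.+)$')


def _decode_value(raw: str):
    """Decode the right-hand side of a .reg value line.

    Only the two forms relevant here are decoded: dword:HEX becomes an int and
    a quoted string becomes a str. Other forms (hex:, expand strings) are
    returned as written."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: value}}.

    Key paths are kept as written; the audit compares them case-insensitively,
    because the registry itself does."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def audit_partners(keys: dict) -> list:
    """Return the partnership sub-keys where 'secure' is explicitly 0, i.e.
    where the device will accept any server certificate on the SSL connection.

    A missing 'secure' value is treated as the default (checking on) and is
    not reported."""
    prefix = PARTNERS_PATH.lower() + "\\"
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        lowered = {name.lower(): value for name, value in values.items()}
        if lowered.get("secure") in (0, "0"):
            findings.append({"key": path, "values": values})
    return findings


if __name__ == "__main__":
    for finding in audit_partners(parse_reg(SAMPLE_REG)):
        print("certificate checking disabled on partnership:", finding["key"])
```

Run against a real export, the script prints one line per partnership that carries the workaround, which is enough to tell, months later, which devices are still trusting any certificate the server (or anything in between) presents.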
Comments:
Well done!!! I couldn't solve this problem until I found this :)
 
Great tip. But people do have to understand that you are essentially disabling security!

Hackers can intercept messages that are exchanged between the client and the server if you apply this change.

More secure options:

* If you have a wildcard server certificate, replace it with a regular server certificate

* If you can afford it, get a server certificate from one of the 5 'standard' root CAs in the certificate store (Cybertrust, GlobalSign, Entrust, Thawte, Verisign)

* If you generated your own free certificates, use File Explorer to install the root cert on all your WM devices.

* If that fails because the root certificate store is locked, try to get an unlock utility from the device manufacturer.

* If that does not work, complain LOUDLY to the manufacturer. And complain to Microsoft too while you are at it.

* If they don't listen, get some other client software that bypasses Microsoft's certificate system, like the NetFront browser or Notifycorp.com's push e-mail client.

* If all else fails, vote with your feet.
 
You actually aren't disabling security. What you are doing is disabling Certificate checking. That means that you can still require SSL on your Exchange server for ActiveSync (our server requires SSL), and you can still set up your device to use SSL (mine is set this way). You simply don't check to make sure that the certificate is *valid*. If this disabled SSL period, then I would no longer be able to sync with my server. Hackers cannot intercept messages with this change because you can still use SSL.

The whole point of this registry entry was to enable WM devices to support wildcard certificates (for one) that are becoming increasingly common. I don't believe that replacing a wildcard certificate with a regular one is a valid option. The point of wildcard certificates is so that you can use the same certificate with multiple web servers.
 
You actually aren't disabling security.

I'm afraid you are. If you disable certificate checking, you are vulnerable to a "man-in-the-middle" attack. Sure, your connection is encrypted through SSL, but the server has not been authenticated so this man-in-the-middle can decrypt everything.

I am puzzled why Microsoft is not supporting wildcard certificates in Windows Mobile. Could be a technical reason, could be a financial reason (a monetary deal with the 5 standard CAs in Windows Mobile).
 
I'll agree that you are "in part" disabling some of the security mechanisms, and Microsoft doesn't recommend this, but they leave little choice. It is also nothing new and Microsoft even provided a native tool with Windows Mobile 2003 to disable certificate checking. If a MITM attack truly is possible in this scenario (I'm still not sure that it is), the risk is still very small in my opinion.

I too am a bit puzzled why wildcard certs aren't supported, but perhaps that support will be added in the future (hopefully).
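What the exchange above comes down to is that a client which understands wildcard names can verify a *.company.com certificate without turning validation off. As an added example, not code from this post or from Windows Mobile, here is the hostname-matching rule such a client applies, written in Python, together with a helper that pulls the DNS names out of a certificate in the dictionary shape Python's ssl module returns from getpeercert(). The hostnames and the certificate dictionary are constructed; the rule follows RFC 6125 and is stricter than the RFC permits in one place (partial-label wildcards such as m*.company.com are rejected, as browsers do).

```python
"""Wildcard-aware server name verification, the check WM5 lacked.

Added example, not from the post. Hostnames and the certificate dict are
constructed for illustration.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if the presented DNS name `pattern` matches `hostname`.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot;
      * a '*' is accepted only as the entire left-most label;
      * it matches exactly one label: '*.company.com' matches
        'mail.company.com' but neither 'company.com' nor 'a.b.company.com';
      * wildcards need at least three labels, so '*.com' never matches.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if not hostname or any(not lbl for lbl in h_labels):
        return False  # empty name or an empty label such as 'a..b'
    if "*" not in pattern:
        return p_labels == h_labels
    if len(p_labels) < 3:
        return False
    if p_labels[0] != "*":
        return False  # partial-label or non-leftmost wildcard
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def dns_names_from_peercert(cert: dict) -> list:
    """Collect the DNS names from a certificate in the dict form returned by
    ssl.SSLSocket.getpeercert().

    subjectAltName DNS entries are authoritative; the subject commonName is
    consulted only when the certificate carries no DNS SAN at all."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def verify_server_name(cert: dict, hostname: str) -> bool:
    """The decision a validating client makes: does any name on the
    certificate cover the host we meant to reach?"""
    return any(hostname_matches(name, hostname) for name in dns_names_from_peercert(cert))


# Constructed certificate, shaped like getpeercert() output, for a wildcard
# cert that also lists the bare domain in its SAN.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "*.company.com"),),),
    "subjectAltName": (("DNS", "*.company.com"), ("DNS", "company.com")),
}

if __name__ == "__main__":
    for host in ("mail.company.com", "company.com", "deep.mail.company.com", "company.org"):
        print(f"{host:25} -> {verify_server_name(SAMPLE_PEERCERT, host)}")
```

The point for a practitioner is that the decision is a few lines of label comparison, not something a client has to give up on; every name the check rejects above (an extra sub-domain level, a different domain, a bare *.com) is a name a man-in-the-middle could otherwise present once checking is switched off.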
 
Dude Thanks a lot,
I was looking for a good registry editor and PHM was not installing for me. Your trick with installing it from the CAB file worked. I love you man.
 
a monetary deal with the 5 standard CAs in Windows Mobile

Yet in all blogs they keep pretending certificate checking can not be disabled. Go MS, very transparent and honest to your customers
 
So, I installed this OK on my device but can't see how to run the registry editor? Am I missing something?
 
Please check what actually got installed - I doubt the program actually installed on your PPC - if it did install, you should find it in the programs group (Start, Programs). The PHM registry editor program seems to have an issue with the actual installation. For me, ALL it did was extract the .cab files onto the hard drive of my laptop. I had to manually copy the cab files to my PPC and click on each one to figure out which cab file worked for my device.
 
Thank you so much for this tip! This is huge for me because I was getting the certificate error during ActiveSync. Our email system uses a wildcard certificate by Digicert which we purchased to use on the various servers we have. Microsoft needs to support this now, but in the meantime, I'm very happy with the hack you provided. My email admin also seems to think that the risk is relatively low for a hacker to intercept messages.

Thanks again!
 
I have followed these instructions to edit the registry, and all seems to be well; however, when I sync I get prompted for my password. I have verified that I am using the correct pw, but it still prompts for the password again and again. Anyone have any ideas?
 
Scott - are you positive you edited the right partnership?

What happens if you hook your device up to your computer and run ActiveSync from there? Does it still prompt you for the password? Also, note that if the certificate you are using is not from one of the default certs installed on WM, then you still need to install the cert in addition to creating this registry key...
 
I imported our certificate into the phone. I am not a whiz at this stuff, so I have a buddy coming up to my office tomorrow to shadow me and make sure I am doing all of these steps correctly. However, I have read some other forums where others were having this same password problem, but never saw any correcting responses. I will double-check the registry and that I imported the correct certificate. You might check back tomorrow and I will let you know if I got it or not.

Thanks!
 
I am attempting to turn password required on (changing the 0 to a 1 in my Motorola Q registry). It won't let me and keeps giving me an error when I hit done. I suspect the carrier (Telus) in Canada has locked it as a read-only area. Any ideas on how I might be able to change it? I need to do this to get at the connection settings username and password for the 1x during login, as I am using a different carrier than Telus or Verizon. Thx for the help
 
Odds are that if you are getting an error when you try and save the changes, the registry is locked down on your device. Sorry I can't be of more help. I'm fortunate to have a completely unlocked device, but since Motorola has an exclusive agreement with Verizon to provide the Q (at least for now), I don't anticipate an unlocked version for a while.
 
I now have a Verizon Q that is unlocked, so I would like to edit the registry area to set up the data network settings. Do you know the locations for the #777 number setting along with the username and password and the data connection settings, as they are also a bit different in Canada on the 1X and EVDO setup? I know how to edit the registry but am not familiar with the various locations. A list or link plus any help is much appreciated. Thx
 
Thank you for this entry, I think I'm very close to getting it working. But there's one little step that's holding me back. It asks for my password all the time, just like Scott's problem!

I'm really SO close to buying an expensive Cybertrust, GlobalSign, Entrust, Thawte, Verisign certificate.

We don't use wildcards etc. in our cert. But my Qtek 8310 is somehow locked against new certs. Can't install them manually nor with SpAddCert.exe

:´-(
 
On Windows Mobile 5, you don't need the SPAddCert program to install the cert. Instead, simply copy the certificate to the device, and then use the File Explorer to go to the location where you copied the cert, and then simply click on the cert. You should be prompted to install the certificate. See if that works...
 
If you have a Q from Telus, check this out; it worked for me
http://www.sems.org/entry.asp?ENTRY_ID=157
 
THANKS BEN. I was trying to get 'Direct Push'/ActiveSync running using self-signed certs both on the mail server (SelfSSL) and our Apache reverse proxy (OpenSSL).

Ultimately I did not use your hack, but it proved to be a great tool troubleshooting and solving my problems.

MSDN blog detailing how to add root certs using a CAB file: http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx?CommentPosted=true#commentmessage

My post on the tek-tips forum detailing how I got it all to work for me: http://www.tek-tips.com/viewthread.cfm?qid=1276155&page=1

CHEERS - Chris.
 
Hello, I followed what you said about adding the Secure dword value and it seems to go through but it continually asks for my password. Any Ideas? If I turn SSL off then it works fine.
 
I'm experiencing the same exact symptoms as John regarding passwords. The server keeps asking for my password. Any thoughts?
 
For John and the last comment - there is literally only one reason that I've come across that you should ever have to disable certificate checking. That is for a wildcard certificate. The reason is that WM5.0 doesn't support wildcard certs. If you are disabling cert checking, and you do not have a wildcard cert, then you have an issue with the type of cert (i.e. it's a self-issued cert), or how it is installed. If you are using a self-issued cert, then you may need to invest in a public cert. They are cheap enough (less than $100) that cost shouldn't be an issue.
 
This worked for me. Every root certificate I tried it on.

http://www.microsoft.com/technet/itsolutions/mobile/deploy/msfp_b.mspx
 
Just as a note: if you want to have Communicator Mobile use a wildcard SSL certificate, use the same PHM editor on HKEY_CURRENT_USER\Software\Microsoft\Communicator\System Settings\DisableCRLCheck and set this to 1 to disable SSL certificate checking in Communicator Mobile.

Just as a note on my I-Mate JasJam I have to use the regedit.Mrln_ARM.CAB to install the editor.
 
I had been trying to either add a root cert or disable checking for half a day when I found this:
http://blogs.msdn.com/windowsmobile/archive/2006/08/11/sslchainsaver.aspx

All you need to do is download the sslchain program and then run it against your Exchange front-end web server. It creates the certificates you need and puts them in a folder. Copy them onto your device and then click on them using the File Explorer, and this installs them. I have copied the instructions from the link above that helped me. The last point says to do it in order - I'm not sure if I did that, but it works anyway.

Now if anyone knows a way to disable the proxy permanently (stupid activesync keeps reapplying it because my PC has it but I dont want this pda to use it) please email me at rosege@hotmail.com


4) Type sslchainsaver mail.yourdomain.com

5) All the certificates (root and intermediate) are extracted to a folder under C:\Test\bin\release named mail.yourdomain.com

6) Copy all the certificates to your device

7) Install them one by one on the device by tapping on them in the same order as listed on the actual certificate from File Explorer
 
I Love you man!
 
Very helpful post.
Got me one step further...
But I too have to type my password in again and again. And no sync occurs.
I assume that your hack works without any cert installed on the Windows Mobile side: that's what I want to achieve.
Help would be very much appreciated
 
Cedric,

The main point of this registry key is so that you can use an unsupported certificate (i.e. wildcard cert). If your Exchange server is set to require SSL for mobile devices, then you will have to install a certificate on your mobile device, either by directly installing it, or by using a cert on the Exchange server that is already trusted by Windows Mobile. This registry key does not address not requiring a cert at all.
 
Ben,

Thanks so much for your answer but I am afraid I don't fully understand it.
To make it clear: I've been doing OWA over SSL with a mobile device (WM 2003 + ActiveSync) on my Exchange server. That server has a self-created certificate using the internal server name. All that stuff went great thanks to the CERTCHK tool that prevents cert install on the phone/PDA: an issued cert that would identify the device, I assume.
Today I get a brand new device WM 5.0 installed. And I (happily) run across your blog then apply the key hack.
But ActiveSync "keeps asking password"

So I ask a few more:
Does WM 5.0 use OWA or OMA?
Do I have to install a certificate on the mobile device?
If so, is it the server's one?
Is there a naming issue? As for now my server name / domain / cert server name trio is not homogeneous at all (but gives satisfaction on WM 2003 devices).

Thanks again for your efforts to make my users proud of their (hopefully soon) fully functional brand new PDA/Phone/Expensive little thing!
 
Hi There - Great pointers, and I have read through your blog but did not see anything on my issue. I am running a JasJam as well, on WM5, and have manually moved my Exchange-issued .cer over and double-clicked it, when I get the error message: "Cannot access certificate". Any clues as to what I am doing wrong here? This certificate has been used on an i-mate SP3 with cert checking disabled with problems apparently.... Thanks.
 
Cedric - sorry I didn't see the reply comment come through.

1. Neither. WM5 accesses the activesync virtual directory, which in turn then accesses the Exchange vdir.
2. If you are using a self-signed certificate, then YES, you absolutely need to install the cert on your device, and yes it is the server cert (the one installed on the default web site). Even with the instructions in this blog, you still need to install the cert. As I mentioned before, this post only addresses if you have a wildcard cert (i.e. *.domain.com), which it doesn't sound like you have.
You need to export the certificate to a .cer file I believe, then copy that to the device and make sure it gets installed properly. There are some blogs from the Windows Mobile folks at Microsoft that cover other details of how to install certs.
 
Anonymous - I'm not sure exactly what you are doing wrong, but I would try exporting the certificate again and re-copying it to the device. Unless your device is locked down, you should be able to just copy the cert over and then click on it to install it. If this is a device from Verizon or Sprint, you can try using the spaddcert.exe, which can be found here:
http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=spaddcert&DisplayLang=en

HTH
 
Thanks again for your help, it was worth the wait!
I already copied the cert onto the device. I think my problem comes from naming...
so I keep on trying and I'll let you know!
 
Can I use this app to pull MP3 files from my SD card into my ringers selection? The internal memory is not large enough to store as many as I would like in the windows/rings folder, and if I store them in the SD card, I can't access them in the ringer selection screen. I've never used a registry editor before but understand it might be the answer to my problem. Feel free to email me at tnilson@daktronics.com
 
Finally I managed to make it work.
My problem was indeed a naming issue!
So nothing to do with this post.
Sorry for the "noise" on that board and thank you again for your answers.
 
Hi, firstly, thanks for having such an informative blog. This has really helped out with troubleshooting WM 5.0 ActiveSync over GPRS.

I just wanted to add that if your network runs through an ISA 2004 or 2006 firewall, ensure the firewall rule allowing communication to the published mail server includes the following directories:

/OMA
/ActiveSync
/RPC

As well as /Exchange (which should already be there if currently using OWA)

Some admins only add the necessary directories to get OWA working (not OMA or ActiveSync).

thanks again!!

Adrian Ryan
 
Looks like wildcard certificates for Windows Mobile are now supported in the latest Windows Mobile 6.0 OS!!
 
RE: Typing password over and over again...

I had this same error and it frustrated me to no end. I verified that my certificate had valid date ranges and the issuing server name matched my mail server. Everything was FINE!

Then I replaced my certificate with a different one and it worked. I don't know what the difference in the certificates was other than the date ranges.

If you are having to enter your password over and over, try recreating your certificate to put on your device. It worked for me.
 
ok so... now what about WM6? I have a self signed cert on my Exchange Server and just upgraded my device to WM6. The regkey hack no longer appears to work for disabling authenticating certs with a CA.
 
Again - let me be clear. The Reg hack for disabling certificate checking is NOT for self-signed certs. It is ONLY needed for wildcard certs. That was specifically because wildcard certs weren't supported in WM5 (they are supported in WM6, BTW).

With a self-signed cert, as long as you install the cert on your device, you should have no issues. Export the cert, copy it to your device, then click on it to install it. That should be all you need to do.
 
Hoping you can help....
My corporate Exchange server has a self-signed certificate; however, it has expired.
My WM5 device (Treo 750) will not connect to it, saying "The server could not be reached. This can be caused by temporary network conditions."
Support code: 0x80072EFD

I cannot even get to Outlook Web Access either, it states the connection was lost.

I have made the assumption it is just due to the expired cert.
Any idea how i can get it to ignore the expired certificate?

(I have asked MIS to fix the website and they are getting to it.....will take a long time)

Really appreciate it if you can help.
 
Additional comment. Yes, I can get to Outlook Web Access from a standard browser. It just warns me about the certificate and lets me through.
 
Same sort of issues here... got a new Moto Q from Sprint, finally got the root cert installed on the Q, and when I try to sync with ActiveSync I get a message that:

The security certificate on the server is invalid.

Any help would be greatly appreciated!

Thanks.
 
Thanks, Ben and Co. Yours seems to be the only comprehensive info on the web on the problems encountered with phone security, cert checking and so on. I followed your actions and eventually got through the phone blocking and other issues and got cert checking, etc., disabled. Exchange ActiveSync is now working with wildcard certs.

I have to say, I think it's really strange that even with certificate checking disabled, you still need the certificates installed. Funny.

Many thanks everyone.

Re: "What happens if you hook your device up to your computer and run ActiveSync from there? Does it still prompt you for the password? Also, note that if the certificate you are using is not from one of the default certs installed on WM, then you still need to install the cert in addition to creating this registry key...
# posted by Ben Winzenz : 12:37 PM, May 23, 2006"
 
huddie,

Glad this helped you. As far as the requirement to still install the cert, remember that this registry change doesn't turn off the SSL requirement, it just turns off checking whether the certificate is valid. Since wildcard certs aren't supported in WM5, they can't be checked anyways, hence the requirement for this workaround.
 
Hello, I just downloaded the programs for this and I cannot seem to get PHM to work on my computer... it keeps saying that I'm missing a file in my Windows Installer package. Please help.
 
I’m trying to find out about Unified Communication for a project but there doesn’t seem to be much information available. Is it the same as VoIP, and if not how is it different?
 
Hi, thank you for this information. I followed your directions; however, I still cannot sync. Before I found you I could not access Outlook/Exchange via sync or via web browser. However, now I can access via web browser and still not via sync. If it takes the cert via browser, shouldn't it take it via sync? Any ideas?
 
Easiest way to change the home page in IE on Windows Mobile? Stuck with the Sprint page now (on a Samsung Ace).
Thanks
 