OrigAMI: Taking back what's ours, or Unlocking B2G OWA installer in KaiOS

Luxferre

Sep 18, 2020, 7:38:00 AM
to comp.mobile.nokia.8110
Hi folks,

I was missing here for different reasons but now I'm back and with some damn good news.

As we all know, KaiOS was derived from Firefox OS, and Firefox OS had an awesome application installation mechanism that allowed installing the app from any trusted website, hence the name of these applications - OWA - Open Web Apps. They were open because they weren't tied to any centralized source. Anyone could publish their apps in their own places, and the way to do this was described here: https://developer.mozilla.org/en-US/docs/Archive/Mozilla/Marketplace/Options/Self_publishing

So, basically speaking, you have an app with full manifest, you have a mini-manifest, and you have a page invoking the necessary call (navigator.mozApps.install(manifestURL) for hosted apps or navigator.mozApps.installPackage(manifestURL) for packaged apps) that references the mini-manifest, performs all necessary checks and installs your app. This is the only correct and documented way of installation ever present in FFOS.

Well, what about KaiOS? Although the aforementioned API calls are still present and available from Web context (as it should be!), contrary to the undocumented navigator.mozApps.mgmt object, they block all OWA installation from the non-KaiOSTech domains and return the INSTALL_FROM_DENIED error. So, even from the Web context, the only valid installation source would still be KaiStore. But...

It turns out that this behavio(u)r is configurable and there is a special preference (do not confuse preferences with device settings or Android properties) called apps.serviceCenter.allowedOrigins that whitelists all the allowed installation sources. Unfortunately, it doesn't support wildcarding - I checked Webapps.jsm code and it explicitly looks for each root URL (remote or local) to match the app origin. By default, it looks like this:

https://kaios-plus.kaiostech.com,app://kaios-plus.kaiostech.com

So, it points to the Web and app versions of KaiStore. Just to test my theory, I appended a comma and https://robnyman.github.io/ to this value (in NewMoon's WebIDE), rebooted, went to the FFOS Boilerplate App page and... installed the app directly from the browser! So, it worked as expected. Normal OWA installer is still here, we just need to create a way of easy editing of this whitelist preference.

Well, there seems to be such a way (provided that masterExt is navigator.engmodeExtension or whatever we resolve it to). Read the property we need:

var origins = masterExt.getPrefValue('apps.serviceCenter.allowedOrigins','').split(',')

Append the value we need:

origins.push('https://store.bananahackers.net/')

Now, set the property back:

masterExt.setPrefValue('apps.serviceCenter.allowedOrigins', origins.join(','))

Since the last operation can't be done in KaiOS 2.5.2 for some reason, we still need either WebIDE or an app with certified permission level to do this every time a new source appears, by directly patching the prefs.js file in your default Mozilla profile (requires root but perfectly update-safe since it doesn't affect system partition). So, let me introduce the app called OrigAMI - Origins of Application Marketless Installation.

Available here: https://gitlab.com/suborg/origami

This is just an app for easy editing of the apps.serviceCenter.allowedOrigins preference. It consists of the editable text area with origins loaded from the property on start. For convenience, each new origin URI is on a new line. You can save the property value with a single click and optionally reboot the phone right away to apply the change.

All this was tested on Nokia 2720 Flip but I'm sure it will work on any jailbroken KaiOS device, at least in privileged mode. The tool itself is released into public domain.

I hope this discovery will pave a completely new way in how alternative stores for KaiOS can be organized. Have fun!
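
Added example, not part of the original post and not OrigAMI's or KaiOS's own code: a sketch of how an editor for the apps.serviceCenter.allowedOrigins value could turn a one-origin-per-line text area into the comma-separated preference, refuse entries the exact-match whitelist cannot honour (wildcards, non-root URLs), and list which install sources were added on top of the stock value. The function names, the https/app-only policy and the example.org entries are assumptions made for illustration.

```javascript
// Stock preference value as quoted in the post above.
const DEFAULT_PREF =
  'https://kaios-plus.kaiostech.com,app://kaios-plus.kaiostech.com';

// Preference string -> array of entries (one per text-area line).
function parseOrigins(prefValue) {
  return prefValue.split(',').map(s => s.trim()).filter(s => s.length > 0);
}

// Returns null when an entry is acceptable, otherwise the reason it is not.
// Assumed policy: only root https:// or app:// URLs, kept verbatim because
// the post does not say how Webapps.jsm normalizes entries before matching.
function rejectReason(entry) {
  if (entry.includes('*')) return 'wildcards are not supported';
  if (/[\s,]/.test(entry)) return 'whitespace or comma would corrupt the list';
  if (!/^(https|app):\/\/[^\/]+\/?$/.test(entry)) {
    return 'not a root https:// or app:// URL';
  }
  return null;
}

// Text-area content -> { pref, rejected }; duplicates are dropped.
function buildPref(textAreaValue) {
  const accepted = [];
  const rejected = [];
  for (const line of textAreaValue.split(/\r?\n/)) {
    const entry = line.trim();
    if (!entry) continue;
    const reason = rejectReason(entry);
    if (reason) rejected.push({ entry, reason });
    else if (!accepted.includes(entry)) accepted.push(entry);
  }
  return { pref: accepted.join(','), rejected };
}

// Audit helper: install sources trusted beyond the stock KaiStore entries.
function addedOrigins(prefValue) {
  const stock = new Set(parseOrigins(DEFAULT_PREF));
  return parseOrigins(prefValue).filter(o => !stock.has(o));
}

// Constructed text-area input: stock entries, one extra store (twice),
// one wildcard and one non-root URL.
const sample = [
  'https://kaios-plus.kaiostech.com', 'app://kaios-plus.kaiostech.com', '',
  'https://store.bananahackers.net/', 'https://store.bananahackers.net/',
  'https://*.example.org', 'https://example.org/apps/index.html',
].join('\n');
const result = buildPref(sample);
console.log(result.pref, result.rejected, addedOrigins(result.pref));
```

Running addedOrigins over the value currently stored on a device shows at a glance which origins besides KaiStore are allowed to install apps.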

G Power

Sep 18, 2020, 8:12:01 AM
to comp.mobile.nokia.8110
Great discovery but more tricky than FFOS

Farooq Karimi Zadeh

Sep 19, 2020, 12:16:26 AM
to banana...@googlegroups.com

Very good and interesting :)


perry

Sep 20, 2020, 6:21:32 AM
to comp.mobile.nokia.8110
does that mean we can update apps without uninstalling them first?

Luxferre

Sep 20, 2020, 11:19:45 AM
to comp.mobile.nokia.8110
Yes, as long as we update the app version in both full and mini manifests.

perry

Sep 20, 2020, 12:29:08 PM
to comp.mobile.nokia.8110