PDA/SmartPhone Licence File and Device ID

[Guest]

Hi all,

Not sure the best way to do this. I want to build a Windows Mobile
application using .NETCF2.0 that possibly ships on a Mini SD Card. This card
would contain some kind of encrypted licence file that could not be copied on
to another SD Card and be valid. What is the best way of acheiving this
using .NETCF2.0? Can the crypto API provide the encyption and is there an
API in order to ID the SD Card so the licence file would only be valid on the
SD Card that is was intended for?

I also want to make sure the SD Card only works in the device it was
intended for. I believe that you need a certificate in order to get the
required priviledges to access the API to retrieve a device ID. How secure
would using the TAPI to retrieve the telephone number and use it as a device
ID instead? Is this easily faked?

On the flipside would I be better of using a licence file tied to a device
(Using Device ID or Telephone Number) rather than an SD card? If so what
would be the best way of ID'ing the device in the licence file?

Finally and this is a daft question really. Can PDA's be used as phones or
is the SmartPhone the only way to use Mobile Networks with SIM cards? The
only reason I ask this is because this application needs to make use of a
Mobile Network. Does my project I choose in VS.NET 2005 be for a SmartPhone
device over a PDA/Windows CE device. Will the one project do?

I'm sorry if these are broad and complex questions. I've never attempted
this kind of licencing before and I've little experience on developing on
Windows Mobile Devices either. Any advice here would be greatly apreciated.

Thanks

 

[DJMatty]

Hi

We did some investigation into SDCard ID's and found that it depends on
the SD card manufacturer as to whether they implemented the DRM bits of
SD cards and so there didn't seem to be a standard API to allow for
restricting data to only work on the single card.

However you can use the device ID of the device to encrypt the data,
and thus the data would only decrypt if placed into the same device.

GetDeviceUniqueID (WM5.0 devices only) is not a privileged call,
because it hashes the real device id with an application specific
string and returns that data. So you don't need a signed application to
access it.

This is example code in C++ for fetching the device ID

#define DEVICE_ID_LENGTH 20
#define APPLICATION_DATA "APPLICATIONKEY"
#define APPLICATION_DATA_LENGTH 14

HRESULT hr = NOERROR;
BYTE rgDeviceId[DEVICE_ID_LENGTH];
DWORD cbDeviceId = sizeof(rgDeviceId);

hr = GetDeviceUniqueID(reinterpret_cast<PBYTE>(APPLICATION_DATA),
APPLICATION_DATA_LENGTH, GETDEVICEUNIQUEID_V1, rgDeviceId,
&cbDeviceId);

if(hr == S_OK)
{
// do something with the device id bytes
}

Sorry it's not in c#, but it should be relatively easy to p\invoke that
call to get the id... I had a quick look in the help for the managed
version but couldn't find it, so thought I'd post the c++ one anyway...
hope it helps and if anyone knows the managed version please let me
know!

Thanks

Matt

 

[DJMatty]

Hehe, I'll answer a few of your other questions as well...

There are windows mobile devices that contain phones as well, so you
can build a WM5 PocketPC application that will use GPRS etc, I guess it
more depends on what you want to do with the application as to what
platform would be best for you. Take a look at the HTC TyTn which is a
window mobile 5 pocket pc with built in 3G phone,
(http://europe.htc.com/products/htctytn.html), as opposed to the HTC
MTeoR which is a WM5 smart phone...
(http://europe.htc.com/products/htcmteor.html)

If you tie your application to the device id then it doesn't really
matter if it's on a storage card or not, it can still only be run if
it's in the device with the right id. The question then is how to make
the deviceid and licence secure... so that the user can't remove or
edit it so that it will then work in a different device...

Matt

 

[Gogy]

This works for me:

using System;

using System.Collections.Generic;

using System.Text;

using System.IO;

using System.Runtime.InteropServices;

namespace PPCSerial

{

class Serial

{

private Serial() { }

[DllImport("Coredll")]

public static extern UInt32 KernelIoControl(UInt32 dwIoControlCode, IntPtr
lpInBuf, UInt32 nInBufSize, byte[] buf, UInt32 nOutBufSize, [In, Out] uint
lpBytesReturned);

public const UInt32 IOCTL_HAL_GET_DEVICEID = 0x1010054;

public static string GetSerialNumber()

{

uint len = 256;

uint cb = 0;

//For some reason this is very important

byte [] buffer = new byte[256];

buffer[0] = 0;

buffer[1] = 1;

uint ret;

StringBuilder sb = new StringBuilder();

try {

ret = KernelIoControl(IOCTL_HAL_GET_DEVICEID, IntPtr.Zero, 0, buffer, len,
cb );

Int32 dwPresetIDOffsset = BitConverter.ToInt32(buffer, 4);

Int32 dwPlatformIDOffset = BitConverter.ToInt32(buffer, 0xc);

Int32 dwPlatformIDSize = BitConverter.ToInt32(buffer, 0x10);

sb.Append(String.Format("{0:X8}-{1:X4}-{2:X4}-{3:X4}-",

BitConverter.ToInt32(buffer, dwPresetIDOffsset),

BitConverter.ToInt16(buffer, dwPresetIDOffsset + 4),

BitConverter.ToInt16(buffer, dwPresetIDOffsset + 6),

BitConverter.ToInt16(buffer, dwPresetIDOffsset + 8)));

for (int i = dwPlatformIDOffset; i < dwPlatformIDOffset + dwPlatformIDSize;
i++)

{

sb.Append(String.Format("{0:X2}", buffer));

}

}

catch ( Exception ex )

{

sb.Append(ex.ToString());

}

return sb.ToString();

}

}

}

Then you can use:

string serial = Serial.GetSerialNumber();

Best regards

Gogy

Hi

We did some investigation into SDCard ID's and found that it depends on
the SD card manufacturer as to whether they implemented the DRM bits of
SD cards and so there didn't seem to be a standard API to allow for
restricting data to only work on the single card.

However you can use the device ID of the device to encrypt the data,
and thus the data would only decrypt if placed into the same device.

GetDeviceUniqueID (WM5.0 devices only) is not a privileged call,
because it hashes the real device id with an application specific
string and returns that data. So you don't need a signed application to
access it.

This is example code in C++ for fetching the device ID

#define DEVICE_ID_LENGTH 20
#define APPLICATION_DATA "APPLICATIONKEY"
#define APPLICATION_DATA_LENGTH 14

HRESULT hr = NOERROR;
BYTE rgDeviceId[DEVICE_ID_LENGTH];
DWORD cbDeviceId = sizeof(rgDeviceId);

hr = GetDeviceUniqueID(reinterpret_cast<PBYTE>(APPLICATION_DATA),
APPLICATION_DATA_LENGTH, GETDEVICEUNIQUEID_V1, rgDeviceId,
&cbDeviceId);

if(hr == S_OK)
{
// do something with the device id bytes
}

Sorry it's not in c#, but it should be relatively easy to p\invoke that
call to get the id... I had a quick look in the help for the managed
version but couldn't find it, so thought I'd post the c++ one anyway...
hope it helps and if anyone knows the managed version please let me
know!

Thanks

Matt

Hi all,

Not sure the best way to do this. I want to build a Windows Mobile
application using .NETCF2.0 that possibly ships on a Mini SD Card. This
card
would contain some kind of encrypted licence file that could not be
copied on
to another SD Card and be valid. What is the best way of acheiving this
using .NETCF2.0? Can the crypto API provide the encyption and is there
an
API in order to ID the SD Card so the licence file would only be valid on
the
SD Card that is was intended for?

I also want to make sure the SD Card only works in the device it was
intended for. I believe that you need a certificate in order to get the
required priviledges to access the API to retrieve a device ID. How
secure
would using the TAPI to retrieve the telephone number and use it as a
device
ID instead? Is this easily faked?

On the flipside would I be better of using a licence file tied to a
device
(Using Device ID or Telephone Number) rather than an SD card? If so what
would be the best way of ID'ing the device in the licence file?

Finally and this is a daft question really. Can PDA's be used as phones
or
is the SmartPhone the only way to use Mobile Networks with SIM cards?
The
only reason I ask this is because this application needs to make use of a
Mobile Network. Does my project I choose in VS.NET 2005 be for a
SmartPhone
device over a PDA/Windows CE device. Will the one project do?

I'm sorry if these are broad and complex questions. I've never attempted
this kind of licencing before and I've little experience on developing on
Windows Mobile Devices either. Any advice here would be greatly
apreciated.

Thanks

 

[DJMatty]

Yeah that's what we use for pre-wm5 devices, but that call is
privileged in WM5 (I think). GetDeviceUniqueID is not privileged and
works in much the same way...

Matt

This works for me:

using System;

using System.Collections.Generic;

using System.Text;

using System.IO;

using System.Runtime.InteropServices;

namespace PPCSerial

{

class Serial

{

private Serial() { }

[DllImport("Coredll")]

public static extern UInt32 KernelIoControl(UInt32 dwIoControlCode, IntPtr
lpInBuf, UInt32 nInBufSize, byte[] buf, UInt32 nOutBufSize, [In, Out] uint
lpBytesReturned);

public const UInt32 IOCTL_HAL_GET_DEVICEID = 0x1010054;

public static string GetSerialNumber()

{

uint len = 256;

uint cb = 0;

//For some reason this is very important

byte [] buffer = new byte[256];

buffer[0] = 0;

buffer[1] = 1;

uint ret;

StringBuilder sb = new StringBuilder();

try {

ret = KernelIoControl(IOCTL_HAL_GET_DEVICEID, IntPtr.Zero, 0, buffer, len,
cb );

Int32 dwPresetIDOffsset = BitConverter.ToInt32(buffer, 4);

Int32 dwPlatformIDOffset = BitConverter.ToInt32(buffer, 0xc);

Int32 dwPlatformIDSize = BitConverter.ToInt32(buffer, 0x10);

sb.Append(String.Format("{0:X8}-{1:X4}-{2:X4}-{3:X4}-",

BitConverter.ToInt32(buffer, dwPresetIDOffsset),

BitConverter.ToInt16(buffer, dwPresetIDOffsset + 4),

BitConverter.ToInt16(buffer, dwPresetIDOffsset + 6),

BitConverter.ToInt16(buffer, dwPresetIDOffsset + 8)));

for (int i = dwPlatformIDOffset; i < dwPlatformIDOffset + dwPlatformIDSize;
i++)

{

sb.Append(String.Format("{0:X2}", buffer));

}

}

catch ( Exception ex )

{

sb.Append(ex.ToString());

}

return sb.ToString();

}

}

}

Then you can use:

string serial = Serial.GetSerialNumber();

Best regards

Gogy

Hi

We did some investigation into SDCard ID's and found that it depends on
the SD card manufacturer as to whether they implemented the DRM bits of
SD cards and so there didn't seem to be a standard API to allow for
restricting data to only work on the single card.

However you can use the device ID of the device to encrypt the data,
and thus the data would only decrypt if placed into the same device.

GetDeviceUniqueID (WM5.0 devices only) is not a privileged call,
because it hashes the real device id with an application specific
string and returns that data. So you don't need a signed application to
access it.

This is example code in C++ for fetching the device ID

#define DEVICE_ID_LENGTH 20
#define APPLICATION_DATA "APPLICATIONKEY"
#define APPLICATION_DATA_LENGTH 14

HRESULT hr = NOERROR;
BYTE rgDeviceId[DEVICE_ID_LENGTH];
DWORD cbDeviceId = sizeof(rgDeviceId);

hr = GetDeviceUniqueID(reinterpret_cast<PBYTE>(APPLICATION_DATA),
APPLICATION_DATA_LENGTH, GETDEVICEUNIQUEID_V1, rgDeviceId,
&cbDeviceId);

if(hr == S_OK)
{
// do something with the device id bytes
}

Sorry it's not in c#, but it should be relatively easy to p\invoke that
call to get the id... I had a quick look in the help for the managed
version but couldn't find it, so thought I'd post the c++ one anyway...
hope it helps and if anyone knows the managed version please let me
know!

Thanks

Matt

Hi all,

Not sure the best way to do this. I want to build a Windows Mobile
application using .NETCF2.0 that possibly ships on a Mini SD Card. This
card
would contain some kind of encrypted licence file that could not be
copied on
to another SD Card and be valid. What is the best way of acheiving this
using .NETCF2.0? Can the crypto API provide the encyption and is there
an
API in order to ID the SD Card so the licence file would only be valid on
the
SD Card that is was intended for?

I also want to make sure the SD Card only works in the device it was
intended for. I believe that you need a certificate in order to get the
required priviledges to access the API to retrieve a device ID. How
secure
would using the TAPI to retrieve the telephone number and use it as a
device
ID instead? Is this easily faked?

On the flipside would I be better of using a licence file tied to a
device
(Using Device ID or Telephone Number) rather than an SD card? If so what
would be the best way of ID'ing the device in the licence file?

Finally and this is a daft question really. Can PDA's be used as phones
or
is the SmartPhone the only way to use Mobile Networks with SIM cards?
The
only reason I ask this is because this application needs to make use of a
Mobile Network. Does my project I choose in VS.NET 2005 be for a
SmartPhone
device over a PDA/Windows CE device. Will the one project do?

I'm sorry if these are broad and complex questions. I've never attempted
this kind of licencing before and I've little experience on developing on
Windows Mobile Devices either. Any advice here would be greatly
apreciated.

Thanks