Bootstrapping WM phones

    Question

  • First I apologise for posting to this forum, but I have not found another one at Microsoft TechNet Forums dealing with OMA specifically. My question is on using OMA with Windows Mobile phones, and not SCMDM.

    I'm working on a DM server that together with our server can bootstrap and install our client on mobile phones. Up till now we have had success on Nokia S60 and Sony Ericsson Java phones and UIQ. Using OMA DM we can bootstrap a clean device and afterwards install our client. The only thing we know from the start is the phone number, and on the device you have to say 'yes' a couple of times. The bootstrap is purely OTA.

    But working with WM our troubles began :( The same bootstrap message that worked on the other phones does not work on WM. I have been reading a lot on MSDN, starting with Bootstrapping To Use An OMA DM Server. First, I think that though the documentation is big, it tends to be a bit circular. Many times I find myself clicking on links and after a while getting back to where I started. Second, the XML examples contain errors, not making it any easier for a WM beginner.

    The problems I have are very different, depending on the device. An HTC Touch Cruiser (PPC) I have only flashes the screen once when receiving the message - nothing else happens. A Samsung Omnia (PPC) asks for the configuration password, and then fails when saving the configuration. A Motorola Q8 (SP) is able to save the configuration, but does not call back (the XML contains a <parm name="INIT"/>) or call back when sending initiator messages.
    If the XML contains something the phones do not like, they react by asking for the configuration password three times, and then it fails.

    A problem is that the WM phones do not have any GUI for Device Management. There is nowhere I can see what settings the phone received, and when it says that it can't save the configuration, it gives no reason why.

    I assume the problem has to do with security policies on WM, but not being a WM developer I think too many things are implicit for the WM developer when you read the MSDN documentation, e.g. using RAPI or knowing what ROLE 24 is. Combined with errors like not being specific on how to add a certificate, only specifying where to add it, this makes it anything but straightforward to bootstrap a WM phone.

    Any suggestions on where to look or ask to get further in the right direction are received with open arms.

    For example, I would like to know if anyone has been able to bootstrap a WM device OTA just knowing the phone number and not preparing the phone beforehand with a USB cable. Does there exist a simple step-by-step guide for that?
    Does it depend entirely on how the phone was configured by the OEM, or can we bootstrap any device just by supplying the right certificate?
    Do WM devices answer INIT messages, or should it be done differently?
    Can we in any way see what DM settings the device has saved, either by browsing the registry or by installing a client?

    Any help is appreciated, and thanks to all in advance.

    Kind regards,
    Thomas

    The XML we are using on other phones, and which is saved on the Motorola Q8, looks like the following:

    <!DOCTYPE wap-provisioningdoc PUBLIC "-//WAPFORUM//DTD PROV 1.0//EN" "http://www.wapforum.org/DTD/prov.dtd">
    <wap-provisioningdoc version="1.0">
       <characteristic type="APPLICATION">
          <parm name="APPID" value="w7"/>
          <parm name="NAME" value="DME DM Server"/>
          <parm name="PROVIDER-ID" value="dme dm"/>
          <parm name="INIT" />
          <characteristic type="APPADDR">
             <parm name="ADDR" value="http://IP-ADDRESS/dm/DMServlet?bid=B683F7C1"/>
             <characteristic type="PORT">
                <parm name="PORTNBR" value="8080"/>
             </characteristic>
          </characteristic>
          <characteristic type="APPAUTH">
              <parm name="AAUTHLEVEL" value="APPSRV"/>
              <parm name="AAUTHTYPE" value="syncml:auth-md5"/>
              <parm name="AAUTHNAME" value="client-name"/>
              <parm name="AAUTHSECRET" value="client-secret"/>
              <parm name="AAUTHDATA" value="client-nonce"/>
          </characteristic>
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="CLIENT"/>
             <parm name="AAUTHNAME" value="server-name"/>
             <parm name="AAUTHSECRET" value="server-secret"/>
             <parm name="AAUTHDATA" value="server-nonce"/>
          </characteristic>
       </characteristic>
    </wap-provisioningdoc>

    Friday, January 16, 2009 9:38 AM

Answers

  • After a longer break working on other stuff, I got back to this task. The road has been cumbersome, and there have been no easy wins. But we are finally there, where we want to be. We can now install OTA using OMA DM.
    The two most important lessons learnt have been that the DM server has to use https and that the install file has to be a cab file (or cpf), and it has to be signed.
    The bootstrap message should look more or less like the one above.

    So don't accept that things are not going to work (I guess that was a third lesson learnt). If it is MS it will just be that harder ;-)

    Thomas
    Wednesday, April 22, 2009 9:50 AM
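    Given the two lessons above (https, signed cab) and the fact that the handsets refuse a document without saying why, it helps to check a bootstrap message before it goes out over SMS. The following linter is an added example written for this thread, not code from the thread, from DMESync or from any DM product. It checks only what the thread itself states: the XML must be well-formed (the message as first posted has opening tags without a closing `>`, which a phone silently rejects), there must be an APPLICATION characteristic with APPID w7, that account needs a server ADDR (placed either directly on APPLICATION, as in the MSDN-style sample later in the thread, or under APPADDR, as in the first message), the ADDR must be https, and APPAUTH entries for both AAUTHLEVEL APPSRV and CLIENT must carry a secret. It cannot check cab signing. The sample documents are constructed, with placeholder hosts and secrets.

```python
"""Lint an OMA Client Provisioning (wap-provisioningdoc) bootstrap message
against the constraints this thread arrived at. Added example; the sample
documents below are constructed and use placeholder hosts and secrets."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def _parms(node):
    """Map the <parm name=.. value=..> children of a characteristic."""
    return {p.get("name"): p.get("value") for p in node.findall("parm")}


def _children(node, ctype):
    """Direct child characteristics of the given type."""
    return [c for c in node.findall("characteristic") if c.get("type") == ctype]


def lint_bootstrap(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # A handset gives no reason when it refuses a document; a parser does.
        return ["not well-formed: %s" % err]
    if root.tag != "wap-provisioningdoc":
        return ["unexpected root element <%s>" % root.tag]

    dm_accounts = [a for a in _children(root, "APPLICATION")
                   if _parms(a).get("APPID") == "w7"]
    if not dm_accounts:
        findings.append("no APPLICATION characteristic with APPID w7")

    for app in dm_accounts:
        parms = _parms(app)
        # ADDR may sit directly on APPLICATION or inside an APPADDR characteristic.
        addrs = [parms["ADDR"]] if parms.get("ADDR") else []
        addrs += [_parms(a)["ADDR"] for a in _children(app, "APPADDR")
                  if _parms(a).get("ADDR")]
        if not addrs:
            findings.append("w7: no server ADDR")
        for addr in addrs:
            if urlsplit(addr).scheme.lower() != "https":
                findings.append("w7: server address %r is not https" % addr)

        # One APPAUTH per level: APPSRV authenticates the device to the
        # server, CLIENT authenticates the server to the device.
        auth = {_parms(c).get("AAUTHLEVEL"): _parms(c)
                for c in _children(app, "APPAUTH")}
        for level in ("APPSRV", "CLIENT"):
            entry = auth.get(level)
            if entry is None:
                findings.append("w7: missing APPAUTH with AAUTHLEVEL %s" % level)
            elif not entry.get("AAUTHSECRET"):
                findings.append("w7: APPAUTH %s has no AAUTHSECRET" % level)
            elif entry.get("AAUTHSECRET") == entry.get("AAUTHNAME"):
                findings.append("w7: APPAUTH %s secret equals its name" % level)
    return findings


# Constructed sample: https address on APPLICATION, both APPAUTH levels present.
SAMPLE_OK = """<!DOCTYPE wap-provisioningdoc PUBLIC "-//WAPFORUM//DTD PROV 1.0//EN" "http://www.wapforum.org/DTD/prov.dtd">
<wap-provisioningdoc version="1.1">
  <characteristic type="APPLICATION">
    <parm name="APPID" value="w7"/>
    <parm name="PROVIDER-ID" value="example-dm"/>
    <parm name="NAME" value="Example DM"/>
    <parm name="ADDR" value="https://dm.example.invalid:8443/dm"/>
    <parm name="INIT"/>
    <characteristic type="APPAUTH">
      <parm name="AAUTHLEVEL" value="APPSRV"/>
      <parm name="AAUTHTYPE" value="DIGEST"/>
      <parm name="AAUTHNAME" value="client-name"/>
      <parm name="AAUTHSECRET" value="client-secret-placeholder"/>
    </characteristic>
    <characteristic type="APPAUTH">
      <parm name="AAUTHLEVEL" value="CLIENT"/>
      <parm name="AAUTHTYPE" value="DIGEST"/>
      <parm name="AAUTHNAME" value="server-name"/>
      <parm name="AAUTHSECRET" value="server-secret-placeholder"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""

# Constructed sample: address nested under APPADDR and plain http.
SAMPLE_HTTP = """<wap-provisioningdoc version="1.0">
  <characteristic type="APPLICATION">
    <parm name="APPID" value="w7"/>
    <parm name="NAME" value="Plain-http DM"/>
    <characteristic type="APPADDR">
      <parm name="ADDR" value="http://IP-ADDRESS/dm/DMServlet"/>
    </characteristic>
    <characteristic type="APPAUTH">
      <parm name="AAUTHLEVEL" value="APPSRV"/>
      <parm name="AAUTHNAME" value="client-name"/>
      <parm name="AAUTHSECRET" value="client-secret"/>
    </characteristic>
    <characteristic type="APPAUTH">
      <parm name="AAUTHLEVEL" value="CLIENT"/>
      <parm name="AAUTHNAME" value="server-name"/>
      <parm name="AAUTHSECRET" value="server-secret"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""

# Same document with the root tag's closing '>' dropped, as in the first post.
SAMPLE_BROKEN = SAMPLE_HTTP.replace('<wap-provisioningdoc version="1.0">',
                                    '<wap-provisioningdoc version="1.0"')

if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("http", SAMPLE_HTTP), ("broken", SAMPLE_BROKEN)):
        print(name, lint_bootstrap(doc) or "no findings")
```

    The check runs entirely offline with the standard library; for a document received from an untrusted sender, parse it with a DTD-disabled parser such as defusedxml rather than ElementTree directly.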

All replies

  • Well, the right forum would possibly be http://social.msdn.microsoft.com/Forums/en-US/windowsmobiledev/threads/

    But I can try to answer some of your questions nonetheless since SCMDM is OMA-based.

    I take it that the DM server you are referring to is DMESync? Which I would agree works best on Nokia devices.

    If you want the short answer; don't waste any more time and just accept that you cannot get it to work.

    Windows Mobile allows bootstrapping/OTA, but there are some prerequisites. The device needs to be configured to allow wap-provisioning, and the device needs to trust the source of the provisioning. Microsoft has some default values for this in a Windows Mobile build, but it's entirely up to the device manufacturer/OEM how this is configured. Your generic HTC device may or may not be enabled for provisioning (varies between device models), and is most likely not trusting any sources by default. If it's an operator-branded HTC it might be configured to trust provisioning from that specific operator. But there is no generic setting, so you can never trust an untouched device to work other than by testing it.

    If you can touch the contents of the ROM/Extended ROM of the device you can configure it to accept the provisioning and trust your server.

    You can browse the registry of the device to check the current settings, and if you install your own client you can also configure this. (Not sure, but I think you would need to have your client signed with a privileged certificate to modify these settings.)

    As a side-note; if you want to develop for Windows Mobile or code server solutions that work on WM I'd recommend picking up a book like "Mobile Development Handbook" by MS Press and become a WM-developer.
    Friday, January 16, 2009 5:30 PM
  • I never said it was not possible - just that it was tricky :)

    OMA DM requires https yes, and the SSL certificate needs to be trusted as well. So with a generic device that means the cab/cpf must be signed with an M2M-issued certificate. But this doesn't really scale well if you are generating server-specific bootstrap code. They'll each need their own M2M-signed cab, alternatively you need to send out a stub bootstrap with a trusted cert, and use this stub to connect in to a generic server, and get the server-specific certificate sent out through OMA CP for instance. That however has other security implications.

    Now I don't know the specifics of how you implemented this, but if you have implemented something that works I'm happy for you (and your customers too) :)
    Wednesday, April 22, 2009 5:40 PM
  • Nice work Thomas... not an easy feat, congratulations are in order. How did you overcome the OMA trust bootstrapping issues?

    If you prompted the user to manually enter the server name, or automatically "discovered" the server name, then you could get away with one Mobile-2-Market signed cab.
    You could use SMS as the server configuration mechanism! Very interesting!

    Cheers Wayne
    Airloom
    Thursday, April 23, 2009 12:27 AM
    Moderator
  • Hi Thomas,

    I'm trying to do the same with the Funambol Server. But whenever I try to save the settings I keep getting the message:

    "System notification : Couldn't change phone settings - Your phone's settings couldn't be changed".

    I'm using the following XML based on the example given here (ref: http://msdn.microsoft.com/en-us/library/bb737552.aspx ).


    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE wap-provisioningdoc PUBLIC "-//WAPFORUM//DTD PROV 1.0//EN" "http://www.wapforum.org/DTD/prov.dtd">
    <wap-provisioningdoc version="1.1">
       <characteristic type="APPLICATION">
          <parm name="APPID" value="w7"/>
          <parm name="PROVIDER-ID" value="funambol"/>
          <parm name="NAME" value="Funambol"/>
          <parm name="ADDR" value="https://funm.moota.com:8443/funambol/dm"/>
          <parm name="TO-NAPID" value="ppwap"/>
          <parm name="ROLE" value="24"/>
          <parm name="INIT"/>
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="APPSRV"/>
             <parm name="AAUTHTYPE" value="DIGEST"/>
             <parm name="AAUTHNAME" value="funambol"/>
             <parm name="AAUTHSECRET" value="funambol"/>
             <parm name="AAUTHDATA" value="79b84d9bd2402d64"/>
          </characteristic>
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="CLIENT"/>
             <parm name="AAUTHTYPE" value="DIGEST"/>
             <parm name="AAUTHSECRET" value="srvpwd"/>
             <parm name="AAUTHDATA" value="a657103b57c13022"/>
          </characteristic>
       </characteristic>
       <characteristic type="NAPDEF">
          <parm name="NAPID" value="ppwap"/>
          <parm name="NAME" value="Dialog Internet"/>
          <parm name="BEARER" value="GSM-GPRS"/>
          <parm name="NAP-ADDRESS" value="ppwap"/>
          <parm name="NAP-ADDRTYPE" value="APN"/>
       </characteristic>
       <characteristic type="SecurityPolicy">
          <parm name="4119" value="128"/>
          <parm name="4141" value="3200"/>
          <parm name="4142" value="3200"/>
          <parm name="4143" value="3200"/>
       </characteristic>
       <characteristic type="CertificateStore">
          <characteristic type="ROOT">
             <parm name="EncodedCertificate" value="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"/>
          </characteristic>
       </characteristic>
    </wap-provisioningdoc>

    Could you please help me as to where I am going wrong?

    BR,

    ./Ramesh

    • Edited by M.S Ramesh Wednesday, February 01, 2012 9:44 AM
    Wednesday, February 01, 2012 9:30 AM