Using security holes to work around carrier lock-in #

I recently acquired a Samsung SCH-a990. The QVGA screen and Verizon's reasonably broad coverage for their EVDO network made it seem like a good choice, despite the carrier's tendency to cripple the phone's features (also, a decent camera seemed like a nice perk). Some of the crippling can be worked around, e.g. the lack of Bluetooth file transfer with a cheap MicroSD card, allowing pictures and songs to be moved around without incurring messaging costs.

Verizon HomepageUnfortunately, changing the homepage does not appear to be possible the way it was on my old v710. No one seems to have figured out how to edit the browser/WAP settings on this phone. Users are therefore stuck with the pre-set Verizon homepage (pictured to the left).

A limited amount of customization is allowed, in the form of bookmarks that can be added to the bottom of the page. The bookmarks appear to be pretty limited, allowing only 17 characters for the title, and the links cannot be bound to any access keys, requiring the user to scroll through all the other on-screen links to get to the bookmark ones.

In addition to setting these bookmarks on the phone, there is also a desktop-acessible website where the homepage can be customized. I decided to investigate if sloppy coding on Verizon's side could be used to work around the carrier lock-in.

Sure enough, it turned out that the bookmark editing form did not do any HTML sanitizing for the name field, and neither did the homepage output code. Better yet, the 17 character name limit was only enforced as a maxlength atttribute on the <input> node. By running the following snippet of JavaScript, it was possible to at least bind a bookmark to an access key:

var nameInput = document.forms.theform.tle;
nameInput.setAttribute("maxlength", 200);
nameInput.value='<a href="http://www.google.com/reader/m" accesskey="0">Reader</a>';

Encouraged by this, I tried to see if this hole could be used to hijack the homepage entirely. Unfortunately limitations of the OpenWave browser and the fact that these bookmarks were inserted below the built-in content meant that nothing else seemed to work. For the record, these are the things that I tried:

  • A <style> block that hid all of the images on the page (all of the built-in links appear to be created from images).
  • A <meta> tag to auto-refresh the page to my preferred start page.
  • Positioning the bookmark link absolutely so that it would be overlayed on top of the built-in content.
  • Modifying the item ID parameter in the edit form with those of the built-in links in case they could be edited too.

For now I'm at wits end.

7 Comments

Worth trying javascript tags? (I've forgotten all about WAP; maybe that doesn't make much sense.)
Thnaks for trying. Very curious to see how this turns out. Please keep us updated.
have you tried howardforums.com? there are usually hidden menus you can activate to change these settings, but it requires a data cable and "special" software.
I've looked around HowardForums, and all threads such as these lead nowhere:



http://www.howardforums.com/archive/topic/957369-1.html

http://www.howardforums.com/archive/topic/1010210-1.html



The a990 is probably too new or too expensive (and therefore not popular). It's also possible that Verizon has gotten better at locking down its phones, codes that used to work on the a950 no longer do.
Have you tried an alternative browser like Opera Mini?
akadruid, Verizon does not allow J2ME apps on their phones.
Mihai, I have the razr with verizon. A while back I added a single link at the bottom of my home page that I titled Portal. It automatically picked up the access key 9. I use it to jump quickly to a wap page on my own web server that has links to all the pages I use with other access keys assigned. I rarely use verizon's home page any more.

I hope this means, now that you have verizon, that a BREW version of Gmail and Google Maps is in the near future...

--Tom

Post a Comment