Updating the BlackBerry Device Software from an update web site

You can configure the IT policy rules that are included in the Wired Software Updates policy group to permit a user to update the BlackBerry® Device Software from an update web site using the BlackBerry® Desktop Manager or BlackBerry Application Web Loader. The user can use the update process to update the BlackBerry Device Software from a computer that is outside your organization’s network (for example, from home).

During the update process, a BlackBerry device activates itself automatically over the wireless network so that the user can use a computer that is outside your organization’s network to update the BlackBerry Device Software. When a user who does not use the BlackBerry Desktop Manager visits the update web site, the user must download and install Microsoft® ActiveX® components on the computer before the user can update the BlackBerry Device Software. The update process can take from 15 minutes to 2 hours, depending on the type of update, amount of BlackBerry device data, and number of applications that are installed on the BlackBerry device. A user cannot use the BlackBerry device or make emergency calls during the update process.

BlackBerry Device Software versions 5.0 and later, BlackBerry Desktop Manager versions 5.0.1 and later, and BlackBerry Application Web Loader versions 1.1.0 and later support BlackBerry Device Software updates from an update web site.

For more information about the IT policy rules that are included in the Wired Software Updates policy group, see the BlackBerry Enterprise Server Policy Reference Guide. For more information about the BlackBerry Application Web Loader, see the BlackBerry Application Web Loader Developer Guide.

Protecting cryptographic services data when updating the BlackBerry Device Software from an update web site

When a user updates the BlackBerry® Device Software from an update web site, the BlackBerry® Enterprise Solution backs up cryptographic services data (for example, cryptographic keys and service books) from a BlackBerry device to the user’s computer. To protect the cryptographic services data, the BlackBerry device encrypts the cryptographic services data using a BlackBerry services key.

The BlackBerry device stores the BlackBerry services key in the NV store in flash memory. Neither the user nor third-party applications can access the location in the NV store where the BlackBerry device stores the BlackBerry services key. If you or a user turns on content protection, the BlackBerry device also encrypts the BlackBerry services key using the content protection key.

After the BlackBerry device encrypts the cryptographic services data, the BlackBerry® Desktop Manager or BlackBerry Application Web Loader backs up the encrypted cryptographic services data to a database and stores the database on the user’s computer as an .ipd file.

When the update process completes, the BlackBerry Desktop Manager or BlackBerry Application Web Loader restores the cryptographic services data to the BlackBerry device. Only the BlackBerry device that encrypted the cryptographic services data can decrypt the cryptographic services data. The BlackBerry device can decrypt the cryptographic services data only once. The BlackBerry device deletes the BlackBerry services key from the NV store after the BlackBerry device decrypts the cryptographic services data.

The BlackBerry® Enterprise Solution does not back up or restore cryptographic services data except during the BlackBerry Device Software update process from an update web site. When the user backs up or restores BlackBerry device data by selecting the backup and restore options in the BlackBerry Desktop Manager, the backup and restore processes do not access cryptographic services data.

Process flow: Generating a BlackBerry services key that protects cryptographic services data

The BlackBerry® device uses an ephemeral AES-256 encryption key (called the BlackBerry services key) to encrypt the cryptographic services data. To generate the BlackBerry services key, the BlackBerry device performs the following actions:

  1. generates a random password from a random source of 32 bytes
  2. generates a random salt from a random source of 8 bytes
  3. concatenates the salt, password, and salt again into a byte array (for example, Salt|Password|Salt)
  4. hashes the byte array using SHA-256
  5. stores the resulting hash in a byte array that is called a key
    (key) = SHA256(Salt|Password|Salt)

  6. hashes the key 18 more times and stores the result in a key each time
    For example, for i=0 to 18, the BlackBerry device performs the following actions:
    (key) = SHA256(key)
    i++
    done

    The final hash creates the BlackBerry services key.
  7. stores the BlackBerry services key in a location of the NV store that third-party applications and the user cannot access
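
The derivation in steps 1 to 6, as an added Python example that is not BlackBerry's code; the function and constant names are illustrative assumptions. It follows the step text ("18 more times", so 19 SHA-256 calls in total); the loop written as i=0 to 18 could also be read as 19 further iterations, which would produce a different key.

```python
import hashlib
import secrets

PASSWORD_LEN = 32   # bytes of random password (step 1)
SALT_LEN = 8        # bytes of random salt (step 2)
EXTRA_ROUNDS = 18   # step 6: "18 more times" (assumed reading, see lead-in)


def derive_services_key(password: bytes, salt: bytes,
                        extra_rounds: int = EXTRA_ROUNDS) -> bytes:
    """Iterate SHA-256 over Salt|Password|Salt as described in steps 3 to 6."""
    if len(password) != PASSWORD_LEN:
        raise ValueError("password must be 32 bytes")
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 8 bytes")
    # Steps 3 to 5: key = SHA256(Salt|Password|Salt)
    key = hashlib.sha256(salt + password + salt).digest()
    # Step 6: re-hash the key, keeping the result each time
    for _ in range(extra_rounds):
        key = hashlib.sha256(key).digest()
    return key  # 32 bytes, the size of an AES-256 key


def generate_services_key() -> bytes:
    """Steps 1 to 6 with fresh random inputs from the OS CSPRNG."""
    password = secrets.token_bytes(PASSWORD_LEN)
    salt = secrets.token_bytes(SALT_LEN)
    return derive_services_key(password, salt)


if __name__ == "__main__":
    # Constructed fixed inputs, used only to show the two readings diverge.
    pw = bytes(range(32))
    salt = bytes(range(8))
    k18 = derive_services_key(pw, salt)
    k19 = derive_services_key(pw, salt, extra_rounds=19)
    print(len(k18) * 8, "bit key:", k18.hex())
    print("18 vs 19 extra rounds give different keys:", k18 != k19)
```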

Process flow: Backing up cryptographic services data using the BlackBerry Desktop Manager

  1. A user connects a BlackBerry® device to the BlackBerry® Desktop Manager and selects the option to update the BlackBerry® Device Software.
  2. The BlackBerry Desktop Manager determines that cryptographic services data require backup during the update process. It sends the BlackBerry device a command to encrypt the cryptographic services data.
  3. The BlackBerry device performs the following actions:
    1. generates a BlackBerry services key and stores the BlackBerry services key in the NV store
    2. encrypts the cryptographic services data using the BlackBerry services key
    3. encrypts the BlackBerry services key using the content protection key if you or the user turns on content protection
  4. The BlackBerry Desktop Manager backs up the encrypted cryptographic services data in a database on the user’s computer as an .ipd file.

Process flow: Restoring cryptographic services data using the BlackBerry Desktop Manager or BlackBerry Application Web Loader

  1. After the update process completes, the BlackBerry® Desktop Manager or BlackBerry Application Web Loader determines that cryptographic services data must be restored to the BlackBerry device. The BlackBerry Desktop Manager or BlackBerry Application Web Loader sends the BlackBerry device a command to restore the cryptographic services data.
  2. The BlackBerry device performs the following actions:
    1. retrieves the BlackBerry services key and verifies that the BlackBerry services key was not used previously
    2. decrypts the BlackBerry services key if you or a user turns on content protection
  3. The BlackBerry Desktop Manager restores the encrypted cryptographic services data to the BlackBerry device.
  4. The BlackBerry device performs the following actions:
    1. decrypts the encrypted cryptographic services data using the BlackBerry services key
    2. restores the decrypted cryptographic data
    3. deletes the BlackBerry services key from the NV store