
[Q] Hacking Windows RT to Run Desktop Apps?

netham45
#221
Quote:
Originally Posted by samco08
Cool!
Do you think that Microsoft can patch your exploit?
You think we should stop Surface Update until you provide us a tool or something like that?
I don't know if you foresee doing that
@+
They could, but since we can reinstall the OS from the recovery partition and there'll always be a copy of the unpatched recovery partition around, we can revert any patches they throw out.

They could also ban MS accounts for doing this too, though I don't expect them to do that.
Don't PM me for help, post on the forums. I won't respond to basic questions.

I wrote and maintain the jailbreak scripts for Windows RT.

Tablet: Microsoft Surface RT 32GB, Type Keyboard
Phone: Samsung Galaxy Note III

Helpful Windows RT Links:
Windows RT Jailbreak Tool
List of ported apps
Disabling Windows Update
 
mamaich
(Last edited by mamaich; 7th January 2013 at 12:15 PM.)
#222
Hmm, seems that there is already a working and very easy method that allows running unsigned apps on RT:
http://younsi.blogspot.ru/2012/10/no...dows-8-rt.html
Just create UMCIAuditMode=1 in "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CI" and reboot.

Can someone confirm that it works? As far as I see - this really should work, as this sets in ci.dll the g_CiOptions|=0x40, that later sets g_CiDeveloperMode=6, which should allow unsigned apps in dir specified in "HKLM\System\CurrentControlSet\Control\CI\TRSData" "TestPath" key (see this post: http://forum.xda-developers.com/show...5&postcount=10).

So all greetings for finding a working and easy "desktop-unlocking" method should go to Thomas Younsi

Edited:
As far as I see - this effectively turns on the "CI Audit" mode, that does not block unsigned apps from running, but just logs them. So adding a path to the "TestPath" should not be necessary.
And yes, this can be blocked by MS in later updates. But I really don't think that they would do that soon (or ever).
 
clrokr
#223
@mamaich:
I can confirm that it doesn't work. That would have been a nice way to do it though, very easy and scriptable.
 
mamaich
#224
But strange - I've decompiled ci.dll from a device dump, and see that it checks those registry keys. But this is THUMB, so I may have overlooked something.
 
netham45
(Last edited by netham45; 7th January 2013 at 12:43 PM.)
#225
Nesting VNC windows is fun.

(Also, yes, I misspelled the name on my tablet.)


The main issue I had with recompiling, other than the libs, was the SxS manifests. I couldn't get them to work, so I just disabled them. Also, TightVNC has /machine:x86 set statically a few times in their configs, though that was easy enough to fix.


Also, here's PuTTY. I got fed up with winspool not working right so I just commented out all the calls to it, so printing may not (as in, won't) work right.
Attached Files
File Type: zip TightVNC_ARM.zip (949.4 KB, 5723 views)
File Type: zip putty_arm.zip (296.3 KB, 979 views)
 
rheza02
#226
I can't confirm it, none of your apps work,

"windows cannot verify the digital signature ..."
oh, hello...
 
netham45
#227
Quote:
Originally Posted by rheza02
I can't confirm it, none of your apps work,

"windows cannot verify the digital signature ..."
Please read the past 3 or 4 pages of the thread. You have to do the exploit clrokr documented to get them to run.

Edit: Unless you were responding to mamaich, in which case ignore me.
 
Dewinter
#228
Quote:
Originally Posted by netham45
Please read the past 3 or 4 pages of the thread. You have to do the exploit clrokr documented to get them to run.

Edit: Unless you were responding to mamaich, in which case ignore me.
1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source
3) armasm -o exploit.o exploit.asm
4) Taking the code starting at 0x64 (push r5) and putting it in Winsrv.dll!0x10800
5) Placing a breakpoint right after 'bl NtUserSetInformationThread (75475134h)' (Note that there are two calls to NtUserSetInformationThread, I've tried putting the break right after both)
6) Placing a breakpoint at mov r0,r0 at Winsrv.dll!0x10800
7) Resuming CSRSS
8) Hitting vol down
9) Moving PC to Winsrv.dll!0x10800
10) Resume, at this point I BSoD.


3) When running armasm, I always get errors like D:\arm.s(1) : error A2034: unknown opcode: {
push {r5-r8}

Can you pls share your source code? I'm not familiar with ARM assembly.
 
lilstevie
#229
Quote:
Originally Posted by Dewinter
1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source
3) armasm -o exploit.o exploit.asm
4) Taking the code starting at 0x64 (push r5) and putting it in Winsrv.dll!0x10800
5) Placing a breakpoint right after 'bl NtUserSetInformationThread (75475134h)' (Note that there are two calls to NtUserSetInformationThread, I've tried putting the break right after both)
6) Placing a breakpoint at mov r0,r0 at Winsrv.dll!0x10800
7) Resuming CSRSS
8) Hitting vol down
9) Moving PC to Winsrv.dll!0x10800
10) Resume, at this point I BSoD.


3) When running armasm, I always get errors like D:\arm.s(1) : error A2034: unknown opcode: {
push {r5-r8}

Can you pls share your source code? I'm not familiar with ARM assembly.
You need to indent all opcodes.
 
peterdn
(Last edited by peterdn; 7th January 2013 at 01:24 PM.)
#230
Quote:
Originally Posted by netham45
Also, here's PuTTY. I got fed up with winspool not working right so I just commented out all the calls to it, so printing may not (as in, won't) work right.
What problems did you have with winspool? Only issue I had (couldn't find it at runtime) was resolved by putting a copy of it named winspool.dll in PuTTY's working directory.
