Cool!
Do you think that Microsoft can patch your exploit?
Do you think we should stop Surface updates until you provide us a tool or something like that?
I don't know if you foresee doing that.
@+
They could, but since we can reinstall the OS from the recovery partition and there'll always be a copy of the unpatched recovery partition around we can revert any patches they throw out.
They could also ban MS accounts for doing this too, though I don't expect them to do that.
Don't PM me for help, post on the forums. I don't care if you don't have the 10 posts to post in a developer section, I won't respond to basic questions.
I wrote and maintain the jailbreak scripts for Windows RT.
Tablet: Microsoft Surface RT 32GB, Type Keyboard
Phone: Nokia Lumia 920
Hmm, seems that there is already a working and very easy method that allows running unsigned apps on RT: http://younsi.blogspot.ru/2012/10/no...dows-8-rt.html
Just create UMCIAuditMode=1 in "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CI" and reboot.
Can someone confirm that it works? As far as I see, this really should work, as this sets in ci.dll the g_CiOptions|=0x40, which later sets g_CiDeveloperMode=6, which should allow unsigned apps in the dir specified in the "HKLM\System\CurrentControlSet\Control\CI\TRSData" "TestPath" key (see this post: http://forum.xda-developers.com/show...5&postcount=10).
So all greetings for finding a working and easy "desktop-unlocking" method should go to Thomas Younsi.
Edited:
As far as I see, this effectively turns on the "CI Audit" mode, which does not block unsigned apps from running, but just logs them. So adding a path to the "TestPath" should not be necessary.
And yes, this can be blocked by MS in later updates. But I really don't think that they would do that soon (or ever).
But strange: I've decompiled ci.dll from a device dump, and see that it checks those registry keys. But this is THUMB, so I may have overlooked something.
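For an administrator who wants to know whether a device has had these code-integrity settings relaxed, here is an added audit check (my own example, not from the thread or from any of the posters). It only reads the two registry values named above; the function name Get-CiUnlockStatus is my own.

```powershell
# Added audit check (not from the thread): report whether the Windows RT
# code-integrity audit-mode switch and the TRSData TestPath override are set.
function Get-CiUnlockStatus {
    $ciKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI'
    $trsdKey = Join-Path $ciKey 'TRSData'

    # Read each value defensively; an absent value is the default (enforcing) state.
    $auditMode = (Get-ItemProperty -Path $ciKey   -Name 'UMCIAuditMode' -ErrorAction SilentlyContinue).UMCIAuditMode
    $testPath  = (Get-ItemProperty -Path $trsdKey -Name 'TestPath'      -ErrorAction SilentlyContinue).TestPath

    [pscustomobject]@{
        UMCIAuditMode    = $auditMode
        TestPath         = $testPath
        # UMCIAuditMode=1 means unsigned desktop code is logged instead of blocked.
        AuditModeEnabled = ($auditMode -eq 1)
        # A TestPath means a directory has been whitelisted for unsigned binaries.
        TestPathSet      = -not [string]::IsNullOrEmpty($testPath)
    }
}

$status = Get-CiUnlockStatus
$status | Format-List
if ($status.AuditModeEnabled -or $status.TestPathSet) {
    Write-Warning 'Code-integrity enforcement has been relaxed on this device; review the CI key.'
} else {
    Write-Output 'UMCI enforcement values are at their default (absent) state.'
}
```

Run it from an elevated PowerShell prompt, since the CI key lives under HKLM.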
The main issue I had with recompiling, other than the libs, was the SxS manifests. I couldn't get them to work, so I just disabled them. Also, TightVNC has /machine:x86 set statically a few times in their configs, though that was easy enough to fix.
Also, here's PuTTY. I got fed up with winspool not working right so I just commented out all the calls to it, so printing may not (as in, won't) work right.
Please read the past 3 or 4 pages of the thread. You have to do the exploit clrokr documented to get them to run.
Edit: Unless you were responding to mamaich, in which case ignore me.
1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source
3) armasm -o exploit.o exploit.asm
4) Taking the code starting at 0x64 (push r5) and putting it in Winsrv.dll!0x10800
5) Placing a breakpoint right after 'bl NtUserSetInformationThread (75475134h)' (Note that there are two calls to NtUserSetInformationThread, I've tried putting the break right after both)
6) Placing a breakpoint at mov r0,r0 at Winsrv.dll!0x10800
7) Resuming CSRSS
8) Hitting vol down
9) Moving PC to Winsrv.dll!0x10800
10) Resume, at this point I BSoD.
3) When running armasm, I always get errors like D:\arm.s(1) : error A2034: unknown opcode: {
push {r5-r8}
Can you please share your source code? I'm not familiar with ARM assembly.
Also, here's PuTTY. I got fed up with winspool not working right so I just commented out all the calls to it, so printing may not (as in, won't) work right.
What problems did you have with winspool? Only issue I had (couldn't find it at runtime) was resolved by putting a copy of it named winspool.dll in PuTTY's working directory.