Attend XDA's Second Annual Developer Conference, XDA:DevCon 2014!
5,806,018 Members 44,174 Now Online
XDA Developers Android and Mobile Development Forum

[Release] RT Jailbreak Tool

Tip us?
 
netham45
Old
(Last edited by netham45; 11th April 2013 at 06:55 PM.)
#1  
Recognized Developer - OP
Thanks Meter 540
Posts: 863
Join Date: Jun 2009
Location: Denver

 
DONATE TO ME
Info 2 [Release] RT Jailbreak Tool

RT Jailbreak Tool
By Netham45, Version 1.20

An all-in-one program to jailbreak Windows RT tablets using the method recently released by clrokr

Usage
Boot your RT device and log in, allow it to sit on the desktop for about a minute.
Extract all files out of the latest version of the .ZIP attached to this post. To do this on Windows RT, right-click on the .zip, choose 'Extract all', and select the destination folder.
Run runExploit.bat. It'll prompt you to either install the jailbreak to run on login, uninstall it not to, or run the jailbreak once.
Choose an option and follow all subsequent prompts. They're all quite easy and self-explanatory.

FAQ
Q) What does this do, in layman's terms?
A) It allows non-Microsoft ARM-compiled .exes to run on the desktop. That is it.
Update (03/01/2013): The jailbreak now allows unsigned drivers to load.

Q) Can I use this to run Photoshop, Steam, AutoCAD, <Insert commercial product here>?
A) While it is -technically- possible for the companies to port their stuff over to Windows RT using the hack it is extremely unlikely. As a rule of thumb, if it's a commercial piece of software it won't run on the ARM.

Q) Can I use this to run PuTTY, VNC, X-Chat, <Insert open-source product here>?
A) Yes! Open-source programs are ones that you, having the source code, can recompile to work on the ARM. If it's not already available (A small but growing number of programs are) it's easy to get started. There are some useful threads in the Windows 8 Development and Hacking board on XDA-Developers.
Please note that not all programs can reasonably be ported over to ARM, due to either program complexity, overuse of inline assembly, or the current lack of a GNU Compiler

Q) Can I use this to run any random x86 app I find on the internet?
A) No. Apps must be recompiled for ARM. Stop asking why Chrome doesn't run.

Q) Can I use this to hack my Android tablet?
A) Not really. Most Android hacks require custom kernel-mode drivers (APX, Odin, ADB all require drivers that are unavailable), and this hack only allows us to run unsigned User-mode code.
If you don't know the difference between User-mode and Kernel-mode, I'm sure Wikipedia has a good article on the subject.

Q) Will Chrome/Firefox be ported over?
A) I don't see any major technical hurdles for those, but I probably won't be the one to do it.

Q) Are there any precompiled apps for this available?
A) Check out THIS THREAD for a list of all currently known compiled apps.

Q) I ran the jailbreak, now where can I download pirated apps from?
A) Nowhere. This jailbreak does not allow for pirated apps, and it is a long ways off from actually supporting pirated apps. If you manage to get pirated apps to run on Windows RT you will be doing the entire community a large disservice, along with ruining what credibility this hack may have in Microsoft's eyes.

Q) I don't know how to recompile code, can I get someone else to do it?
A) If it's a simple project you can likely find someone who will be more than happy to recompile it for you. If it's a large project with numerous dependencies, or a commercial project, I will be willing to take a look at it and quote a price to do it. (On that note, please realize that I am not affiliated with XDA-Developers at all.)

Q) I keep BSoD'ing! What's up?
A) I haven't managed to track down the cause of the BSoDs, except that they seem to happen when the exploit is ran within the first minute or so of the tablet booting and logging in. If you're getting BSoDs, boot your tablet to the desktop and wait 2 or 3 minutes before trying the exploit. Also, make sure that you're up to date with Windows Updates, as of 2/26/2013.

Q) I ran the .bat and it told me it couldn't find it's bin folder. What's wrong?
A) Extract the ZIP in entirety. Don't just open the ZIP and double-click on the runExploit.bat.

Q) It's not working! What do?
A) Post in this thread describing what you're doing and the issue you're having, do not PM me, even if you don't have the number of posts to post in the developer sections. I'll consider it spam and disregard it. Don't message me on Twitter either, the only place that I will provide support for this tool is in this thread.

Q) Is this persistent across reboots?
A) No, it resets every time the device reboots.

Q) Is this a tethered exploit?
A) No. Tethering is connecting the device to a computer, or other device to jailbreak it. This is done entirely on the device. It just has to be redone at reboot.

Q) Will this work with all the latest updates, as of 02/26/2013?
A) There was an updated .zip posted for the latest update (Patch Tuesday, Feburary 2013.) It should work.

Q) How do I compile apps for the Surface RT? It says I'm missing a bunch of .libs!
A) Visual Studio 2012 does not come with all the required ARM .libs for compiling most desktop apps. Please see THIS post by _peterdn for a useful utility for generating .libs and .exps from the .dlls on the tablet.

Q) Why would you want desktop apps? They suck for touch.
A) Mainly for the library of easily ported software, along with the things that metro apps just can't do. I agree, they're more inconvenient to use with touch, but that's the tradeoff for having a huge library of software. You also don't have to use desktop mode, the tablet still is quite good without it (Except the mail client). I also believe that since it's my device I should be able to do whatever I want with it, regardless of what MS says. Traditionally MS has leaned the same way with Windows, which makes it rather disappointing they chose to lock this platform down.

Q) Will this void my warranty?
A) Since it doesn't persist across reboots chances are the support center will never know, though it may be against the terms of your devices warranty.

Q) Is there any warranty for this program?
A) No express or implied warranty exists.

Q) Your hack caused the paint to chip off my tablet, the felt to peel off my type keyboard, the kickstand to fall off, and my tablet to display nothing but satanic messages while it's on! I want you to buy me a new one!
A) No it didn't, and see my warranty policy.

Q) Can Microsoft patch this?
A) Yes and no. They can patch it through Windows Update, but since we have the ability to reinstall from recovery partitions we can revert any Windows Updates they release.

Q) Will this allow people to run viruses on my tablet?
A) Yes and no, if something malicious is compiled and ran while jailbroken it could act like a virus, yes. Once you reset, though, it'll be gone.

Q) I came across a malicious RT application! Who do I tell?
A) If it's a jailbroken application then the most you can do is make a post informing about it. That's one downside to having unsigned code, there's no one regulating body who can decide what is and isn't available, and manage safety. If it's a store application then I suggest you contact Microsoft. If it's a Modern UI app that requires the jailbreak to run you still may have luck contacting Microsoft, as they can blacklist the developer's certificate.

Q) Can any random Store app do this?
A) No, this requires tools and privileges that Windows Store apps can't possess. The appcontainer model that MS uses is very strict and good at preventing things like this from happening. There's a number of things that flat-out aren't possible to do from a Store app that this uses, not to mention that it would get rejected by MS.

Q) Will I (The user) get my developer license banned?
A) It's possible, though I doubt that MS will do that.
Update: With the new payload (as of 1/18/2013) users no longer need to get their own developer certificate.

Q) Won't you (Netham45) get your developer license banned?
A) Time will tell, I knew the risk when I posted this. I suspect that their banning system is more geared towards piracy, though, which this doesn't really enable.
Update: With the new payload (as of 1/18/2013) my developer certificate is no longer required.

Q) I've got this great feature/idea for the jailbreak! Where can I tell you at?
A) Post it in this thread. Note that the area where we can script and such before the exploit is limited and restricted to pretty much batch scripts, and that I am under no obligation to implement a feature if you suggest it. And, seriously, do not PM me about it. If you don't have the prerequisite number of posts to post in the developer section then go get them.

Q) Can I throw money at you for writing the tool to automate this?
A) There's a donate link on the side of this post. (I'd love to get a Surface Pro. )

Q) Can I throw money at clrokr for documenting the exploit?
A) You'll have to talk to him about that.Here's his profile.

FAQ last updated 2/26/2013 10:17 PM MST

Thanks to clrokr for documenting the usage of the exploit, and to the numerous people who contributed positively in the [Q] Hacking Windows RT to Run Desktop Apps thread

Download is attached to this post.

Update log
Update 1.01(1/10/2013): Uncommented pause in the PS script to install the ModernUI app -- It was causing it not to prompt to install a developer license/my cert for some reason.
Update 1.02(1/10/2013): Fixed issue on non-English devices.
Update 1.03(1/11/2013): Fixed issue with usernames with spaces in them, fixed issue where the user running the jailbreak isn't the first user logged in
Update 1.1(1/18/2013): Redid functionality; it now gets the kernel base inside the payload, instead of requiring a Metro application. Added a startup folder that gets ran after jailbreak. Cleaned up output. Click for more info
Update 1.11(1/18/2013): Added commandline options, added a simple interface to handle creating scheduled tasks to run, added a powershell script to keep it from running if the system hasn't been up for two minutes, added missing startup folder, added sanity check so it doesn't freak out if the startup folder isn't there
Update 1.12(2/12/2013): Fixed the scheduled task to not require AC power to run, tweaked script to not crash on latest patches, Fixed startup folder not getting executed properly
Update 1.12a(2/12/2013): Fixed it to actually work on the latest updates. Oops.
Update 1.13(2/14/2013): Added the ability to dynamically get the signing level. It now requires internet on the first launch, and after an update changes ntoskrnl.exe. This version is slightly experimental, so if it doesn't work use one of the older versions.
Update 1.13a(2/15/2013): Tweaked the script to return from the hook in a way that seems more robust. If 1.12a or 1.13 work for you there's no need for an update.
Update 1.20(3/01/2013): Made the bat use registry keys instead of files in system32, added registry-based startup folder, altered payload to support unlocking kernel-mode code


Older versions may be downloaded here

(Note: If you wish to mirror this post please retain a link to it at http://forum.xda-developers.com/show....php?t=2092158 so users can always get the latest version.)
Attached Files
File Type: zip RT_Jailbreak-1-13a.zip - [Click for QR Code] (571.7 KB, 55799 views)
File Type: zip RT_Jailbreak-1.20.zip - [Click for QR Code] (571.7 KB, 217320 views)
Don't PM me for help, post on the forums. I won't respond to basic questions.

I wrote and maintain the jailbreak scripts for Windows RT.

Tablet: Microsoft Surface RT 32GB, Type Keyboard
Phone: Samsung Galaxy Note III

Helpful Windows RT Links:
Windows RT Jailbreak Tool
List of ported apps
Disabling Windows Update
The Following 124 Users Say Thank You to netham45 For This Useful Post: [ Click to Expand ]
 
GoodDayToDie
Old
(Last edited by GoodDayToDie; 10th January 2013 at 12:20 PM.)
#2  
Recognized Developer
Thanks Meter 2,699
Posts: 5,680
Join Date: Jan 2011
Location: Seattle
Nice job! Good to have an all-in-one. Is this tool using the decrement by 0x80000 or trying the option of a slightly lesser decrement?

Also, it would be good to have a unified selection of RT-compiled desktop apps. I'm working on porting Pidgin (the Windows Store IM clients kind of suck...) but it's not easy; the "build under Windows" instructions boil down to "make your Windows system as Unix-y as possible, then build it there". There may be a way to target RT from GCC, but I am not aware of it.

EDIT: What I meant to say is, perhaps a thread linking all the various apps that people have built (preferably with links to their source, for those of us mildly paranoid types who like to see what other peoples' code is doing on our systems) would be a good idea.
Win8/Windows RT projects:
List of desktop apps for hacked RT devices

WP8 projects:
Native Access WebServer and Libraries
WP8 Interop Unlocks
Storage Cleanup tool

WP7 projects:
XapHandler, Root Webserver, OEM Marketplace XAPs, Bookmarklets collection (Find On Page), Interop-unlock hacks.


Do not private message me with questions that should have been posted on the forum! Not only are you wasting your time - I'm not going to bother writing an answer to such a question for only one person - but I will probably block you from PMing me in the future as well.
The Following 3 Users Say Thank You to GoodDayToDie For This Useful Post: [ Click to Expand ]
 
netham45
Old
#3  
Recognized Developer - OP
Thanks Meter 540
Posts: 863
Join Date: Jun 2009
Location: Denver

 
DONATE TO ME
Quote:
Originally Posted by GoodDayToDie View Post
Nice job! Good to have an all-in-one. Is this tool using the decrement by 0x80000 or trying the option of a slightly lesser decrement?

Also, it would be good to have a unified selection of RT-compiled desktop apps. I'm working on porting Pidgin (the Windows Store IM clients kind of suck...) but it's not easy; the "build under Windows" instructions boil down to "make your Windows system as Unix-y as possible, then build it there". There may be a way to target RT from GCC, but I am not aware of it.
I'm decrementing by 0x7EFF0, it seems to not get the 0x18 bugcheck at all with that number. The one it gets if you run it too soon is a different bugcheck.
Don't PM me for help, post on the forums. I won't respond to basic questions.

I wrote and maintain the jailbreak scripts for Windows RT.

Tablet: Microsoft Surface RT 32GB, Type Keyboard
Phone: Samsung Galaxy Note III

Helpful Windows RT Links:
Windows RT Jailbreak Tool
List of ported apps
Disabling Windows Update
The Following 2 Users Say Thank You to netham45 For This Useful Post: [ Click to Expand ]
 
merill
Old
#4  
merill's Avatar
Junior Member
Thanks Meter 2
Posts: 9
Join Date: Apr 2009
Location: Melbourne
Default Install Fails

Brilliant!

I tried running it but it keeps going in an endless cycle because the Metro app fails to install.

Using a Surface with the latest patches from Microsoft.
Microsoft Surface Lover
The Following User Says Thank You to merill For This Useful Post: [ Click to Expand ]
 
netham45
Old
#5  
Recognized Developer - OP
Thanks Meter 540
Posts: 863
Join Date: Jun 2009
Location: Denver

 
DONATE TO ME
Quote:
Originally Posted by merill View Post
Brilliant!

I tried running it but it keeps going in an endless cycle because the Metro app fails to install.

Using a Surface with the latest patches from Microsoft.
Does it give you any error messages when it fails to install?
Don't PM me for help, post on the forums. I won't respond to basic questions.

I wrote and maintain the jailbreak scripts for Windows RT.

Tablet: Microsoft Surface RT 32GB, Type Keyboard
Phone: Samsung Galaxy Note III

Helpful Windows RT Links:
Windows RT Jailbreak Tool
List of ported apps
Disabling Windows Update
The Following User Says Thank You to netham45 For This Useful Post: [ Click to Expand ]
 
sebmaster16
Old
(Last edited by sebmaster16; 10th January 2013 at 12:31 PM.)
#6  
Junior Member
Thanks Meter 1
Posts: 6
Join Date: Jul 2010
Quote:
Originally Posted by netham45 View Post
Does it give you any error messages when it fails to install?
When installing the metro app, the installation fails because the certificate isn't added to the cert-store by default and the batch just tries again.

I uncommented the #Pause in PrintMessageAndExit to read the error message and that made it possible to choose to install the certificate, the powershell just closed otherwise.

After that the metro app installs fine, and tries to start it. I can see the app start, though the cmd still doesn't recognize it and tries to install it again...

I wrote my own metro app for that today and installed it instead of yours and it worked fine with mine.
My App is just this:

Quote:
protected override void OnFileActivated(FileActivatedEventArgs args) {
WriteAddress((StorageFile)args.Files[0]);
}

private async void WriteAddress(StorageFile file) {
using (Stream s = await file.OpenStreamForWriteAsync()) {
using (StreamWriter wrt = new StreamWriter(s)) {
uint adr = GetKernelAddress.Address.Get() + 0x19FFBC;
await wrt.WriteAsync((adr & 255).ToString("X2") + " " + ((adr >> 8) & 255).ToString("X2") + " " + ((adr >> 16) & 255).ToString("X2") + " " + ((adr >> 24) & 255).ToString("X2"));
}
}

App.Current.Exit();
}
The Following User Says Thank You to sebmaster16 For This Useful Post: [ Click to Expand ]
 
netham45
Old
#7  
Recognized Developer - OP
Thanks Meter 540
Posts: 863
Join Date: Jun 2009
Location: Denver

 
DONATE TO ME
Quote:
Originally Posted by sebmaster16 View Post
When installing the metro app, the installation fails because the certificate isn't added to the cert-store by default and the batch just tries again.

I uncommented the #Pause in PrintMessageAndExit to read the error message and that made it possible to choose to install the certificate, the powershell just closed otherwise.

After that the metro app installs fine, and tries to start it. I can see the app start, though the cmd still doesn't recognize it and tries to install it again...

Having the same issue, uncommenting the pause seems to fix it all for me. I'll update the zip in the top in just a second.

Edit: New zip with that uncommented uploaded.
Don't PM me for help, post on the forums. I won't respond to basic questions.

I wrote and maintain the jailbreak scripts for Windows RT.

Tablet: Microsoft Surface RT 32GB, Type Keyboard
Phone: Samsung Galaxy Note III

Helpful Windows RT Links:
Windows RT Jailbreak Tool
List of ported apps
Disabling Windows Update
The Following User Says Thank You to netham45 For This Useful Post: [ Click to Expand ]
 
merill
Old
#8  
merill's Avatar
Junior Member
Thanks Meter 2
Posts: 9
Join Date: Apr 2009
Location: Melbourne
Metro app failed to run. Trying to (re)install the metro app...

Found certificate: C:\Users\Merill\Downloads\RT_Jailbreak\bin\ModernU I_App\Get Kernel Base_1.0.

Before installing this package, you need to do the following:
- Install the signing certificate
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At C:\Users\Merill\Downloads\RT_Jailbreak\bin\ModernU I_App\Add-AppDevPackage.ps1:497 char:9
+ $IsAlreadyElevated = ([Security.Principal.WindowsIdentity]::GetCurrent() ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ( [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
Microsoft Surface Lover
 
netham45
Old
#9  
Recognized Developer - OP
Thanks Meter 540
Posts: 863
Join Date: Jun 2009
Location: Denver

 
DONATE TO ME
Quote:
Originally Posted by merill View Post
Metro app failed to run. Trying to (re)install the metro app...

Found certificate: C:\Users\Merill\Downloads\RT_Jailbreak\bin\ModernU I_App\Get Kernel Base_1.0.

Before installing this package, you need to do the following:
- Install the signing certificate
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At C:\Users\Merill\Downloads\RT_Jailbreak\bin\ModernU I_App\Add-AppDevPackage.ps1:497 char:9
+ $IsAlreadyElevated = ([Security.Principal.WindowsIdentity]::GetCurrent() ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ( [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
Try the new zip I just uploaded, I believe I fixed that.

Edit: I see what happened. The file that MS distributes has a signature at the bottom which allows it to make unrestricted system calls and when I commented out the pause I broke that.
Don't PM me for help, post on the forums. I won't respond to basic questions.

I wrote and maintain the jailbreak scripts for Windows RT.

Tablet: Microsoft Surface RT 32GB, Type Keyboard
Phone: Samsung Galaxy Note III

Helpful Windows RT Links:
Windows RT Jailbreak Tool
List of ported apps
Disabling Windows Update
The Following 2 Users Say Thank You to netham45 For This Useful Post: [ Click to Expand ]
 
windowsrtc
Old
#10  
Member
Thanks Meter 31
Posts: 94
Join Date: Nov 2012
Very Nice job! Thank you again!

Tags
hack, jailbreak, windows, windows rt, winrt
THREAD CLOSED
Subscribe
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes