[Release] RT Jailbreak Tool
RT Jailbreak Tool
By Netham45, Version 1.20
An all-in-one program to jailbreak Windows RT tablets using the method recently released by clrokr
Boot your RT device and log in, allow it to sit on the desktop for about a minute.
Extract all files out of the latest version of the .ZIP attached to this post. To do this on Windows RT, right-click on the .zip, choose 'Extract all', and select the destination folder.
Run runExploit.bat. It'll prompt you to either install the jailbreak to run on login, uninstall it not to, or run the jailbreak once.
Choose an option and follow all subsequent prompts. They're all quite easy and self-explanatory.
Q) What does this do, in layman's terms?
A) It allows non-Microsoft ARM-compiled .exes to run on the desktop. That is it.
Update (03/01/2013): The jailbreak now allows unsigned drivers to load.
Q) Can I use this to run Photoshop, Steam, AutoCAD, <Insert commercial product here>?
A) While it is -technically- possible for the companies to port their stuff over to Windows RT using the hack it is extremely unlikely. As a rule of thumb, if it's a commercial piece of software it won't run on the ARM.
Q) Can I use this to run PuTTY, VNC, X-Chat, <Insert open-source product here>?
A) Yes! Open-source programs are ones that you, having the source code, can recompile to work on the ARM. If it's not already available (A small but growing number of programs are) it's easy to get started. There are some useful threads in the Windows 8 Development and Hacking board on XDA-Developers.
Please note that not all programs can reasonably be ported over to ARM, due to either program complexity, overuse of inline assembly, or the current lack of a GNU Compiler
Q) Can I use this to run any random x86 app I find on the internet?
A) No. Apps must be recompiled for ARM. Stop asking why Chrome doesn't run.
Q) Can I use this to hack my Android tablet?
A) Not really. Most Android hacks require custom kernel-mode drivers (APX, Odin, ADB all require drivers that are unavailable), and this hack only allows us to run unsigned User-mode code.
If you don't know the difference between User-mode and Kernel-mode, I'm sure Wikipedia has a good article on the subject.
Q) Will Chrome/Firefox be ported over?
A) I don't see any major technical hurdles for those, but I probably won't be the one to do it.
Q) Are there any precompiled apps for this available?
A) Check out THIS THREAD
for a list of all currently known compiled apps.
Q) I ran the jailbreak, now where can I download pirated apps from?
A) Nowhere. This jailbreak does not allow for pirated apps, and it is a long ways off from actually supporting pirated apps. If you manage to get pirated apps to run on Windows RT you will be doing the entire community a large disservice, along with ruining what credibility this hack may have in Microsoft's eyes.
Q) I don't know how to recompile code, can I get someone else to do it?
A) If it's a simple project you can likely find someone who will be more than happy to recompile it for you. If it's a large project with numerous dependencies, or a commercial project, I will be willing to take a look at it and quote a price to do it. (On that note, please realize that I am not affiliated with XDA-Developers at all.)
Q) I keep BSoD'ing! What's up?
A) I haven't managed to track down the cause of the BSoDs, except that they seem to happen when the exploit is ran within the first minute or so of the tablet booting and logging in. If you're getting BSoDs, boot your tablet to the desktop and wait 2 or 3 minutes before trying the exploit. Also, make sure that you're up to date with Windows Updates, as of 2/26/2013.
Q) I ran the .bat and it told me it couldn't find it's bin folder. What's wrong?
A) Extract the ZIP in entirety. Don't just open the ZIP and double-click on the runExploit.bat.
Q) It's not working! What do?
A) Post in this thread describing what you're doing and the issue you're having, do not PM me, even if you don't have the number of posts to post in the developer sections. I'll consider it spam and disregard it. Don't message me on Twitter either, the only place that I will provide support for this tool is in this thread.
Q) Is this persistent across reboots?
A) No, it resets every time the device reboots.
Q) Is this a tethered exploit?
A) No. Tethering is connecting the device to a computer, or other device to jailbreak it. This is done entirely on the device. It just has to be redone at reboot.
Q) Will this work with all the latest updates, as of 02/26/2013?
A) There was an updated .zip posted for the latest update (Patch Tuesday, Feburary 2013.) It should work.
Q) How do I compile apps for the Surface RT? It says I'm missing a bunch of .libs!
A) Visual Studio 2012 does not come with all the required ARM .libs for compiling most desktop apps. Please see THIS
post by _peterdn for a useful utility for generating .libs and .exps from the .dlls on the tablet.
Q) Why would you want desktop apps? They suck for touch.
A) Mainly for the library of easily ported software, along with the things that metro apps just can't do. I agree, they're more inconvenient to use with touch, but that's the tradeoff for having a huge library of software. You also don't have to use desktop mode, the tablet still is quite good without it (Except the mail client). I also believe that since it's my device I should be able to do whatever I want with it, regardless of what MS says. Traditionally MS has leaned the same way with Windows, which makes it rather disappointing they chose to lock this platform down.
Q) Will this void my warranty?
A) Since it doesn't persist across reboots chances are the support center will never know, though it may be against the terms of your devices warranty.
Q) Is there any warranty for this program?
A) No express or implied warranty exists.
Q) Your hack caused the paint to chip off my tablet, the felt to peel off my type keyboard, the kickstand to fall off, and my tablet to display nothing but satanic messages while it's on! I want you to buy me a new one!
A) No it didn't, and see my warranty policy.
Q) Can Microsoft patch this?
A) Yes and no. They can patch it through Windows Update, but since we have the ability to reinstall from recovery partitions we can revert any Windows Updates they release.
Q) Will this allow people to run viruses on my tablet?
A) Yes and no, if something malicious is compiled and ran while jailbroken it could act like a virus, yes. Once you reset, though, it'll be gone.
Q) I came across a malicious RT application! Who do I tell?
A) If it's a jailbroken application then the most you can do is make a post informing about it. That's one downside to having unsigned code, there's no one regulating body who can decide what is and isn't available, and manage safety. If it's a store application then I suggest you contact Microsoft. If it's a Modern UI app that requires the jailbreak to run you still may have luck contacting Microsoft, as they can blacklist the developer's certificate.
Q) Can any random Store app do this?
A) No, this requires tools and privileges that Windows Store apps can't possess. The appcontainer model that MS uses is very strict and good at preventing things like this from happening. There's a number of things that flat-out aren't possible to do from a Store app that this uses, not to mention that it would get rejected by MS.
Q) Will I (The user) get my developer license banned?
A) It's possible, though I doubt that MS will do that.
Update: With the new payload (as of 1/18/2013) users no longer need to get their own developer certificate.
Q) Won't you (Netham45) get your developer license banned?
A) Time will tell, I knew the risk when I posted this. I suspect that their banning system is more geared towards piracy, though, which this doesn't really enable.
Update: With the new payload (as of 1/18/2013) my developer certificate is no longer required.
Q) I've got this great feature/idea for the jailbreak! Where can I tell you at?
A) Post it in this thread. Note that the area where we can script and such before the exploit is limited and restricted to pretty much batch scripts, and that I am under no obligation to implement a feature if you suggest it. And, seriously, do not PM me about it. If you don't have the prerequisite number of posts to post in the developer section then go get them.
Q) Can I throw money at you for writing the tool to automate this?
A) There's a donate link on the side of this post. (I'd love to get a Surface Pro.
Q) Can I throw money at clrokr for documenting the exploit?
A) You'll have to talk to him about that.Here's his profile.
FAQ last updated 2/26/2013 10:17 PM MST
Thanks to clrokr for documenting the usage of the exploit, and to the numerous people who contributed positively in the [Q] Hacking Windows RT to Run Desktop Apps
Download is attached to this post.
Update 1.01(1/10/2013): Uncommented pause in the PS script to install the ModernUI app -- It was causing it not to prompt to install a developer license/my cert for some reason.
Update 1.02(1/10/2013): Fixed issue on non-English devices.
Update 1.03(1/11/2013): Fixed issue with usernames with spaces in them, fixed issue where the user running the jailbreak isn't the first user logged in
Update 1.1(1/18/2013): Redid functionality; it now gets the kernel base inside the payload, instead of requiring a Metro application. Added a startup folder that gets ran after jailbreak. Cleaned up output. Click for more info
Update 1.11(1/18/2013): Added commandline options, added a simple interface to handle creating scheduled tasks to run, added a powershell script to keep it from running if the system hasn't been up for two minutes, added missing startup folder, added sanity check so it doesn't freak out if the startup folder isn't there
Update 1.12(2/12/2013): Fixed the scheduled task to not require AC power to run, tweaked script to not crash on latest patches, Fixed startup folder not getting executed properly
Update 1.12a(2/12/2013): Fixed it to actually work on the latest updates. Oops.
Update 1.13(2/14/2013): Added the ability to dynamically get the signing level. It now requires internet on the first launch, and after an update changes ntoskrnl.exe. This version is slightly experimental, so if it doesn't work use one of the older versions.
Update 1.13a(2/15/2013): Tweaked the script to return from the hook in a way that seems more robust. If 1.12a or 1.13 work for you there's no need for an update.
Update 1.20(3/01/2013): Made the bat use registry keys instead of files in system32, added registry-based startup folder, altered payload to support unlocking kernel-mode code
Older versions may be downloaded here
(Note: If you wish to mirror this post please retain a link to it at http://forum.xda-developers.com/show....php?t=2092158
so users can always get the latest version.)