Windows RT 8.1 anti-jailbreak differences

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
228
mamaich-eng.blogspot.ru
Some good news:

There is a method of booting with any unsigned EFI file (for example Linux GRUB) on Asus VivoTab devices with the recent firmware.
This also allows loading a "cracked" bootmgfw.efi that does not check for signatures of Windows kernel modules, and after patching the ci.dll - you'll be able to run any app or load any unsigned driver (even the boot-mode driver, unlike the 8.0 jailbreak).

The limitations of my method:
- It works only on Asus VivoTab RT tablets. Surface is not supported due to differences in UEFI firmware modules.
- Bitlocker should be disabled (manage-bde.exe -protectors -disable c: )
- There would be a line stating that secureboot is incorrectly set up, you can see it in the lower-right corner of the screenshot.
- The most inconvenient thing: it requires a FAT32-formatted USB stick with a "hack" file to be inserted on boot.
And, obviously, the "hole" could be closed by Asus in one of the next firmware updates. So Windows Update should be switched to manual mode (8.1 allows selecting this from the GUI).

So this should be considered as a temporary method until something universal is found. But it can be used to start developing Linux (or Android) for Tegra3.
I'll publish the instructions after 8.1 is released.
 
windowsrtc

Senior Member
Nov 21, 2012
94
35
Some good news:

There is a method of booting with any unsigned EFI file (for example Linux GRUB) on Asus VivoTab devices with the recent firmware.
This also allows loading a "cracked" bootmgfw.efi that does not check for signatures of Windows kernel modules, and after patching the ci.dll - you'll be able to run any app or load any unsigned driver (even the boot-mode driver, unlike the 8.0 jailbreak).

The limitations of my method:
- It works only on Asus VivoTab RT tablets. Surface is not supported due to differences in UEFI firmware modules.
- Bitlocker should be disabled (manage-bde.exe -protectors -disable c: )
- There would be a line stating that secureboot is incorrectly set up, you can see it in the lower-right corner of the screenshot.
- The most inconvenient thing: it requires a FAT32-formatted USB stick with a "hack" file to be inserted on boot.
And, obviously, the "hole" could be closed by Asus in one of the next firmware updates. So Windows Update should be switched to manual mode (8.1 allows selecting this from the GUI).

So this should be considered as a temporary method until something universal is found. But it can be used to start developing Linux (or Android) for Tegra3.
I'll publish the instructions after 8.1 is released.
Would you please tell me how to patch the ci.dll? I want to lock my Windows 8 Pro for security reasons.
 

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
228
mamaich-eng.blogspot.ru
Would you please tell me how to patch the ci.dll? I want to lock my Windows 8 Pro for security reasons.

My patch is for removing an enforced lock.
And you don't need to patch anything for "locking" Windows. The functionality is there since Windows XP. Google for "software restriction policies", there are even videos on this topic.
 

windowsrtc

Senior Member
Nov 21, 2012
94
35
My patch is for removing an enforced lock.
And you don't need to patch anything for "locking" Windows. The functionality is there since Windows XP. Google for "software restriction policies", there are even videos on this topic.


Software restriction policies don't work for me. I am running a testing environment that contains many viruses. I want to lock the OS first and then trace the virus behaviour.
 

Myriachan

Senior Member
Feb 11, 2013
117
175
- There would be a line stating that secureboot is incorrectly set up, you can see it in the lower-right corner of the screenshot.

I know how to change that message to say whatever we want. =) I was thinking of naming it like, "Jailbreak Activated".

I'm going to write a kernel driver that smacks ci.dll and ntoskrnl.exe in the right places, and make a hack to change the watermark. The watermark can be hacked with either a kernel driver (obviously) or with an Explorer shell extension. These two tools can be loaded by whichever initial hack--it's looking like your hack will be the first. =)

I now know who I can ask to make the Russian translation of the message for me =^-^=

How do you change the Windows Update policy with the UI in 8.1? I don't see the Change Settings option that I do on my PC.
 

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
228
mamaich-eng.blogspot.ru
How do you change the Windows Update policy with the UI in 8.1? I don't see the Change Settings option that I do on my PC.

There is an option in the "metro" control panel that lets you select any setting and apply it, but it always resets itself to "automatic updates" the next time you open it, so I was wrong here. I hope that this is a bug :(
I've changed this setting via the MMC "group policy" console (run - mmc.exe - add snapin - group policy blablabla - computer - administrative templates - windows components - windows update). You can select the option "download and ask to install". I have not tested it as there are no updates to install now.
This is the same as editing the registry: it sets the same key as a result, but unlike registry editing this setting would be regularly reapplied.
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,933
Seattle
"Probably." That is a pointless question to ask.

Does the current hack work on 8.1? No.
Is the exploit that the current hack uses fixed in 8.1? No.
Are there other attack vectors we could use? Yes.
Do we currently have a working exploit that works on all RT 8.1 devices? No.
Are we looking for one? Yes.
Do we currently have a working hack for at least one RT 8.1 device family? Yes.
Are any of these "bottom line" answers? No, of course not.
 

Myriachan

Senior Member
Feb 11, 2013
117
175
Is the exploit that the current hack uses fixed in 8.1? No.

A more accurate way to state this, for technically-minded people reading the thread:

The raw exploit used to attack the kernel has not been fixed, but access to the place where we need to be in order to make use of the exploit has been blocked off.
 

coluwyvurne

Member
Jan 21, 2009
6
0
A more accurate way to state this, for technically-minded people reading the thread:

The raw exploit used to attack the kernel has not been fixed, but access to the place where we need to be in order to make use of the exploit has been blocked off.

And the community here has faith that it will only be a matter of time before one of you discovers a workaround which enables you to use the exploit again...
...or that Microsoft will come to its senses after seeing the interest that has been generated in developing/recompiling desktop apps for Windows RT and provides the option allowing end users to run unsigned code at their own risk. (one can dream :angel:)

Anyways, thank you netham45, mamaich, and Myriachan for all your hard work!!
 

bigsnack

Senior Member
Feb 5, 2011
922
44
A bit related, but is the Vivo Tab the only one with that exploit, or do Lenovo's RT devices also have a similar exploit?
 

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
228
mamaich-eng.blogspot.ru
A bit related, but is the Vivo Tab the only one with that exploit, or do Lenovo's RT devices also have a similar exploit?
If you are talking about the ability to run any unsigned EFI module (like the Windows loader with removed signature checks), then it has currently been tested to work only on VivoTab devices and not to work on Surface. It is based on the Nvidia code, so devices based on other CPUs would not be supported.

But there would definitely be ways to jailbreak 8.1. For example I have several ideas to test, but currently don't have time for that.
 

jtg007

Senior Member
Jul 8, 2012
76
18
Well the Yoga 11 RT is also NVidia based like the Surface RT and Vivo RT.

What mamaich meant was that the current 8.1 exploit is specific to the Vivo Tab - that means no on the Yoga, for now. The 8.1 exploit has more to do with Asus's drivers than Nvidia's, to my knowledge.

 
It looks like they locked out the jailbreak from 8.1 by invalidating all old signatures. Windows RT 8.1's ci.dll does not trust the "1.3.6.1.4.1.311.10.3.6" OID in certificates anymore, only a new "1.3.6.1.4.1.311.10.3.21" OID. Both are required now....
I was reading through Sideload Windows Store Apps. Is it possible to install the 8.0 certificate on an 8.1 device and then side load the needed tools (for example, the debugger)?
 

Myriachan

Senior Member
Feb 11, 2013
117
175
I was reading through Sideload Windows Store Apps. Is it possible to install the 8.0 certificate on an 8.1 device and then side load the needed tools (for example, the debugger)?

Sadly, no, for two reasons. The first is that Windows RT's enforcement of what is allowed to run is enforced by the same kernel driver that enforces what kernel drivers can run, ci.dll. ci.dll has a hard-coded list of certificates that it trusts and there is no way to add additional certificates.

The second is that the certificates aren't really the problem - the object identifiers (OIDs) are. Windows 8.1 didn't invalidate the 8.0 certificates in the ordinary certificate revocation sense; rather, they changed ci.dll to require that a new OID be present in any signature for it to be trusted in 8.1. None of the 8.0 signatures have this OID.

Windows Apps seem to use a different signature system overall. Unsigned Apps can be used if you have a developer certificate, and Apps installed by 8.0 are still valid in 8.1. Similarly, there is something special going on for sideloading. I don't personally know how any of that works, but I do know that sideloading isn't useful, because the privilege level of Apps is too low to be useful for much of anything.

By the way, progress on breaking 8.1:

https://twitter.com/Myriachan/statuses/365350790803619840
 

geniv

Member
Feb 10, 2010
22
2
I REALLY hope Microsoft pulls its head out of its rear end and lets users run 3rd party "non signed/MS app store" apps.

I understand it is a security risk but look how Android does it. There is a toggle to install apps outside of the ecosystem/store.

After switching from a Surface RT to an XPS10 and finding out the jailbreak doesn't work, the tablet loses 50% of its usability for me.

MS STOP BEING JERKS AND LET US USE 3RD PARTY APPS.

It will really increase developers for your platform and customers by getting it more apps.

I'm a big Android fan but after trying the Surface/XPS10 I really like Windows RT, but this issue is keeping me away from buying any of the newer devices.
 
Top Liked Posts

  • 11
    It looks like they locked out the jailbreak from 8.1 by invalidating all old signatures. Windows RT 8.1's ci.dll does not trust the "1.3.6.1.4.1.311.10.3.6" OID in certificates anymore, only a new "1.3.6.1.4.1.311.10.3.21" OID. Both are required now. How it works is, if a certain configuration bit is not set in the call to CipMinCryptToSigningLevel, attempting to load an executable with a *10.3.6 OID on the certificate but not a *10.3.21, CipMinCryptToSigningLevel will explicitly fail with STATUS_INVALID_IMAGE_HASH--it won't even bother to consider it a 0 signing level.

    I bet that this time, they will not give device manufacturers anything but executables that require booting Windows in test mode, something only Microsoft and device manufacturers can accomplish due to Secure Boot.

    Microsoft Office's executables are signed with both the 2010 and 2011 keys, presumably so that it can run on both 8.0 and 8.1.

    Visual Studio 2012's remote debugger doesn't work anymore, either. I bet that they're working on further locking down the remote debugger to avoid letting us use it to jailbreak.

    The only good news I see is that NtUserSetInformationThread sub 7--the kernel exploit--has not been fixed.
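The OID rule described in this post and in the earlier reply about sideloading, modelled as an added example (not code from the thread or from ci.dll): it DER-encodes an ExtendedKeyUsage value carrying the two OIDs quoted in the post, decodes it back, and applies the 8.1 decision. The DER helpers, the function names and the `legacy_bit_set` flag standing in for the unnamed configuration bit are my own assumptions.

```python
OID_WIN_SYSTEM_COMPONENT = "1.3.6.1.4.1.311.10.3.6"   # trusted by RT 8.0 ci.dll
OID_WIN_RT_VERIFICATION = "1.3.6.1.4.1.311.10.3.21"   # additionally required by 8.1
STATUS_SUCCESS = 0x00000000
STATUS_INVALID_IMAGE_HASH = 0xC0000428                # NTSTATUS named in the post

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) with base-128 arcs (hand-written helper)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)  # continuation bit on leading bytes
            arc >>= 7
        body += bytes(chunk)
    return b"\x06" + bytes([len(body)]) + body

def encode_eku(oids):
    """DER ExtendedKeyUsage: SEQUENCE OF OID (short-form length only, < 128 bytes)."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + bytes([len(inner)]) + inner

def decode_eku(der):
    assert der[0] == 0x30, "expected SEQUENCE"
    pos, end, oids = 2, 2 + der[1], []
    while pos < end:
        assert der[pos] == 0x06, "expected OBJECT IDENTIFIER"
        n = der[pos + 1]
        body = der[pos + 2:pos + 2 + n]
        arcs, val = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:  # last byte of this arc
                arcs.append(val)
                val = 0
        oids.append(".".join(map(str, arcs)))
        pos += 2 + n
    return oids

def signing_decision(eku_der, legacy_bit_set=False):
    """(verdict, nt_status) for an image whose signer carries this EKU (assumed model)."""
    oids = decode_eku(eku_der)
    has_old = OID_WIN_SYSTEM_COMPONENT in oids
    has_new = OID_WIN_RT_VERIFICATION in oids
    if has_old and has_new:
        return ("trusted", STATUS_SUCCESS)
    if has_old and not legacy_bit_set:  # 8.1: explicit failure, no level-0 fallback
        return ("rejected", STATUS_INVALID_IMAGE_HASH)
    return ("signing level 0", STATUS_SUCCESS)
```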
    3
    Is anyone else working on this?
    I dimly remember some other devs working on this before abandoning their efforts due to OP claiming to come out with a fix "soon" ... this obviously was all just a load of BS, so I thought it might be a good idea to circle back to some of the other devs ...
    3
    I upgraded foolishly thinking that there would be a way to jailbreak. Luckily, I was able to downgrade back to RT 8.0. I use my Surface RT as a second screen to my laptop on the road so I NEED Synergy. I also use SumatraPDF as my default PDF reader because the Windows Store readers are terrible. Microsoft just doesn't get it. I understand it is a security hole and must be fixed but at least provide a "DEVELOPER OPTION" that allows you to run applications in desktop mode that are unsigned. If you enable "DEVELOPER OPTION" a warning box comes up with disclaimers, etc. Google figured this out with Android. Why does Microsoft have to be so dense.