[Q] Mod Windows RT to enable Remote Desktop


TFGBD

Senior Member
Mar 9, 2005
91
23
I just came across this program called "RDP Wrapper Library"
http://stascorp.com/load/1-1-0-63
It patches the RDP API in RAM so the system files aren't modified at all. In this sense it is similar to commercial solutions like Thinstuff XP/VS. It seems to be based on the ProductPolicy method that was mentioned earlier in this thread. It's also open source so maybe it can be compiled for ARM and run on jailbroken devices!
 
  • Like
Reactions: x86corez

x86corez

Member
Mar 27, 2011
6
3
I just came across this program called "RDP Wrapper Library"

It's also open source so maybe it can be compiled for ARM and run on jailbroken devices!
First of all, it's just not enough to port RDP Wrapper to the ARM platform. As you can see in the source code, for Win 8 (as for Win RT) it's required to add an internal function signature, which will then be intercepted.

I never had any dealings with ARM-based PE binaries, but I think it's very interesting. I will research it.

By the way, I'm the creator of RDP Wrapper Library project :)
 

x86corez

Member
Mar 27, 2011
6
3
Here are the offsets for termsrv.dll [ARMv7, 6.2.9200.16384] from the first post:

termsrv.dll+5F934 ; long __cdecl SLGetWindowsInformationDWORDWrapper(unsigned short const *, unsigned long *)
termsrv.dll+61D64 ; public: static long __cdecl CSLQuery::Initialize(void)

termsrv.dll+733FC ; private: static int CSLQuery::bFUSEnabled
termsrv.dll+73400 ; private: static long CSLQuery::lMaxUserSessions
termsrv.dll+73404 ; private: static int CSLQuery::bAppServerAllowed
termsrv.dll+73408 ; private: static int CSLQuery::bInitialized
termsrv.dll+7340C ; private: static int CSLQuery::bMultimonAllowed
termsrv.dll+73410 ; private: static int CSLQuery::bServerSku
termsrv.dll+73414 ; private: static unsigned long CSLQuery::ulMaxDebugSessions
termsrv.dll+73418 ; private: static int CSLQuery::bRemoteConnAllowed
The function SLGetWindowsInformationDWORDWrapper can be hooked to rewrite policy values in real time.
The function CSLQuery::Initialize can also be hooked to write policy values directly into memory.

And for the value offsets, here are the defaults for an RDP server:
Code:
// Fast User Switching is enabled
*bFUSEnabled = 1;
// Unlimit user sessions
*lMaxUserSessions = 0;
// Allow application server
*bAppServerAllowed = 1;
// Initialize function has succeeded
*bInitialized = 1;
// Multi monitor is allowed
*bMultimonAllowed = 1;
// Windows has Server edition (needs for RDP and other functions)
*bServerSku = 1;
// Unlimit debug sessions (I really don't know what is this)
*ulMaxDebugSessions = 0;
// Allow remote connections (to enable RDP listener session)
*bRemoteConnAllowed = 1;
But I don't know how to compile RDP Wrapper for ARM platform.

By the way, can anybody share termsrv.dll version 6.3.9600.16384 and 6.3.9600.17095 from RT 8.1?
 
  • Like
Reactions: coldbloc

x86corez

Member
Mar 27, 2011
6
3
I'm glad to present a new release of the RDP Wrapper Library which now supports Windows 8.1 Basic!

Also I've added some comments about porting it to the ARM platform in the C++ source code. Maybe someone will accept the challenge... ;)
 

x86corez

Member
Mar 27, 2011
6
3
I tried to enable one of the Remote Desktop vars last night, allowRemoteConnections I think it was called, but I didn't get anything from it.
I can guess, it's because TermService is not started and disabled by default on Windows RT (as on the Basic/Core edition).

Try to execute:

Code:
sc config TermService start= auto
sc start TermService
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Of course, you will need to change policy values before executing these commands.
 

TFGBD

Senior Member
Mar 9, 2005
91
23
First of all, it's just not enough to port RDP Wrapper to the ARM platform. As you can see in the source code, for Win 8 (as for Win RT) it's required to add an internal function signature, which will then be intercepted.

I never had any dealings with ARM-based PE binaries, but I think it's very interesting. I will research it.

By the way, I'm the creator of RDP Wrapper Library project :)


Sorry, I hadn't actually looked at the source code when I made the post. I just wanted to make people aware it existed. It was a real pain even finding the thing. :p

I'm glad you found the post here and may actually look into getting it working.

Oh, and thanks for the RDP Wrapper Library. It's a great program! :)
 
  • Like
Reactions: x86corez

kranjan

Member
Jan 14, 2007
9
1
I can guess, it's because TermService is not started and disabled by default on Windows RT (as on the Basic/Core edition).

Try to execute:

Code:
sc config TermService start= auto
sc start TermService
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Of course, you will need to change policy values before executing these commands.

Thanks for the post, I am an end user trying to get this to work. I executed the command above successfully, but I don't know how to change policy values. Is this done through regedit or some other application? Sorry for the amateurish question, but I think it would be really cool to get this to work on my Surface2
 

x86corez

Member
Mar 27, 2011
6
3
Thanks for the post, I am an end user trying to get this to work. I executed the command above successfully, but I don't know how to change policy values. Is this done through regedit or some other application? Sorry for the amateurish question, but I think it would be really cool to get this to work on my Surface2
Hello!

I'm very glad to talk with an owner of a Windows RT device :D
About changing policy values, see this post:
http://forums.mydigitallife.info/threads/39411

I don't know whether Product Policy Editor will run on RT or not, so I think we can do it this way:
1. Export this registry value to a .reg file
Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
Value Name: ProductPolicy
2. I'll try to edit this value with PPE
3. Then I'll send you the modified value in a new .reg file
4. You'll need to reboot your device in Setup Mode (not to be confused with Safe Mode), start Command Prompt (cmd.exe) and import that .reg file
5. Then, after the reboot, try to use RDP

And also, if you have Windows RT 8.1, please share termsrv.dll file from system32 directory.

Thanks for your response!
 

x86corez

Member
Mar 27, 2011
6
3
It seems like everybody forgot about this thread...
But I'm not. ;)

I've committed some experimental patch codes for these builds:
6.2.9200.16384 (Windows RT)
6.3.9600.16384 (Windows RT 8.1)
6.3.9600.17095 (Windows RT 8.1 with KB2959626)

You can view it here:
https://github.com/stascorp/rdpwrap/blob/master/res/rdpwrap-arm-kb.ini

However RDP Wrapper C++ version still needs to be updated to support and to be compiled on ARMv7 architecture. Hope somebody will help with that.

I think, the most complex thing is to implement function hooking.
 

ms_dont_forget_rt

New member
Mar 16, 2016
1
0
It seems like everybody forgot about this thread...
But I'm not. ;)

I've committed some experimental patch codes for these builds:
6.2.9200.16384 (Windows RT)
6.3.9600.16384 (Windows RT 8.1)
6.3.9600.17095 (Windows RT 8.1 with KB2959626)

You can view it here:
...

However RDP Wrapper C++ version still needs to be updated to support and to be compiled on ARMv7 architecture. Hope somebody will help with that.

I think, the most complex thing is to implement function hooking.

Great!
I can compile your code with VS2013.
TermService does not seem to have port 3389 open.
Some advice?
 
It seems like everybody forgot about this thread...
But I'm not. ;)

I've committed some experimental patch codes for these builds:
6.2.9200.16384 (Windows RT)
6.3.9600.16384 (Windows RT 8.1)
6.3.9600.17095 (Windows RT 8.1 with KB2959626)

You can view it here:
https://github.com/stascorp/rdpwrap/blob/master/res/rdpwrap-arm-kb.ini

However RDP Wrapper C++ version still needs to be updated to support and to be compiled on ARMv7 architecture. Hope somebody will help with that.

I think, the most complex thing is to implement function hooking.
To resurrect a very old thread...

I've managed to get this modified and compiled on VS2017 targeting the ARM architecture. While the service seems to run and the hooks look right when I look at the memory in WinDbg (including 1 being added in one of the jumps to indicate Thumb instructions), there is nothing listening from the device. Also, stopping the service usually takes two or three attempts, which doesn't seem right.

To rule out the obvious stuff, I already set up the firewall to allow port 3389 and set fDenyTSConnections to 0. Later on, I even tried importing the entirety of the Rdp-Tcp registry key from an x86 Win8.1 installation.
Since I have zero clue on porting Delphi applications (like the installer) to ARM, I tried installing it manually by copying rdpwrap.dll and rdpwrap.inf (the ARM version) to the System32 directory and changing the TermService DLL to rdpwrap.dll.

The logs are attached (rdpwrap.txt.gz). There is a lot in there from the many times I tried fiddling with things, so the most relevant stuff is probably near the end of the log. Source code, binaries, and debug symbols are attached in rdpwrap_ARM-test.zip. The only source file I modified in there was rdpwrap_ARM-test\rdpwrap-master\src-x86-x64-Fusix\RDPWrap.cpp.

Hopefully, someone finds this helpful and can help get it working. Maybe I'm missing something yet, maybe the patch doesn't work, but either way, this is probably as close as we've come to getting this working so far.

EDIT - Here's what I'm for sure missing: Even if RDP Wrapper works fine on ARM, RDP itself still won't work because the code that would listen for connections is #ifdef'd out for the ARM32 architecture. Unless code can be adapted from build 8061 (where RDP works) or custom functionality is created, there will be no RDP on Windows RT, simply because the relevant code is absent.
 

Attachments

  • rdpwrap_ARM-test.zip
    43.5 MB · Views: 8
  • rdpwrap.txt.gz
    823 bytes · Views: 6
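
The manual install described in the last post (TermService pointed at rdpwrap.dll, fDenyTSConnections set to 0) and the earlier `sc config` step leave registry traces that can be checked from a .reg export. This is an added example, not part of the thread or of RDP Wrapper; the sample export is constructed, and the function names and the `Services\TermService\Parameters\ServiceDll` location are supplied here rather than taken from the posts.

```python
import re

TS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"

def expand_sz(text):
    """Encode text as regedit exports REG_EXPAND_SZ: hex(2), UTF-16LE, wrapped lines."""
    cells = [f"{b:02x}" for b in (text + "\0").encode("utf-16-le")]
    rows = [",".join(cells[i:i + 20]) for i in range(0, len(cells), 20)]
    return "hex(2):" + ",\\\n  ".join(rows)

# Constructed sample export (not from the thread); real exports are UTF-16 text files.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{TS}]", '"fDenyTSConnections"=dword:00000000', "",
    f"[{SVC}]", '"Start"=dword:00000002', "",
    f"[{SVC}\\Parameters]",
    '"ServiceDll"=' + expand_sz(r"%SystemRoot%\System32\rdpwrap.dll"), ""])

def parse_reg(text):
    """Return {key: {value_name: value}} (names lower-cased) for dword and hex(2) data."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join wrapped hex continuation lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.+)$', line)):
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith("dword:"):
                current[name] = int(data[6:], 16)
            elif data.startswith("hex(2):"):
                raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
                current[name] = raw.decode("utf-16-le").rstrip("\0")
    return keys

def audit(keys):
    """List the RDP-related settings from the thread that are present in the export."""
    findings = []
    if keys.get(TS.lower(), {}).get("fdenytsconnections") == 0:
        findings.append("fDenyTSConnections=0 (remote connections allowed)")
    if keys.get(SVC.lower(), {}).get("start") == 2:
        findings.append("TermService start type is automatic")
    dll = keys.get((SVC + r"\Parameters").lower(), {}).get("servicedll", "")
    if dll and not dll.lower().endswith(r"\termsrv.dll"):
        findings.append("ServiceDll is not termsrv.dll: " + dll)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_reg(SAMPLE_REG))))
```

On Windows editions that support hosting Remote Desktop, the first two findings are ordinary configuration; the ServiceDll change is the one specific to the wrapper install described above.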

Top Liked Posts

  • 2
    In the past, Windows has had editions for consumers that did not include Remote Desktop enabled. Usually there was a patch to enable it. Recently it has been proved how there is almost no difference between Windows 8 and Windows RT and that RT is just a port of Windows 8. So what about all the system files? They can be changed just like x86 Windows. So what about enabling Remote Desktop, so we don't need an ARM remote app that we need to unlock Windows for, and we can use what comes with Windows. In the past we modified the termsrv.dll file and changed some registry settings. I've included the Windows 8 and the Windows RT versions of termsrv.dll so that maybe some clever ones might try and crack a solution to enabling it on Windows RT. :)
    1
    Should be possible using the Remote Debugging Tools or, even better, cdb. Put it in a .cmd file in autorun and voila :)
    1
    I've already posted a method that should enable RDP here: http://xdaforums.com/showpost.php?p=36386089&postcount=211 - no need to patch the DLL, and it would work on a locked device. But you'll have to manually edit a binary registry value, instead of using a provided tool.
    I have not tested RDP, but after using this method I was able to recover an option of joining device to Active Directory domain (it was blocked by the similar policies).

    I tried to enable one of the Remote Desktop vars last night, allowRemoteConnections I think it was called, but I didn't get anything from it.