[Q] Mod Windows RT to enable Remote Desktop

By sionicion, Member on 11th January 2013, 07:02 AM
11th January 2013, 06:04 PM |#11  
OP Member
Quote:
Originally Posted by mamaich

I've already posted a method that should enable RDP here: http://forum.xda-developers.com/show...&postcount=211 - no need to patch DLL, and would work on a locked device. But you'll have to manually edit binary registry value, instead of using a provided tool.
I have not tested RDP, but after using this method I was able to recover an option of joining device to Active Directory domain (it was blocked by the similar policies).

Wouldn't both methods work though? Your method works by enabling features from other editions by telling Windows that's what edition it is running. It disables it when the Software Protection service restores it to the original template according to the edition. By patching the DLL file, you could trigger Remote Desktop to work without it needing to check in with the kernel policies.

I mean unless you have a way to modify these policies without all the extra occurring, it would work. But Bitlocker and the Software Protection service getting involved...it just sounds like a lot of extra work for something much bigger in the end, and I know there must be an easier way to force Remote Desktop to work without listening to these policies because it has been done in the past.
 
 
11th January 2013, 07:12 PM |#12  
Inactive Recognized Developer
Quote:
Originally Posted by mamaich

I've already posted a method that should enable RDP here: http://forum.xda-developers.com/show...&postcount=211 - no need to patch DLL, and would work on a locked device. But you'll have to manually edit binary registry value, instead of using a provided tool.
I have not tested RDP, but after using this method I was able to recover an option of joining device to Active Directory domain (it was blocked by the similar policies).

I tried to enable one of the Remote Desktop vars last night, allowRemoteConnections I think it was called, but I didn't get anything from it.
The Following User Says Thank You to netham45 For This Useful Post
21st January 2013, 04:08 PM |#13  
Quote:
Originally Posted by mamaich

I've already posted a method that should enable RDP here: http://forum.xda-developers.com/show...&postcount=211 - no need to patch DLL, and would work on a locked device. But you'll have to manually edit binary registry value, instead of using a provided tool.
I have not tested RDP, but after using this method I was able to recover an option of joining device to Active Directory domain (it was blocked by the similar policies).

Again, please, if you were able to join an RT to the domain, please let me know what you did. Would love to not get prompted to log in to PowerShell.
22nd January 2013, 01:39 AM |#14  
Retired Recognized Developer
Quote:
Originally Posted by apatcas

Again, please, if you were able to join an RT to the domain, please let me know what you did. Would love to not get prompted to log in to PowerShell.

As I've already written - use this method: http://forum.xda-developers.com/show...&postcount=211
1. Edit registry:
Code:
HKEY_LOCAL_MACHINE\SYSTEM\Setup
SetupType=1
CmdLine="cmd.exe"
and reboot. You will enter the setup mode. You would not see the mouse cursor in this mode, and you'll need a hardware keyboard.
2. Open this reg_binary value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductPolicy. Look for unicode string "WorkstationService-DomainJoinEnabled", it is near offset 0x4000. Look at this screenshot:
http://imageshack.us/photo/my-images/526/35796208.png/
Select the "00" byte that follows the zero byte after the 64 (64 00 == unicode "d" letter) as you see on the screenshot. Overwrite it with 01. Be careful not to insert a byte, you need to overwrite the existing byte!
3. Rename sppsvc.exe to anything else so that it would not run on boot and reset ProductPolicy ("ren sppsvc.exe sppsvc.bak")
4. Reboot. Now the option to join the domain would be available.

I have not tried to add workstation to domain myself - try that and post here. After adding to domain you may try to rename sppsvc.bak back to sppsvc.exe as otherwise you'll get the "unactivated" Windows RT. I think that this would only remove the add to domain UI, but the RT would be still domain-joined.

I've tried to edit the remote desktop settings keys - this unblocked the corresponding options in the computer settings, but I was unable to connect. Maybe this is due to absence of RDP code in terminal server service - I don't see anyone listening on port 3398 though TermServer service is running.
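
The three changes described in the post above (the Setup key values, the overwritten byte after the policy name in ProductPolicy, and the renamed sppsvc.exe) are also what an administrator would look for when checking whether a device was modified this way. The following is an added example, not part of the original post: an offline check in Python over constructed sample data. The `audit`, `policy_byte` and `sample_blob` helpers, the comparison against a known-good baseline export, and the sample blob contents are assumptions made for illustration.

```python
# Added example: offline audit for the three changes described in the post above.
# All inputs are constructed samples; only the registry value names, the policy
# name and the sppsvc.exe file name come from the thread.
POLICY = "WorkstationService-DomainJoinEnabled"


def policy_byte(blob: bytes, name: str = POLICY):
    """Return the byte stored right after the UTF-16LE policy name, or None."""
    needle = name.encode("utf-16-le")
    pos = blob.find(needle)
    if pos < 0 or pos + len(needle) >= len(blob):
        return None
    return blob[pos + len(needle)]


def audit(setup_key: dict, policy_blob: bytes, baseline_blob: bytes, system32: set):
    """Compare a collected snapshot with a known-good baseline; return findings."""
    findings = []
    # Step 1 of the post: SetupType=1 plus CmdLine boots into a setup-mode shell.
    if setup_key.get("SetupType", 0) != 0 and setup_key.get("CmdLine"):
        findings.append(
            f"Setup: SetupType={setup_key['SetupType']} CmdLine={setup_key['CmdLine']!r}")
    # Step 2: one byte after the policy name is overwritten in place.
    cur, base = policy_byte(policy_blob), policy_byte(baseline_blob)
    if cur != base:
        findings.append(f"ProductPolicy: {POLICY} byte {base} -> {cur}")
    # An inserted (rather than overwritten) byte changes the blob length.
    if len(policy_blob) != len(baseline_blob):
        findings.append("ProductPolicy: blob length differs from baseline")
    # Step 3: sppsvc.exe renamed so it cannot restore ProductPolicy.
    if "sppsvc.exe" not in {n.lower() for n in system32}:
        findings.append("sppsvc.exe missing from System32 listing")
    return findings


def sample_blob(flag: int) -> bytes:
    """Constructed stand-in for a ProductPolicy export (not the real layout)."""
    return b"\x00" * 32 + POLICY.encode("utf-16-le") + bytes([flag, 0, 0, 0]) + b"\x00" * 8


BASELINE = sample_blob(0)
CLEAN = audit({"SetupType": 0, "CmdLine": ""}, sample_blob(0), BASELINE,
              {"sppsvc.exe", "cmd.exe"})
MODIFIED = audit({"SetupType": 1, "CmdLine": "cmd.exe"}, sample_blob(1), BASELINE,
                 {"sppsvc.bak", "cmd.exe"})

if __name__ == "__main__":
    for line in MODIFIED:
        print(line)
```
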
22nd January 2013, 01:29 PM |#15  
Quote:
Originally Posted by mamaich

As I've already written - use this method: http://forum.xda-developers.com/show...&postcount=211
1. Edit registry:

Code:
HKEY_LOCAL_MACHINE\SYSTEM\Setup
SetupType=1
CmdLine="cmd.exe"
and reboot. You will enter the setup mode. You would not see the mouse cursor in this mode, and you'll need a hardware keyboard.
2. Open this reg_binary value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductPolicy. Look for unicode string "WorkstationService-DomainJoinEnabled", it is near offset 0x4000. Look at this screenshot:
http://imageshack.us/photo/my-images/526/35796208.png/
Select the "00" byte that follows the zero byte after the 64 (64 00 == unicode "d" letter) as you see on the screenshot. Overwrite it with 01. Be careful not to insert a byte, you need to overwrite the existing byte!
3. Rename sppsvc.exe to anything else so that it would not run on boot and reset ProductPolicy ("ren sppsvc.exe sppsvc.bak")
4. Reboot. Now the option to join the domain would be available.

I have not tried to add workstation to domain myself - try that and post here. After adding to domain you may try to rename sppsvc.bak back to sppsvc.exe as otherwise you'll get the "unactivated" Windows RT. I think that this would only remove the add to domain UI, but the RT would be still domain-joined.

I've tried to edit the remote desktop settings keys - this unblocked the corresponding options in the computer settings, but I was unable to connect. Maybe this is due to absence of RDP code in terminal server service - I don't see anyone listening on port 3398 though TermServer service is running.

Joined... Nice find.
22nd January 2013, 01:47 PM |#16  
Retired Recognized Developer
Quote:
Originally Posted by apatcas

Joined... Nice find.

Has it remained domain-joined after restoring the original sppsvc.exe?
You have to return it back, otherwise you'll be annoyed with the activation reminders.
22nd January 2013, 08:33 PM |#17  
Inactive Recognized Developer
Quote:
Originally Posted by mamaich

Has it remained domain-joined after restoring the original sppsvc.exe?
You have to return it back, otherwise you'll be annoyed with the activation reminders.

We could possibly patch sppsvc to not check, then start the service up after jailbreaking it.

I'm honestly not sure if this would be considered piracy or not, though.

Edit: I used the program to set every value to 1 in setup mode (The latest jailbreak tool works in setup mode), and I didn't see any change for anything dealing with RDP.
Edit 2: Perhaps I shouldn't have set 'Disable' to 1. Regardless, I set it to 0 and the options popped up, but I can't get anything to go. As mamaich stated, I'm not seeing anything listening on port 3389. netstat -a -b on a desktop with it enabled says it's opened by CryptSvc, but I'm not seeing anything with CryptSvc that's not there on the tablet. That could just be netstat guessing which service running under svchost is actually running it, too.
23rd January 2013, 03:21 AM |#18  
Member
Quote:
Originally Posted by netham45

We could possibly patch sppsvc to not check, then start the service up after jailbreaking it.

I'm honestly not sure if this would be considered piracy or not, though.

Edit: I used the program to set every value to 1 in setup mode (The latest jailbreak tool works in setup mode), and I didn't see any change for anything dealing with RDP.
Edit 2: Perhaps I shouldn't have set 'Disable' to 1. Regardless, I set it to 0 and the options popped up, but I can't get anything to go. As mamaich stated, I'm not seeing anything listening on port 3389. netstat -a -b on a desktop with it enabled says it's opened by CryptSvc, but I'm not seeing anything with CryptSvc that's not there on the tablet. That could just be netstat guessing which service running under svchost is actually running it, too.

I think we must hack the dll file. But I find when I edit a byte in the dll, the service was not able to start.
23rd January 2013, 03:25 AM |#19  
Junior Member
Quote:
Originally Posted by apatcas

Joined... Nice find.

So is it true that your device stays domain-joined after you restore sppsvc.exe?
25th November 2013, 11:21 AM |#20  
coldbloc's Avatar
Member
Prompt
@ Netham45, you could try to open up W81x86 termsrv.dll and go to these hex locations to find out what functions needed patching.

Hashes
File: W81x86\termsrv.dll
CRC-32: 202cd912
MD4: a879d39b8fbcd968b525af05a66aaf2c
MD5: 7a8e1158291cf4c8d8474a2091b9bf6d
SHA-1: e10028b074d24605e05b5e0bafd42f6a93ac01ad


1550F-15520
17428
A1B29

Then go into WinRT termsrv.dll, jump to those functions by name (because offsets will be different between x86 and RT) and Jmp or Nop as needed for WinRT. Afterwards it could be added via CDB / KD on-the-fly.
6th June 2014, 05:42 AM |#21  
Member
I just came across this program called "RDP Wrapper Library"
http://stascorp.com/load/1-1-0-63
It patches the RDP API in ram so the system files aren't modified at all. In this sense it is similar to commercial solutions like Thinstuff XP/VS. It seems to be based on the ProductPolicy method that was mentioned earlier in this thread. It's also open source so maybe it can be compiled for ARM and run on jailbroken devices!
The Following User Says Thank You to TFGBD For This Useful Post