Windows RT 8.1 anti-jailbreak differences
By Myriachan, Senior Member on 27th June 2013, 10:04 AM
8th July 2013, 08:36 AM |#21 Myriachan (OP, Senior Member)
Quote:
Originally Posted by netham45

I believe everything in this thread is our own research.

Yes, confirming--almost everything, if not everything, in this thread is stuff we've figured out on our own through various means.
 
 
12th July 2013, 05:39 AM |#22 mamaich (Retired Recognized Developer)
Some good news:

There is a method of booting any unsigned EFI file (for example Linux GRUB) on Asus VivoTab devices with the recent firmware.
This also allows loading a "cracked" bootmgfw.efi that does not check the signatures of Windows kernel modules, and after patching ci.dll you'll be able to run any app or load any unsigned driver (even a boot-mode driver, unlike the 8.0 jailbreak).

The limitations of my method:
- It works only on Asus VivoTab RT tablets. Surface is not supported due to differences in UEFI firmware modules.
- BitLocker should be disabled (manage-bde.exe -protectors -disable c: )
- There will be a line stating that Secure Boot is incorrectly set up; you can see it in the lower-right corner of the screenshot.
- The most inconvenient thing: it requires a FAT32-formatted USB stick with a "hack" file to be inserted at boot.
And, obviously, the "hole" could be closed by Asus in one of the next firmware updates. So Windows Update should be switched to manual mode (8.1 allows selecting this from the GUI).

So this should be considered a temporary method until something universal is found. But it can be used to start developing Linux (or Android) for Tegra3.
I'll publish the instructions after 8.1 is released.
12th July 2013, 06:21 AM |#23 windowsrtc (Member)
Quote:
Originally Posted by mamaich

Some good news:

There is a method of booting any unsigned EFI file (for example Linux GRUB) on Asus VivoTab devices with the recent firmware.
This also allows loading a "cracked" bootmgfw.efi that does not check the signatures of Windows kernel modules, and after patching ci.dll you'll be able to run any app or load any unsigned driver (even a boot-mode driver, unlike the 8.0 jailbreak).

The limitations of my method:
- It works only on Asus VivoTab RT tablets. Surface is not supported due to differences in UEFI firmware modules.
- BitLocker should be disabled (manage-bde.exe -protectors -disable c: )
- There will be a line stating that Secure Boot is incorrectly set up; you can see it in the lower-right corner of the screenshot.
- The most inconvenient thing: it requires a FAT32-formatted USB stick with a "hack" file to be inserted at boot.
And, obviously, the "hole" could be closed by Asus in one of the next firmware updates. So Windows Update should be switched to manual mode (8.1 allows selecting this from the GUI).

So this should be considered a temporary method until something universal is found. But it can be used to start developing Linux (or Android) for Tegra3.
I'll publish the instructions after 8.1 is released.

Would you please tell me how to patch the ci.dll? I want to lock my Windows 8 Pro for security reasons.
12th July 2013, 06:29 AM |#24 mamaich (Retired Recognized Developer)
Quote:
Originally Posted by windowsrtc

Would you please tell me how to patch the ci.dll? I want to lock my Windows 8 Pro for security reasons.

My patch is for removing an enforced lock.
And you don't need to patch anything for "locking" Windows. The functionality has been there since Windows XP. Google for "software restriction policies"; there are even videos on this topic.
12th July 2013, 06:44 AM |#25 windowsrtc (Member)
Quote:
Originally Posted by mamaich

My patch is for removing an enforced lock.
And you don't need to patch anything for "locking" Windows. The functionality has been there since Windows XP. Google for "software restriction policies"; there are even videos on this topic.

Software restriction policies don't work for me. I am running a testing environment that contains many viruses. I want to lock the OS first, then trace the virus behaviour.
12th July 2013, 10:52 AM |#26 Myriachan (OP, Senior Member)
Quote:
Originally Posted by mamaich

- There will be a line stating that Secure Boot is incorrectly set up; you can see it in the lower-right corner of the screenshot.

I know how to change that message to say whatever we want. =) I was thinking of naming it like, "Jailbreak Activated".

I'm going to write a kernel driver that smacks ci.dll and ntoskrnl.exe in the right places, and make a hack to change the watermark. The watermark can be hacked with either a kernel driver (obviously) or with an Explorer shell extension. These two tools can be loaded by whichever initial hack--it's looking like your hack will be the first. =)

I now know who I can ask to make the Russian translation of the message for me =^-^=

How do you change the Windows Update policy with the UI in 8.1? I don't see the Change Settings option that I do on my PC.
12th July 2013, 02:38 PM |#27 mamaich (Retired Recognized Developer)
Quote:
Originally Posted by Myriachan

How do you change the Windows Update policy with the UI in 8.1? I don't see the Change Settings option that I do on my PC.

There is an option in the "metro" control panel that lets you select any setting and apply it, but it always resets itself to "automatic updates" the next time you open it, so I was wrong here. I hope that this is a bug.
I've changed this setting via the MMC "group policy" console (run - mmc.exe - add snapin - group policy blablabla - computer - administrative templates - windows components - windows update). You can select the option "download and ask to install". I have not tested it as there are no updates to install now.
This is the same as editing the registry (it sets the same key as a result), but unlike registry editing this setting will be regularly reapplied.
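A read-only posture check for the things this post and mamaich's earlier one touch on: the Windows Update policy key that Group Policy writes (so you can see which value the GUI or gpedit actually left behind), the BCD switches that let the kernel load unsigned drivers, and the Secure Boot state as the firmware reports it. This is an added example, not code from the thread or from any of its authors; it assumes Windows 8/8.1 with PowerShell, run from an elevated prompt (Confirm-SecureBootUEFI and bcdedit need admin), and the registry value names are the documented ones for the "Configure Automatic Updates" policy.

```powershell
# Added example (not from the thread): read-only check of update policy,
# boot-time code-integrity switches and Secure Boot state. Run elevated.

function Get-WindowsUpdatePolicy {
    # Group Policy "Configure Automatic Updates" writes under this key; the
    # control panel and a manual registry edit end up in the same values.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (-not (Test-Path $key)) { return 'No policy set (defaults apply)' }
    $au = Get-ItemProperty -Path $key
    if ($au.NoAutoUpdate -eq 1) { return 'Automatic updates disabled by policy' }
    switch ($au.AUOptions) {
        2 { 'Notify before download' }
        3 { 'Auto download, notify before install' }
        4 { 'Auto download and schedule install' }
        5 { 'Local admin chooses' }
        default { 'AUOptions not set or unrecognised' }
    }
}

function Get-BootIntegrityFlags {
    # bcdedit prints "name<spaces>value" lines. testsigning or
    # nointegritychecks set to Yes means unsigned drivers are accepted.
    $lines = & bcdedit.exe /enum '{current}' 2>$null
    $flags = @{ testsigning = 'No'; nointegritychecks = 'No' }
    foreach ($line in $lines) {
        if ($line -match '^\s*(testsigning|nointegritychecks)\s+(\S+)') {
            $flags[$matches[1]] = $matches[2]
        }
    }
    return $flags
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported platforms.
    try { if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' } }
    catch { 'Not reported by firmware' }
}

"Secure Boot (as reported by firmware): $(Get-SecureBootState)"
$bcd = Get-BootIntegrityFlags
"BCD testsigning=$($bcd.testsigning) nointegritychecks=$($bcd.nointegritychecks)"
"Windows Update policy: $(Get-WindowsUpdatePolicy)"
```

A boot manager that has been altered to skip signature checks does not necessarily change what the firmware reports, so the Secure Boot line tells you what the firmware says, not that the whole chain is intact.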
23rd July 2013, 04:08 AM |#28 (Senior Member)
So, the bottom line, can 8.1 be jailbroken?
23rd July 2013, 06:23 AM |#29 GoodDayToDie (Inactive Recognized Developer, Seattle)
"Probably." That is a pointless question to ask.

Does the current hack work on 8.1? No.
Is the exploit that the current hack uses fixed in 8.1? No.
Are there other attack vectors we could use? Yes.
Do we currently have a working exploit that works on all RT 8.1 devices? No.
Are we looking for one? Yes.
Do we currently have a working hack for at least one RT 8.1 device family? Yes.
Are any of these "bottom line" answers? No, of course not.
24th July 2013, 09:18 PM |#30 Myriachan (OP, Senior Member)
Quote:
Originally Posted by GoodDayToDie

Is the exploit that the current hack uses fixed in 8.1? No.

A more accurate way to state this, for technically-minded people reading the thread:

The raw exploit used to attack the kernel has not been fixed, but access to the place where we need to be in order to make use of the exploit has been blocked off.
25th July 2013, 08:01 PM |#31 (Junior Member)
Quote:
Originally Posted by Myriachan

A more accurate way to state this, for technically-minded people reading the thread:

The raw exploit used to attack the kernel has not been fixed, but access to the place where we need to be in order to make use of the exploit has been blocked off.

And the community here has faith that it will only be a matter of time before one of you discovers a workaround which enables you to use the exploit again...
...or that Microsoft will come to its senses after seeing the interest that has been generated in developing/recompiling desktop apps for Windows RT and provides the option allowing end users to run unsigned code at their own risk. (one can dream)

Anyways, thank you netham45, mamaich, and Myriachan for all your hard work!!