[GUIDE] Full FileSystem Access over SFTP / CMD over SSH on Windows 10 Mobile

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,131
0
Dub V
www.sinclairinat0r.com
Hi all,

This guide uses the built-in SSH server on the phone that gets activated once you enable Device Discovery to give us TRUE full file system access. MTP doesn't truly give full file system access as there are files and folders that aren't accessible still.

NOTE: The automation of the steps listed in this whole guide has been incorporated into an easy GUI within @gus33000 's app called Interop Tools. Big thanks to him for taking the time to simplify this whole process.



Many thanks to @gus33000 [For the simplification and guinea pig process ] and @black_blob [ For making me try the UMCIAuditMode trick again]!

Manual Steps for SFTP


Tools needed



Steps:

  • If you're using @djamol's Root Tool, use @vcfan's Lumia Registry Editor for this
  • The following keys should be set to the following string values under the Path of System\Currentcontrolset\control\ssh\sirepuser

    Represented in this guide as key: value

    stfp-home-dir : C:\
    default-home-dir : C:\
    sftp-mkdir-rex : .*
    sftp-open-dir-rex : .*
    sftp-read-file-rex : .*
    sftp-remove-file-rex : .*
    sftp-rmdir-rex : .*
    sftp-stat-rex : .*
    sftp-write-file-rex : .*
    auth-method : password
    user-pin : 1234
  • After you've verified that at least one of these keys have been set, exit the app
    [*] Go to the phone settings app and put your Windows 10 Mobile phone in Developer Mode, activate Device Discovery then turn on Pair mode
    [*] Pair to your phone using WConnect, either from usb connect mode ("wconnect usb") or IP (wconnect youripaddress) using the pin on your device
    [*] When this is complete, go to %USERPROFILE%\appdata\local\Microsoft\WConnectSrv. In this directory, you should see a privkey.pem file. Hold on to this
    [*] Open up PuttyGen, click on the Conversions menu and then click Import key. Point to the path that contains the privkey.pem file, then press Okay
    [*] Back in PuttyGen, click on the Save private key button and then save the .ppk file off somewhere that you'll remember.
    [*] Open Pagent, click Add key and point to the .ppk file you generated before. You'll want to make sure this is ALWAYS running.


If using Swish
  • Go to Windows Explorer, dbl-click on the Swish icon under Devices and Drives. Click on Add SFTP Connection at the top
  • Enter in a label that you wish to save the connection present as .
  • Under host your phone's IP as Host.
  • Enter in Sirepuser as the User.
  • Enter / as the Path.
  • Press Create
  • Go back to the Swish folder then click on the connection that you just created (YOU MUST HAVE PAGENT RUNNING FOR THIS TO WORK).
  • When prompted, enter "1234" as the password.


If using WinSCP:
  • Open WinSCP. Underneath of the Password box, click on Advanced.
    • Click on the SFTP menu item and set the Preferred SFTP protocol version to 2
    • Click on the SSH -> Authentication menu item. Click Allow agent forwarding, click on the ellipsis next to Private key file and choose the .ppk file you saved from PuttyGen
  • Press Ok to save the settings
  • Back on the WinSCP main screen, enter in your phone's Wi-Fi IP into host name and for the User name, type in Sirepuser. Press save and then save this session as a "Site" in WinSCP
  • Login. When prompted, enter "1234" as the password.
  • You'll receive an error initially about not being able to browse /C/ and blah blah. You can right-click and click on Goto Folder. /C/Data will be a nice folder to start at since that's where most of the goodies are.

Voila, you should know be able to have full file system access.

Now there are a FEW caveats to this..

  • If you're looking to modify/download any of the important files in the AOW folder, you won't be able to. For SOME REASON, it's returning "No such file or directory" if you try to download/modify some certain files. It will also return this if you try to do the same for the registry hives.
  • If you happen to remove all paired pins on your phone, you must add pin from the phone and use the pin as the password to your SFTP session


I'm tired of my SFTP access cutting out because the WiFi disappears when the screen goes to lock >_<. What do I do?!?!!?

Using the same Lumia Registry Editor from Djamol's Root Tool, Head to the \system\currentcontrolset\services\keepwifionsvc Path and set the following DWORD value

Start => 2

For some reason the service that keeps wifi running even while the screen is under lock is disabled on 10512. This enables it. Reboot and you'll have WiFi working under lock screen on 10512.




Manual Steps for running CMD over SSH (assuming you've done the SFTP steps above) Redstone builds required. 10586.XXX builds will NOT work


Tools Needed:

  • IoT Insider Preview ISO
  • Interop Tools - Download the latest arm package and all packages from the Dependencies directory. Install the dependencies first, THEN install the app.
  • Pageant
  • Putty

Steps:

First, you'll need to download the Windows IoT Core Insider Preview ISO. Mount it and then install the MSI. Next, you'll need to go into Disk Management (diskmgmt.msc) and create a new 4GB VHD by clicking Action-> Create VHD. Set the location to any place you wish for it to be, set the size to 4GB and keep the rest the same. Pay attention to the disk number shown in the Disk Management screen after you create and mount that VHD (They have a blue drive icon to the left of them).

When this is complete, open up an elevated command prompt. Go to C:\Program Files (x86\Microsoft IoT\FFU.
Run the following command:

Code:
dism.exe /Apply-Image /ImageFile:flash.ffu /ApplyDrive:\\.\PhysicalDriveN /SkipPlatformCheck
Where N is the disk number. At this point, you should start seeing a bunch of volumes created. The MainOS volume is the one we'll care about.
Go to that drive and copy the Windows\System32\cmd.exe and Windows\system32\en-us\cmd.exe.mui to your phone's Document's folder.

Next step is to open up the Interop Tools app, and tap on the Interop Unlock menu item from the hamburger menu. Select the option to restore NDTKSvc, reboot.
When the device comes back up, re-open Interop Tools and this time click on the Registry Editor from the hamburger menu.

Enter the following values, then press Write Data:

Registry Hive : HKEY_LOCAL_MACHINE
Registry Type: String
Registry Key Path: SYSTEM\Controlset001\Control\SSH\Sirepuser
Registry Value Name: default-shell
Registry Value Data: C:\Data\Users\Public\Documents\cmd.exe

Write this key tap on the hamburger menu and go to the Registry Browser. Travel to HKEY_LOCAL_MACHINE -> SYSTEM -> ControlSet001 -> Control -> Ci.

Tap the + button on the application bar and make sure the values are set to the following and then press Write:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Type: Integer
Registry Key Path: SYSTEM\ControlSet001\Control\CI
Registry Value Name: UMCIAuditMode
Registry Value Data: 1

This actually enables the execution of unsigned executables. This is how we end up making CMD and the other programs work ^_^.

Reboot your phone. Wait a good 3-5 minutes before you try doing anything because your phone will be acting very unstable (Some apps crashing, and others working).
While you have pageant open and the private key added, open up a putty SSH session to your phone using the username of Sirepuser. You should be delighted at this point (If you did everything correctly) to see a Command Prompt. You should be getting random resource string errors when you try typing DIR, etc and this is due to the fact that we don't have the mui string in the correct place. Let's fix that.

ONE BIG THING TO NOTE: running CMD in SSH is very sensitive to keystrokes. If you are typing a command and press backspace even once, then the command won't send at all. It will state that it doesn't recognize what you're doing, so be sure to type these things in FLAWLESSLY (yeah it's annoying)


What we want to do now is then copy the cmd.exe to C:\Windows\System32 and the cmd.exe.mui to C:\Windows\System32\en-US. Run the following commands:

copy c:\Data\Users\Public\cmd.exe c:\Windows\System32
copy c:\Data\Users\Public\cmd.exe.mui c:\Windows\System32\en-US

Back on your phone, go back to Interop Tools and click on the Registry Editor. Follow the same exact steps as you did for changing the default-shell key, but make one change:

Registry Value Data: C:\Windows\system32\cmd.exe

At this point, restart your putty session and then you'll be good to go with CMD running over SSH as SYSTEM!

Extra:

There was a reason I said to copy off the system32 folder somewhere... If you follow the same process to get the files to your Documents folder and move them over to system32, you can have quite a bit of exes to run from the command line. The easiest thing to do is to use xcopy to get everything there.

Extra #2:
You can run .NET Console apps in CMD if they are named the following 3 names: TailoredDeploy.exe, WConnectAgent.exe or WConnectAgentLauncher.exe.

Make a directory on your SD Card named "test" or put it in the test directory on your phone's C: drive and it should go. Beware that the runtime is weird on the phone and not ALL things are possible to do with a .NET Console app

PLEASE... For the love of god DO NOT add DefApps to the Administrators group if you don't want all of your apps to stop working



Have fun ^_^

Also...

USE THIS AT YOUR OWN RISK! I AM NOT RESPONSIBLE IF YOU BLOW UP YOUR PHONE ON PURPOSE OR BY ACCIDENT :)
 
Last edited:

mlleemiles

Senior Member
Jul 13, 2015
121
22
38
Hi, snickler! Can I have your permission to repost your tut? It's great and I wanna share with everyone since everyone's really hoping for a full fs access. Of course, i will link your post and add you and the others to the disclaimer.
 

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,131
0
Dub V
www.sinclairinat0r.com
@zetvn, did you follow ALL steps? Make sure Device Discovery is on and that your phone's WiFi is on. That message basically means you have a timeout. Also check your IP address and see if it is the correct WiFi address
 

ADeltaX

Senior Member
Feb 16, 2015
130
89
0
Somewhere
www.adeltax.com
:D. Have you gotten any closer to rooting AOW @ADeltaX?
70% yes.
Adb shell is now as root user.
SU binary works fine.
Busybox too.
Superuser app seems to work too.
BUT
Apps can't reference from superuser app because of limit of project astoria caused by some modified libs. (stderr stdout = null)
SU binary refernce from libc.so and it's also modified....
 
  • Like
Reactions: snickler

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,131
0
Dub V
www.sinclairinat0r.com
70% yes.
Adb shell is now as root user.
SU binary works fine.
Busybox too.
Superuser app seems to work too.
BUT
Apps can't reference from superuser app because of limit of project astoria caused by some modified libs. (stderr stdout = null)
SU binary refernce from libc.so and it's also modified....
Brilliant! Is it on your thread yet? If so, point me to it :p
 

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,131
0
Dub V
www.sinclairinat0r.com
Not yet, I need to upload these files and create a new thread.
I have a very slow connection, so probably will be ready within 2-4 hours :\

I'll mention you if i'll open the thread/the file is ready. :)
Awesome! Yeah, definitely make a new thread for this. BTW, I updated my OP to include a reg key change to enable WiFi under lock screen. It may not be useful for everyone connecting via USB, but for those on IP it will be VERY helpful
 
  • Like
Reactions: ADeltaX

AteBitDesigns

New member
Aug 26, 2015
2
0
0
Lost...

Hey there i am following the instructions as written, went to install the vcREG bootstrap and the instructions they give is to apply it to the reinstalled Extras+Info app on the SD card. well when i try to download it it says the app is no longer available? is there a work around?
 

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,131
0
Dub V
www.sinclairinat0r.com
Hey there i am following the instructions as written, went to install the vcREG bootstrap and the instructions they give is to apply it to the reinstalled Extras+Info app on the SD card. well when i try to download it it says the app is no longer available? is there a work around?
You didn't follow instructions. It states to use Djamol's root tool and use the Lumia Registry Editor within it that is vcReg's.
 
  • Like
Reactions: Leo_zodiac