Jailbreak exploit released


Myriachan

Senior Member
Feb 11, 2013
117
174
Microsoft's October 2015 Windows Update set contains a fix for my jailbreak exploit:
https://support.microsoft.com/en-us/kb/3096447
https://technet.microsoft.com/library/security/MS15-111

Specifically, the "Trusted Boot Security Feature Bypass Vulnerability – CVE-2015-2552" is my jailbreak exploit =( This is sooner than I would like, since it may hurt Windows Mobile 10 jailbreaking. I've decided to release the exploit details. Note that it's not very user-friendly at all right now.

The exploit itself is simple. Run an administrator PowerShell (can't be cmd), and execute the following command, then reboot:

bcdedit /set '{current}' loadoptions '/TŅSTSIGNING'

(The Ņ character is Unicode character U+0145, which you can find in Character Map if you need it.)

Your system will come up in "test signing" mode, along with a watermark on the desktop indicating this. While in test-signing mode, applications still have to be signed, but they can be signed by anyone, including your own self-signed certificates.

How to sign executables for this is mostly beyond the scope of what I'm posting. Use makecert and signtool. Your certificate must be at least 2048-bit RSA. When using signtool, be sure to timestamp your executable (/t option), use page hashing mode (/ph) and SHA-256 (/fd SHA256).

Someone I've been working with made a full jailbreak based upon this that doesn't require signing anything, like the RT 8.0 jailbreak was able to do. Stay tuned.

Details of why this works: http://pastebin.com/w5U2qTR0
 
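A defender's check for the bypass this post describes, added here as an example that is not part of the thread: it parses `bcdedit /enum` output (a constructed sample below, not captured from a real device) and flags any boot entry whose loadoptions value carries non-ASCII characters (legitimate load options are plain ASCII, so a lookalike such as U+0145 stands out) or that enables test signing outright. The non-ASCII heuristic is this example's own assumption, not something the thread states.

```python
import re
import unicodedata

# Constructed sample of `bcdedit /enum` output: a clean boot manager entry
# and a {current} entry carrying the lookalike loadoptions value (U+0145).
SAMPLE_BCDEDIT_OUTPUT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
path                    \\Windows\\system32\\winload.efi
loadoptions             /T\u0145STSIGNING
testsigning             No
"""

def parse_bcd_entries(text):
    # One dict per boot entry, keyed by lower-cased element name.
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Windows Boot"):          # header of a new entry
            current = {}
            entries.append(current)
            continue
        m = re.match(r"^(\w+)\s{2,}(.+)$", line)     # "element   value" rows
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
    return entries

def audit_entry(entry):
    # Findings for one entry; an empty list means it looks clean.
    findings = []
    opts = entry.get("loadoptions", "")
    suspicious = [c for c in opts if ord(c) > 0x7F]
    if suspicious:
        names = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in suspicious)
        findings.append(f"non-ASCII in loadoptions: {names}")
    if "TESTSIGNING" in opts.upper() or entry.get("testsigning", "no").lower() == "yes":
        findings.append("test signing enabled")
    return findings

def audit(text):
    # Map each flagged entry's identifier to its findings.
    report = {}
    for entry in parse_bcd_entries(text):
        findings = audit_entry(entry)
        if findings:
            report[entry.get("identifier", "?")] = findings
    return report
```

Run it on the real output with `audit(subprocess.run(["bcdedit", "/enum"], capture_output=True, text=True).stdout)` from an elevated prompt; an empty report means no entry was flagged.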

acrossland

Member
Mar 6, 2013
17
6
Maynard, MA
How to sign executables for this is mostly beyond the scope of what I'm posting. Use makecert and signtool. Your certificate must be at least 2048-bit RSA. When using signtool, be sure to timestamp your executable (/t option), use page hashing mode (/ph) and SHA-256 (/fd SHA256).

Someone I've been working with made a full jailbreak based upon this that doesn't require signing anything, like the RT 8.0 jailbreak was able to do. Stay tuned.

Details of why this works: http://pastebin.com/w5U2qTR0

Myria, I have ported much software for jailbroken RT, and I am wondering if I should sign the executables myself and then release signed binaries, or is this something that each individual RT user needs to do themselves?

Are both options available? I could sign the binaries that I have ported and self-sign the ones that other folks have ported?
 

domboy

Senior Member
Jul 10, 2013
147
22
Hopefully this update (KB3096447 I assume based on the link) can be uninstalled (if accidentally installed) and blocked like usual. And I also hope those of us that are still on RT 8.0 and upgrade will also be able to remove and block it... would it be automatically installed on an 8.1 upgrade at this point?

This is both exciting and annoying at the same time... exciting that the 8.1 jailbreak is finally being released, and annoying that the exploit is already being fixed. Once in test mode, if this update is then installed will it continue to run in test mode? Or is it possible for an update to put it back in normal (locked down) mode?

Edit:
My Surface running RT 8.0 just installed KB3088195, which seems to refer to the same security bulletin MS15-111.
https://support.microsoft.com/en-us/kb/3088195

I see in the KB3096447 from the first post that it lists KB3088195 as the actual update. So if I understand this correctly then KB3088195 is the one that needs to be uninstalled and blocked...
 

mbjun

Member
Feb 10, 2006
34
11
About "latin_capital_letter_n_with_cedilla" char: :)
http://www.fileformat.info/info/unicode/char/0145/latin_capital_letter_n_with_cedilla.png
http://www.fileformat.info/info/unicode/char/0145/index.htm
You can enter it with this small tool:
http://www.fileformat.info/tool/unicodeinput/index.htm

I didn't succeed with entering this into PowerShell:
bcdedit /set '{current}' loadoptions '/TŅSTSIGNING'

1. But I was successful when I added a [SPACE] here:
' /TŅSTSIGNING' like '[SPACE]/TŅSTSIGNING'

So this works:
bcdedit /set '{current}' loadoptions ' /TŅSTSIGNING'

It seems that '/ can't be next to each other.

2. TWO updates will break that on WRT8-1 (and no others):
kb3088195 AND kb3084905-v2 (anything that updates winload.efi to v6-3-9600-180066 or higher [-67 in 2nd case])

3. Instead of kb3084905-v2 on WRT8-1, you can install v1 to be protected, if you don't have it (if you installed v2 right away in the past):
http://download.windowsupdate.com/d..._f44f1307b9a5448a87823796a6ad2bf3d93dfef0.msu

Now I had to make certificate thingies...
MakeCert is for making certificate and SignTool is for signing:

MakeCert -r -pe -sr localmachine -ss Root -n "CN=WRTJBCert" C:\Decomp\WRTJBCert.cer
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\notepad++.exe
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\boost_regex-mt.dll
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\ComparePlugin.dll
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\SciLexer.dll
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\Scintilla.dll

4. If time stamp server fails, just repeat the command.

Now it works and watermark tells "TestMode":
http://www.technique.cz/storage/jailbreak.jpg

My post at MDL:
http://forums.mydigitallife.info/th...0-ARM/page26?p=1163347&viewfull=1#post1163347
 

mbjun

Member
Feb 10, 2006
34
11
Guys, who will compile a C++ equivalent of this for ARM?
Ready to donate. :))
It is Lazarus PAS thingie for Shutdown menu:

program Shutdown;
{$apptype GUI}
{$mode objfpc}{$H+}

uses
  {$IFDEF UNIX}{$IFDEF UseCThreads}
  cthreads,
  {$ENDIF}{$ENDIF}
  ComObj
  { you can add units after this };

var
  shell: Variant;

{$R *.res}

begin
  { Late-bound COM call: opens the Windows shutdown dialog }
  shell := CreateOleObject('Shell.Application');
  shell.ShutdownWindows;
end.
 

eisbaer82

Senior Member
Feb 17, 2006
53
14
38
Dortmund
Guys, who will compile a C++ equivalent of this for ARM?
Ready to donate. :))
It is Lazarus PAS thingie for Shutdown menu:

program Shutdown;
{$apptype GUI}
{$mode objfpc}{$H+}

uses
  {$IFDEF UNIX}{$IFDEF UseCThreads}
  cthreads,
  {$ENDIF}{$ENDIF}
  ComObj
  { you can add units after this };

var
  shell: Variant;

{$R *.res}

begin
  { Late-bound COM call: opens the Windows shutdown dialog }
  shell := CreateOleObject('Shell.Application');
  shell.ShutdownWindows;
end.

Why do you not use the built-in command line tool? Simply execute "shutdown -t 0 -s"

EDIT: Ah, it displays the menu that's reachable via alt+f4 on the taskbar. I'm not on my surface yet and never tried it: do vbs scripts work?
 

jesuslg123

Senior Member
Mar 8, 2011
161
32
Myria, I have ported much software for jailbroken RT, and I am wondering if I should sign the executables myself and the release signed binaries, or is this something that each individual RT user needs to do themselves?

Are both options available? I could sign the binaries that I have ported and self-sign the ones that other folks have ported?

You can sign the binary and share the signed one, it will work :) Tested.
 

mbjun

Member
Feb 10, 2006
34
11
You can sign the binary and share the signed one, it will work :) Tested.

Yep, but you have to share your certificate too (with pub and priv key), so user could add it to trusted root certificates inside his certificate storage.

Myria, I have ported much software for jailbroken RT, and I am wondering if I should sign the executables myself and the release signed binaries, or is this something that each individual RT user needs to do themselves?

Are both options available? I could sign the binaries that I have ported and self-sign the ones that other folks have ported?

IMHO you should just tell the users the list of files, which need to be signed.
 

jesuslg123

Senior Member
Mar 8, 2011
161
32
Yep, but you have to share your certificate too (with pub and priv key), so user could add it to trusted root certificates inside his certificate storage.

I'm not sure about that, yesterday I got a few signed games, shared by another person, and they work perfectly without his certificate.
 

mbjun

Member
Feb 10, 2006
34
11
Interesting...
...while all GUI win32 apps from WRT8-0 work (after signing), the text-mode ones (like FAR or the OpenTTD installer) crash with an ntdll.dll error.
 

mbjun

Member
Feb 10, 2006
34
11
Hi,
First, really thanks for sharing this. I found out that if you remove KB3088195, Windows Update will install it automatically. So I decided to block Windows Update. I don't know how you guys are going to solve that, but permanently blocking Windows Update might be a good idea. As far as I know, Windows RT 8.1 is very safe, so Windows Update isn't important (This is what I think). I posted some signed apps on XDA (accidentally in the wrong section), but I only want to know: Is that a smart thing to do? Or else, I will remove everything and wait for the jailbreak. Thanks in advance.
Regards,
OnbekendV

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
; AUOptions 1 = automatic updating disabled (never check for updates)
"AUOptions"=dword:00000001
 

VNNGYN

Senior Member
Oct 16, 2015
204
181
Hi,
It looks like I wrote something wrong. Sorry for that. I know how to block Windows Update, but what I wanted to ask is if it's a good idea to publish signed apps, so people can use them. Of course, until the jailbreak has been released. Sorry for not being clear. Thanks in advance.
Regards,
OnbekendV
 

danielcbit

Senior Member
May 15, 2013
87
22
Sorry for the noob question, but does the signing process need to be done on an x86 Windows machine, or can it be done directly in Win RT? I didn't manage to find the MakeCert and signtool executables on my Win RT (Lumia 2520).
Is there anything I need to install?
Thanks
 

Top Liked Posts

Just a reminder to anybody who is having trouble getting stuff to launch: you have to sign *all* the binaries. That means signing the EXEs, the DLLs, the MUIs, etc. In fact, while it's not necessary, it won't hurt to simply sign every single file in your application, be they executable binaries or not.

Also, some programs - especially installers - will unpack a file and then run it. The unpacked file will not be signed (unless it was signed before being packed), which will prevent it from loading. For these types of program, you may need to run the program once to unpack the file, then sign the unpacked files and run them manually. Alternatively, rebuild the program from source (if possible) and sign the components before they get packed, so when they get unpacked they're already signed.
Hi guys,
After a lot of hours (almost a day) I finally managed to get Chrome to work, but it's very buggy. It's not for daily use now, but I will try to make some improvements. Extensions don't work at all. So it's a browser that can't do a lot...
Regards,
OnbekendV

Hi,
It looks like the recovery is done. My files are safe and I'm copying everything to a SD Card. Thanks @MaliceX. I'm not a person that stores everything (More a person that removes everything). But now Chrome is crashing. Looks like I found a new error. Couldn't Microsoft just release everything that we need to hack Windows RT? I'm getting tired now. I won't publish anything until it works fine. The reason that I'm doing that is because it could let your Surface crash. So I decided to do some tests first before publishing.
UPDATE: Project abandoned due to the fact that it keeps crashing. There's no way to fix it.
Regards,
OnbekendV