Jailbreak exploit released

Myriachan

Senior Member
Feb 11, 2013
117
174
0
Microsoft's October 2015 Windows Update set contains a fix for my jailbreak exploit:
https://support.microsoft.com/en-us/kb/3096447
https://technet.microsoft.com/library/security/MS15-111

Specifically, the "Trusted Boot Security Feature Bypass Vulnerability – CVE-2015-2552" is my jailbreak exploit =( This is sooner than I would like, since it may hurt Windows Mobile 10 jailbreaking. I've decided to release the exploit details. Note that it's not very user-friendly at all right now.

The exploit itself is simple. Run an administrator PowerShell (can't be cmd), and execute the following command, then reboot:

bcdedit /set '{current}' loadoptions '/TŅSTSIGNING'

(The Ņ character is Unicode character U+0145, which you can find in Character Map if you need it.)

Your system will come up in "test signing" mode, along with a watermark on the desktop indicating this. While in test-signing mode, applications still have to be signed, but they can be signed by anyone, including your own self-signed certificates.

How to sign executables for this is mostly beyond the scope of what I'm posting. Use makecert and signtool. Your certificate must be at least 2048-bit RSA. When using signtool, be sure to timestamp your executable (/t option), use page hashing mode (/ph) and SHA-256 (/fd SHA256).

Someone I've been working with made a full jailbreak based upon this that doesn't require signing anything, like the RT 8.0 jailbreak was able to do. Stay tuned.

Details of why this works: http://pastebin.com/w5U2qTR0
 

acrossland

Member
Mar 6, 2013
17
6
0
Maynard, MA
How to sign executables for this is mostly beyond the scope of what I'm posting. Use makecert and signtool. Your certificate must be at least 2048-bit RSA. When using signtool, be sure to timestamp your executable (/t option), use page hashing mode (/ph) and SHA-256 (/fd SHA256).

Someone I've been working with made a full jailbreak based upon this that doesn't require signing anything, like the RT 8.0 jailbreak was able to do. Stay tuned.

Details of why this works: http://pastebin.com/w5U2qTR0
Myria, I have ported much software for jailbroken RT, and I am wondering if I should sign the executables myself and then release signed binaries, or is this something that each individual RT user needs to do themselves?

Are both options available? I could sign the binaries that I have ported and self-sign the ones that other folks have ported?
 

domboy

Senior Member
Jul 10, 2013
147
22
0
Hopefully this update (KB3096447 I assume based on the link) can be uninstalled (if accidentally installed) and blocked like usual. And I also hope those of us that are still on RT 8.0 and upgrade will also be able to remove and block it... would it be automatically installed on an 8.1 upgrade at this point?

This is both exciting and annoying at the same time... exciting that the 8.1 jailbreak is finally being released, and annoying that the exploit is already being fixed. Once in test mode, if this update is then installed will it continue to run in test mode? Or is it possible for an update to put it back in normal (locked down) mode?

Edit:
My Surface running RT 8.0 just installed KB3088195, which seems to refer to the same security bulletin MS15-111.
https://support.microsoft.com/en-us/kb/3088195

I see in the KB3096447 from the first post that it lists KB3088195 as the actual update. So if I understand this correctly then KB3088195 is the one that needs to be uninstalled and blocked...
 

mbjun

Member
Feb 10, 2006
34
11
0
About "latin_capital_letter_n_with_cedilla" char: :)
http://www.fileformat.info/info/unicode/char/0145/latin_capital_letter_n_with_cedilla.png
http://www.fileformat.info/info/unicode/char/0145/index.htm
You can enter it with this small tool:
http://www.fileformat.info/tool/unicodeinput/index.htm

I didn't succeed with entering this into PowerShell:
bcdedit /set '{current}' loadoptions '/TŅSTSIGNING'

1. But I was successful when I added a [SPACE] here:
' /TŅSTSIGNING' like '[SPACE]/TŅSTSIGNING'

So this works:
bcdedit /set '{current}' loadoptions ' /TŅSTSIGNING'

It seems that '/ can't be next to each other.

2. TWO updates will break that on WRT8-1 (and no others):
kb3088195 AND kb3084905-v2 (anything that updates winload.efi to v6-3-9600-180066 or higher [-67 in the 2nd case])

3. Instead of kb3084905-v2 on WRT8-1, you can install v1 to be protected, if you don't have it (if you installed v2 straight away in the past):
http://download.windowsupdate.com/d..._f44f1307b9a5448a87823796a6ad2bf3d93dfef0.msu

Now I had to make certificate thingies...
MakeCert is for making the certificate and SignTool is for signing:

MakeCert -r -pe -sr localmachine -ss Root -n "CN=WRTJBCert" C:\Decomp\WRTJBCert.cer
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\notepad++.exe
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\boost_regex-mt.dll
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\ComparePlugin.dll
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\SciLexer.dll
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\Scintilla.dll

4. If time stamp server fails, just repeat the command.

Now it works and the watermark says "TestMode":
http://www.technique.cz/storage/jailbreak.jpg

My post at MDL:
http://forums.mydigitallife.info/th...0-ARM/page26?p=1163347&viewfull=1#post1163347
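A defender-side check for the signals discussed in the first post and in point 1 above (a loadoptions value that contains a non-ASCII lookalike character, possibly padded with a space), as an added example that is not part of the thread: it parses the text of bcdedit /enum (assumed to be English output with each key padded to a fixed column) and flags boot entries whose loadoptions contain any non-ASCII character or whose testsigning element is Yes. The sample output embedded below is constructed, not captured from a device.

```python
import re
import unicodedata

# Constructed sample of `bcdedit /enum` output (not captured from a real device):
# one entry carrying the U+0145 lookalike option from the thread, one clean entry.
SAMPLE_ENUM = """
Windows Boot Loader
-------------------
identifier              {current}
path                    \\Windows\\system32\\winload.efi
description             Windows RT
loadoptions             /T\u0145STSIGNING

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
description             Recovery
"""

# bcdedit pads keys to a fixed column, so key and value are separated by 2+ spaces;
# section titles such as "Windows Boot Loader" use single spaces and do not match.
KEY_VALUE = re.compile(r"^([a-z0-9]+)\s{2,}(\S.*)$")


def parse_bcd_entries(enum_output):
    """Split English bcdedit output into a list of {key: value} dicts, one per entry."""
    entries, current = [], {}
    for line in enum_output.splitlines():
        m = KEY_VALUE.match(line.rstrip())
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif not line.strip() and current:  # a blank line ends the current entry
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def audit_entries(entries):
    """Flag non-ASCII loadoptions (ASCII is expected) or testsigning=Yes; one finding per hit."""
    findings = []
    for entry in entries:
        ident = entry.get("identifier", "?")
        opts = entry.get("loadoptions", "")
        odd = [(c, "U+%04X" % ord(c), unicodedata.name(c, "?")) for c in opts if ord(c) > 0x7F]
        if odd:
            findings.append({"identifier": ident, "reason": "non-ASCII loadoptions", "chars": odd})
        if entry.get("testsigning", "").lower() == "yes":
            findings.append({"identifier": ident, "reason": "testsigning is Yes", "chars": []})
    return findings
```

On a live system, feed the output of `bcdedit /enum` (run from an elevated prompt) to parse_bcd_entries instead of the constructed sample; each finding names the entry identifier and the exact code points that should not be there.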
 

mbjun

Member
Feb 10, 2006
34
11
0
Guys, who will compile a C++ equivalent of this for ARM?
Ready to donate. :))
It is a Lazarus PAS thingie for the Shutdown menu:

program Shutdown;
{$apptype GUI}          // no console window is created
{$mode objfpc}{$H+}

uses
{$IFDEF UNIX}{$IFDEF UseCThreads}
cthreads,
{$ENDIF}{$ENDIF}
ComObj                  // provides CreateOleObject
{ you can add units after this };

var
shell: Variant;

{$R *.res}

begin
// Late-bound COM call into the Explorer shell object; ShutdownWindows
// opens the same Shut Down dialog that Alt+F4 on the desktop shows.
shell := CreateOleObject('Shell.Application');
shell.ShutdownWindows;
end.
 

eisbaer82

Senior Member
Feb 17, 2006
53
14
0
38
Dortmund
Guys, who will compile a C++ equivalent of this for ARM?
Ready to donate. :))
It is a Lazarus PAS thingie for the Shutdown menu:

program Shutdown;
{$apptype GUI}          // no console window is created
{$mode objfpc}{$H+}

uses
{$IFDEF UNIX}{$IFDEF UseCThreads}
cthreads,
{$ENDIF}{$ENDIF}
ComObj                  // provides CreateOleObject
{ you can add units after this };

var
shell: Variant;

{$R *.res}

begin
// Late-bound COM call into the Explorer shell object; ShutdownWindows
// opens the same Shut Down dialog that Alt+F4 on the desktop shows.
shell := CreateOleObject('Shell.Application');
shell.ShutdownWindows;
end.
Why do you not use the built-in command line tool? Simply execute "shutdown -t 0 -s"

EDIT: Ah, it displays the menu that's reachable via Alt+F4 on the taskbar. I'm not on my Surface yet and never tried it: do VBS scripts work?
 

jesuslg123

Senior Member
Mar 8, 2011
161
32
0
Myria, I have ported much software for jailbroken RT, and I am wondering if I should sign the executables myself and then release signed binaries, or is this something that each individual RT user needs to do themselves?

Are both options available? I could sign the binaries that I have ported and self-sign the ones that other folks have ported?
You can sign the binary and share the signed one, it will work :) Tested.
 

mbjun

Member
Feb 10, 2006
34
11
0
You can sign the binary and share the signed one, it will work :) Tested.
Yep, but you have to share your certificate too (with pub and priv key), so the user can add it to the trusted root certificates in his certificate store.

Myria, I have ported much software for jailbroken RT, and I am wondering if I should sign the executables myself and then release signed binaries, or is this something that each individual RT user needs to do themselves?

Are both options available? I could sign the binaries that I have ported and self-sign the ones that other folks have ported?
IMHO you should just give the users the list of files which need to be signed.
 

jesuslg123

Senior Member
Mar 8, 2011
161
32
0
Yep, but you have to share your certificate too (with pub and priv key), so the user can add it to the trusted root certificates in his certificate store.
I'm not sure about that; yesterday I got a few signed games, shared by another person, and they work perfectly without his certificate.
 

mbjun

Member
Feb 10, 2006
34
11
0
Interesting...
...while all GUI Win32 apps from WRT8-0 work (after signing), the text-mode ones (like FAR or the OpenTTD installer) crash with an ntdll.dll error.
 

mbjun

Member
Feb 10, 2006
34
11
0
Hi,
First, really thanks for sharing this. I found out that if you remove KB3088195, Windows Update will install it automatically. So I decided to block Windows Update. I don't know how you guys are going to solve that, but permanently blocking Windows Update might be a good idea. As far as I know, Windows RT 8.1 is very safe, so Windows Update isn't important (this is what I think). I posted some signed apps on XDA (accidentally in the wrong section), but I only want to know: is that a smart thing to do? Or else, I will remove everything and wait for the jailbreak. Thanks in advance.
Regards,
OnbekendV
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000001
 

VNNGYN

Senior Member
Oct 16, 2015
204
181
0
Hi,
It looks like I wrote something wrong. Sorry for that. I know how to block Windows Update, but what I wanted to ask is if it's a good idea to publish signed apps, so people can use them. Of course, until the jailbreak has been released. Sorry for not being clear. Thanks in advance.
Regards,
OnbekendV
 

danielcbit

Senior Member
May 15, 2013
87
22
0
Sorry for the noob question, but does the signing process need to be done on an x86 Windows machine, or can it be done directly on Windows RT? I didn't manage to find the MakeCert and signtool executables on my Win RT (Lumia 2520).
Is there anything I need to install?
Thanks
 