I posted this question several months ago in the 8X forum and have decided to put this out for discussion again.
So, recently, an exploit has been developed for Windows RT devices that allows modifying the minimum signing level constant for the extent of the time that Windows is running. The exploit works on Windows RT devices to allow them to run unsigned native code but, interestingly enough, can also be used on regular x86 devices to change that same value. Since WP8 devices are built on the same NT kernel, it is likely that they enforce signature verification in much the same way, and we may be able to exploit this vulnerability on our devices.
For this to work, there are at least these prerequisites...
- The WP8 remote debugger needs to let us mess with the CSRSS process.
- There needs to actually be a CSRSS process, or something else we can exploit that makes a call to NtUserSetInformationThread.
- If this exploit works on WP8, an easy way (as in, on the start screen or something) to load unsigned/native applications on the device and execute them would be nice.
I don't know much about any of those things. Would someone more knowledgeable care to shed some light on the subject?