[RT] Windows RT 8.1 Jailbreak Discussion


netham45

Inactive Recognized Developer
Jun 24, 2009
886
568
Denver
From what I understand, that is just a way to bypass UAC. Because we already have full admin rights on our device, this isn't really useful. Maybe someone who knows a bit more can chime in.

It wouldn't run unsigned code, no. It's just an EoP from user to admin, nothing we can't already do.
 

valuxin

Member
Sep 24, 2011
35
12
Hm... It seems I have my Lumia 2520 tablet running without the Secure Boot option... And all I want is to find a way to make a profit from it :)

UPD: After the update, the signature disappeared.
 

darkcroc

Senior Member
May 25, 2013
89
21
Hm... It seems I have my Lumia 2520 tablet running without the Secure Boot option... And all I want is to find a way to make a profit from it :)

UPD: After the update, the signature disappeared.

I must know how? lol. Is it a WiFi-only version of the Lumia 2520 or VZW/ATT LTE? I would love to have the ability to install w/e I want on my Lumia.
 

wcomhelp

Senior Member
May 1, 2012
107
16
Calgary
As above, if someone remembers the method of disabling Secure Boot, please post it. Thanks


Sent from board express on my Nokia Lumia 1020. Best phone ever!
 

infrag

Senior Member
Sep 3, 2008
1,723
4,557
Perth
If you have nothing to add to this discussion please do not post. Thanks

I'm hoping that we can make a list of requirements for this jailbreak to happen. Please read along with us, and if you have any ideas regarding any of the steps, please help us out...

Thanks,

Toxickill.

Any progress on an ETA for releasing the jailbreak? (I'm not asking Toxickill specifically but Netham45 or anyone that already has a copy of it)
There's plenty of us that have these devices and have had this carrot held out to us about one day receiving a jailbreak. Whenever the carrot appears within reach, it gets pulled away again :(

Just want to know: is the jailbreak ever going to be released, or do we just dump our RT devices and move on?

Also, let me make this clear.. I'm not complaining about people holding onto their exploits... just when you make the forum aware you have a jailbreak and then don't release it, that is frustrating for all of us. It's like saying 'look at me, I have this jailbreak that you all want but can't have it now, but maybe one day'. Just give us a date when it will be released and do it then, or don't do it at all and don't make us check all the time to see if you change your mind :(

E.G:

August 11th 2015
https://twitter.com/Myriachan/status/631146778755108865

"I'm debating when to release the Windows RT exploit. The problem is that when I do, the exploit could be burned for WinPhone."

@Myriachan Jun 20
@Myriachan This also applies to anyone who may know the details of my exploit by other means

The XDA WinPhone hackers have my permission to release my Secure Boot hack 1 week after #Windows10 release without further action from me.
 
  • Like
Reactions: georgehall123

HandyBesitzer

Senior Member
Jan 29, 2012
587
109
Köln
I need to admit that I haven't read the whole thread. But I found the Jailbreak thread and noticed that it wasn't the right topic. I hope this is the right place.
I have my Surface up to date (8.1 and all updates installed). I would like to run Windows 10 on it and found a build that can be tested on a USB drive. Only problem: my Surface does not boot from the USB drive. So my idea was that maybe Secure Boot or something like that is the problem.
Question: Is there a jailbreak that I can boot from USB?? And where can I find it?

Thank you
 

black_blob

Senior Member
Feb 23, 2015
180
153
Paris
I need to admit that I haven't read the whole thread. But I found the Jailbreak thread and noticed that it wasn't the right topic. I hope this is the right place.
I have my Surface up to date (8.1 and all updates installed). I would like to run Windows 10 on it and found a build that can be tested on a USB drive. Only problem: my Surface does not boot from the USB drive. So my idea was that maybe Secure Boot or something like that is the problem.
Question: Is there a jailbreak that I can boot from USB?? And where can I find it?

Thank you
All Surfaces can boot from USB. You can use both 10240 and 10586 with provisioning drivers.
 
  • Like
Reactions: HandyBesitzer

TristanLeBoss

Senior Member
Dec 11, 2005
186
157
  • Like
Reactions: HandyBesitzer

Top Liked Posts

  • 23
    Myria told me her current method for jailbreaking the tablet, I've gotten the hardest part replicated. I think I see a way to get it automated, at least to an extent, too. It's not going to be as straightforward as the 8.0 exploit, sadly, but it should be persistent.
    20
    http://i.imgur.com/Y38fel5.png

    Edit: Did that bounty idea ever take off? :p

    Edit 2: PuTTY running: http://i.imgur.com/KGwAMo6.png
    19
    Just got Kernel-mode working.
    12
    Mmm. An attempt at this summary you ask for...
    1. RT devices boot with UEFI, which is firmware that runs at the same level as the old BIOS but is far more advanced, effectively being its own mini-OS (many x86 devices allow you to boot into an interactive UEFI shell, from which you can run UEFI programs, for example).
    2. Flashing UEFI is often possible, but requires either that the firmware image support it or that a UEFI program to do so is available (I think; don't take this part as gospel). RT devices do, I believe, support firmware updates... but as you'd expect, they check them for Microsoft's cryptographic signatures.
    3. UEFI supports a feature called Secure Boot. This feature checks the UEFI programs that are run (such as the bootloader for an OS) for cryptographic signatures. The list of allowed public keys might be stored in the firmware image, or in a hardware security chip called a Trusted Platform Module (TPM). I suspect the TPM but am not sure. All RT devices are required to implement Secure Boot, and to not allow the user to disable it or add their own certificates to the trust list. The Windows bootloader is of course signed.
    4. UEFI can also store named variables in firmware, typically for the use of the operating system. In the case of RT, a variable which controls what signing level the OS enforces is apparently stored in the UEFI, and is supposed to be read-only. I don't know how easy or hard it would be to change this value, assuming we have Admin-level arbitrary code execution in Windows.
    5. With Secure Boot enabled, the Windows bootloader disables certain options. In particular, the kernel debug and the "testsigning" boot options are prohibited. This restriction is enforced by the bootloader, which is either informed by the UEFI of the presence of Secure Boot or queries for it (not sure). If it was possible to cause the bootloader to think Secure Boot wasn't enforced, we could use these options to jailbreak with relative ease.
    6. The Windows bootloader verifies the cryptographic signature on the kernel before loading it. Thus, modifying the kernel on-disk would prevent a successful boot, unless we could modify the bootloader too (to remove this check), but doing that would break the bootloader's signature and Secure Boot wouldn't allow it to run.
    7. The Windows kernel checks various sources (boot parameters, registry, and UEFI variables) for what signature level to enforce. Lacking the "testsigning" or "debug" boot parameter, the kernel takes the more-restrictive policy from the registry or UEFI. On RT devices, this policy (as stored in a UEFI variable) requires Microsoft-signed programs. Binary images without a valid Microsoft signature will not load or run, unless they are in an "AppContainer" which is an app-specific sandbox with Low mandatory integrity control (a "lowbox").
    8. All "Windows Store" (Metro) apps run in AppContainers, and any processes they spawn will also be in an AppContainer. We can modify ACLs on many securable objects in the system, such as files and registry keys, to allow AppContainers to access them. However, we cannot actually elevate the privileges that an AppContainer has, and lowbox tokens have a number of restrictions that largely prevent them from carrying out any kind of Administrative tasks.
    9. However, we can probably get arbitrary code execution as Admin anyhow, by using a debugger on the OS and attaching to a (Microsoft-signed) process running as Admin, then injecting executable code into the process' address space and creating a thread to run it.
    10. In fact, this is how the 8.0 jailbreak works: there's a vulnerability in a system call that allows modification of arbitrary kernel memory. However, this system call can only be made by one process, the CSRSS.EXE process started at system bootup. In 8.0, this process can be debugged and the vulnerability exploited. In 8.1, this process is "protected" meaning you can't attach a debugger to it, even if you have SeDebugPrivilege.
    11. Another vector for arbitrary code execution in RT is PowerShell. Although PS is supposed to prevent running arbitrary code that isn't in a signed script, there have been exploits to bypass this restriction. The exploits that were known for 8.0 have been patched in 8.1, but I believe there are more (that still work).
    12. There is an additional level of protection in 8.1: the kernel flag that controls the signing level is "protected" by PatchGuard, a complicated kernel watchdog system that periodically checks protected memory (usually things like IRQ tables and ISRs) and, if a change from the expected values is detected, bugchecks the kernel (Blue Screen Of Death). PatchGuard can only be disabled using boot flags that Secure Boot prohibits.
    13. To make the 8.0 jailbreak work again, two things are needed: a way to attach a debugger to CSRSS.EXE (probably means making it not run as a protected process somehow), and a way to avoid PatchGuard crashing the system when it checks the signing level value.
    14. Other avenues towards a jailbreak, such as disabling Secure Boot in UEFI (enables modifying the bootloader and would also permit loading different OSes) or in Windows (would allow using Testsigning mode, where non-Microsoft signatures can be fully trusted anyhow), or changing the UEFI variable that tells the kernel to enforce Microsoft signing level, or finding a way to take advantage of the ability to launch unsigned binaries in an AppContainer but without a lowbox, would also be of interest. There may be some possibilities not listed here, too.
    OK, that wound up longer than expected. At least it's all in one place. Please, those who know, correct me or add additional info as needed. I probably also ought to add links to forum threads where some of these points are discussed in more detail, but it's late.
    10
    OK, someone's got to say it ...

    Please can you release what you have or the work in progress,
    even if PatchGuard isn't disabled,
    so we can at least run something (then put the flags back so PatchGuard doesn't notice) and accept the 1-2% chance it might blue screen.

    So others can build on it and investigate other ideas
    (e.g. I have an idea for a driver that might help).

    Or do a limited release to a few of us who are really interested

    Thanks
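The 14-point summary above (points 3, 5 and 7 in particular) describes the boot-integrity chain that Secure Boot is meant to guarantee: Secure Boot on, no custom keys enrolled, and the bootloader refusing the testsigning / kernel-debug / nointegritychecks flags that would let unsigned or test-signed code into the kernel. The script below is an added example, not code from this thread or from any of the posters, that reports exactly that posture from the defender's side so an administrator can see whether a machine's chain has been weakened. It assumes a desktop Windows 8.1 or 10 system with the built-in SecureBoot module and an elevated PowerShell session (the RT devices in this thread run a constrained PowerShell, so it is not written for them); the cmdlet and `bcdedit` names are real, the `Get-SecureBootPosture` function and the report layout are this example's own.

```powershell
# Added example (not from the thread): report the boot-integrity posture the
# summary post describes -- Secure Boot state, setup mode, and the BCD flags
# the bootloader is supposed to refuse under Secure Boot.
# Assumes: desktop Windows 8.1/10+, SecureBoot module present, elevated session.
# Get-SecureBootPosture is a hypothetical function name chosen for this example.

function Get-SecureBootPosture {
    [CmdletBinding()]
    param()

    $report = [ordered]@{
        SecureBootEnabled = $null   # $true/$false, or $null if the query failed
        SetupMode         = $null   # $true means no Platform Key is enrolled
        TestSigning       = $false  # BCD "testsigning" flag (point 5)
        KernelDebug       = $false  # BCD "debug" flag (point 5)
        NoIntegrityChecks = $false  # BCD "nointegritychecks" flag
        Findings          = @()
    }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines or without admin rights,
    # so the failure is recorded as a finding rather than crashing the report.
    try {
        $report.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        $report.Findings += "Could not query Secure Boot: $($_.Exception.Message)"
    }

    # The UEFI SetupMode variable is one byte: 1 = setup mode (no PK, keys can be
    # enrolled by anyone), 0 = user mode (key hierarchy locked in).
    try {
        $setup = Get-SecureBootUEFI -Name SetupMode
        $report.SetupMode = ($setup.Bytes[0] -eq 1)
    } catch {
        $report.Findings += "Could not read SetupMode variable: $($_.Exception.Message)"
    }

    # Parse the current boot entry. bcdedit prints "<flag> Yes/No" per line
    # on an English system; adjust the Yes/No tokens for localized builds.
    $bcd = & bcdedit.exe /enum '{current}' 2>&1
    foreach ($line in $bcd) {
        if ($line -match '^\s*(testsigning|debug|nointegritychecks)\s+(Yes|No)\s*$') {
            $on = ($Matches[2] -eq 'Yes')
            switch ($Matches[1]) {
                'testsigning'       { $report.TestSigning       = $on }
                'debug'             { $report.KernelDebug       = $on }
                'nointegritychecks' { $report.NoIntegrityChecks = $on }
            }
        }
    }

    # Turn the raw state into findings an operator can act on.
    if ($report.SecureBootEnabled -eq $false) { $report.Findings += 'Secure Boot is disabled' }
    if ($report.SetupMode -eq $true)          { $report.Findings += 'Firmware is in setup mode (no Platform Key enrolled)' }
    if ($report.TestSigning)                  { $report.Findings += 'testsigning is on: test-signed drivers will load' }
    if ($report.KernelDebug)                  { $report.Findings += 'kernel debugging is on: an attached debugger can modify kernel memory' }
    if ($report.NoIntegrityChecks)            { $report.Findings += 'nointegritychecks is on: driver signature checks are bypassed' }

    [pscustomobject]$report
}

Get-SecureBootPosture | Format-List
```

On a healthy machine the output shows `SecureBootEnabled : True`, `SetupMode : False`, all three flags `False` and an empty `Findings` list; any non-empty finding is the condition the summary post's points 5 and 12 warn about, since each of those flags is exactly what Secure Boot is supposed to keep the bootloader from honouring.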