[GUIDE] Full FileSystem Access over SFTP / CMD over SSH on Windows 10 Mobile

Hi all,

This guide uses the built-in SSH server on the phone that gets activated once you enable Device Discovery to give us TRUE full file system access. MTP doesn't truly give full file system access as there are files and folders that aren't accessible still.

NOTE: The automation of the steps listed in this whole guide has been incorporated into an easy GUI within @gus33000's app called Interop Tools. Big thanks to him for taking the time to simplify this whole process.



Many thanks to @gus33000 [for the simplification and guinea pig process] and @black_blob [for making me try the UMCIAuditMode trick again]!

Manual Steps for SFTP


Tools needed


Steps:
  • If you're using @djamol's Root Tool, use @vcfan's Lumia Registry Editor for this
  • The following keys should be set to the following string values under the Path of System\Currentcontrolset\control\ssh\sirepuser

    Represented in this guide as key: value

    stfp-home-dir : C:\
    default-home-dir : C:\
    sftp-mkdir-rex : .*
    sftp-open-dir-rex : .*
    sftp-read-file-rex : .*
    sftp-remove-file-rex : .*
    sftp-rmdir-rex : .*
    sftp-stat-rex : .*
    sftp-write-file-rex : .*
    auth-method : password
    user-pin : 1234
  • After you've verified that at least one of these keys has been set, exit the app
  • Go to the phone settings app and put your Windows 10 Mobile phone in Developer Mode, activate Device Discovery then turn on Pair mode
  • Pair to your phone using WConnect, either from usb connect mode ("wconnect usb") or IP (wconnect youripaddress) using the pin on your device
  • When this is complete, go to %USERPROFILE%\appdata\local\Microsoft\WConnectSrv. In this directory, you should see a privkey.pem file. Hold on to this
  • Open up PuttyGen, click on the Conversions menu and then click Import key. Point to the path that contains the privkey.pem file, then press Okay
  • Back in PuttyGen, click on the Save private key button and then save the .ppk file off somewhere that you'll remember.
  • Open Pageant, click Add key and point to the .ppk file you generated before. You'll want to make sure this is ALWAYS running.


If using Swish
  • Go to Windows Explorer, double-click on the Swish icon under Devices and Drives. Click on Add SFTP Connection at the top
  • Enter in a label that you wish to save the connection as.
  • Enter your phone's IP as the Host.
  • Enter in Sirepuser as the User.
  • Enter / as the Path.
  • Press Create
  • Go back to the Swish folder then click on the connection that you just created (YOU MUST HAVE PAGEANT RUNNING FOR THIS TO WORK).
  • When prompted, enter "1234" as the password.


If using WinSCP:
  • Open WinSCP. Underneath of the Password box, click on Advanced.
    • Click on the SFTP menu item and set the Preferred SFTP protocol version to 2
    • Click on the SSH -> Authentication menu item. Click Allow agent forwarding, click on the ellipsis next to Private key file and choose the .ppk file you saved from PuttyGen
  • Press Ok to save the settings
  • Back on the WinSCP main screen, enter in your phone's Wi-Fi IP into host name and for the User name, type in Sirepuser. Press save and then save this session as a "Site" in WinSCP
  • Login. When prompted, enter "1234" as the password.
  • You'll receive an error initially about not being able to browse /C/ and blah blah. You can right-click and click on Goto Folder. /C/Data will be a nice folder to start at since that's where most of the goodies are.

Voila, you should now be able to have full file system access.

Now there are a FEW caveats to this..
  • If you're looking to modify/download any of the important files in the AOW folder, you won't be able to. For SOME REASON, it's returning "No such file or directory" if you try to download/modify some certain files. It will also return this if you try to do the same for the registry hives.
  • If you happen to remove all paired pins on your phone, you must add a pin from the phone and use that pin as the password to your SFTP session


I'm tired of my SFTP access cutting out because the WiFi disappears when the screen goes to lock >_<. What do I do?!?!!?

Using the same Lumia Registry Editor from Djamol's Root Tool, head to the \system\currentcontrolset\services\keepwifionsvc path and set the following DWORD value

Start => 2

For some reason the service that keeps wifi running even while the screen is under lock is disabled on 10512. This enables it. Reboot and you'll have WiFi working under lock screen on 10512.




Manual Steps for running CMD over SSH (assuming you've done the SFTP steps above)

Redstone builds required. 10586.XXX builds will NOT work


Tools Needed:
  • IoT Insider Preview ISO
  • Interop Tools - Download the latest arm package and all packages from the Dependencies directory. Install the dependencies first, THEN install the app.
  • Pageant
  • Putty

Steps:

First, you'll need to download the Windows IoT Core Insider Preview ISO. Mount it and then install the MSI. Next, you'll need to go into Disk Management (diskmgmt.msc) and create a new 4GB VHD by clicking Action-> Create VHD. Set the location to any place you wish for it to be, set the size to 4GB and keep the rest the same. Pay attention to the disk number shown in the Disk Management screen after you create and mount that VHD (They have a blue drive icon to the left of them).

When this is complete, open up an elevated command prompt. Go to C:\Program Files (x86)\Microsoft IoT\FFU.
Run the following command:

Code:
dism.exe /Apply-Image /ImageFile:flash.ffu /ApplyDrive:\\.\PhysicalDriveN /SkipPlatformCheck
Where N is the disk number. At this point, you should start seeing a bunch of volumes created. The MainOS volume is the one we'll care about.
Go to that drive and copy the Windows\System32\cmd.exe and Windows\system32\en-us\cmd.exe.mui to your phone's Documents folder.

Next step is to open up the Interop Tools app, and tap on the Interop Unlock menu item from the hamburger menu. Select the option to restore NDTKSvc, reboot.
When the device comes back up, re-open Interop Tools and this time click on the Registry Editor from the hamburger menu.

Enter the following values, then press Write Data:

Registry Hive : HKEY_LOCAL_MACHINE
Registry Type: String
Registry Key Path: SYSTEM\Controlset001\Control\SSH\Sirepuser
Registry Value Name: default-shell
Registry Value Data: C:\Data\Users\Public\Documents\cmd.exe

Write this key, then tap on the hamburger menu and go to the Registry Browser. Travel to HKEY_LOCAL_MACHINE -> SYSTEM -> ControlSet001 -> Control -> Ci.

Tap the + button on the application bar and make sure the values are set to the following and then press Write:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Type: Integer
Registry Key Path: SYSTEM\ControlSet001\Control\CI
Registry Value Name: UMCIAuditMode
Registry Value Data: 1

This actually enables the execution of unsigned executables. This is how we end up making CMD and the other programs work ^_^.

Reboot your phone. Wait a good 3-5 minutes before you try doing anything because your phone will be acting very unstable (Some apps crashing, and others working).
While you have pageant open and the private key added, open up a putty SSH session to your phone using the username of Sirepuser. You should be delighted at this point (If you did everything correctly) to see a Command Prompt. You should be getting random resource string errors when you try typing DIR, etc and this is due to the fact that we don't have the mui string in the correct place. Let's fix that.

ONE BIG THING TO NOTE: running CMD in SSH is very sensitive to keystrokes. If you are typing a command and press backspace even once, then the command won't send at all. It will state that it doesn't recognize what you're doing, so be sure to type these things in FLAWLESSLY (yeah it's annoying)


What we want to do now is then copy the cmd.exe to C:\Windows\System32 and the cmd.exe.mui to C:\Windows\System32\en-US. Run the following commands:

copy c:\Data\Users\Public\Documents\cmd.exe c:\Windows\System32
copy c:\Data\Users\Public\Documents\cmd.exe.mui c:\Windows\System32\en-US

Back on your phone, go back to Interop Tools and click on the Registry Editor. Follow the same exact steps as you did for changing the default-shell key, but make one change:

Registry Value Data: C:\Windows\system32\cmd.exe

At this point, restart your putty session and then you'll be good to go with CMD running over SSH as SYSTEM!

Extra:

There was a reason I said to copy off the system32 folder somewhere... If you follow the same process to get the files to your Documents folder and move them over to system32, you can have quite a bit of exes to run from the command line. The easiest thing to do is to use xcopy to get everything there.

Extra #2:
You can run .NET Console apps in CMD if they are named the following 3 names: TailoredDeploy.exe, WConnectAgent.exe or WConnectAgentLauncher.exe.

Make a directory on your SD Card named "test" or put it in the test directory on your phone's C: drive and it should go. Beware that the runtime is weird on the phone and not ALL things are possible to do with a .NET Console app

PLEASE... For the love of god DO NOT add DefApps to the Administrators group if you don't want all of your apps to stop working



Have fun ^_^

Also...

USE THIS AT YOUR OWN RISK! I AM NOT RESPONSIBLE IF YOU BLOW UP YOUR PHONE ON PURPOSE OR BY ACCIDENT
The Following 31 Users Say Thank You to snickler For This Useful Post
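
Added example (not part of snickler's post and not code from Interop Tools): a small Python audit that reads registry values in the guide's "name : value" form and reports the ones that widen SFTP/SSH access or relax code integrity. The function names, the finding texts, the 6-digit PIN threshold, the probe path and the use of Python regex semantics for the filter patterns are assumptions; the sample export is constructed from the values in the guide.

```python
import re

# Constructed sample in the guide's "name : value" form (state after every step).
SAMPLE = r"""
sftp-read-file-rex : .*
sftp-write-file-rex : .*
default-home-dir : C:\
auth-method : password
user-pin : 1234
default-shell : C:\Data\Users\Public\Documents\cmd.exe
UMCIAuditMode : 1
"""
PROBE = r"C:\Windows\System32\config\SYSTEM"  # a path no file filter should admit
MIN_PIN_DIGITS = 6                            # assumed policy threshold

def parse(text):
    """Split each line on the first ' : ' only, since values contain colons."""
    pairs = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(" : ")
        if sep:
            pairs[name.strip().lower()] = value.strip()
    return pairs

def allows(pattern, path):
    """Assumes whole-string matching; an unparsable filter is treated as closed."""
    try:
        return re.fullmatch(pattern, path) is not None
    except re.error:
        return False

def audit(pairs):
    """Return (value name, finding) tuples for settings that weaken the device."""
    found = []
    for name, value in sorted(pairs.items()):
        if name.endswith("-rex") and allows(value, PROBE):
            found.append((name, "filter admits system paths"))
        elif name.endswith("-home-dir") and re.fullmatch(r"[A-Za-z]:\\?", value):
            found.append((name, "session starts at the drive root"))
    pin = pairs.get("user-pin", "")
    if pairs.get("auth-method") == "password" and pin.isdigit() and len(pin) < MIN_PIN_DIGITS:
        found.append(("user-pin", "short numeric PIN guards password login"))
    if pairs.get("default-shell", "").lower().startswith("c:\\data\\"):
        found.append(("default-shell", "shell binary sits in a user-writable folder"))
    if pairs.get("umciauditmode") == "1":
        found.append(("umciauditmode", "code integrity audits only; unsigned code runs"))
    return found

if __name__ == "__main__":
    for name, finding in audit(parse(SAMPLE)):
        print(f"{name}: {finding}")
```
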
 
 
25th August 2015, 12:15 AM |#2
Hi, snickler! Can I have your permission to repost your tut? It's great and I wanna share with everyone since everyone's really hoping for a full fs access. Of course, I will link your post and add you and the others to the disclaimer.
25th August 2015, 05:21 PM |#3
OH My god . very good so fast . forget MTP Full FS for ever
The Following User Says Thank You to ngame For This Useful Post
25th August 2015, 07:54 PM |#4
ADeltaX
Quote:
Originally Posted by ngame

OH My god . very good so fast . forget MTP Full FS for ever

"Theoretical Full FS" :P
25th August 2015, 08:26 PM |#5
I've tried, but failed
25th August 2015, 09:11 PM |#6
snickler, OP, Forum Moderator / Recognized Developer
@zetvn, did you follow ALL steps? Make sure Device Discovery is on and that your phone's WiFi is on. That message basically means you have a timeout. Also check your IP address and see if it is the correct WiFi address
25th August 2015, 09:12 PM |#7
snickler, OP, Forum Moderator / Recognized Developer
Quote:
Originally Posted by ADeltaX

"Theoretical Full FS" :P

It's full access until you want to modify any of the IMPORTANT files in the AOW directory lol. I'll see how I can get around that and post more, but yes this IS indeed full access.
25th August 2015, 09:27 PM |#8
ADeltaX
Quote:
Originally Posted by snickler

It's full access until you want to modify any of the IMPORTANT files in the AOW directory lol. I'll see how I can get around that and post more, but yes this IS indeed full access.

I was replying about MTP, not about SSH access. lol
The Following User Says Thank You to ADeltaX For This Useful Post
25th August 2015, 11:54 PM |#9
snickler, OP, Forum Moderator / Recognized Developer
. Have you gotten any closer to rooting AOW @ADeltaX?
25th August 2015, 11:55 PM |#10
Is there any way to copy files to C:\Windows\Fonts in the phone without the PC?
26th August 2015, 12:04 AM |#11
ADeltaX
Quote:
Originally Posted by snickler

. Have you gotten any closer to rooting AOW @ADeltaX?

70% yes.
Adb shell is now as root user.
SU binary works fine.
Busybox too.
Superuser app seems to work too.
BUT
Apps can't reference from superuser app because of limit of project astoria caused by some modified libs. (stderr stdout = null)
SU binary reference from libc.so and it's also modified....
The Following User Says Thank You to ADeltaX For This Useful Post