Jailbreak exploit released

By Myriachan, Senior Member on 14th October 2015, 08:16 AM
Microsoft's October 2015 Windows Update set contains a fix for my jailbreak exploit:
https://support.microsoft.com/en-us/kb/3096447
https://technet.microsoft.com/library/security/MS15-111

Specifically, the "Trusted Boot Security Feature Bypass Vulnerability – CVE-2015-2552" is my jailbreak exploit =( This is sooner than I would like, since it may hurt Windows Mobile 10 jailbreaking. I've decided to release the exploit details. Note that it's not very user-friendly at all right now.

The exploit itself is simple. Run an administrator PowerShell (can't be cmd), and execute the following command, then reboot:

bcdedit /set '{current}' loadoptions '/TŅSTSIGNING'

(The Ņ character is Unicode character U+0145, which you can find in Character Map if you need it.)

Your system will come up in "test signing" mode, along with a watermark on the desktop indicating this. While in test-signing mode, applications still have to be signed, but they can be signed by anyone, including your own self-signed certificates.

How to sign executables for this is mostly beyond the scope of what I'm posting. Use makecert and signtool. Your certificate must be at least 2048-bit RSA. When using signtool, be sure to timestamp your executable (/t option), use page hashing mode (/ph) and SHA-256 (/fd SHA256).

Someone I've been working with made a full jailbreak based upon this that doesn't require signing anything, like the RT 8.0 jailbreak was able to do. Stay tuned.

Details of why this works: http://pastebin.com/w5U2qTR0
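Added example, not from this thread or from Myriachan: a Python audit a defender could run over saved `bcdedit /enum` output to spot this kind of tampering. It flags any non-ASCII character in loadoptions (which catches the U+0145 substitution regardless of the exact loader bug, including the leading-space variant posted later in the thread) and, as a second signal, any token that only matches TESTSIGNING after folding every character to its low byte; that folding is my assumption about the lossy comparison involved (0x0145's low byte is 0x45, 'E'), and the sample output below is constructed.

```python
import re
import unicodedata

# Constructed sample in the shape of `bcdedit /enum {current}` output (not
# captured from a real device); loadoptions carries U+0145 in place of 'E'.
SAMPLE_BCD_OUTPUT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.efi
description             Windows RT
loadoptions             /T\u0145STSIGNING
testsigning             No
"""

# Boot switch that should never be set on a locked-down device.
SENSITIVE_SWITCHES = {"TESTSIGNING"}

def parse_bcd_elements(text):
    """Return {element: value} for every 'name   value' line of bcdedit output."""
    elements = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s{2,}(.+?)\s*$", line)
        if m:
            elements[m.group(1)] = m.group(2)
    return elements

def low_byte_fold(s):
    """Fold each character to its low byte. This models the lossy comparison
    assumed here for the pre-patch loader (0x0145 & 0xFF == 0x45 == 'E')."""
    return "".join(chr(ord(c) & 0xFF) for c in s)

def audit_loadoptions(elements):
    """Return human-readable findings for suspicious loadoptions tokens."""
    findings = []
    # split() also handles the leading-space variant posted later in the thread.
    for token in elements.get("loadoptions", "").split():
        non_ascii = [c for c in token if ord(c) > 0x7F]
        if non_ascii:
            names = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in non_ascii)
            findings.append(f"non-ASCII character(s) in boot option {token!r}: {names}")
        plain = token.upper().lstrip("/")
        folded = low_byte_fold(token).upper().lstrip("/")
        if plain in SENSITIVE_SWITCHES:
            findings.append(f"sensitive boot switch set: {plain}")
        elif folded in SENSITIVE_SWITCHES:
            findings.append(f"{token!r} collides with {folded} under an 8-bit compare")
    return findings
```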
14th October 2015, 10:16 AM |#2  
Junior Member
Excellent. My Surface 2 is going to have more fun.
14th October 2015, 02:18 PM |#3  
Junior Member
Maynard, MA
Quote:
Originally Posted by Myriachan

How to sign executables for this is mostly beyond the scope of what I'm posting. Use makecert and signtool. Your certificate must be at least 2048-bit RSA. When using signtool, be sure to timestamp your executable (/t option), use page hashing mode (/ph) and SHA-256 (/fd SHA256).

Someone I've been working with made a full jailbreak based upon this that doesn't require signing anything, like the RT 8.0 jailbreak was able to do. Stay tuned.

Details of why this works: http://pastebin.com/w5U2qTR0

Myria, I have ported much software for jailbroken RT, and I am wondering if I should sign the executables myself and then release signed binaries, or is this something that each individual RT user needs to do themselves?

Are both options available? I could sign the binaries that I have ported and self-sign the ones that other folks have ported?
14th October 2015, 03:20 PM |#4  
Senior Member
Hopefully this update (KB3096447 I assume based on the link) can be uninstalled (if accidentally installed) and blocked like usual. And I also hope those of us that are still on RT 8.0 and upgrade will also be able to remove and block it... would it be automatically installed on an 8.1 upgrade at this point?

This is both exciting and annoying at the same time... exciting that the 8.1 jailbreak is finally being released, and annoying that the exploit is already being fixed. Once in test mode, if this update is then installed will it continue to run in test mode? Or is it possible for an update to put it back in normal (locked down) mode?

Edit:
My Surface running RT 8.0 just installed KB3088195, which seems to refer to the same security bulletin MS15-111.
https://support.microsoft.com/en-us/kb/3088195

I see in the KB3096447 from the first post that it lists KB3088195 as the actual update. So if I understand this correctly then KB3088195 is the one that needs to be uninstalled and blocked...
14th October 2015, 07:16 PM |#5  
Junior Member
About "latin_capital_letter_n_with_cedilla" char:
http://www.fileformat.info/info/unic...th_cedilla.png
http://www.fileformat.info/info/unic...0145/index.htm
You can enter it with this small tool:
http://www.fileformat.info/tool/unicodeinput/index.htm

I didn't succeed with entering this into PowerShell:
bcdedit /set '{current}' loadoptions '/TŅSTSIGNING'

1. but I was successful, when I added [SPACE] here:
' /TŅSTSIGNING' like '[SPACE]/TŅSTSIGNING'

So this works:
bcdedit /set '{current}' loadoptions ' /TŅSTSIGNING'

It seems that ' and / can't be next to each other.

2. TWO updates will break that on WRT8-1 (and no others):
kb3088195 AND kb3084905-v2 (anything that updates winload.efi to v6-3-9600-180066 or higher [-67 in the 2nd case])

3. Instead of kb3084905-v2 on WRT8-1, you can install v1 to be protected, if you don't have it (if you installed v2 directly in the past):
http://download.windowsupdate.com/d/...f3d93dfef0.msu

Now I had to make the certificate thingies...
MakeCert is for making a certificate and SignTool is for signing:

MakeCert -r -pe -sr localmachine -ss Root -n "CN=WRTJBCert" C:\Decomp\WRTJBCert.cer
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\notepad++.exe
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\boost_regex-mt.dll
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\ComparePlugin.dll
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\SciLexer.dll
signtool sign /v /sm /s Root /n WRTJBCert /tr http://www.startssl.com/timestamp /ph /fd sha256 C:\Decomp\Scintilla.dll

4. If time stamp server fails, just repeat the command.

Now it works and the watermark says "TestMode":
http://www.technique.cz/storage/jailbreak.jpg

My post at MDL:
http://forums.mydigitallife.info/thr...=1#post1163347
15th October 2015, 04:24 AM |#6  
Member
It's a start. Thank you!
15th October 2015, 07:28 AM |#7  
Junior Member
Guys, who will compile a C++ equivalent of this for ARM?
Ready to donate. )
It is a Lazarus PAS thingie for the Shutdown menu:

program Shutdown;
{$apptype GUI}        { GUI subsystem: no console window is opened }
{$mode objfpc}{$H+}

uses
{$IFDEF UNIX}{$IFDEF UseCThreads}
cthreads,
{$ENDIF}{$ENDIF}
ComObj                { provides CreateOleObject for late-bound COM calls }
{ you can add units after this };

var
shell: Variant;

{$R *.res}

begin
{ get the Explorer shell automation object }
shell := CreateOleObject('Shell.Application');
{ show the same shutdown dialog that Alt+F4 on the desktop brings up }
shell.ShutdownWindows;
end.
15th October 2015, 12:07 PM |#8  
eisbaer82
Member
Dortmund
Quote:
Originally Posted by mbjun

Guys, who will compile C++ equivalent for this for ARM.
Ready to donate. )
It is Lazarus PAS thingie for Shutdown menu:

program Shutdown;
{$apptype GUI}
{$mode objfpc}{$H+}

uses
{$IFDEF UNIX}{$IFDEF UseCThreads}
cthreads,
{$ENDIF}{$ENDIF}
ComObj
{ you can add units after this };

var
shell: Variant;

{$R *.res}

begin
shell := CreateOleObject('Shell.Application');
shell.ShutdownWindows;
end.

Why do you not use the built-in command line tool? Simply execute "shutdown -t 0 -s"

EDIT: Ah, it displays the menu that's reachable via Alt+F4 on the taskbar. I'm not on my Surface yet and never tried it: do VBS scripts work?
15th October 2015, 05:32 PM |#9  
Senior Member
Quote:
Originally Posted by acrossland

Myria, I have ported much software for jailbroken RT, and I am wondering if I should sign the executables myself and the release signed binaries, or is this something that each individual RT user needs to do themselves?

Are both options available? I could sign the binaries that I have ported and self-sign the ones that other folks have ported?

You can sign the binary and share the signed one, it will work. Tested.
16th October 2015, 12:27 AM |#10  
Junior Member
Quote:
Originally Posted by jesuslg123

You can sign the binary and share the signed one, it will work. Tested.

Yep, but you have to share your certificate too (with pub and priv key), so the user can add it to the trusted root certificates in his certificate store.

Quote:
Originally Posted by acrossland

Myria, I have ported much software for jailbroken RT, and I am wondering if I should sign the executables myself and the release signed binaries, or is this something that each individual RT user needs to do themselves?

Are both options available? I could sign the binaries that I have ported and self-sign the ones that other folks have ported?

IMHO you should just tell the users the list of files which need to be signed.
16th October 2015, 08:23 AM |#11  
Senior Member
Quote:
Originally Posted by mbjun

Yep, but you have to share your certificate too (with pub and priv key), so the user can add it to the trusted root certificates in his certificate store.

I'm not sure about that, yesterday I got a few signed games, shared by another person, and they work perfectly without his certificate.