Jailbreak for Windows RT
A little more than two months after launch, the long-awaited jailbreak for Windows RT has appeared online. A vulnerability was found in the Windows kernel that allows unsigned Desktop applications to be launched. Unfortunately, the jailbreak is tethered: the change lives only in kernel memory, so after a reboot it turns back into a pumpkin and has to be applied again.
Amusingly, the vulnerability was first found on desktop Windows 8 and only then ported to Windows RT. Read more about that process here.
Installation
The jailbreak procedure itself is non-trivial: it requires a computer with Windows 8 and Visual Studio 2012. But an XDA forum member has made it possible to do everything directly on the device:
- Download the archive and unzip it on your device
- Run runExploit.bat
- Follow the on-screen instructions
- When “Please press VOLUME DOWN now.” appears on the screen, press the volume-down button
As a reminder, Windows RT is the edition of Windows 8 for ARM devices such as the Microsoft Surface.
And how does it all actually work?
The text below is a
In the Windows kernel, the minimum required signing level is held in a single variable. On Windows 8 its value is 0 (Unsigned), i.e. Windows does not require a digital signature to run an application. On Windows RT its value is 8 (Microsoft), so only Microsoft-signed binaries may run. The whole jailbreak comes down to simply zeroing this variable. Sounds easy.
In practice it is very hard to do, because Windows Store applications may only use signed binaries, and from such an application you cannot obtain the security context needed to attach to other processes.
But here Microsoft obligingly released a remote debugger for Windows RT that attaches to Desktop applications just fine. With it you can attach to the CSRSS process and modify its memory directly. CSRSS, in turn, calls the vulnerable kernel function (NtUserSetInformationThread).
One such call (found in winsrv.dll):
TerminalServerRequestThread+0x230
    MOVS R3, #0xC               ; ThreadInformationLength = 12
    ADD  R2, SP, #0x58          ; ThreadInformation = pointer to a structure on the stack
    MOVS R1, #9                 ; ThreadInformationClass = 9
    MOV  R0, #0xFFFFFFFE        ; ThreadHandle = -2, the current-thread pseudo-handle
    BL   NtUserSetInformationThread
With a breakpoint here we can alter the structure at R2 just before NtUserSetInformationThread is called.
We also need the kernel's base address. It can be obtained by calling NtQuerySystemInformation, which returns a list of all loaded drivers together with their base addresses.
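As an added example (this is not code from the original post or from the jailbreak itself), here is how the kernel base can be located from user mode with NtQuerySystemInformation's SystemModuleInformation class (11). The reply layout is not in the public SDK headers, so the structure below and the two-call size-probe pattern are assumptions drawn from common reverse-engineering practice; the sample reply and its addresses are constructed for the example, and the live query is compiled only on Windows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reply layout for SystemModuleInformation (class 11); assumed, not from the SDK. */
typedef struct {
    void     *Section, *MappedBase;
    void     *ImageBase;          /* base address of the loaded kernel module */
    uint32_t  ImageSize, Flags;
    uint16_t  LoadOrderIndex, InitOrderIndex, LoadCount;
    uint16_t  OffsetToFileName;   /* index of the basename inside FullPathName */
    uint8_t   FullPathName[256];  /* e.g. "\SystemRoot\system32\ntoskrnl.exe" */
} RTL_PROCESS_MODULE_INFORMATION;

typedef struct {
    uint32_t NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];  /* NumberOfModules entries follow */
} RTL_PROCESS_MODULES;

#define MODULES_HDR offsetof(RTL_PROCESS_MODULES, Modules)

/* Image base of the module whose basename equals `name` (the kernel reports
 * lowercase names such as "ntoskrnl.exe"); 0 if absent, or if the buffer is
 * shorter than the entry count it claims (never over-read a hostile reply). */
uintptr_t find_module_base(const void *buf, size_t len, const char *name)
{
    if (buf == NULL || len < MODULES_HDR)
        return 0;
    uint32_t count = ((const RTL_PROCESS_MODULES *)buf)->NumberOfModules;
    if (count > (len - MODULES_HDR) / sizeof(RTL_PROCESS_MODULE_INFORMATION))
        return 0;                                  /* truncated reply */
    const RTL_PROCESS_MODULE_INFORMATION *e =
        (const RTL_PROCESS_MODULE_INFORMATION *)((const uint8_t *)buf + MODULES_HDR);
    for (uint32_t i = 0; i < count; i++) {
        uint16_t off = e[i].OffsetToFileName;
        if (off >= sizeof e[i].FullPathName)
            continue;                              /* malformed entry */
        if (strncmp((const char *)e[i].FullPathName + off, name,
                    sizeof e[i].FullPathName - off) == 0)
            return (uintptr_t)e[i].ImageBase;
    }
    return 0;
}

/* Constructed sample reply with made-up addresses (not from a real device), so
 * the parser can be exercised without a Windows kernel. Returns bytes written. */
size_t build_sample_modules(void *out, size_t cap)
{
    static const char *paths[2] = { "\\SystemRoot\\system32\\ntoskrnl.exe",
                                    "\\SystemRoot\\system32\\hal.dll" };
    static const uintptr_t bases[2] = { 0x80C00000u, 0x80E00000u };   /* made up */
    size_t need = MODULES_HDR + 2 * sizeof(RTL_PROCESS_MODULE_INFORMATION);
    if (out == NULL || cap < need)
        return 0;
    memset(out, 0, need);
    ((RTL_PROCESS_MODULES *)out)->NumberOfModules = 2;
    RTL_PROCESS_MODULE_INFORMATION *e =
        (RTL_PROCESS_MODULE_INFORMATION *)((uint8_t *)out + MODULES_HDR);
    for (int i = 0; i < 2; i++) {
        e[i].ImageBase = (void *)bases[i];
        strcpy((char *)e[i].FullPathName, paths[i]);
        e[i].OffsetToFileName = (uint16_t)(strrchr(paths[i], '\\') - paths[i] + 1);
    }
    return need;
}

#ifdef _WIN32
#include <windows.h>
typedef LONG (WINAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);
/* Live query: size probe (expects STATUS_INFO_LENGTH_MISMATCH), then fetch. Caller frees. */
void *query_system_modules(size_t *out_len)
{
    NtQSI_t q = (NtQSI_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                        "NtQuerySystemInformation");
    ULONG len = 0;
    if (!q || q(11, NULL, 0, &len) != (LONG)0xC0000004L || !len)
        return NULL;
    void *buf = malloc(len);
    if (buf && q(11, buf, len, &len) != 0) { free(buf); return NULL; }
    if (buf) *out_len = len;
    return buf;
}
#endif

int main(void)
{
    static uint64_t storage[256];                  /* 8-byte aligned scratch */
    size_t len = build_sample_modules(storage, sizeof storage);
    const void *buf = storage;                     /* constructed sample ... */
#ifdef _WIN32
    void *live = query_system_modules(&len);       /* ... or the real list on Windows */
    if (live) buf = live;
#endif
    uintptr_t base = find_module_base(buf, len, "ntoskrnl.exe");
    printf("ntoskrnl.exe base: 0x%llx\n", (unsigned long long)base);
    return base ? 0 : 1;
}
```

The signing-level variable then sits at the returned base plus a build-specific offset inside ntoskrnl.exe; the post does not give that offset and the example does not invent one. Note also that Windows 8.1 onward restricts which callers receive kernel addresses from this class, so this leak is not something to rely on outside the Windows 8/RT era.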
All that remains is to inject our code into winsrv.dll (a half-empty page at offset 0x10800 serves for this) and, once the breakpoint fires, point the program counter (the PC register on ARM) at the start of our code.
That's all :)
Conclusion
For those who read this far, here is a link to a post with a collection of programs compiled for ARM: Notepad++, 7-Zip and a VNC client are already there.
You can also build software yourself; read this. If you need static libraries that are not in the Windows SDK, you can use this tool.