Related
I've finally reach 10 unsigned app on my phone. Took way longer that I thought...
This is not new for anyone who's not spending time asking for unlock key, but I've made a small app to automate the process of pushing the limit to 100000.
Here it is: http://bit.ly/qpVyR4
Work on my HTC, may work on other device as well (let me know).
Warning: At least one person had problem deploying app on his Samsung after running this app.
Edit: Updated version with rollback button (which already exists but was hidden )
this has been out for like a month now..... but good job of creating one!
http://forum.xda-developers.com/showthread.php?t=875885
Exactly what I said... nothing new but packaged as a XAP
Advanced Configuration Tool for WP7 Beta
http://forum.touchxperience.com/viewtopic.php?f=11&t=590&p=2349
has an option to remove the limit, plus set as many colour schemes as you like, and add single registry keys directly.
Its still beta but works a treat so far on my HD2, and comes with about 50 colours for the theme, or input your own with hex codes.
This tools works only on HTC. Minne should work on Samsung too, maybe on LG.
But if you have an HTC, AdvConfig is probably easier to use.
I'm not spending much time making pretty app
I ran this earlier (along with setting the key manually before), and it doesn't work. I still was limited to 10 apps.
But now, frighteningly, I'm unable to deploy -some- apps from Visual Studio (limit reached). I have a real dev unlock, never messed with Chevron.
Thanks, (nico)! I've removed this (stupid!) limit on my Focus (officially unlocked), everything works fine including deployment/debug from VS 2010. Good job!
davux said:
I ran this earlier (along with setting the key manually before), and it doesn't work. I still was limited to 10 apps.
But now, frighteningly, I'm unable to deploy -some- apps from Visual Studio (limit reached). I have a real dev unlock, never messed with Chevron.
Click to expand...
Click to collapse
I'm also officially unlock.
Like with folks with Chevron, I think the limit will be reseted periodically by Zune.
What do you mean by "some" apps?
You can't install more than 10 apps?
Not sure what do you mean, but I'll try to answer.
Using (official) unlock method, you won't be able to deploy more than 10 unsigned apps. 3 if you have a student account.
Chevron also have the same 10 limit (because they intentionally keep MS limit).
This registry tweak try to remove that limit.
In either way, this don't modify the number of app you can install though Marketplace, which is not limited.
(nico) said:
I'm also officially unlock.
Like with folks with Chevron, I think the limit will be reseted periodically by Zune.
What do you mean by "some" apps?
Click to expand...
Click to collapse
I set the key manually in the code Rusty released for the Samsung devices the other day. I wasn't able to deploy the 11th app via VS. I continued dealing with it until I got your XAP, I ran that yesterday and now sometimes I have trouble deploying in VS, even with <10 apps. Restarting VS and the phone doesn't have any effect.
Not that I'm blaming you or anything - just figured I'd note my experience. Some projects will still deploy, not sure of the pattern yet.
Thanks, that the kind of feedback I'm looking for. I'll add this to the first post to warn people.
If you have more infos, please share so we can have something more stable.
Thanks!
* Works on [Europe] Omnia 7
Ah this is the tool that some XDA user was trying to pass off as his own tool.
The big Athiest said:
Ah this is the tool that some XDA user was trying to pass off as his own tool.
Click to expand...
Click to collapse
What are you talking about?
(nico) said:
What are you talking about?
Click to expand...
Click to collapse
Look up the RRTool in this forum that I wrote, he is basically saying I rebranded the Chevron Tool as my own, even though my Tool runs on the device not from desktop and only prevents relocking, it doesnt actually unlock a device like chevron does. He only has 2 posts and tried to ruin my credability! Not Happy!
He is a lame troll. Don't pay attention. Thank you both guys! Great job!
P.S. Just a small remark: after using your tools (first I've tried (nico)'s tool, later (toady) RRTool. Both works good but behavior of VS 2010 a little bit changed. Now I can't deploy project via Zune - must close it first and use WPConnect.
Did you try to restore the original value (probably 10 for most users) and see what happends?
Nope, I didn't. Just have no time to browse for Samsung's registry editor or reflect back your's or lyriquidperfection app. Could you add an option to restore back an original values? Anyway, it's not a real problem. MS limitation of 10 app (or 3 for student account) it's just stupid and unfair. What, if I have more than 10(3) homebrew projects to debug and run? What, if I want to recreate all apps I need by myself? But of course the "MS greediness sux!" is not a topic for this thread
sensboston said:
Nope, I didn't. Just have no time to browse for Samsung's registry editor or reflect back your's or lyriquidperfection app. Could you add an option to restore back an original values? Anyway, it's not a real problem. MS limitation of 10 app (or 3 for student account) it's just stupid and unfair. What, if I have more than 10(3) homebrew projects to debug and run? What, if I want to recreate all apps I need by myself? But of course the "MS greediness sux!" is not a topic for this thread
Click to expand...
Click to collapse
Sorry I thought I did it but the button was hidden
Here is an updated version with a restore button to 10 apps: http://bit.ly/gKZDgj
I want to do the following:
xboxmod said:
Google
Code:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="Google"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\Google]
"URL"="http://www.google.com/m?hl=en&gl=us&client=ms-hms-tmobile-us&q={searchTerms}"
Click to expand...
Click to collapse
I installed Registry Editor from TouchXperience on my Samsung Omnia 7. I went to:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
And changed DefaultScope's value to "Google" (without the quote obviously). For:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\Google]
I need to create a new key and name it Google in SearchScopes, right?
I tried to do that, but Registry Viewer could not create the new key. I tried multiple times, but it wouldn't work. I get the following error:
Unable to create registry key "Google".
I also accidentally created a new value called "a" but when I try deleting it, I get a similar error. I get the following error:
Unable to delete registry value "a".
TouchXperience registry editor uses the COMRilClient.dll from Samsung to get access to the registry on Samsung devices. This dll only allows read/write of dword and string values. It does not allow to create/delete keys and it does not allow to delete values. It is also restricted to keys that have permissions for Elevated Privileges. It has no access to key that need TCB permissions.
At the moment I am working on "WP7 Root Tools" which allows you to read and write to the entire registry. At the moment I am using a little part of the Samsung drivers, so for now it is only suitable for Samsung devices. I will try to make it work for all devices in time. With a work-around I have access to the phone with TCB privileges.
I have been working on it for quite a time now and I am close to releasing an alpha version. It has been delayed, because last month my grandpa died and now my mother is on Intensive Care because she had an aneurism and needed brain surgery. She is recovering in very little steps and I pray she will be fully recovered after rehabilitation.
So I am not fully committed to hacking at this moment, but I promise it won't be very long before I can release a working alpha version.
Thanks for the info, though does that mean I can't even remove the "a" value that I accidentally added?
I'm sorry to hear about your family situation. I hope your mother fully recovers sooner than later.
Chaoticaa said:
Thanks for the info, though does that mean I can't even remove the "a" value that I accidentally added?
Click to expand...
Click to collapse
Yes, that's right. But it probably won't do any harm. So don't bother.
Chaoticaa said:
I'm sorry to hear about your family situation. I hope your mother fully recovers sooner than later.
Click to expand...
Click to collapse
Thanks.
Heathcliff74 said:
But it probably won't do any harm. So don't bother.
Click to expand...
Click to collapse
Yeah, it doesn't even make sense for it to have any affect unless something is looking for that value name in my registry. I'm just a neat-freak that hates that extra accidental value a lot more than the fact that I can't do what I was trying to accomplish.
Chaoticaa said:
Yeah, it doesn't even make sense for it to have any affect unless something is looking for that value name in my registry. I'm just a neat-freak that hates that extra accidental value a lot more than the fact that I can't do what I was trying to accomplish.
Click to expand...
Click to collapse
You could always hard-reset your phone
Hahaha not that bothered by it.
As it is known that HTCUtility.dll will provide complete, unrestricted access to the TCB chamber on HTC devices, can this be used to unlock (at any level) the OS?
I have not heard anyone speaking of it and exists on my HTC Arrive. Seems to be a bypass for unrestricted access to anything within HTC devices.
I am looking at it myself, but thought I would share.
See details here...
http://labs.mwrinfosecurity.com/files/Advisories/mwri_htc-htcutility-kernmem_2011-11-10.pdf
Your link is down
very interesting but you link is down so please fix it so I can take a look. I too have a HTC arrive and have been working on an unlock.
Don't know what happened to the link.
Here is the link to the google docs version.
https://docs.google.com/viewer?a=v&...1C1HkN&sig=AHIEtbTwK-r8RyAyFmt1ai119m7EVAqsNA
-Paul
This looks promising, I'd like to know if what's written there is true ...
The paper is a couple months old, so it *could* have been patched by HTC... but hey, it also might not have been! This bears investigation post-haste.
It's easy enough to use this to execute some arbitrary code at high permissions, which is certainly useful as-is (do things like unrestricted registry and filesystem access). The real potential of it, though, is to turn off the security restrictions for specific apps. Essentially, get the benefits of a "fully unlocked" ROM but on a stock ROM, and only for the apps you specify.
One thing to note here: this is still going to require an interop-unlocked phone. It's opening a handle to a driver, and just like everything else that does so, it needs ID_CAP_INTEROPSERVICES. This is great news for owners of interop-unlocked/unlockabe phones (since this makes interop-unlock useful again) but probably doesn't help on 2nd-gen phones or on the Arrive (unless you want to roll back to NoDo, in which case this can probably be used to make an interop-unlock that works on Mango, though it wouldn't be easy).
I hope some one gets this working for the Arrive ASAP
Oh this was talked about a while back. It was patched back in NODO
Really? The paper is from only 3 months ago (assuming USA numeric date style, 2 months otherwise). You don't typically publish security advisories for things that were patched more than 6 months prior.
In any case, HTCUtility.dll still exists on my phone. No idea yet if that IOCTL still works, though. I'll try it out in any case, and report back.
For those asking about it for the Arrive though, you're likely out of luck even if this works. It is *not* a way to interop-unlock a phone, and it is *not* a way around interop-unlock. It's a way to do more things on an interop-unlocked phone. You can't even reach a driver (which is what HTCUtility.dll is) unless your app has ID_CAP_INTEROPSERVICES - that's what the capability is actually for, accessing drivers - and you can't install a homebrew app with that capability unless interop-unlocked (or on pre-Mango).
GoodDayToDie said:
I'll try it out in any case, and report back.
Click to expand...
Click to collapse
Thank you
GoodDayToDie said:
Really? The paper is from only 3 months ago (assuming USA numeric date style, 2 months otherwise). You don't typically publish security advisories for things that were patched more than 6 months prior.
In any case, HTCUtility.dll still exists on my phone. No idea yet if that IOCTL still works, though. I'll try it out in any case, and report back.
For those asking about it for the Arrive though, you're likely out of luck even if this works. It is *not* a way to interop-unlock a phone, and it is *not* a way around interop-unlock. It's a way to do more things on an interop-unlocked phone. You can't even reach a driver (which is what HTCUtility.dll is) unless your app has ID_CAP_INTEROPSERVICES - that's what the capability is actually for, accessing drivers - and you can't install a homebrew app with that capability unless interop-unlocked (or on pre-Mango).
Click to expand...
Click to collapse
Yeah I think it was mentioned here on XDA and it was believed to already have been patched.
I think by "patch" they mean that Interop was restricted as of Mango, thereby securing this exploit, in Mango. But for those that are Interop unlocked, this should still grant full access to everything else.
Just my observations. I have an Arrive and am not Interop unlocked yet, so I can't test it.
Looking at the hand-free provisioning to see if I can find a way to leverage that....
-Paul
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process contet blocks, but none with CE ones (if it even uses such a structure).
GoodDayToDie said:
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process contet blocks, but none with CE ones (if it even uses such a structure).
Click to expand...
Click to collapse
All the information looks like it is in the advisory. KDataStruct is what you want. That is equivalent to the PEB in Windows CE.
GoodDayToDie said:
It works. I successfully opened a handle, read a kernel-mode memory address, modified it, confirmed the modified value, and restored it.
Next trick: finding something really useful to change. Ideally, probably the process security info - if I can simply elevate a given process to full permissions, then I'm golden.
Will share code soon. If somebody knows where I can find the important part of the process info, let me know - I have a little familiarity with NT process contet blocks, but none with CE ones (if it even uses such a structure).
Click to expand...
Click to collapse
Can you confirm this works only on already Interop Unlocked device ?
Thx for your efforts.
Could htclv.dll be helpful in setting security on an app? It supports the following functions:
LVModInitialize LVModUninitialize LVModAuthenticateFile LVModRouting LVModAuthorize LVModGetPageHashData LVModCloseAuthenticationHandle LVModGetHash LVModProvisionSecurityForApplication LVModDeprovisionSecurityForApplication LVModGetSignerCertificateThumbprint LVModSetDeveloperUnlockState LVModAuthorizeVolatileCertificate LVModGetDeveloperUnlockState
In particular the "Deprovision Security for App" and "Get/set DeveloperUnlock" or maybe "Authorize Volatile Certificate"....
Or maybe htcpl.dll which seems to be the HTC policy engine interface. Supports:
GetFunctionTable PolicyCloseHandle PolicyEngineInit PolicyRuleAbortTransaction PolicyRuleAddRawData PolicyRuleBeginTransaction PolicyRuleBuildRawData PolicyRuleCommit PolicyRuleCommitTransaction PolicyRuleCreate PolicyRuleDelete PolicyRuleFindFirst PolicyRuleFindNext PolicyRuleGetInfo PolicyRuleOpen PolicyRuleParseRawData PolicyRuleReadRawData
These all look good to modify the security policies on HTC, assuming Interop-Unlocked.
-Paul
@dragonide: Confirmed, this requires interop-unlock since the very first step is opening a handle to a driver.
@Paul_Hammons: The LVMod functions look quite interesting indeed. Where are you getting these functions from (straight out of the DLLs, or some doc somewhere, or decompiled code, or...?), are they user or kernel entry points, and what permissions do they require? The ability to modify app security doesn't do as much good if you already have to be high-privileged to call it, though it might simplify my current goal.
@n0psl3d: Cool, I'll get to work on it.
@n0psl3d: KDataStruct contains kernel information, but I'm pretty sure what I need is in a PROCESS struct (such as is pointed to by pCurPrc). The problem is, I can't find any documentation for that struct. I'm searching online but so far coming up empty. CE doesn't seem to use PEBs or TEBs as I've seen them on NT (not terribly surprising, but annoying).
EDIT: I'm downloading the Embedded CE toolkit, which comes with source code. It'll take a while but hopefully that will have what I need.
OK, digging through the CE source I've found some interesting things. No idea if this will work yet; it'll be exciting just to make it compile.
PROCESS struct -> hTok (handle to a Token) -> phd (PHDATA, pointer to the handle data) -> pvObj (PVOID to the actual object, which is probably a TOKENINFO) -> psi (pointer to ADBI_SECURITY_INFO) -> contains the actual ACLs and privileges, and can be created from an account ID.
Probably the easiest option is to find a relatively high-privilege process and clone its token or some such. Token re-use (if I increment the reference count, this should work) may be easier. Modifying an existing token might also be doable.
Anyhow, I'm not going to have this finished tonight, but it'll get there. For those wondering wht you can do with this, it basically breaks you out of the sandbox entirely. You can call any function, access any resource, etc. that is available to a userland process (executing in kernel mode is also possible but trickier). Practically speaking, this makes all the other high-privilege COM DLLs useless - instead of ComFileRW, just use the file IO methods (anywhere you want), instead of DMXMLCOM just call ConfigProvXml directly. Even things like launching native EXEs directly should become possible (run those Opera ports on a stock ROM, for example).
I'm sorry, I still don't know what any of that means. But it sounds good! I wish I knew how to do this kind of stuff. Thanks for all of your work!
Tada. Here's a little stupid-simple something I made to cure my frustrations.
Whooo. New version, basically wiped up the whole post. Oops.
Anyway, here's orientation lock, an application that, well, locks your orientation. It does this by setting the accelerometer to power state D4, then back to D0 to revive it.
Using DllImport:
Code:
DllImportCaller.lib.StringIntIntCall("coredll", "SetDevicePower", "ACC1:", 1, (int)Phone.Network.WiFi.PowerState.D0);
Simple. Worked on my HD7, Lumia, and Focus. Lmk if you have any issues.
Oh, and known problem: HTC devices detect the accel sensor as active, even when it isn't. Weird. Toggling the button back and forth works, though.
Download: http://windowsphonehacker.com/articles/orientation_lock_release-02-06-12
Cheers!
DeactivateDevice() ACC1: on HTC device will make phone reboot.
ted973 said:
DeactivateDevice() ACC1: on HTC device will make phone reboot.
Click to expand...
Click to collapse
Is that from this application or when you do it using native APIs?
Jaxbot said:
Is that from this application or when you do it using native APIs?
Click to expand...
Click to collapse
oh, i try this before and your app is same result.
DeactivateDevice()
change registry "Dll"
ActivateDeviceEx()
Process above, sometimes works on HTC Device, but it is real "sometimes"!
ted973 said:
oh, i try this before and your app is same result.
DeactivateDevice()
change registry "Dll"
ActivateDeviceEx()
Process above, sometimes works on HTC Device, but it is real "sometimes"!
Click to expand...
Click to collapse
I know you can change it in the registry, but I was hoping for something a little more integrated. I wonder what the deal with HTC is.
Jaxbot said:
I know you can change it in the registry, but I was hoping for something a little more integrated. I wonder what the deal with HTC is.
Click to expand...
Click to collapse
does samsung & lg device have this in registry:
[HKLM\Drivers\BuiltIn\Accelerometer]
"ForegoundModule"="\Windows\TaskHost.exe"
ted973 said:
does samsung & lg device have this in registry:
[HKLM\Drivers\BuiltIn\Accelerometer]
"ForegoundModule"="\Windows\TaskHost.exe"
Click to expand...
Click to collapse
Samsung doesn't, nor does it have all the X Y Z values.
works on focus s, surprisingly....
ManelScout4Life said:
works on focus s, surprisingly....
Click to expand...
Click to collapse
Why wouldn't it? And I saw your comment on Wpcentral, thanks for that. I don't blame anyone, even I get confused with all these different devices and driver versions. Seems only the end consumer has a consistent experience
Jaxbot said:
Why wouldn't it? And I saw your comment on Wpcentral, thanks for that. I don't blame anyone, even I get confused with all these different devices and driver versions. Seems only the end consumer has a consistent experience
Click to expand...
Click to collapse
With all the changes in the gen2 software, I figured it wouldn't work. Just like none of the interop apps work so far I figured this would be on the same boat.
ManelScout4Life said:
With all the changes in the gen2 software, I figured it wouldn't work. Just like none of the interop apps work so far I figured this would be on the same boat.
Click to expand...
Click to collapse
Nah, they don't work because of other changes, but it's a good thought, and I was worried myself. Glad to see it does, though
More specifically, most homebrew interop apps don't work on Samsung Gen2 because they use OEM drivers that are specifically designed to allow apps to do high-privilege things their sandbox normally prevents. In gen2 firmware, Samsung crippled those drivers somehow, locking them down to their own apps only (bears more investigating, but that's the best explanation I've found so far).
This, on the other hand, is simply opening a driver that's built into the phone - all phones, apparently - and is an actual device driver, not a software driver intended forleaving the sandbox. Samsung can't cripple that, or it wouldn't be possible for any app to use the accelerometer. Interop unlock is still required, though - in simple terms, what ID_CAP_INTEROPSERVICES regulates is "Can the app open a direct handle to a driver?" and this app needs to do this.
Update for everyone:
No more interop unlock, now allows toggling. You're welcome =D
http://windowsphonehacker.com/articles/orientation_lock_release-02-06-12
Also a video with my sexy new phone (Lumia 800) in it ^^
http://www.youtube.com/watch?feature=player_embedded&v=7tNiDn-7Szw
Too bad that this can't be put in the Marketplace; it's the kind of app a lot of people have been asking for. All the more reason for Microosft to provide more Chevron Labs unlock tokens, I guess...
EDIT: I guess that having the Sensors capability gives enough permissions to call SetDevicePower on it? I would have expected ERROR_ACCESS_DENIED. In any case, well done. Works on my HD7. One minor bug is that it doesn't remember or detect when disabled, so to re-enable it I have to first toggle to Disabled, then back to Enabled, because when the app is launched it *always* says Enabled. Might be an HTC firmware oddity.
GoodDayToDie said:
Too bad that this can't be put in the Marketplace; it's the kind of app a lot of people have been asking for. All the more reason for Microosft to provide more Chevron Labs unlock tokens, I guess...
Click to expand...
Click to collapse
Exactly. It's harmless, stays at LPC level. Wish Microsoft would let in some more /dangerous/ applications.
Awesome, good job. I've been looking for this. Works well on optimus 7
SetDevicePower really nice solution!!!
One simple fix for HTC, if they always report the accelerometer as available: can you use GetDevicePower? The method signature is the same, except the third parameter is a pointer (which .NET will see as an "out" parameter, if you declare it as such). I'm not sure if DllImport supports those, but it could be done very easily using COM.
Actually, turns out the problem is more universal than I thought. I'll find a fix for it soon, should be simple enough.
Liking this update very much Looking forward to the toggle fix.
I'm posting this here because it says I need to get 10 posts in order to post on the Windows 8 development forums.
Why does the Windows RT jailbreak require that you press the volume button? As far as I can tell, pressing volume is used to trigger a code path in winsrv.dll on which a hook is placed. The hook jumps to the code cave between the .text and .data segments.
Reading the disassembly, the injected code uses the native API equivalent of EnumDeviceDrivers to get ntoskrnl.exe's base address, then calls the broken NtUserSetInformationThread subfunction 9 0x7EFF0 times to clear g_ciEnabled in the kernel. (I read the part about interlocked operations causing an exception in ARM if the target is unaligned, unlike x86 where it's merely not atomic.)
Instead of hooking an existing code path, why not inject a DLL into csrss.exe and create a thread in it? This seems like it would be much more stable, and wouldn't require pressing the volume button. CreateRemoteThread doesn't work with csrss.exe, because it tries to register the new thread with csrss.exe. Oops. However, RtlCreateUserThread *does* work, since native threads don't need to talk to csrss.
Where did cdb.exe come from? It doesn't come with the Visual Studio 2012 Remote Tools, so I'm guessing that it's a leak. In the absence of any other information, I'm going to guess that it's a leaked ARM version of Debugging Tools for Windows given to hardware developers who write drivers for Windows RT.
I'm working on a custom jailbreak that improves on a lot of issues. It's a single file, a .bat, that extracts everything needed, and a jailbreak program written in C. I've already gotten the custom C DLL loaded and executing, and am now looking into what I need to do to csrss.exe. Getting code executing inside csrss.exe won't be too hard, but I'm wondering what that code will need to do.
Moved here as not an Android related development issue, so was out of place in General forums.
You won't be able to inject .dll's. Windows will refuse to load the modules, unless the jailbreak has already ran.
As far as why it needs the volume button, you're correct in that it just executes an easily hooked code path in csrss.
netham45 said:
You won't be able to inject .dll's. Windows will refuse to load the modules, unless the jailbreak has already ran.
As far as why it needs the volume button, you're correct in that it just executes an easily hooked code path in csrss.
Click to expand...
Click to collapse
My DLL was linked with /filealign:4096, resulting in a perfect RVA to file offset mapping (assuming I don't create more than a small amount of zero-initialized global variables). With that, I can use NtMapViewOfSection without SEC_IMAGE to map it into csrss's memory without ci.dll getting in the way.
Once the DLL is mapped, I fix up its relocations, load the imports, and RtlAddFunctionTable. From there, the DLL is stable enough to do most things. All this works already - I'm just writing what to do next.
Does Tuesday's win32k.sys patch fix this bug? I saw that the patch had fixes for like 20 win32k bugs found by the Google guy who discovered the NtUserSetInformationThread 9 exploit.
Myriachan said:
I'm posting this here because it says I need to get 10 posts in order to post on the Windows 8 development forums.
Why does the Windows RT jailbreak require that you press the volume button? As far as I can tell, pressing volume is used to trigger a code path in winsrv.dll on which a hook is placed. The hook jumps to the code cave between the .text and .data segments.
Reading the disassembly, the injected code uses the native API equivalent of EnumDeviceDrivers to get ntoskrnl.exe's base address, then calls the broken NtUserSetInformationThread subfunction 9 0x7EFF0 times to clear g_ciEnabled in the kernel. (I read the part about interlocked operations causing an exception in ARM if the target is unaligned, unlike x86 where it's merely not atomic.)
Instead of hooking an existing code path, why not inject a DLL into csrss.exe and create a thread in it? This seems like it would be much more stable, and wouldn't require pressing the volume button. CreateRemoteThread doesn't work with csrss.exe, because it tries to register the new thread with csrss.exe. Oops. However, RtlCreateUserThread *does* work, since native threads don't need to talk to csrss.
Where did cdb.exe come from? It doesn't come with the Visual Studio 2012 Remote Tools, so I'm guessing that it's a leak. In the absence of any other information, I'm going to guess that it's a leaked ARM version of Debugging Tools for Windows given to hardware developers who write drivers for Windows RT.
I'm working on a custom jailbreak that improves on a lot of issues. It's a single file, a .bat, that extracts everything needed, and a jailbreak program written in C. I've already gotten the custom C DLL loaded and executing, and am now looking into what I need to do to csrss.exe. Getting code executing inside csrss.exe won't be too hard, but I'm wondering what that code will need to do.
Click to expand...
Click to collapse
Hello!
Glad to see here sensible Guru, who understand, that non-permanent JB, requiring "Vol -" pressing and hanging in RAM - is a vicious way! I can't understand reluctance of Netham45 to make a permanent JB (nothing personal). If you will develop your own JB with options, described above, it will be a breakthrough! Wish you good luck and fastest implementation of planned :fingers-crossed:
If you think netham45 is reluctant to make a permanent jailbreak, your lack of understanding is far greater than you know. A permanent jailbreak would be excellent, especially one that was active immediately at boot (instead of requiring a delay after booting, during which time the default restrictions are still in place).
However, there are some issues with the current jailbreak technique. In particular, it's dependent upon knowing the correct offset for the flag that needs changing, there's no way to know for certain the state of that flag before writing it, and the offset changes with updates. If the wrong offset is written to, or the wrong value written, the system crashes. Therefore, making a "permanent" jailbreak using this hack runs a very real and serious risk of putting the device into a bluescreen-reboot loop after an update, even one that isn't intended to break the jailbreak, just by accident.
In order to make a reasonably safe permanent jailbreak, a new jailbreak method will need to be discovered. That's not a trivial thing; the first one took some time to discover at all, and the effort on finding new methods has fallen off somewhat as many people are now looking for ways to use the existing one rather than looking for new ones. Additionally, even if a new method is found (which would be good; we should always have a backup), there's no guarantee that the new technique will any better-suited for being persistent or even automatic on bootup.
GoodDayToDie said:
However, there are some issues with the current jailbreak technique. In particular, it's dependent upon knowing the correct offset for the flag that needs changing, there's no way to know for certain the state of that flag before writing it, and the offset changes with updates. If the wrong offset is written to, or the wrong value written, the system crashes. Therefore, making a "permanent" jailbreak using this hack runs a very real and serious risk of putting the device into a bluescreen-reboot loop after an update, even one that isn't intended to break the jailbreak, just by accident.
Click to expand...
Click to collapse
I did put in some code to automatically find the offset (downloads the pdbs from MS and disassembles that chunk of code from ntoskrnl and parses it), though it still does make some heavy assumptions that I wish I could do without. It should be in 1.13a.
Note that it's still just assuming that csrss is perfect, though.
Denis_63 said:
Hello!
Glad to see here sensible Guru, who understand, that non-permanent JB, requiring "Vol -" pressing and hanging in RAM - is a vicious way! I can't understand reluctance of Netham45 to make a permanent JB (nothing personal). If you will develop your own JB with options, described above, it will be a breakthrough! Wish you good luck and fastest implementation of planned :fingers-crossed:
Click to expand...
Click to collapse
I'd love a persistent jailbreak, but we don't have an exploit for one yet. I'm not reluctant to make one, I don't presently have the ability to. The tool that Myriachan is talking about would have the same issue.
netham45
GoodDayToDie
Hey, guys, I bag pardon, if I were too harsh... I'm not the Guru as you are, and really had no notion about the level of complexity of the problem. Becose of that I wrote - "Nothing personal" Wish all of you GOOD LUCK in your important work!