Windows RT jailbreak smash: Run ANY app on Surface slabs

The security mechanism preventing unauthorised software running on ARM-powered Windows RT tablets - such as Microsoft's Surface slabtops - can be easily defeated. The Redmond giant wanted only cryptographically signed executables, ideally those obtained from the official Windows application store, to run on its hardware. But, …

COMMENTS

This topic is closed for new posts.
  1. Dan 55 Silver badge
    Facepalm

    Genius

    You can't run unsigned code, unless you run it through the debugger, in which case you can.

    1. Anonymous Coward
      Anonymous Coward

      Re: Genius

      So if there are restrictions on what you can run then that's bad, but also if the restrictions aren't hard to skip then that is also bad is it?

      If you look at Android you'll find its protections are also very weak. Google tried to improve them but the change had a bug so they backed it off.

      Or would you like to see the tablet locked down massively so that you would need a mod chip to run "homebrew"?

      1. Dan 55 Silver badge

        Re: Genius

        I'd like to see a Windows RT with both desktop and touch mode which can run ARM executables and emulate x86 executables.

        The fact that MS have changed a flag to disable your own ARM executables indicates that this is an artificially nobbled operating system, and yes, the fact that you can run a short assembler program to change it back is just shoddy. I'm also pretty sure that deep in the bowels of Redmond they've got an x86 emulator ready for Windows 9 which runs most old x86 executables should Windows 8 prove to be an abysmal failure.

        1. dogged
          Flame

          Re: Genius

          You want to saddle an ARM chip with x86 emulation?

          Why? Is your lap cold for periods of less than two hours and then fine for periods of 5 hours while the device recharges?

          Hell, two hours is optimistic for ARM running x86 emulation.

          Icon- your lap.

          1. JEDIDIAH
            Linux

            Re: Genius

            What's the matter? All of the ARM fanboys like to claim how powerful new models of ARM CPUs are.

            If ARM is really all that then it certainly can handle a little emulation.

            It may not be good enough for T2F or WoW but it should be fine for those legacy office apps.

            Sometimes people need to do some work and excuses aren't going to get the job done.

            1. Phil W

              Re: Genius

              Power is a relative term though.

              ARM CPUs are very powerful and effective running code compiled to run on them, not so much when emulating.

              It kind of works the other way too though, running ARM emulation on an x86/x64 CPU can also be rather sluggish.

              We're talking about translating two different instruction sets from one to the other here, which creates a surprising amount of overhead. If you want to see an example, try running Windows XP on a PowerPC G5 Mac under Qemu. Sure a 2.6GHz dual core CPU is more than enough to run Windows XP, but the time it takes for the instruction set translation reduces performance massively.

              As I like using analogies for everything, it's like saying a University lecturer is crap at teaching because he only speaks English, all his students only speak French and he needs a translator for everything so the students take twice as long to learn everything as English speaking ones would.

              1. Anonymous Coward
                Anonymous Coward

                Re: Genius

                @Phil W,

                Don't forget that you are emulating on Windows too, so there is a huge hit right there.

                1. Phil W

                  Re: Genius

                  Ha ok, well a slightly different scenario.

                  Install Debian PPC on the mac, install Qemu and emulate Debian ARM.

          2. Dan 55 Silver badge
            Boffin

            Re: Genius

            I see I'm going to have to spell it out. I'm not expecting Half Life 2 but something like Rosetta implemented on the Mac up to Snow Leopard, i.e. usable emulation for most legacy apps, those which sit in an event loop and do nothing apart from waiting for input events with possibly something strenuous for a short while when you hit the 'Go' button.

        2. Someone Else Silver badge
          Coat

          Re: Genius -- @ Dan 55

          I'm also pretty sure that deep in the bowels of Redmond they've got an x86 emulator ready for Windows 9 which runs most old x86 executables should Windows 8 prove to be an abysmal failure.

          "Should Windows 8 prove to be an abysmal failure." Don't you mean "When"?

      2. Anonymous Coward
        Anonymous Coward

        Re: Genius

        It's the worst of all worlds: a system which inconveniences the legitimate user of the device by preventing him/her from using it in the way they would like, but not actually giving any protection against malware.

        1. P. Lee
          Joke

          Re: Genius

          > It's the worst of all worlds: a system which inconveniences the legitimate user of the device by preventing him/her from using it in the way they would like, but not actually giving any protection against malware.

          The question is where is this effective from. If jailbroken devices could be made to run android, MS can't subsidise RT machines to gain market share because people will just pick them up as cheap android machines.

          Also, if sigs aren't checked, can you run RT on a different bit of ARM hardware?

          1. Euripides Pants

            Re: Genius

            "people will just pick them up as cheap android machines"

            Don't you mean expensive android machines?

    2. P. Lee

      Re: Genius

      rather like a text file is data until you pass it to a perl interpreter.

      Bad things happen when you allow self-modifying code!

  2. Blarkon

    It's also possible to side-load your own apps on RT anyway - you just install the sideloading product key.

    http://technet.microsoft.com/en-us/library/hh852635.aspx

    1. dogged
      Boffin

      That's actually a part of the process. This technique involves sideloading desktop applications, not Store apps.

      In theory, pretty much any WPF+.NET4.x+ based application should run since RT is equipped with full ports of the framework and first-time compile would - naturally - compile to ARM-ILDASM.

    2. Richard Plinston

      Re: sideloading

      > you just install the sideloading product key.

      You may be right if 'just' includes running a Windows Enterprise or 2012 server and being part of Volume Licensing.

  3. Anonymous Coward
    Anonymous Coward

    This assumes you want to use Win8 which most sane people don't. :-)

    1. Anonymous Coward
      Anonymous Coward

      On desktop then no, not good.

      On a tablet it is a bit more useful.

      1. Danny 14

        tablet win8 is pretty good. Using win8 on a laptop with a trackpad is hell on earth.

    2. Anonymous Coward
      Anonymous Coward

      Children please.....

      Didn't your Mummy teach you to try something new before saying you don't like it?

      All kidding aside. I've tried Win8 on a new laptop I bought for my brother as well as an AIO touch screen at the local shops. Win8 does have a learning curve, but if my brother and his wife (not computer savvy) can adapt to the new GUI, then it's just a matter of not whining and throwing one's hands up so quickly.

      It's part of human nature to resist change, regardless of the effort needed to adapt. I fully realize/expect most people to whine about the new GUI. My solution is for them to stop bitching/whining about it and just stick with what they like. It's not the end of the world and there are other options. Even MS gives new computer buyers the option of downgrading from Win8 to Win7 if desired.

      My suggestion is "Don't worry, Be Happy"

      Best wishes for the new year,

      1. Anonymous Coward
        Anonymous Coward

        "there are other options"

        Indeed there are other options. Several of them are Linux. Can anyone remind me why "lack of familiarity" was frequently used as an argument against Linux but is not allowed as an argument against Windows 8 (or Office 2010 or ...)?

        1. phr0g

          Re: "there are other options"

          "Lack of familiarity". Ha, more like when you Google for help on something you get a page full of Unix commands to execute. User friendly Linux isn't.

          1. Anonymous Coward
            Anonymous Coward

            Re: "there are other options"

            Linux is very user friendly.

            It's just very picky about who its friends are.

      2. Someone Else Silver badge
        Stop

        Re: Children please.....

        "If my Auntie Em can figure it out...."

        "People want to resist change...."

        Yadda yadda yadda.

        Look, all these old chestnuts may well be true, and well may be your own experience as well. I'm happy for you...I really am. However, most of those here on this forum are not casual web surfers and malware downloaders. We are, as the byline suggests, IT and/or software professionals, and I for one have many, many more important things to do than trying to figure out where some wet-behind-the-ears Microsoft marketdroid thought it would be oh-so-k3wl to hide this feature here or that feature there this week. And that, much more than resisting change, is where the hue and cry about first the Ribbon, then Metro, is coming from. Microsoft has got to realize that, because they monopolized...er.. won such a large market share, that people actually use this stuff, and aren't much about oooh'ing and ahhh'ing about the shiny, shiny new interface-du-jour.

        1. jason 7
          Unhappy

          Re: Children please.....

          Well you can make excuses all you like but when you sit down and clear your mind of herd rage a lot of the changes are pretty minor in most cases. Really not worth all the spleen venting.

          It's like all my fave tech forums have been taken over by 14 year olds that have had their Steam accounts suspended or similar.

          If only all this anger and outrage could be used against something that really warrants it, like child poverty.

      3. jason 7
        Thumb Up

        Re: Children please.....

        I and the other half dozen I have rolled it out to haven't struggled either.

        Quite easy once you stop moaning and following the herd rage.

        In fact I'm getting asked to supply other Windows 8 machines to those that see the ones I have put out there. They don't have a problem either.

        I think most of the issue was in the minds of all the tech journalists. I guess just using an iPad to do your work on for the past three years shrinks and weakens the brain?

    3. RICHTO
      Mushroom

      The US DoD just spent over $600 million on Windows 8!

  4. John Sanders
    Linux

    And this will be patched in no time

    Who cares.

    1. dogged

      Re: And this will be patched in no time

      It doesn't actually look patchable. Everything you need to perform this hack, you also need to develop software for the device. Patching that ability away would be massively self-harming.

      Anyway, this only affects the switch's in-memory value. Every time you reboot, the switch is reset to 8 (from my fallible memory, someone will correct me if I'm wrong) which is the Microsoft level of signage as opposed to 0, which is unsigned. So you're limited to rerunning the hack every time you boot the machine.

      It's an interesting curiosity but nothing more.

      1. Danny 14

        Re: And this will be patched in no time

        I imagine the apps used to inject the code will be patched is how I read it.

        1. dogged

          Re: And this will be patched in no time

          The Windows Debugger?

          I want "mind boggled" icon, please.

      2. Paul Shirley

        Re: And this will be dongled if Surface ever sells enough

        @dogged: "you're limited to rerunning the hack every time you boot the machine."

        Hackers have managed to break much harder protection on some console hardware with purely external dongles. In the unlikely event Surface sells enough units to justify building it, expect a tiny USB powered device able to do just that on sale in your favourite console hacking outlet.

        And like my hacked Wii, the Surface hack du jour will stay firmly ahead of Microsoft attempts to patch it ;)

  5. Anonymous Coward
    Anonymous Coward

    Windows RT apps

    As clearly it won't run "any" code, and there is a distinct lack of worthwhile WindowsRT apps (almost as bad as Windows Phone 8).

  6. Anonymous Coward
    Anonymous Coward

    Feels like a clandestine MS press release from their Skunkworks department?

    1. Anonymous Coward
      Anonymous Coward

      Err...

      There is already a KB article on their web site detailing how to install your own apps, so I doubt it...

  7. Anonymous Coward 15

    If you're a sufficiently serious dev

    Won't you legitimately need a debugger and the ability to run not-yet-signed code?

    1. El Andy

      Re: If you're a sufficiently serious dev

      You already can. Without jailbreaking the device.

  8. JeffyPooh
    Pint

    "...unlikely to be something most non-techie users could pull off..."

    "The hack is unlikely to be something most non-techie users could pull off as it requires knowledge of WinDbg."

    FAIL. Once the inevitable tool is released, then the average non-techie user follows the instructions and goes "click-click". It's ignoring history (e.g. cracking smart cards, ripping DVDs) to think otherwise.

    1. Anonymous Coward
      Anonymous Coward

      Re: "...unlikely to be something most non-techie users could pull off..."

      And how would they run the unsigned tool, without running the process detailed to allow them to run the unsigned tool, thus making it redundant. I believe the fail is yours.

      Also, MS already details how to sideload on their web site, so I'm not entirely sure I can see the point.

      1. Antony Riley
        Thumb Down

        Re: "...unlikely to be something most non-techie users could pull off..."

        You do not have to run your own code on a machine in order to modify memory, typically plugging in a device to the machine is enough.

        e.g. http://md.hudora.de/presentations/#firewire-pacsec

        I note that there are still DMA access to kernel memory over firewire issues in existence today on every operating system. If this is ever patched, there's a whole slew of badly written USB and Bluetooth device drivers left to target, reprogramming a USB/Bluetooth/Firewire client via an automated tool is well within the reach of most people on the street.

        Having said that if you can modify kernel memory then all bets are off regards any sort of signed executable protection anyway, so the news that modifying a single byte can turn it off isn't much to shout about.

    2. Charles 9
      FAIL

      Re: "...unlikely to be something most non-techie users could pull off..."

      FAIL FAIL. You're caught in a Catch-22. To paraphrase Spike Milligan, you're trying to unlock the program with the key you will find inside.

  9. DrXym

    If you want a rootable Windows tablet

    Buy one with Windows 8 on it. Asus already sell a Vivobook (low end ultrabook) for less than a Surface and it comes with 500GB storage, i3 processor, 4GB ram and touch screen too.

    Why hobble yourself with RT regardless of it being (temporarily) rootable or not? It's doubtful RT will be around for long if the apathy about it is anything to go by.

    1. Anonymous Coward
      Anonymous Coward

      Re: If you want a rootable Windows tablet

      What about the size, weight and battery life?

      It's pretty obvious that an ARM device can sit on your lap and not burn you, the same can't be said of an x86 tablet or laptop. They stopped calling them laptops for that reason, "notebook" being the replacement name.

      1. DrXym

        Re: If you want a rootable Windows tablet

        If size, weight and battery life are an issue, why bother with Windows RT at all? There are plenty of other tablets, which have their own office suites which import / export MS Office files.

        I just believe Windows RT is gimped, consumers know it, and it has little long term prospect without another overhaul. Also, as Intel goes to 32nm and 22nm this year, most of the concerns over power consumption will be largely redundant and you can have a tablet lasting 6-8 hours that runs genuine x86 code if that's what you want. Or buy some kind of ultrabook with a touchscreen. Either way you get a full Windows experience without resorting to some exploit or hoping RandomApp is ported to ARM and can be exploited.

      2. slightly-pedantic

        Re: If you want a rootable Windows tablet

        I remember an Intel guy bragging about how the point of the original ATOM processor was to make sure netbooks were sufficiently poor that they didn't have too much impact on volumes of expensive CPUs. However, with the new Atom Z2760 Clovertrail (when they are available in any quantities) you get ARM-type battery life and decent desktop performance, albeit not for games. That really does make Win RT seem a bit pointless as it runs Win 8 Pro nicely.

      3. Tom 13

        Re: laptops for that reason, "notebook" being...

        Laptops are bigger than notebooks, or at least were when reporters adopted the sexier marketing lingo. I remember that idiot who used to write opposite Dvorak at PC Magazine going on and on and on about how superior notebooks were to laptops and would therefore replace both laptops and desktops.

    2. Arctic fox
      Thumb Up

      RE: "Buy one with Windows 8 on it." I agree - I am about as likely to buy an RT tablet............

      ...................as I am to buy an iPad. For precisely the same reasons.

  10. Anonymous Coward
    Anonymous Coward

    Wrong way round

    Being able to run the ARM version of MS Office on an iPad would be a much more attractive thing to do.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wrong way round

      Why would you prefer to run Office on an iPad? An iPad is a lot more limited in terms of capabilities and a lot less secure.

  11. Ben Liddicott
    Pint

    It rather involved being on the other side of this airtight hatchway...

    If you can run arbitrary code, it is no surprise that this gives you the ability to run arbitrary code...

    http://blogs.msdn.com/b/oldnewthing/archive/2007/08/07/4268706.aspx

  12. Bob 18

    Yawn...

    Why would anyone bother to jailbreak a Windows RT tablet? If you want a tablet that you can run anything on, just get an Android. Nobody's forcing you to install dodgy software, but you can if you like.

  13. oldcoder
    Linux

    coming soon to any RT near you....

    A linux boot that uses Window RT as a boot loader...

  14. DS 1

    So what?

    The RT platform doesn't really have much software, even in its primary 'store'. Getting stuff from elsewhere when it's a trickle isn't worth much.

    To be blunt, it's as dead a platform as there is. No software, and pretty incompatible with previous Windows systems. It was born dead. Good luck trying to revive it.

  15. Anonymous Coward
    Anonymous Coward

    Win RT Is A Dead Duck

    WTF were MS thinking? Why didn't they just scale up Windows Mobile to tablet size?

  16. Mike Dimmick
    Boffin

    Not a jailbreak

    Come on, you have to connect with the kernel debugger and insert code to modify a byte to remove the certificate check? That's really not a practical jailbreak. In order to attach a kernel debugger, you have to boot into a kernel-debugging mode anyway. Microsoft's support threads say that you have to contact your 'ecosystem program manager' to do it on RT - Windows RT is not available to OEMs generally - as you can't modify the boot configuration data to enable kernel debugging. I'd be interested to know how he managed to enable kernel debugging in the first place!

  17. The Alpha Klutz

    i hope the store crashes and burns then i hope the ashes crash as well

    a store is just a unix repository but less useful because everything that costs money costs money and everything that doesn't is shit.

    1. Anonymous Coward
      Anonymous Coward

      Re: i hope the store crashes and burns then i hope the ashes crash as well

      At least you can get commercial software through the Windows/Apple app stores. This is a problem with Linux - there are many pieces of commercial software that I may want to run, but I'm not aware of any pay-for software available for RHEL/Fedora through a repo, it's all custom installer scripts.

      1. DJ Smiley
        Facepalm

        Re: i hope the store crashes and burns then i hope the ashes crash as well

        Shame for RHEL/Fedora then.

        On gentoo I can install UT2k3/2k4 quite happily, Quake3 as well - I know these work as I've done it. There's likely other commercial software too.

        1. Anonymous Coward
          Anonymous Coward

          Re: i hope the store crashes and burns then i hope the ashes crash as well

          UT 2k3 and 2k4 and Quake 3 are hardly pay-for commercial software though, are they?

      2. JEDIDIAH
        Linux

        Re: i hope the store crashes and burns then i hope the ashes crash as well

        Given what generally tends to be in "app stores", that's not much of a tragedy.

        RHEL is meant to run kilobuck commercial software with similarly expensive support contracts. They aren't your casual sort of end user thing. Contracts and haggling are involved.

        Lack of access to Adware versions of things that are better as user compiled Free Software is not such a tragedy.

  18. asdf
    FAIL

    fail by author

    >Windows RT has been deliberately locked down - the idea being to maintain performance and security, and blah blah

    No, those are the excuses Microsoft PR and marketing give. The real reason is to get that fat cut from the devs like Apple does (who also use the same lie) if in the miraculous event WinRT doesn't fall flat on its face, which it obviously already has (Ballmer can only channel stuff and hide things for so long). The only difference between both WinRT and the Surface and the Kin is Microsoft is willing to sink more money into this lost cause to save face.

  19. b166er

    They could just do what Google are doing with Android, allow private Stores.

    1. asdf

      they won't

      Why then you give up complete control of your (l)users and the extortion money from the devs. After all someone has to vet that your fart app works correctly and isn't a security risk.

      1. dogged

        Re: they won't

        They do.

        Enterprises can have their own Stores.

  20. Herby

    First non-signed program to run?

    Me, I'd just run a program to re-flash the BIOS (or whatever they call it) to eliminate the signing of the OS image. Something perfectly good for me. Then install a version of Linux so it will be "Windows 8 or better".

    Sounds like a plan for me.

    1. RICHTO
      Mushroom

      Re: First non-signed program to run?

      You can't flash the BIOS unless it's signed....chicken and egg...

  21. The Alpha Klutz

    in 2 years tablets in any architecture will be totally cheap

    coming out of China like industrial diarrhea. I laugh at how their air is so shitty, they probably fart it out cleaner. but i hope the toxins don't eventually affect me in my part of the world. anyway enjoy your tablets you toffs

    1. asdf
      Trollface

      Re: in 2 years tablets in any architecture will be totally cheap

      >the toxins don't eventually affect me in my part of the world.

      Have no fear, it's coming and it may well have been your part of the world that kicked off the whole business model (Industrial Revolution). As bad as China's air quality is, I bet England's 120 years ago or so wasn't much better.

      1. The Alpha Klutz

        Re: in 2 years tablets in any architecture will be totally cheap

        "As bad as China's air quality is I bet England's 120 years ago or so wasn't much better."

        should have pointed that out 120 years ago when I might have cared

  22. MrT

    As easy as...

    ... POKE 35899,0 ...?

    <<- we need an 8-bit icon ;-)

  23. Anonymous Coward
    IT Angle

    The security mechanism?

    The security mechanism consisted of a single digit setting, and who was it here recently telling us that Windows RT was more secure as it couldn't run all that old insecure software.

    1. Anonymous Coward
      Anonymous Coward

      Re: The security mechanism?

      I believe it was an ignorant Microsoft basher....Microsoft support for some legacy software has little to do with any security vulnerabilities these days....

  24. Anonymous Coward
    Anonymous Coward

    Hmmmm

    Creamed kernels
