Windows tablets - easy, one-stop jailbreak now available for everyone. What should Microsoft do? [POLL]

Filed Under: Featured, Microsoft, Mobile, Security threats

Earlier this week, Chester wrote an article about what he referred to as the "jailbreaking" of Windows RT.

That "jailbreak" was a means of liberation that allowed you to run traditional desktop-style applications of your own choice, painstakingly worked out by a smart and well-organised hacker (in the benevolent and complimentary sense of the word) called @clrokr.

→ Windows RT, very loosely speaking, is Windows 8 ported to the ARM processor and locked down. You can't alter the bootloader (preventing you switching to, say, Android or Linux) and you can't install anything other than Windows-approved apps from the Windows Store. From a flexibility standpoint, Windows RT is to Windows 8 as iOS is to OS X.

The quotation marks around the word "jailbreak" were Chester's own, as it isn't a method for the fainthearted.

You need to: use the Windows RT remote debugger, assemble some ARM code, patch it into memory, find where KERNEL32 is loaded, and use it to help you find the location of an operating system component you'll need in a moment. (You can't guess where it is because of Address Space Layout Randomisation, or ALSR).

That's just the start of the "jailbreak".

Once you've located the needed system function (NtQuery­System­Information), you use it to locate a second system function (TerminalServer­RequestThread) that includes a call to a third function that is exploitable (NtUser­SetInformation­Thread).

Then you set a breakpoint to grab control just after the vulnerable function call, redirect execution to your previously-entered patch, and finally unset the breakpoint and let the operating system go back on its merry way.

Phew. Now you can draw breath.

All this to adjust a single byte in kernel memory: the place where the operating system remembers how much slack it will cut you in respect of code signing.

The lower the value, the more relaxed the system will be. Drop it to zero and you have effectively made Windows RT as liberal as Windows 8.

Despite the complexity, Chester guessed that "someone [would] create a tool to replicate @clrokr's efforts for those with less knowledge of a debugger."

And that's exactly what happened. A helpful coder called Netham45 has already released his RT Jailbreak tool.

In Netham45's own words, it's an "all-in-one program to jailbreak Windows RT tablets using the method recently released by clrokr."

Grab it today if you have a Windows RT tablet and you want the freedom to run desktop applications. A growing list of ported applications has already sprung up on the XDA website.

You can get software such as the TightVNC server and client (so you can do screen sharing), PuTTY (so you can run SSH and administer your UNIX boxen), various text editors popular with coders, and a Nintendo Gameboy emulator (because you know you want it).

That's good news. Isn't it?

→ Netham45's jailbreak won't survive a reboot. The secure bootloader ensures that the code signing level gets set back to 8 after a restart. But Netham45 wants you to know that this is not a tethered jailbreak. That would mean you'd need to connect (tether) your tablet to another device, usually a PC, to reboot it. This jailbreak runs from the tablet itself. Netham45 also reminds you that his tool is not intended to assist with piracy, and, for that matter, doesn't.

One question, of course, is, "What will Microsoft do?"

When Microsoft released the Kinect depth-sensing camera a couple of years ago for its gaming platform, the open source community immediately began to work on open-source drivers for it.

At first, Redmond was apparently unamused, to the point of bringing the cops into it:

Microsoft does not condone the modification of its products. With Kinect, Microsoft built in numerous hardware and software safeguards designed to reduce the chances of product tampering. Microsoft will continue to make advances in these types of safeguards and work closely with law enforcement and product safety groups to keep Kinect tamper-resistant.

Two weeks later, when the open source hackers had not only got the Kinect working for themselves, but already adopted it as a groovy technological darling, Redmond changed its mind just as quickly, with one Microsoft "experience creator" effusive with her praise:

I'm very excited to see that people are so inspired that it was less than a week after the Kinect came out before they had started creating and thinking about what they could do.

The issue of whether Microsoft would take legal action against Kinect hackers went from "working closely with law enforcement" to "absolutely not."

How do you think Microsoft will react this time?

Tell us what you think the Legal Beagles in Redmond ought to do by voting in our poll!

, , , , , ,

You might like

9 Responses to Windows tablets - easy, one-stop jailbreak now available for everyone. What should Microsoft do? [POLL]

  1. Freida Gray · 962 days ago

    No company condones the alteration of their product,but they do know that the product can & will be altered.That is why so many companies have a warranty disclaimer which says that if the product is altered it is no longer under warranty.Microsoft could do the same with Windows RT.

  2. Rohan Gray · 962 days ago

    I don't know if the poor little ARM chipset could handle the desktop apps.

    • JimboC_Security · 962 days ago

      Hi Rohan Gray,

      That’s a good point that you raise. In addition to not having the physical power/speed to run many desktop applications at a reasonable speed, surely all such desktop applications would also need to be re-compiled for the ARM CPU? This is because the applications would have been designed for x86 AMD/Intel CPUs. Please correct me if I am wrong.

      Thank you.

      • JimboC_Security · 961 days ago

        You're right Paul.

        This hack might also be used to run desktop apps on Windows RT rather than buying the Windows 8 Pro version of the Surface which is due for release in the coming months.

        If I am not mistaken, the Windows 8 Pro version of the Surface can run any application that Windows 8 can.

        • JimboC_Security · 960 days ago

          I should have mentioned that any such desktop apps running on Windows RT would first need to be re-compiled (ported) for the ARM CPU (unless an emulator is developed and used instead).

          Apologies for my mis-understanding.

    • Paul Ducklin · 961 days ago

      What about browsers? They're pretty heavyweight applications, and everyone expects ARM devices to handle those..

      And with a Microsoft Surface, unlike devices such as the iPad or the Google Nexus tablet, you have an as-good-as-built-in keyboard (OK, it isn't built in because it costs extra) that isn't a third-party add-on and was part of the design...seems ideal as a basis for desktop-style apps to me.

      Aynway, you do actually get desktop apps on Windows RT. It's just that you only get the ones built in by Microsoft when the OS ships. Without a jailbreak, you can't add desktop apps at all, not even from the Windows Store.

    • David Pottage · 961 days ago

      ARM chips might be underpowered compared with the latest intel desktop processors, but they are still quite powerfull compared with low power mobile processors, or desktop processorsof a few years ago.

      Many of the apps ported have been arround for many years. PuTTy for example has been avable for at least 10 years. I can report that it ran just fine the 600 MHz desktop I was using back then (with 128 Mb of RAM). I doubt it would give the 1.2 GHz Quad core processor in a surface tablet any trouble.

      In any case, it is not Microsoft's place to use performance as a reason to prevent users from running the apps they want on their systems. Users are smart enough to know that some heavyweight apps and games will run poorly on low spec systems, but sometimes they have their reasons to do it any way. They should be allowed to do so.

      In my view the best compromise would be to open up the windows store and code signing process to desktop applications compiled for ARM. If users want to download and install them they should be allowed to do so, but the motivation for most people to jailbreak will be removed, so keeping the security of the platform.

  3. Sootie · 960 days ago

    awesome non biased options for the quiz answers mate

  4. Microsoft has already realized the value of the tinkerer in providing innovation and development for a hardware platform.

    Apple realized early on that by not condoning, but not clamping down on applications that were developed outside their framework they could access ideas and gauge public response to functions and applications that can't exist within their ecosystem. From the developments in the jailbroken community apple picked up a lot of ideas that were integrated into subsequent releases of ios or apple apps. The illegitimate nature of the jailbroken apps makes the legal issues around integrating their ideas a little cheaper.

    Microsoft as a larger company, would do well to allow smaller operators to innovate on their platform and provide beta and market testing in a manner that costs the company nothing, and use the developments of that community to strengthen their offering.

    They managed to do that with the kinect, they can do it with the surface as well. They did say at the original release of the product that it was intended to inspire, why limit that inspiration ?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog