Earlier this week, Chester wrote an article about what he referred to as the “jailbreaking” of Windows RT.
That “jailbreak” was a means of liberation that allowed you to run traditional desktop-style applications of your own choice, painstakingly worked out by a smart and well-organised hacker (in the benevolent and complimentary sense of the word) called @clrokr.
→ Windows RT, very loosely speaking, is Windows 8 ported to the ARM processor and locked down. You can’t alter the bootloader (preventing you switching to, say, Android or Linux) and you can’t install anything other than Windows-approved apps from the Windows Store. From a flexibility standpoint, Windows RT is to Windows 8 as iOS is to OS X.
The quotation marks around the word “jailbreak” were Chester’s own, as it isn’t a method for the fainthearted.
You need to: use the Windows RT remote debugger, assemble some ARM code, patch it into memory, find where KERNEL32 is loaded, and use it to help you find the location of an operating system component you’ll need in a moment. (You can’t guess where it is because of Address Space Layout Randomisation, or ASLR.)
That’s just the start of the “jailbreak”.
Once you’ve located the needed system function (NtQuerySystemInformation), you use it to locate a second system function (TerminalServerRequestThread) that includes a call to a third function that is exploitable (NtUserSetInformationThread).
Then you set a breakpoint to grab control just after the vulnerable function call, redirect execution to your previously-entered patch, and finally unset the breakpoint and let the operating system go back on its merry way.
Phew. Now you can draw breath.
All this to adjust a single byte in kernel memory: the place where the operating system remembers how much slack it will cut you in respect of code signing.
The lower the value, the more relaxed the system will be. Drop it to zero and you have effectively made Windows RT as liberal as Windows 8.
Despite the complexity, Chester guessed that “someone [would] create a tool to replicate @clrokr’s efforts for those with less knowledge of a debugger.”
And that’s exactly what happened. A helpful coder called Netham45 has already released his RT Jailbreak tool.
In Netham45’s own words, it’s an “all-in-one program to jailbreak Windows RT tablets using the method recently released by clrokr.”
Grab it today if you have a Windows RT tablet and you want the freedom to run desktop applications. A growing list of ported applications has already sprung up on the XDA website.
You can get software such as the TightVNC server and client (so you can do screen sharing), PuTTY (so you can run SSH and administer your UNIX boxen), various text editors popular with coders, and a Nintendo Gameboy emulator (because you know you want it).
That’s good news. Isn’t it?
→ Netham45’s jailbreak won’t survive a reboot. The secure bootloader ensures that the code signing level gets set back to 8 after a restart. But Netham45 wants you to know that this is not a tethered jailbreak. That would mean you’d need to connect (tether) your tablet to another device, usually a PC, to reboot it. This jailbreak runs from the tablet itself. Netham45 also reminds you that his tool is not intended to assist with piracy, and, for that matter, doesn’t.
One question, of course, is, “What will Microsoft do?”
When Microsoft released the Kinect depth-sensing camera a couple of years ago for its gaming platform, the open source community immediately began to work on open-source drivers for it.
At first, Redmond was apparently unamused, to the point of bringing the cops into it:
Microsoft does not condone the modification of its products. With Kinect, Microsoft built in numerous hardware and software safeguards designed to reduce the chances of product tampering. Microsoft will continue to make advances in these types of safeguards and work closely with law enforcement and product safety groups to keep Kinect tamper-resistant.
Two weeks later, when the open source hackers had not only got the Kinect working for themselves, but already adopted it as a groovy technological darling, Redmond changed its mind just as quickly, with one Microsoft “experience creator” effusive with her praise:
I'm very excited to see that people are so inspired that it was less than a week after the Kinect came out before they had started creating and thinking about what they could do.
The issue of whether Microsoft would take legal action against Kinect hackers went from “working closely with law enforcement” to “absolutely not.”
How do you think Microsoft will react this time?
Tell us what you think the Legal Beagles in Redmond ought to do by voting in our poll!