Open Surface RT
Discord CommunityXDA Page
  • Open Surface RT Home
  • Get started
    • Secure Boot
    • Windows 10
    • Linux
    • Discord
  • Changelog
  • Common
    • Boot Process
      • Special Boot modes
      • Tegra SoC's
        • Fusée Gelée
          • APX Mode (USB Recovery Mode "RCM")
          • Payloads
            • Dump platform key (SBK)
      • UEFI
        • Secure Boot
          • Windows Bootmanager Exploit
          • Yahallo - Disable Secureboot
        • UEFI Boot Sequence
        • FAT32 isn't FAT32
    • Windows RT
      • Jailbreak Exploits
      • Recovery Toolkit
      • Recovery Images
    • Windows 10
      • Software Support
      • Fake Builds
      • Known Issues
  • Tools
    • Windows Media Builder
    • Surface RT & 2 Jailbreak USB
  • Surface RT
    • Linux
      • Devicetree
        • APX devicetree
        • UEFI devicetree
      • Kernel
        • Kernel source
          • grate-driver
          • Mainline
        • Configure & Build
          • Appended devicetree
        • Prebuilt binaries
      • Booting
        • Kernel parameters
        • UEFI boot
        • APX boot
          • Das U-Boot
          • Fusée Gelée
            • BCT Table
            • NvFlash (Modified)
          • Boot Linux
            • Binaries
            • Prepare SD Card
      • Root Filesystem
        • Distributions
          • postmarketOS
          • Raspberry Pi OS
        • Simple RootFS
      • Trouble Shooting
    • Hardware
      • Tegra3 - Technical Reference Manual
      • J14 OEM Debug Connector
      • UART
        • 1.8V UART with Voltage divider
        • Raspberry Pi UART-Setup
      • GPIOs
        • decode - Pin number to Letter
        • GPIOs in Linux
      • IC's
        • SPI Flash
        • MMC
          • 1 - μSD Card
          • 3 - WIFI SDIO: Marvell: 88W8797
          • 4 - eMMC
        • I2C devices
          • Bus 0 - MS HID
            • 0x00 - Microsoft: Type/Touch Cover
            • 0x28 - [WIP] Microsoft: ?SensorCollection?
              • TBC - Ambient Light Sensor
              • TBC - Kionix: KXTJ9 - Accelerometer
          • Bus 1 - 2nd Board
            • 0x2D
            • 0x39 - Display Panel ThermalZone
            • 0x5B - ATMEL: mXT1386E - TouchController
          • Bus 2 - CAMs
          • Bus 3 - HDMI DDC
          • Bus 4 - System
            • 0x0A - ACPI: Control Method Battery
            • 0x1A - Wolfson: WM8962 - AudioCodec
            • 0x2D - TI: TPS659110 - PMIC
            • 0x4C - onsemi: NCT1008 - Temperatur sensor
            • 0x60 - TI: TPS62361B - Processor Supply
        • LVDS Encoder
      • Display
      • Battery
    • Firmware
      • Extract Firmware
      • Decrypt Firmware
      • Encrypt Firmware
      • BCT
      • RPMB partition on EMMC
    • UEFI
      • ACPI Tables
        • DSDT
        • SSDT
        • WDSA
        • MADT / APIC
        • Not interesting (yet)
          • BGRT
          • CSRT
          • DBG2
          • FACP
          • FPDT
          • MSDM
          • RSDP
          • TMP2
          • XSDT
      • Memory Mapping
      • Device Tables
      • PinMux
      • Compiling GRUB2
  • Surface RT2
    • Hardware
      • Specifications
      • ACPI (DSDT) Tables
      • Memory Mapping
      • EFI System Tables
      • BCT Table
      • IC's
      • Display
      • Battery
  • Other devices
    • Lenovo Ideapad Yoga 11
      • Linux
  • Development
    • !!! PLEASE READ !!!
      • !TODO for everyone
      • CTS devNotes
        • initrd
        • !TODO
          • Surface RT
          • Surface 2
        • battery
        • TZ Exploit - CTS
        • tCover Linux support
          • Kernel module
        • Dump Bootrom
        • git for dummys [WIP!] (like me)
      • Leander devNotes
        • !TODO
        • UEFI Privilege Escalation Exploit Documentation
          • Yahallo: Free memory access
          • UEFI Privilege Escalation: Execute code in Secure mode
          • Removing trustzone
        • EFI linux booting
          • Configs we already tried
          • Qemu emulation
            • GDB Debugging
              • VSCode integration
        • EFI Signing / Secure Boot
      • GRUB2 Booting Notes
      • Cross Compiling
      • Interesting Repo's
      • Devicetree information
      • Do gifs work?
      • Uboot information
      • jwa4 Notes
        • Windows Media Builder
        • Surface RT & 2 Jailbreak USB
Powered by GitBook
On this page
  • What is Yahallo
  • How does it work
  • Executing Yahallo exploit
  • Quick explanation and multiple options
  • Full explanation and single option USB
  • Undo

Was this helpful?

Export as PDF
  1. Common
  2. Boot Process
  3. UEFI
  4. Secure Boot

Yahallo - Disable Secureboot

PreviousWindows Bootmanager ExploitNextUEFI Boot Sequence

Last updated 3 years ago

Was this helpful?

What is Yahallo

Refer to The exploit in the dev section to get further information about it.

How does it work

The Exploit starts in App.c. App.c transfers controll to DeviceLut.c It will compare the UEFI version to some entrys in a lookupTable In case of sRT it will apply a display fix first. DeviceLut.c transfers control to Exploit.c

We suggest to only apply this if you need it. In most cases it is not necessary. At the moment you gain no advantage.

Executing Yahallo exploit

Quick explanation and multiple options

You can easily disable secure boot by booting the . Just download the ZIP, extract it to your USB and boot it. Select the options with an USB keyboard. For further information how to setup the USB go to the more detailed explanation bellow.

More details can be found in the and in the .

Full explanation and single option USB

Prerequisites to start with the process!

  • Working USB drive formatted as FAT32

  • Surface RT/2 with 50% or more battery, can be plugged in

  • Yahallo files to boot from

  • Windows Boot Manager exploit, this one is important!!!

Prepare the USB drive and format as FAT32, doesn't matter if it's MBR or GPT. In my case I name the drives after their capacity.

Extracting the files, make sure the folder contents are on your USB drive's root directory (example: E:\ [stuff is here])

Once the files are copied over, unplug the drive from your PC and power off your Surface. Once powered off plug in the USB drive and boot from it by pressing power and holding volume down at the same time.

That's it! Exploit has been done and all you have to do is power off your tablet and turn back on. From my case at first it refused to display anything so I suggest leaving it for 5 minutes at most. Since SecureBoot is now disabled you can boot unsigned code like Linux, which is work in progress.

Undo

To re-enable secureboot replace the "Yahallo.efi" file on your USB with the file bellow, make sure the naming is correct.

Enabling secure boot brings you no advantage at all, you only restirct yourself with what you can do.

https://github.com/NekomimiRouter/yahallo
All-in-one Secureboot tool page
522KB
yahallo.zip
archive
Yahallo exploit
31KB
YahalloUndo.efi
YahalloUndo
Surface RT and a USB drive (this one has 1GB capacity and LED activity indicator)
USB drive
This should appear when holding volume down
All-in-one Secureboot tool
Secure Boot page