Open Surface RT
Discord CommunityXDA Page
  • Open Surface RT Home
  • Get started
    • Secure Boot
    • Windows 10
    • Linux
    • Discord
  • Changelog
  • Common
    • Boot Process
      • Special Boot modes
      • Tegra SoC's
        • Fusée Gelée
          • APX Mode (USB Recovery Mode "RCM")
          • Payloads
            • Dump platform key (SBK)
      • UEFI
        • Secure Boot
          • Windows Bootmanager Exploit
          • Yahallo - Disable Secureboot
        • UEFI Boot Sequence
        • FAT32 isn't FAT32
    • Windows RT
      • Jailbreak Exploits
      • Recovery Toolkit
      • Recovery Images
    • Windows 10
      • Software Support
      • Fake Builds
      • Known Issues
  • Tools
    • Windows Media Builder
    • Surface RT & 2 Jailbreak USB
  • Surface RT
    • Linux
      • Devicetree
        • APX devicetree
        • UEFI devicetree
      • Kernel
        • Kernel source
          • grate-driver
          • Mainline
        • Configure & Build
          • Appended devicetree
        • Prebuilt binaries
      • Booting
        • Kernel parameters
        • UEFI boot
        • APX boot
          • Das U-Boot
          • Fusée Gelée
            • BCT Table
            • NvFlash (Modified)
          • Boot Linux
            • Binaries
            • Prepare SD Card
      • Root Filesystem
        • Distributions
          • postmarketOS
          • Raspberry Pi OS
        • Simple RootFS
      • Trouble Shooting
    • Hardware
      • Tegra3 - Technical Reference Manual
      • J14 OEM Debug Connector
      • UART
        • 1.8V UART with Voltage divider
        • Raspberry Pi UART-Setup
      • GPIOs
        • decode - Pin number to Letter
        • GPIOs in Linux
      • IC's
        • SPI Flash
        • MMC
          • 1 - μSD Card
          • 3 - WIFI SDIO: Marvell: 88W8797
          • 4 - eMMC
        • I2C devices
          • Bus 0 - MS HID
            • 0x00 - Microsoft: Type/Touch Cover
            • 0x28 - [WIP] Microsoft: ?SensorCollection?
              • TBC - Ambient Light Sensor
              • TBC - Kionix: KXTJ9 - Accelerometer
          • Bus 1 - 2nd Board
            • 0x2D
            • 0x39 - Display Panel ThermalZone
            • 0x5B - ATMEL: mXT1386E - TouchController
          • Bus 2 - CAMs
          • Bus 3 - HDMI DDC
          • Bus 4 - System
            • 0x0A - ACPI: Control Method Battery
            • 0x1A - Wolfson: WM8962 - AudioCodec
            • 0x2D - TI: TPS659110 - PMIC
            • 0x4C - onsemi: NCT1008 - Temperatur sensor
            • 0x60 - TI: TPS62361B - Processor Supply
        • LVDS Encoder
      • Display
      • Battery
    • Firmware
      • Extract Firmware
      • Decrypt Firmware
      • Encrypt Firmware
      • BCT
      • RPMB partition on EMMC
    • UEFI
      • ACPI Tables
        • DSDT
        • SSDT
        • WDSA
        • MADT / APIC
        • Not interesting (yet)
          • BGRT
          • CSRT
          • DBG2
          • FACP
          • FPDT
          • MSDM
          • RSDP
          • TMP2
          • XSDT
      • Memory Mapping
      • Device Tables
      • PinMux
      • Compiling GRUB2
  • Surface RT2
    • Hardware
      • Specifications
      • ACPI (DSDT) Tables
      • Memory Mapping
      • EFI System Tables
      • BCT Table
      • IC's
      • Display
      • Battery
  • Other devices
    • Lenovo Ideapad Yoga 11
      • Linux
  • Development
    • !!! PLEASE READ !!!
      • !TODO for everyone
      • CTS devNotes
        • initrd
        • !TODO
          • Surface RT
          • Surface 2
        • battery
        • TZ Exploit - CTS
        • tCover Linux support
          • Kernel module
        • Dump Bootrom
        • git for dummys [WIP!] (like me)
      • Leander devNotes
        • !TODO
        • UEFI Privilege Escalation Exploit Documentation
          • Yahallo: Free memory access
          • UEFI Privilege Escalation: Execute code in Secure mode
          • Removing trustzone
        • EFI linux booting
          • Configs we already tried
          • Qemu emulation
            • GDB Debugging
              • VSCode integration
        • EFI Signing / Secure Boot
      • GRUB2 Booting Notes
      • Cross Compiling
      • Interesting Repo's
      • Devicetree information
      • Do gifs work?
      • Uboot information
      • jwa4 Notes
        • Windows Media Builder
        • Surface RT & 2 Jailbreak USB
Powered by GitBook
On this page
  • Restrictions
  • Exploits

Was this helpful?

Export as PDF
  1. Common
  2. Windows RT

Jailbreak Exploits

Discusses Microsoft's strict lock-down on running Win32 applications.

PreviousWindows RTNextRecovery Toolkit

Last updated 1 year ago

Was this helpful?

Restrictions

If you've used Windows RT for any length of time you have probably already realized that trying to run a traditional Windows executable is not possible under a stock configuration. If you do try and run one you will probably see a message like the following.

There are two reasons why this happens. The first reason is that Windows RT uses a completely different type of CPU architecture to the one used on standard Windows. Rather than using the x86/x64 from Intel or AMD, Windows RT instead uses the 32-bit ARMv7 architecture. So since almost every Windows executable on the internet is compiled for x86/x64 so do they all fail to work under Windows RT.

This may arguably have been trivial for software developers to solve were it not for the next major problem. If you do get your hands on an ARMv7 compiled executable and try to run it, you will see something like the next following message.

This is caused by another difference Windows RT has to standard Windows which is what is called the minimum signing level. This level is set in the kernel and cannot be changed as far as we know. It goes like this:

#

Level

Description

0

Unsigned

This is the value found on standard Windows machines. It allows any executable to be ran.

4

Authenticode

Would only allow for an executable to be ran if it were signed by a verified publisher. You could not run applications with a "Unknown Publisher".

8

Microsoft

This is what Windows RT is set to. Only code signed to run by Microsoft is able to be ran by a user.

12

Windows

Would lock any executable from running except those included with the Windows install.

Allowing only for Microsoft code to run in the context of Win32 completely cut off any third party support for the system in this area. Third party developers were instead expected to write their software for the Windows Store.

Exploits

Over the years there have been a couple of exploits for bypassing the aforementioned signing requirement. Since all are quite vaguely named, I shall refer to them only by their author. Here are all known exploits...

Exploit

Date

Description

January 10 2013

The earliest known exploit. Works by using Windows Symbolic Debugger (cdb.exe) to change the minimum signing level loaded in RAM. Requires two minute system up time to work properly and may sometimes cause a BSOD.

October 14 2015

bcdedit /set '{current}' loadoptions '/TŅSTSIGNING' enables test signing mode. Works around /testsigning option being blocked because blocked options are checked for before they are passed to ntoskernel.exe. Once passed ntoskernel.exe truncates unicode down to 8-bits and Ņ becomes E.

netham45's RT Jailbreak Tool
Myriachan's Jailbreak
This is what killed Windows RT.