
After a little over two months, the long-awaited jailbreak for Windows RT has appeared online. A vulnerability was found in the Windows kernel that allows unsigned desktop applications to run. Unfortunately, this jailbreak is tethered: after a reboot the patch is gone and has to be applied again.
It's funny that the vulnerability was first found on desktop Windows 8 and only then carried over to Windows RT. You can read more about that process
here .
Installation
The jailbreak process itself is non-trivial: you need a computer with Windows 8 and Visual Studio 2012. But a craftsman from XDA has made it possible to do it right on the device.
- Download the archive and unzip it on your device.
- Run runExploit.bat
- Follow the onscreen instructions.
- When “Please press VOLUME DOWN now.” appears on the screen, press the volume down button.
Let me remind you that Windows RT is an edition of Windows 8 for ARM devices such as the Microsoft Surface.
So how does all this actually work?
The text below is a loose translated retelling of Circumventing Windows RT's Code Integrity Mechanism . I omitted a lot of details, because this is a Friday post :)
In the Windows kernel, the minimum required signing level is stored in a variable. On Windows 8 its value is 0 (Unsigned), i.e. Windows does not require a digital signature to run an application. On Windows RT its value is 8 (Microsoft). The whole jailbreak boils down to simply resetting this variable. Sounds simple.
In practice it is very hard to do, because Windows Store applications can only use signed binaries, and from such an application it is impossible to obtain the security context needed to attach to other processes.
But here Microsoft met the community halfway and released a remote debugger for Windows RT, which attaches to desktop applications perfectly well. With it you can attach to the
CSRSS process and modify its memory directly. CSRSS, in turn, calls the vulnerable kernel function (NtUserSetInformationThread).
One of these calls (found in winsrv.dll):
TerminalServerRequestThread+0x230:
    MOVS R3, #0xC
    ADD  R2, SP, #0x58
    MOVS R1, #9
    MOV  R0, 0xFFFFFFFE
    BL   NtUserSetInformationThread
Using a breakpoint, we can change the structure at R2 just before NtUserSetInformationThread is called.
The kernel base address is also required. You can get it by calling NtQuerySystemInformation, which returns a list of all loaded drivers and their base addresses.
Now all that remains is to inject code into winsrv.dll (a half-empty page at offset 0x10800 is used for this purpose) and, once the breakpoint fires, change the IP register to the start of our code.
That's all :)
Conclusion
For those who have read to the end, here is a link to a
post with a collection of programs compiled for ARM. Notepad++, 7-Zip and a VNC client are already available.
You can also build software yourself;
read this . If you need static libraries that are not in the Windows SDK, you can use
this tool .