Windows RT Jailbroken to Run Unauthorized Apps
An enterprising tinkerer seems to have jailbroken Microsoft's Windows RT tablet operating system to run unauthorized applications — at least temporarily.
"Ironically, a vulnerability in the Windows kernel that has existed for some time and got ported to ARM just like the rest of Windows made this possible," wrote the hacker, who uses the online handle CLRokr, in a blog posting yesterday (Jan. 6).
But don't expect to run Photoshop on a Windows RT Microsoft Surface tablet anytime soon. CLRokr's hack must be performed from a tethered PC after every reboot of the target tablet, and applications compiled for Intel x86 processors won't run natively on the ARM chips that Windows RT (and other mobile operating systems) is built for.
CLRokr insists that he or she isn't trying to undermine the security of Windows RT, but rather trying to force Microsoft to open up the operating system to unauthorized apps and hence make Surface tablets more appealing to consumers and business clients.
(Sales of Surface and other Windows RT tablets have been underwhelming since their introduction in October. A Windows 8 version of the Surface tablet is expected this month.)
"The Surface is incredible," CLRokr wrote in a Reddit thread. "But the marketing is not very good."
Control, and lack of it
Microsoft lets any application run in desktop versions of Windows, including Windows 8. But it wanted more control over what ran in Windows RT.
So Microsoft took a cue from Apple's tight control of iOS and built Windows RT to run only apps that come from the official Windows Store. It called its system "Code Integrity."
"The minimum signing level determines how good an executable's signature is on a scale like this: Unsigned(0), Authenticode(4), Microsoft(8), Windows(12)," explained CLRokr. "The default value on x86 machines is of course 0 because you can run anything you like on your computer. On ARM machines, it defaults to 8."
In Windows RT, that default value is built into the operating system's kernel, which can't be rewritten without bricking the tablet. But CLRokr was able to change it from 8 to 0 in running memory using Microsoft's own WinDbg code-debugging software.
We'll spare you the technical details, but CLRokr said the process was made much easier by the similarities between Windows 8 and Windows RT.
"Windows RT is a clean port of Windows 8. They are the same thing and MSFT enforces Code Integrity to artificially separate these platforms," CLRokr wrote. "It does not stop pirates from modifying store apps (and their license checks) because store apps are the only things that can actually run unsigned."
Peter Nelson, a graduate student in computer science at Oxford, saw CLRokr's blog posting and had an ARM build of the SSH and telnet client PuTTY running on a Windows RT Surface tablet by the end of the day yesterday.
"ARM build of PuTTY running on Microsoft Surface RT! This alone will make the Surface 10x more usable for me," Nelson tweeted.
ARM chips are much slower than Intel chips, so it'd be a stretch to expect demanding software to be ported to Windows RT. But on Reddit, CLRokr expressed hope that someone would try.
"Win32 and WinRT apps are not as different as you might think," he or she wrote. "You can easily build a crappy, slow, unresponsive WinRT app. And there is no reason to believe that Win32 apps have higher requirements when it comes to processing power and memory."
And once again, CLRokr insisted that this hack would only help Windows RT and the Surface tablet.
"The reason I tried to disable Code Integrity has nothing to do with Win32 or WinRT. It has to do with choice," he or she wrote. "Microsoft wants devs to go through the Store and it is understandable from a money standpoint. But allowing Win32 apps could have helped the chicken-and-egg problem the Surface is going to die from."