Friday, January 11, 2013

Windows RT Jailbreak Tool Allows Users To Run Unsigned Apps

Earlier this week, reports surfaced that a software creator known only by his handle "clrokr" had created a workaround for Windows RT that allows users to download and install unsigned ARM-based desktop applications on Microsoft's closed Windows RT operating system. Following this report, another programmer took things a bit further and released a tool that automates this jailbreaking process on Windows RT.

At the heart of the hack is a simple value. It was discovered that a single byte determines whether or not a Windows RT device will try to execute a given app. The minimum signing level value is present on both Windows 8 and Windows RT, and it’s the key to making an app launch on Windows RT. On a Windows 8 system the value defaults to 0, which allows any x86 app to run, even unsigned ones. That’s why you can download any executable file or application and launch it.

On Windows RT, the value is set to 8 by default. It is this setting that prevents devices like the Microsoft Surface from running anything other than what Microsoft approved and signed off on (Windows Store Apps). By performing a bit of code wizardry, clrokr was able to flip the value and trick Windows RT into running an unsigned app.

Enter the software creator known as "netham45". netham45 has released a batch file on the XDA Developers website that automates changing this kernel value, setting the minimum signing level so that unsigned apps can run on the OS. The exploit is limited by the fact that the setting needs to be changed each time the PC boots up (it can’t be permanently altered on devices enabled with Secure Boot), and it only works for unsigned ARM desktop apps. But it is a step toward allowing outside third-party apps, which could allow for more creative uses down the road.

Microsoft has already issued a statement saying it does not consider the findings to be part of a security vulnerability, and applauded the hacker for his ingenuity. At this time it is uncertain whether Microsoft will issue a patch blocking this jailbreak, but netham45 says that if it does, you can simply revert to the original OS provided on the recovery partition and re-install the patch as a workaround.
