Unleash the power of Windows Phone

Latest News

Hi all! I haven't been very communicative lately. The reason is that I was working on a project and I found that I was not able to focus very well due to an influx of questions from social media, etc. In April of this year, I received my Lumia 920 and wished to unlock it to its fullest potential. I soon discovered that Windows Phone 8 was a whole new beast and I wasn't really having any success in hacking it. I decided to stop using Twitter, mail and forums for a while, at least until I made some significant progress. Sorry to everyone I haven't answered over the last period of time. It wasn't because I'm an arrogant prick; I just needed to focus on my project. I will try to go through my inboxes and answer the most important questions sometime soon.

At this moment, I can't really say I have big news yet, but I do want to share some of the things that I have worked on so far. I first decided to target the Windows Phone 8 Emulator, because the emulator has many of the same security features as retail devices and is easier to test with. All this research has resulted in my now having root access on the emulator. That is a little breakthrough for me, because it means that I already understand and have defeated a big part of the Windows Phone 8 security features. Please note that there are still a couple of big steps that need to be taken to accomplish the same on retail devices.

During my quest for root access on the emulator, I encountered an overwhelming amount of security routines. It's really clear that this kernel has been under development for about 20 years now. Windows Phone 8 now has the same Windows NT kernel as current desktop PCs and uses NTFS file-system security. Part of the Windows Phone 7 security engine has been ported to Windows Phone 8, but it has been glued to the security features of the Windows NT kernel, so the new security engine is a hybrid of the old Windows Phone security engine and the Windows NT security engine. The Windows NT kernel has been extended with a sandboxing mechanism and a capability mechanism: at kernel level, security tokens and NT privileges are still what gets checked, while towards user mode the far more extensive capability system is exposed.

By default, all applications are launched in a sandbox. The sandbox can be extended with capabilities; other than that, it is normally not possible to step outside the sandbox to view or change data on the phone or to use system functions. Every time a secured object (such as a file or registry value) is accessed, all security-token attributes are checked against it: the Access Control List, the Lowbox state, the Restriction state, the privileges and the capabilities. Furthermore, every time code is loaded, its integrity is checked. Simple hacks are often not possible, because everything is checked and double-checked and many OS features depend on it. For example, if you completely disable the sandboxing mechanism, many apps won't launch anymore, because the sandbox also defines the identity of the application. Without that identity, it's not possible to load COM objects and Windows Runtime Components or to have cross-process communication, which results in many crashing or hanging applications. So, to get unlimited access to secured objects and APIs, you need to gently circumvent the systems that check the integrity of the code, the Access Control Lists, the privileges and the capabilities. You also need to be able to impersonate other, non-lowboxed accounts. Therefore, I studied the processes that build the security tokens, restrict and sandbox them, and then use them to create new processes, and I studied all the runtime security checks. It took me quite a while, but I think I understand most of these mechanisms now.
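To make the layered check concrete, here is an added illustrative model (my own example, not kernel code and not part of WP8 Root Tools) of the access check the paragraph describes: the DACL is walked once for the normal user and group SIDs, and a restricted token must additionally be granted through its restricting SIDs, while a lowbox token must additionally be granted through its package SID, one of its capability SIDs, or ALL APPLICATION PACKAGES. A privilege such as SeTakeOwnershipPrivilege short-circuits the DACL for its own right. The access bits, the package and capability SIDs and the sample DACLs are constructed; the well-known SIDs are real. Code-integrity checking at load time is not modelled.

```python
# Illustrative model of the layered NT access check (added example; not kernel
# code and not from WP8 Root Tools). Masks and sample SIDs/DACLs are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Access bits (illustrative values, not the real Win32 masks)
READ, WRITE, WRITE_OWNER = 0x1, 0x2, 0x8

# Well-known SIDs (real values)
ALL_APPLICATION_PACKAGES = "S-1-15-2-1"   # carried by every lowbox token
RESTRICTED_CODE = "S-1-5-12"              # typical restricting SID
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
BUILTIN_USERS = "S-1-5-32-545"


@dataclass
class Ace:
    sid: str
    mask: int
    allow: bool = True              # False => access-denied ACE


@dataclass
class Token:
    user: str
    groups: Set[str] = field(default_factory=set)
    privileges: Set[str] = field(default_factory=set)
    restricted_sids: Optional[Set[str]] = None   # not None => restricted token
    package_sid: Optional[str] = None            # not None => lowbox token
    capabilities: Set[str] = field(default_factory=set)


def _dacl_pass(dacl: List[Ace], sids: Set[str], desired: int) -> bool:
    """One ordered walk over the DACL for one SID set: a deny ACE that hits a
    still-wanted bit fails the check, allow ACEs accumulate, done at zero."""
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break
        if ace.sid not in sids:
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif ace.mask & remaining:
            return False
    return remaining == 0


def access_check(token: Token, dacl: List[Ace], desired: int) -> bool:
    # Privileges first: SeTakeOwnershipPrivilege grants WRITE_OWNER outright.
    if "SeTakeOwnershipPrivilege" in token.privileges:
        desired &= ~WRITE_OWNER
    if desired == 0:
        return True
    # Pass 1: the normal user and group SIDs.
    if not _dacl_pass(dacl, {token.user} | token.groups, desired):
        return False
    # Pass 2: a restricted token must ALSO be granted via its restricting SIDs.
    if token.restricted_sids is not None:
        if not _dacl_pass(dacl, token.restricted_sids, desired):
            return False
    # Pass 3: a lowbox token must ALSO be granted via its package SID,
    # one of its capability SIDs, or ALL APPLICATION PACKAGES.
    if token.package_sid is not None:
        lowbox = {token.package_sid, ALL_APPLICATION_PACKAGES} | token.capabilities
        if not _dacl_pass(dacl, lowbox, desired):
            return False
    return True


# ---- constructed sample principals and objects ----
USER = "S-1-5-21-1-2-3-1001"
PKG_A, PKG_B = "S-1-15-2-1111", "S-1-15-2-2222"   # package SIDs (S-1-15-2-* form)
CAP_X = "S-1-15-3-7777"                           # capability SID (S-1-15-3-* form)
ADMIN_GROUPS = {BUILTIN_ADMINISTRATORS, BUILTIN_USERS}

ADMIN = Token(user=USER, groups=ADMIN_GROUPS)
ADMIN_RSTR = Token(user=USER, groups=ADMIN_GROUPS, restricted_sids={RESTRICTED_CODE})
ADMIN_LBOX = Token(user=USER, groups=ADMIN_GROUPS, package_sid=PKG_A)
APP_A = Token(user=USER, groups={BUILTIN_USERS}, package_sid=PKG_A)
APP_B = Token(user=USER, groups={BUILTIN_USERS}, package_sid=PKG_B, capabilities={CAP_X})
APP_B_NOCAP = Token(user=USER, groups={BUILTIN_USERS}, package_sid=PKG_B)
TAKEOWNER = Token(user=USER, groups={BUILTIN_USERS}, privileges={"SeTakeOwnershipPrivilege"})

SYSTEM_FILE = [                       # e.g. a system binary
    Ace(BUILTIN_ADMINISTRATORS, READ | WRITE | WRITE_OWNER),
    Ace(BUILTIN_USERS, READ),
    Ace(ALL_APPLICATION_PACKAGES, READ),
]
APP_KEY = [                           # e.g. package A's private registry key
    Ace(BUILTIN_USERS, READ | WRITE),
    Ace(PKG_A, READ | WRITE),
    Ace(CAP_X, READ),
]
LOCKED_FILE = [                       # deny ACE first: ACE order matters
    Ace(BUILTIN_USERS, WRITE, allow=False),
    Ace(BUILTIN_ADMINISTRATORS, READ | WRITE),
]


def demo() -> dict:
    return {
        "admin_writes_system_file": access_check(ADMIN, SYSTEM_FILE, WRITE),
        "restricted_admin_writes_file": access_check(ADMIN_RSTR, SYSTEM_FILE, WRITE),
        "lowboxed_admin_writes_file": access_check(ADMIN_LBOX, SYSTEM_FILE, WRITE),
        "lowboxed_admin_reads_file": access_check(ADMIN_LBOX, SYSTEM_FILE, READ),
        "app_a_writes_own_key": access_check(APP_A, APP_KEY, WRITE),
        "app_b_writes_a_key": access_check(APP_B, APP_KEY, WRITE),
        "app_b_reads_a_key_via_cap": access_check(APP_B, APP_KEY, READ),
        "app_b_without_cap_reads_a_key": access_check(APP_B_NOCAP, APP_KEY, READ),
        "user_takes_owner_via_privilege": access_check(TAKEOWNER, SYSTEM_FILE, WRITE_OWNER),
        "admin_writes_locked_file": access_check(ADMIN, LOCKED_FILE, WRITE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'granted' if ok else 'DENIED'}")
```

The point the model makes is the one in the paragraph: an administrator SID in the token buys nothing once the token is restricted or lowboxed, because every extra pass must independently grant the access, and a capability only helps when some ACE on the object names that capability SID. Flipping a single flag in the token therefore changes the outcome of every later check, which is why the real system has to be circumvented gently rather than switched off.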

During my research, other people have been working on Windows Phone 8 too. For example, GoodDayToDie and -W_O_L_F- from the XDA forums have found a way to get Interop Unlock on the Samsung Ativ S. I've been asked if it is now possible to create WP8 Root Tools, but unfortunately: not yet. Interop Unlock is not the same as root access. Interop Unlock can potentially provide privilege escalations, but it still needs hacks to do further modifications to the Windows Phone OS in order to get root access. On Windows Phone 7 I developed the Policy Unlock, which is a very complex mechanism that can be used on most of the Interop Unlocked Windows Phone 7 devices to get root access. That process also requires a complex installation, so this functionality was built into WP7 Root Tools. For Windows Phone 8 I would need to create a similar mechanism, but Windows Phone 8 security is completely different from Windows Phone 7 security and the process would need to be created from scratch. You could say that my root access for the Windows Phone 8 emulator is an approach from the kernel side and Interop Unlock is an approach from the application side, but they still need to meet in the middle. So far, that hasn't happened for Windows Phone 8 yet and this will need a lot more research.

Since I have root access on the emulator now, I can work on the implementation of WP8 Root Tools. I have already implemented some core parts and I am porting UI code from WP7 Root Tools to Windows Phone 8. In the meantime, I'm also looking for new exploits that can be used to deploy my root access hacks to retail devices. During my previous research, I already found some weak spots in the implementation of the OS, which definitely need a closer look. I hope to bring more news on Windows Phone 8 as my research continues.

- Heathcliff74 -