Windows RT has Been Jailbroken, in a Way

It was only a matter of time, but it has happened: Windows RT has been jailbroken, kind of. Microsoft’s tablet OS, Windows RT, is essentially Windows 8 for ARM but with some added restrictions, such as only being able to run Store applications despite having a desktop mode. It seems, though, that beneath it all there is still a fully functional Windows core that is capable of running native desktop applications.

The hacker, clrokr, used a known vulnerability present in the Windows kernel to change how strict the OS is in preventing unwanted code from running. The Windows kernel has a single flag that decides how strict it is about the kind of executables it will run. Depending on the value of this flag, the kernel will execute all executables, only signed executables, only executables signed by Microsoft, or only Windows executables.

Since the Windows RT boot process is locked down by Secure Boot, it is not possible to change this value permanently. It can, however, be changed in memory, thus unlocking Windows after it has booted. But if Windows can’t run unsigned desktop apps, and Store apps don’t have enough privilege, how do you even change the value in memory? The hacker used a combination of debugging tools and clever hacks to get the job done; the details of which you can read in this blog post.
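To make the mechanism in the two paragraphs above concrete, here is an added example (not code from the article, and not clrokr’s work) that models the kernel’s signing-level flag as the article describes it: four levels, a value that lives only in memory after boot, and a fresh copy loaded from the protected boot image on every restart. The signer names, the `Kernel`/`Image` classes and the HMAC-based stand-in for real certificate chains are all assumptions made for the example; the point is to show why an in-memory change is lost at reboot and how a defender-side check can compare the live flag with the expected boot value.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class SigningLevel(IntEnum):
    """The four enforcement levels the article attributes to the kernel flag."""
    UNRESTRICTED = 0       # run every executable
    ANY_SIGNED = 1         # run only signed executables
    MICROSOFT_SIGNED = 2   # run only executables signed by Microsoft
    WINDOWS_ONLY = 3       # run only Windows components (Windows RT's shipped setting)


# Constructed stand-in for certificate chains. Real Authenticode checks walk
# X.509 chains; an HMAC keyed per signer is used here only so the example
# runs offline. The rank says which policy level a given signer satisfies.
SIGNER_KEYS = {"contoso": b"k-contoso", "microsoft": b"k-microsoft", "windows": b"k-windows"}
SIGNER_RANK = {
    "contoso": SigningLevel.ANY_SIGNED,
    "microsoft": SigningLevel.MICROSOFT_SIGNED,
    "windows": SigningLevel.WINDOWS_ONLY,
}


@dataclass
class Image:
    name: str
    code: bytes
    signer: Optional[str] = None
    signature: Optional[bytes] = None


def sign_image(image: Image, signer: str) -> Image:
    """Attach a signature over the image hash using the (hypothetical) signer's key."""
    digest = hashlib.sha256(image.code).digest()
    image.signer = signer
    image.signature = hmac.new(SIGNER_KEYS[signer], digest, hashlib.sha256).digest()
    return image


def verify_image(image: Image) -> Optional[str]:
    """Return the signer name if the signature checks out, else None."""
    if image.signer is None or image.signature is None:
        return None
    key = SIGNER_KEYS.get(image.signer)
    if key is None:
        return None
    digest = hashlib.sha256(image.code).digest()
    expected = hmac.new(key, digest, hashlib.sha256).digest()
    return image.signer if hmac.compare_digest(expected, image.signature) else None


class Kernel:
    """Models the in-memory policy flag: loaded from the Secure-Boot-protected
    image at boot, then held only in RAM until the next restart."""

    BOOT_LEVEL = SigningLevel.WINDOWS_ONLY  # value carried by the signed kernel image

    def __init__(self) -> None:
        self.level = Kernel.BOOT_LEVEL      # the in-memory copy

    def may_execute(self, image: Image) -> bool:
        if self.level == SigningLevel.UNRESTRICTED:
            return True
        signer = verify_image(image)
        if signer is None:
            return False
        return SIGNER_RANK[signer] >= self.level

    def policy_tampered(self) -> bool:
        """Defender check: the live flag should still equal the boot value."""
        return self.level != Kernel.BOOT_LEVEL


def simulate() -> dict:
    """Walk through boot, an in-memory flag change, and a reboot with sample images."""
    unsigned = Image("thirdparty.exe", b"\x4d\x5a unsigned desktop app")
    vendor = sign_image(Image("notepad.exe", b"\x4d\x5a windows component"), "windows")
    third = sign_image(Image("tool.exe", b"\x4d\x5a third-party signed"), "contoso")
    tampered = sign_image(Image("bad.exe", b"\x4d\x5a original"), "contoso")
    tampered.code = b"\x4d\x5a modified after signing"   # signature no longer matches

    k = Kernel()
    out = {
        "boot_unsigned": k.may_execute(unsigned),      # False
        "boot_windows": k.may_execute(vendor),         # True
        "boot_third_party": k.may_execute(third),      # False: valid, but not a Windows signer
        "boot_tampered": k.may_execute(tampered),      # False
        "boot_flag_ok": not k.policy_tampered(),       # True
    }
    # The change the article describes: the flag is rewritten in RAM, not on disk.
    k.level = SigningLevel.UNRESTRICTED
    out["live_unsigned"] = k.may_execute(unsigned)     # True
    out["live_flag_ok"] = not k.policy_tampered()      # False: the drift is detectable
    # Reboot: the signed image is loaded again, so the flag returns to its default.
    k = Kernel()
    out["reboot_unsigned"] = k.may_execute(unsigned)   # False
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:18s} {value}")
```

The `policy_tampered` check is the part a defender would care about: because the boot-time value is known, a periodic comparison of the live flag against it turns the in-memory modification into something observable rather than silent.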

This is a rather complex process and isn’t one that is suitable for the average tablet buyer. Even for those who can manage it, it will only remain unlocked till the device restarts.

What this does show is that Windows RT is simply an intentionally crippled version of Windows, just like Microsoft’s earlier Starter editions of Windows Vista and 7.

A Microsoft representative has commented on this, saying, “We applaud the ingenuity of the folks who worked this out and the hard work they did to document it.” Since this process isn’t something the average user could do, they do not consider it a security threat. Even so, they do not guarantee that this method will continue working, as Microsoft may plug the vulnerability in the future.

As Peter Bright from Ars argues, Microsoft should provide an official way to jailbreak the device rather than continually plug holes to prevent hacks. Having an official jailbreak solution ensures that the average computer user still gets the advantage of code signing, while those who want to can still run unsigned code.
