Something interesting that I found out while thinking about how to interop Unlock WP8: The "PhoneReg.exe" app which is a signed app used for developer unlocking a device is written in un-obfuscated C#.net code!
If anyone has access to a program such as Dis#, we should be able to reverse-engineer this and at least figure out what types of data are being passed back and forth between different account types (e.g. student dev unlock vs. regular dev unlock). Then we can maybe guess at what needs to be passed to interop-unlock these devices!
Based on my understanding of how the WP7 interop unlock works, all the Developer unlock does is modify a registry value. As the value gets higher, the more "Development stuff" you can do.
I'll see if I can scare up a copy of that app. Decompiling .NET code is trivial - you don't even need a paid tool, there are many perfectly good free ones (I usually use JustDecompile) - assuming it's not obfuscated.
With that said, bear in mind that we can't currently modify the data that the app receives from the network. That was actually how the original ChevronWP7 unlocker for WP7 worked, but intercepting (or in the case of CWP7U, spoofing) the data was blocked when Microsoft added a feature commonly called "certificate pinning", where rather than checking whether the server's SSL certificate is trusted in general (which you could do by installing a cert manually), the phone now checks for a specific cert (Microsoft's).
However, it's possible (a bit unlikely, but possible) that we'll find a vulnerability in the app. For example, they may have slightly messed up the cert pinning in a way we can exploit (I checked for cert pinning, but I didn't check for ways they might have screwed it up), or they might have left in some debug code we can mess with (that's how HTC interop unlock on WP7 was achieved), or some other such weakness.
If there's some way to help out with testing and such tasks, I'm willing to test on my Lumia 920 if any vulnerability is found. Just send me a PM if so.
Sent from my Lumia 920 using Board Express
Cool. Good to know. What was nice about the program I mentioned is that it supposedly decompiles everything and then builds it into a nice Microsoft C# project that can be imported into Visual Studio. (I was able to do that, but bits of code within some classes and methods are missing and just have a code comment called //trial)
Some of the interesting code bits I noticed include:
1. The wonderful "NativeMethods.cs" file. This is a wrapper that allows you to call functions within "PhoneREG.dll" such as "GetAuthToken" and "GetWinPhone8Port".
2. "connectionManager.cs". It opens up a session to the phone using port 27077 to pass data.
3. The files called "lockCommand.cs" and "unlockCommand.cs". They deal with passing and converting some kind of "authToken" to the phone.
4. The "SignInDialog.cs" code provides everything necessary to sign into Windows Live. It has variables to store OAuth tokens.
My thoughts are as follows:
1. We could maybe write a custom app that functions as normal, but edits the ByteArray before it gets sent to the phone. Basically you would need an MSDN developer account of some sort, but signing in with this app would give you interop privileges.
2. Maybe there will be something "hidden" if we can figure out what this app is talking to on the phone via port 27077.
That sounds interesting. I'll try to look at the data tomorrow before I head to work and see if I can find anything. Hopefully I will.
Sent from my Lumia 920 using Board Express
If we can actually bypass interop lock with a non-MS signature, that would be fantastic... and I'd be astonished. That wasn't possible in WP7 (Mango or later, when the interop-lock was present) and isn't possible in Windows RT either.
Can you either send the app, or post a link to where you got it from?
Hi guys,
just wanted to give you all a huge *thumbs up*! You're doing great work here!
I have a Lumia 920 for about 2 weeks now.
So, as I did some Lumia 800 and Lumia 900 custom ROMs, and became a little "bored" with WP7, I would be happy if I could help you by testing some stuff on my Lumia 920.
If you need my help, just let me know
lordmaxey said:
Hi guys,
just wanted to give you all a huge *thumbs up*! You're doing great work here!
I have a Lumia 920 for about 2 weeks now.
So, as I did some Lumia 800 and Lumia 900 custom ROMs, and became a little "bored" with WP7, I would be happy if I could help you by testing some stuff on my Lumia 920.
If you need my help, just let me know
I know your feeling. I made WM6.5.x, Android and WinPho 7 ROMs for the HTC HD2 before I got my Lumia 920.
Sent from my Lumia 920 using Board Express
I have a dev unlocked Lumia 820 and can do any testing if required
If you are running a Windows 8 PC and can install the Windows Phone 8 SDK, the PhoneReg tool can be found at C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\Phone Registration
There are some other tools that I haven't poked around at that could be interesting to try and decompile and "re-work" such as the XapSignTool. (I think this might be written in C++ though)
The SDK in its entirety can be downloaded from http://developer.windowsphone.com/en-us/downloadsdk. You want "SDK 8.0".
I'll get my dev unlock in a month. Will get it as a birthday gift. So by then I'll be able to help out more.
Should've checked the USB port stuff this morning, but I didn't have time for it. Will do it when I get home in 2 hours.
Sent from my Lumia 920 using Board Express
EDIT: Can't seem to find a usable USB sniffer that works under Windows 8, or I've been configuring those I've tried wrong. Enabled TESTSIGNING in BCDEDIT and rebooted, so Test Mode is activated, but no tool seems to work.
Regards
The phone itself can communicate with a Windows 7 PC, just not if you want to use the SDK. Perhaps try the same experiment under Windows 7? You might be able to copy the "Phone tools" directory off of Windows 8 onto Windows 7. It uses .net 4.5, so make sure the runtime is installed.
I have already gone down this road and can fairly confidently say it is a dead-end. The only interesting thing I found was the ability to switch a phone to use the internal Microsoft development authentication servers. Best of luck though - maybe I missed something.
SynergeTechSolutions said:
I have already gone down this road and can fairly confidently say it is a dead-end. The only interesting thing I found was the ability to switch a phone to use the internal Microsoft development authentication servers. Best of luck though - maybe I missed something.
That's sad. Do you have any data collected from the communications on port 27077? That's what we're looking for right now.
Sent from my Lumia 920 using Board Express
SynergeTechSolutions said:
I have already gone down this road and can fairly confidently say it is a dead-end. The only interesting thing I found was the ability to switch a phone to use the internal Microsoft development authentication servers. Best of luck though - maybe I missed something.
bummer
Any details about what you found out?
Did you see if the internal (test, I assume) server mode used cert pinning? If not, we can spoof those servers and basically re-implement the original ChevronWP7 unlocker (in a more elegant form, too).
Not quite the goal you want to move to, but maybe what you have found out so far can be used to enable dev unlocking and XAP deployment to dev-unlocked WP8 devices from Windows 7. I believe there are quite a lot of developers who would be happy to have that possibility.
I do know that when you activate dev unlock on WP8 devices, it does it using the Windows Phone IP over USB service ("C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe"). The IpOverUSBSvc is more or less just a .NET wrapper (I figured this would be the case). If anyone is good at x86 assembly and can get into the IpOverUsbPc.dll, we may get somewhere.
snickler said:
I do know that when you activate dev unlock on WP8 devices, it does it using the Windows Phone IP over USB service ("C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe"). The IpOverUSBSvc is more or less just a .NET wrapper (I figured this would be the case). If anyone is good at x86 assembly and can get into the IpOverUsbPc.dll, we may get somewhere.
Several tools exist for decompiling DLLs to have a look at the source (which I assume will be .NET).
Reflector is one (commercial) solution, but in Adrian Banks' blog you will find alternatives that are free, and some commercial ones also.
http://www.adrianbanks.co.uk/?p=71
NielDK said:
Several tools exist for decompiling DLLs to have a look at the source (which I assume will be .NET).
Reflector is one (commercial) solution, but in Adrian Banks' blog you will find alternatives that are free, and some commercial ones also.
http://www.adrianbanks.co.uk/?p=71
The DLL I mentioned is unfortunately a COM DLL. I already ran ILSpy against the exe to find that out. We will need someone with x86 assembly experience.
Is there anything, besides codeproject, that has a repository for source code for windows mobile 5/6/6.1? I am looking for something similar to planetsourcecode.com/.net so I can learn from sourcecode.
Also, is there any development tool I can use to program today plugins besides Visual studio? I know of basic4ppc. But anything else? Anything similar to appforge out there?
Try embedded Visual C++/Basic from the MS Websites. (it's free)
...or ic#code if you intend to write managed code. Hey moderators what about a new forum here in XDA for open source code / class libraries / etc for windows mobile and HTC devices?
jdiperla said:
Is there anything, besides codeproject, that has a repository for source code for windows mobile 5/6/6.1? I am looking for something similar to planetsourcecode.com/.net so I can learn from sourcecode.
Also, is there any development tool I can use to program today plugins besides Visual studio? I know of basic4ppc. But anything else? Anything similar to appforge out there?
I recently went through this when making Manilla2D Customizer.
I found a lot of very useful information at the Pocket PC Developers Network: http://www.pocketpcdn.com/
CodeProject also has quite a few decent articles.
When you get truly stuck with a problem the community over at stackoverflow.com will usually have an answer for you
Feel free to download the source for M2DC at http://code.google.com/p/manilla2dcustomizer/downloads/detail?name=M2DC_v0.11.133-src.zip&can=1&q=
As far as development tools... I was unable to find anything I was happy with other than Visual Studio. Microsoft has a 90-day trial of Visual Studio 2008 Professional for free download, and that is what I have been using for M2DC. It has worked well for me, but I know in 2 months I need to buy the full version (nearly $700) or convince my employer or contracting employer to buy it for me.
good luck
I have a similar issue. I can code command line, I am just bad at picking the "correct" compiler, worse at setting it up and I don't really care for Visual coding and IDEs (am perfectly happy with Notepad or Nano).
I was surprised that there is no sticky on these forums, not even in the roll-up, that discusses "recommended" tools (or available combinations) for writing mobile applications.
The only one I am aware of is Visual Studio et al described on MS' site here -
http://msdn.microsoft.com/en-gb/windowsmobile/bb264337.aspx
Now, obviously, I don't really like spending money, especially if I can do it for free (and legally, obviously), so I was pleasantly surprised when I found that MS gives their tools away to students -
https://downloads.channel8.msdn.com/Products.aspx
So this gets Visual Studio (I elected for 2005 rather than 2008) and the rest of the tools as a developer environment. I just installed all of this and it seems to be working ok with minimum fuss, so I shall be bastardising some MS sample project in the near future to create a template program and then I should be away....
Beyond that, there's the option of embedded Visual C++ 4 (download and service pack 4). The only problem was getting this to compile properly (as I said, I have problems with getting compilers to work. They are a nemesis of mine, along with printers).
If there are other options (like ic#code, gcc etc...) that are also easy to set up, but not attached to Microsoft, I would love to be told about them especially if there is a walk-through about how to put the pieces in the right place or an IRC channel I can ask silly questions in (like what .
If you don't require C++, check out PellesC.
It's very straightforward to get it up and going; it uses a modified lcc compiler.
I searched and got nothing in the forum about homebrew, so I figured I'd ask about it. Is it possible for us with this phone to do any of the homebrew stuff out there? I have been without my laptop so cannot really try anything yet, but I see articles about little apps and aesthetic changes people are doing to their Samsung and HTC WP7 phones and I want in on it too.
I loved that homebrew community when I had my Palm Pre back in the day and had it hacked to my liking. I really hope we can do this with our phones too. I have looked into it a little bit, but I don't think the guys who have done the unlocking and developing for WP7 have used, tried or have access to our phone. I really hope I'm wrong and just haven't had any luck searching for answers, but so far I haven't really found anything specifically stating whether anything works on the DVP yet.
If they have, could someone point me in the right direction and I'll continue learning on my own? If not, then I hope we can some day.
Thanks for any help y'all can provide.
I'm looking to attack this problem from the other end. I'm the developer of one of those "little apps" you mentioned; specifically the one that lets you change the Search function in IE (when you hit the Search button or mis-type a URL).
I'm working with a homebrew library that more-or-less handles HTC, Samsung, and LG, but completely doesn't support Dell. I'd like to get it working with Dell so that
A) You all can use my app
B) More homebrew apps can be written for the DVP
Some questions that I have (answers to any are appreciated):
How can I programmatically identify a Dell phone? (On an HTC, you can check for HKLM\Software\HTC in the registry.)
Does anybody have ProvisionXML working on the Venue Pro yet? (This is a really handy way to make changes to the OS.)
Does anybody have a way to get access to the file system, even read-only, on the Venue Pro?
Thanks a bunch. In the meantime (and possibly helpful to this cause) there's a homebrew project called "Functional Webserver" in the WP7 Hacking forum. It should work on Dell phones (I think) and means you should have at least Socket (networking) APIs. It also gives (read-only) access to the \Windows directory, which may be very useful for getting other stuff...
GoodDayToDie said:
I'm looking to attack this problem from the other end. I'm the developer of one of those "little apps" you mentioned; specifically the one that lets you change the Search function in IE (when you hit the Search button or mis-type a URL).
I'm working with a homebrew library that more-or-less handles HTC, Samsung, and LG, but completely doesn't support Dell. I'd like to get it working with Dell so that
A) You all can use my app
B) More homebrew apps can be written for the DVP
Some questions that I have (answers to any are appreciated):
How can I programmatically identify a Dell phone? (On an HTC, you can check for HKLM\Software\HTC in the registry.)
Does anybody have ProvisionXML working on the Venue Pro yet? (This is a really handy way to make changes to the OS.)
Does anybody have a way to get access to the file system, even read-only, on the Venue Pro?
Thanks a bunch. In the meantime (and possibly helpful to this cause) there's a homebrew project called "Functional Webserver" in the WP7 Hacking forum. It should work on Dell phones (I think) and means you should have at least Socket (networking) APIs. It also gives (read-only) access to the \Windows directory, which may be very useful for getting other stuff...
I would like to submit my services to help you get that information... However, I'm not really sure how to get that to you. If you'd be happy to lay out directions so I can get you that information, I'll happily do it on my Dell Venue Pro.
Thanks for the help!
@nabiscuit Thanks for the offer. The first step is making sure your phone is developer-unlocked, so you can side-load (install directly, not from Marketplace) XAP application packages. All homebrew apps are distributed in this way. The official way to do this is to have a Microsoft developer account (http://create.msdn.com/) although for the next few weeks ChevronWP7 should also work.
For the first question, try installing a Registry Viewer or Registry Editor app - there are a number of them available, both on this site and on TouchXperience (I like the TouchXperience one a lot). Go poke around for anything that looks like a distinctive registry key or value. The most likely place is under HKLM. You could also just do a registry search (the better apps have at least some capability for such searches) for "Dell" as *anything* with that string is probably distinctive.
For the second, it will take access to native code. Using the "Functional Webserver" app you can download some file from the phone's /Windows directory. Checking them for useful COM exports would be helpful, although I'm not the person to ask about doing that - I can do NT drivers and I can do managed code, but COM is not my thing. Try asking for help with this in the general Windows Phone 7 Development and Hacking forum (http://forum.xda-developers.com/forumdisplay.php?f=606).
For the third question, I could actually whip up a small app that *might* work already. You could also try Advanced Explorer (XDA) or TouchXplorer (TouchXperience) although I don't think either is guaranteed to work outside of HTC phones. If you're willing to try running an app that will check for read and write in a number of harmless parts of the file system, I can code one up for you to run and report results back.
Thanks again!
I'd love to get some homebrew development going, is there anything I can do to help?
Try getting in touch with notebookgrail (http://forum.xda-developers.com/member.php?u=3174632) as he seems to be pulling apart the DVP native libraries and finding lots of cool stuff to do with their COM interfaces. I don't know if he has registry write yet - one of the core functions that a lot of homebrew apps want - but if so I can work on getting it integrated into a nice cross-device library for writing apps which (should... grrr Samsung) work on any phone.
GoodDayToDie said:
Try getting in touch with jessej (http://forum.xda-developers.com/member.php?u=3220709) as he seems to be pulling apart the DVP native libraries and finding lots of cool stuff to do with their COM interfaces. I don't know if he has registry write yet - one of the core functions that a lot of homebrew apps want - but if so I can work on getting it integrated into a nice cross-device library for writing apps which (should... grrr Samsung) work on any phone.
Did you mean to point it to me, as I was the one who did pull apart the native libs?
If not, sorry for the intrusion.
Yes, send your request to notebookgrail. I am not on his level for development purposes. But I do appreciate the comment.
Whoops, sorry about that notebookgrail! I must have looked at a response instead of the OP by accident. I've fixed my post above. Thanks a bunch for the work you've done. Any word on registry writing?
any progress?
My father was at the Microsoft HQ for 2 weeks, he sent me a text from there : "Félicité par ms..." ("Congratulated by Microsoft..."), we were talking about the exploit at this moment. This morning, he came back home after a long sleepy flight. Just ten minutes ago, he told me about how Microsoft "thanked" the exploit.
Mark Russinovich, co-founder of Sysinternals (acquired later by MS), made a demo on how to change the color of the bluescreen on a Surface. Using the kernel debugger, he first triggered a bluescreen to see where the bluescreen display code was located inside the kernel. After that, he searched for the color code (my father didn't remember how) and asked the audience what color they wanted instead of blue; a man answered pink. Then he made an unsigned driver that would change the color code inside the kernel hex/assembly (I don't know if he had access to the PDB for this exploit), and, thanks to the exploit, he installed the driver. Finally, he triggered a bluescreen that was actually a pinkscreen.
This demo couldn't have been possible without Netham's jailbreak, and Microsoft looks actually very grateful to him. This makes me think that the Surface is kind of a Kinect-like product. The Kinect was hacked 3 hours after its commercialization, and Microsoft didn't fix it. They even published an SDK so devs can use it on PC for whatever they want. The Surface reminds me of that case, and I think they actually waited for a jailbreak to be released.
Thanks Netham for this jailbreak.
Cool though that sounds... there are a few important points here.
0. Netham45 publishes a nice tool, but it's not really his exploit. The research that produced the jailbreak hack in its basic form was performed by another XDA-Devs member, clrokr.
1. Odd that you mention a kernel debugger. Clrokr's exploit, as published, doesn't enable kernel debugging. That's blocked by Secure Boot policies which aren't affected by this hack.
2. If Microsoft wants to enable a kernel debugger, they can do that easily without any external help. For that matter, it's known that development devices (i.e. non-production-models) come with a much less-restricted bootloader; it's not as if MS developed Windows RT or the drivers for various devices without having a kernel debugger already!
3. Similar to #2, if Microsoft wants to run arbitrary user-mode code on Windows RT outside of an AppContainer sandbox, they can do that already via three different methods: either enable TestSigning mode and install their own certificates (we can't do this due to Secure Boot, same as the kernel debug block), sign the binaries with their own trusted keys (obviously they can do this, or none of the Windows RT desktop mode software would run!), or simply change the signature enforcement check in the kernel and re-compile it (it's just a flag they can set; Windows on x86 has the same flag but it defaults to no enforcement for user-mode code and they could change that on RT easily).
4. Going back to #1, the current exploit is for user-mode code. So far as I know, it doesn't enable installing custom drivers either. Again, that's probably done either by enabling Testsigning mode (on a non-secure-boot-locked system) or removing the signature enforcement entirely in a custom Windows RT build.
That said, whatever the oddities in your story, I hope this works out like you describe. I personally think MS shot themselves in the foot with the restrictions of RT, and I hope they come to their senses about it. I've actually met Russinovich, and he's a very cool dude. He doesn't strike me at all as the sort of person to support a lock-the-user-out-of-their-own-system policy like RT currently has. Unfortunately, his position at MS (Technical Fellow) has influence but isn't actually managerial; if the people in charge of the RT project demand that the jailbreak be blocked, it will be, and Mark might have very little to do with the decision.
He can't remember all the details. My father works on PDW, not debugging, and the debugging tools Mark used are from Sysinternals as far as I remember. But yes, the details may not be accurate.
Mark might have very little to do with the decision
Doesn't it sound "politically incorrect" to make this kind of hack on a Surface if that goes against the opinion of the company? I know Microsoft doesn't keep an eye on every single demonstration from their employees, but that would sound odd if MS finally fixes it. It is true that they lock their Xbox products as hard as they can, but there is a commercial argument in the case of the Surface. Official developers will still develop Metro apps if they want to aim at WinRT users.
Hello,
I have been searching high and low for a way to force my shiny new HTC 8X to accept a 512-bit self-signed certificate. Our work email server is Lotus/IBM Domino. We have an EAS server (Notes Traveler) set up for our portable devices. Microsoft is the only OS that forces 1024-bit or greater certs. As a result, I cannot connect to our EAS server.
More info can be found at support.microsoft.com/kb/2661254?wa=wsignin1.0
Through all the research I have been doing, I think it is possible to do this, since you can make it work with Windows 8 by doing one of two things:
1. Add the following in the registry:
reg add "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config" /v minRSAPubKeyBitLength /t REG_DWORD /d 0x00000200 /f
2. Use the built-in certutil to modify the registry:
certutil -setreg chain\minRSAPubKeyBitLength 512
Any thoughts on how I can do this with Windows Phone 8? I am in the process of developer-unlocking my device. I just need to wait for the SDK to finish installing into my VM.
As far as I know, there's no way to edit the registry with developer unlock.
You need more elevated privileges (Interop Unlock) and, at this moment, there's no way to obtain that on Windows Phone 8.
I know this isn't the response you are looking for, but recommend to your company to update their SSL certificate to 1024 or 2048 bits. The reason your phone won't support the 512-bit certificate is simply because it is not secure, which Microsoft finally stopped allowing last year.
Since your company is using a self-signed certificate, it should only take them a few minutes to create and install a new one that modern operating systems would support.
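An added example (not code from PhoneReg.exe, Microsoft, or any poster in these threads) that ties together the certificate pinning discussed in the PhoneReg thread above and the RSA key-size floor discussed in this thread: a .NET Framework 4.5 validation callback that pins one server certificate and refuses short RSA keys, shown beside the pinning mistake that lets a manually installed certificate through. The pin value and host name are placeholders.

```csharp
// Added example, not code from PhoneReg.exe, Microsoft, or anyone in the thread.
// Targets .NET Framework 4.5 (the runtime the thread mentions). The pin value
// and host name below are placeholders to replace with values you control.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedTls
{
    // SHA-256 over the DER-encoded leaf certificate we expect (placeholder).
    const string ExpectedCertSha256Hex =
        "0000000000000000000000000000000000000000000000000000000000000000";
    const string ServiceHost = "eas.example.invalid"; // placeholder host name
    const string RsaOid = "1.2.840.113549.1.1.1";

    // Key-size floor. Windows 8 / WP8 refuse RSA keys below 1024 bits (the KB
    // article cited in the thread); 2048 is the sensible floor for new deployments.
    const int MinRsaBits = 2048;

    static readonly byte[] ExpectedCertSha256 = HexToBytes(ExpectedCertSha256Hex);

    // MISTAKE: "clean chain OR pin match". A certificate that someone installed
    // into the trusted roots by hand passes the chain check, so the pin is never
    // consulted. This is the manual-cert-install bypass that pinning is meant to
    // close, and the kind of slip the PhoneReg thread speculates about.
    public static bool WeakValidate(object sender, X509Certificate cert,
                                    X509Chain chain, SslPolicyErrors errors)
    {
        return errors == SslPolicyErrors.None || MatchesPin(cert);
    }

    // HARDENED: chain, host name and validity dates must all be fine, the key
    // must meet the size floor, AND the leaf must be the pinned certificate.
    // Rotating the server certificate means shipping a new pin; plan for it.
    public static bool StrictValidate(object sender, X509Certificate cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null || errors != SslPolicyErrors.None) return false;
        if (!KeyIsStrongEnough(cert)) return false;
        return MatchesPin(cert);
    }

    // Rejects the weak keys this thread is about (e.g. a 512-bit self-signed cert).
    // Only RSA is admitted here; anything else fails closed.
    public static bool KeyIsStrongEnough(X509Certificate cert)
    {
        var leaf = new X509Certificate2(cert);
        if (leaf.PublicKey.Oid.Value != RsaOid) return false;
        return leaf.PublicKey.Key.KeySize >= MinRsaBits;
    }

    public static bool MatchesPin(X509Certificate cert)
    {
        if (cert == null) return false;
        byte[] actual;
        using (var sha = SHA256.Create())
            actual = sha.ComputeHash(cert.GetRawCertData()); // DER of the leaf only
        return FixedTimeEquals(actual, ExpectedCertSha256);
    }

    // Compare without early exit so timing does not reveal how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static byte[] HexToBytes(string hex)
    {
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return bytes;
    }

    static void Main()
    {
        // Process-wide hook used by HttpWebRequest and WebClient on .NET 4.5.
        ServicePointManager.ServerCertificateValidationCallback = StrictValidate;
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        try
        {
            var req = (HttpWebRequest)WebRequest.Create("https://" + ServiceHost + "/");
            using (req.GetResponse())
                Console.WriteLine("Pinned certificate accepted.");
        }
        catch (WebException ex)
        {
            // A pin or key-size rejection surfaces here as TrustFailure, which is
            // the desired outcome when the server is not the one we expect.
            Console.WriteLine("Connection rejected: " + ex.Status);
        }
    }
}
```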
klamation said:
I know this isn't the response you are looking for, but recommend to your company to update their SSL certificate to 1024 or 2048 bits. The reason your phone won't support the 512 bit certificate is simply because it is not secure, which Microsoft finally stopped allowing last year..
Since your company is using a self-signed certificate, it should only take them a few minutes to create and install a new one that modern operating systems would support.
My IT department was surprisingly open to this, once they realized all the Windows PCs couldn't log into the web interface anymore. It might take a couple of weeks/months of planning to put it into their maintenance cycle, though. Oh the joys of working for a large corporation!
Something else I discovered earlier:
In order to write Windows Phone apps, you need the Windows Phone 8 SDK. To install the Windows Phone 8 SDK, you need Windows 8. When I have time to set up another dev box with Windows 8 on it, I might revisit this.
Any thoughts on how the OEM apps always seem to get "enhanced" access? (The HTC Carrier Settings tool, for example). I haven't used Windows Phone since 6.0. Back then, we could do ANYTHING! lol
I didn't even notice the Win8 requirement for the SDK, since I was anxious to upgrade to Win8 once it came out. Hmm. But, I think you could use the older 7.x SDK on older versions of Windows, if you want to get used to dev for Windows Phone (as WP7 Apps should still work on WP8).
About why the OEM can do special things to the device, I think it's a simple matter of, they have the OS code, so they can modify it or access things we can't.
OEM Apps are given additional permissions. They request these using some entries in the App-manifest but even if we were able to set these the system would reject their deployment unless they had a proper certificate. It has been that way on WP7 as well.
As for developing on Win7 and deploying to a WP8 device: it won't work. You can run WP7 Apps on WP8 devices but the deployment tools of the WP7 SDK can't handle WP8 devices. So to deploy anything onto a WP8 device you need the WP8 SDK which in turn requires Windows 8 Pro.
I posted this question several months ago in the 8X forum and have decided to put this out for discussion again.
ZaneKaminski said:
So, recently, an exploit has been developed for Windows RT devices that allows modifying the minimum signing level constant for the extent of the time that Windows is running. The exploit works on Windows RT devices to allow them to run unsigned native code, but interestingly enough, can also be used on regular x86 devices to change that same value. Since WP8 devices are built on the same NT kernel, it is likely that they enforce signature verification in much the same way, and we may be able to exploit this vulnerability on our devices.
For this to work, there are at least these prerequisites...
The WP8 remote debugger needs to let us mess with the CSRSS process.
There needs to actually be a CSRSS process, or something else we can exploit that makes a call to NtUserSetInformationThread.
If this exploit works on WP8, an easy way (as in, on the start screen or something) to load unsigned/native applications on the device and execute them would be nice.
I don't know much about any of those things. Would someone more knowledgeable care to shed some light on the subject?
Remote debugger is disabled in retail devices. So, the first exploit should edit BCD and registry entries.
This is Cotulla's reply:
There are two checkers.
User mode and kernel mode.
Kernel mode - driver SecMgr.sys, and user mode - CI.dll.
I patched both of them already to disable signature checking on custom files.
I am talking about EXE/DLL/SYS.
Not sure who is checking XAP files in WP7.
I think these are important: winload.exe, bootmgr, ci.dll, SecRuntime.dll.
The Windows RT jailbreak won't work as-is on WP8, since WP8 uses a different version of win32k and csrss. It's possible the exploit is still there but it's not too likely we'll get the tools that leaked from MS like they did on RT to actually do it.