Secure Boot key leaked?
https://rol.im/securegoldenkeyboot/
http://arstechnica.com/security/2016/08 ... olden-key/
I'm not 100% sure what this means but if I am correct it would mean other OSes on RT-based devices?
Any users with a KryoFlux in the UK: if you could dump some floppies if I send them to you, that'd be awesome. PM me.
Re: Secure Boot key leaked?
Yes.
meagain wrote:
https://rol.im/securegoldenkeyboot/
http://arstechnica.com/security/2016/08 ... olden-key/
I'm not 100% sure what this means but if I am correct it would mean other OSes on RT-based devices?
Re: Secure Boot key leaked?
I think there's supposed to be something that allows you to bypass the Secure Boot restrictions using a test binary. But I can see neither a key nor the binary anywhere, kind of confused about it.
Here are some twitter links:
https://twitter.com/Mythic_Beasts/statu ... 8935133186
https://twitter.com/neobiscuit/status/7 ... 6726564864
https://twitter.com/neobiscuit/status/7 ... 3638937604
Longhorn Packet 1.21 - Solves most of the problems with Longhorn Setup
[GUIDE] How to dump clean/untouched images from CD discs
Longhorn Music Album (FLAC) | 523.31 MB | 17 tracks | Donators Discussion Forum
-
The Distractor
Re: Secure Boot key leaked?
yes, hi.
If you can't find the binary, you're obviously not looking hard enough and this is not for you.
Re: Secure Boot key leaked?
Hi.
The Distractor wrote:
yes, hi.
If you can't find the binary, you're obviously not looking hard enough and this is not for you.
I guess it really isn't, because I don't own a Windows RT tablet in the first place.
But if it works, that's cool.
-
The Distractor
Re: Secure Boot key leaked?
Oh, it works. If any testsigned ARM builds leaked, then people would be able to run them on their RT tablets now (no need to get specific dev boards anymore!)
Pwned wrote:
Hi.
The Distractor wrote:
yes, hi.
If you can't find the binary, you're obviously not looking hard enough and this is not for you.
I guess it really isn't, because I don't own a Windows RT tablet in the first place.
But if it works, that's cool.
Re: Secure Boot key leaked?
That's nice. I wonder if potentially some of the early ARM builds can work too, or just the ones that can be booted via this testing binary. But of course it's useful nonetheless.
The Distractor wrote:
Oh, it works. If any testsigned ARM builds leaked, then people would be able to run them on their RT tablets now (no need to get specific dev boards anymore!)
Re: Secure Boot key leaked?
What do you mean by early? 7600?
Pwned wrote:
That's nice. I wonder if potentially some of the early ARM builds can work too, or just the ones that can be booted via this testing binary. But of course it's useful nonetheless.
The Distractor wrote:
Oh, it works. If any testsigned ARM builds leaked, then people would be able to run them on their RT tablets now (no need to get specific dev boards anymore!)
Re: Secure Boot key leaked?
To be honest "Secure Boot" shouldn't have existed in the first place.
Half-Life is a pretty good game.
Re: Secure Boot key leaked?
The idea was good at first, but MS abused it a bit...
MrFreeman wrote:
To be honest "Secure Boot" shouldn't have existed in the first place.
- valvedubstep
- Donator
- Posts: 110
- Joined: Sat Jan 25, 2014 1:30 am
- Location: Way out West
Re: Secure Boot key leaked?
FYI, you need to go to the leaker's IRC to get a download link. I've gone down the rabbit hole.
https:(SLANT)(SLANT)rol(DOT)im(SLANT)SecureBoot(DOT)zip
Obfuscation to eliminate bot link following.
5000!
-
hounsell
Re: Secure Boot key leaked?
You do realise the Rye/slipstream part of the leaker is the BA moderator who goes by "The Distractor", right?
valvedubstep wrote:
FYI, you need to go to the leaker's IRC to get a download link.
my123 is also in this thread.
- valvedubstep
- Donator
- Posts: 110
- Joined: Sat Jan 25, 2014 1:30 am
- Location: Way out West
Re: Secure Boot key leaked?
Actually no. I've been too busy to dig too deep into it. It exists, it unlocks the surface RT. I've booted a modified Linux ROM on it. That's as far as I've gone. Otherwise I've focused on Pentesting IoT since I left DEFCON 24.
hounsell wrote:
You do realise the Rye/slipstream part of the leaker is the BA moderator who goes by "The Distractor", right?
valvedubstep wrote:
FYI, you need to go to the leaker's IRC to get a download link.
my123 is also in this thread.
Last edited by valvedubstep on Fri Aug 12, 2016 5:13 pm, edited 1 time in total.
- Goldfish64
- Donator
- Posts: 491
- Joined: Mon Feb 02, 2015 6:20 pm
- Location: USA
Re: Secure Boot key leaked?
So I went ahead and applied the policy after removing the two updates that patch it. So I get this as expected:
Does anyone know if this overrides the earlier "jailbreak" used to run self-signed desktop apps on RT? I would assume it does.
EDIT: It does not allow unsigned desktop applications to run at the moment.
Goldfish64
Re: Secure Boot key leaked?
The two updates do nothing, you can type bcdedit /set {default} testsigning on directly now
Goldfish64 wrote:
So I went ahead and applied the policy after removing the two updates that patch it. So I get this as expected:
Does anyone know if this overrides the earlier "jailbreak" used to run self-signed desktop apps on RT? I would assume it does.
EDIT: It does not allow unsigned desktop applications to run at the moment.
(and also bcdedit /set {bootmgr} testsigning on)
- Goldfish64
- Donator
- Posts: 491
- Joined: Mon Feb 02, 2015 6:20 pm
- Location: USA
Re: Secure Boot key leaked?
Well before I had like 15 updates hidden because they disabled the earlier test signing jailbreak, but this one looks like it sticks (stays in test signing mode).
my123 wrote:
The two updates do nothing, you can type bcdedit /set {default} testsigning on directly now
Goldfish64 wrote:
So I went ahead and applied the policy after removing the two updates that patch it. So I get this as expected:
~snip~
Does anyone know if this overrides the earlier "jailbreak" used to run self-signed desktop apps on RT? I would assume it does.
EDIT: It does not allow unsigned desktop applications to run at the moment.
(and also bcdedit /set {bootmgr} testsigning on)
Goldfish64
Re: Secure Boot key leaked?
Yeah that, or maybe 8xxx or 9xxx.
my123 wrote:
What do you mean by early? 7600?
Pwned wrote:
That's nice. I wonder if potentially some of the early ARM builds can work too, or just the ones that can be booted via this testing binary. But of course it's useful nonetheless.
The Distractor wrote:
Oh, it works. If any testsigned ARM builds leaked, then people would be able to run them on their RT tablets now (no need to get specific dev boards anymore!)
Ah I see. I couldn't access the channel because I'm banned on that IRC.
valvedubstep wrote:
FYI, you need to go to the leaker's IRC to get a download link. I've gone down the rabbit hole.
https:(SLANT)(SLANT)rol(DOT)im(SLANT)SecureBoot(DOT)zip
Obfuscation to eliminate bot link following.
Re: Secure Boot key leaked?
For 8xxx, yes you can.
Pwned wrote:
Yeah that, or maybe 8xxx or 9xxx.
my123 wrote:
What do you mean by early? 7600?
Pwned wrote:
That's nice. I wonder if potentially some of the early ARM builds can work too, or just the ones that can be booted via this testing binary. But of course it's useful nonetheless.
The Distractor wrote:
Oh, it works. If any testsigned ARM builds leaked, then people would be able to run them on their RT tablets now (no need to get specific dev boards anymore!)
Ah I see. I couldn't access the channel because I'm banned on that IRC.
valvedubstep wrote:
FYI, you need to go to the leaker's IRC to get a download link. I've gone down the rabbit hole.
https:(SLANT)(SLANT)rol(DOT)im(SLANT)SecureBoot(DOT)zip
Obfuscation to eliminate bot link following.
7600 was ARMv6 only, didn't have v7 support.
-
The Distractor
Re: Secure Boot key leaked?
Have you? So you managed to code your own "Windows Boot Application" shimloader that loads a real EFI application, did you? Before others working on the same thing, which includes myself?
valvedubstep wrote:
I've booted a modified Linux ROM on it.
- valvedubstep
- Donator
- Posts: 110
- Joined: Sat Jan 25, 2014 1:30 am
- Location: Way out West
Re: Secure Boot key leaked?
I used the bootmanager to chainload the grub core. Currently ROFS exists on a disk image residing in the windows filesystem. I don't have working wireless as of yet. And I probably never will... Shorted USB cords are not a good thing. They will fry your surface. Either way, chainloading:
The Distractor wrote:
Have you? So you managed to code your own "Windows Boot Application" shimloader that loads a real EFI application, did you? Before others working on the same thing, which includes myself?
valvedubstep wrote:
I've booted a modified Linux ROM on it.
https://wiki.linaro.org/LEG/Engineering ... GRUBonUEFI
https://osdir.com/ml/help-grub-gnu/2013 ... 00004.html
I'm sure you could shim for GRUB2, however I never got that far. rootFS was from some tegra dev board. Kernel was compiled by me.
-
The Distractor
Re: Secure Boot key leaked?
Using bootsector-type stuff in EFI-land? Really?!
valvedubstep wrote:
I used the bootmanager to chainload the grub core. Currently ROFS exists on a disk image residing in the windows filesystem. I don't have working wireless as of yet. And I probably never will... Shorted USB cords are not a good thing. They will fry your surface. Either way, chainloading:
The Distractor wrote:
Have you? So you managed to code your own "Windows Boot Application" shimloader that loads a real EFI application, did you? Before others working on the same thing, which includes myself?
valvedubstep wrote:
I've booted a modified Linux ROM on it.
https://wiki.linaro.org/LEG/Engineering ... GRUBonUEFI
https://osdir.com/ml/help-grub-gnu/2013 ... 00004.html
I'm sure you could shim for GRUB2, however I never got that far. rootFS was from some tegra dev board. Kernel was compiled by me.
I'd like a picture. Or a binary and bcd settings.
- valvedubstep
- Donator
- Posts: 110
- Joined: Sat Jan 25, 2014 1:30 am
- Location: Way out West
Re: Secure Boot key leaked?
Once I pull the data off I'll post a binary dump. I know you can chainloader EFI programs through GRUB2, I don't know about bootmgr. If you can, you could chainloader grub.efi. The "boot sector" type stuff is having bootmgr chainloader GRUB2's core.efi. To sum it up, using a Windows UEFI loader to chainload, in a BOOTSECTOR style, the UEFI GRUB2 core directly. It's hacky as hell, but, eh.
-
The Distractor
Re: Secure Boot key leaked?
afaik, on EFI, the ONLY thing bootmgr can chainload are PE executables of subsystem 0x10 "Windows Boot Application", whose main() gets passed one big data structure containing various things including ImageHandle and SystemTable.
valvedubstep wrote:
Once I pull the data off I'll post a binary dump. I know you can chainloader EFI programs through GRUB2, I don't know about bootmgr. If you can, you could chainloader grub.efi. The "boot sector" type stuff is having bootmgr chainloader GRUB2's core.efi. To sum it up, using a Windows UEFI loader to chainload in a BOOTSECTOR style, the UEFI GRUB2 core directly.
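An added example, not part of the original posts: the subsystem value mentioned above lives in the PE optional header, so a binary can be checked for subsystem 0x10 (Windows Boot Application) versus 0x0A (EFI application) before arguing about what a loader will accept. The images below are constructed header-only samples, and `make_sample`, `pe_subsystem` and `classify` are hypothetical names.

```python
import struct

# Subsystem values from the PE/COFF specification.
SUBSYSTEMS = {
    10: "EFI_APPLICATION",
    11: "EFI_BOOT_SERVICE_DRIVER",
    12: "EFI_RUNTIME_DRIVER",
    16: "WINDOWS_BOOT_APPLICATION",   # the 0x10 named in the post above
}

def pe_subsystem(image: bytes) -> int:
    """Return the Subsystem field from a PE image's optional header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # SizeOfOptionalHeader sits 16 bytes into the 20-byte COFF header.
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    if opt_size < 70 or opt + 70 > len(image):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):           # PE32 or PE32+
        raise ValueError("unknown optional header magic")
    # Subsystem is at offset 68 in both PE32 and PE32+ layouts.
    (subsystem,) = struct.unpack_from("<H", image, opt + 68)
    return subsystem

def classify(image: bytes) -> str:
    """Human-readable subsystem name, or the raw value if not boot-related."""
    value = pe_subsystem(image)
    return SUBSYSTEMS.get(value, f"OTHER_0x{value:02X}")

def make_sample(subsystem: int, machine: int = 0x01C4) -> bytes:
    """Constructed header-only PE32 image (0x01C4 = ARM Thumb-2); not a real binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for value in (0x10, 0x0A, 0x03):
        print(hex(value), classify(make_sample(value)))
```
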
- valvedubstep
- Donator
- Posts: 110
- Joined: Sat Jan 25, 2014 1:30 am
- Location: Way out West
Re: Secure Boot key leaked?
Which is why I had to chainload the GRUB2 core as a (BIOS) BOOTSECTOR application.
The Distractor wrote:
the ONLY thing bootmgr can chainload are PE executables of subsystem 0x10 "Windows Boot Application", whose main() gets passed one big data structure containing various things including ImageHandle and SystemTable.
valvedubstep wrote:
Once I pull the data off I'll post a binary dump. I know you can chainloader EFI programs through GRUB2, I don't know about bootmgr. If you can, you could chainloader grub.efi. The "boot sector" type stuff is having bootmgr chainloader GRUB2's core.efi. To sum it up, using a Windows UEFI loader to chainload in a BOOTSECTOR style, the UEFI GRUB2 core directly.
http://www.icpug.org.uk/national/linnwin/step2-7.htm
To be quite honest, I don't really understand what's going on on the BOOTMGR side of things. I just know you can boot a DOS boot sector with BOOTMGR, so you should be able to load a core image. Lo and behold!
- Windows OS
- Posts: 455
- Joined: Tue Jul 08, 2014 9:43 pm
- Location: DLL Hell, United States
- Contact:
Re: Secure Boot key leaked?
Just to confirm: this key CAN be used to kill Secure Boot on a RT device? If so, then this is going to be interesting, to say the least.