Secure Boot key leaked?

Discuss Windows Vista/Server 2008 to Windows 10.
meagain
Donator
Posts: 229
Joined: Mon Dec 07, 2015 6:04 pm

Secure Boot key leaked?

Post by meagain »

https://rol.im/securegoldenkeyboot/

http://arstechnica.com/security/2016/08 ... olden-key/

I'm not 100% sure what this means but if I am correct it would mean other OSes on RT-based devices?
Any users with a KryoFlux in the UK: if you could dump some floppies if I send them to you, that'd be awesome. PM me.

my123
Posts: 8
Joined: Fri Aug 12, 2016 10:23 am

Re: Secure Boot key leaked?

Post by my123 »

meagain wrote:https://rol.im/securegoldenkeyboot/

http://arstechnica.com/security/2016/08 ... olden-key/

I'm not 100% sure what this means but if I am correct it would mean other OSes on RT-based devices?
Yes.

Pwned
Donator
Posts: 4268
Joined: Sat Aug 22, 2009 4:28 pm

Re: Secure Boot key leaked?

Post by Pwned »

I think there's supposed to be something that allows you to bypass the Secure Boot restrictions using a test binary. But I can see neither a key nor the binary anywhere, so I'm kind of confused about it.

Here are some twitter links:
https://twitter.com/Mythic_Beasts/statu ... 8935133186
https://twitter.com/neobiscuit/status/7 ... 6726564864
https://twitter.com/neobiscuit/status/7 ... 3638937604

The Distractor

Re: Secure Boot key leaked?

Post by The Distractor »

yes, hi.

If you can't find the binary, you're obviously not looking hard enough and this is not for you. :)

Pwned
Donator
Posts: 4268
Joined: Sat Aug 22, 2009 4:28 pm

Re: Secure Boot key leaked?

Post by Pwned »

The Distractor wrote:yes, hi.

If you can't find the binary, you're obviously not looking hard enough and this is not for you. :)
Hi. ;)

I guess it really isn't, because I don't own a Windows RT tablet in the first place. 8-) :?
But if it works, that's cool.

The Distractor

Re: Secure Boot key leaked?

Post by The Distractor »

Pwned wrote:
The Distractor wrote:yes, hi.

If you can't find the binary, you're obviously not looking hard enough and this is not for you. :)
Hi. ;)

I guess it really isn't, because I don't own a Windows RT tablet in the first place. 8-) :?
But if it works, that's cool.
Oh, it works. If any testsigned ARM builds leaked, then people would be able to run them on their RT tablets now (no need to get specific dev boards anymore!)

Pwned
Donator
Posts: 4268
Joined: Sat Aug 22, 2009 4:28 pm

Re: Secure Boot key leaked?

Post by Pwned »

The Distractor wrote:Oh, it works. If any testsigned ARM builds leaked, then people would be able to run them on their RT tablets now (no need to get specific dev boards anymore!)
That's nice. I wonder if potentially some of the early ARM builds can work too, or just the ones that can be booted via this testing binary. But of course it's useful nonetheless.

my123
Posts: 8
Joined: Fri Aug 12, 2016 10:23 am

Re: Secure Boot key leaked?

Post by my123 »

Pwned wrote:
The Distractor wrote:Oh, it works. If any testsigned ARM builds leaked, then people would be able to run them on their RT tablets now (no need to get specific dev boards anymore!)
That's nice. I wonder if potentially some of the early ARM builds can work too, or just the ones that can be booted via this testing binary. But of course it's useful nonetheless.
What do you mean by early? 7600?

MrFreeman
Posts: 341
Joined: Fri May 09, 2014 12:22 am
Location: USA

Re: Secure Boot key leaked?

Post by MrFreeman »

To be honest "Secure Boot" shouldn't have existed in the first place.

my123
Posts: 8
Joined: Fri Aug 12, 2016 10:23 am

Re: Secure Boot key leaked?

Post by my123 »

MrFreeman wrote:To be honest "Secure Boot" shouldn't have existed in the first place.
The idea was good at first, but MS abused it a bit...

valvedubstep
Donator
Posts: 110
Joined: Sat Jan 25, 2014 1:30 am
Location: Way out West

Re: Secure Boot key leaked?

Post by valvedubstep »

FYI, you need to go to the leakers' IRC to get a download link. I've gone down the rabbit hole.
https:(SLANT)(SLANT)rol(DOT)im(SLANT)SecureBoot(DOT)zip
Obfuscation to eliminate bot link following.

hounsell

Re: Secure Boot key leaked?

Post by hounsell »

valvedubstep wrote:FYI, you need to go to the leakers' IRC to get a download link.
You do realise the Rye/slipstream part of the leaker is the BA moderator who goes by "The Distractor", right?
my123 is also in this thread.

valvedubstep
Donator
Posts: 110
Joined: Sat Jan 25, 2014 1:30 am
Location: Way out West

Re: Secure Boot key leaked?

Post by valvedubstep »

hounsell wrote:
valvedubstep wrote:FYI, you need to go to the leakers' IRC to get a download link.
You do realise the Rye/slipstream part of the leaker is the BA moderator who goes by "The Distractor", right?
my123 is also in this thread.
Actually no. I've been too busy to dig too deep into it. It exists, it unlocks the Surface RT. I've booted a modified Linux ROM on it. That's as far as I've gone. Otherwise I've focused on pentesting IoT since I left DEFCON 24.
Last edited by valvedubstep on Fri Aug 12, 2016 5:13 pm, edited 1 time in total.

Goldfish64
Donator
Posts: 491
Joined: Mon Feb 02, 2015 6:20 pm
Location: USA

Re: Secure Boot key leaked?

Post by Goldfish64 »

So I went ahead and applied the policy after removing the two updates that patch it. So I get this as expected:
Image

Does anyone know if this overrides the earlier "jailbreak" used to run self-signed desktop apps on RT? I would assume it does.

EDIT: It does not allow unsigned desktop applications to run at the moment.

my123
Posts: 8
Joined: Fri Aug 12, 2016 10:23 am

Re: Secure Boot key leaked?

Post by my123 »

Goldfish64 wrote:So I went ahead and applied the policy after removing the two updates that patch it. So I get this as expected:
Image

Does anyone know if this overrides the earlier "jailbreak" used to run self-signed desktop apps on RT? I would assume it does.

EDIT: It does not allow unsigned desktop applications to run at the moment.
The two updates do nothing, you can type bcdedit /set {default} testsigning on directly now :)
(and also bcdedit /set {bootmgr} testsigning on)
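From a defender's side, the flags my123 mentions are exactly what an inventory script should look for: an entry with testsigning (or nointegritychecks) set to Yes means code-integrity enforcement has been relaxed for that boot entry. The following is an added example, not code from the thread; it parses the text format of `bcdedit /enum` over a constructed sample and reports which entries have such flags set.

```python
import re

# Constructed sample of `bcdedit /enum` output (not captured from a real device)
SAMPLE_BCD = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
path                    \\EFI\\Microsoft\\Boot\\bootmgfw.efi
description             Windows Boot Manager
testsigning             Yes

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.efi
description             Windows RT
testsigning             Yes
nointegritychecks       No
"""

# BCD options that relax kernel-mode code integrity when set to Yes
WEAKENING_FLAGS = ("testsigning", "nointegritychecks")

def parse_bcd_enum(text):
    """Split bcdedit /enum output into one dict per entry, keyed by identifier."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        m = re.match(r"^(\S+)\s+(.*\S)\s*$", line)
        if not m:                     # dashed underline or other non key/value line
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "identifier":
            current = entries.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return entries

def weakened_entries(text):
    """Return {identifier: [flags set to Yes]} for entries that relax code integrity."""
    found = {}
    for ident, opts in parse_bcd_enum(text).items():
        flags = [f for f in WEAKENING_FLAGS if opts.get(f, "").lower() == "yes"]
        if flags:
            found[ident] = flags
    return found
```

Feed it the real output of `bcdedit /enum` from an elevated prompt to audit a machine; an empty result means neither flag is set on any entry.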

Goldfish64
Donator
Posts: 491
Joined: Mon Feb 02, 2015 6:20 pm
Location: USA

Re: Secure Boot key leaked?

Post by Goldfish64 »

my123 wrote:
Goldfish64 wrote:So I went ahead and applied the policy after removing the two updates that patch it. So I get this as expected:
~snip~

Does anyone know if this overrides the earlier "jailbreak" used to run self-signed desktop apps on RT? I would assume it does.

EDIT: It does not allow unsigned desktop applications to run at the moment.
The two updates do nothing, you can type bcdedit /set {default} testsigning on directly now :)
(and also bcdedit /set {bootmgr} testsigning on)
Well before I had like 15 updates hidden because they disabled the earlier test signing jailbreak, but this one looks like it sticks (stays in test signing mode).

Pwned
Donator
Posts: 4268
Joined: Sat Aug 22, 2009 4:28 pm

Re: Secure Boot key leaked?

Post by Pwned »

my123 wrote:
Pwned wrote:
The Distractor wrote:Oh, it works. If any testsigned ARM builds leaked, then people would be able to run them on their RT tablets now (no need to get specific dev boards anymore!)
That's nice. I wonder if potentially some of the early ARM builds can work too, or just the ones that can be booted via this testing binary. But of course it's useful nonetheless.
What do you mean by early? 7600?
Yeah that, or maybe 8xxx or 9xxx.
valvedubstep wrote:FYI, you need to go to the leakers' IRC to get a download link. I've gone down the rabbit hole.
https:(SLANT)(SLANT)rol(DOT)im(SLANT)SecureBoot(DOT)zip
Obfuscation to eliminate bot link following.
Ah I see. I couldn't access the channel because I'm banned on that IRC.

my123
Posts: 8
Joined: Fri Aug 12, 2016 10:23 am

Re: Secure Boot key leaked?

Post by my123 »

Pwned wrote:
my123 wrote:
Pwned wrote:
The Distractor wrote:Oh, it works. If any testsigned ARM builds leaked, then people would be able to run them on their RT tablets now (no need to get specific dev boards anymore!)
That's nice. I wonder if potentially some of the early ARM builds can work too, or just the ones that can be booted via this testing binary. But of course it's useful nonetheless.
What do you mean by early? 7600?
Yeah that, or maybe 8xxx or 9xxx.
valvedubstep wrote:FYI, you need to go to the leakers' IRC to get a download link. I've gone down the rabbit hole.
https:(SLANT)(SLANT)rol(DOT)im(SLANT)SecureBoot(DOT)zip
Obfuscation to eliminate bot link following.
Ah I see. I couldn't access the channel because I'm banned on that IRC.
For 8xxx, yes you can.
7600 was ARMv6 only, didn't have v7 support.

The Distractor

Re: Secure Boot key leaked?

Post by The Distractor »

valvedubstep wrote:I've booted a modified Linux ROM on it.
Have you? So you managed to code your own "Windows Boot Application" shimloader that loads a real EFI application, did you? Before others working on the same thing, which includes myself?

valvedubstep
Donator
Posts: 110
Joined: Sat Jan 25, 2014 1:30 am
Location: Way out West

Re: Secure Boot key leaked?

Post by valvedubstep »

The Distractor wrote:
valvedubstep wrote:I've booted a modified Linux ROM on it.
Have you? So you managed to code your own "Windows Boot Application" shimloader that loads a real EFI application, did you? Before others working on the same thing, which includes myself?
I used the boot manager to chainload the GRUB core. Currently the ROFS exists on a disk image residing in the Windows filesystem. I don't have working wireless as of yet. And I probably never will... Shorted USB cords are not a good thing. They will fry your Surface. Either way, chainloading:
https://wiki.linaro.org/LEG/Engineering ... GRUBonUEFI
https://osdir.com/ml/help-grub-gnu/2013 ... 00004.html
I'm sure you could shim for GRUB2, however I never got that far. The rootFS was from some Tegra dev board. The kernel was compiled by me.

The Distractor

Re: Secure Boot key leaked?

Post by The Distractor »

valvedubstep wrote:
The Distractor wrote:
valvedubstep wrote:I've booted a modified Linux ROM on it.
Have you? So you managed to code your own "Windows Boot Application" shimloader that loads a real EFI application, did you? Before others working on the same thing, which includes myself?
I used the boot manager to chainload the GRUB core. Currently the ROFS exists on a disk image residing in the Windows filesystem. I don't have working wireless as of yet. And I probably never will... Shorted USB cords are not a good thing. They will fry your Surface. Either way, chainloading:
https://wiki.linaro.org/LEG/Engineering ... GRUBonUEFI
https://osdir.com/ml/help-grub-gnu/2013 ... 00004.html
I'm sure you could shim for GRUB2, however I never got that far. The rootFS was from some Tegra dev board. The kernel was compiled by me.
Using bootsector-type stuff in EFI-land? Really?!

I'd like a picture. Or a binary and bcd settings.

valvedubstep
Donator
Posts: 110
Joined: Sat Jan 25, 2014 1:30 am
Location: Way out West

Re: Secure Boot key leaked?

Post by valvedubstep »

Once I pull the data off I'll post a binary dump. I know you can chainload EFI programs through GRUB2; I don't know about bootmgr. If you can, you could chainload grub.efi. The "boot sector" type stuff is having bootmgr chainload GRUB2's core.efi. To sum it up: using a Windows UEFI loader to chainload, in a BOOTSECTOR style, the UEFI GRUB2 core directly. It's hacky as hell, but, eh.

The Distractor

Re: Secure Boot key leaked?

Post by The Distractor »

valvedubstep wrote:Once I pull the data off I'll post a binary dump. I know you can chainload EFI programs through GRUB2; I don't know about bootmgr. If you can, you could chainload grub.efi. The "boot sector" type stuff is having bootmgr chainload GRUB2's core.efi. To sum it up: using a Windows UEFI loader to chainload, in a BOOTSECTOR style, the UEFI GRUB2 core directly.
AFAIK, on EFI, the ONLY thing bootmgr can chainload are PE executables of subsystem 0x10 "Windows Boot Application", whose main() gets passed one big data structure containing various things including ImageHandle and SystemTable.
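The subsystem value The Distractor refers to lives in the PE optional header, so it is cheap to check when triaging images found in a boot partition: an image claiming to be a Windows Boot Application (subsystem 0x10) is one bootmgr would consider loading, while a plain EFI application (0x0A) is not. The following is an added example, not code from the thread; it reads the machine and subsystem fields from PE headers and builds a constructed header-only stub image to exercise them.

```python
import struct

# IMAGE_SUBSYSTEM_* values from the PE/COFF specification (subset)
SUBSYSTEMS = {
    0: "UNKNOWN", 1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI",
    10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER",
    12: "EFI_RUNTIME_DRIVER", 13: "EFI_ROM",
    16: "WINDOWS_BOOT_APPLICATION",   # 0x10, the one bootmgr chainloads
}
MACHINE_ARMNT = 0x01C4  # IMAGE_FILE_MACHINE_ARMNT, what Windows RT images use

def pe_subsystem(data):
    """Return (machine, subsystem) read from a PE image's COFF/optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                   # COFF file header is 20 bytes
    if opt_size < 70:
        raise ValueError("optional header too short to hold Subsystem")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # Subsystem is at offset 68 of the optional header in both PE32 and PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return machine, subsystem

def describe(data):
    machine, subsystem = pe_subsystem(data)
    return "machine=0x%04X subsystem=%s" % (machine, SUBSYSTEMS.get(subsystem, hex(subsystem)))

def is_boot_application(data):
    return pe_subsystem(data)[1] == 16

def build_stub_pe(machine, subsystem, magic=0x10B):
    """Constructed header-only PE for the demo; it is not a loadable image."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = bytearray(96 if magic == 0x10B else 112)         # headers without data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

On a real file, `pe_subsystem(open(path, "rb").read())` gives the same pair; the subsystem only says what the image claims to be, so signature verification is still a separate step.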

valvedubstep
Donator
Posts: 110
Joined: Sat Jan 25, 2014 1:30 am
Location: Way out West

Re: Secure Boot key leaked?

Post by valvedubstep »

The Distractor wrote:
valvedubstep wrote:Once I pull the data off I'll post a binary dump. I know you can chainload EFI programs through GRUB2; I don't know about bootmgr. If you can, you could chainload grub.efi. The "boot sector" type stuff is having bootmgr chainload GRUB2's core.efi. To sum it up: using a Windows UEFI loader to chainload, in a BOOTSECTOR style, the UEFI GRUB2 core directly.
the ONLY thing bootmgr can chainload are PE executables of subsystem 0x10 "Windows Boot Application", whose main() gets passed one big data structure containing various things including ImageHandle and SystemTable.
Which is why I had to chainload the GRUB2 core as a (BIOS) BOOTSECTOR application.
http://www.icpug.org.uk/national/linnwin/step2-7.htm
To be quite honest, I don't really understand what's going on on the BOOTMGR side of things. I just know you can boot a DOS boot sector with BOOTMGR, so you should be able to load a core image. Lo and behold!

Windows OS
Posts: 455
Joined: Tue Jul 08, 2014 9:43 pm
Location: DLL Hell, United States

Re: Secure Boot key leaked?

Post by Windows OS »

Just to confirm: this key CAN be used to kill Secure Boot on an RT device? If so, then this is going to be interesting, to say the least.
