timamsk/WPinternals
1
0
Fork 0
mirror of https://github.com/ReneLergner/WPinternals.git synced 2026-06-14 03:16:40 +10:00
Code Issues Packages Projects Releases Wiki Activity
Files
patch_updates
WPinternals/Patcher/AutoPatcher/BootUnllockAndRootAccessPatchScript.pds
T
Gustave Monce e68ef38725 Backup
2024-12-23 15:13:36 +01:00

631 lines
22 KiB
Plaintext
Raw Permalink Blame History

// Copyright (c) 2018, Rene Lergner - @Heathcliff74xda
//
// Patch Definition Script for Boot Unlock and Root Access on Windows Mobile
//
// Permission is hereby granted, free of charge, to any person obtaining a
// copy of this software and associated documentation files (the "Software"),
// to deal in the Software without restriction, including without limitation
// the rights to use, copy, modify, merge, publish, distribute, sublicense,
// and/or sell copies of the Software, and to permit persons to whom the
// Software is furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
// FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
// DEALINGS IN THE SOFTWARE.
PatchDefinition Name="RootAccess-MainOS" VersionFrom="EFIESP\Windows\System32\Boot\mobilestartup.efi"
PatchFile Path="Windows\System32\sspisrv.dll"
JumpToImport "RpcImpersonateClient"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "CheckLowboxAccess" // Optional here
PatchCode
MOVS R1, #1
STR R1, [R0]
MOVS R0, #0
BX LR
EndPatch
PatchChecksum
PatchFile Path="Windows\System32\NtlmShared.dll"
JumpToExport "MsvpPasswordValidate"
PatchCode
MOVS R0, #1
BX LR
EndPatch
PatchChecksum
PatchFile Path="Windows\System32\pacmanserver.dll"
FindFirstUnicode "GetMaxCountForDeployedApp"
JumpToReference
FindPreviousInstruction "PUSH.W"
PatchCode
LDR R1, =0x7FFFFFFF
STR R1, [R0]
MOVS R0, #0
BX LR
EndPatch
PatchChecksum
PatchFile Path="Windows\System32\mscoree.dll"
JumpToImport "GetModuleFileNameW"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "CompareWithWhiteList" // Optional here
PatchCode
MOVS R0, #0
BX LR
EndPatch
PatchChecksum
PatchFile Path="Windows\System32\DeploymentExt.dll"
FindFirstUnicode "MaxUnsignedApp"
JumpToReference
FindValue 0x800413A0
FindPreviousConditionalJump
MakeJumpUnconditional
PatchChecksum
PatchFile Path="Windows\System32\ntoskrnl.exe"
// Phase 1: find all kernel-functions
JumpToExport "SeAccessCheckWithHint"
CreateLabel "SeAccessCheckWithHint"
FindInstructionPattern "MOV R3, R?; MOV R1, R?; BL ?" InstructionIndex = 2
JumpToTarget
CreateLabel "SepMandatoryIntegrityCheck"
JumpToReference R0 = "ADDS R0, R?, #0x118"
FindPreviousInstruction "PUSH"
FindPreviousInstruction "PUSH"
CreateLabel "SeAccessCheckByType"
FindFunctionCall R0 = "ADDS R0, R?, #0x108" R1 = "MOV R1, R?" R2 = "LDR R2, [R?,#0x40]" R3 = "MOV R3, R?"
JumpToTarget
CreateLabel "SepConstrainByMandatory"
JumpBack // to SeAccessCheckByType
JumpBack // to SepMandatoryIntegrityCheck
JumpToReference R1 = "LDR R1, [R?,#8]"
FindPreviousInstruction "PUSH"
CreateLabel "SepCommonAccessCheckEx"
FindFunctionCall Result = "STR R0, [SP,#0x88]"
JumpToTarget
CreateLabel "SepAccessCheckEx"
JumpBack // to SepCommonAccessCheckEx
JumpBack // to SepMandatoryIntegrityCheck
JumpToReference R0 = "ADDS R0, R?, #0x170"
FindPreviousInstruction "PUSH"
FindPreviousInstruction "PUSH"
CreateLabel "SepAccessCheckAndAuditAlarm"
FindFunctionCall R0 = "ADDS R0, R?, #0x160" R1 = "MOV R1, R?"
JumpToTarget
CreateLabel "SepMandatoryToDiscretionary"
JumpBack
JumpBack // to SepMandatoryIntegrityCheck
JumpBack // to SeAccessCheckWithHint
FindFunctionCall R0 = "LDR R0, [SP, #0x84]" R1 = "MOVS R1, #0"
JumpToTarget
CreateLabel "SepAccessCheck"
JumpToExport "SePrivilegeCheck"
FindFunctionCall
JumpToTarget
CreateLabel "SepPrivilegeCheck"
JumpToExport "SeSinglePrivilegeCheck"
CreateLabel "SeSinglePrivilegeCheck"
JumpToExport "ObReferenceObjectByHandleWithTag"
CreateLabel "ObReferenceObjectByHandleWithTag"
// Phase 2: patches
JumpToLabel "SeAccessCheckByType"
// Patch 1:
FindNextValue 0xC0000022
FindPreviousConditionalJump
FindPreviousConditionalJump
FindPreviousConditionalJump
FindPreviousConditionalJump
MakeJumpUnconditional
FindNextValue 0xC0000022
// Patch 2:
FindNextValue 0xC0000022
FindStore
FindPreviousConditionalJump
MakeJumpUnconditional
// Patch 3:
FindNextValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional // This jump is right above the value 0xC0000022. After patch the pointer is back on that value.
// FindNextValue 0xC0000022
// Patch 4:
FindNextValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional // This jump is right above the value 0xC0000022. After patch the pointer is back on that value.
// FindNextValue 0xC0000022
// Patch 5:
FindNextValue 0xC0000022
FindNextInstruction "BNE"
JumpToTarget
CreateLabel "TargetPatch5"
JumpBack
FindPreviousInstruction "BEQ"
PatchCode
B TargetPatch5
EndPatch
// Patch 6:
FindNextValue 0xC0000022
FindNextConditionalJump
MakeJumpUnconditional
JumpToLabel "SepAccessCheckAndAuditAlarm"
// Patch 10:
FindNextValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional
FindNextValue 0xC0000022
// Patch 11:
FindNextValue 0xC0000022
FindStore
CreateLabel "Patch11"
FindNextConditionalJump
JumpToTarget
CreateLabel "TargetPatch11"
JumpToLabel "Patch11"
PatchCode
B TargetPatch11
EndPatch
// Patch 12:
FindNextValue 0xC0000022
PatchCode
MOV.W R2, #0
EndPatch
JumpToLabel "SepCommonAccessCheckEx"
// Patch 13:
FindNextInstruction "TST"
FindNextInstruction "TST"
FindPreviousConditionalJump
ClearInstruction
JumpToLabel "SeAccessCheckWithHint"
// Patch 14:
FindNextInstruction "BEQ"
MakeJumpUnconditional
JumpToLabel "SeSinglePrivilegeCheck"
// Patch 15:
PatchCode
MOVS R0, #1
BX LR
EndPatch
JumpToLabel "ObReferenceObjectByHandleWithTag"
FindFunctionCall
JumpToTarget
CreateLabel "ObpReferenceObjectByHandleWithTag"
FindInstructionPattern "LDR R?, [R?,#0x74]; CMP R?, #0; BNE ?" InstructionIndex = 2
JumpToTarget
// Patch 16:
FindNextConditionalJump
MakeJumpUnconditional // This jump is right above the value 0xC0000022. After patch the pointer is on the error-value.
// Patch 17:
JumpToReference
ClearInstruction
JumpBack
JumpBack
// Patch 18:
FindNextValue 0xC0000022
JumpToReference
ClearInstruction
JumpToLabel "SepPrivilegeCheck"
// Patch 19:
PatchCode
MOVS R0, #1
BX LR
EndPatch
JumpToLabel "SepAccessCheckEx"
// Patch 21:
FindNextValue 0x2000000
CreateLabel "Patch21"
FindNextInstruction "B"
JumpToTarget
CreateLabel "TargetPatch21"
JumpToLabel "Patch21"
PatchCode
B TargetPatch21
EndPatch
FindNextValue 0xC0000022
// Patch 22:
FindNextValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional // This jump is right above the value 0xC0000022. After patch the pointer is back on that value.
// FindNextValue 0xC0000022
// Patch 23:
JumpToReference 0
ClearInstruction
JumpBack
// Patch 24:
JumpToReference 1
ClearInstruction
JumpBack
// Patch 25:
JumpToReference 2
ClearInstruction
JumpBack
// Patch 26:
FindNextValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional
FindNextValue 0xC0000022
// Patch 27:
FindNextValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional
FindNextValue 0xC0000022
// Patch 28:
JumpToReference
ClearInstruction
JumpToLabel "SepAccessCheck"
// Patch 29:
FindFunctionCall R0 = "LDR R0, [SP,#0x28]"
JumpToTarget
CreateLabel "SepNormalAccessCheck"
JumpBack
FindNextInstruction "TST"
FindNextConditionalJump
ClearInstruction
// Patch 30:
FindFunctionCall R0 = "MOV R0, R?" R1 = "MOV R1, R?" R2 = "MOV R2, R?" R3 = "LDR R3, [SP,#0x38]"
JumpToTarget
CreateLabel "SepMaximumAccessCheck"
JumpBack
FindNextConditionalJump
ClearInstruction
// Patch 31:
FindNextConditionalJump
ClearInstruction
// Patch 32:
FindNextValue 0xC0000022
JumpToReference 1
ClearInstruction
JumpBack
// Patch 33:
JumpToReference 2
ClearInstruction
JumpBack
// Patch 34:
FindNextValue 0xC0000022
FindPreviousInstruction "MOVS"
FindPreviousInstruction "MOVS"
JumpToReference
ClearInstruction
JumpBack
FindNextValue 0xC0000022
// Patch 35:
JumpToReference CodePattern = "BEQ"
ClearInstruction
JumpBack
// Patch 36:
JumpToReference CodePattern = "MOVS; B"
FindPreviousInstruction "B"
JumpToTarget
CreateLabel "TargetPatch36"
JumpBack
FindPreviousInstruction "CMP"
PatchCode
B.W TargetPatch36
EndPatch
JumpBack
// Patch 37:
JumpToReference CodePattern = "STR; B"
FindPreviousConditionalJump
MakeJumpUnconditional
// Patch 38:
// Stay in function-chunk. Error-code is between previous two patches.
FindPreviousValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional
JumpToLabel "SepConstrainByMandatory"
// Patch 39:
FindNextInstruction "BNE"
JumpToTarget
FindNextInstruction "CBNZ"
JumpToTarget
CreateLabel "TargetPatch39"
JumpBack
FindPreviousInstruction "BEQ"
PatchCode
B TargetPatch39
EndPatch
JumpBack
// Patch 40:
FindNextInstruction "B"
JumpToTarget
FindNextInstruction "CBNZ"
JumpToTarget
CreateLabel "TargetPatch40"
JumpBack
FindPreviousInstruction "BEQ"
PatchCode
B TargetPatch40
EndPatch
PatchChecksum
PatchDefinition Name="SecureBootHack-MainOS" VersionFrom="EFIESP\Windows\System32\Boot\mobilestartup.efi"
PatchFile Path="Windows\System32\BOOT\winload.efi"
FindFirstAscii "1.3.6.1.4.1.311.61.4.1"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "ImgpValidateImageHash"
PatchCode
MOVS R0, #0
BX LR
EndPatch
PatchChecksum
PatchFile Path="Windows\System32\ci.dll"
JumpToImport "_wcsupr"
JumpToReference
CreateLabel "_wcsuprWrapper"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "CipReportAndReprieveUMCIFailure"
FindInstructionPattern "MOVS R?, #1; LDR R?, [R?]; TST R?, R?" InstructionIndex = 2
FindNextConditionalJump
MakeJumpUnconditional "BNE" // BNE -> B, BEQ -> NOP
PatchChecksum
PatchDefinition Name="SecureBootHack-V1-EFIESP" VersionFrom="EFIESP\Windows\System32\Boot\mobilestartup.efi" RelativePath="EFIESP" RelativeOutputPath="SecureBootHack-V1"
PatchFile Path="Windows\System32\boot\mobilestartup.efi" // Symbols taken from pdb from version 10.0.10586.107
FindFirstAscii "1.3.6.1.4.1.311.61.4.1"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "ImgpValidateImageHash"
PatchCode
MOVS R0, #0
BX LR
EndPatch
FindFirstUnicode "BootDebugPolicyApplied"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "ApplyBootDebugPolicy"
PatchCode // This patch is for the new unlock for Lumia Spec A
MOVS R0, #0
BX LR
EndPatch
PatchChecksum
PatchFile Path="efi\boot\bootarm.efi"
FindFirstAscii "1.3.6.1.4.1.311.61.4.1"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "ImgpValidateImageHash"
PatchCode
MOVS R0, #0
BX LR
EndPatch
PatchChecksum
PatchDefinition Name="SecureBootHack-V2-EFIESP" VersionFrom="EFIESP\Windows\System32\Boot\mobilestartup.efi" RelativePath="EFIESP"
PatchFile Path="Windows\System32\boot\mobilestartup.efi"
FindFirstAscii "MZ"
CreateLabel "ImageBase"
FindFirstAscii "1.3.6.1.4.1.311.61.4.1"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "ImgpValidateImageHash"
PatchCode
MOVS R0, #0
BX LR
EndPatch
FindFirstUnicode "BootDebugPolicyApplied"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "ApplyBootDebugPolicy"
PatchCode
MOVS R0, #0
BX LR
EndPatch
CreateLabel "EnterMassStorageModeShellCode" // Use the left-over space of the ApplyBootDebugPolicy-function to insert shell-code later on
FindFirstUnicode "MassStorageFlag"
CreateLabel "MassStorageName"
PatchUnicode "Heathcliff74MSM"
FindFirstBytes "41 E5 C1 A0 CE 73 7F 46 88 EC D4 4F 92 34 50 4A"
CreateLabel "MassStorageGuid"
JumpToLabel "MassStorageName"
JumpToReference
FindNextInstruction "BL"
JumpToTarget
CreateLabel "EfiGetVariableVolatile"
FindValue 2
FindNextConditionalJump
MakeJumpUnconditional "BEQ"
FindFirstUnicode "\Windows\System32\boot\ui\boot.ums.waiting.bmpx"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "EnterMassStorageMode"
JumpToReference
PatchCode
B.W EnterMassStorageModeShellCode
EndPatch
CreateLabel ReturnFromMassStorageMode
FindFirstValue 0x26000145
IfNotFoundGo PatchForSetErrorDone
FindPreviousInstruction "PUSH.W"
CreateLabel "SetError"
PatchCode
MOVS R0, #1
BX LR
EndPatch
PatchForSetErrorDone:
FindFirstUnicode "DeviceIDVersion"
JumpToReference
FindNextInstruction "BL"
JumpToTarget
CreateLabel "EfiSetVariable"
FindFirstAscii "charge: DisplayPowerState protocol successfully loaded"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "InitGraphicsSubsystem"
FindNextInstruction "BL"
JumpToTarget
CreateLabel "BlpArchQueryCurrentContextType"
JumpBack
FindNextInstruction "BL"
FindNextInstruction "BL"
FindNextInstruction "BL"
JumpToTarget
CreateLabel "BlpArchSwitchContext"
JumpBack
FindNextInstruction "LDR"
JumpToTarget
CreateLabel "EfiBS"
JumpToLabel "EnterMassStorageModeShellCode"
PatchCode
MOV R0, PC
LDR R1, =(ApplyBootDebugPolicy - ImageBase + 8) // Subtract (Offset of shell-code + 4)
SUB R0, R0, R1 // R0 = relocated base of mobilestartup.efi
PUSH {R4-R6}
SUB SP, SP, #4
MOV R4, R0 // R4 = relocated base of mobilestartup.efi
LDR R3, =(MassStorageName - ImageBase) // Offset of NV var name (which is patched to "Heathcliff74MSM")
ADD R0, R4, R3
LDR R3, =(MassStorageGuid - ImageBase) // Offset of NV var Guid
ADD R1, R4, R3
MOVS R2, #3 // Non-volatile, boot-services
MOVS R3, #0 // Data-size
STR R3, [SP] // Pointer to data-buffer = NULL
LDR R6, =(EfiSetVariable - ImageBase + 1) // Offset of SetVariable + 1
ADD R5, R4, R6
BLX R5 // EfiSetVariable -> Delete variable
LDR R1, =(BlpArchQueryCurrentContextType - ImageBase + 1) // Offset to first thread-function + 1
ADD R5, R4, R1
BLX R5
MOV R6, R0
CMP R6, #1
BEQ ContextSwitchDone1
MOVS R0, #1
LDR R1, =(BlpArchSwitchContext - ImageBase + 1) // Offset to second thread-function + 1
ADD R5, R4, R1
BLX R5
ContextSwitchDone1:
LDR R0, =(EfiBS - ImageBase) // Offset of pointer to BootServices function-table
ADD R1, R4, R0 // R1 = pointer to pointer to BootServices function-table
LDR R1, [R1] // R1 = pointer to BootServices function-table
LDR.W R5, [R1,#0xAC] // LocateProtocol
ADR R0, VarServicesGuid // This is relative, no need to relocate
MOVS R1, #0
MOV R2, SP
BLX R5 // LocateProtocol - pVarServices in [SP]
LDR R5, [SP] // R5 = Pointer to VariableServices interface
LDR R5, [R5,#4] // R5 = pointer to FlushVariableNV()
CMP R5, #0
BNE PointerFound
LDR R5, [SP] // R5 = Pointer to VariableServices interface
LDR R5, [R5,#8] // R5 = pointer to FlushVariableNV()
PointerFound:
BLX R5 // FlushVariableNV()
CMP R6, #1
BEQ ContextSwitchDone2
MOV R0, R6
LDR R1, =(BlpArchSwitchContext - ImageBase + 1) // Offset to second thread-function + 1
ADD R5, R4, R1
BLX R5
ContextSwitchDone2:
LDR R6, =(EnterMassStorageMode - ImageBase + 1) // Offset of EnterMassStorageMode + 1
ADD R5, R4, R6
BLX R5 // EnterMassStorageMode
LDR R6, =(ReturnFromMassStorageMode - ImageBase + 1) // Offset of return address + 1
ADD R0, R4, R6
ADD SP, SP, #4
POP {R4-R6}
BX R0
VarServicesGuid:
DCD 0xf9085b9d
DCW 0x9304, 0x40fb
DCB 0x8f, 0xe0, 0x4a, 0xee, 0x3b, 0x1a, 0x78, 0x4b
EndPatch
PatchChecksum
Reference in New Issue View Git Blame Copy Permalink