Hacking Windows RT Journal Part 1: The Jailbreak


A month ago, I wrote about why I’m sticking with the Surface RT over the Surface Pro (see here for previous article). Today I’m going to reiterate that stance and show you why Windows RT is an even more powerful operating system than we give it credit for, and is a solid investment for anyone. After all, at its core, Windows RT is still Windows. It operates and functions exactly like Windows 8 does. Welcome to Part 1 of our hacking journals and tutorial.

It’s nothing new that Windows RT has been ‘jailbroken’; developers over at XDA did this quite a while ago, and it unlocked a whole slew of new possibilities for us (more on that later). Basically, this jailbreak allows us to run apps on our Windows RT devices that are not in the Windows Store and, more importantly, desktop apps. I haven’t released this information because, with any development, it is best to wait until the hack has matured, there are some useful apps to use it for (more on that later), and the development community has grown around it. The best part is that Microsoft, unlike Apple, is not overreacting: it has not moved to block the jailbreak yet, and has even praised it.

So how does jailbreaking benefit me? As mentioned earlier, you can run any app compiled for Windows RT that is not loaded into the Windows Store. This is particularly useful for older x86 apps that you need for day-to-day productivity tasks, and even some games like one of my personal favorites, Command and Conquer (more on that later). This is a truly awesome feature set.

Today we’ll cover how to jailbreak your device. First things first: the tool we’re going to discuss will jailbreak your device and then allow you to run non-Windows Store apps on your Windows RT device. A few caveats. You cannot just run any x86 app on your device; it needs to be compiled to run on ARM first, or run through an emulator (more on that later). Also, every time you reboot or shut down your device, you will need to rerun the jailbreak after boot, unless you tell the tool to run at startup.

  1. First you need to download the tool here.
  2. Extract the .zip file.
  3. Double-click runexploit.bat.
  4. It’ll prompt you to install the jailbreak so that it runs on login, uninstall it so that it doesn’t, or run the jailbreak once.
  5. Follow the remaining prompts and hit the volume down button when it prompts you.
  6. That’s it, you’re now jailbroken.

This is what the tool looks like when you run it

It’s a rather painless experience and once it is done, the possibilities are opened up. Next time we’ll cover apps and what stuff is out there for you to take advantage of after jailbreaking.
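The ARM requirement mentioned above can be checked before a file is ever copied to the tablet. The following Python is an added example, not part of the original post or of the XDA tool: it reads a PE header, reports the CPU the .exe was built for, and notes whether a certificate table is attached. The names `inspect_pe` and `build_sample` are hypothetical, and the sample headers are constructed for the demo.

```python
import struct

# Machine values from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
ARMNT = 0x01C4  # ARM Thumb-2, the machine type of Windows RT desktop binaries

def inspect_pe(data: bytes) -> dict:
    """Report the target CPU of a PE image and whether a certificate table is attached."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature")
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    if opt_size < 2 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = 96 if magic == 0x10B else 112  # data directories start here (PE32 / PE32+)
    has_cert = False
    if opt_size >= dirs + 5 * 8:
        (count,) = struct.unpack_from("<I", data, opt + dirs - 4)
        # Directory index 4 is the Certificate Table (Authenticode blob).
        _, cert_size = struct.unpack_from("<II", data, opt + dirs + 4 * 8)
        has_cert = count > 4 and cert_size > 0
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "arm_rt_build": machine == ARMNT,
        # Presence only: this does not validate the signature or its issuer.
        "has_cert_table": has_cert,
    }

def build_sample(machine: int, cert_size: int = 0) -> bytes:
    """Constructed minimal PE32 header for the demo; not a runnable program."""
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, 0x400 if cert_size else 0, cert_size)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16) + bytes(dirs)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    for label, blob in [("x86 build", build_sample(0x014C)),
                        ("ARM build, unsigned", build_sample(ARMNT)),
                        ("ARM build, cert table", build_sample(ARMNT, 0x1A00))]:
        print(label, inspect_pe(blob))
```

On a real download, pass the file's bytes to `inspect_pe`; an `x86` result means the program has to be recompiled for ARM before it can run on the tablet.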

Here’s a FAQ copied from over at XDA Forums, by netham45 the creator of the tool, on this jailbreak:

Q) What does this do, in layman’s terms?

A) It allows non-Microsoft ARM-compiled .exes to run on the desktop. That is it.

Q) Can I use this to run Photoshop, Steam, AutoCAD, <Insert commercial product here>?

A) While it is -technically- possible for the companies to port their stuff over to Windows RT using the hack it is extremely unlikely. As a rule of thumb, if it’s a commercial piece of software it won’t run on the ARM.

Q) Can I use this to run PuTTY, VNC, X-Chat, <Insert open-source product here>?

A) Yes! Open-source programs are ones that you, having the source code, can recompile to work on the ARM. If it’s not already available (A small but growing number of programs are) it’s easy to get started. There are some useful threads in the Windows 8 Development and Hacking board on XDA-Developers.

Please note that not all programs can reasonably be ported over to ARM, due to either program complexity, overuse of inline assembly, or the current lack of a GNU Compiler

Q) Can I use this to run any random x86 app I find on the internet?

A) No. Apps must be recompiled for ARM. Stop asking why Chrome doesn’t run.

Q) Can I use this to hack my Android tablet?

A) Not really. Most Android hacks require custom kernel-mode drivers (APX, Odin, ADB all require drivers that are unavailable), and this hack only allows us to run unsigned User-mode code.

If you don’t know the difference between User-mode and Kernel-mode, I’m sure Wikipedia has a good article on the subject.

Q) Will Chrome/Firefox be ported over?

A) I don’t see any major technical hurdles for those, but I probably won’t be the one to do it.

Q) Are there any precompiled apps for this available?

A) Check out THIS THREAD for a list of all currently known compiled apps.

Q) I ran the jailbreak, now where can I download pirated apps from?

A) Nowhere. This jailbreak does not allow for pirated apps, and it is a long ways off from actually supporting pirated apps. If you manage to get pirated apps to run on Windows RT you will be doing the entire community a large disservice, along with ruining what credibility this hack may have in Microsoft’s eyes.

Q) I don’t know how to recompile code, can I get someone else to do it?

A) If it’s a simple project you can likely find someone who will be more than happy to recompile it for you. If it’s a large project with numerous dependencies, or a commercial project, I will be willing to take a look at it and quote a price to do it. (On that note, please realize that I am not affiliated with XDA-Developers at all.)

Q) I keep BSoD’ing! What’s up?

A) I haven’t managed to track down the cause of the BSoDs, except that they seem to happen when the exploit is run within the first minute or so of the tablet booting and logging in. If you’re getting BSoDs, boot your tablet to the desktop and wait 2 or 3 minutes before trying the exploit. Also, make sure that you’re up to date with Windows Updates, as of 2/12/2013.

Q) I ran the .bat and it told me it couldn’t find its bin folder. What’s wrong?

A) Extract the ZIP in entirety. Don’t just open the ZIP and double-click on the runExploit.bat.

Q) It’s not working! What do?

A) Post in this thread describing what you’re doing and the issue you’re having, do not PM me, even if you don’t have the number of posts to post in the developer sections. I’ll consider it spam and disregard it. Don’t message me on Twitter either, the only place that I will provide support for this tool is in this thread.

Q) Is this persistent across reboots?

A) No, it resets every time the device reboots.

Q) Is this a tethered exploit?

A) No. Tethering is connecting the device to a computer, or other device to jailbreak it. This is done entirely on the device. It just has to be redone at reboot.

Q) Will this work with all the latest updates, as of 02/12/2013?

A) There was an updated .zip posted for the latest update (Patch Tuesday, February 2013.) It should work.

Q) How do I compile apps for the Surface RT? It says I’m missing a bunch of .libs!

A) Visual Studio 2012 does not come with all the required ARM .libs for compiling most desktop apps. Please see THIS post by _peterdn for a useful utility for generating .libs and .exps from the .dlls on the tablet.

Q) Why would you want desktop apps? They suck for touch.

A) Mainly for the library of easily ported software, along with the things that metro apps just can’t do. I agree, they’re more inconvenient to use with touch, but that’s the tradeoff for having a huge library of software. You also don’t have to use desktop mode, the tablet still is quite good without it (Except the mail client). I also believe that since it’s my device I should be able to do whatever I want with it, regardless of what MS says. Traditionally MS has leaned the same way with Windows, which makes it rather disappointing they chose to lock this platform down.

Q) Will this void my warranty?

A) Since it doesn’t persist across reboots, chances are the support center will never know, though it may be against the terms of your device’s warranty.

Q) Is there any warranty for this program?

A) No express or implied warranty exists.

Q) Your hack caused the paint to chip off my tablet, the felt to peel off my type keyboard, the kickstand to fall off, and my tablet to display nothing but satanic messages while it’s on! I want you to buy me a new one!

A) No it didn’t, and see my warranty policy.

Q) Can Microsoft patch this?

A) Yes and no. They can patch it through Windows Update, but since we have the ability to reinstall from recovery partitions we can revert any Windows Updates they release.

Q) Will this allow people to run viruses on my tablet?

A) Yes and no, if something malicious is compiled and run while jailbroken it could act like a virus, yes. Once you reset, though, it’ll be gone.

Q) I came across a malicious RT application! Who do I tell?

A) If it’s a jailbroken application then the most you can do is make a post informing about it. That’s one downside to having unsigned code, there’s no one regulating body who can decide what is and isn’t available, and manage safety. If it’s a store application then I suggest you contact Microsoft. If it’s a Modern UI app that requires the jailbreak to run you still may have luck contacting Microsoft, as they can blacklist the developer’s certificate.

Q) Can any random Store app do this?

A) No, this requires tools and privileges that Windows Store apps can’t possess. The appcontainer model that MS uses is very strict and good at preventing things like this from happening. There’s a number of things that flat-out aren’t possible to do from a Store app that this uses, not to mention that it would get rejected by MS.

Q) Will I (The user) get my developer license banned?

A) It’s possible, though I doubt that MS will do that.

Update: With the new payload (as of 1/18/2013) users no longer need to get their own developer certificate.


Hit up the source link if you would like to read the original thread over at XDA for the tool. And next time we’re going to talk about the apps.


[XDA Forums]

  • If the desktop apps need to be recompiled to run on the RT Arm processor, why don’t the developers just recompile and post directly into the Store themselves? Recompiling sounds easy, (but I have zero clue.)

  • Two reasons. First, the user interface must follow the new guidelines. Second, the apps are written as desktop apps, which are not only forbidden in the Windows store, but are also written differently than WinRT apps. Of course, I’m not a developer either, so someone feel free to correct me. However, that’s my understanding.

  • lawrence mcatee

    oh god… Total annihilation on my vivotab… Shirley not.

  • Billscarnage

    Sweet, I’ve been waiting for this