Windows
Open RT GitBook HomeOpen RT Community Discord
Search
⌃K
Links

Yahallo

Tegra 3 and Tegra 4 TrustZone UEFI variable services handler exploit and Secure Boot unlock tool
The Yahallo jailbreak is also included in the Surface RT & 2 Jailbreak USB

Requirements

  • A Surface RT with UEFI v3.31.500 or a Surface 2 with UEFI v4.22.500.
  • Golden Keys / Longhorn jailbreak applied to the target device.
  • 1GB+ USB Drive.

Download

Download the Yahallo jailbreak files from the link below.
Yahallo.zip
547KB
Binary
Yahallo USB Files

Extract

This will permanently delete any data stored on the USB drive.
  1. 1.
    Format a USB drive as FAT32.
  2. 2.
    Right click on the downloaded file and select "Extract All..."
  3. 3.
    Select a destination for the extracted files.
  4. 4.
    Click "Extract".
Selecting and formatting USB drive
Extracting Zip file to USB drive
Expected contents of USB drive after extraction

Apply Yahallo Jailbreak

The use of this Jailbreak is entirely at your own risk.
  1. 1.
    With the target device powered off, insert Jailbreak USB into the devices USB port.
  2. 2.
    Hold the Volume Down button and press the Power button.
  3. 3.
    Once the Surface logo appears release the Volume Down button.
  4. 4.
    Wait for confirmation and reboot device when prompted.
  5. 5.
    Assuming no errors have occurred Secure Boot is now disabled on your device, this can be verified by running msinfo32.exe once booted into Windows and looking at the "Secure Boot State" field.
msinfo32.exe showing Secure Boot is disabled

Troubleshooting

Digital Signature Error

If Status Code 0xc0000428 is displayed (Windows cannot verify the digital signature for this file.) then apply the Golden Keys / Longhorn jailbreak and try again.

Unsupported UEFI

Attempting to run Yahallo on a device with an unsupported UEFI will result in an error message when booting Yahallo, make sure the UEFI is up to date and try again.
To verify the currently installed UEFI version run msinfo32.exe and look at the "BIOS Version/Date" field.
msinfo32.exe showing BIOS Version/Date on Surface 2

USB Boot Failed

If the USB drive does not boot on the target device try the following steps:
  1. 1.
    Follow the instructions one the Format USB Drive page.
  2. 2.
    Extract again starting at Step 2.

Release Notes

Yahallo: Tegra 3 and Tegra 4 TrustZone UEFI variable services handler exploit and Secure Boot unlock tool

This tool exploits NVIDIA Tegra 3/Tegra 4 UEFI variable services and implements TrustZone takeover. In this way, users can permanently turn off Secure Boot on Tegra-based Windows RT devices without external devices' assistance (e.g. RCM Mode.)
This documentation is intentionally drafted in a professional way to discourage average device owners from messing up the system firmware.
Disclaimer: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. By using this tool, you acknowledge that you are intentionally turning off the device's security features. The author is not liable for any consequence, for instance, confidential data loss due to fTPM lockout, or warranty void.

Issue Disclosure

  • 2020/08: Discovery, initial prototype
  • 2020/09/22: Reported to MSRC (MSRC 61209)
  • 2020/10/07: MSRC confirmed wontfix since Surface RT and Surface 2 hardware are EOL
Unfortunately, you are correct - support for these versions of the Surface has ended, and no additional security updates will be offered. We appreciate the opportunity to review your research... - MSRC
  • 2020/10/19: Reported to NVIDIA PSIRT (3156921)
  • 2020/10/23: NVIDIA confirmed new Tegra SoC UEFI implementations don't reuse the old TZ code, old SoC are EOL and they think MS16-100 and MS16-140 fully addressed the prerequisite (but you can always install a BMR image and reset it...), wontfix
The development team has evaluated this report. The UEFI variable store for current versions of Tegra has changed - the UEFI variable store for Orin/Hopper is not what was used in TZ in previous targets and they do not believe it is affected by this issue.
Also, MS16-100 and MS16-140 appear to be both changes in MS code not system firmware, biggest potential piece would be for the bad images to be rejected from the UEFI secure boot. Likely, MS updated the main dbx file hosted here: https://uefi.org/revocationlistfile as that is the normal way for security issues to be handled in UEFI. - NVIDIA PSIRT

Usage

  • Install Secure Boot Golden Key Exploit first. If the device installed WU updates after Nov 2016, install the BMR to reset Secure Boot Key Storage.
  • Run this tool as Windows Boot Manager Boot Application.

Buildout

I've migrated the build system from Visual Studio (uefi-simple) to EDK2. To build it:
  • Place this repo under EDK2 tree, such as YahalloPkg
  • Apply the EDK2 build system patch. See Edk2Patches folder for details.
  • build -a ARM -p YahalloPkg/YahalloPkg.dsc -t GCC5
Launch this image as a Windows Boot Manager OS entry, with nointegritychecks on and testsigning on.

About Project Naming

"Yahallo" by Yui Yuigahama From Oregairu. No objections will be acknowledged.

License

Copyright (c) 2019 - 2020, Bingxing Wang and other project authors. All rights reserved.
This tool is released under GPLv2.
Jailbreaks - Previous
UMCI Audit Mode
Next - Miscellaneous
Bare Metal Recovery
Last modified 3mo ago