License System (tokens.dat) and EditionID

Discussion in 'Windows 8' started by KNARZ, Oct 30, 2012.

  1. KNARZ (MDL Addicted), #1, Oct 30, 2012
    Last edited: May 30, 2013
    I dived a little deeper into the license system, since Microsoft just restricts functions over this certificate-based system.
    Many functions, like direct boot to the Modern/Metro UI, are only restricted by this system and its protected values.

    Unfortunately nobody has published any hacks about the policy system.

    I guess that if someone found a way to manipulate this system, this would come up as one of the biggest Windows hacks. All started with Windows Vista, but since Windows 8 there are many restrictions.

    I wanted to ask if anybody here had ever tried to manipulate the values?
    And if someone has an idea how I can persistently change the EditionID (not over product keys) in a flexible way - this would be great and very helpful. At least it would be interesting where that information is stored at all. It's not in the registry anymore.
    - I mean the results of "WMIC.exe OS".
     
  2. moderate (MDL Guru)
    Maybe you could tell us what nice settings are in play, so we can consider if it is worth enough to dive into that. :)
     
  3. KNARZ (MDL Addicted, OP), #3, Oct 31, 2012
    Last edited: May 30, 2013
    I'm not sure, those are all guesses based on the permission names

    • Activate Windows
    • Disable Notification Mode
    • Disable Evaluation Mode
    • Change Edition(ID)
    • Enable Media Center
    • Enable Several Codecs
    • Change Rearm count (may be interesting for W7)
    • Disable Modern/Metro UI (official) during sign-in.
    • Disable Login Experience (Windows loads and you see ONLY the desktop, no sign-in at all)
    • Disable all W8 Corners (flexible)
    • Disable Welcome Screen after Setup ("Hello, do something with the corner" bla bla)
    • Run unsigned Metro Apps (also hacked/cracked)
    • VHD-Boot (but I think this is already allowed)
    • Raid 5 support
    • Many TerminalServer things... Max User, Animations and so on.
    • Allow more RAM for x86 without patching system files.
    • Allow more than 2 physical processors.

    Interesting, but I don't know what this could be:
    "twinui-EnableGestruePolicy"

    And there are many other settings I don't understand or I haven't researched at all.

    btw: hacking Token Based Activation (TBA) would be the very best of all ;)
    But this is some kind of combination of 2 certificates. The token is like the SLIC or OA 3.0 information which has to match some OEM certificate. It's only lightly documented at all.
     
  4. kost (MDL Member)
    In the past I played with the registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductPolicy

    and managed to change the amount of RAM supported.
    Yes, if this key is changed then everything is changed.
    The system kernel does not allow direct modification of that key, but if you change

    HKEY_LOCAL_MACHINE\SYSTEM\Setup
    SetupType=1
    cmdline="cmd.exe"

    and reboot - the system in this mode allows writing to the key.
    Some of the policy values are processed by the kernel itself - for example RAM and CPU limitations.
    Others are for user-mode processes. Things like "Enable LOB sideloading" or "Can launch windows games" (yes, even that is in the system policy!)

    Main problem - the key value is written back by sppsvc according to the licensing tokens when sppsvc processes them.
    My guess is it uses a special kernel call, since it cannot write the key directly.
    If sppsvc is disabled - the key content remains unchanged and has effect at least on the kernel.
    (I successfully limited RAM to 2048 MB and it worked)

    But if sppsvc is disabled we have many other problems.
    Windows Update doesn't work and some apps may want to call it and will fail.

    The right idea is to hack the SPPSVC NOT TO VERIFY SIGNATURES. BYPASS CRYPTOGRAPHY AT ALL. MAKE ALL SIGNATURES VALID.
    and then change C:\Windows\System32\spp\tokens\ppdlic\* as you wish
    then slmgr.vbs /rilc.

    I am digging in this direction for the Windows Store service now. Maybe it can be done. It's very interesting to me
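As an added example (not from the thread or from kost), a read-only PowerShell check for the indicators described above: a non-zero SetupType together with a CmdLine under HKLM\SYSTEM\Setup, sppsvc set to start=4, and the current size and hash of the protected ProductPolicy blob. It assumes the value names SetupType, CmdLine and Start as used in the posts and writes nothing.

```powershell
# Added example, not code from the thread: audit the setup-mode and sppsvc indicators
# that let ProductPolicy be written or kept from being rebuilt. Read-only; run elevated.

$findings = @()

# 1. HKLM\SYSTEM\Setup: on an installed system SetupType is 0 and CmdLine is empty.
#    A non-zero SetupType with a CmdLine means the next boot runs that command
#    in setup mode, where ProductOptions is writable (kost's post).
$setup = Get-ItemProperty -Path 'HKLM:\SYSTEM\Setup' -ErrorAction Stop
if ($setup.SetupType -ne 0) {
    $findings += "SetupType is $($setup.SetupType) (expected 0): ProductOptions writable at next boot"
}
if (-not [string]::IsNullOrWhiteSpace($setup.CmdLine)) {
    $findings += "Setup CmdLine is '$($setup.CmdLine)': a command runs in setup mode at next boot"
}

# 2. sppsvc start type: Start=4 (Disabled) stops the service from rewriting
#    ProductPolicy from tokens.dat, which is what the thread relies on.
$spp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\sppsvc' -ErrorAction Stop
if ($spp.Start -eq 4) {
    $findings += "sppsvc Start=4 (Disabled): ProductPolicy is no longer rebuilt from tokens.dat"
}

# 3. ProductPolicy blob: record size and SHA-256 so a later run can spot changes.
#    sppsvc rebuilds the blob itself on a healthy machine, so compare runs on the
#    same machine rather than against a fixed reference value.
$pp = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions').ProductPolicy
$sha = [System.Security.Cryptography.SHA256]::Create()
$hash = ($sha.ComputeHash($pp) | ForEach-Object { $_.ToString('x2') }) -join ''
Write-Output "ProductPolicy: $($pp.Length) bytes, SHA-256 $hash"

if ($findings.Count -eq 0) {
    Write-Output 'No setup-mode or sppsvc indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```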
     
  5. KNARZ (MDL Addicted)
    I'm really a big fan of geoffchappell, so I know this post and the others related to the license system and many more from him. That's why I listed the point of more RAM. This is also only limited by policy; geoffchappell describes patching the system. But the best way would be just to change the policy values, or?! :biggrin:
    Yeah indeed, and you're nearly about to repeat what I posted a few minutes ago in another thread ^^. ;)) (here)

    I know someone already did the job (Vista or W7), but he won't provide any information about his method.

    Yes, this won't be easy, but I think it would be worth it. - Unfortunately I can't help on this except testing.
    And remember, there are still more options I haven't listed.

    I guess the SPP-Reserved-LocalGenuie value (or similar) gets changed on activated machines (I checked W8 (not activated) = 0, W7 (activated) = 1), so there might be a way to change values that maybe do not rely on certificates (but other checks).
     
  6. KNARZ (MDL Addicted, OP), #7, Oct 31, 2012
    Last edited: Oct 31, 2012
    Very interesting! I will give it a shot!
    Where did this info come from? How did you find out?
    What does SetupType=1 mean?

    I guess it means something like 'setup mode'?

    This is EXACTLY what I had in mind!
     
  7. kost (MDL Member)
    It's my personal finding.
    I found it a long time ago - 10 years ago or more.
    By analyzing the stolen source of Windows I learned how to change workstation to server and so on.
    The kernel checks SetupType. If it is 0 then tampering protection is activated on ProductOptions.
    Types other than 0 are designed for Windows setup purposes.
    They allow Windows setup to write values.
    On modern systems this key is also used for setup purposes.
    In setup press Shift+F10 and look at SetupType
     
  8. KNARZ (MDL Addicted)
    THIS IS SO GREAT!
    WE CAN MODIFY VALUES!
    It's not perfect, SPP has to be disabled, which will cause (many/some) problems, but for testing purposes this is great!
    If someone wants to program a little I have some very cool ideas (PM).
     
  9. KNARZ (MDL Addicted, OP), #10, Oct 31, 2012
    Last edited: Oct 31, 2012
    Just to inform: the tokens.dat holds all policies and activation, but the registry value is used for all further internal actions.

    sppsvc combines this information and creates, periodically and on updates, the ProductPolicy array which is used by the system all over.
    With SPP disabled I can modify nearly everything I want. Even changing the personal screen from Metro/Modern UI is easily possible now without activation.

    Does someone have some info (maybe from W7) on what happens if SPP is disabled? (start=4 is enough).
    And it would also be interesting what the very first value is?!
    This one changes all the time on normal machines. Looks like some GUI and then binary info as data.
     
  10. Stannieman (MDL Guru)
    Not much development here, but if this can be explored further it could be by far the most interesting topic I've ever seen.
     
  11. KNARZ (MDL Addicted, OP), #12, Nov 26, 2012
    Last edited: Nov 26, 2012
    kost is actually working on analyzing SPP. Unfortunately it seems he does it all alone. I wish CW2K would also investigate a little (great [German] guy!) ;) - Some kind of source code is already done and is released in kost's wsservice package.

    more information -- here

    I promise you all, in W9 we will get more and more restrictions.
    The system wasn't that interesting for W7 (in Vista (the beginning) it would have been possible to enable Aero, cut out the running application limitations and so on), a little more interesting for e.g. the Starter edition.

    With his editor PPE
    it's easy to change values. (Thanks again kost! ;)

    I'm running VMs ever since with changed values without any problems.
    If you type in the right date then your system thinks it's activated and won't bother you ever again.
    You can also remove the Eval timebomb with this method, make your KMS permanent and so on.

    This is because Windows queries all (normal running) information from the protected registry value.
    In the first place I tried to re-enable Aero, but it seems they really changed some source, as I compared a few things.

    But:
    All queries that are based on sppsvc will fail - so in system information and WMI the activation status won't show correctly ('not available' or something).
     
  12. KNARZ (MDL Addicted)
    • Removing Timebomb from Eval Versions.
    • Remote DX Support (only on Server Editions otherwise)
     
  13. Fraggy (MDL Addicted)
    By the way, you can also remove most of the restrictions by patching slc.dll (just like the Beta redpill). I guess slc.dll is less encrypted than sppsvc?
     
  14. KNARZ (MDL Addicted, OP), #15, Jul 2, 2013
    Last edited: Jul 2, 2013
    sppsvc should not verify any signature. Bypass the whole cryptography - no signature checks at all.
    How to achieve this doesn't matter, but thanks for the hint about slc.dll, that this might be enough.

    I still believe this will be the biggest hack for Windows since the Vista release.
    (Since the 8.1 preview there are two new base64-encoded values within the token.)
     