License System (tokens.dat) and EditionID

Discussion in 'Windows 8' started by KNARZ, Oct 30, 2012.

  1. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    895
    482
    30
    #1 KNARZ, Oct 30, 2012
    Last edited: May 30, 2013
    I dived a little deeper into the license system, since Microsoft restricts functions through this certificate-based system.
    Many functions, like direct boot to the Modern/Metro UI, are only restricted by this system and its protected values.

    Unfortunately nobody has published any hacks for the policy system.

    I guess that if someone found a way to manipulate this system, it would come up as one of the biggest Windows hacks. It all started with Windows Vista, but since Windows 8 there are many restrictions.

    I wanted to ask if anybody here has ever tried to manipulate the values?
    And if someone has an idea how I can persistently change the EditionID (not via product keys) in a flexible way, this would be great and very helpful. At least it would be interesting where that information is stored at all. It's not in the registry anymore.
    - I mean the results of "WMIC.exe OS".
     
  2. moderate

    moderate MDL Guru

    Aug 31, 2009
    3,355
    2,479
    120
    Maybe you could tell us what nice settings are in play, so we can consider whether it is worth diving into that. :)
     
  3. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    895
    482
    30
    #3 KNARZ, Oct 31, 2012
    Last edited: May 30, 2013
    (OP)
    I'm not sure; those are all guesses, derived from the permission names:

    • Activate Windows
    • Disable Notification Mode
    • Disable Evaluation Mode
    • Change Edition(ID)
    • Enable Media Center
    • Enable several codecs
    • Change rearm count (may be interesting for W7)
    • Disable Modern/Metro UI (official) during sign-in
    • Disable Login Experience (Windows loads and you see ONLY the desktop, no sign-in at all)
    • Disable all W8 corners (flexible)
    • Disable Welcome Screen after Setup ("Hello, do something with the corner", blah blah)
    • Run unsigned Metro apps (also hacked/cracked ones)
    • VHD boot (but I think this is already allowed)
    • RAID 5 support
    • Many Terminal Server things: max users, animations and so on
    • Allow more RAM for x86 without patching system files
    • Allow more than 2 physical processors

    Interesting, but I don't know what this could be:
    "twinui-EnableGestruePolicy"


    And there are many other settings I don't understand or I haven't researched at all.

    btw: hacking Token-Based Activation (TBA) would be the very best of all ;)
    But this is some kind of combination of two certificates. The token is like the SLIC or OA 3.0 information, which has to match some OEM certificate. It's only lightly documented at all.
     
  4. kost

    kost MDL Member

    Jan 22, 2011
    116
    225
    10
    In the past I played with the registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductPolicy

    and managed to change the amount of RAM supported.
    Yes, if this key is changed then everything is changed.
    The system kernel does not allow direct modification of that key, but if you change

    HKEY_LOCAL_MACHINE\SYSTEM\Setup
    SetupType=1
    cmdline="cmd.exe"

    and reboot, the system in this mode allows writing to the key.
    Some of the policy values are processed by the kernel itself, for example the RAM and CPU limitations.
    Others are for user-mode processes. Things like "Enable LOB sideloading" or "Can launch windows games" (yes, even that is in the system policy!)

    Main problem: the key value is written back by sppsvc according to the licensing tokens when sppsvc processes them.
    My guess is that it uses a special kernel call, since it cannot write the key directly.
    If sppsvc is disabled, the key content remains unchanged and has an effect, at least on the kernel.
    (I successfully limited RAM to 2048 MB and it worked.)

    But if sppsvc is disabled we have many other problems.
    Windows Update doesn't work, and some apps may want to call it and will fail.

    The right idea is to hack SPPSVC NOT TO VERIFY SIGNATURES. BYPASS CRYPTOGRAPHY ENTIRELY. MAKE ALL SIGNATURES VALID.
    and then change C:\Windows\System32\spp\tokens\ppdlic\* as you wish,
    then slmgr.vbs /rilc.

    I'm digging in this direction for the Windows Store service now. Maybe it can be done. It's very interesting to me.
     
  5. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    895
    482
    30
    #7 KNARZ, Oct 31, 2012
    Last edited: Oct 31, 2012
    (OP)
    Very interesting! I will give it a shot!
    Where did this info come from? How did you find out?
    What does SetupType=1 mean?

    I guess it means something like 'setup mode'?

    This is EXACTLY what I had in mind!
     
  6. kost

    kost MDL Member

    Jan 22, 2011
    116
    225
    10
    It's my personal finding.
    I found it a long time ago, 10 years ago or more.
    By analyzing the stolen Windows source I learned how to change workstation to server and so on.
    The kernel checks SetupType. If it is 0 then tampering protection is activated on ProductOptions.
    Types other than 0 are designed for Windows Setup purposes.
    They allow Windows Setup to write the values.
    On modern systems this key is also used for setup purposes.
    In Setup press Shift+F10 and look at SetupType.
     
  7. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    895
    482
    30
    THIS IS SO GREAT!
    WE CAN MODIFY VALUES!
    It's not perfect, SPP has to be disabled, which will cause (many/some) problems, but for testing purposes this is great!
    If someone wants to program a little, I have a very cool idea (PM).
     
  8. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    895
    482
    30
    #10 KNARZ, Oct 31, 2012
    Last edited: Oct 31, 2012
    (OP)
    Just to inform: tokens.dat holds all policies and activation, but the registry value is used for all further internal actions.

    sppsvc combines this information and creates, periodically and on updates, the ProductPolicy array which is used by the system all over.
    With SPP disabled I can modify nearly everything I want. Even changing the personal screen from the Metro/Modern UI is easily possible now without activation.

    Does someone have info (maybe from W7) on what happens if SPP is disabled? (start=4 is enough.)
    And it would also be interesting what the very first value is.
    This one changes all the time on normal machines. Looks like some GUID and then binary info as data.
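
    kost's post above describes the ProductPolicy registry value as the array the kernel and user-mode components actually consult, and the post directly above describes sppsvc rebuilding that array from tokens.dat. The following is an added example, not code from either poster or from Microsoft: it parses that binary value into name/type/value records, changes one REG_DWORD entry, and re-serialises it with the record sizes, 4-byte alignment and end marker kept consistent, since a blob with a wrong total size or missing end marker is rejected rather than applied. The record layout follows the publicly documented ProductPolicy format (the Geoff Chappell material referenced later in this thread); the sample blob and the Example-* policy names are constructed for the demonstration and are not real policy names.

```python
"""Parse and rebuild a ProductPolicy blob, i.e. the REG_BINARY value at
HKLM\\SYSTEM\\CurrentControlSet\\Control\\ProductOptions\\ProductPolicy.

Added example; the sample blob and policy names below are constructed.

Layout as publicly documented (all fields little-endian):
  header (20 bytes): total_size, values_size, end_marker_size (4), reserved (0), version (1)
  value record, repeated, each padded to a 4-byte boundary:
      u16 record_size, u16 name_size, u16 reg_type, u16 data_size, u32 flags, u32 padding,
      then the name as UTF-16LE without terminator, then the data bytes
  end marker: u32 0x45
"""
import struct

HEADER = struct.Struct("<IIIII")    # total, values_size, end_size, reserved, version
RECORD = struct.Struct("<HHHHII")   # size, name_size, type, data_size, flags, padding
END_MARKER = 0x45
REG_SZ, REG_BINARY, REG_DWORD = 1, 3, 4


def _align4(n):
    return (n + 3) & ~3


def parse_product_policy(blob):
    """Return {name: (reg_type, value, flags)} in blob order; raise ValueError if malformed."""
    total, values_size, end_size, _reserved, version = HEADER.unpack_from(blob, 0)
    if total != len(blob) or end_size != 4 or version != 1:
        raise ValueError("ProductPolicy header does not match the blob")
    off, end = HEADER.size, HEADER.size + values_size
    policies = {}
    while off < end:
        size, name_size, reg_type, data_size, flags, _pad = RECORD.unpack_from(blob, off)
        # A record smaller than its own fields (size 0 included) would loop forever.
        if size < RECORD.size + name_size + data_size or off + size > end:
            raise ValueError("record at offset %d overruns the value area" % off)
        name_off = off + RECORD.size
        name = blob[name_off:name_off + name_size].decode("utf-16-le")
        data = bytes(blob[name_off + name_size:name_off + name_size + data_size])
        if reg_type == REG_DWORD:
            value = struct.unpack("<I", data)[0]
        elif reg_type == REG_SZ:
            value = data.decode("utf-16-le").rstrip("\0")
        else:
            value = data
        policies[name] = (reg_type, value, flags)
        off += size
    if struct.unpack_from("<I", blob, end)[0] != END_MARKER:
        raise ValueError("end marker missing")
    return policies


def build_product_policy(policies):
    """Inverse of parse_product_policy: serialise the dict back into a blob."""
    body = bytearray()
    for name, (reg_type, value, flags) in policies.items():
        name_bytes = name.encode("utf-16-le")
        if reg_type == REG_DWORD:
            data = struct.pack("<I", value)
        elif reg_type == REG_SZ:
            data = (value + "\0").encode("utf-16-le")   # strings carry their NUL terminator
        else:
            data = bytes(value)
        size = _align4(RECORD.size + len(name_bytes) + len(data))
        record = RECORD.pack(size, len(name_bytes), reg_type, len(data), flags, 0)
        body += (record + name_bytes + data).ljust(size, b"\0")
    total = HEADER.size + len(body) + 4
    return HEADER.pack(total, len(body), 4, 0, 1) + bytes(body) + struct.pack("<I", END_MARKER)


def set_dword(blob, name, new_value):
    """Return a new blob with one REG_DWORD policy changed (or added); all other records intact."""
    policies = parse_product_policy(blob)
    reg_type, _old, flags = policies.get(name, (REG_DWORD, 0, 0))
    if reg_type != REG_DWORD:
        raise TypeError("%s is not a REG_DWORD policy" % name)
    policies[name] = (REG_DWORD, new_value, flags)
    return build_product_policy(policies)


# Constructed sample: the names are made up for this example, not real policy names.
SAMPLE_POLICIES = {
    "Example-EditionName": (REG_SZ, "Enterprise", 0),
    "Example-MaxPhysicalProcessors": (REG_DWORD, 2, 0),
    "Example-OpaqueData": (REG_BINARY, b"\x01\x02\x03", 0),
}
SAMPLE_BLOB = build_product_policy(SAMPLE_POLICIES)

if __name__ == "__main__":
    for name, (reg_type, value, flags) in parse_product_policy(SAMPLE_BLOB).items():
        print("%-32s type=%d flags=0x%08x %r" % (name, reg_type, flags, value))
    patched = set_dword(SAMPLE_BLOB, "Example-MaxPhysicalProcessors", 4)
    print(parse_product_policy(patched)["Example-MaxPhysicalProcessors"])
```

    On a live system the input would come from winreg.QueryValueEx on the ProductOptions key, and the output written back with winreg.SetValueEx; as the thread describes, the write only succeeds while SetupType is non-zero and only survives while sppsvc is not running to regenerate the value, and the kernel-side limits are picked up at the next boot.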
     
  9. Stannieman

    Stannieman MDL Guru

    Sep 4, 2009
    2,232
    1,818
    90
    Not much development here, but if this can be explored further it could be by far the most interesting topic I've ever seen.
     
  10. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    895
    482
    30
  11. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    895
    482
    30
    • Removing the timebomb from Eval versions.
    • Remote DX support (otherwise only on Server editions)
     
  12. Fraggy

    Fraggy MDL Addicted

    Jun 13, 2011
    734
    389
    30
    By the way, you can also remove most of the restrictions by patching slc.dll (just like the Beta redpill). I guess slc.dll is less encrypted than sppsvc?
     
  13. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    895
    482
    30
    #15 KNARZ, Jul 2, 2013
    Last edited: Jul 2, 2013
    (OP)
    sppsvc should not verify any signature. Bypass the whole cryptography, no signature checks at all.
    How to achieve this doesn't matter, but thanks for the hint about slc.dll, that this might be enough.

    I still believe this will be the biggest hack for Windows since the Vista release.
    (Since the 8.1 preview there are two new base64-encoded values within the token.)
     
  14. zrq

    zrq MDL Novice

    Jun 28, 2017
    6
    3
    0
    #16 zrq, Jan 3, 2019
    Last edited: May 17, 2020
    -1
     
  15. zrq

    zrq MDL Novice

    Jun 28, 2017
    6
    3
    0
    Somewhat offtopic:
    WindowsD (github.com->katlogic->WindowsD) looks like an interesting project and can (at least seems to) unlock the ProductOptions key without a reboot. But after some tests, it turned out that changing this reg key would not have an immediate effect; a reboot (with sppsvc off) is required to make the changes effective.
    geoffchappell ->/bugchecks/9a.htm also provides some useful (but old) information.

    (sorry for unable to post the links properly because I am a newbie)
     
  16. zrq

    zrq MDL Novice

    Jun 28, 2017
    6
    3
    0
    A little more Googling pointed out that SLShim is a quite interesting project (solution?).