# [EXE/BINARIES] Some binaries from W10M OEM KIT



## djamol (Oct 8, 2016)

Some binaries from the Windows 10 Mobile OEM KIT.
MobileOS-arm-fre.zip etc.

It includes most of the great stuff, like icacls.exe for ARM too. That's a great thing.
Developermenu.efi for Mass Storage Mode etc.

Notes:
Don't fill up MainOS with this stuff. (MainOS is small and needs some space for the update process. Another reason is that if your device is not secure boot unlocked, the device will get bricked on Hard Reset. You will need to flash the FFU again.)
You can put it here: "C:\Data\Test\Bin"
I.e. "C:\Data\Test\Bin\cmd.exe"
"C:\Data\Test\Bin\EN-US\cmd.exe.mui"

When dumping UEFI variables from developermenu.efi, you need to create a directory (LOGs) in EFIESP.
Like this: "C:\EFIESP\LOGs"


----------



## augustinionut (Oct 8, 2016)

How to use ?


----------



## djamol (Oct 8, 2016)

augustinionut said:


> How to use ?




Deploy tshell or sftp access, or manually install the bootsh service.
Or here is one: http://forum.xda-developers.com/windows-10-mobile/enable-bootshsvc-windows10mobile-t3455357


----------



## BastogneBas (Oct 9, 2016)

How do I use developermenu.efi? What should I do with it?


----------



## RandomWP (Oct 10, 2016)

djamol said:


> if your device is not secure boot unlocked then device will get bricked on Hard Reset.




Will I get a brick if I put cmd.exe (and some other .exe files) in C:/Windows/system32 and do a hard reset?


----------



## RandomWP (Oct 10, 2016)

djamol said:


> Developermenu.efi for Mass Storage Mode




How to enable Mass Storage Mode? What should I do with Developermenu.efi?


----------



## naiple (Oct 11, 2016)

RandomWP said:


> How to enable Mass Storage Mode? What should I do with Developermenu.efi?



You can replace the resetphone.efi with developermenu.efi. But you need to disable UEFI secure boot or provision test certificates first.
And I think you need to copy the bmpx to EFIESP\Windows\System32\boot\ui.


----------



## naiple (Oct 11, 2016)

Some pictures of the WP dev menu

Sent from my E5823 using XDA-Developers mobile app


----------



## RandomWP (Oct 11, 2016)

naiple said:


> You can replace the resetphone.efi with developermenu.efi. But you need to disable UEFI secure boot or provision test certificates first.
> And I think you need to copy the bmpx to EFIESP\Windows\System32\boot\ui.



Are there any brick risks? How do I disable secure boot? Can I update the system normally after disabling secure boot? Too many questions...


----------



## naiple (Oct 11, 2016)

RandomWP said:


> Are there any brick risks? How do I disable secure boot? Can I update the system normally after disabling secure boot? Too many questions...



You can disable secure boot on Lumia x2x using WPinternals. I have no idea how to disable secure boot on other devices... I already have 2 bricked phones from trying to disable secure boot.

Sent from my E5823 using XDA-Developers mobile app


----------



## RandomWP (Oct 11, 2016)

naiple said:


> I have no idea how to disable secure boot on other devices...




How did you install developermenu.efi on the Lumia 650 (in the photo) without disabling secure boot?


----------



## rejithkumar (Oct 11, 2016)

How can I enter mass storage mode on my Lumia 430?


----------



## djamol (Oct 11, 2016)

RandomWP said:


> How did you install developermenu.efi on the Lumia 650 (in the photo) without disabling secure boot?



Without Secure Boot unlocked it won't work, unless the device has a test cert provisioned.

His 650 could have secure boot off, or maybe he has a custom secure boot policy, as I'm not sure whether it's a prototype or test device.


----------



## djtonka (Oct 12, 2016)

rejithkumar said:


> How can I enter mass storage mode on my Lumia 430?



Just tap on the Weather app


----------



## RandomWP (Oct 13, 2016)

djamol said:


> Some binaries from the Windows 10 Mobile OEM KIT.



Where did you find these files?
The EFI has no digital signature; can we sign it using the original EFI's signature? Or is this impossible?


----------



## djamol (Oct 13, 2016)

RandomWP said:


> Where did you find these files?
> The EFI has no digital signature; can we sign it using the original EFI's signature? Or is this impossible?



I found this with a Google search.

Just rename it to "example.efi", then go to Properties; you will see the test-signed cert under "digitalSignature".

What do you mean by original EFI?
Do you mean retail signed? Like preview builds etc.?
That's not possible. Only Microsoft can sign anything.


----------
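
Added example, not part of the thread and not code from the OEM kit: a Python sketch that reads the PE certificate table (data directory 4), which is where an embedded Authenticode signature such as a test-signed cert sits in an `.efi` or `.exe`. It reports only whether a signature is present and its type; it does not validate the chain, which is what Secure Boot does against its key databases. `build_sample` and its placeholder blob are constructed for the demo.

```python
import struct

SECURITY_DIR = 4  # index of IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
CERT_TYPES = {0x0001: "X509", 0x0002: "PKCS_SIGNED_DATA"}

def certificate_entries(data: bytes):
    """List (revision, type, payload_len) for each WIN_CERTIFICATE in a PE/EFI image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 24                      # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    (num_dirs,) = struct.unpack_from("<I", data, dirs_off - 4)
    if num_dirs <= SECURITY_DIR:
        return []
    # For this directory the "address" field is a raw file offset, not an RVA.
    pos, size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR)
    if pos == 0 or size == 0:
        return []                              # no embedded signature
    end = pos + size
    if end > len(data):
        raise ValueError("certificate table runs past end of file")
    entries = []
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((revision, CERT_TYPES.get(ctype, hex(ctype)), length - 8))
        pos += (length + 7) & ~7               # entries are 8-byte aligned
    return entries

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32 header for the demo; not a real EFI binary."""
    opt = bytearray(224)                       # 96 fixed bytes + 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x01C4, 0, 0, 0, 0, len(opt), 0x0102)  # ARMNT
    head = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff
    if not signed:
        return head + bytes(opt)
    blob = b"PLACEHOLDER-PKCS7"                # stands in for the PKCS#7 SignedData
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, len(head) + len(opt), 8 + len(blob))
    return head + bytes(opt) + struct.pack("<IHH", 8 + len(blob), 0x0200, 2) + blob
```

To inspect a real file, pass its bytes: `certificate_entries(open(path, "rb").read())`. An empty list means the image carries no embedded signature.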



## djamol (Oct 13, 2016)

@RandomWP well if you can factor this, then you can sign anything you want.
"18972448065962940139915565550429542544127483826779617872033880200805531383810112033519462923455689001184704988629643322320935626522386587923114029165693226888726219810642734784485492479939675930712071937232814450059618069452834633402428960910772103556325402321732401344147493693868867659352675032054708935329819089743015709265983846796758594535993753245690111237034446423120148054406212815847368448494321991594739699349012952561409940006424505666495664581055624281399729068036466219150359946643974593913874303450382131958280356742749034844934294785202092112687219434536744337659608947188429328662226650888351316620003"


----------



## RandomWP (Oct 13, 2016)

Secure boot blocks files without digital signature, right?


----------



## djamol (Oct 13, 2016)

RandomWP said:


> Secure boot blocks files without digital signature, right?




Yes, exactly.
The retail Secure Boot policy doesn't allow any unsigned stuff or any other signed stuff (non-production certs).
We need stuff that is signed only by Microsoft digital certificates contained in the phone's SB database, i.e. PK, KEK, db etc.

That's why we need to disable secure boot to flash any unsigned ROM or EFI apps.


----------



## RandomWP (Oct 13, 2016)

djamol said:


> Yes, exactly.
> Secure boot doesn't allow any unsigned stuff or any other signed stuff (non-production certs).
> We need stuff that is signed only by Microsoft digital certificates contained in the phone's SB database, i.e. PK, KEK, db etc.
> 
> That's why we need to disable the secure boot policy to flash any unsigned ROM or EFI apps.



And we can't sign our EFI apps using the MS certificate :crying:
Or we can sign files using any certificate, but we can't get the MS certificate?


----------



## djamol (Oct 13, 2016)

@RandomWP yes. But there are 2 hacks discovered on W10M.
1. "DebugPolicy" MS vulnerability, which is known as Golden Key.
If we apply that DebugPolicy (a custom secure boot policy which was signed by Microsoft themselves and released to the public by accident, and affected bootloaders), then we can sign our custom EFI apps with test-signed or any other non-MS certs. The secure boot policy will accept them. But the hack has been patched by now and doesn't work anymore.

2. Another is "UMCIAuditMode", which is part of W10 development mode. If we enable this on W10M, we can run any unsigned stuff in Windows OS (not bootloaders or EFI apps), only exe after Windows OS has loaded. That's it.


----------



## RandomWP (Oct 13, 2016)

Wow, I found a certificate file when randomly clicking on folders on C: for no reason; it matches the certificate on resetphone.efi. Can we sign devmenu.efi with it and use it?


----------



## djamol (Oct 13, 2016)

RandomWP said:


> Wow, I found a certificate file when randomly clicking on folders on C: for no reason; it matches the certificate on resetphone.efi. Can we sign devmenu.efi with it and use it?



No, we can't sign using those certs, because we don't have the private key.
The digital certificate and public key (which I put in the previous post) are the public part, and the PRIVATE KEY is the "Secret Part".
To sign any stuff we need the private key.
You have to understand the RSA ecosystem.
Google RSA cryptography or check the wiki.
Some blogs/websites can also give you a better understanding.


----------



## RandomWP (Oct 13, 2016)

djamol said:


> No, we can't sign using those certs, because we don't have private key.




We need only to hack Microsoft and steal private key. :laugh:
Or disable secure boot, it is easier.


----------



## vcfan (Oct 27, 2016)

RandomWP said:


> We need only to hack Microsoft and steal private key. :laugh:
> *Or disable secure boot, it is easier*.




true 
(full sb unlock, not debug policy)


----------



## ngame (Oct 27, 2016)

vcfan said:


> true




OMG . 
WP Security is all gone


----------



## vcfan (Oct 27, 2016)

ngame said:


> OMG .
> WP Security is all gone




yes, all WPs, not just lumia


----------



## ngame (Oct 27, 2016)

vcfan said:


> yes, all WPs, not just lumia




I know that vc ?
Here is my Lumia 950XL . Oh sh*t  how bad  I'm no longer able to sell my phone lol


----------



## gus33000 (Oct 27, 2016)

haha finally a secure boot exploit that works, good job @vcfan 
I guess I can say goodbye to the debug policies and the sad faces then 

Edit: out of curiosity, is it unlockable outside the phone, or that's required to have the phone OS working? Thinking about helping @snickler bricked phones


----------



## djamol (Oct 27, 2016)

Should i need to show my device or what ?  
Hey @vcfan that's bugger hack. I can play around with UEFI but you did everything.. That's weird. Great job !!!
Please check PM


----------



## snickler (Oct 27, 2016)

vcfan said:


> true
> (full sb unlock, not debug policy)




This is awesome! Question @vcfan, is this a retail phone or eng phone? I do also see that you have an AT&T 1520 like I do (mine's the one that's in brick hell ). What's your product code? This is fascinating that you have the RDC, whereas mine doesn't have it.


----------



## ngame (Oct 27, 2016)

snickler said:


> This is awesome! Question @vcfan, is this a retail phone or eng phone? I do also see that you have an AT&T 1520 like I do (mine's the one that's in brick hell ). What's your product code? This is fascinating that you have the RDC, whereas mine doesn't have it.




All of our phones are retail
950xl , 640XL and 1520
We also start testing on ativ s and more


----------



## vcfan (Oct 27, 2016)

gus33000 said:


> haha finally a secure boot exploit that works, good job @vcfan
> I guess I can say goodbye to the debug policies and the sad faces then
> 
> Edit: out of curiosity, is it unlockable outside the phone, or that's required to have the phone OS working? Thinking about helping @snickler bricked phones




it may still be possible to flash test signed ffu with ffuloader with bricked debug policy phone (if debug policy is applied and boot to ffuloader loads). not totally positive on that one.



snickler said:


> This is awesome! Question @vcfan, is this a retail phone or eng phone? I do also see that you have an AT&T 1520 like I do (mine's the one that's in brick hell ). What's your product code? This is fascinating that you have the RDC, whereas mine doesn't have it.




retail 059T5Z1. dont have real RDC, nokia boot manager is patched


----------



## snickler (Oct 27, 2016)

ngame said:


> All of our phones are retail
> 950xl , 640XL and 1520
> We also start testing on ativ s and more




Hmm okay, I was just wondering. AFAIK, you can't unblow an eFuse. All retail phones have their eFuse blown. All of my phones, including the same 1520 model as shown in the screenshot have their eFuse blown.


----------



## snickler (Oct 27, 2016)

vcfan said:


> it may still be possible to flash test signed ffu with ffuloader with bricked debug policy phone (if debug policy is applied and boot to ffuloader loads). not totally positive on that one.
> 
> 
> 
> retail 059T5Z1. dont have real RDC, nokia boot manager is patched




Ah I didn't see this post before I replied. So you patched the Nokia bootmanager to trick it into thinking that you have unblown efuses, etc?


----------



## snickler (Oct 27, 2016)

@vcfan, you actually got past all the UEFI integrity checks? Sorry I'm asking 8 million questions, but this is exciting to know.


----------



## ngame (Oct 27, 2016)

snickler said:


> Ah I didn't see this post before I replied. So you patched the Nokia bootmanager to trick it into thinking that you have unblown efuses, etc?




Yeah patched boot manager trick the phone RDC found and etc.


----------



## djamol (Oct 27, 2016)

snickler said:


> @vcfan, you actually got past all the UEFI integrity checks? Sorry I'm asking 8 million questions, but this is exciting to know.




if you flash original stock rom, you can flash custom unsigned rom immediately without changing even one thing


----------



## snickler (Oct 27, 2016)

djamol said:


> if you flash original stock rom, you can flash custom unsigned rom immediately without changing even one thing




? That's WITH their SB Unlock?


----------



## Riyad_ (Oct 28, 2016)

vcfan said:


> true
> (full sb unlock, not debug policy)




That's awesome... take a bow, man. Btw, will there be any tutorial for this? Excited as Cocacola


----------



## Riyad_ (Oct 31, 2016)

djamol said:


> Some binaries from the Windows 10 Mobile OEM KIT.
> MobileOS-arm-fre.zip etc.
> 
> It includes most of the great stuff, like icacls.exe for ARM too. That's a great thing.
> ...



Is there any difference between the Microsoft IoT cmd.exe and the one you provided in the attachment?


----------



## djamol (Oct 31, 2016)

Riyad_ said:


> That's awesome... take a bow, man. Btw, will there be any tutorial for this? Excited as Cocacola





Riyad_ said:


> Is there any difference between the Microsoft IoT cmd.exe and the one you provided in the attachment?



That's nothing special, just the latest compiled for ARM32, which may be an improved one or may have added new features.
Like the new bcdedit.exe has some W10M support, "Mfgmode" etc. instead of customs etc.


----------



## A AJAY (Nov 5, 2016)

Can anyone give the link for developermenu.efi? The given link is down.



Sent from mTalk


----------



## jules67 (Jul 31, 2019)

*packages*

Do you have the packages ?

MobileOS-x86-fre.zip
MobileOS-arm-fre.zip


----------

