# BCDEDIT availability



## yochu20 (Sep 8, 2016)

For those looking to use BCDEDIT on their phone, it seems that the restrictions preventing us from doing so exist in the SSH server implementation. If you install the Telnet server and execute BCDEDIT from there, it appears we can at least read the BCD store and enumerate parameters. I have not yet tried to make changes; I am not ready to do so yet. If anyone wants to give it a shot and report back, go for it. Careful though, this could result in a brick.







http://forum.xda-developers.com/windows-10-mobile/enable-bootshsvc-windows10mobile-t3455357

Thanks to naiple for uploading the files and method to get telnet running at boot


----------



## BlueTR (Sep 8, 2016)

Thanks for sharing but do we have to copy every file in the zip? There are 20 files and it is hard to type.
Op says copy the exe and mui but there are a lot of them and he didn't mention which one we need.


----------



## yochu20 (Sep 8, 2016)

BlueTR said:


> Thanks for sharing but do we have to copy every file in the zip? There are 20 files and it is hard to type.
> Op says copy the exe and mui but there are a lot of them and he didn't mention which one we need.




You will want the bootsh files (dll, mui), enable.bat, enable_bootsh.reg, ftpd.exe, gwptcp.exe, mwstartnet.exe, startup.bsc, telnetd.exe, and telnetlogon.exe to get JUST telnet and ftp working at boot. Follow naiple's instructions to get this running.

You could optionally not use the files to run telnet and ftp at startup and just run them as needed, and this may be prudent since telnet does not require credentials to access. Once telnet and ftp are running, you'll have a much easier time copying files across over ftp; like telnet, it does not have the same restrictions sftp does.


----------



## BlueTR (Sep 8, 2016)

yochu20 said:


> You will want the bootsh files (dll, mui), enable.bat, enable_bootsh.reg, ftpd.exe, gwptcp.exe, mwstartnet.exe, startup.bsc, telnetd.exe, and telnetlogon.exe to get JUST telnet and ftp working at boot. Follow naiple's instructions to get this running.
> 
> You could optionally not use the files to run telnet and ftp at startup and just run them as needed, and this may be prudent since telnet does not require credentials to access. Once telnet and ftp are running, you'll have a much easier time copying files across over ftp; like telnet, it does not have the same restrictions sftp does.




All of them are needed; I just tried and got an error.
I got it working but I'm afraid of trying to write.

---------- Post added at 12:16 AM ---------- Previous post was at 12:01 AM ----------

Nope.


----------



## yochu20 (Sep 8, 2016)

BlueTR said:


> All of them are needed, just tried and got error.
> I got it working but I'm afraid of trying to write
> 
> ---------- Post added at 12:16 AM ---------- Previous post was at 12:01 AM ----------
> ...




Yeah, I am nervous about writing to the store as well. If anyone decides to YOLO this, please post your results.






I decided since I posted, I should give it a try.  Seems some values can be edited, notice my bootmenupolicy changed in the new screen.  Other values are protected by Secure Boot, which is expected.  Good luck!


----------



## BlueTR (Sep 8, 2016)

yochu20 said:


> Yeah, I am nervous about writing to the store as well.  If anyone decides to YOLO this, please post your results




I updated my post and added a screen shot. It says "The process cannot access the file because it is being used by another process"


----------



## yochu20 (Sep 8, 2016)

BlueTR said:


> I updated my post and added a screen shot. It says "The process cannot access the file because it is being used by another process"




I managed to get a value to update after I saw your updated post, posted the screen after the change.  Try it again with the active store, that could be the difference.


----------



## svaethier (Sep 8, 2016)

I followed the directions by copying the files you said we'll need to their spots, but when calling enable.dat I get "reg is not recognized as an internal or external command".

Edit:
I got it to work, but now I get a 10048 error when trying to run ftpd.exe or the telnet one.


----------



## BlueTR (Sep 8, 2016)

yochu20 said:


> I managed to get a value to update after I saw your updated post, posted the screen after the change.  Try it again with the active store, that could be the difference.




You are right. I did and it worked, but there is a problem. I enabled the boot menu but I don't have a camera button.
If I press the volume up key, the phone goes into FFU mode. If I press the volume down key, an exclamation mark appears. If I press the power key it selects the Windows loader and disables the countdown, then just waits.


----------



## ninjaofbacon (Sep 9, 2016)

BlueTR said:


> You are right. I did and it worked but there is a problem. I enabled boot menu but I don't have a camera button
> If I press the volume up key, phone goes into ffu mode. If I press the volume down key, exclamation mark appears. If I press power key it selects windows loader and disables countdown then just waits.




What did you change?


----------



## svaethier (Sep 9, 2016)

Edit:
Finally got a telnet app to work on my Android, so here are all the commands for bcdedit:
http://imgur.com/RVQ4HJ2
http://imgur.com/d4ecch0
http://imgur.com/CaS6I6o
http://imgur.com/LosxJ6d
http://imgur.com/GScAoFg
http://imgur.com/Lz6JVby

*Warning*
Before you do something stupid with these commands, I recommend you use a backup Windows phone to test these out!! I'm not at fault if anything happens to your main phone.


----------



## sensboston (Sep 9, 2016)

Hmm, @svaethier, what are you talking about (and who cares about your damn Android screenshot here?!!)

BCDEdit is a very well documented program. If you are not banned on google.com, try to search by yourself!

P.S. The very first link: https://technet.microsoft.com/en-us/library/cc709667(v=ws.10).aspx

P.P.S. Please don't tell me "you are rude and impolite"! Noobs sometimes are extremely annoying. What am I supposed to say? "Thank you for the unique info!"?


----------



## svaethier (Sep 9, 2016)

sensboston said:


> Hmm, @svaethier, what are you talking about (and who cares about your damn Android screenshot here?!!)
> 
> BCDEdit is a very well documented program. If you are not banned on google.com, try to search by yourself!
> 
> ...




Well, excuse me for providing info to those who may want it without having to google stuff up. Yes, you are actually being quite rude; if you have nothing nice to say then just keep your opinions to yourself, thanks.


----------



## BlueTR (Sep 9, 2016)

ninjaofbacon said:


> What did you change?




bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /timeout 15

What if we extract an 8.1 FFU onto an SD card and add it to the bootloader menu?
Can we dual-boot W10 and 8.1?


----------



## svaethier (Sep 9, 2016)

I don't think it's as simple as adding another FFU.


----------



## BlueTR (Sep 9, 2016)

svaethier said:


> I don't think it's as simple as adding another FFU.




I made a VHD file from the FFU. It contains the whole WP8.1 system for RM-976, but I need an 8 GB SD card; since I don't have one, I couldn't try.


----------



## svaethier (Sep 9, 2016)

I would help but I don't want to mess with boot options just yet.


----------



## BlueTR (Sep 9, 2016)

svaethier said:


> I would help but I don't want to mess with boot options just yet.




I want to, but I can't. I don't have a camera button, so I can't make an OS selection.


----------



## svaethier (Sep 9, 2016)

Couldn't we just make the power button do OS selection somehow?


----------



## ninjaofbacon (Sep 13, 2016)

Is there a way to use this locally, or do I need to use telnet over ssh?


----------



## yochu20 (Sep 14, 2016)

*More fun with telnet*

No, telnet runs independently of SSH. They do a very similar job of terminal emulation, but telnet is less secure. So if you were to get the telnet server running, you can probably use the same software you use for SSH and, instead of connecting on port 22, you connect on port 23 without any credentials or cert. @ninjaofbacon I am using token2shell//MD from the app store on my phone to connect to the loopback address. This way I can just use the phone. If you check my screenshot you can see I am using Continuum on the phone and token2shell. Much easier to do with a kb&m, although I still can't type. Also, a lot of programs have a loopback limitation in WP10. You'll need a copy of checknetisolation.exe from IoT and run:

CheckNetIsolation LoopbackExempt -a -n=58486choungnetworks.token2shellmd_wdbh2zj61pq3j

or, if you use a different TE app that can't connect via loopback, just change the "58486choungnetworks.token2shellmd_wdbh2zj61pq3j" part to match your app. To check which apps aren't isolated:

CheckNetIsolation LoopbackExempt -s

I have tried to make some bootloader changes and have messed up a few times with typos, so if you do decide to try anything, be ready to flash and start again. I have also been looking at the old spkgs included in the 8.1 WPBLUE kit posted elsewhere and wondered if the developermenu.efi would apply to 10 as well.

For those asking about hardware keys, they didn't work for me when I did something wrong on my 950 XL. I was able to move the cursor and delete, but no enter or esc key. There seem to be registry settings for boot keys, but I am guessing that will only be so useful without modifying the efi.

Anyone else done anything cool with this yet?


----------



## ninjaofbacon (Sep 14, 2016)

yochu20 said:


> No, telnet runs independently of SSH. They do a very similar job of terminal emulation, but telnet is less secure. So if you were to get the telnet server running, you can probably use the same software you use for SSH and, instead of connecting on port 22, you connect on port 23 without any credentials or cert. @ninjaofbacon I am using token2shell//MD from the app store on my phone to connect to the loopback address. This way I can just use the phone. If you check my screenshot you can see I am using Continuum on the phone and token2shell. Much easier to do with a kb&m, although I still can't type. Also, a lot of programs have a loopback limitation in WP10. You'll need a copy of checknetisolation.exe from IoT and run:
> 
> CheckNetIsolation LoopbackExempt -a -n=58486choungnetworks.token2shellmd_wdbh2zj61pq3j
> 
> ...




I was able to get the boot menu functional, but pressing volume up just refreshes the boot menu; I can only select different options with volume down. Luckily it wraps back to the top from the bottom. If anyone has any ideas for dual booting, I'll try it on my 1520. Also, does anyone know what disabling securebootpolicy in the BCD does?


----------



## GoodDayToDie (Sep 17, 2016)

Pretty sure the reason that BCDEDIT doesn't work if you run it from under SSH is because the SSH server drops some privileges. There are two kinds of objects on an NT security token: SIDs (security identifiers) and privileges. SIDs are the things checked by access control lists (ACLs); they identify who you are. For example, each user and service account has its own SID, each interactive session has its own SID, each sandboxed app has its own SID, and each capability (for sandboxed apps) has its own SID. There are also things called privileges, which are sort of like SIDs except they can be turned on and off, or removed entirely (but never added, or added back) on a process's token (SIDs are fixed at token creation, although there's also impersonation, which lets you pretend to use some other token).

Like SIDs, privileges are checked by the kernel; unlike SIDs, privileges are checked when you try to *do* a thing, rather than when you try to *access* a thing. The distinction is that when NT grants you *access* to something, you have that access until you give it up, and can do whatever you want within the limits of that access. For example, if you open a file for read and write, NT will check your SIDs against the file's ACL to determine whether or not you are allowed to have those kinds of access. However, assuming you do, once the access is granted the OS stops checking what you do with it. You can read the file all you want, write it all you want, no restrictions on where or how much. By comparison, privileges are checked when you do something, but do not give you any ongoing access. For example, to create a symbolic link (symlink) in the file system, NT requires that you have the SeCreateSymbolicLinkPrivilege. If you don't have it, the CreateSymbolicLink call will fail, as will trying to go deeper and call the underlying system calls directly.

The SSH server is executing in a Windows service that runs as SYSTEM. The SYSTEM (or LocalSystem) account is trusted by basically every ACL on the device and by default has every possible privilege. However, the phone allows services to specify a list of only the privileges that they need. If a service isn't going to need certain privileges, the service host process will drop those privileges before launching the service. Thus, the process that hosts the SSH server doesn't have SeTcbPrivilege (TCB stands for "Trusted Computing Base", and is basically Microsoft-ese for "can control the lowest-level parts of the OS") because nothing the SSH server is *supposed* to be used for needs it. Since editing the BCD requires SeTcbPrivilege, you can't do it from the SSH server (or any process that is directly descended from the server).

Launching a new service that has all the privileges (because it doesn't specify that it can drop any) and having that service host telnetd, and then having telnetd start cmd or powershell, and then having that shell program start bcdedit... in that case, bcdedit inherits full privileges and can do whatever.

*OBLIGATORY REMINDER: DO NOT LEAVE TELNETD OR FTPD RUNNING ON YOUR PHONE! THEY ARE NOT SECURE AND ANYBODY ON THE SAME NETWORK AS YOUR PHONE CAN COMPLETELY TAKE IT OVER IF THEY ARE RUNNING!*
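As an added illustration (not from the post above or anything in this thread), here is a small Python helper that takes the text printed by `whoami /priv` in a session and sorts the privileges a tool needs into enabled, disabled and absent. It assumes `whoami` is available in the session being examined; the sample output below is constructed for the demonstration, with the column layout of the real tool but invented rows. The point it makes is the one in the post: a disabled privilege can be switched back on by the process itself, but one that was removed from the token is gone for that process and every child it launches, so the remedy is a differently configured parent, not a flag.

```python
import re

# Constructed sample of `whoami /priv` output, as a process whose service host
# dropped SeTcbPrivilege might print it. Header layout follows the real tool;
# the rows themselves are invented for this example.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                 State
============================= =========================================== ========
SeChangeNotifyPrivilege       Bypass traverse checking                    Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links                       Disabled
SeImpersonatePrivilege        Impersonate a client after authentication   Enabled
"""

def parse_whoami_priv(text: str) -> dict:
    """Return {privilege name: state} parsed from `whoami /priv` output."""
    privs = {}
    rows_started = False
    for line in text.splitlines():
        if re.match(r"^=+(\s+=+)*\s*$", line):
            rows_started = True          # data rows follow the '=====' ruler
            continue
        if not rows_started or not line.strip():
            continue
        # Privilege names contain no spaces and the state is a single word,
        # so the first and last whitespace-separated tokens are what we need.
        parts = line.split()
        if len(parts) >= 2:
            privs[parts[0]] = parts[-1]
    return privs

def classify_required(required: list, text: str) -> dict:
    """Map each required privilege to 'enabled', 'disabled' or 'absent'.

    'disabled': still on the token; the process can re-enable it itself
                (via AdjustTokenPrivileges).
    'absent':   removed from the token; it cannot be added back, so only a
                parent created with a fuller token will help (the post's point).
    """
    present = parse_whoami_priv(text)
    result = {}
    for name in required:
        state = present.get(name)
        if state is None:
            result[name] = "absent"
        elif state.lower() == "enabled":
            result[name] = "enabled"
        else:
            result[name] = "disabled"
    return result

if __name__ == "__main__":
    needed = ["SeTcbPrivilege", "SeCreateSymbolicLinkPrivilege", "SeChangeNotifyPrivilege"]
    for priv, verdict in classify_required(needed, SAMPLE_WHOAMI_PRIV).items():
        print(f"{priv:32} {verdict}")
```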


----------



## iammomin (Sep 18, 2016)

GoodDayToDie said:


> Pretty sure the reason that BCDEDIT doesn't work if you run it from under SSH is because the SSH server drops some privileges. There are two kinds of objects on an NT security token: SIDs (security identifiers) and privileges. SIDs are the things checked by access control lists (ACLs); they identify who you are. For example, each user and service account has its own SID, each interactive session has its own SID, each sandboxed app has its own SID, and each capability (for sandboxed apps) has its own SID. There are also things called privileges, which are sort of like SIDs except they can be turned on and off, or removed entirely (but never added, or added back) on a process's token (SIDs are fixed at token creation, although there's also impersonation, which lets you pretend to use some other token).
> 
> Like SIDs, privileges are checked by the kernel; unlike SIDs, privileges are checked when you try to *do* a thing, rather than when you try to *access* a thing. The distinction is that when NT grants you *access* to something, you have that access until you give it up, and can do whatever you want within the limits of that access. For example, if you open a file for read and write, NT will check your SIDs against the file's ACL to determine whether or not you are allowed to have those kinds of access. However, assuming you do, once the access is granted the OS stops checking what you do with it. You can read the file all you want, write it all you want, no restrictions on where or how much. By comparison, privileges are checked when you do something, but do not give you any ongoing access. For example, to create a symbolic link (symlink) in the file system, NT requires that you have the SeCreateSymbolicLinkPrivilege. If you don't have it, the CreateSymbolicLink call will fail, as will trying to go deeper and call the underlying system calls directly.
> 
> ...




Is it possible to obtain SeTcbPrivilege?

Sent from my E79 using Tapatalk


----------



## yochu20 (Sep 19, 2016)

*Thanks GoodDayToDie!*

Hey, great rundown @GoodDayToDie

Good to know that NT security and DACLs still work on the same principles that the standard Windows flavors use. I am still kinda lost with the CAPs; I was unsure how they relate to NT security and ACLs, if at all. I assume that they do, since interop/CAP unlock made it possible to access parts of the phone that were previously inaccessible. I found M$'s W10M CAP listing and some potential use cases, but it still isn't totally clear to me.

I guess I should ask if phone CAPs are the same as the CAPs (Central Access Policies) used in Server. I haven't worked in an environment where Server CAPs were used, so I have some work to do understanding deployment and management if W10M uses these policies the same way. If so, PowerShell has a nice suite of commands to handle them that could be useful here.


----------



## Riyad_ (Oct 31, 2016)

I don't know what I have done wrong. Can anyone help me with this??

*Edit :: OK, done successfully. Copied bcdedit.exe from lot.*


----------

