# Yahallo

{% hint style="info" %}
The Yahallo jailbreak is also included in the [Tegra Jailbreak USB](/windows/tools/tegra-jailbreak-usb.md)
{% endhint %}

{% hint style="danger" %}
As of August 2024, numerous antivirus vendors flag Yahallo as a threat. As a result, antivirus software may raise a threat notification when you download or extract any archive containing [Yahallo.efi](https://www.virustotal.com/gui/file/2107e65d90474fc7bfe10c4a221de8c614bbc12dfb48f8378f532ed5201dd33c).
{% endhint %}

## Requirements

* A Surface RT with UEFI v3.31.500 or a Surface 2 with UEFI v4.22.500.
* [Golden Keys / Longhorn](/windows/jailbreaks/golden-keys-longhorn.md) jailbreak applied to the target device.
* A USB drive of 1 MB or larger.

## Download

Download the Yahallo jailbreak files from the link below.

{% hint style="danger" %}
This download contains the [originally released files](https://github.com/NekomimiRouter/yahallo); an updated version of Yahallo that supports additional devices and UEFI versions is included in the [Tegra Jailbreak USB](/windows/tools/tegra-jailbreak-usb.md).
{% endhint %}

{% file src="/files/mBUhXIvomD8hPnEKfJDS" %}
Yahallo USB Files
{% endfile %}

## Extract

{% hint style="danger" %}
This will permanently delete any data stored on the USB drive.
{% endhint %}

1. Format the USB drive as FAT32.
2. Right click on the downloaded file and select "Extract All..."
3. Select the USB drive as the destination for the extracted files.
4. Click "Extract".

![Selecting and formatting USB drive](/files/u08NcfwzGHKVttKMPasV)

![Extracting Zip file to USB drive](/files/rle0FkoEOx7ZlRIRiEzH)

![Expected contents of USB drive after extraction](/files/9HAjcI5JnDDETfOO4j9b)

## Apply Yahallo Jailbreak

{% hint style="danger" %}
The use of this Jailbreak is entirely at your own risk.
{% endhint %}

1. With the target device powered off, insert the jailbreak USB drive into the device's USB port.
2. Hold the Volume Down button and press the Power button.
3. Once the Surface logo appears, release the Volume Down button.
4. Wait for confirmation and reboot the device when prompted.
5. Assuming no errors have occurred, Secure Boot is now disabled on your device. This can be verified by running `msinfo32.exe` once booted into Windows and checking that the "Secure Boot State" field reads "Off".

![msinfo32.exe showing Secure Boot is disabled](/files/QMvTkfksqT2qINwkIom5)

## Troubleshooting

### Digital Signature Error

If Status Code 0xc0000428 (Windows cannot verify the digital signature for this file.) is displayed, the device's Secure Boot key store still rejects the Yahallo image. Apply the [Golden Keys / Longhorn](/windows/jailbreaks/golden-keys-longhorn.md) jailbreak and try again.

### Unsupported UEFI

Attempting to run Yahallo on a device with an unsupported UEFI results in an error message when Yahallo boots. Make sure the UEFI is one of the versions listed under Requirements (update it if necessary) and try again.

To verify the currently installed UEFI version run `msinfo32.exe` and look at the "BIOS Version/Date" field.

![msinfo32.exe showing BIOS Version/Date on Surface 2](/files/Q5Qk7ZxOYoOuFYkvVA2q)
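Both `msinfo32.exe` checks referenced on this page, the "Secure Boot State" field in step 5 of Apply Yahallo Jailbreak and the "BIOS Version/Date" field above, can also be read from an elevated PowerShell prompt on the device itself. The script below is an added example and is not part of this guide or the Yahallo project. It assumes that msinfo32's Secure Boot State field is backed by the `UEFISecureBootEnabled` registry value under `HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State`, that the BIOS Version/Date field comes from `Win32_BIOS.SMBIOSBIOSVersion`, and it compares the firmware version only against the two versions listed under Requirements (the updated Yahallo in the Tegra Jailbreak USB supports more).

```powershell
# Added example, not from the Yahallo project or this guide: reproduce the two
# msinfo32 fields the guide refers to ("Secure Boot State" and "BIOS Version/Date")
# and compare the firmware version against the versions in the Requirements section.
# Assumptions: the registry value below is what msinfo32 reads, and
# Win32_BIOS.SMBIOSBIOSVersion carries the UEFI version string.

# UEFI versions this Yahallo release supports, per the Requirements section.
$SupportedUefi = @{
    '3.31.500' = 'Surface RT'
    '4.22.500' = 'Surface 2'
}

function Get-SecureBootState {
    # msinfo32's "Secure Boot State" is backed by this DWORD: 1 = On, 0 = Off.
    # The key is absent on legacy-BIOS systems, which msinfo32 reports as "Unsupported".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    if (-not (Test-Path $key)) { return 'Unsupported' }
    $value = (Get-ItemProperty -Path $key -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue).UEFISecureBootEnabled
    if ($value -eq 1) { return 'On' }
    if ($value -eq 0) { return 'Off' }
    return 'Unsupported'
}

function Get-UefiVersion {
    # Same source as msinfo32's "BIOS Version/Date" field; keep only the x.y.z part.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    if ($bios.SMBIOSBIOSVersion -match '\d+\.\d+\.\d+') { return $Matches[0] }
    return $bios.SMBIOSBIOSVersion
}

$uefi  = Get-UefiVersion
$state = Get-SecureBootState

if ($null -ne $SupportedUefi[$uefi]) {
    "UEFI $uefi ($($SupportedUefi[$uefi])): supported by this Yahallo release"
} else {
    "UEFI $uefi: not a version this Yahallo release supports; see Unsupported UEFI above"
}

switch ($state) {
    'Off'   { "Secure Boot State: Off (Yahallo has taken effect)" }
    'On'    { "Secure Boot State: On (Yahallo has not taken effect yet)" }
    default { "Secure Boot State: $state" }
}
```

Windows RT runs PowerShell in ConstrainedLanguage mode; the script uses only cmdlets, operators and hashtable indexing, which that mode permits. Run it before applying Yahallo to confirm the firmware version, and again afterwards to confirm the state reads Off.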

### USB Boot Failed

If the USB drive does not boot on the target device try the following steps:

1. Follow the instructions on the [Format USB Drive](/windows/miscellaneous/format-usb-drive.md) page.
2. [Extract](#extract) again starting at Step 2.

## Release Notes

#### Yahallo: Tegra 3 and Tegra 4 TrustZone UEFI variable services handler exploit and Secure Boot unlock tool

This tool exploits NVIDIA Tegra 3/Tegra 4 UEFI variable services and implements TrustZone takeover. In this way, users can permanently turn off Secure Boot on Tegra-based Windows RT devices without the assistance of external devices (e.g. RCM mode).

This documentation is intentionally drafted in a professional way to discourage average device owners from messing up the system firmware.

**Disclaimer**: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. By using this tool, you acknowledge that you are intentionally turning off the device's ~~security features~~. The author is not liable for any consequence, for instance, confidential data loss due to fTPM lockout, or warranty void.

#### Issue Disclosure

* 2020/08: Discovery, initial prototype
* 2020/09/22: Reported to MSRC (MSRC 61209)
* 2020/10/07: MSRC confirmed wontfix since Surface RT and Surface 2 hardware are EOL

> Unfortunately, you are correct - support for these versions of the Surface has ended, and no additional security updates will be offered. We appreciate the opportunity to review your research... - MSRC

* 2020/10/19: Reported to NVIDIA PSIRT (3156921)
* 2020/10/23: NVIDIA confirmed new Tegra SoC UEFI implementations don't reuse the old TZ code, old SoC are EOL and they think MS16-100 and MS16-140 fully addressed the prerequisite (but you can always install a BMR image and reset it...), wontfix

> The development team has evaluated this report. The UEFI variable store for current versions of Tegra has changed - the UEFI variable store for Orin/Hopper is not what was used in TZ in previous targets and they do not believe it is affected by this issue.
>
> Also, MS16-100 and MS16-140 appear to be both changes in MS code not system firmware, biggest potential piece would be for the bad images to be rejected from the UEFI secure boot. Likely, MS updated the main dbx file hosted here: <https://uefi.org/revocationlistfile> as that is the normal way for security issues to be handled in UEFI. - NVIDIA PSIRT

#### Usage

* Install Secure Boot Golden Key Exploit first. If the device installed WU updates after Nov 2016, install the BMR to reset Secure Boot Key Storage.
* Run this tool as Windows Boot Manager Boot Application.

#### Buildout

I've migrated the build system from Visual Studio (uefi-simple) to EDK2. To build it:

* Place this repo under the EDK2 tree, such as `YahalloPkg`
* Apply the EDK2 build system patch. See `Edk2Patches` folder for details.
* `build -a ARM -p YahalloPkg/YahalloPkg.dsc -t GCC5`

Launch this image as a Windows Boot Manager OS entry, with `nointegritychecks` on and `testsigning` on.
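The guide above boots Yahallo from a USB drive; the README's own route, in Usage and here, is to register the built image as a Windows Boot Manager boot application with `nointegritychecks` and `testsigning` on. The PowerShell script below is an added example of that BCD registration and is not part of the Yahallo project. It assumes an elevated prompt on the target device, that `bcdedit` prints its messages in English, that the image has been copied to a placeholder location `X:\Yahallo.efi` on a volume bootmgr can read (adjust `-Drive` and `-EfiPath`), and that the Golden Keys jailbreak is already applied, since otherwise the 0xc0000428 signature error from Troubleshooting is what you will get.

```powershell
# Added example, not from the Yahallo project: register Yahallo as a BCD boot
# application with the two settings the README requires (nointegritychecks,
# testsigning) and queue it to run once on the next reboot.
# Assumptions (placeholders, not stated on the page): the image lives at
# X:\Yahallo.efi; bcdedit output is English; the prompt is elevated.
param(
    [string]$Drive   = 'X:',           # placeholder: volume holding the image
    [string]$EfiPath = '\Yahallo.efi'  # placeholder: path of the image on that volume
)

# 1. Create a BOOTAPP entry and capture the GUID bcdedit assigns to it.
$created = & bcdedit /create /d 'Yahallo' /application BOOTAPP 2>&1
if ($LASTEXITCODE -ne 0 -or -not ("$created" -match '\{[0-9a-fA-F-]+\}')) {
    throw "bcdedit /create failed: $created"
}
$id = $Matches[0]   # e.g. {3e2d…} as printed by bcdedit

# 2. Point the entry at the image. The GUID is quoted so PowerShell does not
#    parse {guid} as a script block.
& bcdedit /set "$id" device "partition=$Drive"
& bcdedit /set "$id" path $EfiPath

# 3. Boot application settings from the README: skip image integrity checks and
#    accept test-signed images. These apply to this entry only, not to Windows.
& bcdedit /set "$id" nointegritychecks on
& bcdedit /set "$id" testsigning on

# 4. Run the entry once on the next boot without touching the permanent display order.
& bcdedit /bootsequence "$id"

# Show the finished entry and how to clean it up afterwards.
& bcdedit /enum "$id"
"Registered Yahallo as $id; reboot to run it. Remove afterwards with: bcdedit /delete $id"
```

Using `/bootsequence` rather than `/displayorder` means the entry runs only on the next boot, so a failed attempt does not leave the device looping into Yahallo; delete the entry once Secure Boot reports Off.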

#### About Project Naming

"Yahallo" by Yui Yuigahama From [Oregairu](https://www.youtube.com/watch?v=Nhr5vrjHcIM). *No objections will be acknowledged.*

#### License

Copyright (c) 2019 - 2020, Bingxing Wang and other project authors. All rights reserved.

This tool is released under GPLv2.

