03-19-2016, 11:14 PM | #1 |
Connoisseur
Posts: 55
Karma: 8430
Join Date: Mar 2016
Device: PW3, Clara HD, PB740
|
Windows 10 signed RNDIS driver for USBNetwork
【Prerequisites】
【Situation】
On Windows 10, when a jailbroken Kindle with USBNet enabled is plugged in via USB, it will appear as a "Serial USB device (COM3)" in Device Manager. If Windows 10 already recognized your Kindle device as an extra network card, you do not need this driver package :3
【TL;DR】
* You should not run random batch files from untrusted parties usually
【Result】
You should see a new network card Kindle USB RNDIS Device (USBNetwork enabled) in "Network and Sharing Center" > Change adapter settings. Assign a static IP such as 192.168.15.1 and you can ping the device (ping 192.168.15.244).
Note: please +Karma if you found this post useful!
Last edited by Marco77; 03-20-2016 at 08:11 AM. |
03-19-2016, 11:15 PM | #2 | |||
Connoisseur
Posts: 55
Karma: 8430
Join Date: Mar 2016
Device: PW3, Clara HD, PB740
|
(The following is a technical explanation; left for informative / educational purposes)
【Original issue】
On Windows 10 specifically (version 1511 / TH2 as of this writing), the OS recognizes the Kindle with USBNetwork (Linux USB Gadget productId 0x0525, vendorId 0xA4A2) as a "Serial USB device" instead of a "Linux-USB Ethernet/RNDIS Gadget" (or an unknown device which would require drivers).
See: http://answers.microsoft.com/en-us/w...5590447?auth=1
Quote:
Anyway, as a consequence, if you try to update its drivers, Windows will only show compatible drivers, i.e. serial port drivers.
【Rationale】
The solution is to provide a driver that will specifically handle USB\PID_0525&VID_A4A2. It is just a dummy driver that will tell the OS our "Linux USB Gadget" should be handled as a remote NDIS device. Windows has been shipping with the RNDIS driver bundled in for quite some time now, so it's basically a matter of a simple declaration.
However, starting with Vista (EDIT: probably Windows 8 as mentioned below), Windows has been enforcing a mandatory signing requirement for 64-bit drivers. What it means is, every part of the driver bundle must be hashed and referenced in a catalog file (*.cat); this catalog itself is cryptographically signed to ensure authenticity and integrity. For WHQL drivers, Microsoft is the one who signs the catalog (after a bunch of tests).
You can see installed drivers by running "pnputil -e". Most of them should be signed by "Microsoft Windows Hardware Compatibility Publisher". If you open the Computer Certificate Store (Run: certlm.msc) and browse to "Trusted Publisher", you may see others, depending on your PC brand.
The idea is to generate a Code-Signing Keypair (Private-Key + Certificate), which will be "self-signed" (issuer == subject). The idea came to me because I use custom drivers signed by Fernando's WinRAID certificate authority. As stated on their thread:
Quote:
In our specific case, the "driver" is merely an .inf file. What it basically says is, "hey, treat this Kindle as a RNDIS device (a USB/Ethernet adapter); drivers are already in Windows (and signed) so you don't need to copy anything."
【Generating the Code-Signing Keypair】
We will now create a keypair. Usually, you would use an offline machine to do that, because you don't want people to obtain your private key and distribute malware while impersonating you or your company. (Recent example: Sony)
Requirements are the driver package in the first post, and the Enterprise WDK from Microsoft. You can download it at https://msdn.microsoft.com/en-us/win...enterprise-wdk after accepting the EULA. After obtaining the kit, extract it to C:\EWDK. We actually only need a very very small subset of the kit, in C:\EWDK\Program Files\Windows Kits\10\bin\x86 (~50 MiB out of 1.5 GiB); maybe we could fetch only the relevant parts of the ZIP remotely like some do at reboot.pro/ but it is out of scope of this tutorial.
Open "1-create_CA.cmd" in a text editor.
Code:
rem -r: self-signed; -pe: private key exportable; -n: subject name; -ss/-sr: certificate store and its location
rem -a: signature hash; -cy end: end-entity certificate; -sky signature: signing key; -sv: private key file
rem -eku 1.3.6.1.5.5.7.3.3: Code Signing usage; -len: key length in bits; last argument: output certificate
"C:\EWDK\Program Files\Windows Kits\10\bin\x86\makecert.exe" ^
  -r -pe -n "CN=MobileRead-CodeSigning-CA,O=MobileRead Forums,OU=Marco77" -ss My -sr CurrentUser ^
  -a sha256 -cy end -sky signature -sv MobileRead-CodeSigning-CA.pvk -eku 1.3.6.1.5.5.7.3.3 -len 2048 ^
  MobileRead-CodeSigning-CA.cer
It will generate the Code-Signing Keypair (prompting you for a passphrase multiple times) and store the public part (certificate) in your personal store. Let's run down the options here:
Viva StackOverflow! http://stackoverflow.com/questions/8...ing-on-windows
After executing, if you open your personal store (Run: certmgr.msc), you will see your certificate, and in the folder, the (pvk, cer) keypair files.
Next, open the second batch "2-make_pfx.cmd"
Code:
rem Combine the private key (.pvk) and the certificate (.cer) into one .pfx file; -f overwrites an existing .pfx
"C:\EWDK\Program Files\Windows Kits\10\bin\x86\pvk2pfx.exe" ^
  -pvk MobileRead-CodeSigning-CA.pvk -spc MobileRead-CodeSigning-CA.cer ^
  -f -pfx MobileRead-CodeSigning-CA.pfx
【Signing the Driver】
It's a two-stage operation: enumerate files into a catalog (*.cat), then sign the catalog. Step 3, "3-build_cat.cmd", will inspect the INF file and produce a catalog of signed files.
Code:
rem /driver:. = driver package in the current directory; /os:8_X64 = target OS; /v = verbose output
"C:\EWDK\Program Files\Windows Kits\10\bin\x86\Inf2Cat.exe" /driver:. /os:8_X64 /v
Inf2cat is a new command in Enterprise WDK; maybe WDK8's makecat.exe works too.
On to step 4, "4-sign_cat.cmd":
Code:
rem /f: signing .pfx; /fd: file digest algorithm; /tr: RFC 3161 timestamp server; /td: timestamp digest algorithm
"C:\EWDK\Program Files\Windows Kits\10\bin\x86\signtool.exe" sign /v ^
  /f MobileRead-CodeSigning-CA.pfx ^
  /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 ^
  kindle_rndisamd64.cat
An alternative to Comodo timestamping (untested):
Quote:
【Register the code-signing public certificate】
The last step is registering the code-signer as a trusted party. The batch needs to be run as admin because it modifies the Computer certificate store.
Code:
::run as admin
cd /d %~dp0
call %SYSTEMROOT%\System32\certutil.exe -f -addstore "Root" MobileRead-CodeSigning-CA.cer
call %SYSTEMROOT%\System32\certutil.exe -f -addstore "TrustedPublisher" MobileRead-CodeSigning-CA.cer
pause
【Bonus: verify cat on the commandline】
"C:\EWDK\Program Files\Windows Kits\10\bin\x86\signtool.exe" verify /v /pa kindle_rndisamd64.cat
Verifying: kindle_rndisamd64.cat
Signature Index: 0 (Primary Signature)
Hash of file (sha256): A00949E21571B0998155AAE120B6C03F0113334D490E8E1CC37EB2BC09D985C2
Signing Certificate Chain:
    Issued to: MobileRead-CodeSigning-CA
    Issued by: MobileRead-CodeSigning-CA
    Expires: Sun Jan 01 00:59:59 2040
    SHA1 hash: 58E285D47509E810DCCFA865A8F6D99B8A297FA5
The signature is timestamped: Sun Mar 20 12:38:06 2016
Timestamp Verified by:
    Issued to: UTN-USERFirst-Object
    Issued by: UTN-USERFirst-Object
    Expires: Tue Jul 09 19:40:36 2019
    SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
        Issued to: COMODO SHA-256 Time Stamping Signer
        Issued by: UTN-USERFirst-Object
        Expires: Tue Jul 09 19:40:36 2019
        SHA1 hash: 36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
Successfully verified: kindle_rndisamd64.cat
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Last edited by Marco77; 03-20-2016 at 11:11 AM. |
03-20-2016, 12:00 AM | #3 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
What is the point?
That is the normal operation for the device.
= = = = = =
And why in the world would you distribute your private key? Even in Windows, of a Public-Private key-pair, the Private key is kept, well, private. Now anyone in the world can use your private key to sign a Windows driver, claiming to be yourself.
I think you should pull that archive and re-think (or read the directions) on what its contents should be. That re-think should include posting a CRL for the (just) compromised key-pair and using a new key-pair to sign the next driver (and then only distribute the public key required to verify the signing of the driver).
Last edited by knc1; 03-20-2016 at 12:19 AM. |
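A pre-publication check for the problem raised in this post, as an added example that is not part of the thread: it scans a release zip for private-key material (PVK magic bytes, PKCS#12 structure, PEM blocks, key file extensions). The sample archive is constructed; its file names follow the batch files in post #2 (`kindle_rndis.inf` is an assumed name) and its contents are placeholder bytes.

```python
import io
import zipfile

KEY_EXTENSIONS = (".pvk", ".pfx", ".p12", ".key")
PVK_MAGIC = bytes.fromhex("1ef1b5b0")  # 0xB0B5F11E little-endian: start of a .pvk file
PEM_MARKER = b"PRIVATE KEY-----"        # plain, RSA and encrypted PEM headers


def looks_like_pkcs12(head):
    """DER/BER PKCS#12 (.pfx): outer SEQUENCE whose first element is INTEGER 3."""
    if len(head) < 2 or head[0] != 0x30:
        return False
    # Skip the length field: one byte, or 0x8n followed by n length bytes.
    offset = 2 + (head[1] & 0x7F if head[1] & 0x80 else 0)
    return head[offset:offset + 3] == b"\x02\x01\x03"


def find_private_keys(zip_bytes):
    """Return (member, reason) for each archive member that carries private-key material."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            data = archive.read(info)
            if data.startswith(PVK_MAGIC):
                findings.append((info.filename, "PVK magic bytes"))
            elif looks_like_pkcs12(data[:16]):
                findings.append((info.filename, "PKCS#12 container"))
            elif PEM_MARKER in data:
                findings.append((info.filename, "PEM private key"))
            elif info.filename.lower().endswith(KEY_EXTENSIONS):
                findings.append((info.filename, "key file extension"))
    return findings


def build_sample(with_keys):
    """Constructed archive: file names from post #2, contents are placeholder bytes."""
    members = {
        "kindle_rndis.inf": b"[Version]\r\n",
        "kindle_rndisamd64.cat": b"\x30\x82\x10\x00\x06\x09",          # PKCS#7: SEQUENCE, OID
        "MobileRead-CodeSigning-CA.cer": b"\x30\x82\x03\x00\x30\x82",  # cert: SEQUENCE, SEQUENCE
    }
    if with_keys:
        members["MobileRead-CodeSigning-CA.pvk"] = PVK_MAGIC + bytes(20)
        members["MobileRead-CodeSigning-CA.pfx"] = b"\x30\x82\x0a\x00\x02\x01\x03\x30"
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buffer.getvalue()
```

Only the .cer and the signed .cat/.inf need to ship; a non-empty result from `find_private_keys` should block the upload.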
03-20-2016, 07:52 AM | #4 | |
Connoisseur
Posts: 55
Karma: 8430
Join Date: Mar 2016
Device: PW3, Clara HD, PB740
|
Thanks for the feedback @knc1,
I have pulled the zip archive and published a second version of the package. To me it's not as huge an issue as stated because the private key is passphrased with a long enough password, but I understand what you mean and generated a fresh set of keys to sign the driver and did not distribute the private key this time.
As for it being the normal procedure, that's what I thought before I actually tried; I previously "forced" the RNDIS driver for a tethered Android phone in Windows 7 and it worked. However, I don't know if you have a W10 system lying around to test, but if I want to change the driver for this #!@*@ COM port device, unticking the "Show compatible hardware" checkbox won't let me select the RNDIS built-in driver. It's possible Windows enacts some kind of enforcement and won't allow setting the driver for some unknown VID/PID couple. If you can provide some insight here, I'd gladly take it.
EDIT: the problem is mentioned at the MS forums. Apparently dlech on Sept 1, 2015 nails it:
Quote:
Last edited by Marco77; 03-20-2016 at 08:05 AM. |
|
03-20-2016, 08:22 AM | #5 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
OK - I understand now (I think).
The first archive you posted had the complete set of everything you used to create the signed driver (other than the driver's source code). That looked to me as if it was your personal, backup, archive of your work. Not the 'end user' archive you intended to publish.
Yes - people here have mentioned that Win10 is more than a bit funky about that driver. The rndis protocol is used by many, many devices, not just Kindles, so I would expect that you would post your driver somewhere that Win10 users would find it, rather than only Win10 users of Kindles.
Note: We discourage the posting of closed source software at this site. If you can give a link to your modified source code for the driver, that would be great. But in this case, we will not ask that you be banned, just because of the funky terms of some Windows Driver License. But if the driver code is your own work (or you have a license to publish it) - then please give us a link to the public repository of your code (including its Open Source license). You should understand that we get enough closed source code here from Amazon. |
03-20-2016, 08:28 AM | #6 |
Connoisseur
Posts: 55
Karma: 8430
Join Date: Mar 2016
Device: PW3, Clara HD, PB740
|
There is no source besides the INF. You may have noticed that it ships with no *.sys device driver. The reason is simple, the file says "okay, I handle devices matching 'VID_0525&PID_A4A2', for this use the system-bundled netrndis.inf / Usb_Rndis.ndi sections."
On the contrary, all steps are outlined and you can generate your own signed "driver" using the posted batch files. The idea is not mine; I thought about it because I already use WinRAID-CA signed Intel drivers. (it's better than disabling driver signature enforcement system-wide)
EDIT: apparently there is a template for that, see https://msdn.microsoft.com/en-us/lib...s_7_and_later_ I don't know what the benefits are for 6.0 drivers vs. 5.1, though.
Last edited by Marco77; 03-20-2016 at 08:33 AM. |
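One way to check the claim in this post before trusting such a package, as an added example that is not part of the thread or of the posted package: a small INF audit that reports the hardware IDs claimed, the INFs included, and any directive that would install files of its own. The sample INF is constructed from the post's description; section names such as `RNDIS.NT.5.1` and `RndisDevices` are assumptions.

```python
import re

INBOX_INFS = {"netrndis.inf"}  # in-box INF the post says the package defers to
# Directives and sections that would make the package ship files of its own.
PAYLOAD_KEYS = {"copyfiles", "servicebinary"}
PAYLOAD_SECTIONS = {"sourcedisksfiles", "sourcedisksnames"}
HWID = re.compile(r"USB\\VID_[0-9A-F]{4}&PID_[0-9A-F]{4}", re.I)

# Constructed sample modelled on the post's description, not the posted kindle_rndis.inf.
SAMPLE_INF = r"""
[Version]
Signature   = "$Windows NT$"
Class       = Net
CatalogFile = kindle_rndisamd64.cat
[Manufacturer]
%Provider% = RndisDevices,NTamd64
[RndisDevices.NTamd64]
%DeviceName% = RNDIS.NT.5.1, USB\VID_0525&PID_A4A2   ; hardware ID from the post
[RNDIS.NT.5.1]
include = netrndis.inf
needs   = Usb_Rndis.ndi
"""


def parse_inf(text):
    """Yield (section, key, value) per 'key = value' line; ';' starts a comment."""
    section = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            yield section, key.lower(), value


def audit_inf(text):
    """Return (hardware IDs claimed, INFs included, reasons it is not declaration-only)."""
    hwids, includes, problems = set(), set(), []
    for section, key, value in parse_inf(text):
        hwids.update(match.upper() for match in HWID.findall(value))
        if key in PAYLOAD_KEYS:
            problems.append(f"[{section}] {key} = {value}")
        elif section.split(".")[0] in PAYLOAD_SECTIONS:
            problems.append(f"[{section}] lists {key}")
        elif key == "include":
            includes.update(name.strip().lower() for name in value.split(","))
    problems += [f"includes {name}, not an in-box INF" for name in sorted(includes - INBOX_INFS)]
    return sorted(hwids), sorted(includes), problems
```

An empty problem list means the INF only binds the listed hardware ID to sections of the in-box INF; the catalog signature still has to be verified separately with signtool.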
03-20-2016, 08:34 AM | #7 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Sorry, I stopped following Windows internals somewhere between Win-2 and Win-95.
|
03-20-2016, 10:22 AM | #8 | |
Guru
Posts: 972
Karma: 10500010
Join Date: Feb 2010
Location: Serbia
Device: Kindle PW5, Kobo Libra 2, Kindle PW1
|
Quote:
I've found the link for downloading that driver/inf file somewhere here on MobileRead ... I think that the wiki section used to have the link for downloading the Windows driver, but now it's not there anymore. |
|
03-20-2016, 11:04 AM | #9 |
Connoisseur
Posts: 55
Karma: 8430
Join Date: Mar 2016
Device: PW3, Clara HD, PB740
|
I'm not a specialist, but according to http://www.davidegrayson.com/signing/#dp_win8 it should be enforced starting from Win8 and not since Vista. Maybe it was disabled on your computer at some point? I remember when my laptop was on Win8 it would not accept modified INFs for my tethered phone (fortunately, the manufacturer -Intel- released signed ones later).
|
03-20-2016, 11:49 AM | #10 |
Guru
Posts: 972
Karma: 10500010
Join Date: Feb 2010
Location: Serbia
Device: Kindle PW5, Kobo Libra 2, Kindle PW1
|
Well I didn't disable it and I'm the one who did Windows installation and the only person using this PC.
I do remember running a Command Prompt command to enable display of "non present devices" in Device Manager, to be able to delete drivers & devices after I've changed motherboard and CPU. So as to not have to reinstall Windows. I do have UAC turned off... no idea if that has something to do with this driver(s) thing. I wouldn't expect turning UAC off to "disable" all metro/modern apps but it did it, so... who knows with Microsoft.
I already have another Windows 8.1 x64 copy running inside VMware so maybe I will try installing the RNDIS driver on it to refresh my memory.
edit: I do get that error window if I just try "right click>install":
On my PC that already has a working USBNetwork setup.
Last edited by shamanNS; 03-20-2016 at 12:03 PM. |
09-17-2016, 08:49 AM | #11 |
Wizard
Posts: 3,489
Karma: 2914715
Join Date: Jun 2012
Device: kobo touch
|
With the help of kindle_rndis.inf_amd64-v1.0.0.1.zip I was able to connect to my ereaders (Kobos) via usbNet. Yesterday my pc updated to Windows Version 10.0.14393. After that the ability to use usbnet was lost; the Kindle USB RNDIS Device was gone from the adapter list (Network and Sharing Center > Change adapter settings). I did not know exactly what to do. I ran 5-runasadmin_register-CA-cer.cmd anew, tried to update the driver in the device manager; removed/uninstalled the device in the device manager, repeated those steps several times ... I cannot get it to work. Evidently, I am doing something wrong. I would appreciate any advice.
|
09-17-2016, 09:25 AM | #12 |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
I read that you tried removing/de-installing the device -
Have you tried removing/de-installing the custom driver (the info file)? Perhaps your recent update included a change to the MS included driver that creates a conflict.
Hmm... Does your version of Windows still keep a detailed log of all changes made by an update of the system? If so, perhaps there is something helpful in the list of things the update touched.
Does your version of Windows still set a 'restore point' just prior to beginning any update changes? If so, perhaps rolling back the system to that restore point would get you back to the behavior prior to Windows self-destructing.
Or perhaps you just need to update the OS information in the signed driver - See second post of this thread, step 3.
Consider what I suggest very carefully before doing anything, my Windows experience is very, very old.
Last edited by knc1; 09-17-2016 at 09:39 AM. |
09-17-2016, 09:40 AM | #13 | |
Wizard
Posts: 3,489
Karma: 2914715
Join Date: Jun 2012
Device: kobo touch
|
Quote:
|
|
09-17-2016, 09:45 AM | #14 | |
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
|
Quote:
That is what MS would do in that situation.
- - - - -
Seriously, thanks for the update, it tells people it is possible to make it work. Hopefully the next person to get it working will have kept notes. |
|
09-19-2016, 11:15 AM | #15 |
Enthusiast
Posts: 42
Karma: 20
Join Date: Aug 2015
Device: kindle pw4
|
Using Windows 10 on a new computer with version 1607 Anniversary Update there's a known bug that causes Windows 10 to crash, but that has been fixed at the beginning of Sept 2016. Now Kindle is detected and ;un works fine, at least on my computer with a pw3. I'm using Microsoft Windows 10 Pro - OS Version: 10.0.14393 N/A Build 14393
No need to install additional drivers. It just works fine. |