Hurricane Electric's IPv6 Tunnel Broker Forums

 91 
 on: June 25, 2018, 05:56:47 AM 
Started by tjeske - Last post by tjeske
You can't permanently disable driver signature enforcement without any additional tools. One example seems to be "ReadyDriver". But, since Windows 10 the Windows Development Kit is not needed anymore. The necessary tool is included with PowerShell: "New-SelfSignedCertificate". See the last answer here:
https://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows

Regarding your other comments:
1) I don't know for sure. When I open the file properties for tunnel.sys (new or old) it's missing the "Digital Signatures" tab. However, I was able to extract a certificate from the file. So I think it does have one. Why it doesn't show? No clue...
2) Did you also edit nettun.inf to reflect the correct version number (i.e. 10.0.17134.1)?

But whenever I tried to edit nettun.inf it resulted in a missing certificate. I wonder what certificate checks nettun.inf integrity. Must be somewhere else, cause the .inf-file doesn't contain an embedded signature.

BTW: I haven't been able to install the 1709 version without testsigning. It still complains about missing signature of 3rd party INF. So I guess testsigning is necessary, which also means no SecureBoot.
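A read-only way to inspect the signing state discussed in this thread, as an added example that is not part of any post: `Get-AuthenticodeSignature` reports whether a file's signature is embedded in the file or comes from a catalog (.cat) file, and the boot settings show whether testsigning or nointegritychecks are set. The two file paths are the default locations named in the thread and are assumptions for your system; run it from an elevated PowerShell 5.1 or later prompt.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the system.
# Assumed default locations of the files the thread discusses; adjust as needed.
$files = @(
    "$env:windir\System32\drivers\tunnel.sys",
    "$env:windir\INF\nettun.inf"
)

$report = foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ File = $path; Status = 'Missing' }
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File          = $path
        Status        = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        SignatureType = $sig.SignatureType               # Authenticode = embedded, Catalog = via a .cat file
        IsOSBinary    = $sig.IsOSBinary
        Signer        = $sig.SignerCertificate.Subject   # empty when the file is not signed
        CertNotAfter  = $sig.SignerCertificate.NotAfter  # end of the signer certificate's validity
        SHA256        = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
$report | Format-List

# Boot options for the running OS entry. The testsigning and nointegritychecks
# lines appear only if those options have been set in the boot configuration.
$bootFlags = bcdedit /enum '{current}' |
    Select-String -Pattern 'testsigning|nointegritychecks'
if ($bootFlags) {
    $bootFlags | ForEach-Object { $_.Line.Trim() }
} else {
    'testsigning / nointegritychecks: not set'
}

# Secure Boot state. The cmdlet throws on legacy-BIOS systems or without elevation.
try {
    $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    $secureBoot = "unknown ($($_.Exception.Message))"
}
"Secure Boot enabled: $secureBoot"
```

Recording the SHA256 and signer before and after replacing a driver file gives you a baseline to compare against when a later Windows update changes it again.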

 92 
 on: June 23, 2018, 07:02:06 PM 
Started by tjeske - Last post by RDWells
I'm baffled AF on two counts:

1)  Is the v1709 version of tunnel.sys you use actually signed?  Mine, for some odd reason (even though it's from Microsoft, I think?), is not.
2)  I cannot for the life of me get v1803 tunnel.sys to work at all, even with signature enforcement turned off and right-clicking nettun.inf "install", with it saying the action was completed.  I keep getting "element not found"

I searched high and low for ways to sign an unsigned driver and most of them involve a looong process with Windows Development Kit (and one other whose name escapes me) and even then, the instructions were above my pay grade to understand.

So, it appears that even though I followed the command prompt of "bcdedit /set testsigning on" and "bcdedit.exe /set nointegritychecks on" to permanently disable signature verification, it does not "stick" and I am left with having to go with Shift+Restart>Troubleshoot >> Advanced Settings >> Windows Startup Settings >> Restart>7 Disable Signature Verification EVERY time I reboot in order for the driver tunnel.sys to remain loaded.  SecureBoot is turned off, btw.

 93 
 on: June 22, 2018, 07:34:13 AM 
Started by tjeske - Last post by tjeske
Thanks. So, I have possibly found a cleaner method. However, the embedded certificate of tunnel.sys (which weirdly is not shown when opening file properties, contrary to other .sys files!) is only valid till Aug 11th, 2018. But all other .sys files of a 1803(!) installation have the same certificate validity. So I don't know what will happen after Aug 11th, 2018. Also, I only confirmed this workaround for now on my insider preview installation running RS5 build 17692. Will report back if it also works on my main machine with 1803 final, or not.

What I have done:
  • You need the tool "RunAsTI" (short for "run as TrustedInstaller"), which is needed to edit files in C:\Windows\system32\drivers. It will open a cmd-window with TrustedInstaller privileges. Therefore, you don't need to change ownership or fiddle with any other access permissions. (It's a very useful tool for troubleshooting in general. E.g. it enables you to access ALL keys in the registry, even ones that are hidden from administrator! Unfortunately, the 32-bit version is flagged as virus/hacktool by Windows Defender.)
  • use the tool to rename the old tunnel.sys (e.g. rename to tunnel.sy_)
  • use the tool to copy the tunnel.sys from 1709 into c:\windows\system32\drivers.
  • copy the nettun.inf from 1709 somewhere (e.g. desktop, documents folder, download directory, whatever...)
  • right-click nettun.inf and click "Install".

That's it. This way it should install fine with the old certificate and you can set up the tunnel as usual. Since it's even signed by Microsoft, not only don't you need signature enforcement turned off, even testsigning mode isn't needed anymore, which further allows you to keep SecureBoot turned on.

However, I don't feel comfortable using this method, as it will suggest to Microsoft that the issue doesn't exist anymore, and it probably won't work indefinitely.

 94 
 on: June 20, 2018, 07:35:15 PM 
Started by tjeske - Last post by RDWells
Yes, I took tunnel.sys from v1709 and copied into the v1803 installation.  I tried putting the v1803 version back but I kept getting "element not found" when I ran the HE CMD script.

Registries need not be altered, and just a reminder, the nettun files go as follows:

nettun.inf - copied to these folders:  Windows\INF and Windows\WinSxS\amd64_nettun.inf_31b...(etc)
nettun.inf_loc - copied to these folders:  Windows\System32\Driver Store\en-us and Windows\WinSxS\amd64_nettun.inf.resources_31b...(etc)
amd64_nettun.inf.resources_31bf3856ad364e35_10.0.16299.15_en-us_7612c139e588cebb - copied to Windows\WinSxS\Manifests

Sadly, the driver is still showing as unsigned.  Darned if I know why, so it looks like we'll still have the unsigned driver thing to deal with upon reboot.

 95 
 on: June 20, 2018, 06:51:48 PM 
Started by tjeske - Last post by tjeske
Sorry, I didn't fully understand your answer.

So did you take the tunnel.sys from 1709 and copy it to the 1803 installation? Or did you just leave the tunnel.sys from the 1803 installation?

I just tried copying the nettun-files, but it didn't solve it for now. But I also messed up my registry during my first tries. Fortunately I am just experimenting inside a VM until I find the proper method.

 96 
 on: June 20, 2018, 04:11:01 PM 
Started by tjeske - Last post by RDWells
> That sounds interesting. And quite similar to my approach. No idea why I had no success :(
>
> Anyway, I guess with this method you have to turn driver signature enforcement off with every boot? Maybe an alternative for that would be to use a self-signed driver (i.e. to sign a driver with your own certificate, that you create somewhere somehow). Then you only need to turn "testsigning" on, which is much more secure than no signature enforcement at all.

Agreed, and as it has turned out, yes, I had to turn off driver signature enforcement with a subsequent reboot.  Grrr....

> Although I wonder what breaks the certificate of the old driver? Shouldn't it still be fine with MS old driver? Maybe if we also swap out tunnel.sys? Or does it need to be packed with the .cat-file and installed from there?

Yup, you'd think that tunnel.sys from v1709 would be fine, but noooo.... It's the one I used to replace the one in v1803.  If you find a suitable replacement and its source, I'm sure you'll let us know.  I'm thinking I can locate the v1803 version of it and replace the one from v1709.  Worth a shot, ya think?  It just might solve the driver signing issue.  No time right now to test that but I'll give it a go and see what happens.

 97 
 on: June 20, 2018, 10:57:10 AM 
Started by tjeske - Last post by tjeske
That sounds interesting. And quite similar to my approach. No idea why I had no success :(

Anyway, I guess with this method you have to turn driver signature enforcement off with every boot? Maybe an alternative for that would be to use a self-signed driver (i.e. to sign a driver with your own certificate, that you create somewhere somehow). Then you only need to turn "testsigning" on, which is much more secure than no signature enforcement at all.

Although I wonder what breaks the certificate of the old driver? Shouldn't it still be fine with MS old driver? Maybe if we also swap out tunnel.sys? Or does it need to be packed with the .cat-file and installed from there?

 98 
 on: June 16, 2018, 06:32:47 PM 
Started by tjeske - Last post by RDWells
Ladies and Gentlemen, be of good cheer!

I have found a way around the bustage and I credit TJeske for pointing me in the right direction.  I am pleased to report that as a result of what I am about to share that I have an HE tunnel that gives me 10/10 (https://test-ipv6.com) and 20/20 (http://ipv6-test.com) using the HE tunnel script for Win 10.

Here we go:

From where one can find it, obtain the .iso for v1709 and extract it to the folder of your choice.  Within it, search in Windows Explorer for nettun.inf.  You will find several files with either that name or the name within the file name:  (Caveat;  you may have to Take Ownership of the files and the folders in which they go for the copy transfer to work.)

nettun.inf - copied to these folders:  Windows\INF and Windows\WinSxS\amd64_nettun.inf_31b...(etc)
nettun.inf_loc - copied to these folders:  Windows\System32\Driver Store\en-us and Windows\WinSxS\amd64_nettun.inf.resources_31b...(etc)
amd64_nettun.inf.resources_31bf3856ad364e35_10.0.16299.15_en-us_7612c139e588cebb - copied to Windows\WinSxS\Manifests

Now, do a search for tunnel.sys.  You will find:

tunnel.sys - copied to these folders:  Windows\System32\drivers and Windows\WinSxS\amd64_microsoft-windows-tunnel_31b...(etc)
tunnel.sys.mui - copied to these folders:  Windows\System32\drivers\en-US and Windows\WinSxS\amd64_microsoft-windows-tunnel.resources_31b...(etc)

Now, run the tunnel config script from HE, check the results with ipconfig /all, and you should have your v6v4tunnel tunnel in place.

I must caution, however, that I did run into a few snags while going through all this.  You may well have the Microsoft Direct Point-to-point "Adapater" (yeah, that's what it says) but it has a yellow flag by it due to it not recognizing the driver as being digitally signed.  This is the sucky part.  Test the driver by drilling down to Windows\INF to nettun.inf, right click it, click Install and see what happens.  You might get a warning about a third-party driver signature issue in which case you'll have to do this:

Reboot by holding the Shift key while clicking Restart, choose Troubleshoot, then Advanced Options, then Startup Settings.  When the reboot comes around, you'll have a menu from which to choose.  Pick Option 7 Disable Driver Signature Enforcement and let the reboot continue to its end.  Drill back down to Windows\INF nettun.inf, right-click it, click Install, and this time you'll likely get a warning with the option to "continue anyway".  Choose that, and you're good.

If for some reason things get botched and you want to delete the "adapater", go to Device Manager, click View, show Hidden Devices, right click on the "adapater" and Uninstall.  Re-run your HE config script and THIS time things should be good to go.

Having typed all this, I have possibly left out some more caveats with all the trial-and-error I went through before I succeeded, so if there are any snags you hit along the way, I'll gladly try to walk/talk you through a solution.

Good luck, folks, and happy IPv6ing!

 99 
 on: June 15, 2018, 09:29:59 AM 
Started by BCN - Last post by broquea
It did. You should have some replies from the ticket system shortly.

 100 
 on: June 14, 2018, 10:06:18 PM 
Started by BCN - Last post by BCN
Yeah, not getting replies to the tickets. Need to ask maintainer to see what's up. Will find out later tomorrow if our server is even getting the emails from your server.

I just went old school and faxed it as well. Hopefully the old fashioned way works at least.
