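Bypassing the Win11 Hardware Requirement Checks in Seconds
Updated 2022.2.22
Recently, while browsing the web from outside the firewall, I found a script written by a foreign developer that leaves similar tools far behind. Without further ado, on to the main topic.
1. Procedure
1.1 Copy the source below and save it as a .bat file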
@(echo off% <#%) &color 07 &title Quick 11 iso esd wim TPM toggle by AveYo - with SendTo menu entry
set "0=%~f0" &set "1=%~f1"&set "2=%~2"& powershell -nop -c iex ([io.file]::ReadAllText($env:0)) &pause &exit/b ||#>)[1]
#:: what's new in v1.1: fixed relative seek, should now work on all iso's
$timer = $(get-date)
#:: Install to SendTo menu when run from another location
if (!$env:1) { write-host "`n No input iso / esd / wim file to patch! use 'Send to' context menu ...`n" -fore Yellow }
$SendTo = [Environment]::GetFolderPath('ApplicationData') + '\Microsoft\Windows\SendTo'
if (!$env:1 -and $env:0 -and $(Split-Path $env:0) -ne $SendTo) {copy $env:0 "$SendTo\Quick_11_iso_esd_wim_TPM_toggle.bat" -force}
if (!$env:1) { return }
#:: Can force either patch or undo via second commandline parameter: 1 to patch 0 to undo
if (1 -eq $env:2) {$toggle = 1} elseif (0 -eq $env:2) {$toggle = 0} else {$toggle = 2}
#:: Verify extension is .iso .esd or .wim
$input = get-item -lit $env:1; $invalid = '.iso','.esd','.wim' -notcontains $input.Extension
if ($invalid) {write-host "`n Input is not a iso / esd / wim file ...`n" -fore Yellow; return }
try {[io.file]::OpenWrite($input).close()} catch {write-host "`n ERROR! $input read-only or in use ...`n" -fore Red; return }
#:: TPM patch via InstallationType Server
$typeC = '<INSTALLATIONTYPE>Client'; $typeS = '<INSTALLATIONTYPE>Server'
$block = 1048576; $chunk = 2097152; $count = [uint64]([IO.FileInfo]$input).Length / $chunk - 1
$bytes = new-object "Byte[]" ($chunk); $begin = [uint64]0; $final = [uint64]0; $limit = [uint64]0
function tochars {return [Text.Encoding]::GetEncoding(28591).GetString([Text.Encoding]::Unicode.GetBytes($args[0]))}
$find1 = tochars "</INSTALLATIONTYPE>"; $find2 = tochars "</WIM>"; $cli = tochars $typeC; $srv = tochars $typeS
$f = new-object IO.FileStream ($input, 3, 3, 1); $p = 0; $p = $f.Seek(0, 2)
write-host "$input`nsearching $p bytes, please wait ...`n"
for ($o = 1; $o -le $count; $o++) {
$p = $f.Seek(-$chunk, 1); $r = $f.Read($bytes, 0, $chunk); if ($r -ne $chunk) {write-host invalid block $r; break}
$u = [Text.Encoding]::GetEncoding(28591).GetString($bytes); $t = $u.LastIndexOf($find1, [StringComparison]4)
if ($t -ge 0) {
$f.Seek(($t -$chunk), 1) >''
for ($o = 1; $o -le $chunk; $o++) { $f.Seek(-2, 1) >''; if ($f.ReadByte() -eq 0xfe) {$begin = $f.Position; break} }
$limit = $f.Length - $begin; if ($limit -lt $chunk) {$x = $limit} else {$x = $chunk}
$bytes = new-object "Byte[]" ($x); $r = $f.Read($bytes, 0, $x);
$u = [Text.Encoding]::GetEncoding(28591).GetString($bytes); $t = $u.IndexOf($find2, [StringComparison]4)
if ($t -ge 0) {$f.Seek(($t + 12 -$x), 1) >''; $final = $f.Position} ; break
} else { $p = $f.Seek(-$chunk, 1)}
}
if ($begin -gt 0 -and $final -gt $begin) {
$x = $final - $begin; $f.Seek(-$x, 1) >''; $bytes = new-object "Byte[]" ($x); $r = $f.Read($bytes, 0, $x)
if ($r -ne $x) {break}
$t = [Text.Encoding]::GetEncoding(28591).GetString($bytes)
if ($t.IndexOf($cli, [StringComparison]4) -ge 0) {$src = 0} else {$src = 1}
if ($src -eq 0 -and $toggle -ne 0) {$old = $cli; $new = $srv} elseif ($src -eq 1 -and $toggle -ne 1) {$old = $srv; $new = $cli}
else {write-host "`n:) $input already has TPM patch $toggle"; $f.Dispose(); return}
$t = $t.Replace($old, $new); $t; $b = [Text.Encoding]::GetEncoding(28591).GetBytes($t); $f.Seek(-$x, 1) >''; $f.Write($b, 0, $x)
if ($src -eq 1) {write-host "`n :D TPM patch removed" -fore Green} else {write-host "`n:D TPM patch added" -fore Green}
$f.Dispose(); [GC]::Collect()
} else {write-host "`n;( TPM patch failed" -fore Red; $f.Dispose()}
#:: how quick was that??
$(get-date) - $script:timer
#:: done
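Or download it here:
Quick_11_iso_esd_wim_TPM_toggle
1.2 Drag the original Win11 ISO onto the batch file above, and the modification completes instantly!
Note: the modified ISO bypasses all hardware restrictions. Better still, dragging the modified ISO onto the batch file a second time restores the ISO to its original state, with the hash of the original unchanged. The script supports not only ISO images but also install.wim and install.esd: drag either one onto the batch file and it is patched instantly.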
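As an added example (not part of the original post or of AveYo's script), the following read-only Python check hashes an image and lists every InstallationType value in its UTF-16LE WIM XML, so an administrator can tell whether media has been toggled and confirm that a restored image matches the original hash. It scans the whole file rather than only the last XML block the script patches; `constructed_sample` is a hypothetical helper that builds constructed test data, not a real WIM.

```python
import hashlib
import io
import re
import sys
from collections import Counter

# WIM XML metadata is stored as UTF-16LE; match <INSTALLATIONTYPE>value</INSTALLATIONTYPE>.
OPEN = "<INSTALLATIONTYPE>".encode("utf-16-le")
CLOSE = "</INSTALLATIONTYPE>".encode("utf-16-le")
TAG = re.compile(re.escape(OPEN) + rb"((?:[A-Za-z ]\x00){1,32})" + re.escape(CLOSE))
CHUNK = 2 * 1024 * 1024
OVERLAP = 256  # longer than the longest possible match (138 bytes)


def inspect_stream(fh):
    """Read-only pass: return (sha256 hex digest, Counter of InstallationType values)."""
    digest, found, tail = hashlib.sha256(), Counter(), b""
    while data := fh.read(CHUNK):
        digest.update(data)
        window = tail + data
        for m in TAG.finditer(window):
            # A match ending inside the carried-over tail was counted last round.
            if m.end() > len(tail):
                found[m.group(1).decode("utf-16-le")] += 1
        tail = window[-OVERLAP:]
    return digest.hexdigest(), found


def inspect_image(path):
    """Open an .iso / .wim / .esd file read-only and inspect it."""
    with open(path, "rb") as fh:
        return inspect_stream(fh)


def constructed_sample(install_type, padding=4096):
    """Constructed stand-in for an image (not a real WIM): padding + UTF-16LE XML."""
    xml = ('<WIM><IMAGE INDEX="1"><WINDOWS><INSTALLATIONTYPE>' + install_type +
           "</INSTALLATIONTYPE></WINDOWS></IMAGE></WIM>")
    return b"\x00" * padding + b"\xff\xfe" + xml.encode("utf-16-le")


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, *inspect_image(p))
    if not sys.argv[1:]:  # no file given: show the two constructed samples
        for v in ("Client", "Server"):
            print(v, *inspect_stream(io.BytesIO(constructed_sample(v))))
```

A genuine Windows Server image also reports Server, so read the result against what the media is supposed to be. Comparing the SHA-256 with the publisher's value remains the authoritative integrity check.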
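2. A minor drawback of this method
In almost every scenario, an ISO modified this way works flawlessly. However, with the consumer edition of Win11, after modification, double-clicking setup.exe to install brings up the "Enter product key" screen, and it cannot be skipped. This problem occurs only in that one scenario. In other words, if the ISO is the business edition, that is, the volume edition (VL edition), the problem does not occur. So this drawback is not a big problem.
3. Fixing the minor drawback
Technical people who work as network administrators all have some degree of obsessive habits, and once a perfectionist spots a flaw, not even a small blemish is tolerated. The fix is also very simple: just place a file named ei.cfg in the sources directory of the ISO, and the product key screen is skipped entirely.
Download link
If you would rather not download it, create a new txt document yourself, copy the content below into it, and save it as ei.cfg: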
[Channel]
_Default
[VL]
0