Finish README

This commit is contained in:
opa334 2022-09-13 18:47:05 +02:00
parent 1be6e8efe3
commit fc5508e0f7
1 changed files with 96 additions and 1 deletions

View File

@ -2,6 +2,8 @@
TrollStore in a permasigned jailed app that can permanently install any IPA you open in it. TrollStore in a permasigned jailed app that can permanently install any IPA you open in it.
## NOTE: TrollStore will NEVER work on anything higher than iOS 15.5 beta 4 (No not on 15.5 full, not on 15.6 and certainly not on iOS 16.x), please stop asking!
## Installation Methods ## Installation Methods
| Version / Device | A8 | A9 | A10 | A11 | A12 | A13 | A14 | A15 | | Version / Device | A8 | A9 | A10 | A11 | A12 | A13 | A14 | A15 |
@ -35,4 +37,97 @@ TrollStore in a permasigned jailed app that can permanently install any IPA you
| iOS 15.4.1 | [SSH Ramdisk](./install_with_sshrd.md) | [SSH Ramdisk](./install_with_sshrd.md) | [SSH Ramdisk](./install_with_sshrd.md) | [SSH Ramdisk](./install_with_sshrd.md) | None | None | None | None | | iOS 15.4.1 | [SSH Ramdisk](./install_with_sshrd.md) | [SSH Ramdisk](./install_with_sshrd.md) | [SSH Ramdisk](./install_with_sshrd.md) | [SSH Ramdisk](./install_with_sshrd.md) | None | None | None | None |
| iOS 15.5 Beta 1 - Beta 4 | [SSH Ramdisk](./install_with_sshrd.md) | [SSH Ramdisk](./install_with_sshrd.md) | [SSH Ramdisk](./install_with_sshrd.md) | [SSH Ramdisk](./install_with_sshrd.md) | None | None | None | None | | iOS 15.5 Beta 1 - Beta 4 | [SSH Ramdisk](./install_with_sshrd.md) | [SSH Ramdisk](./install_with_sshrd.md) | [SSH Ramdisk](./install_with_sshrd.md) | [SSH Ramdisk](./install_with_sshrd.md) | None | None | None | None |
NOTE: Only versions between iOS 14.0 - 15.5b4 are supported by TrollStore, TrollStore will never work on versions outside of that range. NOTE: Only versions between iOS 14.0 - 15.5b4 are supported by TrollStore, TrollStore will never work on versions outside of that range.
# Updating TrollStore
After having installed TrollStore, you can update it to newer versions by opening the .tar file in releases in TrollStore. It will install the update and respring afterwards.
# Persistence Helper
The CoreTrust bug used in TrollStore is only enough to install "System" apps, this is because FrontBoard has an additional security check (it calls libmis) every time before a user app is launched. Unfortunately it is not possible to install new "System" apps that stay through an icon cache reload. Therefore when iOS reloads the icon cache, all TrollStore installed apps including TrollStore itself will revert back to "User" state and will no longer launch.
The only way to work around this is to install a persistence helper into a system app, this helper can then be used to reregister TrollStore and it's installed apps as "System" so they become launchable again, an option for this is available in TrollStore settings.
On jailbroken iOS 14 when TrollHelper is used for installation, it is located in /Applications and will persist as a "System" app through icon cache reloads, therefore TrollHelper is used as the persistence helper on iOS 14.
# Features
The binaries inside an IPA can have arbitary entitlements, fakesign them with ldid and the entitlements you want (`ldid -S<path/to/entitlements.plist> <path/to/binary>`) and TrollStore will preverse the entitlements when resigning them with the fake root cert on installation. This gives you a lot of possibilities, some of which are explained below.
## Banned entitlements
iOS 15 has banned the following three entitlements related to running unsigned code, these are impossible to get without a PPL or PAC bypass, apps signed with them will crash on launch.
`com.apple.private.cs.debugger`
`dynamic-codesigning`
`com.apple.private.skip-library-validation`
## Unsandboxing
Your app can run unsandboxed using one of the following entitlements:
```
<key>com.apple.private.security.container-required</key>
<false/>
```
```
<key>com.apple.private.security.no-container</key>
<true/>
```
```
<key>com.apple.private.security.no-sandbox</key>
<true/>
```
The third one is recommended if you still want a sandbox container for your application.
You might also need the platform-application entitlement in order for these to work propery:
```
<key>platform-application</key>
<true/>
```
Please note that the platform-application entitlement causes side effects such as some parts of the sandbox becoming tighter, so you may need additional private entitlements to circumvent that. (For example afterwards you need an exception entitlement for every single IOKit user client class you want to access).
## Root Helpers
When your app is not sandboxed, you can spawn other binaries using posix_spawn, you can also spawn binaries as root with the following entitlement:
```
<key>com.apple.private.persona-mgmt</key>
<true/>
```
Because a root binary needs special permissions, you need to specifiy all your root binaries in the Info.plist of your application like so:
```
<key>TSRootBinaries</key>
<array>
<string>roothelper1</string>
<string>some/nested/roothelper</string>
</array>
```
Note: The paths in the TSRootBinaries array are relative to the location of the Info.plist, you can also include this key in other bundles such as app plugins.
Afterwards you can use the [spawnRoot function in TSUtil.m](./Store/TSUtil.m#L39) to spawn the binary as root.
## Things that are not possible using TrollStore:
- Getting proper platformization / `CS_PLATFORMIZED`
- Spawning a launch daemon (Would need `CS_PLATFORMIZED`)
- Injecting a tweak into a system process (Would need `CS_PLATFORMIZED`, a userland PAC bypass and a PMAP Trust Level bypass)
# Credits and Further Reading
[@LinusHenze](https://twitter.com/LinusHenze/) - Found the CoreTrust bug that allows TrollStore to work.
[Early Write-Up on the bug with more information](https://worthdoingbadly.com/coretrust/).