Compare commits

...

12 Commits

Author SHA1 Message Date
opa334 6094bc024f 2.0.8 2023-11-29 18:47:24 +01:00
opa334 c30206b57e Fix compilation 2023-11-29 18:36:31 +01:00
Lars Fröder c1f0677c90
Merge pull request #618 from Halo-Michael/main
Fix Network for Chinese model
2023-11-29 18:30:50 +01:00
Lars Fröder 4433ec2f97
Merge pull request #617 from eltociear/patch-1
Update TSAppInfo.m
2023-11-29 18:30:03 +01:00
Halo-Michael c6ce29251e Remove unused entitlements 2023-11-30 01:03:25 +08:00
Halo-Michael b90a540d1d oops 2023-11-30 00:18:50 +08:00
Ikko Eltociear Ashimine 694973fda5
Update TSAppInfo.m
arbitary -> arbitrary
2023-11-30 01:05:13 +09:00
Halo-Michael 252d489ba3 Fix Network for Chinese model 2023-11-29 23:59:10 +08:00
Lars Fröder 9daa349a68
Merge pull request #604 from luken11/signing-fast-path-v2
Add support for multi-exploit Info.plist fast path
2023-11-29 16:02:42 +01:00
Lars Fröder d0781fb223
Merge pull request #613 from xiky/main
Update README.md
2023-11-29 16:00:26 +01:00
Livy Yao e0ecb70a43
Update README.md 2023-11-29 19:38:28 +08:00
Luke Noble e267749ada
Add support for multi-exploit Info.plist fast path
Deprecates TSBundlePreSigned in favour of TSPreAppliedExploitType
2023-11-28 21:44:12 +00:00
15 changed files with 163 additions and 54 deletions

View File

@ -20,7 +20,7 @@ Alternatively (if anything goes wrong), you can download the TrollStore.tar file
## Uninstalling an app ## Uninstalling an app
Apps installed from TrollStore can only be uninstalled from TrollStore itself, tap an app or swipe it to the right in the 'Apps' tab to delete it. Apps installed from TrollStore can only be uninstalled from TrollStore itself, tap an app or swipe it to the left in the 'Apps' tab to delete it.
## Persistence Helper ## Persistence Helper

View File

@ -13,6 +13,7 @@ trollstorehelper_LDFLAGS = -Lexternal/lib -lcrypto -lchoma
trollstorehelper_CODESIGN_FLAGS = --entitlements entitlements.plist trollstorehelper_CODESIGN_FLAGS = --entitlements entitlements.plist
trollstorehelper_INSTALL_PATH = /usr/local/bin trollstorehelper_INSTALL_PATH = /usr/local/bin
trollstorehelper_LIBRARIES = archive trollstorehelper_LIBRARIES = archive
trollstorehelper_FRAMEWORKS = CoreTelephony
trollstorehelper_PRIVATE_FRAMEWORKS = SpringBoardServices BackBoardServices MobileContainerManager trollstorehelper_PRIVATE_FRAMEWORKS = SpringBoardServices BackBoardServices MobileContainerManager
include $(THEOS_MAKE_PATH)/tool.mk include $(THEOS_MAKE_PATH)/tool.mk

View File

@ -1,6 +1,6 @@
Package: com.opa334.trollstoreroothelper Package: com.opa334.trollstoreroothelper
Name: trollstoreroothelper Name: trollstoreroothelper
Version: 2.0.7 Version: 2.0.8
Architecture: iphoneos-arm Architecture: iphoneos-arm
Description: An awesome tool of some sort!! Description: An awesome tool of some sort!!
Maintainer: opa334 Maintainer: opa334

View File

@ -532,35 +532,37 @@ int signApp(NSString* appPath)
if(![[NSFileManager defaultManager] fileExistsAtPath:mainExecutablePath]) return 174; if(![[NSFileManager defaultManager] fileExistsAtPath:mainExecutablePath]) return 174;
NSObject *tsBundleIsPreSigned = appInfoDict[@"TSBundlePreSigned"]; // Check if the bundle has had a supported exploit pre-applied
if([tsBundleIsPreSigned isKindOfClass:[NSNumber class]]) EXPLOIT_TYPE declaredPreAppliedExploitType = getDeclaredExploitTypeFromInfoDictionary(appInfoDict);
if(isPlatformVulnerableToExploitType(declaredPreAppliedExploitType))
{ {
// if TSBundlePreSigned = YES, this bundle has been externally signed so we can skip over signing it now NSLog(@"[signApp] taking fast path for app which declares use of a supported pre-applied exploit (%@)", mainExecutablePath);
NSNumber *tsBundleIsPreSignedNum = (NSNumber *)tsBundleIsPreSigned; return 0;
if([tsBundleIsPreSignedNum boolValue] == YES)
{
NSLog(@"[signApp] taking fast path for app which declares it has already been signed (%@)", mainExecutablePath);
return 0;
}
}
// XXX: There used to be a check here whether the main binary was already signed with bypass
// In that case it would skip signing aswell, no clue if that's still needed
// With the new bypass adhoc signing should fail and reapplying the bypass should produce an identical binary
/*SecStaticCodeRef codeRef = getStaticCodeRef(mainExecutablePath);
if(codeRef != NULL)
{
if(codeCertChainContainsFakeAppStoreExtensions(codeRef))
{
NSLog(@"[signApp] taking fast path for app signed using a custom root certificate (%@)", mainExecutablePath);
CFRelease(codeRef);
return 0;
}
} }
else else
{ {
NSLog(@"[signApp] failed to get static code, can't derive entitlements from %@, continuing anways...", mainExecutablePath); NSLog(@"[signApp] app (%@) declares use of a pre-applied exploit that is not supported on this device. Proceeding to re-sign...", mainExecutablePath);
}*/ }
// If the app doesn't declare a pre-applied exploit, and the host supports fake custom root certs,
// we can also skip doing any work here when that app is signed with fake roots
// If not, with the new bypass, a previously modified binary should failed to be adhoc signed, and
// reapplying the bypass should produce an identical binary
if(isPlatformVulnerableToExploitType(EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1))
{
SecStaticCodeRef codeRef = getStaticCodeRef(mainExecutablePath);
if(codeRef != NULL)
{
if(codeCertChainContainsFakeAppStoreExtensions(codeRef))
{
NSLog(@"[signApp] taking fast path for app signed using a custom root certificate (%@)", mainExecutablePath);
CFRelease(codeRef);
return 0;
}
CFRelease(codeRef);
}
}
NSURL* fileURL; NSURL* fileURL;
NSDirectoryEnumerator *enumerator; NSDirectoryEnumerator *enumerator;

View File

@ -36,6 +36,22 @@ typedef enum
PERSISTENCE_HELPER_TYPE_ALL = PERSISTENCE_HELPER_TYPE_USER | PERSISTENCE_HELPER_TYPE_SYSTEM PERSISTENCE_HELPER_TYPE_ALL = PERSISTENCE_HELPER_TYPE_USER | PERSISTENCE_HELPER_TYPE_SYSTEM
} PERSISTENCE_HELPER_TYPE; } PERSISTENCE_HELPER_TYPE;
// EXPLOIT_TYPE is defined as a bitmask as some devices are vulnerable to multiple exploits
//
// An app that has had one of these exploits applied ahead of time can declare which exploit
// was used via the TSPreAppliedExploitType Info.plist key. The corresponding value should be
// (number of bits to left-shift + 1).
typedef enum
{
// CVE-2022-26766
// TSPreAppliedExploitType = 1
EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1 = 1 << 0,
// CVE-2023-41991
// TSPreAppliedExploitType = 2
EXPLOIT_TYPE_CMS_SIGNERINFO_V1 = 1 << 1
} EXPLOIT_TYPE;
extern LSApplicationProxy* findPersistenceHelperApp(PERSISTENCE_HELPER_TYPE allowedTypes); extern LSApplicationProxy* findPersistenceHelperApp(PERSISTENCE_HELPER_TYPE allowedTypes);
typedef struct __SecCode const *SecStaticCodeRef; typedef struct __SecCode const *SecStaticCodeRef;
@ -61,3 +77,6 @@ extern SecStaticCodeRef getStaticCodeRef(NSString *binaryPath);
extern NSDictionary* dumpEntitlements(SecStaticCodeRef codeRef); extern NSDictionary* dumpEntitlements(SecStaticCodeRef codeRef);
extern NSDictionary* dumpEntitlementsFromBinaryAtPath(NSString *binaryPath); extern NSDictionary* dumpEntitlementsFromBinaryAtPath(NSString *binaryPath);
extern NSDictionary* dumpEntitlementsFromBinaryData(NSData* binaryData); extern NSDictionary* dumpEntitlementsFromBinaryData(NSData* binaryData);
extern EXPLOIT_TYPE getDeclaredExploitTypeFromInfoDictionary(NSDictionary *infoDict);
extern bool isPlatformVulnerableToExploitType(EXPLOIT_TYPE exploitType);

View File

@ -5,10 +5,10 @@
#import <sys/sysctl.h> #import <sys/sysctl.h>
#import <mach-o/dyld.h> #import <mach-o/dyld.h>
@interface PSAppDataUsagePolicyCache : NSObject static EXPLOIT_TYPE gPlatformVulnerabilities;
+ (instancetype)sharedInstance;
- (void)setUsagePoliciesForBundle:(NSString*)bundleId cellular:(BOOL)cellular wifi:(BOOL)wifi; void* _CTServerConnectionCreate(CFAllocatorRef, void *, void *);
@end int64_t _CTServerConnectionSetCellularUsagePolicy(CFTypeRef* ct, NSString* identifier, NSDictionary* policies);
#define POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE 1 #define POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE 1
extern int posix_spawnattr_set_persona_np(const posix_spawnattr_t* __restrict, uid_t, uint32_t); extern int posix_spawnattr_set_persona_np(const posix_spawnattr_t* __restrict, uid_t, uint32_t);
@ -17,14 +17,14 @@ extern int posix_spawnattr_set_persona_gid_np(const posix_spawnattr_t* __restric
void chineseWifiFixup(void) void chineseWifiFixup(void)
{ {
NSBundle *bundle = [NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/SettingsCellular.framework"]; _CTServerConnectionSetCellularUsagePolicy(
[bundle load]; _CTServerConnectionCreate(kCFAllocatorDefault, NULL, NULL),
NSBundle.mainBundle.bundleIdentifier,
PSAppDataUsagePolicyCache* policyCache = [NSClassFromString(@"PSAppDataUsagePolicyCache") sharedInstance]; @{
if([policyCache respondsToSelector:@selector(setUsagePoliciesForBundle:cellular:wifi:)]) @"kCTCellularDataUsagePolicy" : @"kCTCellularDataUsagePolicyAlwaysAllow",
{ @"kCTWiFiDataUsagePolicy" : @"kCTCellularDataUsagePolicyAlwaysAllow"
[policyCache setUsagePoliciesForBundle:NSBundle.mainBundle.bundleIdentifier cellular:true wifi:true]; }
} );
} }
NSString *getExecutablePath(void) NSString *getExecutablePath(void)
@ -522,3 +522,96 @@ NSDictionary* dumpEntitlementsFromBinaryData(NSData* binaryData)
} }
return entitlements; return entitlements;
} }
EXPLOIT_TYPE getDeclaredExploitTypeFromInfoDictionary(NSDictionary *infoDict)
{
NSObject *tsPreAppliedExploitType = infoDict[@"TSPreAppliedExploitType"];
if([tsPreAppliedExploitType isKindOfClass:[NSNumber class]])
{
NSNumber *tsPreAppliedExploitTypeNum = (NSNumber *)tsPreAppliedExploitType;
int exploitTypeInt = [tsPreAppliedExploitTypeNum intValue];
if(exploitTypeInt > 0)
{
// Convert versions 1, 2, etc... for use with bitmasking
return (1 << (exploitTypeInt - 1));
}
else
{
NSLog(@"[getDeclaredExploitTypeFromInfoDictionary] rejecting TSPreAppliedExploitType Info.plist value (%i) which is out of range", exploitTypeInt);
}
}
// Legacy Info.plist flag - now deprecated, but we treat it as a custom root cert if present
NSObject *tsBundleIsPreSigned = infoDict[@"TSBundlePreSigned"];
if([tsBundleIsPreSigned isKindOfClass:[NSNumber class]])
{
NSNumber *tsBundleIsPreSignedNum = (NSNumber *)tsBundleIsPreSigned;
if([tsBundleIsPreSignedNum boolValue] == YES)
{
return EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1;
}
}
// No declarations
return 0;
}
void determinePlatformVulnerableExploitTypes(void *context) {
size_t size = 0;
// Get the current build number
int mib[2] = {CTL_KERN, KERN_OSVERSION};
// Get size of buffer
sysctl(mib, 2, NULL, &size, NULL, 0);
// Get the actual value
char *os_build = malloc(size);
if(!os_build)
{
// malloc failed
perror("malloc buffer for KERN_OSVERSION");
return;
}
if (sysctl(mib, 2, os_build, &size, NULL, 0) != 0)
{
// sysctl failed
perror("sysctl KERN_OSVERSION");
free(os_build);
return;
}
if(strncmp(os_build, "19F5070b", 8) <= 0)
{
// iOS 14.0 - 15.5 beta 4
gPlatformVulnerabilities = (EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1 | EXPLOIT_TYPE_CMS_SIGNERINFO_V1);
}
else if(strncmp(os_build, "19G5027e", 8) >= 0 && strncmp(os_build, "19G5063a", 8) <= 0)
{
// iOS 15.6 beta 1 - 5
gPlatformVulnerabilities = (EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1 | EXPLOIT_TYPE_CMS_SIGNERINFO_V1);
}
else if(strncmp(os_build, "20G81", 5) <= 0)
{
// iOS 14.0 - 16.6.1
gPlatformVulnerabilities = EXPLOIT_TYPE_CMS_SIGNERINFO_V1;
}
else if(strncmp(os_build, "21A5248v", 8) >= 0 && strncmp(os_build, "21A331", 6) <= 0)
{
// iOS 17.0
gPlatformVulnerabilities = EXPLOIT_TYPE_CMS_SIGNERINFO_V1;
}
free(os_build);
}
bool isPlatformVulnerableToExploitType(EXPLOIT_TYPE exploitType) {
// Find out what we are vulnerable to
static dispatch_once_t once;
dispatch_once_f(&once, NULL, determinePlatformVulnerableExploitTypes);
return (exploitType & gPlatformVulnerabilities) != 0;
}

View File

@ -19,7 +19,7 @@ include $(THEOS)/makefiles/common.mk
APPLICATION_NAME = TrollStorePersistenceHelper APPLICATION_NAME = TrollStorePersistenceHelper
TrollStorePersistenceHelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m) TrollStorePersistenceHelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m)
TrollStorePersistenceHelper_FRAMEWORKS = UIKit CoreGraphics CoreServices TrollStorePersistenceHelper_FRAMEWORKS = UIKit CoreGraphics CoreServices CoreTelephony
TrollStorePersistenceHelper_PRIVATE_FRAMEWORKS = Preferences MobileContainerManager TrollStorePersistenceHelper_PRIVATE_FRAMEWORKS = Preferences MobileContainerManager
TrollStorePersistenceHelper_CFLAGS = -fobjc-arc -I../Shared TrollStorePersistenceHelper_CFLAGS = -fobjc-arc -I../Shared

View File

@ -52,7 +52,7 @@
<string>iPhoneOS</string> <string>iPhoneOS</string>
</array> </array>
<key>CFBundleVersion</key> <key>CFBundleVersion</key>
<string>2.0.7</string> <string>2.0.8</string>
<key>LSRequiresIPhoneOS</key> <key>LSRequiresIPhoneOS</key>
<true/> <true/>
<key>UIDeviceFamily</key> <key>UIDeviceFamily</key>

View File

@ -1,6 +1,6 @@
Package: com.opa334.trollstorehelper Package: com.opa334.trollstorehelper
Name: TrollStore Helper Name: TrollStore Helper
Version: 2.0.7 Version: 2.0.8
Architecture: iphoneos-arm Architecture: iphoneos-arm
Description: Helper utility to install and manage TrollStore! Description: Helper utility to install and manage TrollStore!
Maintainer: opa334 Maintainer: opa334

View File

@ -6,10 +6,7 @@
<string>com.opa334.trollstorepersistencehelper</string> <string>com.opa334.trollstorepersistencehelper</string>
<key>com.apple.CommCenter.fine-grained</key> <key>com.apple.CommCenter.fine-grained</key>
<array> <array>
<string>cellular-plan</string>
<string>data-usage</string>
<string>data-allowed-write</string> <string>data-allowed-write</string>
<string>preferences-write</string>
</array> </array>
<key>com.apple.private.persona-mgmt</key> <key>com.apple.private.persona-mgmt</key>
<true/> <true/>

View File

@ -9,7 +9,7 @@ include $(THEOS)/makefiles/common.mk
APPLICATION_NAME = TrollStore APPLICATION_NAME = TrollStore
TrollStore_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m) TrollStore_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m)
TrollStore_FRAMEWORKS = UIKit CoreGraphics CoreServices TrollStore_FRAMEWORKS = UIKit CoreGraphics CoreServices CoreTelephony
TrollStore_PRIVATE_FRAMEWORKS = Preferences MobileIcons MobileContainerManager TrollStore_PRIVATE_FRAMEWORKS = Preferences MobileIcons MobileContainerManager
TrollStore_LIBRARIES = archive TrollStore_LIBRARIES = archive
TrollStore_CFLAGS = -fobjc-arc -I../Shared TrollStore_CFLAGS = -fobjc-arc -I../Shared

View File

@ -50,7 +50,7 @@
<string>iPhoneOS</string> <string>iPhoneOS</string>
</array> </array>
<key>CFBundleVersion</key> <key>CFBundleVersion</key>
<string>2.0.7</string> <string>2.0.8</string>
<key>LSRequiresIPhoneOS</key> <key>LSRequiresIPhoneOS</key>
<true/> <true/>
<key>UIDeviceFamily</key> <key>UIDeviceFamily</key>

View File

@ -1086,7 +1086,7 @@ extern UIImage* imageWithSize(UIImage* image, CGSize size);
} }
else if(isPlatformApplication && isUnsandboxed) else if(isPlatformApplication && isUnsandboxed)
{ {
[description appendAttributedString:[[NSAttributedString alloc] initWithString:@"\nThe app can spawn arbitary binaries as the mobile user." attributes:bodyWarningAttributes]]; [description appendAttributedString:[[NSAttributedString alloc] initWithString:@"\nThe app can spawn arbitrary binaries as the mobile user." attributes:bodyWarningAttributes]];
} }
else else
{ {

View File

@ -1,6 +1,6 @@
Package: com.opa334.trollstore Package: com.opa334.trollstore
Name: TrollStore Name: TrollStore
Version: 2.0.7 Version: 2.0.8
Architecture: iphoneos-arm Architecture: iphoneos-arm
Description: An awesome application! Description: An awesome application!
Maintainer: opa334 Maintainer: opa334

View File

@ -37,10 +37,7 @@
<true/> <true/>
<key>com.apple.CommCenter.fine-grained</key> <key>com.apple.CommCenter.fine-grained</key>
<array> <array>
<string>cellular-plan</string>
<string>data-usage</string>
<string>data-allowed-write</string> <string>data-allowed-write</string>
<string>preferences-write</string>
</array> </array>
<key>com.apple.springboard.opensensitiveurl</key> <key>com.apple.springboard.opensensitiveurl</key>
<true/> <true/>