Compare commits

...

12 Commits

Author SHA1 Message Date
opa334 6094bc024f 2.0.8 2023-11-29 18:47:24 +01:00
opa334 c30206b57e Fix compilation 2023-11-29 18:36:31 +01:00
Lars Fröder c1f0677c90
Merge pull request #618 from Halo-Michael/main
Fix Network for Chinese model
2023-11-29 18:30:50 +01:00
Lars Fröder 4433ec2f97
Merge pull request #617 from eltociear/patch-1
Update TSAppInfo.m
2023-11-29 18:30:03 +01:00
Halo-Michael c6ce29251e Remove unused entitlements 2023-11-30 01:03:25 +08:00
Halo-Michael b90a540d1d oops 2023-11-30 00:18:50 +08:00
Ikko Eltociear Ashimine 694973fda5
Update TSAppInfo.m
arbitary -> arbitrary
2023-11-30 01:05:13 +09:00
Halo-Michael 252d489ba3 Fix Network for Chinese model 2023-11-29 23:59:10 +08:00
Lars Fröder 9daa349a68
Merge pull request #604 from luken11/signing-fast-path-v2
Add support for multi-exploit Info.plist fast path
2023-11-29 16:02:42 +01:00
Lars Fröder d0781fb223
Merge pull request #613 from xiky/main
Update README.md
2023-11-29 16:00:26 +01:00
Livy Yao e0ecb70a43
Update README.md 2023-11-29 19:38:28 +08:00
Luke Noble e267749ada
Add support for multi-exploit Info.plist fast path
Deprecates TSBundlePreSigned in favour of TSPreAppliedExploitType
2023-11-28 21:44:12 +00:00
15 changed files with 163 additions and 54 deletions

View File

@ -20,7 +20,7 @@ Alternatively (if anything goes wrong), you can download the TrollStore.tar file
## Uninstalling an app
Apps installed from TrollStore can only be uninstalled from TrollStore itself, tap an app or swipe it to the right in the 'Apps' tab to delete it.
Apps installed from TrollStore can only be uninstalled from TrollStore itself, tap an app or swipe it to the left in the 'Apps' tab to delete it.
## Persistence Helper

View File

@ -13,6 +13,7 @@ trollstorehelper_LDFLAGS = -Lexternal/lib -lcrypto -lchoma
trollstorehelper_CODESIGN_FLAGS = --entitlements entitlements.plist
trollstorehelper_INSTALL_PATH = /usr/local/bin
trollstorehelper_LIBRARIES = archive
trollstorehelper_FRAMEWORKS = CoreTelephony
trollstorehelper_PRIVATE_FRAMEWORKS = SpringBoardServices BackBoardServices MobileContainerManager
include $(THEOS_MAKE_PATH)/tool.mk

View File

@ -1,6 +1,6 @@
Package: com.opa334.trollstoreroothelper
Name: trollstoreroothelper
Version: 2.0.7
Version: 2.0.8
Architecture: iphoneos-arm
Description: An awesome tool of some sort!!
Maintainer: opa334

View File

@ -531,36 +531,38 @@ int signApp(NSString* appPath)
if(!mainExecutablePath) return 176;
if(![[NSFileManager defaultManager] fileExistsAtPath:mainExecutablePath]) return 174;
NSObject *tsBundleIsPreSigned = appInfoDict[@"TSBundlePreSigned"];
if([tsBundleIsPreSigned isKindOfClass:[NSNumber class]])
{
// if TSBundlePreSigned = YES, this bundle has been externally signed so we can skip over signing it now
NSNumber *tsBundleIsPreSignedNum = (NSNumber *)tsBundleIsPreSigned;
if([tsBundleIsPreSignedNum boolValue] == YES)
{
NSLog(@"[signApp] taking fast path for app which declares it has already been signed (%@)", mainExecutablePath);
return 0;
}
}
// XXX: There used to be a check here whether the main binary was already signed with bypass
// In that case it would skip signing aswell, no clue if that's still needed
// With the new bypass adhoc signing should fail and reapplying the bypass should produce an identical binary
/*SecStaticCodeRef codeRef = getStaticCodeRef(mainExecutablePath);
if(codeRef != NULL)
// Check if the bundle has had a supported exploit pre-applied
EXPLOIT_TYPE declaredPreAppliedExploitType = getDeclaredExploitTypeFromInfoDictionary(appInfoDict);
if(isPlatformVulnerableToExploitType(declaredPreAppliedExploitType))
{
if(codeCertChainContainsFakeAppStoreExtensions(codeRef))
{
NSLog(@"[signApp] taking fast path for app signed using a custom root certificate (%@)", mainExecutablePath);
CFRelease(codeRef);
return 0;
}
NSLog(@"[signApp] taking fast path for app which declares use of a supported pre-applied exploit (%@)", mainExecutablePath);
return 0;
}
else
{
NSLog(@"[signApp] failed to get static code, can't derive entitlements from %@, continuing anways...", mainExecutablePath);
}*/
NSLog(@"[signApp] app (%@) declares use of a pre-applied exploit that is not supported on this device. Proceeding to re-sign...", mainExecutablePath);
}
// If the app doesn't declare a pre-applied exploit, and the host supports fake custom root certs,
// we can also skip doing any work here when that app is signed with fake roots
// If not, with the new bypass, a previously modified binary should failed to be adhoc signed, and
// reapplying the bypass should produce an identical binary
if(isPlatformVulnerableToExploitType(EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1))
{
SecStaticCodeRef codeRef = getStaticCodeRef(mainExecutablePath);
if(codeRef != NULL)
{
if(codeCertChainContainsFakeAppStoreExtensions(codeRef))
{
NSLog(@"[signApp] taking fast path for app signed using a custom root certificate (%@)", mainExecutablePath);
CFRelease(codeRef);
return 0;
}
CFRelease(codeRef);
}
}
NSURL* fileURL;
NSDirectoryEnumerator *enumerator;

View File

@ -36,6 +36,22 @@ typedef enum
PERSISTENCE_HELPER_TYPE_ALL = PERSISTENCE_HELPER_TYPE_USER | PERSISTENCE_HELPER_TYPE_SYSTEM
} PERSISTENCE_HELPER_TYPE;
// EXPLOIT_TYPE is defined as a bitmask as some devices are vulnerable to multiple exploits
//
// An app that has had one of these exploits applied ahead of time can declare which exploit
// was used via the TSPreAppliedExploitType Info.plist key. The corresponding value should be
// (number of bits to left-shift + 1).
typedef enum
{
// CVE-2022-26766
// TSPreAppliedExploitType = 1
EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1 = 1 << 0,
// CVE-2023-41991
// TSPreAppliedExploitType = 2
EXPLOIT_TYPE_CMS_SIGNERINFO_V1 = 1 << 1
} EXPLOIT_TYPE;
extern LSApplicationProxy* findPersistenceHelperApp(PERSISTENCE_HELPER_TYPE allowedTypes);
typedef struct __SecCode const *SecStaticCodeRef;
@ -60,4 +76,7 @@ extern CFStringRef kSecPolicyLeafMarkerOid;
extern SecStaticCodeRef getStaticCodeRef(NSString *binaryPath);
extern NSDictionary* dumpEntitlements(SecStaticCodeRef codeRef);
extern NSDictionary* dumpEntitlementsFromBinaryAtPath(NSString *binaryPath);
extern NSDictionary* dumpEntitlementsFromBinaryData(NSData* binaryData);
extern NSDictionary* dumpEntitlementsFromBinaryData(NSData* binaryData);
extern EXPLOIT_TYPE getDeclaredExploitTypeFromInfoDictionary(NSDictionary *infoDict);
extern bool isPlatformVulnerableToExploitType(EXPLOIT_TYPE exploitType);

View File

@ -5,10 +5,10 @@
#import <sys/sysctl.h>
#import <mach-o/dyld.h>
@interface PSAppDataUsagePolicyCache : NSObject
+ (instancetype)sharedInstance;
- (void)setUsagePoliciesForBundle:(NSString*)bundleId cellular:(BOOL)cellular wifi:(BOOL)wifi;
@end
static EXPLOIT_TYPE gPlatformVulnerabilities;
void* _CTServerConnectionCreate(CFAllocatorRef, void *, void *);
int64_t _CTServerConnectionSetCellularUsagePolicy(CFTypeRef* ct, NSString* identifier, NSDictionary* policies);
#define POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE 1
extern int posix_spawnattr_set_persona_np(const posix_spawnattr_t* __restrict, uid_t, uint32_t);
@ -17,14 +17,14 @@ extern int posix_spawnattr_set_persona_gid_np(const posix_spawnattr_t* __restric
void chineseWifiFixup(void)
{
NSBundle *bundle = [NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/SettingsCellular.framework"];
[bundle load];
PSAppDataUsagePolicyCache* policyCache = [NSClassFromString(@"PSAppDataUsagePolicyCache") sharedInstance];
if([policyCache respondsToSelector:@selector(setUsagePoliciesForBundle:cellular:wifi:)])
{
[policyCache setUsagePoliciesForBundle:NSBundle.mainBundle.bundleIdentifier cellular:true wifi:true];
}
_CTServerConnectionSetCellularUsagePolicy(
_CTServerConnectionCreate(kCFAllocatorDefault, NULL, NULL),
NSBundle.mainBundle.bundleIdentifier,
@{
@"kCTCellularDataUsagePolicy" : @"kCTCellularDataUsagePolicyAlwaysAllow",
@"kCTWiFiDataUsagePolicy" : @"kCTCellularDataUsagePolicyAlwaysAllow"
}
);
}
NSString *getExecutablePath(void)
@ -521,4 +521,97 @@ NSDictionary* dumpEntitlementsFromBinaryData(NSData* binaryData)
[[NSFileManager defaultManager] removeItemAtURL:tmpURL error:nil];
}
return entitlements;
}
}
EXPLOIT_TYPE getDeclaredExploitTypeFromInfoDictionary(NSDictionary *infoDict)
{
NSObject *tsPreAppliedExploitType = infoDict[@"TSPreAppliedExploitType"];
if([tsPreAppliedExploitType isKindOfClass:[NSNumber class]])
{
NSNumber *tsPreAppliedExploitTypeNum = (NSNumber *)tsPreAppliedExploitType;
int exploitTypeInt = [tsPreAppliedExploitTypeNum intValue];
if(exploitTypeInt > 0)
{
// Convert versions 1, 2, etc... for use with bitmasking
return (1 << (exploitTypeInt - 1));
}
else
{
NSLog(@"[getDeclaredExploitTypeFromInfoDictionary] rejecting TSPreAppliedExploitType Info.plist value (%i) which is out of range", exploitTypeInt);
}
}
// Legacy Info.plist flag - now deprecated, but we treat it as a custom root cert if present
NSObject *tsBundleIsPreSigned = infoDict[@"TSBundlePreSigned"];
if([tsBundleIsPreSigned isKindOfClass:[NSNumber class]])
{
NSNumber *tsBundleIsPreSignedNum = (NSNumber *)tsBundleIsPreSigned;
if([tsBundleIsPreSignedNum boolValue] == YES)
{
return EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1;
}
}
// No declarations
return 0;
}
void determinePlatformVulnerableExploitTypes(void *context) {
size_t size = 0;
// Get the current build number
int mib[2] = {CTL_KERN, KERN_OSVERSION};
// Get size of buffer
sysctl(mib, 2, NULL, &size, NULL, 0);
// Get the actual value
char *os_build = malloc(size);
if(!os_build)
{
// malloc failed
perror("malloc buffer for KERN_OSVERSION");
return;
}
if (sysctl(mib, 2, os_build, &size, NULL, 0) != 0)
{
// sysctl failed
perror("sysctl KERN_OSVERSION");
free(os_build);
return;
}
if(strncmp(os_build, "19F5070b", 8) <= 0)
{
// iOS 14.0 - 15.5 beta 4
gPlatformVulnerabilities = (EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1 | EXPLOIT_TYPE_CMS_SIGNERINFO_V1);
}
else if(strncmp(os_build, "19G5027e", 8) >= 0 && strncmp(os_build, "19G5063a", 8) <= 0)
{
// iOS 15.6 beta 1 - 5
gPlatformVulnerabilities = (EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1 | EXPLOIT_TYPE_CMS_SIGNERINFO_V1);
}
else if(strncmp(os_build, "20G81", 5) <= 0)
{
// iOS 14.0 - 16.6.1
gPlatformVulnerabilities = EXPLOIT_TYPE_CMS_SIGNERINFO_V1;
}
else if(strncmp(os_build, "21A5248v", 8) >= 0 && strncmp(os_build, "21A331", 6) <= 0)
{
// iOS 17.0
gPlatformVulnerabilities = EXPLOIT_TYPE_CMS_SIGNERINFO_V1;
}
free(os_build);
}
bool isPlatformVulnerableToExploitType(EXPLOIT_TYPE exploitType) {
// Find out what we are vulnerable to
static dispatch_once_t once;
dispatch_once_f(&once, NULL, determinePlatformVulnerableExploitTypes);
return (exploitType & gPlatformVulnerabilities) != 0;
}

View File

@ -19,7 +19,7 @@ include $(THEOS)/makefiles/common.mk
APPLICATION_NAME = TrollStorePersistenceHelper
TrollStorePersistenceHelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m)
TrollStorePersistenceHelper_FRAMEWORKS = UIKit CoreGraphics CoreServices
TrollStorePersistenceHelper_FRAMEWORKS = UIKit CoreGraphics CoreServices CoreTelephony
TrollStorePersistenceHelper_PRIVATE_FRAMEWORKS = Preferences MobileContainerManager
TrollStorePersistenceHelper_CFLAGS = -fobjc-arc -I../Shared

View File

@ -52,7 +52,7 @@
<string>iPhoneOS</string>
</array>
<key>CFBundleVersion</key>
<string>2.0.7</string>
<string>2.0.8</string>
<key>LSRequiresIPhoneOS</key>
<true/>
<key>UIDeviceFamily</key>

View File

@ -1,6 +1,6 @@
Package: com.opa334.trollstorehelper
Name: TrollStore Helper
Version: 2.0.7
Version: 2.0.8
Architecture: iphoneos-arm
Description: Helper utility to install and manage TrollStore!
Maintainer: opa334

View File

@ -6,10 +6,7 @@
<string>com.opa334.trollstorepersistencehelper</string>
<key>com.apple.CommCenter.fine-grained</key>
<array>
<string>cellular-plan</string>
<string>data-usage</string>
<string>data-allowed-write</string>
<string>preferences-write</string>
</array>
<key>com.apple.private.persona-mgmt</key>
<true/>

View File

@ -9,7 +9,7 @@ include $(THEOS)/makefiles/common.mk
APPLICATION_NAME = TrollStore
TrollStore_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m)
TrollStore_FRAMEWORKS = UIKit CoreGraphics CoreServices
TrollStore_FRAMEWORKS = UIKit CoreGraphics CoreServices CoreTelephony
TrollStore_PRIVATE_FRAMEWORKS = Preferences MobileIcons MobileContainerManager
TrollStore_LIBRARIES = archive
TrollStore_CFLAGS = -fobjc-arc -I../Shared

View File

@ -50,7 +50,7 @@
<string>iPhoneOS</string>
</array>
<key>CFBundleVersion</key>
<string>2.0.7</string>
<string>2.0.8</string>
<key>LSRequiresIPhoneOS</key>
<true/>
<key>UIDeviceFamily</key>

View File

@ -1086,7 +1086,7 @@ extern UIImage* imageWithSize(UIImage* image, CGSize size);
}
else if(isPlatformApplication && isUnsandboxed)
{
[description appendAttributedString:[[NSAttributedString alloc] initWithString:@"\nThe app can spawn arbitary binaries as the mobile user." attributes:bodyWarningAttributes]];
[description appendAttributedString:[[NSAttributedString alloc] initWithString:@"\nThe app can spawn arbitrary binaries as the mobile user." attributes:bodyWarningAttributes]];
}
else
{

View File

@ -1,6 +1,6 @@
Package: com.opa334.trollstore
Name: TrollStore
Version: 2.0.7
Version: 2.0.8
Architecture: iphoneos-arm
Description: An awesome application!
Maintainer: opa334

View File

@ -37,10 +37,7 @@
<true/>
<key>com.apple.CommCenter.fine-grained</key>
<array>
<string>cellular-plan</string>
<string>data-usage</string>
<string>data-allowed-write</string>
<string>preferences-write</string>
</array>
<key>com.apple.springboard.opensensitiveurl</key>
<true/>