15 changed files with 55 additions and 164 deletions
--- a/README.md
+++ b/README.md
@ -20,7 +20,7 @@ Alternatively (if anything goes wrong), you can download the TrollStore.tar file

 ## Uninstalling an app

-Apps installed from TrollStore can only be uninstalled from TrollStore itself, tap an app or swipe it to the left in the 'Apps' tab to delete it.
+Apps installed from TrollStore can only be uninstalled from TrollStore itself, tap an app or swipe it to the right in the 'Apps' tab to delete it.

 ## Persistence Helper

--- a/RootHelper/Makefile
+++ b/RootHelper/Makefile
@ -13,7 +13,6 @@ trollstorehelper_LDFLAGS = -Lexternal/lib -lcrypto -lchoma
 trollstorehelper_CODESIGN_FLAGS = --entitlements entitlements.plist
 trollstorehelper_INSTALL_PATH = /usr/local/bin
 trollstorehelper_LIBRARIES = archive
-trollstorehelper_FRAMEWORKS = CoreTelephony
 trollstorehelper_PRIVATE_FRAMEWORKS = SpringBoardServices BackBoardServices MobileContainerManager

 include $(THEOS_MAKE_PATH)/tool.mk
--- a/RootHelper/control
+++ b/RootHelper/control
@ -1,6 +1,6 @@
 Package: com.opa334.trollstoreroothelper
 Name: trollstoreroothelper
-Version: 2.0.8
+Version: 2.0.7
 Architecture: iphoneos-arm
 Description: An awesome tool of some sort!!
 Maintainer: opa334
--- a/RootHelper/main.m
+++ b/RootHelper/main.m
@ -531,38 +531,36 @@ int signApp(NSString* appPath)
 	if(!mainExecutablePath) return 176;

 	if(![[NSFileManager defaultManager] fileExistsAtPath:mainExecutablePath]) return 174;
-
-	// Check if the bundle has had a supported exploit pre-applied
-	EXPLOIT_TYPE declaredPreAppliedExploitType = getDeclaredExploitTypeFromInfoDictionary(appInfoDict);
-	if(isPlatformVulnerableToExploitType(declaredPreAppliedExploitType))
+	
+	NSObject *tsBundleIsPreSigned = appInfoDict[@"TSBundlePreSigned"];
+	if([tsBundleIsPreSigned isKindOfClass:[NSNumber class]])
 	{
-		NSLog(@"[signApp] taking fast path for app which declares use of a supported pre-applied exploit (%@)", mainExecutablePath);
-		return 0;
+		// if TSBundlePreSigned = YES, this bundle has been externally signed so we can skip over signing it now
+		NSNumber *tsBundleIsPreSignedNum = (NSNumber *)tsBundleIsPreSigned;
+		if([tsBundleIsPreSignedNum boolValue] == YES)
+		{
+			NSLog(@"[signApp] taking fast path for app which declares it has already been signed (%@)", mainExecutablePath);
+			return 0;
+		}
+	}
+
+	// XXX: There used to be a check here whether the main binary was already signed with bypass
+	// In that case it would skip signing aswell, no clue if that's still needed
+	// With the new bypass adhoc signing should fail and reapplying the bypass should produce an identical binary
+	/*SecStaticCodeRef codeRef = getStaticCodeRef(mainExecutablePath);
+	if(codeRef != NULL)
+	{
+		if(codeCertChainContainsFakeAppStoreExtensions(codeRef))
+		{
+			NSLog(@"[signApp] taking fast path for app signed using a custom root certificate (%@)", mainExecutablePath);
+			CFRelease(codeRef);
+			return 0;
+		}
 	}
 	else
 	{
-		NSLog(@"[signApp] app (%@) declares use of a pre-applied exploit that is not supported on this device. Proceeding to re-sign...", mainExecutablePath);
-	}
-
-	// If the app doesn't declare a pre-applied exploit, and the host supports fake custom root certs,
-	// we can also skip doing any work here when that app is signed with fake roots
-	// If not, with the new bypass, a previously modified binary should failed to be adhoc signed, and
-	// reapplying the bypass should produce an identical binary
-	if(isPlatformVulnerableToExploitType(EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1))
-	{
-		SecStaticCodeRef codeRef = getStaticCodeRef(mainExecutablePath);
-		if(codeRef != NULL)
-		{
-			if(codeCertChainContainsFakeAppStoreExtensions(codeRef))
-			{
-				NSLog(@"[signApp] taking fast path for app signed using a custom root certificate (%@)", mainExecutablePath);
-				CFRelease(codeRef);
-				return 0;
-			}
-
-			CFRelease(codeRef);
-		}
-	}
+		NSLog(@"[signApp] failed to get static code, can't derive entitlements from %@, continuing anways...", mainExecutablePath);
+	}*/

 	NSURL* fileURL;
 	NSDirectoryEnumerator *enumerator;
--- a/Shared/TSUtil.h
+++ b/Shared/TSUtil.h
@ -36,22 +36,6 @@ typedef enum
 	PERSISTENCE_HELPER_TYPE_ALL = PERSISTENCE_HELPER_TYPE_USER | PERSISTENCE_HELPER_TYPE_SYSTEM
 } PERSISTENCE_HELPER_TYPE;

-// EXPLOIT_TYPE is defined as a bitmask as some devices are vulnerable to multiple exploits
-//
-// An app that has had one of these exploits applied ahead of time can declare which exploit
-// was used via the TSPreAppliedExploitType Info.plist key. The corresponding value should be
-// (number of bits to left-shift + 1).
-typedef enum
-{
-	// CVE-2022-26766
-    // TSPreAppliedExploitType = 1
-	EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1 = 1 << 0,
-
-	// CVE-2023-41991
-    // TSPreAppliedExploitType = 2
-	EXPLOIT_TYPE_CMS_SIGNERINFO_V1 = 1 << 1
-} EXPLOIT_TYPE;
-
 extern LSApplicationProxy* findPersistenceHelperApp(PERSISTENCE_HELPER_TYPE allowedTypes);

 typedef struct __SecCode const *SecStaticCodeRef;
@ -76,7 +60,4 @@ extern CFStringRef kSecPolicyLeafMarkerOid;
 extern SecStaticCodeRef getStaticCodeRef(NSString *binaryPath);
 extern NSDictionary* dumpEntitlements(SecStaticCodeRef codeRef);
 extern NSDictionary* dumpEntitlementsFromBinaryAtPath(NSString *binaryPath);
-extern NSDictionary* dumpEntitlementsFromBinaryData(NSData* binaryData);
-
-extern EXPLOIT_TYPE getDeclaredExploitTypeFromInfoDictionary(NSDictionary *infoDict);
-extern bool isPlatformVulnerableToExploitType(EXPLOIT_TYPE exploitType);
+extern NSDictionary* dumpEntitlementsFromBinaryData(NSData* binaryData);
--- a/Shared/TSUtil.m
+++ b/Shared/TSUtil.m
@ -5,10 +5,10 @@
 #import <sys/sysctl.h>
 #import <mach-o/dyld.h>

-static EXPLOIT_TYPE gPlatformVulnerabilities;
-
-void* _CTServerConnectionCreate(CFAllocatorRef, void *, void *);
-int64_t _CTServerConnectionSetCellularUsagePolicy(CFTypeRef* ct, NSString* identifier, NSDictionary* policies);
+@interface PSAppDataUsagePolicyCache : NSObject
+ (instancetype)sharedInstance;
+- (void)setUsagePoliciesForBundle:(NSString*)bundleId cellular:(BOOL)cellular wifi:(BOOL)wifi;
+@end

 #define POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE 1
 extern int posix_spawnattr_set_persona_np(const posix_spawnattr_t* __restrict, uid_t, uint32_t);
@ -17,14 +17,14 @@ extern int posix_spawnattr_set_persona_gid_np(const posix_spawnattr_t* __restric

 void chineseWifiFixup(void)
 {
-	_CTServerConnectionSetCellularUsagePolicy(
-		_CTServerConnectionCreate(kCFAllocatorDefault, NULL, NULL),
-		NSBundle.mainBundle.bundleIdentifier,
-		@{
-			@"kCTCellularDataUsagePolicy" : @"kCTCellularDataUsagePolicyAlwaysAllow",
-			@"kCTWiFiDataUsagePolicy" : @"kCTCellularDataUsagePolicyAlwaysAllow"
-		}
-	);
+	NSBundle *bundle = [NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/SettingsCellular.framework"];
+	[bundle load];
+
+	PSAppDataUsagePolicyCache* policyCache = [NSClassFromString(@"PSAppDataUsagePolicyCache") sharedInstance];
+	if([policyCache respondsToSelector:@selector(setUsagePoliciesForBundle:cellular:wifi:)])
+	{
+		[policyCache setUsagePoliciesForBundle:NSBundle.mainBundle.bundleIdentifier cellular:true wifi:true];
+	}
 }

 NSString *getExecutablePath(void)
@ -521,97 +521,4 @@ NSDictionary* dumpEntitlementsFromBinaryData(NSData* binaryData)
 		[[NSFileManager defaultManager] removeItemAtURL:tmpURL error:nil];
 	}
 	return entitlements;
-}
-
-EXPLOIT_TYPE getDeclaredExploitTypeFromInfoDictionary(NSDictionary *infoDict)
-{
-    NSObject *tsPreAppliedExploitType = infoDict[@"TSPreAppliedExploitType"];
-    if([tsPreAppliedExploitType isKindOfClass:[NSNumber class]])
-    {
-        NSNumber *tsPreAppliedExploitTypeNum = (NSNumber *)tsPreAppliedExploitType;
-        int exploitTypeInt = [tsPreAppliedExploitTypeNum intValue];
-
-        if(exploitTypeInt > 0)
-        {
-            // Convert versions 1, 2, etc... for use with bitmasking
-            return (1 << (exploitTypeInt - 1));
-        }
-        else
-        {
-            NSLog(@"[getDeclaredExploitTypeFromInfoDictionary] rejecting TSPreAppliedExploitType Info.plist value (%i) which is out of range", exploitTypeInt);
-        }
-    }
-
-    // Legacy Info.plist flag - now deprecated, but we treat it as a custom root cert if present
-    NSObject *tsBundleIsPreSigned = infoDict[@"TSBundlePreSigned"];
-    if([tsBundleIsPreSigned isKindOfClass:[NSNumber class]])
-    {
-        NSNumber *tsBundleIsPreSignedNum = (NSNumber *)tsBundleIsPreSigned;
-        if([tsBundleIsPreSignedNum boolValue] == YES)
-        {
-            return EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1;
-        }
-    }
-
-    // No declarations
-    return 0;
-}
-
-void determinePlatformVulnerableExploitTypes(void *context) {
-	size_t size = 0;
-
-	// Get the current build number
-	int mib[2] = {CTL_KERN, KERN_OSVERSION};
-
-	// Get size of buffer
-	sysctl(mib, 2, NULL, &size, NULL, 0);
-
-	// Get the actual value
-	char *os_build = malloc(size);
-	if(!os_build)
-	{
-		// malloc failed
-		perror("malloc buffer for KERN_OSVERSION");
-		return;
-	}
-
-	if (sysctl(mib, 2, os_build, &size, NULL, 0) != 0)
-	{
-		// sysctl failed
-		perror("sysctl KERN_OSVERSION");
-		free(os_build);
-		return;
-	}
-
-
-	if(strncmp(os_build, "19F5070b", 8) <= 0)
-	{
-		// iOS 14.0 - 15.5 beta 4
-		gPlatformVulnerabilities = (EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1 | EXPLOIT_TYPE_CMS_SIGNERINFO_V1);
-	}
-	else if(strncmp(os_build, "19G5027e", 8) >= 0 && strncmp(os_build, "19G5063a", 8) <= 0)
-	{
-		// iOS 15.6 beta 1 - 5
-		gPlatformVulnerabilities = (EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1 | EXPLOIT_TYPE_CMS_SIGNERINFO_V1);
-	}
-	else if(strncmp(os_build, "20G81", 5) <= 0)
-	{
-		// iOS 14.0 - 16.6.1
-		gPlatformVulnerabilities = EXPLOIT_TYPE_CMS_SIGNERINFO_V1;
-	}
-	else if(strncmp(os_build, "21A5248v", 8) >= 0 && strncmp(os_build, "21A331", 6) <= 0)
-	{
-		// iOS 17.0
-		gPlatformVulnerabilities = EXPLOIT_TYPE_CMS_SIGNERINFO_V1;
-	}
-
-	free(os_build);
-}
-
-bool isPlatformVulnerableToExploitType(EXPLOIT_TYPE exploitType) {
-	// Find out what we are vulnerable to
-	static dispatch_once_t once;
-	dispatch_once_f(&once, NULL, determinePlatformVulnerableExploitTypes);
-
-	return (exploitType & gPlatformVulnerabilities) != 0;
-}
+}
--- a/TrollHelper/Makefile
+++ b/TrollHelper/Makefile
@ -19,7 +19,7 @@ include $(THEOS)/makefiles/common.mk
 APPLICATION_NAME = TrollStorePersistenceHelper

 TrollStorePersistenceHelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m)
-TrollStorePersistenceHelper_FRAMEWORKS = UIKit CoreGraphics CoreServices CoreTelephony
+TrollStorePersistenceHelper_FRAMEWORKS = UIKit CoreGraphics CoreServices
 TrollStorePersistenceHelper_PRIVATE_FRAMEWORKS = Preferences MobileContainerManager
 TrollStorePersistenceHelper_CFLAGS = -fobjc-arc -I../Shared

--- a/TrollHelper/Resources/Info.plist
+++ b/TrollHelper/Resources/Info.plist
@ -52,7 +52,7 @@
 		<string>iPhoneOS</string>
 	</array>
 	<key>CFBundleVersion</key>
-	<string>2.0.8</string>
+	<string>2.0.7</string>
 	<key>LSRequiresIPhoneOS</key>
 	<true/>
 	<key>UIDeviceFamily</key>
--- a/TrollHelper/control
+++ b/TrollHelper/control
@ -1,6 +1,6 @@
 Package: com.opa334.trollstorehelper
 Name: TrollStore Helper
-Version: 2.0.8
+Version: 2.0.7
 Architecture: iphoneos-arm
 Description: Helper utility to install and manage TrollStore!
 Maintainer: opa334
--- a/TrollHelper/entitlements.plist
+++ b/TrollHelper/entitlements.plist
@ -6,7 +6,10 @@
 	<string>com.opa334.trollstorepersistencehelper</string>
 	<key>com.apple.CommCenter.fine-grained</key>
 	<array>
+		<string>cellular-plan</string>
+		<string>data-usage</string>
 		<string>data-allowed-write</string>
+		<string>preferences-write</string>
 	</array>
 	<key>com.apple.private.persona-mgmt</key>
 	<true/>
--- a/TrollStore/Makefile
+++ b/TrollStore/Makefile
@ -9,7 +9,7 @@ include $(THEOS)/makefiles/common.mk
 APPLICATION_NAME = TrollStore

 TrollStore_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m)
-TrollStore_FRAMEWORKS = UIKit CoreGraphics CoreServices CoreTelephony
+TrollStore_FRAMEWORKS = UIKit CoreGraphics CoreServices
 TrollStore_PRIVATE_FRAMEWORKS = Preferences MobileIcons MobileContainerManager
 TrollStore_LIBRARIES = archive
 TrollStore_CFLAGS = -fobjc-arc -I../Shared
--- a/TrollStore/Resources/Info.plist
+++ b/TrollStore/Resources/Info.plist
@ -50,7 +50,7 @@
 		<string>iPhoneOS</string>
 	</array>
 	<key>CFBundleVersion</key>
-	<string>2.0.8</string>
+	<string>2.0.7</string>
 	<key>LSRequiresIPhoneOS</key>
 	<true/>
 	<key>UIDeviceFamily</key>
--- a/TrollStore/TSAppInfo.m
+++ b/TrollStore/TSAppInfo.m
@ -1086,7 +1086,7 @@ extern UIImage* imageWithSize(UIImage* image, CGSize size);
 	}
 	else if(isPlatformApplication && isUnsandboxed)
 	{
-		[description appendAttributedString:[[NSAttributedString alloc] initWithString:@"\nThe app can spawn arbitrary binaries as the mobile user." attributes:bodyWarningAttributes]];
+		[description appendAttributedString:[[NSAttributedString alloc] initWithString:@"\nThe app can spawn arbitary binaries as the mobile user." attributes:bodyWarningAttributes]];
 	}
 	else
 	{
--- a/TrollStore/control
+++ b/TrollStore/control
@ -1,6 +1,6 @@
 Package: com.opa334.trollstore
 Name: TrollStore
-Version: 2.0.8
+Version: 2.0.7
 Architecture: iphoneos-arm
 Description: An awesome application!
 Maintainer: opa334
--- a/TrollStore/entitlements.plist
+++ b/TrollStore/entitlements.plist
@ -37,7 +37,10 @@
 	<true/>
 	<key>com.apple.CommCenter.fine-grained</key>
 	<array>
+		<string>cellular-plan</string>
+		<string>data-usage</string>
 		<string>data-allowed-write</string>
+		<string>preferences-write</string>
 	</array>
 	<key>com.apple.springboard.opensensitiveurl</key>
 	<true/>