No commits in common. "6094bc024fe56197fbb8673faf4ec6a3a1dbcefc" and "5ac7448fb87c5923b702fd5f437523438daa26f7" have entirely different histories.
6094bc024f
...
5ac7448fb8
|
@ -20,7 +20,7 @@ Alternatively (if anything goes wrong), you can download the TrollStore.tar file
|
|||
|
||||
## Uninstalling an app
|
||||
|
||||
Apps installed from TrollStore can only be uninstalled from TrollStore itself, tap an app or swipe it to the left in the 'Apps' tab to delete it.
|
||||
Apps installed from TrollStore can only be uninstalled from TrollStore itself, tap an app or swipe it to the right in the 'Apps' tab to delete it.
|
||||
|
||||
## Persistence Helper
|
||||
|
||||
|
|
|
@ -13,7 +13,6 @@ trollstorehelper_LDFLAGS = -Lexternal/lib -lcrypto -lchoma
|
|||
trollstorehelper_CODESIGN_FLAGS = --entitlements entitlements.plist
|
||||
trollstorehelper_INSTALL_PATH = /usr/local/bin
|
||||
trollstorehelper_LIBRARIES = archive
|
||||
trollstorehelper_FRAMEWORKS = CoreTelephony
|
||||
trollstorehelper_PRIVATE_FRAMEWORKS = SpringBoardServices BackBoardServices MobileContainerManager
|
||||
|
||||
include $(THEOS_MAKE_PATH)/tool.mk
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
Package: com.opa334.trollstoreroothelper
|
||||
Name: trollstoreroothelper
|
||||
Version: 2.0.8
|
||||
Version: 2.0.7
|
||||
Architecture: iphoneos-arm
|
||||
Description: An awesome tool of some sort!!
|
||||
Maintainer: opa334
|
||||
|
|
|
@ -532,25 +532,22 @@ int signApp(NSString* appPath)
|
|||
|
||||
if(![[NSFileManager defaultManager] fileExistsAtPath:mainExecutablePath]) return 174;
|
||||
|
||||
// Check if the bundle has had a supported exploit pre-applied
|
||||
EXPLOIT_TYPE declaredPreAppliedExploitType = getDeclaredExploitTypeFromInfoDictionary(appInfoDict);
|
||||
if(isPlatformVulnerableToExploitType(declaredPreAppliedExploitType))
|
||||
NSObject *tsBundleIsPreSigned = appInfoDict[@"TSBundlePreSigned"];
|
||||
if([tsBundleIsPreSigned isKindOfClass:[NSNumber class]])
|
||||
{
|
||||
NSLog(@"[signApp] taking fast path for app which declares use of a supported pre-applied exploit (%@)", mainExecutablePath);
|
||||
// if TSBundlePreSigned = YES, this bundle has been externally signed so we can skip over signing it now
|
||||
NSNumber *tsBundleIsPreSignedNum = (NSNumber *)tsBundleIsPreSigned;
|
||||
if([tsBundleIsPreSignedNum boolValue] == YES)
|
||||
{
|
||||
NSLog(@"[signApp] taking fast path for app which declares it has already been signed (%@)", mainExecutablePath);
|
||||
return 0;
|
||||
}
|
||||
else
|
||||
{
|
||||
NSLog(@"[signApp] app (%@) declares use of a pre-applied exploit that is not supported on this device. Proceeding to re-sign...", mainExecutablePath);
|
||||
}
|
||||
|
||||
// If the app doesn't declare a pre-applied exploit, and the host supports fake custom root certs,
|
||||
// we can also skip doing any work here when that app is signed with fake roots
|
||||
// If not, with the new bypass, a previously modified binary should failed to be adhoc signed, and
|
||||
// reapplying the bypass should produce an identical binary
|
||||
if(isPlatformVulnerableToExploitType(EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1))
|
||||
{
|
||||
SecStaticCodeRef codeRef = getStaticCodeRef(mainExecutablePath);
|
||||
// XXX: There used to be a check here whether the main binary was already signed with bypass
|
||||
// In that case it would skip signing aswell, no clue if that's still needed
|
||||
// With the new bypass adhoc signing should fail and reapplying the bypass should produce an identical binary
|
||||
/*SecStaticCodeRef codeRef = getStaticCodeRef(mainExecutablePath);
|
||||
if(codeRef != NULL)
|
||||
{
|
||||
if(codeCertChainContainsFakeAppStoreExtensions(codeRef))
|
||||
|
@ -559,10 +556,11 @@ int signApp(NSString* appPath)
|
|||
CFRelease(codeRef);
|
||||
return 0;
|
||||
}
|
||||
|
||||
CFRelease(codeRef);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
NSLog(@"[signApp] failed to get static code, can't derive entitlements from %@, continuing anways...", mainExecutablePath);
|
||||
}*/
|
||||
|
||||
NSURL* fileURL;
|
||||
NSDirectoryEnumerator *enumerator;
|
||||
|
|
|
@ -36,22 +36,6 @@ typedef enum
|
|||
PERSISTENCE_HELPER_TYPE_ALL = PERSISTENCE_HELPER_TYPE_USER | PERSISTENCE_HELPER_TYPE_SYSTEM
|
||||
} PERSISTENCE_HELPER_TYPE;
|
||||
|
||||
// EXPLOIT_TYPE is defined as a bitmask as some devices are vulnerable to multiple exploits
|
||||
//
|
||||
// An app that has had one of these exploits applied ahead of time can declare which exploit
|
||||
// was used via the TSPreAppliedExploitType Info.plist key. The corresponding value should be
|
||||
// (number of bits to left-shift + 1).
|
||||
typedef enum
|
||||
{
|
||||
// CVE-2022-26766
|
||||
// TSPreAppliedExploitType = 1
|
||||
EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1 = 1 << 0,
|
||||
|
||||
// CVE-2023-41991
|
||||
// TSPreAppliedExploitType = 2
|
||||
EXPLOIT_TYPE_CMS_SIGNERINFO_V1 = 1 << 1
|
||||
} EXPLOIT_TYPE;
|
||||
|
||||
extern LSApplicationProxy* findPersistenceHelperApp(PERSISTENCE_HELPER_TYPE allowedTypes);
|
||||
|
||||
typedef struct __SecCode const *SecStaticCodeRef;
|
||||
|
@ -77,6 +61,3 @@ extern SecStaticCodeRef getStaticCodeRef(NSString *binaryPath);
|
|||
extern NSDictionary* dumpEntitlements(SecStaticCodeRef codeRef);
|
||||
extern NSDictionary* dumpEntitlementsFromBinaryAtPath(NSString *binaryPath);
|
||||
extern NSDictionary* dumpEntitlementsFromBinaryData(NSData* binaryData);
|
||||
|
||||
extern EXPLOIT_TYPE getDeclaredExploitTypeFromInfoDictionary(NSDictionary *infoDict);
|
||||
extern bool isPlatformVulnerableToExploitType(EXPLOIT_TYPE exploitType);
|
||||
|
|
115
Shared/TSUtil.m
115
Shared/TSUtil.m
|
@ -5,10 +5,10 @@
|
|||
#import <sys/sysctl.h>
|
||||
#import <mach-o/dyld.h>
|
||||
|
||||
static EXPLOIT_TYPE gPlatformVulnerabilities;
|
||||
|
||||
void* _CTServerConnectionCreate(CFAllocatorRef, void *, void *);
|
||||
int64_t _CTServerConnectionSetCellularUsagePolicy(CFTypeRef* ct, NSString* identifier, NSDictionary* policies);
|
||||
@interface PSAppDataUsagePolicyCache : NSObject
|
||||
+ (instancetype)sharedInstance;
|
||||
- (void)setUsagePoliciesForBundle:(NSString*)bundleId cellular:(BOOL)cellular wifi:(BOOL)wifi;
|
||||
@end
|
||||
|
||||
#define POSIX_SPAWN_PERSONA_FLAGS_OVERRIDE 1
|
||||
extern int posix_spawnattr_set_persona_np(const posix_spawnattr_t* __restrict, uid_t, uint32_t);
|
||||
|
@ -17,14 +17,14 @@ extern int posix_spawnattr_set_persona_gid_np(const posix_spawnattr_t* __restric
|
|||
|
||||
void chineseWifiFixup(void)
|
||||
{
|
||||
_CTServerConnectionSetCellularUsagePolicy(
|
||||
_CTServerConnectionCreate(kCFAllocatorDefault, NULL, NULL),
|
||||
NSBundle.mainBundle.bundleIdentifier,
|
||||
@{
|
||||
@"kCTCellularDataUsagePolicy" : @"kCTCellularDataUsagePolicyAlwaysAllow",
|
||||
@"kCTWiFiDataUsagePolicy" : @"kCTCellularDataUsagePolicyAlwaysAllow"
|
||||
NSBundle *bundle = [NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/SettingsCellular.framework"];
|
||||
[bundle load];
|
||||
|
||||
PSAppDataUsagePolicyCache* policyCache = [NSClassFromString(@"PSAppDataUsagePolicyCache") sharedInstance];
|
||||
if([policyCache respondsToSelector:@selector(setUsagePoliciesForBundle:cellular:wifi:)])
|
||||
{
|
||||
[policyCache setUsagePoliciesForBundle:NSBundle.mainBundle.bundleIdentifier cellular:true wifi:true];
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
NSString *getExecutablePath(void)
|
||||
|
@ -522,96 +522,3 @@ NSDictionary* dumpEntitlementsFromBinaryData(NSData* binaryData)
|
|||
}
|
||||
return entitlements;
|
||||
}
|
||||
|
||||
EXPLOIT_TYPE getDeclaredExploitTypeFromInfoDictionary(NSDictionary *infoDict)
|
||||
{
|
||||
NSObject *tsPreAppliedExploitType = infoDict[@"TSPreAppliedExploitType"];
|
||||
if([tsPreAppliedExploitType isKindOfClass:[NSNumber class]])
|
||||
{
|
||||
NSNumber *tsPreAppliedExploitTypeNum = (NSNumber *)tsPreAppliedExploitType;
|
||||
int exploitTypeInt = [tsPreAppliedExploitTypeNum intValue];
|
||||
|
||||
if(exploitTypeInt > 0)
|
||||
{
|
||||
// Convert versions 1, 2, etc... for use with bitmasking
|
||||
return (1 << (exploitTypeInt - 1));
|
||||
}
|
||||
else
|
||||
{
|
||||
NSLog(@"[getDeclaredExploitTypeFromInfoDictionary] rejecting TSPreAppliedExploitType Info.plist value (%i) which is out of range", exploitTypeInt);
|
||||
}
|
||||
}
|
||||
|
||||
// Legacy Info.plist flag - now deprecated, but we treat it as a custom root cert if present
|
||||
NSObject *tsBundleIsPreSigned = infoDict[@"TSBundlePreSigned"];
|
||||
if([tsBundleIsPreSigned isKindOfClass:[NSNumber class]])
|
||||
{
|
||||
NSNumber *tsBundleIsPreSignedNum = (NSNumber *)tsBundleIsPreSigned;
|
||||
if([tsBundleIsPreSignedNum boolValue] == YES)
|
||||
{
|
||||
return EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1;
|
||||
}
|
||||
}
|
||||
|
||||
// No declarations
|
||||
return 0;
|
||||
}
|
||||
|
||||
void determinePlatformVulnerableExploitTypes(void *context) {
|
||||
size_t size = 0;
|
||||
|
||||
// Get the current build number
|
||||
int mib[2] = {CTL_KERN, KERN_OSVERSION};
|
||||
|
||||
// Get size of buffer
|
||||
sysctl(mib, 2, NULL, &size, NULL, 0);
|
||||
|
||||
// Get the actual value
|
||||
char *os_build = malloc(size);
|
||||
if(!os_build)
|
||||
{
|
||||
// malloc failed
|
||||
perror("malloc buffer for KERN_OSVERSION");
|
||||
return;
|
||||
}
|
||||
|
||||
if (sysctl(mib, 2, os_build, &size, NULL, 0) != 0)
|
||||
{
|
||||
// sysctl failed
|
||||
perror("sysctl KERN_OSVERSION");
|
||||
free(os_build);
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
if(strncmp(os_build, "19F5070b", 8) <= 0)
|
||||
{
|
||||
// iOS 14.0 - 15.5 beta 4
|
||||
gPlatformVulnerabilities = (EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1 | EXPLOIT_TYPE_CMS_SIGNERINFO_V1);
|
||||
}
|
||||
else if(strncmp(os_build, "19G5027e", 8) >= 0 && strncmp(os_build, "19G5063a", 8) <= 0)
|
||||
{
|
||||
// iOS 15.6 beta 1 - 5
|
||||
gPlatformVulnerabilities = (EXPLOIT_TYPE_CUSTOM_ROOT_CERTIFICATE_V1 | EXPLOIT_TYPE_CMS_SIGNERINFO_V1);
|
||||
}
|
||||
else if(strncmp(os_build, "20G81", 5) <= 0)
|
||||
{
|
||||
// iOS 14.0 - 16.6.1
|
||||
gPlatformVulnerabilities = EXPLOIT_TYPE_CMS_SIGNERINFO_V1;
|
||||
}
|
||||
else if(strncmp(os_build, "21A5248v", 8) >= 0 && strncmp(os_build, "21A331", 6) <= 0)
|
||||
{
|
||||
// iOS 17.0
|
||||
gPlatformVulnerabilities = EXPLOIT_TYPE_CMS_SIGNERINFO_V1;
|
||||
}
|
||||
|
||||
free(os_build);
|
||||
}
|
||||
|
||||
bool isPlatformVulnerableToExploitType(EXPLOIT_TYPE exploitType) {
|
||||
// Find out what we are vulnerable to
|
||||
static dispatch_once_t once;
|
||||
dispatch_once_f(&once, NULL, determinePlatformVulnerableExploitTypes);
|
||||
|
||||
return (exploitType & gPlatformVulnerabilities) != 0;
|
||||
}
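Review bot: In chineseWifiFixup (second hunk of this file; the NSBundle/PSAppDataUsagePolicyCache variant, which I read as the new side from the line counts in the first hunk), the result of `[bundle load]` is discarded, so if SettingsCellular.framework is missing at that path or fails to load, NSClassFromString returns nil and every later send goes to nil — the function silently does nothing. If that is meant to be best-effort, a diagnostic still makes the failure visible: `if (![bundle load]) { NSLog(@"[chineseWifiFixup] failed to load SettingsCellular.framework"); return; }`. The BOOL arguments are passed as C `true` (`cellular:true wifi:true`) where Cocoa convention is `YES`. The forward `@interface PSAppDataUsagePolicyCache` in the first hunk declares a private-framework class resolved only at runtime; a one-line comment saying so next to it would tell the next reader why the class is looked up by name rather than imported.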
|
||||
|
|
|
@ -19,7 +19,7 @@ include $(THEOS)/makefiles/common.mk
|
|||
APPLICATION_NAME = TrollStorePersistenceHelper
|
||||
|
||||
TrollStorePersistenceHelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m)
|
||||
TrollStorePersistenceHelper_FRAMEWORKS = UIKit CoreGraphics CoreServices CoreTelephony
|
||||
TrollStorePersistenceHelper_FRAMEWORKS = UIKit CoreGraphics CoreServices
|
||||
TrollStorePersistenceHelper_PRIVATE_FRAMEWORKS = Preferences MobileContainerManager
|
||||
TrollStorePersistenceHelper_CFLAGS = -fobjc-arc -I../Shared
|
||||
|
||||
|
|
|
@ -52,7 +52,7 @@
|
|||
<string>iPhoneOS</string>
|
||||
</array>
|
||||
<key>CFBundleVersion</key>
|
||||
<string>2.0.8</string>
|
||||
<string>2.0.7</string>
|
||||
<key>LSRequiresIPhoneOS</key>
|
||||
<true/>
|
||||
<key>UIDeviceFamily</key>
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
Package: com.opa334.trollstorehelper
|
||||
Name: TrollStore Helper
|
||||
Version: 2.0.8
|
||||
Version: 2.0.7
|
||||
Architecture: iphoneos-arm
|
||||
Description: Helper utility to install and manage TrollStore!
|
||||
Maintainer: opa334
|
||||
|
|
|
@ -6,7 +6,10 @@
|
|||
<string>com.opa334.trollstorepersistencehelper</string>
|
||||
<key>com.apple.CommCenter.fine-grained</key>
|
||||
<array>
|
||||
<string>cellular-plan</string>
|
||||
<string>data-usage</string>
|
||||
<string>data-allowed-write</string>
|
||||
<string>preferences-write</string>
|
||||
</array>
|
||||
<key>com.apple.private.persona-mgmt</key>
|
||||
<true/>
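Review bot: The com.apple.CommCenter.fine-grained array on the new side lists four capabilities (cellular-plan, data-usage, data-allowed-write, preferences-write); the hunk counts say three of them are newly added, though this rendering does not show which. Each of these widens what the persistence helper may do to CommCenter state, so from a least-privilege standpoint every entry should be tied to a concrete call the helper makes, and the plist would benefit from one comment per entry once that is confirmed, e.g. `<!-- preferences-write: required by <call site> -->`. The same array is added to the TrollStore app entitlements in the `@ -37,7 +37,10 @@` section further down this page; the note applies there as well.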
|
||||
|
|
|
@ -9,7 +9,7 @@ include $(THEOS)/makefiles/common.mk
|
|||
APPLICATION_NAME = TrollStore
|
||||
|
||||
TrollStore_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m)
|
||||
TrollStore_FRAMEWORKS = UIKit CoreGraphics CoreServices CoreTelephony
|
||||
TrollStore_FRAMEWORKS = UIKit CoreGraphics CoreServices
|
||||
TrollStore_PRIVATE_FRAMEWORKS = Preferences MobileIcons MobileContainerManager
|
||||
TrollStore_LIBRARIES = archive
|
||||
TrollStore_CFLAGS = -fobjc-arc -I../Shared
|
||||
|
|
|
@ -50,7 +50,7 @@
|
|||
<string>iPhoneOS</string>
|
||||
</array>
|
||||
<key>CFBundleVersion</key>
|
||||
<string>2.0.8</string>
|
||||
<string>2.0.7</string>
|
||||
<key>LSRequiresIPhoneOS</key>
|
||||
<true/>
|
||||
<key>UIDeviceFamily</key>
|
||||
|
|
|
@ -1086,7 +1086,7 @@ extern UIImage* imageWithSize(UIImage* image, CGSize size);
|
|||
}
|
||||
else if(isPlatformApplication && isUnsandboxed)
|
||||
{
|
||||
[description appendAttributedString:[[NSAttributedString alloc] initWithString:@"\nThe app can spawn arbitrary binaries as the mobile user." attributes:bodyWarningAttributes]];
|
||||
[description appendAttributedString:[[NSAttributedString alloc] initWithString:@"\nThe app can spawn arbitary binaries as the mobile user." attributes:bodyWarningAttributes]];
|
||||
}
|
||||
else
|
||||
{
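Review bot: If the second of the two appendAttributedString lines is the new side (this rendering lost the +/- markers), the user-facing warning now misspells "arbitrary" as "arbitary" and should read `@"\nThe app can spawn arbitrary binaries as the mobile user."`. This is a security warning shown to the user, so the wording is worth getting right. The enclosing function starts and ends outside the hunk.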
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
Package: com.opa334.trollstore
|
||||
Name: TrollStore
|
||||
Version: 2.0.8
|
||||
Version: 2.0.7
|
||||
Architecture: iphoneos-arm
|
||||
Description: An awesome application!
|
||||
Maintainer: opa334
|
||||
|
|
|
@ -37,7 +37,10 @@
|
|||
<true/>
|
||||
<key>com.apple.CommCenter.fine-grained</key>
|
||||
<array>
|
||||
<string>cellular-plan</string>
|
||||
<string>data-usage</string>
|
||||
<string>data-allowed-write</string>
|
||||
<string>preferences-write</string>
|
||||
</array>
|
||||
<key>com.apple.springboard.opensensitiveurl</key>
|
||||
<true/>
|
||||
|
|