Go to file
opa334 78e617e783 Reimplement fallback entitlements 2023-11-26 21:41:10 +01:00
.github/ISSUE_TEMPLATE Update bug-report-issue-template.yml 2022-10-10 14:46:23 +08:00
Exploits/fastPathSign Reimplement fallback entitlements 2023-11-26 21:41:10 +01:00
Pwnify UTF8String -> fileSystemRepresentation for paths 2022-11-13 21:41:39 +03:00
RootHelper Reimplement fallback entitlements 2023-11-26 21:41:10 +01:00
Shared Remove all mentions of ldid 2023-11-26 17:56:14 +01:00
TrollHelper TrollStore 2: First working POC :D 2023-11-26 20:43:30 +01:00
TrollStore Reimplement fallback entitlements 2023-11-26 21:41:10 +01:00
Victim remove mentions of User app installation as those can't work 2022-10-15 15:46:38 +02:00
.gitignore TrollStore 1.2, new build setup, deprecate installers in favor of TrollHelperOTA, add jailbreak guide, add better version compatibility notes 2022-10-11 22:57:08 +02:00
LICENSE TrollStore 1.2, new build setup, deprecate installers in favor of TrollHelperOTA, add jailbreak guide, add better version compatibility notes 2022-10-11 22:57:08 +02:00
Makefile Reimplement fallback entitlements 2023-11-26 21:41:10 +01:00
README.md Update README.md 2023-11-26 15:14:03 +01:00
cert.p12 1.5.0~b1 2023-01-21 13:52:39 +01:00
install_sshrd.md the steps were reversed 2022-11-30 17:32:36 -05:00
install_trollhelper.md Remove all mentions of ldid 2023-11-26 17:56:14 +01:00
install_trollhelperota_arm64e.md Remove all mentions of ldid 2023-11-26 17:56:14 +01:00
install_trollhelperota_ios15.md Remove all mentions of ldid 2023-11-26 17:56:14 +01:00

README.md

TrollStore

TrollStore is a permasigned jailed app that can permanently install any IPA you open in it.

It works because of an AMFI/CoreTrust bug where iOS does not verify whether or not a root certificate used to sign a binary is legit.

Installing TrollStore

Installation Guides

Version / Device arm64 (A8 - A11) arm64e (A12 - A17, M1-M2)
13.7 and below Not Supported (Both CT Bugs only got introduced in 14.0) Not Supported (Both CT Bugs only got introduced in 14.0)
14.0 - 14.8.1 checkra1n + TrollHelper TrollHelperOTA (arm64e)
15.0 - 15.4.1 TrollHelperOTA (iOS 15+) TrollHelperOTA (iOS 15+)
15.5 beta 1 - 4 TrollHelperOTA (iOS 15+) TrollHelperOTA (iOS 15+)
15.5 Coming Soon Coming Soon
15.6 beta 1 - 5 TrollHelperOTA (iOS 15+) TrollHelperOTA (iOS 15+)
15.6 - 16.5 Coming Soon Coming Soon
16.5.1 - 16.6.1 Coming Soon No Installation Method
16.7 - 16.7.2 Not Supported (Both CT Bugs fixed) Not Supported (Both CT Bugs fixed)
17.0 Coming Soon No Installation Method
17.0.1 and newer Not Supported (Both CT Bugs fixed) Not Supported (Both CT Bugs fixed)

Due to the discovery of a new CoreTrust vulnerability, support for 15.5 - 16.6.1 and 17.0 will be added in the future. Stay on these versions if you want TrollStore. 16.7 and 17.0.1+ will NEVER be supported (unless Apple fucks CoreTrust up a third time...).

Updating TrollStore

When a new TrollStore update is available, a button to install it will appear at the top in the TrollStore settings. After tapping the button, TrollStore will automatically download the update, install it, and respring.

Alternatively (if anything goes wrong), you can download the TrollStore.tar file under Releases and open it in TrollStore, TrollStore will install the update and respring.

Uninstalling an app

Apps installed from TrollStore can only be uninstalled from TrollStore itself, tap an app or swipe it to the right in the 'Apps' tab to delete it.

Persistence Helper

The CoreTrust bug used in TrollStore is only enough to install "System" apps, this is because FrontBoard has an additional security check (it calls libmis) every time before a user app is launched. Unfortunately it is not possible to install new "System" apps that stay through an icon cache reload. Therefore, when iOS reloads the icon cache, all TrollStore installed apps including TrollStore itself will revert back to "User" state and will no longer launch.

The only way to work around this is to install a persistence helper into a system app, this helper can then be used to reregister TrollStore and its installed apps as "System" so that they become launchable again, an option for this is available in TrollStore settings.

On jailbroken iOS 14 when TrollHelper is used for installation, it is located in /Applications and will persist as a "System" app through icon cache reloads, therefore TrollHelper is used as the persistence helper on iOS 14.

URL Scheme

As of version 1.3, TrollStore replaces the system URL scheme "apple-magnifier" (this is done so "jailbreak" detections can't detect TrollStore like they could if TrollStore had a unique URL scheme). This URL scheme can be used to install applications right from the browser, the format goes as follows:

apple-magnifier://install?url=<URL_to_IPA>

On devices that don't have TrollStore (1.3+) installed, this will just open the magnifier app.

Features

The binaries inside an IPA can have arbitrary entitlements, fakesign them with ldid and the entitlements you want (ldid -S<path/to/entitlements.plist> <path/to/binary>) and TrollStore will preserve the entitlements when resigning them with the fake root certificate on installation. This gives you a lot of possibilities, some of which are explained below.

Banned entitlements

iOS 15 on A12+ has banned the following three entitlements related to running unsigned code, these are impossible to get without a PPL bypass, apps signed with them will crash on launch.

com.apple.private.cs.debugger

dynamic-codesigning

com.apple.private.skip-library-validation

Unsandboxing

Your app can run unsandboxed using one of the following entitlements:

<key>com.apple.private.security.container-required</key>
<false/>
<key>com.apple.private.security.no-container</key>
<true/>
<key>com.apple.private.security.no-sandbox</key>
<true/>

The third one is recommended if you still want a sandbox container for your application.

You might also need the platform-application entitlement in order for these to work properly:

<key>platform-application</key>
<true/>

Please note that the platform-application entitlement causes side effects such as some parts of the sandbox becoming tighter, so you may need additional private entitlements to circumvent that. (For example afterwards you need an exception entitlement for every single IOKit user client class you want to access).

In order for an app with com.apple.private.security.no-sandbox and platform-application to be able to access it's own data container, you might need the additional entitlement:

<key>com.apple.private.security.storage.AppDataContainers</key>
<true/>

Root Helpers

When your app is not sandboxed, you can spawn other binaries using posix_spawn, you can also spawn binaries as root with the following entitlement:

<key>com.apple.private.persona-mgmt</key>
<true/>

You can also add your own binaries into your app bundle.

Afterwards you can use the spawnRoot function in TSUtil.m to spawn the binary as root.

Things that are not possible using TrollStore

  • Getting proper platformization (TF_PLATFORM / CS_PLATFORMIZED)
  • Spawning a launch daemon (Would need CS_PLATFORMIZED)
  • Injecting a tweak into a system process (Would need TF_PLATFORM, a userland PAC bypass and a PMAP trust level bypass)

Credits and Further Reading

@LinusHenze - Found the CoreTrust bug that allows TrollStore to work.

Fugu15 Presentation

Write-Up on the CoreTrust bug with more information.