Alfie

@alfiecg_dev

4,321
Followers
154
Following
9
Media
159
Statuses

17, iOS security

Joined August 2022
Pinned Tweet
@alfiecg_dev
Alfie
1 month
I have been making good progress on my iOS 14 jailbreak! It now uses a kernel patchfinder, PTE-based physical r/w, trustcache injection, gives you a kernel call primitive and injects into launchd at runtime.
@alfiecg_dev
Alfie
7 months
What a crazy talk - looks like we have an unpatchable KTRR bypass for A12-A16 (possibly A17) as long as we have a PPL bypass. This will revolutionise jailbreaking for the next few years.
@opa334dev
opa334
7 months
Very excited for this one! #37c3
@alfiecg_dev
Alfie
4 months
iOS 14.0 - 16.6.1 (arm64) ✅
iOS 14.0 - 16.5.1 (A12 - A14) ✅
iOS 14.0 - 16.5 (A15 - A16) ✅
Remaining versions: ⏱️
@alfiecg_dev
Alfie
2 months
iOS 18 seems to have introduced a new security feature meaning that arbitrarily-entitled binaries not running as root can no longer spawn binaries as root. This means that in the event of another CoreTrust bug, it is unlikely that TrollStore would be able to support iOS 18.
@alfiecg_dev
Alfie
5 months
👀
@alfiecg_dev
Alfie
7 months
A KTRR bypass will be groundbreaking in terms of jailbreaking. It will likely require a PAC bypass to trigger, but once you can utilise it, you can perform proper kernel patching (like palera1n), bypass any other mitigation in iOS (PAC, PPL) and have a very powerful jailbreak.
@alfiecg_dev
Alfie
5 months
CVE-2024-23225: “An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections.” Looks like an interesting bug! 👀
@alfiecg_dev
Alfie
7 months
Big news for TrollStore tweak injection - turns out that all this time you have been able to have arbitrary team IDs using the CoreTrust bypass. Update to ChOma will come soon to support this.
@alfiecg_dev
Alfie
6 months
Finally got NewTerm working, this is dope! Thanks @icrazeios for the help!
@alfiecg_dev
Alfie
2 months
This afternoon, I wrote my first kernel exploit, based on PhysPuppet. Super fun project and I learned a lot!
@alfiecg_dev
Alfie
2 months
There seems to be some doubt about this, so I will confirm it as well. There is now a TrollStore installation method for iOS 17, it is real and will be released in the future.
@MasterMike88
Michael
2 months
AT ALL COSTS, STAY ON 17.0 There is a legitimate installation method that has finally been found for 17.0 (yes - for all devices). It's not gonna be released for a while (for multitudes of reasons I can't go into), but YOU ARE LITERALLY AT A GOLDEN SPOT - DO NOT UPDATE
@alfiecg_dev
Alfie
26 days
I've used my iOS 14 kernel exploit (based on PhysPuppet) to obtain tfp0 on iOS 13. A much easier alternative to PTE-based physical r/w, which is what I'm using on iOS 14.
@alfiecg_dev
Alfie
8 months
Happy TrollStore 2.0 day everyone! So glad it’s finally released 🎉
@opa334dev
opa334
8 months
TrollStore 2 is out now. Installation methods and more info will follow soon.
@alfiecg_dev
Alfie
8 months
Any researchers who want to take a better look into the new CoreTrust bug, check out for some more details. Also heavily contributed to @opa334dev and @imnotclarity !
@alfiecg_dev
Alfie
7 months
Bad news: myself and @mineekdev have confirmed that kfd (landa) was silently patched in iOS 16.7. This unfortunately means that we now don’t have a kernel exploit for the final iOS 16 versions.
@alfiecg_dev
Alfie
4 months
🔜
@alfiecg_dev
Alfie
2 months
I’ve extended my PhysPuppet exploit into a code-signing bypass for iOS 14 (and it’s not trustcache injection or an amfid debilitate). Once inside a launchd hook, it will completely bypass code-signing for every binary launched.
@alfiecg_dev
Alfie
7 months
Previously, the solution was to decrypt an App Store app, re-sign with the CoreTrust bypass, and then inject tweaks. Now, we can theoretically inject into any app without decryption, and even system apps on the root filesystem!
@alfiecg_dev
Alfie
7 months
Great work! 🔥🔥
@htrowii
sacrosanctuary
7 months
Full SpringBoard injection on 16.4.1 arm64e with launchd haxx and @RootHideDev's bootstrap for app injection. Tweak preferences work; the video cut them for length reasons. The video is sped up in the first half by 2x to show the tweaks, but there are no cuts.
@alfiecg_dev
Alfie
8 months
Reminder for any developers of TrollStore apps: prepare to update any which have specific version checks, especially those which have MacDirtyCow and kfd options available. A good alternative for a version check is to check whether you can write outside of the sandbox.
@alfiecg_dev
Alfie
8 months
@opa334dev Maybe try “fastPathSign2 <path/to/your/binary” ⁉️
@alfiecg_dev
Alfie
2 months
Regarding this, the kernel now checks specifically for non-root users trying to spawn a binary as root. It does not affect any other UIDs/GIDs. This may allow for TrollStore to function, but certainly won't allow other root helpers to work.
@alfiecg_dev
Alfie
2 months
iOS 18 seems to have introduced a new security feature meaning that arbitrarily-entitled binaries not running as root can no longer spawn binaries as root. This means that in the event of another CoreTrust bug, it is unlikely that TrollStore would be able to support iOS 18.
@alfiecg_dev
Alfie
7 months
Update: this is partially incorrect. You still cannot inject into trustcached binaries - this rules out apps on the root filesystem, as well as SpringBoard.
@alfiecg_dev
Alfie
7 months
Previously, the solution was to decrypt an App Store app, re-sign with the CoreTrust bypass, and then inject tweaks. Now, we can theoretically inject into any app without decryption, and even system apps on the root filesystem!
@alfiecg_dev
Alfie
10 months
Recently, I've been REing CoreTrust for CVE-2023-41991. I haven't found it yet, but hopefully the notes below can be useful to other researchers while I take a week off. If you're looking into CT, use the notes from @zhuowei - they helped me a LOT.
@alfiecg_dev
Alfie
5 months
14.0 - 16.6.1 arm64, 14.0 - 16.5.1 arm64e: direct TrollStore installation (no overwriting a system app)
16.6 - 16.6.1 arm64e: overwriting a system app
@alfiecg_dev
Alfie
2 months
Regarding these CoreTrust changes in iOS 17.5, here are some notes I made on them a while back. No, I don't know whether it's exploitable (chances are it's probably not). However, there's no harm in letting anyone else take a look.
@MasterMike88
Michael
2 months
Remember when I said a month ago that you should avoid 17.5+? Well, seeing as we're a day away from WWDC and 18.0 beta 1, I think it's time to finally go into why you should stay. Specifically, there were hardening changes made to CoreTrust in 17.5 (specifically, 17.5 beta 1).
@alfiecg_dev
Alfie
7 months
@g3nNuk_e It’s a hardware exploit, using undocumented registers. It can only be mitigated against, but not fully patched.
@alfiecg_dev
Alfie
5 months
Unfortunately it seems this bug will not be usable to install TrollStore.
@bomberfish77
BomberFish (@[email protected])
5 months
Installing TrollStore on 17.0.0 might be possible soon™
@alfiecg_dev
Alfie
1 month
This also affects iOS 17.6.
@alfiecg_dev
Alfie
2 months
Regarding this, the kernel now checks specifically for non-root users trying to spawn a binary as root. It does not affect any other UIDs/GIDs. This may allow for TrollStore to function, but certainly won't allow other root helpers to work.
@alfiecg_dev
Alfie
7 months
The fact that we’ve lost a reputable developer today, for this exact reason, sums up this community perfectly. People wonder why so many developers leave, but then things like this happen way too often 🤷‍♂️
@MasterMike88
Michael
7 months
This should really go without saying, but yet another reminder that doxxing somebody is not acceptable whatsoever. I can't believe how insane this community is at times, good god.
@alfiecg_dev
Alfie
6 months
Any ideas?
@alfiecg_dev
Alfie
3 months
Pleased to say this super-specific issue has been resolved - a fix will come in the next release of TrollInstallerX. This release will also include support for A8(X) devices, but I am very busy at the moment so there is no ETA!
@alfiecg_dev
Alfie
5 months
Looking for help from people with a yellow iPhone 14 or 14 Plus, on its pre-installed version (20D50), either with TrollStore installed, or jailbroken. If you have such a device, reply to this tweet.
@alfiecg_dev
Alfie
7 months
@xina520 Nice work! 🔥
@alfiecg_dev
Alfie
6 months
🤔
@alfiecg_dev
Alfie
8 months
@Lfy_Trav Something about the fact that all of your demo videos involve the device being out-of-shot for several seconds continues to make me think that this is being faked. Can you upload a video where the device is fully in-shot for the entire duration?
@alfiecg_dev
Alfie
2 months
Thank you to @opa334dev for looking into the change!
@alfiecg_dev
Alfie
6 months
Achilles should now have support for Linux hosts. If you have a Linux machine and a checkm8 device, please test and let me know!
@alfiecg_dev
Alfie
8 months
@charaleez_mc This isn’t me saying a TrollStore update is happening anytime soon, it’s just a reminder to developers.
@alfiecg_dev
Alfie
2 months
Shoutout to @staturnzdev for help with the IOSurface spray strategy, as well as overall help with writing the exploit 🔥
@alfiecg_dev
Alfie
8 months
@Lfy_Trav You clearly used the app switcher to swipe out of a screenshot of the tweak running. This doesn’t show it actually running on the phone.
@alfiecg_dev
Alfie
6 months
@halo_michael You can’t use fork() without being trustcached (that’s why Dopamine has forkfix).
@alfiecg_dev
Alfie
7 months
@htrowii The KTRR bypass doesn’t affect A11/A10 I don’t think
@alfiecg_dev
Alfie
8 months
@MasterMike88 It only skips one set of userland checks - those done by SpringBoard using Security.framework - but it does these same checks for every single app on the system (except system apps). Clearly it just skips these checks if it’s already open, as it assumes it’s past verification.
@alfiecg_dev
Alfie
6 months
@c22_dev Thank you!
@alfiecg_dev
Alfie
7 months
@SamGuichelaar LeminLimez (Cowabunga developer)
@alfiecg_dev
Alfie
7 months
@wh1te4ever @eveiyneee @zhuowei There’s no overwriting involved - you just replace launchd and then hook it to open a custom SpringBoard binary.
@alfiecg_dev
Alfie
6 months
@luciascarlet It uses partial backups (restoring files at specific paths) to make changes. It uses some tricks to get around restrictions (e.g. icon theming is just writing bookmarks to a file that redirect to the app), but it’s a very intelligent idea.
@alfiecg_dev
Alfie
7 months
@wh1te4ever @eveiyneee If you’re injecting libraries, you’ll need to use the original launchd entitlements + get-task-allow.
@alfiecg_dev
Alfie
7 months
@imnotclarity Gotta set an alarm, I don’t want to miss this 😯
@alfiecg_dev
Alfie
7 months
@itsnebulalol @riscv64 The app binary won’t work when run as a regular CLI binary, you’ll have to modify its entry. See for a good example.
@alfiecg_dev
Alfie
4 months
@michael_melita Planning to if I can
@alfiecg_dev
Alfie
5 months
@sourceloc Redesign is planned 💪
@alfiecg_dev
Alfie
8 months
@MasterMike88 @notdarkn That’s what happens when you completely refactor a kext to do something it was never intended to do 💯
@alfiecg_dev
Alfie
11 months
@LeminLimez @opa334dev That was the CoreTrust bug, which essentially just blindly trusted the binary and approved its entitlements as it falsely assumed it was signed by Apple.
@alfiecg_dev
Alfie
5 months
@dleovl It means you can use the apple-magnifier:// URL scheme to install apps in TrollStore.
@alfiecg_dev
Alfie
5 months
@tealbathingsuit @MasterMike88 Bug is useless anyway - there’s no directory that both the user and xpcroleaccountd can access.
@alfiecg_dev
Alfie
8 months
@foxfortmobile You need to make sure that the libraries/frameworks are also decrypted, not all decryption utilities do this. Upstream TrollStore has a check for this, but it’s not in the latest release as of yet.
@alfiecg_dev
Alfie
2 months
@imjunhyeob13082 Yes, very similar in fact. It uses a technique that means you don’t have to re-sign the binary on-disk, as shown in the video (Cydia is on the root filesystem, which is mounted as read-only).
@alfiecg_dev
Alfie
8 months
@c22_dev Hi! I won’t speak, but if you’ve got any questions I can try and answer them.
@alfiecg_dev
Alfie
5 months
@Jailbreaki0S Really? Can you show the model and build number in Settings > General > About?
@alfiecg_dev
Alfie
8 months
@tihmstar @opa334dev @CokePokes Needs to be an App Store CD, so we can’t just distribute multiple of them without explicit developer permission.
@alfiecg_dev
Alfie
8 months
@haxi0sm @opa334dev @TranKha50277352 You can inject into an IPA, install it with TrollStore, and then it will work. But you can’t inject into SpringBoard without basically a full jailbreak, as you can’t replace the binary (because it is trustcache and protected by SSV).
@alfiecg_dev
Alfie
1 month
@TranKha50277352 🤷‍♂️
@alfiecg_dev
Alfie
2 months
@kpwn930 Not yet.
@alfiecg_dev
Alfie
6 months
Reliability is unfortunately not great, from my testing. “Failed to send overwrite” is a common reason for exploit failure.
@alfiecg_dev
Alfie
8 months
@whitetailani @MasterMike88 The app switcher state is stored in a file (you can even change it through backups).
@alfiecg_dev
Alfie
2 months
@c4ndyf1sh I plan to open-source it at some point, yes
@alfiecg_dev
Alfie
10 months
If you have any questions, you can reply to this post and/or DM me.
@alfiecg_dev
Alfie
7 months
@thezeddess It was part of a spyware chain, which is being disclosed as a whole. It's likely that, should there be a PAC bypass required, it will also be disclosed.
@alfiecg_dev
Alfie
7 months
@ImHaft @g3nNuk_e It’s unpatchable but it’s not a BootROM exploit
@alfiecg_dev
Alfie
8 months
@SeanIsTethered @Lfy_Trav It’s very clear that he did not actually get tweak injection if you watch the videos carefully.
@alfiecg_dev
Alfie
6 months
@sub_arale @MasterMike88 I think this is because NULL pointer is PACd on those versions (for some reason this got reversed on iOS 15.2 I believe).