I have been making good progress on my iOS 14 jailbreak! It now uses a kernel patchfinder, PTE-based physical r/w, trustcache injection, gives you a kernel call primitive and injects into launchd at runtime.
What a crazy talk - looks like we have an unpatchable KTRR bypass for A12-A16 (possibly A17) as long as we have a PPL bypass. This will revolutionise jailbreaking for the next few years.
iOS 18 seems to have introduced a new security feature meaning that arbitrarily-entitled binaries not running as root can no longer spawn binaries as root. This means that in the event of another CoreTrust bug, it is unlikely that TrollStore would be able to support iOS 18.
A KTRR bypass will be groundbreaking in terms of jailbreaking. It will likely require a PAC bypass to trigger, but once you can utilise it, you can perform proper kernel patching (like palera1n), bypass any other mitigation in iOS (PAC, PPL) and have a very powerful jailbreak.
CVE-2024-23225: “An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections.”
Looks like an interesting bug! 👀
Big news for TrollStore tweak injection - turns out that all this time you have been able to have arbitrary team IDs using the CoreTrust bypass. Update to ChOma will come soon to support this.
There seems to be some doubt about this, so I will confirm it as well. There is now a TrollStore installation method for iOS 17, it is real and will be released in the future.
AT ALL COSTS, STAY ON 17.0
There is a legitimate installation method that has finally been found for 17.0 (yes - for all devices).
It's not gonna be released for a while (for multitudes of reasons I can't go into), but YOU ARE LITERALLY AT A GOLDEN SPOT - DO NOT UPDATE
I've used my iOS 14 kernel exploit (based on PhysPuppet) to obtain tfp0 on iOS 13. A much easier alternative to PTE-based physical r/w, which is what I'm using on iOS 14.
Any researchers who want to take a better look into the new CoreTrust bug, check out for some more details. Also heavily contributed to @opa334dev and @imnotclarity!
Bad news: myself and @mineekdev have confirmed that kfd (landa) was silently patched in iOS 16.7. This unfortunately means that we now don’t have a kernel exploit for the final iOS 16 versions.
I’ve extended my PhysPuppet exploit into a code-signing bypass for iOS 14 (and it’s not trustcache injection or an amfid debilitate). Once inside a launchd hook, it will completely bypass code-signing for every binary launched.
Previously, the solution was to decrypt an App Store app, re-sign with the CoreTrust bypass, and then inject tweaks. Now, we can theoretically inject into any app without decryption, and even system apps on the root filesystem!
full springboard injection on 16.4.1 arm64e with launchd haxx and @RootHideDev’s bootstrap for app injection. tweak preferences work, the video cut them for length reasons
the video is sped up in the first half by 2x to show the tweaks, but there are no cuts.
Reminder for any developers of TrollStore apps: prepare to update any which have specific version checks, especially those which have MacDirtyCow and kfd options available. A good alternative for a version check is to check whether you can write outside of the sandbox.
Regarding this, the kernel now checks specifically for non-root users trying to spawn a binary as root. It does not affect any other UIDs/GIDs. This may allow for TrollStore to function, but certainly won't allow other root helpers to work.
Update: this is partially incorrect. You still cannot inject into trustcached binaries - this rules out apps on the root filesystem, as well as SpringBoard.
Recently, I've been REing CoreTrust for CVE-2023-41991. I haven't found it yet, but hopefully the notes below can be useful to other researchers while I take a week off.
If you're looking into CT, use the notes from @zhuowei - they helped me a LOT.
Regarding these CoreTrust changes in iOS 17.5, here are some notes I made on them a while back. No, I don't know whether it's exploitable (chances are it's probably not). However, there's no harm in letting anyone else take a look.
Remember when I said a month ago that you should avoid 17.5+? Well, seeing as we're a day away from WWDC and 18.0 beta 1, I think it's time to finally go into why you should stay.
Specifically, there were hardening changes made to CoreTrust in 17.5 (specifically, 17.5 beta 1).
The fact that we’ve lost a reputable developer today, for this exact reason, sums up this community perfectly. People wonder why so many developers leave, but then things like this happen way too often 🤷‍♂️
This should really go without saying, but yet another reminder that doxxing somebody is not acceptable whatsoever.
I can't believe how insane this community is at times, good god.
Pleased to say this super-specific issue has been resolved - a fix will come in the next release of TrollInstallerX. This release will also include support for A8(X) devices, but I am very busy at the moment so there is no ETA!
Looking for help from people with a yellow iPhone 14 or 14 Plus, on its pre-installed version (20D50), either with TrollStore installed, or jailbroken. If you have such a device, reply to this tweet.
@Lfy_Trav
Something about the fact that all of your demo videos involve the device being out-of-shot for several seconds continues to make me think that this is being faked. Can you upload a video where the device is fully in-shot for the entire duration?
@MasterMike88
It only skips one set of userland checks - those done by SpringBoard using Security.framework - but it does these same checks for every single app on the system (except system apps). Clearly it just skips these checks if it’s already open, as it assumes it’s past verification.
@luciascarlet
It uses partial backups (restoring files at specific paths) to make changes. It uses some tricks to get around restrictions (e.g. icon theming is just writing bookmarks to a file that redirect to the app), but it’s a very intelligent idea.
@LeminLimez
@opa334dev
That was the CoreTrust bug, which essentially just blindly trusted the binary and approved its entitlements as it falsely assumed it was signed by Apple.
@foxfortmobile
You need to make sure that the libraries/frameworks are also decrypted, not all decryption utilities do this. Upstream TrollStore has a check for this, but it’s not in the latest release as of yet.
@imjunhyeob13082
Yes, very similar in fact. It uses a technique that means you don’t have to re-sign the binary on-disk, as shown in the video (Cydia is on the root filesystem, which is mounted as read-only).
@haxi0sm
@opa334dev
@TranKha50277352
You can inject into an IPA, install it with TrollStore, and then it will work. But you can’t inject into SpringBoard without basically a full jailbreak, as you can’t replace the binary (because it is trustcache and protected by SSV).
@thezeddess
It was part of a spyware chain, which is being disclosed as a whole. It's likely that, should there be a PAC bypass required, it will also be disclosed.