The original TrollStore developed by @opa334 allows users to easily install any app / IPA permanently without having to worry about re-signing every 7 days, or about revokes. Today we’ve got word that TrollStore 2 is coming with support for iOS 15.5 up to iOS 16.6.1 and even iOS 17.0.
It turns out Apple introduced an AMFI/CoreTrust bug where iOS does not verify whether the root certificate used to sign a binary is actually a trusted root.
UPDATE: If you’re running iOS 15.0 – 16.5 or iOS 16.6 Beta 1, you can now install TrollStore 2 with Misaka. Here’s a full guide.
This bug allowed developer @opa334 to build TrollStore back on iOS 15 and it’s a very similar bug now that allows TrollStore 2 to be done on iOS 16 and even on iOS 17.0.
What is TrollStore 2?
At its core, TrollStore is an application that once installed, exploits a CoreTrust / AMFI bug in iOS that allows it to install other applications while completely bypassing the CodeSign requirements.
When you install an application from the App Store or by sideloading it with AltStore, Sideloadly, etc., it goes through the normal iOS security processes that check the app's code signature. If the application is signed either by Apple or by an Apple Developer with a valid certificate (either free or paid), the app is installed and sandboxed.
These checks are normally done by the AMFI (Apple Mobile File Integrity) kext (Kernel Extension). Since AMFI is a kernel extension, it has its own userland helper processes such as AMFID (Apple Mobile File Integrity Daemon).
CoreTrust is part of the large Security framework iOS employs to prevent unauthorized app installs. When installing an application, installd (Install Daemon) will check with AMFI / CoreTrust to see if the app should be installed.
AMFI performs the signature checks in the background and returns the result to installd, which either finishes the installation or errors out depending on the outcome.
The bug used in TrollStore is so powerful that this whole affair can be bypassed and the apps can be installed without going through AMFI’s scrutiny.
This makes TrollStore a fantastic way to install apps. Since no certificate is checked, there’s nothing to expire either. Your apps will essentially last forever with just one install.
The research put together by @alfiecg_dev and @opa334 based on CVE-2023-41991 is the basis of TrollStore 2. Yes. This is really happening.
What iOS versions are supported by TrollStore 2?
Since this bug is quite old and Apple somehow missed it, there are many iOS versions supported. However, for some of these, you will need to wait for an installation method to be released.
Exploits like MDC (MacDirtyCow) and KFD (Kernel File Descriptor) can be used as an installation vector for TrollStore 2, so if you have an iOS version compatible with either of these, you're golden.
If you’re running iOS 15.5-15.7.6 or iOS 16.0-16.5 (Any Device)
This is the best iOS version range you can be on. Not only can TrollStore 2 be developed because the CoreTrust bug is present, but you also have an installation vector available (MDC or KFD).
Stay on this version at all costs! You will be amongst the very first people to experience TrollStore 2.
If you’re running iOS 15.7.7-15.8, iOS 16.5.1-16.6.1 or iOS 17.0: (A12+ Device)
TrollStore 2 can be made because the CoreTrust bug exists on these versions. However, there’s no installation vector available for now. iOS 16.6 Beta 1 is technically OK because KFD works there, but for the rest of these, there’s no public kernel exploit available yet.
This isn’t that big of a deal. Kernel exploits are frequently released. You should stay here and not update any further. While you may not be able to use TrollStore 2 once it’s out, it won’t be long before you will get it.
If you’re running iOS 16.7.x
This iOS version range does not support the CoreTrust bug that powers TrollStore 2 so it will not be available for you.
IMPORTANT: You can still DelayOTA to iOS 17.0 if you have an A12+ device. iOS 17.0 has the CoreTrust bug but doesn't have an installation vector yet (installation vectors are much easier to obtain than CoreTrust bugs)!
If you are on iOS 16.7.x A12+, DelayOTA now to iOS 17.0. The deadline is December 20th (UTC 00:00), 2023. After this date, you won’t be able to do that anymore.
If you’re running iOS 17.0.1 or newer
This is the worst version you can be on. There’s no installation vector, and even if there was, the CoreTrust bug is not available on this iOS version range and you cannot use the DelayOTA method (with DelayOTA you can go up but not down).
If you’re running any of these iOS versions, you’ve missed TrollStore 2. Nothing you can do.
Download TrollStore and TrollHelper
If you want to try the latest version of TrollStore and TrollHelper, developer @opa334 has made it available on GitHub as open source.
TrollStore 2.0.15 was released with these changes:
- Fix inaccurate error description when installing an app with additional encrypted binaries (2.0.14 regression)
- Add option in the root helper to specify root helper and persistence helper executable paths when installing a persistence helper
TrollStore 2.0.8 was released with the following changelog:
- Fix Chinese Wi-Fi issues on iOS 16+ (Contributed by @Halo-Michael)
- Deprecate TSBundlePreSigned in favour of TSPreAppliedExploitType (1 for signed with old bug, 2 for signed with new bug) TSBundlePreSigned=1 is treated as TSPreAppliedExploitType=1 (Contributed by @luken11)
Version 2.0 changes:
- Add support for iOS 15.5 – 16.6.1, 17.0 thanks to CVE-2023-41991 (Note that not all devices / versions have an install method, kfd devices will get one shortly by misaka, checkm8 devices can use the TrollHelper package, the arm64e OTA method has been updated to support a few more versions of iOS 15, which exactly we do not know yet, but 15.5 is definitely supported by it now)
- Fix a minor bug where TrollStore wouldn’t delete an app’s data container when uninstalling it
- Remove dependency on ldid
- Add donation links
What is a Persistence Helper?
The bug used in TrollStore 1 is only powerful enough to install “System” apps, because iOS performs additional security checks every time the user launches a new application.
It’s not currently possible to install a new “System” app that persists when the icon cache is rebuilt. When that happens, all TrollStore-installed apps, including the TrollStore app itself, lose their “System app” status and won’t launch anymore.
To fix this, you can install a persistence helper into a system app. This tool can be used to make TrollStore and the apps installed by it be recognized as System apps once again so that they can load.
The option to enable such a Persistence Helper is available in TrollStore settings.
IMPORTANT: Applications that are installed with TrollStore can only be uninstalled via TrollStore. You will not be able to hold the app icon and press X (because System apps cannot be deleted).
How to install TrollStore (TrollHelperOTA) on iOS 15?
Keep in mind this is the method to install TrollStore 1. For TrollStore 2 we don’t have any install method yet.
To install TrollHelperOTA on iOS 15.0 – 15.4.1 on all devices, follow the steps below:
- On your iPhone in Safari, navigate to this URL: https://api.jailbreaks.app/troll
- You will be asked if you want to let the website install an app. Press Install.
- After the process finishes, you should have a new app called GTA Car Tracker on the Home Screen.
- If this app is not there, reboot your device. It should appear after that. Check all app pages.
- Launch GTA Car Tracker and tap the “Install TrollStore” button.
- After your device resprings, TrollStore should be installed.
- Either delete GTA Car Tracker or register it as the Persistence Helper (there’s an option on the app). Don’t delete the app if you register it as such.
- Open TrollStore and tap the “Install ldid” button in Settings.
- That’s it. To install IPA files with TrollStore, open the Share Sheet and share them with TrollStore. Apps will be permanently installed and will not expire.
What URI Schemes does TrollStore register?
To avoid jailbreak detection from apps, TrollStore doesn’t register its own URI scheme. Instead, TrollStore replaces the URI scheme for Apple Magnifier, a system app.
The URI scheme in use would be: apple-magnifier://install?url=<URL_to_IPA>
This way applications that perform jailbreak detection cannot detect TrollStore. To those apps, it would look like you have Apple Magnifier (everybody does, it comes with iOS), but you can use that URI scheme to make TrollStore install an IPA from any link.
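Because the apple-magnifier://install URL is a link that any web page or app can open, the handler on the receiving end has to validate what it is given before acting on it. The following is an added example (not TrollStore's own code) of what a conservative parser for that URI shape looks like: it accepts only the install host, requires exactly one url parameter, and requires that the target be an http(s) URL. The function names and the sample URIs are constructed for this illustration.

```python
from urllib.parse import urlsplit, parse_qs

# URI shape from the article: apple-magnifier://install?url=<URL_to_IPA>
EXPECTED_SCHEME = "apple-magnifier"
EXPECTED_HOST = "install"


def parse_install_uri(uri: str) -> str:
    """Return the IPA URL carried by an apple-magnifier install URI.

    Raises ValueError for anything that does not match the expected shape,
    so a handler can refuse the request instead of fetching an arbitrary target.
    """
    parts = urlsplit(uri)
    if parts.scheme != EXPECTED_SCHEME:
        raise ValueError("unexpected scheme: %r" % parts.scheme)
    if parts.netloc != EXPECTED_HOST or parts.path not in ("", "/"):
        raise ValueError("unexpected action: %r%r" % (parts.netloc, parts.path))

    # parse_qs percent-decodes the value, so a properly encoded target URL
    # that itself contains ?, & or # survives intact.
    query = parse_qs(parts.query, keep_blank_values=True)
    targets = query.get("url", [])
    if len(targets) != 1 or not targets[0]:
        raise ValueError("exactly one non-empty url parameter is required")

    target = targets[0]
    t = urlsplit(target)
    # Only fetch over HTTP(S); file://, javascript:, data: and friends are refused.
    if t.scheme not in ("http", "https") or not t.netloc:
        raise ValueError("target must be an http(s) URL: %r" % target)
    return target


def is_valid_install_uri(uri: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_install_uri(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample URIs; example.com hosts nothing.
    samples = [
        "apple-magnifier://install?url=https%3A%2F%2Fexample.com%2Fapp.ipa%3Fv%3D2",
        "apple-magnifier://install?url=https://example.com/app.ipa",
        "apple-magnifier://install?url=file:///private/var/app.ipa",
        "apple-magnifier://settings?url=https://example.com/app.ipa",
        "https://example.com/app.ipa",
    ]
    for s in samples:
        print("%-5s %s" % (is_valid_install_uri(s), s))
```

Note that an unencoded target URL with its own query string would be split by parse_qs at the first & and lose part of the URL, which is why the first sample percent-encodes the whole target; that is the form a caller should generate.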
TrollStore and App Entitlements
The following binary entitlements cannot be used with TrollStore 1. It’s unclear if the same limitations will apply to TrollStore 2:
com.apple.private.cs.debugger
dynamic-codesigning
com.apple.private.skip-library-validation
However, using TrollStore 1 you can make your apps escape the sandbox by using any of the following entitlements:
<key>com.apple.private.security.container-required</key>
<false/>
<key>com.apple.private.security.no-container</key>
<true/>
<key>com.apple.private.security.no-sandbox</key>
<true/>
Developer @opa334 recommends using the third one, as it keeps the container for the application. It’s also likely that you need the platform-application entitlement for these to work:
<key>platform-application</key>
<true/>
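Because TrollStore-installed apps skip AMFI's signature check, the entitlements an IPA carries are the only thing standing between it and the rest of the system, so a reviewer or administrator auditing such an app will want to inspect them. The following is an added example (not part of TrollStore or the article) that reads an entitlements plist with Python's standard plistlib and flags the three entitlements the article says TrollStore 1 cannot grant, the three sandbox-escape settings it lists, and the platform-application flag. The sample plist is constructed for the illustration; in practice the plist would come from a tool such as `codesign -d --entitlements` on macOS.

```python
import plistlib

# Entitlements the article says TrollStore 1 cannot use at all.
BLOCKED_ENTITLEMENTS = {
    "com.apple.private.cs.debugger",
    "dynamic-codesigning",
    "com.apple.private.skip-library-validation",
}

# Entitlement -> value pairs the article lists as sandbox escapes.
SANDBOX_ESCAPES = {
    "com.apple.private.security.container-required": False,
    "com.apple.private.security.no-container": True,
    "com.apple.private.security.no-sandbox": True,
}

PLATFORM_APPLICATION = "platform-application"


def audit_entitlements(plist_bytes: bytes) -> dict:
    """Classify the entitlements in an XML or binary plist.

    Returns a dict with the blocked entitlements present, the sandbox-escape
    settings present (only counted when set to the escaping value), whether
    platform-application is set, and whether the app still looks sandboxed.
    """
    entitlements = plistlib.loads(plist_bytes)
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist must contain a dictionary")

    blocked = sorted(k for k in entitlements if k in BLOCKED_ENTITLEMENTS)
    escapes = sorted(
        k for k, v in entitlements.items()
        if k in SANDBOX_ESCAPES and v == SANDBOX_ESCAPES[k]
    )
    platform = bool(entitlements.get(PLATFORM_APPLICATION, False))
    return {
        "blocked": blocked,
        "sandbox_escape": escapes,
        "platform_application": platform,
        "sandboxed": not escapes,
    }


# Constructed sample: an app requesting the no-sandbox escape plus one blocked entitlement.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>EXAMPLE.com.example.sampleapp</string>
    <key>com.apple.private.security.no-sandbox</key>
    <true/>
    <key>com.apple.private.security.container-required</key>
    <true/>
    <key>platform-application</key>
    <true/>
    <key>dynamic-codesigning</key>
    <true/>
</dict>
</plist>
"""


if __name__ == "__main__":
    for key, value in audit_entitlements(SAMPLE_ENTITLEMENTS).items():
        print("%-22s %s" % (key, value))
```

container-required is only reported when it is explicitly false, matching the article's listing; in the sample it is true and so is not flagged, while no-sandbox is. Binary plists work unchanged because plistlib.loads detects the format.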