TrollStore is an amazing tool that I’ve been using for years. It has made possible easy sideloading on iOS without having to worry about certificates, revokes, or app expiration.
Since TrollStore is based on a powerful codesign vulnerability, it also allowed jailbreak-like tweaks to be created, like TrollLED, UiHaruX, TrollRecorder, and many more.
Naturally, Apple quickly patched the vulnerability used in the original iOS 14 TrollStore, but somehow managed to re-add the vulnerability a few versions later and that’s how we got TrollStore 2 with support for iOS 15, iOS 16, and even iOS 17.0.
TL;DR
No, you cannot install TrollStore on iOS 17.0.1 or newer because Apple patched the CoreTrust vulnerability (CVE-2023-41991) in iOS 17.0.1 and iOS 16.7. However, continue reading to better understand how it works and what we would need to make it happen on iOS 18.
TrollStore does work on:
iOS Version | TrollStore Supported? | Installation Method |
---|---|---|
iOS 14.0 – 16.6.1 | ✅ Yes | |
iOS 16.7 RC (20H18) | ✅ Yes | |
iOS 17.0 (not beta) | ✅ Yes | |
iOS 17.0.1+ | ❌ No | Not Supported |
iOS 18.0+ | ❌ No | Not Supported |
How does TrollStore work?
The original TrollStore works through a combination of vulnerabilities, mostly in AMFI / CoreTrust. First, we have CVE-2022-26766, a vulnerability that makes CoreTrust allow any root certificate, which essentially makes code signing pointless.
CoreTrust itself is a powerful security mechanism that checks the signature before AMFID / libMIS.dylib at the userland level even has a chance.
By exploiting the CoreTrust vulnerability, we can essentially trick the system into thinking our app has the App Store policy flag, so no further checks are made and any entitlement can be used. This is particularly powerful since CoreTrust runs before AMFI (Apple Mobile File Integrity) does, so AMFI will believe anything CoreTrust says and perform no further verification.
TrollStore 2 (iOS 16 and iOS 17.0) uses a different vulnerability that also affects CoreTrust: CVE-2023-41991, found by Citizen Lab and Google Threat Analysis Group (TAG) and fixed by Apple in iOS 16.7 and iOS 17.0.1.
![TrollStore installing an app on iOS](https://idevicecentral.com/wp-content/uploads/2025/01/RootHide-Bootstrap-on-TrollStore-473x1024.jpg)
This vulnerability makes CoreTrust wrongly validate CMS blobs for binaries that have multiple signers. The trick is to include an App Store binary that CoreTrust will check; the check succeeds and returns the App Store policy flags, which makes the app skip further scrutiny.
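To make the multiple-signer condition concrete, here is an added example (not code from TrollStore, Apple, or this article) that parses a DER-encoded CMS SignedData blob and counts its SignerInfo entries, the property an analyst would look at when triaging an app's code signature. It assumes the CMS blob has already been extracted from the binary; `needs_review`, `sample_cms` and the sample bytes are constructed for illustration, and flagging more than one signer is a triage heuristic rather than a rule stated on this page.

```python
# Added example (not TrollStore or Apple code): count signers in a DER CMS SignedData blob.
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:  # indefinite or oversized lengths are rejected
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def count_signers(cms_der):
    """Number of SignerInfo entries in a ContentInfo that wraps SignedData."""
    tag, body, _ = read_tlv(cms_der, 0)
    parts = children(body) if tag == 0x30 else []
    if len(parts) != 2 or parts[0] != (0x06, SIGNED_DATA_OID) or parts[1][0] != 0xA0:
        raise ValueError("not a CMS SignedData ContentInfo")
    inner = children(parts[1][1])
    fields = children(inner[0][1]) if inner else []
    if not fields or fields[-1][0] != 0x31:  # signerInfos is the final SET
        raise ValueError("signerInfos SET not found")
    return len(children(fields[-1][1]))

def needs_review(cms_der):  # triage heuristic (assumption): >1 signer gets a manual look
    return count_signers(cms_der) > 1

def tlv(tag, body):  # tiny DER encoder for the constructed sample (bodies under 128 bytes)
    return bytes([tag, len(body)]) + body

def sample_cms(n_signers):  # constructed, unsigned skeleton with placeholder SignerInfos
    signer = tlv(0x30, tlv(0x02, b"\x01"))
    id_data = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))
    fields = tlv(0x02, b"\x01") + tlv(0x31, b"") + id_data + tlv(0x31, signer * n_signers)
    return tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, tlv(0x30, fields)))
```

Calling `count_signers(sample_cms(2))` returns 2 and `needs_review` flags it, while the single-signer sample passes; malformed or truncated input raises `ValueError` instead of being silently accepted.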
The CoreTrust bug itself is not all it takes, particularly because it’s only good for installing system apps. FrontBoard (SpringBoard, a.k.a. the home screen) does additional checks every time you open an app by calling libMIS.dylib.
This call complicates matters because it means you can only replace existing system apps such as Books, Tips, etc. However, this is enough to replace an existing system app and install a Persistence Helper that would keep on re-exploiting the bug.
Can you install TrollStore on iOS 18.0 – iOS 18.3?
Now that you understand how the most important TrollStore component works, you can easily understand why you cannot run it on iOS 18.0 – iOS 18.3 and even on iOS 17.0.1 – 17.x. The CoreTrust bug was patched.
When I first installed iOS 17.0.1 I checked the security changelog and sure enough, the CoreTrust vulnerability CVE-2023-41991 was there.
![Apple patched CVE-2023-41991, the vulnerability used in TrollStore, in iOS 17.0.1, making it unavailable from then on](https://idevicecentral.com/wp-content/uploads/2025/02/CVE-2023-41991-trollstore.png)
As you can see, the security content of iOS 17.0.1 details the vulnerability, saying a malicious application may be able to bypass signature validation. Since Apple patched the bug in iOS 17.0.1 and iOS 16.7, the bug can no longer be used.
Without this bug, TrollStore is essentially dead. It cannot perform the signature bypass, so no more custom entitlements and no more codesign bypass.
Apple has indeed managed to bring TrollStore back from the dead with their sloppy CoreTrust patches. However, based on Apple’s security patch history it’s unlikely this will happen a third time.
For now, TrollStore remains compatible with iOS 14.0 beta 2 – 16.6.1, iOS 16.7 RC (20H18) as well as iOS 17.0 on all devices.
How to install TrollStore?
Since TrollStore supports a wide variety of iOS versions the installation method is different depending on what your device is running.
There have been several installation methods released, such as TrollMisaka, TrollStar, etc. However, by now there are two main and reliable installation methods that I use depending on the iOS version.
- For iOS 14.0 – 16.6.1 and iOS 17.0 BETA: Use TrollInstallerX by @alfiecg_dev
- For iOS 17.0 (not beta) use TrollRestore, a new installation method based on the SparseRestore exploit.
For iOS 14.0 – 16.6.1 and iOS 17.0 BETA
- Download TrollInstallerX from GitHub
- Plug your iOS device into the computer using a USB cable.
- Make sure the device is unlocked and the computer is trusted.
- Using either Sideloadly or AltStore, sideload the IPA file.
- On your device, make sure the Apple ID is allowed in Settings so that you can open the app.
- Open the TrollInstallerX app and press Install TrollStore.
- Choose a system app to be replaced by Persistence Helper (Tips, Books, Measure, Compass, etc.)
- That’s it.
For iOS 17.0 (not beta)
- Make sure iTunes is installed.
- Download the TrollRestore.EXE binary from JJTech0130’s GitHub
- Run the TrollRestore.EXE binary.
- When asked about an app name, type Tips or the system app you installed.
- Your device will reboot by itself when complete.
For iOS 17.0.1 and newer there is no installation method, and even if there was one, the CoreTrust bug that is essentially the engine of TrollStore is patched.
![TrollInstallerX](https://idevicecentral.com/wp-content/uploads/2025/02/TrollInstallerX-app-473x1024jpeg.webp)
![TrollStore Persistence Helper inside Tips app](https://idevicecentral.com/wp-content/uploads/2025/02/tsnewios17png.webp)
While there might be a brand new similar bug in the future, for now, it’s just not possible and any website or video claiming you can install TrollStore on iOS 17.0.1+ or iOS 18 is a scam that you should avoid.
Final Thoughts
I hope this article has clarified for you not only how TrollStore works and what it requires to be able to support an iOS version, but also the compatible iOS versions, installation methods, and best practices.
This is an amazing tool and it has provided us with tweaks, sideloading, and customization apps even without a jailbreak.
This came in clutch considering that the last jailbreak released for modern devices was Dopamine for iOS 16.5. We were able to use Troll to have at least some jailbreak features.
Frequently Asked Questions (FAQ)
❓ Can I install TrollStore on iOS 17.1, iOS 17.2, or later?
❌ No. Apple patched the CoreTrust vulnerability (CVE-2023-41991) in iOS 17.0.1. No installation method works beyond iOS 17.0.
❓ Can I install TrollStore on iOS 18 without a jailbreak?
❌ No. Apple patched CoreTrust exploits in iOS 18.0+. There is no working installation method for TrollStore on iOS 18 or iOS 17.0.1+.
❓ Are there alternatives to TrollStore for sideloading?
Yes. If you are on iOS 17.0.1 or later, you can try:
✔️ AltStore – Requires a PC or Mac to refresh apps every 7 days.
✔️ Sideloadly – Allows sideloading apps via a computer.
✔️ Apple’s Developer Mode – Limited sideloading for registered developers.
❓ Will a new vulnerability bring back TrollStore?
🤔 It’s unlikely. While Apple previously made mistakes with CoreTrust patches, they have since improved security.