[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-71754":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":9,"rankLanguage":9,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":22,"topics":25,"createdAt":9,"pushedAt":9,"updatedAt":26,"readmeContent":27,"aiSummary":28,"trendingCount":15,"starSnapshotCount":15,"syncStatus":29,"lastSyncTime":30,"discoverSource":31},71754,"TrollStore","opa334\u002FTrollStore","opa334","Jailed iOS app that can install IPAs permanently with arbitrary entitlements and root helpers because it trolls Apple",null,"Objective-C",21538,1581,363,46,0,22,52,167,66,119.6,"Other",false,"main",true,[],"2026-06-12 04:01:01","# TrollStore\n\nTrollStore is a permasigned jailed app that can permanently install any IPA you open in it.\n\nIt works because of an AMFI\u002FCoreTrust bug where iOS does not correctly verify code signatures of binaries in which there are multiple signers.\n\nSupported versions: 14.0 beta 2 - 16.6.1, 16.7 RC (20H18), 17.0\n\n## Installing TrollStore\n\nFor installing TrollStore, refer to the guides at [ios.cfw.guide](https:\u002F\u002Fios.cfw.guide\u002Finstalling-trollstore)\n\n16.7.x (excluding 16.7 RC) and 17.0.1+ will NEVER be supported (unless a third CoreTrust bug is discovered, which is unlikely).\n\n## Updating TrollStore\n\nWhen a new TrollStore update is available, a button to install it will appear at the top in the TrollStore settings. 
After tapping the button, TrollStore will automatically download the update, install it, and respring.\n\nAlternatively (if anything goes wrong), you can download the TrollStore.tar file under Releases and open it in TrollStore; TrollStore will install the update and respring.\n\n## Uninstalling an app\n\nApps installed from TrollStore can only be uninstalled from TrollStore itself; tap an app or swipe it to the left in the 'Apps' tab to delete it.\n\n## Persistence Helper\n\nThe CoreTrust bug used in TrollStore is only enough to install \"System\" apps; this is because FrontBoard has an additional security check (it calls libmis) every time before a user app is launched. Unfortunately it is not possible to install new \"System\" apps that stay through an icon cache reload. Therefore, when iOS reloads the icon cache, all TrollStore-installed apps including TrollStore itself will revert back to \"User\" state and will no longer launch.\n\nThe only way to work around this is to install a persistence helper into a system app; this helper can then be used to reregister TrollStore and its installed apps as \"System\" so that they become launchable again. An option for this is available in TrollStore settings.\n\nOn jailbroken iOS 14 when TrollHelper is used for installation, it is located in \u002FApplications and will persist as a \"System\" app through icon cache reloads; therefore TrollHelper is used as the persistence helper on iOS 14.\n\n## URL Scheme\n\nAs of version 1.3, TrollStore replaces the system URL scheme \"apple-magnifier\" (this is done so \"jailbreak\" detections can't detect TrollStore like they could if TrollStore had a unique URL scheme). 
This URL scheme can be used to install applications right from the browser, or to enable JIT from the app itself (only 2.0.12 and above); the format is as follows:\n\n- `apple-magnifier:\u002F\u002Finstall?url=\u003CURL_to_IPA>`\n- `apple-magnifier:\u002F\u002Fenable-jit?bundle-id=\u003CBundle_ID>`\n\nOn devices that don't have TrollStore (1.3+) installed, this will just open the magnifier app.\n\n## Features\n\nThe binaries inside an IPA can have arbitrary entitlements: fakesign them with ldid and the entitlements you want (`ldid -S\u003Cpath\u002Fto\u002Fentitlements.plist> \u003Cpath\u002Fto\u002Fbinary>`) and TrollStore will preserve the entitlements when resigning them with the fake root certificate on installation. This gives you a lot of possibilities, some of which are explained below.\n\n### Banned entitlements\n\niOS 15 on A12+ has banned the following three entitlements related to running unsigned code; these are impossible to get without a PPL bypass, and apps signed with them will crash on launch.\n\n`com.apple.private.cs.debugger`\n\n`dynamic-codesigning`\n\n`com.apple.private.skip-library-validation`\n\n### Unsandboxing\n\nYour app can run unsandboxed using one of the following entitlements:\n\n```xml\n\u003Ckey>com.apple.private.security.container-required\u003C\u002Fkey>\n\u003Cfalse\u002F>\n```\n\n```xml\n\u003Ckey>com.apple.private.security.no-container\u003C\u002Fkey>\n\u003Ctrue\u002F>\n```\n\n```xml\n\u003Ckey>com.apple.private.security.no-sandbox\u003C\u002Fkey>\n\u003Ctrue\u002F>\n```\n\nThe third one is recommended if you still want a sandbox container for your application.\n\nYou might also need the platform-application entitlement in order for these to work properly:\n\n```xml\n\u003Ckey>platform-application\u003C\u002Fkey>\n\u003Ctrue\u002F>\n```\n\nPlease note that the platform-application entitlement causes side effects such as some parts of the sandbox becoming tighter, so you may need additional private entitlements to circumvent that. 
(For example, afterwards you need an exception entitlement for every single IOKit user client class you want to access.)\n\nIn order for an app with `com.apple.private.security.no-sandbox` and `platform-application` to be able to access its own data container, you might need the additional entitlement:\n\n```xml\n\u003Ckey>com.apple.private.security.storage.AppDataContainers\u003C\u002Fkey>\n\u003Ctrue\u002F>\n```\n\n### Root Helpers\n\nWhen your app is not sandboxed, you can spawn other binaries using posix_spawn; you can also spawn binaries as root with the following entitlement:\n\n```xml\n\u003Ckey>com.apple.private.persona-mgmt\u003C\u002Fkey>\n\u003Ctrue\u002F>\n```\n\nYou can also add your own binaries into your app bundle.\n\nAfterwards you can use the [spawnRoot function in TSUtil.m](.\u002FShared\u002FTSUtil.m#L79) to spawn the binary as root.\n\n### Things that are not possible using TrollStore\n\n- Getting proper platformization (`TF_PLATFORM` \u002F `CS_PLATFORMIZED`)\n- Spawning a launch daemon (Would need `CS_PLATFORMIZED`)\n- Injecting a tweak into a system process (Would need `TF_PLATFORM`, a userland PAC bypass and a PMAP trust level bypass)\n\n### Compilation\n\nTo compile TrollStore, ensure [theos](https:\u002F\u002Ftheos.dev\u002Fdocs\u002Finstallation) is installed. 
Additionally ensure [brew](https:\u002F\u002Fbrew.sh\u002F) is installed and install [libarchive](https:\u002F\u002Fformulae.brew.sh\u002Fformula\u002Flibarchive) from brew.\n\n## Credits and Further Reading\n\n[@alfiecg_dev](https:\u002F\u002Ftwitter.com\u002Falfiecg_dev\u002F) - Found the CoreTrust bug that allows TrollStore to work through patchdiffing and worked on automating the bypass.\n\nGoogle Threat Analysis Group - Found the CoreTrust bug as part of an in-the-wild spyware chain and reported it to Apple.\n\n[@LinusHenze](https:\u002F\u002Ftwitter.com\u002FLinusHenze) - Found the installd bypass used to install TrollStore on iOS 14-15.6.1 via TrollHelperOTA, as well as the original CoreTrust bug used in TrollStore 1.0.\n\n[Fugu15 Presentation](https:\u002F\u002Fyoutu.be\u002FrPTifU1lG7Q)\n\n[Write-Up on the first CoreTrust bug with more information](https:\u002F\u002Fworthdoingbadly.com\u002Fcoretrust\u002F).\n","TrollStore is an application for iOS that can permanently install IPA files with arbitrary entitlements and root helper functionality. The project exploits a vulnerability in AMFI\u002FCoreTrust that prevents iOS from correctly verifying the code signatures of binaries containing multiple signers, which is what makes this possible. TrollStore supports iOS 14.0 beta 2 through 16.6.1, 16.7 RC (20H18) and 17.0. Users can install TrollStore on a device by following specific guides, and update or uninstall applications through its built-in mechanisms. In addition, TrollStore provides a persistence helper to address the problem of applications reverting state after a system restart. It is intended for developers and advanced users who want to bypass official restrictions and install custom apps on non-jailbroken devices.",2,"2026-06-11 03:38:45","high_star"]