TrollStore developer confirms new bug might be exactly like the one already being used

When Apple released iOS & iPadOS 17.0.1 just over a week ago, we also touched on comments made by TrollStore lead developer Lars Fröder (@opa334dev), who claimed that a bug possibly similar to the one used by TrollStore had been patched in iOS & iPadOS 16.7 and 17.0.


We haven’t heard much else about this since then, but according to a post shared to X (formerly Twitter) by Fröder on Monday morning, the aforementioned bug may very well be virtually identical to the CoreTrust bug taken advantage of by TrollStore, just with support for much newer firmware.

Lars Fröder tweets about latest CoreTrust bug.

Admittedly, there is no publicly published write-up or proof-of-concept for this bug yet, and Fröder doesn’t have the time to look into it right now, so this means a newer so-called “TrollStore 2” isn’t likely to surface in the near term — at least not from him. Fröder has actually suggested leaving things to someone else to figure out.

In follow-up posts, Fröder said that if a TrollStore 2 does come to fruition, it would likely work exactly how TrollStore does now, except that it would need new installation methods. Firmware up to and including iOS & iPadOS 16.5 could use the kfd exploit to install it, while older arm64 iOS & iPadOS devices could use the checkm8 bootrom exploit on any supported firmware. All other devices on iOS & iPadOS 16.6-17.0 would require a new kernel exploit or installation method that doesn’t exist just yet.

Fröder also says that we don’t yet know when the more recent CoreTrust bug was first introduced. He even suggested that iOS & iPadOS 14 may have first introduced it. We won’t know for certain until a write-up officially materializes, and that’s if that even happens at all.

As you might recall, the original CoreTrust bug supported firmware up to and including iOS & iPadOS 15.4.1. This is why TrollStore supported iOS & iPadOS 15.0-15.4.1. It allowed apps to be permanently signed by bypassing the operating system’s certificate validation scheme, meaning that unauthorized apps could be installed indefinitely instead of merely sideloaded for seven days before needing to be re-signed.

Powerful exploits such as these, paired with kernel exploits such as MacDirtyCow and kfd, have worked as stop-gaps amid the lack of an iOS 16 jailbreak. If these efforts continue, they will provide creative outlets for add-on and tweak developers for several more months to come.

It will be interesting to see if Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group will actually produce a detailed write-up on this bug, and whether someone in our beloved community makes use of it to make using iPhones and iPads more fun.

As an important side note, iOS & iPadOS 16.6.1 and 17.0 are still being signed at the time of this writing. If you’re anticipating taking advantage of these exploits should anything be released, now might be a good time to stay on the lowest possible firmware and avoid software updates.