The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Trust Cache"
(Created page with "The <code>*.trustcache</code> file is an out of band IM4P that provides trust for a paired file, as often happens with Root filesystems and Ramdisks.") |
(Add useful information about trust caches) |
||
Line 1: | Line 1: | ||
+ | A trust cache contains a list of approved CDHashes for binaries that can be executed, bypassing AMFI. Usually found inside an <code>IM4P</code> with a 4cc of either <code>trst</code> for static trust caches, <code>ltrs</code> for loadable trust caches or <code>dtrs</code> for development trust caches, these do not reflect different formats for the payload. Trust caches can be manipulated with [https://github.com/CRKatri/tc tc] or <code>cryptexctl</code>. There are two versions of trust caches: 0 and 1, both in little endian: |
||
− | The <code>*.trustcache</code> file is an out of band IM4P that provides trust for a paired file, as often happens with Root filesystems and Ramdisks. |
||
+ | <source lang="c"> |
||
+ | /* |
||
+ | * From https://github.com/apple-oss-distributions/xnu/blob/main/osfmk/kern/trustcache.h |
||
+ | */ |
||
+ | |||
+ | #include <stdint.h> |
||
+ | #include <uuid/uuid.h> |
||
+ | |||
+ | #ifdef PLATFORM_BridgeOS |
||
+ | /* Version 0 trust caches: No defined sorting order (thus only suitable for small trust caches). |
||
+ | * Used for loadable trust caches only, until phasing out support. */ |
||
+ | typedef uint8_t trust_cache_hash0[CS_CDHASH_LEN]; |
||
+ | struct trust_cache_module0 { |
||
+ | uint32_t version; |
||
+ | uuid_t uuid; |
||
+ | uint32_t num_hashes; |
||
+ | trust_cache_hash0 hashes[]; |
||
+ | } __attribute__((__packed__)); |
||
+ | #endif |
||
+ | |||
+ | /* Version 1 trust caches: Always sorted by cdhash, added hash type and flags field. |
||
+ | * Suitable for all trust caches. */ |
||
+ | |||
+ | struct trust_cache_entry1 { |
||
+ | uint8_t cdhash[CS_CDHASH_LEN]; |
||
+ | uint8_t hash_type; |
||
+ | uint8_t flags; |
||
+ | } __attribute__((__packed__)); |
||
+ | |||
+ | struct trust_cache_module1 { |
||
+ | uint32_t version; |
||
+ | uuid_t uuid; |
||
+ | uint32_t num_entries; |
||
+ | struct trust_cache_entry1 entries[]; |
||
+ | } __attribute__((__packed__)); |
||
+ | |||
+ | // hash_type |
||
+ | enum { |
||
+ | CS_HASHTYPE_SHA1 = 1, |
||
+ | CS_HASHTYPE_SHA256 = 2, |
||
+ | CS_HASHTYPE_SHA256_TRUNCATED = 3, |
||
+ | CS_HASHTYPE_SHA384 = 4, |
||
+ | }; |
||
+ | |||
+ | // flags |
||
+ | #define CS_TRUST_CACHE_AMFID 0x1 |
||
+ | #define CS_TRUST_CACHE_ANE 0x2 |
||
+ | </source> |
Revision as of 19:23, 28 May 2022
A trust cache contains a list of approved CDHashes for binaries that can be executed, bypassing AMFI. Usually found inside an IM4P
with a 4cc of either trst
for static trust caches, ltrs
for loadable trust caches or dtrs
for development trust caches, these do not reflect different formats for the payload. Trust caches can be manipulated with tc or cryptexctl
. There are two versions of trust caches: 0 and 1, both in little endian:
/*
* From https://github.com/apple-oss-distributions/xnu/blob/main/osfmk/kern/trustcache.h
*/
#include <stdint.h>
#include <uuid/uuid.h>
#ifdef PLATFORM_BridgeOS
/* Version 0 trust caches: No defined sorting order (thus only suitable for small trust caches).
* Used for loadable trust caches only, until phasing out support. */
typedef uint8_t trust_cache_hash0[CS_CDHASH_LEN];
struct trust_cache_module0 {
uint32_t version;
uuid_t uuid;
uint32_t num_hashes;
trust_cache_hash0 hashes[];
} __attribute__((__packed__));
#endif
/* Version 1 trust caches: Always sorted by cdhash, added hash type and flags field.
* Suitable for all trust caches. */
struct trust_cache_entry1 {
uint8_t cdhash[CS_CDHASH_LEN];
uint8_t hash_type;
uint8_t flags;
} __attribute__((__packed__));
struct trust_cache_module1 {
uint32_t version;
uuid_t uuid;
uint32_t num_entries;
struct trust_cache_entry1 entries[];
} __attribute__((__packed__));
// hash_type
enum {
CS_HASHTYPE_SHA1 = 1,
CS_HASHTYPE_SHA256 = 2,
CS_HASHTYPE_SHA256_TRUNCATED = 3,
CS_HASHTYPE_SHA384 = 4,
};
// flags
#define CS_TRUST_CACHE_AMFID 0x1
#define CS_TRUST_CACHE_ANE 0x2