Trust Cache


A trust cache contains a list of approved CDHashes: a binary whose CDHash appears in the list can be executed, bypassing AMFI. Because listed binaries skip that check, the contents of a trust cache are security-critical. Trust caches are usually found inside an IM4P with a type of either trst (static trust caches), ltrs (loadable trust caches), rtsc (trust caches used for ramdisks), or dtrs (development trust caches). These types do not reflect different formats for the payload. Trust caches can be manipulated with tc or cryptexctl. There are two versions of the trust cache format, 0 and 1, both in little endian:

/*
 * From https://github.com/apple-oss-distributions/xnu/blob/main/osfmk/kern/trustcache.h
 */

#include <stdint.h>
#include <uuid/uuid.h>

#ifdef PLATFORM_BridgeOS
/* Version 0 trust caches: No defined sorting order (thus only suitable for small trust caches).
 * Used for loadable trust caches only, until phasing out support.
 *
 * Only compiled when PLATFORM_BridgeOS is defined.
 *
 * Layout: a fixed header (version, uuid, num_hashes) followed directly by the
 * raw cdhashes. The struct is packed, so no padding is inserted between the
 * header fields and the hash array. Version 0 carries no per-entry hash type
 * or flags.
 *
 * CS_CDHASH_LEN is not defined in this excerpt; it comes from xnu's
 * code-signing headers (presumably 20 bytes; confirm against cs_blobs.h).
 *
 * NOTE(review): num_hashes comes from the payload being parsed. A reader
 * should check that the header plus num_hashes * CS_CDHASH_LEN fits inside
 * the payload, without integer overflow, before indexing hashes[]. */
typedef uint8_t trust_cache_hash0[CS_CDHASH_LEN];
struct trust_cache_module0 {
	/* Format version field; expected to be 0 for this layout. */
	uint32_t version;
	/* UUID field of this trust cache. */
	uuid_t uuid;
	/* Number of elements in hashes[]. */
	uint32_t num_hashes;
	/* Flexible array member: the cdhashes, in no defined order. */
	trust_cache_hash0 hashes[];
} __attribute__((__packed__));
#endif

/* Version 1 trust caches: Always sorted by cdhash, added hash type and flags field.
 * Suitable for all trust caches. */

/* One version 1 entry: a cdhash plus two bytes of per-entry metadata.
 * Packed, so an entry occupies exactly CS_CDHASH_LEN + 2 bytes. */
struct trust_cache_entry1 {
	/* Code directory hash. CS_CDHASH_LEN is defined outside this excerpt
	 * (presumably 20 bytes; confirm against xnu's cs_blobs.h). */
	uint8_t cdhash[CS_CDHASH_LEN];
	/* One of the CS_HASHTYPE_* values listed under "hash_type". */
	uint8_t hash_type;
	/* Bitmask of the CS_TRUST_CACHE_* values listed under "flags". */
	uint8_t flags;
} __attribute__((__packed__));

/* Version 1 container: a fixed header followed directly by num_entries
 * packed trust_cache_entry1 records. Per the format description, the
 * entries are always sorted by cdhash.
 *
 * NOTE(review): num_entries comes from the payload being parsed. A reader
 * should check that the header plus num_entries * sizeof(struct
 * trust_cache_entry1) fits inside the payload, without integer overflow,
 * before indexing entries[]. A lookup that depends on the sort order
 * (e.g. a binary search) should not assume an unverified payload is
 * actually sorted. */
struct trust_cache_module1 {
	/* Format version field; expected to be 1 for this layout. */
	uint32_t version;
	/* UUID field of this trust cache. */
	uuid_t uuid;
	/* Number of elements in entries[]. */
	uint32_t num_entries;
	/* Flexible array member: the entries, sorted by cdhash. */
	struct trust_cache_entry1 entries[];
} __attribute__((__packed__));

// hash_type: values for trust_cache_entry1.hash_type.
// The names indicate the hash algorithm associated with the entry's cdhash;
// CS_HASHTYPE_SHA256_TRUNCATED presumably means SHA-256 cut down to a shorter
// length (confirm against xnu's cs_blobs.h).
// No constant is assigned to 0, and only 1-4 are listed here.
// NOTE(review): a parser should treat any hash_type outside the listed values
// as invalid rather than guessing, and should decide explicitly whether
// SHA-1 entries are acceptable, since SHA-1 is no longer collision resistant.
enum {
	CS_HASHTYPE_SHA1 = 1,
	CS_HASHTYPE_SHA256 = 2,
	CS_HASHTYPE_SHA256_TRUNCATED = 3,
	CS_HASHTYPE_SHA384 = 4,
};

// flags: bit values for trust_cache_entry1.flags. The two values are distinct
// bits, so they can be combined with bitwise OR and tested with bitwise AND.
// NOTE(review): the meaning of each bit is not shown in this excerpt. xnu's
// cs_blobs.h appears to describe them as "valid cdhash for amfid" and
// "ANE model hash"; confirm against the xnu version in use.
#define CS_TRUST_CACHE_AMFID 0x1
#define CS_TRUST_CACHE_ANE   0x2