Trust Cache
A trust cache contains a list of approved CDHashes for binaries that can be executed, bypassing AMFI. Because a listed CDHash is accepted without the usual AMFI validation, the contents of a trust cache are security-critical. A trust cache is usually found inside an IM4P with a type of either trst for static trust caches, ltrs for loadable trust caches, rtsc for trust caches used for ramdisks, or dtrs for development trust caches. These types do not reflect different formats for the payload. Trust caches can be manipulated with tc or cryptexctl. There are two versions of trust caches, 0 and 1, both little-endian:
/*
* From https://github.com/apple-oss-distributions/xnu/blob/main/osfmk/kern/trustcache.h
*/
#include <stdint.h>
#include <uuid/uuid.h>
#ifdef PLATFORM_BridgeOS
/* Version 0 trust caches: No defined sorting order (thus only suitable for small trust caches).
* Used for loadable trust caches only, until phasing out support.
*
* These definitions are only compiled when PLATFORM_BridgeOS is defined.
* NOTE(review): with no defined order, a lookup presumably has to compare against
* every hash; code handling this version must not assume sorted input. */
/* One CDHash stored as CS_CDHASH_LEN raw bytes. CS_CDHASH_LEN is not defined in
* this excerpt (xnu's cs_blobs.h defines it as 20 -- confirm against that header). */
typedef uint8_t trust_cache_hash0[CS_CDHASH_LEN];
/* Header of a version 0 trust cache, immediately followed by the hash array.
* The struct is packed, so the fields are laid out back to back without padding. */
struct trust_cache_module0 {
/* Format version; presumably 0 for this layout. */
uint32_t version;
/* UUID of the trust cache (uuid_t from <uuid/uuid.h>). */
uuid_t uuid;
/* Presumably the number of elements in hashes[].
* NOTE(review): when this value is read from a parsed payload, check that the
* header plus num_hashes * sizeof(trust_cache_hash0) fits inside the payload
* (without integer overflow) before indexing hashes[]. */
uint32_t num_hashes;
/* Flexible array member: the hashes follow the header directly. */
trust_cache_hash0 hashes[];
} __attribute__((__packed__));
#endif
/* Version 1 trust caches: Always sorted by cdhash, added hash type and flags field.
* Suitable for all trust caches.
*
* One entry of a version 1 trust cache. The struct is packed, so an entry is
* exactly CS_CDHASH_LEN + 2 bytes with no padding. CS_CDHASH_LEN is not defined
* in this excerpt (xnu's cs_blobs.h defines it as 20 -- confirm against that header). */
struct trust_cache_entry1 {
/* The approved CDHash, stored as CS_CDHASH_LEN raw bytes. */
uint8_t cdhash[CS_CDHASH_LEN];
/* Hash algorithm of cdhash; presumably one of the CS_HASHTYPE_* values. */
uint8_t hash_type;
/* Per-entry flag bits; presumably a combination of the CS_TRUST_CACHE_* values. */
uint8_t flags;
} __attribute__((__packed__));
/* Header of a version 1 trust cache, immediately followed by the entry array.
* The struct is packed, so the fields are laid out back to back without padding. */
struct trust_cache_module1 {
/* Format version; presumably 1 for this layout. */
uint32_t version;
/* UUID of the trust cache (uuid_t from <uuid/uuid.h>). */
uuid_t uuid;
/* Presumably the number of elements in entries[].
* NOTE(review): when this value is read from a parsed payload, check that the
* header plus num_entries * sizeof(struct trust_cache_entry1) fits inside the
* payload (without integer overflow) before indexing entries[]. */
uint32_t num_entries;
/* Flexible array member: the entries follow the header directly.
* NOTE(review): version 1 is described as always sorted by cdhash; a lookup
* that relies on that order (e.g. a binary search) should verify the order
* when loading, otherwise an unsorted cache can hide or miss entries. */
struct trust_cache_entry1 entries[];
} __attribute__((__packed__));
// hash_type
// Values for trust_cache_entry1.hash_type, naming the algorithm that produced the cdhash.
// NOTE(review): 0 and values above 4 are not defined here; a parser should treat
// them as unknown rather than assume an algorithm.
enum {
CS_HASHTYPE_SHA1 = 1,
CS_HASHTYPE_SHA256 = 2,
// Presumably SHA-256 cut down to a shorter length -- confirm the length in xnu's cs_blobs.h.
CS_HASHTYPE_SHA256_TRUNCATED = 3,
CS_HASHTYPE_SHA384 = 4,
};
// flags
// Bit values for trust_cache_entry1.flags. The two values occupy distinct bits,
// so both can be set on the same entry.
// NOTE(review): going by the names, AMFID presumably marks a cdhash intended for
// amfid and ANE one related to the Apple Neural Engine -- confirm against the
// upstream trustcache.h before relying on either meaning.
#define CS_TRUST_CACHE_AMFID 0x1
#define CS_TRUST_CACHE_ANE 0x2