TRCiOS
Newbie
  • Posts: 3

Everything posted by TRCiOS

  1. Nope, it's an older exploit for 13.4.1 and below. You can find the writeup here: https://blog.siguza.net/psychicpaper/#3-the-exploit . It allows for a sandbox escape and any arbitrary entitlements. I'm exploiting 8.x 64-bit and my kernel exploit needs a sandbox escape; this one is perfect, but Sideloadly overwrites the "exploited" entitlements I gave it before signing. The new exploit is a CoreTrust exploit (a counterpart of AMFI) and it's not _yet_ exploitable through sideloading means.
  2. Thanks for answering. I currently reproduce the exploit with a free cert and a mobileprovision I extracted from Xcode (7-day signing, free account, whatever random Xcode entitlements it uses), then I use codesign with custom entitlements (`codesign -f -s "cert" --entitlements=psychicpaperents.plist app.app`) and finally install with ideviceinstaller. Psychic Paper gives you arbitrary entitlements due to different entitlement parsers in iOS. I understand this is pretty niche, but it would be very helpful for legacy exploitation, since asking non-savvy users to do all of this just for a sandbox escape isn't very friendly.
  3. @Rook Would it be possible to add a function to specify custom entitlements? Trying to exploit Psychic Paper, and the IPA doesn't retain the exploited entitlements from ldid before using Sideloadly (unless I'm doing something wrong?)
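The signing procedure in the second post (custom entitlements file passed to codesign, then install with ideviceinstaller) leaves open the question of which entitlements actually survived signing and which of them the provisioning profile vouches for. The script below is an added example, not code from the thread, from Sideloadly or from the Psychic Paper writeup. It compares the entitlements embedded in a signed binary against the `Entitlements` dictionary of the decoded provisioning profile and reports keys the profile does not list (the ones a stock AMFI check would refuse and that a reviewer of a sideloaded IPA should look at first), keys whose values fall outside the profile's wildcard patterns, and profile keys the signer stripped. Both plists are constructed samples; the `codesign` and `security cms` commands in the docstring are the assumed way to export the real ones on a Mac.

```python
"""Audit the entitlements of a signed iOS app against its provisioning profile.

Added example, not part of the forum thread. On a Mac the two inputs are
assumed to come from (commands are the assumption, not taken from the page):

    codesign -d --entitlements - --xml Payload/app.app > signed-ents.plist
    security cms -D -i Payload/app.app/embedded.mobileprovision > profile.plist

Both are embedded here as constructed samples so the script runs offline.
"""
import plistlib
from fnmatch import fnmatchcase

# Constructed sample: entitlements as embedded in the signed binary.
SIGNED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
  <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
  <key>get-task-allow</key><true/>
  <key>com.apple.private.security.no-sandbox</key><true/>
</dict></plist>
"""

# Constructed sample: decoded embedded.mobileprovision (only the keys used here).
PROVISIONING_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>iOS Team Provisioning Profile: com.example.app</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.*</string>
    <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
    <key>get-task-allow</key><true/>
    <key>keychain-access-groups</key><array><string>ABCDE12345.*</string></array>
  </dict>
</dict></plist>
"""


def load_signed_entitlements(data: bytes) -> dict:
    """Parse the entitlements plist exported from the signed binary."""
    return plistlib.loads(data)


def load_profile_entitlements(data: bytes) -> dict:
    """Parse a decoded provisioning profile and return its Entitlements dict."""
    return plistlib.loads(data).get("Entitlements", {})


def _permitted(value, allowed) -> bool:
    """True if a signed value fits the profile's allowed value.

    Profiles express team-scoped identifiers as wildcard strings such as
    "TEAMID.*"; arrays are checked element by element against the patterns.
    """
    if isinstance(allowed, str) and isinstance(value, str):
        return fnmatchcase(value, allowed)
    if isinstance(allowed, list) and isinstance(value, list):
        return all(any(_permitted(v, a) for a in allowed) for v in value)
    return value == allowed


def audit_entitlements(signed: dict, profile_ents: dict) -> dict:
    """Classify every entitlement key.

    unlisted   - in the binary but absent from the profile (not vouched for)
    mismatched - in both, but the signed value is outside what the profile allows
    dropped    - allowed by the profile but not present in the binary
    """
    report = {"unlisted": [], "mismatched": [], "dropped": []}
    for key, value in signed.items():
        if key not in profile_ents:
            report["unlisted"].append(key)
        elif not _permitted(value, profile_ents[key]):
            report["mismatched"].append(key)
    report["dropped"] = [k for k in profile_ents if k not in signed]
    return report


if __name__ == "__main__":
    result = audit_entitlements(load_signed_entitlements(SIGNED_ENTITLEMENTS),
                                load_profile_entitlements(PROVISIONING_PROFILE))
    for category, keys in result.items():
        print(f"{category}: {', '.join(keys) if keys else '-'}")
```

Run against the samples it reports `com.apple.private.security.no-sandbox` as unlisted and `keychain-access-groups` as dropped. The "dropped" bucket is informational (profiles often list groups an app never uses); the "unlisted" and "mismatched" buckets are the ones worth acting on when reviewing what a signing tool produced.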