|
1 | 1 | --- |
2 | | -title: JIT-Less Diagnostics |
| 2 | +title: JIT-Less |
3 | 3 | sidebar_position: 9 |
4 | 4 | --- |
5 | 5 |
|
6 | | -# About JIT-Less Diagnose Page |
| 6 | +# JIT-Less |
7 | 7 |
|
8 | | -<img width="300" alt="JIT-Less Diagnose Page" src="/img/jit-less-diagnose/1.png" /> |
| 8 | +If you are using the bundled SideStore build, complete the setup in [LiveContainer + SideStore: Setup after Installing](/docs/installation/lc_sidestore#setup-after-installing) first. |
| 9 | +If you are using standalone LiveContainer, follow [Standalone LiveContainer: JIT-Less mode setup](/docs/installation/standalone#jit-less-mode-without-jit-recommended). |
| 10 | + |
| 11 | +## JIT-Less actions in Settings |
| 12 | + |
| 13 | +Open `Settings` in LiveContainer and find the `JIT-Less` section. |
9 | 14 |
|
10 | | -:::note |
11 | | -This page exists in LiveContainer 3.1.51+ |
12 | | -::: |
| 15 | +- `Import Certificate`: Import a `.p12` certificate file and password manually from Files. |
| 16 | +- `Import Certificate from SideStore`: Ask your store app to export certificate data to LiveContainer. |
| 17 | +- `Refresh Certificate from SideStore`: Re-import certificate data from your store and overwrite the current one. |
| 18 | +- `Remove Certificate`: Remove imported certificate data/password from LiveContainer. |
| 19 | +- `JIT-Less Diagnose`: Open the diagnosis page to verify entitlement access and certificate state. |
| 20 | + |
| 21 | +On the bundled SideStore build, this refresh can read the certificate directly from the built-in SideStore after confirmation. |
| 22 | +Use `Refresh Certificate from AltStore/SideStore` after you reinstall, re-login, or refresh your store environment, especially if certificate-related checks become stale or fail. |
| 23 | + |
| 24 | +<img width="300" alt="JIT-Less Diagnose Page" src="/img/jit-less-diagnose/1.png" /> |
13 | 25 |
|
14 | | -If you successfully setup JIT-Less mode, your JIT-Less Mode Diagnose should look like the screenshot above. The most important indicator is "Certificate Last Up Date". This field should change if you reopens your store. If not, follow the following instructions to diagnose your setup. |
| 26 | +If you successfully setup JIT-Less mode, your **JIT-Less Mode Diagnose** should look like the screenshot above. The most important indicator is "Certificate Last Update Date". This field should change if you reopens your store. If not, follow the following instructions to diagnose your setup. |
15 | 27 |
|
16 | 28 | ## App Group ID, App Group Accessible, Store |
17 | 29 |
|
18 | | -The "App Group ID" field should end with the exact same 10 characters as the "Bundle Identifier". "App Group Accessible" should be "Yes" and "Store" should correctly show your store. |
19 | | - |
20 | | -> For example, if your Bundle Identifier is `com.kdt.livecontainer.A1B2C3D4E5` ,then your app group id should be `group.com.SideStore.SideStore.A1B2C3D4E5` if you use SideStore, or `group.com.rileytestut.AltStore.A1B2C3D4E5` if you use AltStore. |
21 | | -
|
22 | | -If it only say `group.com.SideStore.SideStore` or `Unknown`, then there's something wrong with your SideStore setup. Please check: |
23 | | - |
24 | | -- SideStore is installed through AltServer |
25 | | -- LiveContainer is installed directly through SideStore/AltStore |
26 | | -- Don't try to install LiveContainer through AltStore PAL |
27 | | -- Account used to install SideStore and LiveContainer matches. This can be checked by going to iOS settings -> General -> VPN & Device Management -> (your account name). Check if both LiveContainer and SideStore are under the same account. |
28 | | - |
29 | | -:::note |
30 | | -> "Entitlement File" exists in 3.2.51+ |
31 | | -::: |
32 | | - |
33 | | -If you meet the above 4 criteria but App Group is still not accessible, tap "Entitlement File" and check the entitlement extracted form LiveContainer's main executable. A correct entitlement may look like this: |
34 | | - |
35 | | -```xml |
36 | | -<?xml version="1.0" encoding="UTF-8"?> |
37 | | -<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
38 | | -<plist version="1.0"> |
39 | | -<dict> |
40 | | - <key>application-identifier</key> |
41 | | - <string>A1B2C3D4E5.com.kdt.livecontainer.A1B2C3D4E5</string> |
42 | | - <key>com.apple.developer.team-identifier</key> |
43 | | - <string>A1B2C3D4E5</string> |
44 | | - <key>com.apple.security.application-groups</key> |
45 | | - <array> |
46 | | - <string>group.com.rileytestut.AltStore.A1B2C3D4E5</string> <--- Important! |
47 | | - <string>group.com.SideStore.SideStore.A1B2C3D4E5</string> <--- Important! |
48 | | - </array> |
49 | | - <key>get-task-allow</key> |
50 | | - <true/> |
51 | | - <key>keychain-access-groups</key> |
52 | | - <array> |
53 | | - <string>A1B2C3D4E5.com.kdt.livecontainer.shared</string> |
54 | | - <string>A1B2C3D4E5.com.kdt.livecontainer.shared.1</string> |
55 | | - <string>A1B2C3D4E5.com.kdt.livecontainer.shared.2</string> |
56 | | - </array> |
57 | | -</dict> |
58 | | -</plist> |
59 | | - |
60 | | -``` |
| 30 | +- `App Group ID`: The identifier of the detected App Group. |
| 31 | + **Expected**: not `Unknown`. |
| 32 | +- `App Group Accessible`: Indicates if LiveContainer can read/write to the shared container path. |
| 33 | + **Expected**: `Yes`. |
| 34 | +- `Store`: The detected installation source (`AltStore`, `SideStore`, `ADP`, or `Unknown`). |
| 35 | + **Expected**: matches your real install source and is normally not `Unknown`. |
| 36 | + |
| 37 | +If the App Group is inaccessible, resolve this issue before checking certificate details. |
| 38 | + |
| 39 | +## Entitlement File |
| 40 | + |
| 41 | +Tap `Entitlement File` to inspect the parsing results of the main executable's entitlements. |
| 42 | + |
| 43 | +This view verifies: |
| 44 | + |
| 45 | +- `Bundle Identifier`: Compares app bundle identifier with value derived from `application-identifier`. |
| 46 | + **Expected**: marked correct. |
| 47 | +- `Team ID`: Value from `com.apple.developer.team-identifier`. |
| 48 | + **Expected**: valid Team ID, not `Unknown`. |
| 49 | +- `get-task-allow`: Whether debug entitlement exists. |
| 50 | + **Expected**: `Yes`. |
| 51 | +- `com.apple.security.application-groups Correct`: Checks whether app-groups list is non-empty. |
| 52 | + **Expected**: `Yes`. |
| 53 | +- `keychain-access-groups Correct`: Checks whether LiveContainer keychain groups (`.shared` and indexed groups) are complete. |
| 54 | + **Expected**: `Yes`. |
61 | 55 |
|
62 | 56 | The most important part is `com.apple.security.application-groups`, which determines whether LiveContainer can access SideStore's app group. |
63 | 57 | This item should exist and its content should look like `group.com.rileytestut.AltStore.A1B2C3D4E5` and `group.com.SideStore.SideStore.A1B2C3D4E5`. If this item is missing or it looks like `group.com.SideStore.SideStore.A1B2C3D4E5.A1B2C3D4E5`, then this is an bug of SideStore, not LiveContainer. The only thing you can do is to remove both LiveContainer and SideStore, and then install them again and check if this issue is solved. |
64 | 58 |
|
65 | 59 | It is reported that if LiveContainer's entitlement is incorrect, you can't activate/deactivate apps in SideStore. **Please do not submit issues about incorrect entitlement as it is not a LiveContainer issue.** |
66 | 60 |
|
67 | | -## Patch Detected |
| 61 | +## Certificate details |
| 62 | + |
| 63 | +This section displays the status of the signing certificate used for JIT-less mode. |
68 | 64 |
|
69 | | -:::note |
70 | | -Make sure App Group ID, App Group Accessible and Store are correct before proceeding. |
71 | | -::: |
| 65 | +- `Certificate Last Up Date`: The timestamp of the last certificate refresh/import. |
| 66 | + **Expected**: a real timestamp, not `Unknown`. |
| 67 | +- `Certificate Team ID`: The Team ID extracted from the certificate. |
| 68 | + **Expected**: Your Apple Developer Team ID, not `Unknown`. |
| 69 | +- `Expected Team ID`: Team ID read from LiveContainer entitlement, used for mismatch detection. |
| 70 | + This row appears only when mismatch is detected. |
| 71 | +- `Certificate Status`: `Valid`, `Revoked`, or `Unknown`. |
| 72 | + **Expected**: `Valid`. |
| 73 | +- `Certificate Validate Until`: The expiration date of the certificate. |
| 74 | + **Expected**: a real timestamp while certificate is valid. |
| 75 | +- `Certificate Data Found`: whether imported certificate data exists. |
| 76 | + **Expected**: `Yes`. |
| 77 | +- `Certificate Password Found`: whether imported certificate password exists. |
| 78 | + **Expected**: `Yes` in normal certificate export/import flows. |
72 | 79 |
|
73 | | -It should say "Yes". If not, close your store from the app switcher, reopen it and refresh this diagnose page. |
74 | | -If still not, patch your store again. |
| 80 | +## Test JIT-Less Mode |
75 | 81 |
|
76 | | -## Certificate Data / Password Found, Certificate Last Up Date |
| 82 | +The `Test JIT-Less Mode` button performs a functional validation rather than a static check. |
77 | 83 |
|
78 | | -:::note |
79 | | -Make sure 1 & 2 are correct before proceeding. |
80 | | -::: |
| 84 | +When tapped, LiveContainer will: |
| 85 | +1. Create a temporary test app bundle. |
| 86 | +2. Sign it using the current certificate and password. |
| 87 | +3. Verify code-sign validity of the signed test dylib (`TestJITLess.dylib`). |
81 | 88 |
|
82 | | -If you patched your store correctly, Certificate Data / Password Found should turn to "Yes" if you refresh the diagnose page, and "Certificate Last Up Date" should show the time when you last opens your store. |
| 89 | +The button requires `Certificate Data Found = Yes` to start. If password/config is still invalid, signing fails in this step. |
83 | 90 |
|
84 | | -If Certificate Data / Password Found are "Yes", but "Certificate Last Up Date" is unknown, but apps are working correctly, you might have just updated from version prior to 3.1.51, patch your store again and this field should display correctly. |
| 91 | +If this test fails, JIT-less launch will likely fail. |
0 commit comments