https://www.theiphonewiki.com/w/api.php?action=feedcontributions&feedformat=atom&user=Katrinewhite79The iPhone Wiki - User contributions [en]2026-06-18T13:28:12ZUser contributionsMediaWiki 1.31.14https://www.theiphonewiki.com/w/index.php?title=AT%2Bstkprof&diff=6002AT+stkprof2010-04-10T12:46:17Z<p>Katrinewhite79: /* New Implementation (yellowsn0w 0.9.8) */</p>
<hr />
<div>Used as an injection vector for the first [[iPhone 3G]] [[Unlock 2.0|unlock]] [[yellowsn0w|payload]].<br />
<br />
==Credit==<br />
[[geohot]]<br />
<br />
==Exploit==<br />
There is a stack-based buffer overflow in the at+stkprof command that allows unsigned code execution on the [[X-Gold 608|iPhone 3G baseband]].<br />
<br />
==Implementation==<br />
The [[dev team]] used this exploit in the first public iPhone 3G unlock called [[yellowsn0w]]. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.<br />
<br />
The source code (for old version 0.9.1) is also available here [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
===New Implementation (yellowsn0w 0.9.8)===<br />
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.<br />
<br />
<pre><br />
at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf<br />
9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8<br />
905120000000001010101020202020611301000c000000";"\x10\x32\x0F\x27<br />
\xBA\x43\x17\x1C\x0E\xA4\x0B\xA5\x01\x35\x21\x78\x78\x29\x0C\xD0<br />
\xA8\x47\x0B\x01\x61\x78\xA8\x47\xC0\x46\xC0\x46\xC0\x46\xC0\x46<br />
\xC9\x18\x11\x70\x02\x34\x01\x32\xEF\xE7\xC0\x46\xC0\x46\x01\x37<br />
\x38\x47\x30\x30\x41\x29\x01\xDA09pG79pG024803A1013101601FBD0000<br />
4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047<br />
071CC56080204000A047802214495200144B041C9847099B0193442303930A23<br />
013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1<br />
0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420<br />
641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674<br />
65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B<br />
281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B<br />
13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000<br />
5427234098591620BC792F4000FF0001010402040304040468D53E20xx"<br />
</pre><br />
<br />
Information on how this was used can be found [[Yellowsn0w#Payload_w.2F_Comments_.28by_Darkmen.29_.3D|here]]<br />
[http://essaywritersworld.com/ essay paper/s]<br />
<br />
[[Category:Baseband Exploits]]</div>Katrinewhite79