Difference between revisions of "AT+XAPP Vulnerability"

From The iPhone Wiki
(links)
Line 3: Line 3:
   
 
== Credit ==
 
== Credit ==
* '''vulnerability''': [https://twitter.com/sherif_hashim sherif_hashim], also discovered by [https://twitter.com/westbaer westbaer], [[User:Geohot|geohot]] and [https://twitter.com/oranav Oranav] (each one independently)
+
* '''vulnerability''': [[sherif_hashim]], also discovered by [[westbaer]], [[User:Geohot|geohot]] and [[Oranav]] (each one independently)
 
* '''exploitation''': [[iPhone Dev Team]]
 
* '''exploitation''': [[iPhone Dev Team]]
 
   
 
== Exploit ==
 
== Exploit ==
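Review bot: the edit on Line 3 replaces the external Twitter links for sherif_hashim, westbaer and Oranav with the wikilinks [[sherif_hashim]], [[westbaer]] and [[Oranav]] while geohot keeps [[User:Geohot|geohot]], so the four credits now point into two different namespaces; either link all four the same way (User: pages or article pages) or confirm that the three new target pages exist, otherwise the credits render as red links and the Twitter handles that identified the discoverers are lost from the page.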

Revision as of 11:39, 20 July 2010

Used as an injection vector for the X-Gold 608 unlock payload. Currently available in all baseband versions until 05.13.04.

Credit

* vulnerability: sherif_hashim, also discovered by westbaer, geohot and Oranav (each one independently)
* exploitation: iPhone Dev Team

Exploit

There is a stack overflow in the AT+XAPP="..." command, which allows unsigned code execution on the X-Gold 608 and XMM 6180.

at+xapp="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa4444555566667777PPPP"

Applying a string of more than 52 characters will trigger the overflow.

It also exists on the XMM 6180.
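The bug class described above, as an added C example that is not the wiki's content and not the firmware's or the iPhone Dev Team's code: a parser that measures the quoted argument of an AT+XAPP line and flags anything over the 52-character limit the page states, shown beside the two handler shapes that matter to a defender, the unchecked copy into a fixed stack buffer that produces this kind of overflow and the hardened version that rejects the argument before it is copied. The 52-byte limit and the proof-of-concept line are taken from the page; the function names, the helper and the handler structure are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* From the page: arguments longer than 52 characters trigger the overflow,
   so the handler's fixed argument buffer is modelled as 52 bytes. */
#define XAPP_ARG_MAX 52

/* The proof-of-concept line quoted on the page (copied verbatim). */
static const char *kPagePocLine =
    "at+xapp=\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa4444555566667777PPPP\"";

/* Case-insensitive prefix match (AT commands are case-insensitive).
   Stops at the first mismatch, so a short input never overreads. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

/* Length of the quoted argument in an AT+XAPP="..." line, or -1 when the
   line is not an AT+XAPP command in that form (hypothetical helper). */
int xapp_arg_len(const char *line)
{
    static const char prefix[] = "AT+XAPP=\"";
    if (!has_prefix_ci(line, prefix))
        return -1;
    const char *start = line + (sizeof prefix - 1);
    const char *end = strchr(start, '"');
    if (end == NULL)
        return -1;                      /* unterminated argument */
    return (int)(end - start);
}

/* Classification a hardened parser or a command-log monitor can act on:
   1 = argument exceeds the 52-byte limit, 0 = within the limit,
   -1 = not an AT+XAPP command. */
int xapp_is_oversized(const char *line)
{
    int n = xapp_arg_len(line);
    if (n < 0)
        return -1;
    return n > XAPP_ARG_MAX;
}

/* Vulnerable handler pattern (illustrative, not the firmware's code): the
   argument is copied into a fixed stack buffer with no length check, so an
   argument longer than XAPP_ARG_MAX overruns the buffer. Only called with
   in-bounds input in this example. Returns the number of bytes copied. */
int xapp_handle_unchecked(const char *arg)
{
    char buf[XAPP_ARG_MAX + 1];
    strcpy(buf, arg);                   /* no bound on arg */
    return (int)strlen(buf);
}

/* Hardened handler: the limit is enforced before anything is written to the
   stack buffer. Returns bytes copied, or -1 when the argument is rejected. */
int xapp_handle_checked(const char *arg)
{
    char buf[XAPP_ARG_MAX + 1];
    size_t n = strlen(arg);
    if (n > XAPP_ARG_MAX)
        return -1;
    memcpy(buf, arg, n + 1);
    return (int)n;
}

int main(void)
{
    /* Constructed sample command lines plus the page's PoC line. */
    const char *lines[] = {
        "AT+CGMI",                      /* unrelated command: ignored */
        "AT+XAPP=\"short\"",            /* within the limit */
        kPagePocLine,                   /* the page's PoC: over the limit */
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int verdict = xapp_is_oversized(lines[i]);
        printf("%-70s -> %s\n", lines[i],
               verdict == 1 ? "OVERSIZED (would overflow)" :
               verdict == 0 ? "ok" : "not AT+XAPP");
    }
    return 0;
}
```

The check in xapp_handle_checked is the whole fix for this bug class: the length is compared against the buffer size before any byte is written, so the rejected argument never reaches the stack. The same xapp_is_oversized test can run over a captured AT command stream to spot oversized AT+XAPP arguments.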

Implementation

The exploit was used by iPhone Dev Team in ultrasn0w 0.93, which is able to unlock the X-Gold 608 basebands 4.26.08, 5.11.07, 5.12.01 and 5.13.04.