Difference between revisions of "AT+XEMN Heap Overflow"

From The iPhone Wiki
Jump to: navigation, search
(Timeline)
Line 29: Line 29:
 
== Timeline ==
 
== Timeline ==
 
=== July 2009 ===
 
=== July 2009 ===
*[[User:Oranav|Oranav]] discovers this command.
+
*[[User:Oranav|Oranav]] discovers this crash.
*Shortly after discovered, The [[iPhone Dev Team]], confirms that the command is non-exploitable.
+
*Shortly after discovered, The [[iPhone Dev Team]], confirms that the crash is non-exploitable.
*There was no talk about this command.
 
   
 
=== September 2009 ===
 
=== September 2009 ===
*iH8sn0w discovered this command but kept it a secret for about a month. [http://twitter.com/iH8sn0w/status/4353547726 ]
+
*iH8sn0w discovered this command independently but kept it a secret for about a month. [http://twitter.com/iH8sn0w/status/4353547726 ]
   
 
=== October 2009 ===
 
=== October 2009 ===
 
*When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter. [http://twitter.com/iH8sn0w/status/4954333558]
 
*When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter. [http://twitter.com/iH8sn0w/status/4954333558]
*Shortly after, Oranav discovered this, and posted his Hash from July. [http://pastebin.ca/1485104]
+
*Shortly after, Oranav posted his Hash from July. [http://pastebin.ca/1485104]
*MuscleNerd tells iHacker that the command was received awhile ago and was non-exploitable. [http://twitter.com/MuscleNerd/status/4978871033][http://twitter.com/iHacker/status/4978821448]
+
*MuscleNerd tells iHacker that the crash was received awhile ago and was non-exploitable. [http://twitter.com/MuscleNerd/status/4978871033][http://twitter.com/iHacker/status/4978821448]
*[[User:Geohot|Geohot]] attempts to use this command, but later finds out as well that it is non-exploitable. [http://twitter.com/geohot/status/4979506974]
+
*[[User:Geohot|Geohot]] attempts to exploit this crash, but later finds out as well that it is non-exploitable. [http://twitter.com/geohot/status/4979506974]
 
*The hunt for another exploit continues as New 3G/3G[S] users join or if 3G/3G[S] users upgrade to Official Apple Firmware.
 
*The hunt for another exploit continues as New 3G/3G[S] users join or if 3G/3G[S] users upgrade to Official Apple Firmware.
*Geohot does more investigation and discovers that this command is indeed exploitable. [http://twitter.com/geohot/status/5196861045]
+
*Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [http://twitter.com/geohot/status/5196861045]
 
*Geohot has achieved arbitrary code execution and has begun working on unlock which will be called blacksn0w. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html]
 
*Geohot has achieved arbitrary code execution and has begun working on unlock which will be called blacksn0w. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html]
  +
*Geohot posts a video of an unlocked 05.11.07 device. [http://www.youtube.com/watch?v=g23e9e9zOVI]

Revision as of 14:50, 31 October 2009

AT+XEMN is a command on baseband 5.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a coveted Software SIM Unlock on the official 3.1(.2) firmware running 5.11.07

Exception Dump

+XLOG: Exception Number: 1
Trap Class:     0xDDDD  (SW GENERATED TRAP)
Identification: 140 (0x008C)
Date: 22.10.2009
Time: 00:30
File: atform/text/_malloc.c
Line: 1036
Logdata:
 2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63   ..v.@.1datc:1.dc
 20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20    D..            
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20

Timeline

July 2009

  • Oranav discovers this crash.
  • Shortly after discovered, The iPhone Dev Team, confirms that the crash is non-exploitable.

September 2009

  • iH8sn0w discovered this command independently but kept it a secret for about a month. [1]

October 2009

  • When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter. [2]
  • Shortly after, Oranav posted his Hash from July. [3]
  • MuscleNerd tells iHacker that the crash was received awhile ago and was non-exploitable. [4][5]
  • Geohot attempts to exploit this crash, but later finds out as well that it is non-exploitable. [6]
  • The hunt for another exploit continues as New 3G/3G[S] users join or if 3G/3G[S] users upgrade to Official Apple Firmware.
  • Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [7]
  • Geohot has achieved arbitrary code execution and has begun working on unlock which will be called blacksn0w. [8]
  • Geohot posts a video of an unlocked 05.11.07 device. [9]