Difference between revisions of "AT+stkprof"

From The iPhone Wiki
Jump to: navigation, search
(Unlock task loop)
m (Updating)
 
(12 intermediate revisions by 5 users not shown)
Line 1: Line 1:
Used as an injection vector for the first [[iPhone 3G]] [[Unlock 2.0|unlock]] [[yellowsn0w|payload]].
+
Used as an injection vector for the first [[N82AP|iPhone 3G]] [[Unlock 2.0|unlock]] [[yellowsn0w|payload]].
   
 
==Credit==
 
==Credit==
[[geohot]]
+
[[User:geohot|geohot]]
   
 
==Exploit==
 
==Exploit==
Line 8: Line 8:
   
 
==Implementation==
 
==Implementation==
The [[dev team]] used this exploit in the first public iPhone 3G unlock called [[yellowsn0w]]. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.
+
The [[iPhone Dev Team]] used this exploit in the first public iPhone 3G unlock called [[yellowsn0w]]. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.
   
The source code is also available here [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]
+
The source code (for old version 0.9.1) is also available here [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]
   
===New Implementation (yellowsn0w 0.9.6)===
+
===New Implementation (yellowsn0w 0.9.8)===
 
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.
 
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.
   
 
<pre>
 
<pre>
  +
at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf
at+stkprof=122064a541c044b1878222803d0107001320133f8e720470000bf9f1
 
  +
9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8
54000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8905120
 
  +
905120000000001010101020202020611301000c000000";"\x10\x32\x0F\x27
000000001010101020202020611301000c000000223B22270F32101C1743BAA
 
  +
\xBA\x43\x17\x1C\x0E\xA4\x0B\xA5\x01\x35\x21\x78\x78\x29\x0C\xD0
50BA40E78213501D00C297810B47A847A8786146C046C046C046C0701118C
 
  +
\xA8\x47\x0B\x01\x61\x78\xA8\x47\xC0\x46\xC0\x46\xC0\x46\xC0\x46
93201340246C0E7EF370146C03030473829411+09pG79pG024803A10131016
 
  +
\xC9\x18\x11\x70\x02\x34\x01\x32\xEF\xE7\xC0\x46\xC0\x46\x01\x37
01FBD00004C711140F0B51C4B80268BB03601188008911A4C301CA0470025
 
  +
\x38\x47\x30\x30\x41\x29\x01\xDA09pG79pG024803A1013101601FBD0000
09909820A047071CC56080204000A047802214495200144B041C9847099B01
 
  +
4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047
93442303930A23013405930C23221C06930F49009502960495381C00230D4C
 
  +
071CC56080204000A047802214495200144B041C9847099B0193442303930A23
A047021C002804D10B4908980B4B984703E00B490898094B98470BB0F0BD00
 
  +
013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1
0044B33B40AC201420641A0100A0583C20481A010040B53F20541A010000DD
 
  +
0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420
4620581A01006465767465616D31000000004F4B21004552524F52202564000
 
  +
641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674
0000030B5114D85B0114B281C6946FF229847009B0D2B11D101990D4B0A68
 
  +
65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B
1A6004334A681A608A680B4B13600B4B53600B4B93600123CB602023009328
 
  +
281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B
1C6946FF22074B9847DFE700005427234098591620BC792F4000FF000101040
 
  +
13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000
2040304040468D53E207878220
 
  +
5427234098591620BC792F4000FF0001010402040304040468D53E20xx"
 
</pre>
 
</pre>
   
  +
Information on how this was used can be found [[Yellowsn0w#Payload_w.2F_Comments_.28by_Darkmen.29_.3D|here]]
Anyone with a better insight feel free to comment / modify, as I didn't look any further into this, I just looked at the ztringz :)
 
   
  +
[[Category:Baseband Exploits]]
===yellowsn0w 0.9.6 with comments===
 
The exploit consists from 3 parts:
 
====Code loader====
 
<pre>
 
ROM:00000000 ; =============== S U B R O U T I N E =======================================
 
ROM:00000000
 
ROM:00000000
 
ROM:00000000 loader
 
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code
 
ROM:00000002 ADDS R4, R2, #1 ; thumb switch
 
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where StrToHex result of the at-command is
 
ROM:00000006
 
ROM:00000006 copy.loop ; CODE XREF: loader+12�j
 
ROM:00000006 LDRB R0, [R3] ; copying code until double quotes
 
ROM:00000008 CMP R0, #0x22 ; '"'
 
ROM:0000000A BEQ run ; jump thumb code
 
ROM:0000000C STRB R0, [R2]
 
ROM:0000000E ADDS R2, #1
 
ROM:00000010 ADDS R3, #1
 
ROM:00000012 B copy.loop ; copying code until double quotes
 
ROM:00000014 ; ---------------------------------------------------------------------------
 
ROM:00000014
 
ROM:00000014 run ; CODE XREF: loader+A�j
 
ROM:00000014 BX R4 ; jump thumb code
 
ROM:00000014 ; End of function loader
 
ROM:00000014
 
ROM:00000014 ; ---------------------------------------------------------------------------
 
</pre>
 
 
====Task creator====
 
<pre>
 
RAM:000119A0 ; =============== S U B R O U T I N E =======================================
 
RAM:000119A0
 
RAM:000119A0
 
RAM:000119A0 handler_replace
 
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr
 
RAM:000119A2 ADR R1, new_handler
 
RAM:000119A4 ADDS R1, #1 ; thumbing
 
RAM:000119A6 STR R1, [R0] ; setting new handler
 
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack
 
RAM:000119A8 ; End of function handler_replace
 
 
RAM:000119B0 ; =============== S U B R O U T I N E =======================================
 
RAM:000119B0
 
RAM:000119B0
 
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o
 
RAM:000119B0 PUSH {R4-R7,LR}
 
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var
 
RAM:000119B4 MOVS R6, #0x80
 
RAM:000119B6 SUB SP, SP, #0x2C
 
RAM:000119B8 LSLS R6, R6, #4 ; 0x200
 
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var
 
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack
 
RAM:000119BE LDR R4, =0x201420AC ; malloc
 
RAM:000119C0 ADDS R0, R6, #0
 
RAM:000119C2 BLX R4 ; malloc(0x200)
 
RAM:000119C4 MOVS R5, #0
 
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack
 
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)
 
RAM:000119CA BLX R4 ; malloc(0x98)
 
RAM:000119CC ADDS R7, R0, #0 ; R7 = task
 
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0
 
RAM:000119D0 MOVS R0, 0x100
 
RAM:000119D4 BLX R4 ; malloc(0x100)
 
RAM:000119D6 MOVS R2, #0x80
 
RAM:000119D8 LDR R1, =task_loop ; src
 
RAM:000119DA LSLS R2, R2, #1 ; size to copy
 
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy
 
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop
 
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)
 
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]
 
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)
 
RAM:000119E6 MOVS R3, #0x44
 
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44
 
RAM:000119EA MOVS R3, #0xA
 
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop
 
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT
 
RAM:000119F0 MOVS R3, #0xC
 
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)
 
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START
 
RAM:000119F6 LDR R1, =devteam1 ; char *name
 
RAM:000119F8 STR R5, [SP] ; void *argv = 0
 
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200
 
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0
 
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task
 
RAM:00011A00 MOVS R3, #0 ; int argc = 0
 
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task
 
RAM:00011A04 BLX R4 ; status = NU_Create_Task()
 
RAM:00011A06 ADDS R2, R0, #0
 
RAM:00011A08 CMP R0, #0 ; success = zero
 
RAM:00011A0A BNE status_error
 
RAM:00011A0C LDR R1, =OK
 
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]
 
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf
 
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")
 
RAM:00011A14 B exit ; fixing stack
 
RAM:00011A16 ; ---------------------------------------------------------------------------
 
RAM:00011A16
 
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j
 
RAM:00011A16 LDR R1, =ERROR
 
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]
 
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf
 
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")
 
RAM:00011A1E
 
RAM:00011A1E exit ; CODE XREF: new_handler+64�j
 
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack
 
RAM:00011A20 POP {R4-R7,PC} ; bye
 
RAM:00011A20 ; End of function new_handler
 
RAM:00011A20
 
RAM:00011A20 ; ---------------------------------------------------------------------------
 
</pre>
 
 
====Unlock task loop====
 
<pre>
 
RAM:00011A64 ; =============== S U B R O U T I N E =======================================
 
RAM:00011A64
 
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o
 
RAM:00011A64 PUSH {R4,R5,LR}
 
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox
 
RAM:00011A68 SUB SP, SP, #0x14
 
RAM:00011A6A
 
RAM:00011A6A loop ; CODE XREF: task_loop+44�j
 
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox
 
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox
 
RAM:00011A6E MOV R1, SP ; void *Message
 
RAM:00011A70 MOVS R2, #0xFF ; Timeout
 
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)
 
RAM:00011A74 LDR R3, [SP] ; Message[0]
 
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?
 
RAM:00011A78 BNE skip ;
 
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]
 
RAM:00011A7C LDR R3, =0x402F79BC
 
RAM:00011A7E LDR R2, [R1] ; Message[1].field0
 
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0
 
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0
 
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1
 
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1
 
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2
 
RAM:00011A8A LDR R3, =0x100FF00
 
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00
 
RAM:00011A8E LDR R3, =0x4020401
 
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401
 
RAM:00011A92 LDR R3, =0x4040403
 
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403
 
RAM:00011A96 MOVS R3, #1
 
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1
 
RAM:00011A9A MOVS R3, #0x20
 
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20
 
RAM:00011A9E
 
RAM:00011A9E skip ; CODE XREF: task_loop+14�j
 
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox
 
RAM:00011AA0 MOV R1, SP ; void *Message
 
RAM:00011AA2 MOVS R2, #0xFF ; timeout
 
RAM:00011AA4 LDR R3, =0x203ED568
 
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()
 
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox
 
RAM:00011AA8 ; End of function task_loop
 
</pre>
 
[[Category:Unlocking Methods]]
 

Latest revision as of 08:28, 13 October 2015

Used as an injection vector for the first iPhone 3G unlock payload.

Credit

geohot

Exploit

There is a stack-based buffer overflow in the at+stkprof command that allows unsigned code execution on the iPhone 3G baseband.

Implementation

The iPhone Dev Team used this exploit in the first public iPhone 3G unlock called yellowsn0w. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.

The source code (for old version 0.9.1) is also available here [1]

New Implementation (yellowsn0w 0.9.8)

In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.

at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf
9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8
905120000000001010101020202020611301000c000000";"\x10\x32\x0F\x27
\xBA\x43\x17\x1C\x0E\xA4\x0B\xA5\x01\x35\x21\x78\x78\x29\x0C\xD0
\xA8\x47\x0B\x01\x61\x78\xA8\x47\xC0\x46\xC0\x46\xC0\x46\xC0\x46
\xC9\x18\x11\x70\x02\x34\x01\x32\xEF\xE7\xC0\x46\xC0\x46\x01\x37
\x38\x47\x30\x30\x41\x29\x01\xDA09pG79pG024803A1013101601FBD0000
4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047
071CC56080204000A047802214495200144B041C9847099B0193442303930A23
013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1
0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420
641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674
65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B
281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B
13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000
5427234098591620BC792F4000FF0001010402040304040468D53E20xx"

Information on how this was used can be found here