Difference between revisions of "AT+stkprof"

From The iPhone Wiki
Jump to: navigation, search
m (Updating)
 
(9 intermediate revisions by 5 users not shown)
Line 1: Line 1:
Used as an injection vector for the first [[iPhone 3G]] [[Unlock 2.0|unlock]] [[yellowsn0w|payload]].
+
Used as an injection vector for the first [[N82AP|iPhone 3G]] [[Unlock 2.0|unlock]] [[yellowsn0w|payload]].
   
 
==Credit==
 
==Credit==
[[geohot]]
+
[[User:geohot|geohot]]
   
 
==Exploit==
 
==Exploit==
Line 8: Line 8:
   
 
==Implementation==
 
==Implementation==
The [[dev team]] used this exploit in the first public iPhone 3G unlock called [[yellowsn0w]]. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.
+
The [[iPhone Dev Team]] used this exploit in the first public iPhone 3G unlock called [[yellowsn0w]]. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.
   
The source code is also available here [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]
+
The source code (for old version 0.9.1) is also available here [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]
   
===New Implementation (yellowsn0w 0.9.6)===
+
===New Implementation (yellowsn0w 0.9.8)===
 
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.
 
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.
   
 
<pre>
 
<pre>
  +
at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf
at+stkprof=122064a541c044b1878222803d0107001320133f8e720470000bf9f1
 
  +
9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8
54000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8905120
 
  +
905120000000001010101020202020611301000c000000";"\x10\x32\x0F\x27
000000001010101020202020611301000c000000223B22270F32101C1743BAA
 
  +
\xBA\x43\x17\x1C\x0E\xA4\x0B\xA5\x01\x35\x21\x78\x78\x29\x0C\xD0
50BA40E78213501D00C297810B47A847A8786146C046C046C046C0701118C
 
  +
\xA8\x47\x0B\x01\x61\x78\xA8\x47\xC0\x46\xC0\x46\xC0\x46\xC0\x46
93201340246C0E7EF370146C03030473829411+09pG79pG024803A10131016
 
  +
\xC9\x18\x11\x70\x02\x34\x01\x32\xEF\xE7\xC0\x46\xC0\x46\x01\x37
01FBD00004C711140F0B51C4B80268BB03601188008911A4C301CA0470025
 
  +
\x38\x47\x30\x30\x41\x29\x01\xDA09pG79pG024803A1013101601FBD0000
09909820A047071CC56080204000A047802214495200144B041C9847099B01
 
  +
4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047
93442303930A23013405930C23221C06930F49009502960495381C00230D4C
 
  +
071CC56080204000A047802214495200144B041C9847099B0193442303930A23
A047021C002804D10B4908980B4B984703E00B490898094B98470BB0F0BD00
 
  +
013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1
0044B33B40AC201420641A0100A0583C20481A010040B53F20541A010000DD
 
  +
0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420
4620581A01006465767465616D31000000004F4B21004552524F52202564000
 
  +
641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674
0000030B5114D85B0114B281C6946FF229847009B0D2B11D101990D4B0A68
 
  +
65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B
1A6004334A681A608A680B4B13600B4B53600B4B93600123CB602023009328
 
  +
281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B
1C6946FF22074B9847DFE700005427234098591620BC792F4000FF000101040
 
  +
13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000
2040304040468D53E207878220
 
  +
5427234098591620BC792F4000FF0001010402040304040468D53E20xx"
 
</pre>
 
</pre>
   

Latest revision as of 08:28, 13 October 2015

Used as an injection vector for the first iPhone 3G unlock payload.

Credit

geohot

Exploit

There is a stack-based buffer overflow in the at+stkprof command that allows unsigned code execution on the iPhone 3G baseband.

Implementation

The iPhone Dev Team used this exploit in the first public iPhone 3G unlock called yellowsn0w. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.

The source code (for old version 0.9.1) is also available here [1]

New Implementation (yellowsn0w 0.9.8)

In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.

at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf
9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8
905120000000001010101020202020611301000c000000";"\x10\x32\x0F\x27
\xBA\x43\x17\x1C\x0E\xA4\x0B\xA5\x01\x35\x21\x78\x78\x29\x0C\xD0
\xA8\x47\x0B\x01\x61\x78\xA8\x47\xC0\x46\xC0\x46\xC0\x46\xC0\x46
\xC9\x18\x11\x70\x02\x34\x01\x32\xEF\xE7\xC0\x46\xC0\x46\x01\x37
\x38\x47\x30\x30\x41\x29\x01\xDA09pG79pG024803A1013101601FBD0000
4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047
071CC56080204000A047802214495200144B041C9847099B0193442303930A23
013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1
0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420
641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674
65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B
281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B
13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000
5427234098591620BC792F4000FF0001010402040304040468D53E20xx"

Information on how this was used can be found here