Difference between revisions of "AT+XEMN Heap Overflow"

From The iPhone Wiki
Jump to: navigation, search
(New page: AT+XEMN was a possible unlock for 5.11.07. But turns out it is not exploitable. == July 2009 == *Oranav discovers this command. *Shortly after discovered, The iPhone Dev Team, confirmed ...)
 
m
 
(34 intermediate revisions by 15 users not shown)
Line 1: Line 1:
  +
AT+XEMN is a command on baseband [[05.11.07]] (pushed out with the 3.1 release), which when exploited correctly, causes a [[wikipedia:heap overflow|heap overflow]] allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an [[unlock|unlocking]] payload to provide a software SIM unlock on the official 3.1(.2) firmware running [[05.11.07]].
AT+XEMN was a possible unlock for 5.11.07. But turns out it is not exploitable.
 
   
== July 2009 ==
+
== Credit ==
  +
* '''Vulnerability''': [[User:Oranav|Oranav]] (July) and [[User:iH8sn0w|iH8sn0w]] (September) (discovered independently)
*Oranav discovers this command.
 
  +
* '''Exploit''': [[User:geohot|geohot]]
*Shortly after discovered, The iPhone Dev Team, confirmed that the command is non-exploitable.
 
*There was no talk about this command.
 
   
== September 2009 ==
+
== Implementation ==
  +
This exploit is used in [[blacksn0w]].
*iH8sn0w discovered this command but kept it a secret for about a month - http://twitter.com/iH8sn0w/status/4353547726
 
   
== October 2009 ==
+
== Exception Dump ==
  +
+XLOG: Exception Number: 1
*When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter - http://twitter.com/iH8sn0w/status/4954333558.
 
  +
Trap Class: 0xDDDD (SW GENERATED TRAP)
*Shortly after, Oranav discovered this, and posted his Hash from July - http://pastebin.ca/1485104.
 
  +
Identification: 140 (0x008C)
*MuscleNerd tells iHacker that the command was received it awhile ago and was non-exploitable - http://twitter.com/iHacker/status/4978821448
 
  +
Date: 22.10.2009
*GeoHot attempts to use this command, but later finds out aswell that it is non-exploitable - http://twitter.com/geohot/status/4979506974
 
  +
Time: 00:30
*The hunt for another exploit continues as New 3G/3G[S] users join or if 3G/3G[S] upgrade to Official Apple Firmware.
 
  +
File: atform/text/_malloc.c
  +
Line: 1036
  +
Logdata:
  +
2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63 ..v.@.1datc:1.dc
  +
20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20 D..
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
  +
20 20 20 20 20 20 20 20
  +
  +
== Timeline ==
  +
=== {{date|2009|07}} ===
  +
*[[User:Oranav|Oranav]] discovers this crash and gives it to the [[iPhone Dev Team]].
  +
*Upon initial investigation, The [[iPhone Dev Team]], mistakenly concludes that the crash is non-exploitable.
  +
  +
=== {{date|2009|09}} ===
  +
*[[User:iH8sn0w|iH8sn0w]] discovered this command independently but kept it a secret for about a month. [https://twitter.com/iH8sn0w/status/4353547726 ]
  +
  +
=== {{date|2009|10}} ===
  +
*When the [[iPhone Dev Team]] stated that [[User:iH8sn0w|iH8sn0w]] did not have an [[unlock]], he posted the command on Twitter. [https://twitter.com/iH8sn0w/status/4954333558]
  +
*Shortly after, [[User:Oranav|Oranav]] posted his Hash from July. [http://pastebin.ca/1485104]
  +
*[[User:MuscleNerd|MuscleNerd]] tells [[iHacker]] that the crash was received awhile ago and is thought to be non-exploitable. [https://twitter.com/MuscleNerd/status/4978871033][https://twitter.com/iHacker/status/4978821448]
  +
*[[User:Geohot|Geohot]] attempts to exploit this crash, but intially also finds it to be non-exploitable. [https://twitter.com/geohot/status/4979506974]
  +
*[[User:Geohot|Geohot]] does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [https://twitter.com/geohot/status/5196861045]
  +
*[[User:Geohot|Geohot]] achieves arbitrary code execution and begins work on unlock which will be called [[blacksn0w]]. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html]
  +
*[[User:Geohot|Geohot]] posts a video of an [[unlock]]ed [[05.11.07]] device. [http://www.youtube.com/watch?v=g23e9e9zOVI]
  +
  +
=== {{date|2009|11}} ===
  +
*Geohot releases [[blacksn0w]] to the masses.
  +
  +
[[Category:Baseband Exploits]]

Latest revision as of 13:35, 17 September 2021

AT+XEMN is a command on baseband 05.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a software SIM unlock on the official 3.1(.2) firmware running 05.11.07.

Credit

  • Vulnerability: Oranav (July) and iH8sn0w (September) (discovered independently)
  • Exploit: geohot

Implementation

This exploit is used in blacksn0w.

Exception Dump

+XLOG: Exception Number: 1
Trap Class:     0xDDDD  (SW GENERATED TRAP)
Identification: 140 (0x008C)
Date: 22.10.2009
Time: 00:30
File: atform/text/_malloc.c
Line: 1036
Logdata:
 2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63   ..v.@.1datc:1.dc
 20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20    D..            
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
 20 20 20 20 20 20 20 20

Timeline

July 2009

September 2009

  • iH8sn0w discovered this command independently but kept it a secret for about a month. [1]

October 2009

  • When the iPhone Dev Team stated that iH8sn0w did not have an unlock, he posted the command on Twitter. [2]
  • Shortly after, Oranav posted his Hash from July. [3]
  • MuscleNerd tells iHacker that the crash was received awhile ago and is thought to be non-exploitable. [4][5]
  • Geohot attempts to exploit this crash, but intially also finds it to be non-exploitable. [6]
  • Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [7]
  • Geohot achieves arbitrary code execution and begins work on unlock which will be called blacksn0w. [8]
  • Geohot posts a video of an unlocked 05.11.07 device. [9]

November 2009