The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "AT+stkprof"
ChronicDev (talk | contribs) |
ChronicDev (talk | contribs) m (AT+stkprof Exploit moved to At+stkprof: easier linkability) |
(No difference)
|
Revision as of 20:57, 7 March 2009
Used as an injection vector for the first iPhone 3G unlock payload.
Credit
Exploit
There is a stack-based buffer overflow in the at+stkprof command that allows unsigned code execution on the iPhone 3G baseband.
Implementation
The dev team used this exploit in the first public iPhone 3G unlock called yellowsn0w. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.
The source code is also available here [1]
New Implementation (yellowsn0w 0.9.6)
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.
at+stkprof=122064a541c044b1878222803d0107001320133f8e720470000bf9f1 54000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8905120 000000001010101020202020611301000c000000223B22270F32101C1743BAA 50BA40E78213501D00C297810B47A847A8786146C046C046C046C0701118C 93201340246C0E7EF370146C03030473829411+09pG79pG024803A10131016 01FBD00004C711140F0B51C4B80268BB03601188008911A4C301CA0470025 09909820A047071CC56080204000A047802214495200144B041C9847099B01 93442303930A23013405930C23221C06930F49009502960495381C00230D4C A047021C002804D10B4908980B4B984703E00B490898094B98470BB0F0BD00 0044B33B40AC201420641A0100A0583C20481A010040B53F20541A010000DD 4620581A01006465767465616D31000000004F4B21004552524F52202564000 0000030B5114D85B0114B281C6946FF229847009B0D2B11D101990D4B0A68 1A6004334A681A608A680B4B13600B4B53600B4B93600123CB602023009328 1C6946FF22074B9847DFE700005427234098591620BC792F4000FF000101040 2040304040468D53E207878220
Information on how this was used can be found here