|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "AT+stkprof"
ChronicDev (talk | contribs) m (AT+stkprof Exploit moved to At+stkprof: easier linkability) |
(→New Implementation (yellowsn0w 0.9.8): updated version and finally correct payload) |
||
| Line 12: | Line 12: | ||
The source code is also available here [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2] |
The source code is also available here [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2] |
||
| − | ===New Implementation (yellowsn0w 0.9. |
+ | ===New Implementation (yellowsn0w 0.9.8)=== |
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go. |
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go. |
||
<pre> |
<pre> |
||
| + | at+stkprof=1,"\x30\x36 |
||
| − | at+stkprof=122064a541c044b1878222803d0107001320133f8e720470000bf9f1 |
||
| + | \x34\x61\x35\x34\x31\x63\x30\x34\x34\x62\x31\x38\x37\x38\x32\x32 |
||
| − | 54000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8905120 |
||
| + | \x32\x38\x30\x33\x64\x30\x31\x30\x37\x30\x30\x31\x33\x32\x30\x31 |
||
| − | 000000001010101020202020611301000c000000223B22270F32101C1743BAA |
||
| + | \x33\x33\x66\x38\x65\x37\x32\x30\x34\x37\x30\x30\x30\x30\x62\x66 |
||
| − | 50BA40E78213501D00C297810B47A847A8786146C046C046C046C0701118C |
||
| + | \x39\x66\x31\x35\x34\x30\x30\x30\x31\x37\x30\x31\x30\x30\x35\x34 |
||
| − | 93201340246C0E7EF370146C03030473829411+09pG79pG024803A10131016 |
||
| + | \x36\x65\x35\x36\x34\x30\x32\x30\x30\x30\x30\x30\x30\x30\x35\x63 |
||
| − | 01FBD00004C711140F0B51C4B80268BB03601188008911A4C301CA0470025 |
||
| + | \x31\x33\x30\x31\x30\x30\x32\x36\x36\x65\x35\x36\x34\x30\x64\x64 |
||
| − | 09909820A047071CC56080204000A047802214495200144B041C9847099B01 |
||
| + | \x64\x64\x64\x64\x64\x64\x65\x65\x65\x65\x65\x65\x65\x65\x62\x38 |
||
| − | 93442303930A23013405930C23221C06930F49009502960495381C00230D4C |
||
| + | \x39\x30\x35\x31\x32\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x30 |
||
| − | A047021C002804D10B4908980B4B984703E00B490898094B98470BB0F0BD00 |
||
| + | \x31\x30\x31\x30\x31\x30\x32\x30\x32\x30\x32\x30\x32\x30\x36\x31 |
||
| − | 0044B33B40AC201420641A0100A0583C20481A010040B53F20541A010000DD |
||
| + | \x31\x33\x30\x31\x30\x30\x30\x63\x30\x30\x30\x30\x30\x30\x22\x3B |
||
| − | 4620581A01006465767465616D31000000004F4B21004552524F52202564000 |
||
| + | \x22\x10\x32\x0F\x27\xBA\x43\x17\x1C\x0E\xA4\x0B\xA5\x01\x35\x21 |
||
| − | 0000030B5114D85B0114B281C6946FF229847009B0D2B11D101990D4B0A68 |
||
| + | \x78\x78\x29\x0C\xD0\xA8\x47\x0B\x01\x61\x78\xA8\x47\xC0\x46\xC0 |
||
| − | 1A6004334A681A608A680B4B13600B4B53600B4B93600123CB602023009328 |
||
| + | \x46\xC0\x46\xC0\x46\xC9\x18\x11\x70\x02\x34\x01\x32\xEF\xE7\xC0 |
||
| − | 1C6946FF22074B9847DFE700005427234098591620BC792F4000FF000101040 |
||
| + | \x46\xC0\x46\x01\x37\x38\x47\x30\x30\x41\x29\x01\xDA\x30\x39\x70 |
||
| − | 2040304040468D53E207878220 |
||
| + | \x47\x37\x39\x70\x47\x30\x32\x34\x38\x30\x33\x41\x31\x30\x31\x33 |
||
| + | \x31\x30\x31\x36\x30\x31\x46\x42\x44\x30\x30\x30\x30\x34\x43\x37 |
||
| + | \x31\x31\x31\x34\x30\x46\x30\x42\x35\x31\x43\x34\x42\x38\x30\x32 |
||
| + | \x36\x38\x42\x42\x30\x33\x36\x30\x31\x31\x38\x38\x30\x30\x38\x39 |
||
| + | \x31\x31\x41\x34\x43\x33\x30\x31\x43\x41\x30\x34\x37\x30\x30\x32 |
||
| + | \x35\x30\x39\x39\x30\x39\x38\x32\x30\x41\x30\x34\x37\x30\x37\x31 |
||
| + | \x43\x43\x35\x36\x30\x38\x30\x32\x30\x34\x30\x30\x30\x41\x30\x34 |
||
| + | \x37\x38\x30\x32\x32\x31\x34\x34\x39\x35\x32\x30\x30\x31\x34\x34 |
||
| + | \x42\x30\x34\x31\x43\x39\x38\x34\x37\x30\x39\x39\x42\x30\x31\x39 |
||
| + | \x33\x34\x34\x32\x33\x30\x33\x39\x33\x30\x41\x32\x33\x30\x31\x33 |
||
| + | \x34\x30\x35\x39\x33\x30\x43\x32\x33\x32\x32\x31\x43\x30\x36\x39 |
||
| + | \x33\x30\x46\x34\x39\x30\x30\x39\x35\x30\x32\x39\x36\x30\x34\x39 |
||
| + | \x35\x33\x38\x31\x43\x30\x30\x32\x33\x30\x44\x34\x43\x41\x30\x34 |
||
| + | \x37\x30\x32\x31\x43\x30\x30\x32\x38\x30\x34\x44\x31\x30\x42\x34 |
||
| + | \x39\x30\x38\x39\x38\x30\x42\x34\x42\x39\x38\x34\x37\x30\x33\x45 |
||
| + | \x30\x30\x42\x34\x39\x30\x38\x39\x38\x30\x39\x34\x42\x39\x38\x34 |
||
| + | \x37\x30\x42\x42\x30\x46\x30\x42\x44\x30\x30\x30\x30\x34\x34\x42 |
||
| + | \x33\x33\x42\x34\x30\x41\x43\x32\x30\x31\x34\x32\x30\x36\x34\x31 |
||
| + | \x41\x30\x31\x30\x30\x41\x30\x35\x38\x33\x43\x32\x30\x34\x38\x31 |
||
| + | \x41\x30\x31\x30\x30\x34\x30\x42\x35\x33\x46\x32\x30\x35\x34\x31 |
||
| + | \x41\x30\x31\x30\x30\x30\x30\x44\x44\x34\x36\x32\x30\x35\x38\x31 |
||
| + | \x41\x30\x31\x30\x30\x36\x34\x36\x35\x37\x36\x37\x34\x36\x35\x36 |
||
| + | \x31\x36\x44\x33\x31\x30\x30\x30\x30\x30\x30\x30\x30\x34\x46\x34 |
||
| + | \x42\x32\x31\x30\x30\x34\x35\x35\x32\x35\x32\x34\x46\x35\x32\x32 |
||
| + | \x30\x32\x35\x36\x34\x30\x30\x30\x30\x30\x30\x30\x30\x33\x30\x42 |
||
| + | \x35\x31\x31\x34\x44\x38\x35\x42\x30\x31\x31\x34\x42\x32\x38\x31 |
||
| + | \x43\x36\x39\x34\x36\x46\x46\x32\x32\x39\x38\x34\x37\x30\x30\x39 |
||
| + | \x42\x30\x44\x32\x42\x31\x31\x44\x31\x30\x31\x39\x39\x30\x44\x34 |
||
| + | \x42\x30\x41\x36\x38\x31\x41\x36\x30\x30\x34\x33\x33\x34\x41\x36 |
||
| + | \x38\x31\x41\x36\x30\x38\x41\x36\x38\x30\x42\x34\x42\x31\x33\x36 |
||
| + | \x30\x30\x42\x34\x42\x35\x33\x36\x30\x30\x42\x34\x42\x39\x33\x36 |
||
| + | \x30\x30\x31\x32\x33\x43\x42\x36\x30\x32\x30\x32\x33\x30\x30\x39 |
||
| + | \x33\x32\x38\x31\x43\x36\x39\x34\x36\x46\x46\x32\x32\x30\x37\x34 |
||
| + | \x42\x39\x38\x34\x37\x44\x46\x45\x37\x30\x30\x30\x30\x35\x34\x32 |
||
| + | \x37\x32\x33\x34\x30\x39\x38\x35\x39\x31\x36\x32\x30\x42\x43\x37 |
||
| + | \x39\x32\x46\x34\x30\x30\x30\x46\x46\x30\x30\x30\x31\x30\x31\x30 |
||
| + | \x34\x30\x32\x30\x34\x30\x33\x30\x34\x30\x34\x30\x34\x36\x38\x44 |
||
| + | \x35\x33\x45\x32\x30\x78\x78" |
||
</pre> |
</pre> |
||
Revision as of 23:00, 8 May 2009
Used as an injection vector for the first iPhone 3G unlock payload.
Credit
Exploit
There is a stack-based buffer overflow in the at+stkprof command that allows unsigned code execution on the iPhone 3G baseband.
Implementation
The dev team used this exploit in the first public iPhone 3G unlock called yellowsn0w. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.
The source code is also available here [1]
New Implementation (yellowsn0w 0.9.8)
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.
at+stkprof=1,"\x30\x36 \x34\x61\x35\x34\x31\x63\x30\x34\x34\x62\x31\x38\x37\x38\x32\x32 \x32\x38\x30\x33\x64\x30\x31\x30\x37\x30\x30\x31\x33\x32\x30\x31 \x33\x33\x66\x38\x65\x37\x32\x30\x34\x37\x30\x30\x30\x30\x62\x66 \x39\x66\x31\x35\x34\x30\x30\x30\x31\x37\x30\x31\x30\x30\x35\x34 \x36\x65\x35\x36\x34\x30\x32\x30\x30\x30\x30\x30\x30\x30\x35\x63 \x31\x33\x30\x31\x30\x30\x32\x36\x36\x65\x35\x36\x34\x30\x64\x64 \x64\x64\x64\x64\x64\x64\x65\x65\x65\x65\x65\x65\x65\x65\x62\x38 \x39\x30\x35\x31\x32\x30\x30\x30\x30\x30\x30\x30\x30\x30\x31\x30 \x31\x30\x31\x30\x31\x30\x32\x30\x32\x30\x32\x30\x32\x30\x36\x31 \x31\x33\x30\x31\x30\x30\x30\x63\x30\x30\x30\x30\x30\x30\x22\x3B \x22\x10\x32\x0F\x27\xBA\x43\x17\x1C\x0E\xA4\x0B\xA5\x01\x35\x21 \x78\x78\x29\x0C\xD0\xA8\x47\x0B\x01\x61\x78\xA8\x47\xC0\x46\xC0 \x46\xC0\x46\xC0\x46\xC9\x18\x11\x70\x02\x34\x01\x32\xEF\xE7\xC0 \x46\xC0\x46\x01\x37\x38\x47\x30\x30\x41\x29\x01\xDA\x30\x39\x70 \x47\x37\x39\x70\x47\x30\x32\x34\x38\x30\x33\x41\x31\x30\x31\x33 \x31\x30\x31\x36\x30\x31\x46\x42\x44\x30\x30\x30\x30\x34\x43\x37 \x31\x31\x31\x34\x30\x46\x30\x42\x35\x31\x43\x34\x42\x38\x30\x32 \x36\x38\x42\x42\x30\x33\x36\x30\x31\x31\x38\x38\x30\x30\x38\x39 \x31\x31\x41\x34\x43\x33\x30\x31\x43\x41\x30\x34\x37\x30\x30\x32 \x35\x30\x39\x39\x30\x39\x38\x32\x30\x41\x30\x34\x37\x30\x37\x31 \x43\x43\x35\x36\x30\x38\x30\x32\x30\x34\x30\x30\x30\x41\x30\x34 \x37\x38\x30\x32\x32\x31\x34\x34\x39\x35\x32\x30\x30\x31\x34\x34 \x42\x30\x34\x31\x43\x39\x38\x34\x37\x30\x39\x39\x42\x30\x31\x39 \x33\x34\x34\x32\x33\x30\x33\x39\x33\x30\x41\x32\x33\x30\x31\x33 \x34\x30\x35\x39\x33\x30\x43\x32\x33\x32\x32\x31\x43\x30\x36\x39 \x33\x30\x46\x34\x39\x30\x30\x39\x35\x30\x32\x39\x36\x30\x34\x39 \x35\x33\x38\x31\x43\x30\x30\x32\x33\x30\x44\x34\x43\x41\x30\x34 \x37\x30\x32\x31\x43\x30\x30\x32\x38\x30\x34\x44\x31\x30\x42\x34 \x39\x30\x38\x39\x38\x30\x42\x34\x42\x39\x38\x34\x37\x30\x33\x45 \x30\x30\x42\x34\x39\x30\x38\x39\x38\x30\x39\x34\x42\x39\x38\x34 \x37\x30\x42\x42\x30\x46\x30\x42\x44\x30\x30\x30\x30\x34\x34\x42 \x33\x33\x42\x34\x30\x41\x43\x32\x30\x31\x34\x32\x30\x36\x34\x31 \x41\x30\x31\x30\x30\x41\x30\x35\x38\x33\x43\x32\x30\x34\x38\x31 \x41\x30\x31\x30\x30\x34\x30\x42\x35\x33\x46\x32\x30\x35\x34\x31 \x41\x30\x31\x30\x30\x30\x30\x44\x44\x34\x36\x32\x30\x35\x38\x31 \x41\x30\x31\x30\x30\x36\x34\x36\x35\x37\x36\x37\x34\x36\x35\x36 \x31\x36\x44\x33\x31\x30\x30\x30\x30\x30\x30\x30\x30\x34\x46\x34 \x42\x32\x31\x30\x30\x34\x35\x35\x32\x35\x32\x34\x46\x35\x32\x32 \x30\x32\x35\x36\x34\x30\x30\x30\x30\x30\x30\x30\x30\x33\x30\x42 \x35\x31\x31\x34\x44\x38\x35\x42\x30\x31\x31\x34\x42\x32\x38\x31 \x43\x36\x39\x34\x36\x46\x46\x32\x32\x39\x38\x34\x37\x30\x30\x39 \x42\x30\x44\x32\x42\x31\x31\x44\x31\x30\x31\x39\x39\x30\x44\x34 \x42\x30\x41\x36\x38\x31\x41\x36\x30\x30\x34\x33\x33\x34\x41\x36 \x38\x31\x41\x36\x30\x38\x41\x36\x38\x30\x42\x34\x42\x31\x33\x36 \x30\x30\x42\x34\x42\x35\x33\x36\x30\x30\x42\x34\x42\x39\x33\x36 \x30\x30\x31\x32\x33\x43\x42\x36\x30\x32\x30\x32\x33\x30\x30\x39 \x33\x32\x38\x31\x43\x36\x39\x34\x36\x46\x46\x32\x32\x30\x37\x34 \x42\x39\x38\x34\x37\x44\x46\x45\x37\x30\x30\x30\x30\x35\x34\x32 \x37\x32\x33\x34\x30\x39\x38\x35\x39\x31\x36\x32\x30\x42\x43\x37 \x39\x32\x46\x34\x30\x30\x30\x46\x46\x30\x30\x30\x31\x30\x31\x30 \x34\x30\x32\x30\x34\x30\x33\x30\x34\x30\x34\x30\x34\x36\x38\x44 \x35\x33\x45\x32\x30\x78\x78"
Information on how this was used can be found here
