|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "AT+XEMN Heap Overflow"
(Replacing page with 'Hacked by Chroniccommand') |
|||
| Line 1: | Line 1: | ||
| + | Hacked by Chroniccommand |
||
| − | AT+XEMN is a command on baseband 5.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a coveted Software SIM Unlock on the official 3.1(.2) firmware running 5.11.07 |
||
| − | |||
| − | == Credit == |
||
| − | * '''Vulnerability''': [[User:Oranav|Oranav]] (July) and [[User:iH8sn0w|iH8sn0w]] (September) (discovered independently)<br> |
||
| − | * '''Exploit''': [[User:geohot|geohot]] |
||
| − | |||
| − | == Implementation == |
||
| − | This exploit is used in [[blacksn0w]]. |
||
| − | |||
| − | == Exception Dump == |
||
| − | +XLOG: Exception Number: 1 |
||
| − | Trap Class: 0xDDDD (SW GENERATED TRAP) |
||
| − | Identification: 140 (0x008C) |
||
| − | Date: 22.10.2009 |
||
| − | Time: 00:30 |
||
| − | File: atform/text/_malloc.c |
||
| − | Line: 1036 |
||
| − | Logdata: |
||
| − | 2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63 ..v.@.1datc:1.dc |
||
| − | 20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20 D.. |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
||
| − | 20 20 20 20 20 20 20 20 |
||
| − | |||
| − | == Timeline == |
||
| − | === July 2009 === |
||
| − | *[[User:Oranav|Oranav]] discovers this crash and gives is to the [[iPhone Dev Team]]. |
||
| − | *Upon initial investigation, The [[iPhone Dev Team]], mistakenly concludes that the crash is non-exploitable. |
||
| − | |||
| − | === September 2009 === |
||
| − | *iH8sn0w discovered this command independently but kept it a secret for about a month. [http://twitter.com/iH8sn0w/status/4353547726 ] |
||
| − | |||
| − | === October 2009 === |
||
| − | *When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter. [http://twitter.com/iH8sn0w/status/4954333558] |
||
| − | *Shortly after, Oranav posted his Hash from July. [http://pastebin.ca/1485104] |
||
| − | *MuscleNerd tells iHacker that the crash was received awhile ago and is thought to be non-exploitable. [http://twitter.com/MuscleNerd/status/4978871033][http://twitter.com/iHacker/status/4978821448] |
||
| − | *[[User:Geohot|Geohot]] attempts to exploit this crash, but intially also finds it to be non-exploitable. [http://twitter.com/geohot/status/4979506974] |
||
| − | *Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [http://twitter.com/geohot/status/5196861045] |
||
| − | *Geohot achieves arbitrary code execution and begins work on unlock which will be called blacksn0w. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html] |
||
| − | *Geohot posts a video of an unlocked 05.11.07 device. [http://www.youtube.com/watch?v=g23e9e9zOVI] |
||
| − | |||
| − | === November 2009 === |
||
| − | *Geohot releases [[blacksn0w]] to the masses. |
||
| − | |||
| − | [[Category:Baseband Exploits]] |
||
Revision as of 17:39, 6 November 2009
Hacked by Chroniccommand
