The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "AT+stkprof"
(yellowsn0w exploit comments) |
m (Updating) |
||
(13 intermediate revisions by 6 users not shown) | |||
Line 1: | Line 1: | ||
− | Used as an injection vector for the first [[iPhone 3G]] [[Unlock 2.0|unlock]] [[yellowsn0w|payload]]. |
+ | Used as an injection vector for the first [[N82AP|iPhone 3G]] [[Unlock 2.0|unlock]] [[yellowsn0w|payload]]. |
==Credit== |
==Credit== |
||
− | [[geohot]] |
+ | [[User:geohot|geohot]] |
==Exploit== |
==Exploit== |
||
Line 8: | Line 8: | ||
==Implementation== |
==Implementation== |
||
− | The [[ |
+ | The [[iPhone Dev Team]] used this exploit in the first public iPhone 3G unlock called [[yellowsn0w]]. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset. |
− | The source code is also available here [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2] |
+ | The source code (for old version 0.9.1) is also available here [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2] |
− | ===New Implementation (yellowsn0w 0.9. |
+ | ===New Implementation (yellowsn0w 0.9.8)=== |
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go. |
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go. |
||
<pre> |
<pre> |
||
+ | at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf |
||
− | at+stkprof=122064a541c044b1878222803d0107001320133f8e720470000bf9f1 |
||
+ | 9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8 |
||
− | 54000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8905120 |
||
+ | 905120000000001010101020202020611301000c000000";"\x10\x32\x0F\x27 |
||
− | 000000001010101020202020611301000c000000223B22270F32101C1743BAA |
||
+ | \xBA\x43\x17\x1C\x0E\xA4\x0B\xA5\x01\x35\x21\x78\x78\x29\x0C\xD0 |
||
− | 50BA40E78213501D00C297810B47A847A8786146C046C046C046C0701118C |
||
+ | \xA8\x47\x0B\x01\x61\x78\xA8\x47\xC0\x46\xC0\x46\xC0\x46\xC0\x46 |
||
− | 93201340246C0E7EF370146C03030473829411+09pG79pG024803A10131016 |
||
+ | \xC9\x18\x11\x70\x02\x34\x01\x32\xEF\xE7\xC0\x46\xC0\x46\x01\x37 |
||
− | 01FBD00004C711140F0B51C4B80268BB03601188008911A4C301CA0470025 |
||
+ | \x38\x47\x30\x30\x41\x29\x01\xDA09pG79pG024803A1013101601FBD0000 |
||
− | 09909820A047071CC56080204000A047802214495200144B041C9847099B01 |
||
+ | 4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047 |
||
− | 93442303930A23013405930C23221C06930F49009502960495381C00230D4C |
||
+ | 071CC56080204000A047802214495200144B041C9847099B0193442303930A23 |
||
− | A047021C002804D10B4908980B4B984703E00B490898094B98470BB0F0BD00 |
||
+ | 013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1 |
||
− | 0044B33B40AC201420641A0100A0583C20481A010040B53F20541A010000DD |
||
+ | 0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420 |
||
− | 4620581A01006465767465616D31000000004F4B21004552524F52202564000 |
||
+ | 641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674 |
||
− | 0000030B5114D85B0114B281C6946FF229847009B0D2B11D101990D4B0A68 |
||
+ | 65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B |
||
− | 1A6004334A681A608A680B4B13600B4B53600B4B93600123CB602023009328 |
||
+ | 281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B |
||
− | 1C6946FF22074B9847DFE700005427234098591620BC792F4000FF000101040 |
||
+ | 13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000 |
||
− | 2040304040468D53E207878220 |
||
+ | 5427234098591620BC792F4000FF0001010402040304040468D53E20xx" |
||
</pre> |
</pre> |
||
+ | Information on how this was used can be found [[Yellowsn0w#Payload_w.2F_Comments_.28by_Darkmen.29_.3D|here]] |
||
− | Anyone with a better insight feel free to comment / modify, as I didn't look any further into this, I just looked at the ztringz :) |
||
+ | [[Category:Baseband Exploits]] |
||
− | ===yellowsn0w 0.9.6 with comments=== |
||
− | The exploit consists from 3 parts: |
||
− | ====Code loader==== |
||
− | <pre> |
||
− | ROM:00000000 ; =============== S U B R O U T I N E ======================================= |
||
− | ROM:00000000 |
||
− | ROM:00000000 |
||
− | ROM:00000000 loader |
||
− | ROM:00000000 LDR R2, =0x11700 ; unused ram to place code |
||
− | ROM:00000002 ADDS R4, R2, #1 ; thumb switch |
||
− | ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where StrToHex result of the at-command is |
||
− | ROM:00000006 |
||
− | ROM:00000006 copy.loop ; CODE XREF: loader+12�j |
||
− | ROM:00000006 LDRB R0, [R3] ; copying code until double quotes |
||
− | ROM:00000008 CMP R0, #0x22 ; '"' |
||
− | ROM:0000000A BEQ run ; jump thumb code |
||
− | ROM:0000000C STRB R0, [R2] |
||
− | ROM:0000000E ADDS R2, #1 |
||
− | ROM:00000010 ADDS R3, #1 |
||
− | ROM:00000012 B copy.loop ; copying code until double quotes |
||
− | ROM:00000014 ; --------------------------------------------------------------------------- |
||
− | ROM:00000014 |
||
− | ROM:00000014 run ; CODE XREF: loader+A�j |
||
− | ROM:00000014 BX R4 ; jump thumb code |
||
− | ROM:00000014 ; End of function loader |
||
− | ROM:00000014 |
||
− | ROM:00000014 ; --------------------------------------------------------------------------- |
||
− | </pre> |
||
− | |||
− | ====Task creator==== |
||
− | <pre> |
||
− | RAM:000119A0 ; =============== S U B R O U T I N E ======================================= |
||
− | RAM:000119A0 |
||
− | RAM:000119A0 |
||
− | RAM:000119A0 handler_replace |
||
− | RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr |
||
− | RAM:000119A2 ADR R1, new_handler |
||
− | RAM:000119A4 ADDS R1, #1 ; thumbing |
||
− | RAM:000119A6 STR R1, [R0] ; setting new handler |
||
− | RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack |
||
− | RAM:000119A8 ; End of function handler_replace |
||
− | |||
− | RAM:000119B0 ; =============== S U B R O U T I N E ======================================= |
||
− | RAM:000119B0 |
||
− | RAM:000119B0 |
||
− | RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o |
||
− | RAM:000119B0 PUSH {R4-R7,LR} |
||
− | RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var |
||
− | RAM:000119B4 MOVS R6, #0x80 |
||
− | RAM:000119B6 SUB SP, SP, #0x2C |
||
− | RAM:000119B8 LSLS R6, R6, #4 ; 0x200 |
||
− | RAM:000119BA STRH R0, [R3] ; saving R0 to mem var |
||
− | RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack |
||
− | RAM:000119BE LDR R4, =0x201420AC ; malloc |
||
− | RAM:000119C0 ADDS R0, R6, #0 |
||
− | RAM:000119C2 BLX R4 ; malloc(0x200) |
||
− | RAM:000119C4 MOVS R5, #0 |
||
− | RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack |
||
− | RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK) |
||
− | RAM:000119CA BLX R4 ; malloc(0x98) |
||
− | RAM:000119CC ADDS R7, R0, #0 ; R7 = task |
||
− | RAM:000119CE STR R5, [R0,#0xC] ; task.field=0 |
||
− | RAM:000119D0 MOVS R0, 0x100 |
||
− | RAM:000119D4 BLX R4 ; malloc(0x100) |
||
− | RAM:000119D6 MOVS R2, #0x80 |
||
− | RAM:000119D8 LDR R1, =task_loop ; src |
||
− | RAM:000119DA LSLS R2, R2, #1 ; size to copy |
||
− | RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy |
||
− | RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop |
||
− | RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100) |
||
− | RAM:000119E2 LDR R3, [SP,#0x40+ptr_200] |
||
− | RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200) |
||
− | RAM:000119E6 MOVS R3, #0x44 |
||
− | RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44 |
||
− | RAM:000119EA MOVS R3, #0xA |
||
− | RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop |
||
− | RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT |
||
− | RAM:000119F0 MOVS R3, #0xC |
||
− | RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry) |
||
− | RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START |
||
− | RAM:000119F6 LDR R1, =devteam1 ; char *name |
||
− | RAM:000119F8 STR R5, [SP] ; void *argv = 0 |
||
− | RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200 |
||
− | RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0 |
||
− | RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task |
||
− | RAM:00011A00 MOVS R3, #0 ; int argc = 0 |
||
− | RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task |
||
− | RAM:00011A04 BLX R4 ; status = NU_Create_Task() |
||
− | RAM:00011A06 ADDS R2, R0, #0 |
||
− | RAM:00011A08 CMP R0, #0 ; success = zero |
||
− | RAM:00011A0A BNE status_error |
||
− | RAM:00011A0C LDR R1, =OK |
||
− | RAM:00011A0E LDR R0, [SP,#0x40+resp_string] |
||
− | RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf |
||
− | RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK") |
||
− | RAM:00011A14 B exit ; fixing stack |
||
− | RAM:00011A16 ; --------------------------------------------------------------------------- |
||
− | RAM:00011A16 |
||
− | RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j |
||
− | RAM:00011A16 LDR R1, =ERROR |
||
− | RAM:00011A18 LDR R0, [SP,#0x40+resp_string] |
||
− | RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf |
||
− | RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR") |
||
− | RAM:00011A1E |
||
− | RAM:00011A1E exit ; CODE XREF: new_handler+64�j |
||
− | RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack |
||
− | RAM:00011A20 POP {R4-R7,PC} ; bye |
||
− | RAM:00011A20 ; End of function new_handler |
||
− | RAM:00011A20 |
||
− | RAM:00011A20 ; --------------------------------------------------------------------------- |
||
− | </pre> |
||
− | |||
− | ====Unlock task loop==== |
||
− | TBC... |
||
− | [[Category:Unlocking Methods]] |
Latest revision as of 08:28, 13 October 2015
Used as an injection vector for the first iPhone 3G unlock payload.
Credit
Exploit
There is a stack-based buffer overflow in the at+stkprof command that allows unsigned code execution on the iPhone 3G baseband.
Implementation
The iPhone Dev Team used this exploit in the first public iPhone 3G unlock called yellowsn0w. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.
The source code (for old version 0.9.1) is also available here [1]
New Implementation (yellowsn0w 0.9.8)
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.
at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf 9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8 905120000000001010101020202020611301000c000000";"\x10\x32\x0F\x27 \xBA\x43\x17\x1C\x0E\xA4\x0B\xA5\x01\x35\x21\x78\x78\x29\x0C\xD0 \xA8\x47\x0B\x01\x61\x78\xA8\x47\xC0\x46\xC0\x46\xC0\x46\xC0\x46 \xC9\x18\x11\x70\x02\x34\x01\x32\xEF\xE7\xC0\x46\xC0\x46\x01\x37 \x38\x47\x30\x30\x41\x29\x01\xDA09pG79pG024803A1013101601FBD0000 4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047 071CC56080204000A047802214495200144B041C9847099B0193442303930A23 013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1 0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420 641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674 65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B 281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B 13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000 5427234098591620BC792F4000FF0001010402040304040468D53E20xx"
Information on how this was used can be found here