The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "AT+XEMN Heap Overflow"
m |
|||
(9 intermediate revisions by 6 users not shown) | |||
Line 1: | Line 1: | ||
− | AT+XEMN is a command on baseband |
+ | AT+XEMN is a command on baseband [[05.11.07]] (pushed out with the 3.1 release), which when exploited correctly, causes a [[wikipedia:heap overflow|heap overflow]] allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an [[unlock|unlocking]] payload to provide a software SIM unlock on the official 3.1(.2) firmware running [[05.11.07]]. |
== Credit == |
== Credit == |
||
− | * '''Vulnerability''': [[User:Oranav|Oranav]] (July) and |
+ | * '''Vulnerability''': [[User:Oranav|Oranav]] (July) and [[User:iH8sn0w|iH8sn0w]] (September) (discovered independently) |
* '''Exploit''': [[User:geohot|geohot]] |
* '''Exploit''': [[User:geohot|geohot]] |
||
Line 35: | Line 35: | ||
== Timeline == |
== Timeline == |
||
− | === |
+ | === {{date|2009|07}} === |
− | *[[User:Oranav|Oranav]] discovers this crash and gives |
+ | *[[User:Oranav|Oranav]] discovers this crash and gives it to the [[iPhone Dev Team]]. |
*Upon initial investigation, The [[iPhone Dev Team]], mistakenly concludes that the crash is non-exploitable. |
*Upon initial investigation, The [[iPhone Dev Team]], mistakenly concludes that the crash is non-exploitable. |
||
− | === |
+ | === {{date|2009|09}} === |
− | *iH8sn0w discovered this command independently but kept it a secret for about a month. [ |
+ | *[[User:iH8sn0w|iH8sn0w]] discovered this command independently but kept it a secret for about a month. [https://twitter.com/iH8sn0w/status/4353547726 ] |
− | === |
+ | === {{date|2009|10}} === |
− | *When the Dev |
+ | *When the [[iPhone Dev Team]] stated that [[User:iH8sn0w|iH8sn0w]] did not have an [[unlock]], he posted the command on Twitter. [https://twitter.com/iH8sn0w/status/4954333558] |
− | *Shortly after, Oranav posted his Hash from July. [http://pastebin.ca/1485104] |
+ | *Shortly after, [[User:Oranav|Oranav]] posted his Hash from July. [http://pastebin.ca/1485104] |
− | *MuscleNerd tells iHacker that the crash was received awhile ago and is thought to be non-exploitable. [ |
+ | *[[User:MuscleNerd|MuscleNerd]] tells [[iHacker]] that the crash was received awhile ago and is thought to be non-exploitable. [https://twitter.com/MuscleNerd/status/4978871033][https://twitter.com/iHacker/status/4978821448] |
− | *[[User:Geohot|Geohot]] attempts to exploit this crash, but intially also finds it to be non-exploitable. [ |
+ | *[[User:Geohot|Geohot]] attempts to exploit this crash, but intially also finds it to be non-exploitable. [https://twitter.com/geohot/status/4979506974] |
− | *Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [ |
+ | *[[User:Geohot|Geohot]] does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [https://twitter.com/geohot/status/5196861045] |
− | *Geohot achieves arbitrary code execution and begins work on unlock which will be called blacksn0w. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html] |
+ | *[[User:Geohot|Geohot]] achieves arbitrary code execution and begins work on unlock which will be called [[blacksn0w]]. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html] |
− | *Geohot posts a video of an |
+ | *[[User:Geohot|Geohot]] posts a video of an [[unlock]]ed [[05.11.07]] device. [http://www.youtube.com/watch?v=g23e9e9zOVI] |
− | === |
+ | === {{date|2009|11}} === |
*Geohot releases [[blacksn0w]] to the masses. |
*Geohot releases [[blacksn0w]] to the masses. |
||
Latest revision as of 13:35, 17 September 2021
AT+XEMN is a command on baseband 05.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a software SIM unlock on the official 3.1(.2) firmware running 05.11.07.
Contents
Credit
Implementation
This exploit is used in blacksn0w.
Exception Dump
+XLOG: Exception Number: 1 Trap Class: 0xDDDD (SW GENERATED TRAP) Identification: 140 (0x008C) Date: 22.10.2009 Time: 00:30 File: atform/text/_malloc.c Line: 1036 Logdata: 2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63 ..v.@.1datc:1.dc 20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20 D.. 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Timeline
July 2009
- Oranav discovers this crash and gives it to the iPhone Dev Team.
- Upon initial investigation, The iPhone Dev Team, mistakenly concludes that the crash is non-exploitable.
September 2009
October 2009
- When the iPhone Dev Team stated that iH8sn0w did not have an unlock, he posted the command on Twitter. [2]
- Shortly after, Oranav posted his Hash from July. [3]
- MuscleNerd tells iHacker that the crash was received awhile ago and is thought to be non-exploitable. [4][5]
- Geohot attempts to exploit this crash, but intially also finds it to be non-exploitable. [6]
- Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [7]
- Geohot achieves arbitrary code execution and begins work on unlock which will be called blacksn0w. [8]
- Geohot posts a video of an unlocked 05.11.07 device. [9]
November 2009
- Geohot releases blacksn0w to the masses.