The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "AT+XEMN Heap Overflow"
m (→Credit) |
m (→Credit) |
||
Line 2: | Line 2: | ||
== Credit == |
== Credit == |
||
− | '''Vulnerability''': [[User:Oranav]] (July) and ih8sn0w (September) (discovered independently) |
+ | '''Vulnerability''': [[User:Oranav|Oranav]] (July) and ih8sn0w (September) (discovered independently) |
− | '''Exploit''': [[User:geohot]] |
+ | '''Exploit''': [[User:geohot|geohot]] |
== Implementation == |
== Implementation == |
Revision as of 16:33, 31 October 2009
AT+XEMN is a command on baseband 5.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a coveted Software SIM Unlock on the official 3.1(.2) firmware running 5.11.07
Contents
Credit
Vulnerability: Oranav (July) and ih8sn0w (September) (discovered independently)
Exploit: geohot
Implementation
This exploit is used in blacksn0w.
Exception Dump
+XLOG: Exception Number: 1 Trap Class: 0xDDDD (SW GENERATED TRAP) Identification: 140 (0x008C) Date: 22.10.2009 Time: 00:30 File: atform/text/_malloc.c Line: 1036 Logdata: 2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63 ..v.@.1datc:1.dc 20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20 D.. 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Timeline
July 2009
- Oranav discovers this crash.
- Shortly after discovered, The iPhone Dev Team, confirms that the crash is non-exploitable.
September 2009
- iH8sn0w discovered this command independently but kept it a secret for about a month. [1]
October 2009
- When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter. [2]
- Shortly after, Oranav posted his Hash from July. [3]
- MuscleNerd tells iHacker that the crash was received awhile ago and was non-exploitable. [4][5]
- Geohot attempts to exploit this crash, but later finds out as well that it is non-exploitable. [6]
- The hunt for another exploit continues as New 3G/3G[S] users join or if 3G/3G[S] users upgrade to Official Apple Firmware.
- Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [7]
- Geohot has achieved arbitrary code execution and has begun working on unlock which will be called blacksn0w. [8]
- Geohot posts a video of an unlocked 05.11.07 device. [9]