Talk:Ultrasn0w

From The iPhone Wiki
Revision as of 16:50, 3 January 2009 by Planetbeing (talk | contribs) (Payload vs injection vector)

Thinking about this, I know how I could've done the unlock. I'm so lazy. This might be what yellowsn0w does already; there's a little object code in your source, so I don't know :-)

1. Copy task_sim into memory.
2. Patch task_sim in the usual way (too bad I don't really understand the baseband at all).
3. Modify the Nucleus task struct to use the in-memory task_sim (although I don't know why there's no execute on the stack; normal RAM seems OK).
4. Reset the SIM card.

No real reversing required. I could've had this in July, dammit :-P

I also think this approach might solve some people's problems with it dying after 10 minutes.

~geohot

Payload vs injection vector

I edited the page in a way I felt was more accurate. Geohot deserves massive props for finding the vuln in 2.28, and maybe there should be a separate "iPhone 3G Unlock" page that notes that more prominently (noting the 2.2 unlock was dev team's payload with geohot's vuln), but yellowsn0w IS the payload and it doesn't make sense to give separate credits on this page for the injection vector.

I don't know much about how yellowsn0w works myself, but I understand it took a lot of careful reverse engineering of the Nucleus OS and baseband tasks in order to pull off, so the payload honestly doesn't take the backseat to the vuln in this case.

--Planetbeing 16:47, 3 January 2009 (UTC)

nx

Heh, I think it is a standard thing for ARM for the stack to be NX. BTW, of course there was reversing required; how else would you have found the injection hack itself? x)

About AT+STKPROF exploit

Is only 2.28 vulnerable to the AT+STKPROF exploit?

RE: About AT+STKPROF exploit

AFAIK all versions 1.45 through 2.28 are vulnerable, but the dev team only designed a payload for 2.28. Not 100% on that though.