AT+XEMN Heap Overflow

AT+XEMN is a command on baseband 05.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a software SIM unlock on the official 3.1(.2) firmware running 05.11.07.

Credit

 * Vulnerability: Oranav (July) and iH8sn0w (September) (discovered independently)
 * Exploit: geohot

Implementation
This exploit is used in blacksn0w.

Exception Dump
+XLOG: Exception Number: 1 Trap Class:    0xDDDD  (SW GENERATED TRAP) Identification: 140 (0x008C) Date: 22.10.2009 Time: 00:30 File: atform/text/_malloc.c Line: 1036 Logdata: 2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63  ..v.@.1datc:1.dc  20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20    D.. 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                    20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                     20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                     20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                     20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                     20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                     20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                     20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                     20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                     20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                     20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                     20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                     20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                     20 20 20 20 20 20 20 20

2009

 * Oranav discovers this crash and gives it to the iPhone Dev Team.
 * Upon initial investigation, The iPhone Dev Team, mistakenly concludes that the crash is non-exploitable.

2009

 * iH8sn0w discovered this command independently but kept it a secret for about a month.

2009

 * When the iPhone Dev Team stated that iH8sn0w did not have an unlock, he posted the command on Twitter.
 * Shortly after, Oranav posted his Hash from July.
 * MuscleNerd tells iHacker that the crash was received awhile ago and is thought to be non-exploitable.
 * Geohot attempts to exploit this crash, but intially also finds it to be non-exploitable.
 * Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow.
 * Geohot achieves arbitrary code execution and begins work on unlock which will be called blacksn0w.
 * Geohot posts a video of an unlocked 05.11.07 device.

2009

 * Geohot releases blacksn0w to the masses.