Used as an injection vector for the first iPhone 3G unlock payload.
Credit[edit]
Exploit[edit]
There is a stack-based buffer overflow in the at+stkprof command that allows unsigned code execution on the iPhone 3G baseband.
Implementation[edit]
The iPhone Dev Team used this exploit in the first public iPhone 3G unlock called yellowsn0w. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.
The source code (for old version 0.9.1) is also available here [1] [Archived 2011-11-21 at the Wayback Machine]
New Implementation (yellowsn0w 0.9.8)[edit]
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.
at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf 9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8 905120000000001010101020202020611301000c000000";"\x10\x32\x0F\x27 \xBA\x43\x17\x1C\x0E\xA4\x0B\xA5\x01\x35\x21\x78\x78\x29\x0C\xD0 \xA8\x47\x0B\x01\x61\x78\xA8\x47\xC0\x46\xC0\x46\xC0\x46\xC0\x46 \xC9\x18\x11\x70\x02\x34\x01\x32\xEF\xE7\xC0\x46\xC0\x46\x01\x37 \x38\x47\x30\x30\x41\x29\x01\xDA09pG79pG024803A1013101601FBD0000 4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047 071CC56080204000A047802214495200144B041C9847099B0193442303930A23 013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1 0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420 641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674 65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B 281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B 13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000 5427234098591620BC792F4000FF0001010402040304040468D53E20xx"
Information on how this was used can be found here
