AT+stkprof

From The Apple Wiki

Used as an injection vector for the first iPhone 3G unlock payload.

Credit[edit]

geohot

Exploit[edit]

There is a stack-based buffer overflow in the at+stkprof command that allows unsigned code execution on the iPhone 3G baseband.

Implementation[edit]

The iPhone Dev Team used this exploit in the first public iPhone 3G unlock called yellowsn0w. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.

The source code (for old version 0.9.1) is also available here [1] [Archived 2011-11-21 at the Wayback Machine]

New Implementation (yellowsn0w 0.9.8)[edit]

In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.

at+stkprof=1,"064a541c044b1878222803d0107001320133f8e720470000bf
9f154000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8
905120000000001010101020202020611301000c000000";"\x10\x32\x0F\x27
\xBA\x43\x17\x1C\x0E\xA4\x0B\xA5\x01\x35\x21\x78\x78\x29\x0C\xD0
\xA8\x47\x0B\x01\x61\x78\xA8\x47\xC0\x46\xC0\x46\xC0\x46\xC0\x46
\xC9\x18\x11\x70\x02\x34\x01\x32\xEF\xE7\xC0\x46\xC0\x46\x01\x37
\x38\x47\x30\x30\x41\x29\x01\xDA09pG79pG024803A1013101601FBD0000
4C711140F0B51C4B80268BB03601188008911A4C301CA047002509909820A047
071CC56080204000A047802214495200144B041C9847099B0193442303930A23
013405930C23221C06930F49009502960495381C00230D4CA047021C002804D1
0B4908980B4B984703E00B490898094B98470BB0F0BD000044B33B40AC201420
641A0100A0583C20481A010040B53F20541A010000DD4620581A010064657674
65616D31000000004F4B21004552524F522025640000000030B5114D85B0114B
281C6946FF229847009B0D2B11D101990D4B0A681A6004334A681A608A680B4B
13600B4B53600B4B93600123CB6020230093281C6946FF22074B9847DFE70000
5427234098591620BC792F4000FF0001010402040304040468D53E20xx"

Information on how this was used can be found here