> Further, though the article seems carefully written enough to avoid the misconception, the basebands on modern phones don't get direct access to AP memory, but are instead connected over a high-speed serial connection with a limited command set.

That's good to know; for some reason I had an idea that it was all done via DMA.

Any idea about how exploitable that command set is?

Have a look around for one oldish implementation in Linux kernel: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.... . If you're more interested in exploiting something on the baseband side, that source code is more difficult to come by and supposedly protects quite well from unexpected traffic from AP side.