An attacker with physical access to the device can overwrite either a function pointer somewhere in the BootROM data section or a return address stored on the stack, and then execute their own code with BootROM privileges.
For detailed information, read the article by NCC Group.
Download: Releases
Usage: Wiki