An attacker with physical access to the device can overwrite a function pointer somewhere in the BootROM data section or a return address stored on the stack and execute their own code with BootROM privileges.

For detailed information, read the article by NCC Group.

工具下载：Releases

使用方法：Wiki

Download: Releases

Usage: Wiki