First, congratulations to RPS for his reverse engineering! This is indeed very good news and I'm very happy to hear that the hash algorithm was RE-ed!
Now I just have a few questions though: what does it mean exactly when you say that you modified the flash? What files can be modified? Which files need the ECC? I was under the impression that the files on the flash are not only checksummed but also encrypted and signed. I don't think you got the certificate, so even if you can provide a valid checksum, you still can't modify signed files...
Or is it that only ELF executables are signed, and there are other files that are not (libraries?), or is it that there is a 'core' application that is unsigned and that's the application that will check the signature, so it's not signed itself?
If it is, then isn't it encrypted? Wasn't there a chain of trust that would not allow you to modify the flash because the hypervisor/bootloader would check its signature/encryption?
I'm hoping that all the bootloader/hypervisor did was check the ECC, and that you can modify the kernel/WM, which is itself unsigned and does the signature checking. This way you can hack it to bypass the signature checking.
I would also like to know *how* you were able to figure out where the encryption keys were stored by modifying the flash.
Anyways, thanks for your efforts, and I'm glad we're seeing some advancement from the dev scene! Keep it up!