Ok, so I haven’t updated on this in a while and figured I should. The exploit I was going after apparently didn’t exist; I missed the check, which rendered that attack useless. The next attack is the fastboot vector mentioned elsewhere on the web in the last several days. However, so far I don’t see where he got his data from about that being exploitable. I can’t find source code to anything but the client/PC-side app, and that obviously can’t tell us what the phone side does. Provided he’s right, we’d need to modify the PC app to send more than the safe limit and figure out where our code dumps to and how many bytes we have to work with.
There is also the potential to brute-force the RSA signing key with a distributed attack via BOINC. I haven’t looked too far into what key size they used, but if it’s within reason, that could be a good solution as well.