r.belmont: if the builtin rom just jumps to flash contents, it should be possible to trojan it out, though it may require desoldering or JTAGing the flash chip and reflashing it with the 'correct' image afterward.
It also might be possible to dump the internal rom over JTAG if it is available on the SOC with no flashing at all.


"When life gives you zombies... *CHA-CHIK!* ...you make zombie-ade!"