Send a payload that temporarily patches a security fuse (until the next power-off). Uses the original nvflash to read the BCT from the device.
BootConfigTable for the Surface. This defines the SDRAM configuration as well as the bootloader location. Described here (with compiler / decompiler): https://github.com/NVIDIA/cbootimage-configs
Send and launch the fusee exploit binary over USB, using a Python script.
Send and launch a custom bootloader binary over USB, using a modified NvFlash to bypass security checks.
(Experimental) Load a bootloader binary and execute it at a specific memory address by adding --setentry 0x80808000 0x80808000 before --bl. 0x80808000, for example, is the memory address for the factory UEFI SPI-Flash bootloader. The factory bootloader binary is obtained by using the decryption script with the relevant SBK and a dump of the SPI-Flash memory.