by withinboredom 1302 days ago
The easiest thing would be to buy some flash, desolder the existing flash and install their own flash. Certs won’t matter then.
3 comments

If some form of secure boot is used, then replacing the flash won't work either. There is one-time writable storage inside the SoC itself that is used for verification. You won't be able to get it back into a state where it accepts non-signed firmware without also replacing the SoC.

Ah, I didn't know that. That's actually pretty neat.

You're assuming that flash storage is the only thing to be concerned about in a secure boot scenario.

Assuming that the platform is even secure boot capable, you'd blow a fuse or similar at the factory to put it into production mode.

However even then, secure boot isn't infallible. Either they're implemented shoddily, or you end up power glitching past verification.

(I've seen a certain vendor whose name starts with Qualco... fail because they didn't remember that u-boot was... configurable.)

Firmware signature verification is almost done in mask ROM exactly to prevent this.