That's nice work, Martin - although I'm surprised you opted to remove the frame manually rather than write a Basic hack to process the image. I recently helped my wife with an animation for Chinese New Year. It's Flash 8, so not viewable on RISC OS, unfortunately, but here is a link: [link]
If I've got this straight, an attacker would have to find a specific bug in the device's programs:
- a null pointer under reproducible conditions
- before a STM, or better still, a looping store
- and where arbitrary data can be inserted
And then be able to force a reset or execute some other vector.
And for it to work the device mustn't:
allow writes to zero page, or use ROM directly (or flash-ROM which isn't directly writable), or put its vector table elsewhere.
I'd have thought finding other security bugs might be easier.