My HBOOT is untouched. I'd say the kernel's mtd drivers pretend to be erasing and writing when in reality they're not. When I do it to an image file (say on the SD card) instead of the device file, it gets patched exactly as I'd expect, but the mtd is not touched.
It's a kernel problem. The exploit is doing it all right, but the kernel is cheating us. So we'll need a custom kernel. Either true Linux (would be the best) or Android built from source with the "security" restrictions removed.
And no it can't be mtdutils problem as if mtdutils didn't erase but kernel did write, the phone would be dead now. Writing to NAND without erasing first leaves nothing but total garbage in the memory.
So now I'd say we're definitely stuck at a kernel level problem and that's where most of my skills end.