**zelch**

And so I've been digging into this, and it turns out that this is really quite similar to how the Gen 7 Archos 5 IT is locked.

The signature there is a RSA + MD5 signature, which is really the worst case as that means a 2048 bit RSA key, so we're kinda screwed there.

... has a good description of the situation on the 5IT. Getting a flash_unlock binary should be fairly trivial, so perhaps we can tamper with the key store to add additional keys.