The TSEC Secure ROM does not verify the ACL for the input $c7 register. With the use of additional exploits and careful analysis of the TSEC MMIO registers during Heavy Secure program authentication, an attacker can guess which csecret values are used for the authentication algorithm and for Heavy Secure program decryption. This tells the attacker how to arbitrarily choose the "signature key" used in the authentication algorithm: by AES-128 decrypting the wanted key with csecret 0x01. Effectively, this allows the attacker to sign and execute any Heavy Secure code.
https://hackerone.com/reports/924418