I think I have a basic grasp of what such an exploit would need, after numerous read-throughs of the Medium article.
First step would be to determine the address
receives the parameters from - specifically, the
parameter. This will most likely be different on every firmware and every different model, though the article makes me think that it's pretty constant - otherwise the attacker would need to know the exact device and firmware of the target.
Second step is to create the tool that takes the memory address in question, alongside a shell script, and generates a JPEG XR image that uses the exploit detailed to write the script (after a bit of formatting, since according to the article, there's a number of checks this script needs to pass) to the memory address.
Once the image can be generated, it can be easily hosted on e.g. GitHub. The script doesn't need to be much, all it needs to do is remount the system as RW, and inject the jailbreak certificate. Then the previously established jailbreak methods can be executed, without requiring the factory firmware (I think). However even if my logic in this part is wrong... The script has root access. It can literally do anything, including, say, downloading a script from GitHub and executing that, which in turn would download the latest jailbreak toolkit and execute it, bypassing the system updater, etc., that was used previously.
Unfortunately I'm a real dummy when it comes to memory management. I've never really liked C due to its manual memory management, and have always used managed languages like Java, C#, or JavaScript. I have no idea how to determine the memory address for
or how to encode the image for the exploit. There are people with a much larger skill set - like NiLuJe - whose attempt would be more fruitful. I just hope that someone's working on it, and if they are, I have a PW3 WiFi model running 5.12.x that could be used for testing purposes.