Comment by seba_dos1

1 month ago

"Have control".

These commands let you do what a ROM bootloader does as well. They just do so over an unexpected vector (HCI interface), which could be a problem if you exposed it outside while not exposing the bootloader.

Are you actually trying to come up with a plausible case, or are you just guessing without knowing what this "backdoor" is about?

Just for the record, the researchers themselves described these commands in their talk's abstract in this way:

> The tools will be complemented by the use of undocumented manufacturer commands on ESP32 devices that allow to increase the versatility of these devices when implementing attacks or conducting audits.

Source: https://reg.rootedcon.com/cfp/schedule/talk/5

The same could have been achieved by implementing an open-source replacement for the blob, by the way (just like it's already happening with ESP32's Wi-Fi peripheral: https://esp32-open-mac.be/).