Well then I'm correcting you - it's not possible without kernel access, which is not desirable for the hackers in question as it would also allow ROM loading, which is something they're against.
More about ROP Programming for those interested can be found here. The tl;dr version of it is "the original binary asks for a set of privileges, the system gives the binary said privileges, then the hacked save comes into play, uses a bootloader to load entirely custom code which inherits the previously-assigned privileges" - with that definition in mind, the broader the exploited game is, the more you can do.