To my understanding, they inject some sort of electrical signal with nanosecond-precise timing, which somehow allows unsigned code to be run at a TrustZone level. There has to be a more detailed explanation than this. The bootrom bug on Erista Switches had a very detailed technical document published about the buffer overflow and how to exploit it.