Your insight was how to combine existing exploits to accomplish this task, plus the trick with AES-ECB. =^-^=
For others reading this reply, dark_samus's quip about "which actually happened a while ago" needs more context:
With this new exploit, whenever Nintendo released a new NATIVE_FIRM version--which isn't every update--he figuratively got to roll three dice 31 times. If they ever came up 666, he could do the exploit. Otherwise, he had to wait for another NATIVE_FIRM release to get 31 more chances.
With the release of 11.1.0's new NATIVE_FIRM, dark_samus rolled the dice 31 more times, but none came up 666. But then he reviewed his previous dice rolls.
dark_samus noticed that with the NATIVE_FIRM from firmware 10.0.0, one of his dice rolls he wrote down as being a near-miss of 665. Also, he noticed from his "picture" of the dice roll, the 5 was sitting slightly on its edge, jammed into a corner on his desk.
I took a look at his "picture" of the near-miss and noticed that the third die wasn't a 5; it was actually a 6. He had rolled 666 back in 10.0.0 but due to the borderline nature of the result, he had thought he didn't. Thus now OTP-less is possible.
The above description with dice is very figurative, since the true answer is a lot more complicated, involving such loveliness as ARM CPU condition flags and invalid opcodes.