Really cool challenge and well-written writeup! I did work on something similar for NorthSec two years ago. Unknown instruction set, but in my case I let a way load and run arbitrary ROM on a remote service. Creating the challenge was fun, but looking at participants work and solve it was even better.
Shameless plug: It’s now hosted by a friend at https://ringzer0ctf.com/challenges under the “The NC8 Reverse Engineering Track” category.