Well, the bootloader is locked, so this might never happen.
Sorry to repeat myself, but with this kexec couldn't we boot a custom kernel without having to completely reboot the device, so without the bootloader checking the signatures? Because we can write over /system and we know that the bootloader doesn't check that, isn't a custom ROM just a kernel and a /system? Or does each ROM need a boot.img to boot, which can only be launched by the bootloader (so kexec would be useless without an unlocked bootloader)?
Trying to learn new stuff here!