Hey David,
Well done with your hacking! Sounds like you're making great progress.
My $0.02:
The next stage is to figure out how to reflash the firmware, so I can upload a custom image. ... Oh, yeah, I pblq will now write data into the E2's SDRAM. Speed: 11000 Bps, which is a slight improvement to the download speed...
It sounds like this might be more of a convenient avenue: downloading/uploading things from flash can be slow as you say... I think having a route to getting a tiny loader of our own into DRAM via serial would make the flashing things much easier - e.g. if we can download a tiny routine via the slow route (PBL) we can use that to download stuff into DRAM (or reflash NAND) much quicker since it's in our control.
It's possible that getting PBL to execute something that it hasn't loaded from NAND (e.g. stuff we've poked into RAM) is completely impossible. But surely it must have an overflow somewhere.. maybe even a function to do so.. ;)
Also something that might be worth further investigation is the inbuilt recovery procedure; I've seen some code that checks the loaded DRAM image (from flash) with the magic numbers in the header, and tootles about picking 0800 numbers... Possible that if the header isn't tip-top it decides it's corrupt and will only try to dial the 1-800-FLASHME number. Maybe something to be careful of </paranoia>
Cheers,
Matt