I've figured out how to get PBL to program the NAND flash, and have added the appropriate stuff to pblq to make it all work... it's request 0E, of course, except it behaves rather oddly until you realise that it only works on 8kB chunks.
Unfortunately, it will only *program* the flash, not *erase* it. Which means that it can change a 1 to a 0, but not back to a 1 again... and since my test file consisted of about 70kB of zeros, this means that at least part of my flash is empty.
(Interestingly, the Amstrad firmware still boots --- except without the splash screen. Obviously, that first chunk simply contains the splash screen code, and chains on to the next chunk, which must take some time to decompress. Now I've overwritten the magic in the first chunk, PBL is skipping on ahead.)
So if anyone can figure out how to make PBL erase a flash sector, all the tools we need will be in place to actually run stuff!
Incidentally, would it be worth setting up a wiki or hieraki or something for the project?