So....

BOOT0 is the pin to flip if you want to get into UART boot mode. It is indeed traced out to DIP Switch 8. However, this boot mode is the same for SPI EEPROM mode. If it is HIGH, then it will look for the UART and then the SPI EEPROM. If it is LOW, then it will load from the main flash memory.

The boot flow is to first check the UART for 2048 characters. If it receives 2048 characters, then it loads that into a buffer and executes.

If it does not receive anything from the UART, then it checks for SPI EEPROM with "CRUS" or "SURC" at the front of the EEPROM. If this header is present, then it continues to load 2048 bytes into a buffer and executes that code. That code could then load the rest of the contents of the EEPROM.

The board does have the EEPROM installed, so it is possible that there is some custom boot code in there that runs when the DIPSW 8 is flipped.

So there are two ways to bootstrap the SoC.

I have also confirmed that the data bus width is set for 16 bit, so the the flash and RAM are 16MB.

Since I am looking for the least intrusive attack vector (and un/soldering that 56 pin TSOP is not on my fun list) my next move, I think will be to dump the contents of the EEPROM and see if it is boot code.

My target, of course, is to dump the flash memory. I'm going to poke around a bit to see if I can find some already spun code to save me some time and hassle.