Nice work, thanks! You should be bored more often
There was an interesting vulnerability found a few years ago, which allowed you to get root access:
Brilliantly simple, IIRC the bug was fixed in v7.x.x though, works on earlier releases.
Interesting files to look at are:
The "sdb" command allows you to view/modify the database, example:
~]$ sdb -r cfg.hostname
Much of the hardware information is gathered and pushed into the database on the first boot after a factory reset or when a license check is initiated from the GUI.
Root access is achieved in the field using the tac-login debug command, which uses a challenge/response method.
I have plenty of Palo hardware in the lab to play with, the 3000 series use some dedicated hardware with an off the shelf COMExpress format Intel SBC (single board computer). I added a VGA port to mine, there is also a hidden Ethernet interface and other ports direct to the SBC which i keep meaning to look into. I dumped the BIOS ROM, however from memory i think the BIOS is slightly customised for Palo by Portwell. I have limited Linux knowledge though, perhaps it's worth looking into the boot process with reference to your GRUB hack, i'll have to read up on how GRUB works! On the real tin the BIOS boots into onboard flash from which you set some environment variables from which to boot (partition etc) I have some notes somewhere.
200 uses a Cavium SoC with 2.5" SATA SSD, hidden PCI-E connector is worth a mention.
220 uses a SoC with no external disk, just one chip that does the lot. Very slow boxes to commit, slower than an old PA-500.
500 & 2000 use Cavium Octeon processors, 2000 is dreadfully slow but 500 is still quite good for the lab and runs 8.1.x
3000 is the best to play with as it has a standard CPU, anything else is too expensive!