"Browser foothold: we already had code execution inside the browser application's own security context on the TV, which meant the task was not "get code execution somehow" but "turn browser-app code execution into root.""

Finding the initial foothold is the hardest part. Codex didn't have anything to do with it.