Retr0id 4 hours ago

Answers to some of the questions at the end, from future me:

- It also works on LPDDR5 and LPDDR4.
- Yes, it works on ARM platforms (at least, the ones I tried).
- The simplest way to trigger similar faults electronically is via a high-speed mux IC, as described in https://stefan-gloor.ch/ddr5 (ChipShouter also works, but is less elegant imho!)
- Yes, you can get WebKit addrof/fakeobj primitives like this, although I didn't write an end-to-end exploit.
- You can pwn the Nintendo Switch kernel with an adjusted exploit strategy, but the same adjusted strategy does not work on Switch 2, due to memory encryption (one bitflip corrupts a whole cache line). But other strategies may be possible? (Notably, it is possible to block a whole write operation from happening at all - see also https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was... )
Retr0id 3 hours ago

I also spent a long time trying to do the glitching with a MOSFET, but never got it to work. I couldn't get enough drive strength to actually glitch anything without messing with the delicate capacitance and impedance tolerances of the bus.