When attacker penetrates Turris in general if you want to be sure then there is no other way then to wipe all internal storages.
To check if your system is not potentially penetrated you can verify checksums of files provided by packages against packages on our server (at the moment there is no tool for it but it is planned but no promises). On top of that you want to check what applications are running and what is automatically started (
Both Omnia and MOX have on top of basic system storage also on board mmc with u-boot (bootloader) and recovery system. If Turris is attacked directly then that can be place where malware can preserve it self between factory resets. That memory is also directly accessible from running system. That is disadvantage and advantage at the same time. Disadvantage is that it can be attacked directly but advantage is that such attack can be detected and both u-boot and recovery system updated/reflashed. Although at the moment we don’t have any documentation on how to do so.
Both MOX and Omnia have also flash for storing switch configuration. Those are not used at the moment and system is not reading nor using them. But it’s potentially possible to write to them from CPU.
Although you have asked for MOX I will also note that there is secondary microcontroller on Turris Omnia that has internal storage. Although improbable it is flash memory that can be attacked too but it can’t be programmed from CPU it self.
Considering TrustZone. Yes it is not used in Turris OS but you are probably thinking that it is something like Intel ME and it is not. It is more like additional CPU mode. It divides memory and other CPU resources to trusted and untrusted. By design boot and OS have to run in trusted mode. For example in case of memory CPU it self limits access from untrusted mode to memory sections marked as trusted. If TrustZone is not used then everything is run as trusted. It is not additional privileged mode that undetected virus could be running in. So no ARM TrustZone is not creating some privileged level that is not accessible by kernel. Instead it creates level that can be used to separate trusted and untrusted applications while kernel it self has to be trusted.
Yes there are fuses but according to my knowledge there is no way to change them without JTAG (the same is for verification). There is additional storage in CPU that can be used to store keys. That is just for storing keys and I doubt that someone will store malware there specially when there is no way how to run it and most of that memory is write only (it is a key store after all).
You can access mmc on both MOX and Omnia externally but only trough test points and that is probably not something you can consider as a access (of course you can use programming clip directly on chip). And also using JTAG if you know what you are doing as it’s accessible from CPU.
Our target is to ensure that there is no breach at all but if it happens then there are ways to wipe router clean. Factory reset is enough for malware not targeting embedded devices, full reflash is desirable for some malware that is aware of embedded hardware. That is possible with Turris although at the moment not documented. As last I want to state that we don’t know about any recorded breach on our routers that would be embedded aware.