Unfortunately, I don't have one myself, but I thought of a way that MAY be able to be used to update the Apple TV. It may be possible to redirect the DNS servers to your own, and then forward a 'software update' request to a computer on your local network. If Apple put some sort of hash check in(probably, but there's a chance they didn't), then this wouldn't work without Apple's private key(which they would NEVER give out). Can someone with a hacked Apple TV disassemble the Finder.app exexutable(from the Apple TV) with IDA or a similar debugger and see if it does do a hash check? If not, this may be a foolproof way to gain access to the Apple TV.

It's only my guess... since the automatic software update of Mac OS X, Apple has always had MD5 check. Even the iPod updater had online MD5 comparison for some time.