Hello mate. I used a sdcard for this and followed the steps described here:
The firmware that I used is this one:
http://www.mediafire.com/file/jenswqit5vpvuvu/%25E4%25B8%25AD%25E6%2580%25A7BZ-TX3-20191130.img/file
I understand that you can burn directly the image using the Amlogic Burncard maker, but as long as I’m using Linux, the first option was more suitable for me.
Then, as I said, exactly as your are explaining, I am not even sure if the sdcard is being used, because in the two recoveries that I’ve made (and you are confirming me that you had same experience), even with the sdcard inserted the system was booted into the emmc and I could access to the old CE installation untouched. The I disabled Bl301 injection directly from the GUI (CoreELEC menu from the settings → Hardware). I don’t have an explanation for this behavior either.
Hope this helps. Please feel free to ask any other specific question that you may have.
PS: @Portisch funny thing about this crap box: I’ve discovered that IR wakeup and shutdown is working OOB, so no need to use Bl301 injection. I understand that this has already a modified u-boot for that purpose and the injection simply doesn’t work and it isn’t needed. LOL.