The person who brought the tags has a lot of them, more than the 3 they donated to Zeus. If we replace the firmware, we have to do this for every device, which would be a lot of manual work (opening case, adding probes, flashing firmware, ...). This is even more work per device if you have to desolder the uC from the PCB and solder something else to it.
Reverse engineering the communication protocol is a lot of work, but only once. After that, you can talk to stock devices, without having to modify their hardware or software.
I also didn't find any datasheets for the e-ink display or how to control it, so here also the stock firmware can come in useful.
Aside from practical concerns, I won't lie, I also took this path because it's fun to do and I could practice hardware hacking.
Makes sense. I got more interested after finishing reading your whole post and went looking at the manufacturer's website... it would be too easy for them to just provide their software direct for people to download, huh? It looks like a total software-hardware-cloud service lock in... I can't seem to tell but it seems like all tags might have to call back to their cloud to get their displayed info that is managed by their "VUSION Manager". Talk about a nightmare.
They note it's end to end encrypted, and if they call home to their cloud and not to local area managed software, I bet they are calling a preset list of IP's to auth and DL data. You'd have to both spoof their IP and sign the data with their key somehow.
Reverse engineering the communication protocol is a lot of work, but only once. After that, you can talk to stock devices, without having to modify their hardware or software.
I also didn't find any datasheets for the e-ink display or how to control it, so here also the stock firmware can come in useful.
Aside from practical concerns, I won't lie, I also took this path because it's fun to do and I could practice hardware hacking.