When the Nano S is started in bootloader mode, the secure element does not allow access to it, and it doesn't even boot. To push a transaction to the secure element they would have to start the Nano S in standard mode, which would require the MCU check, which they did not demonstrate being able to bypass.
Why don't you watch the video? They have code running on the MCU. They explain the super secure magic value that the firmware checks against.
They also explain the communication between the main processor and the secure element.
Again, Rashid did not follow Ledger's Bounty Program, which he himself admits, instead choosing to publicly publish his findings. You can't expect them to pay people who don't follow the requirements for payment.
Not out of choice but because that wouldn't have allowed him to go public with the exploit.