FireWire had a backdoor into memory. FireWire isn't a "bus", it's a local area network. Mostly you send packets around. IP over Firewire was a thing. But there are also built-in packets to read and write memory, one word at a time. That's how commands are sent. This probably made sense to people who thought in terms of device registers, rather than a command with parameters.

There's a register in most Firewire controllers where you can set the address bounds for which that function is available. I once noted that the hard-coded default values for Linux were 0 .. 2^32-1, that is, the first 4GB. I reported this as a security bug and was told it was needed for the kernel debugger.

Sigh.