Hey. Since we can use a server mapper, ie for connecting to retail-servers from sp-int-accs etc
How about mapping a gameupdate to a local-network Computer. In this case we could sign a Modified-Game-Update [with an exploit included] with newer keys and a OFW-console would install it, and even run it, if the exploit is in the eboot.
So the last thing would be to use ORIGINAL sys-calls in our modified-eboot to gain access.