I know these ideas are probably full of holes, and sorry for not posting in Speculation, but as I've felt for a while, most people in the know don't read that crap!
What is preventing us from replacing (on 1.5, for ex., with a custom program after the PSP boots) the lib/prx functions that write out new blocks to the flash region that store the firmware with functions that will write to a specific location on the memory card? We would essentially be replacing something outside of the firmware update, which would not invalidate an update's digital signature. The theory is analagous to the way in which things like HD Loader map standard CD-Rom read calls to something else (a PS2 hard disk), except we would be redirecting write functions to some portion of a memory card.
At this point, could we possibly do the same type of replacement for code that shuts down the PSP (I think it does a software shutdown after firmware update, no?) and instead of having it truly reboot (which would cause it to load the old firmware in the traditional way mandated by the hardware), have it run some copied/modified firmware loading code? I'm not sure about the details of how the firmware loads -- like how much of the process is governed by software, and how much is governed by hardware. If a large portion of it is governed by software, could we possibly modify it so that it would attempt to load the firmware from the location we put it on the memory card (without ever truly rebooting or writing to flash), or have it all mapped from the memory card so that standard firmware functions look there instead.
Here's an idea I just had which is also prob. flawed (we are getting desperate, hehe, so stomach it) -- if we prevent that software shutdown after firmware update, none of the new, secure, firmware is loaded at that point -- couldn't we patch it inside of the flash at this point? Like patch it so that it allows allows valid eboots to run (regardless of their sig.). This idea must have been thought of before but I haven't seen it before, so I'm saying it. Obviously since we don't know the layout of the newest update(s) yet we could not go modifying things in flash. But we do know the structure of many of the newer versions don't we? Well at this point we would most certainly be burned after rebooting because the firmware block would be detected as corrupt (it is itself signed I can only assume). However, I am not sure about the details of this. Is the entire firmware block signed? Maybe only part of it is signed, so that it can be validated/loaded/booted faster (if this were the case, we might be able to make small changes here and there). I really don't know, but would like to know more about this stuff.
I realize these ideas are prob. flawed, but instead of general flames, it would be nice to learn more about the way in which firmware loads, so if anyone has links to such info. or insightful comments, please share. I am itching to play some of the new games (mostly the Street Fighter Alpha game), but don't want to upgrade as I feel it's my right to continue writing custom code for my PSP. Consider this just a brainstorming session (sounds like Speculation :icon_razz ).