Dude first you post that you think it's a kind of cex2dex then you say:
Where do you think that the "secret" is hidden?
So what ? If you know it how could you think that it is a kind of cex2dex ?
Then do you ever have started a PS3 DEX in Debug Mode ? Cause then you would understand that it never can be a debug mode that tb let the fw boot. In debug mode you have NO XMB. And of wich signing you talking about ?
The self's or fself's are not signed with something they are encrypted and hashed. And a fself don't contain any encryption or hash.
What tb hase done is simply a hybried. The use a debug flag in header 0800 and have encrypted the elf segments with there own key.
The hell which exploit your talking about ? The use a additional check in kernel which look up for the dongle and if the stick is detected they apply patches on the fly but that's for sure no exploit or something like that.
By the way you don't need a debug mode to run a fself on a retail machine.
No offence don't take that personally mate.