Any software that might have been adversely modified will not be given access to the unsealed keys. (http://www.ibm.com/developerworks/power/library/pa-cellsecurity/)
Controlling the HV is the first key to the enigma. Make a piece of software gain access to the root key (by faking it as authorized), then capture it while it is running through the mem. If it doesn't work, then spur some drops of water on the chip out-connector; it could lead to frying the chip, I know, but not before you can take some or all of the data from inside of it. By the way, you should connect some wires and all on the out-connector, and you must have dump hardware to take the data inside the isolated SPE.
Anyway, to take those keys out, you guys will need to use some brute force, because the only other ways to take them are with factory equipment or by creating some new gadgets (hardware that can interpret some new methods and translate them and/or dump them) and/or ways to circumvent this problem.
You should be learning "how to take out data from isolated CPUs" before going crazy and losing time trying to discover some softmods to do these tricks. Geohotz has some engineering knowledge and tools to have come this far, and it seems that he hit the great wall of Sony's security scheme. To go further, it's nothing that some soft hacks and knowledge can handle.
Why not try to hijack the communication between the isolated SPE and the memory process? Has anyone tried this yet? Because maybe it's the case that the isolated SPE can send some fragments or all of the keys to the mem, but the mem blocks the keys for them to not be so easily hijacked. Don't know, don't have time to study the PS3 specs. If nothing works, just try a way to fake the first authentication, but to capture the key, I think only by brute force (hardware).
The word ISOLATED doesn't exist for nothing.
All the data is there just waiting to be stolen, but not by the traditional ways like those shown by Geohotz. Keep that in mind.
My 2 cents.