I think its a bit different...Also, if a game contains a file such as an EBOOT.BIN that's signed for a specific Firmware (4.21 for example) then it won't work on a newer Firmware (4.80 for example) because the keys used to sign it were keys from 4.21 and 4.80 uses different keys.
There are 2 types of "keys": one for ENcrypting (signing) [privat] and one for DEcrypting (running) [public]
- An unmodified official sony EBOOT.BIN signed for 4.21 will ofc run on 4.80 OFW.
- We can only sign with 3.55-Keys (EBOOT.BINs/SELFS/etc.)
- On OFW3.56 and up, the 3.55-Keys are blacklisted resulting in a 80010017
- On every CFW there is no blacklist, so we can run 3.55 singed files AND all official sony signed files up to the CFW you got:
So on CFW 4.21 you can run all files singed with official keys (3.56-4.21) and even the blacklisted 3.55 ones but not official files greater than 4.21 (4.25-4.81)
So what we need would be the 3.56+ private signing keys (at best the 4.81 ones ).
But before one would bruteforce that, one would better bruteforce the PUP signing keys
Also there are different kinds for different contents: like NPDRM etc. but we are not ps3devwiki here^^