Ok got it. Hadn't found this link to the jailbreak:
Now I see how the symlink is used to place the key. Ah - this package is signed. Was this obtained by someone physically hacking the device or from the person who had the test pack still installed?
This is all interesting stuff btw. Many thanks for this.
ps I like your shell scripting style. Very readable!