I know the format for the new update files now.
0x4 bytes update type: SP01 means signature file
0x4 bytes certificate number: 0 = pubdevkey01.pem, 1 = pubprodkey01.pem, 2 = pubprodkey02.pem (first one does not exist, second two are same as older kindles)
0x38 byte unknown: I think this is random/garbage data. Someone test this by taking a 4.0 kindle. Downloading the 4.0.1 update, and changing the 0x38 bytes of data from offset 0x8 to 0x40 to 00 or random digits. I need to know for sure so we can ignore this space
0x100 / 0x80 byte signature depending on the size of the certificate as noted by the certificate number.
This is used to validate the second part of the file (below). If validation is passed, the next part is extracted and run.
0x4 byte update type: FC04 means signed update
... same as older updates
The new Kindle updater script also has more information on the usage of various fields of the headers and I'll be writing an updated "kindle_update_tool.py" sometime in the future.
Also, I'll be gone for the next few days or maybe a week or so, so sorry.