Old 06-28-2014, 10:41 AM   #34
rupor
Yokowa, how good are you with hardware?

I have an idea which, if realized, should allow for an inexpensive (relatively) hardware-dependent way of jailbreaking any Sony reader with an SD slot that does not require physically opening the device.

It is based on an understanding of the script Sony uses to verify the signature of the update package: if I am not mistaken, internally the Sony script (sh or bash, it does not matter here) verifies the signature of the provided package (using the openssl executable) and, if it is OK, mounts it, eventually running the update script from inside the mounted file. The update file is named update.img and the signature should be update.sig. If you were able to make sure that the update.img used for the signature check is the original one from Sony but the mounted update.img is yours, you would be able to run the jailbreak the same way we did on T2 devices with firmware that had the open hole.

For that it should be possible to use SD card emulation (simple SPI mode should do fine). Such a device plugged into the reader's SD slot (as an SD card) would internally count block reads and, after signature verification is done (the last block of the original Sony file has been read?), would start providing the content of your update.img with the jailbreak, allowing it to be installed.

I believe a similar hack has been used before on various devices using simple MCU-based boards (Teensy, Arduino, Freescale Freedom or Texas Instruments Launchpad) capable of implementing SPI protocol slave mode. Information on the SD card protocol is freely available today, and an SPI-capable board can be purchased for $10-$20. You just need a lot of time and some will.

Last edited by rupor; 06-28-2014 at 11:06 AM.
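The weakness the post relies on is a verify-then-use gap: the updater checks update.img by reading it from removable storage, then reads it again to mount it, and nothing ties the two reads together. The following is an added example, not code from the post or from Sony's updater, that models that gap and the usual fix (read the image once into storage the device controls, verify that copy, and use the same copy). The real script shells out to openssl on an RSA signature; here an HMAC-SHA256 under a constructed key stands in for the signature so the block runs with the standard library only. The key, the image contents and all class and function names are constructed for illustration.

```python
"""Model of a verify-then-use gap in an update flow, and the fix.

Added example; not the vendor's code. HMAC-SHA256 stands in for the real
RSA signature (assumption) so that only the standard library is needed.
"""
import hashlib
import hmac

# Constructed stand-in for the vendor's signing key; not a real key.
VENDOR_KEY = b"constructed-vendor-key"


def sign(data: bytes) -> bytes:
    """Stand-in for the vendor producing update.sig over update.img."""
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    """Stand-in for the 'openssl ... -verify' step in the updater."""
    return hmac.compare_digest(sign(data), sig)


class RemovableMedium:
    """Models storage the updater does not control.

    It returns one image for the first `swap_after` reads of update.img and
    a different image afterwards, which is the situation the post
    describes: the bytes that were checked need not be the bytes mounted.
    """

    def __init__(self, first: bytes, later: bytes, swap_after: int = 1):
        self.first, self.later = first, later
        self.swap_after = swap_after
        self.reads = 0

    def read_image(self) -> bytes:
        self.reads += 1
        return self.first if self.reads <= self.swap_after else self.later


def vulnerable_update(medium: RemovableMedium, sig: bytes):
    """Verify by reading the medium, then read the medium again to use it.

    Returns the image that would be mounted, or None if verification fails.
    The second read is independent of the first, so the medium may serve
    different bytes to it.
    """
    if not verify(medium.read_image(), sig):
        return None
    return medium.read_image()


def hardened_update(medium: RemovableMedium, sig: bytes):
    """Read once into device-controlled memory, verify that copy, use it.

    In a shell-based updater this corresponds to copying update.img to
    internal storage before running the signature check and mounting the
    copy, never the removable medium, afterwards.
    """
    image = medium.read_image()
    if not verify(image, sig):
        return None
    return image


# Constructed sample images and a valid signature over the genuine one.
GENUINE = b"genuine vendor update image"
OTHER = b"a different image"
GENUINE_SIG = sign(GENUINE)


def demo():
    """Run both updaters against a medium that changes after one read."""
    mounted_vuln = vulnerable_update(RemovableMedium(GENUINE, OTHER), GENUINE_SIG)
    mounted_hard = hardened_update(RemovableMedium(GENUINE, OTHER), GENUINE_SIG)
    return mounted_vuln, mounted_hard


if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable updater mounted:", vuln)
    print("hardened updater mounted:  ", hard)
```

The detection angle for a device owner or firmware maintainer follows from the model: any updater whose check and use are two separate reads of untrusted storage has this gap regardless of how strong the signature algorithm is, so the review question is "which bytes did the verifier see, and are those the bytes that get mounted?" rather than "is the signature check correct?".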