you need to talk to someone with JTAG experience and they should be able to walk you through it but essentially you are going to start an update when you get one and then dump everything in the memory during the update. Thankfully if you get a brick, you'll be able to revive your device with JTAG relatively easily. I should also mention that anyone with a Magic *should* get the same keys so anyone with JTAG experience needs to try this first. I'll try to get you in contact with Geohotz and he'll be able to tell you everything you need to do.
That would be great, if you want to waste your time. The public key used to verify the signatures on the images is useless for signing our own images, unless you happen to have a quantum computer lying around. Nobody in the hardware business is stupid enough to use a symmetric key in this situation.
If you're going to mess around with JTAG, you're better off using it to dump contents of all non-volatile memory from an Ion (or other unrestricted device), extracting the SPL from that image, then using JTAG to write it onto one of these locked down devices.
Obviously, a less invasive solution would be to overwrite the restrictive SPL with a less restrictive one while the device is running. Barring any suitable exploits in the SPL itself, root access on a device should sufficient.
Last I heard, the pre-release myTouch 3Gs are using a 2.6.27 kernel version (default Ion image has 2.6.27-00393). Versions pre-2.6.28.4 are vulnerable to a heap overflow (see CVE-2009-1046), which has a root exploit (albeit fairly tricky one) for x86_64 available in the wild. Android 1.5 supports native development in ARM via the NDK (my Ion says ARMv6 compatible).
If I had a locked down device, that's the route I would take, anyway. Easiest, of course, would be a signed Ion NBH.