Just an idea, and please don't scoff at me if it has already been thought of, but...
Why not just modify the signature key storage? I mean, wouldn't it be easier to patch that area, have a generic key inserted, grant it OEM level, and play further with that?
By my understanding, there are multiple levels of key storage, detailed
HERE. Say we patch the PK to a custom, public one (I do understand the threat of this, having a public key, but it could be worked around if a tool were used which would generate a PK replacement before flashing, so that it would be a one-time-use key only). Then any application signed with that key, any modified firmware, anything, can be easily installed, in theory. I do understand that it's a bit further thinking than working with registry hives, but after all, this would be the ultimate goal: unlocking our phones so they can load any app, firmware, etc. we want on them.
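The "one-time-use key" idea in the post, as an added example that is not part of the original post and not any project's tool: the script below generates a fresh RSA key pair per flashing run with openssl, signs a constructed stand-in for a firmware image, discards the private half, and then checks that a payload signed by some other key is rejected under the freshly generated public key. It models only the signing and verification logic; on a UEFI Secure Boot system the PK is an X.509 certificate held in an authenticated variable, and writing it to a real device is outside what this example shows. All file names and the payload are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Models the per-flash key idea
# with openssl; it does not touch any real key store.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${TMPDIR:-/tmp}/pk-demo.$$"
mkdir -p "$WORK"

# gen_key NAME: create a fresh 2048-bit RSA key pair NAME.key / NAME.pub.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# sign_file NAME PAYLOAD SIG: SHA-256/RSA signature of PAYLOAD with NAME.key.
sign_file() {
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3" "$2"
}

# verify_file NAME PAYLOAD SIG: return 0 if SIG verifies under NAME.pub, else 1.
verify_file() {
    openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$3" "$2" \
        >/dev/null 2>&1
}

# Constructed payload standing in for a firmware image.
PAYLOAD="$WORK/firmware.bin"
printf 'constructed firmware image\n' > "$PAYLOAD"

gen_key flash   # the key the flashing tool would generate for this one run
gen_key other   # a different key, i.e. anyone else holding a "public" PK

sign_file flash "$PAYLOAD" "$WORK/flash.sig"
sign_file other "$PAYLOAD" "$WORK/other.sig"

# One-time use: after signing, the tool throws the private half away, so only
# the public key (the part that would be enrolled as PK) survives.
rm -f "$WORK/flash.key"

# demo: return 0 only if the per-flash public key accepts its own signature
# and rejects the signature made with the other key.
demo() {
    verify_file flash "$PAYLOAD" "$WORK/flash.sig" || return 1
    if verify_file flash "$PAYLOAD" "$WORK/other.sig"; then return 1; fi
    return 0
}

if demo; then echo "per-flash key: own signature accepted, foreign signature rejected"; fi
```

The point the check makes is the one the post raises: a PK that is public in the sense of "everyone has the same private key" lets anyone sign for every device, whereas a key pair generated fresh per flash and then discarded is only as exposed as that one run.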