There are topics on this thread that cross into my day job, so while I don't know a Southbridge from a NAND, I have thoughts about the security. Smartcard chips that are cropping up on US credit cards and have been on European ones for years contain several secured and unsecured containers. They also contain all the logic to perform all the necessary (typically RSA) algorithms for decryption. Because the private key and the decryption code are on the same chip, the decrypted private key never travels off the smartcard. People on this thread have said that it is possible that the key is on the CPU. If that's possible, it's also just as possible that the RSA logic is also on the CPU, forcing all crypto operations to route directly through the CPU, including the decryption of the encrypted parts of the BIOS on the NAND that are accessed once the CPU and its crypto are POSTed by cleartext BIOS code.
It is feasible that each 360 has a public and private key pair, with the public key wrapped by a digital certificate that is accessible by MS's manufacturing partners in real time during the assembly process with a secure LDAP connection. RSA algorithms provide that when content is encrypted using a device's public key, only that device's private key can decrypt the data. The final box assembly manufacturers would be able to use the public key to encrypt the BIOS without ever knowing or handling the private key.
I hate to oversimplify in such a technically competent audience, but this is the fundamental security behind SSL and every secure transaction on the internet on which the world's economy relies.
So MS has a copy of every Xbox's digital certificate in an Active Directory. Buying premium content over Xbox Live means the content has to be signed with your unique digital certificate so you can't share it with your friends who haven't paid. Same with BIOS updates, if any. They have to be signed with your public key so that the private key on your CPU can decrypt the encrypted parts of the BIOS during the last stages of the POST.
Great, rock solid concept if everyone has Xbox Live. Falls to crap as soon as MS has a critical patch they must release to all customers, including those with no internet access. It would be logistically unreasonable to ship each customer a unique update DVD. It would also make no sense to put the device's public key on the box, because modders could simply use it to create legitimately signed alternate BIOS code.
However, if now and forever security will trump field upgrades for people without internet, all of this works and it is as easy to defeat without hardware mods as the security that keeps our economy intact. Including hardware mods, it's as easy as replacing the PowerPC and whatever miscellaneous baggage and clothing it happens to be carrying and wearing.
There are as many other ways to do this as people that post on this thread, so while MS has proven they are public key crypto aware in their operating systems, this is all a load of uselessness until someone proves MS used mainstream RSA crypto and CPU-based hardware security.
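The per-device scheme the post above sketches (a key pair on each console, the public half in a certificate the vendor holds, an update encrypted so that only that console's private key can unwrap it) as an added, self-contained Go example. This is editor-added illustration code, not the poster's and not anything Microsoft is known to have shipped. Everything in it is an assumption for the sake of the demo: the device and vendor names, 2048-bit RSA, RSA-OAEP to wrap an AES-256-GCM content key for the image, and a separate vendor RSA-PSS signature that the device checks after decrypting. The BIOS image is a constructed string. The last check also exercises the point raised about putting the device's public key on the box: anyone holding that public key can produce an image the console will decrypt, which is why the example makes the device verify a vendor signature the modder cannot forge.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// OAEP label (assumed): binds the wrapped key to this purpose; a mismatch fails decryption.
var updateLabel = []byte("bios-update-v1")

// Device models one console: a per-device RSA pair whose private half stays on the
// chip. The public half is what a certificate in the vendor's directory would carry.
type Device struct {
	ID   string
	priv *rsa.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // key size is an assumption
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

func (d *Device) PublicKey() *rsa.PublicKey { return &d.priv.PublicKey }

// Update is what ships to one console: the AES-256 content key wrapped with RSA-OAEP
// under that console's public key, the AES-GCM ciphertext of the image, and a vendor
// RSA-PSS signature over the plaintext image (the signature is an assumed extension).
type Update struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

func aeadFor(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForDevice is the manufacturing-line step: it needs only the device's public
// key (plus the vendor signing key), never the device's private key.
func EncryptForDevice(devPub *rsa.PublicKey, vendorSign *rsa.PrivateKey, image []byte) (*Update, error) {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	gcm, err := aeadFor(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, cek, updateLabel)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(image)
	sig, err := rsa.SignPSS(rand.Reader, vendorSign, crypto.SHA256, sum[:], nil)
	if err != nil {
		return nil, err
	}
	return &Update{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, image, updateLabel), Signature: sig}, nil
}

// Install is the device-side step: unwrap the content key with the private key,
// decrypt the image, then refuse it unless the vendor signature verifies.
func (d *Device) Install(u *Update, vendorPub *rsa.PublicKey) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, d.priv, u.WrappedKey, updateLabel)
	if err != nil {
		return nil, errors.New("update was not encrypted to this device's key")
	}
	gcm, err := aeadFor(cek)
	if err != nil {
		return nil, err
	}
	image, err := gcm.Open(nil, u.Nonce, u.Ciphertext, updateLabel)
	if err != nil {
		return nil, errors.New("ciphertext tampered or wrong content key")
	}
	sum := sha256.Sum256(image)
	if err := rsa.VerifyPSS(vendorPub, crypto.SHA256, sum[:], u.Signature, nil); err != nil {
		return nil, errors.New("image decrypts but is not vendor-signed")
	}
	return image, nil
}

// Demo builds two consoles, a vendor key and a modder key, encrypts a constructed BIOS
// image to console A, and reports whether A installs it, B fails to unwrap it, and an
// image the modder encrypted to A's public key under his own signing key is rejected.
func Demo() (aOK, bRejected, modderRejected bool, err error) {
	a, err := NewDevice("console-A")
	if err != nil {
		return
	}
	b, err := NewDevice("console-B")
	if err != nil {
		return
	}
	vendor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	modder, err := rsa.GenerateKey(rand.Reader, 2048) // attacker's own signing key
	if err != nil {
		return
	}
	image := []byte("CONSTRUCTED BIOS IMAGE v1.1") // sample payload, not real firmware
	u, err := EncryptForDevice(a.PublicKey(), vendor, image)
	if err != nil {
		return
	}
	got, errA := a.Install(u, &vendor.PublicKey)
	aOK = errA == nil && bytes.Equal(got, image)
	_, errB := b.Install(u, &vendor.PublicKey)
	bRejected = errB != nil
	forged, err := EncryptForDevice(a.PublicKey(), modder, []byte("MODDED BIOS IMAGE"))
	if err != nil {
		return
	}
	_, errM := a.Install(forged, &vendor.PublicKey)
	modderRejected = errM != nil
	return
}

func main() {
	aOK, bRej, mRej, err := Demo()
	fmt.Println("A installs:", aOK, "| B rejected:", bRej, "| modder image rejected:", mRej, "| err:", err)
}
```

Run it with `go run .` and the three booleans come back true: the encryption-to-device step gives confidentiality per console, while authenticity of the image comes only from the vendor signature, which is why the public half of the device key can be handed to any assembly partner without letting that partner, or a modder reading it off the box, produce an image the console will accept.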