"user" keys are in mesg_ledXXX.prx, "kernel/internal" keys are in memlmdXXX.prx
The critical "kernel" key are stored in 2 parts, 1 part in kernel space 0x88nnnnnn, the other part in 0xBFC0nnnn. There are functions in "memlmd" to prepare (XOR the 2 parts to form the actual key and stored in 0xBFC0nnnn area) / clear the key.
The IPL since, 3000/brite, cannot be directly decrypted by Kirk command 1....
Edit: I may have the kernel keys now...
___________________________________________
So, right now kernel exploit is not found, but this message gives hope to us. And no one sure that when exploit will be found, author will be public it. + coyotebean has got congratulations by wololo, m0skit0, FreePlay and Davee.