Good luck with that! I agree that it's difficult to believe that the strings are hardcoded, but worth a crack. I too had a moment where I saw the file decrypting and thought "I've cracked it!", only just to get an invalid zip file!
Are you finding that the ImportPublicKeyBase64 and ImportSymmetricKeyBase64 methods don't work too? I captured some public keys and symmetric keys via Fiddler2 and whilst they're valid base64, it just refuses to load them. Same if I generate my own key/symmetric key, export them (ExportPublicKeyBase64 / ExportSymmetricKeyBase64) and then try and import them again. Completely refuses.
Interesting that there was an O2 UK firmware for the UK back in July. Must have been what they did their accreditation testing with (I believe it failed initially).
If nothing else we can produce a complete history of firmwares now. That kind of thing has been done by piecing together pieces of information from the community up to now.