Now, I have no knowledge here either, but some quick looking says...If someone knows how NIM knows that the title hash isn't the latest one, we could achieve eShop spoofing!
Nim has a GetSystemTitleHash, might be what we want, if we can find where the hash is?
The hash should be the same for any given version, provided the region matches the system, thus we might be able to search for where our own hash is stored and work from there?
The updater exits if it's given title hash is the latest patching. Thus, if we patch the title hash we may not need to patch update servers?
...of course, this very well be the simplest basics ever, but so far all that's been discussed is checking for updates, so tossing this out there.