Speculating on the details is retarded because there is no further information. Devkits do not use retail keys. Retail signing keys are held by Nintendo only and cannot be "calculated" (the PS3 thing was an exception, because Sony made a monumental epic failure of a crypto mistake. That's the only time that has ever happened in video game console history, and don't expect it to ever happen again.). Having a devkit might make investigation more convenient but it provides nothing essential to developing a retail exploit - there is no magic difference between having a devkit and not, other than perhaps it being harder to brick. Devkits don't use the retail common key as far as I know (which has nothing to do with signing and everything to do with encryption, by the way), so you can't extract it from them. Even with the common key, you still can't sign anything for retail (dev signing keys are available to devkit users but only work for devkit consoles). Console security doesn't rely on people not having access to devkits.
Note that you can't just "install HBC using an exploit" on the Wii U like you could on the Wii. The Wii U checks signatures on launch. To make that work you need a persistence exploit in system configuration data that can trigger on boot (think untethered vs. tethered iPhone jailbreaks). So, again, what they show can't work on a retail unit seamlessly without having a persistence exploit (which they don't show and which there's no evidence they have). Otherwise you'd have to perform some action (i.e. trigger an exploit, similar to BannerBomb or LetterBomb) every time you boot in order to break in and disable signature checks (which is also not shown). Meanwhile, all of this requires no exploit on a devkit... because it's a devkit.
Guys, that video is of a trivial demo app written on a devkit. It proves nothing. It would've been interesting had it been on a retail console, but the fact that we discovered that it was a devkit (and the towel/etc hiding the top of the controller all adds up) completely invalidates any claimed proof. Anyone who thinks there is anything more to the demo is just acting on faith. The video serves no purpose. Treat this as you would any random idiot saying "HAI GUYZ I HAZ DEVELOPED WII U HOMEBRU YO!". If you think that deserves trust, well, I have a shiny bridge to sell you.
Little-known fact: version 1.0 of the HackMii Installer (and a few earlier ones, IIRC, though not the latest one) does NOT use an exploit on Wii devkits. If you use it on a Wii development system, it detects that and installs The Homebrew Channel, signed with devkit signing keys, and encrypted with the devkit common key - exactly the same thing that is demoed on this video for Wii U. We did this to troll Nintendo, so if they ran it on a devkit to try to figure out the exploit, it wouldn't use an exploit at all (but it would still work).
Ray, shut up. You're rambling nonsense again.