From what I gathered, once you extract a pkg with a non-zero passcode, the eboot.bin isn't encrypted, at least not with a game-specific key. From the SDK it's also possible to build .selfs and run them directly on a devkit, and I'm pretty sure they work by loading the new .self instead of the eboot.bin, but they still read the data from the corresponding .pkg.
Once you rename a .self into eboot.bin and package it in a pkg, it strips the debug symbols from it, which apparently are the only difference, so it basically becomes identical to the original eboot.bin. Or so I think, maybe it just compresses it, but I'm pretty sure it's actually stripping debug info from it, and shrinking it down.
I need a way to run this .self directly to get more appropriate logs/debug information, and possibly a callstack of the crash.
For your last question: I have the passcode. It's a commercial app.
--------------------- MERGED ---------------------------
I think that the .self I have isn't encrypted with any additional game specific key, because I can just build it into a fpkg and run it, and even if it turns it into an eboot.bin, that would not have been possible if the .self was encrypted. Or maybe it's encrypted with an all 0 pass.
Edit: no, the .self I have isn't encrypted at all, because I can read pure strings in it (which are the debugging symbols). Maybe the actual code is encrypted, but I doubt they encrypt part of the file, and again, definitely not with a game-specific key.