hello benjamin.deuker,
I doubt your 2nd approach is wrong, and the SBK key did not burn to the target. Due to the device is already fused with PKC, you cannot running odmfuse script for the fuse burning to assign PKC key again.
here’s also an FYI,
Any binaries loaded before CBoot are encrypted by SBK key.
Any binaries loaded by CBoot are encrypted by user_key, the user_key is specified in eks.img. An user_key is purely software, user can define it; 0 user_key means no encryption.
BTW,
you may see-also related Topic 208426 for Fuse Burning,