Now that 6.20 TN-A is out in the open, allow me to describe the kernel vulnerability it used. Back in 5.70/6.00, Sony introduced a feature into the sceUtility_private library that allowed a caller to set and unset a callback that runs with kernel privileges.
sceUtility_private_764F5A3C // Set power callback
sceUtility_private_2DC8380C // Release (unset) power callback
These two functions are not normally imported, so reaching them requires special techniques such as syscall estimation before their functionality can be used.
Now, how does this kernel exploit work?