I took a look at T-TDT5DEUC-1016.1 firmware and fount that there is these parts for upgrade:
1. appdata.img.sec and corresponding cmac,cs,vs files - I guess it is encrypted /mtd_appdata partition content
2. exe.img.sec and corresponding cmac,cs,vs files - I guess it is encrypted /mtd_exe partition content
3. uImage - Linux kernel for TV
4. rootfs.img - squashfs TV root filesystem image
5. rocommon.img - I guess it is squashfs image of /mtd_rocommon partition (for me content looks very similar to B650 /mtd_appdata)
6. info.txt, validinfo.txt, version_info.txt, major_version, minor_version - text files with FW versions and checksums
7. boot_env.bin - I guess it is checksums of kernel (bml5), uboot (bml2) and fnw (bml4) partitions as petergey talks here
In documentation of TV is noted that it has CI port but in rootfs.img there is authuld binary, there is references to authuld in kernel image - so it seems that in 2010 series CI and CI+ devices are protected in the same manner.
Kernel image and boot_env.bin can help find bootloader checksum checking algorithm.
If rootfs image checksum is not checked by bootloader and authuld it is posible to change some startup files and autostart some programs by flashing only rootfs.img (by looking at 2009 series TV flashing script run.sh there is no mandatory files in update - we could leave only rootfs.img, info.txt, version_info.txt, major_version and minor_version files and flashing with TV original procedures should succeed).
But until there is no unbricking methods for 2010 TV's all experiments are very risky.