The problem is that we aren't even sure how long the salt is, whether the salt is placed before or after the data payload (or both), or even what sections of data are being hashed. If it's anywhere near as long as the 20 character SHA1 salt used in the GTS, then it's not even worth trying to brute-force. You'd have better luck finding/hiring a hardware engineer to reproduce what neimod and smea can do, and pull it out of RAM.
This deeply confuses me. Assuming we're right that this is a hash, and assuming that this hash is absolutely required by the game and that we're not just making mistakes elsewhere in our injection process, then it should've been impossible for bond and xfr to inject an edited Pokemon using wonder trade. Unless, of course, they happen to have the same hardware setup as neimod and smea.