FWIW, this is my take on the situation.
Each ROM has a table of CPs. The two tables are identical.
newlockedrom.bin
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13
0005BCE8 AA 00 54 4F 00 00 00 00 ª.TO....
0005BCFC D0 8A 05 D0 A0 03 A0 03 90 03 01 00 34 00 52 43 00 00 00 00 Њ.Р. .....4.RC....
0005BD10 40 8A 05 D0 70 00 70 00 6E 00 01 00 33 00 57 43 00 00 00 00 @Š.Ðp.p.n...3.WC....
0005BD24 D0 32 0A D0 50 0E 50 0E 4E 0E 01 00 99 00 4D 4F 00 00 00 00 Ð2.ÐP.P.N...™.MO....
0005BD38 70 8E 05 D0 10 00 00 00 00 00 00 00 44 00 53 47 00 00 00 00 pŽ.Ð........D.SG....
0005BD4C 80 8E 05 D0 30 00 30 00 2E 00 01 00 92 00 43 4F 00 00 00 00 €Ž.Ð0.0.....’.CO....
0005BD60 B0 8E 05 D0 10 00 10 00 0C 00 01 00 C1 00 47 4F 00 00 00 00 °Ž.Ð........Á.GO....
0005BD74 C0 8E 05 D0 10 00 10 00 02 00 01 00 95 00 48 54 00 00 00 00 ÀŽ.Ð........•.HT....
0005BD88 D0 8E 05 D0 10 00 10 00 0C 00 01 00 55 00 4D 4E 00 00 00 00 ÐŽ.Ð........U.MN....
0005BD9C E0 8E 05 D0 C0 00 40 00 00 00 01 00 56 00 4D 4E 00 00 00 00 àŽ.ÐÀ.@.....V.MN....
........
0005C6FC D0 D1 05 D0 10 00 10 00 0E 00 01 00 0A 01 56 46 00 00 00 00 ÐÑ.Ð..........VF....
0005C710 D0 2F 0B D0 E0 0F E0 0F DE 0F 01 00 0B 01 45 44 00 00 00 00 Ð/.Ðà.à.Þ.....ED....
0005C724 00 5B 05 D0 00 18 00 18 FE 17 01 00 83 00 00 00 53 48 00 00 .[.Ð....þ...ƒ...SH..
0005C738 E0 8F 05 D0 20 00 20 00 18 00 00 00 53 5A 00 00 00 90 05 D0 à..Ð . .....SZ.....Ð
0005C74C D0 00 D0 00 C6 00 00 00 48 50 00 00 D0 90 05 D0 10 00 10 00 Ð.Ð.Æ...HP..Ð..Ð....
0005C760 0C 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....................
000000-07FFFF.bin
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13
0005BD9C AA 00 54 4F 00 00 00 00 D0 8A 05 D0 ª.TO....Њ.Ð
0005BDB0 A0 03 A0 03 90 03 01 00 34 00 52 43 00 00 00 00 40 8A 05 D0 . .....4.RC....@Š.Ð
0005BDC4 70 00 70 00 6E 00 01 00 33 00 57 43 00 00 00 00 D0 32 0A D0 p.p.n...3.WC....Ð2.Ð
0005BDD8 50 0E 50 0E 4E 0E 01 00 99 00 4D 4F 00 00 00 00 70 8E 05 D0 P.P.N...™.MO....pŽ.Ð
0005BDEC 10 00 00 00 00 00 00 00 44 00 53 47 00 00 00 00 80 8E 05 D0 ........D.SG....€Ž.Ð
0005BE00 30 00 30 00 2E 00 01 00 92 00 43 4F 00 00 00 00 B0 8E 05 D0 0.0.....’.CO....°Ž.Ð
0005BE14 10 00 10 00 0C 00 01 00 C1 00 47 4F 00 00 00 00 C0 8E 05 D0 ........Á.GO....ÀŽ.Ð
0005BE28 10 00 10 00 02 00 01 00 95 00 48 54 00 00 00 00 D0 8E 05 D0 ........•.HT....ÐŽ.Ð
0005BE3C 10 00 10 00 0C 00 01 00 55 00 4D 4E 00 00 00 00 E0 8E 05 D0 ........U.MN....àŽ.Ð
0005BE50 C0 00 40 00 00 00 01 00 56 00 4D 4E 00 00 00 00 E0 8E 05 D0 À.@.....V.MN....àŽ.Ð
........
0005C7B0 10 00 10 00 0E 00 01 00 0A 01 56 46 00 00 00 00 D0 2F 0B D0 ..........VF....Ð/.Ð
0005C7C4 E0 0F E0 0F DE 0F 01 00 0B 01 45 44 00 00 00 00 00 5B 05 D0 à.à.Þ.....ED.....[.Ð
0005C7D8 00 18 00 18 FE 17 01 00 83 00 00 00 53 48 00 00 E0 8F 05 D0 ....þ...ƒ...SH..à..Ð
0005C7EC 20 00 20 00 18 00 00 00 53 5A 00 00 00 90 05 D0 D0 00 D0 00 . .....SZ.....ÐÐ.Ð.
0005C800 C6 00 00 00 48 50 00 00 D0 90 05 D0 10 00 10 00 0C 00 00 00 Æ...HP..Ð..Ð........
0005C814 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....................
The CPs in both ROMs are located at 0x79400.
newlockedrom.bin
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13
00079400 54 4F 06 0A B3 EC 06 0A B3 EC 00 00 DC EC 00 00 DC EC 36 03 TO..³ì..³ì..Üì..Üì6.
00079414 2A F9 36 03 2A F9 36 03 2A F9 36 03 2A F9 36 03 2A F9 36 03 *ù6.*ù6.*ù6.*ù6.*ù6.
00079428 2A F9 36 03 2A F9 36 03 2A F9 00 00 00 00 00 00 00 00 00 00 *ù6.*ù6.*ù..........
0007943C 00 00 00 1B 43 53 01 00 A0 00 50 00 00 00 00 00 00 00 00 E1 ....CS.. .P........á
00079450 43 53 01 00 A0 00 50 00 00 00 00 00 00 00 00 E1 43 53 00 00 CS.. .P........áCS..
00079464 00 00 00 00 00 00 00 00 00 00 00 94 43 53 00 00 00 00 00 00 ...........”CS......
000000-07FFFF.bin
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13
00079400 54 4F 65 05 42 EC 65 05 42 EC 00 00 FC EC 00 00 FC EC 36 03 TOe.Bìe.Bì..üì..üì6.
00079414 2A F9 36 03 2A F9 36 03 2A F9 36 03 2A F9 36 03 2A F9 36 03 *ù6.*ù6.*ù6.*ù6.*ù6.
00079428 2A F9 36 03 2A F9 36 03 2A F9 00 00 00 00 00 00 00 00 00 00 *ù6.*ù6.*ù..........
0007943C 00 00 00 1B 43 53 01 00 A0 00 50 00 00 00 00 00 00 00 00 E1 ....CS.. .P........á
00079450 43 53 01 00 A0 00 50 00 00 00 00 00 00 00 00 E1 43 53 00 00 CS.. .P........áCS..
00079464 00 00 00 00 00 00 00 00 00 00 00 94 43 53 00 00 00 00 00 00 ...........”CS......
ISTM that it may be worth trying to patch the locked drive's CPs (addresses 0x79400 - 0x7FFFF) into an unlocked ROM. Each CP has its own XOR8 checksum. However, I don't know if there are any additional checksums. If other checksums do exist, then hopefully the patch will not invalidate them. Also, the patch assumes that the lock is not contained within a CP. If it is, then hopefully the unlocked ROM code will ignore this lock. One additional question is whether the ROM firmware needs to match the SA firmware in some way.
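An added example, not part of the original post: a check of the per-CP XOR8 checksum against the "TO" bytes shown in the two dumps at 0x79400, plus a list of the offsets where the two ROMs differ. It assumes the TO CP is the 64 bytes 0x79400 - 0x7943F and that its last byte (0x1B) is the checksum, so that a valid CP XORs to zero; the function names are made up for the illustration.

```python
from functools import reduce

BASE = 0x79400  # start of the CP area, per the post

# Constructed from the dumps above. Assumption: the "TO" CP is the 64 bytes
# 0x79400-0x7943F and its final byte (0x1B) is the XOR8 checksum.
_TAIL = "36 03 2A F9 " * 8 + "00 " * 13 + "1B"
LOCKED_TO = bytes.fromhex(
    "54 4F 06 0A B3 EC 06 0A B3 EC 00 00 DC EC 00 00 DC EC " + _TAIL)
UNLOCKED_TO = bytes.fromhex(
    "54 4F 65 05 42 EC 65 05 42 EC 00 00 FC EC 00 00 FC EC " + _TAIL)


def xor8(data: bytes) -> int:
    """XOR of every byte in the region."""
    return reduce(lambda acc, b: acc ^ b, data, 0)


def cp_checksum_ok(cp: bytes) -> bool:
    """A CP that ends in its own XOR8 checksum byte XORs to zero overall."""
    return len(cp) > 0 and xor8(cp) == 0


def diff_offsets(a: bytes, b: bytes, base: int = 0) -> list[int]:
    """Absolute offsets at which two equal-length regions differ."""
    if len(a) != len(b):
        raise ValueError("regions must be the same length")
    return [base + i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    for name, cp in (("newlockedrom.bin", LOCKED_TO),
                     ("000000-07FFFF.bin", UNLOCKED_TO)):
        print(f"{name}: TO xor8={xor8(cp):#04x} ok={cp_checksum_ok(cp)}")
    print("differing offsets:",
          [hex(o) for o in diff_offsets(LOCKED_TO, UNLOCKED_TO, BASE)])
    # Limitation: the differing fields appear twice in this CP, so the copies
    # cancel under XOR and both variants end in the same checksum byte.
    print("same checksum byte:", LOCKED_TO[-1] == UNLOCKED_TO[-1])
    damaged = bytearray(LOCKED_TO)
    damaged[4] ^= 0x01  # a single-byte change, by contrast, is caught
    print("single-byte change detected:", not cp_checksum_ok(bytes(damaged)))
```

A passing XOR8 only covers the one CP it was computed over; it says nothing about whether other checksums exist elsewhere in the ROM.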