Good to know. I don't think tampering with the bytes at the end would hurt anything, but the first 4 bytes (0bf0xxxx) make up a rather important jump instruction.
Originally Posted by The_Cable_Guy
To skip these checks, you'll want to edit the getprom binary (untested):
offset df0: 41860020 -> 48000020 (skip magic number check)
1800de4: 3c 00 54 69 lis r0,21609
1800de8: 60 00 56 6f ori r0,r0,22127
1800dec: 7c 89 00 00 cmpw cr1,r9,r0
1800df0: 41 86 00 20 beq- cr1,0x1800e10
offset e3c: 41820020 -> 48000020 (skip reset vector check)
1800e10: 3d 3e 00 02 addis r9,r30,2
1800e14: 80 09 ff fc lwz r0,-4(r9)
1800e18: 6c 09 4b fe xoris r9,r0,19454
1800e1c: 69 29 20 24 xori r9,r9,8228
1800e20: 31 49 ff ff addic r10,r9,-1
1800e24: 7d 2a 49 10 subfe r9,r10,r9
1800e28: 6c 00 4b ff xoris r0,r0,19455
1800e2c: 68 00 e0 04 xori r0,r0,57348
1800e30: 31 40 ff ff addic r10,r0,-1
1800e34: 7c 0a 01 10 subfe r0,r10,r0
1800e38: 7d 2a 00 39 and. r10,r9,r0
1800e3c: 41 82 00 20 beq- 0x1800e5c
This was from the 3.1.0d getprom binary. Offsets on other versions may vary.
BTW, I have not tried this yet on a Series2.5 system. However, I do know that the flash is mapped to the same physical address range, so it might work.
but the 39 can be reflashed at any time in-circuit with the utilities that have been written and posted here.
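Added example, not part of the original posts and not code from getprom: a Python model of the instruction words in the listing quoted above, showing what each check compares and what the two one-word patches change. The function names are invented for this sketch, and the only inputs are the addresses and words that appear in the listing.

```python
import struct

MASK = 0xFFFFFFFF

def sext(value, bits):
    """Sign-extend the low `bits` bits of value."""
    sign = 1 << (bits - 1)
    return (value ^ sign) - sign

def decode_branch(word, addr):
    """Decode a relative PowerPC branch: bc (opcode 16) or b (opcode 18)."""
    opcode = word >> 26
    if word & 0x2:
        raise ValueError("absolute branch (AA=1) not handled")
    if opcode == 16:    # B-form: BO, BI, 14-bit word displacement
        bi = (word >> 16) & 0x1F
        return {"op": "bc", "bo": (word >> 21) & 0x1F, "cr": bi // 4,
                "bit": ("lt", "gt", "eq", "so")[bi % 4],
                "target": (addr + sext(word & 0xFFFC, 16)) & MASK}
    if opcode == 18:    # I-form: 24-bit word displacement, no condition
        return {"op": "b", "target": (addr + sext(word & 0x03FFFFFC, 26)) & MASK}
    raise ValueError("not a branch word")

def nonzero_flag(x):
    """addic rT,rX,-1 ; subfe rX,rT,rX  leaves 1 if x != 0, else 0."""
    total = x + MASK                        # addic: x + (-1), CA = carry out
    tmp, ca = total & MASK, total >> 32
    return ((~tmp & MASK) + x + ca) & MASK  # subfe: ~rA + rB + CA

def reset_vector_ok(word):
    """Model of 1800e18..1800e3c: True when the beq- at 1800e3c is taken."""
    r9 = nonzero_flag(word ^ ((19454 << 16) | 8228))   # xoris / xori pair
    r0 = nonzero_flag(word ^ ((19455 << 16) | 57348))
    return (r9 & r0) == 0                   # and. sets cr0.eq if either matched

def magic_bytes():
    """Constant built by lis r0,21609 ; ori r0,r0,22127, as big-endian bytes."""
    return struct.pack(">I", (21609 << 16) | 22127)

if __name__ == "__main__":
    for addr, word in ((0x1800DF0, 0x41860020), (0x1800DF0, 0x48000020),
                       (0x1800E3C, 0x41820020), (0x1800E3C, 0x48000020)):
        print(hex(addr), hex(word), decode_branch(word, addr))
    print(magic_bytes(),
          [hex(w) for w in (0x4BFE2024, 0x4BFFE004) if reset_vector_ok(w)])
```

Each original and patched word resolves to the same branch target, so the patches change only whether the comparison result is consulted. The two words the second check accepts both carry primary opcode 18, meaning they are themselves `b` instructions.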