I've been analyzing LoadCode.S, too, trying to better 'understand' ROP.
I have a dump of the spider applet RAM (made with MemoryDump.S, of course).
I started with the third word of the ROP chain (0x0019CA34) which is supposed to perform "FS_MOUNTSDMC()". Using the value as a function pointer, I followed a process of
1.) disassembling data at the current address
2.) finding the first flow-control instruction (in this case, always a BL instruction)
3.) following the address, setting my new "current address" to the target address.
After a few cycles of this, I reached the "end"--a span of code which does not perform any flow control before returning. Specifically, I followed the execution path to virtual address 0x002443e4 (RAM dump offset 0x001443e4). At this address is the instruction "SVC 0x32", immediately followed by a "BX lr".
I have not yet analyzed any other part of this execution path--that is, any code after the first flow-controlling instruction in a code block. Perhaps this would help my understanding further.
I suppose I'm looking for a sanity check. If I had one question, (nebulous as it is) it would be "am I on the right track?".
Other, more specific questions would include:
* Are SVC instructions the main method by which userland code accesses system functions?
* Should userland code ever attempt to branch outside of the 0x00100000 process region?
* Does userland code ever interact "directly" with NATIVE_FIRM code?
* Is a decrypted set of the (in this case, 9.2) NATIVE_FIRM titles needed to fully understand the ROP chain process?
Many thanks in advance to anybody who reads this atrocity of a post.
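Added example (my own, not code from the post or from LoadCode.S): a small Python walker that mechanises steps 1 to 3 above on a RAM dump, decoding only B/BL, SVC and BX lr straight from the raw A32 words instead of running a full disassembler, and stopping at the "SVC then BX lr" leaf the post describes. It assumes dump offset 0 maps to VA 0x00100000 (consistent with the post's offset/VA pairing); the sample dump, its addresses and its stubs are constructed for the demonstration.

```python
import struct
LOAD_BASE = 0x00100000  # assumption: dump offset 0 is VA 0x00100000 (matches the post's pairing)

def classify(word, pc):
    """Classify one little-endian A32 word at address pc: ('branch', target) for B/BL,
    ('svc', imm24) for SVC, ('bx_lr', None) for BX lr, else ('other', None)."""
    if (word & 0x0F000000) == 0x0F000000:                  # SVC imm24 (any cond)
        return "svc", word & 0x00FFFFFF
    if (word & 0x0E000000) == 0x0A000000:                  # B / BL (L = bit 24)
        imm24 = (word & 0x00FFFFFF) - ((word & 0x00800000) << 1)   # sign-extend
        return "branch", pc + 8 + (imm24 << 2)             # PC reads as current+8
    if word == 0xE12FFF1E:                                 # BX lr
        return "bx_lr", None
    return "other", None

def follow_chain(dump, start_va, base=LOAD_BASE, max_hops=32):
    """The post's procedure: from start_va scan forward to the first B/BL, hop to its
    target, and stop at a stub that hits SVC or BX lr first. Returns (path, svc_or_None)."""
    path, va = [start_va], start_va
    for _ in range(max_hops):
        pc = va
        while True:
            off = pc - base
            if off < 0 or off + 4 > len(dump):
                raise ValueError(f"VA {pc:#010x} is outside the dump")
            kind, arg = classify(struct.unpack_from("<I", dump, off)[0], pc)
            if kind == "branch":
                va = arg
                path.append(va)
                break
            if kind in ("svc", "bx_lr"):                   # leaf reached
                return path, arg
            pc += 4
    raise RuntimeError("branch chain deeper than max_hops")

def build_sample_dump():
    """Constructed 256-byte dump: stub -> stub -> 'SVC 0x32; BX lr', like the post's leaf."""
    words = {
        0x00100000: 0xE3A00000,   # mov r0, #0
        0x00100004: 0xEB00000D,   # bl 0x00100040  (0xD words beyond pc+8)
        0x00100040: 0xE52DE004,   # push {lr}
        0x00100044: 0xEB00000D,   # bl 0x00100080
        0x00100080: 0xEF000032,   # svc 0x32
        0x00100084: 0xE12FFF1E,   # bx lr
    }
    dump = bytearray(0x100)
    for va, w in words.items():
        struct.pack_into("<I", dump, va - LOAD_BASE, w)
    return bytes(dump)
```

Run it on a real dump with `follow_chain(open("dump.bin", "rb").read(), 0x0019CA34)` and compare the returned path against the addresses found by hand.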