Finally got a FULL (101MB) working kernel dump of 7.55 (thanks @KiiWii) and the method I mentioned earlier of finding an offset for a later FW works.
Here is the method to find the correct offset for todex for FW 7.55:
First open a copy of previous FW version dumps in a hex editor and go to the known GOOD offset you are trying to find for that FW.
(you will see that the offset value for each FW is 87)
Then look for a common string of bytes before the offset you are trying to find. The longer the string the better!
Search on each FW dump and make sure that there is only one instance of the string. This is why it is better to have a long string, because there is less chance of it appearing again further on in the file.
(the same string appears only once in FW 5.05, 6.72 and 7.02)
Open the 7.55 kernel dump and search for the long string that is common in the previous FWs.
(Success! The string is found and it only appears once)
Then highlight the 87 in the place it is in the other FW versions after the string, and the offset it shows in the bottom left of the screen is the one you are looking for.
The offset I found is 222898D and it is the same offset posted by zeco on twitter:
https://gbatemp.net/threads/release...exploit-host-menu.579557/page-16#post-9428378
This method may not work for all offsets but I have usually had good success in the past when looking for offsets on later FW versions.
Hope some people will find this useful.
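As an added illustration, not the poster's tooling, here is the same procedure automated in Python over constructed sample dumps: pick the longest run of bytes that sits just before the known-good offset in every reference dump and occurs exactly once in each, then look it up in the new dump and accept the result only if the match is unambiguous and the byte at the ported offset is the expected 0x87. The `make_dump` helper, the 32-byte `COMMON` block and all offsets are assumptions; no real firmware bytes are used.

```python
"""Port a known byte offset across versions via a unique preceding signature.
Constructed example: dumps are random filler with a planted common block."""
import random
from typing import Dict, Optional

# Constructed stand-ins for the "common string" and the byte at the offset.
COMMON = bytes(range(0xA0, 0xC0))   # 32 bytes, assumed, not real kernel code
TARGET_BYTE = 0x87                  # the value the post says sits at the offset


def make_dump(seed: int, target_off: int, size: int = 4096) -> bytes:
    """Fake dump: random filler, COMMON right before target_off, 0x87 at it."""
    buf = bytearray(random.Random(seed).randbytes(size))
    buf[target_off - len(COMMON):target_off] = COMMON
    buf[target_off] = TARGET_BYTE
    buf[target_off - len(COMMON) - 1] = seed & 0xFF  # bytes diverge before COMMON
    return bytes(buf)


def longest_unique_signature(dumps: Dict[str, bytes], offsets: Dict[str, int],
                             min_len: int = 8, max_len: int = 64) -> Optional[bytes]:
    """Longest run ending just before the known offset that is byte-identical
    in every reference dump and occurs exactly once in each of them."""
    ref = next(iter(dumps))
    for n in range(max_len, min_len - 1, -1):       # longest candidate first
        sig = dumps[ref][offsets[ref] - n:offsets[ref]]
        if len(sig) == n and all(d[offsets[k] - n:offsets[k]] == sig and d.count(sig) == 1
                                 for k, d in dumps.items()):
            return sig
    return None


def port_offset(new_dump: bytes, sig: bytes, expected_byte: int = TARGET_BYTE) -> Optional[int]:
    """Find sig in the new dump; accept only if it occurs exactly once and the
    byte right after it matches the value seen at the reference offsets."""
    first = new_dump.find(sig)
    if first < 0 or new_dump.find(sig, first + 1) != -1:
        return None   # absent or ambiguous: the signature cannot be trusted
    off = first + len(sig)
    return off if off < len(new_dump) and new_dump[off] == expected_byte else None


# Reference dumps with known-good offsets (all constructed), plus the new version.
REF_OFFSETS = {"5.05": 0x400, "6.72": 0x5A0, "7.02": 0x7F0}
REF_DUMPS = {v: make_dump(i + 1, off) for i, (v, off) in enumerate(REF_OFFSETS.items())}
NEW_DUMP = make_dump(99, 0xC30)

if __name__ == "__main__":
    sig = longest_unique_signature(REF_DUMPS, REF_OFFSETS)
    print(sig.hex(), hex(port_offset(NEW_DUMP, sig)))   # prints the 32-byte sig and 0xc30
```

With real dumps you would read each file with `open(path, "rb").read()` and put the known offsets in `REF_OFFSETS`; a `None` result means the signature was missing or matched more than once and a longer string is needed.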