Figured I'd update this thread with my latest advancement with regard to the SeriTek/1S2 ROM. I was able to successfully patch it to remove the EEPROM ID check, in both the OS X NDRV/kexts, and the OS9 NDRV! I was only able to get my hands on a copy of version 5.1.3 of the ROM, but it would be even more beneficial if I were able to find and patch version 5.0.7, as apparently that will fit on a 128k EEPROM.
That's great work, could you give us a quick/ dumbed down version of what you did with this patch?
The patch itself actually ended up being fairly easy to perform. The first thing to be aware of is that the EEPROM ID check is performed in the driver executables, run under OS 9 or OS X, and NOT in the ROM's FCode itself. There are two separate drivers embedded in the ROM, one for OS 9, and one for OS X (in the form of an mkext, containing 2 kexts). The OS 9 one was pretty easy, I simply had to extract the executable binary from the ROM, and load it into a disassembler. From there, after a bit of analysis, I was able to locate the EEPROM ID check, and perform a very small binary patch to bypass it. I'll attach a screenshot of the modified assembly control flow diagram, after I applied my patches. You can see where the EEPROM ID check is performed, where it checks for the IDs of the three supported EEPROM models (AM29LV040 - 01 4F, MX29LV040 - C2 4F, PM39LV040 - 9D 3E), and loads 1 into R31 when it sees one of these IDs present. I simply patched the binary to load 1 into R31 and finish the function, without doing any checking (as you can see in the diagram). A similar patch was made to the OS X kext. The kext is a bit more tricky to get back into the ROM image, as the patched kext must be re-packed into an mkext, and the resulting mkext binary re-encoded into a form where it can be inserted back into the ROM.
Now, just recently, I went even further with the modifications, by implementing a custom lzss decompression routine into the ROM. I could use this to decompress the OS 9 driver executable at runtime, allowing me to store it in an lzss-compressed form in the ROM. Compressing reduced the size of the executable by almost half, which was enough to get the entire ROM small enough to fit onto a 128K EEPROM. You can see my latest update on that
here. The OS X mkext is already compressed, so nothing could be done with that.