Whoops!

Well, I've spent the last few days going through the bootloader in a disassembler. So far I cannot for the life of me figure out where the bootloader is determining how many bytes to load for the kernel.

I have, however, along the way changed the image (the one that shows when you turn the power on) from the WowWee logo to something else. I have also managed to get the bootloader stuck in a perpetual loop, executing itself over and over and over, while trying to load the kernel. Which was fun.

I'm getting very tired of staring at stuff like this...

 
ROM:00005950                 LDR     R2, =0x8FF2A7C
ROM:00005954                 MOV     R3, #0x800      @ 2048
ROM:00005958                 STR     R3, [R2]
ROM:0000595C                 B       loc_596C        @ Str Add "Manu ID = "
ROM:00005960 @ ---------------------------------------------------------------------------
ROM:00005960                 LDR     R2, =0x8FF2A7C
ROM:00005964                 MOV     R3, #0x400      @ 1024
ROM:00005968                 STR     R3, [R2]
ROM:0000596C
ROM:0000596C loc_596C:                               @ CODE XREF: Copy_Kernel_+70
ROM:0000596C                                         @ Copy_Kernel_+80 ...
ROM:0000596C                 LDR     R0, =0x8FE6F98  @ Str Add "Manu ID = "
ROM:00005970                 BL      SendString__
ROM:00005974                 LDR     R0, [R11,#var_10] @ Manu ID?
ROM:00005978                 BL      SendHex__
ROM:0000597C                 LDR     R0, =0x8FE6FA4  @ Str Add "Device ID = "
ROM:00005980                 BL      SendString__
ROM:00005984                 LDR     R0, [R11,#var_14] @ Device ID?
ROM:00005988                 BL      SendHex__
ROM:0000598C                 LDR     R0, =0x8FE6FB4  @ Str Add "Block Count = "
ROM:00005990                 BL      SendString__

Parts of it make sense to me, parts of it don't. I hope I figure this out before my brain tries to escape out my head again (It took forever to find it last time that happened).

regarding bootloader etc.

Hi, I just bought one of these myself and intend to hack mine - I have experience with assembly all the way back to ZX81, 6510, Motorola, DSPs etc.

I would very much like to take a look at the code - bootloader code and comment it.

If you could make a dump of the whole EEPROM and send it to me - I'd be very happy. I could set up some tools in OSX and have a go.

regards,

-=> JediNforce <=-

I'll see what I can do.

I'll see what I can do.