1. line(s): the contents of the BBRam according the file from matteo
2. blank line
3. the corresponding lines as they should be according the patched boot-eprom code
4. Comments from me
5. end sentence: =================
and so on

FFFC0000  05 29 19 89 00 00 07 11  03 00 00 00 00 00 00 02

FFFC0000  05 29 19 89 xx xx xx xx  04 00 00 00 00 00 00 02
first 4 bytes is the magic number, xx are a 4 byte byte-checksum
over the next 60 Bytes, the 04 seems to be the correct system modus.
=======================================================================
FFFC0010  00 00 25 80 01 00 00 00  C0 A8 02 01 01 00 00 00

FFFC0010  00 00 25 80 01 00 00 00  00 00 00 00 01 00 00 00
the C0 A8 02 01 seems to be the default gateway = 192.168.2.1
must be zero, because the application blocks if a non existing
address. 4 Bytes at FFFC0010: 0x2580 = 9600 seems to be the baud-rate
for serial port, the two bytes from FFC0010 my be stop bits and parity
on/off.
=======================================================================
FFFC0020  C0 A8 02 08 FF FF FF 00  00 00 00 00 00 00 00 00

FFFC0020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
ip-address and netmask, should be set to zero
=======================================================================
FFFC0040  01 00 05 80 00 00 3A 7B  72 61 6D 2E 68 65 78 00

FFFC0040  01 00 05 80 xx xx xx xx  72 61 6D 2E 68 65 78 00
xx is 4 byte byte-checksum over the next 100 bytes
=======================================================================

the next lines are only commented lines, the BIN File is right:
FFFC0090  AA AA AA AA AA AA AA AA  00 00 00 00 00 00 00 00
the last 8 bytes should be zero

FFFC1F20  AA AA AA AA AA AA AA AA  33 32 20 20 00 E0 A0 00  ........32  ....
FFFC1F30  04 08 AA AA AA AA 31 36  32 30 34 38 30 31 32 38  ......1620480128
6 bytes at 0xfffc1f2c mac-address to use
2 bytes at 0xfffc1f36 ramsize in megabytes ascii coded, 16 works always

The access of the boot-eprom code to BBRam is restricted to 9 places:
1. read 4 byte magic number from 0xfffc0000 via read_nvram
2. read 4 byte 60 byte block checksum from 0xfffc0004 via read_nvram
3. via read_nvram 60 Bytes are copied from 0xfffc0008 to 0x7cbc
4. if magic or checksum are wrong 20bytes from location in boot-eprom are copied to 0x7cbc (default values)
5. some code operates on 0x7cbc (system-mode), 0x7cc4 (constant 0x2580), 0x7cd0 (constant 0x01000000) and
   0x7cd4 (ip)
6. read 4 byte 100byte block checksum from 0xfffc0044 via read_nvram
7. via read_nvram 100 Bytes are copied from 0xfffc0048 to 0x18464
8. if magic or checksum are wrong, string 'ram.hex\0' is copied to 0x18464 and 2 long words at 0x18464+0x50
   and 0x18464+0x54 are zeroed
9. mac-address and ram size are read directly from BBRam

I have proofed:
1. no further access to 0xfffcxxx or via read_nvram or write_nvram
2. no further call of the checksum routine, that means that there are no other guards in the boot-eprom code.
3. the areas 0x7cbc and 0x18464 will be propably handend over to the application program that the boot-eprom loads.
4. the patched eprom should can load the application and start it, if it has not other failures
5. the original eprom should can load the application and start it, if it would be possible to program the BBRam as
   I have shown above.
6. that does not mean, that the application can run successfully, because I suppose that it reads other
   areas of BBRam and they may be guarded by checksums too.