On D4/D5, ROMs are at 0xF8000000 and 0xF0000000. They are mirrored multiple times in this range.
You want to take a look at the qemu branch; memory maps for almost every camera are there in the hardware configuration.
https://foss.heptapod.net/magic-lantern/magic-lantern/-/blob/branch/qemu/contrib/qemu/eos/model_list.c
Not sure if this is the latest one, but it should give you the general idea :)
Canon code copies some chunks of ROM into RAM. You can see this by running qemu with the (iirc) -romcpy argument, as it happens during runtime. It will produce a script with dd commands to extract those parts, and log all the target offsets.
I know it's not a direct mapping to the ROM, as you can't just write to that
Address space is just "address space", not "memory". Peripherals also live there. Or any memory-mapped I/O...
RAM doesn't need to start at 0x0, and parts of the address space may be executable, parts not, parts may be RO, etc.
Also what is ROM0 and ROM1 about?
IIRC on D4/D5 ROM1 contains main firmware including bootloader, ROM0 contains some code on some cameras, but it is mostly used for resources. I may be wrong on that.
This is swapped on D7+ (D6+?) where ROM0 contains bootloader and main firmware, and they sit on different addresses.
I think they have different addresses on PowerShots too. What I don't get is how Digic jumps to the bootloader - as so far I was used to code execution starting from the very top or very bottom of the memory space. With that mapping, the bootloader is obviously not there. Is it somehow configurable on ARM?
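
The mirroring mentioned in the post (a ROM repeated several times across its address window) can be measured from a dump of that window. The following is an added example, not part of the original post or of Magic Lantern's code; the window size, the sample image and the function names are constructed for illustration, and only the 0xF8000000 base comes from the post.

```python
ROM1_BASE = 0xF8000000  # D4/D5 ROM window base, as given in the post


def mirror_period(dump: bytes) -> int:
    """Return the smallest power-of-two size P such that the dump is its
    first P bytes repeated. Returns len(dump) when nothing is mirrored.

    Caveat: an erased or constant-filled region (e.g. all 0xFF) collapses
    to a tiny period, so run this on a window that contains real code.
    """
    n = len(dump)
    if n == 0 or n & (n - 1):
        raise ValueError("dump length must be a non-zero power of two")
    period = n
    while period > 1:
        half = period // 2
        # If both halves match, the content repeats every `half` bytes.
        if dump[:half] != dump[half:period]:
            break
        period = half
    return period


def rom_offset(addr: int, base: int, window: int, period: int) -> int:
    """Map an address inside a mirrored window to its offset in the ROM image."""
    if not base <= addr < base + window:
        raise ValueError(f"{addr:#x} is outside the window at {base:#x}")
    return (addr - base) % period


# Constructed sample: a 4 KiB "ROM" of unique 32-bit words, mirrored 4 times
# into a 16 KiB window. Real ROMs and windows are far larger.
SAMPLE_ROM = b"".join(i.to_bytes(4, "little") for i in range(1024))
SAMPLE_WINDOW = SAMPLE_ROM * 4

if __name__ == "__main__":
    size = mirror_period(SAMPLE_WINDOW)
    print(f"window {len(SAMPLE_WINDOW):#x} bytes, ROM repeats every {size:#x}")
    addr = ROM1_BASE + 3 * size + 0x10  # an address in the fourth mirror
    off = rom_offset(addr, ROM1_BASE, len(SAMPLE_WINDOW), size)
    print(f"{addr:#x} -> ROM offset {off:#x}")
```

The detected period is the size to trim a dump to before loading it into a disassembler, so the same code is not analysed once per mirror.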