It has been a couple days since there has been a a ROMDisk update, so... What I've learned so far from the ROMDisk driver in ROM experiment:
System 6 boots in 24bit addressing mode, at least initially. In 24bit addressing mode, ROM is located at 0x00800000, so pointing the ROM disk driver at 0x40880000 could result in garbage reads. Even though the ROM boots and refers to its self at 0x40800000, 0x00800000 is apparently always mapped, so just changing where the ROM disk driver points fixes that particular issue, and seems to reliably boot to Finder.
My speculation is that the II/IIx/SE30 ROMs were a transition from 24 to 32bit addressing, since the ROMs themselves map to 0x40800000 (the start address for the II ROM is 0x4080002A), but are not consistent in the use of the new 32bit mapping, for example when the ROM loads the DRVR resources, the pointers it returns are in the 0x00800000 range. System 6 boots initially in 24bit addressing mode with reads from 0x40800000 returning garbage, then loads a 'ptch' resource to move into using the newer ROM mappings.
It is not necessary to do a PostEvent(diskEvt, drvNum) for the boot drive, adding it to the Drive Queue is sufficient. When the ROM goes to look for bootable drives, it traverses the Drive Queue, mounts the selected drive, and records the bootdrive number at 0x210. The System picks all this up and runs with it. Only drives that are not the boot drive will then need to post the diskEvt event to get mounted. Subsequent diskEvts for mounted disks are ignored.
Once in Finder, I still have the problem of no cursor movement. As I noted before, the rawmouse low global gets updated, so it looks like interrupts are working, but the CrsrTask isn't getting called. Either it never gets added or something is removing it. I'm leaning towards the removal theory. If I check out the VBL queue once in the Finder, it has 2 entries in it: the Sound driver's VBL task, and another task located in RAM that I'm not too sure about. If I use macsbug and steal an existing VBL queue entry (such as my own), and put the crsrtask address in the VBL queue ptr element, CrsrTask gets run (the cursor is updated), and it works for some short period of time (fractions of a second or so), then that VBL queue element is removed. So, it's possible CrsrTask is removing its own task for some reason.
I'm (somewhat intentionally) not fully emulating the .Sony floppy driver, although at this point I have implemented almost all of the Control and Status entries of the floppy driver. Some of them don't make much sense for the ROM disk (I'm an HD20 with 1024 sectors, because I'm not 400/800/720/etc). The floppy driver installs a VBL task on Open, which seems to poll the floppy for disk insertion, update the SonyVars low global, and fire off a PostEvent(diskEvt) to mount the disk. This isn't particularly relevant for the ROM disk, since it's always attached, but I've tried adding my own VBL task and posting one diskEvt event (subsequent diskEvt events for a mounted disk will be ignored, but no need to do it repeatedly). After boot, I can find my VBL task in the VBL queue, but it makes no difference on the rest of the behavior.
Another thing that's weird about the floppy driver is it has memory at 0x222 which contains pointers to its own Prime/Control/Status and other routines. I'm not touching this space, and it's all initialized to 0xff, except I've noticed some of them are populated with valid looking addresses after boot. Disassembling the code at these addresses, it looks like the System is calling through to the ROM driver's code, then catching the return value and calling off to do something else in specific instances. This should be all harmless, since it appears to require the ROM driver calling these patched routines, which mine doesn't. But, it might be an interesting vector to experiment with bigmessowires' arbitrary sized floppies.
So, I'm trying to figure out the VBL task eater, and what I'm not doing to satisfy it...
) 
