On the S5L8900 the VROM is mapped to 0x20000000. On 1.x, it was jumped to for RSA checking, although now in 2.x onward, iBoot and friends do that on their own.
The pwnage exploit resides here.