I missed these latest responses on this thread.
Well, I'm probably getting a kof2002 cart, which I think uses the same pcm2 variation as ss5/ss5sp, with the extra scrambling. Getting an SS5 or SS5SP is hard, as they are very expensive.
What I plan is probing the address and data bus of the V1 rom (I only have a 16-bit logic analyzer, so I can only partially probe it) and then making the game (via a custom m1 rom or using another game CHA board) play that sample, and sniff the addresses and values it reads, and then probe the V1 address bus and the cart data bus, to check that the encrypted and decrypted values match the ones currently in the dump and after decryption. If the encrypted value matches, but the decrypted one doesn't, then it's definitely something happening in the PCM2 that is different for offset 0. It might be that address 0 is swapped to a different address in the V1 rom space, but the address probing should show that (if that's the case, I'll move all the probes to the address bus and extract it in several tries).
This might take a while, as I don't have the cart yet, and I need to find time to do that too.
Also, about the HYCS circuit, it seems to keep the MSB address of the rom LOW as long as the included voltage supervisor signals the voltage is too low, or the IN_RST pin is low. I don't know what it's exactly for, but I can only guess that it must be forcing that to 0 during startup because the PCM2 might be reading the decryption data from the V1 rom itself, and it's stored in a place with the MSB set to 0, and they have some kind of bug that makes the address MSB float (or input, as the bus is muxed with in and out signals) and they need to force it to 0. I will also sniff the V1 accesses during startup to check which addresses it reads before playing any sample (not easy, as the YM always generates addresses even if it's not playing data, it just generates the last address over and over, without increment).