Just my notes on how to find load addresses of ALICE partition, if you have a full firmware folder for flash tool. Could be useful for the very first step to reverse-engineer the firmware.
First load ROM partition to 0x1000A000 address.
Then search for "memory_dump_off" string in HEX editor of ROM partition. About 0x100-0x130 bytes before the string, there would be several "HpG" (48 80 47) strings, this is actually a code. Look for first or second 0x10xxxxxx address near HpG's, this is the ALICE loading address.
CACHED_EXTSRAM data is also stored in ROM file. To find it, search for "00 00 00 00 00 0C 00 00 F4 F3 F2 F1" (hex) in ROM, the 4 bytes BEFORE this data is the beginning of CACHED_EXTSRAM partition (there should be the address to 0x10xxxxxx, it's a pointer).
CACHED_EXTSRAM load address could be found in the very beginning of ALICE CAKE. Switch to Thumb code mode (alt+g in IDA), press "C" to make code right after first "CAKE" bytes of the ALICE partition. The address which is getting loaded to R0 is CACHED_EXTSRAM load address.
Just my notes on how to find load addresses of ALICE partition, if you have a full firmware folder for flash tool. Could be useful for the very first step to reverse-engineer the firmware.