maybe I should do a little write-up on how to port xip. essentially:
don't dump with rommaster (manually extract the rom)
to do this, first nbsplit, then on payload...
run imgfsfromnb. write down the imgfs start location.
open os.nb.payload with hex editor. go to the imgfs start location, and delete to end. go to the beginning of the file, and search for FE 03 00 EA (unconditional branch to 00 03 FE), and find the second / last occurance. (this is the second xip).
delete everything from the beginning to just before the second branch.
save this as your xip.bin
open xipport. press dump xip.bin. move stuff around, checking the maps between the donor xip and your xip. when you're done, press realloc p, and write maps. if any area shows !!!, fix it. (usually, modify realaddress[r] in imageinfo.txt, where r is the xipregion).
technically, you might need to check the nk.exe pointer in S000 of nk.exe, but i think realloc p fixes that (maybe). if you're worried, from the old map of the xip (not from the donor, but your device), search for the rom_00 header, look at where it starts, check if it matches with the new map If it doesn't you'll have to do this: if the old start address is 8ABCDEF9, search S000 of nk.exe for F9 DE BC 8A (just an example), because of the endianess of arm. replace with new start address, be sure to reverse it as well.
once you're done, write xipout.bin, and write it to os.nb.payload at the right xip2 address (for the titan, its 3200000) (sleepy and not sure if i put the right amount of zeros, but the default is 3100000, so change the 1 to a 2.)
hopefully everything boots up after this. I've used this technique to change everything except nk.exe... which is device dependent, so you'll have to do other stuff...
http://www.airscanner.com/pubs/fogieDC11.pdf is a good reference for arm assembly opcodes