Grab source from http://code.google.com/p/gbadev/ the 'romdumper' branch, then you can apply the gbadev.diff to it to make it dump the OTPs
You need an SD card and it will write to the SD card a file otp_ppc.bin, boot0.bin and bootrom.bin
The exploit works using SRESET, fail0verflow said that they enable SRESET at the end of bootrom execution, after it invalidates the L2 cache and reenables it, and before the bootrom is disabled. What I do is do the SRESET trick at the begining of the bootrom execution, just after it enables the L2 cache and before it overwrites the reset interrupt vector. And it works, we run before bootrom is executed and before the otp is disabled
