Also, where is the ROM chaining information stored (ROM select + next ROM in list)?
In (#b8d3) (6128), there is a pointer to the most recent RSX block registered.
The first two bytes are the address of the next RSX block, the second two bytes are the "RSX address".
If the RSX address has a zero high-byte, it is a ROM RSX table and the low-byte is the ROM select byte and the table is at #c004. Otherwise, it's a RAM RSX table.
This is exactly what the 4 bytes that get used per ROM are for.
The "Firmware Guide" claims &b8da->&b8f8 hold the IY value for each ROM. There is space here in CPC6128 for 16 roms, 8 for 464.
What happens in firmware 3.1 where it supports more or in the rom that extends the range up to 32?
So where exactly is the information stored? I am guessing, because if it's in a fixed-size buffer it may be running out.
You're totally correct, there does appear to be a fixed-size block for the IY table for each ROM:
034c 23 inc hl
034d eb ex de,hl
034e 21dab8 ld hl,$b8da ; the ROM table
0351 ed4bd6b8 ld bc,($b8d6) ; the currently active ROM (as we're probing them all in sequence this will be set)
0355 0600 ld b,$00
0357 09 add hl,bc
0358 09 add hl,bc ; #B8DA + 2*(#B8D6)
0359 73 ld (hl),e
035a 23 inc hl
035b 72 ld (hl),d ; store IY (which is HL+1 as returned from the ROM)
035c 21fcff ld hl,$fffc
035f 19 add hl,de ; reserve the 4 bytes for the RSX chain
0360 cda002 call $02a0 ; KL LOG EXT
Also, this supports the theory of the fixed size:
;; rom select below 16 (max for firmware 1.1)?
048c fe10 cp $10
048e 300f jr nc,$049f
;; 16-bit table at &b8da
0490 87 add a,a
0491 c6da add a,$da
0493 6f ld l,a
0494 ceb8 adc a,$b8
0496 95 sub l
0497 67 ld h,a
So, in summary, I'd say if someone is using the standard firmware, there should be no issue. With a modified firmware to accept more than 16 ROMs, this table will need to be moved somewhere else. I'd suggest the following additional patches (untested though):
0089 21ffab ld hl,$abff ; decrease this by number of ROMs, so 32 -> #abdf
...
034e 21dab8 ld hl,$b8da ; change to #abe0 for 32 ROMs
...
0491 c6da add a,$da ; change to #e0 for 32 ROMS
0493 6f ld l,a
0494 ceb8 adc a,$b8 ; change to #ab
So,
008a df
008b ae
034f e0
0350 ab
0492 e0
0495 ab
This should work reliably as nothing else uses this table, but at the expense of another 64 bytes of RAM...
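The lookup at 048c-0497 and the table sizes discussed in this thread, as an added example in Python (not code from any of the posters or from the firmware): it emulates the 8-bit address arithmetic, including the `cp $10` guard, and computes the byte range that a table of N two-byte entries occupies, so a relocated base can be checked against the memory reserved for it. The function names and the `base` and `limit` parameters are assumptions of this example.

```python
# Added example: 8-bit emulation of the IY-table lookup shown at 048c-0497.
# Function names and the base/limit parameters are this example's own.

def add8(a, b, carry_in=0):
    """8-bit add; returns (result, carry_out) like Z80 ADD/ADC."""
    total = a + b + carry_in
    return total & 0xFF, total >> 8

def iy_entry_address(rom, base=0xB8DA, limit=0x10):
    """Address of the 16-bit IY slot for `rom`, or None if the guard rejects it."""
    if rom >= limit:                      # cp $10 ; jr nc,$049f
        return None
    a, _ = add8(rom, rom)                 # add a,a    (2 bytes per entry)
    a, carry = add8(a, base & 0xFF)       # add a,$da
    low = a                               # ld l,a
    a, _ = add8(a, base >> 8, carry)      # adc a,$b8  (carry from the low byte)
    high = (a - low) & 0xFF               # sub l ; ld h,a
    return (high << 8) | low

def table_span(base, roms):
    """First and last byte address used by a table of `roms` 16-bit entries."""
    return base, base + 2 * roms - 1

if __name__ == "__main__":
    # Stock layout: 16 entries at #B8DA, guarded by cp $10.
    print("stock  16 ROMs: %04X-%04X" % table_span(0xB8DA, 16))
    # Same base with the guard raised to 32 and nothing else changed.
    print("stock  32 ROMs: %04X-%04X" % table_span(0xB8DA, 32))
    # Base value quoted in the thread for a 32-ROM table.
    print("moved  32 ROMs: %04X-%04X" % table_span(0xABE0, 32))
    for rom in (0, 15, 16, 31):
        for base, limit in ((0xB8DA, 0x10), (0xABE0, 0x20)):
            addr = iy_entry_address(rom, base, limit)
            shown = "rejected" if addr is None else "%04X" % addr
            print("rom %2d base %04X limit %2d -> %s" % (rom, base, limit, shown))
```

The span printed for each base is the range to compare against whatever region the firmware build actually sets aside for the table.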