A bit embarrassing to continue, but anyway.
My issue was that I did not call the lockdown routine. After doing that, things do behave much better, but.
On my a3200 (DryOS):
Faked cache content gets erased randomly (it sticks for a few milliseconds, sometimes for a few seconds). The lockdown status does not seem to change.
Started investigating the possible reasons and found a library (adjacent functions) in firmware that manipulates CPU cache (sort of like the CHDK cache routines).
- one function is used by the flash ROM writer routines
- another one is used by SD card DMA routines
- another one used by exmem_free, AllocateUncachedMemory and AdditionAgentRAM
There might be other such functions, did not check further yet.
If high reliability is not required, cache_fake() can be called from the keyboard task to refresh faked content.
However, I'm not sure what would be the optimal way for high reliability.
Some of the above mentioned fw cache functions don't disable interrupts until they clean things, some do.
I suspect that they need to be completely rewritten to skip over 'our' locked down cache segment, because the other way (let them do their stuff and put our faked content back when they are finished) doesn't seem really reliable. A modified version needs to be included in CHDK source, and the ROM routines need to be redirected there. I'm a bit confused that ML does not seem to do this, though.
I've attached a version of cache_hacks.h, in case somebody wants to play with this.
The source is cache_hacks.h and arm-mcr.h from ML, licence is the same as the ML licence (GPL v2). I had to make slight adjustments to make it work on CHDK.