AES obfuscation on the Wii U bootrom

I’ve read the whole bootrom code and i have to admit, that big N has done a good job on hiding where and how it calls the AES code.
Finding the AES implementation is easy, it’s just before the ancast header check function and after the most useless function.
Finding how the AES implementation is called, is a little bit hard, for two reasons:
there are no cross references in the text segment; This means you will not see something like:
bl AES_Decrypt
there are no addresses saved in the data segment:
AES_offset: .long AES_Decrypt
So how to find it? you have to read the code, because the value is hardcoded and saved into a memory on an unknown address (like 0xE0000000); then a function will load that addresses to the count (CTR) register and jumps there.
I’ll make an example:

How normally should be:

1Screenshot 2014-03-07 11.20.17

How is obfuscated on the Wii U:

2Screenshot 2014-03-07 11.22.01

Deroad Said
The last thing:
I had a lot of fun on reverse the whole bootrom. You’ll find interesting stuff, there (but not keys :P).