I use a PERL module CPU::Z80:
isassembler to explore/disassemble Z80 code. Given a binary and an entry point it traces all paths of execution through the code from that point. Using that result as a starting point you can give it hints of other entry points. As you explore the code the "hints" can get more and more detailed: giving names to labels and back-annotating comments, without ever modifying the binary or reassembling.
Here's a partial exploration of the IVC ROM using this tool. dis_ivc,txt is a PERL program that contains all of the hints, ivc.asm.txt is the result. I did a most of this "blind" in a couple of hours and then read the (excellent) software manual for the board and corrected some wrong guesses that I had made.
This code makes extensive use of the alternative HL/BC/DE register set. The exx instruction swaps between the two, but it's super-tricky to inspect the code and know which of the two sets is in use at any time. I expect the original source file/author had some "rules" about what was the default swap and how to handle use of exx but it would take more inspection that I have time for.
Another strange thing is that the code uses NMI from the vertical retrace. There is code at the NMI entry point, but there is no occurrence of RETN (return from NMI) anywhere in the code. Reading the Z80 manual, I conclude that RETN is not strictly necessary and that RET will do instead, PROVIDED that you never use interrupts (only the non-maskable interrupt) -- which is true for this code.
Neal