Here is some info I gathered on the AR (m) codes for anyone interested (chishm mainly?).
I'm still working on it, but as I've gone far enough for now, I decided to post it.
I'm still missing info on line #1 (and possibly #9), I haven't looked at the automatic hook search at all, didn't look at the TT, and I'm not quite sure if the AR is only capable of hooking ARM7.
Once it's finalized, I'll add this info to the first post.
And sorry if some explanations/words seem a bit strange...
If you have any trouble understanding them, don't hesitate to ask!
Code:
AR (m) codes decrypted! (still WIP)
1 : 00000000 023F0000
2 : 00000000 02380868
3 : 00000000 037F8700
4 : 00000000 00000001
5 : 00000000 E51DE004
6 : 00000000 023FD000
7 : 00000000 023FE000
8 : 00000000 023FF000
9 : 00000000 00000001
This (m) code has been made for and tested on SM64 v1.01 US.
Line #1: ? (used prior to launching the game?).
--------------------------------------------
Might be used to hold some routines that clean the RAM and soft-reset the NDS to actually launch the game (at least there is a reset subroutine from address+0x1314 to address+0x136C, which also means there must be some free space at that address).
Line #2: address to write the hook at (inside the ARM7 executable).
--------------------------------------------------------------------
Also acts as a hook mode selection, if line # is set to 0.
00000000 : no hook (?)
00000001 : automatic hooking
anything else : address to write to.
Line #3: hook final address.
-----------------------------
It's the address at which the hook, i.e. the bl instruction, will be executed.
This address is used by the AR to actually create the bl instruction.
Used as a mask if automatic hooking is set (default mask, if line #3 is zeroed, is 0x0380FFF8?).
Line #4: hook mode selection.
-------------------------------
0 : automatic hooking.
1 : loads the hooked instruction and writes the bl at the same address, i.e. line #3's address.
(means the instruction should not be moved at all, else it'll crash)
2 : loads the hook from line #3's address, and writes the bl at line #4's address.
Line #5: if <>0, this will be the ARM instruction that replaces the hooked one.
--------------------------------------------------------------------------------
Replace, as in 'the original instruction is destroyed, and this one is executed instead'.
Can be used to hook a bx r14 that is after a pop {..r14}. Set that instruction to E51DE004 in that case.
But as this instruction (or the original instruction, if line #5 is zeroed) is executed before the code handler, it seems a bit limited (i.e. you can't hook a bx r2, unless you destroy r14 by moving r2 to r14 (E1A0E002), as bx r14 will be the instruction that jumps back to the game).
Might be useful for other things I guess...
Line #6: address to store important stuff (hooking and hook execution routine).
--------------------------------------------------------------------------------
If zeroed, 0x023FE000 will be used by default.
Total size is 0x74 bytes.
The bl of the hook will point to address + 0x38.
There you have the hooked instruction (or line #5's instruction), then a nop (?), then a bl to the code handler.
For the TT, the size is 0x98. The added stuff is a routine that checks if L+R is pressed, and one that checks if the ARM7 has the right to access the GBA slot. And it'll jump to the TT's program (at 0x08800000). The hook's bl still points at address+0x38.
Line #7: address to store the code handler.
--------------------------------------------
If zeroed, it'll be put right after the routines written at the address of line #6 (if zeroed = 0x023FE074).
Total size is 0x4F0 bytes.
Knowing this, porting the AR hacks while the code handler is moved is just an easy operation.
Works the same for the TT; however, the code handler at this address is a copy of the AR code handler (!= TT code handler) which will NOT be executed, the routines at line #6 jumping directly to the TT's program... So it's just wasted space.
Line #8: address to store the code list.
-----------------------------------------
If zeroed, it'll be put right after the routines written at the address of line #7 (i.e. default = 0x023FE564).
It begins with the ((size of the code list in bytes) >> 2) (= # of codes' lines * 2).
Then follow all the codes that have been entered.
For the TT the code list will be copied there during game bootup, but it'll not actually be used; the code list inside the TT is what's actually used. So it's just wasted space.
Line #9: must be 1?
------------------------
If not set to 1 the (m) code will not be recognized as an (m) code (and will not be 'executed').
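As an added example (my own code, not part of the original post or any AR tool), here is a small Python decoder that takes the 9-line (m) code above, applies the "if zeroed, use the default" rules for lines #6 to #8, and builds the ARM-mode bl instruction that has to be written at line #3's address to reach address+0x38 of the hook area. The constants (0x023FE000, 0x74, 0x98, 0x38, 0x4F0, the list header = size >> 2) come from the post; the function and field names are my own, and the disassembly of E51DE004 / E1A0E002 in the comments is my addition.

```python
"""Decode an AR DS (m) code into the memory layout described in the post.
Added example: the layout rules are taken from the post, the helpers are mine."""

from dataclasses import dataclass

# The (m) code from the post (SM64 v1.01 US), as (left, right) 32-bit words.
SM64_M_CODE = [
    (0x00000000, 0x023F0000),  # line 1: unknown (used before launching the game?)
    (0x00000000, 0x02380868),  # line 2: address to write the hook at (ARM7)
    (0x00000000, 0x037F8700),  # line 3: address where the bl is executed
    (0x00000000, 0x00000001),  # line 4: hook mode
    (0x00000000, 0xE51DE004),  # line 5: replacement insn = ldr lr, [sp, #-4]
    (0x00000000, 0x023FD000),  # line 6: hook routine area
    (0x00000000, 0x023FE000),  # line 7: code handler
    (0x00000000, 0x023FF000),  # line 8: code list
    (0x00000000, 0x00000001),  # line 9: must be 1
]
# For reference, E1A0E002 (mentioned for the bx r2 case) is `mov lr, r2`.

HOOK_AREA_DEFAULT = 0x023FE000   # used for line 6 when it is zeroed
HOOK_AREA_SIZE = 0x74            # 0x98 for the TT variant, per the post
HOOK_ENTRY_OFFSET = 0x38         # the hook's bl points at area + 0x38
CODE_HANDLER_SIZE = 0x4F0
HOOK_MODES = {0: "automatic hooking",
              1: "bl written at line 3's address (instruction not moved)",
              2: "hook loaded from line 3's address, bl written elsewhere"}


@dataclass
class MCodeLayout:
    hook_write_addr: int     # line 2
    hook_exec_addr: int      # line 3
    hook_mode: str           # line 4, as text
    replacement_insn: int    # line 5 (0 = keep the original instruction)
    hook_area: int           # line 6, default applied
    hook_entry: int          # hook_area + 0x38, where the hook's bl lands
    code_handler: int        # line 7, default applied
    code_list: int           # line 8, default applied
    is_m_code: bool          # line 9 == 1


def resolve_layout(lines, hook_area_size=HOOK_AREA_SIZE):
    """Apply the 'if zeroed, use the default' rules from the post."""
    if len(lines) != 9:
        raise ValueError("an (m) code has exactly 9 lines")
    v = [right & 0xFFFFFFFF for _left, right in lines]
    hook_area = v[5] or HOOK_AREA_DEFAULT
    code_handler = v[6] or hook_area + hook_area_size
    code_list = v[7] or code_handler + CODE_HANDLER_SIZE
    return MCodeLayout(
        hook_write_addr=v[1],
        hook_exec_addr=v[2],
        hook_mode=HOOK_MODES.get(v[3], f"unknown mode {v[3]:#x}"),
        replacement_insn=v[4],
        hook_area=hook_area,
        hook_entry=hook_area + HOOK_ENTRY_OFFSET,
        code_handler=code_handler,
        code_list=code_list,
        is_m_code=(v[8] == 1),
    )


def encode_bl(at, target):
    """ARM-mode `bl target` placed at address `at` (PC reads as at + 8)."""
    offset = target - (at + 8)
    if offset % 4 or not -0x2000000 <= offset < 0x2000000:
        raise ValueError("bl target out of range or misaligned")
    return 0xEB000000 | ((offset >> 2) & 0x00FFFFFF)


def decode_bl(at, insn):
    """Inverse of encode_bl: recover the branch target from the encoding."""
    if insn & 0xFF000000 != 0xEB000000:
        raise ValueError("not an ARM bl (condition AL)")
    imm = insn & 0x00FFFFFF
    if imm & 0x00800000:          # sign-extend the 24-bit field
        imm -= 0x01000000
    return (at + 8 + (imm << 2)) & 0xFFFFFFFF


def code_list_header(num_lines):
    """First word of the code list: byte size >> 2, i.e. 2 per 8-byte line."""
    return (num_lines * 8) >> 2


if __name__ == "__main__":
    lay = resolve_layout(SM64_M_CODE)
    bl = encode_bl(lay.hook_exec_addr, lay.hook_entry)
    print(lay)
    print(f"bl at {lay.hook_exec_addr:#010x}: {bl:#010x}"
          f" -> {decode_bl(lay.hook_exec_addr, bl):#010x}")
    print("code list header for 9 lines:", code_list_header(9))
```

With lines #6 to #8 zeroed the decoder lands on 0x023FE074 for the code handler and 0x023FE564 for the code list, matching the defaults given above; passing hook_area_size=0x98 gives the TT layout instead.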