Quote Originally Posted by toenailed
and thanks for the documentation .. it will really help us a lot not only for the acww but for future hacking ..
Hmm, really? It was all quite ACWW-specific, apart from the long THUMB code call maybe.

Anyways, I found a little stupidity in my untested ARDS code snippet. You can't reasonably unpatch the ARDS routines with 023ff090 e3520003 while the offset is not zero.
Thus you have to clear the offset before that.
This of course requires that you do the processing before clearing the offset.

EDIT: changed the snippet to put the offset into r9 instead of r10, according to kenobi's updated register usage information regarding v1.54 of the firmware.