I haven't the faintest idea... any insights? :)
Loading up executable code in ram that modifies the incoming disc data after the swap maybe?
True. Action Replay DS works the same way, as the DS card interface is a
block device, more like ATA than like a traditional ROM address/data bus interface.
But it can't replace data that would normally sit in it's place, right? When a code specifies an address on these systems, it seems more like it's "hard-patching" a RAM address, not the ROM media. Even once the game is fully loaded, there is still some way for the AR to take control since they support cheat finding through either a COMM Link card, PC parallel port or broadband adapter etc (I'm not sure about DS; perhaps there is WiFi cheat finding?)
Yes, the AR master code installs a kernel into some unused area of RAM that gets called each vblank. Interestingly enough, the ARDS code format almost matches that of DipStar, a cheating program from the DS homebrew scene created before Datel figured out how to make ARDS.
Do these consoles have reserved RAM games are expected to ignore? This makes the number of active codes finite too, I vaguely recall some devices advertising unlimited codes.
The master code appears to specify where in RAM the patch gets loaded. Most commonly, this is near the end of heap.