I'd completely missed the reusability aspect of things; I guess because the tight coupling to specific addresses would mean redoing a lot of the work for different builds. But once you figure it out, it looks like it could be trivial to replicate for future minor revisions.
And I agree, it's fun stuff! That kind of hacking really makes me smile. I was just curious about the pragmatic motivations.
Sorry, I didn't mean to imply that you had hardcoded the addresses, only that you'll have to go through the process of finding the addresses anew for each build. Not an insurmountable problem (as you've shown), but making it slightly harder to automate.
However, I admit to having had time to only read through it casually, so please take any incorrect statements solely as a misunderstanding on my part.