BlackShark

VC RBY - Virtual Console Mew (UK)

113 posts in this topic

5 minutes ago, 1quacka1 said:

do we know keys for 3ds games that have been officially released? Maybe they could be used to narrow the range of keys to try via bruteforce?

The assumption that there are no duplicate title keys is an unsafe assumption to make, since there could be duplicates. But if that assumption were true, let's suppose there've been 1 million games released. I'm pretty sure the actual number is far less than this, but my point will still stand. Given 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible keys, removing 1 million of them results in 340,282,366,920,938,463,463,374,607,431,767,211,456 possible keys, which (probably) won't finish within the life of the universe.

11 minutes ago, 1quacka1 said:

do we know keys for 3ds games that have been officially released? Maybe they could be used to narrow the range of keys to try via bruteforce?

Did you read the post with the numbers?
Frankly, the list of keys is negligible compared to the number of combinations.

11 minutes ago, 1quacka1 said:

do we know keys for 3ds games that have been officially released? Maybe they could be used to narrow the range of keys to try via bruteforce?

We do know these keys, but they won't serve any purpose in reverse-engineering anything to figure out a range of keys if Nintendo implemented their cryptography correctly. If you have 2^128 combinations of keys, you are going to pick one as randomly as possible and not limit where you can pick from.

To explain what keys are.
Every time you buy a title from the eShop, the CDN gives you a title key in encrypted format, which is stored on the 3DS system itself. This title key grants you permission to request a download from their CDN.

Due to 3DS hacking developments at the start of the year where the 3DS was fully exploited, specifically gaining control of the ARM9 kernel and breaking the cryptography implementation, it became possible to dump and decrypt the title keys stored on a system, and even share them among other 3DS systems.

This led to the development of an application called freeShop, which enables you to download anything directly from Nintendo's eShop CDN if you have the appropriate title keys, legitimately obtained or illegally shared. The lack of any authentication beyond title keys on the 3DS is what made this possible, and it could very easily have been avoided if they had authenticated purchases on the server side instead of the client side. A possible reason for doing it this way is that some 3DS systems come pre-installed with games, and if you perform a system transfer to such a system it will retain the pre-installed software along with the title key, thereby granting you that game to keep.

This state of affairs means that in order to download the Mew Distribution App, you need a 3DS that has the app installed, since the title is not publicly listed, and then you would need to hack this 3DS to dump and decrypt the title key. This would be extremely unlikely, as the systems would be controlled by Nintendo UK or Nintendo of Japan.


Oh excellent, hopefully this will shed some light on things.

I did get to see my cousin this past Christmas, but he forgot to bring his 3DS with him so sadly I didn't get to make a backup of his Mew. That means we don't have a sample that is guaranteed to have come from a separate distribution system.

Even so I imagine the data is going to be identical anyway.

On 1/1/2017 at 1:39 PM, HMM said:

Sorry about how long it took. If anyone still needs a second save for anything then here it is.

sav.dat

151 - MEW - E4BE.pk1

Is the Mew .pk1 file you attached coming from your sav.dat? I'm asking because the one in the sav.dat is a little different, more precisely the OT name:

Your sav.dat: 86 85 00 00 00 00 00 50 89 80 82
RupeeClock's: 86 85 50 00 00 00 00 50 89 80 82
scottishdanstfu*: 86 85 50 00 00 00 00 50 89 80 82

*scottishdanstfu kindly shared his savegame with me to check the mew, it's 100% the same as RupeeClock's

@HMM, did you directly dump your savegame with the new entrypoint (soundhax) or did you trade it to your already homebrew-enabled 3DS?
I'm gonna see if boxing RupeeClock's Mew produces this result, I'm kinda puzzled right now.

EDIT: Never mind, I tested RupeeClock's savegame and boxed the Mew: it converted to 86 85 00 00 00 00 00 50 89 80 82 (same as HMM's), so it was really due to boxing.

I guess there's no doubt now about them being all the same (we were pretty much sure anyways).


Huh, I don't think the homebrew method of dumping the save game should make a difference; all of them will ultimately run a program that decrypts a save file and dumps the contents to the SD card.

Also with thanks to soundhax my cousin might be able to share his save if he finds any time to even play his 3DS.


I went and boxed your Mew on my 3DS, got the same as HMM's, so that settles it (I didn't know this happened; I should check how trash bytes are handled in the different games and generations, best-case scenario would be that some Stadium game erases them completely...).

We have 3 different saves and all 3 Mews are the same, alongside the fact that they used savestates (and with them, they were distributing cloned Mews), but still I'm sure someone would appreciate a 100% confirmation of different distro consoles providing the very same Mew.

Now, when is that pokebank update coming?


PS: RupeeClock, I was referring not to the dump method itself, but to whether he had done another trade before dumping the savegame, as I was thinking that maybe trading again was what changed the trash bytes.


That's weird, so technically the OT changes from "GF" to "GF     " when it gets boxed? 0x50 is the terminator byte, isn't it?


I guess that pretty much confirms it then, all VC RBY Mews distributed are the same, although trash bytes may change if boxed.

All that's left is to wait for the Pokémon Bank update, how exciting.

7 hours ago, Ammako said:

That's weird, so technically the OT changes from "GF" to "GF     " when it gets boxed? 0x50 is the terminator byte, isn't it?

Yes, makes no difference visually. I'll test what happens when unboxing tonight.


It may make a difference once transferred to Sun/Moon since OT names seem to be aligned to the right in Summary screen there.

That is, unless the transfer corrects it and removes (hides) trailing 00s on any Pokémon.


Thinking about it, it's unlikely that the Pokémon Bank transfer will let you transfer away Party Pokémon, only boxed ones. Therefore the only Mews that will make it to Gen. 7 are those with that first terminator byte zeroed out.


Unboxing keeps it as "86 85 00 00 00 00 00 50 89 80 82". Now I'm wondering if trading over VC will make that 0x50 appear again.

I have a friend's 3DS, so I might as well go ahead and try it.

EDIT: I made some trades between English Red and Yellow and the terminator from the distribution is gone for good, so mysteries... I guess we could find the answer in the Pokémon Red disassembly: https://github.com/pret/pokered
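As an added example (not code from this thread, nor from the pokered disassembly), here is a small Python script that inspects the 11-byte Gen 1 OT-name field the way the posts above compare it: everything up to the first 0x50 terminator is the name the game reads, and everything after it is trash the game never looks at. The three byte strings posted earlier are embedded as constructed input. The character table is the Gen 1 international one (0x80-0x99 for A-Z, 0xA0-0xB9 for a-z, 0xF6-0xFF for the digits, 0x7F for a space); rendering an embedded 0x00 as a blank follows the thread's observation that the boxed Mew still displays "GF", not anything verified against the disassembly.

```python
"""Inspect a Gen 1 (Red/Blue/Yellow) 11-byte OT-name field.

Constructed example: it decodes the three OT-name byte strings posted in
the thread and shows that they differ only in bytes after the visible name.
"""

# Subset of the Gen 1 international text table that this example needs.
# 0x50 terminates a string; 0x7F is a space; 0x80-0x99 A-Z; 0xA0-0xB9 a-z;
# 0xF6-0xFF the digits 0-9; 0xBA is the "é" of POKé.
TERMINATOR = 0x50
FIELD_LEN = 11  # 10 characters plus terminator in Gen 1 name fields

_CHARMAP = {0x7F: " ", 0xBA: "é"}
_CHARMAP.update({0x80 + i: chr(ord("A") + i) for i in range(26)})
_CHARMAP.update({0xA0 + i: chr(ord("a") + i) for i in range(26)})
_CHARMAP.update({0xF6 + i: str(i) for i in range(10)})


def split_name_field(raw: bytes):
    """Split an 11-byte name field into (name, terminator_index, trash).

    Everything before the first 0x50 is the name as the game reads it;
    everything after it is "trash" the game never looks at.  A field with
    no terminator has no trash (the game itself would not write one).
    """
    if len(raw) != FIELD_LEN:
        raise ValueError(f"expected {FIELD_LEN} bytes, got {len(raw)}")
    idx = raw.find(bytes([TERMINATOR]))
    if idx < 0:
        return raw, None, b""
    return raw[:idx], idx, raw[idx + 1:]


def decode_name(name: bytes) -> str:
    """Render name bytes as text.

    0x00 inside the name is shown as a blank (assumption taken from the
    thread's observation for the boxed Mew); unknown bytes are shown as
    \\xNN so they are not silently dropped.
    """
    out = []
    for b in name:
        if b == 0x00:
            out.append(" ")
        elif b in _CHARMAP:
            out.append(_CHARMAP[b])
        else:
            out.append(f"\\x{b:02X}")
    return "".join(out)


def visible_name(raw: bytes) -> str:
    """Name as it appears on screen, trailing blanks removed."""
    return decode_name(split_name_field(raw)[0]).rstrip(" ")


def diff_fields(a: bytes, b: bytes):
    """List (offset, byte_in_a, byte_in_b) for every differing position."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def same_visible_ot(fields) -> bool:
    """True when every field shows the same OT name on screen."""
    return len({visible_name(f) for f in fields}) == 1


# The three OT-name fields exactly as posted in the thread (constructed input).
SAMPLES = {
    "HMM sav.dat": bytes.fromhex("86 85 00 00 00 00 00 50 89 80 82"),
    "RupeeClock": bytes.fromhex("86 85 50 00 00 00 00 50 89 80 82"),
    "scottishdanstfu": bytes.fromhex("86 85 50 00 00 00 00 50 89 80 82"),
}


if __name__ == "__main__":
    for who, raw in SAMPLES.items():
        name, idx, trash = split_name_field(raw)
        print(f"{who:16s} OT={visible_name(raw)!r:6s} "
              f"terminator@{idx} trash={trash.hex(' ')}")
    boxed_vs_party = diff_fields(SAMPLES["RupeeClock"], SAMPLES["HMM sav.dat"])
    print("party vs boxed:", [(i, hex(x), hex(y)) for i, x, y in boxed_vs_party])
    print("all three show the same OT:", same_visible_ot(SAMPLES.values()))
```

Running it reports that the party-file Mew (RupeeClock's) terminates at offset 2 while the boxed one (HMM's) terminates at offset 7, that the only differing byte is offset 2 (0x50 versus 0x00), and that all three fields still display "GF". Comparing Pokémon by `visible_name` rather than by the raw 11 bytes is the check to use when deciding whether two dumps are "the same" Mew, since the trash bytes can change without any trade having happened.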

