BlackShark

VC RBY - Virtual Console Mew (UK)


evandixon    282
5 minutes ago, 1quacka1 said:

do we know keys for 3ds games that have been officially released? Maybe they could be used to narrow the range of keys to try via bruteforce?

The assumption that there are no duplicate title keys is an unsafe assumption to make, since there could be duplicates.  But if that assumption were true, let's suppose there've been 1 million games released.  I'm pretty sure the actual number is far less than this, but my point will still stand.  Given 2 ^ 128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible keys, removing 1 million of them results in 340,282,366,920,938,463,463,374,607,431,767,211,456 possible keys, which (probably) won't finish within the life of the universe.

  • Like 1

theSLAYER    897
11 minutes ago, 1quacka1 said:

do we know keys for 3ds games that have been officially released? Maybe they could be used to narrow the range of keys to try via bruteforce?

Did you read the post with the numbers?
Frankly, the list of keys is considerably negligible compared to the amount of combinations.

RupeeClock    36
11 minutes ago, 1quacka1 said:

do we know keys for 3ds games that have been officially released? Maybe they could be used to narrow the range of keys to try via bruteforce?

We do know these keys, but these won't serve any purpose of possibly reverse-engineering anything to figure out a range of keys if Nintendo implemented their cryptography correctly. If you have 2 ^ 128 combinations of keys, you are going to pick one as randomly as possible and not limit where you can pick from.

To explain what keys are:
Every time you buy a title from the eShop, the CDN gives you a title key in encrypted format, which is stored on the 3DS system itself. This title key grants you permission to request a download from their CDN.

3DS hacking developments at the start of the year, where the 3DS was fully exploited (specifically gaining control of the ARM9 kernel and breaking the cryptography implementation), made it possible to dump and decrypt the title keys stored on a system, and even share them among other 3DS systems.

This led to the development of an application called freeShop, which enables you to download anything directly from Nintendo's eShop CDN if you have the appropriate title keys, legitimate or illegally shared. The lack of any authentication other than title keys on the 3DS is what made this possible, and it could've very easily been avoided if they authenticated purchases on the server side instead of the client side. A possible reason for doing this is that some 3DS systems come pre-installed with games, and if you perform a system transfer to such a system it will retain the pre-installed software along with the title key, thereby granting you that game to keep.

This state of affairs means that in order to download the Mew Distribution App, you need a 3DS that has the app installed, since the title is not publicly listed, and then you would need to hack this 3DS to dump and decrypt the title key. This would be extremely unlikely, as the systems would be controlled by Nintendo UK or Nintendo of Japan.

RupeeClock    36

Oh excellent, hopefully this will shed some light on things.

I did get to see my cousin this past Christmas, but he forgot to bring his 3DS with him so sadly I didn't get to make a backup of his Mew. That means we don't have a sample that is guaranteed to have come from a separate distribution system.

Even so I imagine the data is going to be identical anyway.

suloku    154
On 1/1/2017 at 1:39 PM, HMM said:

Sorry about how long it took. If anyone still needs a second save for anything then here it is.

sav.dat

151 - MEW - E4BE.pk1

Is the Mew pk1 file you attached coming from your sav.dat? I'm asking because the one in the sav.dat is a little different, more precisely the OT name:

Your sav.dat: 86 85 00 00 00 00 00 50 89 80 82
RupeeClock's: 86 85 50 00 00 00 00 50 89 80 82
scottishdanstfu*: 86 85 50 00 00 00 00 50 89 80 82

*scottishdanstfu kindly shared his savegame with me to check the mew, it's 100% the same as RupeeClock's

@HMM, did you directly dump your savegame with the new entrypoint (soundhax) or did you trade it to your already homebrew-enabled 3DS?
I'm gonna see if boxing RupeeClock's Mew produces this result, I'm kinda puzzled right now.

EDIT: Nevermind, I tested RupeeClock's savegame and boxed the mew: it converted to 86 85 00 00 00 00 00 50 89 80 82 (same as HMM's) so it was really due to boxing.

I guess there's no doubt now about them being all the same (we were pretty much sure anyways).

  • Like 1

RupeeClock    36

Huh, I don't think the homebrew method of dumping the save game should make a difference, all will ultimately run a program that decrypts a save file and dumps the contents to the SD card.

Also with thanks to soundhax my cousin might be able to share his save if he finds any time to even play his 3DS.

suloku    154

I went and boxed your mew on my 3DS, got the same as HMM's, so that settles it (I didn't know this happened, I should check how trash bytes are handled in the different games and generations, best case scenario would be that some stadium game erases them completely...).

We have 3 different saves and all 3 Mews are the same, alongside the fact that they used savestates (and with it, they were distributing cloned Mews), but still I'm sure someone would appreciate a 100% confirmation of different distro consoles providing the very same Mew.

Now, when is that pokebank update coming?


ps: RupeeClock, I was referring not to the dump method itself, but to whether he had done another trade before dumping the savegame, as I was thinking that maybe trading again was what changed the trash bytes.

  • Like 4

Ammako    112

That's weird, so technically the OT changes from "GF" to "GF     " when it gets boxed? 50 is the terminator byte, isn't it?

RupeeClock    36

I guess that pretty much confirms it then, all VC RBY Mews distributed are the same, although trash bytes may change if boxed.

All that's left is to wait for the Pokémon Bank update, how exciting.

  • Like 1

suloku    154
7 hours ago, Ammako said:

That's weird, so technically the OT changes from "GF" to "GF     " when it gets boxed? 50 is the terminator byte, isn't it?

Yes, makes no difference visually. I'll test what happens when unboxing tonight.

Ammako    112

It may make a difference once transferred to Sun/Moon since OT names seem to be aligned to the right in Summary screen there.

That is, unless the transfer corrects it and removes (hides) trailing 00s on any Pokémon.


Thinking about it, it's unlikely that the Pokémon Bank transfer will let you transfer away Party Pokémon, only boxed ones. Therefore the only Mews that will make it to Gen. 7 are those with that first terminator byte zeroed out.

suloku    154

Unboxing keeps it as "86 85 00 00 00 00 00 50 89 80 82". Now I'm wondering if trading over VC will make that 0x50 appear again.

I have a friend's 3DS, so I might as well go ahead and try it.

EDIT: I made some trades between English Red and Yellow and the terminator from the distribution is gone for good, so mysteries... I guess we could find the answer in the Pokémon Red disassembly: https://github.com/pret/pokered

RupeeClock    36

Pokémon Bank update finally dropped!

I got to import my Mew from VC Pokémon Yellow, this required boxing the Mew into the first box.

P8MD7LL.jpg

Upon transferring, it arrived with 31/27/31/31/31/31 IVs and a Timid nature. This is pretty great, as apparently Pokémon imported from Gen I are "guaranteed to have 3 perfect IVs, and a random nature". The Mew already has a perfect spread of 15/15/15/15/15 DVs though, so I'm wondering how they picked an attack IV of 27 when its attack DV would've been 15.

hc3aOMx.jpg

I extracted my Mew using PKHex if you wanna examine the bytes.

I thought it pretty interesting that it has a generated shiny value too, and a trainer shiny value based on the OT. The GF Mew had a TSV of 1424, I'm interested to see if this is consistent. It might not be shiny locked as a result of this.

Oh yeah and it was also nice that the Bank update gave away free Mewnium Z to Sun/Moon game cards, via mystery gift.

A few other Gen I Pokémon I imported have a TSV of 2512. They also indeed have 3 perfect IVs and random natures, my Rattata got its HA Hustle, my Sandshrew got its HA Sand Rush, my Caterpie got its HA Run Away, and my Mankey got its HA Defiant.

Edit: Turns out SciresM is really on the ball with figuring out how the transfers work, nature is determined by EXP, IVs are purely random, nearly everything always gets its hidden ability, genders are completely random despite how gen II determined them using DVs. Every untrained Mew imported will always be timid, and you can manipulate which nature it will get by getting a specific EXP number.

151 - Mew - 44C0A4DC05E1.pk7

Edited by RupeeClock
  • Like 2

MrCheeze    10

Ah, good to know that the Mews originally come with 15/15/15/15/15/15 in RBY... that confirms that legitimate shiny Mews can't exist. (As was the case with the original gen 1 Mew distributions, back in the day.)

HaxAras    125
2 minutes ago, MrCheeze said:

Ah, good to know that the Mews originally come with 15/15/15/15/15/15 in RBY... that confirms that legitimate shiny Mews can't exist. (As was the case with the original gen 1 Mew distributions, back in the day.)

Well, I can still think of 2 methods to get a shiny Mew, legit. Both in gen 3.

1: Use that glitch to get any Pokemon as an egg and do Mew. Then, use my favorite tool of all time. Triggers PC to scan all the eggs for a shiny match with one of your saves. 

2: Just use a Japanese save and the Mystery Gift Tool to get a working ticket. Then just go do the run-away method to shiny hunt for a Mew. 

theSLAYER    897
18 minutes ago, MrCheeze said:

Ah, good to know that the Mews originally come with 15/15/15/15/15/15 in RBY... that confirms that legitimate shiny Mews can't exist. (As was the case with the original gen 1 Mew distributions, back in the day.)

The only shiny Mews that can happen, are the legit VC ones that are distributed, with their IVs changed, via glitch or arbitrary code execution glitches, or hacks.

Invader TAK    87

So considering PokeTransporter checks for Mews with the OT ゲーフリ or GF and the TID 22796, then any other English VC Mews would have to be identical to the UK one. At least that makes it easy for people to make their own VC Mew saves (which I did just now).

EDIT: Looking through the topic and seeing they used a special version of the game with Restore Points, it might be able to be replicated in the normal games (patch in the Restore Points and the GF option on the Name Select, then play normally until getting the Pokedex, then inject or trade for the Mew and make a restore point in front of the Cable Club). Since the Mews are identical anyway, it'd have the same effect.

Edited by Invader TAK
  • Like 1

theSLAYER    897
5 hours ago, Invader TAK said:

So considering PokeTransporter checks for Mews with the OT ゲーフリ or GF and the TID 22796, then any other English VC Mews would have to be identical to the UK one. At least that makes it easy for people to make their own VC Mew saves (which I did just now).

EDIT: Looking through the topic and seeing they used a special version of the game with Restore Points, it might be able to be replicated in the normal games (patch in the Restore Points and the GF option on the Name Select, then play normally until getting the Pokedex, then inject or trade for the Mew and make a restore point in front of the Cable Club). Since the Mews are identical anyway, it'd have the same effect.

Question came up, whether the terminators were checked as well.
I'm going to check soon.

Edit:
Right now, it appears the terminators aren't really checked.
I've had a few different ones, unnicknamed, retyped the OT, and it passed. Odd.

Mew's nickname is completely not checked;
OT without the terminators still passes.

  • Like 3
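As an added example (not code from anyone in this thread), a small Python decoder for Gen 1 OT-name bytes that shows why the three byte strings suloku compared earlier all display as "GF", and why a check that only compares the displayed OT, as theSLAYER found above, cannot tell them apart. The values for 'A'..'Z' (0x80..0x99), 'a'..'z' (0xA0..0xB9), space (0x7F) and the 0x50 terminator are the standard Gen 1 text map; treating 0x00 as a byte that prints nothing is an assumption taken from the thread's report that boxing turns the 0x50 into 0x00 with no visible change.

```python
# Added example: decode Gen 1 (RBY) trainer-name bytes and compare them the
# way the game displays them versus byte-for-byte.
TERMINATOR = 0x50   # end-of-string marker in Gen 1 text
NULL = 0x00         # assumption from the thread: boxing writes 0x00 here and it shows nothing
SPACE = 0x7F

# The three OT-name dumps quoted in the thread (11 bytes each).
OT_HMM = bytes.fromhex("86 85 00 00 00 00 00 50 89 80 82")
OT_RUPEECLOCK = bytes.fromhex("86 85 50 00 00 00 00 50 89 80 82")
OT_SCOTTISHDANSTFU = bytes.fromhex("86 85 50 00 00 00 00 50 89 80 82")


def gen1_char(b: int) -> str:
    """Map one Gen 1 text byte to a character; unknown bytes are shown as <XX>."""
    if 0x80 <= b <= 0x99:
        return chr(ord("A") + b - 0x80)
    if 0xA0 <= b <= 0xB9:
        return chr(ord("a") + b - 0xA0)
    if b == SPACE:
        return " "
    return f"<{b:02X}>"


def displayed_name(raw: bytes) -> str:
    """The name as the game shows it: stop at the first 0x50, skip nulls."""
    shown = []
    for b in raw:
        if b == TERMINATOR:
            break
        if b == NULL:
            continue
        shown.append(gen1_char(b))
    return "".join(shown)


def trash_bytes(raw: bytes) -> bytes:
    """Everything after the first terminator: never displayed, but still stored."""
    end = raw.find(bytes([TERMINATOR]))
    return b"" if end < 0 else raw[end + 1:]


def same_displayed_ot(a: bytes, b: bytes) -> bool:
    """A display-level comparison, like the check the thread found Transporter uses."""
    return displayed_name(a) == displayed_name(b)


if __name__ == "__main__":
    for label, raw in [("HMM", OT_HMM), ("RupeeClock", OT_RUPEECLOCK)]:
        print(f"{label:11s} {raw.hex(' ')} -> {displayed_name(raw)!r} "
              f"trash={trash_bytes(raw).hex(' ')}")
    print("byte-identical:   ", OT_HMM == OT_RUPEECLOCK)
    print("display-identical:", same_displayed_ot(OT_HMM, OT_RUPEECLOCK))
```

Running it shows the two dumps differ at byte 3 and in their trash bytes yet decode to the same "GF", which is exactly the distinction a byte-for-byte comparison catches and a displayed-name comparison does not.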

Invader TAK    87
9 minutes ago, theSLAYER said:

Question came up, whether the terminators were checked as well.
I'm going to check soon.

Edit:
Right now, it appears the terminators aren't really checked.
I've had a few different ones, unnicknamed, retyped the OT, and it passed. Odd.

So you can literally gen one that easily, that's hilarious. Now is it possible to mod Restore Points into a Gen 1 CIA so we can send infinite Mews like they did at the Japan and UK events?

theSLAYER    897
Just now, Invader TAK said:

So you can literally gen one that easily, that's hilarious. Now is it possible to mod Restore Points into a Gen 1 CIA so we can send infinite Mews like they did at the Japan and UK events?

Well, I would think if you use the old VC injections, you'll get the Restore Point function.
Now, just inject the ROM, and let the title ID be the same as one of the official ones, and I'd imagine it'll work.

However, I'm not sure the old VC injections allow the trading patches they worked into the present VC model RBYG uses.

Invader TAK    87
1 minute ago, theSLAYER said:

Well, I would think if you use the old VC injections, you'll get the Restore Point function.
Now, just inject the ROM, and let the title ID be the same as one of the official ones, and I'd imagine it'll work.

However, I'm not sure the old VC injections allow the trading patches they worked into the present VC model RBYG uses.

Well, there's only one way to find out! I'll try it later (if someone doesn't beat me to it), I need to get some sleep.

theSLAYER    897

Just for lols, I previously switched out Pokémon Yellow's ROM with the Debug Yellow ASM ROM,
and I'm now documenting how A Certain Mythical Mew got across through the deep recesses of time and space.

I've changed my TID and OT (TID can't be seen here, tho)
top_0000.png

Debug Item
top_0001.png

This calls Mew as wild battle when menu is totally closed.
top_0002.png

Changes its level to 50
top_0003.png

In Battle
top_0004.png

Captured
top_0005.png

Swapped-out game still recognized (because it's using the same Title ID as the original)
top_0006.png


See, it's accepted xD
top_0007.png


  • Like 3

RupeeClock    36

What's most hilarious is that Poké Transporter is accepting a modified Pokémon Yellow as a save source.

It logically follows that it just checks for a matching title ID, and looks at the save contents matching that title, but still hilarious.

Of course I reckon it's probably just easier to clone/inject as many Mews as you please, like if you want Gen 1 TM moves of varying natures.

Moves like Softboiled and Whirlwind are probably the most interesting as Mew lacks access to Recover or Roar, or similar moves. Actually I think this might be the only way to get that legal Softboiled Mew that the Smogon sets use.

  • Like 1

theSLAYER    897
2 minutes ago, RupeeClock said:

What's most hilarious is that Poké Transporter is accepting a modified Pokémon Yellow as a save source.

It logically follows that it just checks for a matching title ID, and looks at the save contents matching that title, but still hilarious.

Of course I reckon it's probably just easier to clone/inject as many Mews as you please, like if you want Gen 1 TM moves of varying natures.

Moves like Softboiled and Whirlwind are probably the most interesting as Mew lacks access to Recover or Roar, or similar moves. Actually I think this might be the only way to get that legal Softboiled Mew that the Smogon sets use.

I find it hilarious too.
Yup, it just checks the Title ID and that the save isn't corrupt, then proceeds to read the save.

Also, they didn't bother to language lock either,
since a Japanese 3DS shouldn't have English Pokémon, if I'm not mistaken.

Yeah, it'll be fun to clone a bunch of Mews, get access to unique movesets and all.
I purchased my Pokémon Bank subscription right before it came online xD

  • Like 1
