theSLAYER

GEN 7 - NTR RAM Dump for Local Wireless WC7FULL data

22 posts in this topic


theSLAYER    1038

Hello Everyone!
The purpose of this thread is to research grabbing WC7FULL from RAM dumps from Local Wireless/Infrared events.

This thread will definitely get technical, however I'll try to simplify details wherever I can.
Some screenshots are outdated, but the principle applies.


What you'll need:
1. CFW (Preferably Luma on A9LH)
2. NTR (this implementation works great)
3. A save manager (I think this is what I have)
 

Steps inside:

  1. Backup your save before you collect the event.
    It'll also be good if you have multiple saves with different TID/SID/OT combination.

    (in case the distribution system logs and restricts connectivity from the same TID/SID/OT combo)
     
  2. Launch NTR before playing Pokemon
    NTR needs to be relaunched per 3DS reboot.

    If on O3DS/O3DSXL/2DS, make sure you're using the Mode-3 version build

    (N3DS/N3DSXL can use the normal build)

    Launch 3.2 (it's the most stable)
     
  3. Launch game, prepare to collect wonder card, but don't collect it.
    Basically, hover at the screen that shows you collection.
    As seen above, you can still see the Silver/Gray Bar.

    For Gen 6, make sure you hover on "NO"

    If you are at a Local Infrared event, or there's Nintendo/Pokemon staff around,
    Put your 3DS to sleep while maintaining that screen above,
    and walk to somewhere safe first.
    (the data should already be in RAM)


     
  4. Access NTR Menu
    This is done by holding X&Y buttons simultaneously.
    It pops up on the bottom screen
     
  5. Identify Process ID

    Serial Code/Online: BOSS process
    Local Wireless/Infrared: Niji_loc (Sun/Moon) or Sango-1/Sango-2 (ORAS)

    The Process ID usually changes, but it's around the same location (usually)

    so Process Manager > Process List > (look at a number) > Info
    As seen below:
     
  6. Dump Ram!
    Get back to the Process screen, choose Dump.
    Now, select 0x08000000,
    but if we can't find what we're looking for, it has to be done by trial and error.

    As seen here: (select dump, not info)
    During this stage, in gen 7,
    it may cause the Mystery Gift to be accepted.
    (Cause NTR Menu keypresses may overflow back into the game)
    which is why Step 1 required you to backup save before doing any of this.
     
  7. Wait for NTR Menu to pop back up
    NTR Menu will pop back up once dumping is complete.
    If the area to dump is big, it may take a while.


Video Tutorial (thanks to @ReignOfComputer)

theSLAYER    1038

WC7FULL Documentation

Offset          Description
0x00-0x03       Allowed Receiving Game (Bit 0 - Sun, Bit 1 - Moon)
                Bit 2 and 3 likely used by Ultra Sun and Ultra Moon
0x04-0x01FD     Distribution Text
0x01FE          0x01 - Speculated Halo Effect (Receiving Animation)
0x01FF          0x00 - Any Language
                Otherwise must be language ID
0x0200          0x00 - Receive Unconditionally (Single)
                0x01 - Receive One Per Day Randomly
0x0201          WC Sub-ID
0x0202-0x0203   WC7FULL Checksum
0x0204          Number of WCs in Set
                If this value is 1 more than the number of WCs in the set then the set can only be received once even though it is technically repeatable.
                (example, WCID 244 anime pokemon)
0x0205-0x0207   Gen 6: 0x464646
                Gen 7: 0x004646
                0x205 used for randomization weight in Gen 7
0x0208-0x030F   WC7 Data

This post by @Purin was referenced, for the purposes of this documentation.


Local Wireless WC7FULL Location in Ram Dump
0x3FA4A4 in RAM dump, size of WC7FULL is 0x310.
Next WC7FULL immediately follows. (0x3FA7B4)

Seems to go as far as many WC7Full.
(present known max distribution is 8 for Gen VII <eevee colorful friends>, 10 for Gen VI <birthday distribution>)

Next data found is 0x3FF4A4, so likely can't fit till here.
(Max size till here, is 25 wonder cards)


edit:
So far, Halo appeared on only Marshadow, and Ash Cap Pikachu
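
The offset table and dump location in the post above, turned into an added example (not part of the original post, and not the program theSLAYER mentions later in the thread): a Python carver that walks back-to-back 0x310-byte records and splits each one by the documented offsets. Little-endian fields, the 4-byte scan alignment, and the signature (0x46 0x46 at 0x206-0x207 plus a documented mode byte) are assumptions; `make_sample` builds a constructed dump, not real event data.

```python
import struct
WC7FULL_SIZE = 0x310   # record size given in the thread
KNOWN_BASE = 0x3FA4A4  # first record in the thread's dump; other dumps may differ
MAX_CARDS = 25         # thread's estimate before the next data at 0x3FF4A4

def parse_wc7full(rec):
    """Split one 0x310-byte record into the fields of the offset table."""
    games, = struct.unpack_from("<I", rec, 0x00)      # assumption: little-endian
    checksum, = struct.unpack_from("<H", rec, 0x202)  # assumption: little-endian
    return {
        "games": games,               # bit 0 = Sun, bit 1 = Moon
        "text_raw": rec[0x04:0x1FE],  # distribution text, left undecoded
        "halo": rec[0x1FE],           # 0x01 = speculated halo effect
        "language": rec[0x1FF],       # 0x00 = any language
        "mode": rec[0x200],           # 0 = single, 1 = one per day randomly
        "sub_id": rec[0x201],
        "checksum": checksum,         # stored value only; algorithm not on the page
        "set_count": rec[0x204],
        "weight": rec[0x205],         # Gen 7 randomization weight
        "wc7": rec[0x208:0x310],
    }

def looks_like_wc7full(buf, off):
    """Assumed signature: 0x46 0x46 at 0x206-0x207 and mode byte 0 or 1."""
    ok = 0 <= off <= len(buf) - WC7FULL_SIZE
    return ok and buf[off + 0x206:off + 0x208] == b"\x46\x46" and buf[off + 0x200] in (0, 1)

def carve(buf, base=KNOWN_BASE):
    """Return (offset, fields) for consecutive records starting at base."""
    out = []
    while len(out) < MAX_CARDS and looks_like_wc7full(buf, base):
        out.append((base, parse_wc7full(buf[base:base + WC7FULL_SIZE])))
        base += WC7FULL_SIZE
    return out

def find_base(buf, align=4):
    """Scan for the first plausible record when the known offset misses."""
    for off in range(0, len(buf) - WC7FULL_SIZE + 1, align):
        if looks_like_wc7full(buf, off):
            return off
    return None

def make_sample(n, base=0x40):
    """Constructed dump: n fake records at base, zero padding around them."""
    buf = bytearray(base + (n + 1) * WC7FULL_SIZE)
    for i, o in enumerate(range(base, base + n * WC7FULL_SIZE, WC7FULL_SIZE)):
        struct.pack_into("<I", buf, o, 0b11)  # Sun and Moon allowed
        buf[o + 0x200:o + 0x208] = bytes([1, i, 0, 0, n, 10 + i, 0x46, 0x46])
    return bytes(buf)
```

On a real dump, try `carve(data)` first and fall back to `carve(data, find_base(data))` when the fixed offset yields nothing; the signature is weak, so check any hit by hand.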

Purin    84

I was actually working with @Bond697 to get wireless wc7full dumps much easier, but he hasn't replied to me since April 19, I wonder if he's okay.

theSLAYER    1038

Now that Japan is doing Local Wireless for the Eevees, if this isn't too much trouble to test:
@argus1963 @ReignOfComputer @ajxpk

//--shifted down--//

is there a working concept right now, like which process for example?

I don't regularly have communications with him, but I think someone talks to him about overwatch (think I just saw it in the IRC, but didn't see his response)

theSLAYER    1038

Update:
It appears BOSS dumps didn't work out.

ROC will do one last check on BOSS dumps tonight.
We are also testing NWM service dumps, as based on 3dbrew, it handles Local Wireless communications.

theSLAYER    1038

@ReignOfComputer I'm still analyzing your dumps, and something interesting happened!

It seems like the entire distribution is held by the game, then chosen at random!

I'm completely through it, but there are WC7FULL for Vaporeon, Jolteon and Flareon in your Day 2 - N3DS Dump - dump_pid2f_6.dmp
(which process and offset was that again?)


//----------edit----------//
The dump_pid2f_6.dmp was the only dump that yielded any WC7FULL (I believe this is Niji_loc, at 0x800000 right)

I theorize that this is the same process for Infrared events,
and you could probably dump it using NTR by walking away from the counter, meaning:
1. Launch NTR, then Launch game
2. Queue up
3. When it's your turn, get the event, but keep it at this screen and put your 3DS to sleep
4. Walk away from the counter and crowd
5. Open back up 3DS, while staying on that screen, go to NTR and dump the desired process

This way, you get all relevant events at one shot (won't have to re-queue for eggs, for example)

 

Once I get confirmation from ROC,
@BLACKBIRD @katsuya @argus1963 @Kirzi may wanna take note of this method, and perhaps get familiarized with it,
as you guys are the most likely to get Local Wireless or Infrared events :)

our first ever Local Wireless WC7FULL.rar


That should be niji_loc, yes, though I'm not sure which offset that was.

This is cool stuff :)

 

Does O3DS > dump_pid28_0.dmp have the WC7FULL as well? I think both that and 2f_6.dmp are from 0x00100000 actually. I'm not too sure >.<

Nevermind, 28_0.dmp is from 0x00100000 and 2f_6.dmp should be from 0x8000000.

theSLAYER    1038
6 minutes ago, ReignOfComputer said:

That should be niji_loc, yes, though I'm not sure which offset that was.

This is cool stuff :)

Does O3DS > dump_pid28_0.dmp have the WC7FULL as well? I think both that and 2f_6.dmp are from 0x00100000 actually. I'm not too sure >.<

Nope, it doesn't have.
Also your 28_0 shares the same internal header information as your 2f_5,
and your 2f_6 header is different.


It's likely your 28_0 and 2f_5 are the same offset,
and 2f_6 is the next offset

 

theSLAYER    1038

The tutorial in the first post has been updated to reflect the new information!

Purin    84

Probably a flag for the "special animation" during downloading? I remember a flag like this also existed in Gen 5 and 6 full wondercards.

theSLAYER    1038

Good Eye @Sabresite!
Not sure why it's there, tho.

I don't recall noticing the animation being different or something.
If it's movie related, I guess we'll only know when we grab the Marshadow or Ho-oh.

Johnwraight    18

Awesome guide!

Just wanted to say that I am fully committed to contributing any wc7full events that are ever released in Scotland, maybe even the rest of the united kingdom if I'm able to attend them.

Sabresite    283

Unfortunately there will probably be no local wireless events outside of Japan. :(
It was unique for Germany to have a Nintendo Zone event.

Johnwraight    18

can the new b9s loaders Rosalina menu now be used to extract wondercard data? I wanted to try it but I've nothing to redeem right now :)

Purin    84
8 minutes ago, Johnwraight said:

can the new b9s loaders Rosalina menu now be used to extract wondercard data? I wanted to try it but I've nothing to redeem right now :)

Well, can you dump RAM with Rosalina? Then it can be used.

theSLAYER    1038

@Johnwraight & @Purin as far as I could tell, based on me fiddling around with it just now,
Rosalina doesn't support native RAM dumping without connecting a computer running the debugger.
(which is minimally what we need, in order to dump Local Wireless or Infrared events)

theSLAYER    1038

Based on existing RAM Dumps, I've made a mini program to easily dump the WC7FULL out of the ram dumps!

So far it only reads from the same addresses, and works with the RAM we got from ROC previously!

edit:
it's been updated for more dynamic searching.

 
