theSLAYER

GEN 7 - NTR RAM Dump for Local Wireless WC7FULL data

22 posts in this topic

Hello Everyone!
The purpose of this thread is to research grabbing WC7FULL from RAM dumps from Local Wireless/Infrared events.

This thread will definitely get technical, however I'll try to simplify details wherever I can.
Some screenshots are outdated, but the principle applies.


What you'll need:
1. CFW (Preferably Luma on A9LH)
2. NTR (this implementation works great)
3. A save manager (I think this is what I have)
 

Steps inside:

  1. Backup your save before you collect the event.
    It'll also be good if you have multiple saves with different TID/SID/OT combination.

    (in case the distribution system logs and restricts connectivity from the same TID/SID/OT combo)
     
  2. Launch NTR before playing Pokemon
    NTR needs to be relaunched per 3DS reboot.

    If on O3DS/O3DSXL/2DS, make sure you're using the Mode-3 version build

    (N3DS/N3DSXL can use the normal build)

    Launch 3.2 (it's the most stable)
     
  3. Launch game, prepare to collect wonder card, but don't collect it.
    Basically, hover at the screen that shows you collection.
    As seen above, you can still see the Silver/Gray Bar.

    For Gen 6, make sure you hover on "NO"

    If you are at a Local Infrared event, or there's Nintendo/Pokemon staff around,
    Put your 3DS to sleep while maintaining that screen above,
    and walk to somewhere safe first.
    (the data should already be in RAM)


     
  4. Access NTR Menu
    This is done by holding X&Y buttons simultaneously.
    It pops up on the bottom screen
     
  5. Identify Process ID

    Serial Code/Online: BOSS process
    Local Wireless/Infrared: Niji_loc (Sun/Moon) or Sango-1/Sango-2 (ORAS)

    The Process ID usually changes, but it's around the same location (usually)

    so Process Manager > Process List > (look at a number) > Info
    As seen below:
     
  6. Dump Ram!
    Get back to the Process screen, choose Dump.
    Now, select 0x08000000,
    but if we can't find what we're looking for, it has to be done by trial and error.

    As seen here: (select dump, not info)
    During this stage, in Gen 7,
    it may cause the Mystery Gift to be accepted
    (because NTR Menu keypresses may overflow back into the game),
    which is why Step 1 required you to back up your save before doing any of this.
     
  7. Wait for NTR Menu to pop back up
    NTR Menu will pop back up once dumping is complete.
    If the area to dump is big, it may take a while.


Video Tutorial (thanks to @ReignOfComputer)


WC7FULL Documentation

Offset         Description
0x00           Allowed Receiving Game (Bit 0 - Sun, Bit 1 - Moon)
0x01-0x03      0x000000 (?)
0x04-0x01FF    Distribution Text
0x0200         Flag for Local Wireless Events
0x0201         Counter used by Local Wireless Events
0x0202-0x0203  WC7FULL Checksum
0x0204         Local Wireless Max Counter
0x0205         0x00 (?)
0x0206-0x0207  0x4646 (Signature of some sort?)
0x0208-0x030F  WC7 Portion

This post by @Purin was referenced, for the purposes of this documentation.


Local Wireless WC7FULL Location in Ram Dump
0x3FA4A4 in the RAM dump; the size of a WC7FULL is 0x310.
The next WC7FULL immediately follows (0x3FA7B4).

Seems to go on for as many WC7FULL as there are.
(Present known max distribution is 8 for Gen VII <Eevee Colorful Friends>, 10 for Gen VI <birthday distribution>)

Next data found is 0x3FF4A4, so likely can't fit till here.
(Max size till here, is 25 wonder cards)

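As an added example (not the mini program mentioned later in this thread, nor any poster's code), a small Python parser that pulls WC7FULL records out of a RAM dump at the offsets and field layout documented above. It assumes the distribution text is UTF-16LE and treats the 0x4646 value at 0x206, which the table only suspects to be a signature, as a sanity check to stop scanning; the sample dump is constructed, not a real capture.

```python
import struct

WC7FULL_BASE = 0x3FA4A4  # first Local Wireless WC7FULL in the dumps discussed above
WC7FULL_SIZE = 0x310
MAX_CARDS = 25           # upper bound given above (next data found at 0x3FF4A4)

def parse_wc7full(rec: bytes) -> dict:
    """Split one 0x310-byte WC7FULL record into the fields from the table above."""
    games = rec[0x00]
    return {
        "sun": bool(games & 0x01),
        "moon": bool(games & 0x02),
        # Distribution text: assumed UTF-16LE (typical for 3DS-era Pokemon strings)
        "text": rec[0x04:0x200].decode("utf-16-le", "replace").split("\0", 1)[0],
        "local_wireless": rec[0x200],
        "counter": rec[0x201],
        "checksum": struct.unpack_from("<H", rec, 0x202)[0],   # algorithm not documented
        "max_counter": rec[0x204],
        "signature": struct.unpack_from("<H", rec, 0x206)[0],  # expected 0x4646
        "wc7": rec[0x208:WC7FULL_SIZE],                        # embedded WC7 portion
    }

def extract_wc7full(dump: bytes, base: int = WC7FULL_BASE) -> list:
    """Walk consecutive WC7FULL slots from `base`; stop at the first slot that fails
    the sanity check (0x4646 at 0x206 and at least one receiving game allowed)."""
    cards = []
    for i in range(MAX_CARDS):
        start = base + i * WC7FULL_SIZE
        rec = dump[start:start + WC7FULL_SIZE]
        if len(rec) < WC7FULL_SIZE:
            break
        card = parse_wc7full(rec)
        if card["signature"] != 0x4646 or not (card["sun"] or card["moon"]):
            break
        cards.append(card)
    return cards

def make_sample_dump(texts) -> bytes:
    """Constructed stand-in for a real RAM dump: zero-filled, one card per text."""
    dump = bytearray(0x3FF4A4)
    for i, text in enumerate(texts):
        rec = bytearray(WC7FULL_SIZE)
        rec[0x00] = 0x03                                   # Sun and Moon allowed
        rec[0x04:0x04 + 2 * len(text)] = text.encode("utf-16-le")
        rec[0x200], rec[0x204] = 1, 1                      # Local Wireless flag / max counter
        struct.pack_into("<H", rec, 0x206, 0x4646)
        start = WC7FULL_BASE + i * WC7FULL_SIZE
        dump[start:start + WC7FULL_SIZE] = rec
    return bytes(dump)
```

On a real dump, pass the file contents to extract_wc7full and write each card's 0x310 bytes (or just the "wc7" portion) to its own file.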

I was actually working with @Bond697 to get wireless wc7full dumps much easier, but he hasn't replied to me since April 19, I wonder if he's okay.


Now that Japan is doing Local Wireless for the Eevees, if this isn't too much trouble to test:
@argus1963 @ReignOfComputer @ajxpk

//--shifted down--//

is there a working concept right now, like which process for example?

I don't regularly have communications with him, but I think somewhat talks to him about Overwatch (think I just saw it in the IRC, but didn't see his response)


Update:
It appears BOSS dumps didn't work out.

ROC will do one last check on BOSS dumps tonight.
We are also testing NWM service dumps, as based on 3dbrew, it handles Local Wireless communications.


@ReignOfComputer I'm still analyzing your dumps, and something interesting happened!

It seems like the entire distribution is held by the game, then chosen at random!

I'm completely through it, but there are WC7FULL for Vaporeon, Jolteon and Flareon in your Day 2 - N3DS Dump - dump_pid2f_6.dmp
(which process and offset was that again?)


//----------edit----------//
The dump_pid2f_6.dmp was the only dump that yielded any WC7FULL (I believe this is Niji_loc, at 0x800000 right)

I theorize that this is the same process for Infrared events,
and you could probably dump it using NTR by walking away from the counter, meaning:
1. Launch NTR, then Launch game
2. Queue up
3. When it's your turn, get the event, but stay at this screen and put your 3DS to sleep
4. Walk away from the counter and crowd
5. Open back up 3DS, while staying on that screen, go to NTR and dump the desired process

This way, you get all relevant events at one shot (won't have to re-queue for eggs, for example)

 

Once I get confirmation from ROC,
@BLACKBIRD @katsuya @argus1963 @Kirzi may wanna take note of this method, and perhaps get familiarized with it,
as you guys are the most likely to get Local Wireless or Infrared events :)

our first ever Local Wireless WC7FULL.rar


That should be niji_loc, yes, though I'm not sure which offset that was.

This is cool stuff :)

 

Does O3DS > dump_pid28_0.dmp have the WC7FULL as well? I think both that and 2f_6.dmp are from 0x00100000 actually. I'm not too sure >.<

Nevermind, 28_0.dmp is from 0x00100000 and 2f_6.dmp should be from 0x8000000.

6 minutes ago, ReignOfComputer said:

That should be niji_loc, yes, though I'm not sure which offset that was.

This is cool stuff :)

Does O3DS > dump_pid28_0.dmp have the WC7FULL as well? I think both that and 2f_6.dmp are from 0x00100000 actually. I'm not too sure >.<

Nope, it doesn't have.
Also your 28_0 shares the same internal header information as your 2f_5,
and your 2f_6 header is different.


It's likely your 28_0 and 2f_5 are the same offset,
and 2f_6 is the next offset

 


@theSLAYER I edited my message after posting it, oops. 28_0.dmp is from 0x00100000 and 2f_6.dmp should be from 0x8000000.


The tutorial in the first post has been updated to reflect the new information!


@ReignOfComputer's video tutorial added to first post!
(look at how fast he scrolls through, looking for niji_loc)


@theSLAYER, Ash hat Pikachu has a flag or something set at 0x1fe. Thoughts on this?


Probably a flag for the "special animation" during downloading? I remember a flag like this also existed in Gen 5 and 6 full wondercards.


Good Eye @Sabresite!
Not sure why it's there, tho.

I don't recall noticing the animation being different or something.
If it's movie related, I guess we'll only know when we grab the Marshadow or Ho-oh.


Awesome guide!

Just wanted to say that I am fully committed to contributing any wc7full events that are ever released in Scotland, maybe even the rest of the united kingdom if I'm able to attend them.


Unfortunately there will probably be no local wireless events outside of Japan. :(
It was unique for Germany to have a Nintendo Zone event.


Can the new b9s loader's Rosalina menu now be used to extract wondercard data? I wanted to try it but I've nothing to redeem right now :)

8 minutes ago, Johnwraight said:

Can the new b9s loader's Rosalina menu now be used to extract wondercard data? I wanted to try it but I've nothing to redeem right now :)

Well, can you dump RAM with Rosalina? Then it can be used.


@Johnwraight & @Purin as far as I could tell, based on me fiddling around with it just now,
Rosalina doesn't support native RAM dumping without connecting a computer running the debugger
(which is minimally what we need, in order to dump Local Wireless or Infrared events).


Based on existing RAM Dumps, I've made a mini program to easily dump the WC7FULL out of the ram dumps!

 


So far it only reads from the same addresses, and works with the RAM we got from ROC previously!

 

 

