VC RBY - Virtual Console Mew (UK)


BlackShark
5 minutes ago, 1quacka1 said:

do we know keys for 3ds games that have been officially released? Maybe they could be used to narrow the range of keys to try via bruteforce?

The assumption that there are no duplicate title keys is an unsafe assumption to make, since there could be duplicates. But if that assumption were true, let's suppose there've been 1 million games released. I'm pretty sure the actual number is far less than this, but my point will still stand. Given 2 ^ 128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible keys, removing 1 million of them results in 340,282,366,920,938,463,463,374,607,431,767,211,456 possible keys, which (probably) won't finish within the life of the universe.

  • Like 1
Link to comment
Share on other sites

11 minutes ago, 1quacka1 said:

do we know keys for 3ds games that have been officially released? Maybe they could be used to narrow the range of keys to try via bruteforce?

We do know these keys, but these won't serve any purpose of possibly reverse-engineering anything to figure out a range of keys if Nintendo implemented their cryptography correctly. If you have 2 ^ 128 combinations of keys, you are going to pick one as randomly as possible and not limit where you can pick from.

To explain what keys are.
Every time you buy a title from the eShop, the CDN gives you a title key in encrypted format, which is stored on the 3DS system itself. This title key grants you permission to request a download from their CDN.

Due to 3DS hacking developments at the start of the year where the 3DS was fully exploited, specifically gaining control of the ARM9 kernel and breaking the cryptography implementation, this made it possible to dump and decrypt the title keys stored on a system, and even share them among other 3DS systems.

This led to the development of an application called freeShop, which enables you to download anything directly from Nintendo's eShop CDN if you have the appropriate title keys, legitimate or illegally shared. The lack of authentication beyond anything other than title keys on the 3DS is what made this possible, and could've very easily been avoided if they authenticated purchases on the server side instead of the client side. A possible reasoning for doing this is that some 3DS systems come pre-installed with games, and if you perform a system transfer to such a system it will retain the pre-installed software along with the title key, thereby granting you that game to keep.

This state of affairs means that in order to download the Mew Distribution App, you need a 3DS that has the app installed since the title is not publicly listed, and then you would need to hack this 3DS to dump and decrypt the title key. This would be extremely unlikely as the systems would be controlled by Nintendo UK or Nintendo of Japan.

Link to comment
Share on other sites
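The post above contrasts a CDN that serves anyone who presents the right title key with one that checks the purchase on the server side. The following is an added example, not Nintendo's code and not freeShop's, that models both designs as two small Python functions and adds the view a CDN operator would have of the first design: the same title key being presented from many distinct consoles. Everything in it is constructed for illustration: the catalogue, the title keys (random bytes generated at import), the purchase ledger, the device ids and the request log; the assumption that a CDN front end logs a device id with each request is mine, not something the thread states.

```python
"""Client-side versus server-side purchase authorization, modelled in miniature.

Added example; not Nintendo's code or the freeShop project's. All data below is
constructed: title keys are random bytes generated at import time, not real keys.
"""
import secrets
from collections import defaultdict

# Constructed catalogue: title id -> 128-bit title key (random, not real keys).
CATALOGUE = {
    "pokemon-red": secrets.token_bytes(16),
    "mew-distribution-app": secrets.token_bytes(16),
}

# Constructed purchase ledger kept on the server: account -> titles it bought.
LEDGER = {"alice": {"pokemon-red"}, "bob": set()}


def serve_keyed(title_id, presented_key):
    """Model A, the design the thread describes: the CDN checks only that the
    presented key is the right key for the title. Whoever holds a copy of the key
    is served, so a key dumped from one console works from any other."""
    expected = CATALOGUE.get(title_id)
    return expected is not None and secrets.compare_digest(expected, presented_key)


def serve_entitled(account, title_id):
    """Model B, the server-side check the post argues for: the CDN consults the
    purchase ledger for the account; a key by itself grants nothing."""
    return title_id in LEDGER.get(account, set())


def key_reuse_report(requests, max_devices=2):
    """Operator-side view of model A.

    `requests` is an iterable of (device_id, title_id, presented_key) tuples as a
    CDN front end might log them (assumed field set). Returns the titles whose key
    was successfully presented by more distinct devices than `max_devices`, which
    is what widespread key sharing looks like from the server."""
    devices_per_title = defaultdict(set)
    for device_id, title_id, presented_key in requests:
        if serve_keyed(title_id, presented_key):
            devices_per_title[title_id].add(device_id)
    return {t: len(d) for t, d in devices_per_title.items() if len(d) > max_devices}


def demo():
    red_key = CATALOGUE["pokemon-red"]
    # Alice bought the title; Bob did not, but holds a copy of the key.
    keyed = {"alice": serve_keyed("pokemon-red", red_key),
             "bob": serve_keyed("pokemon-red", red_key)}
    entitled = {"alice": serve_entitled("alice", "pokemon-red"),
                "bob": serve_entitled("bob", "pokemon-red")}
    # Constructed request log: one key turning up on five consoles, plus one
    # request with a wrong key that is never served and so never counted.
    log = [(f"console-{i}", "pokemon-red", red_key) for i in range(5)]
    log.append(("console-9", "pokemon-red", secrets.token_bytes(16)))
    return keyed, entitled, key_reuse_report(log)


if __name__ == "__main__":
    print(demo())
```

Under model A the server cannot tell Alice's request from Bob's, which is exactly the freeShop situation; under model B the shared key is worthless without Alice's account. The reuse report is the only signal model A leaves an operator, and it only works if requests can be tied to a device at all.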

  • 4 weeks later...

Oh excellent, hopefully this will shed some light on things.

I did get to see my cousin this past Christmas, but he forgot to bring his 3DS with him so sadly I didn't get to make a backup of his Mew. That means we don't have a sample that is guaranteed to have come from a separate distribution system.

Even so I imagine the data is going to be identical anyway.

Link to comment
Share on other sites

  • 2 weeks later...
On 1/1/2017 at 1:39 PM, HMM said:

Sorry about how long it took. If anyone still needs a second save for anything then here it is.

sav.dat

151 - MEW - E4BE.pk1

Is the mew pk1 file you attached coming from your sav.dat? I'm asking because the one in the sav.dat is a little different, more precisely OT name:

Your sav.dat: 86 85 00 00 00 00 00 50 89 80 82
RupeeClock's: 86 85 50 00 00 00 00 50 89 80 82
scottishdanstfu*: 86 85 50 00 00 00 00 50 89 80 82

*scottishdanstfu kindly shared his savegame with me to check the mew, it's 100% the same as RupeeClock's

@HMM, did you directly dump your savegame with the new entrypoint (soundhax) or did you trade it to your already homebrew enabled 3DS?
I'm gonna see if boxing RupeeClock's Mew produces this result, I'm kinda puzzled right now.

EDIT: Nevermind, I tested RupeeClock's savegame and boxed the mew: it converted to 86 85 00 00 00 00 00 50 89 80 82 (same as HMM's) so it was really due to boxing.

I guess there's no doubt now about them being all the same (we were pretty much sure anyways).

  • Like 1
Link to comment
Share on other sites

Huh, I don't think the homebrew method of dumping the save game should make a difference, all will ultimately run a program that decrypts a save file and dumps the contents to the SD card.

Also with thanks to soundhax my cousin might be able to share his save if he finds any time to even play his 3DS.

Link to comment
Share on other sites

I went and boxed your mew on my 3DS, got the same as HMM's, so that settles it (I didn't know this happened, I should check how trash bytes are handled in the different games and generations, best case scenario would be that some stadium game erases them completely...).

We have 3 different saves and all 3 mews are the same, alongside the fact that they used savestates (and with it, they were distributing cloned Mews), but still I'm sure someone would appreciate a 100% confirmation of different distro consoles providing the very same Mew.

Now, when is that pokebank update coming?

 

ps: RupeeClock, I was referring not to the dump method itself, but if he had done another trade before dumping the savegame, as I was thinking that maybe trading again was what changed the trash bytes.

  • Like 4
Link to comment
Share on other sites

It may make a difference once transferred to Sun/Moon since OT names seem to be aligned to the right in Summary screen there.

That is, unless the transfer corrects it and removes (hides) trailing 00s on any Pokémon.

 

Thinking about it, it's unlikely that the Pokémon Bank transfer will let you transfer away Party Pokémon, only boxed ones. Therefore the only Mews that will make it to Gen. 7 are those with that first terminator byte zeroed out.

Link to comment
Share on other sites

Unboxing keeps it as "86 85 00 00 00 00 00 50 89 80 82". Now I'm wondering if trading over VC will make that 0x50 appear again.

I have a friend's 3DS, so I might as well go ahead and try it.

EDIT: I made some trades between English red and yellow and the terminator from the distribution is gone for good, so mysteries... I guess we could find the answer at pokémon red disassembly: https://github.com/pret/pokered

Link to comment
Share on other sites

  • 2 weeks later...

Pokémon Bank update finally dropped!

I got to import my Mew from VC Pokémon Yellow, this required boxing the Mew into the first box.

P8MD7LL.jpg

Upon transferring, it arrived with 31/27/31/31/31/31 IVs and a Timid nature. This is pretty great, as apparently Pokémon imported from Gen I are "guaranteed to have 3 perfect IVs, and a random nature". The Mew already has a perfect spread of 15/15/15/15/15 DVs though, so I'm wondering how they picked an attack IV of 27 when its attack DV would've been 15.

hc3aOMx.jpg

I extracted my Mew using PKHex if you wanna examine the bytes.

I thought it pretty interesting that it has a generated shiny value too, and a trainer shiny value based on the OT. The GF Mew had a TSV of 1424, I'm interested to see if this is consistent. It might not be shiny locked as a result of this.

Oh yeah and it was also nice that the Bank update gave away free Mewnium Z to Sun/Moon game cards, via mystery gift.

A few other Gen I Pokémon I imported have a TSV of 2512. They also indeed have 3 perfect IVs and random natures, my Rattata got its HA Hustle, my Sandshrew got its HA Sand Rush, my Caterpie got its HA Run Away, and my Mankey got its HA Defiant.

Edit: Turns out SciresM is really on the ball with figuring out how the transfers work, nature is determined by EXP, IVs are purely random, nearly everything always gets its hidden ability, genders are completely random despite how gen II determined them using DVs. Every untrained Mew imported will always be timid, and you can manipulate which nature it will get by getting a specific EXP number.
 

151 - Mew - 44C0A4DC05E1.pk7

Edited by RupeeClock
  • Like 2
Link to comment
Share on other sites

2 minutes ago, MrCheeze said:

Ah, good to know that the Mews originally come with 15/15/15/15/15/15 in RBY... that confirms that legitimate shiny Mews can't exist. (As was the case with the original gen 1 Mew distributions, back in the day.)

Well, I can still think of 2 methods to get a shiny Mew, legit. Both in gen 3.

1: Use that glitch to get any Pokemon as an egg and do Mew. Then, use my favorite tool of all time. Triggers PC to scan all the eggs for a shiny match with one of your saves. 

2: Just use a Japanese save and the Mystery Gift Tool to get a working ticket. Then just go do the run-away method to shiny hunt for a Mew. 

Link to comment
Share on other sites

18 minutes ago, MrCheeze said:

Ah, good to know that the Mews originally come with 15/15/15/15/15/15 in RBY... that confirms that legitimate shiny Mews can't exist. (As was the case with the original gen 1 Mew distributions, back in the day.)

The only shiny Mews that can happen, are the legit VC ones that are distributed, with their IVs changed, via glitch or arbitrary code execution glitches, or hacks.

Link to comment
Share on other sites

So considering PokeTransporter checks for Mews with the OT ゲーフリ or GF and the TID 22796, then any other English VC Mews would have to be identical to the UK one. At least that makes it easy for people to make their own VC Mew saves (which I did just now).

EDIT: Looking through the topic and seeing they used a special version of the game with Restore Points, it might be able to be replicated in the normal games (patch in the Restore Points and the GF option on the Name Select, then play normally until getting the Pokedex, then inject or trade for the Mew and make a restore point in front of the Cable Club). Since the Mews are identical anyway, it'd have the same effect.

Edited by Invader TAK
Link to comment
Share on other sites

5 hours ago, Invader TAK said:

So considering PokeTransporter checks for Mews with the OT ゲーフリ or GF and the TID 22796, then any other English VC Mews would have to be identical to the UK one. At least that makes it easy for people to make their own VC Mew saves (which I did just now).

EDIT: Looking through the topic and seeing they used a special version of the game with Restore Points, it might be able to be replicated in the normal games (patch in the Restore Points and the GF option on the Name Select, then play normally until getting the Pokedex, then inject or trade for the Mew and make a restore point in front of the Cable Club). Since the Mews are identical anyway, it'd have the same effect.

Question came up, whether the terminators were checked as well.
I'm going to check soon.

Edit:
Right now, it appears the terminators aren't really checked.
I've had a few different ones, unnicknamed, retyped the OT, and it passed. Odd.

Mew's nickname is completely not checked,
OT without the terminators still pass.

  • Like 3
Link to comment
Share on other sites
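The three OT buffers quoted earlier in the thread differ only in whether the byte after "GF" is the 0x50 terminator or 0x00, and theSLAYER's post above reports that Poké Transporter does not look at the terminators at all. The following is an added example, not code from the thread, from PKHeX, from pokered or from Poké Transporter, that decodes those exact buffers with the Gen I English text table (A-Z at 0x80-0x99, a-z at 0xA0-0xB9, space 0x7F, terminator 0x50) and compares two ways of reading them: a terminator-insensitive reading that drops 0x00 filler, which treats all three as "GF", and a byte-exact comparison, which would not. The Japanese "ゲーフリ" OT uses a different table and is not modelled.

```python
"""Decoder for the Gen I OT-name buffers quoted in the thread.

Added example; not code from the thread, PKHeX, pokered or Poké Transporter.
The 11-byte buffers are the ones posted in the thread; the character table is
the Gen I English text encoding.
"""

GEN1_TERMINATOR = 0x50

CHARMAP = {0x7F: " "}
CHARMAP.update({0x80 + i: chr(ord("A") + i) for i in range(26)})
CHARMAP.update({0xA0 + i: chr(ord("a") + i) for i in range(26)})

# The OT buffers quoted in the thread (bytes copied from the posts).
OT_HMM = bytes.fromhex("86 85 00 00 00 00 00 50 89 80 82")         # from sav.dat
OT_RUPEECLOCK = bytes.fromhex("86 85 50 00 00 00 00 50 89 80 82")  # fresh distribution
OT_BOXED = bytes.fromhex("86 85 00 00 00 00 00 50 89 80 82")       # RupeeClock's after boxing


def decode_gen1_name(buf):
    """Decode bytes up to the first 0x50 terminator.

    Returns (text, terminator_index, trailing_bytes). Bytes with no glyph in the
    table (such as 0x00) are rendered as <xx> so they stay visible; everything
    after the terminator is returned untouched as the "trash bytes".
    """
    chars = []
    for i, b in enumerate(buf):
        if b == GEN1_TERMINATOR:
            return "".join(chars), i, buf[i + 1:]
        chars.append(CHARMAP.get(b, f"<{b:02x}>"))
    return "".join(chars), None, b""


def normalized_ot(buf):
    """Terminator-insensitive reading matching what the thread observed:
    printable characters before the terminator, with 0x00 filler dropped."""
    text, _, _ = decode_gen1_name(buf)
    return text.replace("<00>", "")


def strict_ot_equal(a, b):
    """What a byte-exact check would do: compare the whole 11-byte field."""
    return bytes(a) == bytes(b)


def summarize(buf):
    """Everything the thread looked at in one dict, for a single buffer."""
    text, term, trash = decode_gen1_name(buf)
    return {
        "raw_text": text,
        "terminator_at": term,
        "trash_bytes": trash.hex(" "),
        "trash_as_text": decode_gen1_name(trash)[0],
        "normalized": normalized_ot(buf),
    }


if __name__ == "__main__":
    for label, buf in [("HMM", OT_HMM), ("RupeeClock", OT_RUPEECLOCK), ("boxed", OT_BOXED)]:
        print(label, summarize(buf))
    print("strict equal:", strict_ot_equal(OT_HMM, OT_RUPEECLOCK))
    print("normalized equal:", normalized_ot(OT_HMM) == normalized_ot(OT_RUPEECLOCK))
```

Running it shows the boxed and sav.dat buffers decode with the terminator at index 7 and five invisible 0x00 bytes in front of it, while the fresh buffer terminates at index 2; all three normalize to "GF". A byte-exact check would reject the boxed form, and since the Bank transfer described later in the thread only accepts boxed Mews, that form is the one every transferred Mew carries, which is consistent with the terminators not being part of the check.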

9 minutes ago, theSLAYER said:

Question came up, whether the terminators were checked as well..
I'm going to check soon.

Edit:
Right now, it appears the terminators aren't really checked.
I've had a few different ones, unnicknamed, retyped the OT, and it passed. odd.

So you can literally gen one that easily, that's hilarious. Now is it possible to mod Restore Points into a Gen 1 CIA so we can send infinite Mews like they did at the Japan and UK events?

Link to comment
Share on other sites

Just now, Invader TAK said:

So you can literally gen one that easily, that's hilarious. Now is it possible to mod Restore Points into a Gen 1 CIA so we can send infinite Mews like they did at the Japan and UK events?

Well, I would think if you use the old VC injections, you'll get the Restore Point Function.
Now, just inject rom, and let the title ID be the same as one of the official ones, and I'll imagine it'll work.

However, I'm not sure the old VC injections allow the trading patches they worked into the present VC model RBYG uses.

Link to comment
Share on other sites

1 minute ago, theSLAYER said:

Well, I would think if you use the old VC injections, you'll get the Restore Point Function.
Now, just inject rom, and let the title ID be the same as one of the official ones, and I'll imagine it'll work.

However, I'm not sure the old VC injections allow the trading patches they worked into the present VC model RBYG uses.

Well, there's only one way to find out! I'll try it later (if someone doesn't beat me to it), I need to get some sleep.

Link to comment
Share on other sites

Just for lols, I previously switched out Pokemon Yellow's rom with Debug Yellow ASM rom,
and I'm now documenting how A Certain Mythical Mew got across through the deep recesses of time and space.

I've changed my TID and OT (TID can't be seen here, tho)
top_0000.png

Debug Item
top_0001.png

This calls Mew as wild battle when menu is totally closed.
top_0002.png

Changes its level to 50
top_0003.png

In Battle
top_0004.png

Captured
top_0005.png

Swapped out game still recognized (cause using same Title ID as original)
top_0006.png


See, it's accepted xD
top_0007.png

 

  • Like 3
Link to comment
Share on other sites

What's most hilarious is that Poké Transporter is accepting a modified Pokémon Yellow as a save source.

It logically follows that it just checks for a matching title ID, and looks at the save contents matching that title, but still hilarious.

Of course I reckon it's probably just easier to clone/inject as many Mews as you please, like if you want Gen 1 TM moves of varying natures.

Moves like Softboiled and Whirlwind are probably the most interesting as Mew lacks access to Recover or Roar, or similar moves. Actually I think this might be the only way to get that legal Softboiled Mew that the Smogon sets use.

  • Like 1
Link to comment
Share on other sites

2 minutes ago, RupeeClock said:

What's most hilarious is that Poké Transporter is accepting a modified Pokémon Yellow as a save source.

It logically follows that it just checks for a matching title ID, and looks at the save contents matching that title, but still hilarious.

Of course I reckon it's probably just easier to clone/inject as many Mews as you please, like if you want Gen 1 TM moves of varying natures.

Moves like Softboiled and Whirlwind are probably the most interesting as Mew lacks access to Recover or Roar, or similar moves. Actually I think this might be the only way to get that legal Softboiled Mew that the Smogon sets use.

I find it hilarious too.
Yup, it just checks Title ID, and Save isn't corrupt, then proceeds to read save.

Also, they didn't bother to language lock, too,
Since Japanese 3DS shouldn't have English Pokemon, if I'm not mistaken.

Yeah, it'll be fun to clone a bunch of Mews, get access to unique movesets and all.
I purchased my Pokemon Bank subscription right before it came online xD

  • Like 1
Link to comment
Share on other sites
