theSLAYER Posted May 12, 2017
Hello Everyone! The purpose of this thread is to research grabbing of WC7FULL from RAM dumps from Local Wireless/Infrared events. This thread will definitely get technical, however I'll try to simplify details wherever I can. Some screenshots are outdated, but the principle applies.

What you'll need:
1. CFW (Preferably Luma on A9LH)
2. NTR (this implementation works great)
3. A save manager (I think this is what I have)

Steps inside:

1. Backup your save before you collect the event.
   It'll also be good if you have multiple saves with different TID/SID/OT combination. (in case the distribution system logs and restricts connectivity from the same TID/SID/OT combo)
2. Launch NTR before playing Pokemon
   NTR needs to be relaunched per 3DS reboot.
   If on O3DS/O3DSXL/2DS, make sure you're using the Mode-3 version build (N3DS/N3DSXL can use the normal build)
   Launch 3.2 (it's the most stable)
3. Launch game, prepare to collect wonder card, but don't collect it.
   Basically, hover at the screen that shows you collection. As seen above, you can still see the Silver/Gray Bar.
   For Gen 6, make sure you hover on "NO"
   If you are at a Local Infrared event, or there's Nintendo/Pokemon staff around, put your 3DS to sleep while maintaining that screen above, and walk to somewhere safe first. (the data should already be in RAM)
4. Access NTR Menu
   This is done by holding X&Y buttons simultaneously. It pops up on the bottom screen
5. Identify Process ID
   Serial Code/Online: BOSS process
   Local Wireless/Infrared: Momiji (USUM), Niji_loc (SM), Sango-1 (XY), Sango-2 (ORAS)
   The Process ID usually changes, but it's around the same location (usually) so Process Manager > Process List > (look at a number) > Info
   As seen below:
6. Dump Ram!
   Get back to the Process screen, choose Dump. Now, select 0x08000000, but if we can't find what we're looking for, has to be done by trial and error.
   As seen here: (select dump, not info)
   During this stage, in gen 7, it may cause the Mystery Gift to be accepted. (Cause NTR Menu keypresses may overflow back into the game) which is why Step 1 required you to backup save before doing any of this.
7. Wait for NTR Menu to pop back up
   NTR Menu will pop back up once dumping is complete. If the area to dump is big, it may take a while.

Video Tutorial (thanks to @ReignOfComputer)
theSLAYER Posted May 12, 2017 Author
WC7FULL Documentation

Offset          Description
0x00-0x03       Allowed Receiving Game (Bit 0 - Sun, Bit 1 - Moon). Bit 2 and 3 likely used by Ultra Sun and Ultra Moon
0x04-0x01FD     Distribution Text
0x01FE          0x01 - Speculated Halo Effect (Receiving Animation)
0x01FF          0x00 - Any Language. Otherwise must be language ID
0x0200          0x01 - Receive One Per Day
0x0201          WC Sub-ID
0x0202-0x0203   WC7FULL Checksum
0x0204          Number of WCs in Set. If this value is 1 more than the number of WCs in the set then the set can only be received once even though it is technically repeatable. (example, WCID 244 anime pokemon)
0x0205-0x0207   Gen 6: 0x464646. Gen 7: 0x004646. 0x205 used for randomization weight in Gen 7
0x0208-0x030F   WC7 Data

This post by @Purin was referenced, for the purposes of this documentation.

Local Wireless WC7FULL Location in Ram Dump

0x3FA4A4 in ram dump, size of WC7FULL is 0x310. Next WC7FULL immediately follows. (0x3FA7B4)
There is a hard limit of 20 WCs, whether random or not. If there are multiple wondercards with separate WCIDs and they are not flagged to be random or part of a set, then the game will receive all of them.
Next data found is 0x3FF4A4, so likely can't fit till here. (Max size till here, is 25 wonder cards)

edit: So far, Halo appeared on only Marshadow, and Ash Cap Pikachu
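Added example (not part of the original posts, and not the WFR Dumper tool mentioned later in the thread): a Python parser that walks the back-to-back 0x310-byte records from 0x3FA4A4 and splits each one into the fields of the table above. Little-endian byte order, the plausibility check in `looks_like_wc7full` and the marker-based `scan_for_base` fallback are assumptions of this example, not documented behaviour.

```python
import struct

WC7FULL_SIZE = 0x310       # record size, from the post
BASE_OFFSET = 0x3FA4A4     # first record in the niji_loc dump, from the post
MAX_RECORDS = 20           # hard limit stated in the post
GEN7_MARKER = b"\x46\x46"  # bytes 0x206-0x207 in Gen 7 (0x205 is the weight)

def parse_wc7full(rec):
    """Split one 0x310-byte record into the documented fields."""
    games, = struct.unpack_from("<I", rec, 0x00)      # little-endian assumed
    checksum, = struct.unpack_from("<H", rec, 0x202)  # stored value, not verified
    return {
        "games": [n for bit, n in enumerate(("Sun", "Moon")) if games >> bit & 1],
        "halo": rec[0x1FE] == 0x01,
        "language": rec[0x1FF],                       # 0x00 = any language
        "once_per_day": rec[0x200] == 0x01,
        "sub_id": rec[0x201],
        "checksum": checksum,
        "set_count": rec[0x204],
        "weight": rec[0x205],
        "wc7": rec[0x208:0x310],                      # embedded WC7 data
    }

def looks_like_wc7full(rec):
    """Assumed plausibility check: Gen 7 marker, game bits 0-3 only, 0/1 flags."""
    if len(rec) < WC7FULL_SIZE or rec[0x206:0x208] != GEN7_MARKER:
        return False
    games, = struct.unpack_from("<I", rec, 0x00)
    return 0 < games < 0x10 and rec[0x1FE] <= 1 and rec[0x200] <= 1

def extract_wc7full(dump, base=BASE_OFFSET):
    """Walk back-to-back records from base; stop at the first implausible one."""
    found = []
    for off in range(base, base + MAX_RECORDS * WC7FULL_SIZE, WC7FULL_SIZE):
        rec = dump[off:off + WC7FULL_SIZE]
        if not looks_like_wc7full(rec):
            break
        found.append((off, parse_wc7full(rec)))
    return found

def scan_for_base(dump):
    """Fallback when the fixed offset misses: locate the marker, test the candidate."""
    pos = dump.find(GEN7_MARKER)
    while pos != -1:
        if pos >= 0x206 and looks_like_wc7full(dump[pos - 0x206:pos - 0x206 + WC7FULL_SIZE]):
            return pos - 0x206
        pos = dump.find(GEN7_MARKER, pos + 1)
    return None
```

Pass the raw bytes of the dump file to `extract_wc7full`; if it returns an empty list and `scan_for_base` finds an offset, call `extract_wc7full` again with that offset as `base`.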
Guest Posted May 13, 2017
I was actually working with @Bond697 to get wireless wc7full dumps much easier, but he hasn't replied to me since April 19, I wonder if he's okay.

theSLAYER Posted May 13, 2017 Author
Now that Japan is doing Local Wireless for the Eevees, if this isn't too much trouble to test: @argus1963 @ReignOfComputer @ajxpk
//--shifted down--//
is there a working concept right now, like which process for example? I don't regularly have communications with him, but I think somewhat talks to him about Overwatch (think I just saw it in the IRC, but didn't see his response)

theSLAYER Posted May 14, 2017 Author
Update: It appears BOSS dumps didn't work out. ROC will do one last check on BOSS dumps tonight. We are also testing NWM service dumps, as based on 3dbrew, it handles Local Wireless communications.

ReignOfComputer Posted May 14, 2017
Dumped Boss, NWM, and niji_loc. Sent to @theSLAYER and @Sabresite again. One last try in 3 days if needed
theSLAYER Posted May 14, 2017 Author
@ReignOfComputer I'm still analyzing your dumps, and something interesting happened! It seems like the entire distribution is held by the game, then chosen at random! I'm completely through it, but there are WC7FULL for Vaporeon, Jolteon and Flareon in your Day 2 - N3DS Dump - dump_pid2f_6.dmp (which process and offset was that again?)

//----------edit----------//
The dump_pid2f_6.dmp was the only dump that yielded any WC7FULL (I believe this is Niji_loc, at 0x800000 right)

I theorize that this is the same process for Infrared events, and you could probably dump it using NTR by walking away from the counter, meaning:
1. Launch NTR, then Launch game
2. Queue up
3. When it's your turn, get the event, but keep at this screen and put your 3DS to sleep
4. Walk away from the counter and crowd
5. Open back up 3DS, while staying on that screen, go to NTR and dump the desired process

This way, you get all relevant events at one shot (won't have to re-queue for eggs, for example)

Once I get confirmation from ROC, @BLACKBIRD @katsuya @argus1963 @Kirzi may wanna take note of this method, and perhaps get familiarized with it, as you guys are the most likely to get Local Wireless or Infrared events

our first ever Local Wireless WC7FULL.rar
ReignOfComputer Posted May 14, 2017
That should be niji_loc, yes, though I'm not sure which offset that was. This is cool stuff

Does O3DS > dump_pid28_0.dmp have the WC7FULL as well? I think both that and 2f_6.dmp are from 0x00100000 actually. I'm not too sure >.<

Nevermind, 28_0.dmp is from 0x00100000 and 2f_6.dmp should be from 0x8000000.

theSLAYER Posted May 14, 2017 Author
6 minutes ago, ReignOfComputer said:
> That should be niji_loc, yes, though I'm not sure which offset that was. This is cool stuff
> Does O3DS > dump_pid28_0.dmp have the WC7FULL as well? I think both that and 2f_6.dmp are from 0x00100000 actually. I'm not too sure >.<

Nope, it doesn't have. Also your 28_0 shares the same internal header information as your 2f_5, and your 2f_6 header is different. It's likely your 28_0 and 2f_5 are the same offset, and 2f_6 is the next offset

ReignOfComputer Posted May 14, 2017
@theSLAYER I edited my message after posting it, oops. 28_0.dmp is from 0x00100000 and 2f_6.dmp should be from 0x8000000.
theSLAYER Posted May 14, 2017 Author
The tutorial in the first post has been updated to reflect the new information!

theSLAYER Posted May 21, 2017 Author
@ReignOfComputer's video tutorial added to first post! (look at how fast he scrolls through, looking for niji_loc)

Sabresite Posted May 21, 2017
@theSLAYER, Ash hat Pikachu has a flag or something set at 0x1fe. Thoughts on this?

Guest Posted May 21, 2017
Probably a flag for the "special animation" during downloading? I remember a flag like this also existed in Gen 5 and 6 full wondercards.

theSLAYER Posted May 22, 2017 Author
Good Eye @Sabresite! Not sure why it's there, tho. I don't recall noticing the animation being different or something. If it's movie related, I guess we'll only know when we grab the Marshadow or Ho-oh.

Johnwraight Posted May 22, 2017
Awesome guide! Just wanted to say that I am fully committed to contributing any wc7full events that are ever released in Scotland, maybe even the rest of the United Kingdom if I'm able to attend them.

Sabresite Posted May 24, 2017
Unfortunately there will probably be no local wireless events outside of Japan. It was unique for Germany to have a Nintendo Zone event.

Johnwraight Posted June 5, 2017
can the new b9s loaders Rosalina menu now be used to extract wondercard data? I wanted to try it but I've nothing to redeem right now
Guest Posted June 5, 2017
On 6/6/2017 at 4:52 AM, Johnwraight said:
> can the new b9s loaders Rosalina menu now be used to extract wondercard data? I wanted to try it but I've nothing to redeem right now

Well, can you dump RAM with Rosalina? Then it can be used.

theSLAYER Posted June 5, 2017 Author
@Johnwraight & @Purin as far as I could tell, based on me fiddling around with it just now, Rosalina doesn't support native ram dumping without connecting a computer running the debugger. (which is minimally what we need, in order to dump Local Wireless or Infrared events)
theSLAYER Posted June 22, 2017 Author
Based on existing RAM Dumps, I've made a mini program to easily dump the WC7FULL out of the ram dumps! So far it only reads from the same addresses, and works with the RAM we got from ROC previously!

edit: it's been updated for more dynamic searching.

Sabresite Posted November 18, 2017
@argus1963, I believe @theSLAYER needs to update WFR Dumper before we can use it with USUM. Meanwhile, if you need help to manually find/extract the dump, please PM me. Thank you for your help. Oh and regarding the other thread about Rotom Powers, I deleted the thread because I forgot we already had one.

theSLAYER Posted November 18, 2017 Author
2 minutes ago, Sabresite said:
> @argus1963, I believe @theSLAYER needs to update WFR Dumper before we can use it with USUM. Meanwhile, if you need help to manually find/extract the dump, please PM me. Thank you for your help. Oh and regarding the other thread about Rotom Powers, I deleted the thread because I forgot we already had one.

Pass me USUM ram dumps, and I can see where the location is. (I'm not sure if the scanning function is still there. If it is, it'll technically work)

Deoxyz Posted November 18, 2017
Well if it means anything, I dumped the Rockruff wc7fulls for my personal archives and used WFR Dumper without any problem.