Jump to content

GEN 6/7 - NTR RAM Dump for Local Wireless WCFULL Data


Recommended Posts

Hello Everyone!
Purpose of this thread, is to research grabbing of WC7FULL from RAM dumps from Local Wireless/Infrared events.

This thread will definitely get technical, however I'll try to simplify details wherever I can.
Some screenshots are outdated, but the principle applies.


What you'll need:
1. CFW (Preferably Luma on A9LH)
2. NTR (this implemention works great)
3. A save manager (I think this is what I have)
 

Steps inside:

Spoiler
  1. Backup your save before you collect the event.
    It'll also be good if you have multiple saves with different TID/SID/OT combination.

    (in case the distribution system logs and restricts connectivity from the same TID/SID/OT combo)
     
  2. Launch NTR before playing Pokemon
    NTR needs to be relaunched per 3DS reboot.
    EWuJOLV.png

    If on O3DS/O3DSXL/2DS, make sure you're using the Mode-3 version build
    Capture2.PNG

    (N3DS/N3DSXL can use the normal build)

    Launch 3.2 (it's the most stable)
     
  3. Launch game, prepare to collect wonder card, but don't collect it.
    Basically, hover at the screen that shows you collection.
    59118f8f3607a_2017-05-0910_32_36.thumb.jpg.e979317302bcf6d6dc9b7aeec3570d3e.jpg
    As seen above, you can still see the Silver/Gray Bar.

    For Gen 6, make sure you hover on "NO"
    F8317dd.jpg&key=12a7312e2d0569a83d62b2fc

    If you are at a Local Infrared event, or there's Nintendo/Pokemon staff around,
    Put your 3DS to sleep while maintaining that screen above,
    and walk to somewhere safe first.
    (the data should already be in RAM)


     
  4. Access NTR Menu
    This is done by holding X&Y buttons simultaneously.
    It pops up on the bottom screen
    PZyuDFG.jpg&key=eab43a91bb7c694364020c15
     
  5. Identify Process ID

    Serial Code/Online: BOSS process
    Local Wireless/Infrared: MomijiUSUMNiji_locSM, Sango-1XY, Sango-2ORAS

    The Process ID usually changes, but it's around the same location (usually)

    so Process Manager > Process List > (look at a number) > Info
    As seen below:
    zdPl9n1.jpg&key=944d4edc002ad9b156963b78    j6OaDK2.jpg?1&key=f6a043fa9f19b914b63c4bPYzVUKb.jpg?1&key=0d9280ad930e09679ab60e
     
  6. Dump Ram!
    Get back to the Process screen, choose Dump.
    Now, select 0x08000000,
    but if we can't find what we're looking for, has to be done by trial and error.

    As seen here: (select dump, not info)
    j6OaDK2.jpg?1&key=f6a043fa9f19b914b63c4b9k=
    During this stage, in gen 7,
    it may cause the Mystery Gift to be accepted.
    (Cause NTR Menu keypresses may overflow back into the game)
    which is why Step 1 required you to backup save before doing any of this.
     
  7. Wait for NTR Menu to pop back up
    NTR Menu will pop back up once dumping is complete.
    If the area to dump is big, it may take a while.


Video Tutorial (thanks to @ReignOfComputer)

  • Like 4
  • Ditto 1
Link to comment
Share on other sites

WC7FULL Documentation

Offset Description
 0x00-0x03  Allowed Receiving Game (Bit 0 - Sun, Bit 1 - Moon)
Bit 2 and 3 likely used by Ultra Sun and Ultra Moon
0x04-0x01FD Distribution Text
0x01FE 0x01 - Speculated Halo Effect
(Receiving Animation)
0x01FF 0x00 - Any Language
Otherwise must be language ID
0x0200 0x01 - Receive One Per Day
 0x0201  WC Sub-ID
 0x0202-0x0203  WC7FULL Checksum
0x0204  Number of WCs in Set
If this value is 1 more than the number of
WCs in the set then the set can only be
received once even though it is 
technically
repeatable.
(example, WCID 244 anime pokemon)
 0x0205-0x0207  Gen 6: 0x464646
Gen 7: 0x004646
0x205 used for randomization weight in Gen 7
 0x0208-0x030F  WC7 Data

This post by @Purin was referenced, for the purposes of this documentation.


Local Wireless WC7FULL Location in Ram Dump
0x3FA4A4 in ram Damp, size of WC7FULL is 0x310.
Next WC7FULL immediately follows. (0x3FA7B4)

There is a hard limit of 20 WCs, whether random or not.  If there are multiple wondercards with separate WCIDs and they are not flagged to be random or part of a set, then the game will receive all of them.

Next data found is 0x3FF4A4, so likely can't fit till here.
(Max size till here, is 25 wonder cards)


edit:
So far, Halo appeared on only Marshadow, and Ash Cap Pikachu

Spoiler

halo1.PNGhalo2.PNG

 

Link to comment
Share on other sites

Now that Japan is doing Local Wireless for the Eevees, if this isn't too much trouble to test:
@argus1963 @ReignOfComputer @ajxpk

//--shifted down--//

is there a working concept right now, like which process for example?

I don't regularly have communications with him, but I think somewhat talks to him about overwatch (think I just saw it in the IRC, but didn't see his resposne)

Link to comment
Share on other sites

@ReignOfComputer I'm still analyzing your dumps, and something interesting happened!

It seems like the entire distribution is held by the game, then chosen at random!

I'm completely through it, but there are WC7FULL for Vaporeon, Jolteon and Flareon in your Day 2 - N3DS Dump - dump_pid2f_6. dmp
(which process and offset was that again?)


//----------edit----------//
The dump_pid2f_6.dmp was the only dump that yielded any WC7FULL (I believe this is Niji_loc, at 0x800000 right)

I theorize that this is the same process for Infrared events,
and you could probably dump it using NTR by walking away from the counter, meaning:
1. Launch NTR, then Launch game
2. Queue up
3. when its your turn, get the event, but keep at at this screen and put your 3DS to sleep
    IMG_8978.JPG.2f5300433f12f9fe5b9356831c3
4. Walk away from the counter and crowd
5. Open back up 3DS, while staying on that screen, go to NTR and dump the desired process

This way, you get all relevant events at one shot (won't have to re-queue for eggs, for example)

 

Once I get confirmation from ROC,
@BLACKBIRD @katsuya @argus1963@Kirzi may wanna take note of this method, and perhaps get familiarized with it,
as you guys are the most likely to get Local Wireless or Infrared events :)

our first ever Local Wireless WC7FULL.rar

  • Like 5
Link to comment
Share on other sites

6 minutes ago, ReignOfComputer said:

That should be niji_loc, yes, though I'm not sure which offset that was.

This is cool stuff :)

Does O3DS > dump_pid28_0.dmp have the WC7FULL as well? I think both that and 2f_6.dmp are from 0x00100000 actually. I'm not too sure >.<

Nope, it doesn't have.
Also your 28_0 shares the same internal header information as your 2f_5,
and your 2f_6 header is different.


It's likely your 28_0 and 2f_5 are the same offset,
and 2f_6 is the next offset

 

Link to comment
Share on other sites

Probably a flag for the "special animation" during downloading? I remember a flag like this also existed in Gen 5 and 6 full wondercards.

Link to comment
Share on other sites

  • 2 weeks later...
On 6/6/2017 at 4:52 AM, Johnwraight said:

can the new b9s loaders Rosalina menu now be used to extract wondercard data? I wanted to try it but I've nothing to redeem right now :)
5935a84a84e27_2017-06-0519_48_40.thumb.jpg.9eb084bb05cc5cd823217d8da62de675.jpg

Expand  

Well, can you dump RAM with Rosalina? Then it can be used.

Link to comment
Share on other sites

  • 3 weeks later...
2 minutes ago, Sabresite said:

@argus1963, I believe @theSLAYER needs to update WFR Dumper before we can use it with USUM.  Meanwhile, if you need help to manually find/extract the dump, please PM me.  Thank you for your help.  Oh and regarding the other thread about Rotom Powers, I deleted the thread because I forgot we already had one.

Pass me USUM ram dumps, and I can see where the location is.

(I'm not sure if the scanning function is still there. If it is, it'll technically work)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...