Jump to content
This Topic

Codes for Pokemon Ranger 1 and 2

Pokedoc

By Pokedoc
in RAM - NDS Cheats

 Share

Recommended Posts

Pokedoc

Pokedoc

Posted
Posted

Since HG/SS is still two weeks away here in Europe, I got bored and made some AR codes for the Ranger games. These codes will reset the one-time-per-cart events, i.e. the Manaphy Eggs, Riolu and Darkrai.

Pokemon Ranger:

(use only one of these codes at once)

Reset Manaphy Egg

22134828 00000001

2213482a 00000000

Reset Manaphy Mission

22134828 00000003

2213482a 00000001

Pokemon Ranger 2:

Reset Manaphy Egg

220b0268 00000000

Reset Kyle Riolu

220b027c 00000000

Reset Almia Darkrai

220b0290 00000000

To make the reset permanent, just enter the regular game and save. (Of course, sending something without the code removes it again.)

The codes work on the European versions of Ranger 1 and 2, tested with the game language set to German. They *should* work with other languages on the European version, too. I have no idea if they work with other versions. I am especially curious if these codes can trigger the Ranger 1 Manaphy mission on a Japanese cart, where the mission was activated using a different mechanism.

icorez

icorez

Posted
Posted

Hi, i want to ask you if these codes unlock the special mission ( Manaphy, Riolu and Darkrai)..I didn't unlok special missions in the past by wifi..do you know how unlock them now?..I tried searching in internet but I found nothing..thanks

interested too a .sav file!!

bye and thanks!

  • 4 months later...
kamcbk

kamcbk

Posted
Posted

Can you make these same AR codes, but for the American Version? I tested your Manaphy codes on an American Pokemon Rangers cart and it didn't work. May you please make a AR code for the American Version!!!

  • 5 months later...
  • 3 weeks later...
  • 8 years later...
DeadSkullzJr

DeadSkullzJr

Posted
Posted

Pokemon Ranger (USA)

  Reveal hidden contents

Pokemon Ranger (Europe)

  Reveal hidden contents

The Japanese versions handled the missions differently and I would have to do more extensive work to see if I can make the missions work for Ranger 1.

Guest

Guest

Posted
Posted

Japanese ranger 1 was rather interesting. if i recall right, it had two ways of mission downloading, slot 2 (this is where decchi.bin's title screen came from) and ds local wireless.

oh and the downloaded data was really the mission data, it was not just a flag as the data was not inside the game ROM. might be possible to create own missions for the game and distribute them to japanese games 🤔

DeadSkullzJr

DeadSkullzJr

Posted
Posted
  On 10/24/2019 at 7:18 PM, Purin said:

Japanese ranger 1 was rather interesting. if i recall right, it had two ways of mission downloading, slot 2 (this is where decchi.bin's title screen came from) and ds local wireless.

oh and the downloaded data was really the mission data, it was not just a flag as the data was not inside the game ROM. might be possible to create own missions for the game and distribute them to japanese games 🤔

Expand  

Mind explaining the slot 2 method please?

Guest

Guest

Posted
Posted
  On 10/24/2019 at 8:03 PM, DeadSkullzJr said:

Mind explaining the slot 2 method please?

Expand  

when booting the ranger 1 game, it checks the cartridge inserted into slot-2 of the ds handheld and if it contained valid distribution mission data, it would download this data from there and store it in the savegame.

DeadSkullzJr

DeadSkullzJr

Posted
Posted
  On 10/24/2019 at 8:35 PM, Purin said:

when booting the ranger 1 game, it checks the cartridge inserted into slot-2 of the ds handheld and if it contained valid distribution mission data, it would download this data from there and store it in the savegame.

Expand  

Going to assume said cart was never dumped. I have some type of slot 2 distribution dump flashed to NOR, it has a Japanese Ranger icon with the ID ZP3J. I thought it was the ID for the NDS Japanese game, however since the retail uses a different ID, I tried to play it smart by changing the ID, seeing if the data would transfer then. Nope, so I am unsure where to go next for the Japanese missions. I have a Japanese save with all the missions except Mew on it (came from this forum), and have beeing trying to figure out how I can write the data with cheats that way, so far it hasn't worked to the point that the missions actually load yet.

Guest

Guest

Posted
Posted

Yes, the japanese distribution cart for the manaphy+deoxys missions was AGB-ZP3J-JPN and internally called "ポケモンレンジャー Wミッション配布ROM"

maybe @ajxpk is interested in reverse engineering the boot process of the japanese ranger 1 game in order to recreate this cartridge? i think chances are good it's possible.

DeadSkullzJr

DeadSkullzJr

Posted
Posted
  On 10/24/2019 at 8:58 PM, Purin said:

Yes, the japanese distribution cart for the manaphy+deoxys missions was AGB-ZP3J-JPN and internally called "ポケモンレンジャー Wミッション配布ROM"

maybe @ajxpk is interested in reverse engineering the japanese ranger 1 game in order to recreate this cartridge? i think chances are good it's possible.

Expand  

Good thing I made cheats for the Fiore browser, worst case scenario players can use my new codes once I post them to complete their browser for the Japanese games if they wish.

https://i.postimg.cc/3xnSVz64/Pokemon-Ranger-Japan-28843.png

Guest

Guest

Posted
Posted (edited)

Hey there! Haven’t been active for a while, but I’m watching what’s going on... always happy to see someone interested to support research.

I’m not sure if the gallery in this forum had been updated but we actually do have a save file with all the downloadable missions including the Mew one, the save file can be found here.

The big issue was in fact, as you can imagine, that those have been played already and we’re very interested in resetting them back to original state and it would be cool to inject them in other save files. Unfortunately the Pokémon Ranger save files are encrypted and we don’t have the decryption algorithm.

@Purin is right that I could reverse engineer it as I have learned how to read assembly code for ARM architecture. But I’m too busy with my private life now and there are other Pokémon related projects with higher priority. Even if I would do it, it might take me a long time and I’m not sure if it’s worth the time and effort.

Besides I think it should be doable even without reverse engineering by just memory research. The data must be decrypted in memory and might be available for edit from there and when you save the data the change becomes permanent. All it needs is someone with patience to find the exact location. I suggest using another save file where downloadable missions are still unplayed and then clear them, compare data from before and after and see what changed.

Edited by ajxpk
lol, I mixed up decryption/encryption
DeadSkullzJr

DeadSkullzJr

Posted
Posted (edited)
  On 10/24/2019 at 11:02 PM, ajxpk said:

Hey there! Haven’t been active for a while, but I’m watching what’s going on... always happy to see someone interested to support research.

I’m not sure if the gallery in this forum had been updated but we actually do have a save file with all the downloadable missions including the Mew one, the save file can be found here.

The big issue was in fact, as you can imagine, that those have been played already and we’re very interested in resetting them back to original state and it would be cool to inject them in other save files. Unfortunately the Pokémon Ranger save files are decrypted and we don’t have the encryption algorithm.

@Purin is right that I could reverse engineer it as I have learned how to read assembly code for ARM architecture. But I’m too busy with my private life now and there are other Pokémon related projects with higher priority. Even if I would do it, it might take me a long time and I’m not sure if it’s worth the time and effort.

Besides I think it should be doable even without reverse engineering by just memory research. The data must be encrypted in memory and might be available for edit from there and when you save the data the change becomes permanent. All it needs is someone with patience to find the exact location. I suggest using another save file where downloadable missions are still unplayed and then clear them, compare data from before and after and see what changed.

Expand  

I already did just that, I know exactly where the data is, however it's not as simple as copy and paste unfortunately. I was up all night doing multiple attempts, each of which failed. The closest so far that I have gotten was getting the missions to actually show up, but the code I made is pretty lengthy just to make it do that. Launching missions isn't successful either, all of them end up erasing themselves, if you launch all of the missions then Ranger Net itself disappears (I guess since there is no reason for it to stick around if no missions for it exist).

I did research in both memory AND the save itself.

Edited by DeadSkullzJr
Guest

Guest

Posted
Posted
  On 10/25/2019 at 4:16 AM, DeadSkullzJr said:

Alright so I beat the game with that save, and managed to make the two missions fresh again:

https://i.postimg.cc/QCHmd6Hd/Pokemon-Ranger-Japan-12756.png

Expand  

Awesome! Congratulations! And you say copying + pasting the mission data into another save file didn’t worked?

Can you share the memory locations? Just for the record and just in case if others want to participate in the research. If there’s no success I might take a look later once I have time again.

Knowing the memory locations is also important in case of reverse engineering, because then I can see which subroutines reading from those locations and this way determine the responsible subroutines. 

As far as the cartridge goes, if it’s a Slot-2 one then, there’s still a lot I would need to learn about how it works. But shouldn’t be as difficult as if it’s coming from another NDS, in that case it’s impossible for me, because of the lack of debug tools to research this scenario...

DeadSkullzJr

DeadSkullzJr

Posted
Posted (edited)
  On 10/25/2019 at 9:42 AM, ajxpk said:

Awesome! Congratulations! And you say copying + pasting the mission data into another save file didn’t worked?

Can you share the memory locations? Just for the record and just in case if others want to participate in the research. If there’s no success I might take a look later once I have time again.

Knowing the memory locations is also important in case of reverse engineering, because then I can see which subroutines reading from those locations and this way determine the responsible subroutines. 

As far as the cartridge goes, if it’s a Slot-2 one then, there’s still a lot I would need to learn about how it works. But shouldn’t be as difficult as if it’s coming from another NDS, in that case it’s impossible for me, because of the lack of debug tools to research this scenario...

Expand  

Everything I put together so far related to the missions, I put it together in a plain basic format purely for testing purposes.

  Reveal hidden contents

This is part of the missions data, just located in a deeper part of the memory.

  Reveal hidden contents

I have no clue if this helps any, sorry if it's not organized the way you wish it to be, usually I do all the organization and what not needed after gathering the data I need. Mind you this isn't complete and I will likely keep looking/adding into this. I split the codes up based on mission data so hopefully that helps a little bit. The data is pretty raw in terms of how it's handled in memory, all the numbers and what not throughout the code lines is mostly the bytes that make up the Japanese characters for the missions, the data for the mission itself is at the top of each of them. Can't use just those addresses though because then the game would crash trying to understand the blank mission lol.

 

WARNING:

Yes these are cheat codes, HOWEVER, I advise you NOT TO USE ANY OF THESE CODES ABOVE, doing so will render data that doesn't work due to the lack of data needed based on testing and ultimately will taint your perfect saves if you do (maybe even corrupt it). This is purely for documentation purposes, you have been warned.

 

P.S.

If you can't read that warning above, I recommend seeing your eye doctor ASAP and getting yourself a nice set of glasses and or contacts of your liking. The warning isn't a joke.

Edited by DeadSkullzJr
Guest

Guest

Posted
Posted
  On 10/25/2019 at 9:42 AM, ajxpk said:

As far as the cartridge goes, if it’s a Slot-2 one then, there’s still a lot I would need to learn about how it works. But shouldn’t be as difficult as if it’s coming from another NDS, in that case it’s impossible for me, because of the lack of debug tools to research this scenario...

Expand  

chances are it just works as a data storage device, just like other slot-2 distributions in Gen 4.
by theory, we just need to put the data in the correct offset inside the GBA rom and put it on a flashcart and it should work. just like decchi.bin for d/p 🤔

Guest

Guest

Posted
Posted

@DeadSkullzJr Wow, so this is the dumped data from these missions? And what did you change do make them appear as ”New!”? Looking forward to see when you have mapped the data out a little bit. Also @BlackShark has been interested in it before, maybe he can help with stuff.

  On 10/25/2019 at 6:52 PM, Purin said:

chances are it just works as a data storage device, just like other slot-2 distributions in Gen 4.
by theory, we just need to put the data in the correct offset inside the GBA rom and put it on a flashcart and it should work. just like decchi.bin for d/p 🤔

Expand  

Sounds interesting to me. Of course I would be interested to look at the ROM and see what’s there. 

DeadSkullzJr

DeadSkullzJr

Posted
Posted (edited)
  On 10/25/2019 at 10:42 PM, ajxpk said:

@DeadSkullzJr Wow, so this is the dumped data from these missions? And what did you change do make them appear as ”New!”? Looking forward to see when you have mapped the data out a little bit. Also @BlackShark has been interested in it before, maybe he can help with stuff.

Sounds interesting to me. Of course I would be interested to look at the ROM and see what’s there. 

Expand   
0212D8C8 000F0000

The address above uses that value by default for new missions added, at least for the Japanese version.

0212D8C8 000F0000

0F - New Missions (Changes when completing missions, also different depending on the missions you have, 0F is for all the missions, also works slightly different in the other regional versions since you can’t have all the missions at once as “new”)

00 - Is used in the other regional versions to determine if Ranger Net is enabled or not, as well as the password system, however this does nothing in the Japanese version.

00 - Manaphy Egg (00 - Mission wasn’t completed, 01 - Egg, 02 - Egg Transferred, in the other regions this is actually the byte for the Manaphy mission itself, 00 - No Mission, 01 - Mission Complete which renders the egg, 03 - Mission Not Completed/Mission Available)

I still need to grab the byte for when you transfer the egg, nonetheless, that helps hopefully.

Edited by DeadSkullzJr
Guest

Guest

Posted
Posted (edited)

Very interesting! Thanks!

The hex value 0xF translates to 0b1111. Each bit represents 1 mission.

0x1 + 0x2 + 0x4 + 0x8 = 0xF

Edited by ajxpk
Guest

Guest

Posted
Posted (edited)

Yeah that’s because the Mew Mission is the 4th bit flag, which adds 0x8.

Bit 0: Manaphy Egg Mission

Bit 1: Deoxys Mission

Bit 2: Celebi Mission

Bit 3: Mew Mission

Edited by ajxpk

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...