Jump to content

Recommended Posts

Posted

Since HG/SS is still two weeks away here in Europe, I got bored and made some AR codes for the Ranger games. These codes will reset the one-time-per-cart events, i.e. the Manaphy Eggs, Riolu and Darkrai.

Pokemon Ranger:

(use only one of these codes at once)

Reset Manaphy Egg

22134828 00000001

2213482a 00000000

Reset Manaphy Mission

22134828 00000003

2213482a 00000001

Pokemon Ranger 2:

Reset Manaphy Egg

220b0268 00000000

Reset Kyle Riolu

220b027c 00000000

Reset Almia Darkrai

220b0290 00000000

To make the reset permanent, just enter the regular game and save. (Of course, sending something without the code removes it again.)

The codes work on the European versions of Ranger 1 and 2, tested with the game language set to German. They *should* work with other languages on the European version, too. I have no idea if they work with other versions. I am especially curious if these codes can trigger the Ranger 1 Manaphy mission on a Japanese cart, where the mission was activated using a different mechanism.

Posted

Hi, i want to ask you if these codes unlock the special mission ( Manaphy, Riolu and Darkrai)..I didn't unlok special missions in the past by wifi..do you know how unlock them now?..I tried searching in internet but I found nothing..thanks

interested too a .sav file!!

bye and thanks!

  • 4 months later...
Posted

Can you make these same AR codes, but for the American Version? I tested your Manaphy codes on an American Pokemon Rangers cart and it didn't work. May you please make a AR code for the American Version!!!

  • 5 months later...
  • 3 weeks later...
  • 8 years later...
Posted

Pokemon Ranger (USA)

Spoiler

Manaphy Mission Codes

Restart Mission
(Press L+R+Select)
94000130 FCFB0000
2212F448 00000003
D2000000 00000000

Complete Mission for Egg
(Press L+R+Select)
94000130 FCFB0000
2212F448 00000001
D2000000 00000000

 

Pokemon Ranger (Europe)

Spoiler

Manaphy Mission Codes

Restart Mission
(Press L+R+Select)
94000130 FCFB0000
22134828 00000003
D2000000 00000000

Complete Mission for Egg
(Press L+R+Select)
94000130 FCFB0000
22134828 00000001
D2000000 00000000

 

The Japanese versions handled the missions differently and I would have to do more extensive work to see if I can make the missions work for Ranger 1.

Posted

Japanese ranger 1 was rather interesting. if i recall right, it had two ways of mission downloading, slot 2 (this is where decchi.bin's title screen came from) and ds local wireless.

oh and the downloaded data was really the mission data, it was not just a flag as the data was not inside the game ROM. might be possible to create own missions for the game and distribute them to japanese games 🤔

Posted
43 minutes ago, Purin said:

Japanese ranger 1 was rather interesting. if i recall right, it had two ways of mission downloading, slot 2 (this is where decchi.bin's title screen came from) and ds local wireless.

oh and the downloaded data was really the mission data, it was not just a flag as the data was not inside the game ROM. might be possible to create own missions for the game and distribute them to japanese games 🤔

Mind explaining the slot 2 method please?

Posted
On 10/25/2019 at 7:03 AM, DeadSkullzJr said:

Mind explaining the slot 2 method please?

when booting the ranger 1 game, it checks the cartridge inserted into slot-2 of the ds handheld and if it contained valid distribution mission data, it would download this data from there and store it in the savegame.

Posted
10 minutes ago, Purin said:

when booting the ranger 1 game, it checks the cartridge inserted into slot-2 of the ds handheld and if it contained valid distribution mission data, it would download this data from there and store it in the savegame.

Going to assume said cart was never dumped. I have some type of slot 2 distribution dump flashed to NOR, it has a Japanese Ranger icon with the ID ZP3J. I thought it was the ID for the NDS Japanese game, however since the retail uses a different ID, I tried to play it smart by changing the ID, seeing if the data would transfer then. Nope, so I am unsure where to go next for the Japanese missions. I have a Japanese save with all the missions except Mew on it (came from this forum), and have beeing trying to figure out how I can write the data with cheats that way, so far it hasn't worked to the point that the missions actually load yet.

Posted

Yes, the japanese distribution cart for the manaphy+deoxys missions was AGB-ZP3J-JPN and internally called "ポケモンレンジャー Wミッション配布ROM"

maybe @ajxpk is interested in reverse engineering the boot process of the japanese ranger 1 game in order to recreate this cartridge? i think chances are good it's possible.

Posted
15 minutes ago, Purin said:

Yes, the japanese distribution cart for the manaphy+deoxys missions was AGB-ZP3J-JPN and internally called "ポケモンレンジャー Wミッション配布ROM"

maybe @ajxpk is interested in reverse engineering the japanese ranger 1 game in order to recreate this cartridge? i think chances are good it's possible.

Good thing I made cheats for the Fiore browser, worst case scenario players can use my new codes once I post them to complete their browser for the Japanese games if they wish.

https://i.postimg.cc/3xnSVz64/Pokemon-Ranger-Japan-28843.png

Posted (edited)

Hey there! Haven’t been active for a while, but I’m watching what’s going on... always happy to see someone interested to support research.

I’m not sure if the gallery in this forum had been updated but we actually do have a save file with all the downloadable missions including the Mew one, the save file can be found here.

The big issue was in fact, as you can imagine, that those have been played already and we’re very interested in resetting them back to original state and it would be cool to inject them in other save files. Unfortunately the Pokémon Ranger save files are encrypted and we don’t have the decryption algorithm.

@Purin is right that I could reverse engineer it as I have learned how to read assembly code for ARM architecture. But I’m too busy with my private life now and there are other Pokémon related projects with higher priority. Even if I would do it, it might take me a long time and I’m not sure if it’s worth the time and effort.

Besides I think it should be doable even without reverse engineering by just memory research. The data must be decrypted in memory and might be available for edit from there and when you save the data the change becomes permanent. All it needs is someone with patience to find the exact location. I suggest using another save file where downloadable missions are still unplayed and then clear them, compare data from before and after and see what changed.

Edited by ajxpk
lol, I mixed up decryption/encryption
Posted (edited)
4 hours ago, ajxpk said:

Hey there! Haven’t been active for a while, but I’m watching what’s going on... always happy to see someone interested to support research.

I’m not sure if the gallery in this forum had been updated but we actually do have a save file with all the downloadable missions including the Mew one, the save file can be found here.

The big issue was in fact, as you can imagine, that those have been played already and we’re very interested in resetting them back to original state and it would be cool to inject them in other save files. Unfortunately the Pokémon Ranger save files are decrypted and we don’t have the encryption algorithm.

@Purin is right that I could reverse engineer it as I have learned how to read assembly code for ARM architecture. But I’m too busy with my private life now and there are other Pokémon related projects with higher priority. Even if I would do it, it might take me a long time and I’m not sure if it’s worth the time and effort.

Besides I think it should be doable even without reverse engineering by just memory research. The data must be encrypted in memory and might be available for edit from there and when you save the data the change becomes permanent. All it needs is someone with patience to find the exact location. I suggest using another save file where downloadable missions are still unplayed and then clear them, compare data from before and after and see what changed.

I already did just that, I know exactly where the data is, however it's not as simple as copy and paste unfortunately. I was up all night doing multiple attempts, each of which failed. The closest so far that I have gotten was getting the missions to actually show up, but the code I made is pretty lengthy just to make it do that. Launching missions isn't successful either, all of them end up erasing themselves, if you launch all of the missions then Ranger Net itself disappears (I guess since there is no reason for it to stick around if no missions for it exist).

I did research in both memory AND the save itself.

Edited by DeadSkullzJr
Posted
4 hours ago, DeadSkullzJr said:

Alright so I beat the game with that save, and managed to make the two missions fresh again:

https://i.postimg.cc/QCHmd6Hd/Pokemon-Ranger-Japan-12756.png

Awesome! Congratulations! And you say copying + pasting the mission data into another save file didn’t worked?

Can you share the memory locations? Just for the record and just in case if others want to participate in the research. If there’s no success I might take a look later once I have time again.

Knowing the memory locations is also important in case of reverse engineering, because then I can see which subroutines reading from those locations and this way determine the responsible subroutines. 

As far as the cartridge goes, if it’s a Slot-2 one then, there’s still a lot I would need to learn about how it works. But shouldn’t be as difficult as if it’s coming from another NDS, in that case it’s impossible for me, because of the lack of debug tools to research this scenario...

Posted (edited)
25 minutes ago, ajxpk said:

Awesome! Congratulations! And you say copying + pasting the mission data into another save file didn’t worked?

Can you share the memory locations? Just for the record and just in case if others want to participate in the research. If there’s no success I might take a look later once I have time again.

Knowing the memory locations is also important in case of reverse engineering, because then I can see which subroutines reading from those locations and this way determine the responsible subroutines. 

As far as the cartridge goes, if it’s a Slot-2 one then, there’s still a lot I would need to learn about how it works. But shouldn’t be as difficult as if it’s coming from another NDS, in that case it’s impossible for me, because of the lack of debug tools to research this scenario...

Everything I put together so far related to the missions, I put it together in a plain basic format purely for testing purposes.

Spoiler

0212D8C8 000F0000
0212D8CC 06160706
0212D8D0 3A83E431

0212D8D8 31303044
0212D8F8 00000001
0212D900 00230000
0212D904 5F746573
0212D908 696C6564
0212D90C 79726576
0212D910 2E313030
0212D914 00746164
0212D924 03E80000
0212D928 03E80095
0212D92C 03E80096
0212D930 01F90001
0212D934 0000003C
0212D938 03E80097
0212D93C 00100000
0212D940 00000061
0212D944 008400A0
0212D948 00AA0098
0212D94C 011E00FF
0212D950 00D200F4
0212D954 00A80020
0212D958 00C200CA
0212D95C 009B00A9
0212D960 00000021
0212D964 013300F7
0212D968 01290110
0212D96C 00C7008D
0212D970 00980086
0212D974 008C00C5
0212D978 00A60020
0212D97C 008400AB
0212D980 009F00CC
0212D984 011E000A
0212D988 0115010A
0212D98C 00AE00E3
0212D990 00FF0020
0212D994 00F4011E
0212D998 000A00D2
0212D99C 014C00F4
0212D9A0 014C00F4
0212D9A4 00D300A0
0212D9A8 002000AB
0212D9AC 00B00086
0212D9B0 00CC00CF
0212D9B4 009700A6
0212D9B8 00A300BE
0212D9BC 0021009F
0212D9C0 008B000A
0212D9C4 00C900CC
0212D9C8 002000AB
0212D9CC 008F0082
0212D9D0 008600C8
0212D9D4 00CC0095
0212D9D8 002000CB
0212D9DC 008800BE
0212D9E0 000A00AB
0212D9E4 008400A0
0212D9E8 00AA0098
0212D9EC 00FF0020
0212D9F0 00F4011E
0212D9F4 002000D2
0212D9F8 00CA00A8
0212D9FC 00A900C2
0212DA00 0021009B
0212DA04 00F70000
0212DA08 01100133
0212DA0C 00000129


0212DE44 32303044
0212DE64 00000001
0212DE6C 00220000
0212DE70 5F746573
0212DE74 696C6564
0212DE78 79726576
0212DE7C 2E313030
0212DE80 00746164
0212DE90 03E80000
0212DE94 03E80042
0212DE98 03E80043
0212DE9C 01F90001
0212DEA0 0000002F
0212DEA4 03E80044
0212DEA8 00100000
0212DEAC 0000006F
0212DEB0 00EA0107
0212DEB4 00F700ED
0212DEB8 00A800F9
0212DEBC 00CF0020
0212DEC0 00CA008B
0212DEC4 00880082
0212DEC8 008B00CB
0212DECC 0000003F
0212DED0 00D300AA
0212DED4 008B00C9
0212DED8 002000AE
0212DEDC 00C600CA
0212DEE0 00A70086
0212DEE4 00930020
0212DEE8 00920086
0212DEEC 00A6008D
0212DEF0 00AB008D
0212DEF4 00AA000A
0212DEF8 009F00A3
0212DEFC 01070020
0212DF00 00ED00EA
0212DF04 00F900F7
0212DF08 0020008C
0212DF0C 00A300AF
0212DF10 00D30091
0212DF14 00CC0095
0212DF18 014A009F
0212DF1C 00BE000A
0212DF20 00CA00CF
0212DF24 002000AE
0212DF28 00F1011D
0212DF2C 01330122
0212DF30 002000C4
0212DF34 00D300AB
0212DF38 00D30092
0212DF3C 000A00AB
0212DF40 008C00B2
0212DF44 008C0084
0212DF48 00A70020
0212DF4C 00BE00CB
0212DF50 00AB0088
0212DF54 01070020
0212DF58 00ED00EA
0212DF5C 00F900F7
0212DF60 000A00D2
0212DF64 0084009B
0212DF68 00C70098
0212DF6C 00AA0086
0212DF70 00980020
0212DF74 008600C7
0212DF78 0084009F
0212DF7C 002000AB
0212DF80 00A900C2
0212DF84 00AE0099
0212DF88 002100A0
0212DF8C 010F0000
0212DF90 01060124


0212E3B0 33303044
0212E3D0 00000001
0212E3D8 00210000
0212E3DC 5F746573
0212E3E0 696C6564
0212E3E4 79726576
0212E3E8 2E313030
0212E3EC 00746164
0212E3FC 03E80000
0212E400 03E80028
0212E404 03E80029
0212E408 01F90001
0212E40C 0000002F
0212E410 03E8002A
0212E414 000D0000
0212E418 0000006B
0212E41C 012C00FB
0212E420 00E30113
0212E424 002000D2
0212E428 008F0099
0212E42C 00A00084
0212E430 0021009B
0212E434 01290000
0212E438 012900E4
0212E43C 00C200AE
0212E440 00AB00CA
0212E444 00820020
0212E448 00CF00C9
0212E44C 009F00CC
0212E450 00FB0020
0212E454 0113012C
0212E458 00D200E3
0212E45C 00F4000A
0212E460 00F4014C
0212E464 00A0014C
0212E468 00AE00D3
0212E46C 00CC0020
0212E470 00A100D3
0212E474 008600C5
0212E478 000A008C
0212E47C 00C900AD
0212E480 00A600A3
0212E484 00CB0084
0212E488 008400A8
0212E48C 00200086
0212E490 00C70098
0212E494 00BB0086
0212E498 008C0086
0212E49C 00820020
0212E4A0 014A00CB
0212E4A4 00FB000A
0212E4A8 0113012C
0212E4AC 00D200E3
0212E4B0 00B60020
0212E4B4 00AB0098
0212E4B8 00BB0020
0212E4BC 00990094
0212E4C0 009F00CB
0212E4C4 00AB00C1
0212E4C8 008B000A
0212E4CC 00C900CC
0212E4D0 00CA00C8
0212E4D4 002000C2
0212E4D8 008D0095
0212E4DC 002000AB
0212E4E0 012300ED
0212E4E4 01010117
0212E4E8 009B0123
0212E4EC 002100C8
0212E4F0 010F0000
0212E4F4 01060124


0212E91C 34303044
0212E93C 00000001
0212E944 00200000
0212E948 5F746573
0212E94C 696C6564
0212E950 79726576
0212E954 2E313030
0212E958 00746164
0212E968 03E80000
0212E96C 03E80026
0212E970 03E80027
0212E974 01F9000B
0212E978 0000003C
0212E97C 03E80028
0212E980 000F0000
0212E984 00000073
0212E988 00BC00BE
0212E98C 009700CD
0212E990 011F00AE
0212E994 00E60125
0212E998 002000D2
0212E99C 008C0095
0212E9A0 0021009B
0212E9A4 00BE0000
0212E9A8 00CD00BC
0212E9AC 00AE0097
0212E9B0 00F1011D
0212E9B4 01330122
0212E9B8 002000A8
0212E9BC 00CF0084
0212E9C0 00A600CC
0212E9C4 00CB0084
0212E9C8 011F000A
0212E9CC 00E60125
0212E9D0 0020008C
0212E9D4 012300F8
0212E9D8 00F00133
0212E9DC 00A7012B
0212E9E0 00C20020
0212E9E4 0092008F
0212E9E8 0095008D
0212E9EC 009F00CC
0212E9F0 000A014A
0212E9F4 013300F7
0212E9F8 01290110
0212E9FC 00C7008D
0212EA00 00980086
0212EA04 00AE00C5
0212EA08 00910020
0212EA0C 008D00D3
0212EA10 008600C5
0212EA14 002000AE
0212EA18 00C1009F
0212EA1C 00B2000A
0212EA20 00CA00A8
0212EA24 002000AE
0212EA28 0133012C
0212EA2C 012300F8
0212EA30 00AE014C
0212EA34 00C10020
0212EA38 00C80084
0212EA3C 002000AE
0212EA40 00C1009F
0212EA44 009C000A
0212EA48 002000B2
0212EA4C 0125011F
0212EA50 00D200E6
0212EA54 00ED0020
0212EA58 01170123
0212EA5C 01230101
0212EA60 00A60097
0212EA64 009700BB
0212EA68 00210084
0212EA6C 00F70000
0212EA70 01100133
0212EA74 00000129

 

This is part of the missions data, just located in a deeper part of the memory.

Spoiler

0216A0B8 31303044
0216A0D8 00000001
0216A0E0 00230000
0216A0E4 5F746573
0216A0E8 696C6564
0216A0EC 79726576
0216A0F0 2E313030
0216A0F4 00746164
0216A104 03E80000
0216A108 03E80095
0216A10C 03E80096
0216A110 01F90001
0216A114 0000003C
0216A118 03E80097


0216A11C 32303044
0216A13C 00000001
0216A144 00220000
0216A148 5F746573
0216A14C 696C6564
0216A150 79726576
0216A154 2E313030
0216A158 00746164
0216A168 03E80000
0216A16C 03E80042
0216A170 03E80043
0216A174 01F90001
0216A178 0000002F
0216A17C 03E80044


0216A180 33303044
0216A1A0 00000001
0216A1A8 00210000
0216A1AC 5F746573
0216A1B0 696C6564
0216A1B4 79726576
0216A1B8 2E313030
0216A1BC 00746164
0216A1CC 03E80000
0216A1D0 03E80028
0216A1D4 03E80029
0216A1D8 01F90001
0216A1DC 0000002F
0216A1E0 03E8002A


0216A1E4 34303044
0216A204 00000001
0216A20C 00200000
0216A210 5F746573
0216A214 696C6564
0216A218 79726576
0216A21C 2E313030
0216A220 00746164
0216A230 03E80000
0216A234 03E80026
0216A238 03E80027
0216A23C 01F9000B
0216A240 0000003C
0216A244 03E80028

 

I have no clue if this helps any, sorry if it's not organized the way you wish it to be, usually I do all the organization and what not needed after gathering the data I need. Mind you this isn't complete and I will likely keep looking/adding into this. I split the codes up based on mission data so hopefully that helps a little bit. The data is pretty raw in terms of how it's handled in memory, all the numbers and what not throughout the code lines is mostly the bytes that make up the Japanese characters for the missions, the data for the mission itself is at the top of each of them. Can't use just those addresses though because then the game would crash trying to understand the blank mission lol.

 

WARNING:

Yes these are cheat codes, HOWEVER, I advise you NOT TO USE ANY OF THESE CODES ABOVE, doing so will render data that doesn't work due to the lack of data needed based on testing and ultimately will taint your perfect saves if you do (maybe even corrupt it). This is purely for documentation purposes, you have been warned.

 

P.S.

If you can't read that warning above, I recommend seeing your eye doctor ASAP and getting yourself a nice set of glasses and or contacts of your liking. The warning isn't a joke.

Edited by DeadSkullzJr
Posted
On 10/25/2019 at 8:42 PM, ajxpk said:

As far as the cartridge goes, if it’s a Slot-2 one then, there’s still a lot I would need to learn about how it works. But shouldn’t be as difficult as if it’s coming from another NDS, in that case it’s impossible for me, because of the lack of debug tools to research this scenario...

chances are it just works as a data storage device, just like other slot-2 distributions in Gen 4.
by theory, we just need to put the data in the correct offset inside the GBA rom and put it on a flashcart and it should work. just like decchi.bin for d/p 🤔

Posted

@DeadSkullzJr Wow, so this is the dumped data from these missions? And what did you change do make them appear as ”New!”? Looking forward to see when you have mapped the data out a little bit. Also @BlackShark has been interested in it before, maybe he can help with stuff.

3 hours ago, Purin said:

chances are it just works as a data storage device, just like other slot-2 distributions in Gen 4.
by theory, we just need to put the data in the correct offset inside the GBA rom and put it on a flashcart and it should work. just like decchi.bin for d/p 🤔

Sounds interesting to me. Of course I would be interested to look at the ROM and see what’s there. 

Posted (edited)
32 minutes ago, ajxpk said:

@DeadSkullzJr Wow, so this is the dumped data from these missions? And what did you change do make them appear as ”New!”? Looking forward to see when you have mapped the data out a little bit. Also @BlackShark has been interested in it before, maybe he can help with stuff.

Sounds interesting to me. Of course I would be interested to look at the ROM and see what’s there. 

0212D8C8 000F0000

The address above uses that value by default for new missions added, at least for the Japanese version.

0212D8C8 000F0000

0F - New Missions (Changes when completing missions, also different depending on the missions you have, 0F is for all the missions, also works slightly different in the other regional versions since you can’t have all the missions at once as “new”)

00 - Is used in the other regional versions to determine if Ranger Net is enabled or not, as well as the password system, however this does nothing in the Japanese version.

00 - Manaphy Egg (00 - Mission wasn’t completed, 01 - Egg, 02 - Egg Transferred, in the other regions this is actually the byte for the Manaphy mission itself, 00 - No Mission, 01 - Mission Complete which renders the egg, 03 - Mission Not Completed/Mission Available)

I still need to grab the byte for when you transfer the egg, nonetheless, that helps hopefully.

Edited by DeadSkullzJr
Posted (edited)

Very interesting! Thanks!

The hex value 0xF translates to 0b1111. Each bit represents 1 mission.

0x1 + 0x2 + 0x4 + 0x8 = 0xF

Edited by ajxpk
Posted (edited)

Yeah that’s because the Mew Mission is the 4th bit flag, which adds 0x8.

Bit 0: Manaphy Egg Mission

Bit 1: Deoxys Mission

Bit 2: Celebi Mission

Bit 3: Mew Mission

Edited by ajxpk

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...