Everything posted by RupeeClock
-
Fantastic to see the Mew files archived onto the gallery, with accommodating event videos.
-
The video in question is using an arbitrary execution glitch to rewrite certain parts of the Pokémon in save data, in order to give it the necessary DVs to make it shiny upon transfer. From what I've gathered, the Mew import legality check is only checking for that OT/TID combination of GF/22796, I don't believe it actually checks that the Mew have 15/15/15/15/15 DVs? So if I'm not mistaken, this would mean you could use the arbitrary execution glitch to give the Mew the necessary DVs, and it would successfully import and come through shiny. Technically speaking, it shouldn't be legal though as they never distributed any Mews that should conceivably be shiny.
-
Yup, I'll definitely be making the effort to get my own Softboiled Mew after this, despite actually having already transferred my Mew. That's what JKSM is for though!
-
What's most hilarious is that Poké Transporter is accepting a modified Pokémon Yellow as a save source. It logically follows that it just checks for a matching title ID, and looks at the save contents matching that title, but still hilarious. Of course I reckon it's probably just easier to clone/inject as many Mews as you please, like if you want Gen 1 TM moves of varying natures. Moves like Softboiled and Whirlwind are probably the most interesting as Mew lacks access to Recover or Roar, or similar moves. Actually I think this might be the only way to get that legal Softboiled Mew that the Smogon sets use.
-
Pokémon Bank update finally dropped! I got to import my Mew from VC Pokémon Yellow, this required boxing the Mew into the first box. Upon transferring, it arrived with 31/27/31/31/31/31 IVs and a Timid nature. This is pretty great, as apparently Pokémon imported from Gen I are "guaranteed to have 3 perfect IVs, and a random nature". The Mew already have a perfect spread of 15/15/15/15/15 DVs though, so I'm wondering how they picked an attack IV of 27 when its attack DV would've been 15. I extracted my Mew using PKHex if you wanna examine the bytes. I thought it pretty interesting that it has a generated shiny value too, and a trainer shiny value based on the OT. The GF Mew had a TSV of 1424, I'm interested to see if this is consistent. It might not be shiny locked as a result of this. Oh yeah and it was also nice that the Bank update gave away free Mewnium Z to Sun/Moon game cards, via mystery gift. A few other Gen I Pokémon I imported have a TSV of 2512. They also indeed have 3 perfect IVs and random natures, my Rattata got its HA Hustle, my Sandshrew got its HA Sand Rush, my Caterpie got its HA Run Away, and my Mankey got its HA Defiant. Edit: Turns out SciresM is really on the ball with figuring out how the transfers work, nature is determined by EXP, IVs are purely random, nearly everything always gets its hidden ability, genders are completely random despite how gen II determined them using DVs. Every untrained Mew imported will always be timid, and you can manipulate which nature it will get by getting a specific EXP number. 151 - Mew - 44C0A4DC05E1.pk7
-
I guess that pretty much confirms it then, all VC RBY Mews distributed are the same, although trash bytes may change if boxed. All that's left is to wait for the Pokémon Bank update, how exciting.
-
Huh, I don't think the homebrew method of dumping the save game should make a difference, all will ultimately run a program that decrypts a save file and dumps the contents to the SD card. Also with thanks to soundhax my cousin might be able to share his save if he finds any time to even play his 3DS.
-
Oh excellent, hopefully this will shed some light on things. I did get to see my cousin this past Christmas, but he forgot to bring his 3DS with him so sadly I didn't get to make a backup of his Mew. That means we don't have a sample that is guaranteed to have come from a separate distribution system. Even so I imagine the data is going to be identical anyway.
-
We do know these keys, but these won't serve any purpose of possibly reverse-engineering anything to figure out a range of keys if Nintendo implemented their cryptography correctly. If you have 2 ^ 128 combinations of keys, you are going to pick one as randomly as possible and not limit where you can pick from. To explain what keys are. Every time you buy a title from the eShop, the CDN gives you a title key in encrypted format, which is stored on the 3DS system itself. This title key grants you permission to request a download from their CDN. Due to 3DS hacking developments at the start of the year where the 3DS was fully exploited, specifically gaining control of the ARM9 kernel and breaking the cryptography implementation, this made it possible to dump and decrypt the title keys stored on a system, and even share them among other 3DS systems. This led to the development of an application called freeShop, which enables you to download anything directly from Nintendo's eShop CDN if you have the appropriate title keys, legitimate or illegally shared. The lack of authentication beyond anything other than title keys on the 3DS is what made this possible, and could've very easily been avoided if they authenticated purchases on the server side instead of the client side. A possible reasoning for doing this is that some 3DS systems come pre-installed with games, and if you perform a system transfer to such a system it will retain the pre-installed software along with the title key, thereby granting you that game to keep. This state of affairs means that in order to download the Mew Distribution App, you need a 3DS that has the app installed since the title is not publicly listed, and then you would need to hack this 3DS to dump and decrypt the title key. This would be extremely unlikely as the systems would be controlled by Nintendo UK or Nintendo of Japan.
-
Bruteforcing this sort of thing seems like a silly thing to do too, seeing as it's just a small distro app. We kinda sorta know how to reproduce the distro app as it is, as we have data on the Mew distributed and an understanding of how the rom/VC title works. That also seems silly as you can just inject the event data now.
-
If I'm not mistaken, the only way we could hope to get that key is if someone with the title installed on their system, hacked the system, and then dumped and shared the title key. That seems extremely unlikely.
-
The trash being intentional is not unexpected, as it's maybe one of the few ways they can verify you have an event Mew instead of a glitched or save hacked Mew. I hope we can get more samples too, just to confirm if there are data differences or not. At this stage it seems less likely.
-
Well that settles that then, there really was a special distribution version. It'll be extremely lucky if we ever get to use them, but this was a nice finding.
-
I have doubts about that, I don't think binary size is relative so much as there's an astronomical number of possible encryption values, so a bruteforcing attempt maybe wouldn't be shorter. I could be mistaken. My other thought was that the VC versions might be hiding some functionality that hasn't been looked into. What if a Mew distribution was planned in advance so that there exists an undocumented distribution mode in the commercial VC release of Red Version?
-
Fascinating, simply by examining the "trash" bytes and with intimate knowledge of the game's programming, you were able to deduce that the event was running a modified VC version of Pokémon Red. The alterations could be done either patched on-the-fly or baked into the VC rom, but in either case coupled with the visible restore points is solid evidence of a special Distribution version of the game. If it's a digital title, who knows, it might even exist on the eShop CDN like Sun/Moon did at some point. If it were though I would think it would've already been discovered though, and simply knowing about its (possible) existence is probably insufficient to even acquire it.
-
I believe I already explained this, you definitely saw that. Did you have trouble understanding the instructions? ajxpk a few posts up also supplied a file you can use with PKHex, instead of PKXDelta.
-
I doubt that he does personally since he doesn't play games as much as he used to, and didn't know much about buying a bigger SD card for his 3DS despite buying games digitally. We'll just have to wait and see with HMM.
-
If I get to meet him at Christmas time that'll probably be my only chance to do this, which is before it can be legally transported to Gen 7 anyway. So there might be a chance but I can't promise anything.
-
I hadn't tried PKHex as I didn't know it supported all gens, but I imagine it should work too.
-
I'd like to do that myself if the chance happens, but it's very unlikely since we don't meet very often. Maybe I'll get to see him at Christmas time but that's the best that could happen. It's also possible that he's been playing the game since then and the Mew has levelled up or something. There's also HMM who has yet to dump their save game, the only issue is there's no guarantee they had a different vendor to me.
-
That's right, they had multiple consoles. My cousin was with me at the event and we received our Mews at the same time from different vendors. We compared them briefly and they had matching IDs and stats, they appeared to be identical. His 3DS isn't hacked though and he lives in London unlike myself, so it's not possible to check his Mew to see if they're byte for byte the same.
-
That sounds about right, one of the last distros was the Liberty Ticket distro I think. Everything after that has been distribution by password or Nintendo Zone in endorsed locations. In any case, the restore point thing means that lots of Mews are identical to each other, but it's possible that the other distribution systems weren't identical to each other.
-
I'm wondering if they may've even had the VC rom on a game card rather than on the system itself, but there's no way to tell from here.
-
I just caught an interesting detail whilst rewatching the video. It was only for the briefest of moments, but I noticed that the Mew distributor had access to Restore Points unlike normal Virtual Console versions of the game, and as soon as my trade was completed he used the restore point. This could mean that they were in fact using a special version of Red or Blue VC, or there's actually something hidden in the VC release that may re-enable Restore Point usage, as this is still a VC release capable of link-trading.
-
Interesting, can you elaborate on the differences between the JP Mew, my Mew, and if one comes a third Mew?