froggestspirit

Let me see if I got this, The en/decryption is done through the reader hardware, or is it sent to a server online? (I never applied cheats yet, only used it to back up saves).

Secondly, the cheats appear to be downloaded each time the card is connected. Is there any way we can view the cheats (again, through a memory editor?)

Lastly, is there a way if we can view the cheats, to maybe hack the cheats? (or is that stored on their server again?)

Has been tried, does not work. Datel's setup can't load "corrupted" savefiles; all of their edits are done after their unit decrypts and verifies -- probably outside of their control.

What about using something like cheat Engine to view the memory while the power save program runs? Or maybe looking at the ASM of the program? (I just got this, and was thinking of trying it)

I think I understand. Is there a way I can obtain the SID from my Pokemon Y game? Even if it's calculating something with the SV, or hex viewing

I like to keep record of my TID and SID's for my games, because I have been known to RNG for matching ones in gen 4. However, I noticed that Bank'ed pokemon from my gen 4 games have matching TID's but the SID is completely different for them (in Y it is 2446 and in gen 4 it was 00468) Other than the obvious change of all SID's becoming 4 digits, does anyone know how this works?

I'm sorry if I missed something, but is there currently a way I can dump a Pokemon from my game? I'm mostly interested in finding out my SID for personal reasons

Well, I looked into this myself, and found something interesting...

http://hastebin.com/vatibovipi.avrasm

That is what i disassembled, not finished, but it told me some things...

The probability of continuing a chain seem to be hard-coded.

If you faint a pokemon OR RESET the radar, your chances are:

28% for one away continuing

48% for two away continuing

68% for 3 away continuing

88% for 4 away continuing.

Now here's where it get's interesting... line 465 makes a compare, but normally this value is 1, so we get the above percentages.

However, if you catch a pokemon, the value gets set to 4, and uses a different set of percentages:

38% for one away continuing

58% for two away continuing

78% for 3 away continuing

98% for 4 away continuing.

This is much better, although keep in mind that even if you caught the previous pokemon, resetting the radar will set the percentages back down.

Also, keep in mind that this seems to be for the patch that you are currently chaining, so if you switch patch types, the probability is probably lower.

Here's a few Ram addresses i found too

http://hastebin.com/rikatiyeqa.coffee

Well, after using the PokeRadar a lot, chaining, and having a few chains seemingly break for no reason, I was hoping to find out what exactly makes it work? I'm familair with ASM, but I'm not sure where I'd start with NDS. If anyone has information on solid evidence for how the PokeRadar works (mostly to keep the chain going, like how it calculates the chances of continuing the chain per patch), please post here.

Actually, that's what I have been doing!

If you have a program to edit saves on a GBA cart, you can use a code to read from that in DS mode, but keep in mind you have to read one byte at a time.

No, Those are all defined in the ROM, the pokewalker doesn't actually store the data of the wild pokemon, except pictures, a (picture of the) name, and.. maybe the type. Although, If you found the route definitions in the rom, you could do that, but mearly changing the graphics wont change what you get when you send it back obviously.

Double post because the site wouldn't let me edit my previous one: After more tedious research, I don't know if the file a/2/4/8 is related. I managed to find out that in the US HG, address 0x021FFAD0 contains a pointer that points to the info that is sent to the walker. I want to say 0x021FFAD4 is the end of that data, and out of all those i've dumped, they are all x28C0 bytes long. This contains (imagewise) (in this order more or less):

The icon of your route

Name of your route (sprite text)

Your pokemon small sprites

Your pokemon big sprites

Name of your pokemon/nickname (sprite text)

group A pokemon small sprites

group B pokemon small sprites

group C pokemon small sprites

group C pokemon big sprites (for if they join you with an empty walker)

Name of group A pokemon (sprite text)

Name of group B pokemon (sprite text)

Name of group C pokemon (sprite text)

Name of the 10 items (sprite text)

Keep in mind this data is only present when your DS is waiting to sync with the walker.

And if any Moderators are reading this, feel free to move it to RAM if necessary. I wasn't sure which approach I'd find when creating this thread.

I think someone should take a look at the NARC in a/2/4/8 it contains 540 or so files, small, and they seem to be compressed. I couldn't find them in the RAM dump though...

Edit: On HG (us) I changed some spots in the ram, at address 023BF1A8. This is the pointer to the file a/2/4/8, so i changed it to match the pointer of a/2/4/9 (not for any particular reason, just wanted to get to to a different location). And 023BF1AC is the end pointer of a/2/4/8, so I changed that aswell to match a/2/4/9's (for consistency I guess). When I went to the pokewalker option, picked Bulbasaur, and hit transfer, it said Point at the DS card and press select, about a second later, the game froze.

EDIT:

Pokemon graphics are in a/2/5/6, and they are loaded into RAM when the DS tries connecting to the pokewalker

I want to say that it's stored on the rom for the reason: if you sync a pokewalker with a game, it will use the language the game is in (the route names etc. are all in there as sprites), that way, nintendo wouldn't have to make the pokewalkers have different innards worldwide. Also, the sprites in the RAM dump I did were rotated 90 degrees clockwise, just incase anyone else searches. I might look for this in the ROM though, because id imagine the pokemon sprites might be located near the folder of the icons and such

Pokemon HG/SS and PT had more battle modes than D/P did, but if the leader was using say HG, and selected a new battle mode VS someone with D/P, D/P would read the rules from HG.

I don't think this would work on random wifi either, but the main thing is... what if hypothetically, Nintendo released Gray, and it had 6v6 flat battles, and it worked like gen 4, where B/W could read the rules from a leader using Gray? I feel that AR should be able to make this possible.

So, I hacked the pokewalker.... I dumped RAM when I was on the transfer screen, and looked through it with a GameBoy tile editor. I found something interesting... The graphics for the Pokewalker are stored on HG/SS This also includes a DECOMPRESSED sprite of Spinda (because of the way the game handles his spots). So, this led me to conclude, the game transfers the Pokemon sprites when it connects, (and probably the sprites for that route youre on) I'd have to assume that if you transfer your pokemon back. The only time it transfers the menu Icons and misc sprites is the first time you sync it, or after you erase it, then sync again.

I did this by hacking the sprites with AR, I made a code that will copy data from a hacked gba save file to the RAM.

That's where I got most of the locations, and was my starting point But, I have a feeling that it could be the same values for setting the mode on vs people over wifi (more so people with your friendcode). I know platinum had extra battle modes, and if the server game was platinum, and chose a new battle mode, the client games (diamond or pearl) could access that mode. I'm thinking it might be possible to do something like that for black and white.

Hello, I've been looking into making a code to allow lvl 100 or lvl 50 6 vs 6 battles on wifi, and maybe even c-gear. so far, I've managed to dig up this info by looking at battle replays with different modes in Pokemon Black (US). here are my findings:

0x0226B032:

00-Battle Subway, Single

00000000

01-Battle Subway, Double

00000001

04-Battle Subway, Multi

00000100

18-Colosseum Single, No Restrictions

00011000

19-Colosseum Double, No Restrictions

00011001

1A-Colosseum Triple, No Restrictions

00011010

1B-Colosseum Rotation, No Restrictions

00011011

1C-Colosseum Multi, No Restrictions

00011100

28-Random Matchup, Free Single

00101000

29-Random Matchup, Free Double

00101001

2A-Random Matchup, Free Triple

00101010

2B-Random Matchup, Free Rotation

00101011

38-Competition, Single, Launcher Off

00111000

39-Competition, Double, Launcher Off

00111001

3A-Competition, Triple, Launcher Off

00111010

3B-Competition, Rotation, Launcher Off

00111011

68-Random Matchup, Rating Single

01101000

69-Random Matchup, Rating Double

01101001

6A-Random Matchup, Rating Triple

01101010

6B-Random Matchup, Rating Rotation

01101011

98-Colosseum Single, No Restrictions, Launcher On

10011000

99-Colosseum Double, No Restrictions, Launcher On

10011001

9A-Colosseum Triple, No Restrictions, Launcher On

10011010

9B-Colosseum Rotation, No Restrictions, Launcher On

10011011

9C-Colosseum Multi, No Restrictions, Launcher On

10011100

B8-Competition, Single, Launcher On

10111000

B9-Competition, Double, Launcher On

10111001

BA-Competition, Triple, Launcher On

10111010

BB-Competition, Rotation, Launcher On

10111011

0x0226B033 seems to be 02 if the battle is a flat battle, otherwise it is a zero?

(bits are 1 for the left most, and 8 for the right most)

first bit appears to be what determines if the launcher is on

second bit appears to be for rating?

third bit seems to be for random matchups and competitions only

fourth bit appears for only colosseum and competition

fith bit seems to determine if the battle is a battle subway one

bits 6-8 seem to be the mode:

0=single

1=double

2=triple

3=rotation

4=multi

I want to try and search these after selecting a battle mode, but I cannot get the game to connect to wifi through the emulator. if someone else could use this data to find a code, that'd be swell

If I got the source, I'd be glad to fix bugs and add support for B/W. I got all the DS pokemon games, and 3 flash carts.

EDIT: Forgot to say, message me if anyone is interested

Hi! I've been looking for possible ways to preform a buffer overflow in pokemon black (or white) through save editing. So far, I've come up with this list of possibilities:

-Pokemon data (part, or box)

-Names in general (pokemon names, trainer name, box names) (the names end with FF FF, giving a pokemon name with 11 letters is possible, but looks glitchy)

-Battle replay data

-mystery gift

-number of phrases for the trainer card

-number of pokemon in party

-items in bag (looked into this, and it doesn't look like this can be manipulated to cause an overflow)

-mail (looked at this, not in depth, it is custom phrases only, so probably not much potential)

-Friend roster

-possible number of pokemon in battle box?

If you have any ideas on how to achieve this, please post. In the long run, I hope to run maybe some custom ASM, and potentially change around some pre-loaded variables (music table if you're wondering) If you find an address, please list if its for black or white, and any help is appreciated. thank you

Here's something i made:

Well, this is what I got. It's about the best i can do without it being read from the re-writable GBA cart, the boxes get loaded in RAM

I'll do a youtube video when I get home. I think I can load the battle theme from soul silver (kanto GB sounds) by putting the data in a PC box, but I wont be able to access the box. I was looking for a way to have AR read directly from the save file (if possible because it has plenty of free space)

Alright. I've been using 23A9000 for a while, and I haven't had the song overwritten after loading the game before, but wanted to check if there was a better alternative. I've also tried looking for a way to put it in the save file, I was able to put it in the data of a few PC boxes, but then you cant access the PC

Thank you. Sorry for the hassle I gave, I had this completely wrong in my head, but this makes a lot more sense now :3

Edit: Also, do you know if there is free space in the RAM? I've made a code to load custom music from a re-writable GBA cart using AR, and having the song pointer point to it, but I dont know if it is permanent free space, but so far its worked

Does it work a bit like this in 5th gen? RNG call to see if man has egg (every 17 steps) if he does, generate the stats?

or are the stats pre-generated before the 17 step check? I think I do have this mixed up.

Go ahead, prove me wrong then :3