Jump to content

Falo

Member
  • Posts

    26
  • Joined

Everything posted by Falo

  1. 0628_Potions & 1624_dusk_rockruff are now also released, strangely they glued 2 dusk rockruff wondercards together with different values Rockruff #1: Card #: 1624 - A special Rockruff! Rockruff @ Focus Band --- *Playername* - 51277/12369 Tackle / Bite / Fire Fang / Happy Hour Repeatable: False Collected: False Once Per Day: False Rockruff #2: Card #: 1624 - A special Rockruff! Rockruff @ Focus Band --- *Playername* - 51277/12369 Tackle / Bite / Thunder Fang / Happy Hour Repeatable: False Collected: False Once Per Day: False
  2. Each game with spotpass access, like Mario Kart 7 or Pokemon has some way to access this url *snipped*
  3. Yeah ok, didn't know you guys already updated spotpass tools for USUM. A bunch of new wondercards are released today on the server 0252_Wpack, //100 x Poké Ball 0263_maxrevive (EU Eng & JPN), //3 x Max Revive 0265_7_malasada, //7 x Big Malasada & 11 x Fresh Water 0266_7_tsutaya_rotopon, //4 wondercards glued together, 1 x Roto Catch/Roto Bargain/Roto Prize Money/Roto Exp. Points 1625_QuickBalls (JPN, EU, USA) // 12 x Quick Ball 0267_line_rotom, //Line App Rotom たくさん おしゃべりして まんぞくしたから アローラに もどってきたロト! これからは ぼうけんの パートナーとして よろしくロ~! Card #: 0267 - スマートフォンに はいりこんでいた ロトム Rotom @ (None) --- ククイ - 46381/04076 Uproar / Confide / Disarming Voice / (None) Repeatable: False Collected: False Once Per Day: False 0272_Asia_marshadow (EU, JPN, USA), Marshadow, the Pokémon which guides the Rainbow Hero. Can you make the mythical Pokémon that suddenly appeared in front of Satoshi, approve of you? Card #: 0272 - Mythical Pokémon Marshadow Marshadow @ (None) --- MT. Tensei - 60981/04151 Spectral Thief / Close Combat / Force Palm / Shadow Ball Repeatable: False Collected: False Once Per Day: False somehow the 1625_QuickBalls_US_S is missing for Ultra Sun.
  4. The first Ultra Sun/Moon event is online! Gold/Silver Serialcode Celebi. Ultra Sun: 0251_celebi_SER_JP_J_1510631793 Ultra Moon: 0251_celebi_SER_JP_J_1510631840 Downloaded from the official Spotpass server, both are identical after decryption and work with the newest PKHex. Distribution Text: 『ポケットモンスター 金・銀』を ダウンロードしてくれて ありがとう! ウバメのもりに まつられる セレビィが ときを こえて やってきた! Translated: "Pocket Monsters Gold & Silver" Thank you for downloading! Celebi to be enshrined in the woods of Ubame came beyond the time! Card #: 0251 - ときわたりポケモン セレビィ Celebi @ (None) --- ウバメ - 43783/03831 Heal Bell / Safeguard / Ancient Power / Future Sight Repeatable: False Collected: False Once Per Day: False 0251_celebi.wc7full
  5. Haven't gotten to the part where you can scan QR Codes. But from the code of the game, the event checks if Savedata::QRReaderSaveData:: Data+0x170 is set to 0xCBE05F18356504AC and checks if EventFlag 3100 is set, and flag 3487 is unset, so: 3100 = IsMagearnaActive 3487 = IsMagearnaCaptured So it should be easy to activate the event on any system with pkhex. Note: QR Encryption is the same as save signing, so memecrypto.
  6. You mean this list ? [i]relevant data removed[/i] The demo really contains to much code from the full game ^^, even the mystery gift server code is there.
  7. It was just a quick analysis, init_rtc_ctx initializes a 8 byte structure this is then used by j_getGameTime, i'm not sure if it "gets" or "sets" the time, since "get" makes more sense i used that name. savePtr is a pointer to the Savedata:: Savedata structure, not the raw save. gfl2::math::Random::Initialize, the name comes from the sun&moon demo, not oras, this initializes a mersenne twister algo, here the rest of the functions: (pseudo c code) I found the algo online, it's "Tiny Mersenne Twister" https://gitlab-dev.in2p3.fr/SOPHYA/SophyaLib/blob/927c275e1bbe27c728119b9763ef174ece43fc47/BaseTools/tinymt32.c https://gitlab-dev.in2p3.fr/SOPHYA/SophyaLib/blob/927c275e1bbe27c728119b9763ef174ece43fc47/BaseTools/tinymt32.h
  8. Yes but it's still a random value: unsigned int __fastcall sub_4608F4(int a1, int a2){ _DWORD *savePtr; // r4@1 int trainerId; // r6@1 unsigned int rnd; // r0@1 int rnd_ctx; // [sp+0h] [bp-28h]@1 char ctx; // [sp+10h] [bp-18h]@1 savePtr = *(_DWORD **)(sub_14E348() + 28); trainerId = *(_DWORD *)(*savePtr + 0x129A8); init_rnc_ctx((int)&ctx); j_getGameTime(savePtr, (int)&ctx); j_gfl2::math::Random::Initialize((int)&rnd_ctx, *(_DWORD *)(*savePtr + 0x1048) + trainerId); rnd = j_MersenneTwister((int)&rnd_ctx); *(_WORD *)(a1 + 0x51DA) = rnd % 33 + 1; return rnd % 33 + 1;} //*(_DWORD *)(*savePtr + 0x1048) = the random value from SaveData::RandomGroup
  9. The code for this can be found in DllSkyTrip.cro and the code.bin, function to generate mirage spot: ".text:004608F4 sub_4608F4" To find the current Mirage Spot, it uses that random value, and some other values, like the current time and generates a new random value. the final result of it is then "rnd % 33 + 1".
  10. Block 5 (0x1600) is Savedata::RandomGroup this block is just a 4 byte random value, which is generated by the 3DS AES engine. I didn't fully reverse it, but it calls SVC 0x28 "GetSystemTick(void)" and then uses a Mersenne Twister algo with sha256 and sha1 hash. So it's not encrypted, just a random value. It's like a seed value from the good old RNG days.
  11. I could look into it, but later. I use ida pro, patchrom and a cro/crs loading script. patchrom is used to convert the exefs code.bin and exheader.bin into a loadable exefs.elf. Then i load the exefs.elf and use the script to load static.crs, this loads a lot of export entries and give a basic overview where stuff is. The rest is done via vTable decoding, string search and knowledge how stuff should look like. Also hex-rays decompiler plugin helps a lot and after cleaning up you get a nice output like this: void __cdecl Savedata::MyStatus::SetZenryokuRingFlag(MyStatus *this, int flag){ unsigned int v2; // r3@1 int v3; // r1@1 v2 = this->data.OutFitFlags[1] & 0xEFFFFFFF | (flag << 28); v3 = (unsigned __int16)(this->data.Flags & 0xFFFD) | 2 * flag; this->data.OutFitFlags[1] = v2; this->data.Flags = v3;}
  12. There is a lot more code ^^ like collecting zygarde cells, berry field island, fishing spot, join festa, battle tree, battle spot.... But the more interesting code is just dummy... Magearna Event code: int MagianaQREventEnableCheck(){ return 0;} Pokédex QR making codes... void NetApp::QR::QRUtility::SetUpZukanQRData(){ ;}
  13. Nothing changed. _BOOL4 __fastcall pml::pokepara::CoreParam::CalcShiny(unsigned int TrainerID, unsigned int PokemonID){ return ((unsigned __int16)TrainerID ^ (TrainerID >> 16) ^ (PokemonID >> 16) ^ (unsigned __int16)PokemonID) < 16;} That new id is an exported function and only the FieldRo uses it to show that id, everything else uses the old id's. //edit: Wondercard was slightly changed, Oras uses 6800 Byte Sun&Moon Demo uses 16208 Byte i haven't looked into it yet, but Savedata::MysteryGiftSave::GetMameGiftNum Savedata::MysteryGiftSave::GetBPGiftNum Savedata::MysteryGiftSave::GetItemGiftNum Savedata::MysteryGiftSave::GetPokeGiftNum looks like they will give Battle Points via Wondercard... ^^ //edit2: a quick look into the structure: - Wondercard Size = 264 Byte -> nothing changed - There are 48 spaces for cards Types: 0 = Pokemon 1 = Item 2 = Battle Points 3 = Poké Beans (japanese: Mame, 豆) There is some date field after the card storage, it's defaulted to 2000:01:01:00:00:00:00
  14. C# gives me the correct result 201761, Also manually: TrainerID / 1.000.000 = 564 564 * -15625 = -8812500 -8812500 << 6 = -564000000 -564000000 + TrainerID = 201761 //edit, my code is an exact copy of the original asm code, but i just noticed -15625 << 6 = -1000000 so TrainerID + ((TrainerID / 1.000.000) * -1000000) or TrainerID % 1.000.000 should work...
  15. //PokeTool::GetDrawID public static int GetDrawID(uint TrainerID, int GameID) { if (GameID < 30) return (int)(TrainerID & 0xFFFF); else { return (int)((TrainerID + (((TrainerID / 1000000) * -15625) << 6))); } } TrainerID is the full 4 byte id, tid and sid. GameID's: 30 = Sun&Moon Demo, 31 = Sun, 32 = Moon, 33 = ???, 34 = ??? Note: this calculation allows any id from 0 to 999.999 And yes Greninja now has 3 forms 1. Form = Default 2. Form = "Battle Bond" Form, same stats as default form, just the ability is different (3x Battle Bond) 3. Form = "Ash-Greninja" Form
  16. While most data in personal.garc is overwritten with Pikachu's data, FormCount is left intact. Flabébé & Florges have 5 forms, Floette has 6 forms -> AZ's Floette is still there.
  17. The crypto is exactly the same as XYORAS. What they changed is the CRC16 algo, XYORAS used CCITT. Sun & Moon uses ModbusCRC16 with a few small changes. CRC16 [rev] precalculated table is @.data:004DE408, and the algo is @.text:0025C598 in the demo exefs code.bin. But it's pointless to inject stuff into the save, to many dummy data.
  18. Here the german version of the serperior (POKEMON497) event, dumped with powersaves & pkhex. id: 1505 text: Hier kommt Serpiroyal! date: 2015.01.22 Event Text: Dieses besondere Serpiroyal hat eine versteckte Fähigkeit, dank der es sich noch besser für Kämpfe eignet! 1505 - Hier kommt Serpiroyal!.zip
  19. Here the german version of the shiny beldum event, dumped with powersaves. wondercard id: 1504 name: Ein Schillerndes Tanhel! dumped on: 2014.11.29 Event Text: Dieses Tanhel ist nicht nur ein Schillerndes Exemplar, sondern trägt auch noch einen Mega-Stein bei sich! 1504 - Ein Schillerndes Tanhel! (GER)(20141129).zip
  20. I still need some static values. Some work on the Powersaves CRC: (Powersaves 1.1.6) 00412CD3 /$ 55 PUSH EBP 00412CD4 |. 8BEC MOV EBP,ESP 00412CD6 |. 33C0 XOR EAX,EAX //uint crc32 = 0; 00412CD8 |. 33C9 XOR ECX,ECX //int i = 0; 00412CDA |. 3945 0C CMP DWORD PTR SS:[EBP+C],EAX // 00412CDD |. 7E 1F JLE SHORT PowerSav.00412CFE // 00412CDF |> 8B55 08 /MOV EDX,DWORD PTR SS:[EBP+8] //edx = &buffer; 00412CE2 |. 0FB61411 |MOVZX EDX,BYTE PTR DS:[ECX+EDX] //edx = *(byte*)(buffer + i); 00412CE6 |. 33D0 |XOR EDX,EAX //edx ^= crc32; 00412CE8 |. 81E2 FF000000 |AND EDX,0FF //edx &= 0xFF; 00412CEE |. C1E8 08 |SHR EAX,8 //crc32 >>= 8; 00412CF1 |. 330495 80C26D>|XOR EAX,DWORD PTR DS:[EDX*4+6DC280] //crc32 ^= crctbl[edx]; 00412CF8 |. 41 |INC ECX //i++; 00412CF9 |. 3B4D 0C |CMP ECX,DWORD PTR SS:[EBP+C] // 00412CFC |.^ 7C E1 \JL SHORT PowerSav.00412CDF //if(i < length) goto 00412CDF 00412CFE |> 5D POP EBP 00412CFF \. C3 RETN Powersaves calculates 2 CRC's with this function: First 0x18 byte from the powersave header (should match crc32 @ 0x14, but 0x14 is 0x00000000 in memory), then the save itself (should match crc32 @ 0x18). Here the code translated to C# (don't know if it's the normal crc32 or not), tested and working: public static uint[] CRC32_TABLE = { 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B, 0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01, 0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65, 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F, 0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8, 0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5, 0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B, 0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236, 0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713, 0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777, 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45, 0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9, 0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D }; public static uint PowersaveCRC32(byte[] buffer) { uint crc32 = 0; for (int i = 0; i < buffer.Length; i++) { crc32 = (uint)(CRC32_TABLE[(buffer[i] ^ crc32) & 0xFF] ^ (crc32 >> 8)); } return crc32; }
  21. Cant update the Wiki ("The action you have requested is limited to users in one of the groups: Bots, Administrators, Editors. "): DISA hash: Start: active DIFI partition offset - End: active DIFI partition offset+size (0x200 - 0x32B or 0x330 - 0x45B) - Offset: 0x16C IVFC hash 0: Start: 0x2000 - End: 0x201F - Offset: active DIFI partition offset + hash offset (= 0x30C or 0x43C) IVFC hash 1: Start: 0x2020 - End: 0x203F - Offset: 0x2000 IVFC hash 2: Start: 0x2040 - End: 0x2FFF - Offset: 0x2020 To calculate them you must create a new byte array block with the size "1 << ivfc.levels[x].BlockSize" and fill it with 0x00, for hash 0 & 1 it is 512 (1 << 9), hash 2 is 4096 (1 << 12). To get these information, read the active DIFI partition and get these values from the IVFC part. After making the byte array, memcpy the data into it and then calc sha256 over the whole array. The only missing thing now is AES_MAC and the algo to generate the XorPad, can someone tell it to me? http://www.3dbrew.org/wiki/Savegames is confusing to read...
  22. I have a fully decrypted save (not just boxes) and all my checksums match, so yes there is an error. This is how a real empty ekx looks like: Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 00 00 00 00 00 00 00 00 00 00 7E E9 71 52 B0 31 ..........~éqR°1 00000010 42 8E CC E2 C5 AF DB 67 33 FC 2C EF 5E FC C5 CA BŽÌâůÛg3ü,ï^üÅÊ 00000020 D6 EB 3D 99 BC 7A A7 CB D6 5D 78 91 A6 27 8D 61 Öë=™¼z§ËÖ]x‘¦'.a 00000030 92 16 B8 CF 5D 37 80 30 7C 40 FB 48 13 32 E7 FE ’.¸Ï]7€0|@ûH.2çþ 00000040 A3 DF 69 3D 9E 63 29 1D 8D EA 96 62 68 92 97 A3 £ßi=žc)..ê–bh’—£ 00000050 49 1C 03 6E AA 31 89 AA C5 D3 EA C3 D9 82 C6 E0 I..nª1‰ªÅÓêÃÙ‚Æà 00000060 5C 94 3B 4E 5F 5A 28 24 B3 FB E1 BF 8E 7B 7F 00 \”;N_Z($³ûá¿Ž{.. 00000070 C4 40 48 C8 D1 BF B6 38 3B 90 23 FB 23 7D 34 BE Ä@HÈÑ¿¶8;.#û#}4¾ 00000080 00 DA 6A 70 C5 DF 84 BA 14 E4 A1 60 2B 2B 38 8F .ÚjpÅß„º.ä¡`++8. 00000090 A0 B6 60 41 36 16 09 F0 4B B5 0E 26 A8 B6 43 7B *¶`A6..ðKµ.&¨¶C{ 000000A0 CB F9 EF 68 D4 AF 5F 74 BE C3 61 E0 95 98 F1 84 ËùïhÔ¯_t¾Ãaà•˜ñ„ 000000B0 BA 11 62 24 80 CC C4 A7 A2 B7 55 A8 5C 1C 42 A2 º.b$€Ìħ¢·U¨\.B¢ 000000C0 3A 86 05 AD D2 11 19 B0 FD 57 E9 4E 60 BA 1B 45 :†..Ò..°ýWéN`º.E 000000D0 2E 17 A9 34 93 2D 66 09 2D 11 E0 A1 74 42 C4 73 ..©4“-f.-.à¡tBÄs 000000E0 0B 2B 23 F2 43 28 54 A6 .+#òC(T¦ The Party extra: Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 000000E0 00 00 7E E9 71 52 B0 31 ..~éqR°1 000000F0 42 8E CC E2 C5 AF DB 67 33 FC 2C EF 5E FC C5 CA BŽÌâůÛg3ü,ï^üÅÊ 00000100 D6 EB 3D 99 Öë=™ this empty ekx needs to be used to dump: - party - box 1-31 - battle box
  23. The problem is simple "Blank.ekx" is wrong, Kaphotics made a mistake here, he generates an "empty egg ekx" instead of an "empty ekx", there are language specific diffrences, for example: german uses "Ei", not "Egg", but a real empty ekx is just 0x00 + encryption. The *.bak file is generated after trying to fix this "Egg" mistake, but it doesn't always work, this is why you're getting errors. Blank.ekx is the same for every save/user, no matter what language you are having, he just needs to correct this error.
  24. There are some errors: 0004 06800 00000038 6A83A Trainer Stat Flags (Style) has a wrong size, in my save it is 0x150 0021 1D600 00000644 6A922 ???? 0022 1D800 000005C8 6A92A Tournament Data 1D600 + 00000644 = 1DC44 -> 1D800 should be 1DD00 0030 25400 00000C48 6A99A Pokemon Bank Gifts 0031 26000 00000078 6A9A2 ???? 25400 + 00000C48 = 26048 -> 25400 should be 25200 I checked this with my (non-public) Save Editor and these values are correct, all checksums match after making these changes. Well about the hash regions, as long as we can calculate them there should be no problem, except AES-MAC... About the IVFC hash table, i tried to calculate them with sha256, but no success, i can't get a working xorpad, is there anything i'm missing, like 0x00 values where it should be 0xFF ? //edit found my mistake, all hashs are now working, except 0x3000-53FF, but i haven't decrypted that part yet, so no problem... also note: if the data contains only 0xFF, then the hash is empty (0x00)
  25. For detailed info about the savegames look here: http://www.3dbrew.org/wiki/Savegames To dump and restore saves it reads the NCSD/NCCH header from the rom, this is where it gets the needed informations (NAND save/EPROM save/etc...). The Pokemon X/Y save is missing the "Wear leveling" sector structs, (after the powersave header) it starts directly with the AES-MAC hash, then the DISA/DIFI/... stuff. It's most likely that the save id (which should protect against save modding) is tricked by not modifing these structs and just copy/pasting the save data, but i don't know exactly how it works. @OmegaDonut I have my doubts about datel using a real 3DS and ram hacks to modify saves, datel has enough resources to break any encryption/private keys (they did prove this with the PSP AR), their setup modifies values where a real 3DS just writes 0xFF, this proves they calculate more than a real 3DS would do and it makes more sense then a 3DS farm.
×
×
  • Create New...