suloku

On 23/3/2017 at 7:49 AM, BlackShark said:

You can't clear the whole 0x7F000 block. The CRGF identifier has to be there. Otherwise the DR thinks you don't have a save file.

Yes, I thought that might have been the culprit, I should have explored more why my save got deleted after clearing the blocks.

I did plan a dream radar editor since the begining, but never got to research it. I already have functions for block managing, checksum fixing and decrypting so It's not like I have to make all from scratch.

In fact, I'd like to replicate all pokestock functions that can't be done with pkhex (I think entralink records and other stats may be the only thing missing since other functions can be done with pokegen or other english tools, but I'd also like to see those in an open source fashion), but since there's no demand or personal need motivation to do it just lacks. As ultimate goal, integrating all into pkhex would be great, but my coding style and knowledge isn't adecuate for it, but at least an open source program can serve as some sort of documentation for someone else to integrate it into pkhex.

EDIT: I have the editor nearly finished and stumbled upon a problem, but after comparing two examples with pockestock I've noticed how the actual encryption key is generated:

Enc key at 0x7F014 is XORed with the legendaries flags present at 0x25E04, and then that's the actual encryption key that will be used and stored at 0x7F090.
The value at 0x25E00/0x7f004 might be just a seed to generate the next encryption key...it doesn't serve any apparent purpose.

In any case, with that last piece of information I can complete the editor, hopefully bug-free.

EDIT 2: You may find the updated program with the 3DS link editor here: https://github.com/suloku/BW_tool/releases
Hopefully it's bug free, it seemed to work fine for what I tested, even just reseting the flags worked.
@AyanamiRei0@BlackShark

EDIT 3: I've just re-read BlackShark's post and turns out I failed to understand that he already explained how the flags where XORed with the encryption key... (blame it to language or me being tired, luckily I didn't spend more than 15 minutes to figure out, it would be a shame if I spend hours trying to find something already found and posted...)

On 16/2/2017 at 1:00 AM, suloku said:

If that's all there is to it, the program is really trivial, I've wrapped this up real quick: just drag and drop a pk2 file (make it with pkhex) onto the exe and an ar.txt file will be generated. Please tell me if the code worked, currently it generates an AR code for pokémon crystal to change the pokémon in the first party slot with the pk2 file.

As I said, if it works I'll make versions for the other games (not sure how to test myself)

Nice find! I've just tried it myself, at first 3DS Link option claimed the data was corrupted (I used Pockestock to insert the data instead of the actual app), so I basically wiped out 0x25e00 to be all zeroes and put the dream radar data at 0x7F000 with an encryption key of 0x00000000.

Now I'm thinking that clearing both 0x7F000 and 0x25e00 block should reset the flags, but I think I already tried and my save got erased due to corruption...probably I messed up somewhere.

By the way, the value at 0x25e00 (and enc key) gets updated also when transfering non lengedaries/items... I wonder how that works.

I'll code my own version of PokeTrainerS tomorrow, with an option to "reset" the encryption key to receive the legendaries again. Or maybe I should just make it always wipe the data and write it unencrypted for simplicity?

ps: in the end you were the one who did all relevant research and findings

Basically, it seems that clearing the flags needs an extra step since they seem to be encrypted in some unique per savegame way.

I've just thought a tedious way of locating where the secret value migth be, albeit time consuming:
1) Create two blank savefiles (A and B) (blank so less data is in them, the 3DS link feature is accessible anyways).
2) Put the value at 0x25E00 from B in A, then check if any of the lengendaries can't be transfered anymore (we want at least one to be flagged as already transfered)
3) Start inserting blocks from savegame B into savegame A. After each insertion, check if the game allows to transfer the legendary again.
4) Repeat 3 until we can transfer the lengedary.

Those steps would allow us to locate the block where the value used with 0x25E00 is stored, from there locating the actual value should be easier...at least in theory.

Another option would be to reverse engineer how the value at 0x25E00 is generated on a new game, but that's something I can't do. This reminds me of the mirage island in ORAS, I hope this uses a simple operation with a value somewhere in the save, and not a complicated algorythm like that one (which someone actually went and kindly reversed).

EDIT: I've been using desmune and I've noticed that each time you receive 3DS link data, the value at 0x25E00 is different, so as I feared this seems to have some RNG involved...

On 9/3/2017 at 9:35 PM, virgyxx said:

1) How can I create an event where the player receive NOT an egg but directly a specified Pokémon ?
You'll need to create a script yourself for that and put it on a wondercard. I wanted to modify the givegg scripts to directly have a a "give pokemon script" button, but as you can see it has not yet been done (having 7 languages in the game, meaning 7 scripts doesn't help my motivation).

2) How to create a custom event of Regi dolls ? i can't see any option in the tool to enable the player to receive the dolls
You could create a script that gives you the Regi Dolls.
Also, we wanted to make e-reader saves that would work with games other than japanese (an user already had them in fact), but I've never actually looked into that.

But you can use the Decoration Editor to add the Regi Dolls to your savegame.

3) How can I change the current pokémon in the Altering Cave?
The script for this is actually in the rom, we wanted to make a wondercard for each one, but never got to write the WC text for all languages. I think ajxp had some text, I'll ask him. In any case I'll try to include a english and spanish version in the package for people to use. (The way this script works is that it will change the pokemon in altering cave each time you talk to the man in green/blue)

As you can see, the tool allows to do many things with custom scripts, but being able to do it was the main objective and little has been done. Well, I made a wondercard that enables the eon ticket event in emerald and another one that resets the legendary flags so you can rebattle/recapture them, but never uploaded them becasue I did them for some tests and are somewhere in my computer.

I should really retake this project and close those loose ends.

I received a spanish Celebi from colosseum long time ago using the AR codes, maybe a german/french one too (on PAL, you just need to change the game language setting before receiving). I don't have a clue about how to receive pikachu, I've never seen any video/post with details and I may be dumb for never finding it in the disk (not that I tried that much, but I did try all the options in the bonus disk menu).

Fun fact about the spanish colosseum celebi: OT name is "Ágate", and because they seem to have changed character encoding in gen 4 onwards, the first character "Á" appears as garbage in all following generations.

Also, it went up to gen 6, haven't tried to put it on gen 7, but I assume it would pass.

I ban KittyCats for making long posts.

10 hours ago, DryBones157 said:

Is there a way to change my Super Mystery Dungeon in Spanish? Sorry for bothering, but I want an easy way, because most of the majoriy of tutorials are usually confusing

Depends on your 3DS configuration. If you have custom firmware and are using LUMA cfw (if you are using something else, you should change to Luma), it supports per game language/region faking. If you don't have custom firmware and are on official firmware <=11.2, you should follow this guide: https://3ds.guide/

If you are on 11.3, you can still run homebrew, in this case you'll want to use HANS to run the game in another language setting. Here seems to be a good guide to run homebrew on 11.3: https://www.youtube.com/watch?v=XNXfDiFnI7k

I do recommend installing a custom firmware if you have the chance, but you can still use HANS in any firmware 9.x to 11.x via SoundHax (the youtube video guide). There's a step in between, which is stayin in 9.2 or 11.2 and use homebrew to run a custom firmware from your SD card, but I find this unnecesessary and more tedious than the safe and quicker installation of A9LH and custom firmware. The only benefit is that you can't brick your 3DS, but the current A9LH installation process is foolproof and has many security checks to ensure no one screws up, the only real danger is that you close the lid/suspend your 3DS while on firmware 2.1 (a step needed for installation).

13 hours ago, Purin said:

1) the PK3 generation algorithm

That would be the most troublesome to get, not sure how the RE efforts on that have gone.

13 hours ago, Purin said:

2) code for fixing checksums of all Pokémon GBA saves, in C language

BlackShark's Mirage Island appearance program was what I used as basis, which I think in turn is based on kaphotics checksum verification tool. Thinking back, if it weren't for his program I probably wouldn't have dared to play with gen 3 savegame editing.

Also, I think the client from glitchcity I posted previously has been updated to handle checksums and even party/pc pokémon with simple functions.

I have another alternative, for now we have:
1) A client for each distro
2) Client-host communication

As an (easiest?) alternative, I suggest that the final client binary has a dummy pk3 file embeded. The host generates the pk3 once selected using the needed algorythm, then it changes the dummy pk3 file to the actual pk3 on the client and sends it. The client would only need to be a really simple app to check if there's party/pc space and add the pk3.

If they ever release gen 2 I guess they'll just fix the formula, you aren't supposed to trade back anyways, so your aren't supposed to know they screwed up.

I seem to not be exaplining myself well:

Collector Togami's list refers to gen1->7 shinies that can actually be catched in game. The list covers those that will have shiny DV as per gen 7 current pokébank formula. What I'm asking is if the list is also applicable to gen1->2 shiny factor (unrelated to gen 7).

Example: caterpie can't be shiny for gen1->7, but can it be shiny for gen1->2?

Just now, theSLAYER said:

Even if the limitations were the same, a ton of Pokemon can be bred, so that bypassing the "wild Pokemon can't be shiny" problem.

I was referring to the fact that pokemon bank screw up shiny formula and it's different from standard gen 2, I assumed the list is for the current gen1->7 shiny factor.

On 19/3/2017 at 6:15 PM, ajxpk said:

Maybe @suloku is interested in it, but he's very busy at the moment. 

I'd change that to "I don't have the skills", but it seems someone has already covered the difficult part!: http://forums.glitchcity.info/index.php?topic=7861.0

Basically, it's a custom rom that gets sent over to GBA and does stuff to the savefile. The example changes the player name's first letter to "z", but adding a pokémon to the party/first slot would be easy. The only thing really missing would be pokemon generation algorythm, the downside is that this uses gamecube/wii connection, but maybe doing it over two GBA wouldn't be that difficult for someone familiar with GBA development.
Edit: I think it does alter the savefile in RAM, so changes only apply if the player runs the game and saves afterwards.

I wonder, does this apply to gen 2 shininess?

Also, why not ditto? Shouldn't one be able to abuse the ditto glitch for that? It's a glitch that was classically made with the red gyarados, but if you already have a 10/10/10/10 pokémon (say, bulbasaur), would that count as illegal? The glitch is less elaborated than the mew glitch in a way that it could happen without the player noticing, but I gess it's a glitch after all.

2 hours ago, BlackShark said:

I assume it must have something to do with 0x25E00 and/or 0x7F004. I did some test with those value yesterday and I was able to block Tornadus on a save that hasn't received it yet.

Yes, I also tweaked it a little and was able to receive again some pokémon (but not all of them). I'm going to try the full reset with arbitrary 0x25E00/0x7F004 value, see if I can receive them all all over again. Also I'll check again the 8 at once transfer, but I didn't have any normal pokémon and it didn't allow me to transfer all 8 for some reason.

EDIT: it did not allow me to transfer all 8 at once yet again, only 6. I only had legendaries. Lugia and Ho-oh were left out.

EDIT 2: Do you have a savefile that has never transfered anything from Dream Radar? Maybe the same value at 0x25E00 is used for all games, or tied to TID/SID in some way to make it unique. Mine at 0x25E00 is 0x783398F2 and I checked the first savefile backup (right before selecting the starter) and my latest one (never had used dream radar) and the value is unchanged. TID: 07310, SID: 41549

In any case I'll start a new game and check what gets in 0x25E00

EDIT 3: seems random, I even tried used my savegame with memory transfer (which always results in the same key for the key system), but also generates one at random. Changing TID/SID doesn't seem to have any effect. I've noticed a suspicious value at 0x19428, but it may be unrelated as it lays in the trainer region.

EDIT 4: 0x19428 is unrelated, pokestock doesn't handle the receive flags. On a save that had received all 8 legendaries, I went and put the data for the 0x25e00 block and dream radar block from a save before ever interacting with dream radar and I could receive them again.

I've been doing some test, but seems BlackShark make a lot more research! I was about to post about the flag location and found he already did quite the research.

It's curious that they allow for the 8 legendaries in the structure, while the game only allows to transfer 6 pokémon at a time (legendaries + catched) for some reason.

I made a quick test and I managed to re-receive some of the legendaries, but not all of them. What I did was get my savegame that hadn't made any Dream Radar connection, get the 0x25E00 value and paste it in a save that has received 7/8 legendaries at 0x25E00 and 0x7F004, I also cleared 0x25E04 and 0x25E08.

I'm gonna set 0x25E00 to 0x00 and see what happens when transfering something over.

EDIT: I just noticed that after receiving landorus on the 0x00 file, the dream radar block still has the 0x80808080 for tornadus, so maybe what's needed is to clear the flags and those "identificators".

The value I got at 0x25E00 after a single transfer when it was all zeroed is "86 FF A0 F1" (direct hex view).

EDIT 2: I've just realized that for our purposes, we don't really need to know how it exactly works, we can just reset the whole thing to an "unused" state, as if dream radar was never used in that savegame, there's really no need to individually clear each flag.

Here you can a guide about how to use pokestock for dream radar legendaries: https://www.reddit.com/r/pokemonrng/comments/2ezvry/guide_pokestock_entralink_and_dream_radar/

It doesn't mention anything about only being able to retrieve the legendaries once, so maybe pockestock also takes care of the received flag? I guess testing is needed.
BlackShark, does all the block get zeroed after receiving the pokemon/items? Also, the unused byte in the pokémon structure maybe is the ability modifier? I'll have to catch some Dream radar and start some transfers...

Maybe this feature is already in pockestock?
I wanted to look into this, but no motivation right now. If it's already in pockestock it would certainly help to document.

I have before and after saves for all legendaries in black2, if anyone wants them to check the catch/uncatch flags.
Also, if there are already re-battle AR codes, enabling it and saving after just loading a game should be the quickest way to locate the flag for save editing purposes.
 

11 hours ago, Aquaaquaaqua said:

So, I thought I should tell everyone that at first the program worked for me after using a Neo N64 Myth Cart to backup my cartridge save and then using ED64-SaveSwap on the save, however that was once and now any new backups I make from the cartridge don't work with the program, even after using SaveSwap.  Personally, I don't care since I have a fully-compatible backup of the save already, but I just thought I'd mention this oddity.

Send me the saves via PM and I'll check them and see what's wrong.

8 hours ago, evandixon said:

Lombre

It may not be surprising that Lombre is Spanish, and they work in Spanish words to his dialog.

Hash	NA	EU
1748202028	Caramba ! Mais tou es encore une niña !	Caramba ! Mais tou es encore oune niña !

I only know a few words in Spanish, certainly not enough to be able to comment on why they'd make this change. The effect, however, is a slight change in pronunciation of "une".  Rather than attempt to describe it using words, it's best to use Google Translate to sound it out for you.

Neither "une" or "oune" are correct in spanish, but "oune" pronunciation remsembles a lot more the spanish word "una" (which would be the correct article for "niña"), so maybe that's what they wanted with the change ("une" doesn't sound like "una" at all, in fact it would sound just like the masculin article "un", and we are talking about a little girl [niña]): https://translate.google.es/#es/fr/un. una.

You can get one of each legitimately in-game, so nothing prevents you from making playtroughs, get the balls, transfer them via pokemon trade and start over...
Of course no one would be doing this, but I don't think they'll ban because having too many of a legal item... but again having even 10 of each would require a tremendous amount of work. Current speedruns take between 5-6 hours, probably can be optimized with pokebank and some team transfer, but the game has been out for months, so someone crazy enough could have 50 of each legitimately... or even more.

I tend to go by the "if it's technically possible for someone to do it legaly, they won't ban for it", but I've been told nintendo banned people who used hackmons received from wondertrading so you never know with nintendo.

But you may get the balls you need, catch what you want and toss the balls before going online again, that should be pretty safe, they most likely won't be checking if you have too many pokemon caught with apricorn balls.

This is probably the best bet about how they were recognizing game carts in GBA games: http://forums.glitchcity.info/index.php?topic=7114.msg198750#msg198750
If they used something similar, it should be possible to change. I hope it doesn't have any checksum or something.

For both the 10ANNIV rom and Colosseum bonus disk (JAP), a program is sent to the client GBA, which is most likely the one that checks the console's inserted cartridge, so using VBA it should be easier to find what to change if dumping the "rom" that gets sent over to the GBA.

I wonder what would happen if the rom can be made compatible with non-english games for languages like french, which have different pokémon names.

Yes, the wipe save data basically wipes it, probably by writing all of it as 0xFF (you could also restore a full 0xFF savegame to obtain the same result, a corrupted save might also make the game reset the save on itself).
In any case, you might be interested in just restoring a savedata that can distribute the manaphy egg instead of replaying the whole thing, there's one available at gamefaqs, and also at digiex.

Well, that's weird. May you send me your savegame via private messaging for testing? I'll try myself and see what's wrong.

18 hours ago, pokejed said:

Thanks when I try and inject the old sea map into my Emerald save it keeps on saying that file size is invalid?

You are most likely injecting the official japanese event into a non-japanese savegame. Use the unofficial one included in the package for non-japanese games, it will enable the event just like the japanese one. Of course the Mew will be considered non-legal, since it was only ever possible to obtain in a japanese game.

But you may override the langauge setting and inject the official japanese wondercard into your non-jap save and use it with a japanese rom to get a japanese gen 3 mew.

ps: mystery gift can be enabled in the editor via the "extra" menu, for those who don't mind enabling it via save editing.