Showing results for tags 'ram'.
-
Version 20230705
1189 downloads
Pokémon main line and spin off series RAM dump Pokémon extractor, programmed in C#. This application extracts Pokémon from RAM dumps. The application supports gen 1-8 minus LGPE, BDSP, and PLA, as well as the Space World 97 demo, Colosseum, and XD. .NET 7 is needed to run the application. https://github.com/PokeJL/PKX-Extraction
-
Disclaimer: This was originally posted on GBATemp, but I decided to also create a thread here. This program is a WIP; it's pretty stable for Gen VI and VII games. However, it can fail at any time. Make a save backup of your games before using this tool. I will not take responsibility for any save corruption, loss of data or banning from Nintendo.

What is this application?
PKMN-NTR is an on-the-air memory editing program for pokémon games on the Nintendo 3DS. In other words, it is a mini-PKHeX that works while the game is running. It also has some bots capable of automating tasks like Wonder Trading pokémon or Breeding.

Which games are compatible?
- Pokémon X
- Pokémon Y
- Pokémon Omega Ruby
- Pokémon Alpha Sapphire
- Pokémon Sun
- Pokémon Moon
All games need to be updated to the latest version and .NET Framework 4.6 is also needed. Pokémon Sun and Moon are compatible using Mode3-NTR.

What can it do?
- Dump and edit pokémon from boxes, Day Care/Nursery, Battle Box and Party using PKHeX interface.
- See wild opponent pokémon and your partner's pokémon during a trade.
- Clone and delete pokémon.
- Inject pokémon from a *.pkx file in your computer.
- Edit Items and Trainer Data.
- Bots for Breeding, Soft-reset and Wonder Trade.
- Search pokémon in the 3DS' RAM with Poké Digger.
- Build your own mini-bots with the Script Builder.

How do I use it?
- Read the wiki.
- Look for your 3DS' IP address using FBI or an FTP client.
- Start NTR-CFW (Use Mode-3 if you want to use a Gen 7 game in an old 3DS).
- If you want to use bots, enable InputRedirection.
- Open your game, both retail and digital version are supported.
- Enable the NTR debugger.
- Go to PSS / Festival Plaza.
- Connect to Internet.
- In your computer, start PKMN-NTR.exe.
- Input the IP Address of your Nintendo 3DS.
- Click on the Connect button.
- Enjoy the application!

Source code and downloads:
- Last stable version: https://github.com/drgoku282/PKMN-NTR/releases/latest
- Source code: https://github.com/drgoku282/PKMN-NTR
- Older and preview versions: https://github.com/drgoku282/PKMN-NTR/releases
- Report issues, bugs and suggestions: https://github.com/drgoku282/PKMN-NTR/issues
- FAQs: https://github.com/drgoku282/PKMN-NTR/wiki/FAQs

Credits:
- fa-dx: Gathering offsets, creating the tool.
- 44670: NTR CFW & NTRClient, this tool is based off a modified NTRClient.
- Kaphotics: For PKHeX, which is used as the core of the program.
- jackmax: Doing a large-scale rewrite of the code to make it more robust, readable and maintainable.
- Stary2001 and Kazo: For InputRedirection which was the base for the Remote Controls and the Bots.
- Davi Andrade: For the application icon.
-
Pokémon Structure in RAM

Due to a lack of documentation regarding how Pokémon are stored in RAM during battle in the generation 4 games, I have taken it upon myself to document how they are structured and how to extract them. I've found that the Pokémon data is stored around the addresses 002C0BC2 to 002D5780 when a RAM dump is viewed in a hex editor. The length of the data is 128 bytes (decimal value) or 80 bytes (hexadecimal value) per Pokémon. With that, the following is the structure of Pokémon data in the RAM of generation 4 main line games if the relevant 128 bytes were extracted from the RAM; therefore, I'll be starting at address 0x00. Please note that for all values that use 2 or more bytes the values are stored in little-endian format.

Offset      Content
0x00-0x01   National Pokédex identification number.
0x02-0x0B   0x02-0x03 = Attack stat
            0x04-0x05 = Defense stat
            0x06-0x07 = Speed stat
            0x08-0x09 = Special attack stat
            0x0A-0x0B = Special defense stat
0x0C-0x13   The moves known by the Pokémon with every two bytes corresponding to the move index.
            0x0C-0x0D = Move 1
            0x0E-0x0F = Move 2
            0x10-0x11 = Move 3
            0x12-0x13 = Move 4
0x14-0x17   IVs, IsEgg Flag, IsNicknamed Flag. Same as in Block B of PKM Structure for Gen 4 found in the tech documents.
0x18-0x1F   This set of bytes starts at 06 and keeps track of how the stats of the Pokémon have increased or decreased during the battle. Example: 00 = a decrease in a stat by -6 stages and 0C = an increase in a stat by +6 stages.
0x20-0x21   These bytes are linked to the species of the Pokémon in some way. As such a byte combination of 70 0B will be set there if the opposing Pokémon is a Lugia.
0x22-0x23   Unused, in all tests. All bytes have been 00 and after many tests these bytes did not change.
0x24-0x25   These bytes are linked to the species of the Pokémon in some way. As such a byte combination of 0E 02 will be set there if the opposing Pokémon is a Lugia.
0x26        Pokémon form index. If the Pokémon does not have more than one form or the Pokémon is in its base form this value will be 00. Note form and evolution stage are different concepts.
0x27        Ability index
0x28        Unused, in all tests. All bytes have been 00 and after many tests these bytes did not change.
0x29        Appears to change if the Pokémon has a blanket ability activated. 00 = no blanket ability and 04 = the Pressure ability. It is unclear if this byte can have a value other than 00 or 04 depending on the ability.
0x2A-0x2B   Unused, in all tests. All bytes have been 00 and after many tests these bytes did not change.
0x2C-0x2F   Current Power Points of moves.
            0x2C = Power Points Remaining for move 1
            0x2D = Power Points Remaining for move 2
            0x2E = Power Points Remaining for move 3
            0x2F = Power Points Remaining for move 4
0x30-0x33   Number of PP Ups used for each move.
            0x30 = Number of PP Ups used on move 1
            0x31 = Number of PP Ups used on move 2
            0x32 = Number of PP Ups used on move 3
            0x33 = Number of PP Ups used on move 4
            Values cannot exceed hexadecimal value 03.
0x34        Current level of Pokémon. Value cannot exceed hexadecimal value 64.
0x35        Happiness of Pokémon.
0x36-0x4B   Pokémon nickname. If no nickname is set the Pokémon species name will be stored here with a terminating FF value. Note this is a character array; therefore, little-endian formatting does not apply here.
0x4C-0x4D   The current Hit Point value of the Pokémon.
0x4E-0x4F   Unused, in all tests. All bytes have been 00 and after many tests these bytes did not change.
0x50        The max Hit Point value of the Pokémon.
0x51-0x53   Unused, in all tests. All bytes have been 00 and after many tests these bytes did not change.
0x54-0x63   Original trainer (OT) name. If the Pokémon belongs to a non-playable character (NPC) all bytes will be 00 with a terminating FF. Note this is a character array; therefore, little-endian formatting does not apply here.
0x64-0x67   Current EXP. If the Pokémon belongs to an NPC all bytes will be 00.
0x68-0x6B   Pokémon personality identification number (PID).
0x6C        This byte gets set if the Pokémon is affected with a status condition that is not temporary such as burn or poison.
0x6D-0x73   Each byte correlates with a temporary status condition. For example the byte set for confusion is the counter for how many turns remain before the confusion status effect wears off.
0x74-0x75   Trainer identification number (ID).
0x76-0x77   Trainer secret identification number (SID).
0x78-0x79   The index of the item that the Pokémon is holding.
0x7A-0x7D   Each byte correlates with a status condition that is not temporary. The byte set for sleep is the counter for how many turns remain before the Pokémon wakes up.
0x7E        This byte is the gender of the Pokémon. 00 = male, 01 = female, 02 = genderless.
0x7F        This byte is the type of Poke Ball that the Pokémon is in. If it is in a special ball from Pokémon Heart Gold or Pokémon Soul Silver this byte will be 04 which is the same as the Poke Ball.

Pokémon Extraction

In order to easily extract a Pokémon from RAM I recommend dumping the RAM as soon as the Pokémon that you want to extract is sent into battle. This is done so when viewing the RAM in a hex editor you can find a string of bytes that is both unique enough that it will not appear multiple times in the RAM and consistent with any Pokémon currently in the RAM. With that said, the string of bytes that meets both of these conditions in most cases is the stat increase/decrease values, which would be 06 06 06 06 06 06 06 06. Please note if an ability such as Intimidate or Download activates before dumping the RAM you will have to adjust the string of bytes accordingly. In a standard 1 vs 1 battle the first Pokémon that will appear in the RAM will be yours and the second one will be your opponent's. From there follow how a Pokémon is stored in the save file in order to rearrange the data to create a valid PK4 file.

Update: I have developed an application that can find and extract Pokémon from a generation 4 RAM dump file. Application can be downloaded from here

Additional Reading
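The following Python example is added here and is not the poster's code or the application mentioned in the post: it searches a dump for the 06 x8 stat-stage string, cuts out the 128-byte record around it and decodes the fields at the offsets listed in the table. The non-zero species and minimum level checks are assumptions used to discard false matches, and the sample dump is constructed.

```python
import struct

RECORD_LEN = 0x80        # 128 bytes per Pokémon, as stated in the post
STAGES_AT = 0x18         # stat-stage bytes occupy 0x18-0x1F
NEUTRAL = b"\x06" * 8    # the post's search string: no stat changes yet
GENDERS = {0: "male", 1: "female", 2: "genderless"}


def parse_record(rec: bytes) -> dict:
    """Decode one 128-byte battle record; multi-byte values are little-endian."""
    if len(rec) != RECORD_LEN:
        raise ValueError("record must be exactly 128 bytes")
    species, atk, dfn, spe, spa, spd = struct.unpack_from("<6H", rec, 0x00)
    exp, pid = struct.unpack_from("<2I", rec, 0x64)
    tid, sid, item = struct.unpack_from("<3H", rec, 0x74)
    return {
        "species": species,
        "stats": {"atk": atk, "def": dfn, "spe": spe, "spa": spa, "spd": spd},
        "moves": list(struct.unpack_from("<4H", rec, 0x0C)),
        "iv_word": struct.unpack_from("<I", rec, 0x14)[0],  # left packed
        "stages": [b - 6 for b in rec[0x18:0x20]],          # 0x06 = no change
        "form": rec[0x26], "ability": rec[0x27],
        "pp": list(rec[0x2C:0x30]), "pp_ups": list(rec[0x30:0x34]),
        "level": rec[0x34], "happiness": rec[0x35],
        "nickname_raw": rec[0x36:0x4C],   # game text encoding, not decoded
        "hp": struct.unpack_from("<H", rec, 0x4C)[0],
        "max_hp": rec[0x50],              # the post documents a single byte
        "exp": exp, "pid": pid, "tid": tid, "sid": sid, "item": item,
        "gender": GENDERS.get(rec[0x7E], "invalid"), "ball": rec[0x7F],
    }


def plausible(p: dict) -> bool:
    """Discard false signature hits using the limits given in the post."""
    # Assumption of this example: species is non-zero and level is at least 1.
    return (p["species"] != 0 and 1 <= p["level"] <= 0x64
            and all(u <= 0x03 for u in p["pp_ups"])
            and p["gender"] != "invalid")


def find_records(dump: bytes) -> list:
    """Return (offset, fields) for each plausible record in a RAM dump."""
    hits, pos = [], dump.find(NEUTRAL)
    while pos != -1:
        start = pos - STAGES_AT
        if start >= 0 and start + RECORD_LEN <= len(dump):
            fields = parse_record(dump[start:start + RECORD_LEN])
            if plausible(fields):
                hits.append((start, fields))
        pos = dump.find(NEUTRAL, pos + 1)
    return hits


def sample_record() -> bytes:
    """Build a constructed record (made-up values, not from a real dump)."""
    rec = bytearray(RECORD_LEN)
    struct.pack_into("<6H", rec, 0x00, 249, 150, 200, 180, 140, 230)
    struct.pack_into("<4H", rec, 0x0C, 177, 56, 240, 105)
    rec[0x18:0x20] = NEUTRAL
    rec[0x2C:0x30] = bytes([5, 5, 5, 10])
    rec[0x34] = 45
    struct.pack_into("<H", rec, 0x4C, 158)
    rec[0x50] = 158
    struct.pack_into("<2I", rec, 0x64, 0, 0x12345678)
    rec[0x7E], rec[0x7F] = 2, 4
    return bytes(rec)


# Constructed dump: padding, one record, a stray 06 run (decoy), padding.
SAMPLE_DUMP = bytes(0x40) + sample_record() + NEUTRAL + bytes(0x100)

if __name__ == "__main__":
    for offset, mon in find_records(SAMPLE_DUMP):
        print(hex(offset), mon["species"], mon["level"], mon["stages"])
```

A record dumped after a stat-changing ability has fired no longer contains eight 06 bytes, so the search string has to be adjusted as the post describes.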
-
For the fifth generation of Pokémon games the RAM is actually very easy to read when compared to the fourth generation. This is largely due to the fact that when the RAM is opened in a simple text editor the headers in the RAM are in plain text. However, ripping Pokémon from RAM is both easier and harder than in generation four. In my previous topic, when I broke down the structure of Pokémon in generation four's RAM, I was able to locate all of the important information of the Pokémon, but with generation five important information that one would expect to find does not appear to be present at first glance. Fortunately that is not where this topic ends; it turns out all Pokémon that are on the field as well as the entire party of all trainers are stored in the RAM in an encrypted format. It appears that the entire party block from the save is copied into the RAM and when a battle starts the other trainer's Pokémon is loaded into the RAM using the exact same structure as the player's party Pokémon. This allows for easy ripping of Pokémon at the cost of this topic appearing extremely underwhelming due to this outcome (sorry, no table this time).

How to Extract Pokémon from RAM Dumps During a Non Vs. Recorder Battle

As stated earlier the RAM for generation 5 is very easy to read and this easiness to read makes it easy to rip Pokémon. In order to rip a Pokémon you will need to find it in the RAM and that is where the header N.pokeparty.c comes into play or its hex equivalent 4E 19 70 6F 6B 65 70 61 72 74 79 2E 63. In most cases there will be four instances of this header with the first one being the player's party, the second one being the NPC's party, the third one being the player's party again, and the last one being the NPC's party again (upon writing this I have realized that I did not test this with a multi-battle so the results may change for that). In some cases there may be an extra header before the first normal instance of it where different functionality such as Wi-Fi is mentioned. In order to start extracting a Pokémon you will need to start 20 bytes after the c in N.pokeparty.c, therefore the 21st byte onwards will be the start of the Pokémon data. Since it follows the same structure as party Pokémon in the save each Pokémon occupies 220 bytes so with some simple multiplication you can find the end of relevant data in the block.

At this point I have covered general information and how to find the Pokémon, but now you probably want to know how to get a Pokémon from the RAM to the save even though the data is encrypted.

1. Locate the correct party block that has the Pokémon you want.
2. Copy the entire block or until the end of relevant data (if there are less than six Pokémon only copy up to the end of the last Pokémon).
3. Get a save file where the party Pokémon can be overwritten.
4. Copy the RAM block into the party block.
5. Open the save in PKHeX.
6. Use PKHeX to update the checksum or remove the Pokémon from the save to your main save.

For now this is the best method until an application is developed that can do this.

How to Extract Pokémon from RAM Dumps During a Vs. Recorder Playback

For these kinds of RAM dumps the method above does not work as intended and the Pokémon will appear to have incorrect data if opened in PKHeX. The corruption occurs primarily with Pokémon obtained in a fifth generation game and is caused by the 0x5F byte which indicates which game the Pokémon was caught in being set to 00. In order to prevent this the Pokémon needs to be extracted from the RAM, decrypted without the use of PKHeX, opened in a hex editor, and manually change the 0x59 byte to either 14 for Pokémon White or 15 for Pokémon Black. This only needs to be done if the 0x59 byte is set to 00.

Now just general remarks and interesting information from looking into this: In Pokémon Black 2 and Pokémon White 2 there are NPCs that you can trade with and then have them challenge you to a battle with the traded Pokémon, but is it the same Pokémon? No, it is not the same Pokémon. In the end the Pokémon does maintain its PID, gender, nickname, ID, and SID, but its level is raised to the nearest 5th level, nature is changed, held item removed, met data wiped, IVs are changed to a predetermined set of IVs, EVs are set to 0, moves will reflect the four most recent moves that that species of Pokémon would know at the new level, and OT is wiped. As well, despite not usually being found in the RAM decrypted the Pokémon will have its name, ID, and SID decrypted in the RAM.

Going back to generation four, Pokémon are also stored in the RAM encrypted, but it does not appear NPC Pokémon are always stored this way since 1 out of 5 attempts resulted in a good rip and not a glitch Pokémon. Therefore, keep using the information outlined in my earlier topic.

For further reading please read my mapping of Pokémon in generation four RAM and generation five Pokémon structure in the technical documents. Special thanks to @BlackShark for providing some Pokémon White RAM dumps. Also here is an updated folder of some Pokémon that I dumped from popular NPCs from Pokémon Black and Pokémon White (this time properly ripped and not using an AR code): Black White Special Trainers Updated.zip
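The offset arithmetic from the generation 5 post, as an added Python example that is not the poster's code: it locates every N.pokeparty.c header, skips the 20 bytes after the c, cuts the block into 220-byte encrypted slots and collapses the repeated copies of each party. Treating an all-zero slot as empty and the repeated instances as byte-identical are assumptions of this example; the sample dump is constructed.

```python
# Header bytes exactly as the post gives them ("N.pokeparty.c").
HEADER = bytes.fromhex("4E 19 70 6F 6B 65 70 61 72 74 79 2E 63")
GAP = 20          # bytes between the header's final "c" and the first Pokémon
SLOT_LEN = 220    # size of one encrypted party Pokémon
MAX_SLOTS = 6     # a party holds at most six Pokémon


def find_party_blocks(dump: bytes) -> list:
    """Return the offset where Pokémon data starts after each header."""
    starts, pos = [], dump.find(HEADER)
    while pos != -1:
        starts.append(pos + len(HEADER) + GAP)
        pos = dump.find(HEADER, pos + 1)
    return starts


def split_party(dump: bytes, start: int) -> list:
    """Cut a party block into 220-byte slots, dropping trailing empty ones.

    Treating an all-zero slot as empty is an assumption of this example.
    """
    slots = []
    for i in range(MAX_SLOTS):
        chunk = dump[start + i * SLOT_LEN:start + (i + 1) * SLOT_LEN]
        if len(chunk) < SLOT_LEN:      # dump ends inside this slot
            break
        slots.append(chunk)
    while slots and not any(slots[-1]):
        slots.pop()
    return slots


def unique_parties(dump: bytes) -> list:
    """Collapse repeated copies of a party; keep the first offset of each.

    Assumes the repeated instances are byte-identical.
    """
    seen, parties = set(), []
    for start in find_party_blocks(dump):
        slots = split_party(dump, start)
        key = b"".join(slots)
        if slots and key not in seen:
            seen.add(key)
            parties.append((start, slots))
    return parties


def make_block(fill: int, count: int) -> bytes:
    """Constructed party block: header, gap, `count` filled slots, zero rest."""
    body = bytes([fill]) * (SLOT_LEN * count)
    return HEADER + bytes(GAP) + body + bytes(SLOT_LEN * (MAX_SLOTS - count))


# Constructed dump in the order the post describes: player, NPC, player, NPC.
PLAYER, NPC = make_block(0x11, 2), make_block(0x33, 6)
SAMPLE_DUMP = b"\xAA" * 7 + PLAYER + NPC + PLAYER + NPC

if __name__ == "__main__":
    for start, slots in unique_parties(SAMPLE_DUMP):
        print(hex(start), len(slots), "Pokémon,", SLOT_LEN * len(slots), "bytes")
```

The slots stay encrypted throughout; the example only finds and sizes the region that the post's copy step would take.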
-
Hi, Sorry if this is the wrong section, wasn't sure where to put this since I'm new here. Does anyone have the Vblank patch for Japanese Emerald, and if it exists, a FireRed version? On max settings FR is only running at about 1600% (turbo, 1000% speed, highest process priority, skip 2 frames, frames advancing in a battle). I have the regular English version, which I'm grateful for and has helped immensely, just hoping if it's available in the versions I mentioned above. Thank you.
-
Hey all, I'm trying to pull the memory addresses for the flags that determine if a badge has been earned in all of the Pokémon games. I've managed to get out the pokemon party, etc, but can't find badges. I've done some research and I've gathered links that detail some things about badge memory addresses in RAM (I'm not aware of rules about external linking, but I can post the stuff I've found thus far if I'm allowed). Is there anybody out there that's done this or knows about the badges? I thought I'd start with Gen3 and work my way up. I'm using Lua to pull these out of emulators at the moment. But to no avail. Thanks in advance!
-
Hi, is there any tool to dump the RAM on old 3DS GW3D 11.2.0-35E ? I'm trying to get the Totem Pokemon in Sun/Moon and I need to dump the Ram for.
-
Hi, does someone know where is located the wild pokemon you encounter in Black2/White in the Ram? It must be something like 20XXXXXX Thanks in advance.
-
So with Animal Crossing New Leaf if you have a 3DS version 9.5 or below you can use a simple RAM dump and injection method to edit your game's save file. Bookmark websites for dumping & injecting ram > load game & make sure you can move around > go to browser & go to ram dump link "browser will crash" > save game & power down console > put SD card in computer & edit save file (either Hex editing or in program) > replace your old save on SD card with new hacked save file > put SD card back in 3DS & load game > go to browser & click the injection link "browser will crash" > check your changes & save if you like them. So with XY I'm really interested in randomizing the Pokemon, starters & in-game events, trainers' Pokemon, and encounter Pokemon, just like you can do with the universal randomizer for B/W2 and below. I have a 3DS with firmware 9.4 and a powersave if necessary... however the only option I can find for randomizing the 6th generation games is pk3DS which looks awesome but requires firmware 9.2 or below and a gateway flashcard (I don't have either of them nor do I want to put the money into getting them). I'm only interested in randomizing the game to play a nuzlocke in my free time and after going over my options Pokemon Y is a game I haven't played in forever and I'd love to do my first nuzlocke with 3D and fairy typing! Does anyone know of an easy method to do this like the one for Animal Crossing New Leaf? Thank you for all help and suggestions!
-
I'm looking for some W2 RAM addresses on the Web. I could find a few. There are the codes of Total steps: 2223024 And values recorded in trainer card. But the other ones seem not to be found anywhere. If anyone is free, please find them. It doesn't matter which version in region is. They're kind of counter that related to Medals. Specifically I want two addresses, the number of times the game saved, and Super Effective Hit counter.
-
Hello again! I recently did a lot of work on PMD2, but before that I was working on a script to make some deep modifications to Pokemon at runtime, directly in the RAM of the emulator. It got put on hold, given I use Cheat Engine as backend for the lua script that powers the whole thing, and the UI editor is very finicky and keeps crashing when I'm editing list views, and given I'm using a ton of them, it's getting a little tedious.. I'm still trying to find out whether I can still use Cheat Engine as backend but used from another language such as C# or something where I can make a separate UI easily..

It's really not polished and it still has its share of bugs. And thus far the actual editor can only list pokemon in the party, and in the first 8 pc boxes (I doubt it's even possible to ever use more than that tbh..). However, it does list a lot of data that is invisible to the player, such as PID, SID, IVs, EVs, etc.. Right now, it works only on a x64 setup, x64 Windows OS + x64 dolphin, x64 Cheat Engine.. But I was in the process of implementing a detection for that and to use the proper addresses for an x32 setup. However, it's really not that complicated to change the addresses in the script to their x32 equivalents..

PPXD Memedit

Description:
For x64 setups only right now.. Unless you want to manually edit it in the script, which is still possible! Don't expect too much of it. I'm mainly only releasing it so others can pick it up and improve on it, because it will probably be a while before I put good progress into it!
This thing can basically read straight from the dolphin emulator's memory data for each pokemon in the player's party, and in the pc boxes. It shows normally invisible details about pokemon, such as PID, SID, IVs, and EVs. These guys have helped me a lot with the data they've published: http://www.smogon.com/forums/threads/past-gen-rng-research.61090/page-32#post-3808418
Eventually it will allow modifying those things! Along with editing the actual data for pokemon species, moves, typing, etc.. Thus far most of the in-memory data for those has been figured out, and the only thing left to do is to build a proper UI to edit those, and a proper way to save changes and load them easily later on..

How to use:
You need to have Cheat Engine x64 and Dolphin x64 installed on your computer for this to work! I currently have CE 6.3.x. Dolphin uses a certain technique to access/manage memory, and the "MEM_MAPPED" option in the Cheat Engine's Scan Settings must be turned on!
1. First extract everything to the same directory. Double click on the .CT file. Cheat Engine should load it. At the popup say yes to loading the script. Right now the script doesn't auto-start when loaded with Cheat Engine, because it's still kinda glitchy and having access to the Cheat Engine UI can help!
2. So, in the Cheat Engine window, go to the menu, then Table->PDXMainWindow->Restore and Show. This should pop up the main window of the memeditor.
3. Then, make sure dolphin x64 is running with the game loaded, and click on the button named "attach to dolphin". It should freeze for less than a second, and a message saying "process already attached" (my code is still glitchy, but it actually attached the process correctly) will pop up in the box at the bottom.
4. Then, given I didn't find the static pointers to the player's party and PC boxes, you need to input your trainer's name exactly as you entered it in the game inside the player name box. Then if you changed the name of your first pc box, enter the name you gave it in the second box, then click "analyze memory". This should take a second or so, and if it found the player party and the pc boxes it will list those in the box along with their addresses..
5. Once it worked, you can either click on "Party Pkmns" to see a list of the pokemon currently in your party, or PC Boxes to see a list of pokemon in your pc boxes. The other options are not guaranteed to work as of now, or won't do anything at all.
*NOTE: the "auto-refresh" checkbox and the "switch to battle party" button don't work at all yet.

Download:
- Version 0.1 pre-pre-pre-alpha: https://www.dropbox.com/s/sjfcc8zsiymslu9/ppxd_memedit-0.1.zip

Research Notes:
Those are the interesting part! They are strictly about RAM editing, given I haven't managed to decompress anything on the game disc.. I couldn't find out what compression it used or if tools existed for it.. But the notes contain details on how to modify most values for each individual pokemon, and how to edit species-wide data, or even edit single moves' data! They're a work in progress though, and still not very clean and not 100% accurate.. So any contributions anyone can make to them would be greatly appreciated! Even if, right now I'm mainly focusing on reversing PMD2, I figured it was better to share those than have them on my hdd doing nothing useful!
Here they are: https://www.dropbox.com/s/qx8zah411t6dbvt/PPDX_MemoryDataStructureInfo.txt

On a side note, I was really surprised at how sturdy the game is even if you enter completely invalid things! I never even managed to freeze or crash the game once when working on finding out those things! Things like replacing an entire pokemon block with ones everywhere! I made really weird and dumb things, such as have a pokemon evolve like shedinja, and create a copy of itself of its pre-evo species! And then that evolved, and gave basically a copy of itself at each level.

I hope this will be useful to someone!
-
The title says it all, I'm requesting a code that lets you use items in the Battle Frontier. I've only started experimenting with AR codes so I don't really have the experience necessary to figure out how to do this. Any help/codes/suggestions are appreciated.
-
I can't find one anywhere (that's suitable for me, and specifically for games). I already understand Hexadecimal, Binary, Octal (Not that I'll need it), Decimal (THE HARD KIND), and how to convert between them. I also know Logic Gates, but that probably only applies to hardware, not software. I want to learn about addresses, and what order I would put a code in, and things like that. I own a Trainer Toolkit, but I don't understand large portions of the manual. If anyone could give me a link to a website that I don't have to sign up for, I would be eternally grateful. I still don't get what 32-bit addresses and "If equal to/If more/less than" means. If you know an incredible tutorial that I would have to sign up for, that would be fine, too. Thanks in advance!