Hacking Gateway 3.6.2

  • Thread starter: Quantumcat
I will try another RAM search to see if it's a dynamic address.

1:
Before Battle1: XXXXX Knights (Ram1.bin) (Address: X)
After Battle1: XXXXX Knights (Ram2.bin) (Address: X)
Before Battle2: XXXXX Knights (Ram3.bin) (Address: X)
After Battle2: XXXXX Knights (Ram4.bin) (Address: X)

2:
Before Battle3: XXXXX Knights (Ram5.bin) (Address: X)
After Battle3: XXXXX Knights (Ram6.bin) (Address: X)
Before Battle4: XXXXX Knights (Ram7.bin) (Address: X)
After Battle4: XXXXX Knights (Ram8.bin) (Address: X)
you can't use the Ram Dumper dumps to search for the address, it won't give you the correct address
 
you can't use the Ram Dumper dumps to search for the address, it won't give you the correct address
why not?
won't this help?
Furthermore you can create RAM dumps to the microSD card in the Gateway Red card if you plan to do analysis of these on your computer rather than use our cheat finder. The format for the dumps files is as follows:
* 32 bit header with number of memory mappings (mapcount)
* mapping info objects [int vaddr, int paddr, int size] (12byte per entry)
* data for each mapping, stored consecutively

maybe it won't be as simple as just the ram and the address you see is the same as the address, but surely we can work it out with the data they give us?
 
thanks :)

--------------------- MERGED ---------------------------

I tried:

[Test1] #NotWorking, Freeze
029921A8 000A2C2A
029DA724 000A2C2A

[Test2]#NotWorking, Freeze
D3000000 10000000
029921A8 000A2C2A
029DA724 000A2C2A
 
you can't use the Ram Dumper dumps to search for the address, it won't give you the correct address
why not?
won't this help?


maybe it won't be as simple as just the ram and the address you see is the same as the address, but surely we can work it out with the data they give us?
because the ram dumper doesn't dump from 00000000 to end of address, it skipped some data in between
maybe you could try searching for the values you see in the gw Hex Editor 08000000, 14000000 or 30000000, then search some of those values in the Ram Dump
if found then that could be the address corresponding to 08000000, 14000000, or 30000000
 
Now that Gateway has released the live RAM searching feature and people are making codes in swarms, I was wondering if I am the only one that thinks a sub-forum for testing cheats would be useful.
 
because the ram dumper doesn't dump from 00000000 to end of address, it skipped some data in between
maybe you could try searching for the values you see in the gw Hex Editor 08000000, 14000000 or 30000000, then search some of those values in the Ram Dump
if found then that could be the address corresponding to 08000000, 14000000, or 30000000

The first few bytes of the RAM dump file are a header describing the RAM chunks that will follow.

* 32 bit # of ram chunks
* 32 bit ??? (this is not described in gateway doc and missing even)
* ram chunk description [int vaddr, int paddr, int size] (12byte per entry)
* ram chunks

Just had an idea: someone could build a tool that converts offsets in the ram file to virtual addresses. Then you can use the regular cheat search tools and when it outputs an offset, you can convert it with the tool to get the real virtual address
 
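The offset-to-address converter suggested in the post above, as an added example that is not part of the original thread or Gateway's own code. It assumes little-endian 32-bit fields; `extra_header_words` is a hypothetical parameter that covers both the documented header (0) and the layout with one undocumented field (1), and the sample dump is constructed.

```python
import struct

def parse_mappings(dump: bytes, extra_header_words: int = 0):
    """Return [(vaddr, paddr, size, file_offset)] for each mapping in the dump.

    extra_header_words=0 follows the documented layout; 1 skips the one
    undocumented 32-bit field reported in the post above.
    """
    if len(dump) < 4:
        raise ValueError("dump too short for header")
    (count,) = struct.unpack_from("<I", dump, 0)  # assumption: little-endian
    table = 4 + 4 * extra_header_words
    data_start = table + 12 * count
    if data_start > len(dump):
        raise ValueError("mapping table runs past end of file")
    mappings, offset = [], data_start
    for i in range(count):
        vaddr, paddr, size = struct.unpack_from("<III", dump, table + 12 * i)
        mappings.append((vaddr, paddr, size, offset))
        offset += size  # chunk data is stored consecutively after the table
    if offset > len(dump):
        raise ValueError("mapping sizes exceed file length (wrong header layout?)")
    return mappings

def offset_to_vaddr(mappings, file_offset):
    """Translate an offset reported by a PC search tool to a virtual address."""
    for vaddr, _paddr, size, start in mappings:
        if start <= file_offset < start + size:
            return vaddr + (file_offset - start)
    raise ValueError("offset is in the header, not in any mapping")

def vaddr_to_offset(mappings, address):
    """Translate a virtual address to its position in the dump file."""
    for vaddr, _paddr, size, start in mappings:
        if vaddr <= address < vaddr + size:
            return start + (address - vaddr)
    raise ValueError("address was not captured in this dump")

def build_sample_dump(extra_header_words=0):
    """Constructed two-mapping dump with a gap between the virtual ranges."""
    regions = [(0x08000000, 0x20000000, 16), (0x14000000, 0x24000000, 32)]
    out = struct.pack("<I", len(regions)) + b"\x00" * (4 * extra_header_words)
    for region in regions:
        out += struct.pack("<III", *region)
    return out + bytes(range(16)) + bytes(range(100, 132))
```

Parsing with the wrong header layout shifts every table field by four bytes, so the size check usually fails loudly instead of returning misleading addresses.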
@dsrules
OK, so I did some other searches.

1:
Before Battle1: 46588 Knights (Ram1.bin) (Address1: 029921A8) (Address2: 029DA724)
After Battle1: 81040 Knights (Ram2.bin) (Address1: 029921A8) (Address2: 029DA724)

2:
Before Battle2: 81040 Knights (Ram3.bin) (Address1: 029921A8) (Address2: 029DA724)
After Battle2: 85103 Knights (Ram4.bin) (Address1: 029921A8) (Address2: 029DA724)
New 32bit exact search:
89976
92606
(Address: 15411724)

New 32bit [Unsigned] search:
92606
94893
97302
(Address: 15411724)
(Address: 168000C8)
(Address: 16848644)

New 32bit [Signed] search:
97681
98075
98471
(Address: 15411724)
(Address: 168000C8)
(Address: 16848644)
New 32bit exact search:
98471
98845
(Address: 168000C8)
(Address: 16848644)

New 32bit [Unsigned] search:
98845
99219
99580
(Address: 15411724)
(Address: 168000C8)
(Address: 16848644)

New 32bit [Signed] search:
99580
99976
100347
(Address: 15411724)
(Address: 168000C8)
(Address: 16848644)

So as you can see, I found different addresses between PC and in-game.
I guess it's not dynamic because even after a PowerOff, I found the same address again.

Now I'm trying to make a code, and see if I can have something working...

Edit: I will try those codes:
[Test1]
05411724 000A2C2A

[Test2]
D3000000 10000000
05411724 000A2C2A

[Test3]
068000C8 000A2C2A
06848644 000A2C2A

[Test4]
D3000000 10000000
068000C8 000A2C2A
06848644 000A2C2A

[Test5]
05411724 000A2C2A
068000C8 000A2C2A
06848644 000A2C2A

[Test6]
D3000000 10000000
05411724 000A2C2A
068000C8 000A2C2A
06848644 000A2C2A
 
Last edited by Asia81,
[Test1]
05411724
don't just take away the 1 from the address
put the 1 in D3000000 10000000

[Test1]
D3000000 10000000
05411724 000A2C2A
 
[Test1]
05411724
don't just take away the 1 from the address
put the 1 in D3000000 10000000

[Test1]
D3000000 10000000
05411724 000A2C2A

[Test1] #Freeze
05411724 000A2C2A

[Test2] #Didn't Work
D3000000 10000000
05411724 000A2C2A

Or I don't understand?
 
Last edited by Asia81,
[Test1] #Freeze
05411724 000A2C2A

[Test2] #Didn't Work
D3000000 10000000
05411724 000A2C2A

Or I don't understand?
the second one has the correct code format
try the other two address
like I said, if enabled the cheat doesn't work then use Cheat Finder to search for the address again to see if the address becomes different
 
