[DEVELOPMENT] Injecting pokemon in ORAS without a cyber gadget or Gateway

Discussion in '3DS - ROM Hacking, Translations and Utilities' started by AquaX101, Jan 24, 2015.

  1. AquaX101 (OP)
    SciresM's PKHeX Browser Exploit has been released! Kazo's encounter exploit is still being worked on!
    http://projectpokemon.org/forums/sh...-Browser-RAM-based-Pokemon-Injection&p=195497

    SciresM and KazoWAR have successfully been able to inject Pokémon without the need for a Gateway or a Cyber Gadget, using the tool Spider3DS. It will be compatible with both ORAS and XY, and currently SciresM is making a program for this exploit.
    VIDEOS:



  2. ubergeek77
    If they could use the same tool to dump a decrypted version of the save for savedatafiler, I would be so happy <3
     
  3. cearp
    So there will be a post about it in that spider thing thread, then a development thread here saying wow, look at this, and then finally the actual release thread when it is finished. :D
    But this is very, very cool stuff, looking at it in the wider picture (not just injecting Pokémon etc.).
     
  4. Dartz150
    Like cearp said, this will turn into a massive post flood lol. Well, I'm VERY impressed they achieved this; my high hope right now is to enable custom plugins while running an X program, even a screenshot function would be very amazing.
     
  5. Xenon Hacks
  6. AquaX101 (OP)
    Yet you don't need to give them money for this!
     
  7. SciresM

    This should, in fact, be possible. And by "should", I mean I am looking at a RAM dump right now and it is totally doable.
     
  8. ubergeek77
    This is amazing. I think I can safely assume we can do this for other 6.0 games too.
     
  9. SciresM

    I don't know that and can't say it for sure.

    I know that specifically for Pokemon it should be possible because all the data in the save is loaded into RAM.
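
As an added illustration of what "all the data in the save is loaded into RAM" means for an injector (example code written for this page, not code from the thread, from PKHeX, or from the SciresM/KazoWAR tools): a Generation 6 box Pokémon is kept in the save, and therefore in the game's memory, as a 232-byte PK6 record whose four 56-byte blocks are shuffled by bits of the record's encryption constant and XOR-encrypted with an LCRNG keystream seeded by that same constant, with a 16-bit checksum the game verifies. The Python below encrypts and decrypts such a record using those publicly documented format constants. The sample record, its encryption constant 0x12345678 and the filler bytes are constructed for the demo and are not a legal Pokémon or a real dump; the RAM address of a box slot, which the thread never states, is deliberately not part of the example.

```python
"""
Added example for this thread, not code from the thread, PKHeX or the
SciresM/KazoWAR injector: a Generation 6 box Pokémon record (PK6) as the
save stores it, which is the form a RAM-based injector has to write.
Layout (publicly documented PK6 format):
  0x00 u32 encryption constant (EC)    0x04 u16 sanity    0x06 u16 checksum
  0x08..0xE8 four 56-byte blocks, shuffled by ((EC >> 13) & 0x1F) % 24 and
  XOR-encrypted with the upper 16 bits of an LCRNG (x*0x41C64E6D + 0x6073)
  seeded with EC.  Checksum = 16-bit sum of the decrypted words 0x08..0xE8.
Sample values below are constructed for the demo (assumption: not a real dump).
"""
import itertools
import struct

BOX_SIZE = 0xE8      # size of a stored box record (232 bytes)
BLOCK_SIZE = 56      # 4 * 56 = 224 bytes of block data
DATA_START = 0x08    # first shuffled/encrypted byte
WORDS = (BOX_SIZE - DATA_START) // 2   # 112 little-endian u16 words

# Row r (= shuffle index) lists, for each storage slot, which logical block
# (0=A, 1=B, 2=C, 3=D) occupies it; the rows are the permutations of 0..3 in
# lexicographic order, the same ordering the Gen 3+ format documentation uses.
BLOCK_ORDERS = list(itertools.permutations(range(4)))


def _keystream(ec, count):
    """Yield `count` 16-bit key words from the LCRNG seeded with the EC."""
    seed = ec & 0xFFFFFFFF
    for _ in range(count):
        seed = (seed * 0x41C64E6D + 0x6073) & 0xFFFFFFFF
        yield seed >> 16


def _xor_layer(record, ec):
    """XOR words 0x08..0xE8 with the keystream (symmetric: encrypt == decrypt)."""
    out = bytearray(record)
    words = struct.unpack_from("<%dH" % WORDS, out, DATA_START)
    mixed = [w ^ k for w, k in zip(words, _keystream(ec, WORDS))]
    struct.pack_into("<%dH" % WORDS, out, DATA_START, *mixed)
    return bytes(out)


def _shuffle(record, ec, decrypt):
    """Move the four blocks between logical order and the EC-selected order."""
    order = BLOCK_ORDERS[((ec >> 13) & 0x1F) % 24]
    out = bytearray(record)
    for slot, block in enumerate(order):
        src, dst = (slot, block) if decrypt else (block, slot)
        s, d = DATA_START + src * BLOCK_SIZE, DATA_START + dst * BLOCK_SIZE
        out[d:d + BLOCK_SIZE] = record[s:s + BLOCK_SIZE]
    return bytes(out)


def checksum(plain):
    """16-bit sum over the decrypted block words, the value the game verifies."""
    return sum(struct.unpack_from("<%dH" % WORDS, plain, DATA_START)) & 0xFFFF


def decrypt_pk6(stored):
    """Stored (encrypted, shuffled) record -> plaintext; rejects a bad checksum."""
    if len(stored) != BOX_SIZE:
        raise ValueError("box record must be 0xE8 bytes")
    ec = struct.unpack_from("<I", stored, 0)[0]
    plain = _shuffle(_xor_layer(stored, ec), ec, decrypt=True)
    if checksum(plain) != struct.unpack_from("<H", plain, 6)[0]:
        raise ValueError("checksum mismatch: corrupted or mis-keyed record")
    return plain


def encrypt_pk6(plain):
    """Plaintext record -> bytes ready to write into a box slot (checksum refreshed)."""
    if len(plain) != BOX_SIZE:
        raise ValueError("box record must be 0xE8 bytes")
    ec = struct.unpack_from("<I", plain, 0)[0]
    fixed = bytearray(plain)
    struct.pack_into("<H", fixed, 6, checksum(plain))
    return _xor_layer(_shuffle(bytes(fixed), ec, decrypt=False), ec)


def build_sample_record():
    """Constructed demo plaintext: arbitrary EC, species field set, block bodies
    filled with distinct bytes so the shuffle is visible in a hex dump.  It is
    not a legal Pokémon and not taken from any dump."""
    plain = bytearray(BOX_SIZE)
    struct.pack_into("<I", plain, 0x00, 0x12345678)       # EC (assumed value)
    for block in range(4):
        start = DATA_START + block * BLOCK_SIZE
        plain[start:start + BLOCK_SIZE] = bytes([0xA0 + block]) * BLOCK_SIZE
    struct.pack_into("<H", plain, 0x08, 25)               # species id, block A
    struct.pack_into("<H", plain, 0x06, checksum(plain))  # make it self-consistent
    return bytes(plain)


if __name__ == "__main__":
    rec = build_sample_record()
    enc = encrypt_pk6(rec)
    print("stored form  :", enc[:16].hex(), "...")
    print("round trip ok:", decrypt_pk6(enc) == rec)
```

Two practical notes. The checksum only covers the block words, so a single corrupted byte in an injected record is caught on decryption, but a wrong encryption constant is caught just as reliably, because it changes both the keystream and the block order. The example handles the 0xE8-byte box form only; a party slot appends 28 more bytes that are encrypted with the continuation of the same keystream and are neither shuffled nor included in the checksum.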
     
  10. ubergeek77
    Oh, I see. Probably due to the card2 format it uses.
     
  11. Duo8
    That shouldn't matter since the system handles that should it?

    Anyway, I thought with gpuhax you can only access a small portion of the program? This is full-on RAM editing. Not to mention NX and stuff?
     
  12. ubergeek77
    I wasn't even considering they only had RAM access in the bag for right now. When I asked that question, I was under the impression we'd have enough access to just tell the 3DS to decrypt the save, and have it do just that. I believe we have enough access to do this, seeing as smealum demo'd Smash when he released regionthree. Even if we aren't actively accessing the save during play, surely we can make something to handle saves on 9.x; previously we were locked to 4.x, and that isn't the case anymore.

    But I don't know. I'm not an expert on this. Really wish I was though.
     
  13. Duo8
    Hmm... If you can execute code as the program (Pokemon in this case) you should be able to dump its save (and whatever else the system allows)
     
  14. SciresM

    I don't know if that's possible or not, but for what it's worth the code Kazo and I are executing is entirely within the web browser.
     
  15. Apache Thunder
    I can definitely see Pokecheck using this in some form when they finally get back up and running. This would be the kind of breakthrough they would need. ;)

    At some point they can dynamically build the payload for pokemon stored on Pokecheck.org and spit out an auto generated QR code to point the web browser to the unique payload for the end user.


    Quite some time before this happens. But we're already using the web browser to do this. Just put the two and two together and this seems destined for Pokecheck. :D

    A version for 9.2 and below with more features would be great as well. 9.3/9.4 can't use a launcher.dat file, I believe, so code space is limited, I would assume?

    How much information can you jam into the web browser payload without using an external file on the SD card? Curious about that. :P
     
  16. Dartz150
    For now only the devs know what is possible and what isn't, so I'll only wait for the upcoming updates, and yep, I'm hyped as hell, but my mind tells me not to jump in and start theorizing on everything lol
     
  17. Duo8
    Then editing another program's RAM is possible inside the browser (with just the initial ROP then gpuhax) ?
     
  18. SciresM

    Yeah, Kazowar's code is public: http://pastebin.com/4TJAfRe6

    And I'll make my injection stuff public when it's ready.
     
  19. Dartz150
    But in X there is no more fun to find, maybe the classic "walk through walls cheat", so we can sneak peek on the locked power plants lol.
     
  20. Duo8
    People saw what's behind those doors already. There was nothing.