Past Gen RNG Research

Current information on the B&W RNG:

The state of the RNG is stored as a 64-bit number at memory location 022160A4.
I don't think that is correct; I was just working on trying to find the formula, and I think they are two 32-bit RNGs.

Here is what I got so far.
Code:
OFFSETS BLACK (add 0x20 to offset for white)
02216084 = SEED1
02216088 = SEED2
0221608C = 0x6C078965
02216090 = 0x5D588B65
02216094 = 0x00269EC3

SEED1 = (0x6C078965 * SEED1) + 0x00269EC3;
SEED2 = ???
Variables and constants for SEED2 seem to include SEED2, SEED1, 0x6C078965, and 0x5D588B65.


RNG advancements when forcing SEEDs to certain values.
00000000 00000000
00269EC3 00000000
55AE9CB2 7188D00C
A0C3B2FD 0AF528D3
C910A194 0A8B4E34

00000001 00000000
6C2E2828 5D588B65
5AF1DE8B E3B543E4
0B78CE9A 3D7FCA1A
CB968B85 3FE714A2

00000000 00000001
00269EC3 6C078965
55AE9CB2 76CC11E5
A0C3B2FD 75AA4470
C910A194 0D113825


AR codes to modify RNG variables and constants to try to crack formula.
02216084 00000001
02216088 00000000
0221608C 00000001
02216090 00000001
02216094 00000000
 

mingot

free agent
Some things that might help:

Regarding seed 2 and the constant 0x5D588B65:

It looks like it's a hash function.

http://blogs.msdn.com/b/ricom/archive/2007/01/22/performance-quiz-12-the-cost-of-a-good-hash.aspx

Regarding seed 1:

0x6C078965 used to be part of the old ARNG.

It really looks like this is just another LCRNG with new constants. I used the researcher function in RNG Reporter and plugged in your new constants and got the same results that you did when you forced the seed.

Regarding something I found a few days ago:

Check out the routine at 02019B7A. It's the old LCRNG, but I didn't see where it actually stored the value. Everything came in and out through registers and without a debugger I could not get a handle on where / when it was called.
 
Check out the routine at 02019B7A. It's the old LCRNG, but I didn't see where it actually stored the value. Everything came in and out through registers and without a debugger I could not get a handle on where / when it was called.
I think it is used for the pkm data encryption; trying to modify either 0x41C64E6D or 0x6073 caused the game to display an error message when trying to get into a battle, access the storage box, or open the party. Starting a new game with the value modified before the game generates your starter does not display the error message. Haven't tested this part yet, but I am sure that if you try to import a pkm from the save file with the modified encryption to a normal save file, it would result in the pkm being invalid.

The encryption routine: http://www.projectpokemon.org/wiki/Pokemon_NDS_Structure#Encryption
 

mingot

free agent
Cool, that makes me feel like that code has a reason that doesn't necessarily have anything to do with pokemon generation. Oddly enough, that makes me feel better.

Do you think it might be worthwhile for me to quickly release an rng reporter with a method for "SEED1 = (0x6C078965 * SEED1) + 0x00269EC3" so that we can do a quick check to see if we can find a captured pokemon?
 

ΩDonut

don't glaze me bro
Both seeds are used to generate egg PIDs. I kept Seed1 constant and got changing PIDs, Seed2 constant and got changing PIDs, and when I kept both constant I got a static PID.

Code:
Seed1	Seed2	PID
0x0	0x0	C0AAEBC6
0x0	0x1	5878F4C3
0x1	0x0	5878F4C3
0x1	0x1	539702A7
The fact that we get the same PID when Seed1 and Seed2 are reversed is promising. It might not be so hard to figure out egg PID generation, even if we don't have a debugger.

Unfortunately, the egg IVs seem to be coming from some other RNG, one that's constantly changing in the background. I'll need some more testing to see if it advances "Emerald fast" or not.

A few notes:

- The game does not load if the time recorded at the last save matches the time when you reload the game. You'd have to re-save at a different time.
- The egg PIDs are loaded into memory location 02234BA4 (White) when generated. I've confirmed this several times, and it spares the trouble of checking the save files under PokeGen.
 
Seems like I was wrong earlier; it is a 64-bit seed, and the formula for advancing is:
Code:
OFFSETS BLACK (add 0x20 to offset for white)
02216084 = SEED
0221608C = 0x5D588B656C078965
02216094 = 0x0000000000269EC3

SEED = (0x5D588B656C078965 * SEED) + 0x0000000000269EC3;
Also what you said about the IVs being generated by another RNG, I believe that since I had matching PIDs but different IVs when I froze the RNG and captured a few Pokemon.

Also the PID was 0A8A4E34. I think I remember seeing something on that one site mingot linked earlier about XORing something by 0x10000; I think it was the PID, because the PID seems to be the 32-bit high of the 4th RNG call (0A8B4E34C910A194) XOR'd to 0x10000.

0000000000000000
0000000000269EC3
7188D00C55AE9CB2
0AF528D3A0C3B2FD
0A8B4E34C910A194
 

ΩDonut

don't glaze me bro
Also the PID was 0A8A4E34. I think I remember seeing something on that one site mingot linked earlier about XORing something by 0x10000; I think it was the PID, because the PID seems to be the 32-bit high of the 4th RNG call (0A8B4E34C910A194) XOR'd to 0x10000.
Is that a PID generated from a stationary legendary? I did the same thing with a Pokemon I Sweet Scented in the grass, but didn't get a similar result (PID -- 86F3A159)

EDIT: Actually, I kinda did. 06F2A159, one of the upper 32 bits, when XOR'd with 0x10000 is 06F3A159. Add 80000000 and you get the PID result.

Code:
RNG calls with Sweet Scent:

00000000 00000000
00000000 00269ec3	
7188D00C 55AE9CB2	
0AF528D3 A0C3B2FD	
0A8B4E34 C910A194	
C83FB970 153A9227	
0C45453A 2B8A2726	
CC28FE89 36A566C1	
22967565 4EAC71E8	
38C7575F 507CB74B	
67795501 267F125A	
C0AAEBC7 A9910645	
06F2A159 CA9C04FC	<-- probably where the PID came from, with some modification
C9E3DDA4 E143722F	
08D1DD28 EB26D24E	<-- PID was definitely generated just before here
94CB488B 35255589	
9D847485 1566AED0	
36360093 ECE6E6D3	
8B8FEA14 5C8B9B02	
6493EA8F 4E3CD88D	
46DD090E D5E68364	<-- RNG value at the battle start
Additionally, I tested the PID outcomes of Pokemon Sweet Scented in grass, with fixed seed values:

Code:
U32	L32	PID
0x0	0x0	10000
0x1	0x0	EC068965
0x0	0x1	DD598B65
0x1	0x1	496114CA
0x10000	0x10000	94CB6C07
0x0	0x10000	8BCB6C07
0x10000	0x0	09640000
0x10000	0x1	E6BC8B65
0x1	0x10000	776DF56C
Will analyze these later, right now have to do some paying work. My girlfriend is trying to get a better translation of the Japanese RNG researcher's blog, but she hasn't had time to make much progress yet.

Some additional notes:

- The PID is stored at 02259DA0, 0225A410, 0226AB74, 0226B0D4, and 022A7BB4(White) when generated. Only the first two keep the PID stored immediately after the battle ends. At least for wild, Sweet Scented Pokemon. Don't know why it's stored in several locations, though.

- Nature is no longer linked to PID in 5th gen. I'll have to test to see if the nature comes off the same RNG as the PIDs.
 
I know the nature is in the RNG at 02216084 because it is always the same for a certain SEED. Still haven't figured out what call it's from, though.

Also the Sweet Scent PID might just be XOR'd to 0x80010000

Also I noticed
Code:
0x0    0x0    1000
Make sure you are setting the RNG and then disabling the code. The PID should be 0A8A4E34. I had the same issue when I was testing; I think it has to do with the rate the AR codes are refreshed, stuffing 0 back into SEED as soon as the game reads it for the PID, then XORing 0 with 0x10000 to get a PID of 0x10000.
 

ΩDonut

don't glaze me bro
Also the Sweet Scent PID might just be XOR'd to 0x80010000
Tested with an initial seed of 0x100000000 and got a PID of 28F7922A.

Code:
	RNG value
0	100000000
1	6C07896500269EC3
2	76CC11E555AE9CB2
3	75AA4470A0C3B2FD
4	D113825C910A194
5	82DDFE85153A9227
6	1F41C3832B8A2726
7	A95AE25636A566C1
8	D0C90A464EAC71E8
9	28F7D24507CB74B
10	4409A8BA267F125A
11	5878F4C4A9910645
12	28F6922ACA9C04FC
13	1308B919E143722F
14	FA010F51EB26D24E
So sometimes it's XORing with 0x80010000, other times with 0x10000.

Make sure you are setting the RNG and then disabling the code. The PID should be 0A8A4E34. I had the same issue when I was testing; I think it has to do with the rate the AR codes are refreshed, stuffing 0 back into SEED as soon as the game reads it for the PID, then XORing 0 with 0x10000 to get a PID of 0x10000.
It works for some short tests. The PID result is generally the next RNG result XOR'd with 0x10000, or 0x80010000, or some other number. It's a quicker way of getting results, at least until RNG Reporter is updated to handle the 64-bit seeds. (Hey, don't I have access to the source code? Yes. Yes, I do.)

Code:
U32	L32	PID		Next RNG #	XOR'd with
0x0	0x0	10000		0		   10000
0x1	0x0	EC068965	6C078965	80010000
0x0	0x1	DD598B65	5D588B65	80010000
0x1	0x1	496114CA	C96014CA	80010000
0x10000	0x10000	94CB6C07	14CA6C07	80010000
0x0	0x10000	8BCB6C07	8B656C07	  AE0000
0x10000	0x0	09640000	89650000	80010000
0x10000	0x1	E6BC8B65	E6BD8B65	   10000
0x1	0x10000	776DF56C	F76CF56C	80010000
So remember when I said that IVs and nature\PID were no longer linked, that IVs were generated by a different RNG? I've been sitting in a quiet NPC-less area in Victory Road and using Sweet Scent. I keep getting the same Gantoru every time - same stats, same nature, same PID. So they're linked after all, at least in some cases.

The fluctuating IVs just might've been a side effect of not disabling the codes I used, like Kazo said.

Also: the C-Gear advances the RNG at a slow and steady rate, probably once every 1 to 1.5 seconds, but needs further confirmation on an actual cart.
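The following is an added example, not code from the thread. It implements the 64-bit advance formula Kazo posted (SEED = 0x5D588B656C078965 * SEED + 0x269EC3, constants read from 0221608C and 02216094 on Black) and checks it against the forced-seed tables, then reproduces the "Next RNG #" / "XOR'd with" columns from ΩDonut's Sweet Scent table by taking the upper 32 bits of the next state and XORing them with the observed PID. Function names (`advance`, `sequence`, `pid_xor_mask`, `mask_table`) are mine; the constants and observed values are the ones posted.

```python
# Added example (not from the thread): the 64-bit LCRNG described in the posts
# above, plus a helper that recovers the XOR mask between an observed PID and
# the upper 32 bits of the next RNG state.

MULT = 0x5D588B656C078965   # multiplier posted for 0221608C (Black)
ADD = 0x0000000000269EC3    # increment posted for 02216094 (Black)
MASK64 = (1 << 64) - 1


def advance(seed: int, n: int = 1) -> int:
    """Apply SEED = (MULT * SEED + ADD) mod 2^64 n times; return the new state."""
    for _ in range(n):
        seed = (MULT * seed + ADD) & MASK64
    return seed


def sequence(seed: int, n: int) -> list:
    """First n states after `seed`, in the order the 'RNG advancements' tables list them."""
    out = []
    for _ in range(n):
        seed = advance(seed)
        out.append(seed)
    return out


def upper32(state: int) -> int:
    """High 32 bits of a state (the half the posts say the PID is taken from)."""
    return state >> 32


def seed_from_halves(u32: int, l32: int) -> int:
    """Build a 64-bit state from the U32 / L32 columns of the forced-seed tables."""
    return ((u32 & 0xFFFFFFFF) << 32) | (l32 & 0xFFFFFFFF)


def pid_xor_mask(seed: int, observed_pid: int, advances: int = 1) -> int:
    """XOR difference between an observed PID and the upper 32 bits of the state
    `advances` steps after `seed` (the 'XOR'd with' column)."""
    return upper32(advance(seed, advances)) ^ observed_pid


# Forced seeds and the Sweet Scent PIDs ΩDonut reported for them (copied from the table).
OBSERVED = [
    ((0x0, 0x0), 0x10000),
    ((0x1, 0x0), 0xEC068965),
    ((0x0, 0x1), 0xDD598B65),
    ((0x1, 0x1), 0x496114CA),
    ((0x10000, 0x10000), 0x94CB6C07),
    ((0x0, 0x10000), 0x8BCB6C07),
    ((0x10000, 0x0), 0x09640000),
    ((0x10000, 0x1), 0xE6BC8B65),
    ((0x1, 0x10000), 0x776DF56C),
]


def mask_table() -> list:
    """Rows of (U32, L32, PID, upper32 of next state, XOR mask) for every observed seed."""
    rows = []
    for (u, l), pid in OBSERVED:
        seed = seed_from_halves(u, l)
        nxt = upper32(advance(seed))
        rows.append((u, l, pid, nxt, nxt ^ pid))
    return rows


if __name__ == "__main__":
    print("Advancements from seed 0:")
    for i, s in enumerate(sequence(0, 4), 1):
        print(f"  {i}: {s:016X}")
    print("U32      L32      PID      next-hi  xor-mask")
    for u, l, pid, nxt, m in mask_table():
        print(f"{u:08X} {l:08X} {pid:08X} {nxt:08X} {m:08X}")
```

Running the module prints the same four advancements Kazo listed for seed 0 and regenerates ΩDonut's table, with every mask coming out as 0x10000, 0x80010000 or 0xAE0000, exactly as posted. The low 32 bits of each new state depend only on the low 32 bits of the old one (the multiplier's low word is the old 0x6C078965), which is why the earlier "two 32-bit RNGs" reading fit SEED1 but not SEED2.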
 
I'm in front of Victini right now, can I help you guys on something? I didn't know that it respawns every time I defeat it and I enter the room again.
 

mattj

blatant Nintendo fanboy
Also: the C-Gear advances the RNG at a slow and steady rate, probably once every 1 to 1.5 seconds, but needs further confirmation on an actual cart.
Yeah, echoing the guy above. I got my cart in. What could I do to help you guys? What do you mean by confirmation on an actual cart?
 
Echoing the previous two posters. I also have my retail game in (Black) so if you need any testing done, let me know.
 

ΩDonut

don't glaze me bro
Yeah, echoing the guy above. I got my cart in. What could I do to help you guys? What do you mean by confirmation on an actual cart?
Right now, nobody can help with an actual cart until we figure out a way for people to find out their initial seed. We don't even know how it's being calculated; all we know about it is from a Japanese blog, and all the author knows is that it somehow involves date\time and the MAC address unique to that DS.
 

Kaphotics

Remodeling Kitchens
If you are looking for the MAC address of the DS, you can check it while in game via the C-Gear.




some other RNG observations (on White) to look over, I can't analyze this to the depth you guys can ;). Don't take it as 100% true, I could have messed up writing something down (did this 2 weeks ago)

Did some testing so far on Kyuremu and Victini.
Victini's room has no frame advancement, same with Kyuremu (even though there are some snow particles falling). Turning in Kyuremu's room changed the place by 1, just like generation 4.

Victini advanced the frame three times (0 changes -> 3 changes),
Kyuremu changed twice (0 changes -> 2 changes).
I exited Victini's main chamber many times and did not get either location to change. I did not test the entire building. Battling an NPC inside the building changed the resulting PID/Nature/IVs of the Victini. It also changed when I went back to Hiun and came back.
It did not look like Victini's island had any moving NPCs, his room does not.

Additionally I tested one of the deer trios (Birijion), the one in the forest.
I ran around over 500 steps on a bicycle and neither position advanced (CGear off). It advanced both places by 2 when encountered.

Step counter???

Seeding + Spreads (Birijion)
The positions 022160A4 and 022160A8 changed 3 times (felt like the first one had a delay in between the 2nd two, which changed faster). Was in the Spring Season.
022160A4 started at: 9B7A6317, to 39DD22AA, D69845D5, 412A3D34
and then when encountering: 412A3D34 to 54A2B1C6, D9E3B7E1.
022160A8 started at: 0E6A08D2, to D3B25B59, AE9BA4EA, F5CE805A
and then when encountering: F5CE805A to 39216839, 39016579
The resulting Birijion was bold, (Hex 39206839) (Decimal 0958425145) PID, 18/02/20/14/24/28 (speed last) as the frame advanced twice (frame 2 pokemon? or 1 for PID, 1 for nature?)

Manipulating the Memory Spots
They only changed when I restarted the game. Resetting the game changed it from 00000000, to one value, and then to another. When I entered the game at different time (and delay), I always ended up with the same values as a different time. Upon confirming the CGear to be off/on, these places changed 3 times when I "continued" (fade to season)
Not based on time/delay anymore?

I've noticed saving the game (with the C-Gear off) advances the RNG.

The C-Gear being on advances the RNG at pretty much any time, even if you are at the Party Pokemon summary screen, Pokedex, or even saving.


Having a monster frame of 2 is weird, it could possibly do IVPID and a nature?..... just speculating :)
 
Something I've noticed about breeding in B/W: Saving in front of the Day Care Man when he has an egg does not guarantee the same nature or gender. I have tested multiple times with the same save position while standing in front of the Day Care Man while he's holding an egg. I've gotten different natures and different genders on the supposedly same egg. Perhaps this is already known or has been discussed elsewhere on the forum, but I'm making a note of it here for anyone looking at the research thread with breeding in mind.
 

Kaphotics

Remodeling Kitchens
Pieced it all together now. Go ahead and read!
-----

Did some testing for memory locations of egg PIDs. White, C-Gear off. Frame @022160A4(8) advances fairly fast at the daycare man.
Started testing with the second egg, after I had received
the message from the man that the egg was ready.

Code:
Searched 1 change after receiving the egg as a preliminary filter, 
and then searched for the PID. 
Resulted place: 02234BA4 - value: 81EFFED3 (Egg's PID) 
-- it was set after confirming that I want it, 
         not after when I dismissed the post dialogue message.

Rewatching this place over the course:
02234BA4 - 00000000
02234BA4 - 81EFFED3 -- (pressed yes)

Resulting [PID 81EFFED3] [IVs FFF32F3F] 
(31/25/11/6/31/31 speed 4th entry), Naughty Nature Ability 2 Male.
	Saying no first does not set the eggs PID.

So once I had the PID, I searched it for all the memory locations. 
Taking the egg then had:
02234BA4 - 81EFFED3
0223EBFC - 81EFFED3
odd... Noticed that 0223EBFC changed twice when I grabbed it (rapid)


02234BA4  0223EBFC
00000000  02284034
00000000  3600FEFE (could it be Nature generation? Don't think so...)
81EFFED3  81EFFED3 egg received

I could not find the value [Egg's PID] 81EFFED3 at any place 
in the memory before initiating the ingame chat with the man.


When the man triggers the event (Egg is available) after receiving an egg.
02234BA4  0223EBFC
81EFFED3  81EFFED3 - start (contains old PID)
81EFFED3  FFFFFFFF - man triggered (stepped on the line trigger)****
81EFFED3  FFFFFFFF - walked up to man (no change), started talking **
81EFFED3  02284034 - changed once the Yes/No option appeared.
81EFFED3  ECEBE286 - pressed yes (part 1 of rapid change)
81EFFED3  39FA5BBB - egg received (this is the PID)

reloading from **, 02234C80 contained the new PID 
rather than the 02234BA4 after receiving the egg.

reloading from **** and waiting momentarily...
81EFFED3  FFFFFFFF - man triggered (stepped on the line trigger)****
81EFFED3  FFFFFFFF - walked up to man (no change), started talking
81EFFED3  02284034 - changed once the Yes/No option appeared.
81EFFED3  72A5C151 - Different PID!!!

02234C80 had this same PID stored in its location. I don't have this save 
anymore, so I can't check the rapid change of 0223EBFC.

Now being a little trickier, I waited a different amount of time and got this:

02234C80  0223EBFC
00000000  81EFFED3 - start (contains old PID)
00000000  FFFFFFFF - man triggered (stepped on the line trigger)****
00000000  FFFFFFFF - walked up to man (no change), started talking **
00000000  02284034 - changed once the Yes/No option appeared.
00000000  72A5C152 - pressed yes (part 1 of rapid change)
BD38F73B  BD38F73B - egg received (this is the PID)

what's interesting is that I saw the bolded value before 
(but a little bit different)

Further delving into this:

0223EBFC
81EFFED3 - start (contains old PID or any old value)
FFFFFFFF - man triggered (stepped on the line trigger)****
FFFFFFFF - walked up to man (no change), started talking **
02284034 - changed once the Yes/No option appeared.
3B41C782 - pressed yes (part 1 of rapid change)
F888399E - egg received (this is the PID)

0223EBFC
81EFFED3 - start (contains old PID or any old value)
FFFFFFFF - man triggered (stepped on the line trigger)****
FFFFFFFF - walked up to man (no change), started talking **
02284034 - changed once the Yes/No option appeared.
F888399F - pressed yes (part 1 of rapid change)
3E2E1307 - egg received (this is the PID)

Looking at the 022160A4(8) value (frames) of when I initiated 
the talk with the man, they were both different.

I then logged all of these values in order of occurrence.
022160A4 022160A8 Values:
925FACE2   67F73030 --- Start for [0DDE57E0]
5CD38A44   BB1A907D - [0DDE57E0] frame change one
4C768F97   964D5914
3EE61456   72A5C152 - Rapid for [BD38F73B] / 0DDE57E0 Frame change 2
1261AF98   21EC4FE9 --- Start for [F888399E]
74D13DBB   3B41C782 - Start [39FA5BBB] / Rapid [F888399E]
A4DA0C8A   ECEBE286 (F888399E frame change one)
0772097E   057793AE
61AACB79   7F90DE7A
1AC9CF43   F611675A
80853F32   F7210446 Start 3E2E1307 
9FC2E014   39FA5BBC After Received (F888399E)] / 3E2E1307 frame change 1
45FFA1A6   9C0E22C1 (3E2E1307 frame change 2)
DF0D3B41   E8ADCF63
1FDBC868   C9209EC6
BE66F37C   8E59EB27
2F760AAF   3E2E1308 (3E2E1307 frame change 3)
04397CCE   3A233868 [After Egg Received (3E2E1307)]
88CC9D82   3C91AD54
9FB9550D   B33169E4
4BC701B7   7E13A588
......

Didn't see the ending frame for 39FA5BBB, 
probably further down the frame line or the frame didn't 
advance consistently enough (2 times at once). I was going at 
a very slow speed so if it appeared I would have seen it.

Unobserved Frame Changes F888399E
69D047AC BBC9FDC9 -- change 2
D5E84F7D F888399F -- change 3

Unobserved Frame Changes for 0DDE57E0
BB61F19F 0DDE57E1 -- change 3
Unobserved Rapid For 0DDE57E0
56B24A36

Unobserved Rapid for 3E2E1307
F888399F
extrapolated to D5E84F7D F888399F in regular positions -- yay!


There has got to be a pattern for this!

----------

Opening the ingame menu wiped 0223EBFC to 0000081C, 
saving changed it twice to some other value I won't bother checking... 
constant values after saving/opening menu.
Summary: [WHITE]
Code:
Egg PIDs are based off of a 022160A8 Value, exactly the same -1.
Thus they are based off of the frame, and are not set upon "generation".

0223EBFC stores the PID generated for eggs after you confirm yes. 
It changes after certain in game interactions.
There is another place that has the PID stored... but it's not related at all to RNG:
The PID is stored in your party too... It is in a different place according to slot, and it is not changed based on ingame progress or egg generation. Putting the pokemon in the PC wipes this location to 00000000 (derp). This was already known but just putting it here for others who don't know.

If you want to check the PIDs of Pokemon while in game WHITE, go ahead (lol).
Party 1: 02234834
Party 2: 02234910
Party 3: 022349EC
Party 4: 02234AC8
Party 5: 02234BA4
Party 6: 02234C80
 

Kaphotics

Remodeling Kitchens
Did a little bit of observational research using a memory analysis with cheat engine to get some opcodes and memory locations.

Seed1+Seed2 Address in Memory: 022160A4 and 022160A8
Address in Cheat Engine: 00F525A4 and 00F525A8

Cheat Engine's memory locations are -011C3B00 off for these 2 values.

--

CE Addr - Bytes - Opcode

Victini or Kyuremu Engaged (00F525A4 and 00F525A8) [022160A4 and 022160A8]
Code:
Reads this address when battling victini
CE Addr  -     Bytes       -      Opcode
004fb7e8 - 8b 81 00 c5 d3 00 - mov eax,[ecx+00d3c500]
004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
Writes to this address when battling Victini
004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
-

Standing by egg man with world running and Starting the game,
both Seed values are influenced by

Code:
Read by
0043ba5f - 89 82 00 c5 d3 00 - mov [edx+00d3c500],eax
004fb7e8 - 8b 81 00 c5 d3 00 - mov eax,[ecx+00d3c500]
004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
Written by
0043ba5f - 89 82 00 c5 d3 00 - mov [edx+00d3c500],eax
004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
Automatic advancement based on NPCs/other memory locations?

------- Other Places

Eggs
Code:
Eggs (0107B0FC) -- this is the one I saw earlier [0223EBFC]
Read by
004fcdbc - 89 82 00 c5 d3 00 - mov [edx+00d3c500],eax
Written by
0043cfb7 - 89 82 00 c5 d3 00 - mov [edx+00d3c500],eax
004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax

Eggs (00F71180) -- Party location (irrelevant) [2134C80]
Read by
004fb7e8 - 8b 81 00 c5 d3 00 - mov eax,[ecx+00d3c500]
Written by
004fcdbc - 89 82 00 c5 d3 00 - mov [edx+00d3c500],eax
Looks like the egg PID is made, read and copied to the party when it is received.

Outside Daycare at man, npcs move -- observing RNG Seeds 1+2 (00F525A4 and 00F525A8)
Code:
Read by (both locations are)
004d8e51 - 8a 80 00 c5 d3 00 - mov al,[eax+00d3c500]
004fb7e8 - 8b 81 00 c5 d3 00 - mov eax,[ecx+00d3c500]
004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
Written by (Both again)
004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
All of these memory locations in context:
Code:
http://dl.dropbox.com/u/12206225/Debugger/0043BA5F.png
http://dl.dropbox.com/u/12206225/Debugger/004FB682.png
http://dl.dropbox.com/u/12206225/Debugger/004FB7E8.png
http://dl.dropbox.com/u/12206225/Debugger/004FCDBC.png
other things I have noticed about PID locations:

When encountering a Pokemon the PID is stored before you even catch it.
These are off by 12C3B00 in CE instead of 11C3B00...

Encountering Kyuremu, PID is stored on encounter at:
00F99660 (0225D160)
00F99CD0 (0225D7D0)

Encountering Victini, PID is stored on encounter at:
00F998C8 (0225D3C8)
00F99F38 (0225DA38)

Possible differences for all the legends?

Encountering a Wild Pokemon Tile not scenting(At Kyuremu and Forest), PID is at:
00F96158 (02259C58)
00F967C8 (0225A2C8)
Also has the PID for for the shaking tile Pokemon (forest +etc??)

Interesting that the interval between all of these is 670 hex...

Setting and Freezing these values (or changing them) and then encountering the respective Pokemon results in the blue screen error. (tested Kyuremu, set the 2 to E2D36280). Setting and freezing them after the Sprite appears during battle will not change the PID from what it was originally calculated as.


When the game freezes you and starts the battle scene (after any encounter text), the PID for the Pokemon is already set (as in gen 4)
 

ΩDonut

don't glaze me bro
Zoroark's PID is stored in 0225DE74 and 0225D804 when you encounter it.

At this point we can manipulate the RNG for shininess on most Pokemon, though IVs are off the table. The PID is derived directly from the upper 32 bits of one of the main RNG results, but in most cases it is modified as follows:

Wild Pokemon: XOR'd with 0x8001000 or 0x10000
bred Pokemon: XOR'd with 0x1, or possibly just -0x1 as Kaphotics noted
Urgamosu: XOR'd with 0x8001000 or 0x10000
Zekrom\Reshiram: PID completely unaltered
Zoroark: XOR'd with 0x100??, changes for every frame
Victini: not tested
Kyuremu: not tested
Borutorusu\Torunerosu: not tested

The nature of Zoroark's PID modification means we cannot control its shininess at this time. But it can be bred, so that's not much of an issue.


IVs are generated by a separate RNG, the same Mersenne Twister used for generating egg PIDs last gen. (Or so says one Japanese blog on RNG research.) We don't know how it's seeded, so we don't have much control at this time. We've found through trial and error that advancing the main RNG by walking in an area with wild Pokemon does not advance the RNG for IVs.

However the C-Gear does, at a steady rate. So with LOTS of trial and error I could get the IVs I wanted, turn off the C-Gear to lock them in, and then advance the main RNG to the point I got a shiny Pokemon. The Pokemon would then have the IVs I wanted.

But for all of this, I would need an emulator to watch the RNG, and to use save states to see which IVs were locked in.

tl;dr: We can control shininess on an emulator, but getting good IVs is still just a lot of trial and error. However, at least we can get decent and\or shiny Pokemon that should pass the Wi-Fi and VGC hack checks.

NOTE: I'd like to remind readers that any Pokemon generated through an emulator must be VERY clearly labeled if you plan on trading them here on the Wi-Fi boards. This label must stick even if you receive the Pokemon in a trade and are allowed to redistribute them, no Pokélaundering.
 

Kaphotics

Remodeling Kitchens
Egg PIDs are based off of a 022160A8 Value, exactly the same, but -1. I tested with a female parent having a dream world ability flagged. This might influence it just like international Dittos did in gen 4.

They aren't based off of the 022160A8 value at the point the egg is received, it's based off of another value from that place further down the line.

ctrl F in my egg Hide: Start [39FA5BBB] / Rapid [F888399E]

The pattern I noticed:
There's a rapid change at 0223EBFC for Egg A with an ending frame of XXXXXXXX YYYYYYYYY
-- (egg is received, X-X being seed 1, Y-Y being seed 2)
Receiving an egg in which the starting frame was the rapid of A becomes YYYYYYYY-00000001 as the PID for the egg.

I tried logging all of the 1+2 seed values and placed them, but I'd assume it skips over some during regular uninterrupted advancement just like gen 4 did.

Do note that I did get the Rapid of egg A to be the start of B only once because the frame advanced multiple times instead of 1 by 1.


other stationary legends to test for PID locations that you can get to after the elite four:
Birijion Kobaruon Terakion (the trio) [I'll be finding these and updating this post later today]
Randorosu
 

ΩDonut

don't glaze me bro
They aren't based off of the 022160A8 value at the point the egg is received, it's based off of another value from that place further down the line.
True. Later today I'll document which RNG value down the line the PID comes from for each type of encounter. This what I have for now:

Zekrom\Reshiram - 2 advances
Sweet Scent in cave - 4 advances
Sweet Scent in (normal) grass - 12 advances
 

Kaphotics

Remodeling Kitchens
Probably not the most sophisticated thought out there.. but after a little testing (not confirmed) it seems that breeding is different based on season, as well as the month, hour and minute.
To take it a little further, every 30 days is a season, suggesting that it has a somewhat irregular pattern when compared to the month/date.
Therefore, if what I said above is correct, one would need to determine the month, season and time to hit the wanted seed (for breeds)
The testing was done on an emulator, but it is very possible that I am wrong.
Egg PIDs aren't saved when you save the game, nor are they saved when the man yells that you have an egg. They are entirely seed dependent and get their PIDs from the upper seed. (if that clears anything up)


----------

Looked for more PID locations upon encountering the Pokemon, did some seed freezing as well

Code:
Birijion 
00F99608 (0225D108)
00F99C78 (0225D778)

Kobaruon
00F99B48 (0225D648)
00F9A1B8 (0225DCB8)

Terakion
00F99608 (0225D108)
00F99C78 (0225D778)

Freezing the 1+2 RNG Seeds resulted in the same PID
for Birijion and Terakion. Didn't test IVs, didn't test for Kobaruon.

Note how Terakion and Birijion have the same places. 
Kobaruon has a small dialogue with a man like the Embedded tower in HGSS.
^Implied difference?

Freezing the PID Memory locations to a foreign value caused a blue screen
Code:
Zekrom
00F9B0DC (0225EBDC)
00F9B74C (0225F24C)
and
00FA7074 (0226AB74)
00FA75D4 (0226B0D4)
and 00FE40B4

The first set is set upon talking to Zekrom for the battle intro, 
the 2nd set appears when zekrom's sprite does.
The 3rd appears after a slight delay of the 2nd.

Could possibly pertain to Zekrom and Reshiram?

I think the first location is the one that is the correct one, 
just leaving the others there as additional info.
---

Code:
Boltros (White Roamer)
Read below all the code wrapped for why I can't check this.
C918519E PID when I caught it
Seen at:
00F58BAC (0221C6AC) -- Box 1, Spot 17 (heh I could map this)
00F871F4 (0224ACF4)

Not the same place when sent out. Inconclusive.
I need a state before he is sent out, after he is sent out, 
and the PID he is caught with.
---

Code:
Zorua
00F99848 (0225D348) (changes after you can continue text so look quick)
02C281EC (not viewable in ARM9 emu)

Thus you must pause. It might be a different based on initial seed, 
since there is only 1 location...

The game resets the memory locations on restart, so caught legend PIDs are not part of the save file.


The memory locations for Party PIDs are insanely useful with RAM Watch or with Cheat Engine to get a PID to find other locations.

Going to test freezing of the upper seed (022160A8) and its effects on the egg PID.

---

Tested Seed relationships to the PID
Stated at the man with Yes/No, no C-Gear, stable seeds.
Code:
Pressed yes, Received egg. Froze the 2 seeds, and rewound to the previous state.
Pressed yes, Received egg. Froze the 2 seeds, and rewound the previous state.

Basically I just set my own values for the RNG. Got different PIDs every time.

Did it again but only froze the 2nd seed. Different PIDs every time.

Setting the rapid location [02234BA4 (White)] to 01010101 for lols
resulted in blue screen errors rarely when I reloaded the state fast enough
so the game could not update other locations related to it.
It's related to both of the 2 seeds for sure, and relies on 02234BA4 (White) for setting the PID.
 

Kaphotics

Remodeling Kitchens
Did some memory location looking with the new Mystery Gift Wondercards from the 10/10/2010 Event.

PIDs generated for Mystery Gift/Wondercards are stored at
0225CCF8 (00F991F8 in Cheat Engine)

Engaging the talk with the man:
Code:
The location did not change until pressing A to advance after the message
    with the Exclamation Mark (!), before you receive the Pokemon.
It then advances twice more after you advance past the message
    that you received the gift just like Generation 4.

The PID is then XXXXYYYY.

It persists only momentarily, once you dismiss his final message
    (We hope to see you again/blah blah) the location then
    adjusted to 003BYYYY for the next gift.
--------------

Also, recapping Party/PC Box PID locations (other data is encrypted) for those who want to check without saving.
Party 1: 02234834
Party 2: 02234910
Party 3: 022349EC
Party 4: 02234AC8
Party 5: 02234BA4
Party 6: 02234C80
Box X, Slot Y PID Location = (0221ADA4+X*1000+Y*88)
Calculate it in hex, not decimal.


Other data is still encrypted, so you can't view the IVs in a specific location.

--------------

Mystery Gift IVPID/Nature Generation Patterns
The pokecenter at the elite four has no moving NPCs, but has a Blue Man when there is a gift. There is no advancement of 022160A4 or 022160A8.

See Summary, I've given this updated pattern and frame calls along with how Nature is generated to OmegaDonut.


Summary of Mystery Gift IVNPID Patterns:
Code:
PID and Nature are calculated in the second 3 calls.

The Nature and PID are generated with the same RNG at different frames.
	Thus NPID is untied (not like the old decimal 1-25 natures) but ^, 
	IV-PID is still completely untied.

The IV RNG is updated by the NPID RNG changing.

The 8 Gifts from the 10/10/10 Event are Dynamic PIDs.
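A small address helper, added here as an example (it is not code from the thread or from RNG Reporter), that encodes the Party/PC Box PID locations listed above together with the Cheat Engine/DS address pairs quoted earlier for Boltros, Zorua and the Mystery Gift slot, so the right address can be handed to RAM Watch or Cheat Engine without redoing the hex arithmetic. Assumptions of mine: the Party/Box list is for White (Party 5 = 02234BA4 is the address labelled "(White)" in the egg notes), Black addresses sit 0x20 lower as the RNG offsets do, a PC has 24 boxes of 30 slots, and every Cheat Engine/DS pair quoted in the thread differs by the same constant 0x012C3B00, which is what the conversion uses. The "calculate it in hex" warning is shown by `box_pid_addr_decimal_mistake`, which reads the formula in decimal and lands on the wrong address.

```python
# Added example, not from the thread: PID address helpers for B/W RAM watching.
#
# Assumptions (mine): the Party/Box list posted is for White; Black = White - 0x20
# (as with the RNG offsets); 24 boxes x 30 slots; DS address = Cheat Engine
# address + 0x012C3B00 (every pair quoted in the thread differs by that constant).

WHITE_PARTY_PID = [0x02234834, 0x02234910, 0x022349EC,
                   0x02234AC8, 0x02234BA4, 0x02234C80]
WHITE_BOX_BASE = 0x0221ADA4          # "Box X, Slot Y = 0221ADA4 + X*1000 + Y*88" (hex!)
BOX_STRIDE, SLOT_STRIDE = 0x1000, 0x88
CE_TO_DS = 0x012C3B00                # observed: DS address - Cheat Engine address
BLACK_DELTA = 0x20
BOXES, SLOTS = 24, 30                # assumed PC layout


def game_delta(game):
    """Offset to apply to a White address for the given game."""
    if game == "white":
        return 0
    if game == "black":
        return -BLACK_DELTA
    raise ValueError("game must be 'white' or 'black'")


def party_pid_addr(slot, game="white"):
    """DS address of the PID for party slot 1..6."""
    if not 1 <= slot <= 6:
        raise ValueError("party slot 1-6")
    return WHITE_PARTY_PID[slot - 1] + game_delta(game)


def box_pid_addr(box, slot, game="white"):
    """DS address of the PID in PC box X (1..24), slot Y (1..30).
    The thread's formula is hex: X*0x1000 + Y*0x88, not decimal 1000/88."""
    if not (1 <= box <= BOXES and 1 <= slot <= SLOTS):
        raise ValueError("box 1-%d, slot 1-%d" % (BOXES, SLOTS))
    return WHITE_BOX_BASE + box * BOX_STRIDE + slot * SLOT_STRIDE + game_delta(game)


def box_pid_addr_decimal_mistake(box, slot):
    """What you get if you read the formula in decimal: a wrong address."""
    return WHITE_BOX_BASE + box * 1000 + slot * 88


def ce_to_ds(addr):
    """Cheat Engine (emulator process) address -> DS address."""
    return addr + CE_TO_DS


def ds_to_ce(addr):
    """DS address -> Cheat Engine (emulator process) address."""
    return addr - CE_TO_DS


def locate(addr, game="white"):
    """Reverse lookup: which party slot or box/slot holds this PID address?
    Returns ('party', n), ('box', x, y) or None if it is not a PID slot."""
    d = game_delta(game)
    for i, a in enumerate(WHITE_PARTY_PID, 1):
        if addr == a + d:
            return ("party", i)
    box, rem = divmod(addr - d - WHITE_BOX_BASE, BOX_STRIDE)
    slot, rem = divmod(rem, SLOT_STRIDE)
    if rem == 0 and 1 <= box <= BOXES and 1 <= slot <= SLOTS:
        return ("box", box, slot)
    return None


if __name__ == "__main__":
    # Boltros was seen at 00F58BAC (0221C6AC), "Box 1, Spot 17"
    print("Box 1 Slot 17: DS %08X, CE %08X" % (box_pid_addr(1, 17), ds_to_ce(box_pid_addr(1, 17))))
    print("decimal mistake gives %08X" % box_pid_addr_decimal_mistake(1, 17))
    print(locate(0x0221C6AC), locate(0x02234BA4))
```

`locate` is the useful direction when Cheat Engine finds a PID somewhere unexpected: convert with `ce_to_ds` and check whether the hit is one of the known slots before treating it as a new generation location.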
 

Kaphotics

Remodeling Kitchens
Looked back at my Egg PID generation notes, and remembered that SEED1's advancement was already known. I added in the missing frames that the game didn't show me, and I arrived at this pattern for every egg I generated:

Mind you this was with a female parent with a Dream World ability, if that possibly had any influence. I can check to see without.

Code:
Frame 0  -- Starting SEED1/SEED2 (Frame)
Frame 1  -- Not Displayed (SEED2's would be value appears in 0223EBFC)
Frame 2  -- Shown in SEED1 and SEED2
Frame 3  -- Never Displayed
Frame 4  -- Shown in SEED1 and SEED2
Frame 5  -- Never Displayed
Frame 6  -- Never Displayed
Frame 7  -- Never Displayed
Frame 8  -- Never Displayed
Frame 9  -- Never Displayed
Frame 10 -- Never Displayed
Frame 11 -- Shown in SEED1 and (SEED2)------------------\
Frame 12 -- Shown in SEED1 and SEED2 			|
	 -- ^^^Ending Frame -> Egg has been generated!	|
		    .-----------------------------------/
PID = Frame 11's [SEED2-00000001]
PID Generation for Normal Dream World Egg Offspring is the same for Normal Egg PID Generation, except the Normal generation PID is stored at 0233EFBC instead of 0233EBFC.

International Breeding follows a different generation pattern. Still testing. Taken from a different frame, same XOR (0x1).
PID is stored at 0233EFBC, like DW Breeding. So far the pattern is not constant.

International Breeding relies on some other value that is separate from the RNG but is not the IRNG(IV). Freezing to different values from one seed to another produces one pattern, while starting at the same one without codes produces a different pattern. The patterns contradicted each other, so it's not exclusively calculated from the RNG/IRNG only.

---

Wondercards still have a shiny check. I found the SID location of the new Wondercard file standard and changed the SID to make it shiny based off of a seed spread I already knew (the one I tested with).

Since the PID is Initial Frame 0's Frame 32 upper half XOR'd with 0x10000, if it comes out shiny it is then XOR'd with 0x10000000 to become nonshiny.

The only available gift wondercards are of random non-Dream World Abilities. In the data for the card there are flags for what the ability should be. Since there are restrictions on ability based on PID, there must be some limit on the results for the PID if it is a set ability.

-----

Passive Seed Advancement while Breeding:
Other than the set path Moving Pokemon, there are 5 moving NPCs with a non-set path in the area that advance the frame.

(one in top left corner, one girl in the play area, 1 man in grass, 1 girl in the lower half of the route, girl on the bridge)
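The frame advancement and the Wondercard shiny check described in this post, as an added example (my code, not the thread's or RNG Reporter's). The model assumed here is mine: SEED1 (02216084) is the low word and SEED2 (02216088) the high word of a single 64-bit state updated as state = state * 0x5D588B656C078965 + 0x00269EC3 mod 2^64, so the two constants found at 0221608C/02216090 are the two halves of the multiplier and 02216094 is the increment. That model reproduces every row of the forced-seed table at the top of the thread, including the SEED2 column, which is how it was checked. The shiny rule (TID ^ SID ^ PID_hi ^ PID_lo < 8) is the standard Gen 5 one; the "advance 32, take the upper half, XOR 0x10000" construction and the XOR 0x10000000 un-shiny step are taken from the post as written, and the TID/SID values used are constructed.

```python
# Added example, not code from the thread: the B/W seeds modelled as one
# 64-bit LCRNG, plus the Wondercard shiny check described in the post.
#
# Assumption (mine): SEED1 = low word, SEED2 = high word of a 64-bit state,
#     state = state * 0x5D588B656C078965 + 0x00269EC3   (mod 2**64)
# i.e. 0221608C/02216090 hold the multiplier halves and 02216094 the increment.

MASK64 = (1 << 64) - 1
MULT = (0x5D588B65 << 32) | 0x6C078965
INC = 0x00269EC3


def next_state(state):
    """One frame of the main RNG."""
    return (state * MULT + INC) & MASK64


def advance(state, frames):
    for _ in range(frames):
        state = next_state(state)
    return state


def split(state):
    """(SEED1, SEED2) in the order the thread prints them: low word, high word."""
    return state & 0xFFFFFFFF, state >> 32


def join(seed1, seed2):
    return (seed2 << 32) | seed1


def is_shiny(pid, tid, sid):
    """Gen 5 shiny rule: TID ^ SID ^ PID_hi ^ PID_lo below 8."""
    return (tid ^ sid ^ (pid >> 16) ^ (pid & 0xFFFF)) < 8


def shiny_sid_for(pid, tid):
    """An SID that makes this PID shiny for this TID: the trick the post used
    (editing the Wondercard's SID) to exercise the shiny check."""
    return tid ^ (pid >> 16) ^ (pid & 0xFFFF)


def wondercard_pid(candidate, tid, sid):
    """Anti-shiny step as described: a PID that would be shiny for the receiving
    trainer is XORed with 0x10000000. That flips bit 12 of the high half, so the
    shiny value becomes >= 0x1000 and the result can never stay shiny."""
    if is_shiny(candidate, tid, sid):
        candidate ^= 0x10000000
    return candidate


def wondercard_pid_from_seed(state, tid, sid):
    """PID construction as the post describes it (modelled, not verified here):
    advance 32 frames from the initial state, take the upper half, XOR 0x10000,
    then apply the shiny check."""
    upper = advance(state, 32) >> 32
    return wondercard_pid(upper ^ 0x10000, tid, sid)


if __name__ == "__main__":
    # Reproduce the "00000000 00000000" column of the forced-seed table.
    s = 0
    for frame in range(5):
        print("frame %d: %08X %08X" % ((frame,) + split(s)))
        s = next_state(s)
    tid = 0x1234                                   # constructed trainer values
    pid = 0xC918519E                               # the Boltros PID from the thread
    sid = shiny_sid_for(pid, tid)
    print("shiny for this SID:", is_shiny(pid, tid, sid),
          "-> card gives %08X" % wondercard_pid(pid, tid, sid))
```

Freezing SEED1 alone, as the egg tests above did, only pins the low word: the multiply carries the low word into the high word every frame, so SEED2 keeps moving and the PID keeps changing, which is consistent with "different PIDs every time" when only one seed is frozen.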
 

ΩDonut

don't glaze me bro
I've just located the lookup table generated by the Mersenne Twister RNG. It starts at 022151D4 and ends at 02215B90 (in White).

The very first 32-bit value in that table is the seed used to generate IVs. Plug that seed into RNG Reporter's Researcher feature, set it to right-shift the result 27 bits, and the next six values are the IVs of the next Pokemon you catch.



Once I figure out a way to advance this RNG, we can catch flawless and/or shiny Pokemon that pass Wi-Fi and VGC hack checks - on an emulator. (Not sure about breeding yet, but it should be a lot easier.)

The big challenge is still figuring out how the initial seeds are generated. Without that info, it won't be possible to manipulate the RNG on a cartridge.
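The seed-to-IVs chain from this post, as an added example that is not code from the thread or from RNG Reporter: a reference MT19937 (init_genrand/genrand_int32), the six outputs right-shifted by 27, and a reader that pulls the seed out of a dump of the table. Two observations worth having next to it: the span 022151D4..02215B90 is 624 32-bit words if the end address is the last word, which is exactly the MT19937 state size; and the initialisation multiplier of MT19937, 1812433253, is 0x6C078965, the constant the thread found sitting next to the seeds at 0221608C. Assumptions of mine: word 0 of the table equals the seed only while the table is freshly seeded (the first twist overwrites it), the words are little-endian, and the HP/Atk/Def/SpA/SpD/Spe order of the six calls is assumed, not stated in the post. The dump used in the demo is constructed from seed 5489, not captured from the game.

```python
# Added example, not code from the thread: MT19937 and the seed -> IV recipe
# from the post. Assumptions: little-endian 624-word table; word 0 is the seed
# only before the first twist; the IV order is assumed.
import struct


class MT19937:
    """Reference MT19937 (init_genrand / genrand_int32)."""
    N, M = 624, 397
    MATRIX_A, UPPER, LOWER = 0x9908B0DF, 0x80000000, 0x7FFFFFFF

    def __init__(self, seed):
        self.mt = [0] * self.N
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, self.N):
            prev = self.mt[i - 1]
            # 1812433253 == 0x6C078965, the constant found at 0221608C
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = self.N      # first output triggers a twist, as in the reference code

    def _twist(self):
        mt = self.mt
        for i in range(self.N):
            y = (mt[i] & self.UPPER) | (mt[(i + 1) % self.N] & self.LOWER)
            v = mt[(i + self.M) % self.N] ^ (y >> 1)
            if y & 1:
                v ^= self.MATRIX_A
            mt[i] = v
        self.index = 0

    def next_u32(self):
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


IV_ORDER = ("HP", "Atk", "Def", "SpA", "SpD", "Spe")   # assumed call order
TABLE_BYTES = 624 * 4                                 # 022151D4..02215B90


def ivs_from_seed(seed, count=6):
    """The post's recipe: seed MT, take the next six outputs >> 27 (each 0..31)."""
    rng = MT19937(seed)
    return [rng.next_u32() >> 27 for _ in range(count)]


def make_table_dump(seed):
    """Constructed dump of a freshly seeded table (what a RAM dump of
    022151D4..02215B90 would contain right after seeding)."""
    return struct.pack("<624I", *MT19937(seed).mt)


def seed_from_table_dump(dump):
    """Word 0 of the table is the seed while the table is freshly seeded; once
    the generator has twisted, word 0 is state, not seed, so dump early."""
    if len(dump) < TABLE_BYTES:
        raise ValueError("need the full %d-byte table" % TABLE_BYTES)
    return struct.unpack_from("<I", dump, 0)[0]


def ivs_from_table_dump(dump):
    return ivs_from_seed(seed_from_table_dump(dump))


if __name__ == "__main__":
    dump = make_table_dump(5489)                       # constructed, seed 5489
    print("seed %08X" % seed_from_table_dump(dump))
    print(dict(zip(IV_ORDER, ivs_from_table_dump(dump))))
```

The only check available offline is that the generator is the standard one (the reference values for seed 5489 are asserted in the test); whether the game takes its six IV calls from frame 1 or after some offset is exactly what the post says still has to be worked out, so `ivs_from_seed(seed, count)` returns as many frames as you ask for and leaves the offset to the reader.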
 

mattj

blatant Nintendo fanboy
The big challenge is still figuring out how the initial seeds are generated. Without that info, it won't be possible to manipulate the RNG on a cartridge.
Actually, as long as we can determine what seed we happen to have hit, with enough patience (especially if advancement is anything like 4th Gen) we'd be able to look down the list and abuse for acceptable IVs/nature on non-breedables. In my experience with FR/LG abuse, that's basically what we had to do. It's not as nice as being able to hit any seed you choose, but it's usable. Is there any way to figure out what seed you happen to have hit yet? Kind of like the Seed finder in Gen 4?
 
