Past Gen RNG Research

Discussion in 'Wi-Fi' started by mingot, Sep 12, 2009.

  1. Bond697

    Bond697 Dies, died, will die.
    is a Pokemon Researcher

    Joined:
    Jun 20, 2010
    Messages:
    307
    last night when i posted the jolteon i had said it was impossible without an emulator, but thinking about it now it probably is do-able. like you said, just loads of practice. you might want to do it on an emu first and count the amount of time between hitting A on the "xxx warped to the high link!" and when the mtrng reseeds. then you'll know how much time to give between pressing a and hitting it on a real cart.
  2. mattj

    mattj blatant Nintendo fanboy

    Joined:
    Mar 30, 2009
    Messages:
    4,622
    There were a lot of people who said that RNGing the stationary Lati@s in HG/SS was impossible aside from an emulator, but I've done like 3 of them each on a normal cart. Just takes a crap ton of patience, and an easy to hit seed.
  3. Netsyphen

    Netsyphen

    Joined:
    Jan 31, 2011
    Messages:
    4
    I can confirm that in Soul Silver you only need to have shown a Pokemon that has at one time been infected with Pokerus to the Pokemon center; it does not need to be actively infected.

    However, I have another question: can you RNG prior to Latios being released? I RNGd for shiny egg, hit my seed, confirmed with elm calls, and got a non shiny pokemon when hatched. Hatched same egg multiple times, never shiny. So I don't know if it was a fluke, or perhaps latios not being released had something to do with it. Other roamers had been caught.
  4. chrish

    chrish

    Joined:
    Aug 1, 2008
    Messages:
    14
    I found that I did not get the "there are so many ways..." message until I showed the hatched Togepi message to Professor Elm.

    I also found that catching the Sudowoodo caused my entry frame to increase by 1.
  5. Bond697

    Bond697 Dies, died, will die.
    is a Pokemon Researcher

    Joined:
    Jun 20, 2010
    Messages:
    307
    if anyone is going to start abusing wondercards, both kagome town and the elite 4 are usable, as the PIDRNG doesn't advance in those pokemon centers.
  6. chrish

    chrish

    Joined:
    Aug 1, 2008
    Messages:
    14
    White Roamer (can't find result in chart)

    Using a white cartridge, MAC address CA544C, I did the following while saved inside the house but about to step outside:

    1) Set my game time to 2011-02-07 20:30
    2) Started my run.
    3) Soft reset after 43 seconds.
    4) Said yes to the CGear 28 seconds later.
    5) Stepped out of the house and pressed A quickly at each opportunity until the scene ended.
    6) Caught the roamer and IV'd it.
    7) Nature: Jolly, IVs: 11/3/16/21/17/6

    I ran this through RNG Reporter 8.40 capture tab with a max frame of 20 and delay ranging from 1600 all the way to 7000 and did not get a hit.

    Can anyone tell me what I am doing wrong? I have repeatedly studied Matt J's and Kaphotic's posts but still can't figure out what I am doing wrong. The only thing I can think is that the frame is too low, but it sure takes a long time to look through large delay ranges also with a large Max frame.

    Any help would be appreciated; I am getting ready to faint the roamer and verify that it is regenerated by beating the elite 4; I have already verified this for the 3 Justice Heart Pokemon and Randorosu.
  7. ΩDonut

    ΩDonut don't glaze me bro
    is a Programmer, is a Forum Moderator, is a Community Contributor, is a Pokemon Researcher, is a Contributor to Smogon
    Moderator

    Joined:
    Aug 23, 2006
    Messages:
    3,727
    chrish: that post belongs in the help thread, not here. But I'm getting the feeling that you are turning on the C-Gear immediately after selecting Yes from the Continue menu, not from in-game. It messes up the second the C-Gear starts. That is like 95% of the cause of problems with people's C-Gear seeds not working.

    I've discovered something interesting while resetting with save states for a shiny Thundurus. On many occasions the PID defaults to a PID on frame 695, even after the RNG has advanced well past that, just by button mashing and finishing the encounter as soon as possible. I've gotten that same PID five times in a row without coordinating my timing at all.

    If we can figure out under what conditions it defaults to another PID, we can get much greater control over the PID of the roamers.
  8. Kaphotics

    Kaphotics Remodeling Kitchens
    is a Pokemon Researcher, is a Contributor to Smogon

    Joined:
    Apr 25, 2009
    Messages:
    776
    IDSID Abuse for Shiny PIDs with only RNG Reporter (currently beta3)

    1) Get a Non-CGear seed with the IV spread you want.
    2) Get a PID from that Non-CGear seed that you can hit.
    Be sure that the frame is high enough so that the 40+ advancements from the initial seed is already factored in
    3) Split the PID into SID and ID. Convert to decimal.
    4) Open up [Time Finder], be sure your same parameters are loaded.
    5) Select Method 5 (Natures) Theoretical, select 5th Gen Roamers.
    6) Enter the PID (converted into IDs) into the ID/SID field. Order doesn't matter.
    7) Max frame is 100
    8) Generate your "Shiny Roamers"
    9) [Delete your old save so that you can start a new game]
    10) Take a "Shiny Roamer" non-cgear seed and hit it. Start the new game.
    11) Take the IDs you got, convert them back into a seed (SID_ID) to see what frame you hit.
    12) Determine how many times you have to say "No" to the Professor so that what you hit would be what you want to hit (the shiny roamer PID).
    13) Hit your non-cgear seed again, say "no" the proper amount of times on the second question from the Professor (name is correct).
    14) You should have the IDs that you were wanting to hit (shiny roamer PID)
    15) That seed from step 1 (the IV spread / PID) will now be shiny on whatever frame you took it from.


    No choosing your IDs, yet.
  9. steamraven

    steamraven

    Joined:
    Feb 9, 2011
    Messages:
    1
    Really cool. Just a couple questions since I am a newbie.

    I assume that you can save after you get your new ID/SID. Then in step 15, we can restart and hit the initial seed from step 1 before getting your starters. Correct?

    Also do we know the exact number of advances from the initial seed there are? You said 40+. Does this also apply to the frames for getting your SID/ID in step 8?

    For finding the IV seed, are starters considered roamers or not in RNGReporter Timefinder?

    Finally, in step 15, what are the ways to advance your frame after hitting the seed from step 1? From what I have seen, the only option is saving advances by one since this is at the very start.

    Thanks
  10. Kaphotics

    Kaphotics Remodeling Kitchens
    is a Pokemon Researcher, is a Contributor to Smogon

    Joined:
    Apr 25, 2009
    Messages:
    776
    Yes.

    The frame too should be above forty for the SID/ID seed. You do it once to see how much it normally does when you hit the seed, then you accommodate when you hit the seed again. Basically a calibration.

    No. Wild Pokemon (I think it's Method 5 Natures Theoretical)

    Only saving. With your non-Cgear seed, you shouldn't have to advance more than ~25 frames at most to get to your target nature (which is your wanted PID).
    (super manageable)
    ===

    Somewhat related, the IDs you get from the roamer seed result with an SID / ID(-1). It's got a 1/8 chance of not being right, but with a bunch of roamer seeds you'll get shiny IDs.

    Only reason I posted it is for those wanting to do it now, but it'll be a little easier to do when Pandora's Box gets updated in RNG Reporter.
  11. Expert Evan

    Expert Evan every battle has a smell!
    is a Forum Moderator
    Moderator

    Joined:
    Jan 16, 2007
    Messages:
    3,856
    Since I started RNGing B/W on my R4 I have been noticing for each second there could be 4 possible seeds. In revisiting, I at first determined there were 2 possible RWTimers but could not understand where the other pair came from. In taking a given second from my DS, I tried getting all the frame 1 IVs to see how the DS Parameters in the beta version would react, and while 2 of them only differed by RWTimer, another 2 seeds, both with the same different RWTimer values were apparently unsearchable so I wonder if there is perhaps another switch out there. So here were my results as follows:

    Date/Time: 02/01/2011 02:11:21
    Mac address: 0017AB88585F
    GxStat=6
    VFrame=9

    (these 2 were searchable in DS parameters)
    seed     vcount rwtimer HP attack defense sp.atk sp.def speed
    31F36527 50     A77     20 5      13      6      22     25
    E733759E 50     A78     31 6      31      31     31     31

    (these 2 were not searchable somehow)
    seed     vcount rwtimer HP attack defense sp.atk sp.def speed
    BBCAFE56 50     A77     20 13     13      14     28     4
    66D00A5D 50     A78     0  18     12      24     0      22
  12. Kaphotics

    Kaphotics Remodeling Kitchens
    is a Pokemon Researcher, is a Contributor to Smogon

    Joined:
    Apr 25, 2009
    Messages:
    776
    Startup Key States

    If you haven't pressed anything: 0x2fff
    If you just pressed the A button: 0x2ffe

    That's what this situation is. Magnemite has this noted on his site where the hashing is discussed.

    So yeah, you have your two RWtimer values, and then you have this keypress variable that is dependent on your input. It's discussed in a later post :)

    edit1: fixed link
    edit2: removed speculative sentence, fixed translation
  13. Bond697

    Bond697 Dies, died, will die.
    is a Pokemon Researcher

    Joined:
    Jun 20, 2010
    Messages:
    307
    just FYI, the amount of delay between hitting A on the "XXX warped to the high link!" screen and the game reseeding is exactly 0x128 delay(296 delay in dec).
  14. ΩDonut

    ΩDonut don't glaze me bro
    is a Programmer, is a Forum Moderator, is a Community Contributor, is a Pokemon Researcher, is a Contributor to Smogon
    Moderator

    Joined:
    Aug 23, 2006
    Messages:
    3,727
    Testing in Desmume shows that you only need to hold down A when turning on the game to get the second set of seeds. Gonna implement in RNG Reporter in a bit.

    EDIT: oh wow, I got a third set of seeds just by holding down B at the start.

    EDIT #2: So it looks like the encryption also depends on which button(s) you are holding down at the start of the game.

    2FFF = No button
    2FFE = A
    2FFD = B

    2FF7 = Start, Down
    2FFB = Select, Up

    2FDF = Left
    2FEF = Right

    2EFF = R
    2DFF = L
    2BFF = X
    27FF = Y

    Apparently the effects of buttons also stack, too. But only up to two buttons; if you add a third it reverts to 2FFF.

    2FFC = A + B
    2BFE = A + X
    2BFD = B + X
    27FE = A + Y
    27FD = B + Y
    2FF3 = Start + Select

    Certain combinations count as a single button (and thus can be stacked with a third):

    2FAF = Up+Right
    2F9F = Up+Left
    2F6F = Down+Right
    2F5F = Down+Left

    2F97 = Up+Left+Start
    etc.
  15. Kaphotics

    Kaphotics Remodeling Kitchens
    is a Pokemon Researcher, is a Contributor to Smogon

    Joined:
    Apr 25, 2009
    Messages:
    776
    preserved scratch notes
    Code:
    2FFE A			|2FFC	A + B	|2F7E	A + Down	|2FBE	A + Up
    2FFD B			|----		|2F7D	B + Down	|2FBD	B + Up
    2FFB Select		|2FF3	St + Se	|			|
    2FF7 Start		|----		|			|
    			|		|			|
    2FEF Right		|		|2FD7	St + Le		|2FE7	St + Ri	
    2FDF Left		|----		|2FDB	Se + Le		|2FE8	Se + Ri	
    2FBF Up			|		|			|
    2F7F Down		|----	Le + Ri	|2FDE	A + Le		|2FEE	A + Ri
    			|Impossible	|2FDD	B + Le		|2FED	B + Ri
    			|		|			|
    2EFF R			|2EFE	A + R	|2EFD	B + R		|2E7F	Down + R
    2DFF L			|2DFE	A + L	|2DFD	B + L		|2D7F	Down + L
    2BFF X			|2BFE	A + X	|2BFD	B + X		|2B7F	Down + X
    27FF Y			|27FE	A + Y	|27FD	B + Y		|277F	Down + Y
    			|		|			|
    2FAF U + Ri		|2EDF	Le + R	|2EEF	Ri + R		|2EBF	Up + R
    2F9F U + Le		|2DDF	Le + L	|2DEF	Ri + L		|2DBF	Up + L
    2F6F D + Ri		|2BDF	Le + X	|2BEF	Ri + X		|2BBF	Up + X
    2F5F D + Le		|27DF	Le + Y	|27EF	Ri + Y		|27BF	Up + Y
    			|		|			|
    2FFF None		|2AFF	R + X	|29FF	L + X 		|2CFF	R + L
    			|26FF	R + Y	|25FF	L + Y		|23FF	X + Y
    
    2F97	U+Le+St
    ew, can't see the entire contents in one view. paste it into notepad (edit to fill in)

    triple combos at the bottom. Pressing 3 buttons is definitely possible. (Left Up and R for example) Gotta be quick!

    This whole keypress stuff increases the initial seeds possible by at least 40x :D

    0x2XYZ,
    x=(3)-[F].... 14 possible
    y=5,6,7,9,A,B,D,E,F.... 9 possible
    z=(3)-[F].... 14 possible
    Variables = 14*9*14 = 1764 different theorized key combinations.

    Bunch of edits from OD... and...


    Single/Double/Triple (Same Group) Key Press Chart
    Code:
    2FFx		|2FxF			|2xFF
    2FFF None	|2FFF None		|2FFF None	
    2FFE A		|2FEF Right		|2EFF R		
    2FFD B		|2FDF Left		|2DFF L	
    2FFC A+B	|2FCF Impossible	|2CFF R+L
    2FFB Select	|2FBF Up		|2BFF X	
    2FFA Se+A	|2FAF U+Ri		|2AFF X+R
    2FF9 Se+B	|2F9F U+Le		|29FF X+L
    2FF8 Se+A+B	|2F8F Impossible	|28FF X+R+L
    2FF7 Start	|2F7F Down		|27FF Y	
    2FF6 St+A	|2F6F D+Ri		|27FF Y+R
    2FF5 St+B	|2F5F D+Le		|25FF Y+L
    2FF4 St+A+B	|2F4F Impossible	|24FF Y+R+L?? (doesn't work, pauses initial game loading)
    2FF3 St+Se	|2F3F Impossible	|23FF X+Y
    2FF2 ???	|2F2F ????Imposs	|22FF ???
    2FF1 ???	|2F1F ????Imposs	|21FF ???
    2FF0 ???	|2F0F ????Imposs	|20FF ???
    
    ?? is unverified but assumed
    ??? is unobserved thus assumed
    ???? is assumed (Up+Down lol)

    It also works for two singles from different groups, as pointed out in the above code box. The noted triple button press has a double from one and a single from another.


    A massive increase in the amount of seeds that are hittable!!
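
Added example, not part of any post in this thread: a decoder for the startup key-state word, assuming each button clears one bit of 0x2FFF in the order implied by the single-button values posted above (2FFE = A through 27FF = Y). The function names are hypothetical, and the code models only the bitmask, not the game's behaviour for combinations the posters report as not working.

```python
# Bit 0..11 of the key-state word, inferred from the single-button values
# posted in the thread (2FFE = A, 2FFD = B, 2FFB = Select, ... 27FF = Y).
# This ordering is an assumption read off those values.
BUTTONS = ["A", "B", "Select", "Start",
           "Right", "Left", "Up", "Down",
           "R", "L", "X", "Y"]

IDLE = 0x2FFF  # value reported in the thread when nothing is held


def encode(held):
    """Return the key-state word for an iterable of held button names."""
    value = IDLE
    for name in held:
        value &= ~(1 << BUTTONS.index(name))  # a held button clears its bit
    return value


def decode(value):
    """Return the buttons whose bit is cleared, in bit order."""
    if value & ~0x0FFF != 0x2000:
        raise ValueError("top nibble must be 2, got %#06x" % value)
    return [name for bit, name in enumerate(BUTTONS)
            if not value & (1 << bit)]


def is_dpad_possible(value):
    """Opposite d-pad directions cannot be held together on the hardware."""
    held = set(decode(value))
    return not ({"Left", "Right"} <= held or {"Up", "Down"} <= held)


def dpad_nibbles():
    """Middle-nibble values that survive the opposite-direction rule."""
    return [n for n in range(16) if is_dpad_possible(0x2F0F | (n << 4))]


if __name__ == "__main__":
    # Values taken from the charts above, decoded back to button names.
    for word in (0x2FFC, 0x2BFD, 0x2F97, 0x2FCF):
        status = "ok" if is_dpad_possible(word) else "impossible"
        print("%04X" % word, "+".join(decode(word)) or "None", status)
    print("valid d-pad nibbles:", " ".join("%X" % n for n in dpad_nibbles()))
```

Because the key state feeds the seed derivation, every distinct word this produces corresponds to a separate set of candidate seeds for the same second.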
  16. chiizu

    chiizu PPPPPPPPPPPPPPPPP RNG
    is a Programmer, is a Pokemon Researcher

    Joined:
    Nov 12, 2010
    Messages:
    410
    A question for the researchers. Have DSi and DSLL timings been figured out yet?

    I ask because in my search of various sources of information (this forum and Japanese pages like rusted coil's and kxtad's) the values mentioned are for the original DS or DS lite. I've verified the values of GxStat, what you guys call VFrame, VCount, and Timer0 for my DSLite using a program I wrote (using a White retail cart with no AR) and I can use those values to generate usable seeds fine, but I've not been successful in doing the same for my DSi. All the comments I've seen on Japanese pages indicate that no one has gotten it working yet, but I know that RNGReporter 9.0 is currently being beta tested, so I thought maybe the DSi stuff had been figured out.

    (Edit)
    Here's my DSi / seed info:

    Pokemon White JP Retail on JP Retail DSi
    MAC Address: 002331c8d2e8

    20:59:25 2/15/2011 Tue(2) (This is when the game was started from the DSi menu, so I'm assuming actual time was 1-2 seconds later.)

    TID 1: 16759
    TID 2: 20684
    TID 3: 39591
    TID 4: 45921

    (For verification purposes)
    TID 5: 57371

    IVs (no AR, but caught at high level):
    (22,23), (16,17), (27,28), 9, 5, 30

    TID seed:
    xxxx41789fe04cf6

    f88841789fe04cf6 found to lead to below initial seed when rolled back 19 times.

    Initial Seed (where PIDRNG and MTIVRNG split):
    6a6af7e4be9ef132


    On my DS Lite (JP retail) and same White cart, I used the same procedure to find my initial seed, which when rolled back one tick was found to match the output of the SHA-1 hash (first two 32-bit words with endian-swapped bytes) constructed as described by Rusted Coil here.
  17. ΩDonut

    ΩDonut don't glaze me bro
    is a Programmer, is a Forum Moderator, is a Community Contributor, is a Pokemon Researcher, is a Contributor to Smogon
    Moderator

    Joined:
    Aug 23, 2006
    Messages:
    3,727
    We haven't figured it out yet, but that's due in part to nobody around here having a DSi capable of playing Black\White. The data you just gave us will be a huge help in figuring out the DSi variables before the US release, thank you so much.

    EDIT: Also, hey I described that hash construction first. :/
  18. chiizu

    chiizu PPPPPPPPPPPPPPPPP RNG
    is a Programmer, is a Pokemon Researcher

    Joined:
    Nov 12, 2010
    Messages:
    410
    I've been working through variations of the message components (GxStat, VCount, VFrame, Timer0) in hopes of finding the DSi variables myself, and at this point I'm starting to work through the possibilities of the mysterious 'nazo'. But the search space is large and I only have 2 cores. If you have any suspicions and / or knowledge about what might be different on the DSi, and are willing to share of course, I'd be happy to hear about it. I will certainly report anything I find in the meantime.

    Indeed, I saw your detailed description of it here first and it was your post that helped me solve my final problem (the endian swapping after the hash, and one additional frame advancement before seeding the MTIVRNG) to confirm that my searcher worked, so thank you.

    Not to burst any bubbles, but I did find that others had been talking about the hashing and the message contents for some time, though.
  19. ΩDonut

    ΩDonut don't glaze me bro
    is a Programmer, is a Forum Moderator, is a Community Contributor, is a Pokemon Researcher, is a Contributor to Smogon
    Moderator

    Joined:
    Aug 23, 2006
    Messages:
    3,727
    "nazo" is actually a set of parameters unique to each version. They're just a list of addresses stored at a location that happens to be just before the other encryption values. Black has 0x105F2102, 0x0C602102, 0x0C602102, 0x58602102, 0x58602102, and White has 0x305F2102, 0x2C602102, 0x2C602102, 0x78602102, 0x78602102 (post-endian swapping). I'm probably going to have to find these values all over again for the English release.

    I'm going to have Bond697 start a search on his 8-core server. The seed encryption is built into RNG Reporter 9, and has multi-core optimization (I don't know if that's true of Rusted Coil's programs).

    Consider my bubble somewhat burst, although I should point out that nobody, not even Rusted Coil had a working seed encryption program until three days after I posted that.
  20. chiizu

    chiizu PPPPPPPPPPPPPPPPP RNG
    is a Programmer, is a Pokemon Researcher

    Joined:
    Nov 12, 2010
    Messages:
    410
    I hope that's true, though it's a bit of a curious thing to dump into the message, seeing as they've obviously gone out of their way to make finding these seeds difficult. It would make a bit more "sense" if it varied by hardware or firmware version. Not that it needs to make sense.

    That's great news about RNG Reporter 9! I'm sure you guys will crank through the variations before I will, then.

    And I don't know about Rusted Coil's programs either, as being on a Mac I can't run them. That's been a big motivator for me working on my own stuff, actually (along with general curiosity). Running RNG Reporter in Mono is buggy and painfully slow (through no fault of its developers, obviously). Wichu's recent Mac release helps out for Gen 4 (and I was a bit sad to get ninja'd so soon after I'd started on some Gen 4 stuff) but there is still Gen 5 stuff to do. I have a set of tools and demo programs in the works that I hope to release at some point for Mac users, though they're all just individual command line programs at the moment. Making GUIs was never much fun...

    I've seen some mentions of Smogon on a few Japanese pages, so they're certainly looking to see what's going on here. And as I said, your post had key and detailed information in it that allowed me to get my code working. It wouldn't surprise me at all if Rusted Coil or anybody else was finding similar information here as well.
  21. Bond697

    Bond697 Dies, died, will die.
    is a Pokemon Researcher

    Joined:
    Jun 20, 2010
    Messages:
    307
    just FYI, the search is going. rng reporter is spread across 8 cores at 80% usage and is absolutely FLYING through the search. hopefully we'll have some good stuff in a day or two.

    thanks a lot for your data, chiizu. it's being used for this parameter search. :)

    e: we have a hit! not gonna stop the search, though.
  22. chiizu

    chiizu PPPPPPPPPPPPPPPPP RNG
    is a Programmer, is a Pokemon Researcher

    Joined:
    Nov 12, 2010
    Messages:
    410
    I take it that it doesn't show the result until it's finished? I'm very keen to try it out on my side, obviously. :-)

    Edit:
    Could you let me know the search parameter ranges you used?
  23. Bond697

    Bond697 Dies, died, will die.
    is a Pokemon Researcher

    Joined:
    Jun 20, 2010
    Messages:
    307
    unfortunately, no. if it did, i would have put it up.

    e: 2 hits!!
  24. ΩDonut

    ΩDonut don't glaze me bro
    is a Programmer, is a Forum Moderator, is a Community Contributor, is a Pokemon Researcher, is a Contributor to Smogon
    Moderator

    Joined:
    Aug 23, 2006
    Messages:
    3,727
    VCount, RWTimer: 0-FFFF
    GxStat, VFrame: 0-F
    Seconds: 24-32

    I'm doing the same thing with mattj's earlier data on a DS Lite + AR right now, but by using only three cores on a laptop the search isn't nearly as fast.
  25. Kaphotics

    Kaphotics Remodeling Kitchens
    is a Pokemon Researcher, is a Contributor to Smogon

    Joined:
    Apr 25, 2009
    Messages:
    776
    Same Nationality Breeding without Ditto:
    Already implemented.
    Same Nationality Breeding with Ditto:
    DW calc is not present. Everything else after that is shifted to accommodate this loss.
    International Breeding without Ditto:
    Calculate the PID once (n), then again (n+2), then again (n+4), and again (n+6). If one is shiny, stop. Else stop at n+6.
    International Breeding with Ditto:
    Still being tested. If same, Calculate the PID once (n), then again (n+2), then again (n+4), and again (n+6). If one is shiny, stop. Else stop at n+6.


    I suspect that everstones will NOT change any calculation routine, meaning that Everstones will work for the Masuda Method. Also we have to make sure there's no difference for the male + ditto, but this is highly unlikely. I'll update this later with the routine.

    Ditto + IV Inheritance:
    Ditto will always give the A no matter the positioning (while female is B)
    Ditto will always give the B no matter the positioning (while a male is A)

    International with Everstone yielded different results, have to test more later.

    ===
    @bonds post
    0000-FFFF x2 = 16^8 possibilities
    0-F x2 = 16^2 possibilities
    24-32 = 9 possibilities
    16^10 * 9 = 9 trillion possibilities :S
