Past Gen RNG Research

Bond697

Dies, died, will die.
Emulators obviously make things easier and more controllable, but do you think that with enough patience this could be done through trial and error on a normal cart? Just try, try, try, try, try, try, and try again?
last night when i posted the jolteon i had said it was impossible without an emulator, but thinking about it now it probably is do-able. like you said, just loads of practice. you might want to do it on an emu first and count the amount of time between hitting A on the "xxx warped to the high link!" and when the mtrng reseeds. then you'll know how much time to give between pressing a and hitting it on a real cart.
 

mattj

blatant Nintendo fanboy
There were a lot of people who said that RNGing the stationary Lati@s in HG/SS was impossible aside of an emulator, but I've done like 3 of them each on a normal cart. Just takes a crap ton of patience, and an easy to hit seed.
 
HGSS Testing Needed

Figure out exactly how to make sure elm can use all three messages.
Must pkrs be cured or just have been encountered?
Perhaps there is a reset before?
We know the Kanto message requires having opened Kanto.
I can confirm that in Soul Silver you only need to have shown a Pokemon that has at one time been infected with pokerus to the Pokemon center, it does not need to be actively infected.

However I have another question, can you RNG prior to Latios being released. I RNGd for shiny egg, hit my seed, confirmed with elm calls, and got a non shiny pokemon when hatched. Hatched same egg multiple times, never shiny. So I don't know if it was a fluke, or perhaps latios not being released had something to do with it. Other roamers had been caught.
 
I can confirm that in Soul Silver you only need to have shown a Pokemon that has at one time been infected with pokerus to the Pokemon center, it does not need to be actively infected.

However I have another question, can you RNG prior to Latios being released. I RNGd for shiny egg, hit my seed, confirmed with elm calls, and got a non shiny pokemon when hatched. Hatched same egg multiple times, never shiny. So I don't know if it was a fluke, or perhaps latios not being released had something to do with it. Other roamers had been caught.
I found that I did not get the "there are so many ways..." message until I showed the hatched Togepi message to Professor Elm.

I also found that catching the Sudowoodo caused my entry frame to increase by 1.
 

Bond697

Dies, died, will die.
if anyone is going to start abusing wondercards, both kagome town and the elite 4 are usable, as the PIDRNG doesn't advance in those pokemon centers.
 
White Roamer (can't find result in chart)

Using a white cartridge, MAC address CA544C, I did the following while saved inside the house but about to step outside:

1) Set my game time to 2011-02-07 20:30
2) Started my run.
3) Soft reset after 43 seconds.
4) Said yes to the CGear 28 seconds later.
5) Stepped out of the house and pressed A quickly at each opportunity until the scene ended.
6) Caught the roamer and IV'd it.
7) Nature: Jolly, IVs: 11/3/16/21/17/6

I ran this through RNG Reporter 8.40 capture tab with a max frame of 20 and delay ranging from 1600 all the way to 7000 and did not get a hit.

Can anyone tell me what I am doing wrong? I have repeatedly studied Matt J's and Kaphotic's posts but still can't figure out what I am doing wrong. The only thing I can think is that the frame is too low, but it sure takes a long time to look through large delay ranges also with a large Max frame.

Any help would be appreciated; I am getting ready to faint the roamer and verify that it is regenerated by beating the elite 4; I have already verified this for the 3 Justice Heart Pokemon and Randorosu.
 

ΩDonut

don't glaze me bro
is a Programmer Alumnusis a Forum Moderator Alumnusis a Top Researcher Alumnusis a Top Contributor Alumnus
chrish: that post belongs in the help thread, not here. But I'm getting the feeling that you are turning on the C-Gear immediately after selecting Yes from the Continue menu, not from in-game. It messes up the second the C-Gear starts. That is like 95% of the cause of problems with people's C-Gear seeds not working.

I've discovered something interesting while resetting with save states for a shiny Thundurus. On many occasions the PID defaults to a PID on frame 695, even after the RNG has advanced well past that. just by button mashing and finishing the encounter as soon as possible. I've gotten that same PID five times in a row without coordinating my timing at all.

If we can figure out under what conditions it defaults to another PID, we can get much greater control over the PID of the roamers.
 

Kaphotics

Remodeling Kitchens
is a Top Researcher Alumnusis a Top Contributor Alumnus
IDSID Abuse for Shiny PIDs with only RNG Reporter (currently beta3)

1) Get a Non-CGear seed with the IV spread you want.
2) Get a PID from that Non-CGear seed that you can hit
Be sure that the frame is high enough so that the 40+ advancements from the initial seed is already factored in​
3) Split the PID into SID and ID. Convert to decimal.
4) Open up [Time Finder], be sure your same parameters are loaded.
5) Select Method 5 (Natures) Theoretical, select 5th Gen Roamers.
6) Enter the PID (converted into IDs) into the ID/SID field. Order doesn't matter.
7) Max frame is 100
8) Generate your "Shiny Roamers"
9) [Delete your old save so that you can start a new game]
10) Take a "Shiny Roamer" non-cgear seed and hit it. Start the new game.
11) Take the IDs you got, convert them back into a seed (SID_ID) to see what frame you hit.
12) Determine how many times you have to say "No" to the Professor so that what you hit would be what you want to hit (the shiny roamer PID).
13) Hit your non-cgear seed again, say "no" the proper amount of times on the second question from the Professor (name is correct).
14) You should have the IDs that you were wanting to hit (shiny roamer PID)
15) That seed from step 1 (the IV spread / PID) will now be shiny on whatever frame you took it from.


Snivy, Tepig, Oshawott(all shiny)


Nature: Timid
Catch location: Starters!
30/18/30/31/31/30 Elec 70


This is the result of the very first 5th gen ID abuse. We had to manipulate it so that the non-CGear IV seed and the non-CGear PID seed were hittable at the same time and then I could advance to the proper frame for the PID and hit a shiny. IV frames can't be advanced, so that seed had to be on frame 1.
No choosing your IDs, yet.
 
Really cool. Just a couple questions since I am a newbie.

I assume that you can save after you get your new ID/SID. Then in step 15, we can restart and hit the initial seed from step 1 before getting your starters. Correct?

Also do we know the exact number of advances from the initial seed there are? You said 40+. Does this also apply to the frames for getting your SID/ID in step 8?

For finding the IV seed, are starters considered roamers or not in RNGReporter Timefinder?

Finally, in step 15, what are the ways to advance your frame after hitting the seed from step 1? From what I have seen, the only option is saving advances by one since this is at the very start.

Thanks
 

Kaphotics

Remodeling Kitchens
is a Top Researcher Alumnusis a Top Contributor Alumnus
I assume that you can save after you get your new ID/SID. Then in step 15, we can restart and hit the initial seed from step 1 before getting your starters. Correct?
Yes.

Also do we know the exact number of advances from the initial seed there are? You said 40+. Does this also apply to the frames for getting your SID/ID in step 8?
The frame too should be above forty for the SID/ID seed. You do it once to see how much it normally does when you hit the seed, then you accommodate when you hit the seed again. Basically a calibration.

For finding the IV seed, are starters considered roamers or not in RNGReporter Timefinder?
No. Wild Pokemon (I think it's Method 5 Natures Theoretical)

Finally, in step 15, what are the ways to advance your frame after hitting the seed from step 1? From what I have seen, the only option is saving advances by one since this is at the very start.
Only saving. With your non-Cgear seed, you shouldn't have to advance more than ~25 frames at most to get to your target nature (which is your wanted PID).
(super manageable)​
===

Somewhat related, the IDs you get from the roamer seed result with an SID / ID(-1). It's got a 1/8 chance of not being right, but with a bunch of roamer seeds you'll get shiny IDs.

Only reason I posted it is for those wanting to do it now, but it'll be a little easier to do when Pandora's Box gets updated in RNG Reporter.
 

Expert Evan

every battle has a smell!
is a Forum Moderator Alumnus
Since I started RNGing B/W on my R4 I have been noticing for each second there could be 4 possible seeds. In revisiting, I have at first determine there were 2 possible RWTimers but could not understand where the other pair came from. In taking a given second from my DS, I tried getting all the frame 1 IVs to see how the DS Parameters in the beta version would react, and while 2 of them only differed by RWTimer, another 2 seeds, both with the same different RWTimer values were apparently unsearchable so I wonder if there is perhaps another switch out there. So here were my results as follows:

Date/Time: 02/01/2011 02:11:21
Mac address: 0017AB88585F
GxStat=6
VFrame=9

(these 2 were searchable in DS parameters)
seed vcount rwtimer HP attack defense sp.atk sp.def speed
31F36527 50 A77 20 5 13 6 22 25
E733759E 50 A78 31 6 31 31 31 31

(these 2 were not searchable somehow)
seed vcount rwtimer HP attack defense sp.atk sp.def speed
BBCAFE56 50 A77 20 13 13 14 28 4
66D00A5D 50 A78 0 18 12 24 0 22
 

Kaphotics

Remodeling Kitchens
is a Top Researcher Alumnusis a Top Contributor Alumnus
Startup Key States

If you haven't pressed anything: 0x2fff
If you just pressed the A button: 0x2ffe

That's what this situation is. Magnemite has this noted on his site where the hashing is discussed.

So yeah, you have your two RWtimer values, and then you have this keypress variable that is dependent on your input. It's discussed in a later post :)

edit1: fixed link
edit2: removed speculative sentence, fixed translation
 

Bond697

Dies, died, will die.
just FYI, the amount of delay between hitting A on the "XXX warped to the high link!" screen and the game reseeding is exactly 0x128 delay(296 delay in dec).
 

ΩDonut

don't glaze me bro
is a Programmer Alumnusis a Forum Moderator Alumnusis a Top Researcher Alumnusis a Top Contributor Alumnus
So yeah, you have your two RWtimer values, and then you have this keypress variable that is dependent on your input. Not sure how this is triggered exactly, but it could be another advantage so that we can double the amount of seeds we can hit.
Testing in Desmume shows that you only need to hold down A when turning on the game to get the second set of seeds. Gonna implement in RNG Reporter in a bit.

EDIT: oh wow, I got a third set of seeds just by holding down B at the start.

EDIT #2: So it looks like the encryption also depends on which button(s) you are holding down at the start of the game.

2FFF = No button
2FFE = A
2FFD = B

2FF7 = Start, Down
2FFB = Select, Up

2FDF = Left
2FEF = Right

2EFF = R
2DFF = L
2BFF = X
27FF = Y

Apparently the effects of buttons also stack, too. But only up to two buttons; if you add a third it reverts to 2FFF.

2FFC = A + B
2BFE = A + X
2BFD = B + X
27FE = A + Y
27FD = B + Y
2FF3 = Start + Select

Certain combinations count as a single button (and thus can be stacked with a third):

2FAF = Up+Right
2F9F = Up+Left
2F6F = Down+Right
2F5F = Down+Left

2F97 = Up+Left+Start
etc.
 

Kaphotics

Remodeling Kitchens
is a Top Researcher Alumnusis a Top Contributor Alumnus
Code:
2FFE A			|2FFC	A + B	|2F7E	A + Down	|2FBE	A + Up
2FFD B			|----		|2F7D	B + Down	|2FBD	B + Up
2FFB Select		|2FF3	St + Se	|			|
2FF7 Start		|----		|			|
			|		|			|
2FEF Right		|		|2FD7	St + Le		|2FE7	St + Ri	
2FDF Left		|----		|2FDB	Se + Le		|2FE8	Se + Ri	
2FBF Up			|		|			|
2F7F Down		|----	Le + Ri	|2FDE	A + Le		|2FEE	A + Ri
			|Impossible	|2FDD	B + Le		|2FED	B + Ri
			|		|			|
2EFF R			|2EFE	A + R	|2EFD	B + R		|2E7F	Down + R
2DFF L			|2DFE	A + L	|2DFD	B + L		|2D7F	Down + L
2BFF X			|2BFE	A + X	|2BFD	B + X		|2B7F	Down + X
27FF Y			|27FE	A + Y	|27FD	B + Y		|277F	Down + Y
			|		|			|
2FAF U + Ri		|2EDF	Le + R	|2EEF	Ri + R		|2EBF	Up + R
2F9F U + Le		|2DDF	Le + L	|2DEF	Ri + L		|2DBF	Up + L
2F6F D + Ri		|2BDF	Le + X	|2BEF	Ri + X		|2BBF	Up + X
2F5F D + Le		|27DF	Le + Y	|27EF	Ri + Y		|27BF	Up + Y
			|		|			|
2FFF None		|2AFF	R + X	|29FF	L + X 		|2CFF	R + L
			|26FF	R + Y	|25FF	L + Y		|23FF	X + Y

2F97	U+Le+St
ew, can't see the entire contents in one view. paste it into notepad (edit to fill in)

triple combos at the bottom. Pressing 3 buttons is definitely possible. (Left Up and R for example) Gotta be quick!

This whole keypress stuff increases the initial seeds possible by at least 40x :D

0x2XYZ,
x=(3)-[F].... 14 possible
y=5,6,7,9,A,B,D,E,F.... 9 possible
z=(3)-[F].... 14 possible
Variables = 14*9*14 = 1764 different theorized key combinations.

Bunch of edits from OD... and...


Single/Double/Triple (Same Group) Key Press Chart
Code:
2FF[u]x[/u]		|2F[u]x[/u]F			|2[u]x[/u]FF
2FFF None	|2FFF None		|2FFF None	
2FFE A		|2FEF Right		|2EFF R		
2FFD B		|2FDF Left		|2DFF L	
2FFC A+B	|2FCF Impossible	|2CFF R+L
2FFB Select	|2FBF Up		|2BFF X	
2FFA Se+A	|2FAF U+Ri		|2AFF X+R
2FF9 Se+B	|2F9F U+Le		|29FF X+L
2FF8 Se+A+B	|2F8F Impossible	|28FF X+R+L
2FF7 Start	|2F7F Down		|27FF Y	
2FF6 St+A	|2F6F D+Ri		|27FF Y+R
2FF5 St+B	|2F5F D+Le		|25FF Y+L
2FF4 St+A+B	|2F4F Impossible	|24FF Y+R+L?? (doesn't work, pauses initial game loading)
2FF3 St+Se	|2F3F Impossible	|23FF X+Y
2FF2 ???	|2F2F ????Imposs	|22FF ???
2FF1 ???	|2F1F ????Imposs	|21FF ???
2FF0 ???	|2F0F ????Imposs	|20FF ???

?? is unverified but assumed
??? is unobserved thus assumed
???? is assumed (Up+Down lol)

It also works for two singles from different groups, as pointed out in the above code box. The noted triple button press has a double from one and a single from another.


A massive increase in the amount of seeds that are hittable!!
 

chiizu

PPPPPPPPPPPPPPPPP RNG
is a Programmer Alumnusis a Top Researcher Alumnus
A question for the researchers. Have DSi and DSLL timings been figured out yet?

I ask because in my search of various sources of information (this forum and Japanese pages like rusted coil's and kxtad's) the values mentioned are for the original DS or DS lite. I've verified the values of GxStat, what you guys call VFrame, VCount, and Timer0 for my DSLite using a program I wrote (using a White retail cart with no AR) and I can use those values to generate usuable seeds fine, but I've not been successful in doing the same for my DSi. All the comments I've seen on Japanese pages indicate that no one has gotten it working yet, but I know that RNGReporter 9.0 is currently being beta tested, so I thought maybe the DSi stuff had been figured out.

(Edit)
Here's my DSi / seed info:

Pokemon White JP Retail on JP Retail DSi
MAC Address: 002331c8d2e8

20:59:25 2/15/2011 Tue(2) (This is when the game was started from the DSi menu, so I'm assuming actual time was 1-2 seconds later.)

TID 1: 16759
TID 2: 20684
TID 3: 39591
TID 4: 45921

(For verification purposes)
TID 5: 57371

IVs (no AR, but caught at high level):
(22,23), (16,17), (27,28), 9, 5, 30

TID seed:
xxxx41789fe04cf6

f88841789fe04cf6 found to lead to below initial seed when rolled back 19 times.

Initial Seed (where PIDRNG and MTIVRNG split):
6a6af7e4be9ef132


On my DS Lite (JP retail) and same White cart, I used the same procedure to find my initial seed, which when rolled back one tick was found to match the output of the SHA-1 hash (first two 32-bit words with endian-swapped bytes) constructed as described by Rusted Coil here.
 

ΩDonut

don't glaze me bro
is a Programmer Alumnusis a Forum Moderator Alumnusis a Top Researcher Alumnusis a Top Contributor Alumnus
We haven't figured it out yet, but that's due in part to nobody around here having a DSi capable of playing Black\White. The data you just gave us will be a huge help in figuring out the DSi variables before the US release, thank you so much.

EDIT: Also, hey I described that hash construction first. :/
 

chiizu

PPPPPPPPPPPPPPPPP RNG
is a Programmer Alumnusis a Top Researcher Alumnus
We haven't figured it out yet, but that's due in part to nobody around here having a DSi capable of playing Black\White. The data you just gave us will be a huge help in figuring out the DSi variables before the US release, thank you so much.
I've been working through variations of the message components (GxStat, VCount, VFrame, Timer0) in hopes of finding the DSi variables myself, and at this point I'm starting to work through the possibilities of the mysterious 'nazo'. But the search space is large and I only have 2 cores. If you have any suspicions and / or knowledge about what might be different on the DSi, and are willing to share of course, I'd be happy to hear about it. I will certainly report anything I find in the meantime.

Also, hey I described that hash construction first. :/
Indeed, I saw your detailed description of it here first and it was your post that helped me solve the my final problem (the endian swapping after the hash, and one additional frame advancement before seeding the MTIVRNG) to confirm that my searcher worked, so thank you.

Not to burst any bubbles, but I did find that others had been talking about the hashing and the message contents for some time, though.
 

ΩDonut

don't glaze me bro
is a Programmer Alumnusis a Forum Moderator Alumnusis a Top Researcher Alumnusis a Top Contributor Alumnus
I've been working through variations of the message components (GxStat, VCount, VFrame, Timer0) in hopes of finding the DSi variables myself, and at this point I'm starting to work through the possibilities of the mysterious 'nazo'. But the search space is large and I only have 2 cores. If you have any suspicions and / or knowledge about what might be different on the DSi, and are willing to share of course, I'd be happy to hear about it. I will certainly report anything I find in the meantime.
"nazo" is actually a set of parameters unique to each version. They're just a list of addresses stored at a location that happens to be just before the other encryption values. Black has 0x105F2102, 0x0C602102, 0x0C602102, 0x58602102, 0x58602102, and White has 0x305F2102, 0x2C602102, 0x2C602102, 0x78602102, 0x78602102 (post-endian swapping). I'm probably going to have to find these values all over again for the English release.

I'm going to have Bond697 start a search on his 8-core server. The seed encryption is built into RNG Reporter 9, and has multi-core optimization (I don't know if that's true of Rusted Coil's programs).

Indeed, I saw your detailed description of it here first and it was your post that helped me solve the my final problem (the endian swapping after the hash, and one additional frame advancement before seeding the MTIVRNG) to confirm that my searcher worked, so thank you.


Not to burst any bubbles, but I did find that others had been talking about the hashing and the message contents for some time, though.
Consider my bubble somewhat burst, although I should point out that nobody, not even Rusted Coil had a working seed encryption program until three days after I posted that.
 

chiizu

PPPPPPPPPPPPPPPPP RNG
is a Programmer Alumnusis a Top Researcher Alumnus
"nazo" is actually a set of parameters unique to each version. They're just a list of addresses stored at a location that happens to be just before the other encryption values.
I hope that's true, though it's a bit of a curious thing to dump into the message, seeing as they've obviously gone out of their way to make finding these seeds difficult. It would make a bit more "sense" if it varied by hardware or firmware version. Not that it needs to make sense.

I'm going to have Bond697 start a search on his 8-core server. The seed encryption is built into RNG Reporter 9, and has multi-core optimization (I don't know if that's true of Rusted Coil's programs).
That's great news about RNG Reporter 9! I'm sure you guys will crank through the variations before I will, then.

And I don't know about Rusted Coil's programs either, as being on a Mac I can't run them. That's been a big motivator for me working on my own stuff, actually (along with general curiosity). Running RNG Reporter in Mono is buggy and painfully slow (through no fault of it's developers, obviously). Wichu's recent Mac release helps out for Gen 4 (and I was a bit sad to get ninja'd so soon after I'd started on some Gen 4 stuff) but there is still Gen 5 stuff to do. I have a set of tools and demo programs in the works that I hope to release at some point for Mac users, though they're all just individual command line programs at the moment. Making GUIs was never much fun...

Consider my bubble somewhat burst, although I should point out that nobody, not even Rusted Coil had a working seed encryption program until three days after I posted that.
I've seen some mentions of Smogon on a few Japanese pages, so they're certainly looking to see what's going on here. And as I said, your post had key and detailed information in it that allowed me to get my code working. It wouldn't surprise me at all if Rusted Coil or anybody else was finding similar information here as well.
 

Bond697

Dies, died, will die.
just FYI, the search is going. rng reporter is spread across 8 cores at 80% usage and is absolutely FLYING through the search. hopefully we'll have some good stuff in a day or two.

thanks a lot for your data, chiizu. it's being used for this parameter search. :)

e: we have a hit! not gonna stop the search, though.
 

chiizu

PPPPPPPPPPPPPPPPP RNG
is a Programmer Alumnusis a Top Researcher Alumnus
I take it that it doesn't show the result until it's finished? I'm very keen to try it out on my side, obviously. :-)

Edit:
Could you let me know the search parameter ranges you used?
 

ΩDonut

don't glaze me bro
is a Programmer Alumnusis a Forum Moderator Alumnusis a Top Researcher Alumnusis a Top Contributor Alumnus
Edit:
Could you let me know the search parameter ranges you used?
VCount, RWTimer: 0-FFFF
GxStat, VFrame: 0-F
Seconds: 24-32

I'm doing the same thing with mattj's earlier data on a DS Lite + AR right now, but by using only three cores on a laptop the search isn't nearly as fast.
 

Kaphotics

Remodeling Kitchens
is a Top Researcher Alumnusis a Top Contributor Alumnus
Same Nationality Breeding without Ditto:
Already implemented.​
Same Nationality Breeding with Ditto:
DW calc is not present. Everything else after that is shifted to accommodate this loss.​
International Breeding without Ditto:
Calculate the PID once (n), then again (n+2), then again (n+4), and again (n+6). If one is shiny, stop. Else stop at n+6.​
International Breeding with Ditto:
Still being tested. If same, Calculate the PID once (n), then again (n+2), then again (n+4), and again (n+6). If one is shiny, stop. Else stop at n+6.​


I suspect that everstones will NOT change any calculation routine, meaning that Everstones will work for the Masuda Method. Also we have to make sure there's no difference for the male + ditto, but this is highly unlikely. I'll update this later with the routine.

Ditto + IV Inheritance:
Ditto will always give the A no matter the positioning (while female is B)
Ditto will always give the B no matter the positioning (while a male is A)

International with Everstone yielded different results, have to test more later.

===
@bonds post
0000-FFFF x2 = 16^8 possibilities
0-F x2 = 16^2 possibilities
24-32 = 9 possibilities
16^10 * 9 = 9 trillion possibilities :S
 

Users Who Are Viewing This Thread (Users: 1, Guests: 0)

Top