Past Gen RNG Research

Bond697

Dies, died, will die.
i can get to all 24 via pokegen, though. i was able to get it to show me 16 without the national pokedex, so that may be the limit. kaph found a save past the part that was freezing on me, and he tested it and it does the same shiny check.
 

Mario With Lasers

Self-proclaimed NERFED king
Fucking Game Freak, why is Resh/Zek so damn important for not to be shiny.

I'm not sure if you have checked it already or not, Kaphotics, but if, in N's castle, you faint Resh/Zek and then rebattle it, will it have the same IVs/Nature?
 

Kaphotics

Remodeling Kitchens
Mario With Lasers said:
Fucking Game Freak, why is Resh/Zek so damn important for not to be shiny.

I'm not sure if you have checked it already or not, Kaphotics, but if, in N's castle, you faint Resh/Zek and then rebattle it, will it have the same IVs/Nature?
Different IVs, different Nature.
 

ΩDonut

don't glaze me bro
I wouldn't rule out the possibility of shiny Zekrom\Reshiram entirely.

It's possible that the game just says "okay, if the PID would become shiny if you XOR'd with 0xSomeNumber, then make it shiny. And if the PID is already shiny, then AND it with 0x10000000."

This would make it possible to still have shiny Zekrom\Reshirams while thwarting people attempting the obvious - modifying the ID\SID so the PID would be shiny.
 

Mario With Lasers

Self-proclaimed NERFED king
ΩDonut said:
This would make it possible to still have shiny Zekrom\Reshirams while thwarting people attempting the obvious - modifying the ID\SID so the PID would be shiny.
Then again, they didn't do that with Kyurem, only with Reshiram, Zekrom and Victini. Resh/Zek have their IVs/Nature changed every time you face them even if they don't respawn, and yet they cannot be shiny; Game Freak actively made them not to, as it seems.
 

ΩDonut

don't glaze me bro
Game Freak went to a lot of trouble to encrypt the date\time\MAC Address for the non-C-Gear seeds. But no amount of encryption can stop someone with a debugger. :)

tl;dr We can now predict non-C-Gear seeds, given a date\time\DS MAC address. This will be incorporated into RNG Reporter within the next day or two, and there will be a short beta period to make sure this works perfectly for real carts. EDIT: Apparently not quite yet, there are still some issues.

Non-C-Gear seeds are MUCH easier to work with than the C-Gear; you don't have to get millisecond-precision timing, all you need is to hit the right time down to the second. What's more, the same seed is used for both RNGs, so both IVs and nature\shininess\etc. can be predicted.

Code:
This isn't so much encrypting the number as it is putting each pair of bytes in reverse order.

Example:
AD535958
becomes
585953AD
This is done to 16 4-byte numbers, which are strung together to make the SHA-1 message. Thankfully, 12 of these numbers are constant (at least, I hope they stay that way). The rest of the values are the date, time, and the two halves of the MAC address.

Also note that Date\Time is stored in a different number format than the last gen. This will be covered in another post.

Code:
02215F30, 0221602C, 0221602C, 0221602C -> 305F2102, 2C602102, 2C602102, 78602102
02216078, [ DSID ], [MACpt1], [MACpt2] -> 78602102, ????????, ????????, ????????
[ Date ], [ Time ], 00000000, 00000000 -> ????????, ????????, 00000000, 00000000
00002FFF, 00000080, 00000000, A0010000 -> FF2F0000, 80000000, 00000000, 000001A0

Note: I haven't yet determined how exactly the two parts of the MAC address are placed, since No$GBA has a set MAC address of 0.

EDIT: I have since discovered that one of the inputs is actually some ID unique to the DS.  I hope this won't be too difficult to find without an AR.

Final message:
305F21022C6021022C60210278602102786021023E0318000000C3310709BF16????????????????????????????????FF2F00008000000000000000000001A0


Copied from Wikipedia. The message-generation step is not included because we did that in the previous step.

Code:
    Initialize hash value for this chunk:
    a = h0
    b = h1
    c = h2
    d = h3
    e = h4

    Main loop:
    for i from 0 to 79
        if 0 ≤ i ≤ 19 then
            f = (b and c) or ((not b) and d)
            k = 0x5A827999
        else if 20 ≤ i ≤ 39
            f = b xor c xor d
            k = 0x6ED9EBA1
        else if 40 ≤ i ≤ 59
            f = (b and c) or (b and d) or (c and d) 
            k = 0x8F1BBCDC
        else if 60 ≤ i ≤ 79
            f = b xor c xor d
            k = 0xCA62C1D6

        if i >= 16
            w[i] = (w[i-3] xor w[i-8] xor w[i-14] xor w[i-16]) leftrotate 1

        temp = (a leftrotate 5) + f + e + k + w[i]
        e = d
        d = c
        c = b leftrotate 30
        b = a
        a = temp

    Add this chunk's hash to result so far:
    h0 = h0 + a
    h1 = h1 + b 
    h2 = h2 + c
    h3 = h3 + d
    h4 = h4 + e


Same reversing of values as in step 1.

Code:
For each 4-byte value in the SHA-1 hash, put each pair of bytes in reverse order.

Example:
AD535958
becomes
585953AD


Code:
temp = 0x6C078965 * [first 4 bytes of jumbled-up SHA-1]
temp = temp + (0x6C078965 * [second 4 bytes of jumbled-up SHA-1] * 0x100000000)
seed = temp + (0x5D588B65 * [first 4 bytes of jumbled-up SHA-1] * 0x100000000)


I commented most of the lines up until the point I figured out what was going on.

Step 1: Reversing numbers
Code:
02081DA0 E92D5FF0 stmfd   r13!,{r4-r12,r14}
02081DA4 E1A0B000 mov     r11,r0
02081DA8 E24DD040 sub     r13,r13,#0x40
02081DAC E1A0C00D mov     r12,r13
02081DB0 E3E03CFF mvn     r3,#0xFF00			; k = 0xFFFF00FF
02081DB4 E28B8014 add     r8,r11,#0x14
02081DB8 E1A0100C mov     r1,r12
02081DBC E8B800F0 ldmia   r8!,{r4-r7}
02081DC0 E3A09010 mov     r9,#0x10
02081DC4 E0242864 eor     r2,r4,r4,ror #0x10		; temp = a ^ (a rightrotate 16)
02081DC8 E0032422 and     r2,r3,r2,lsr #0x8		; temp = k & (temp >> 8)
02081DCC E0224464 eor     r4,r2,r4,ror #0x8		; a = temp ^ (a rightrotate 8)
02081DD0 E0252865 eor     r2,r5,r5,ror #0x10		; temp = b ^ (b rightrotate 16)
02081DD4 E0032422 and     r2,r3,r2,lsr #0x8		; temp = k & (temp >> 8)
02081DD8 E0225465 eor     r5,r2,r5,ror #0x8		; b = temp ^ (b rightrotate 8)
02081DDC E0262866 eor     r2,r6,r6,ror #0x10		; temp = c ^ (c rightrotate 16)
02081DE0 E0032422 and     r2,r3,r2,lsr #0x8		; temp = k & (temp >> 8)
02081DE4 E0226466 eor     r6,r2,r6,ror #0x8
02081DE8 E0272867 eor     r2,r7,r7,ror #0x10
02081DEC E0032422 and     r2,r3,r2,lsr #0x8
02081DF0 E0227467 eor     r7,r2,r7,ror #0x8
Step 2: SHA-1
Code:
02081E04 E89B01F0 ldmia   r11,{r4-r8}
02081E08 E51FC080 ldr     r12,=#0x5A827999  	; k = 5A827999 [2081D90]
02081E0C E3A09000 mov     r9,#0x0		; i = 0
02081E10 E005A006 and     r10,r5,r6		; (b and c)
02081E14 E1E0E005 mvn     r14,r5		; (not b)
02081E18 E00EE007 and     r14,r14,r7		; ((not b) and d)
02081E1C E18AA00E orr     r10,r10,r14		; f = (b and c) or ((not b) and d)
02081E20 E08AA00C add     r10,r10,r12		; temp = f + k
02081E24 E209E00F and     r14,r9,#0xF		; j = i mod 16
02081E28 E79DE10E ldr     r14,[r13,r14,lsl #0x2]; retrieve w[i]
02081E2C E08AA008 add     r10,r10,r8		; temp = temp + e 
02081E30 E08AA00E add     r10,r10,r14		; temp = temp + r14 (w[i]?)
02081E34 E08AADE4 add     r10,r10,r4,ror #0x1B  ; temp = temp + (a left-rotate 5)
02081E38 E1A08007 mov     r8,r7			; (e = d)
02081E3C E1A07006 mov     r7,r6			; (d = c)
02081E40 E1A06165 mov     r6,r5,ror #0x2	; (c = b left-rotate 30)
02081E44 E1A05004 mov     r5,r4			; (b = a)
02081E48 E1A0400A mov     r4,r10		; (a = temp)
02081E4C E2899001 add     r9,r9,#0x1		; i++
02081E50 E3590010 cmp     r9,#0x10		; loop while (i < 16)
02081E54 1AFFFFED bne     #0x2081E10
02081E58 E005A006 and     r10,r5,r6		; (b and c)
02081E5C E1E0E005 mvn     r14,r5		; (not b)
02081E60 E00EE007 and     r14,r14,r7		; ((not b) and d)
02081E64 E18AA00E orr     r10,r10,r14		; f = (b and c) or ((not b) and d)
02081E68 E08AA00C add     r10,r10,r12		; f + k
02081E6C E2492010 sub     r2,r9,#0x10		; r2 = i - 16	
02081E70 E202200F and     r2,r2,#0xF
02081E74 E249E00E sub     r14,r9,#0xE		; r14 = i - 14
02081E78 E20EE00F and     r14,r14,#0xF
02081E7C E79D3102 ldr     r3,[r13,r2,lsl #0x2]  ; load w[i-16] into r3
02081E80 E79D110E ldr     r1,[r13,r14,lsl #0x2]	; load w[i-14] into r1
02081E84 E249E008 sub     r14,r9,#0x8		; r14 = i - 8
02081E88 E0233001 eor     r3,r3,r1		; w[i-14] XOR w[i-16]
02081E8C E20EE00F and     r14,r14,#0xF		; 
02081E90 E79D110E ldr     r1,[r13,r14,lsl #0x2] ; load w[i-8] into r1
02081E94 E2492003 sub     r2,r9,#0x3		; r2 = i - 3
02081E98 E0233001 eor     r3,r3,r1		; w[i-8] XOR w[i-16] XOR w[i-14] 
02081E9C E202200F and     r2,r2,#0xF		;
02081EA0 E79D1102 ldr     r1,[r13,r2,lsl #0x2]	; load w[i-3] into r1
02081EA4 E209200F and     r2,r9,#0xF
02081EA8 E0233001 eor     r3,r3,r1		; w[i-3] XOR w[i-8] XOR w[i-16] XOR w[i-14]
02081EAC E1A03FE3 mov     r3,r3,ror #0x1F	; left-rotate 1
02081EB0 E78D3102 str     r3,[r13,r2,lsl #0x2]
02081EB4 E209E00F and     r14,r9,#0xF
02081EB8 E79DE10E ldr     r14,[r13,r14,lsl #0x2]
02081EBC E08AA008 add     r10,r10,r8
02081EC0 E08AA00E add     r10,r10,r14
02081EC4 E08AADE4 add     r10,r10,r4,ror #0x1B
02081EC8 E1A08007 mov     r8,r7
02081ECC E1A07006 mov     r7,r6
02081ED0 E1A06165 mov     r6,r5,ror #0x2
02081ED4 E1A05004 mov     r5,r4
02081ED8 E1A0400A mov     r4,r10
02081EDC E2899001 add     r9,r9,#0x1
02081EE0 E3590014 cmp     r9,#0x14		; while (i < 20)
02081EE4 1AFFFFDB bne     #0x2081E58		; else
02081EE8 E51FC15C ldr     r12,=#0x6ED9EBA1	; constant used in second phase
02081EEC E025A006 eor     r10,r5,r6		; b xor c
02081EF0 E02AA007 eor     r10,r10,r7		; b xor c xor d
02081EF4 E08AA00C add     r10,r10,r12		; f + k
02081EF8 E2492010 sub     r2,r9,#0x10
02081EFC E202200F and     r2,r2,#0xF
02081F00 E249E00E sub     r14,r9,#0xE
02081F04 E20EE00F and     r14,r14,#0xF
02081F08 E79D3102 ldr     r3,[r13,r2,lsl #0x2]
02081F0C E79D110E ldr     r1,[r13,r14,lsl #0x2]
02081F10 E249E008 sub     r14,r9,#0x8
02081F14 E0233001 eor     r3,r3,r1
02081F18 E20EE00F and     r14,r14,#0xF
02081F1C E79D110E ldr     r1,[r13,r14,lsl #0x2]
02081F20 E2492003 sub     r2,r9,#0x3
02081F24 E0233001 eor     r3,r3,r1
02081F28 E202200F and     r2,r2,#0xF
02081F2C E79D1102 ldr     r1,[r13,r2,lsl #0x2]
02081F30 E209200F and     r2,r9,#0xF
02081F34 E0233001 eor     r3,r3,r1
02081F38 E1A03FE3 mov     r3,r3,ror #0x1F
02081F3C E78D3102 str     r3,[r13,r2,lsl #0x2]
02081F40 E209E00F and     r14,r9,#0xF
02081F44 E79DE10E ldr     r14,[r13,r14,lsl #0x2]
02081F48 E08AA008 add     r10,r10,r8
02081F4C E08AA00E add     r10,r10,r14
02081F50 E08AADE4 add     r10,r10,r4,ror #0x1B
02081F54 E1A08007 mov     r8,r7
02081F58 E1A07006 mov     r7,r6
02081F5C E1A06165 mov     r6,r5,ror #0x2
02081F60 E1A05004 mov     r5,r4
02081F64 E1A0400A mov     r4,r10
02081F68 E2899001 add     r9,r9,#0x1
02081F6C E3590028 cmp     r9,#0x28		; while (i < 40)
02081F70 1AFFFFDD bne     #0x2081EEC
02081F74 E51FC1E4 ldr     r12,=#0x8F1BBCDC
02081F78 E005A006 and     r10,r5,r6
02081F7C E005E007 and     r14,r5,r7
02081F80 E18AA00E orr     r10,r10,r14
02081F84 E006E007 and     r14,r6,r7
02081F88 E18AA00E orr     r10,r10,r14
02081F8C E08AA00C add     r10,r10,r12
02081F90 E2492010 sub     r2,r9,#0x10
02081F94 E202200F and     r2,r2,#0xF
02081F98 E249E00E sub     r14,r9,#0xE
02081F9C E20EE00F and     r14,r14,#0xF
02081FA0 E79D3102 ldr     r3,[r13,r2,lsl #0x2]
02081FA4 E79D110E ldr     r1,[r13,r14,lsl #0x2]
02081FA8 E249E008 sub     r14,r9,#0x8
02081FAC E0233001 eor     r3,r3,r1
02081FB0 E20EE00F and     r14,r14,#0xF
02081FB4 E79D110E ldr     r1,[r13,r14,lsl #0x2]
02081FB8 E2492003 sub     r2,r9,#0x3
02081FBC E0233001 eor     r3,r3,r1
02081FC0 E202200F and     r2,r2,#0xF
02081FC4 E79D1102 ldr     r1,[r13,r2,lsl #0x2]
02081FC8 E209200F and     r2,r9,#0xF
02081FCC E0233001 eor     r3,r3,r1
02081FD0 E1A03FE3 mov     r3,r3,ror #0x1F
02081FD4 E78D3102 str     r3,[r13,r2,lsl #0x2]
02081FD8 E209E00F and     r14,r9,#0xF
02081FDC E79DE10E ldr     r14,[r13,r14,lsl #0x2]
02081FE0 E08AA008 add     r10,r10,r8
02081FE4 E08AA00E add     r10,r10,r14
02081FE8 E08AADE4 add     r10,r10,r4,ror #0x1B
02081FEC E1A08007 mov     r8,r7
02081FF0 E1A07006 mov     r7,r6
02081FF4 E1A06165 mov     r6,r5,ror #0x2
02081FF8 E1A05004 mov     r5,r4
02081FFC E1A0400A mov     r4,r10
02082000 E2899001 add     r9,r9,#0x1
02082004 E359003C cmp     r9,#0x3C
02082008 1AFFFFDA bne     #0x2081F78
0208200C E51FC278 ldr     r12,=#0xCA62C1D6
02082010 E025A006 eor     r10,r5,r6
02082014 E02AA007 eor     r10,r10,r7
02082018 E08AA00C add     r10,r10,r12
0208201C E2492010 sub     r2,r9,#0x10
02082020 E202200F and     r2,r2,#0xF
02082024 E249E00E sub     r14,r9,#0xE
02082028 E20EE00F and     r14,r14,#0xF
0208202C E79D3102 ldr     r3,[r13,r2,lsl #0x2]
02082030 E79D110E ldr     r1,[r13,r14,lsl #0x2]
02082034 E249E008 sub     r14,r9,#0x8
02082038 E0233001 eor     r3,r3,r1
0208203C E20EE00F and     r14,r14,#0xF
02082040 E79D110E ldr     r1,[r13,r14,lsl #0x2]
02082044 E2492003 sub     r2,r9,#0x3
02082048 E0233001 eor     r3,r3,r1
0208204C E202200F and     r2,r2,#0xF
02082050 E79D1102 ldr     r1,[r13,r2,lsl #0x2]
02082054 E209200F and     r2,r9,#0xF
02082058 E0233001 eor     r3,r3,r1
0208205C E1A03FE3 mov     r3,r3,ror #0x1F
02082060 E78D3102 str     r3,[r13,r2,lsl #0x2]
02082064 E209E00F and     r14,r9,#0xF
02082068 E79DE10E ldr     r14,[r13,r14,lsl #0x2]
0208206C E08AA008 add     r10,r10,r8
02082070 E08AA00E add     r10,r10,r14
02082074 E08AADE4 add     r10,r10,r4,ror #0x1B
02082078 E1A08007 mov     r8,r7
0208207C E1A07006 mov     r7,r6
02082080 E1A06165 mov     r6,r5,ror #0x2
02082084 E1A05004 mov     r5,r4
02082088 E1A0400A mov     r4,r10
0208208C E2899001 add     r9,r9,#0x1
02082090 E3590050 cmp     r9,#0x50
02082094 1AFFFFDD bne     #0x2082010
02082098 E89B060E ldmia   r11,{r1-r3,r9,r10}
0208209C E0811004 add     r1,r1,r4
020820A0 E0822005 add     r2,r2,r5
020820A4 E0833006 add     r3,r3,r6
020820A8 E0899007 add     r9,r9,r7
020820AC E08AA008 add     r10,r10,r8
020820B0 E88B060E stmia   r11,{r1-r3,r9,r10} ; stored in 2FE36CC, 2FE36D0, 2FE36D4, 2FE36D8, 2FE36DC
020820B4 E28DD040 add     r13,r13,#0x40
020820B8 E8BD9FF0 ldmfd   r13!,{r4-r12,r15}
020820BC E92D4008 stmfd   r13!,{r3,r14}
020820C0 EB000EE6 bl      #0x2085C60
Step 3
Code:
020814BC E8941020 ldmia   r4,{r5,r12}
020814C0 E1A01C25 mov     r1,r5,lsr #0x18		; right shift 24 (first 32bits of SHA-1)
020814C4 E20170FF and     r7,r1,#0xFF			; 
020814C8 E1A01006 mov     r1,r6				; 
020814CC E1A06C05 mov     r6,r5,lsl #0x18		; left shift 24 (first 32bits of SHA-1)
020814D0 E206E4FF and     r14,r6,#0xFF000000
020814D4 E1A06405 mov     r6,r5,lsl #0x8		; left shift 8 (first 32bits of SHA-1)
020814D8 E1A05425 mov     r5,r5,lsr #0x8		; right shift 8 (first 32bits of SHA-1)
020814DC E2055CFF and     r5,r5,#0xFF00
020814E0 E20668FF and     r6,r6,#0xFF0000
020814E4 E1875005 orr     r5,r7,r5
020814E8 E1865005 orr     r5,r6,r5
020814EC E18E5005 orr     r5,r14,r5			; list pairs in reverse order (WWXXYYZZ becomes ZZYYXXWW)
020814F0 E1A06C2C mov     r6,r12,lsr #0x18		; right shift 24 (second 32bits of SHA-1)
020814F4 E5845000 str     r5,[r4]			; store 1st 32bits, reordered
020814F8 E1A0542C mov     r5,r12,lsr #0x8		; right shift 8 (second 32bits of SHA-1)
020814FC E5943008 ldr     r3,[r4,#0x8]			; load third 32bits
02081500 E20660FF and     r6,r6,#0xFF			
02081504 E2055CFF and     r5,r5,#0xFF00			
02081508 E1866005 orr     r6,r6,r5
0208150C E1A05C23 mov     r5,r3,lsr #0x18		; right shift 24 (third 32bits of SHA-1)
02081510 E205E0FF and     r14,r5,#0xFF
02081514 E1A05C0C mov     r5,r12,lsl #0x18		; left shift 24 (second 32bits of SHA-1)
02081518 E20574FF and     r7,r5,#0xFF000000
0208151C E1A0540C mov     r5,r12,lsl #0x8		; left shift 8 (second 32bits of SHA-1)
02081520 E20558FF and     r5,r5,#0xFF0000
02081524 E1855006 orr     r5,r5,r6
02081528 E1876005 orr     r6,r7,r5
0208152C E1A05423 mov     r5,r3,lsr #0x8		; right shift 8 (third 32bits of SHA-1)
02081530 E2055CFF and     r5,r5,#0xFF00
02081534 E594200C ldr     r2,[r4,#0xC]			; load fourth 32bits
02081538 E5846004 str     r6,[r4,#0x4]			; store 2nd 32bits, reordered
0208153C E1A06C22 mov     r6,r2,lsr #0x18		; right shift 24 (fourth 32bits of SHA-1)
02081540 E18EE005 orr     r14,r14,r5			
02081544 E1A05422 mov     r5,r2,lsr #0x8		; right shift 8 (fourth 32bits of SHA-1)
02081548 E5940010 ldr     r0,[r4,#0x10]			; load fifth 32bits
0208154C E20660FF and     r6,r6,#0xFF
02081550 E2055CFF and     r5,r5,#0xFF00
02081554 E186C005 orr     r12,r6,r5
02081558 E1A05C20 mov     r5,r0,lsr #0x18		; right shift 24 (fifth 32bits of SHA-1)
0208155C E20560FF and     r6,r5,#0xFF
02081560 E1A05C03 mov     r5,r3,lsl #0x18		; left shift 24 (third 32bits of SHA-1)
02081564 E1A03403 mov     r3,r3,lsl #0x8		; left shift 8 (third 32bits of SHA-1)
02081568 E20338FF and     r3,r3,#0xFF0000
0208156C E20554FF and     r5,r5,#0xFF000000
02081570 E183300E orr     r3,r3,r14
02081574 E1853003 orr     r3,r5,r3
02081578 E5843008 str     r3,[r4,#0x8]			; store 3rd 32bits, reordered
0208157C E1A03402 mov     r3,r2,lsl #0x8		; left shift 8 (fourth 32bits of SHA-1)
02081580 E1A02C02 mov     r2,r2,lsl #0x18		; left shift 24 (fourth 32bits of SHA-1)
02081584 E202E4FF and     r14,r2,#0xFF000000
02081588 E20328FF and     r2,r3,#0xFF0000
0208158C E182200C orr     r2,r2,r12
02081590 E18E3002 orr     r3,r14,r2
02081594 E1A05420 mov     r5,r0,lsr #0x8		; right shift 8 (fifth 32bits of SHA-1)
02081598 E1A0C400 mov     r12,r0,lsl #0x8		; left shift 8 (fifth 32bits of SHA-1)
0208159C E2052CFF and     r2,r5,#0xFF00
020815A0 E1A0EC00 mov     r14,r0,lsl #0x18		; left shift 24 (fifth 32bits of SHA-1)
020815A4 E1860002 orr     r0,r6,r2
020815A8 E20C58FF and     r5,r12,#0xFF0000
020815AC E20E24FF and     r2,r14,#0xFF000000
020815B0 E1850000 orr     r0,r5,r0
020815B4 E1825000 orr     r5,r2,r0
020815B8 E1A00004 mov     r0,r4
020815BC E3A02014 mov     r2,#0x14
020815C0 E584300C str     r3,[r4,#0xC]			; store 4th 32bits, reordered
020815C4 E5845010 str     r5,[r4,#0x10]			; store 5th 32bits, reordered
020815C8 EB0005A6 bl      #0x2082C68
Step 4: Final Seed
Code:
0209BF78 E92D4030 stmfd   r13!,{r4,r5,r14}
0209BF7C E0845290 umull   r5,r4,r0,r2
0209BF80 E0244390 mla     r4,r0,r3,r4
0209BF84 E0244192 mla     r4,r2,r1,r4
0209BF88 E1A01004 mov     r1,r4
0209BF8C E1A00005 mov     r0,r5
0209BF90 E8BD4030 ldmfd   r13!,{r4,r5,r14}
0209BF94 E12FFF1E bx      r14
0209BF98 E212203F ands    r2,r2,#0x3F
0209BF9C 012FFF1E bxeq    r14
0209BFA0 E2523020 subs    r3,r2,#0x20
0209BFA4 AA000004 bge     #0x209BFBC


To-Do List:
  • Find out how far the *very* initial seed is advanced to become the seed for the nature\PID RNG
  • Determine encounter slots
  • Determine when a wild Pokemon PID is XOR'd with 0x10000 and when it's XOR'd with 0x80010000
  • Find the "shiny check" assembly code for Reshiram\Zekrom
  • Finish RNG Reporter

Debugging this was a lot easier than I thought it would be. :D

p.s. Kaphotics, date is stored at 0x23FFDE8 and time at 0x23FFDEC.
 

Kaphotics

Remodeling Kitchens
I lol'd that the tl;dr was longer than the thing it was to summarize.

Time is in (decimal)

00SSMMHH

HH from 00-11 (12-11AM), 52-63 (12-11 PM).
So, adding PM into it you go up 51, eh...

==

Date (decimal), srsly wat

06010100 for 1/1/00

01010101 for 1/1/01,
02010102 for 1/1/02,
03010103 for 1/1/03,
04010104 for 1/1/04,
+1
06010105 for 1/1/05,
00010106 for 1/1/07,
01010107 for 1/1/07,
02010108 for 1/1/08,
+1
04010109 for 1/1/09,
05010110 for 1/1/10,
06010111 for 1/1/11,
00010112 for 1/1/12.
+1
02010113 for 1/1/13
...

05010110 for 1/1/10, 06010111 for 1/1/11, 00010112 for 1/1/12, 02010113 for 1/1/13
06020110 for 1/2/10, 00020111 for 1/2/11, 01020112 for 1/2/12, 03020113 for 1/2/13
00030110 for 1/3/10, 01030111 for 1/3/11, 02030112 for 1/3/12, 04030113 for 1/3/13
01040110 for 1/4/10, 02040111 for 1/4/11, 03040112 for 1/4/12, 05040113 for 1/4/13
02050110 for 1/5/10, 03050111 for 1/5/11, 04050112 for 1/5/12, 06050113 for 1/5/13
03060110 for 1/6/10
04070110 for 1/7/10
05080110 for 1/8/10
06090110 for 1/9/10
00010110 for 1/10/10

00310110 for 1/31/10
01010210 for 2/01/10

So far it looks like XXDDMMYY. Year does something to the XX area.

It's screwy every 4 years, changing from its 0 to 6 pattern by increasing 1. Doesn't do it for changes in months or days, as far as I could see. Only difference is year separation. I can't think of a particular formula for it but it is an easy pattern.

==

(below) were they the same exact save files?
 

ΩDonut

don't glaze me bro
Looks like it's a little too early to pop the champagne.

I thought the SHA-1 input was all constant except for the time\date\MAC address. On closer inspection, it looks like the 6th, 7th, and 8th 4-byte values also differ across DSes.

In no$gba: 3E031800 0000C331 0709BF16 (unscrambled 0018033E 31C30000 16BF0907)
In Desmume: 22062F00 00000000 05000006 (unscrambled 002F0622 00000000 06000005)

I know this is DS-specific because we get the same values regardless of which game I put in. This also explains why mattj and I couldn't get the same seed with the same date\time\MAC address way back when.

I really hope this is something we'll be able to find easily without an AR, like the Nintendo WFC ID.

EDIT, response to above: I get the same seed with completely different save files.
 

ΩDonut

don't glaze me bro
Okay, so here's the story:

It looks like regular seeds are also partly dependent on some ID that is unique to each DS. As far as we know, this ID can't be retrieved by anything except an AR (and so far Kaphotics hasn't been successful in making a code for that).

However, since this ID is only one 32-bit value, it's feasible to brute-force every possible combination and find this ID, so long as you know the seed for a particular time\date\MAC address. (I wrote a program for determining this seed a few pages back, but I've found it's a little buggy and won't be fixing it until I integrate it into RNG Reporter.) It's a process that will take hours, maybe even a day or two to complete, but once you have that ID you can predict IVs (and more importantly nature\ability\shininess, which C-Gear seeds can't do) for any date\time, for that DS.

This is going to be a pretty complex process, so I'll make sure RNG Reporter 9.0 will guide the user through it, step by step. But I'm swamped this week, so don't expect to see progress on it until the end of next week. In the meantime, I'll see if I can find time to get RNG Reporter 8.4 out in the next day or two. I won't be posting any guides for it, though - I expect the people who have been beta testing it to help. :)

Kaphotics said:
It's screwy every 4 years
You mean like this?
 

Kaphotics

Remodeling Kitchens
ΩDonut said:
XX looks like the weekday of the date.
omg yes

<3

In conclusion:

00SSMMHH time
0XDDMMYY date
X=weekday

Wikipedia for help predicting days of the week for future years



Here's the code that doesn't work, if anyone else wants to take a stab. Still can't get my version of DeSmuME to show the 67452301, >.>
WHITE ONLY, SO FAR
Code:
52FE36CC 67452301
DA000000 02FE36AC
D6000000 __dump__     or D7000000, I suck at this
D2000000 00000000

when 02FE36CC is 67452301, copy 02FE36AC to dump location
Code:
94000130 MODIFIER
DA000000 __dump__
D7000000 022696A4
A226969A 00000000
1226969A 00000000
DA000000 __dump__
D6000000 0226969A
D2000000 00000000

data check code from page 16 (http://www.smogon.com/forums/showpost.php?p=3089232&postcount=378) to view the dump's location, being 02FE36AC's value when 02FE36CC is 67452301
==

I did happen to write a 6 page image included guide for (non) C-Gear seed hitting and IVRNG that I passed off to MattJ on Saturday.
 

Bond697

Dies, died, will die.
mine is missing a line or 2, i think.

the logic behind it is that it checks 02FE36CC for 67452301 and when that address is equal to that value it will write the value at 02FE36AC to the Dx data register. once that is done, D6 invokes that Dx register to write the 02FE36AC value to a specified address. It would have to be broken up into a pair of 16-bit parts for use in the actual game, but i just want to get it working first.

e: \/\/\/ it took 5 days on a fairly powerful server 2008 R2 machine running nothing but DHCP and RNG reporter and was set to give precedence to running programs not background services.

e2: kaph's is organized, but here's the raw csv if someone wants it for whatever reason:

http://pokemon.thundaga.com/rngreporter.csv
 

Kaphotics

Remodeling Kitchens
DeSmuME C-Gear Seeds

MAC Last Half: 123456
Criteria: 10000 frames, 1050-5000 delay, complete search for all IVs 30 or 31

Searched by Bond697, took 5 days on a really fast good computer.

Bestest seed!
Seed: 7e2345bb
Frame: 30
IVs: Flawless
 
I don't know if this has been mentioned earlier, but I've been using the same c-gear seed for catching and I have gotten different pokemon on the same frame IVs. I'm doing a frame 3 spread to learn the RNG on gen 5, because there's no advancement involved for IVs, but the encounter slots are definitely not related to the IV frame. Caught two different pokemon on the same seed in the same cave, same position using sweet scent.
 

ΩDonut

don't glaze me bro
I don't know if this has been mentioned earlier, but I've been using the same c-gear seed for catching and I have gotten different pokemon on the same frame IVs. I'm doing a frame 3 spread to learn the RNG on gen 5, because there's no advancement involved for IVs, but the encounter slots are definitely not related to the IV frame. Caught two different pokemon on the same seed in the same cave, same position using sweet scent.
No surprise there. If wild encounters were based off the IVRNG, you could walk for ages without getting one, because walking only advances it every 128 steps.

Since you're using the C-Gear, which advances the other RNG at a slow and steady rate, the Pokemon you encounter will change depending on how long you wait.
 

Kaphotics

Remodeling Kitchens
Testing the roamer generation, with C-Gear and without it for kicks.

non C-Gear IV frames: 0270->0007
C-Gear IV frames: 0002->0009->0002 (New, different value each time).

Can't see it flashing to 000X for each IV call or the shifting (too fast for 1 FPS), but we know it does that.

Seems like the C-Gear is turned off temporarily when the event is going, and is then re-enabled (thus re-seeded) after the event (rainy) stops. It's funny how it is raining when it is cold enough to snow, guess it was an oversight when the game was made :P



Restating it in a RNG-wise approach:

IVs are generated RIGHT as the rain lets up. The rain lets up a few seconds after the roamer flies off the screen. So IV's are definitely easy to reset for, but nature and shiny (when we get there) will be nigh impossible at this location on a cart, unless you are extremely extremely extremely persistent (and lucky). It's still an absolute crapshoot because of the rain.

Since respawning hasn't really been tested (haven't seen any info on it), I'd assume it's also respawned after beating the elite four like last gen. But until then...

0223D538

still getting this confirmed, but I was able to get this value to change depending on how fast I dismissed the dialogue. This location had the PID of the roamer I caught earlier on a previous save. There's another location that doesn't always show it (02271118).

0223D518 is NOT the memory location for Black's Roamer. It is in another location. I loaded my white active roaming save and the PID did show up in this location, but doing the event with an unactivated event save on black instead of white had it at a different location.

This kind of hints the possibility of having two roamers, we'd probably get both roamers in gray, hopefully :)



The PID is kept in the save obviously, but it is encrypted. In the memory it's in the same region as the egg PID dump (0223EBFC), but this value isn't kept on saving (PID not saved duh)
 

ΩDonut

don't glaze me bro
Kaphotics said:
IVs are generated RIGHT as the rain lets up. The rain lets up a few seconds after the roamer flies off the screen. So IV's are definitely easy to reset for, but nature and shiny (when we get there) will be nigh impossible at this location on a cart, unless you are extremely extremely extremely persistent (and lucky). It's still an absolute crapshoot because of the rain.
What we need to do is figure out the rate at which the rain advances the PIDRNG, so it's feasible for someone using non-C-Gear seeds and a timer. The only problem is we don't have a way to verify the seed, so you'd have to track down the roamer and catch it to check.

There's a guy who gives you a random fossil once a day, maybe that could be used to check. Assuming there are no other NPCs between the roamer and flying off to the fossil guy.
 

Kaphotics

Remodeling Kitchens
^ = ~.~

Pattern of the "crazy rain" and snow NPID RNG advancement:
Code:
C74ADE85	09FC	Start
1C74006F	09FD	+2
1C74006F	09FE	+0
302C29C9	09FF	+2
302C29C9	0A00	+0
3E551113	0A01	+2
3E551113	0A02	+0
9C18E8CD	0A03	+2
E88EFF77	0A05	(+0)+2
F4E75F91	0A07	(+0)+2
Still 60 times per second. However the rain lets up at different spots and starts slowly at times (one raindrop at a time).

You'd have to calibrate for doing the roamer, to see what frame you innately hit while going at a precise (timed) pace.

There's no moving NPCs in the building, so that's a plus.

=====

Takes around 25 seconds to do the event, with the PID being generated somewhere around the (453-465) frame from the initial seed. Carried out in Spring, as there is no rain until the screen flashes yellow.

=====
Code:
279A6AF7	18B542B1	Frame -46	Initial Seed
A4AB08FD	BA2F810F	Frame 0		Before Walking Outside
	Starting delay: 048E
	Walked outside
0ED47FE8	E4A87CA2	Frame 5		Appears
F1C83D4B	A2E5622C	Frame 6		Jagged Border, Colors start changing
DE00F05A	1954C70B	Frame 7		Happens right after screen flashes yellow
6B0F32FC	E49BE55A	Frame 9		Raindrops start falling
	Rain is crazy.
41CCC6D1	41D1B442	Frame 404	Leading up...
280DE838	7D5BAF49	Frame 405 (Unshown)
387134DB	B3B34ABD	Frame 406	Rain advancing..
B016AC2A	2E5CD0A7	Frame 407 (Unshown)
08610555	A2042B37	Frame 408	Rain advancing.
3B9B364C	3F33EAA2	Frame 409 (Unshown)
2085B6BF	A479300A	Frame 410	Rain advancing?
F6ECEF1E	F8277A81	Frame 411 (Unshown)
696A0399	5F7C389C	Frame 412	1 delay before IVs generated (0A62)
F815EB20	A76D23E6	Frame 413	(Unshown) - PID Call
89808263	1C8FF04E	Frame 414	IV's generated (0A63), (0A64)
5A560AD2	D0130226	Frame 415	(Unshown) - ???/Rain advances
93A1459D	DED16F3E	Frame 416	(Unshown) - ???/Rain advances
B0531AB4	348C2969	Frame 417	Roamer PID set [A76D23E6]
	Ending delay: 0A65 (0A65 - 048E = 1495 frames = 24.916 seconds)
	PID Frame: 413 + 46 = Frame 459 from initial seed
=====

Roamer PID Generation:

Unaltered, from the upper seed like all other PIDs, right after the IVs are generated.
PID didn't change when I had different IDs (which would have it end up being shiny). Seems like it can be shiny.
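The dump above can be replayed offline. The following Python is an added example, not code from Kaphotics or any tool in this thread: it implements the Gen 5 PIDRNG as the 64-bit LCG it is known to be (the multiplier and increment are the well-known Black/White constants, which this page does not itself state), reads a dump line in the dump's own column order (lower 32-bit word first, upper word second, which is why the roamer PID [A76D23E6] is the second word of the Frame 413 line), takes the PID from the upper word, applies the Gen 3-5 shiny test, and does the delay-to-seconds arithmetic from the "Ending delay" line. The trainer IDs fed to the shiny check are constructed for illustration, not anyone's real IDs.

```python
# Added example, not code from the thread: the Gen 5 PIDRNG as a 64-bit LCG.
# MULT/INC are the known BW constants (an assumption as far as this page goes).
MULT = 0x5D588B656C078965
INC = 0x269EC3
MASK64 = (1 << 64) - 1


def advance(state, n=1):
    """Step the PIDRNG n times (one step per 'frame' in the dump)."""
    for _ in range(n):
        state = (state * MULT + INC) & MASK64
    return state


def state_from_dump(lower_hex, upper_hex):
    """Rebuild the 64-bit state from a 'LLLLLLLL UUUUUUUU' dump line.

    Kaphotics' dump prints the lower word first, then the upper word; the
    roamer PID [A76D23E6] is the second word of the Frame 413 line.
    """
    return (int(upper_hex, 16) << 32) | int(lower_hex, 16)


def dump_format(state):
    """Inverse of state_from_dump, in the dump's own column order."""
    return f"{state & 0xFFFFFFFF:08X} {state >> 32:08X}"


def pid_from_state(state):
    """Gen 5 takes its 32-bit random values from the upper word of the state."""
    return state >> 32


def is_shiny(pid, tid, sid):
    """Gen 3-5 shiny test: the four 16-bit halves xor to a value below 8."""
    return (tid ^ sid ^ (pid >> 16) ^ (pid & 0xFFFF)) < 8


def elapsed_seconds(start_delay, end_delay, fps=60):
    """The delay counter ticks 60 times a second: 0A65 - 048E = 1495 -> 24.916 s."""
    return (end_delay - start_delay) / fps


# Lines copied from the roamer dump above (lower word, upper word).
FRAME5 = state_from_dump("0ED47FE8", "E4A87CA2")
FRAME6 = state_from_dump("F1C83D4B", "A2E5622C")
FRAME413 = state_from_dump("F815EB20", "A76D23E6")
ROAMER_PID = 0xA76D23E6

if __name__ == "__main__":
    # One LCG step from the Frame 5 state must reproduce the Frame 6 line.
    print("frame 5 -> 6:", dump_format(advance(FRAME5)), "(dump: F1C83D4B A2E5622C)")
    print("PID at frame 413: %08X" % pid_from_state(FRAME413))
    # Constructed trainer IDs, not anyone's real ones: 0x848B is the xor of the
    # two PID halves, so TID=0x848B with SID=0 would make this roamer shiny.
    for tid, sid in ((0x848B, 0), (12345, 54321)):
        print(f"TID {tid} SID {sid}: shiny={is_shiny(ROAMER_PID, tid, sid)}")
    print("event length: %.3f s" % elapsed_seconds(0x048E, 0x0A65))
```

Stepping the Frame 5 state once gives exactly the Frame 6 line, which is the check a practitioner wants before trusting a dump's column order or a tool's LCG constants; any other consecutive pair in the dump can be checked the same way.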
 

mattj

blatant Nintendo fanboy
Does using an AR give you a different seed than you would get without using it?

I plotted out the common MTIVRNG seed that shows up for each second on 10-25-10 from 00:01:22 - 00:02:16 while searching for good non-C-Gear seeds / frames. I did this by resetting 4 or more times on each second, then checking to see what MTIVRNG value the Check Code gave. In my personal experience, one MTIVRNG value would show up very, VERY consistently (90+%) and then there would be like 1 or 2 or 3 other "tangent" MTIVRNG values that I couldn't explain. I documented this in detail in an earlier post in the RNG Research thread.

In order to see if using an AR somehow gives different seeds than you would normally hit without using an AR, I'm going to:

1) Save my game on my surfer in Hodomoe City.
2) Start my game on the DS Startup Screen without an AR on 10-25-10 at 00:01:49 (which is smack dab in the middle of the consecutive seconds that I looked at).
3) Sweet Scent and Masterball a Pururiru.
4) Repeat this maybe 10 times
5) Stick my AR in and check the IVs.

If the IVs show up as the first 6 frames on or around 10-25-10 00:01:49, then it probably doesn't make a difference. If they don't... 10 resets is a pretty large sample size in my experience. In all of my time trying this, tangent seeds usually only show up... 10% of the time max... something weird would be going on...

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

All Resets booted on 10-25-2010 @ 00:01:49

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Reset #1) 14 / 12 / 15 / 26 / 15 / 24 checked no matches

Reset #2) 14 / 12 / 15 / 26 / 15 / 24

Reset #3) 14 / 12 / 15 / 26 / 15 / 24

Reset #4) 29 / 22 / 30 / 13 / 30 / 29 checked no matches

Reset #5) 29 / 22 / 30 / 13 / 30 / 29

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

All Resets booted on 10-25-2010 @ 00:01:48

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Reset #1) 11 / 28 / 0 / 8 / 6 / 16 checked no matches

Reset #2) 11 / 28 / 0 / 8 / 6 / 16

Reset #3) 11 / 28 / 0 / 8 / 6 / 16

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

All Resets booted on 10-25-2010 @ 00:01:47

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Reset #1) 20 / 7 / 20 / 24 / 2 / 19 checked no matches

Reset #2) 20 / 7 / 20 / 24 / 2 / 19

Reset #3) 17 / 12 / 8 / 15 / 12 / 2 checked no matches

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

All Resets booted on 10-25-2010 @ 00:01:50

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Reset #1) 10 / 29 / 6 / 10 / 3 / 6 checked no matches

Reset #2) 10 / 29 / 6 / 10 / 3 / 6

Reset #3) 10 / 29 / 6 / 10 / 3 / 6

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Past Results, while using an AR

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

22.0
09059435


23.0
d8c84fef


24.0


25.0
828b8d29


26.0
293414e0
443e2197


27.0
819340c3


28.0
830c3ab4


29.0
6453994d


30.0
c62a78bb


31.0
a95174aa


32.0
24d49b89


33.0
5c7b749d


34.0
d2b9b026


35.0
22776a9e


36.0
1777ef87
101cde27


37.0
b57091b3
6 / 1 / 0 / 28 / 26 / 18

38.0
e5ff5ded
10 / 30 / 24 / 1 / 5 / 26

39.0
9757ecef
25 / 5 / 2 / 29 / 4 / 29
f93181f7
22 / 18 / 21 / 24 / 23 / 6

40.0
81ddcd92
12 / 2 / 13 / 4 / 8 / 8

41.0
61266a47
11 / 26 / 15 / 21 / 4 / 13

42.0
9751fdb4
19 / 15 / 22 / 24 / 1 / 18

43.0
570a938
27 / 28 / 5 / 19 / 0 / 31

44.0
f6fd652e
23 / 17 / 0 / 10 / 12 / 29

45.0
86e3c15b
22 / 3 / 11 / 21 / 1 / 8

46.0
bfcf4ff2
18 / 0 / 1 / 8 / 9 / 8

47.0
b7cdb995
15 / 14 / 30 / 23 / 5 / 15

48.0
921ab4e1
31 / 23 / 12 / 19 / 18 / 31

49.0
9d8c4542
13 / 3 / 16 / 12 / 6 / 28

50.0
ced1b9c4
1 / 22 / 31 / 2 / 10 / 6

51.0
b9b7430a
15 / 15 / 15 / 8 / 10 / 4

52.0
8af890db
5 / 15 / 24 / 29 / 14 / 13

53.0
d3039559
3 / 4 / 19 / 11 / 16 / 0

54.0
2e31fdd1
23 / 2 / 13 / 2 / 13 / 27

55.0
70e5d3de
13 / 11 / 18 / 12 / 28 / 6

56.0
3ac53665
31 / 17 / 25 / 12 / 10 / 15
54baaf38
25 / 24 / 25 / 2 / 12 / 30

57.0
7685b738
16 / 27 / 7 / 3 / 11 / 9

58.0
863f4488
26 / 18 / 28 / 7 / 5 / 16
8d18b9dc
10 / 24 / 20 / 2 / 3 / 29

59.0
143b3db3
14 / 17 / 2 / 12 / 13 / 5

60.0
d97badbf
28 / 16 / 21 / 24 / 10 / 6

61.0
773a7d2a


62.0
c1a4f871


63.0
6cb8ac6


64.0
22f34a12


65.0
a462a262


66.0
4b3b3b6b



67.0
2d77a24a
87e75974


68.0
3f7e3677


69.0
2c417a5d
73ed98e7


70.0
96b383ec


71.0
81bc1e0


72.0
219a8ef1


73.0
8ade1ff1
3e4ca4b1


74.0
93a3b9d4


75.0
c18354e0
a295341


76.0
8580222

Well... I Reset on 4 different seconds, and while the IVs I got were consistent within themselves (as expected) none of them matched anything within 10 seconds of what I got while using an AR (unexpected). I suppose it does make a difference.
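The "checked, no matches" step in the post above is a search: take the MTIVRNG seed the Check Code shows, generate IVs from it frame by frame, and see whether the observed spread appears. The following Python is an added example, not mattj's code or any tool from this thread. It implements textbook MT19937 (the Mersenne Twister behind the MTIVRNG) and the search. Three things in it are my assumptions about Gen 5 rather than facts stated on this page: the 32-bit MTIVRNG seed goes into MT19937's standard seeding routine, each IV is the top five bits of one 32-bit output, and the six IVs come out in HP / Atk / Def / SpA / SpD / Spe order starting at frame 1. The only hard check is the MT19937 reference vector (seed 5489 gives 3499211612 as its first output); whether mattj's 37.0 entry matches at some frame under these assumptions is exactly what the search reports.

```python
# Added example, not code from the thread: MT19937 as the Gen 5 "MTIVRNG",
# plus the IV frame search that the post above does by hand.
# Assumptions (mine): seed -> init_genrand, IV = output >> 27, order
# HP/Atk/Def/SpA/SpD/Spe, first IV at frame 1.

N, M = 624, 397
MATRIX_A = 0x9908B0DF
UPPER_MASK, LOWER_MASK = 0x80000000, 0x7FFFFFFF
MASK32 = 0xFFFFFFFF


class MT19937:
    """Textbook MT19937 with the standard 32-bit (init_genrand) seeding."""

    def __init__(self, seed):
        self.mt = [0] * N
        self.mt[0] = seed & MASK32
        for i in range(1, N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & MASK32
        self.index = N  # forces a twist before the first output

    def _twist(self):
        for i in range(N):
            y = (self.mt[i] & UPPER_MASK) | (self.mt[(i + 1) % N] & LOWER_MASK)
            v = self.mt[(i + M) % N] ^ (y >> 1)
            if y & 1:
                v ^= MATRIX_A
            self.mt[i] = v
        self.index = 0

    def next_u32(self):
        if self.index >= N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & MASK32


IV_NAMES = ("HP", "Atk", "Def", "SpA", "SpD", "Spe")


def ivs_at_frame(seed, frame):
    """Six IVs whose first value is taken at MT frame `frame` (1-based)."""
    rng = MT19937(seed)
    for _ in range(frame - 1):
        rng.next_u32()
    return tuple(rng.next_u32() >> 27 for _ in IV_NAMES)


def find_iv_frame(seed, observed, max_frame=50):
    """First frame in 1..max_frame whose spread equals `observed`, else None.

    Uses a sliding window so the stream is generated once, not once per frame.
    """
    rng = MT19937(seed)
    window = [rng.next_u32() >> 27 for _ in range(6)]
    for frame in range(1, max_frame + 1):
        if tuple(window) == tuple(observed):
            return frame
        window.pop(0)
        window.append(rng.next_u32() >> 27)
    return None


def parse_spread(text):
    """'6 / 1 / 0 / 28 / 26 / 18' -> (6, 1, 0, 28, 26, 18), the post's format."""
    return tuple(int(x) for x in text.split("/"))


if __name__ == "__main__":
    # Seed and spread copied from the 37.0 entry in the post above.
    seed = 0xB57091B3
    spread = parse_spread("6 / 1 / 0 / 28 / 26 / 18")
    print("frames 1-6 from seed %08X:" % seed)
    for f in range(1, 7):
        print(f, " / ".join(str(v) for v in ivs_at_frame(seed, f)))
    print("observed spread found at frame:", find_iv_frame(seed, spread))
```

If the search reports None for a seed/spread pair that the Check Code associated, one of the assumptions above (seeding routine, IV order, or starting frame) is wrong for that encounter, which is the same conclusion the manual check reaches.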
 
Does using an AR give you a different seed than you would get without using it?

...


Well... I Reset on 4 different seconds, and while the IVs I got were consistent within themselves (as expected) none of them matched anything within 10 seconds of what I got while using an AR (unexpected). I suppose it does make a difference.

I wanted to let you know, mattj, that the AR only seems to affect non-C-Gear seeds. It appears that when the C-Gear starts up it "overrides" anything the AR codes did, whereas the AR codes may have an effect without the C-Gear... that is something at least.
 

Kaphotics

Remodeling Kitchens
is a Top Researcher Alumnusis a Top Contributor Alumnus
Well, the C-Gear seeds don't set the PID RNG; they only reseed the MTRNG with the new seed. When Bond tested whether freezing these date/time locations at startup would give the same non-C-Gear seed, it did not.

We had trouble getting the code to work because the AR code isn't fast enough to grab the value correctly so it had to be achieved differently.

This unique ID is taken from two places in the memory, not from the game but from the DS hardware. Since there is an AR inserted into the mix, this value will inadvertently be different. Thus you have different initial seeds.

With the BWSeedFinder (implemented into Reporter) you'd get your initial seed without an AR, and then you could get your unique ID. Then seeds :)
 
IIRC bond says he got different results between his DStwo and Desmume, but has it been tested whether running the game from the DStwo is different from running a real cart? (On the same hardware)
 

Bond697

Dies, died, will die.
we're still experimenting. if you have a copy of white and an AR, say something.

e: yeah, i tried freezing date, time, and delay with the internal memory freezing function, and the seeds still kept changing.

e2: my original code was correct, but it didn't work because of 2 factors:

1. the AR isn't quite fast enough

2. the AR usually only works in ARM7, and in this case the memory region that 02FE36AC and 02FE36CC are located in is different between ARM7 and ARM9. it had to be hooked into ARM9 via assembly and then pull the value out.
 
