Past Gen RNG Research

Kaphotics

C-Gear SEED1/SEED2 advancement upon activation:

Tested on Black
Code:
B35076F9 MTRNG		Reseeds@
Delay @A: 0FEE		1001
NPID[112C6B07,8F675234]	C-Gear: 00A1E204

Delay Changes and Frame Changes
1001 --> 1008	1055	10BC	110B	114C	119F	123C	1287	134B	1396	1438	149B	154C	158E	15D7	162D
ΔF=	+1Frame	+1Frame	...
ΔD=		4D	67	4F	41	53	9D	4B	C4	4B	A2	63	B1	42	49	56
I did an earlier test and got the 41, 53. I think it follows a similar pattern of advancement, but it is definitely not at a fixed repeating rate. It might be a cyclic changing rate. Just posting what I have for now.

Wonder what a plot of (more of) these values would look like... too much studying :P

Did some more tests for different resulting C-Gear seeds, pressing at the exact same delay. Not the same ΔD/ΔF. So if there is any calculation done as to how fast, it's not consistent across all times/seeds. It did however stick to within 10H delay of each one, so all seeds would probably have the same approximate rate of advancement.

For my first test, it advanced on average every 68H, being 104.667, thus every 1.7333 seconds.
 

Kaphotics

Going to confirm a method to verify if you got a shiny roamer or not.

Done, shiny roamer verification method confirmed to be correct!



After encountering your roamer via the event with the old lady, open up your PokeDex.
If it is a shiny sprite, it is shiny. If it isn't, it isn't.

Black - 0223D52C
White - 0223D538
 
Date Rollover
When I decided to RNG Ho-oh, I let the date roll over. My frame had advanced by 2. I don't know if the advancement will be consistent or not.
This screwed up my results too many times with Raikou. When I was RNG Abusing my Raikou, I let the date rollover to get Buena's Password to stop playing. All 4 attempts had the frame advance by 2. It seems pretty consistent to me.
 

Kaphotics

There is also another type rollover advance during regular playtime, each time doing +1.

I'd be RNGing something in HGSS without calls/radio, and I'd use the NPCs and walking to advance the frame. Instead of walking I would "time warp" to another time, usually +1 hour did the trick. I would then advance 1 frame. Repeatable, and it didn't work when going back in time obviously. Mind you this was on an emulator, I'm too lazy to wait on a DS :) Never figured out what triggered it (never debugged).
 

Kaphotics

Mystery Gift (Blue Man) IV RNG:

It's not based on the MTRNG to create IVs. It is instead reliant on the SEED1/SEED2 combination. Freezing both of these and receiving gifts yields the same IVs, but different PIDs depending on the gender, which wasn't all one gender for 5 mons grabbed.

Code:
Test 1: Frozen SEED1 | SEED2 (451E2B75 | 0C325BE2)
D31AA193 Calm Male   (26/15/20/18/6/18)
9410760B Calm Female (26/15/20/18/6/18)
D31AA193 Calm Male   (26/15/20/18/6/18)
9410760B Calm Female (26/15/20/18/6/18)
D31AA193 Calm Male   (26/15/20/18/6/18)       speed IV last for all mons
that's all for now.


No MTIVRNG for Mystery Gift Pokemon. It doesn't mean they aren't abuseable, just not with our currently known methods.
 

ΩDonut

This was worth overhauling the Researcher window. Wondercard IV generation:

Frame 1 -- initial RNG value
...
...
...
Frame 23 -- (upper 32 bits of RNG) >> 27 = HP IV
Frame 24 -- (upper 32 bits of RNG) >> 27 = Attack IV
Frame 25 -- (upper 32 bits of RNG) >> 27 = Defense IV
Frame 26 -- (upper 32 bits of RNG) >> 27 = SpAttk IV
Frame 27 -- (upper 32 bits of RNG) >> 27 = SpDef IV
Frame 28 -- (upper 32 bits of RNG) >> 27 = Speed IV
...
Frame 31 -- (upper 32 bits of RNG) ^ 0x10000 = PID (probably changes depending on the shiny check, or to maintain a certain gender value)
Frame 33 -- ending frame, and (upper 32 bits of RNG * 25) >> 32 = nature, using the following table

0 Hardy
1 Lonely
2 Brave
3 Adamant
4 Naughty
5 Bold
6 Docile
7 Relaxed
8 Impish
9 Lax
10 Timid
11 Hasty
12 Serious
13 Jolly
14 Naive
15 Modest
16 Mild
17 Quiet
18 Bashful
19 Rash
20 Calm
21 Gentle
22 Sassy
23 Careful
24 Quirky


Thanks to Rusted Magnemite for info on natures.
 

Kaphotics

yay mystery solved

Going back to the Male/Female issue, the female PID came from the 10th advancement of this frozen seed, upper32bits XOR'd with 0x10000.
Code:
Test 1: Frozen SEED1 | SEED2 (451E2B75 | 0C325BE2)
D31AA193 Calm Male   (26/15/20/18/6/18)
9410760B Calm Female (26/15/20/18/6/18)
D31AA193 Calm Male   (26/15/20/18/6/18)
9410760B Calm Female (26/15/20/18/6/18)
D31AA193 Calm Male   (26/15/20/18/6/18)       speed IV last for all mons
9411760BAD641154 is the 64bit seed for the frame in which it was XOR'd with the usual 0x10000.
9410760B

Now, why on the 10th frame (40th in actual)? Not sure. This won't always generate another female, depending on the seeds. The nature could have just been pure luck to be the same as well.

Still one place that still needs ironing out.
 

Bond697

well, it looks like zorua and zoroark both do the same shiny check as zekrom and reshiram. hitting the same seed with both a shiny and non-shiny TID/SID resulted in different PIDs. the odd thing is that with zoroark the PID was subtracted by 0x10000000 while with zorua the PID had 0x10000000 added to it. odd that they don't both have the same amount added or subtracted, it's different for each.
 
Egg PIDs sadly aren't so simple, there's some kind of shift that increases the amount of frames advanced between talking to the man and receiving the egg and PID.

Tested with Kaphotics on #smogonwifi via PM with PIDRNG to get shiny eggs in Black since Kaphotics' laptop sucks:
Code:
Initial Seeds
SEED: AB57EEB4E3020DA2
Lower: E3020DA2
Upper: AB57EEB4
IDSID Censored
In Daycare: Ditto and Oshawott
Code:
Aiming for 381 - - - Shiny with Musicmeister's IDs. Frame of the seed from Initial and the Seed Values (Lower Upper [Hex] === Lower Upper [Dec])
14          364... F55B231E and EEDFA781 === 4116390686 s1, 4007634817 s2
                Frame 378, Naive   [2DEB15BA]
12          365... 30B88799 and 9847EFB8 ===  817399705 s1, 2554851256 s2
                Frame 377, Adamant [64F49718]
12          366... 3AB3FF20 and 7247E65B ===  984874784 s1, 1917314651 s2
                Frame 378, Lax     [2DEB15BA]
12          367... F6926663 and 91714695 === 4136789603 s1, 2440119957 s2
                Frame 379, Bold    [B318553D]
12          368... 3168FED2 and 20F8C160 ===  828964562 s1,  553173344 s2
                Frame 380, Quirky  [709816B4]
16          369... 3EAF899D and 6312F99E === 1051691421 s1, 1662187934 s2
                Frame 385, Naughty [6E9A1783]
12          370... AB57EEB4 and 35C979C6 === 2874666676 s1, 0902396358 s2
                Frame 382, Modest  [9C84A0B4]
14          371... 1F821FC7 and F98D0E33 ===  528621511 s1, 4186770995 s2
                Frame 385, Modest  [6E9A1783]
12          372... E3EFA746 and 32F04E81 === 3824133958 s1,  854609537 s2
                Frame 384, Calm    [EC364294]
12          373... 49221361 and 9FF8D2F7 === 1226969953 s1, 2683884279 s2
                Frame 385, Rash    [6E9A1783]
12          374... 8A9E2D08 and 9EFE4213 === 2325622024 s1, 2667463187 s2
                Frame 386, Lax     [5A7F530E]
14          375... F1DFAAEB and CE4B285E === 4057967339 s1, 3461032030 s2
                Frame 389, Naughty [EAB7946F]
12          376... F049D07A and C3B8BDD5 === 4031369338 s1, 3283664341 s2
                Frame 388, Quiet   [A536499A]
12          377... 792D28E5 and 64F49719 === 2033002725 s1, 1693751065 s2
                Frame 389, Timid   [EAB7946F]
12          378... B41D4E1C and 2DEB15BB === 3021819420 s1,  770381243 s2
                Frame 390, Impish  [F510028D]

Frame Differences:
14 12 12 12 12 16 12 14 12 12 12 14 12 12 12

trollfreak (edited by Kaphotics... musicmeister did almost all of the work)
Sadly, we didn't get the shiny egg. Will do some more testing tomorrow. @_@
 

Bond697

so.. RNGPID works? at least, as much as it should work right now? that is, finding shiny frames, predicting the next s seeds, outputting PIDs for all the frames based on method.

done.
 
Wild PID Encounters: Trying for Shiny

Code:
Initial Conditions + Notes
SEED: 111BFFCAE76B5F24
SEED1: E76B5F24
SEED2: 111BFFCA
SEEDs Loc:  022160A(4/8)
PID6 Loc: 02234C80
Code:
Aiming for 3050: Scenting on Frame 0 in a cave resulted in Frame 4's PID
3044... 331554D8 and 1D6A5EDD === 857035992 s1, 493510365 s2
        Rockdude frame 3048 [62E8297F], 0x8* XOR
3045... 03E0AFFB and D010F434 === 65056763 s1, 3490772020 s2
        Koromori frame 3049 [17B20FA9], 0x8* XOR
3046... 79D65FCA and FCE9CB02 === 2044092362 s1, 4243180290 s2
          Kibago frame 3050 [f0a60a58], 0x8* XOR
3047... A1838375 and 455FA925 === 2709750645 s1, 1163897125 s2
        Koromori frame 3051 [A823B542], 0x1* XOR
3048... 0E9618EC and E2E9297F === 244717804 s1, 3806931327 s2
        Rockdude frame 3052 [FF9800AC], 0x8* XOR
        
Aiming for 9809: 
9805... A9B107E3 and 2BB03DC1 === 2846951395 s1, 732970433 s2
        Koromori frame 9809, NSy [CF76358A], 0x1* XOR

Aiming for 19112:
19118... F1AAE432 and 4544E35A === 4054508594 s1, 1162142554 s2
        Rockdude frame 19118, Sy [4329B9D3], 0x1* XOR
        
Aiming for 22387:
22383... 40AA4F3D and E75DADD6 === 1084903229 s1, 3881676246 s2
          Kibago frame 22387, [E7EA1D12] 0x8* XOR
    
Aiming for 28301
28297... 6FC3487F and FB9C8E5E === 1875069055 s1, 4221341278 s2
        Rockdude frame 28301, [BA90406C], 0x8* XOR
        
Aiming for  38230
38226... 762EE1C6 and 33CA0FF3 === 1982783942 s1, 868880371 s2
        Koromori frame 38230, [AED6D42A], 0x8* XOR
        Shiny with my IDs!!!!!
        
YOU CAN'T BEST US GAMEFREAK!!! XD
 

Kaphotics

Was browsing the net looking for some infoz, mainly the synchronization check, hmmmmmm

http://ameblo.jp/xyz-wing/day-20101116.html

XYZ Wing + Google Translate said:
SEED: S [n +1] = S [n] * 0x5D588B656C078965 + 0x269EC3
Numbers: r [n] = S [n +1]>> 32
Synchro determined: (r [n]>> 63) = 0x1 (32bit I was standing, sync)
Incidence: (r [n +1]>> 48) / 0x290
Character Values: ① r [n +3] ^ 0x00010000 (Reshiramu is here. Another legend?)
② r [n +3] ^ 0x80010000 (wild: 1bit 32bit and at different times of the value here)
③ r [n +3] ^ 0x10010000 (Reshiramu if it was the wrong color, avoiding over here)
Character value: (r [n +4] * 0x19)>> 32 (if synchronized, to promote the desired character?)
Kaphotics' Ghetto Translation said:
SEED: S [n +1] = S [n] * 0x5D588B656C078965 + 0x269EC3 === RNG Algorithm
Numbers: r [n] = S [n +1]>> 32 === Upper 32 bits of RNG, used for XOR decision, sync check too?
Synchro determined: (r [n]>> 63) = 0x1 (32bit I was standing, sync) === Synchronization Check
Incidence: (r [n +1]>> 48) / 0x290 === Encounter Slot Value (0-100)
Character Values: ① r [n +3] ^ 0x00010000 (Reshiramu is here. Another legend?) === Wild PID XOR 1 / Mystery Gift
② r [n +3] ^ 0x80010000 (wild: 1bit 32bit and at different times of the value here) === Wild PID XOR 2 / explanation of the choice (which we know)
③ r [n +3] ^ 0x10010000 (Reshiramu if it was the wrong color, avoiding over here) === Shiny Reshiram/Zekrom XOR
Character value: (r [n +4] * 0x19)>> 32 (if synchronized, to promote the desired character?) === Nature Value
Sync? Incidence = Occurrence/Appearance Rate (encounter slot? more stuff here)

I'll make sense of it tomorrow if it isn't by then :P. Hope it's not wrong!


working on the eggskipping invalid PIDs
 

ΩDonut

Okay, cool. I have Synchronize implemented in RNG Reporter, and if I can just get some info on the encounter rates from veekun, I can implement encounter slots.

The last thing I need to do before release is to figure out how many times the RNG advances between loading the game and when the game starts. The number of advances changes depending on the initial seed, so I need to go look at the code under a debugger.
 

lucariojr

Just a quick question about the PIDRNG reporter- once I have my numbers from the code provided by the app, do I have to convert them somehow, and do I put them in the lower and upper seed boxes?

if the answer is obvious i swear >_>
 

Bond697

PIDRNG is updated now and it lists only the correct PID for wild pokemon each seed. Eggs still list 3, as that method is still undetermined. It also has functionality built in to reverse the RNG if someone needs that for some reason.

Also, all the necessary frame shifting is built in. The egg PIDs listed next to a given seed are +12, +14, and +16 ahead of the current seed, for example.

(credit for this update goes to toastplusone)
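
The recurrence quoted from XYZ Wing, the Wondercard frame list and the RNG reversal mentioned for PIDRNG fit together in a few lines: once one 64-bit state is known, every earlier and later output is determined. This is an added Python example, not code from RNG Reporter, PIDRNG or any poster; the function names and the reading of "Frame 1" as the unadvanced seed are assumptions.

```python
# Added illustration (not thread code): the 64-bit LCG quoted from XYZ Wing.
MASK64 = (1 << 64) - 1
MULT = 0x5D588B656C078965           # multiplier as quoted in the thread
INC = 0x269EC3                      # increment as quoted in the thread
MULT_INV = pow(MULT, -1, 1 << 64)   # MULT is odd, so it is invertible mod 2**64

NATURES = ["Hardy", "Lonely", "Brave", "Adamant", "Naughty", "Bold", "Docile",
           "Relaxed", "Impish", "Lax", "Timid", "Hasty", "Serious", "Jolly",
           "Naive", "Modest", "Mild", "Quiet", "Bashful", "Rash", "Calm",
           "Gentle", "Sassy", "Careful", "Quirky"]


def advance(seed):
    """One forward step: S[n+1] = S[n] * MULT + INC (mod 2**64)."""
    return (seed * MULT + INC) & MASK64


def reverse(seed):
    """One backward step, undoing advance() with the modular inverse."""
    return ((seed - INC) * MULT_INV) & MASK64


def upper32(seed):
    return seed >> 32


def gift_pid(seed):
    """PID rule from the Wondercard post: upper 32 bits XOR 0x10000."""
    return upper32(seed) ^ 0x10000


def egg_pid(seed):
    """PID rule from the breeding notes: (upper 32 bits * 0xFFFFFFFF) >> 32."""
    return (upper32(seed) * 0xFFFFFFFF) >> 32


def nature(seed):
    """Nature rule: (upper 32 bits * 25) >> 32 indexes the 25-entry table."""
    return NATURES[(upper32(seed) * 25) >> 32]


def wondercard(initial):
    """Walk the posted frame list. Assumption: frame 1 is the seed itself,
    so frame k is reached after k - 1 calls to advance()."""
    frames = {1: initial}
    for f in range(2, 34):
        frames[f] = advance(frames[f - 1])
    return {
        "ivs": [upper32(frames[f]) >> 27 for f in range(23, 29)],  # HP..Speed
        "pid": gift_pid(frames[31]),
        "nature": nature(frames[33]),
    }


if __name__ == "__main__":
    s377 = 0x64F49719792D28E5    # frame 377 from the egg test (upper | lower)
    print(f"next state  : {advance(s377):016X}")   # frame 378 in the same table
    print(f"egg PID     : {egg_pid(s377):08X}")
    print(f"round trip  : {reverse(advance(s377)) == s377}")
    # Frozen SEED2 | SEED1 from the Mystery Gift test, used only as sample input.
    print(wondercard(0x0C325BE2451E2B75))
```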
 
Encountering Landlos (not roamer) advances the RNG 4 times to get the PID (wild method). This was the same as my previous test sweet scenting in a cave.
 
Could someone find out how Rock Smash works in HG/SS (chance of finding a Pokémon, encounter slot percentages)? Serebii says it's 90% slot 0 and 10% slot 1, but their fishing percentages appear to be wrong, so I'm not going to trust them on that...

EDIT: Also Headbutt Trees. Do they even have encounter tables?
 

Kaphotics

@Wichu, from when I did my headbutt RNG the shroomish always appeared with the same encounter slot set.

Last night musicmeister and I tested shaking patches and the encounter slots for them to get a shiny Emonga. Slots are not like fishing, surfing, or wilds. Probably like headbutts :)

==

5th Gen Breeding Compendium

Code:
Frame 0    n-1             Initial Seed [Start]
Frame 1    n               IVs From MTRNG Grabbed 
---        if Nidoran/Illumise/Volbeat, a frame is skipped (taking n+1 and shifting everything else +1)
Frame 2    n+1             Species                  (r[n+1] * 2) >>32 
Frame 3    n+2             Nature                   (r[n+2]*0x19) >>32, nature value
---        if Everstone, becomes Frame 4 (r[n+3] * 2) >>32 0 or 1; and all calls are shifted +1
Frame 4    n+3             DW                       (r[n+3] * 5) >>32 > 1, inherit DW
---        if Ditto parent, becomes Frame 5 [n+4] and all calls are shifted +1.  Not sure what is done here.
Frame 5    n+4        m    IV1-Place                r[m]*6>>64, return 0-5 for what IV (HABCDS)
Frame 6    n+5        m+1  IV1-Parent               r[m+1]>>63, return 0/1 for what parent (A=1, B=0)
Frame 7    n+6+2r     m+2  IV2-Place                r[m+2]*6>>64, return 0-5 for what IV (HABCDS)        ...r=rejected frames for 2nd iteration, each rejection is +1 to r value
Frame 8    n+7+2r     m+3  IV2-Parent               r[m+3]>>64, return 0/1 for what parent (A=1, B=0)
Frame 9    n+8+2r+2s  m+4  IV3-Place                r[m+4]*6>>63, return 0-5 for what IV (HABCDS)        ...s=rejected frames for 3rd iteration, each rejection is +1 to s value
Frame 10   n+9+2r+2s  m+5  IV3-Parent               r[m+5]>>64, return 0/1 for what parent (A=1, B=0)
Frame 11   n+10+2r+2s      PID Generated            r[n+10+2r+2s] *FFFFFFFF >>32 = PID
Frame 12   n+11+2r+2s      International PID Sequence      (if PID = notshiny; PID=seed*FFFFFFFF) 5 times [End]
***                Run 5 times if international, else it is a fake calc that has no influence.
For >>32, assume using upper32
For >>6*, assume using full seed
"Rejected": 0-5 value calculated matches one from a previous iteration. 
Discard and repeat calc until it does not match a previous 0-5, thus advancing 2 frames.
No everstone, not international. Everstone has yet to be tested.
Code:
--
Nature calculated
DW passing calculated right after
--
Then IVs: Calculates IV, then Parent
Repeat until 3 different IVs are inherited, same IV results are discarded
Then the PID

Inheritance: 0-5 for positioning, [0/1/2/3/4/5]=[HP/At/De/SA/SD/Sp]
Parent M = 0
Parent F = 1
Code:
Nature: same way as every other method
r[DW] = SEED>>32 *0x64 >>32; if > 40, pass DW

frame skipping: dependent on the IV calculations
r[i] = SEED>>32 *6 >> 32
    Determines what IV inherited (0-5)
r[i+1] = SEED>>32 >> 31 
    Determines what parent passes IV (0 or 1)
    
    If IV = a previous iteration result, repeat step.
Loop back to r[i] until 3 different IVs are inherited.

PID is still SEED >>32 *FFFFFFFF >>32
Illustration test, carried out by xElite and translated from code by Kaphotics and Bond697

For the last test pic, the first (3,1) is the one used, not the last one.

Also, the first one saying >2 for the Hidden Ability calc should be >1
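
The rejection loop in the compendium above is what moves the PID frame: every repeated stat slot burns two more calls before the PID is drawn. An added Python sketch (not from the thread or PIDRNG) following the second listing's formulas, `SEED>>32 * 6 >> 32` for the slot and `SEED>>32 >> 31` for the parent; the names `rng_stream` and `inherit_ivs` are assumptions, and the parent bit is returned raw because the post labels it two different ways.

```python
# Added illustration (not thread code): IV inheritance with rejection.
MASK64 = (1 << 64) - 1
MULT, INC = 0x5D588B656C078965, 0x269EC3   # LCG constants quoted in the thread
STATS = ["HP", "Atk", "Def", "SpA", "SpD", "Spe"]


def rng_stream(seed):
    """Yield the upper 32 bits of the state after each LCG advance."""
    while True:
        seed = (seed * MULT + INC) & MASK64
        yield seed >> 32


def inherit_ivs(calls):
    """Consume 32-bit outputs starting at the first IV-place call (m).

    Returns (picks, calls_used, rejections), where picks is a list of three
    (stat_index, parent_bit) pairs with distinct stat indexes.
    """
    picks = []
    calls_used = 0
    rejections = 0
    while len(picks) < 3:
        slot = (next(calls) * 6) >> 32    # 0-5: which IV is inherited
        parent_bit = next(calls) >> 31    # 0/1: which parent passes it
        calls_used += 2
        if any(slot == taken for taken, _ in picks):
            rejections += 1               # both calls of this pair are discarded
            continue
        picks.append((slot, parent_bit))
    return picks, calls_used, rejections


def describe(picks):
    return [f"{STATS[slot]} from parent bit {bit}" for slot, bit in picks]


if __name__ == "__main__":
    # Constructed outputs: the second pair repeats slot 0 and is rejected.
    constructed = iter([0x00000000, 0x80000000,
                        0x10000000, 0x00000000,
                        0x80000000, 0x00000000,
                        0xFFFFFFFF, 0xFFFFFFFF])
    picks, used, rejected = inherit_ivs(constructed)
    print(describe(picks), "calls:", used, "rejections:", rejected)

    # The same loop driven by the LCG, seeded with the egg test's initial seed.
    picks, used, rejected = inherit_ivs(rng_stream(0xAB57EEB4E3020DA2))
    print(describe(picks), "calls:", used, "rejections:", rejected)
```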
 
In case anyone wants to abuse pokemon that can be caught in shaking grass the frame is advanced by "4" not 1 or 2. It has been consistent for me during the time I was testing. The method used is the same as the method I used for capturing wild pokemon hence called "wild pokemon method" from Bond697's PIDRNG. The encounter slots aren't mapped yet so this was a hit and miss test.

I used this:

Target pokemon: Emonga
Location: Illusion Forest (no NPC distractions)
Seed: 36357FAA 99EC6E26
Upper Seed: 909475754
Lower Seed: 2582408742
Frame: 543,507
 

Bond697

IV abuse in the High Link\Entralink
--------------------------------

This is something I figured out last night and the results were rather nice:

Jolteon #135

Nature: any
Ability: Quick Feet - High Link poke!
Catch location: High Link
31/31/31/31/31/31

Doing this is very similar to hitting one's CGear seed. The way it works is that right before you show up in the High Link (the frame when the screen changes from getting brighter to letting you move in the HL), the MTRNG reseeds. That reseed can be treated exactly as starting up the CGear in terms of hitting your seed.

This is what I did:

-Find a CGear seed I wanted to hit. I used 7E2345BB, delay 4442, frame 30
-Click on the orange part of the CGear and choose "High Link"
-When it says "xxx warped to the High Link", pause the emulator
-Slowly advance frames counting the number of frames and watching for the MTRNG to reseed so you know what you're aiming to hit.
-The point 1 frame before reseed is where you need to get back to.
-You need to hit the right second AND the right delay ON that reseed point.
-Hitting your seed once normally with the CGear and writing down the encrypted seed is a good idea, as you will see the same resultant seed on hitting it when entering the High Link.

Once in the High Link:

Generally, when catching pokemon and abusing the MTRNG frames, you want to be on the first frame you want to use for an IV. In other words, since my frame is 30, I want to be on frame 30 when I get into a fight. The High Link is different. You must get into the "battle" with your desired poke 0x15 IV frames early. If my target frame was 0x1E in the overworld, it would be frame 0x09 in the High Link.

The way I did it was to use an emulator and hit my delay first, leaving it 1 or 2 back 1 frame before reseed. I paused the emulator here and adjusted the Windows clock to 5 seconds before the desired second. Once the second hit I unpaused the emulator and the delay and time advanced just right to cause the CGear to reseed in my favor and hit my desired seed within the High Link.

I suppose that with practice this might be do-able on a normal cart. ZOMGTimer would probably be a huge help.

Anyway, there you go, IV abuse in the High Link. Now we can have great DW pokes in different pokeballs, not just bred in plain pokeballs. Also, competitive Speed Boost Blaziken is now possible among other things (since they're all male).

For the PID/nature, PIDRNG can predict PID and nature might require a few state reloads.
 

mattj

Emulators obviously make things easier and more controllable, but do you think that with enough patience this could be done through trial and error on a normal cart? Just try, try, try, try, try, try, and try again?
 
