Messages - Háčky

1
I don’t think bits 4 and 5 are used for anything. So if you want all the other values to be 0, you could keep 16, 32, or 48 of the item.
2
Emulation & ROM Hacking / Re: Emulating the Mobile Adapter GB
« on: May 15, 2020, 12:34:51 am »
Here’s a post I should have made ages ago. Here’s an overelaborate version of the script I used. Here’s a short video demonstration.

Battle Tower
Overview
Once Mobile Mode is enabled by connecting the Mobile Adapter GB at startup, the Battle Tower is unlocked. Rather than the random opponents featured in the localized versions, the opponents were seven other players’ real parties that were downloaded prior to each Battle Tower challenge. A player could challenge up to five different Battle Rooms each day (according to the in-game clock). After completing a challenge, the player had the option to submit their results and possibly have their team appear in the Battle Room the next day, with the most successful challenger of the day becoming the Room Leader. Once downloaded and challenged, a Battle Room can be fought again, but results cannot be submitted on these repeat attempts. A separate feature allowed players to download a list of the Room Leaders of a particular room, which can be viewed on a monitor in the lobby after downloading.

The mechanics are otherwise the same as the offline Battle Tower in the localized games, except that no prizes are awarded: battles are 3 vs 3, levels above 40 are unlocked after defeating Lance at the Pokémon League, and Mewtwo, Mew, Lugia, Ho-Oh, and Celebi are barred from rooms below level 70.

Index file
When entering a Battle Tower challenge or requesting a list of Room Leaders, the game first downloads http://gameboy.datacenter.ne.jp/cgb/download?name=/01/CGB-BXTJ/battle/index.txt. This file contains four URIs: the first is where the player’s team and score will be submitted at the end of a challenge, the second is a file containing the number of Battle Rooms, the third is a file containing the data for challenging a particular Battle Room, and the fourth is a file containing the list of Room Leaders.

The latter two file names should contain a string of four "X"s, which will be replaced with a zero-padded decimal number corresponding to the requested Battle Room. The values 0001–0010 are used for Room 001 of each Battle Tower level from 10 to 100, 0011–0020 are for Room 002 of each level, and so on. Note that while the concept is the same as for the Egg Ticket redemption, the implementation details are different: there a variable number of "X"s were allowed and the replacement value was hexadecimal.

To charge the fee of ¥10 for each Battle Room challenged, the file name of the challenge data should start with 10, and presumably the game would have to authenticate in order to download it. I previously explored how the game authenticates itself to upload data, but not to download it. With Pokémon News, I had assumed the authentication required for the ¥100 fee would occur when rankings data was uploaded before downloading the News itself, but with the Battle Tower, that can’t be the case, because it only optionally uploads data after the Battle Tower challenge is completed, and the fee wasn’t optional.

The way Nintendo’s mobile library handles uploads and downloads to and from the four different endpoints on gameboy.datacenter.ne.jp (/cgb/download, /cgb/upload, /cgb/utility, and /cgb/ranking) involves a lot of spooky action at a distance that I didn’t have the patience to understand, but based on empirical testing of all four in authenticated and unauthenticated scenarios, I think the intent is that /cgb/download is for unauthenticated downloads, /cgb/upload is for authenticated uploads, /cgb/utility is for authenticated downloads, and /cgb/ranking is for unauthenticated uploads.

If /cgb/download is used to download and the server demands authentication, the game will give authentication, receive the file, but then make an extra POST request with no Content-Length header, and rage-quit when the server tells it that’s no good. In contrast, /cgb/utility works as expected when authentication is required. (They both work the same when authentication is not required.)

If /cgb/ranking is used to upload and the server demands authentication, the game will make a POST request that gives authentication and uploads the file at the same time, then make another POST request with Content-Length: 0. In contrast, /cgb/upload sends the authentication in a GET request, then POSTs the file with its Gb-Auth-ID. (Again, they both work the same when authentication is not required. If authentication is required and the file name does not start with a number indicating a fee, they both return error 32-401 instead of attempting authentication.)

Now, something called “ranking” being unauthenticated sounds like a bad idea to me, but I would speculate that the reason behind it is that authentication of the DION account was only for the purpose of charging a content fee, and was not available to the game developers as a method of identifying their players. There wouldn’t be any additional charge (beyond the call charge) for submitting a score for a ranking, so it would use the unauthenticated /cgb/ranking. If this is correct, Pokémon News would have used /cgb/ranking for its uploads (and their file names wouldn’t need a fee prefix) and /cgb/utility for the main News download (prefixed with 100). Likewise, the Battle Room challenge download would use /cgb/utility and the score submission would use /cgb/ranking.

Number of Battle Rooms
Whether entering a Battle Tower challenge or requesting a list of Room Leaders, the first thing the game does after downloading index.txt is to ask how many Battle Rooms there are. This file must be exactly two bytes long. The total number of Battle Rooms across all levels is encoded as a 16-bit big-endian integer. This number should be a multiple of 10, as it will be divided by 10 to determine the number of Rooms at each of the ten levels. Perplexingly, the game attempts to validate this file by taking the bitwise-or of the two bytes and checking that it’s not less than 10. This will fail if the number is, for example, 260 (hex 01 04).

I haven’t seen any official documentation that mentions the number of Battle Rooms, but based on Kakeru’s Battle Tower after-action reports, we can infer that, at least in the latter months of the Battle Tower’s operation, there were 20 at each level and the actual content of this file was 00 C8.

Room Leader list
These files (one for each Battle Room) must be exactly 150 bytes long. They contain 30 trainer names, each 5 bytes long. If the first byte of a name slot is $00, the name will be displayed as ーーーーー. Once downloaded, the list may be viewed on the monitor next to the attendant at any time. It appears as ten rows of three names, with scrolling required to view each row below the first six.

Battle Room challenge data
These files (one for each Battle Room) must be exactly 1428 bytes long. They contain seven 204-byte structures describing the Room’s trainers. The order that the trainers appear in the file is the reverse of the order that they will be battled, so the first entry in the file is the Room Leader.

| Offset | Length | Description |
|---|---|---|
| $00 | 5 | Trainer name |
| $05 | 1 | Trainer class |
| $06 | 54 | Pokémon 1 data |
| $3C | 54 | Pokémon 2 data |
| $72 | 54 | Pokémon 3 data |
| $AE | 12 | Message before battle |
| $BA | 12 | Message after this trainer defeats (or draws?) the player |
| $C6 | 12 | Message after the player defeats this trainer |

The Pokémon data is the standard 48-byte structure followed by 6 bytes for the nickname. (The OT name is not included. There’s no good reason the 48-byte structure was used rather than the 32-byte PC structure; the current HP and stats are all recalculated anyway. The one thing that’s not recalculated is the status condition, but a Pokémon can’t legitimately have a status condition when it’s uploaded to the Battle Tower.) The three messages consist of six two-byte “easy chat” words.

The game runs several sanity checks on each trainer:
  • If any of the easy chat words have invalid values, all of the trainer’s messages are replaced by the defaults:
Quote
かくご いい ? さあ いくよ !
やったー かった ! うれしい !!
うう くやしい …! こんど こそ かつ
  • If the trainer class is invalid ($00 or $44–FF), it’s replaced with Youngster. (Leader, Rival, Pokémon Prof., Elite Four, Pkmn Trainer, Champion, Rocket, Twins, and Mysticalman are allowed, even though they probably shouldn’t be.)
  • If a Pokémon’s species is invalid ($00 or $FC–FF), it’s replaced with Smeargle.
  • If a Pokémon’s level is less than 2, it’s raised to level 2. If it’s greater than the maximum level of this Battle Tower challenge, it’s reduced to the maximum level.
  • If a Pokémon’s first move is blank or invalid ($FC–FF), it’s replaced with Pound and the remaining move slots are cleared. If its second, third, or fourth move is invalid, that move slot is cleared.
  • As mentioned before, all Pokémon’s stats are recalculated.
  • If a Pokémon’s nickname contains invalid characters ($01–04, $14–18, $1D–25, $35–39, $3F, $49–5F), it’s renamed to its species name. (The set of accepted characters still includes many characters that are unavailable on the nickname screen.) In any case, the sixth character of the name is overwritten with the termination byte $50.
  • Then the Pokémon’s moves are checked again, apparently forgetting that this was already done. If the Pokémon’s first move were somehow still invalid (but not if it were blank) at this point, it would be replaced by Pound without clearing the rest of the move set. If its second, third, or fourth move is blank or invalid, then it and the subsequent slots are cleared. The net effect of these two checks is that blank or invalid moves and all moves that follow them are cleared, and if a Pokémon’s first move is blank or invalid, it will only know Pound.
  • If the trainer’s name contains invalid characters (using the same list as for Pokémon nicknames), it becomes クリス (Chris/Kris).
Score submission
After completing the Battle Tower challenge, the player is given the option to submit their party and score. If they defeated all seven trainers, they are informed that they may become the Room Leader. The uploaded file is 246 bytes:

| Offset | Length | Description |
|---|---|---|
| $00 | 2 | Room number (big-endian, e.g., 00 0A for level 100 Room 001) |
| $02 | 30 | E-mail address (read from Mobile Adapter GB) |
| $20 | 4 | Trainer ID / secret ID |
| $24 | 204 | Trainer data (in the same format as the download) |
| $F0 | 1 | Number of trainers defeated |
| $F1 | 2 | Number of turns taken (big-endian) xor $FFFF |
| $F3 | 2 | Total damage taken (counted at end of each battle, big-endian) xor $FFFF |
| $F5 | 1 | Number of fainted Pokémon (counted at end of each battle) xor $FF |

The player’s trainer class is chosen based on their gender and trainer ID. The two bytes of the trainer ID are xor’d and the result is used to select from a list of male or female trainer classes. Because of the peculiar algorithm used, some classes are much more likely than others:

| Value | Male class | Female class |
|---|---|---|
| 00 | Burglar | Medium |
| 01–07 | Youngster | Lass |
| 08–0F | Schoolboy | Lass |
| 10–17 | Bird Keeper | Beauty |
| 18–1F | Pokémaniac | Beauty |
| 20–27 | Gentleman | Skier |
| 28–2F | Bug Catcher | Skier |
| 30–37 | Fisher | Teacher |
| 38–3F | Swimmer♂ | Teacher |
| 40–47 | Sailor | Swimmer♀ |
| 48–4F | Super Nerd | Swimmer♀ |
| 50–57 | Guitarist | Picnicker |
| 58–5F | Hiker | Picnicker |
| 60–67 | Firebreather | Kimono Girl |
| 68–6F | Blackbelt | Kimono Girl |
| 70–77 | Psychic | Pokéfan |
| 78–7F | Camper | Pokéfan |
| 80–87 | Cooltrainer | Cooltrainer |
| 88–8F | Boarder | Cooltrainer |
| 90–97 | Juggler | Swimmer♀ |
| 98–9F | Pokéfan | Swimmer♀ |
| A0–A7 | Officer | Picnicker |
| A8–AF | Sage | Picnicker |
| B0–B7 | Biker | Picnicker |
| B8–BF | Scientist | Picnicker |
| C0–CF | Firebreather | Kimono Girl |
| D0–DF | Blackbelt | Kimono Girl |
| E0–EF | Psychic | Pokéfan |
| F0–FF | Camper | Pokéfan |

The last six bytes of the upload are the criteria used to rank trainers to determine the Room Leader, as listed on page 32 of the Pocket Monsters: Crystal Version: Mobile Guide. The order and format of these values allow a simple byte-for-byte comparison to determine the ranking. (A perfect run, in which all trainers were defeated in 3 turns with no damage taken, would result in the highest possible value of 07 FF EA FF FF FF.)

How were trainers chosen for the next day’s Battle Rooms?
It is clear from the Mobile Guide that the trainers in each Battle Room were reset each day, and that the player with seven wins in that Room who submitted the highest score (based on turns, damage, and faints) became the next day’s Room Leader. It is not as clear when this reset occurred (midnight?), how two or more trainers with the same score were separated (time of submission?), what happened if no one submitted a seven-win score (logically, I would expect the existing Room Leader to remain?), or how the other trainers in the room were chosen. Page 33 of the Mobile Guide does have some mention of how the Room’s first trainer (who would be seventh in the data file) is selected:

Quote
ただし、翌日の1人目のトレーナーは成績にかかわらず、登録した人の中から選ばれます。
However, the next day’s first trainer will be selected from among the people who submitted, irrespective of their score.

This implies that this slot was chosen differently from the other six, although nowhere is it explicitly stated how slots 2–6 were chosen.

If I had to guess how it actually worked, I would say that all entries were sorted by score, and the top six and a seventh chosen at random constituted the next day’s Battle Room. (If this were the case, having seven wins wouldn’t technically be required to become Room Leader, as long as no one else had seven wins either.)

Battle Tower data in the localized ROMs
Because the Battle Tower was modified for offline use in the localized games, they contain pertinent data that is not present in the Japanese version. By reexamining this data with the Japanese version’s mechanics in mind, a few new observations can be made.

The file currently named data/battle_tower/unknown.asm in pokecrystal contains Japanese easy-chat messages for 70 trainers. Here they are converted to text. This data appears in all versions except the Japanese version, despite it having no use in those versions. The localized games instead give Battle Tower trainers a random selection from 40 sets of messages written as regular text scripts.

It is well-known that there are 70 trainer names and classes that are randomly selected for the offline Battle Tower (by mistake, only 21 of them are used in the 1.0 English ROM), and 21 Pokémon for each level that are also randomly selected.

There is no apparent relation between this list of trainers and this list of Pokémon, except that the number of Pokémon happens to be three times the number of trainers. However, a close examination of the easy-chat messages reveals that they correlate with both the trainer list and the Pokémon list, implying these were designed as 70 individual trainers, each with their own three Pokémon, rather than a mix-and-match buffet. (Of course, the three Pokémon still don’t relate to the trainer’s class in the way that normal in-game rosters do; that wouldn’t make a very good Battle Tower.)

Some easy-chat messages refer to specific Pokémon that appear in the corresponding position in the party list. For example, the first group of three messages are all about evolution, and the first party of three Pokémon is Jolteon, Espeon, and Umbreon. The second group of messages are all about Wobbuffet, and the second party’s first Pokémon is a Wobbuffet. The forty-sixth group of messages refer to Umbreon, Gyarados, and Quagsire, and the forty-sixth party contains those Pokémon in that exact order.

I’m no expert in the nuances of Japanese speech, but it appears to me that the style in which different trainers’ messages are written matches the trainer class in the corresponding position in the names list; for example, Youngsters speak like young boys. To pick out one obvious case, the forty-fourth trainer is Gentleman Hatcher, and the forty-fourth group of messages have him calling himself おじさん old man.

There is one further subtle hint that the order of the trainer names list is quite deliberate. If these seventy trainers correspond to ten Battle Rooms, one for each level, and the trainers in each Room are ordered as the Japanese Battle Tower expects, with the Room Leader first, then the place of highest honor, the Room Leader at level 100, should be the sixty-fourth position (the first one in the last group of seven). The sixty-fourth trainer name is Bug Catcher Tajiri.

The part in which I cite with a straight face some idle speculation on some random person’s blog 17½ years ago
It is reasonable to assume that, before it was repurposed for the offline Battle Tower, a version of this data (with Japanese names for the trainers, which don’t appear in any of the ROMs) was used to initialize the Battle Rooms, whether only during testing or also at the Mobile System GB’s public launch. There is one piece of evidence, found in Kakeru’s after-action report of a level 20 Battle Tower challenge on October 6, 2002, that this data was used even after the public launch:

Quote
暴走族のえのもとが、水鉄砲ヌオーという人を食ったポケモンを使用。
そういえば「えのもと」の名はどこかで聞いたことがあるので調べてみると、
任天堂HPのバトルタワー体験記にも登場している。任天堂が用意したトレーナーか?
不正トレーナーが置き換えられたのだろうか?謎である。
おかげで楽に勝ち星を稼ぐことが出来た。この勢いでルーム7クリア!初の7人抜き!

Against Biker Enomoto, the Pokémon I’m using devoured a Water Gun Quagsire.
Come to think of it, I’ve heard the name “Enomoto” somewhere, so I tried looking it up, and…
It also appears in the Nintendo website’s Battle Tower hands-on preview. Is it a trainer Nintendo prepared?
I wonder if an illegal trainer might have been replaced? It’s a mystery.
Thanks to that, I was able to record a comfortable win. With this momentum, I cleared Room 7! First seven-win streak!

Two days later, he mentioned encountering Biker Enomoto in two more level 20 Battle Rooms. In the linked article, from the January 2001 issue of Nintendo Online Magazine promoting the launch of the Mobile System GB, the writer also mentions entering a level 20 Battle Room and facing a Biker Enomoto.

The data for the offline Battle Tower includes a Biker, whose English name is Erickson, in the fourteenth position, which would make him the first trainer of the level 20 Battle Room. His corresponding party’s last Pokémon is a Quagsire. What do you want to bet that Erickson’s Japanese name was Enomoto?

There is one discrepancy between Kakeru’s account and the localized ROM data: the move set for Biker Erickson’s Quagsire is Amnesia, Earthquake, Surf, and Rain Dance, but Kakeru mentions Water Gun. But I think there’s a reason for that: Quagsire cannot legally know Amnesia until level 21. According to the Pokémon Battle Historia, the Battle Tower originally didn’t check for illegal moves, but this changed in early March 2001 after widespread abuse. (It still didn’t check for illegal move sets, according to Kakeru, who complained of a Blastoise knowing both Counter and Mirror Coat.) It is plausible that these stock Pokémon had to be altered to pass the legality check themselves, perhaps by giving them their default level-up moves, which for a level 20 Quagsire would be Water Gun, Tail Whip, and Slam.

I don’t think it’s necessarily the case that Biker Enomoto was inserted into the Battle Room in place of an illegal submission. (Perhaps illegal submissions were handled in the same way as Game Freak’s own illegal Quagsire?) It could simply be that the default trainers were used to fill Battle Rooms where fewer than seven scores were submitted the previous day.



^ I know this is an old post, but does the code to actually load Pokémon News remain in English Crystal? What measures would need to be done to bypass the checksum/could you bypass the check with Game Genie codes? I'm wondering if we could use this to make our own minigames with arbitrary code execution. Like instead of the normal quizzes, theme one around glitch Pokémon.
I think the main problem with loading Pokémon News in the English version would be that it’s expecting the data to be saved in an SRAM bank that doesn’t exist. (For anyone who doesn’t know, the Japanese Crystal cartridge has 8 banks [64 KiB] of SRAM, while every other GB/GBC Pokémon game has 4 banks [32 KiB]. Pokémon News is saved in bank 6.) The English version has a check in GetSRAMBank that closes SRAM whenever leftover mobile code tries to access an invalid bank.

inb4 Mobile Adapter spoofing is an ACE vector
(funnily enough, we could send the vector AND THEN AN ENTIRE PAYLOAD as well from the server if this is indeed an ACE vector.)
I did suggest that it could be done with a corrupt Pokémon News metadata file ;)
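
The Battle Tower file formats from the post above (the two-byte room count, the four-"X" room numbering and the 246-byte score submission), worked through in Python as an added example; it is not the author's script or the original server's code. The template file name, the sample values and the two server-side checks are constructed assumptions.

```python
import struct

SUBMISSION_LEN = 246          # size of the uploaded score file
LEVELS = range(10, 101, 10)   # Battle Tower levels 10, 20, ..., 100


def room_count_ok_as_described(data):
    """The check the post attributes to the game: OR the two bytes, require >= 10."""
    return len(data) == 2 and (data[0] | data[1]) >= 10


def room_count_ok_strict(data):
    """What the file is meant to hold: a 16-bit big-endian multiple of 10."""
    if len(data) != 2:
        return False
    total = int.from_bytes(data, "big")
    return total >= 10 and total % 10 == 0


def room_file_number(level, room):
    """0001-0010 are Room 001 at levels 10-100, 0011-0020 are Room 002, ..."""
    if level not in LEVELS or room < 1:
        raise ValueError("level must be 10..100 in steps of 10 and room >= 1")
    return (room - 1) * 10 + level // 10


def fill_template(template, level, room):
    """Replace the run of four X's with the zero-padded decimal room number."""
    if template.count("XXXX") != 1:
        raise ValueError("template must contain exactly one run of four X's")
    return template.replace("XXXX", "%04d" % room_file_number(level, room))


def rank_key(defeated, turns, damage, fainted):
    """Last six bytes of the upload; a larger byte string ranks higher."""
    return struct.pack(">BHHB", defeated, turns ^ 0xFFFF,
                       damage ^ 0xFFFF, fainted ^ 0xFF)


def build_submission(room_number, email, trainer_id, trainer,
                     defeated, turns, damage, fainted):
    """Assemble a submission following the offset table in the post."""
    if len(email) > 30 or len(trainer_id) != 4 or len(trainer) != 204:
        raise ValueError("field has the wrong size")
    head = struct.pack(">H30s4s204s", room_number, email, trainer_id, trainer)
    return head + rank_key(defeated, turns, damage, fainted)


def parse_submission(blob):
    """Split a 246-byte submission into its fields and undo the xor masks."""
    if len(blob) != SUBMISSION_LEN:
        raise ValueError("submission must be exactly 246 bytes")
    (number,) = struct.unpack_from(">H", blob, 0x00)
    key = blob[0xF0:0xF6]
    defeated, turns_x, damage_x, fainted_x = struct.unpack(">BHHB", key)
    return {
        "room_number": number,
        "room": (number - 1) // 10 + 1 if number else 0,
        "level": ((number - 1) % 10 + 1) * 10 if number else 0,
        "email": blob[0x02:0x20].rstrip(b"\x00"),
        "trainer_id": blob[0x20:0x24],
        "trainer": blob[0x24:0xF0],
        "rank_key": key,
        "defeated": defeated,
        "turns": turns_x ^ 0xFFFF,
        "damage": damage_x ^ 0xFFFF,
        "fainted": fainted_x ^ 0xFF,
    }


def server_side_problems(sub, total_rooms):
    """Assumed minimal checks a server could make before trusting an upload."""
    problems = []
    if not 1 <= sub["room_number"] <= total_rooms:
        problems.append("room number outside the advertised range")
    if sub["defeated"] > 7:
        problems.append("more than seven trainers defeated")
    return problems


def pick_leader(subs):
    """Seven-win submission with the highest key; ties keep the earliest entry."""
    winners = [s for s in subs if s["defeated"] == 7]
    return max(winners, key=lambda s: s["rank_key"]) if winners else None


if __name__ == "__main__":
    for raw in (b"\x00\xc8", b"\x01\x04", b"\x00\x0b"):   # 200, 260, 11
        print(raw.hex(), room_count_ok_as_described(raw), room_count_ok_strict(raw))
    # "10room_XXXX.bin" is a hypothetical file name with the fee prefix 10
    print(fill_template("10room_XXXX.bin", 100, 1))
    print(rank_key(7, 21, 0, 0).hex())                    # the perfect run
```
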
3
The function PokeBallEffect sets wWildMon to the value of wEnemyMonSpecies when a Pokémon is caught (either because the catch rate check succeeds, the battle is the Dude’s tutorial, or a Master Ball was used), and to 0 when a ball fails to catch the Pokémon. If the species is number 0, wWildMon will be 0, just as if the ball failed.
4
With a Nintendo DS that has the GBA slot and a DS flash cart, you can use GBA Backup Tool.
5
There are no item checks for Generation II trades. Even the unused items corresponding to Generation I Pokémon’s catch rates, which are converted by the Time Capsule into different items, are not altered when traded from another Generation II game.
6
Pokémon Discussion / Re: Crystal: Unused party sanitisation function
« on: October 04, 2017, 04:04:15 pm »
Wait, does the game really spell out 「クりス」? That's an awkward combination of hiragana and katakana. And oops for not terminating that 「?????」 :P

The Generation I and II games use the same character ($D8) for リ and り (likewise with $CD for ヘ and へ); the disassemblies treat it as the hiragana by default.
7
Pokémon Discussion / Re: Crystal: Unused party sanitisation function
« on: October 03, 2017, 11:52:59 pm »
The unused occurrence and first used occurrence are in Battle Tower code, sanitising Battle Tower Pokémon after they are read. (The unused occurrence seems to have just been dummied out, as it is directly after the used code ends.)

This code sanitises Pokémon nicknames, replaces any OT name with bad characters with "CHRIS" (only one terminator this time), makes sure all nicknames and the OT name are terminated, and sanitises invalid moves in the same way as detailed in the OP (except here, move $00 is never considered invalid).

The unused half of this function replaces invalid Pokémon species ($FD being considered invalid) with Smeargle ($EB). Instead of a simple greater-than-or-equal check, it checks for equality against each invalid species value in turn. Pokémon levels are also checked, but the maximum level instead of being hardcoded is taken from SRAM at 5:B2FB.

Both of these checks are applied to Battle Tower opponents in the Japanese version. 5:B2FB is the chosen level of the Battle Tower challenge. Oddly, move sets are sanitized twice using slightly different criteria, the difference being that ValidateBTParty checks if the first move slot is empty and fills it with Pound if it is, while CheckBTMonMovesForErrors, called from ReadBTTrainerParty, erases any moves following an invalid or empty second or third slot. The cumulative effect seems to be identical to the unused move check in bank 4.

It seems Game Freak relied solely on this client-side validation at first; the Pokémon Battle Historia reports that Pokémon with illegal move sets were found in level 100 Battle Rooms in February 2001, until some server-side checks were introduced in early March. But even in late 2002, Kakeru complained of encountering Blastoise which knew both Counter and Mirror Coat (it can learn Mirror Coat as an Egg move, and Counter using the Generation I TM, but a Pokémon with Mirror Coat can’t be traded through the Time Capsule).

The last occurrence is inside mobile-related code. Every single string (nickname, OT, mail, mail author) is checked for invalid bytes and termination (where the terminator is $4E for some reason) within the correct length, by bankswitched calls. If one of these checks fails, the offending string is replaced with a default string by a bankswitched call.

I think this one is for Pokémon received from the Trade Corner.
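
The two move checks discussed in this post and in the Battle Tower write-up above, modelled in Python as an added example; it is not the game's code or the disassembly. The pass functions follow the prose descriptions, `POUND = $01` is the Generation II move index, and the sample Pokémon are constructed.

```python
from itertools import product

BLANK = 0x00
POUND = 0x01       # move index 1 in Generation II
SMEARGLE = 0xEB    # replacement species named in the thread


def move_invalid(move):
    """Moves $FC-$FF are out of range; $00 is 'blank', handled separately."""
    return move >= 0xFC


def species_invalid(species):
    """Species $00 or $FC-$FF, as listed in the Battle Tower write-up."""
    return species == 0x00 or species >= 0xFC


def first_pass(moves):
    """First check: a bad first move leaves only Pound; later invalid slots are blanked."""
    m = list(moves)
    if m[0] == BLANK or move_invalid(m[0]):
        return [POUND, BLANK, BLANK, BLANK]
    for i in (1, 2, 3):
        if move_invalid(m[i]):
            m[i] = BLANK
    return m


def second_pass(moves):
    """Second check: invalid (not blank) first move becomes Pound without clearing;
    a blank or invalid later slot clears itself and everything after it."""
    m = list(moves)
    if move_invalid(m[0]):
        m[0] = POUND
    for i in (1, 2, 3):
        if m[i] == BLANK or move_invalid(m[i]):
            m[i:] = [BLANK] * (4 - i)
            break
    return m


def net_effect(moves):
    """The combined rule stated in the write-up, written directly."""
    if moves[0] == BLANK or move_invalid(moves[0]):
        return [POUND, BLANK, BLANK, BLANK]
    kept = []
    for move in moves:
        if move == BLANK or move_invalid(move):
            break
        kept.append(move)
    return kept + [BLANK] * (4 - len(kept))


def sanitize_mon(species, level, moves, max_level):
    """Species, level and move checks applied to one downloaded Pokémon."""
    if species_invalid(species):
        species = SMEARGLE
    level = min(max(level, 2), max_level)
    return species, level, second_pass(first_pass(moves))


def passes_match_net_effect():
    """Compare both passes against the stated net effect over boundary values."""
    samples = (0x00, 0x01, 0x39, 0xFB, 0xFC, 0xFF)
    return all(second_pass(first_pass(m)) == net_effect(m)
               for m in product(samples, repeat=4))


if __name__ == "__main__":
    print(passes_match_net_effect())
    # Constructed garbage record: everything is replaced or clamped.
    print(sanitize_mon(0x00, 1, [0xFF, 0x39, 0x00, 0x00], 20))
    # Constructed level-50 Quagsire ($C3) with Amnesia, Earthquake, Surf, Rain Dance
    # in a level 20 room: only the level changes, because these checks test ID
    # ranges and never ask whether the species can know the move at that level.
    print(sanitize_mon(0xC3, 50, [0x85, 0x59, 0x39, 0xF0], 20))
```
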
8
Quote from: DMGAAUP0.J56
;-----111111111111111144444444444444----0xc902 no ..............Mem Write: pc32 = 0xcc46a addr = 0xc902 value = 0xd                             
;                                                                                                                                               
;PC:51-4461=FA 000CC461  LY:006 AF:0080 BC:E401 DE:0001 HL:C900 SP:DFAB                                                                         
;PC:51-4464=FE 000CC464  LY:006 AF:0080 BC:E401 DE:0001 HL:C900 SP:DFAB                                                                         
;PC:51-4466=D0 000CC466  LY:006 AF:0070 BC:E401 DE:0001 HL:C900 SP:DFAB                                                                         
;PC:51-4467=CD 000CC467  LY:006 AF:0070 BC:E401 DE:0001 HL:C900 SP:DFAB -----  happend only once while the explosive animation begin.           
;000cc471h: FA 19 CA FE                                   
 
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf7e value = 0x8f
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf7f value = 0x91
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf80 value = 0x84
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf81 value = 0x92
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf82 value = 0x84
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf83 value = 0x8d
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf84 value = 0x93
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf85 value = 0x50

DMGAAUP0 seems to be one of the English Golds. Interestingly CF7E-CF85 is a string buffer and this appears to be to do with the string "PRESENT" (8F 91 84 92 84 8D 93 50).

The only Present oddities I know are the Present damage glitch and this little text glitch:


That’s for blurring/dimming the move animation, which includes rapid flashing. I don’t see any indication of either glitch being fixed.
9
Generation II Glitch Discussion / Re: G/S/C glitch discussion
« on: September 21, 2017, 12:33:21 pm »
when trading from gen 2 to 1 using johto guard, do the type bytes of the pokemon stay the same, or are they set to whatever type the gen 1 equivalent is?

ie: use johto guard to trade lugia to gen 1, is it still psychic/flying type?

Yes. When converting the Pokémon to Generation I format, the Generation II game looks up its types from its own data. (An exception is made for Magnemite and Magneton.) This also means the resulting glitch Pokémon can be traded back to Generation II and become a Lugia again, since the type data is used to check whether a Pokémon is “abnormal”.
10
Quote from: CGBBXTJ0.534.patch
Code:
;0004e433h: A5 01 00 00 FF 00 FF 00 FF 00 FF 00 FF 00 FF 00 ; ?........
;0004e443h: FF 00 FF 00 FF 00 FF 00 FF 10 00 00 FF 00 FF 00 ; .........
                                                                                                                           
;                                                                                                                           
;00023a9fh: C0 01 00 00 FF 00 FF 00 FF 00 FF 00 FF 10 00 00 ; ?.........                                               
;00023aafh: FF 01 00 00 0A 10 00 00 0A 01 00 00 FF 00 FF 00 ; .............                                             
;                                                                                                                           
;change to below                                                                                                           
;                                                                                                                           
;00023a9fh: FF 00 E0 01 00 00 FF 00 FF 10 00 00 FF 01 00 00 ; .?.........                                               
;00023aafh: 0A 10 00 00 0A 01 00 FF FF 00 FF 00 FF 00 FF 00 ; ...........                                             
;                                                                                                                           
                                                                                                                           
                                                                                                                           
[teaching movie]                                                                                                           
Mode = 1                                                                                                                   
Address = 0x4e433                                                                                                       
Fixcode = a32:FF 00 E0 01 00 00 FF 00 FF 10 00 00 FF 01 00 00 0A 10 00 00 0A 01 00 FF FF 00 FF 00 FF 00 FF 00               

As SatoMew pointed out to me once, there’s a minor issue in Japanese Crystal (but not Gold and Silver, I thought?) with an unusually long delay during the Dude’s catching tutorial. This patch is applied in all Japanese versions; $2ea9f is the address in Gold and Silver while $4e433 is the Crystal equivalent. I never found out what caused the delay, so I don’t know if this fixes it.
11
(It assumes that the Pokémon available using the Egg Ticket were the same ones, with the same probabilities, as in the English version’s Odd Egg event; I don’t know for sure that this assumption is correct.)
From (ECCH) Bulbapedia:
Quote
In the Japanese version of Pokémon Crystal, there is a 50% chance the hatched Pokémon will be Shiny (IVs 2/10/10/10) and a 50% chance it will not (IVs 0/0/0/0).
In the international versions of Pokémon Crystal, there is a 14% chance the hatched Pokémon will be Shiny (IVs 2/10/10/10) and an 86% chance it will not (IVs 0/0/0/0), but the chance of any particular Pokémon species hatching from the Egg and the chance of any given species being Shiny are not uniform.

Bulbapedia originally said that the Odd Egg had a 50% chance of being shiny in all versions, then that it was 50% for the Japanese event but 12.5% in the English version, then reverted back to 50% for all versions until someone finally came up with the correct 14% figure from the localizations. I have no reason to believe that the 50% figure is anything more than someone’s guess that’s been propagated as fact.
12
Editing the save file won’t help because the Egg Ticket event is not in the game. There is nothing in the Japanese ROM that defines which Pokémon you can receive from it or what their chance of being shiny is. The only way to redeem the Egg Ticket is to connect to an emulated Mobile System GB with an emulated Mobile Adapter GB in order to download a file which contains the Pokémon’s data. The proof-of-concept Python script I wrote last year links to BGB and emulates enough of the Mobile Adapter GB and Mobile System GB to allow the Egg Ticket to be redeemed. (It assumes that the Pokémon available using the Egg Ticket were the same ones, with the same probabilities, as in the English version’s Odd Egg event; I don’t know for sure that this assumption is correct.)
13
Emulation & ROM Hacking / Re: Emulating the Mobile Adapter GB
« on: August 15, 2017, 09:38:22 pm »
Okay, “tomorrow” was two days ago, but I have this silly, old-fashioned obsession with factual accuracy and needed to recheck a bunch of things. I guess it would be easier if I posted more often… :)

Question: If we connect to a server from a client, but it's over Dial-Up, is it still technically considered to be running on an actual adapter and therefore valid in TAS?

I think more research is needed to determine accurate timings for the adapter ;D




HTTP authentication scheme
Nintendo’s mobile library will attempt to authenticate the user with the Mobile System GB server only when a POST request is made for http://gameboy.datacenter.ne.jp/cgb/upload or http://gameboy.datacenter.ne.jp/cgb/ranking, and only if the filename at the end of the URI begins with a number indicating a service fee (even if it’s ¥0).

Even when those conditions are met, the library has a bug that can cause it to fail to detect whether authentication is required:

Code:
; Find the string terminator at the end of the URI
.asm_1112a0
    ld a, [hli]
    or a
    jr nz, .asm_1112a0

; Now back up and find the last slash
; Right now, hl points to the byte *after* the string terminator!
; If that byte happens to be a slash ($2F), this code may
; fail to properly detect whether this is a paid upload.
; There ought to be a “dec hl” here.
.asm_1112a4
    ld a, [hld]
    cp $2f
    jr nz, .asm_1112a4

Since Pokémon Crystal does not erase the last URI in memory before writing the next in a series of requests, it is possible that the residual byte after the string terminator could be a slash if a previous URI was longer than the current one. A careful choice of URIs avoids this issue.

An authentication attempt begins by sending an HTTP GET request, to which the server responds with 401 Unauthorized and a WWW-Authenticate: GB00 name="…" header, where the name is an arbitrary 36-byte value encoded in Base64.

The game then sends another GET request, this time with the header Authorization: GB00 name="…", where the name is a concatenation of two separate Base64-encoded values: the first is the first 32 bytes from the WWW-Authenticate name, and the second is a 36-byte value determined by a byzantine procedure:
  1. The login password is appended to the 48-character Base64-encoded WWW-Authenticate name, and then this string is hashed with MD5.
  2. The 36-byte WWW-Authenticate value is split into two 18-byte values, the first containing all of the even-numbered bits of the original and the second containing all of the odd-numbered bits. The first byte of each two-byte pair fills the most significant bits of each output byte, and the second byte fills the least significant bits. These values are concatenated into a new 36-byte string.
  3. The login ID is appended to the MD5 hash from step 1. This string is padded with $FF until it is 35 bytes long, then a $00 is added to make it 36 bytes.
  4. The 36-byte strings produced in steps 2 and 3 are xor’d.
  5. But that would have been too simple, so then each byte has bits 0, 3, and 6 rotated into bits 3, 6, and 0.
The first step necessitates that the server retains users’ plaintext passwords in order to calculate arbitrary MD5 hashes from them—unless the value in the WWW-Authenticate header is predetermined, which would allow the hash to be precalculated, but would make the rest of this shell game even more pointless as a successful authentication attempt could be replayed.

If the Authorization header is valid, the server responds with 200 OK and a Gb-Auth-ID header which contains an arbitrary string. The game then sends its POST request and includes the same Gb-Auth-ID header.


Pokémon News
A Pokémon News download begins by accessing http://gameboy.datacenter.ne.jp/cgb/download?name=/01/CGB-BXTJ/news/index.txt, a text file containing four URIs which are used to:
  • Download metadata for the current News issue
  • Upload selected data from the save file
  • Upload scores to be added to the rankings, and receive the updated rankings in response
  • Download the current News issue
The cost of Pokémon News was ¥100 per issue. The fourth URI should be tagged with that cost so that it is displayed by the game; the two upload URIs should be tagged with a cost of ¥0 so that the game will authenticate and upload the data.


Metadata
The metadata file is an unstructured hodgepodge of variable-length fields, the boundaries of which can only be determined by parsing each field in its own unique way. In typical Game Freak style, the game makes no effort to validate the data received from the server or protect against buffer overflows. A malformed metadata file can certainly crash the game and corrupt the save file (I’ve done it more than once), and could probably execute arbitrary code.

Unique ID: This is a fixed-width field which, inexplicably, is 12 bytes long. If this ID is the same as the last News that was downloaded, then the download is aborted with the message 「あたらしい ニュースは ありません でした」 There was no new News.

Description: A text string, terminated with $50, that is displayed in the lower text box when the player is asked to confirm whether he or she wants to upload the save data and proceed with the News download.

Rankings save address: This 2-byte field contains the address where the rankings data will be stored in SRAM bank 6. Since the main News data will be written starting at 6:A000, the rankings data should be placed somewhere around 6:B000, such that the News does not overwrite the rankings.

Rankings metadata: This field begins with a 16-bit value denoting the length of the data that follows. The data is a series of 16-bit values, one for each rankings table that will be sent, indicating the width of a record in each rankings table. (For example, if there are 9 different rankings tables and each table contains 26-byte records, this field would be 12 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00.)

Save data selection: This is a list of the regions of save data that will be sent to the server. Each region is specified by four bytes: the first byte is an SRAM bank, the second and third are an address, and the fourth is the number of bytes to send. The end of the list is marked with $FF. The requested data is concatenated and uploaded as a binary file.

Rankings data selection: This specifies the data that will be submitted for the rankings. The rankings data is submitted as key–value pairs in the manner of an HTML form submission, with the values encoded in ASCII hexadecimal. Each key is a string literal (in ASCII?) terminated with $50 (ASCII "P"‽). Each value is specified with a bank number, address, and length in the same manner as the save data upload. The list of key–value pairs is terminated with $50 (i.e., an empty string where the name of the next key would be expected).

Although data can technically be read from anywhere in SRAM, there is a block of data at 5:A001–A082 which exists specifically for use in the rankings. With the exception of 5:A016–A017, which doesn’t seem to be referenced at all, this block comprises 2-, 3-, or 4-byte big-endian values which are managed by a series of functions in bank $41. (Except for the Battle Tower win counter, these functions are still called in the English version in the relevant situations, but they’ve been dummied out, and wouldn’t work anyway since SRAM bank 5 doesn’t exist.)

| Address | Length | Description |
|---|---|---|
| A001 | 4 | Play time when last entered the Hall of Fame (2 bytes hours, 1 byte minutes, 1 byte seconds) |
| A005 | 4 | Step count when last entered the Hall of Fame |
| A009 | 3 | Number of times the party was healed when last entered the Hall of Fame |
| A00C | 1 | Extraneous byte copied from 5:A03C when last entered the Hall of Fame |
| A00D | 3 | Number of battles when last entered the Hall of Fame |
| A010 | 4 | Step count |
| A014 | 2 | Number of Battle Tower wins |
| A018 | 3 | Number of times TMs and HMs have been taught |
| A01B | 3 | Number of battles |
| A01E | 3 | Number of wild Pokémon battles |
| A021 | 3 | Number of Trainer battles |
| A024 | 3 | Unused |
| A027 | 3 | Number of Hall of Fame inductions |
| A02A | 3 | Number of wild Pokémon caught |
| A02D | 3 | Number of hooked Pokémon encounters |
| A030 | 3 | Number of Eggs hatched |
| A033 | 3 | Number of Pokémon evolved |
| A036 | 3 | Number of Berries and Apricorns picked |
| A039 | 3 | Number of times the party is healed |
| A03C | 3 | Number of times Mystery Gift is used |
| A03F | 3 | Number of trades |
| A042 | 3 | Number of uses of field move Fly |
| A045 | 3 | Number of uses of field move Surf |
| A048 | 3 | Number of uses of field move Waterfall |
| A04B | 3 | Number of times the player whited out |
| A04E | 3 | Number of Lucky Number Show prizes won |
| A051 | 3 | Number of Phone calls made and received |
| A054 | 3 | Unused |
| A057 | 3 | Number of Colosseum battles |
| A05A | 3 | Number of times player’s Pokémon used Splash |
| A05D | 3 | Number of tree Pokémon encounters |
| A060 | 3 | Unused |
| A063 | 3 | Number of Colosseum wins |
| A066 | 3 | Number of Colosseum losses |
| A069 | 3 | Number of Colosseum ties |
| A06C | 3 | Number of times player’s Pokémon used SelfDestruct or Explosion |
| A06F | 2 | Current streak of consecutive slot machine wins |
| A071 | 2 | Longest streak of consecutive slot machine wins |
| A073 | 4 | Total coins won from slot machines |
| A077 | 4 | Total money earned from battles (including Pay Day) |
| A07B | 2 | Largest Magikarp measured |
| A07D | 2 | Smallest Magikarp measured |
| A07F | 2 | Bug-Catching Contest high score |
| A081 | 2 | Bytewise checksum of A001–A080 |

There are functions which would increment the three-byte values at 5:A024, 5:A054, and 5:A060, but these functions don’t appear to be referenced even in the Japanese version.

5:A039 is incremented when the party is healed at a Pokémon Center, by the machine in Elm’s Lab, by Mr. Pokémon after giving the Mystery Egg, by Lance in the Rocket Hideout, by the old woman on Route 26, by resting in the bed on the S.S. Aqua, or before a Battle Tower or mobile Colosseum battle. It is not incremented when the party is healed after whiting out, by using a Sacred Ash, after winning or losing the first rival battle in Cherrygrove City, or after defeating the last Rocket Grunt in Slowpoke Well, Sailor Stanly on the S.S. Aqua, Lance at the Pokémon League, or Red at Mt. Silver.

The value from 5:A039 is then copied into 5:A009 when entering the Hall of Fame, but 4 bytes are copied rather than 3, so the high byte of the number of times Mystery Gift was used is copied into 5:A00C. (That byte will still always be $00, because Mystery Gift can’t be used more than 65535 times before the SRAM battery runs out. ;))

5:A05A and 5:A06C are incremented when the effect of the move is executed during the player’s turn, regardless of whether it was chosen by the player, chosen by a disobedient Pokémon, or called through Metronome, Mirror Move, or Sleep Talk.

Save data upload
The game uploads the save data as specified in the metadata file. The body of the server’s response is of no consequence.

Rankings upload
The game uploads the rankings data as specified in the metadata file. The server responds with the updated rankings tables. The game saves that data to the address specified in the metadata file. Each table begins with a 12-byte header:

| Offset | Length | Description |
|---|---|---|
| $0 | 4 | Number of ranked players (big-endian) |
| $4 | 2 | Unknown |
| $6 | 4 | Player’s rank (big-endian; will be treated as unranked if this value is greater than the number of ranked players) |
| $A | 2 | Number of entries in the table (big-endian) |

The number of ranked players may be greater than the number of entries in the table; e.g., 1000 players might be given ranks (shown only to themselves) even though the table only lists the top 10 (shown to everyone).

Each entry in the table is of the length specified in the metadata file. The first 24 bytes follow a fixed format and the remaining bytes (up to 4?) are the score value.

| Offset | Length | Description |
|---|---|---|
| $00 | 7 | Trainer name |
| $07 | 1 | Prefecture (values assigned in gojūon order from $01 = Aichi-ken to $2F = Wakayama-ken) |
| $08 | 2 | Unknown |
| $0A | 1 | Age |
| $0B | 1 | Gender ($00 = male, $01 = female) |
| $0C | 12 | Message (six two-byte little-endian easy chat words) |
| $18 | ? | Score (big-endian) |

News download
The game downloads the News issue, stores it at 6:A000, and then executes it.

Based on the historical accounts of Pokémon News (particularly Kakeru’s transcripts of the last seven issues), which describe various quizzes, minigames, and rewards (including, of course, the GS Ball), it can be surmised that the News involves a scripting language with many different commands. Without access to any of the original News downloads, it could be quite a challenge to determine how the data is packaged and what the available commands are, and then reconstruct something resembling a News issue.



Good news, everyone! Game Freak left us some samples in ROM bank $7D.

There are three unused functions in that bank which each copy a different block of data to 6:A000. If a News issue has already been downloaded, these functions overwrite it with data from the ROM. (If no News had been downloaded, the game will say 「まえの ニュースが ありません!」 “There is no old NEWS…” when attempting to view it. This can be manually overridden by setting 5:AA72 to $01.)

This data in the ROM does not include any of the metadata or rankings tables, only the main News download. (This means we don’t know what data from the save file would be requested by the server, or what message would be displayed before downloading the News.) Also, disappointingly, none of the text of these News issues was translated in Vietnamese Crystal.

Here’s a video showing each of the News issues found in the ROM.


Trainer Rankings
A News issue entitled 「トレーナーランキング」 Trainer Rankings appears at 7D:5C6B in the Japanese ROM and at 7D:5DB4 in the localized ROMs. The function to copy this data into SRAM is at 7D:5C56 in the Japanese ROM and at 7D:5D9F in the localized ROMs.

This is the simplest News issue found in the ROM, having no features other than the rankings. It matches the screenshots on pages 25–26 of the Pocket Monsters: Crystal Version: Mobile Guide (ポケットモンスター クリスタルバージョン モバイルのてびき) packaged with the Mobile Adapter GB.

The main menu has four options:
| Name | Description |
|---|---|
| ランキング を みる View Rankings | いろいろな ランキングが みれます View the different rankings. |
| ランキング の せつめい Rankings Description | ランキングの せつめいです A description of the rankings. |
| ランキング の こうしん Update Rankings | さいしんの ランキングを ダウンロード します Download the latest rankings. |
| やめる Quit | ニュースを みるのを やめます Quit viewing the News. |

The background music for these menus is “Elm Pokémon Lab”.

Quit (or pressing B) returns to the News Machine menu. Update Rankings downloads the News metadata from the server, and then proceeds to submit the save data and rankings again only if the unique ID of the News issue has not changed. The description of the rankings says:

Quote
3つの テーマで ランキング!
いま おくった レポート からも
なにかが ランキングに はいって
いるかも しれません!

Rankings in three categories!
Now something from the save file you sent could be in the rankings!

View Rankings brings up a submenu to select from three ranking categories:
  • コロシアムで かった かいすう Number of Colosseum wins
  • むしとりたいかい こうとくてん Bug-Catching Contest high score
  • つった コイキングの おおきさ Size of caught Magikarp
In each category, there are three rankings:
  • ぜんこく の ランキング National ranking
  • とどうふけん の ランキング Prefectural ranking
  • ゆうびんばんごう の ランキング Postal code ranking
The latter two rankings would depend on the prefecture and the three-digit prefix of the postal code entered in the Mobile Profile. If the player has opted not to enter a postal code, it’s treated as 000 (no actual Japanese postal code starts with 000).

The first of the downloaded rankings tables is expected to contain the national ranking for Colosseum wins, the second one the prefectural ranking for the same, the fourth one the national ranking for the Bug-Catching Contest, et cetera.

Selecting any ranking shows the top 10 entries; for each entry, the trainer name, score, gender, age, and prefecture can be seen, as well as the message they set in the Mobile menu. At the bottom of each top-10 ranking, the player can see their own current score (read from the corresponding address in SRAM: 5:A063 for the Colosseum, 5:A07F for the Bug-Catching Contest, and 5:A07B for the largest Magikarp) and ranking (as of the last rankings download, so not necessarily consistent with the score read from SRAM). If the player is not ranked, their score is followed by the message 「ランクイン しなかった… ざんねん…」 You were not ranked… Sorry…

The message 「ランキングデータが ありません[。] ランキングの こうしんを するば みることが できます」 There is no rankings data. You can see it by updating the rankings. appears in this News data (and all the other ones, too), but I don’t know what circumstances would cause it to appear.

In the Japanese ROM only, there is a near-identical copy of this News data at 7E:4000. (In the localized ROMs, bank $7E instead contains data for the offline Battle Tower and Odd Egg event.) The only difference is that the copy at 7E:4000 is missing four bytes at offset $002. Two of these missing bytes represent the length of the remaining data and the other two bytes are a bytewise checksum of that data. Since the checksum fails, the game refuses to load this version of the data, saying 「ニュースの データが こわれています[。] よみこみ なおして ください」 “The NEWS data is corrupted. Please download the NEWS again.”


Trainer Rankings (bis)
Another News issue entitled 「トレーナーランキング」 Trainer Rankings appears at 7D:4015 in the Japanese ROM and 7D:4018 in the localized ROMs. The corresponding function to copy this data into SRAM is at 7D:4000 in the Japanese ROM and 7D:4003 in the localized ROMs.

The most obvious difference between this News issue and the other one is that the main menu has an additional option called 「ポケモンなきごえクイズ」 Pokémon Cries Quiz, with the description 「ポケモンの なきごえを あててね!」 Guess the Pokémon cries!. The quiz has ten Pokémon to choose from: Suicune, Clefairy, Spearow, Gastly, Togepi, Zubat, Jynx, Espeon, Mewtwo, and Dunsparce. For each one, the player can listen to three different cries and guess which one is the correct cry for that Pokémon. There’s no scoring and no reward for guessing correctly. The background music for the quiz is “Hurry Along 2”.

The rankings menus have several changes:

The Update Rankings option has been…updated…to give some feedback after the download: If successful, 「ランキングの こうしんを しました!」 Rankings update done! If the news ID has changed, 「ランキングの こうしんに しっぱい… あたらしい ニュースを よみこんで ください」 Rankings update failed… Please load the new News. If cancelled by the user (or an error occurs?), 「ランキングの こうしんを やめました」 Rankings update cancelled.

The category Number of Colosseum wins has been replaced by 「バトルタワーで かった かいすう」 Number of Battle Tower wins. Notably, this ranking tries to read the player’s score from the unused location 5:A016, rather than the correct address 5:A014.

The local rankings now have the player’s prefecture and postal code in the title of the rankings (e.g., mine are called 「とうきょうと の ランキング」 and 「〒000 の ランキング」 because I set my prefecture to Tōkyō-to and didn’t set a postal code).

Selecting a blank entry in the top 10 now displays the message 「ここには だれも ランクイン してません」 No one is ranked here.

If the player’s score in any ranking is checked using the 「[player’s name] の じゅんい」 option and the player is #1 in that ranking, this message is displayed:

Quote
ランキングで トップを とった
あなたに…
すてきな プレゼントが あります
おたのしみに!

For earning the top spot in the ranking…
Here is a wonderful gift! Enjoy!

This triggers the GS Ball event; the player will receive the GS Ball upon leaving the PokéCom Center.


Pokémon News Debug Starting Issue
A News issue entitled 「ポケモンニュース デバッグかいしごう」 Pokémon News Debug Starting Issue appears only in the Japanese ROM at 7D:4DD0. The function to copy this data into SRAM is at 7D:4DBB.

The main menu options are:
| Name | Description |
|---|---|
| トレーナーランキング Trainer Rankings | いろいろな ランキングが みれます View the different rankings. |
| ポケモンなきごえクイズ Pokémon Cries Quiz | ポケモンの なきごえを あててね! Guess the Pokémon cries! |
| ゲーフリからのメッセージ Message from Game Freak | ゲームフリークからの メッセージです A message from Game Freak. |
| やめる Quit | ニュースを みるのを やめます Quit viewing the News. |

Trainer Rankings leads to a submenu identical to the first Trainer Rankings news data. The Pokémon Cries Quiz is identical to the one in the second Trainer Rankings news data. The Message from Game Freak could probably be translated better by someone who knows what they’re doing, but I’ll give it a shot:

Quote
さわやかな あきかぜが ふきぬける
きょう このごろですが
みなさま いかが おすごしで
いらっしゃいますでしょうか

われわれ クリスタルチームは
まいにち みぎてに マウス
ひだりてに こぶしを にぎりしめ
ねむくなれば おたがいを なぐり
かんせいに むけて はげんでおります

この ニュースは デバッグように
つくられて おります

ですので なきごえクイズなどでも
『ずかんにない ポケモンが!
…という ごしんぱいは
ごむようで ございます

それでは ひきつづき ニュースの
デバッグを よろしく おねがいします

もちろん ほかのところも
よろしく おねがいします
……… ……… ………

As the refreshing autumn breeze now blows through, is everyone getting along well?

Every day our Crystal Team is striving to finish the game, with our right hands holding our mice, and our left hands clenched in fists to hit each other if we get sleepy.

We made this News for debugging use.

Thus, in the Cries Quiz for example, you don’t need to worry about things like, “That Pokémon’s not in the Pokédex!”

That said, we ask that you continue with debugging the News.

Of course, we’d like you to work on other things as well…

This message seems to be directed at Nintendo’s product testers, which suggests it may have been deliberately included in the final build that Game Freak submitted for testing. The background music for the message is “National Park”.


Pokémon News First Issue
In the localized ROMs, the Pokémon News Debug Starting Issue is replaced by an entirely different issue entitled 「ポケモンニュース そうかんごう」 Pokémon News First Issue, found at 7D:4DD3. The function to copy this data into SRAM is at 7D:4DBE.

The fact that it appears in the localized ROMs and not the Japanese ROM suggests it may have been developed after the Japanese ROM was finalized. The name implies that it could be the actual first issue of Pokémon News that was published when the Mobile System GB launched in January 2001. However, I don’t think it is, because it contains the same script as the second Trainer Rankings data for awarding the GS Ball to a player who is #1 in any ranking, and I’m not aware of any documentation that the GS Ball was actually distributed in this manner.

The main menu options are:
| Name | Description |
|---|---|
| ニュースガイド News Guide | よみこんだ ニュースを かんたんに せつめいします A brief description of the loaded News. |
| トレーナーランキング Trainer Rankings | 3つの テーマで ランキングを します! Rankings in three categories! |
| ポケモンカルト Pokémon Cult | これまでの ぼうけんを どこまで おもいだせるか テストします! Test how well you remember your adventure so far! |
| やめる Quit | ニュースを みるのを やめます Quit viewing the News. |

The News Guide says:

Quote
ポケモンニュース そうかんごうでは
トレーナーランキングと
ポケモンカルトクイズで
おたのしみ ください!

あなたの ランキングの せいせきは
ランキングの こうしんを すれば
なんどでも かきかえられるので
がんばれば トップに なれるかも!

In the Pokémon News First Issue, please enjoy Trainer Rankings and the Pokémon Cult Quiz!

Your rankings can be updated as many times as you like; try your best and you might reach the top!

The Trainer Rankings submenu is pretty much the same as the second Trainer Rankings data (including the GS Ball reward), except that the player’s score for Number of Battle Tower wins is read from the correct address, 5:A014. The menu items have been rearranged and most of the descriptions rewritten:

| Name | Description |
|---|---|
| ランキング を みる View Rankings | いろいろな ランキングが みれます View the different rankings. |
| ランキング の こうしん Update Rankings | ランキングを よみこみなおします あなたの せいせきも かわります Reloads the rankings. Your results will also change. |
| ランキング の せつめい Rankings Description | こんかいの ランキングの テーマに ついて せつめいします Describes the current rankings categories. |
| やめる Quit | さいしょの ページに もどります Return to the first page. |

The Rankings Description is more descriptive:

Quote
バトルタワーで かった かいすうは
40ばんどうろの バトルタワーで
あなたが これまでに なんにんの
トレーナーとの しょうぶに かったか
にんずうで きそいます

コイキングの おおきさは
いかりのみずうみに いる
つりめいじんに はかってもらった
コイキングの うち いちばん
おおきかった もので きそいます

むしとりたいかい こうとくてんは
しぜんこうえんで おこなわれる
むしとりたいかいで これまでに
とった いちばん たかい
てんすうで きそいます

“Number of Battle Tower wins” is ranked by the number of trainers you’ve won battles against so far in the Battle Tower on Route 40.

“Size of caught Magikarp” is ranked by the largest Magikarp measured by the Fishing Guru at Lake of Rage.

“Bug-Catching Contest high score” is ranked by the highest score earned so far in the Bug-Catching Contest held in the National Park.

The Pokémon Cult Quiz, unlike the cries quiz, is a proper quiz with scoring. Ten multiple-choice questions are presented in sequence, varying from mildly obscure (Is Mom’s specialty a Cinnabar Volcano bakemeat burger, curry, or yakisoba?) to incredibly obscure (How many times did Earl spin around before he entered the Pokémon Academy?). After you’ve answered all of the questions, Professor Oak evaluates your performance, although he doesn’t give any reward. The background music during the quiz is “Goldenrod Game Corner”, and the music for the evaluation is “Pokégear Radio: Professor Oak’s Pokémon Talk”.


News data structure
While I haven’t yet endeavored to write my own fake news, I have done some basic analysis of the structure of the existing data:

Header
The data has a six-byte header; the first two bytes are 00 A0, the next two bytes are a bytewise checksum of the data (excluding the header), and the final two bytes are the length of the data (excluding the header). As mentioned above, the duplicate News data at 7E:4000 in the Japanese ROM omits these checksum and length values, and therefore doesn’t work in the final game.

Screen data
Data for the opening screen of the News issue begins immediately after the header. Other screens use the same data structure, which may be placed anywhere in the file and called using script command $01.

| Length | Description |
|---|---|
| 1 | Background music ID |
| 1 | Number of custom palettes |
|  | Custom palette data. Four two-byte color values. Repeat × number of custom palettes. |
| 1 | Number of boxes to draw |
|  | Box data. The first two bytes are origin x and y coordinates, the next two bytes are length and width, the fifth byte is the border type, and the sixth byte is the palette. Repeat × number of boxes to draw. |
| 1 | Number of strings to print |
|  | Position to print a string, expressed as an offset into the screen buffer, followed by the string itself ($50-terminated). Repeat × number of strings to print. |
| 12 | Menu origin x and y coordinates, number of columns and rows, column width and row height, plus six more bytes of menu parameters? |
| 16 | Offsets to script data for each of the eight joypad buttons (A B Select Start ← → ↑ ↓). These offsets are relative to the start of the current screen data. The value $FFFF is used for a button which has no script. |
| 1 | Number of menu items. |
| 4 | Position to print menu descriptions, expressed as an offset into the screen buffer, and width and height of the area to be blanked before printing a description. (The blanked area begins one row above the given text position, to account for diacritics.) |
| 1 | If not $00, loads the rankings table specified in 0:CD62. (That address should have been set by a script on the prior screen.) |
|  | Pointer to the name of each menu item. Repeat × number of items. |
|  | Pointer to script data for each menu item. Repeat × number of items. |
|  | Pointer to description text for each menu item. Repeat × number of items. |

If anyone wants to have a go at documenting the News script commands, they’re in Jumptable17d72a in pokecrystal’s misc/mobile_5f.asm. Also of interest is the text character $15, which invokes another, smaller scripting language within a text string; this is used extensively in the Pokémon News data to insert variables into strings. Those commands are defined by the jumptable in Function17f047.
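
The News metadata layout described in the post above (Unique ID through Rankings data selection), as an added example that is not part of the original post or the author's script: a strict Python parser that bounds-checks every field, which is the validation the post notes the game does not perform. Little-endian addresses, the 8-bank SRAM limit, the MAX_STRING cap, the `news_size` parameter and all sample bytes are assumptions or constructed values.

```python
"""Strict parser for the News metadata layout described in the post above.
Assumptions (not from the post): addresses are little-endian, SRAM has 8
banks, and text fields are capped at MAX_STRING bytes."""
import struct

SRAM_LO, SRAM_HI = 0xA000, 0xC000  # cartridge RAM window on the Game Boy bus
SRAM_BANKS = 8        # assumption: 64 KiB of cartridge RAM
MAX_STRING = 255      # assumption: arbitrary cap on $50-terminated fields
RECORD_FIXED = 24     # fixed part of each rankings record, per the post


class MetadataError(ValueError):
    """The file is truncated or describes memory it must not touch."""


class Reader:
    """Cursor over the file that never reads past the end."""

    def __init__(self, data):
        self.data, self.pos = bytes(data), 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise MetadataError(f"truncated: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("<H", self.take(2))[0]

    def string(self):
        end = self.data.find(b"\x50", self.pos)
        if end < 0:
            raise MetadataError("string has no $50 terminator")
        if end - self.pos > MAX_STRING:
            raise MetadataError("string longer than MAX_STRING")
        text = self.take(end - self.pos)
        self.pos = end + 1  # step over the terminator
        return text

    def region(self, bank):
        """Address and length that follow a bank byte; must stay inside SRAM."""
        addr, length = self.u16(), self.u8()
        if bank >= SRAM_BANKS:
            raise MetadataError(f"SRAM bank {bank} does not exist")
        if addr < SRAM_LO or addr + length > SRAM_HI:
            raise MetadataError(f"{bank}:{addr:04X}+{length} is outside SRAM")
        return bank, addr, length


def parse_metadata(blob, news_size=0):
    """Parse and validate; news_size is the length of the issue stored at 6:A000."""
    r = Reader(blob)
    meta = {"unique_id": r.take(12), "description": r.string()}
    meta["rankings_addr"] = r.u16()
    if not SRAM_LO + news_size <= meta["rankings_addr"] < SRAM_HI:
        raise MetadataError("rankings would overlap the News data or leave SRAM")
    table_bytes = r.u16()
    if table_bytes % 2:
        raise MetadataError("rankings metadata length is odd")
    meta["record_widths"] = [r.u16() for _ in range(table_bytes // 2)]
    if any(w < RECORD_FIXED for w in meta["record_widths"]):
        raise MetadataError("record narrower than its 24 fixed bytes")
    meta["save_regions"] = []
    while (bank := r.u8()) != 0xFF:          # $FF ends the save data selection
        meta["save_regions"].append(r.region(bank))
    meta["ranking_fields"] = []
    while key := r.string():                 # an empty key ends the list
        meta["ranking_fields"].append((key, r.region(r.u8())))
    meta["consumed"] = r.pos
    return meta


def rejection_reason(blob, news_size=0):
    """Return None if the file is acceptable, else the reason it was refused."""
    try:
        parse_metadata(blob, news_size)
    except MetadataError as exc:
        return str(exc)
    return None


def sample_metadata():
    """Constructed file: nine 26-byte tables, as in the post's example."""
    return (b"NEWS-0001-AB"                       # 12-byte unique ID
            + bytes([0x80, 0x81, 0x82, 0x50])     # description (game text bytes)
            + struct.pack("<H", 0xB000)           # rankings stored at 6:B000
            + bytes.fromhex("1200" + "1a00" * 9)  # rankings metadata
            + bytes([5, 0x01, 0xA0, 0x82, 0xFF])  # upload 5:A001-A082
            + b"bug\x50" + bytes([5, 0x7F, 0xA0, 2])  # key -> 5:A07F, 2 bytes
            + b"\x50")                            # end of key list


if __name__ == "__main__":
    print(parse_metadata(sample_metadata()))
    print(rejection_reason(sample_metadata()[:-1]))
```

A reconstructed server can run the same checks on the metadata it is about to serve, so that a malformed file is refused before it reaches the game.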
14
Emulation & ROM Hacking / Re: Emulating the Mobile Adapter GB
« on: August 13, 2017, 01:59:33 am »
I have actually been working on this occasionally over the past several months, but never found the time to compile my notes into something coherent.

I’ve figured out how the HTTP authentication scheme is supposed to work (an essential prerequisite for creating a server), and have also mostly documented the Pokémon News system. I need to put together a video to show that off, which I should do tomorrow.

I have some design plans for a server and client, but haven’t implemented anything. I might start on that this week, although I’m torn on whether to do that first or decipher the Battle Tower system.

Also, does the mobile phone adapter still work in 2017? As in, if I edited the rom of Crystal and the Mobile Trainer to not connect to gameboy.datacenter.ne.jp but instead to our own server, would it work?

The adapter still works for peer-to-peer communication (Pokémon Cable Club) as long as the handsets are able to receive service. The last PDC network shut down in March 2012, and the original frequency allocation for CDMA service in Japan was changed in July 2012, so it is likely that only DDI Pocket handsets still work, as their service continues under the Y!mobile brand.

To allow the adapter to connect to the Internet, an alternative to the DION dial-up service would need to be provided. Assuming that were possible, the adapter would need to be reconfigured to dial that service instead of DION; this could be achieved by running a specially-prepared ROM off a flash cartridge, or perhaps through an elaborate arbitrary code execution exploit. But if you could connect to your own dial-up ISP, you wouldn’t need to edit the domain names in the ROM; you could just intercept requests at the ISP end and redirect them to the server of your choice.

If the goal is just to connect a real Pokémon Crystal (or other compatible game) cartridge to a reconstructed server, then a much simpler way to achieve that would be to plug a device directly into the link port and emulate the Mobile Adapter GB in exactly the same way that a PC-based emulator would. (Can a Raspberry Pi bit-bang at 256 Kib/s?)

It'd be cool to see the actual web servers this used brought back; a null-modem cable could be constructed using the real Mobile Adapter GB, which could then plug into a PC for actual Internet connection.

That’s another possibility, but would require knowing the protocol the adapter uses to control the handset (surely it’s documented somewhere?). Also, I doubt the requisite connectors are still manufactured, so some disassembly may be required… :)

Eventually I’ll want to do something like that anyway, in order to test the actual behavior of the adapter and find out what those missing numbers in the command list are for.
15
Pokémon Discussion / Re: Debug menus in Japanese Crystal
« on: February 22, 2017, 04:52:26 pm »
I found some more debug code that I’d missed! Okay, I shouldn’t get too excited, it’s only 9 bytes ;D

It’s at the end of bank 1, corresponding to the Predef1 function which is dummied out in the release build. It calls 3F:56DB, which is the debug menu with 「ロム バージョン」 ROM Version on it, and then returns to the title screen:
Code:
Predef1: ; 7e79
    callba $fd6db
    jp StartTitleScreen.TitleScreen