Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - Háčky

Pages: [1] 2 3 ... 9
With a Nintendo DS that has the GBA slot and a DS flash cart, you can use GBA Backup Tool.
There are no item checks for Generation II trades. Even the unused items corresponding to Generation I Pokémon’s catch rates, which are converted by the Time Capsule into different items, are not altered when traded from another Generation II game.
Pokémon Discussion / Re: Crystal: Unused party sanitisation function
« on: October 04, 2017, 04:04:15 pm »
Wait, does the game really spell out 「クりス」? That's an awkward combination of hiragana and katakana. And oops for not terminating that 「?????」 :P

The Generation I and II games use the same character ($D8) for リ and り (likewise with $CD for ヘ and へ); the disassemblies treat it as the hiragana by default.
Pokémon Discussion / Re: Crystal: Unused party sanitisation function
« on: October 03, 2017, 11:52:59 pm »
The unused occurrence and first used occurrence are in Battle Tower code, sanitising Battle Tower Pokémon after they are read. (The unused occurrence seems to have just been dummied out, as it is directly after the used code ends.)

This code sanitises Pokémon nicknames, replaces any OT name with bad characters with "CHRIS" (only one terminator this time), makes sure all nicknames and the OT name are terminated, and sanitises invalid moves in the same way as detailed in the OP (except here, move $00 is never considered invalid).

The unused half of this function replaces invalid Pokémon species ($FD being considered invalid) with Smeargle ($EB). Instead of a simple greater-than-or-equal check, it checks for equality against each invalid species value in turn. Pokémon levels are also checked, but the maximum level instead of being hardcoded is taken from SRAM at 5:B2FB.

Both of these checks are applied to Battle Tower opponents in the Japanese version. 5:B2FB is the chosen level of the Battle Tower challenge. Oddly, move sets are sanitized twice using slightly different criteria, the difference being that ValidateBTParty checks if the first move slot is empty and fills it with Pound if it is, while CheckBTMonMovesForErrors, called from ReadBTTrainerParty, erases any moves following an invalid or empty second or third slot. The cumulative effect seems to be identical to the unused move check in bank 4.

It seems Game Freak relied solely on this client-side validation at first; the Pokémon Battle Historia reports that Pokémon with illegal move sets were found in level 100 Battle Rooms in February 2001, until some server-side checks were introduced in early March. But even in late 2002, Kakeru complained of encountering Blastoise which knew both Counter and Mirror Coat (it can learn Mirror Coat as an Egg move, and Counter using the Generation I TM, but a Pokémon with Mirror Coat can’t be traded through the Time Capsule).

The last occurrence is inside mobile-related code. Every single string (nickname, OT, mail, mail author) is checked for invalid bytes and termination (where the terminator is $4E for some reason) within the correct length, by bankswitched calls. If one of these checks fails, the offending string is replaced with a default string by a bankswitched call.

I think this one is for Pokémon received from the Trade Corner.
Quote from: DMGAAUP0.J56
;-----111111111111111144444444444444----0xc902 no ..............Mem Write: pc32 = 0xcc46a addr = 0xc902 value = 0xd                             
;PC:51-4461=FA 000CC461  LY:006 AF:0080 BC:E401 DE:0001 HL:C900 SP:DFAB                                                                         
;PC:51-4464=FE 000CC464  LY:006 AF:0080 BC:E401 DE:0001 HL:C900 SP:DFAB                                                                         
;PC:51-4466=D0 000CC466  LY:006 AF:0070 BC:E401 DE:0001 HL:C900 SP:DFAB                                                                         
;PC:51-4467=CD 000CC467  LY:006 AF:0070 BC:E401 DE:0001 HL:C900 SP:DFAB -----  happend only once while the explosive animation begin.           
;000cc471h: FA 19 CA FE                                   
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf7e value = 0x8f
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf7f value = 0x91
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf80 value = 0x84
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf81 value = 0x92
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf82 value = 0x84
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf83 value = 0x8d
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf84 value = 0x93
 ; ******0xcccccccccffffffff8***********---------------   Mem Write: pc32 = 0x3180 addr = 0xcf85 value = 0x50

DMGAAUP0 seems to be one of the English Golds. Interestingly CF7E-CF85 is a string buffer and this appears to be to do with the string "PRESENT" (8F 91 84 92 84 8D 93 50).

The only Present oddities I know are the Present damage glitch and this little text glitch:

That’s for blurring/dimming the move animation, which includes rapid flashing. I don’t see any indication of either glitch being fixed.
Generation II Glitch Discussion / Re: G/S/C glitch discussion
« on: September 21, 2017, 12:33:21 pm »
when trading from gen 2 to 1 using johto guard, do the type bytes of the pokemon stay the same, or are they set to whatever type the gen 1 equivalent is?

ie: use johto guard to trade lugia to gen 1, is it still psychic/flying type?

Yes. When converting the Pokémon to Generation I format, the Generation II game looks up its types from its own data. (An exception is made for Magnemite and Magneton.) This also means the resulting glitch Pokémon can be traded back to Generation II and become a Lugia again, since the type data is used to check whether a Pokémon is “abnormal”.
Quote from: CGBBXTJ0.534.patch
Code: [Select]
;0004e433h: A5 01 00 00 FF 00 FF 00 FF 00 FF 00 FF 00 FF 00 ; ?........
;0004e443h: FF 00 FF 00 FF 00 FF 00 FF 10 00 00 FF 00 FF 00 ; .........
;00023a9fh: C0 01 00 00 FF 00 FF 00 FF 00 FF 00 FF 10 00 00 ; ?.........                                               
;00023aafh: FF 01 00 00 0A 10 00 00 0A 01 00 00 FF 00 FF 00 ; .............                                             
;change to below                                                                                                           
;00023a9fh: FF 00 E0 01 00 00 FF 00 FF 10 00 00 FF 01 00 00 ; .?.........                                               
;00023aafh: 0A 10 00 00 0A 01 00 FF FF 00 FF 00 FF 00 FF 00 ; ...........                                             
[teaching movie]                                                                                                           
Mode = 1                                                                                                                   
Address = 0x4e433                                                                                                       
Fixcode = a32:FF 00 E0 01 00 00 FF 00 FF 10 00 00 FF 01 00 00 0A 10 00 00 0A 01 00 FF FF 00 FF 00 FF 00 FF 00               

As SatoMew pointed out to me once, there’s a minor issue in Japanese Crystal (but not Gold and Silver, I thought?) with an unusually long delay during the Dude’s catching tutorial. This patch is applied in all Japanese versions; $2ea9f is the address in Gold and Silver while $4e433 is the Crystal equivalent. I never found out what caused the delay, so I don’t know if this fixes it.
(It assumes that the Pokémon available using the Egg Ticket were the same ones, with the same probabilities, as in the English version’s Odd Egg event; I don’t know for sure that this assumption is correct.)
From (ECCH) Bulbapedia:
In the Japanese version of Pokémon Crystal, there is a 50% chance the hatched Pokémon will be Shiny (IVs 2/10/10/10) and a 50% chance it will not (IVs 0/0/0/0).
In the international versions of Pokémon Crystal, there is a 14% chance the hatched Pokémon will be Shiny (IVs 2/10/10/10) and an 86% chance it will not (IVs 0/0/0/0), but the chance of any particular Pokémon species hatching from the Egg and the chance of any given species being Shiny are not uniform.

Bulbapedia originally said that the Odd Egg had a 50% chance of being shiny in all versions, then that it was 50% for the Japanese event but 12.5% in the English version, then reverted back to 50% for all versions until someone finally came up with the correct 14% figure from the localizations. I have no reason to believe that the 50% figure is anything more than someone’s guess that’s been propagated as fact.
Editing the save file won’t help because the Egg Ticket event is not in the game. There is nothing in the Japanese ROM that defines which Pokémon you can receive from it or what their chance of being shiny is. The only way to redeem the Egg Ticket is to connect to an emulated Mobile System GB with an emulated Mobile Adapter GB in order to download a file which contains the Pokémon’s data. The proof-of-concept Python script I wrote last year links to BGB and emulates enough of the Mobile Adapter GB and Mobile System GB to allow the Egg Ticket to be redeemed. (It assumes that the Pokémon available using the Egg Ticket were the same ones, with the same probabilities, as in the English version’s Odd Egg event; I don’t know for sure that this assumption is correct.)
Emulation & ROM Hacking / Re: Emulating the Mobile Adapter GB
« on: August 15, 2017, 09:38:22 pm »
Okay, “tomorrow” was two days ago, but I have this silly, old-fashioned obsession with factual accuracy and needed to recheck a bunch of things. I guess it would be easier if I posted more often… :)

Question: If we connect to a server from a client, but it's over Dial-Up, is it still technically considered to be running on an actual adapter and therefore valid in TAS?

I think more research is needed to determine accurate timings for the adapter ;D

HTTP authentication scheme
Nintendo’s mobile library will attempt to authenticate the user with the Mobile System GB server only when a POST request is made for or, and only if the filename at the end of the URI begins with a number indicating a service fee (even if it’s ¥0).

Even when those conditions are met, the library has a bug that can cause it to fail to detect whether authentication is required:

Code: [Select]
; Find the string terminator at the end of the URI
ld a, [hli]
or a
jr nz, .asm_1112a0

; Now back up and find the last slash
; Right now, hl points to the byte *after* the string terminator!
; If that byte happens to be a slash ($2F), this code may
; fail to properly detect whether this is a paid upload.
; There ought to be a “dec hl” here.
ld a, [hld]
cp $2f
jr nz, .asm_1112a4

Since Pokémon Crystal does not erase the last URI in memory before writing the next in a series of requests, it is possible that the residual byte after the string terminator could be a slash if a previous URI was longer than the current one. A careful choice of URIs avoids this issue.

An authentication attempt begins by sending an HTTP GET request, to which the server responds with 401 Unauthorized and a WWW-Authenticate: GB00 name="…" header, where the name is an arbitrary 36-byte value encoded in Base64.

The game then sends another GET request, this time with the header Authorization: GB00 name="…", where the name is a concatenation of two separate Base64-encoded values: the first is the first 32 bytes from the WWW-Authenticate name, and the second is a 36-byte value determined by a byzantine procedure:
  • The login password is appended to the 48-character Base64-encoded WWW-Authenticate name, and then this string is hashed with MD5.
  • The 36-byte WWW-Authenticate value is split into two 18-byte values, the first containing all of the even-numbered bits of the original and the second containing all of the odd-numbered bits. The first byte of each two-byte pair fills the most significant bits of each output byte, and the second byte fills the least significant bits. These values are concatenated into a new 36-byte string.
  • The login ID is appended to the MD5 hash from step 1. This string is padded with $FF until it is 35 bytes long, then a $00 is added to make it 36 bytes.
  • The 36-byte strings produced in steps 2 and 3 are xor’d.
  • But that would have been too simple, so then each byte has bits 0, 3, and 6 rotated into bits 3, 6, and 0.
The first step necessitates that the server retains users’ plaintext passwords in order to calculate arbitrary MD5 hashes from them—unless the value in the WWW-Authenticate header is predetermined, which would allow the hash to be precalculated, but would make the rest of this shell game even more pointless as a successful authentication attempt could be replayed.

If the Authorization header is valid, the server responds with 200 OK and a Gb-Auth-ID header which contains an arbitrary string. The game then sends its POST request and includes the same Gb-Auth-ID header.

Pokémon News
A Pokémon News download begins by accessing, a text file containing four URIs which are used to:
  • Download metadata for the current News issue
  • Upload selected data from the save file
  • Upload scores to be added to the rankings, and receive the updated rankings in response
  • Download the current News issue
The cost of Pokémon News was ¥100 per issue. The fourth URI should be tagged with that cost so that it is displayed by the game; the two upload URIs should be tagged with a cost of ¥0 so that the game will authenticate and upload the data.

The metadata file is an unstructured hodgepodge of variable-length fields, the boundaries of which can only be determined by parsing each field in its own unique way. In typical Game Freak style, the game makes no effort to validate the data received from the server or protect against buffer overflows. A malformed metadata file can certainly crash the game and corrupt the save file (I’ve done it more than once), and could probably execute arbitrary code.

Unique ID: This is a fixed-width field which, inexplicably, is 12 bytes long. If this ID is the same as the last News that was downloaded, then the download is aborted with the message 「あたらしい ニュースは ありません でした」 There was no new News.

Description: A text string, terminated with $50, that is displayed in the lower text box when the player is asked to confirm whether he or she wants to upload the save data and proceed with the News download.

Rankings save address: This 2-byte field contains the address where the rankings data will be stored in SRAM bank 6. Since the main News data will be written starting at 6:A000, the rankings data should be placed somewhere around 6:B000, such that the News does not overwrite the rankings.

Rankings metadata: This field begins with a 16-bit value denoting the length of the data that follows. The data is a series of 16-bit values, one for each rankings table that will be sent, indicating the width of a record in each rankings table. (For example, if there are 9 different rankings tables and each table contains 26-byte records, this field would be 12 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00 1A 00.)

Save data selection: This is a list of the regions of save data that will be sent to the server. Each region is specified by four bytes: the first byte is an SRAM bank, the second and third are an address, and the fourth is the number of bytes to send. The end of the list is marked with $FF. The requested data is concatenated and uploaded as a binary file.

Rankings data selection: This specifies the data that will be submitted for the rankings. The rankings data is submitted as key–value pairs in the manner of an HTML form submission, with the values encoded in ASCII hexadecimal. Each key is a string literal (in ASCII?) terminated with $50 (ASCII "P"‽). Each value is specified with a bank number, address, and length in the same manner as the save data upload. The list of key–value pairs is terminated with $50 (i.e., an empty string where the name of the next key would be expected).

Although data can technically be read from anywhere in SRAM, there is a block of data at 5:A001–A082 which exists specifically for use in the rankings. With the exception of 5:A016–A017, which doesn’t seem to be referenced at all, this block comprises 2-, 3-, or 4-byte big-endian values which are managed by a series of functions in bank $41. (Except for the Battle Tower win counter, these functions are still called in the English version in the relevant situations, but they’ve been dummied out, and wouldn’t work anyway since SRAM bank 5 doesn’t exist.)

A0014Play time when last entered the Hall of Fame (2 bytes hours, 1 byte minutes, 1 byte seconds)
A0054Step count when last entered the Hall of Fame
A0093Number of times the party was healed when last entered the Hall of Fame
A00C1Extraneous byte copied from 5:A03C when last entered the Hall of Fame
A00D3Number of battles when last entered the Hall of Fame
A0104Step count
A0142Number of Battle Tower wins
A0183Number of times TMs and HMs have been taught
A01B3Number of battles
A01E3Number of wild Pokémon battles
A0213Number of Trainer battles
A0273Number of Hall of Fame inductions
A02A3Number of wild Pokémon caught
A02D3Number of hooked Pokémon encounters
A0303Number of Eggs hatched
A0333Number of Pokémon evolved
A0363Number of Berries and Apricorns picked
A0393Number of times the party is healed
A03C3Number of times Mystery Gift is used
A03F3Number of trades
A0423Number of uses of field move Fly
A0453Number of uses of field move Surf
A0483Number of uses of field move Waterfall
A04B3Number of times the player whited out
A04E3Number of Lucky Number Show prizes won
A0513Number of Phone calls made and received
A0573Number of Colosseum battles
A05A3Number of times player’s Pokémon used Splash
A05D3Number of tree Pokémon encounters
A0633Number of Colosseum wins
A0663Number of Colosseum losses
A0693Number of Colosseum ties
A06C3Number of times player’s Pokémon used SelfDestruct or Explosion
A06F2Current streak of consecutive slot machine wins
A0712Longest streak of consecutive slot machine wins
A0734Total coins won from slot machines
A0774Total money earned from battles (including Pay Day)
A07B2Largest Magikarp measured
A07D2Smallest Magikarp measured
A07F2Bug-Catching Contest high score
A0812Bytewise checksum of A001–A080

There are functions which would increment the three-byte values at 5:A024, 5:A054, and 5:A060, but these functions don’t appear to be referenced even in the Japanese version.

5:A039 is incremented when the party is healed at a Pokémon Center, by the machine in Elm’s Lab, by Mr. Pokémon after giving the Mystery Egg, by Lance in the Rocket Hideout, by the old woman on Route 26, by resting in the bed on the S.S. Aqua, or before a Battle Tower or mobile Colosseum battle. It is not incremented when the party is healed after whiting out, by using a Sacred Ash, after winning or losing the first rival battle in Cherrygrove City, or after defeating the last Rocket Grunt in Slowpoke Well, Sailor Stanly on the S.S. Aqua, Lance at the Pokémon League, or Red at Mt. Silver.

The value from 5:A039 is then copied into 5:A009 when entering the Hall of Fame, but 4 bytes are copied rather than 3, so the high byte of the number of times Mystery Gift was used is copied into 5:A00C. (That byte will still always be $00, because Mystery Gift can’t be used more than 65535 times before the SRAM battery runs out. ;))

5:A05A and 5:A06C are incremented when the effect of the move is executed during the player’s turn, regardless of whether it was chosen by the player, chosen by a disobedient Pokémon, or called through Metronome, Mirror Move, or Sleep Talk.

Save data upload
The game uploads the save data as specified in the metadata file. The body of the server’s response is of no consequence.

Rankings upload
The game uploads the rankings data as specified in the metadata file. The server responds with the updated rankings tables. The game saves that data to the address specified in the metadata file. Each table begins with a 12-byte header:

$04Number of ranked players (big-endian)
$64Player’s rank (big-endian; will be treated as unranked if this value is greater than the number of ranked players)
$A2Number of entries in the table (big-endian)

The number of ranked players may be greater than the number of entries in the table; e.g., 1000 players might be given ranks (shown only to themselves) even though the table only lists the top 10 (shown to everyone).

Each entry in the table is of the length specified in the metadata file. The first 24 bytes follow a fixed format and the remaining bytes (up to 4?) are the score value.

$007Trainer name
$071Prefecture (values assigned in gojūon order from $01 = Aichi-ken to $2F = Wakayama-ken)
$0B1Gender ($00 = male, $01 = female)
$0C12Message (six two-byte little-endian easy chat words)
$18?Score (big-endian)

News download
The game downloads the News issue, stores it at 6:A000, and then executes it.

Based on the historical accounts of Pokémon News (particularly Kakeru’s transcripts of the last seven issues), which describe various quizzes, minigames, and rewards (including, of course, the GS Ball), it can be surmised that the News involves a scripting language with many different commands. Without access to any of the original News downloads, it could be quite a challenge to determine how the data is packaged and what the available commands are, and then reconstruct something resembling a News issue.

Good news, everyone! Game Freak left us some samples in ROM bank $7D.

There are three unused functions in that bank which each copy a different block of data to 6:A000. If a News issue has already been downloaded, these functions overwrite it with data from the ROM. (If no News had been downloaded, the game will say 「まえの ニュースが ありません!」 “There is no old NEWS…” when attempting to view it. This can be manually overridden by setting 5:AA72 to $01.)

This data in the ROM does not include any of the metadata or rankings tables, only the main News download. (This means we don’t know what data from the save file would be requested by the server, or what message would be displayed before downloading the News.) Also, dispointingly, none of the text of these News issues was translated in Vietnamese Crystal.

Here’s a video showing each of the News issues found in the ROM.

Trainer Rankings
A News issue entitled 「トレーナーランキング」 Trainer Rankings appears at 7D:5C6B in the Japanese ROM and at 7D:5DB4 in the localized ROMs. The function to copy this data into SRAM is at 7D:5C56 in the Japanese ROM and at 7D:5D9F in the localized ROMs.

This is the simplest News issue found in the ROM, having no features other than the rankings. It matches the screenshots on pages 25–26 of the Pocket Monsters: Crystal Version: Mobile Guide (ポケットモンスター クリスタルバージョン モバイルのてびき) packaged with the Mobile Adapter GB.

The main menu has four options:
ランキング を みる
View Rankings
いろいろな ランキングが みれます
View the different rankings.
ランキング の せつめい
Rankings Description
ランキングの せつめいです
A description of the rankings.
ランキング の こうしん
Update Rankings
さいしんの ランキングを ダウンロード します
Download the latest rankings.
ニュースを みるのを やめます
Quit viewing the News.

The background music for these menus is “Elm Pokémon Lab”.

Quit (or pressing B) returns to the News Machine menu. Update Rankings downloads the News metadata from the server, and then proceeds to submit the save data and rankings again only if the unique ID of the News issue has not changed. The description of the rankings says:

3つの テーマで ランキング!
いま おくった レポート からも
なにかが ランキングに はいって
いるかも しれません!

Rankings in three categories!
Now something from the save file you sent could be in the rankings!

View Rankings brings up a submenu to select from three ranking categories:
  • コロシアムで かった かいすう Number of Colosseum wins
  • むしとりたいかい こうとくてん Bug-Catching Contest high score
  • つった コイキングの おおきさ Size of caught Magikarp
In each category, there are three rankings:
  • ぜんこく の ランキング National ranking
  • とどうふけん の ランキング Prefectural ranking
  • ゆうびんばんごう の ランキング Postal code ranking
The latter two rankings would depend on the prefecture and the three-digit prefix of the postal code entered in the Mobile Profile. If the player has opted not to enter a postal code, it’s treated as 000 (no actual Japanese postal code starts with 000).

The first of the downloaded rankings tables is expected to contain the national ranking for Colosseum wins, the second one the prefectural ranking for the same, the fourth one the national ranking for the Bug-Catching Contest, et cetera.

Selecting any ranking shows the top 10 entries; for each entry, the trainer name, score, gender, age, prefecture can be seen, as well as the message they set in the Mobile menu. At the bottom of each top-10 ranking, the player can see their own current score (read from the corresponding address in SRAM: 5:A063 for the Colosseum, 5:A07F for the Bug-Catching Contest, and 5:A07B for the largest Magikarp) and ranking (as of the last rankings download, so not necessarily consistent with the score read from SRAM). If the player is not ranked, their score is followed by the message 「ランクイン しなかった… ざんねん…」 You were not ranked… Sorry…

The message 「ランキングデータが ありません[。] ランキングの こうしんを するば みることが できます」 There is no rankings data. You can see it by updating the rankings. appears in this News data (and all the other ones, too), but I don’t know what circumstances would cause it to appear.

In the Japanese ROM only, there is a near-identical copy of this News data at 7E:4000. (In the localized ROMs, bank $7E instead contains data for the offline Battle Tower and Odd Egg event.) The only difference is that the copy at 7E:4000 is missing four bytes at offset $002. Two of these missing bytes represent the length of the remaining data and the other two bytes are a bytewise checksum of that data. Since the checksum fails, the game refuses to load this version of the data, saying 「ニュースの データが こわれています[。] よみこみ なおして ください」 “The NEWS data is corrupted. Please download the NEWS again.”

Trainer Rankings (bis)
Another News issue entitled 「トレーナーランキング」 Trainer Rankings appears at 7D:4015 in the Japanese ROM and 7D:4018 in the localized ROMs. The corresponding function to copy this data into SRAM is at 7D:4000 in the Japanese ROM and 7D:4003 in the localized ROMs.

The most obvious difference between this News issue and the other one is that the main menu has an additional option called 「ポケモンなきごえクイズ」 Pokémon Cries Quiz, with the description 「ポケモンの なきごえを あててね!」 Guess the Pokémon cries!. The quiz has ten Pokémon to choose from: Suicune, Clefairy, Spearow, Gastly, Togepi, Zubat, Jynx, Espeon, Mewtwo, and Dunsparce. For each one, the player can listen to three different cries and guess which one is the correct cry for that Pokémon. There’s no scoring and no reward for guessing correctly. The background music for the quiz is “Hurry Along 2”.

The rankings menus have several changes:

The Update Rankings option has been…updated…to give some feedback after the download: If successful, 「ランキングの こうしんを しました!」 Rankings update done! If the news ID has changed, 「ランキングの こうしんに しっぱい… あたらしい ニュースを よみこんで ください」 Rankings update failed… Please load the new News. If cancelled by the user (or an error occurs?), 「ランキングの こうしんを やめました」 Rankings update cancelled.

The category Number of Colosseum wins has been replaced by 「バトルタワーで かった かいすう」 Number of Battle Tower wins. Notably, this ranking tries to read the player’s score from the unused location 5:A016, rather than the correct address 5:A014.

The local rankings now have the player’s prefecture and postal code in the title of the rankings (e.g., mine are called 「とうきょうと の ランキング」 and 「〒000 の ランキング」 because I set my prefecture to Tōkyō-to and didn’t set a postal code).

Selecting a blank entry in the top 10 now displays the message 「ここには だれも ランクイン してません」 No one is ranked here.

If the player’s score in any ranking is checked using the 「[player’s name] の じゅんい」 option and the player is #1 in that ranking, this message is displayed:

ランキングで トップを とった
すてきな プレゼントが あります

For earning the top spot in the ranking…
Here is a wonderful gift! Enjoy!

This triggers the GS Ball event; the player will receive the GS Ball upon leaving the PokéCom Center.

Pokémon News Debug Starting Issue
A News issue entitled 「ポケモンニュース デバッグかいしごう」 Pokémon News Debug Starting Issue appears only in the Japanese ROM at 7D:4DD0.  The function to copy this data into SRAM is at 7D:4DBB.

The main menu options are:
Trainer Rankings
いろいろな ランキングが みれます
View the different rankings.
Pokémon Cries Quiz
ポケモンの なきごえを あててね!
Guess the Pokémon cries!
Message from Game Freak
ゲームフリークからの メッセージです
A message from Game Freak.
ニュースを みるのを やめます
Quit viewing the News.

Trainer Rankings leads to a submenu identical to the first Trainer Rankings news data. The Pokémon Cries Quiz is identical to the one in the second Trainer Rankings news data. The Message from Game Freak could probably be translated better by someone who knows what they’re doing, but I’ll give it a shot:

さわやかな あきかぜが ふきぬける
きょう このごろですが
みなさま いかが おすごしで

われわれ クリスタルチームは
まいにち みぎてに マウス
ひだりてに こぶしを にぎりしめ
ねむくなれば おたがいを なぐり
かんせいに むけて はげんでおります

この ニュースは デバッグように
つくられて おります

ですので なきごえクイズなどでも
『ずかんにない ポケモンが!
…という ごしんぱいは
ごむようで ございます

それでは ひきつづき ニュースの
デバッグを よろしく おねがいします

もちろん ほかのところも
よろしく おねがいします
……… ……… ………

As the refreshing autumn breeze now blows through, is everyone getting along well?

Every day our Crystal Team is striving to finish the game, with our right hands holding our mice, and our left hands clenched in fists to hit each other if we get sleepy.

We made this News for debugging use.

Thus, in the Cries Quiz for example, you don’t need to worry about things like, “That Pokémon’s not in the Pokédex!”

That said, we ask that you continue with debugging the News.

Of course, we’d like you to work on other things as well…

This message seems to be directed at Nintendo’s product testers, which suggests it may have been deliberately included in the final build that Game Freak submitted for testing. The background music for the message is “National Park”.

Pokémon News First Issue
In the localized ROMs, the Pokémon News Debug Starting Issue is replaced by an entirely different issue entitled 「ポケモンニュース そうかんごう」 Pokémon News First Issue, found at 7D:4DD3. The function to copy this data into SRAM is at 7D:4DBE.

The fact that it appears in the localized ROMs and not the Japanese ROM suggests it may have been developed after the Japanese ROM was finalized. The name implies that it could be the actual first issue of Pokémon News that was published when the Mobile System GB launched in January 2001. However, I don’t think it is, because it contains the same script as the second Trainer Rankings data for awarding the GS Ball to a player who is #1 in any ranking, and I’m not aware of any documentation that the GS Ball was actually distributed in this manner.

The main menu options are:
News Guide
よみこんだ ニュースを かんたんに せつめいします
A brief description of the loaded News.
Trainer Rankings
3つの テーマで ランキングを します!
Rankings in three categories!
Pokémon Cult
これまでの ぼうけんを どこまで おもいだせるか テストします!
Test how well you remember your adventure so far!
ニュースを みるのを やめます
Quit viewing the News.

The News Guide says:

ポケモンニュース そうかんごうでは
おたのしみ ください!

あなたの ランキングの せいせきは
ランキングの こうしんを すれば
なんどでも かきかえられるので
がんばれば トップに なれるかも!

In the Pokémon News First Issue, please enjoy Trainer Rankings and the Pokémon Cult Quiz!

Your rankings can be updated as many times as you like; try your best and you might reach the top!

The Trainer Rankings submenu is pretty much the same as the second Trainer Rankings data (including the GS Ball reward), except that the player’s score for Number of Battle Tower wins is read from the correct address, 5:A014. The menu items have been rearranged and most of the descriptions rewritten:

ランキング を みる
View Rankings
いろいろな ランキングが みれます
View the different rankings.
ランキング の こうしん
Update Rankings
ランキングを よみこみなおします
あなたの せいせきも かわります
Reloads the rankings. Your results will also change.
ランキング の せつめい
Rankings Description
こんかいの ランキングの テーマに ついて せつめいします
Describes the current rankings categories.
さいしょの ページに もどります
Return to the first page.

The Rankings Description is more descriptive:

バトルタワーで かった かいすうは
40ばんどうろの バトルタワーで
あなたが これまでに なんにんの
トレーナーとの しょうぶに かったか
にんずうで きそいます

コイキングの おおきさは
いかりのみずうみに いる
つりめいじんに はかってもらった
コイキングの うち いちばん
おおきかった もので きそいます

むしとりたいかい こうとくてんは
しぜんこうえんで おこなわれる
むしとりたいかいで これまでに
とった いちばん たかい
てんすうで きそいます

“Number of Battle Tower wins” is ranked by the number of trainers you’ve won battles against so far in the Battle Tower on Route 40.

“Size of caught Magikarp” is ranked by the largest Magikarp measured by the Fishing Guru at Lake of Rage.

“Bug-Catching Contest high score” is ranked by the highest score earned so far in the Bug-Catching Contest held in the National Park.

The Pokémon Cult Quiz, unlike the cries quiz, is a proper quiz with scoring. Ten multiple-choice questions are presented in sequence, varying from mildly obscure (Is Mom’s specialty a Cinnabar Volcano bakemeat burger, curry, or yakisoba?) to incredibly obscure (How many times did Earl spin around before he entered the Pokémon Academy?). After you’ve answered all of the questions, Professor Oak evaluates your performance, although he doesn’t give any reward. The background music during the quiz is “Goldenrod Game Corner”, and the music for the evaluation is “Pokégear Radio: Professor Oak’s Pokémon Talk”.

News data structure
While I haven’t yet endeavored to write my own fake news, I have done some basic analysis of the structure of the existing data:

The data has a six-byte header; the first two bytes are 00 A0, the next two bytes are a bytewise checksum of the data (excluding the header), and the final two bytes are the length of the data (excluding the header). As mentioned above, the duplicate News data at 7E:4000 in the Japanese ROM omits these checksum and length values, and therefore doesn’t work in the final game.

Screen data
Data for the opening screen of the News issue begins immediately after the header. Other screens use the same data structure, which may be placed anywhere in the file and called using script command $01.

1Background music ID
1Number of custom palettes
Custom palette data. Four two-byte color values. Repeat × number of custom palettes.
1Number of boxes to draw
Box data. The first two bytes are origin x and y coordinates, the next two bytes are length and width, the fifth byte is the border type, and the sixth byte is the palette. Repeat × number of boxes to draw.
1Number of strings to print
Position to print a string, expressed as an offset into the screen buffer, followed by the string itself ($50-terminated). Repeat × number of strings to print.
12Menu origin x and y coordinates, number of columns and rows, column width and row height, plus six more bytes of menu parameters?
16Offsets to script data for each of the eight joypad buttons (A B Select Start ← → ↑ ↓). These offsets are relative to the start of the current screen data. The value $FFFF is used for a button which has no script.
1Number of menu items.
4Position to print menu descriptions, expressed as an offset into the screen buffer, and width and height of the area to be blanked before printing a description. (The blanked area begins one row above the given text position, to account for diacritics.)
1If not $00, loads the rankings table specified in 0:CD62. (That address should have been set by a script on the prior screen.)
Pointer to the name of each menu item. Repeat × number of items.
Pointer to script data for each menu item. Repeat × number of items.
Pointer to description text for each menu item. Repeat × number of items.

If anyone wants to have a go at documenting the News script commands, they’re in Jumptable17d72a in pokecrystal’s misc/mobile_5f.asm. Also of interest is the text character $15, which invokes another, smaller scripting language within a text string; this is used extensively in the Pokémon News data to insert variables into strings. Those commands are defined by the jumptable in Function17f047.
Emulation & ROM Hacking / Re: Emulating the Mobile Adapter GB
« on: August 13, 2017, 01:59:33 am »
I have actually been working on this occasionally over the past several months, but never found the time to compile my notes into something coherent.

I’ve figured out how the HTTP authentication scheme is supposed to work (an essential prerequisite for creating a server), and have also mostly documented the Pokémon News system. I need to put together a video to show that off, which I should do tomorrow.

I have some design plans for a server and client, but haven’t implemented anything. I might start on that this week, although I’m torn on whether to do that first or decipher the Battle Tower system.

Also, does the mobile phone adapter still work in 2017? As in, if I edited the rom of Crystal and the Mobile Trainer to not connect to but instead to our own server, would it work?

The adapter still works for peer-to-peer communication (Pokémon Cable Club) as long as the handsets are able to receive service. The last PDC network shut down in March 2012, and the original frequency allocation for CDMA service in Japan was changed in July 2012, so it is likely that only DDI Pocket handsets still work, as their service continues under the Y!mobile brand.

To allow the adapter to connect to the Internet, an alternative to the DION dial-up service would need to be provided. Assuming that were possible, the adapter would need to be reconfigured to dial that service instead of DION; this could be achieved by running a specially-prepared ROM off a flash cartridge, or perhaps through an elaborate arbitrary code execution exploit. But if you could connect to your own dial-up ISP, you wouldn’t need to edit the domain names in the ROM; you could just intercept requests at the ISP end and redirect them to the server of your choice.

If the goal is just to connect a real Pokémon Crystal (or other compatible game) cartridge to a reconstructed server, then a much simpler way to achieve that would be to plug a device directly into the link port and emulate the Mobile Adapter GB in exactly the same way that a PC-based emulator would. (Can a Raspberry Pi bit-bang at 256 Kib/s?)

It'd be cool to see the actual web servers this used brought back; a null-modem cable could be constructed using the real Mobile Adapter GB, which could then plug into a PC for actual Internet connection.

That’s another possibility, but would require knowing the protocol the adapter uses to control the handset (surely it’s documented somewhere?). Also, I doubt the requisite connectors are still manufactured, so some disassembly may be required… :)

Eventually I’ll want to do something like that anyway, in order to test the actual behavior of the adapter and find out what those missing numbers in the command list are for.
Pokémon Discussion / Re: Debug menus in Japanese Crystal
« on: February 22, 2017, 04:52:26 pm »
I found some more debug code that I’d missed! Okay, I shouldn’t get too excited, it’s only 9 bytes ;D

It’s at the end of bank 1, corresponding to the Predef1 function which is dummied out in the release build. It calls 3F:56DB, which is the debug menu with 「ロム バージョン」 ROM Version on it, and then returns to the title screen:
Code: [Select]
Predef1: ; 7e79
callba $fd6db
jp StartTitleScreen.TitleScreen
Generation III Glitch Discussion / Re: Gen III Remote Code Execution
« on: February 19, 2017, 06:58:51 am »
Another technique that might be useful is to take advantage of the Mystery Events feature that overrides an NPC script (used to install Norman’s Eon Ticket script). By storing a script that uses the callasm command, you could execute code on demand by talking to a particular NPC.

By writing such a script into the save file using multiboot, it might be possible to do this even in games where Mystery Events is unavailable (FireRed/LeafGreen and non-Japanese Emerald).
Pokémon Discussion / Re: Scrapped Pokémon from Gold and Silver
« on: February 18, 2017, 07:07:51 pm »
The HP bars are red-orange as well, so it looks like there may be just one palette applied to the entire screen.
Generation II Glitch Discussion / Re: Nightmare glitch and more
« on: February 03, 2017, 05:51:37 pm »
That code is only called when the player uses an item, not the AI. AI item usage is controlled by the code in battle/ai/items.asm. The equivalent function AI_HealStatus cures the AI’s active Pokémon of the effect of Toxic but not the effect of Nightmare. EnemyUsedFullRestore additionally cures the AI’s active Pokémon of confusion, but EnemyUsedFullHeal does not cure confusion. These bugs seem to be holdovers from Generation I, when Nightmare didn’t exist and neither Full Heal nor Full Restore cured confusion.
Pages: [1] 2 3 ... 9