Kaphotics (Author) Posted June 10, 2011 (edited)

Information

Consolidation of all of my posts:

VS Recorder data in the 5th gen is stored a little bit differently compared to the known Platinum convention (research done by NulMyre).

512 KB Save File offsets:
  0x0004A000 - Native Battle Video
  0x0004C000 - First Battle Video
  0x0004E000 - Second Battle Video
  0x00050000 - Third Battle Video

Example Videos, extracted from the save file with HxD (Offset Range Copy). Decrypted ones are from RAM dumps. Each video is 8 KB spaced, but occupies 6420 bytes (down from 7520 in the last gen).
  Jenn - Video 1 || (Decrypted Jenn Video)
  James - Video 2 || (Decrypted James Video)
  Frank - Video 3 || (Decrypted Frank Video)
  Native Video 1 || (Decrypted Native Video 1)
  Native Video 2 || (Decrypted Native Video 2)
  Native Video 3 || (Decrypted Native Video 3)
I cropped the remaining FFs from the end of the videos, as they aren't used. Down from 8192 bytes.

Research RAR

Battle Video Card Structure
  0x00-0x0F - Trainer Profile (Owner of Video)
  0x10-0x25 - Trainer Profile Data
    0x10-0x13 - Trainer PID
    0x14 - Trainer Gender (00 Male, 01 Female)
    0x15 - Trainer Birth Month
    0x16 - Trainer Avatar
    0x17 - Trainer Nation
    0x18 - Trainer SubLocale
    0x1C - Trainer Pokemon Displayed (Half Word)
    0x1D-0x25 - ???
  0x26-0x6F - FF Pads
  0x70-0x7B - Unused/Unknown
  0x80-0xAX - Battle Overview Data
    0x80-0x8B - Team#1
    0x8C-0x97 - Team#2
    0xA4 - Battle # (Subway Streak)
    0xA6 - Battle Mode (???)
    0xA7 - Game Modes (Launcher?)
    0xB8-0xBC - Battle Video ID (???)

Battle Process Structure
  Currently un-researched.

PKM Data Structure (.bpkm)
  Battle Video PKMs are 112 bytes long (not all data is present!!!)
  Offsets in Decrypted Battle Video:
    0xCFC - Max Present PKM
    0xCFE - Currently Present PKM
    0xD00 + 0x70*pkm - PID
    0xD06 + 0x70*pkm - Species
    0xD08 + 0x70*pkm - Held Item
    0xD0C + 0x70*pkm - Trainer ID
    0xD0E + 0x70*pkm - Trainer SID
    0xD14 + 0x70*pkm - Happiness
    0xD15 + 0x70*pkm - Ability
    0xD16 + 0x70*pkm - HP-EV
    0xD17 + 0x70*pkm - Atk-EV
    0xD18 + 0x70*pkm - Def-EV
    0xD19 + 0x70*pkm - SpA-EV
    0xD1A + 0x70*pkm - SpD-EV
    0xD1B + 0x70*pkm - SpE-EV
    0xD1C + 0x70*pkm - Move 1
    0xD1E + 0x70*pkm - Move 2
    0xD20 + 0x70*pkm - Move 3
    0xD22 + 0x70*pkm - Move 4
    0xD24 + 0x70*pkm - PP 1
    0xD25 + 0x70*pkm - PP 2
    0xD26 + 0x70*pkm - PP 3
    0xD27 + 0x70*pkm - PP 4
    0xD2C + 0x70*pkm - IVs
    0xD30 + 0x70*pkm - Gender/Forme
    0xD32 + 0x70*pkm - NickName Field
    0xD48 + 0x70*pkm - OTName Field
    0xD58 + 0x70*pkm - PokeBall
    0xD59 + 0x70*pkm - Origin (01 is Japan, 02 is English)
    0xD60 + 0x70*pkm - Level
    0xD62 + 0x70*pkm - BatlStat (maxHP)
    0xD64 + 0x70*pkm - BatlStat (curHP)
    0xD66 + 0x70*pkm - BatlStat (Atk)
    0xD68 + 0x70*pkm - BatlStat (Def)
    0xD6A + 0x70*pkm - BatlStat (SpA)
    0xD6C + 0x70*pkm - BatlStat (SpD)
    0xD6E + 0x70*pkm - BatlStat (SpE)
  For Enemy Pokemon, add 4 to the base offset, as every trainer has a leading Max/Current PKM before the PKM field.

Trainers Battling
  Somewhere after bpkm.

Closing
  Currently un-researched.

My posts before the last edit date may not be current information.

Edited June 14, 2011 by Kaphotics
Kaphotics (Author) Posted June 11, 2011 (edited)

OLD

Did some looking into the RAM (I know it's not save related, but it does give some insight as to what is inside the saved video).

VS. Recorder Screenshots of the Battles and Trainer Profiles (data stored on card)

RAM Offsets of Important Information (PKM and Trainer):
  Battling Trainers: 0x0226C73C
  Trainer PID (???): 0x226C74C
    This data also appears at 0x10 of the VRD. Opposing Trainer's PID not in VRD.
  At 0x0226C84C, the data from 0x18A0 is loaded, and shows the rest of the data.

Team Lineup and OT Trainers of Jenn.vrd in the RAM:
  Jenn:                 HENRY:
  Cofagrigus - Jenn     Reuniclus - HENRY
  Excadrill - Jenn      Mienshao - Glacen
  Swoobat - Jenn        Banette - Japanese
  Scrafty - Jenn        Stoutland - HENRY
  Gigalith - MASON      Accelgor - JOHN
  Emboar - Jenn         Lucario - Japanese

Pokemon Data in the RAM -- woo!
112 Bytes in Between Each PKM
  Brown - Pokemon PID
  Green - Species
  Dark Red - Happiness (?? Henry's Stoutland is mad)
  Orange - Trainer PID (or ID/SID)
  Yellow - Move ID
  Pink - Move PP
  Purple - Gender of Pokemon
  Red - Pokemon Name
  Blue - Trainer Name
  Black - Unknown / Unused
  Gray - Max HP & Battle Stats -- Right before this is Level (32) and something else as a halfword.

Missing: Pokeball, Met Location, Hatch Location, Version Origin, Language Origin, IVs, Ribbons, EVs, Sheen. Pretty sure everything is in there somehow. IVs are probably right before gender.

Edited June 14, 2011 by Kaphotics
Kaphotics (Author) Posted June 13, 2011 (edited)

OLD

Alrighty, after spending more time with the RAM and a few battle videos I have found out how it operates. The Pokemon Data in the RAM was only the tip of the iceberg of what was contained within.

Upon clicking on a battle video, the entire encrypted battle video (which I have a few uploaded in the first post) is loaded into the RAM at offsets (0x0226BA0????). It remains there in its entirety for a split second (one or two frames, 1/60th of a second), in which it is decrypted and left there for easy access. If you dump the memory and copy the offsets for where the encrypted/decrypted battle video was (like in HxD), you can then just separate it out like I did from the save file. The Encrypted battle video is exactly the same, and the Decrypted battle video is the same size as well. I would upload a decrypted battle video, but I am only able to post currently (I will upload stuff when I can).

Approximate Layout:
  Trainer Profile
  FFFFFFFF
  Battle Video Summary == Battle Moves/Etc
  PKM
  Trainers
  Closing

===========

Pokemon Data occupies 112 bytes of data for each PKM. Strangely, it includes the ingame Stats. In the decrypted battle video, they start at 0xD00. They are there for 6 Trainer#1 PKMs, then there is a 4 byte (Max/Current PKMs Present) gap in between, then the Trainer#2 (opponent) PKMs are there.

===========

Battle videos can be copied on top of the others. If you copy Frank's video onto another save file's appropriate offset (to overwrite the previous video), it can be viewed in game, as there is no overall checksum on the save file to check (heh). I was able to make Frank's battle video occupy all 3 slots on the "Other Videos" menu (and viewing worked of course).

===========

Confirmed the native battle video locations via battle subway.

===========

I'll have more things (offsets/structure of bpkm) when I am able to upload stuff. I don't know how to make programs/make something to decrypt.

Edited June 14, 2011 by Kaphotics
Poryhack Posted June 13, 2011

Interesting stuff here. Did NulMyre's program decrypt the videos or just backup/restore them?
evandixon Posted June 13, 2011

> Interesting stuff here. Did NulMyre's program decrypt the videos or just backup/restore them?

It would have to decrypt it if you can extract the pokemon from each video.
Kaphotics (Author) Posted June 13, 2011

Research RAR'd up; includes battle pkms, more encrypted videos, and everything else that follows and more. This was done without using NulMyre's program, as the structure is entirely different; all that I used from it was the decompiled java, just to see how it worked in Platinum.

Decrypted Jenn Video
Overwriting Battle Videos
Reading the BPKM data from the RAM (identical to the decrypted data)

A little tutorial on accessing data within a Battle Video:
Upon loading the battle video, the game loads the entire VRD at 0x0226AFAC. The video is loaded in its encrypted form, occupying 0x0226AFAC-0x0226C8BF. Guess what, it gets decrypted by the game. Huzzah!
  1. While in DeSmuME, open Memory Viewer at the Battle Video Screen.
  2. Dump All.
  3. Open the .bin in HxD and copy the offsets 0x0226AFAC-0x0226C8BF into a new file.
  4. Bam, decrypted VRD, aka DBV (decrypted battle video).
Now to make sense of what the data is inside!

Program Implications:
There are no checksums on the entire save file in regards to Battle Videos. If you overwrite one video in the save with another downloaded one, it will be viewable instead! Backup and Share them!

Battle Video Structure:
  Surface
  Summaries
  Moves
  Pokemon
  Trainers
  Closing Summaries (???)

Battle Video PKMs are 112 bytes long (not all data is present!!!)
Offsets in Decrypted Battle Video:
  0xCFC - Max Present PKM
  0xCFE - Currently Present PKM
  0xD00 + 0x70*pkm - PID
  0xD06 + 0x70*pkm - Species
  0xD08 + 0x70*pkm - Held Item
  0xD0C + 0x70*pkm - Trainer ID
  0xD0E + 0x70*pkm - Trainer SID
  0xD14 + 0x70*pkm - Happiness
  0xD15 + 0x70*pkm - Ability
  0xD16 + 0x70*pkm - HP-EV
  0xD17 + 0x70*pkm - Atk-EV
  0xD18 + 0x70*pkm - Def-EV
  0xD19 + 0x70*pkm - SpA-EV
  0xD1A + 0x70*pkm - SpD-EV
  0xD1B + 0x70*pkm - SpE-EV
  0xD1C + 0x70*pkm - Move 1
  0xD1E + 0x70*pkm - Move 2
  0xD20 + 0x70*pkm - Move 3
  0xD22 + 0x70*pkm - Move 4
  0xD24 + 0x70*pkm - PP 1
  0xD25 + 0x70*pkm - PP 2
  0xD26 + 0x70*pkm - PP 3
  0xD27 + 0x70*pkm - PP 4
  0xD2C + 0x70*pkm - IVs
  0xD30 + 0x70*pkm - Gender/Forme
  0xD32 + 0x70*pkm - NickName Field
  0xD48 + 0x70*pkm - OTName Field
  0xD58 + 0x70*pkm - PokeBall
  0xD59 + 0x70*pkm - Origin (01 is Japan, 02 is English)
  0xD60 + 0x70*pkm - Level
  0xD62 + 0x70*pkm - BatlStat (maxHP)
  0xD64 + 0x70*pkm - BatlStat (curHP)
  0xD66 + 0x70*pkm - BatlStat (Atk)
  0xD68 + 0x70*pkm - BatlStat (Def)
  0xD6A + 0x70*pkm - BatlStat (SpA)
  0xD6C + 0x70*pkm - BatlStat (SpD)
  0xD6E + 0x70*pkm - BatlStat (SpE)
For Enemy Pokemon, add 4 to the base offset, as the max/current PKM present shifts it as well.

Some Offsets within the Battle Video that define visual cues:
  0x00-0x0F - Trainer Profile (Owner of Video)
  0x10-0x25 - Trainer Profile Data
    0x10-0x13 - Trainer PID
    0x14 - Trainer Gender (00 Male, 01 Female)
    0x15 - Trainer Birth Month
    0x16 - Trainer Avatar
    0x17 - Trainer Nation
    0x18 - Trainer SubLocale
    0x1C - Trainer Pokemon Displayed (Half Word)
    0x1D-0x25 - ???
  0x26-0x6F - FF Pads
  0x70-0x7B - Unused/Unknown
  0x80-0xAX - Battle Overview Data
    0x80-0x8B - Team#1
    0x8C-0x97 - Team#2
    0xA4 - Battle # (Subway Streak)
    0xA6 - Battle Mode (???)
    0xA7 - Game Modes (Launcher?)
    0xB8-0xBC - Battle Video ID (???)
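An added example, not code from the thread or from Pokecheck: a Python parser for the 112-byte bpkm records using the offsets listed above, including the 4-byte shift for the opponent's records. It assumes little-endian fields and UTF-16LE names terminated by 0xFFFF (the Gen 5 text convention); the sample video it builds is constructed, not a real dump.

```python
import struct

VIDEO_SIZE = 6420   # bytes actually used per video (0x1914), per the thread
PKM_BASE = 0xD00    # first bpkm record of trainer #1 in the decrypted video
PKM_SIZE = 0x70     # 112 bytes per record
TEAM_SIZE = 6
TEAM_GAP = 4        # Max/Current-present halfwords in front of trainer #2's records

def record_offset(index: int) -> int:
    """Offset of record `index`: 0-5 trainer #1, 6-11 trainer #2 (the opponent)."""
    return PKM_BASE + PKM_SIZE * index + (TEAM_GAP if index >= TEAM_SIZE else 0)

def _name(raw: bytes) -> str:
    """Assumption: UTF-16LE text terminated by 0xFFFF (the Gen 5 text convention)."""
    return raw.decode("utf-16-le", "replace").split("\uffff", 1)[0]

def parse_bpkm(video: bytes, index: int) -> dict:
    """Decode one 112-byte record with the field offsets listed in the thread."""
    o = record_offset(index)
    r = video[o:o + PKM_SIZE]
    if len(r) != PKM_SIZE:
        raise ValueError("video too short for record %d" % index)
    u16 = lambda off: struct.unpack_from("<H", r, off)[0]
    u32 = lambda off: struct.unpack_from("<I", r, off)[0]
    return {
        "pid": u32(0x00), "species": u16(0x06), "item": u16(0x08),
        "tid": u16(0x0C), "sid": u16(0x0E),
        "happiness": r[0x14], "ability": r[0x15],
        "evs": tuple(r[0x16:0x1C]),            # HP, Atk, Def, SpA, SpD, Spe
        "moves": tuple(u16(0x1C + 2 * i) for i in range(4)),
        "pp": tuple(r[0x24:0x28]),
        "ivs": u32(0x2C), "gender_forme": u16(0x30),
        "nickname": _name(r[0x32:0x48]), "ot_name": _name(r[0x48:0x58]),
        "ball": r[0x58], "origin": r[0x59],    # origin: 01 Japan, 02 English
        "level": r[0x60],
        "stats": tuple(u16(0x62 + 2 * i) for i in range(7)),  # maxHP, curHP, Atk, Def, SpA, SpD, Spe
    }

def constructed_video() -> bytearray:
    """Constructed sample, not a real dump: an empty video with one record in trainer #2's second slot."""
    v = bytearray(VIDEO_SIZE)
    o = record_offset(7)
    struct.pack_into("<I", v, o + 0x00, 0x1234ABCD)                # PID
    struct.pack_into("<HH", v, o + 0x06, 145, 234)                 # species, held item
    struct.pack_into("<HH", v, o + 0x0C, 54321, 12345)             # TID, SID
    v[o + 0x14:o + 0x1C] = bytes([255, 3, 252, 0, 0, 0, 0, 6])    # happiness, ability, 6 EVs
    struct.pack_into("<4H", v, o + 0x1C, 85, 87, 65, 245)          # moves
    v[o + 0x24:o + 0x28] = bytes([15, 15, 24, 5])                  # PP
    struct.pack_into("<I", v, o + 0x2C, 0x3FFFFFFF)                # packed IVs
    v[o + 0x32:o + 0x40] = "ZAPDOS".encode("utf-16-le") + b"\xff\xff"
    v[o + 0x48:o + 0x50] = "RED".encode("utf-16-le") + b"\xff\xff"
    v[o + 0x58], v[o + 0x59], v[o + 0x60] = 4, 2, 50               # ball, origin, level
    struct.pack_into("<7H", v, o + 0x62, 165, 120, 110, 105, 145, 110, 120)
    return v
```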
Kaphotics (Author) Posted June 14, 2011

Copying the Native Video onto the Other Videos works: comes with its own blank trainer profile! Viewing your own native video has the game load the encrypted one too; it then generates your Profile when it decrypts.

Static Locations
  The value at 0xA8 must match the decrypted value at 0x189C, which is (always) 81 E2. This signifies "end data"?
  The value at 0xAA must be 00 64.
  The value at 0x18A6 must match the value at 0x1900.
  The value at 0x18A4 is battle video # (1-native/1/2/3).
  The value at 0x1904 is 01 00 00 00 14 19 00 00 27 35 05 31 (decryption vars?)
  The value at 0x00C0 is a checksum.
  The value at 0x18A0 is a checksum.
  The value at 0x18A6 is a checksum.
  The value at 0x1900 is a checksum.
  The value at 0x1912 is a checksum.

Encrypted Region
  The first value different between Encrypted/Decrypted is 0xC4.
  The first value that is the same after 0xC4 is 0x18A0.
Kaphotics (Author) Posted July 7, 2011

The CRC16-CCITT checksum of the region 0xC4-0x189F of the decrypted battle video is at 0x18A0. This spans the only region of data that is different between Encrypted and Decrypted.
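As an added example (not from the thread or Pokecheck), here is a Python check of that checksum over a decrypted video. It assumes the CRC-16/CCITT-FALSE variant (poly 0x1021, init 0xFFFF) stored little-endian at 0x18A0; the post names only the CRC family, so `init` is a parameter in case the 0x0000 (XModem) variant turns out to be the right one. The sample buffer is constructed.

```python
import struct

VIDEO_SIZE = 6420                    # bytes per video (0x1914), from the thread
CRC_START, CRC_END = 0xC4, 0x18A0    # checksummed region 0xC4-0x189F (also the encrypted region)
CRC_OFFSET = 0x18A0                  # where the CRC16 halfword is stored


def crc16_ccitt(data: bytes, init: int = 0xFFFF, poly: int = 0x1021) -> int:
    """Bitwise CRC-16/CCITT, MSB first, no reflection, no final XOR.
    Assumption: the CCITT-FALSE variant (init 0xFFFF); the post only names the family,
    so `init` is a parameter in case the 0x0000 (XModem) variant is the right one."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def stored_crc(video: bytes) -> int:
    """Assumption: the halfword at 0x18A0 is little-endian, like other DS data."""
    return struct.unpack_from("<H", video, CRC_OFFSET)[0]


def computed_crc(video: bytes) -> int:
    return crc16_ccitt(video[CRC_START:CRC_END])


def verify(video: bytes) -> bool:
    """True when the stored checksum matches the body. It says nothing about the trainer
    profile before 0xC4 or the trailer after 0x18A0, which the thread lists as carrying
    their own checksums."""
    if len(video) < VIDEO_SIZE:
        raise ValueError("expected at least %d bytes, got %d" % (VIDEO_SIZE, len(video)))
    return stored_crc(video) == computed_crc(video)


def stamp(video: bytes) -> bytearray:
    """Copy of `video` with the checksum recomputed over 0xC4-0x189F after an edit."""
    out = bytearray(video)
    struct.pack_into("<H", out, CRC_OFFSET, computed_crc(out))
    return out


def constructed_video() -> bytearray:
    """Constructed sample, not a real video: deterministic filler with a valid checksum stamped in."""
    body = bytes((i * 31 + 7) & 0xFF for i in range(VIDEO_SIZE))
    return stamp(body)
```

A flipped byte inside 0xC4-0x189F fails `verify`, while a change to the trainer profile before 0xC4 passes it, which is why the other checksums the thread lists still matter.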
Kyogre1 Posted July 10, 2011

Any idea how to decrypt this without the use of an emulator?
Kaphotics (Author) Posted July 10, 2011

Well, you need the save file to get the video on file. No idea how to decrypt without an emulator.
Kyogre1 Posted July 12, 2011

I see. No problem. I looked at the decrypted data, but the only thing I could identify was the value at 0xF0. This seems to be controlling the battle BGM. Did you make any progress? I really would like to know more about the Battle Process Structure.
Kaphotics (Author) Posted July 13, 2011

Nah, I haven't been looking at Battle Videos; trying to finish up on some RNG things for the Smogon Community. BGM = background music? If you could go a little more in depth with what you've found / how to abuse it, we might start to get some Video modding codes like in the HGSS era of display modding. I will shift my focus back to this after that is done; thanks for your interest/help!
Kaphotics (Author) Posted July 24, 2011

When you are at the point where you can press play on the video, you can modify the values of the decrypted battle video.

0xF8 - Battle Duration (Hex Length)
Moves are (almost) immediately after, obviously. Turns appear to be 0xB long.

Moves: I messed around with 0x14D, and was able to change the move the Pokemon did.
  0x0226B0CD = mymove on move 3
  0x0226B0F9 = mymove on move 6
These may be different depending on the battle video in question.

Some more decrypted battle videos:
  http://dl.dropbox.com/u/12206225/Battle%20Video%20Research/Leaf%20Blade.DBV
  http://dl.dropbox.com/u/12206225/Battle%20Video%20Research/Blaze%20Kick.DBV
  http://dl.dropbox.com/u/12206225/Battle%20Video%20Research/Earthquake.DBV
  save states
They are all from the same battle, except with different endings.
  For the first one (Leaf Blade), I did not switch and used Leaf Blade to finish off the Pokemon.
  For the second one (Blaze Kick), I switched to Blaziken. The next turn, I used Blaze Kick to finish off the Pokemon.
  For the third one (Earthquake), I switched to Gyarados. The next turn, I used Earthquake to finish off the Pokemon.

Here's when I modified the 6th turn move:
Here's when I modified the 3rd turn move:
Kaphotics (Author) Posted July 24, 2011 (edited)

Fooling around with the RAM, part 1; translates to the Battle Video data...

0x0226B0AB = 0x82; making it 0x81 doesn't do anything and doesn't make me switch (I pound = move 0x0000). By forcing Blaziken to stay out with this hex, it makes Virizion switch in on turn 5 instead of Virizion for Blaziken, which makes me think it swaps Pokemon slots, not calls out a certain dex#.

0x0226B0A3 = 0x81 double battle. 0x82 regular triple. 0x83 rotate triple.

0x0226B0A2 = trainer identifier. Changed it to 0x4, and a wild Tirtouga appeared! It does the introductory battle as how to catch a pokemon, then errors out. 0x5 makes the first Pokemon appear as if it were wild, and the battle still works.

Combining A3 and A2 leads to some weird stuff...

Edited July 24, 2011 by Kaphotics
Kaphotics (Author) Posted July 24, 2011 (edited)

Figured out how to change the background / pads of the Battle!

0x0226B08C, whole word controls the background. Still haven't figured out how to control it to my desires...
  B08F = 01 and 02
  B08D = 01
  B08C = 00, 05, 06
  B08C = 15, 16, 32

Background Decimal Numbers (assorted good looking): 147 127 110 183 -222 325

Edited July 24, 2011 by Kaphotics
Kaphotics (Author) Posted July 24, 2011

English White (Select) Background / Tile Changer (VS. Recorder)

Moved to RAM board as it is unrelated to saves. It's a particular offset in the DBV. Also, the Battle Video has the RNG constants, probably for encryption/decryption.
Kaphotics (Author) Posted July 28, 2011

The Battle RNG seeds (64 bit) are located at 0x0226B070 in the RAM (White), right before the standard RNG constants (64 bits) of Gen 5. When the battle begins playback it is then loaded to the main Battle RNG interpretation region (used for everything ingame as well), and is advanced there. So far everything lines up with ingame battle RNG, so I might as well link to it here.

I'm kinda going away from Saves towards RAM because in the RAM it is decrypted...

~Encrypted Zone~
  0xCC = Battle RNG Constants (16 bytes)
  0xDC = Background/Pad #1 (4 bytes)
  0xE0 = Background/Pad #2 (4 bytes)
Kaphotics (Author) Posted January 30, 2013

hello old thread

B2W2 structure is the same as BW, if anyone was wondering. Posting a list of the offsets of videos within the save file. Good on GameFreak for eliminating some dead space in B2W2.

Black/White:
  0x4A000 - Native Video    Ends: 0x4B913
  0x4C000 - Video 1         Ends: 0x4D913
  0x4E000 - Video 2         Ends: 0x4F913
  0x50000 - Video 3         Ends: 0x51913

=======================

Black 2/White 2:
  0x4C000 - Native Video    Ends: 0x4D913
  0x4DA00 - Video 1         Ends: 0x4F313
  0x4F400 - Video 2         Ends: 0x50D13
  0x50E00 - Video 3         Ends: 0x52713
LEGOanimal22 Posted August 31, 2013 (edited)

The size of turns varies for different battle types. Turns for double battles are about 0x18 bytes. Turns for triple battles are about 0x24 bytes.

Edited August 31, 2013 by LEGOanimal22
Kaphotics (Author) Posted August 31, 2013

I haven't bothered updating this thread since Pokecheck has added battle video parsing (and fetching!). However, here's a few tidbits ~

Example doubles instruction:
  92 - turn start
    02 - player 0 moves (2)
      01 85 00 00
      61 3B 00 00
    22 - player 2 moves (2)
      91 4C 00 00
      91 4C 00 00
  92 - turn start
    02 - player 0 moves (2)
      61 3B 00 00
      91 4C 00 00
    22 - player 2 moves (2)
      91 4C 00 00
      91 4C 00 00
  12 - Switch Instructions
    01 - Player 0 switches (1)
      03 01 00 00
    22 - Player 2 switches (2)
      03 01 00 00
      93 01 00 00
  92 - turn start
    02 - player 0 moves (2)
      61 3B 00 00
      11 06 00 00
    22 - player 2 moves (2)
      81 4E 00 00
      81 4E 00 00

There's a "turnstart" instruction, a "player # move" instruction (with how many PKMs instructed to move), and a switch instruction (also with a secondary per-player instruction). Different instructions for "rotate" and "launch" exist, but meh; once you know how to visualize instructions it's easy to figure out the rest.

Targeting is a little bit wonky; for moves it's little endian with the rightmost (lowest) 3 bits being flags on who is targeted (iirc).
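An added example, not the thread's own code: a Python walker over the doubles stream quoted above. It interprets the post's annotations as "high nibble = block kind or player number, low nibble = count", which is an assumption drawn from the annotations and not confirmed by the post; each entry is read as a little-endian word and its low 3 bits are exposed as the target flags the post mentions.

```python
# Constructed sample: the doubles instruction bytes quoted in the post above, joined into one stream.
SAMPLE = bytes.fromhex(
    "92 02 01850000 613B0000 22 914C0000 914C0000"
    "92 02 613B0000 914C0000 22 914C0000 914C0000"
    "12 01 03010000 22 03010000 93010000"
    "92 02 613B0000 11060000 22 814E0000 814E0000"
)

# Assumption read off the post's annotations, not confirmed by it: a block header's high
# nibble gives the block kind (0x9 turn start, 0x1 switch) and its low nibble the number
# of per-player groups; a group header's high nibble is the player, its low nibble the
# number of 4-byte entries that follow.
BLOCK_KINDS = {0x9: "turn", 0x1: "switch"}
ENTRY_LEN = 4


def parse_instructions(stream: bytes) -> list:
    """Split an instruction stream into blocks -> per-player groups -> entries (LE words)."""
    blocks, pos = [], 0
    while pos < len(stream):
        hdr = stream[pos]
        kind = BLOCK_KINDS.get(hdr >> 4)
        if kind is None:      # rotate/launch blocks are mentioned in the post but not shown
            raise ValueError("unknown block header 0x%02X at 0x%X" % (hdr, pos))
        pos += 1
        groups = []
        for _ in range(hdr & 0xF):
            if pos >= len(stream):
                raise ValueError("truncated group header at 0x%X" % pos)
            player, count = stream[pos] >> 4, stream[pos] & 0xF
            pos += 1
            end = pos + ENTRY_LEN * count
            if end > len(stream):
                raise ValueError("truncated entries for player %d at 0x%X" % (player, pos))
            entries = [int.from_bytes(stream[i:i + ENTRY_LEN], "little")
                       for i in range(pos, end, ENTRY_LEN)]
            groups.append({"player": player, "entries": entries})
            pos = end
        blocks.append({"kind": kind, "groups": groups})
    return blocks


def target_flags(entry: int) -> int:
    """Low 3 bits of a move entry: the target flags the post recalls (its author says 'iirc')."""
    return entry & 0x7


def describe(stream: bytes) -> list:
    """One line per block, e.g. 'turn: p0 x2, p2 x2', for eyeballing a dump."""
    return ["%s: %s" % (b["kind"], ", ".join("p%d x%d" % (g["player"], len(g["entries"]))
                                               for g in b["groups"]))
            for b in parse_instructions(stream)]
```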
LEGOanimal22 Posted August 31, 2013

> 92 - turn start
> 02 - player 0 moves (2)
> 01 85 00 00
> 61 3B 00 00
> 22 - player 2 moves (2)
> 91 4C 00 00
> 91 4C 00 00

What are the 2 lines after "player # moves"?
Kaphotics (Author) Posted August 31, 2013

The instructions for what the trainer's PKMs do. Instead of saying what move it chose from its movepool, it says what exact move it used and on what target. So stuff like Mimic and Sketch can still work (without keeping track of that stuff). It's just easier to say what move a field pokemon uses rather than referring and looking up stuff.
LEGOanimal22 Posted August 31, 2013

Have you made any progress on decrypting from an EBV file?
Kaphotics (Author) Posted August 31, 2013

As I mentioned earlier, Pokecheck decrypts videos and displays them at the bottom of the page (so does the game when you view a video). It's just standard encryption.
codemonkey85 Posted September 1, 2013

> It's just standard encryption.

You mean it uses the PRNG like Pokémon data? If that's the case, what's the seed?