VS. Recorder in Black and White and PKM Extraction

[Kaphotics]

Information Consolidation of all of my posts:

• VS Recorder data in the 5th gen is stored a little bit differently compared to the known Platinum convention (research done by NulMyre).
  
• 512 KB Save File offsets:
  
  • 0x0004A000 - Native Battle Video
    
  • 0x0004C000 - First Battle Video
    
  • 0x0004E000 - Second Battle Video
    
  • 0x00050000 - Third Battle Video
    

  [*]Example Videos, extracted from the save file with HxD (Offset Range Copy), Decrypted are from RAM dumps.

  • Each video is 8KB spaced, but occupies 6420 Bytes (down from 7520 in last gen).
    
  • Jenn - Video 1 || (Decrypted Jenn Video)
    
  • James - Video 2 || (Decrypted James Video)
    
  • Frank - Video 3 || (Decrypted Frank Video)
    
  • Native Video 1 || (Decrypted Native Video 1)
    
  • Native Video 2 || (Decrypted Native Video 2)
    
  • Native Video 3 || (Decrypted Native Video 3)
    
  • I cropped the remaining FFs from the end of the videos, as they aren't used. Down from 8192 bytes.
    

  [*]Research RAR

Battle Video Card Structure

0x00-0x0F - Trainer Profile (Owner of Video)
0x10-0x25 -- Trainer Profile Data
   0x10-0x13 - Trainer PID
   0x14 - Trainer Gender (00 Male 01 Female)
   0x15 - Trainer Birth Month
   0x16 - Trainer Avatar
   0x17 - Trainer Nation
   0x18 - Trainer SubLocale
   0x1C - Trainer Pokemon Displayed (Half Word)
   0x1D-0x25 - ???
0x26-0x6F -- FF Pads
0x70-0x7B -- Unused/Unknown
0x80-0xAX -- Battle Overview Data
   0x80-0x8B - Team#1
   0x8C-0x97 - Team#2
   0xA4 - Battle # (Subway Streak)
   0xA6 - Battle Mode(???)
   0xA7 - Game Modes (Launcher?)
   0xB8-0xBC - Battle Video ID(???)

Battle Process Structure

Currently Un-researched.

PKM Data Structure (.bpkm)

Battle Video PKMs are 112 bytes long (not all data is present!!!)
Offsets in Decrypted Battle Video: 
0XCFC: Max Present PKM
0xCFE: Currently Present PKM

PID		0xD00 + 0x70*pkm
Species		0xD06 + 0x70*pkm
Held Item	0xD08 + 0x70*pkm
Trainer ID	0xD0C + 0x70*pkm
Trainer SID	0xD0E + 0x70*pkm
Happiness	0xD14 + 0x70*pkm
Ability		0xD15 + 0x70*pkm
HP-EV		0xD16 + 0x70*pkm
Atk-EV		0xD17 + 0x70*pkm
Def-EV		0xD18 + 0x70*pkm
SpA-EV		0xD19 + 0x70*pkm
SpD-EV		0xD1A + 0x70*pkm
SpE-EV		0xD1B + 0x70*pkm
Move 1		0xD1C + 0x70*pkm
Move 2		0xD1E + 0x70*pkm
Move 3		0xD20 + 0x70*pkm
Move 4		0xD22 + 0x70*pkm
PP 1		0xD24 + 0x70*pkm
PP 2		0xD25 + 0x70*pkm
PP 3		0xD26 + 0x70*pkm
PP 4		0xD27 + 0x70*pkm
IVs		0xD2C + 0x70*pkm
Gender Forme	0xD30 + 0x70*pkm
NickName Field	0xD32 + 0x70*pkm
OTName Field	0xD48 + 0x70*pkm
PokeBall	0xD58 + 0x70*pkm
Origin		0xD59 + 0x70*pkm (01 is Japan, 02 is English)
Level		0xD60 + 0x70*pkm
BatlStat(maxHP)	0xD62 + 0x70*pkm
BatlStat(curHP)	0xD64 + 0x70*pkm
BatlStat(AtK)	0xD66 + 0x70*pkm
BatlStat(Def)	0xD68 + 0x70*pkm
BatlStat(SpA)	0xD6A + 0x70*pkm
BatlStat(SpD)	0xD6C + 0x70*pkm
BatlStat(SpE)	0xD6E + 0x70*pkm

   For Enemy Pokemon, add 4 to the base offset as every trainer has leading Max/Current PKM before the PKM Field. 

Trainers Battling

Somewhere after bpkm

Closing

Currently un-researched.

My posts before the last edit date may not be current information.

Edited June 14, 2011 by Kaphotics

[Kaphotics]

OLD

Did some looking into in the RAM (I know it's not save related but does give some insight as to what is inside the saved video).

VS. Recorder Screenshots of the Battles and Trainer Profiles (data stored on card)

RAM Offsets of Important Information (PKM and Trainer):

Battling Trainers: 0x0226C73C
Trainer PID(???): 0x226C74C
   This data also appears at 0x10 of the VRD
   Opposing Trainer's PID not in VRD.

At 0x0226C84C, the data from 0x18A0 is loaded, and shows the rest of the data.

Team Lineup and OT Trainers of Jenn.vrd in the RAM:

Jenn:            HENRY:
Cofagrigus - Jenn    Reuniclus - HENRY
Excadrill - Jenn    Meinshao - Glacen
Swoobat - Jenn        Banette - Japanese
Scrafty - Jenn        Stoutland - HENRY
Gigalith - MASON    Accelgor - JOHN
Emboar - Jenn        Lucario - Japanese

Pokemon Data in the RAM -- woo!

112 Bytes in Between Each PKM
Brown - Pokemon PID
Green - Species
Dark Red - Happiness (?? Henry's Stoutland is mad)
Orange - Trainer PID (or ID/SID)
Yellow - Move ID
Pink - Move PP
Purple - Gender of Pokemon
Red - Pokemon Name
Blue - Trainer Name
Black - Unknown / Unused
Gray - Max HP & Battle Stats -- Right Before this is Level (32) and something else as a halfword. 

Missing: Pokeball, Met Location, Hatch Location, Version Origin, Language Origin, IVs, Ribbons, EVs, Sheen.

Pretty sure everything is in there somehow. IVs are probably right before gender.

Edited June 14, 2011 by Kaphotics

[Kaphotics]

OLD

Alrighty, after spending more time with the RAM and a few battle videos I have found out how it operates. The Pokemon Data in the RAM was only the tip of the iceberg on what was contained within

Upon clicking on a battle video, the entire encrypted battle video (which I have a few uploaded in the first post) is loaded into the RAM at offsets (0x0226BA0????).

It remains there in its entirety for a split second (one or two frames, 1/60th of a second), in which it is decrypted and left there for easy access.

If you dump the memory and copy the offsets for where the encrypted/decrypted battle video was (like in HxD), you can then just separate it out like I did from the save file. The Encrypted battle video is exactly the same, and the Decrypted battle video is the same size as well.

I would upload a decrypted battle video, but I am only able to post currently (I will upload stuff when I can).

Approximate Layout:

Trainer Profile
FFFFFFFF
Battle Video Summary
==
Battle Moves/Etc
PKM
Trainers
Closing

===========

Pokemon Data occupies 112 bytes of data for each PKM. Strangely, it includes the ingame Stats. In the decrypted battle video, they start at 0xD00. They are there for 6 Trainer#1 PKMs, then there is a 4 byte (Max/Current PKMs Present) gap in between, then the Trainer#2(opponent) PKMs are there.

===========

Battle videos can be copied on top of the others. If you copy Frank's video onto another save file's appropriate offset (to overwrite the previous video), it can be viewed in game as there is no overall checksum on the save file to check (heh). I was able to make Frank's battle video occupy all 3 slots on the "Other Videos" menu (and viewing worked of course).

===========

Confirmed the native battle video locations via battle subway.

===========

I'll have more things (offsets/structure of bpkm) when I am able to upload stuff

I don't know how to make programs/make something to decrypt

Edited June 14, 2011 by Kaphotics

[Poryhack]

Interesting stuff here. Did NulMyre's program decrypt the videos or just backup/restore them?

[evandixon]

Interesting stuff here. Did NulMyre's program decrypt the videos or just backup/restore them?

It would have to decrypt it if you can extract the pokemon from each video.

[Kaphotics]

Research RAR'd up, includes battle pkms, more encrypted videos and everything else that follows and more.

This was done without using NulMyre's program as the structure is entirely different, all that I used from it was the decompiled java just to see how it worked in Platinum.

Decrypted Jenn Video

Overwriting Battle Videos

Reading the BPKM data from the RAM (identical to the decrypted data)

A little tutorial on accessing data within a Battle Video:

Upon loading the battle video, the game loads the entire VRD at 0x0226AFAC.

The video is loaded in its encrypted form, occupying 
0x0226AFAC-0x0226C8BF
Guess what, it gets decrypted by the game. Huzzah!

While in DeSmuME, Open Memory Viewer at the Battle Video Screen.
Dump All. Open .bin in HxD

copy the offsets: 0x0226AFAC-0x0226C8BF
Into a new file.
Bam, decrypted VRD, aka DBV (decrypted battle video)
Now to make sense of what the data is inside!

Program Implications: 
There are no checksums on the entire save file in regards to Battle Videos.
If you overwrite one video in the save with another downloaded one, 
it will be viewable instead! Backup and Share them!

Battle Video Structure:
Surface Summaries
Moves
Pokemon 
Trainers
Closing Summaries (???)

Battle Video PKMs are 112 bytes long (not all data is present!!!)
Offsets in Decrypted Battle Video: 
0XCFC: Max Present PKM
0xCFE: Currently Present PKM

PID		0xD00 + 0x70*pkm
Species		0xD06 + 0x70*pkm
Held Item	0xD08 + 0x70*pkm
Trainer ID	0xD0C + 0x70*pkm
Trainer SID	0xD0E + 0x70*pkm
Happiness	0xD14 + 0x70*pkm
Ability		0xD15 + 0x70*pkm
HP-EV		0xD16 + 0x70*pkm
Atk-EV		0xD17 + 0x70*pkm
Def-EV		0xD18 + 0x70*pkm
SpA-EV		0xD19 + 0x70*pkm
SpD-EV		0xD1A + 0x70*pkm
SpE-EV		0xD1B + 0x70*pkm
Move 1		0xD1C + 0x70*pkm
Move 2		0xD1E + 0x70*pkm
Move 3		0xD20 + 0x70*pkm
Move 4		0xD22 + 0x70*pkm
PP 1		0xD24 + 0x70*pkm
PP 2		0xD25 + 0x70*pkm
PP 3		0xD26 + 0x70*pkm
PP 4		0xD27 + 0x70*pkm
IVs		0xD2C + 0x70*pkm
Gender Forme	0xD30 + 0x70*pkm
NickName Field	0xD32 + 0x70*pkm
OTName Field	0xD48 + 0x70*pkm
PokeBall	0xD58 + 0x70*pkm
Origin		0xD59 + 0x70*pkm (01 is Japan, 02 is English)
Level		0xD60 + 0x70*pkm
BatlStat(maxHP)	0xD62 + 0x70*pkm
BatlStat(curHP)	0xD64 + 0x70*pkm
BatlStat(AtK)	0xD66 + 0x70*pkm
BatlStat(Def)	0xD68 + 0x70*pkm
BatlStat(SpA)	0xD6A + 0x70*pkm
BatlStat(SpD)	0xD6C + 0x70*pkm
BatlStat(SpE)	0xD6E + 0x70*pkm

For Enemy Pokemon, add 4 to the base offset as the 
max/current PKM present shifts it as well.

Some Offsets within the Battle Video that define visual cues:

0x00-0x0F - Trainer Profile (Owner of Video)
0x10-0x25 -- Trainer Profile Data
0x10-0x13 - Trainer PID
0x14 - Trainer Gender (00 Male 01 Female)
0x15 - Trainer Birth Month
0x16 - Trainer Avatar
0x17 - Trainer Nation
0x18 - Trainer SubLocale
0x1C - Trainer Pokemon Displayed (Half Word)
0x1D-0x25 - ???
0x26-0x6F -- FF Pads
0x70-0x7B -- Unused/Unknown
0x80-0xAX -- Battle Overview Data
0x80-0x8B - Team#1
0x8C-0x97 - Team#2
0xA4 - Battle # (Subway Streak)
0xA6 - Battle Mode(???)
0xA7 - Game Modes (Launcher?)
0xB8-0xBC - Battle Video ID(???)

[Kaphotics]

Copying the Native Video onto the Other Videos works:

Comes with it's own blank trainer profile!

Viewing your own native video has the game load the encrypted one too,
it then generates your Profile when it decrypts.

Static Locations
The value at 0xA8 must match the decrypted value at 0x189C, 
which is (always) 81 E2. This signifies "end data"?
The value at 0xAA must be 00 64.
The value at 0x18A6 must match the value at 0x1900.
The value at 0x18A4 is battle video # (1-native/1/2/3)
The Value at 0x1904 is 01 00 00 00 14 19 00 00 27 35 05 31 (decryption vars?)
The value at 0x00C0 is a checksum
The Value at 0x18A0 is a checksum
The Value at 0x18A6 is a checksum
The Value at 0x1900 is a checksum
The value at 0x1912 is a checksum

Encrypted Region
The first value different between Encrypted/Decrypted is 0xC4
The first value that is the same after 0xC4 is 0x18A0

[Kaphotics]

The region 0xC4-0x189F of the decrypted battle video CRC16-CCITT checksum is at 0x18A0.

This spans the only region of data that is different between Encrypted and Decrypted.

[Kyogre1]

Any idea how to decrypt this without the use of an emulator?

[Kaphotics]

well you need the save file to get the video on file.

No idea how to decrypt without an emulator.

[Kyogre1]

I see. No problem.

I looked at the decrypted data, but the only thing I could identify was the value at 0xF0. This seems to be controlling the battle BGM.

Did you make any progress? I really would like to know more about the Battle Process Structure.

[Kaphotics]

Nah I haven't been looking at Battle Videos, trying to finish up on some RNG things for the Smogon Community

BGM = background music? If you could go a little more in depth with what you've found / how to abuse it, we might start to get some Video modding codes like in the HGSS era of display modding.

I will shift my focus back to this after that is done, thanks for your interest/help!

[Kaphotics]

When you are at the point where you can press play on the video, you can modify the values of the decrypted battle video.

0xF8 - Battle Duration (Hex Length)

Moves are (almost) immediately after, obviously.

Turns appear to be 0xB long.

Moves:

I messed around with 0x14D, and was able to change the move the Pokemon did.

0x0226B0CD = mymove on move 3

0x0226B0F9 = mymove on move 6

These may be different depending on the battle video in question.

Some more decrypted battle videos:

http://dl.dropbox.com/u/12206225/Battle%20Video%20Research/Leaf%20Blade.DBV

http://dl.dropbox.com/u/12206225/Battle%20Video%20Research/Blaze%20Kick.DBV

http://dl.dropbox.com/u/12206225/Battle%20Video%20Research/Earthquake.DBV

save states

They are all from the same battle, except with different endings.

For the first one (Leaf Blade), I did not switch and used Leaf Blade to finish off the Pokemon.

For the second one (Blaze Kick), I switched to Blaziken. The next turn, I used Blaze Kick to finish off the Pokemon.

For the third one (Earthquake), I switched to Gyarados. The next turn, I used Earthquake to finish off the Pokemon.

Here's when I modified the 6th turn move:

Here's when I modified the 3rd turn move:

[Kaphotics]

Fooling around with the RAM part 1, translates to the Battle Video data...

0x0226B0AB = 0x82, making it 0x81 doesn't do anything and doesn't make me switch (I pound = move 0x0000)

By forcing Blaziken to stay out with this hex, it makes Virizion switch in on turn 5 instead of Virizion for Blaziken, which makes me think it swaps Pokemon slots not calls out a certain dex#.

0x0226B0A3 =

0x81 double battle.

0x82 regular triple

0x83 rotate triple

0x0226B0A2 = trainer identifier. Changed it to 0x4, and a wild Tirtouga appeared!

It does the introductory battle as how to catch a pokemon, then errors out.

0x5 makes the first Pokemon appear as if it were wild, and the battle still works.

Combining A3 and A2 leads to some weird stuff...

Edited July 24, 2011 by Kaphotics

[Kaphotics]

Figured out how to change the background / pads of the Battle!

0x0226B08C, whole word controls the background. Still haven't figured out how to control it to my desires...

B08F = 01 and 02

B08D = 01

B08C = 00, 05, 06,

B08C = 15, 16, 32

147 127 110

183 -222 325

Background Decimal Numbers (assorted good looking)

Edited July 24, 2011 by Kaphotics

[Kaphotics]

English White (Select) Background / Tile Changer (VS. Recorder)

Moved to RAM board as it is unrelated to saves.

It's a particular offset in the DBV.

Also, the Battle Video has the RNG constants, probably for encryption/decryption.

[Kaphotics]

The Battle RNG seeds (64bit) are located at 0x0226B070 in the RAM (white) right before the standard RNG constants (64bits) of Gen 5. When the battle begins playback it is then loaded to the main Battle RNG interpretation region (used for everything ingame as well), and is advanced there.

So far everything lines up with ingame battle RNG, so I might as well link to it here.

I'm kinda going away from Saves towards RAM because in the RAM it is decrypted...

~Encrypted Zone~

0xCC = Battle RNG Constants (16 bytes)

0xDC = Background/Pad #1 (4 bytes)

0xE0 = Background Pad #2 (4 bytes)

[Kaphotics]

hello old thread

B2W2 structure is the same as BW, if anyone was wondering. Posting a list of the offsets of videos within the save file. Good on GameFreak for eliminating some dead space in B2W2.

Black/White:

0x4A000 - Native Video
Ends: 0x4B913

0x4C000 - Video 1
Ends: 0x4D913

0x4E000 - Video 2
Ends: 0x4F913

0x50000 - Video 3
Ends: 0x51913

=======================


Black 2/White 2:

0x4C000 - Native Video
Ends: 0x4D913

0x4DA00 - Video 1
Ends: 0x4F313

0x4F400 - Video 2
Ends: 0x50D13

0x50E00 - Video 3
Ends: 0x52713

[LEGOanimal22]

The size of turns varies for different battle types.

Turns for double battles are about x18 bytes.

Turns for triple battles are about x24 bytes.

Edited August 31, 2013 by LEGOanimal22

[Kaphotics]

I haven't bothered updating this thread since Pokecheck has added battle video parsing (and fetching!).

however, here's a few tidbits ~ example doubles instruction

92 - turn start

02 - player 0 moves (2)

01 85 00 00

61 3B 00 00

22 - player 2 moves (2)

91 4C 00 00

91 4C 00 00

92 - turn start

02 - player 0 moves (2)

61 3B 00 00

91 4C 00 00

22 - player 2 moves (2)

91 4C 00 00

91 4C 00 00

12 - Switch Instructions

01 - Player 0 switches (1)

03 01 00 00

22 - Player 2 switches (2)

03 01 00 00

93 01 00 00

92 - turn start

02 - player 0 moves (2)

61 3B 00 00

11 06 00 00

22 - player 2 moves (2)

81 4E 00 00

81 4E 00 00

there's a "turnstart" instruction, "player # move" instruction (with how many PKMs instructed to move), and a switch instruction (also with a secondary per-player instruction), different instructions for "rotate" and "launch" exist but meh once you know how to visualize instructions it's easy to figure out the rest.

targeting is a little bit wonky; for moves it's little endian with the rightmost (lowest) 3 bits being flags on who is targeted (iirc).

[LEGOanimal22]

92 - turn start

02 - player 0 moves (2)

01 85 00 00

61 3B 00 00

22 - player 2 moves (2)

91 4C 00 00

91 4C 00 00

What are the 2 lines after "player # moves" ?

[Kaphotics]

the instructions for what the trainer's PKMs do.

instead of saying what move it chose from its movepool; it says what exact move it used and on what target. So stuff like Mimic and sketch can still work (without keeping track of that stuff).

It's just easier to say what move a field pokemon uses rather than referring and looking up stuff.

[LEGOanimal22]

Have you made any progress on decrypting from an EBV file?

[Kaphotics]

As I mentioned earlier, Pokecheck decrypts videos and displays them at the bottom of the page (so does the game when you view a video).

It's just standard encryption.

[codemonkey85]

It's just standard encryption.

You mean it uses the PRNG like Pokémon data? If that's the case, what's the seed?