Pkx: The New Pokemon Format For Gen 6

[Surgo]

  Keplar said:

So you're having trouble using a virtual adapter to broadcast? I was actually considering switching over to that, in favor of a pure software solution that didn't require an extra router.

At the moment, I'm searching for a program that I can easily tweak to swap out sections of packets. It would be nice if this involved HTTP traffic or if there was a simple DNS address I could spoof... It sure would make things a lot easier. UDP modification is relatively new to me.

If you're a Linux user, this is fairly easy and straightforward to do using Netfilter. Packets can be stolen from the kernel using a standard iptables rule, which are then modified by a userspace program that you write and then reinjected back into the network stack.

[Bond697]

from now on, anything posted in here that's not a direct contribution of some kind gets deleted and infracted.

i'm really getting sick of "how i edit packet?"

[evandixon]

After all, this thread is more aimed towards developers and researchers.

A user friendly exploit comes at some unforeseeable time in the future (unforeseeable = don't ask).

Carry on, devs.

[phoenragon]

  xyzman said:

What .NET framework version is required? I don't have access to Windows machine, and WINE + .NET was always a gamble...

WINE and Wineskin aren't compatible with NET framework 4 at all as far as I know. But from the sound of Codemonkey's post, it may not take much to compile a Mac friendly version:

  codemonkey85 said:

Pretty sure it's 4.0. The backend library is vanilla C++ so I could compile a version for Linux / Mac if people need it.

That would be much appreciated, codemonkey, if you have the time. Would like to be able to help in some way if possible.

[er1c1996]

Codemonkey, idk if you're planning on adding move/ability names once they are confirmed but I can confirm that after intercepting my Eevee that moves 39 = Tail Whip, 204 = Charm, 281 = Yawn, and 273 = Wish. Basically the same as previous gens.

[codemonkey85]

The move IDs of moves from previous generations are most likely all the same index numbers as in previous generations (they have been so far anyway). For reference: http://bulbapedia.bulbagarden.net/wiki/List_of_moves

However, if you wish to contribute index numbers for new moves, by all means...

[er1c1996]

  codemonkey85 said:

The move IDs of moves from previous generations are most likely all the same index numbers as in previous generations (they have been so far anyway). For reference: http://bulbapedia.bulbagarden.net/wiki/List_of_moves

However, if you wish to contribute index numbers for new moves, by all means...

I figured as much, just basically confirming it. Problem is you have to Wonder Trade to do this, and I'm not sure if there's a time at which I can receive the packet but not actually trade the Pokemon. If I can figure that out, I'd surely get a few new moves out there.

Otherwise, it's a lot of breeding.

EDIT: If anyone's intersted, here's my Eevee's .pkx. https://www.dropbox.com/s/7jtv2isp4blucf8/eevee.pkx I don't know, might be useful for something.

[bluesun]

I'm surprised they kept the same encryption method for the Pokemon data, to be honest...

Partial list of new items:

#639/0x27F, Weakness Policy

#640/0x280, Assault Vest

#644/0x284, Pixie Plate

#645/0x285, Ability Capsule

#646/0x286, Whipped Dream

#647/0x287, Sachet

#648/0x288, Luminous Moss

#649/0x289, Snowball

#650/0x28A, Safety Goggles

#652/0x28C, Rich Mulch

#653/0x28D, Surprise Mulch

#654/0x28E, Boost Mulch

#655/0x28F, Amaze Mulch

#686/0x2AE, Roseli Berry

#687/0x2AF, Kee Berry

#688/0x2B0, Maranga Berry

#699/0x2BB, Discount Coupon

#704/0x2C0, Strange Souvenir

#708/0x2C4, Lumiose Galette

#709/0x2C5, unknown normal item, some sort of wooden tablet

#710/0x2C6, Jaw Fossil

#711/0x2C7, Sail Fossil

#715/0x2CB, Fairy Gem

656~685 are likely the Mega Stones, if anyone wants to poke around. 28 Mega Stones are known, so there may be two more undiscovered in that gap (and it's easier to poke around 30 items than attempt to form+1 all 700+ Pokemon).

If all the item slots are used, there's around 11 or so items still not known, so they may be worth checking out.

[codemonkey85]

  bluesun said:

I'm surprised they kept the same encryption method for the Pokemon data, to be honest...

I'm not. Anyway, thanks for this! I threw it into the veekun spreadsheet for the time being - which I highly recommend people refer to when trying to discover new items and things.

[er1c1996]

A couple more .pkx's:

Xerneas: https://www.dropbox.com/s/y7v1p27gqisissj/xerneas.pkx

Zygarde: https://www.dropbox.com/s/t1gw60k26h8584y/zygarde.pkx

[theSLAYER]

While this post is completely not helping to contribute (I'll like to, but I don't have the hardware to help as of now),

Has anyone tried to capture packets for mystery gifts?

[evandixon]

  theSLAYER said:

While this post is completely not helping to contribute (I'll like to, but I don't have the hardware to help as of now),

Has anyone tried to capture packets for mystery gifts?

At least you're not asking "whens pokgen being updated??????????" or something.

Now to add something to this post so it's not completely off-topic, what's the "sanity placeholder" on the wiki page? It looks like empty space, but does it have a purpose?

[codemonkey85]

  evandixon said:

Now to add something to this post so it's not completely off-topic, what's the "sanity placeholder" on the wiki page? It looks like empty space, but does it have a purpose?

If you're referring to 0x04 - 0x05, I believe those were runtime flags in the previous games that indicated whether or not data was encrypted. One was for box data and one was for party data.

[Kane49]

Yo guys !

Im new here as you can probably see Im fiddling about with stuff and hope its not to imposing to ask the following question:

So here is my wondertrade packet, data section starts at 0x0057, and i can't seem to find where the pokemon data starts.

Im pretty sure that if i find it once (with help) i will find it on my own later so any help finding it would be appreciated

  Reveal hidden contents

0050  fc cf 92 03 bb cf ca ea  d0 01 03 92 03 11 11 e2   ........ ........
0060  08 1a 00 0d 00 52 5d 86  19 9b ed c2 e8 bd d3 1f   .....R]. ........
0070  05 c5 8e 8b c0 02 01 00  e9 0b 7e 03 02 00 00 00   ........ ..~.....
0080  01 02 00 00 04 01 00 00  01 02 00 00 01 00 00 00   ........ ........
0090  76 03 00 00 0b 79 04 12  00 00 58 40 b4 73 1a ed   v....y.. ..X@.s..
00a0  0c 2b cd ce 09 54 bd 04  33 34 5e 03 85 a6 55 26   .+...T.. 34^...U&
00b0  3f ee 84 c9 ba ea e7 61  d3 a6 3d 92 c4 86 c9 0a   ?......a ..=.....
00c0  1e 64 de c8 10 79 2d a9  d8 ac 5f 7c 27 ea a9 38   .d...y-. .._|'..8
00d0  a1 56 73 14 f4 ba 51 09  10 3d d9 43 85 4a 24 ac   .Vs...Q. .=.C.J$.
00e0  1b 47 f1 cb 12 d4 c8 32  bb 5e 92 e5 3f a9 79 b6   .G.....2 .^..?.y.
00f0  cf 3e 1a 63 9e cc 3f 5a  41 3b c5 df 77 b0 5f 3c   .>.c..?Z A;..w._<
0100  66 67 42 90 ca 1d 13 0b  aa be 83 88 cd 78 33 cf   fgB..... .....x3.
0110  35 cc 9b 75 51 4e d7 c9  26 c8 2e b4 c2 b7 ee dd   5..uQN.. &.......
0120  d1 16 cd 99 ef 9e 94 86  86 eb d6 ab 60 20 c6 02   ........ ....` ..
0130  64 c7 2a f2 e6 c6 70 e0  c6 b8 82 6d ce e1 88 bb   d.*...p. ...m....
0140  6c 3d cf e5 9f f0 c0 06  b1 8a c2 54 59 f3 ad 38   l=...... ...TY..8
0150  f6 cb 38 61 77 a5 d9 89  55 b4 6c 09 48 44 28 53   ..8aw... U.l.HD(S
0160  c5 6b ed ba a7 9b 22 20  d2 d0 10 62 1b f4 c6 dc   .k...."  ...b....
0170  85 10 dc d0 5c d1 cd 64  aa 9a ee 7e 00 00 00 00   ....\..d ...~....
0180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0190  00 00 00 00 00 00 00 00  d1 d9 86 62 19 00 01 01   ........ ...b....
01a0  79 b4 b3 aa 8a e6 bd dd  24 c7 34 4f 71 0f 6d a7   y....... $.4Oq.m.
01b0  24 c7 34 4f 71 0f 6d a7  c2 00 6c 08 00 00 1a 01   $.4Oq.m. ..l.....
01c0  e1 18 a6 60 00 01 00 00  c8 60 09 05 01 cb 08 03   ...`.... .`......
01d0  01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01e0  59 ff 4f ff 59 ff 4f ff  00 00 00 00 00 00 00 00   Y.O.Y.O. ........
01f0  00 00 00 00 00 00 00 00  00 00 88 30 88 30 00 00   ........ ...0.0..
0200  4f ff 00 00 00 00 00 00  00 00 00 00 00 00 00 00   O....... ........
0210  00 00 00 00 6f 30 58 30  81 30 7e 30 57 30 66 30   ....o0X0 .0~0W0f0
0220  00 30 53 30 93 30 6b 30  61 30 6f 30 01 ff 00 00   .0S0.0k0 a0o0....
0230  00 00 00 00 00 00 5f 30  44 30 5b 30 93 30 00 30   ......_0 D0[0.0.0
0240  57 30 7e 30 57 30 87 30  46 30 01 ff 00 00 00 00   W0~0W0.0 F0......
0250  00 00 00 00 00 00 00 00  53 30 46 30 4b 30 93 30   ........ S0F0K0.0
0260  00 30 57 30 7e 30 57 30  87 30 46 30 01 ff 00 00   .0W0~0W0 .0F0....
0270  00 00 00 00 00 00 00 00  00 00 c8 30 ec 30 fc 30   ........ ...0.0.0
0280  ca 30 fc 30 d7 30 ed 30  e2 30 00 30 7f 30 66 30   .0.0.0.0 .0.0.0f0
0290  6d 30 01 ff 00 00 00 00  00 00 00 00 4f 00 d1 30   m0...... ....O..0
02a0  ef 30 fc 30 92 30 00 30  64 30 4b 30 63 30 66 30   .0.0.0.0 d0K0c0f0
02b0  4f 30 60 30 55 30 44 30  01 ff 00 00 00 00 00 00   O0`0U0D0 ........
02c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02e0  00 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0300  00 00 00 00 00 00 00 00  59 43 4e 64 92 55 4b 18   ........ YCNd.UK.
0310  72 cc be 57 a2 36 c1 0f  17 aa 87 88 40 ae 34 11   r..W.6.. ....@.4.
0320  0b 91 ee a7 3a b1 9c 4f  f4 f2 4f 3c df 5a 6c c8   ....:..O ..O<.Zl.
0330  de 75 2a 7e 90 24 4f cc  04 3a a5 27 29 d3 79 0b   .u*~.$O. .:.').y.
0340  8d 1b 80 56 5f b9 52 4e  aa 2c 51 a7 cb 52 69 77   ...V_.RN .,Q..Riw
0350  b6 f3 a7 14 77 bf 5f d5  ae af 9f 8e 80 0a 28 fe   ....w._. ......(.
0360  cb 89 49 73 d1 78 4c 1c  85 dc 54 09 82 4c f7 54   ..Is.xL. ..T..L.T
0370  dd 0c fa ec 4f b4 11 d5  bf 58 2d 8e 36 27 49 c5   ....O... .X-.6'I.
0380  f6 c6 3e 5c 7a f3 ff 8f  fb 39 fe 91 c4 35 51 53   ..>\z... .9...5QS
0390  79 fe 4f 83 22 63 10 42  63 cb 40 15 18 fd 3d 35   y.O."c.B c.@...=5
03a0  e1 3f a5 1f 93 68 5a 8a  d9 b6 03 0e 96 d7 27 ad   .?...hZ. ......'.
03b0  ce 90 34 fb d3 e7 6f 22  d4 f4 ff 18 e0 ce ed 0b   ..4...o" ........
03c0  d9 ac d3 8e 00 08 09 22  34 95 b3 46 cc 83 7b d4   ......." 4..F..{.
03d0  fe 56 fb f5 73 8e 5e 62  23 4c b3 0b 3c 58 0a 5d   .V..s.^b #L..<X.]
03e0  20 ab 32 08 e8 d0 9d c8  a8 75 94 44 a5 05 9d 57    .2..... .u.D...W
03f0  28 f5 f3 2b c6 ad e9 09  01 c4 e3 d5 5e 51 3d 5d   (..+.... ....^Q=]
0400  e0 7e 09 c6 56 b6 d2 bb  0f 00 ee b6 f6 d8         .~..V... ......  

And again i hope this isn't too imposing, i have some time to kill and the whole system is very interesting programmatically

Edited November 3, 2013 by codemonkey85
Spoiler tags to make life easier

[theSLAYER]

  evandixon said:

At least you're not asking "whens pokgen being updated??????????" or something.

I know better than to ask that.

If it's out, it's out. No need to ask, really.

Anyhow, it seems that "Markings" are missing from the structure page.

EDIT:

  Kane49 said:

i can't seem to find where the pokemon data starts.

from 0x94 to 0x17b.

(it's a Pansage belonging to yoyo)

To find it, you'll have to identify the following pattern:

xx xx xx xx 00 xx xx.... xx 00 00 00

The first 00 (I mentioned above) is the "Sanity placeholder" and it'll be seemingly garbled mess till the end, which will be the long cycles of 00 00 00..

The first 4 xx xx xx xx is the PID value.

For simplicity sake, I've attached your encrypted Pansage.

Edited April 27, 2016 by theSLAYER

[Kane49]

  theSLAYER said:

For simplicity sake, I've attached your encrypted Pansage.

Thanks alot man, this helps immensely

/Edit:

For everyone else researching this, the pokemon data in wonder trades always start after:

76 03 00 00[/Code]
 in Hex or for the more visual people
[Code]v   [/Code]
 in Ascii
My sample size is pretty small but it seems to work out 
/E2: 
Trying to figure out how the server tells my 3DS who to trade with, it exchanges port numbers with one of the servers but the IP doesnt seem to be transmitted 
I know that when you connect to the nintendo wifi thingy it requests a DHCP Record, maybe there are some hostname shenanigans going on, lets find out !

[er1c1996]

Has anyone figured out how the GTS packets work? Trading is good and all, but GTS would be a solo job. Here's the data section of what I suspect to be the packet:

  Reveal hidden contents

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  EA D0 01 03 FE 00 AF A1 E2 00 DE 00 09 00 3E 17  êÐ..þ.¯¡â.Þ...>.
00000010  F8 7F ED 75 07 5E 46 72 26 5B 36 01 0C 25 02 01  ø.íu.^Fr&[6..%..
00000020  00 E2 F2 11 13 6E B8 99 71 99 6B 16 A6 2A 61 8D  .âò..n¸™q™k.¦*a.
00000030  E6 3B 33 03 99 B2 2A C0 CF 3D 09 E7 BF 3C 6E 90  æ;3.™²*ÀÏ=.ç¿<n.
00000040  01 B2 FF A9 F2 CB BF 11 71 C8 CB 3A 33 1C CF 0A  .²ÿ©òË¿.qÈË:3.Ï.
00000050  38 F3 5D 1F BC 54 13 33 5A 1A D1 C9 B5 5A BB C8  8ó].¼T.3Z.ÑɵZ»È
00000060  07 25 68 41 2E 1C E1 36 A7 13 BF AB DD 34 32 54  .%hA..á6§.¿«Ý42T
00000070  78 92 03 35 C6 A7 0A E5 E9 E5 E0 60 C4 59 1F C2  x’.5Ƨ.åéåà`ÄY.Â
00000080  3C 16 65 95 87 A1 EA 09 56 84 5B 31 85 83 01 8D  <.e•‡¡ê.V„[1…ƒ..
00000090  48 B2 14 DE C5 33 CE 22 F9 A4 3D 93 25 35 06 82  H².ÞÅ3Î"ù¤=“%5.‚
000000A0  1A D3 0A 60 21 12 A0 C3 14 60 57 20 84 D9 1B 3F  .Ó.`!. Ã.`W „Ù.?
000000B0  89 AB 6F BD 73 40 17 05 69 76 D5 C4 F2 BE 28 D6  ‰«o½s@..ivÕÄò¾(Ö
000000C0  80 BD AE 02 18 1C AE 07 3C BA 8A 19 E7 4E 75 93  €½®...®.<ºŠ.çNu“
000000D0  30 2C E2 7D F9 2A 7F 0B FE E5 23 1E 25 2D 89 2F  0,â}ù*..þå#.%-‰/
000000E0  AC D4 9B 83 54 92 74 BF 56 59 3B B6 28 81 45 3B  ¬Ô›ƒT’t¿VY;¶(.E;
000000F0  E7 F2 0D 45 43 DC 58 D3 1A A0 81 F9 99 6A 8B 5A  çò.ECÜXÓ. .ù™j‹Z
00000100  CA 85 F5 B5 3F D7 EE FA 16 2C E0 E1 6C 86 9C 1A  Ê…õµ?×îú.,àál†œ.
00000110  C6 7C 4A 2A 33 3F B9 7A 25 C1 B3 BF 6E AA C1     Æ|J*3?¹z%Á³¿nªÁ

But I can't for the life of me find anything useful in it. Another suspect, but a much larger packet:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  00 7F 28 06 D7 03 E8 5B 5B 29 E3 9D 08 00 45 00  ..(.×.è[[)ã...E.
00000010  02 EA 0A D2 00 00 3F 11 B5 BF C0 A8 01 05 76 97  .ê.Ò..?.µ¿À¨..v—
00000020  80 2D 27 14 D6 F7 02 D6 57 B8 EA D0 01 03 AD 02  €-'.Ö÷.ÖW¸êÐ....
00000030  AF A1 E2 00 DE 00 0B 00 96 3F 95 20 8C B8 74 01  ¯¡â.Þ...–?• Œ¸t.
00000040  96 8A C4 39 D6 69 23 C0 02 01 00 A6 DD 52 A8 85  –ŠÄ9Öi#À...¦ÝR¨…
00000050  83 83 53 13 D0 01 78 8C 75 ED 44 3F 28 3A 25 59  ƒƒS.Ð.xŒuíD?(:%Y
00000060  8C 71 50 2D 3B 11 DB E0 38 56 82 75 32 4F 30 33  ŒqP-;.Ûà8V‚u2O03
00000070  79 E3 84 69 66 A7 4A 7B 0D 80 3F 4A 5C 7E B6 40  yã„if§J{.€?J\~¶@
00000080  E8 49 CD 5C EA 33 18 29 87 74 DA 17 A7 69 C5 77  èIÍ\ê3.)‡tÚ.§iÅw
00000090  2B A5 D3 E1 48 C8 EE 65 0E 83 49 60 AA BF 15 FC  +¥ÓáHÈîe.ƒI`ª¿.ü
000000A0  72 27 6B DE 4B 1E A1 C0 F1 B3 41 1D 0B 08 65 DF  r'kÞK.¡Àñ³A...eß
000000B0  30 DD 32 2A 6D A9 0F 71 99 E4 70 1B 2C 1D 6D B9  0Ý2*m©.q™äp.,.m¹
000000C0  68 82 A6 6E 85 24 C2 22 AC 64 8C 83 B0 40 02 30  h‚¦n…$Â"¬dŒƒ°@.0
000000D0  6A 56 3B 8F 39 F0 DC 96 4E F3 5F EC AC 4E 8A 6C  jV;.9ðÜ–Nó_ì¬NŠl
000000E0  1F AD 0E 3F 90 1D 49 87 6A 6E 25 05 30 DF 80 EB  ...?..I‡jn%.0߀ë
000000F0  1F B3 31 65 BE FE 29 1E 38 2D 16 62 46 EC 1F 82  .³1e¾þ).8-.bFì.‚
00000100  5D F2 24 F3 C1 9C A1 15 34 97 D5 E7 7A 62 A7 1C  ]ò$óÁœ¡.4—Õçzb§.
00000110  F1 10 C8 C4 40 B8 14 59 90 3F E5 8D 3F E4 3D 42  ñ.ÈÄ@¸.Y.?å.?ä=B
00000120  FD 94 6A FD 1D CC E3 07 AC 28 AB 93 98 A3 2F D8  ý”jý.Ìã.¬(«“˜£/Ø
00000130  FE 33 79 38 80 AF 5D 6B 5D CE BB 1E DA 6A 7B B3  þ3y8€¯]k]λ.Új{³
00000140  41 EB 60 FD CC 44 CF 63 54 E7 A1 23 55 52 DA 6F  Aë`ýÌDÏcTç¡#URÚo
00000150  C2 A5 84 65 97 C4 62 D1 5F F0 86 8D 90 A4 13 56  Â¥„e—ÄbÑ_ð†..¤.V
00000160  4F C0 16 C2 38 B3 D5 01 30 F3 B4 44 5D 17 1B F4  OÀ.Â8³Õ.0ó´D]..ô
00000170  84 0C C7 C8 E2 E7 97 D5 E9 D8 14 3B 08 9C D7 91  „.ÇÈâç—ÕéØ.;.œ×‘
00000180  4F 9F 67 13 8C F2 0D 24 3C 62 89 27 2F 1A B8 3C  OŸg.Œò.$<b‰'/.¸<
00000190  AF B8 77 5A 29 8B 18 A0 33 5D 53 8A 7D 17 98 AC  ¯¸wZ)‹. 3]SŠ}.˜¬
000001A0  D8 C3 C9 72 E4 2E B1 DB FA 9D 1A 10 E9 87 58 B6  ØÃÉrä.±Ûú...é‡X¶
000001B0  E1 6E CD 3F 83 14 7F C5 A1 CC D1 08 36 DD A2 D4  ánÍ?ƒ..Å¡ÌÑ.6Ý¢Ô
000001C0  12 EA D4 F3 22 C6 BA E1 83 93 D3 2E 2D AE 14 18  .êÔó"ƺდÓ.-®..
000001D0  05 9E 07 8F FB B7 9F D2 1E 77 46 36 17 25 25 F1  .ž..û·ŸÒ.wF6.%%ñ
000001E0  DD 2B 58 7A D9 3B C3 29 64 E2 7C 20 1D E6 55 3A  Ý+XzÙ;Ã)dâ| .æU:
000001F0  5E CD 12 B2 3D 5A 88 28 47 C4 80 09 EB 95 53 97  ^Í.²=Zˆ(GÄ€.ë•S—
00000200  F1 AA CE 20 D3 D7 FA A5 9E B5 C8 FD 44 42 8C A4  ñªÎ Ó×ú¥žµÈýDBŒ¤
00000210  33 C8 C6 D8 87 20 23 C5 7F 30 1D 46 B2 53 20 C5  3ÈÆ؇ #Å.0.F²S Å
00000220  05 F3 79 84 75 42 24 2A 54 11 31 CB 94 69 ED 51  .óy„uB$*T.1Ë”iíQ
00000230  C5 E3 AE F3 A5 6F 66 1F 8C D3 60 3F EB DB C0 6B  Åã®ó¥of.ŒÓ`?ëÛÀk
00000240  B9 1C 38 61 20 73 1F 39 44 DC EB 4F 6D EA 50 8B  ¹.8a s.9DÜëOmêP‹
00000250  1C DE 46 D0 15 EE 83 44 74 F5 BE 7D E9 B4 2A 4A  .ÞFÐ.îƒDtõ¾}é´*J
00000260  1E 6E 81 B3 12 54 AE EE 3F 77 59 7E F4 6A 6C 50  .n.³.T®î?wY~ôjlP
00000270  9A C7 24 2F 81 F9 A7 9A 0B C6 DA E2 7D 72 AE A5  šÇ$/.ù§š.ÆÚâ}r®¥
00000280  35 88 85 A9 E8 88 B3 B7 2D 46 AF 2B F5 AF 29 9F  5ˆ…©èˆ³·-F¯+õ¯)Ÿ
00000290  7A 40 F3 88 CF C4 53 FF 70 B9 36 9A 2F 35 68 6C  z@óˆÏÄSÿp¹6š/5hl
000002A0  8D 42 58 B2 EE F2 4E 80 B6 08 50 41 C2 9F A7 F7  .BX²îòN€¶.PAŸ§÷
000002B0  F3 73 35 A4 F8 8B A4 C4 A5 2B 9E AA C3 3C 09 7A  ós5¤ø‹¤Ä¥+žªÃ<.z
000002C0  B9 FC 42 49 EE AE E1 74 55 31 71 FA C5 20 FA 77  ¹üBIî®átU1qúÅ úw
000002D0  18 F8 A9 39 B0 38 1C 2F EE 3B 45 B6 AA EF 88 DD  .ø©9°8./î;E¶ªïˆÝ
000002E0  B9 CE CA F6 54 77 72 3B 20 31 B3 30 0A 0F B4 9A  ¹ÎÊöTwr; 1³0..´š
000002F0  12 9B BC 87 F4 F4 B3 93                          .›¼‡ôô³“

Most likely it's encrypted via TLS and these packets are useless, but it's worth looking at.

Edited November 3, 2013 by codemonkey85
Spoiler tags not just for spoilers

[kelly087]

The GTS is TLS Encrypted, isn't it? Someone correct me if I'm wrong, but I don't think GTS will be as simple as finding the right 232 bytes from the packet.

[Zaneris]

The only thing I'm missing from getting the Wonder Trade to work is the checksum 16 bytes checksum within the EAD header.

Any ideas?

EAD header:

uint magic; //0x0301D0EA // EA D0 01 03

ushort size; // without EAD header

ushort unk1; // wondertrade: 0x1111, gts = 0xAFA1

ushort unk2; // wondertrade: 0x08E2, gts = 0x00E2

ushort unk3;

ushort packetId;

ubyte checksum[16];

ushort unk4; // 02 01

ubyte encryptedFlag; // 00 = plaintext (wondertrade), 01 = encrypted (gts)

Data:

ubyte data;

if it's wondertrade:

byte unk[0x1C];

byte pkx[0xE8];

Otherwise, the actual injection part is easy.

[Bond697]

  evandixon said:

At least you're not asking "whens pokgen being updated??????????" or something.

Now to add something to this post so it's not completely off-topic, what's the "sanity placeholder" on the wiki page? It looks like empty space, but does it have a purpose?

they've been there in every game from gen 3 onward. there's 3 bitflags that are only used in game, so those bytes are always 00 otherwise. the bitflags are:

-pkm is egg

-pkm party data is decrypted

-pkm box data is decrypted

the game uses them to decide whether or not it should encrypt or decrypt data.

  kelly087 said:

The GTS is TLS Encrypted, isn't it? Someone correct me if I'm wrong, but I don't think GTS will be as simple as finding the right 232 bytes from the packet.

yes, it's encrypted somehow.

Edited October 31, 2013 by Bond697

[Codr]

  kelly087 said:

The GTS is TLS Encrypted, isn't it? Someone correct me if I'm wrong, but I don't think GTS will be as simple as finding the right 232 bytes from the packet.

Unless the TLS certificate is obtained (and I don't know if that's even enough by itself), nobody is going to be making fake GTS servers. I'm not sure if the GTS itself is encrypted with TLS, but the initial connection to Nintendo servers that the game requires you to go through is.

[Kane49]

  Codr said:

Unless the TLS certificate is obtained (and I don't know if that's even enough by itself), nobody is going to be making fake GTS servers. I'm not sure if the GTS itself is encrypted with TLS, but the initial connection to Nintendo servers that the game requires you to go through is.

Nintendos TLS Client Certificate, rename to .der:

nintendocertific.txtFetching info...

[Keplar]

  Zaneris said:

The only thing I'm missing from getting the Wonder Trade to work is the checksum 16 bytes checksum within the EAD header.

Any ideas?

EAD header:

uint magic; //0x0301D0EA // EA D0 01 03

ushort size; // without EAD header

ushort unk1; // wondertrade: 0x1111, gts = 0xAFA1

ushort unk2; // wondertrade: 0x08E2, gts = 0x00E2

ushort unk3;

ushort packetId;

ubyte checksum[16];

ushort unk4; // 02 01

ubyte encryptedFlag; // 00 = plaintext (wondertrade), 01 = encrypted (gts)

Data:

ubyte data;

if it's wondertrade:

byte unk[0x1C];

byte pkx[0xE8];

Otherwise, the actual injection part is easy.

16 byte checksum? That sounds more like an MD5 hash, in my opinion. Out of curiosity, I've coded a small script to hash all possible data segments of the packet's payload, and compare these hashes for a possible match. Unfortunately, no hashed data segments of my packet matched. Perhaps a salted MD5 hash is being used?

[Codr]

  Kane49 said:

Nintendos TLS Client Certificate, rename to .der:

The games have a certificate as well. I won't pretend that I understand TLS fully, but I highly doubt it's the same thing. This is also assuming what you just linked is from the TLS server that X/Y use.

[Zaneris]

  Keplar said:

16 byte checksum? That sounds more like an MD5 hash, in my opinion. Out of curiosity, I've coded a small script to hash all possible data segments of the packet's payload, and compare these hashes for a possible match. Unfortunately, no hashed data segments of my packet matched. Perhaps a salted MD5 hash is being used?

This is my thought... but with what?