Vetle Posted December 13, 2010
By disabling https I was able to capture the data sent to nas.nintendowifi.net

Log1:
POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270

action=bG9naW4*&gsbrcd=&sdkver=MDAyMDAy&userid=MDk1Njc3MTk3NjUxNg**&passwd=NTcx&bssid=MDAxNGJmZDk1NjBi&apinfo=MDE6MDAwMDAwMC0wMA**&gamecd=Q1BVRQ**&makercd=MDE*&unitcd=MA**&macadr=MDAxYjdhNWU4YWRh&lang=MDE*&birth=MDkxZA**&devtime=MTAxMjEzMTQwOTA3&devname=VgBlAHQAbABlAA**

Reply1:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:10:00 GMT
Connection: close
Server: GameCube

challenge=T0hYWlRHQlk*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx&token=TkRTdkExY0crUWtRUUthWGx3ZFBmbjZHU0dnNFZuV1VyL1dhT3BLUHhzaXF4d3cvZzkrYVp6SEpLd3FrbGdsZ3lwYlp0ZVo4ZjBkWTc0UVcrbk5uRjJaVEE9PQ**&datetime=MjAxMDEyMTMxMzEwMDE*

Log2:
POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270

action=bG9naW4*&gsbrcd=&sdkver=MDAyMDAy&userid=MDk1Njc3MTk3NjUxNg**&passwd=NTcx&bssid=MDAxNGJmZDk1NjBi&apinfo=MDE6MDAwMDAwMC0wMA**&gamecd=Q1BVRQ**&makercd=MDE*&unitcd=MA**&macadr=MDAxYjdhNWU4YWRh&lang=MDE*&birth=MDkxZA**&devtime=MTAxMjEzMTQxOTUy&devname=VgBlAHQAbABlAA**

Reply2:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:20:44 GMT
Connection: close
Server: GameCube

challenge=UjFTRkJPQVU*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx&token=TkRTSHFSaWVKT1dKTmlOdzBmWnU4bER2Y1BDRnh4WWh2S2hTZzFjUnAwdzhSOGxGemVhSDF3U1BYZlVRdi9PTWF5clMwYlRmenprSkRYaWNxa0QxajR3SWc9PQ**&datetime=MjAxMDEyMTMxMzIwNDU*

Log3:
POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270

action=bG9naW4*&gsbrcd=&sdkver=MDAyMDAy&userid=MDk1Njc3MTk3NjUxNg**&passwd=NTcx&bssid=MDAxNGJmZDk1NjBi&apinfo=MDE6MDAwMDAwMC0wMA**&gamecd=Q1BVRQ**&makercd=MDE*&unitcd=MA**&macadr=MDAxYjdhNWU4YWRh&lang=MDE*&birth=MDkxZA**&devtime=MTAxMjEzMTQyOTQ3&devname=VgBlAHQAbABlAA**

Reply3:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:30:40 GMT
Connection: close
Server: GameCube

challenge=MlBQWlJNRjc*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx&token=TkRTdHkzRGFEcVBGdk9IY0dkd2tDMWtoOEhBMzlGMWVRM1JkT3RuMWJQRUtuajV2RnlHY3V6OGVSTzRENFZtdFljdzVKTjNJV0U1ODVrTGF2QkRhSERBVHc9PQ**&datetime=MjAxMDEyMTMxMzMwNDA*

I'm using Pokemon Platinum, SSID is linksys using WEP with the password 6E0C9157B3. Could this be used for something useful?
Poryhack Posted December 13, 2010
How did you disable HTTPS? I thought the games were hardcoded to use SSL in these cases.
Vetle Posted December 13, 2010
By using a hex editor I replaced https://nas.nintendowifi.net/ac with http://nas.nintendowifi.net/ac + a 00 byte at the end. The server itself has both HTTP and HTTPS enabled and doesn't seem to care which one you use.
Poryhack Posted December 14, 2010
Oh I see. Interesting that that works, too bad it doesn't with the wondercard server.
M@T Posted December 14, 2010 (edited)
Nice flaw in their implementation of HTTPS. Data is base64-encoded with "=" replaced with "*", so it is easy to decode. Too bad it doesn't work for the wondercard server, indeed; it would have been really helpful.

Here are the decoded requests/replies (\x00 is the null byte):

Log1:
POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270

action=login&gsbrcd=&sdkver=002002&userid=0956771976516&passwd=571&bssid=0014bfd9560b&apinfo=01:0000000-00&gamecd=CPUE&makercd=01&unitcd=0&macadr=001b7a5e8ada&lang=01&birth=091d&devtime=101213140907&devname=V\x00e\x00t\x00l\x00e\x00

Reply1:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:10:00 GMT
Connection: close
Server: GameCube

challenge=OHXZTGBY&locator=gamespy.com&retry=0&returncd=001&token=NDSvA1cG+QkQQKaXlwdPfn6GSGg4VnWUr/WaOpKPxsiqxww/g9+aZzHJKwqklglgypbZteZ8f0dY74QW+nNnF2ZTA==&datetime=20101213131001

Log2:
POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270

action=login&gsbrcd=&sdkver=002002&userid=0956771976516&passwd=571&bssid=0014bfd9560b&apinfo=01:0000000-00&gamecd=CPUE&makercd=01&unitcd=0&macadr=001b7a5e8ada&lang=01&birth=091d&devtime=101213141952&devname=V\x00e\x00t\x00l\x00e\x00

Reply2:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:20:44 GMT
Connection: close
Server: GameCube

challenge=R1SFBOAU&locator=gamespy.com&retry=0&returncd=001&token=NDSHqRieJOWJNiNw0fZu8lDvcPCFxxYhvKhSg1cRp0w8R8lFzeaH1wSPXfUQv/OMayrS0bTfzzkJDXicqkD1j4wIg==&datetime=20101213132045

Log3:
POST /ac HTTP/1.0
Content-type: application/x-www-form-urlencoded
Host: nas.nintendowifi.net
User-Agent: Nitro WiFi SDK/2.2
HTTP_X_GAMECD: CPUE
Connection: close
Content-Length: 270

action=login&gsbrcd=&sdkver=002002&userid=0956771976516&passwd=571&bssid=0014bfd9560b&apinfo=01:0000000-00&gamecd=CPUE&makercd=01&unitcd=0&macadr=001b7a5e8ada&lang=01&birth=091d&devtime=101213142947&devname=V\x00e\x00t\x00l\x00e\x00

Reply3:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 235
Date: Mon, 13 Dec 2010 13:30:40 GMT
Connection: close
Server: GameCube

challenge=2PPZRMF7&locator=gamespy.com&retry=0&returncd=001&token=NDSty3DaDqPFvOHcGdwkC1kh8HA39F1eQ3RdOtn1bPEKnj5vFyGcuz8eRO4D4VmtYcw5JN3IWE585kLavBDaHDATw==&datetime=20101213133040

The "token" value in replies is another base64-encoded value preceded by "NDS". It is raw data when decoded, like random bytes.
Edited December 14, 2010 by M@T: Added decoded logs.
Vetle Posted December 14, 2010 (edited)
After removing the static "NDS" from the token, it can be decoded using any base64 decoder.

NDSHqRieJOWJNiNw0fZu8lDvcPCFxxYhvKhSg1cRp0w8R8lFzeaH1wSPXfUQv/OMayrS0bTfzzkJDXicqkD1j4wIg==
> HqRieJOWJNiNw0fZu8lDvcPCFxxYhvKhSg1cRp0w8R8lFzeaH1wSPXfUQv/OMayrS0bTfzzkJDXicqkD1j4wIg==
> 1e a4 62 78 3f 3f 24 d8 3f c3 47 d9 bb c9 43 bd   .¤bx??$Ø?ÃGÙ»ÉC½
  c3 c2 17 1c 58 3f f2 a1 4a 0d 0a 5c 46 3f 30 f1   ÃÂ..X?ò¡J..\F?0ñ
  1f 25 17 37 3f 1f 5c 12 3d 77 d4 42 ff ce 31 ac   .%.7?.\.=wÔBÿÎ1¬
  ab 4b 46 d3 7f 3c e4 24 35 e2 72 a9 03 d6 3e 30   «KFÓ.<ä$5âr©.Ö>0
  22                                                "

Client fields:
- action (client): Using the GTS, only "login" is used here.
- gsbrcd (client): not assigned a value.
- sdkver (client): tells the server what version of the Nitro SDK the game is using, in the following format: XXXYYY, where 2.2 is 002002.
- bssid (client): MAC address of your router with ":" removed. MAC address 00:14:bf:d9:56:0b becomes 0014bfd9560b.
- apinfo (client): In the wifi menu there are 3 different APs you can set; it starts counting from 0. Format used: XX:0000000-00. Example when connected to the middle AP: 01:0000000-00. I think the wifi connector will be id 3 but I'm not sure.
- gamecd (client): identifies the card by its ID; for Pokemon Platinum this is CPUE.
- makercd (client): The id of the game maker. Nintendo uses id 01.
- unitcd (client): 0 says a lot.
- macadr (client): Sends the MAC address with ":" removed. MAC address 00:1b:7a:5e:8a:da becomes 001b7a5e8ada.
- lang (client): Your language. English is 01.
- devname (client): Your name, where each character is followed by a null byte: V\x00e\x00t\x00l\x00e\x00
- devtime (client): microseconds since adventure start?

Server fields:
- challenge (server): 8 bytes long, mixed numbers and upper case letters. Does not seem to be used later; might be used to verify the server. Changes even if the request from the client stays the same.
- locator (server): gamespy.com. Something to do with the user agent used when using the GTS? Might be requesting gamespy.com/download using https.
- token (server): "NDS" + base64(random). Does not seem to be used later; might be used to verify the server. Changes even if the request from the client stays the same.
- datetime (server): NOTE: GMT. datetime displays the date and time when the request was sent, formatted like this: YYYYMMDDHHMMSS. Example: 20101216003946

NOTE: encrypt values with base64
Edited December 16, 2010 by Vetle: misread previous post
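The decoding the posts above do by hand (the "*" for "=" substitution, the NDS-prefixed token, the UTF-16 devname and the YYYYMMDDHHMMSS server timestamp) can be put into one small decoder that takes a captured /ac request and reply body and lists exactly what a passive observer can read once the client has been downgraded to plain HTTP. This is an added example, not code from the thread or from any of the GTS tools it mentions; the sample bodies are the first request/reply pair captured earlier in the thread, embedded here as test data, and the decoder only undoes the one substitution the thread documents (those captures contain no other replaced characters).

```python
import base64
from datetime import datetime

# Test data: the first /ac request body and the server's reply body, copied from
# the captures posted in this thread (Content-Length of the request is 270).
REQUEST_BODY = (
    "action=bG9naW4*&gsbrcd=&sdkver=MDAyMDAy&userid=MDk1Njc3MTk3NjUxNg**&passwd=NTcx"
    "&bssid=MDAxNGJmZDk1NjBi&apinfo=MDE6MDAwMDAwMC0wMA**&gamecd=Q1BVRQ**&makercd=MDE*"
    "&unitcd=MA**&macadr=MDAxYjdhNWU4YWRh&lang=MDE*&birth=MDkxZA**"
    "&devtime=MTAxMjEzMTQwOTA3&devname=VgBlAHQAbABlAA**"
)
REPLY_BODY = (
    "challenge=T0hYWlRHQlk*&locator=Z2FtZXNweS5jb20*&retry=MA**&returncd=MDAx"
    "&token=TkRTdkExY0crUWtRUUthWGx3ZFBmbjZHU0dnNFZuV1VyL1dhT3BLUHhzaXF4d3cvZzkrYVp6SEpL"
    "d3FrbGdsZ3lwYlp0ZVo4ZjBkWTc0UVcrbk5uRjJaVEE9PQ**&datetime=MjAxMDEyMTMxMzEwMDE*"
)


def nas_decode(value: str) -> bytes:
    """Undo the NAS wire encoding documented in the thread: ordinary base64 with
    the '=' padding written as '*'. An empty value decodes to b''."""
    return base64.b64decode(value.replace("*", "="))


def parse_nas_body(body: str) -> dict:
    """Split a NAS form body into fields and decode every value. The split is
    done by hand rather than with urllib.parse so that a '+' inside a base64
    value (the decoded token contains some) is never turned into a space."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = nas_decode(value)
    return fields


def readable(fields: dict) -> dict:
    """Render decoded bytes as text. devname is UTF-16LE (each character is
    followed by a null byte in the capture); every other field is plain ASCII."""
    out = {}
    for key, raw in fields.items():
        out[key] = raw.decode("utf-16-le") if key == "devname" else raw.decode("ascii")
    return out


def decode_token(token: str) -> bytes:
    """Strip the constant 'NDS' prefix and base64-decode the remainder, which the
    thread observed to be opaque, random-looking bytes."""
    if not token.startswith("NDS"):
        raise ValueError("token does not carry the expected NDS prefix")
    return base64.b64decode(token[3:])


def parse_server_datetime(value: str) -> datetime:
    """The server's datetime field is YYYYMMDDHHMMSS in GMT, as noted above."""
    return datetime.strptime(value, "%Y%m%d%H%M%S")


def summarize_exchange(request_body: str, reply_body: str) -> dict:
    """Decode one login exchange: everything here (user id, password, MAC
    addresses, device name, challenge, token) travels in the clear once the
    client's hardcoded https:// URL has been patched to http://."""
    req = readable(parse_nas_body(request_body))
    rep = readable(parse_nas_body(reply_body))
    return {
        "request": req,
        "reply": rep,
        "raw_token": decode_token(rep["token"]),
        "server_time": parse_server_datetime(rep["datetime"]),
    }


if __name__ == "__main__":
    summary = summarize_exchange(REQUEST_BODY, REPLY_BODY)
    for side in ("request", "reply"):
        print(f"--- {side} ---")
        for key, value in summary[side].items():
            print(f"{key:>10}: {value!r}")
    token = summary["raw_token"]
    print(f"raw token: {token.hex()} ({len(token)} bytes)")
    print("server time (GMT):", summary["server_time"].isoformat())
```

Running it reproduces the decoded Log1/Reply1 from the thread and shows the raw token to be 64 bytes; the request's devtime value 101213140907 lines up with the reply's Date header as a YYMMDDHHMMSS clock reading one hour ahead of GMT, which is my reading of it, not something the thread establishes.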
zxg Posted December 19, 2010
Is there any way that a pokemon can be sent from a DS to the computer/server using a script like this?
aquaguy34 Posted December 20, 2010
Just use HyperGTS, it is able to send and receive from the computer.
HyperDrill89 Posted January 4, 2011
Just to be clear, the current HyperGTS/Sendpkm doesn't work on B/W, but people are working on it.
Paul2357 Posted January 11, 2011
I downloaded HyperGTS the other day. I looked up how to go about using it and gave it a shot. I have no problem getting my IP address and inputting it into the DNS box. All ports have been forwarded properly and I double checked to make sure I did it correctly. Also my firewall isn't interfering in any way. The only issue I'm having is with HyperGTS itself. I can start the DNS without a problem, however it will not let me start the GTS. I don't know if I'm using something wrong or what, but it's driving me nuts. Any help would be greatly appreciated.
M@T Posted January 11, 2011
Is there any program such as Skype or a webserver running on your computer?
Paul2357 Posted January 16, 2011
No, I made sure everything was closed out and the processes were no longer running. Like I said, everything works except for the start GTS button.
HyperDrill89 Posted January 31, 2011
Is there any news on a Hyper GTS for Black / White?
Jinderox Posted February 4, 2011
> Is there any news on a Hyper GTS for Black / White?
I wish we soon have a server working, I have been waiting for 2 months already and nothing is out.
Scarface Posted February 5, 2011
> I wish we soon have a server working, I have been waiting for 2 months already and nothing is out.
There are people working on it, you really need to have some patience. It took years for them to crack it on 4th Gen; we're lucky as it is that we can even send pokemon to our games.
jordsters Posted February 14, 2011
> Hi everyone! I made two VB.NET console applications, one for the DNS server part, and the other for the Pokémon sending part (fake GTS). It was ready for quite a while, but I couldn't test it until Saturday. Now it's been tested and it works well; I was able to send a Pokémon to a friend of mine across the Internet without problem. I made the GTS server work with threads, so several connections are possible simultaneously. It is mainly a copypasta of the Python script, but it can be easily improved and included in a window application. For example, I was planning to make a GUI that would include the ability to make a list of Pokémon to send. I attached a ZIP file containing the sources and the binaries of the two programs.
Thanks a lot for that. A friend of mine was looking for something like this.
Guurak Posted February 15, 2011
> Regarding the new Black & White GTS... I've managed to get the details of how the games and the server are communicating, which are the following:
> - Checksum is XORed with 0x2db842b2 instead of 0x4a3b2c1d
> - Hash is calculated from SHA1("HZEdGCzcGGLvguqUEKQN" + token) instead of "sAdeqWo3voLeC5r16DYv" + token
> - The request from the DS to the BW server is not encrypted (unlike the GRNG with the checksum as seed in DPPt)
> - Length of the request is 0x0E or 0x0F:
>   0x00 - 0x03: PID Trainer
>   0x04 - 0x07: Total length of the following statements
>   0x08 - 0x09: Pokémon ID
>   0x0A: Gender
>   0x0B: Min. Level
>   0x0C: Max. Level
>   0x0D: Unknown
>   0x0E: Total results
>   0x0F: Country
> - Host for BW is the same as DPPt: http://gamestats2.gs.nintendowifi.net/
> - Root directory is different: /syachi2ds/web/worldexchange/
> - Game ID of Black is 0x14, White is 0x15.
> - GTS return data is 296 bytes:
>   0x000 - 0x001: unknown (2 bytes)
>   0x002 - 0x0DD: Pokémon data (220 bytes)
>   0x0DE - 0x0ED: unknown (always zero?) (16 bytes)
>   0x0EE - 0x127: GTS specific data (58 bytes)
>   The only difference is:
>   0x20 - 0x21: Trainer ID
>   0x22 - 0x23: Secret ID
>   0x24 - 0x33: Trainer Name
>   For everything behind this point, add 0x02 to the DPPt server
> Have fun with it!
> Oh... if someone's interested, I've created a program which can search the GTS for a Pokémon like the game itself does. It's B&W compatible as well.
> Grtzz!! Grovyle91
> P.S.: For anyone who's using my Mystery Gift Editor, I'm sorry I've been absent for the last six (?) months. Due to some personal reasons I wasn't able to be online and fully working on the final version.
Could you post that program please? I am interested.
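The request and response layouts in the quoted post are given only as byte offsets, so here is an added example (my own code, not Grovyle91's program or any GTS server from this thread) that turns them into a parser: one function reads a Black/White search request and tolerates the 0x0E/0x0F/0x10-byte variants implied by the optional trailing fields, and another slices the 296-byte return blob into the four regions the post names. Byte order is an assumption (the post does not state it; the DS is a little-endian ARM system), the field names are mine, and the sample request bytes are constructed, not captured.

```python
import struct

FIXED_PART = 0x0E        # bytes 0x00..0x0D are always present per the post
RESPONSE_LEN = 296       # "GTS return data is 296 bytes"

# Constructed sample: 16-byte search request (all fields present). Values are
# invented for the test and carry no meaning beyond the layout.
SAMPLE_SEARCH = struct.pack(
    "<IIHBBBB",
    0x0BADF00D,   # trainer PID (assumed little-endian)
    8,            # "total length of the following statements"
    151,          # Pokémon ID
    2,            # gender
    1,            # min level
    100,          # max level
    0,            # unknown byte at 0x0D
) + bytes([7, 0x01])   # total results, country


def parse_bw_gts_search(payload: bytes) -> dict:
    """Parse a B/W GTS search request using the offsets from the quoted post.
    Multi-byte fields are read little-endian (assumption, see lead-in)."""
    if len(payload) < FIXED_PART:
        raise ValueError(f"request too short: {len(payload)} bytes, need {FIXED_PART}")
    pid, following_len, species = struct.unpack_from("<IIH", payload, 0)
    rec = {
        "trainer_pid": pid,
        "following_len": following_len,
        "species": species,
        "gender": payload[0x0A],
        "min_level": payload[0x0B],
        "max_level": payload[0x0C],
        "unknown_0d": payload[0x0D],
    }
    # The post lists two trailing bytes but says requests are 0x0E or 0x0F
    # long, so treat both as optional and report only the ones present.
    if len(payload) > 0x0E:
        rec["total_results"] = payload[0x0E]
    if len(payload) > 0x0F:
        rec["country"] = payload[0x0F]
    return rec


def split_bw_gts_response(data: bytes) -> dict:
    """Cut the 296-byte return blob into the regions named in the post. The
    contents of the 'unknown' regions are not interpreted."""
    if len(data) != RESPONSE_LEN:
        raise ValueError(f"expected {RESPONSE_LEN} bytes, got {len(data)}")
    return {
        "unknown_head": data[0x000:0x002],   # 2 bytes
        "pokemon": data[0x002:0x0DE],        # 220 bytes of Pokémon data
        "unknown_zero": data[0x0DE:0x0EE],   # 16 bytes, "always zero?" per the post
        "gts": data[0x0EE:0x128],            # 58 bytes of GTS-specific data
    }


if __name__ == "__main__":
    for name, blob in (("16-byte", SAMPLE_SEARCH), ("15-byte", SAMPLE_SEARCH[:15]),
                       ("14-byte", SAMPLE_SEARCH[:14])):
        print(name, parse_bw_gts_search(blob))
    regions = split_bw_gts_response(bytes(RESPONSE_LEN))
    print({k: len(v) for k, v in regions.items()})
```

The region lengths add up to exactly 296 (2 + 220 + 16 + 58), which is a quick consistency check on the post's offsets; the inner 0x20/0x22/0x24 offsets for trainer ID, secret ID and name are left alone because the post does not say which region they are relative to.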
ReignOfComputer Posted March 3, 2011
> HyperGTS SCREWED UP MY GAME!!! WTF WTF2 *SIGH*
Lol, it's your .pkm. Make sure they're party .pkms (236b), or download the Pokemon to your Storage, not Party.
Sabresite Posted March 3, 2011
I didn't know either of those... but I quickly realized it. Thanks to Kaphotics, I took my mew to the daycare center and fixed it.
ceolceol Posted March 4, 2011
Should we start a new thread for Black/White GTS research?
ceolceol Posted March 7, 2011
I'm getting B/W connections for pokemondpds/web/enc/lobby/checkProfile.asp in addition to the expected syachi2ds/web/*.asp requests; does anyone know what this could be used for?
Draaza Posted March 7, 2011
Just dropping a little note because of a problem I had (and solved), so that others might not have the same problem: GTS wouldn't start because port 80 was supposedly being used. netstat gave me PID 4, and then tasklist gave me SYSTEM (not very useful). Long story short, it was World Wide Web Publishing Service (W3SVC) that was occupying the port. Disabled the service and the GTS started, no problem. While you may not be hosting any webpages or anything, you may not notice that service is running in the background (possibly the computer is second-hand and came with the OS installed already and the service was running, or you simply turned it on at some point by accident somehow), so it might be worth checking for.
HyperDrill89 Posted March 9, 2011
Any ETA given the progress so far? Sorry if I sound impatient.