653 posts in this topic


That's basically hacking the Pokémon; you might as well just sav the Pokémon in the first place.

That's basically hacking the Pokémon; you might as well just sav the Pokémon in the first place.

Not really... The Pokémon on the GTS are usually legit, so you don't have to worry as much about legality compared to SAVing one from scratch.

Also, this could be a good resource for those with no AR or flash cart, to be able to get what they want without having to sift through the rip-offs (Lv. 1 for a Lv. 100 legendary) and the teases (shiny ... for a Lv. 9 or lower legendary; impossible to get legitimately).

Also, the communication research isn't specifically limited to just the GTS either, look around this subforum a bit more and you'll see what I'm talking about...


Like, that guy has his shiny Ho-oh up on the GTS, and then some time later you show him his Ho-oh in your game, while it is still on the GTS.


A more valid use, to me, would be the ability to easily search and sift out viable trades, which you could then perform on your DS, possibly with the aid of software on your PC.

A more valid use, to me, would be the ability to easily search and sift out viable trades, which you could then perform on your DS, possibly with the aid of software on your PC.

If I might add to that: instead of alerting you, you could flag the pokemon as traded to your cartridge, so that you could simply log on to the GTS and receive your pokemon. Since this program would probably be spoofing the site into thinking it's a DS, would a PokeSav/PokeMod (if it is released before this comes to life) plugin of sorts, from which you could create the trader's desired pokemon, be out of the question? Wouldn't that be a more logical route? I constantly find that after I went and either leveled or caught the pokemon that was wanted in trade for my desired trade, it had been snatched away in the short time that I had been gone. If we built the program this way, you wouldn't have to worry about someone else snatching the one you want, because you could almost "reserve" it instantaneously via either of the suggested plugins above... Or you could just copy the data and tell the server to send you a copy of the data when you log on with your DS...

Another feature that might be nice is to be able to search through the trades that occurred in recent history and be able to take a copy of any nice pokemon from there since they've already been traded...

Further still, instead of the usual display that is included in the DS, you could include more information like moves, IVs, EVs, ribbons, etc.? Maybe Sabresite could even make legal part of it, to check the pokemon to see if it was hacked? (Can you, Sabresite?)


Well, to me, legit and legal uses of the research we do are the most useful, since they're probably not traceable and don't rip anyone off.

I was just thinking about how neat it would be to have a push notification app on the iPhone that informs you of a trade going through, or of an offer being made that you were tracking. The former would be especially valuable to those outside of Japan, since we don't get GTS e-mail notifications (only Wii messages >_>).


Yeah, but if anything, the flag idea should be implemented, because even if you have an alert system, you're racing an entire world... Having to boot your DS(i), then log onto the GTS, THEN search out the pokemon leaves the window open for some other person to snatch it away...


Okay, so I changed my router's DNS server to resolve gamestats2.gs.nintendowifi.net to one of my computers. Had my DS happily connect to it, where a happy Python script was waiting to intercept GTS traffic and redirect it to the REAL gamestats2. What I've found is that there are no SSL connections happening, and I have nice-ish (nicer than a pcap, at any rate) dialogs between the DS and gamestats2. The pid seems to be a cart-specific number, probably one you get the first time you connect to Wi-Fi; it stays the same every time you reconnect. When doing searches, another GET param comes up, data, which seems to be an unencrypted 'action', i.e. the same searches produce the same data regardless of connection. What we'd need to figure out to have automated scripts is how that hash is generated, so that the server takes us for its own. I'll mess with this more another day, as it is late now, so take this post as more of a poke, rather than an informative one, to see if you guys are still here to try and mess with this.

Other potential areas of exploration would be to hex-edit the ROM and change gamestats2.gs.nintendowifi to point to your own server for easier debugging, and perhaps create our own private GTSes that don't do hash checking, or always present the client with the same sekrit string (;

Oh, and I don't have high hopes for how well this could do for sifting through *all* of the GTS's pokeymans, as the data I saw from the server seems to be just enough for the three-odd results the game gives us.

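Added example (not part of the thread, and not the script the poster above was running): the DNS side of the redirection just described. The DS only looks up gamestats2.gs.nintendowifi.net and then talks plain HTTP with no SSL, so a resolver that answers that one name with a LAN address, and relays every other query to a real resolver, is enough to pull the GTS traffic onto your own box. The spoofed address 192.168.1.10, the upstream resolver 8.8.8.8 and the transaction ID used in the offline check are assumptions; the hostname is the one from the thread. Binding port 53 needs root on Linux/OS X.

```python
import socket
import struct

# Hostname the game resolves for GTS traffic (from the thread) and the
# LAN address we want it to receive instead (assumed; change to your box).
GTS_HOST = "gamestats2.gs.nintendowifi.net"
SPOOF_IP = "192.168.1.10"


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, end_of_question) for a one-question DNS packet."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels = []
    pos = 12                       # questions start right after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:          # compression pointers never appear in a query's question
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, pos + 4


def build_response(packet: bytes, spoof_ip: str = SPOOF_IP):
    """Answer A queries for GTS_HOST with spoof_ip; return None for anything else
    so the caller relays it to a real resolver unchanged."""
    txid, qname, qtype, qend = parse_question(packet)
    if qname.lower() != GTS_HOST or qtype != 1:        # 1 = A record
        return None
    # Flags 0x8180: response, recursion desired + available. One question, one answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = packet[12:qend]                          # echo the question verbatim
    # Answer: pointer to the name at offset 12, type A, class IN,
    # TTL 0 so the DS does not cache the spoofed address, 4-byte rdata.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 0, 4) + socket.inet_aton(spoof_ip)
    return header + question + answer


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal A query; used to exercise build_response without a network."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def serve(listen_ip: str = "0.0.0.0", upstream=("8.8.8.8", 53)) -> None:
    """Spoof GTS_HOST, relay everything else to the upstream resolver."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((listen_ip, 53))                          # privileged port
    while True:
        data, client = sock.recvfrom(512)
        try:
            reply = build_response(data)
        except ValueError:
            reply = None
        if reply is None:                               # not ours: ask the real resolver
            relay = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            relay.settimeout(3)
            try:
                relay.sendto(data, upstream)
                reply = relay.recv(512)
            except socket.timeout:
                continue
            finally:
                relay.close()
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Point the DS (or the router it uses) at the machine running this, and only the GTS lookup is answered locally. This works for the same reason the poster saw readable dialogs: the client trusts whatever DNS it is handed and the HTTP that follows is unauthenticated, so nothing ties gamestats2 to a particular server.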

Whoa. That's awesome! Great to see progress being made on this.

Regarding our own private GTS servers, I think that would be awesome for ROM hackers trying to create their own Pokémon "economy".


You wouldn't need to hack the ROM, though, right? Could it be possible to have a program that resolves gamestats2.gs.nintendowifi.net to one of our own, and use a stock cartridge? This might be more effective with people who still use the Nintendo WiFi connector.

I'd like to see a private GTS server that people can arrange private trades on. With the hash-checking, you could arrange for a specific person to pick it up, and you wouldn't need to both be online at the same time. And you could make requests on the server's website like "Timid Kyogres only" and then the search results on the DS would only return Pokemon that matched.

More sophisticated hack-checking, like a built-in legit.exe could also be added to the server.


I don't think you would; however that has been done already. At one point about a year ago I was helping Jason (he hung out on IRC back then, don't think he's ever joined the forums) by doing some searches with an edited ROM that he had pointed to his own server. He had a PHP script to capture and redirect traffic but nothing was ever really accomplished with the capture information.

I'm no expert but I'm wondering if it's really even possible/feasible to code your own server from just watching what the transactions with the real server look like...


Why not Poryhack? Isn't that what hackers do? :P

Slightly off-topic:

I'd like to see a private GTS server that people can arrange private trades on. With the hash-checking, you could arrange for a specific person to pick it up, and you wouldn't need to both be online at the same time. And you could make requests on the server's website like "Timid Kyogres only" and then the search results on the DS would only return Pokemon that matched.

More sophisticated hack-checking, like a built-in legit.exe could also be added to the server.

I think that's a fantastic idea. I also think it would be neat to design a more robust notification system, so people can be notified that their trades went through via not just Wii messages or E-Mail, but also SMS, iPhone push notifications, RSS (?), whatever.

Back on topic:

I looked at some of the log files that LordLandon generated by redirecting the NDS / Nintendo WFC connection through his computer, and saw that the search results for a query yield full Pokémon data, stored, encrypted, and shuffled in exactly the same way as they are in the NDS. There's other data in there too; connection logs and all that jazz.

Also, each Pokémon result is actually 292 bytes in length (according to Landon), so there's some extra data there beyond the actual Pokémon data; probably to account for information about the trainer and cart that uploaded the Pokémon in the first place, as well as what they are looking for in return.


I looked at some of the log files that LordLandon generated by redirecting the NDS / Nintendo WFC connection through his computer, and saw that the search results for a query yield full Pokémon data, stored, encrypted, and shuffled in exactly the same way as they are in the NDS. There's other data in there too; connection logs and all that jazz.

Nice! That means we can already do a legit.exe check on a GTS Pokemon before trading, as well as view their moves/IVs/EVs. At least as long as you can reroute the traffic. We just need a program that can access the GTS directly without the need for a DS.

Possibly more complicated: finding AR codes that can do the same, at least for IVs/moves.


So here's what I have as of now:

Because HTTP is used for the communication, every time the DS wants to make a request of the server (after the initial connect), the exchange is as follows:

The DS GETs whateverpage.asp?pid=[pid], and the server returns a 32-byte string.

The DS then GETs whateverpage.asp?pid=[pid]&hash=[40-byte hash of the 32-byte string]&data=[encoded request].

The pid is *not* Wi-Fi-ID dependent, since it remained after I connected to Wi-Fi with a different DS. Either way, it's gotta be in the save file somewhere.

The hash is a hash of *only* the secret string the server sends as a challenge. I've tried different combinations of DS/game/pid while keeping the same challenge string, and the hash came out the same each time.

The search results include the full 236 bytes of pokemon! (This makes more sense given that the total length per search result is 292 bytes, and that there are 236 bytes reserved for "pokemon in gts" at the end of the save file.)

This leaves 56 extra bytes to contain the requested stuff: 0x04-0x05 is the National Dex # of the requested poke, 0x06 I *think* is the requested gender, 0x07 is the min level, 0x08 is the max level.

We'll post more as we learn more.

Attached is a zip of a bunch of the conversations that went on between DS and server; the \ndone---done\n is a separator between each response/request (made it easier for me to parse; not part of the exchange). Of small note: Platinum sets some profile thing as part of authenticating to the GTS.

gtcstuff.zip


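Added example (not from the thread and not the poster's code): the two-step exchange just described, modelled with both sides in one file, in the shape of the "private GTS that doesn't do hash checking" suggested earlier. The server hands out a constant 32-byte challenge and, on the second request, checks only that a challenge was issued for that pid and that hash= has the observed 40-character length, then returns whatever record we want the game to receive. Assumptions: the page name is the thread's own placeholder whateverpage.asp; the real hash algorithm is unknown at this point in the thread, so the client side uses SHA-1 hex purely because it is 40 characters long; the data= encoding is unknown too, so base64 stands in for it. The HTTP wrapper binds port 80, which is why a script like this needs root.

```python
import base64
import hashlib
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# A private server that never verifies the hash can hand out the same
# challenge every time ("always present the client with the same sekrit string").
FIXED_CHALLENGE = b"A" * 32          # assumed content; only the 32-byte length matters


class PrivateGTS:
    """In-memory stand-in for gamestats2: issue a challenge, then serve a record."""

    def __init__(self, record_for_client: bytes):
        self.record = record_for_client  # bytes we want the DS to receive, e.g. a 292-byte result
        self.challenged = set()          # pids that have completed step 1
        self.log = []                    # (pid, hash, data) seen in step 2

    def handle(self, request_target: str) -> bytes:
        qs = parse_qs(urlparse(request_target).query)
        pid = qs.get("pid", [None])[0]
        if pid is None:
            return b""                   # not a request we model
        if "hash" not in qs:             # step 1: pid only -> 32-byte challenge
            self.challenged.add(pid)
            return FIXED_CHALLENGE
        h = qs["hash"][0]                # step 2: pid + hash + data
        data = qs.get("data", [""])[0]
        if pid not in self.challenged or len(h) != 40:
            return b""                   # out-of-order or malformed; real server would reject
        self.log.append((pid, h, data))
        return self.record


def client_hash(challenge: bytes) -> str:
    # Placeholder: the thread has not determined the real algorithm. SHA-1 hex
    # is used here only because its 40-character length matches what was observed.
    return hashlib.sha1(challenge).hexdigest()


def ds_exchange(server: PrivateGTS, pid: str, request_blob: bytes,
                page: str = "/whateverpage.asp") -> bytes:
    """Drive both GETs as the DS would, against the in-memory server."""
    challenge = server.handle(f"{page}?{urlencode({'pid': pid})}")
    params = {
        "pid": pid,
        "hash": client_hash(challenge),
        # base64 stands in for the unknown request encoding (assumption).
        "data": base64.urlsafe_b64encode(request_blob).decode("ascii"),
    }
    return server.handle(f"{page}?{urlencode(params)}")


def serve(record: bytes, port: int = 80) -> None:
    """Expose PrivateGTS over plain HTTP, as the game expects (no SSL)."""
    gts = PrivateGTS(record)

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = gts.handle(self.path)
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    HTTPServer(("0.0.0.0", port), Handler).serve_forever()


if __name__ == "__main__":
    serve(b"\x00" * 292)                 # constructed placeholder record
```

The log kept by the server is the useful part for research: every (pid, hash, data) triple the game sends against a known, constant challenge is exactly the sample set you need when trying to work out the hash function later.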
The search results include the full 236 bytes of pokemon! (This makes more sense given that the total length per search result is 292 bytes, and that there are 236 bytes reserved for "pokemon in gts" at the end of the save file.)

Ah, that does make a lot of sense.

This leaves 56 extra bytes to contain the requested stuff: 0x04-0x05 is the National Dex # of the requested poke, 0x06 I *think* is the requested gender, 0x07 is the min level, 0x08 is the max level.

Awesome! I'm really excited about the progress being made on this!

Maybe I'll get time sometime this weekend to delve back into those logs and pick apart those 56 bytes. Incidentally, did you take notes on what kind of requests you were making on the DS concurrent to these new logs? That would help a ton.

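Added example (not from the thread, the attached logs or 56.txt): a parser for the 292-byte search result as laid out above, 236 bytes of encrypted/shuffled pokemon followed by the 56-byte trailer, using only the offsets the thread has established (0x04-0x05 wanted dex number, 0x06 wanted gender, 0x07 min level, 0x08 max level). It also does the "sift out viable trades" check suggested earlier in the thread, by matching what the uploader asked for against what you have. Assumptions, marked in the code: the dex number is little-endian like the rest of the DS save; the gender byte is kept raw because its encoding is not established; make_record builds constructed test input, since real PKM bytes are encrypted and nothing here decrypts them.

```python
import struct

PKM_LEN = 236                          # encrypted, shuffled pokemon block, as in the save
TRAILER_LEN = 56                       # extra bytes appended to each search result
RECORD_LEN = PKM_LEN + TRAILER_LEN     # 292 bytes per result, as observed in the thread

# Trailer offsets from the thread. Everything else in the trailer is left raw.
OFF_WANTED_DEX = 0x04                  # 2 bytes
OFF_WANTED_GENDER = 0x06
OFF_MIN_LEVEL = 0x07
OFF_MAX_LEVEL = 0x08


def parse_gts_record(rec: bytes) -> dict:
    """Split one 292-byte result into the pokemon block and the decoded trailer fields."""
    if len(rec) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(rec)}")
    pkm, trailer = rec[:PKM_LEN], rec[PKM_LEN:]
    # Assumption: little-endian, like other multi-byte fields in the DS save.
    wanted_dex = struct.unpack_from("<H", trailer, OFF_WANTED_DEX)[0]
    return {
        "pkm": pkm,                                   # still encrypted; hand to a PKM decoder
        "wanted_dex": wanted_dex,
        "wanted_gender": trailer[OFF_WANTED_GENDER],  # raw; mapping not established
        "min_level": trailer[OFF_MIN_LEVEL],
        "max_level": trailer[OFF_MAX_LEVEL],
        "unknown_tail": trailer[-4:],                 # last four bytes; meaning unknown
    }


def split_results(payload: bytes) -> list:
    """Parse a server response body that is a run of whole 292-byte records."""
    if len(payload) % RECORD_LEN:
        raise ValueError("payload is not a whole number of 292-byte records")
    return [parse_gts_record(payload[i:i + RECORD_LEN])
            for i in range(0, len(payload), RECORD_LEN)]


def matches_offer(record: dict, my_dex: int, my_level: int) -> bool:
    """True if the uploader's request could be satisfied by what I have:
    same wanted species, level inside the requested range."""
    return (record["wanted_dex"] == my_dex
            and record["min_level"] <= my_level <= record["max_level"])


def make_record(pkm: bytes, wanted_dex: int, gender: int,
                min_level: int, max_level: int) -> bytes:
    """Constructed test record. Real pokemon data is encrypted; any 236 bytes do here."""
    if len(pkm) != PKM_LEN:
        raise ValueError("pkm block must be 236 bytes")
    trailer = bytearray(TRAILER_LEN)
    struct.pack_into("<H", trailer, OFF_WANTED_DEX, wanted_dex)
    trailer[OFF_WANTED_GENDER] = gender
    trailer[OFF_MIN_LEVEL] = min_level
    trailer[OFF_MAX_LEVEL] = max_level
    return pkm + bytes(trailer)


def viable_trades(payload: bytes, my_dex: int, my_level: int) -> list:
    """Indexes of results in a response body whose request I could fulfil."""
    return [i for i, rec in enumerate(split_results(payload))
            if matches_offer(rec, my_dex, my_level)]
```

Before trusting the decoded fields against live captures, compare a record's trailer with the search you actually typed on the DS, since the thread has only confirmed the level and dex offsets and the byte-order is an assumption here. Level requests the game expresses as "any" are not handled, because their encoding has not been established.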

Attached is a script that will allow you to send a .pkm to your game cart without any special hardware, through the GTS. In order to run it, you need to have Python installed on your machine, which is freely available at python.org and should run on any OS. On Linux and OS X the script needs superuser privileges because it needs to bind to two ports below 1024. I'm not sure, but on Vista+ it might need to be run as admin.

EDIT: It's been pointed out to me that it doesn't seem to work on windows after all |= I'll figure it out once I get access to a windows xp machine, but for now - sorry )=

How it works is: you unzip sendpkm.zip, put your .pkm in the same folder as the .py files you get, run sendpkm.py, and enter the full filename of your .pkm when it asks you for it. After that, it'll tell you to set your DS's DNS server to something; you can do that from the title screen of the Pokémon games, in WFC settings.

manualSettings.jpg

Tap "No" for auto-obtain DNS, and enter the IP the script gives you as the primary DNS server.

After that, you just head into the GTS, and your .pkm should come flying!

There's some communication error occurring on platinum after you get it, that I've yet to figure out - but regardless, the poke is still there after you restart your DS.

Don't forget to set your WFC settings back when you wanna play with the real server!

Also attached are 56.txt, which is an explanation of all but the last four of the mysterious 56 bytes we were getting appended to the search results, and depundep.txt, for anyone who wants to take a shot at the deposit-pokemon encoding.

ENJOY YOUR POKEYMANS!

Things left to do (in order of usefulness/importance):

a pokemon info displayer thing to provide detailed info on search results

figure out depositing encoding

figure out hashing algorithm

depundep.txt

56.txt


Edited by LordLandon


Y'know, if it's only the last four bytes of that 56-byte structure that are unknown, there's a fair chance that it's a checksum. If that's the case, good luck figuring out that hash check....

Also, great job! Too bad I have Windows. :(

EDIT:

a pokemon info displayer thing to provide detailed info on search results

I think this goes without saying, but feel free to use any part of my PKMDS library or programs to make this. One thing my programs specialized in was the slick and user-friendly display of Pokémon information, so it seems like it might help.


Great. Windows issues fixed: unzip the archive, and drag a .pkm or a .zip onto sendpkm.py. I seem to have fixed Platinum's communication error by making the script wait for the animation to finish before closing, as it seems the game still wants the socket open after that. I now also have sendpkm put together the 56-byte ending, or at least some of it. This fixes some nasty problems, especially in Platinum, which seem to be anti-cheating measures of some sort.

Nonetheless, it's still not perfect, and I would advise having a full party when you go to do this, because otherwise you'll end up with the sent-over pokemon having a capsule attached, with no easy way to detach it (save sending it to the real GTS and picking it back up, or trading to another game). So have a full party, and look in the first box of your PC afterwards, and it should be fine.

For those more interested in the details, the second timestamp I found in the 56 bytes seems to be the traded-away time. I still have no clue what the last four bytes are. And I'm starting to think the server-bound encoding involves the PID somehow.

That is all for now.

EDIT: BUT WAIT! THERE'S MORE! Now it seems to work exactly right, no more stupid capsule problems, use with confidence (= (I've updated the attachment.)

sendpkm.zip

Edited by LordLandon


You might want to add that it's Python 2.6; I had 3.1 installed previously, and it took me a while to figure out what was up.

I was gonna try this, but sadly Nintendo's Wi-Fi USB Connector doesn't allow one to tweak DNS settings and stuff. Oh well, I have a flashcard. =)


Man, that program...

It rocks. Seriously.

We can now get Pokésav'd Pokémon on our game without even having any way of extracting our retail cart save file.

Major congrats here.

We even get the Pokémon's dex entry registered.


Hah, yeah, the 'Dex entry. I forgot about that!

This is seriously the most awesome thing ever. Can't wait to try out the Windows-working script tonight.


Poryhack: Yes, thanks for the tip about 2.6. (= Also, you can be my tester for using the Wi-Fi adapter: since it doesn't let you change the DNS settings in your DS, it must be using the same settings that your computer uses. Try changing the DNS server in your regular network settings.

Pingouin7: I'm glad you're enjoying it! Be sure to post anything that causes it to break, so that it could be fixed.


Thanks for the pointer; it worked great. Maybe you could incorporate something into your script that will change the DNS settings on the computer and change them back after the transfer is done.

Poryhack: Yes, thanks for the tip about 2.6. (= Also, you can be my tester for using the Wi-Fi adapter: since it doesn't let you change the DNS settings in your DS, it must be using the same settings that your computer uses. Try changing the DNS server in your regular network settings.

Pingouin7: I'm glad you're enjoying it! Be sure to post anything that causes it to break, so that it could be fixed.

I can't even use it.
