It seems that the byte at 0x34 in the additional GTS data determines the skin during searching. But it only works with specific values:

05 - bug catcher

0B - ace trainer

1F - some tough guy (don't know exactly)

32 - ruins explorer

33 - karate guy

3E - don't know exactly either

46 - this one too

In dec: 5, 10, 31, 50, 51, 62, 70. And I can't see any rule here yet.

Other values in the range 00-83 give the default skin. (I haven't tested others yet.)

Also, the other 3 trailing bytes seem to have no role here.


It could be the trainer's Wi-Fi avatar, like how you see your friends in the Union Room.

It is done.

DNS: 72.232.182.50

Simple roundtripping GTS. Deposit a Pokémon, and next time you check GTS status it'll come back to you. And no blue screen!

No searching, etc., and I don't save your Pokémon after you take it back.

(Disclaimer: Please don't put anything important in here; this is a proof of concept, and I reserve the right to nuke everything at any time.)

That's really awesome! So might this be used to transfer pokemon from the DS to the computer and, if so, when might you allow us access to your program?


Perhaps Project Pokemon could run a GTS server, something like what I am trying to make at http://vlacula.no-ip.com/pokemon/gts/ (if my PC is on, the link will work). I guess once events are up it would be neat to have the possibility to get the Pokémon through PP's custom GTS and, with a site interface, vote for which event the community wants to download. Going to release the sources soon, when I manage to get it stable. No, it's not easy to use, but it's at least pretty easy to configure if you know the basics of web hosting.

This ain't really research but more like the result of it, hehe. Super, Veekun, that you managed to make your own server too; it's cool. ;) Easy "trade evolution" for those unable to edit their saves with Pokesav.

So there you have it. I guess the floodgates are open. And now that I've figured out both the challenge-response hash and the data encryption, I'm kind of done with this GTS stuff. Honestly though, I'm a little worried about the SSL connection that takes place. Since we don't know much about it, and aren't even close to being able to spoof it, that means that when Nintendo eventually shuts down the official GTS server, all the fan servers will go with it. Enjoy it while it lasts.

Guess it's time to work on some homebrew servers while the going's good.

Thank you for your research.


Hello, I'm a Japanese Pokémon fan.

I have researched the GTS and Battle Tower Wi-Fi system from 2007.

I worked out the hash calculation, the encryption method, and the protocol.

But I thought that publishing the protocol would be very dangerous.

I decided to keep the protocol secret.

However, the protocol has now been published by magical and イーブイ.

I changed my thinking.

I will write down the little I know.

<pid>

called GSPID in "Metroid Prime: Hunters".

pid = (12-digit friend code) & 0x7FFFFFFF.

ex. 0773 6429 1465 -> 54880137 (0x03456789)

<The extra 56 bytes are GTS-specific data>

0x10 : Trainer gender. male:0, female:1

0x35 : exchanged flag.

0x36 : rom version. 0x0A:Diamond, 0x0B:Pearl, ...

0x37 : rom language. 1:JPN, 2:ENG, 3:FRA, ...

<search query>

0x01-02 : Pokemon NO.

0x03 : gender. 1:male, 2:female, 3:both

0x04 : LV min.

0x05 : LV max.

0x06 : always 0.

0x07 : result number. 3,5,7

0x08 : geonet country. (only Pt,HG,SS)

<timestamp>

The timestamp is PST (GMT-8:00).

-----

(original Japanese text, translated)

Hello, I am a Japanese Pokémon fan.

I investigated the GTS and Battle Tower Wi-Fi communication in 2007.

I worked out the hash calculation method, the data encryption method, and the protocol.

However, I thought that publishing these would have dangerous consequences.

I decided to keep these protocols secret.

However, the protocol has been published by magical and イーブイ.

I changed my mind, thinking there is no helping it now.

I will write a little of what I know.

(remainder omitted)

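As an added example (this is not code from the thread, nor from sendpkm.py, pokehaxlib or any of the servers linked here), the Python below applies the field layouts posted above: the pid derivation from a friend code, the byte-0x34 sprite table from the first post together with the 0x10/0x35/0x36/0x37 fields from the post just above, and an encoder/decoder pair for the search query. Everything it assumes beyond what the thread states is marked in the code: the species number at query offsets 0x01-0x02 is taken to be little-endian (the DS is little-endian, but the thread does not say), the query is taken to end at offset 0x08, byte 0x00 of the query is left zero because it is not described, and only the version and language codes actually listed in the thread are named.

```python
"""Helpers for the GTS field layout posted in this thread (added example)."""
import struct

# Trainer-sprite values reported for byte 0x34 of the GTS extra data. Names are
# the ones given in the thread; values the poster could not identify are marked.
TRAINER_SPRITES = {
    0x05: "bug catcher",
    0x0B: "ace trainer",
    0x1F: "unidentified (tough guy)",
    0x32: "ruins explorer",
    0x33: "karate guy",
    0x3E: "unidentified",
    0x46: "unidentified",
}
# Only the codes enumerated in the thread; the "..." there means more exist.
ROM_VERSIONS = {0x0A: "Diamond", 0x0B: "Pearl"}
LANGUAGES = {1: "JPN", 2: "ENG", 3: "FRA"}
GENDERS = {0: "male", 1: "female"}                 # trailer offset 0x10
SEARCH_GENDERS = {1: "male", 2: "female", 3: "both"}  # query offset 0x03

GTS_EXTRA_LEN = 56          # "the extra 56 bytes are GTS-specific data"
SEARCH_QUERY_LEN = 9        # offsets 0x00-0x08; assumption: nothing after 0x08
RESULT_COUNTS = (3, 5, 7)   # values the game sends at query offset 0x07


def pid_from_friend_code(friend_code: str) -> int:
    """pid (GSPID) = the 12-digit friend code as an integer, masked to 31 bits."""
    digits = friend_code.replace(" ", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError("friend code must be 12 decimal digits")
    return int(digits) & 0x7FFFFFFF


def parse_gts_extra(extra: bytes) -> dict:
    """Decode the GTS-specific trailer (only the offsets identified in the thread)."""
    if len(extra) != GTS_EXTRA_LEN:
        raise ValueError(f"expected {GTS_EXTRA_LEN} bytes, got {len(extra)}")
    sprite = extra[0x34]
    return {
        "gender": GENDERS.get(extra[0x10], f"unknown ({extra[0x10]})"),
        "sprite_id": sprite,
        # values outside the table were reported to show the default sprite
        "sprite": TRAINER_SPRITES.get(sprite, "default"),
        "exchanged": extra[0x35] != 0,
        "rom_version": ROM_VERSIONS.get(extra[0x36], f"unknown (0x{extra[0x36]:02X})"),
        "language": LANGUAGES.get(extra[0x37], f"unknown ({extra[0x37]})"),
    }


def build_search_query(species: int, gender: int, lv_min: int, lv_max: int,
                       results: int, country: int = 0) -> bytes:
    """Encode a GTS search query with the offsets listed in the thread."""
    if not 1 <= species <= 0xFFFF:
        raise ValueError("species out of range")
    if gender not in SEARCH_GENDERS:
        raise ValueError("gender must be 1 (male), 2 (female) or 3 (both)")
    if not 0 <= lv_min <= lv_max <= 0xFF:
        raise ValueError("level range must satisfy 0 <= min <= max <= 255")
    if results not in RESULT_COUNTS:
        raise ValueError(f"result count must be one of {RESULT_COUNTS}")
    if not 0 <= country <= 0xFF:
        raise ValueError("country out of range")
    q = bytearray(SEARCH_QUERY_LEN)           # byte 0x00 is undescribed; left zero
    struct.pack_into("<H", q, 0x01, species)  # assumption: little-endian species no.
    q[0x03] = gender
    q[0x04] = lv_min
    q[0x05] = lv_max
    q[0x06] = 0                               # "always 0"
    q[0x07] = results
    q[0x08] = country                         # Geonet country (Pt/HG/SS only)
    return bytes(q)


def parse_search_query(q: bytes) -> dict:
    """Decode a query built as above, rejecting one whose always-zero byte is set."""
    if len(q) < SEARCH_QUERY_LEN:
        raise ValueError(f"query needs at least {SEARCH_QUERY_LEN} bytes")
    if q[0x06] != 0:
        raise ValueError("byte 0x06 should always be 0")
    (species,) = struct.unpack_from("<H", q, 0x01)
    return {
        "species": species,
        "gender": SEARCH_GENDERS.get(q[0x03], f"unknown ({q[0x03]})"),
        "lv_min": q[0x04],
        "lv_max": q[0x05],
        "results": q[0x07],
        "country": q[0x08],
    }


if __name__ == "__main__":
    print(hex(pid_from_friend_code("0773 6429 1465")))  # the thread's worked example
    # Constructed sample trailer (not a capture): female trainer, ace-trainer
    # sprite, Diamond, English.
    sample = bytearray(GTS_EXTRA_LEN)
    sample[0x10], sample[0x34], sample[0x36], sample[0x37] = 1, 0x0B, 0x0A, 2
    print(parse_gts_extra(bytes(sample)))
    print(parse_search_query(build_search_query(25, 3, 1, 100, 7)))
```

Running the module reproduces the friend-code example from the post (0773 6429 1465 gives 0x03456789) and round-trips a constructed query; the decoder deliberately refuses a query whose 0x06 byte is non-zero, which is the kind of check a homebrew server should make before trusting anything else in the request.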

My goal was to make a page, where people could upload their .pkm files, and have a GTS instance start up, let them download the .pkm, and then have the instance shut off. But, I got lazy, and tired from adding checks everywhere. The main base is here though, so it works! If anybody wants to fix it up, go right ahead :P

http://kowiz.cowxp.com/GTSPHP.zip

It goes via IP address, so it may not work correctly if you're connecting to the GTS server on the same LAN

The sendpkm and pokehaxlib were modified to take a 2nd argument, port number

(doesn't contain the cname version)

(probably should have removed the dnsspoof function due to redundancy)

You're supposed to (manually) run a GTS server on port 81, maybe with the randomizing pkm files.

When somebody submits a pokemon, an instance will start up on port 82

Then they connect to the GTS. Via their IP, they are automatically forwarded to port 82, where they receive the pkm, and the port 82 instanced server shuts down.

If port 82 is being taken up by somebody else submitting, and somebody submits a pokemon, it automatically goes to port 83, and starts the instanced server there.

After the instanced servers shut down, the IP is deleted, and it will let people submit from the first port number (82 in this case).

If they don't have a pokemon submitted, then they'll be sent to port 81.

You can modify the .htaccess file to allow for more instances.

You are required to have a webserver with PHP running on port 80.


I know this may have already been answered, but it's hard to go through every single thing... but could someone please explain how to actually 'distribute' the .pkm files to more than one person, and would the distribution method work the same for any operating system, not just Windows? (I use Linux - Fedora.)


I think the GTS nuker might do what you want, but I am unsure. (I have not actually tried any of this, as the wireless I use uses WPA instead of WEP)

http://projectpokemon.org/forums/showthread.php?780-GTS-website-research&p=71061&viewfull=1#post71061

EDIT: also, I think the one I linked to is for if it is on your network, and not over the internet.

(this is my first post)

Edited by Dr.Octagonapus: added something
Use the Python script by lordlandon with an auto-restarter I made; you can find it here: http://projectpokemon.org/forums/showthread.php?780-GTS-website-research&p=74808&viewfull=1#post74808

Do you really need a restarter...? Just make sendpkm.py not exit after sending the Pokémon off.

Mainly made it out of general boredom. When you lose your job and have nothing better to do because the economy is failing, and you're waiting for a few things to happen first before you join the military, you get very bored.

Also, I like to know how many times the Pokémon I'm hosting has been downloaded.


OK, there's aaaall this GTS research going on, and transferring .pkms is fun and all, but...

Why haven't people started researching Mystery Gift? Surely it connects to Nintendo in the same fashion as the GTS does... But on the computer I'm using I don't have access to hex editing, or else I'd check myself.

But meh, maybe I should be content with just .pkm files for a while... :B


As vlad said earlier in the thread in post #123, Mystery Gift may use SSL, which is hard to crack and to act as the server for.

So at this point, there will be no Wondercard distribution research.


Umm, I don't know if this was answered yet, but I tried to use my Luxray.PKM file with sendpkm.py. I couldn't drag and drop it, so I had to use "Run...", and when it encoded I got the DNS 127.0.0.1. I tried to put it on my DS and it didn't work. I saw the other replies and tried what they said, but it still didn't work. I don't know if it's because my modem's ports are not port forwarded or if it's my modem itself; I keep getting error 52100 when I try to connect to the GTS. My modem is a cable modem, a Thomson THG540. Can anyone help me with this issue, please? Thank you in advance.
