Everything posted by LordLandon

  1. Yes, the GTS is terribly insecure.. No, the last four bytes at the end of exchange aren't "null" they're the PID of the trainer you want to do the exchange with (remember? stateless.) Yes, you could fsck with the GTS and delete all the pokemon for the lulz - but the reason none of us have released client code (to work against the real GTS) is that we do not advocate it. At all. It's one thing to mess with your own game/server, it's another to go ruining the experience for everyone using the real GTS.
  2. Binary junk with the content-type header of text/html, at that q= My setup is simply dnsspoof substituting replies to gamestats2.gs with my IP, and mod_rewrite in lighttpd:

         url.rewrite =("^/pokemon.+([?].*)" => "/gts.py$1")

     which rewrites all requests to /pokemon.* to /gts.py, which uses the requested_url environ variable to figure out what to do. I've got a fully working GTS server running there atm, with searching and trading, from within my regular wobserver C=
  3. If the DS can't access conntest, whatever you've got rigged up is terribly borked. (=
  4. That's not an error. Besides gamestats2, the DS connects to conntest, and nas. (The former to test that it has interweb, and the latter to do some sekrit magic voodoo that gives it a PID if it doesn't have one)
  5. If you want dnsspoof to do your public IP, replace

         s=socket.socket(); s.connect(("bash.org",80)); me="".join(chr(int(x)) for x in s.getsockname()[0].split("."))
         print "Please set your DS's DNS server to",s.getsockname()[0]

     with

         import urllib2
         ip=urllib2.urlopen("http://whatismyip.everdot.org/ip").read()
         me="".join(chr(int(x)) for x in ip.split("."))
         print "Please set your DS's DNS server to",ip

     Easy!
  6. If it tells you or, sorry, but you're going to have to find the IP address of the computer yourself - you can look in your network properties (i think it's under some detailed tab). In the meantime, I'll see if there's a more reliable way of getting that IP.
  7. I don't have a mac, but that error is due to something already listening on port 80. See what you see if you go to http://localhost in your browser.
  8. Well, you found a limitation, but a different one - that .pkm is from a box, and consists of 136 bytes. Atm, the script only works with "party" pkm which consist of 236 bytes. I will fix this soon - sorry!
  9. Poryhack: Yes, thanks for the tip about 2.6 (= also, you can be my tester for using the wifi adapter: since it doesn't let you change the dns settings in your ds, it must be using the same settings that your computer uses - try changing the DNS server in your regular network settings. Pingouin7: I'm glad you're enjoying it! Be sure to post anything that causes it to break, so that it could be fixed.
  10. Great. Windows issues fixed - unzip the archive, and drag a .pkm or a .zip to sendpkm.py. I seem to have fixed platinum's communication error by making the script wait for the animation to finish before closing, as it seems the game still wants the socket open after that. I now also have sendpkm put together the 56 byte ending, or at least some of it. This fixes some nasty problems, especially in platinum which seem to be anti-cheating measures of some sorts. Nonetheless, it's still not perfect, and I would advise having a full party when you go to do this, because otherwise you'll end up with the sent over pokemon having a capsule attached, with no easy way to detach it (save sending it to real gts, and picking it back up, or trading to another game). So have a full party, and look in the first box of your PC afterwards and it should be fine. For those more interested in the details, the second time stamp I found in the 56 bytes seems to be the traded-away time. I still have no clue what the last four bytes are. And I'm starting to think the server-bound encoding involves the PID somehow. That is all for now. EDIT: BUT WAIT! THERE'S MORE! Now it seems to work exactly right, no more stupid capsule problems, use with confidence (= (I've updated the attachment.) sendpkm.zip
  11. Attached is a script that will allow you to send a .pkm to your game cart without any special hardware, through the GTS. In order to run, you need to have python installed on your machine which is freely available at python.org and should run on any OS. On linux, and osx the script needs superuser privileges because it needs to bind to two ports below 1024. I'm not sure, but on vista+ it might need to be run as admin.

      EDIT: It's been pointed out to me that it doesn't seem to work on windows after all |= I'll figure it out once I get access to a windows xp machine, but for now - sorry )=

      How it works, is you unzip sendpkm.zip, put your .pkm in the same folder as the .py files you get, run sendpkm.py, and enter the full filename of your .pkm when it asks you for it. After that, it'll tell you to set your DS's DNS server to something, you can do that from the title screen of the pokemon games, in WFC settings. Tap "no" for auto-obtain DNS, and enter the IP the script gives you for the primary DNS server. After that, you just head into the GTS, and your .pkm should come flying! There's some communication error occurring on platinum after you get it, that I've yet to figure out - but regardless, the poke is still there after you restart your DS. Don't forget to set your WFC settings back when you wanna play with the real server!

      Also attached are 56.txt, which is an explanation of all but the last four of the mysterious 56 bytes we were getting appended to the search results, and depundep.txt for anyone who wants to take a shot at the deposit pokemon encoding. ENJOY YOUR POKEYMANS!

      Things left to do (in order of usefulness/importance):
        - a pokemon info displayer thing to provide detailed info on search results
        - figure out depositing encoding
        - figure out hashing algorithm

      depundep.txt 56.txt
  12. hi. i'd like to request a .pkm with as many 0 bytes as possible in the encoded structure, but still importable into the game
  13. *high fives guested* for being the only one who's making any sense in this thread.
  14. So here's what I have as of now: because http is used for the communication, every time the DS wants to make a request from the server, (after the initial connect) the exchange is as follows:
        - DS gets whateverpage.asp?pid=[pid], and the server returns a 32-byte string
        - the DS then gets whateverpage.asp?pid=[pid]&hash=[40 byte hash of 32-byte string]&data=[encoded request]
        - the pid is *not* wifiid dependent since it remained after i connected to wifi with a different DS. either way, it's gotta be in the save file somewhere.
        - the hash is a hash of *only* the secret string the server sends as a challenge - i've tried different combinations of ds/game/pid while keeping the same challenge string, and the hash came out the same each time
        - the search results include the full 236 bytes of pokemon! (this makes more sense due to the total length per search result is 292 bytes, and because there are 236 bytes reserved for "pokemon in gts" at the end of the save file)
        - this leaves 56 extra bytes to contain the requested stuff
        - 0x04-0x05 is the national dex # of the requested poke, 0x6 i *think* is the requested gender. 0x7 is the min level, 0x8 is the max level.

      we'll post more as we learn more. attached is a zip of a bunch of the conversations that went on between DS and server, the \ndone---done\n being a separator between each response/request (made it easier for me to parse, not part of the exchange). of small note is that platinum sets some profile thing as part of authenticating to the gts

      gtcstuff.zip
  15. Okay, so I changed my router's DNS server to resolve gamestats2.gs.nintendowifi.net to point to one of my computers. Had my DS happily connect to it, where a happy python script was waiting to intercept GTS traffic and redirect it to the REAL gamestats2. What I've found is that there are no ssl connections happening and I have niceish (nicer than a pcap, at any rate) dialogs between the DS and gamestats2. The pid seems to be a cart-specific number, probably one you get the first time you connect to wifi, it stays the same every time you reconnect. When doing searches, another GET param comes up, data which seems to be an unencrypted 'action' i.e. same searches produce the same data regardless of connection. What we'd need to figure out to have automated scripts, is how that hash is generated, so that the server takes us for its own. I'll mess with this more another day, as it is late now so take this post as more of a poke, rather than an informative one, to see if you guys are still here to try and mess with this. Other potential areas of explorations would be to hex-edit the rom and change gamestats2.gs.nintendowifi to point to your own server for easier debugging, and perhaps, create our own private GTS's that don't do hash checking, or always present the client with the same sekrit string (; Oh, and I don't have high hopes for how well this could do for sifting through *all* of GTS's pokeymans as the data I saw from the server seems to be just enough for the three odd results the game gives us.
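
An added illustration, not part of the forum posts and not LordLandon's code: posts 14 and 15 observe that the `hash` parameter depends only on the server's 32-byte challenge, so this sketch puts a verifier with that property beside one that binds the response to the pid, the request data and a per-client key. SHA-1 is only a stand-in (the real hash function is not identified on the page), and the pids, keys and class name are constructed for the example.

```python
import hashlib
import hmac
import secrets

def weak_response(challenge: bytes) -> str:
    # Stand-in: SHA-1 yields 40 hex characters like the hash in the posts,
    # but the function the game really uses is not identified on the page.
    return hashlib.sha1(b"constant-in-client" + challenge).hexdigest()

def weak_verify(challenge, pid, data, resp):
    # pid and data never enter the check, matching what the posts observed.
    return hmac.compare_digest(weak_response(challenge), resp)

def client_mac(key, challenge, pid, data):
    # Fixed-width challenge (32) and pid (4) keep the concatenation unambiguous.
    msg = challenge + pid.to_bytes(4, "little") + data
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class HardenedServer:
    def __init__(self, keys):
        self.keys = keys      # pid -> per-client secret (constructed values)
        self.pending = {}     # pid -> outstanding challenge

    def challenge(self, pid):
        self.pending[pid] = secrets.token_bytes(32)
        return self.pending[pid]

    def verify(self, pid, data, resp):
        ch = self.pending.pop(pid, None)   # each challenge is single use
        if ch is None or pid not in self.keys:
            return False
        return hmac.compare_digest(client_mac(self.keys[pid], ch, pid, data), resp)

def demo():
    ch = secrets.token_bytes(32)
    resp = weak_response(ch)               # computed with no knowledge of any pid
    weak_ok = weak_verify(ch, 222, b"changed request", resp)

    srv = HardenedServer({111: secrets.token_bytes(32), 222: secrets.token_bytes(32)})
    k111 = srv.keys[111]
    good = client_mac(k111, srv.challenge(111), 111, b"search")
    honest = srv.verify(111, b"search", good)
    replay = srv.verify(111, b"search", good)      # challenge already consumed
    other = srv.verify(222, b"search", client_mac(k111, srv.challenge(222), 222, b"search"))
    altered = srv.verify(111, b"other", client_mac(k111, srv.challenge(111), 111, b"search"))
    return weak_ok, honest, replay, other, altered

if __name__ == "__main__":
    print(demo())
```

Binding the response to a per-client key does not by itself address the DNS redirection described in the posts; that needs an authenticated transport such as TLS with certificate validation.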