
Keplar

Member
  • Posts: 3

Posts posted by Keplar

  1. I both can and will. I'm using ARP poisoning to route all the traffic through my machine. It just seemed easiest to me. An early, but admittedly half-hearted, attempt to do the same using a proxy failed. The 3DS refused to wonder trade, etc. I will try dropping select packages later, but currently I unfortunately do not have any time at all.

    I also suggest we already start working on the checksum, just in case we get injection working soon. I just wanted to start a brute-force attack using oclHashcat-plus, but apparently a salt of 232 bytes (the PKX data) is too much for it to handle. In case anyone knows a program that could brute-force such a long 'password', I suggest we just keep a list of all tried algorithms, so that we can distribute the workload.

    The problem is that we aren't even sure how long the salt is, whether the salt is placed before or after the data payload (or both), or even what sections of data are being hashed. If it's anywhere near as long as the 20 character SHA1 salt used in the GTS, then it's not even worth trying to brute-force. You'd have better luck finding/hiring a hardware engineer to reproduce what neimod and smea can do, and pull it out of RAM.

    This deeply confuses me. Assuming we're right that this is a hash, and assuming that this hash is absolutely required by the game and that we're not just making mistakes elsewhere in our injection process, then it should've been impossible for bond and xfr to inject an edited Pokemon using wonder trade. Unless, of course, they happen to have the same hardware setup as neimod and smea.

  2. The only thing I'm missing from getting the Wonder Trade to work is the 16-byte checksum within the EAD header.

    Any ideas?

    EAD header:

        // Fields in wire order. The magic 0x0301D0EA appears on the wire as
        // EA D0 01 03, so all multi-byte fields are little-endian.
        struct EADHeader {
            uint32_t magic;          // 0x0301D0EA // EA D0 01 03
            uint16_t size;           // length of the data, without the EAD header
            uint16_t unk1;           // wondertrade: 0x1111, gts = 0xAFA1
            uint16_t unk2;           // wondertrade: 0x08E2, gts = 0x00E2
            uint16_t unk3;
            uint16_t packetId;
            uint8_t  checksum[16];
            uint16_t unk4;           // 02 01
            uint8_t  encryptedFlag;  // 00 = plaintext (wondertrade), 01 = encrypted (gts)
        };

    Data:

        uint8_t data[];              // 'size' bytes, immediately after the header

    if it's wondertrade:

        struct WonderTradeData {
            uint8_t unk[0x1C];
            uint8_t pkx[0xE8];
        };

    Otherwise, the actual injection part is easy.

    16 byte checksum? That sounds more like an MD5 hash, in my opinion. Out of curiosity, I've coded a small script to hash all possible data segments of the packet's payload, and compare these hashes for a possible match. Unfortunately, no hashed data segments of my packet matched. Perhaps a salted MD5 hash is being used?
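    The segment search described above, as an added example in Python that is not Keplar's script or anything from the thread: it parses the EAD header laid out earlier in the post, then hashes every contiguous span of the packet with MD5 and reports the spans whose digest equals the 16-byte checksum field. The sample packet is constructed here with its checksum set to a plain MD5 over the data section so that the search has something to find; whether the real field covers anything like that is exactly what the thread has not established. Field names follow the posted header; the helper names are this example's own.

```python
import hashlib
import struct

# EAD header as posted in the thread: 33 bytes, little-endian (the magic
# 0x0301D0EA appears on the wire as EA D0 01 03).
EAD_FORMAT = "<IHHHHH16sHB"
EAD_SIZE = struct.calcsize(EAD_FORMAT)   # 33
EAD_MAGIC = 0x0301D0EA


def parse_ead_header(packet):
    """Split a raw packet into the posted EAD header fields plus the data after it."""
    if len(packet) < EAD_SIZE:
        raise ValueError("packet shorter than the EAD header")
    (magic, size, unk1, unk2, unk3, packet_id,
     checksum, unk4, encrypted) = struct.unpack_from(EAD_FORMAT, packet, 0)
    if magic != EAD_MAGIC:
        raise ValueError("bad EAD magic 0x%08X" % magic)
    return {
        "magic": magic, "size": size, "unk1": unk1, "unk2": unk2,
        "unk3": unk3, "packetId": packet_id, "checksum": checksum,
        "unk4": unk4, "encryptedFlag": encrypted,
        "data": packet[EAD_SIZE:EAD_SIZE + size],
    }


def find_md5_spans(packet, digest=None):
    """Return every (offset, length) such that MD5(packet[offset:offset+length])
    equals `digest` (default: the packet's own 16-byte checksum field).

    Every start offset and every length down to a single byte is tried, so the
    checksum field itself and spans overlapping it are included; they simply
    never match."""
    if digest is None:
        digest = parse_ead_header(packet)["checksum"]
    matches = []
    n = len(packet)
    for start in range(n):
        # Extend one byte at a time instead of rehashing each span from scratch;
        # hashlib's digest() does not disturb the running state.
        h = hashlib.md5()
        for end in range(start + 1, n + 1):
            h.update(packet[end - 1:end])
            if h.digest() == digest:
                matches.append((start, end - start))
    return matches


def build_sample_packet(pkx):
    """Constructed Wonder Trade-style packet whose checksum is a plain MD5 over
    the data section. That choice is an assumption for this demo only."""
    data = bytes(0x1C) + pkx                       # unk[0x1C] + pkx[0xE8]
    header = struct.pack(EAD_FORMAT, EAD_MAGIC, len(data),
                         0x1111, 0x08E2,           # unk1/unk2 as posted for wondertrade
                         0, 1,                     # unk3, packetId (constructed)
                         hashlib.md5(data).digest(),
                         0x0102,                   # unk4: bytes 02 01, little-endian
                         0)                        # encryptedFlag: plaintext
    return header + data


SAMPLE_PKX = bytes((i * 7 + 3) & 0xFF for i in range(0xE8))   # constructed filler
SAMPLE_PACKET = build_sample_packet(SAMPLE_PKX)


def tampered_packet():
    """Same packet with one pkx byte changed and the checksum field left alone."""
    p = bytearray(SAMPLE_PACKET)
    p[EAD_SIZE + 0x1C] ^= 0xFF
    return bytes(p)


if __name__ == "__main__":
    hdr = parse_ead_header(SAMPLE_PACKET)
    print("size=%d unk1=0x%04X encryptedFlag=%d"
          % (hdr["size"], hdr["unk1"], hdr["encryptedFlag"]))
    print("MD5 spans matching the checksum:", find_md5_spans(SAMPLE_PACKET))  # [(33, 260)]
    print("after changing one pkx byte:", find_md5_spans(tampered_packet()))   # []
```

    Incremental hashing keeps the full scan of a 293-byte packet at a few tens of thousands of cheap operations. An empty result, as the tampered packet produces, is the same thing the post reports for the captured packet: either the field is not a plain MD5 of any contiguous span, or something outside the packet (a salt or key) goes into it.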

  3. So you're having trouble using a virtual adapter to broadcast? I was actually considering switching over to that, in favor of a pure software solution that didn't require an extra router.

    At the moment, I'm searching for a program that I can easily tweak to swap out sections of packets. It would be nice if this involved HTTP traffic or if there was a simple DNS address I could spoof... It sure would make things a lot easier. UDP modification is relatively new to me.
