Keplar
Posts: 3
Posts posted by Keplar
The only thing I'm missing to get Wonder Trade working is the 16-byte checksum within the EAD header.
Any ideas?
EAD header:
struct EadHeader {
    uint   magic;          // 0x0301D0EA, on the wire: EA D0 01 03 (so fields are little-endian)
    ushort size;           // payload length, EAD header not included
    ushort unk1;           // wondertrade: 0x1111, GTS: 0xAFA1
    ushort unk2;           // wondertrade: 0x08E2, GTS: 0x00E2
    ushort unk3;
    ushort packetId;
    ubyte  checksum[16];   // the unexplained 16 bytes
    ushort unk4;           // 02 01
    ubyte  encryptedFlag;  // 00 = plaintext (wondertrade), 01 = encrypted (GTS)
};
Data (follows the header):
    ubyte data;
    // if it's wondertrade:
    byte  unk[0x1C];
    byte  pkx[0xE8];
Otherwise, the actual injection part is easy.
16-byte checksum? That sounds more like an MD5 hash, in my opinion. Out of curiosity, I've coded a small script to hash all possible data segments of the packet's payload, and compare these hashes for a possible match. Unfortunately, no hashed data segments of my packet matched. Perhaps a salted MD5 hash is being used?
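An added example, not Keplar's script and not code from the thread, that covers both of the posts above: it parses the EAD header exactly as laid out in the struct (with Python's struct module, little-endian, 33 bytes) and then runs the unsalted-MD5 hypothesis test described here, hashing every contiguous slice of a candidate buffer and comparing it with the 16-byte field. It goes one step beyond the payload-only search by also trying the whole packet with the checksum field zeroed, since header-covering hashes are usually computed that way. The packet bytes are constructed for the demonstration, not captured; the field names, the build_packet helper and the wondertrade constants used to fill the header are taken from the struct in the post, and nothing below claims the real field is MD5.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# EAD header as laid out in the post above: little-endian, 33 bytes in total.
EAD_STRUCT = struct.Struct("<IHHHHH16sHB")
EAD_MAGIC = 0x0301D0EA          # appears on the wire as EA D0 01 03
CHECKSUM_OFFSET = 14            # 4 (magic) + 5 * 2 (ushorts) bytes precede the checksum
CHECKSUM_LEN = 16


@dataclass
class EadHeader:
    magic: int
    size: int            # payload length, header excluded
    unk1: int            # 0x1111 for wondertrade, 0xAFA1 for GTS
    unk2: int            # 0x08E2 for wondertrade, 0x00E2 for GTS
    unk3: int
    packet_id: int
    checksum: bytes      # the 16 unexplained bytes
    unk4: int            # 02 01 on the wire
    encrypted_flag: int  # 0 = plaintext (wondertrade), 1 = encrypted (GTS)


def parse_ead(packet: bytes) -> Tuple[EadHeader, bytes]:
    """Split a packet into header and payload, rejecting bad magic or a size that disagrees with the data."""
    if len(packet) < EAD_STRUCT.size:
        raise ValueError("packet shorter than the 33-byte EAD header")
    hdr = EadHeader(*EAD_STRUCT.unpack_from(packet))
    if hdr.magic != EAD_MAGIC:
        raise ValueError(f"bad magic 0x{hdr.magic:08X}")
    payload = packet[EAD_STRUCT.size:]
    if len(payload) != hdr.size:
        raise ValueError(f"size field {hdr.size} != payload length {len(payload)}")
    return hdr, payload


def md5_span(data: bytes, start: int = 0, end: Optional[int] = None) -> bytes:
    """Unsalted MD5 of data[start:end]: the hypothesis under test."""
    return hashlib.md5(data[start:end]).digest()


def zero_checksum(packet: bytes) -> bytes:
    """Copy of the packet with the checksum field cleared, the usual input for a header-covering hash."""
    return packet[:CHECKSUM_OFFSET] + bytes(CHECKSUM_LEN) + packet[CHECKSUM_OFFSET + CHECKSUM_LEN:]


def candidate_buffers(packet: bytes) -> Dict[str, bytes]:
    """Buffers worth slicing: the bare payload (what the post tried) and the whole packet with checksum zeroed."""
    _, payload = parse_ead(packet)
    return {"payload": payload, "packet_checksum_zeroed": zero_checksum(packet)}


def locate_checksum(packet: bytes, min_len: int = 1) -> Optional[Tuple[str, int, int]]:
    """Hash every contiguous slice of every candidate buffer; return (buffer, start, end) of the first match.

    O(n^2) slices per buffer, fine for packets of a few hundred bytes. None means no unsalted
    MD5 over a contiguous span reproduces the field, so the hash is keyed, salted, over a
    non-contiguous region, or simply not MD5.
    """
    hdr, _ = parse_ead(packet)
    for name, buf in candidate_buffers(packet).items():
        n = len(buf)
        for start in range(n):
            for end in range(start + min_len, n + 1):
                if md5_span(buf, start, end) == hdr.checksum:
                    return name, start, end
    return None


def build_packet(payload: bytes, checksum: Optional[bytes] = None, packet_id: int = 1) -> bytes:
    """Constructed wondertrade-style packet for testing, not a capture; default checksum is MD5 of the payload."""
    if checksum is None:
        checksum = md5_span(payload)
    header = EAD_STRUCT.pack(EAD_MAGIC, len(payload), 0x1111, 0x08E2, 0, packet_id, checksum, 0x0102, 0)
    return header + payload


if __name__ == "__main__":
    # Constructed payload mirroring the wondertrade layout: 1 data byte, 0x1C unknown bytes, 0xE8 pkx bytes.
    sample = bytes([0x00]) + bytes(0x1C) + bytes(range(0xE8))
    print(locate_checksum(build_packet(sample)))                       # ('payload', 0, 261)
    print(locate_checksum(build_packet(sample, bytes(CHECKSUM_LEN))))  # None
```

On a real capture a None result rules out one cheap hypothesis (unsalted MD5 over any contiguous region of the payload, or of the header plus payload with the field cleared) without saying anything about a keyed or salted hash, which is where the discussion below ends up.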
So you're having trouble using a virtual adapter to broadcast? I was actually considering switching over to that, in favor of a pure software solution that didn't require an extra router.
At the moment, I'm searching for a program that I can easily tweak to swap out sections of packets. It would be nice if this involved HTTP traffic or if there was a simple DNS address I could spoof... It sure would make things a lot easier. UDP modification is relatively new to me.
Pkx: The New Pokemon Format For Gen 6 (posted in PKM)
The problem is that we aren't even sure how long the salt is, whether the salt is placed before or after the data payload (or both), or even what sections of data are being hashed. If it's anywhere near as long as the 20-character SHA1 salt used in the GTS, then it's not even worth trying to brute-force. You'd have better luck finding/hiring a hardware engineer to reproduce what neimod and smea can do, and pull it out of RAM.
This deeply confuses me. Assuming we're right that this is a hash, and assuming that this hash is absolutely required by the game and that we're not just making mistakes elsewhere in our injection process, then it should've been impossible for bond and xfr to inject an edited Pokemon using wonder trade. Unless, of course, they happen to have the same hardware setup as neimod and smea.