Cu3PO42

Member
  • Posts

    8
  • Joined

  • Last visited

Reputation

10 Good

About Cu3PO42

  • Birthday 04/02/1973

  1. Hello everyone, I have taken the time today to document the part of the Pokémon GL API that allows you to get the usage statistics of Pokémon on Battle Spot. You can find my efforts here. Quite possibly I will document a bigger part of the API that I find useful in the future.
  2. Given the 16-byte checksum I figured it would be MD5, and brute-forcing like 12-16 bytes is definitely possible on modern hardware. Hail to GPGPU processing. Then again, we don't even know what part of the actual data is hashed. And the previous use of SHA-1 in the GTS would also make MD5 unlikely. Maybe it's just arbitrary data that we don't need to change at all... Or it really is a checksum and calculated from data in other packets, which might explain why injecting doesn't work, because even if we use an extracted checksum it is not the correct one... If they had a RAM reading/writing setup, why would they have named the Gible 'Wireshark'? To confuse us? Oh well, hardware exploits... Didn't think about them... Do you get 1038- or 994-byte frames more often? About 9 out of 10 are 994 for me...
  3. I both can and will. I'm using ARP poisoning to route all the traffic through my machine. It just seemed easiest to me. An early, but admittedly half-hearted, attempt to do the same using a proxy failed. The 3DS refused to wonder trade, etc. I will try dropping select packets later, but unfortunately I currently do not have any time at all. I also suggest we already start working on the checksum, just in case we get injection working soon. I just wanted to start a brute-force attack using oclHashcat-plus, but apparently a salt of 232 bytes (the PKX data) is too much for it to handle. In case anyone knows a program that could brute-force such a long 'password', I suggest we just keep a list of all tried algorithms, so that we can distribute the workload.
  4. It is, really. That means Bond697 and Xfr have not only managed to inject, but also got their heads around the checksum. Or they found something completely different, which is yet unknown to us. I wonder whether they used a hardware mod... I don't think so though as they nicknamed the Gible "Wireshark". Only time will tell...
  5. I just found some more time to put into this and put together some small programs to programmatically extract all wonder traded Pokémon and insert them; well, that is what I planned to do. I have not figured out the checksum thing yet, so I just took ones I extracted earlier of which I knew the checksum. I tried both replacing only the header + actual data and replacing the whole packet. Neither worked as intended, however; I still received the random Pokémon from someone. I confirmed, using another MitM, that the packets were actually modified. The only reasonable explanation I have is that the data must also be transmitted in other packets which override the 'obvious' ones in case of a conflict. Has anyone managed to inject Pokémon successfully so far?
  6. While extracting PKX files of wonder traded Pokémon once or twice I could only find the incoming packets, but not the outgoing... My Wireshark filter should not exclude any significant packets, though. Even with manual scanning I could not find them. Has anyone else encountered this? Anyway, I will try and put together a little program that inserts PKX files into the incoming traffic later, that is, when I get some priority stuff done (wish I had more time for this...). I plan to use ones that I extracted earlier (with known checksums and other header values) and check if the game cares about what was named unk3 earlier in terms of the checksum, but I'd suppose it's only the PKX data itself. @Zaneris: In case you already created something it would be a waste of time, of course. In that case: have you tried that? I would agree it's probably a salted MD5. If it wasn't for the 16 bytes I would have thought of a SHA-1 hash, as that's what Nintendo used in previous games for the GTS protocol (sha1(salt+data)). I guess the only thing we can really do is use hashcat to brute-force it; with today's GPU power it shouldn't even take tooooo long. The real problem I see, though, is that Nintendo can easily patch all this, and I see it coming down to the good old cat-and-mouse game.