GTS protocol: Difference between revisions

From ProjectPokemon Wiki
(clarify setProfile)
(→‎Searching: New section)

Revision as of 03:59, 21 March 2010

The following is wild conjecture based on LordLandon's sendpkm.py.

Communication with the GTS is done over regular HTTP with http://gamestats2.gs.nintendowifi.net/. The same protocol is used for all five Gen IV games.

HTTP headers

The games don't seem to care about these at all. The GTS sends back a bunch of boilerplate response headers, but the game happily accepts a response with only a Content-Length.

Protocol

All requests to the server are GET requests of the form page.asp?pid=pid&hash=hash&data=data.

pid

The pid is an unsigned 32-bit integer that appears to uniquely identify a game cartridge. When the pid is obtained and whether the pid has any relation to the Pal Pad friend code are unknown.

For the mathematically inclined: Eevee's Platinum pid is 192615460 (0x0b7b1424) and his Pal Pad code is 0904 2026 4621.

Challenge/response

Before each "real" request, the game sends a request of the form page.asp?pid=pid and the server responds with a 32-byte hex challenge token. The game computes sha1("sAdeqWo3voLeC5r16DYv" + token) and uses that as the hash value which it sends to the server. The data parameter is encrypted with an unknown algorithm.

That is, each request looks like the following:

  1. Game requests GET /pokemondpds/page.asp?pid=pid
  2. Server responds with token
  3. Game requests GET /pokemondpds/page.asp?pid=pid&hash=sha1(...)&data=data
  4. Server responds with payload

Unfortunately, because the data parameter is encrypted with an unknown algorithm, the exact details of the game's requests are currently not known.
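The four-step exchange above, as an added Python example (not part of the wiki page or of sendpkm.py). It assumes the hash is sent as lowercase hex, that the server picks its 32-character token at random, and that the data parameter can be stood in for by an opaque placeholder; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SALT = b"sAdeqWo3voLeC5r16DYv"  # fixed constant quoted on this page


def issue_token() -> str:
    """Step 2: server side. Assumption: 32 random hex characters."""
    return secrets.token_hex(16)


def response_hash(token: str) -> str:
    """sha1(salt + token). Hex encoding of the digest is an assumption."""
    return hashlib.sha1(SALT + token.encode("ascii")).hexdigest()


def first_request(page: str, pid: int) -> str:
    """Step 1: the game asks for a challenge token."""
    return f"/pokemondpds/{page}?" + urlencode({"pid": pid})


def second_request(page: str, pid: int, token: str, data: str) -> str:
    """Step 3: the "real" request. `data` is an opaque placeholder here,
    since its encryption is not documented."""
    query = {"pid": pid, "hash": response_hash(token), "data": data}
    return f"/pokemondpds/{page}?" + urlencode(query)


def server_accepts(url: str, issued_token: str) -> bool:
    """Server-side check: recompute the hash for the token that was issued
    and compare in constant time. A request with no hash is rejected."""
    sent = parse_qs(urlsplit(url).query).get("hash", [""])[0]
    expected = response_hash(issued_token)
    return hmac.compare_digest(sent.encode("utf-8"), expected.encode("ascii"))


if __name__ == "__main__":
    pid = 192615460  # example pid given on this page
    page = "worldexchange/info.asp"
    print("1.", first_request(page, pid))
    token = issue_token()
    print("2.", token)
    url = second_request(page, pid, token, "PLACEHOLDER")
    print("3.", url)
    print("4. accepted:", server_accepts(url, token))
```

Because the salt is the same constant in every request, the hash shows only that the sender knows that constant and has seen the current token; it is not tied to the pid or to the data parameter.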

Conversation

The first request the game makes is to /pokemondpds/worldexchange/info.asp. The server responds with 0x0001.

Platinum, Heart Gold, and Soul Silver will then make a request to /pokemondpds/common/setProfile.asp. The server responds with eight NULs (0x00000000 0x00000000).

After the above step(s) or performing any of the tasks below, the game makes a request to /pokemondpds/worldexchange/result.asp. If the game has had a Pokémon sent to it (via a successful trade?), the server responds with the entire encrypted Pokémon save struct. If there is a Pokémon uploaded to the GTS, it responds with 0x0004. Otherwise, it responds with 0x0005.

Receiving a Pokémon

If the game receives a Pokémon from a successful trade as a response from result.asp, it next requests /pokemondpds/worldexchange/delete.asp. The server responds with 0x0001.

A note on sendpkm.py

After doing the above, some Platinum, Heart Gold, and Soul Silver games will report a communication error and dump the player back to the title screen. The Pokémon is still successfully received. At least one person with HG/SS has received a Pokémon from a fake server without getting the error, and Diamond/Pearl have never been reported to have the problem. It's possible that the server should respond with something other than 0x0001.

Offering a Pokémon

Pokémon are offered on the GTS by requesting /pokemondpds/worldexchange/post.asp, followed by /pokemondpds/worldexchange/post_finish.asp.

Retrieving an offered Pokémon

Checking on the currently offered Pokémon is apparently done by /pokemondpds/worldexchange/get.asp. The response appears to be a Pokémon save struct.

Retrieving the currently offered Pokémon is done by /pokemondpds/worldexchange/return.asp. The response is merely 0x0001; the actual Pokémon data is taken from the get.asp request.

Searching

Searching is done through /pokemondpds/worldexchange/search.asp. The payload is 15 bytes long.

The server responds with a full 292-byte Pokémon struct for each result. If there are n results, the response will be 292 * n bytes long.