Gaming Pokemon Sun and Moon - Hacking QR Codes?

[DJ91990]

I'm very curious on how the data in the QR Code is made up.

I used a Web QR Scanner to scan a number of Pokemon QR Codes.
I found something that appears in all of them:

HEX: 50 4F 4B 45
Text: POKE
The data from 0000000000-000000500D contains raw data.

You can take this raw data:

t.º*º#@.a¬..2'...ÿ¢xFbþ..YÝÂ@.à.£.¦ç.`QÈ7......!þ!±¨.\..w.¡@Y~.í>¯/Ø,.k.æ» .KÆÎ.éúÂåÜÝ@%.=å|gÊPOKE

and toss it into a QR Code generator to generate a working QR Code.

This raw data appears as this in HEX:

74 1C BA 2A BA 23 40 00 61 AC 16 00 32 27 19 00 15 FF A2 78 46 62 FE 16 00 59 DD C2 40 00 E0 8F A3 02 A6 E7 02 60 51 C8 37 8D 09 00 00 02 00 21 FE 21 B1 A8 16 5C 00 18 77 00 A1 40 59 7E 03 ED 3E AF 2F D8 2C 02 6B 17 E6 BB 20 1C 4B C6 CE 06 E9 FA C2 E5 DC DD 40 25 00 3D E5 7C 67 CA 50 4F 4B 45

This data is from the Magerna QR Code
Somewhere in that data string is a region lock code. I wonder if anyone else has tried this, and managed to create a USA-Region Magerna QR Code?

If we can find what value indicates region, we could modify the raw data and input that data into a QR Code Generator to make a Magerna QR Code that's region free!

One other thing I'm curious about is Battle Team QR Codes. We won't be able to get out hands on some until the Pokemon Global Link launches for Sun and Moon, but I'd love to see a program that can take Pokemon Generated in PKHeX and turn it into a Battle Team QR Code.

I'm sure it will need to contain at the very least:
Team Name
Pokemon Party Index Number
Pokemon Data {
Movesets
Nature, Shiny & Personality Value (PID)
Base Stats
Forme Info if applicaple
OT Data {Trainer Name, ID, SID, Latest Handler}
Held Item Data
}

It would be awesome if we could reverse engineer this and add a feature in PKHeX that could Generate Specific Wonder QR Codes for Obtaining Pokemon, QR Codes for adding Pokemon to the Seen Dex, and Team QR Codes!

 

[Joshmas]

I'm very curious on how the data in the QR Code is made up.

I used a Web QR Scanner to scan a number of Pokemon QR Codes.
I found something that appears in all of them:

HEX: 50 4F 4B 45
Text: POKE
The data from 0000000000-000000500D contains raw data.

You can take this raw data:

t.º*º#@.a¬..2'...ÿ¢xFbþ..YÝÂ@.à.£.¦ç.`QÈ7......!þ!±¨.\..w.¡@Y~.í>¯/Ø,.k.æ» .KÆÎ.éúÂåÜÝ@%.=å|gÊPOKE

and toss it into a QR Code generator to generate a working QR Code.

This raw data appears as this in HEX:

74 1C BA 2A BA 23 40 00 61 AC 16 00 32 27 19 00 15 FF A2 78 46 62 FE 16 00 59 DD C2 40 00 E0 8F A3 02 A6 E7 02 60 51 C8 37 8D 09 00 00 02 00 21 FE 21 B1 A8 16 5C 00 18 77 00 A1 40 59 7E 03 ED 3E AF 2F D8 2C 02 6B 17 E6 BB 20 1C 4B C6 CE 06 E9 FA C2 E5 DC DD 40 25 00 3D E5 7C 67 CA 50 4F 4B 45

This data is from the Magerna QR Code
Somewhere in that data string is a region lock code. I wonder if anyone else has tried this, and managed to create a USA-Region Magerna QR Code?

If we can find what value indicates region, we could modify the raw data and input that data into a QR Code Generator to make a Magerna QR Code that's region free!

One other thing I'm curious about is Battle Team QR Codes. We won't be able to get out hands on some until the Pokemon Global Link launches for Sun and Moon, but I'd love to see a program that can take Pokemon Generated in PKHeX and turn it into a Battle Team QR Code.

I'm sure it will need to contain at the very least:
Team Name
Pokemon Party Index Number
Pokemon Data {
Movesets
Nature, Shiny & Personality Value (PID)
Base Stats
Forme Info if applicaple
OT Data {Trainer Name, ID, SID, Latest Handler}
Held Item Data
}

It would be awesome if we could reverse engineer this and add a feature in PKHeX that could Generate Specific Wonder QR Codes for Obtaining Pokemon, QR Codes for adding Pokemon to the Seen Dex, and Team QR Codes!

Would be cool or you could just use HANS or NTR to change the region.... a tad easier and even works with this qr code. But Id still say It's worth looking into.

 

[DJ91990]

The Pokemon games are region free.
I was able to get the Magerna QR Code to work when I Region Spoofed my region as JPN using Luma. It's very easy to use that.
You need to become a champion to use it.

I was wondering if it would be possible to modify the QR Code itself to be region free for those that don't have a hacked 3DS or access to homebrew.

 

[Falo]

QR Codes use the same crypto as the save signing algo, but it uses 14 different keys
- 3 for unknown 504 Byte QR Codes (event distributions?)
- 10 are used for pokedex entrys, but so far only 2 types are used, type 3 (Pokedex) and type 4 (GaOle)
- 1 is special, it uses a 1062 * 8 byte entry lookup table to generate a pokedex entry

If you decrypt a pokedex (type 3) qr code, then it looks like this: (#722 Rowlet)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  FF FF FF FF FF FF 00 00 01 00 00 00 01 00 00 00  ÿÿÿÿÿÿ..........
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  00 00 00 00 00 00 00 00 D2 02 00 00 00 01 00 00  ........Ò.......
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 50 4F 4B 45 03 00 00 00 00 00  ..POKE......

 

[SciresM]

QR Codes use the same crypto as the save signing algo, but it uses 14 different keys
- 3 for unknown 504 Byte QR Codes (event distributions?)
- 10 are used for pokedex entrys, but so far only 2 types are used, type 3 (Pokedex) and type 4 (GaOle)
- 1 is special, it uses a 1062 * 8 byte entry lookup table to generate a pokedex entry

If you decrypt a pokedex (type 3) qr code, then it looks like this: (#722 Rowlet)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  FF FF FF FF FF FF 00 00 01 00 00 00 01 00 00 00  ÿÿÿÿÿÿ..........
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  00 00 00 00 00 00 00 00 D2 02 00 00 00 01 00 00  ........Ò.......
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 50 4F 4B 45 03 00 00 00 00 00  ..POKE......

Magearna event QR is type 5 actually.

 

[Pokem]

inb4 noobs be like "OMG!1!!!!1111111!!!!!!!! THERE R QR CODES IN SUN AND MOON1!!!111 HAX EXPLOIT CONFIRMED."

 

[Procyon]

inb4 noobs be like "OMG!1!!!!1111111!!!!!!!! THERE R QR CODES IN SUN AND MOON1!!!111 HAX EXPLOIT CONFIRMED."

Random QRs are scanned as a random pokémon

 

[azerti1304]

I'm very curious on how the data in the QR Code is made up.

I used a Web QR Scanner to scan a number of Pokemon QR Codes.
I found something that appears in all of them:

HEX: 50 4F 4B 45
Text: POKE
The data from 0000000000-000000500D contains raw data.

You can take this raw data:

t.º*º#@.a¬..2'...ÿ¢xFbþ..YÝÂ@.à.£.¦ç.`QÈ7......!þ!±¨.\..w.¡@Y~.í>¯/Ø,.k.æ» .KÆÎ.éúÂåÜÝ@%.=å|gÊPOKE

and toss it into a QR Code generator to generate a working QR Code.

This raw data appears as this in HEX:

74 1C BA 2A BA 23 40 00 61 AC 16 00 32 27 19 00 15 FF A2 78 46 62 FE 16 00 59 DD C2 40 00 E0 8F A3 02 A6 E7 02 60 51 C8 37 8D 09 00 00 02 00 21 FE 21 B1 A8 16 5C 00 18 77 00 A1 40 59 7E 03 ED 3E AF 2F D8 2C 02 6B 17 E6 BB 20 1C 4B C6 CE 06 E9 FA C2 E5 DC DD 40 25 00 3D E5 7C 67 CA 50 4F 4B 45

This data is from the Magerna QR Code
Somewhere in that data string is a region lock code. I wonder if anyone else has tried this, and managed to create a USA-Region Magerna QR Code?

If we can find what value indicates region, we could modify the raw data and input that data into a QR Code Generator to make a Magerna QR Code that's region free!

One other thing I'm curious about is Battle Team QR Codes. We won't be able to get out hands on some until the Pokemon Global Link launches for Sun and Moon, but I'd love to see a program that can take Pokemon Generated in PKHeX and turn it into a Battle Team QR Code.

I'm sure it will need to contain at the very least:
Team Name
Pokemon Party Index Number
Pokemon Data {
Movesets
Nature, Shiny & Personality Value (PID)
Base Stats
Forme Info if applicaple
OT Data {Trainer Name, ID, SID, Latest Handler}
Held Item Data
}

It would be awesome if we could reverse engineer this and add a feature in PKHeX that could Generate Specific Wonder QR Codes for Obtaining Pokemon, QR Codes for adding Pokemon to the Seen Dex, and Team QR Codes!

 

[DJ91990]

QR Codes use the same crypto as the save signing algo, but it uses 14 different keys
- 3 for unknown 504 Byte QR Codes (event distributions?)
- 10 are used for pokedex entrys, but so far only 2 types are used, type 3 (Pokedex) and type 4 (GaOle)
- 1 is special, it uses a 1062 * 8 byte entry lookup table to generate a pokedex entry

If you decrypt a pokedex (type 3) qr code, then it looks like this: (#722 Rowlet)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  FF FF FF FF FF FF 00 00 01 00 00 00 01 00 00 00  ÿÿÿÿÿÿ..........
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  00 00 00 00 00 00 00 00 D2 02 00 00 00 01 00 00  ........Ò.......
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 50 4F 4B 45 03 00 00 00 00 00  ..POKE......

When you mention Crypto, you mean that the data is encrypted and is actually not raw and open to editing correct?
Would it be possible to create fake mystery gift codes based off the Magerna QR Code, provided we could crack the crypto, if that's even at all possible.

I know that it would just be easier to use PKHeX. It would still be nice to send a friend or twenty a QR Code that gave you a hacked event.

The real interesting part is the battle QR Codes that give you rental teams. I wonder if that will eventually get hacked and people just make a team of 6 stupid-powerful Pokemon all with Wonder Guard.

 

[azerti1304]

https://mega.nz/#!UIlnRZSI!Hgzjsty9p1yosUUTbPDH_bE1qeZf2OMN_KoZcoNDamw


Source: https://mobile.twitter.com/SciresM

 

[Apache Thunder]

When you mention Crypto, you mean that the data is encrypted and is actually not raw and open to editing correct?
Would it be possible to create fake mystery gift codes based off the Magerna QR Code, provided we could crack the crypto, if that's even at all possible.

I know that it would just be easier to use PKHeX. It would still be nice to send a friend or twenty a QR Code that gave you a hacked event.

The real interesting part is the battle QR Codes that give you rental teams. I wonder if that will eventually get hacked and people just make a team of 6 stupid-powerful Pokemon all with Wonder Guard.

No I believe it's more like the save crypto. It's a crypto involving the hash of the save/QR. Not necessarily the data contained in the QR. It's how the game "signs" the QR code to make sure it wasn't modified. (He was just saying that the QR used the same signing method as the save file system)

By the way, I wonder how the "team QR" codes works. Could you gen in an entire team with that or does the QR only contain a link on a server?

 

[Falo]

Yes it's encrypted, to edit it you need to decrypt and re-encrypt it.
But the problem is, we only have privatekey03.der, so we can only encrypt type 3 qr's (pokedex) not event or gaole.
Only Game Freak has the RSA Private keys to do this. GaOle is Type 4, Event is Type 5.

Team qr codes are simple, if you do a pgl sync, your entire save is uploaded and you can create online a qr code for this.

 

[DJ91990]

From what I understand, people are able to assemble teams in one of the battle boxes. When you connect to the PGL and get your PGL ID, you can generate a QR Code that allows other players to scan in that code and rent the Pokemon you used in that battle box. I don't know if the QR Code has the data for the rental sitting on a server, or if the QR Code itself contains all the information for the team.

 

[Falo]

From what I understand, people are able to assemble teams in one of the battle boxes. When you connect to the PGL and get your PGL ID, you can generate a QR Code that allows other players to scan in that code and rent the Pokemon you used in that battle box. I don't know if the QR Code has the data for the rental sitting on a server, or if the QR Code itself contains all the information for the team.

The qr code has all the data, Gamefreak uses RSA as Encryption, not as Signing.

 

[Apache Thunder]

Ahh I see. So I guess we won't be able to edit the team QRs either.

 

[hacksn5s4]

the save crypto was easliy cracked for pkhex so i don't see why the same can't happen with these qr codes i mean the event qr codes not the pgl battle team ones

 

[SciresM]

Won't be possible without CFW, because we don't have the signing keys for the non-pokedex QRs.

With CFW, you can edit code...and that means you can make the other QRs try to decrypt with the right key, and if it fails try again with the QR key that we have.



Will probably release the patch I made when I've added more features to it.

Spoiler

 

[SciresM]

Won't be possible without CFW, because we don't have the signing keys for the non-pokedex QRs.

With CFW, you can edit code...and that means you can make the other QRs try to decrypt with the right key, and if it fails try again with the QR key that we have.



Will probably release the patch I made when I've added more features to it.

Spoiler

Here's a proof of concept patch video:

 

[Ghostly_Love]

Hello, i downloaded Pokemon Sun And Moon rar, and it says i need an encryption password, can anybody help me with this? or a better rom download? i only have a phone but really want to play >.<

 

[Sailormaidyn]

Won't be possible without CFW, because we don't have the signing keys for the non-pokedex QRs.

With CFW, you can edit code...and that means you can make the other QRs try to decrypt with the right key, and if it fails try again with the QR key that we have.



Will probably release the patch I made when I've added more features to it.

Spoiler

Could you please post the marshadow qr code?