Hacking Pokémon X/Y Dumper and Editor

kyogre123

Mexican Pride
OP
Member
Joined
Sep 23, 2013
Messages
2,920
Trophies
0
Age
34
XP
1,347
Country
Mexico
Since Nintendo patched Wondertrade adding an encryption to the transmitted data, people from Project Pokemon have been working on a new way to dump PKX files (the new .pkm format for Pokémon X/Y). As for today (7/03/14) a tool for this has been made public, however there are some prerequisites that must be met:

If you own Pokémon X/Y in cartridge format:
  • Your 3DS must be on the OFW 6.3 or above
  • You must have a save dumper like PowerSaves 3DS (which is currently the only public way to dump save files from cartridges)

If you own Pokémon X/Y in digital format, you can simply get your save file from this directory in your SD card (save files made on Gateway 3DS' EmuNAND are compatible):
For Pokémon X:
X:\Nintendo 3DS\*random value*\*random value*\title\00040000\00055d00\data

For Pokémon Y:
Y:\Nintendo 3DS\*random value*\*random value*\title\00040000\00055e00\data

KeySAV
QUG9T.jpg

KeySAV allows you to obtain an important file to read the data of the boxes of your save file, Blank.ekx.

To get the Blank.ekx file you must do the following:
Source: http://www.reddit.com/r/SVExchange/wiki/keysav
  • Clear out boxes 1 & 2 by moving the Pokémon to other boxes.
  • Capture or hatch 6 Pokémon. They have to come from your game.
  • Put those 6 Pokémon on the top row of the first box.
  • Save once, hard reset (switch off/on the 3DS), launch the game and save again.
  • Export your save. Locate your save on your PC. Rename the first save 16.bin or 16.sav, depending on its original extension. If you are using the downloaded copy of the game, remember to copy the save file to another location before renaming. Do not rename the save file on the SD Card.
  • Run the game, and move all 6 Pokémon to the top row of box 2.
  • Save once, hard reset (switch off/on the 3DS), launch the game and save again.
  • Export your save. Locate your save on your PC and rename the second save 26.bin or 26.sav, depending on its original extension.
  • Run KeySav. On the "Box Breaker" tab, click on "Open SAV 1" and load 26.bin or 26.sav. Click on "Open SAV 2" and load 16.bin or 16.sav. Click on "Break".
  • Click on "K1", "K2" and "Blank" to save the files. Store those somewhere safe.


Mass Dumper
Massdumper1.png

Mass Dumper allows you to dump PKX files from your save file by using the Blank.ekx obtained with KeySAV, along with the Key - Box1.bin and Key - Box2.bin files, which work as keys to read the BOX 1 and BOX 2 of your save file respectively.

Just select the save file you want to be read, the Blank.ekx, one of the keys ("Key - Box1.bin" for BOX 1 or "Key - Box2.bin" for BOX 2) for the Concat Key option, making sure to also select the same number of box for the "Key Starts" option and an choose "Truck" to dump the PKX files.

You can also dump all of the 30 boxes by following the instructions in this external thread: http://projectpokemon.org/forums/showthread.php?37316-(X-Y)-Mass-Dumper-Enhanced-Box-Data-Viewer

However, there's a inconvenience with this tool since the output files have .ek6 and .pk6 extensions, instead of the standard .ekx and .pkx extensions, so the extension of the files must be changed in order to be used with PKX viewer/editor tools; this can be done with cmd in Windows.

cmd.png

Just go to the path where the .pk6 or .ek6 files are stored and use the "ren" command as it is shown in the image of the above.


Outdated information:
EDIT: Since the 1.2 update now encrypts the wondertrade data (and since the update is obligatory for online), this project will be pretty much dead,unless someone figures how to decrypt the information.

Good news for the pokehacking community! Codemonkey85 from http://projectpokemon.org and Zaneris have released very useful applications to dump and modify your own Pokémon on a PC. This means you can get the data of your Pokémon from the 3DS to a PC.

PKX Editor
Sin título.png


Created by Codemonkey85. The image is self-explanatory, those are the editable values available at the moment.

You can download the program here:
PKX Editor.zip

Instead of PKM, the new extension for these files in Pokémon X and Pokémon Y is called now PKX. Normally, these files are extracted as encrypted data, so they receive the .pkx extension after being decrypted. This program is able to decrypt and encrypt back PKX files: Files with the extension .bin are assumed as encrypted, and .pkx files are assumed as decrypted.

Automatic PKX Dumper

Created by Zaneris. This can dump the data of your traded Pokemon to your PC without the need of following tedious steps, however, a proper physical set up is needed for this.

http://dev9.ca/ZanDump_x64.zip
http://dev9.ca/ZanDump_x86.zip(Untested)

IMPORTANT: There is no possible (actually public) way to get a Pokémon back to the 3DS, so this currently only works to copy the data of any Pokémon sent through Wondertrade to the PC but not the other way around.

Requeriments:

*Windows 7 or 8

*Visual C++ Redistributable for Visual Studio 2013
English version:​
Spanish version:​

*3DS Traffic passing through PC
3DS ) ) Router -> PC -> Modem -> Internet
Another...​
3DS ) ) Router -> PC ) ) Router -> Modem -> Internet​
... Another ...​
3DS ) ) Router -> PC ) ) Mobile Device ) ) Internet​

How to copy the data of a Pokémon (full method)

If the Automatic PKX Dumper is not working for you and you are willing to get this to work, you can try the next:

*Use a WLAN-dongle like a USB Wireless Adapter to create a Software Access Point.

*Use a program to analyse the network traffic in hexadecimal format while doing a Wondertrade. Wireshark works fine for sniffing the data (tutorial for Wireshark). Select your hostpot to capture the packets. After finishing the Wondertrade, you will get a bunch of packets. To identify the packets we are looking for, just sort the data by Length and it's likely that the second and third packets are the correct ones. Save both packets (or only the one sent if you want) selecting the whole packet by clicking on "Frame" and then File -> Export selected packet bytes and save them as .bin files
Sin título.png

To identify which was sent and which was received, check the source and destination.

Note: Ettercap, windivert, winpkfilter (for Windows) may be used to inject the final data back to the 3DS as well as HexInject (for Linux). This has yet to be done because the calculation of the checksums hasn't been successful

*Find the encrypted Pokemon data inside the packets by opening them on a Hex Editor. It begins with 4 bytes followed by 2 bytes equal to zero, the full data must be 232 bytes.
Sin título.png
(Thanks Zaneris for the hex data)
The first regular 4 bytes are underlined in green and the pair of bytes equal to zero are underlined in orange. Note that generally there won't be another pair of bytes equal to zero close to the beginning within the Pokemon data.
The header is inside the blue rectangle so the encrypted Pokemon is at offset 0x0067 and ends at 0x014E. If you didn't capture the header, the Pokemon will be at offset 0x003D and will end at 0x0124. After finding the data, save each Pokemon in a different file with the same extension (.bin).

The next part is still a work in progress
*After editing and re-encrypting the Pokemon by saving it as a .bin file, the received packets must be altered to include the new Pokemon. Having the received packets of the last Wondertrade, search for the encrypted Pokemon the same way as before and replace the HEX data.
*Inject the packets in another Wondertrade.
 

Attachments

  • PKX Editor.zip
    113.1 KB · Views: 62,148

The Real Jdbye

*is birb*
Member
Joined
Mar 17, 2010
Messages
23,803
Trophies
5
Location
Space
XP
14,768
Country
Norway
you don't. there is no way to inject pokemon into the game yet, I assume a gts spoofer like deal is needed as the saves cannot be edited.
I hope they never make one. Hacked pokemon ruin online for me.
Interesting how quickly he cracked the pokemon data encryption and figured out the format though. Though the tool is still very incomplete and a lot of data is not editable and there are no move names.
 

kyogre123

Mexican Pride
OP
Member
Joined
Sep 23, 2013
Messages
2,920
Trophies
0
Age
34
XP
1,347
Country
Mexico
Zaneris is making a proof of concept hack (#106) about transfering Pokemon by using Wondertrade. As far as I can understand, he's recording the network packets between the system and the server.
 

frogboy

lacking both style and grace
Member
Joined
Dec 6, 2011
Messages
2,434
Trophies
3
Age
29
XP
1,767
Country
United States
I really hope this doesn't happen/isn't happening.

Are people really that eager to ruin the game for themselves and for other people? It's only been two weeks.

EDIT: Read on.
 
  • Like
Reactions: sanderdsz

Eyesenish

Well-Known Member
Member
Joined
Sep 12, 2009
Messages
154
Trophies
1
XP
292
Country
Canada
im not whinning hack away my friend but just a question doesnt that take the entire point of playing the game out?

i mean for your own game not online
 

driverdis

I am Justice
Member
Joined
Sep 21, 2011
Messages
2,867
Trophies
2
Age
32
Location
1.048596β
XP
2,849
Country
United States
Zaneris is making a proof of concept hack (#106) about transfering Pokemon by using Wondertrade. As far as I can understand, he's recording the network packets between the system and the server.
Nintendo will fix this same way as they did the Wii Shop Channel user agent spoofing years ago, which is to use SSL. all it will take is a Pokemon X/Y 1.2 update that encrypts Wondertrade communications.
 
  • Like
Reactions: signz

Bond697

Dies, died, will die.
Member
Joined
Jun 7, 2009
Messages
350
Trophies
1
Age
40
Location
CT
XP
484
Country
United States
just because it's not encrypted doesn't mean it's not protected. getting a packet properly.. set up to make it across wonder trade takes more than just swapping in a different pkx. don't start freaking out just yet.
 

DJPlace

i'm too lazy to use an avatar...
Member
Joined
Apr 16, 2008
Messages
5,906
Trophies
2
Age
41
XP
4,914
Country
United States
after i heard about ev's iv's and shit i said fuck it i'm not going sit down and do that shit. so what people are just been piss ass whiny ass bitches. but there's no such thing has a un-hacked game.
 

DJ91990

Grookey Gang!
Member
Joined
Feb 9, 2009
Messages
939
Trophies
1
Age
34
Location
Mom's Basement
Website
www.youtube.com
XP
438
Country
United States
I wanna make a bunch of Level 1 Hoopas so I can troll these jerks posting Yveltals and Xenreas on the GTS for IMPOSSIBLE Pokemon. I did it with Platinum. I released the Pokemon I got in the trade as well, and the mons I traded to the jerks were named LOLHACKED!
 
  • Like
Reactions: tyons and signz
D

Deleted User

Guest
and the whiners come out of the woodwork.

MUH POKEMON! RUINED BY THESE HACKERS.

Get over yourselves. Not everyone has the time to sit their ass down and raise a fucking perfect IV EV'd pokemon.

2 Things, you can't have perfect EV's, you can have ideal EV's (You'd have different EV's per moveset/nature). Second, IV's are not compulsory, playing non competitively doesn't require IV's. If you don't want to IV train the pokemon you shouldn't be playing competitively.

Personally, the hacking doesn't affect me since I actually have friends who play pokemon legitimately, but I can still sympathize with the people who play online competitively then get fucked over by hacked pokemon.
 

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
  • No one is chatting at the moment.
    kijetesantakalu042 @ kijetesantakalu042: https://www.youtube.com/watch?v=9Vl1EGGzVkw