Pokémon X/Y Dumper and Editor

Since Nintendo patched Wondertrade adding an encryption to the transmitted data, people from Project Pokemon have been working on a new way to dump PKX files (the new .pkm format for Pokémon X/Y). As for today (7/03/14) a tool for this has been made public, however there are some prerequisites that must be met:

If you own Pokémon X/Y in cartridge format:

• Your 3DS must be on the OFW 6.3 or above

• You must have a save dumper like PowerSaves 3DS (which is currently the only public way to dump save files from cartridges)

If you own Pokémon X/Y in digital format, you can simply get your save file from this directory in your SD card (save files made on Gateway 3DS' EmuNAND are compatible):
For Pokémon X:
X:\Nintendo 3DS\*random value*\*random value*\title\00040000\00055d00\data

For Pokémon Y:
Y:\Nintendo 3DS\*random value*\*random value*\title\00040000\00055e00\data

KeySAV

KeySAV allows you to obtain an important file to read the data of the boxes of your save file, Blank.ekx.

To get the Blank.ekx file you must do the following:
Source: http://www.reddit.com/r/SVExchange/wiki/keysav

• Clear out boxes 1 & 2 by moving the Pokémon to other boxes.

• Capture or hatch 6 Pokémon. They have to come from your game.

• Put those 6 Pokémon on the top row of the first box.

• Save once, hard reset (switch off/on the 3DS), launch the game and save again.

• Export your save. Locate your save on your PC. Rename the first save 16.bin or 16.sav, depending on its original extension. If you are using the downloaded copy of the game, remember to copy the save file to another location before renaming. Do not rename the save file on the SD Card.

• Run the game, and move all 6 Pokémon to the top row of box 2.

• Save once, hard reset (switch off/on the 3DS), launch the game and save again.

• Export your save. Locate your save on your PC and rename the second save 26.bin or 26.sav, depending on its original extension.

• Run KeySav. On the "Box Breaker" tab, click on "Open SAV 1" and load 26.bin or 26.sav. Click on "Open SAV 2" and load 16.bin or 16.sav. Click on "Break".

• Click on "K1", "K2" and "Blank" to save the files. Store those somewhere safe.

Mass Dumper

Mass Dumper allows you to dump PKX files from your save file by using the Blank.ekx obtained with KeySAV, along with the Key - Box1.bin and Key - Box2.bin files, which work as keys to read the BOX 1 and BOX 2 of your save file respectively.

Just select the save file you want to be read, the Blank.ekx, one of the keys ("Key - Box1.bin" for BOX 1 or "Key - Box2.bin" for BOX 2) for the Concat Key option, making sure to also select the same number of box for the "Key Starts" option and an choose "Truck" to dump the PKX files.

You can also dump all of the 30 boxes by following the instructions in this external thread: http://projectpokemon.org/forums/showthread.php?37316-(X-Y)-Mass-Dumper-Enhanced-Box-Data-Viewer

However, there's a inconvenience with this tool since the output files have .ek6 and .pk6 extensions, instead of the standard .ekx and .pkx extensions, so the extension of the files must be changed in order to be used with PKX viewer/editor tools; this can be done with cmd in Windows.


Just go to the path where the .pk6 or .ek6 files are stored and use the "ren" command as it is shown in the image of the above.


Outdated information:

Spoiler

EDIT: Since the 1.2 update now encrypts the wondertrade data (and since the update is obligatory for online), this project will be pretty much dead,unless someone figures how to decrypt the information.

Good news for the pokehacking community! Codemonkey85 from http://projectpokemon.org and Zaneris have released very useful applications to dump and modify your own Pokémon on a PC. This means you can get the data of your Pokémon from the 3DS to a PC.

PKX Editor


Created by Codemonkey85. The image is self-explanatory, those are the editable values available at the moment.

You can download the program here:
PKX Editor.zip

Instead of PKM, the new extension for these files in Pokémon X and Pokémon Y is called now PKX. Normally, these files are extracted as encrypted data, so they receive the .pkx extension after being decrypted. This program is able to decrypt and encrypt back PKX files: Files with the extension .bin are assumed as encrypted, and .pkx files are assumed as decrypted.

Automatic PKX Dumper

Created by Zaneris. This can dump the data of your traded Pokemon to your PC without the need of following tedious steps, however, a proper physical set up is needed for this.

http://dev9.ca/ZanDump_x64.zip
http://dev9.ca/ZanDump_x86.zip(Untested)

IMPORTANT: There is no possible (actually public) way to get a Pokémon back to the 3DS, so this currently only works to copy the data of any Pokémon sent through Wondertrade to the PC but not the other way around.

Requeriments:

*Windows 7 or 8

*Visual C++ Redistributable for Visual Studio 2013

http://www.microsoft.com/visualstudio/eng/downloads​

English version:​

Spoiler

Visual C++ Redistributable for Visual Studio 2013 (x86)

Spoiler

Visual C++ Redistributable for Visual Studio 2013 (x64)​

Visual C++ Redistributable for Visual Studio 2013 (ARM)​

​

Spanish version:​

Spoiler

Visual C++ Redistributable for Visual Studio 2013 (x86)

Spoiler

Visual C++ Redistributable for Visual Studio 2013 (x64)​

Visual C++ Redistributable for Visual Studio 2013 (ARM)​

​

*3DS Traffic passing through PC

Spoiler

3DS ) ) Router -> PC -> Modem -> Internet

Spoiler

​

Another...​

3DS ) ) Router -> PC ) ) Router -> Modem -> Internet​

​

... Another ...​

3DS ) ) Router -> PC ) ) Mobile Device ) ) Internet​

​

How to copy the data of a Pokémon (full method)

If the Automatic PKX Dumper is not working for you and you are willing to get this to work, you can try the next:

*Use a WLAN-dongle like a USB Wireless Adapter to create a Software Access Point.

*Use a program to analyse the network traffic in hexadecimal format while doing a Wondertrade. Wireshark works fine for sniffing the data (tutorial for Wireshark). Select your hostpot to capture the packets. After finishing the Wondertrade, you will get a bunch of packets. To identify the packets we are looking for, just sort the data by Length and it's likely that the second and third packets are the correct ones. Save both packets (or only the one sent if you want) selecting the whole packet by clicking on "Frame" and then File -> Export selected packet bytes and save them as .bin files

To identify which was sent and which was received, check the source and destination.

Note: Ettercap, windivert, winpkfilter (for Windows) may be used to inject the final data back to the 3DS as well as HexInject (for Linux). This has yet to be done because the calculation of the checksums hasn't been successful

*Find the encrypted Pokemon data inside the packets by opening them on a Hex Editor. It begins with 4 bytes followed by 2 bytes equal to zero, the full data must be 232 bytes.
(Thanks Zaneris for the hex data)
The first regular 4 bytes are underlined in green and the pair of bytes equal to zero are underlined in orange. Note that generally there won't be another pair of bytes equal to zero close to the beginning within the Pokemon data.
The header is inside the blue rectangle so the encrypted Pokemon is at offset 0x0067 and ends at 0x014E. If you didn't capture the header, the Pokemon will be at offset 0x003D and will end at 0x0124. After finding the data, save each Pokemon in a different file with the same extension (.bin).

The next part is still a work in progress
*After editing and re-encrypting the Pokemon by saving it as a .bin file, the received packets must be altered to include the new Pokemon. Having the received packets of the last Wondertrade, search for the encrypted Pokemon the same way as before and replace the HEX data.
*Inject the packets in another Wondertrade.

 

Zaneris is making a proof of concept hack (#106) about transfering Pokemon by using Wondertrade. As far as I can understand, he's recording the network packets between the system and the server.

 

Are you people entitled to ruin every single thread about hacking in Pokemon by whining about it?

 

Yes, I know two persons who did it, however it has only worked to receive data.