Hacking Pokémon X/Y Dumper and Editor

Chaos

So it is possible to transfer pokemon from and to a 3ds? Man this was done rather quick. Really want to try this out!

Probably going to test this using a Virtual Machine, don't want to screw up my settings and such.


At the moment you are not transferring anything. In short all you are doing is watching the pokemon trade on the computer. You can take a copy of this transfer data (including the pokemon in the data). Extract the pokemon data so you have like the current .pkm files but for x and y.

You only watched the trade happen and between the 3DS and other 3DS the trade did happen for real so everything on 3ds is how it should be nothing new.

What you do with the data and pokemon when it's on your PC is the next step to work out. No one knows how to trade it back; all attempts have failed.
 

Sheimi

I'll be trying out the trading bit once I get my sister's android device that she doesn't use. I'm gonna try something to trade a hacked one back when I get the android device.
 

Roxas75

Ok, finally after a day of study and quite 300 wonder trades performed, lol, I was able to ARP poison my home network and intercept the trade data.
Finally I have my Solrock pkx file.
I recommend this method to anyone who is stuck with the router connection and, like me, has a PC that is unable to share the connection.
So, now the next step is to reverse this checksum algorithm, right?
 

kyogre123 (OP)

Yes, there's a more in-depth discussion about the checksums here: http://projectpokemon.org/forums/showthread.php?33024-Pkx-The-New-Pokemon-Format-For-Gen-6/
Someone managed to trade 3 copies of the same Pokemon on three different Wondertrades and the checksums differed from each other. They suggest it's possible that the checksum is affected by the time and location(?) of the trade.
 

Falo

I would like to know that too. The author of PKX Editor seems like he won't update his app for a while, if not at all.
I'm still working on it, it's currently only a data viewer and it's not an EAD editor, it can load 947 Byte EADs to read the pkx, so you don't have to manually extract them.
For the checksum stuff, I don't think this is a checksum, it must be something different.

Here are some logs:
Code:
Packet ID 3: EA D0 01 00 00 00 AF A1 C4 00 10 00 03 00 45 B7 3B DE 6B 63 7E 7A C5 5E 20 82 A5 15 F4 AE
Packet ID 4: EA D0 01 00 00 00 AF A1 C4 00 10 00 04 00 AB DE 4D 38 68 6B 33 54 B0 B9 12 9B B0 BD 46 F5
Packet ID 5: EA D0 01 00 00 00 AF A1 C4 00 10 00 05 00 DC CD 98 62 58 19 B4 32 39 92 58 91 35 6A 49 21
Packet ID 6: EA D0 01 00 00 00 AF A1 C4 00 10 00 06 00 C9 74 E6 A2 12 AF EB 07 3F 83 EC 9C 2E DF 1A 78
 
Packet ID 3: EA D0 01 00 00 00 AF A1 C4 00 12 00 03 00 73 EB D6 F7 80 4B 6A 70 19 79 07 DD 27 79 64 2C
Packet ID 4: EA D0 01 00 00 00 AF A1 C4 00 12 00 04 00 C0 DA 62 55 DF 8C 15 00 8E B5 2E 3E 40 FD 86 A5
Packet ID 5: EA D0 01 00 00 00 AF A1 C4 00 12 00 05 00 6C 7F 51 4D 0A 54 21 B5 C6 01 84 79 7E BA B0 74
Packet ID 6: EA D0 01 00 00 00 AF A1 C4 00 12 00 06 00 62 DE 75 51 7D CE 60 33 A4 DD EB 37 1C 00 87 32

Whatever that 16 byte stuff is, it can't be a checksum, since all of these packets don't have any data, they are just "pings" to other online players, maybe a random time number or some encrypted data?
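
An added example, not part of the post above or of any tool from this thread: it splits the eight logged packets into fields, reports which byte offsets change, and counts how many of the 128 trailer bits differ between packets whose visible header differs only at offset 10. The field names and offsets are assumptions inferred from the hex; the packet bytes are copied from the log above.

```python
# Added example. Field layout is an assumption inferred from the logged hex,
# not a documented format.
PACKETS_HEX = """
EA D0 01 00 00 00 AF A1 C4 00 10 00 03 00 45 B7 3B DE 6B 63 7E 7A C5 5E 20 82 A5 15 F4 AE
EA D0 01 00 00 00 AF A1 C4 00 10 00 04 00 AB DE 4D 38 68 6B 33 54 B0 B9 12 9B B0 BD 46 F5
EA D0 01 00 00 00 AF A1 C4 00 10 00 05 00 DC CD 98 62 58 19 B4 32 39 92 58 91 35 6A 49 21
EA D0 01 00 00 00 AF A1 C4 00 10 00 06 00 C9 74 E6 A2 12 AF EB 07 3F 83 EC 9C 2E DF 1A 78
EA D0 01 00 00 00 AF A1 C4 00 12 00 03 00 73 EB D6 F7 80 4B 6A 70 19 79 07 DD 27 79 64 2C
EA D0 01 00 00 00 AF A1 C4 00 12 00 04 00 C0 DA 62 55 DF 8C 15 00 8E B5 2E 3E 40 FD 86 A5
EA D0 01 00 00 00 AF A1 C4 00 12 00 05 00 6C 7F 51 4D 0A 54 21 B5 C6 01 84 79 7E BA B0 74
EA D0 01 00 00 00 AF A1 C4 00 12 00 06 00 62 DE 75 51 7D CE 60 33 A4 DD EB 37 1C 00 87 32
"""

def load(text):
    """Parse one space-separated hex packet per line."""
    return [bytes.fromhex(line) for line in text.strip().splitlines()]

def split(pkt):
    """Split a 30-byte packet into the assumed fields."""
    if len(pkt) != 30:
        raise ValueError(f"expected 30 bytes, got {len(pkt)}")
    return {
        "prefix": pkt[:10],                                 # same in all eight packets
        "field_a": int.from_bytes(pkt[10:12], "little"),    # 0x10 or 0x12, meaning unknown
        "packet_id": int.from_bytes(pkt[12:14], "little"),  # matches the log's "Packet ID"
        "trailer": pkt[14:],                                # the disputed 16 bytes
    }

def varying_offsets(packets):
    """Byte offsets whose value is not identical across all packets."""
    return [i for i in range(len(packets[0])) if len({p[i] for p in packets}) > 1]

def bit_distance(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def compare_pairs(packets):
    """Trailer bit distance for packets with equal packet_id but different field_a."""
    fields = [split(p) for p in packets]
    return {f["packet_id"]: bit_distance(f["trailer"], g["trailer"])
            for f in fields for g in fields
            if f["packet_id"] == g["packet_id"] and f["field_a"] < g["field_a"]}

if __name__ == "__main__":
    pkts = load(PACKETS_HEX)
    print("varying byte offsets:", varying_offsets(pkts))
    for pid, dist in sorted(compare_pairs(pkts).items()):
        print(f"packet id {pid}: {dist} of 128 trailer bits differ")
```

A plain sum over the header bytes would typically move by only a few bits when one header bit changes; output from a hash, MAC or cipher changes roughly half of them.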
 

Roxas75

This opinion is interesting, but what can it be if not a checksum?
Btw, what tool do you guys use to try to inject the packet in the game?
 

Ixvael

Have you tried checking that against GTS packets? Maybe you could find something in there.
 

Zaneris

omg, can you get the destination address/mac? That might be what it's salted with, and/or the packet ID?
 

ReignOfComputer

Hi,

I'm using Windows Hosted Network to route the 3DS connection through Wireshark, I can see the Pokemon in Wonder Trade just fine (sometimes differing from 989 bytes to 1033) and I can extract the encrypted pkx just fine (using xypkxcrypt to decrypt).

Zaneris' dumper looks far easier than having to use HxD to extract the data though, but using it gives me a whole bunch of 3 digit outputs and no dumps. Any clues?
 

Zaneris

Your network isn't configured correctly and/or you're using something like connectify or virtual router which won't work.

14kB of 0 data packets captured so far to the same IP, not a single one with a matching "checksum"
 

Zaneris

Found some matching ones.. I should note the UDP headers didn't match.
Code:
ead001000000a1af93008c0004008b3d086c8d37bfd2bc9e556f8373ddfc
ead001000000a1af93008c0004008b3d086c8d37bfd2bc9e556f8373ddfc
ead001000000a1af93008c0004008b3d086c8d37bfd2bc9e556f8373ddfc
ead001000000a1af9300ff000400a80cb50b2df825c4a1d19890bba72157
ead001000000a1af9300ff000400a80cb50b2df825c4a1d19890bba72157
ead001000000a1af9300ff000400a80cb50b2df825c4a1d19890bba72157
ead001000000a1af930093000400a9e5d4be3da3e2b0e472e027f16e45ff
ead001000000a1af930093000400a9e5d4be3da3e2b0e472e027f16e45ff
ead001000000a1af930093000400a9e5d4be3da3e2b0e472e027f16e45ff
ead001000000a1af9300020004003d87795e6cad682c430d8751f79fc0f0
ead001000000a1af9300020004003d87795e6cad682c430d8751f79fc0f0
ead001000000a1af9300020004003d87795e6cad682c430d8751f79fc0f0
ead001000000a1af930040000400b8f17af75971928c461bea59a847cbef
ead001000000a1af930040000400b8f17af75971928c461bea59a847cbef
ead001000000a1af930040000400b8f17af75971928c461bea59a847cbef
ead001000000a1af930088000400a480a844a2bab1c1d79bafa9aeefc327
ead001000000a1af930088000400a480a844a2bab1c1d79bafa9aeefc327
All were from 202.32.117.185
 

codemonke85

So you're all aware, the source for this project and every other Pokémon hacking project I'm working on is available on GitHub: https://github.com/codemonkey85/PKMDS-G5.

If anyone has any questions about the nature of this or any other of my projects, I invite you to email me at codemonkey85 AT gmail DOT com.

I don't think he is ripping off the Pokegen. He must be doing this by himself and he said he will improve his app in the next days. Take it this way, instead of just doing a show off, he actually released something, that is incomplete of course.

Of course I'm not ripping off Pokegen. I've been a member of Project Pokémon since the old days of Pokesav.org, and I've been contributing to the community since.

I don't quite get what you're saying. You mean it's Ability 8 out of the ~300 or whatever total?
Couldn't codemonkey85 just rip the Ability array from Pokegen or something?

...Seriously?

Just uploaded this to the 3DS Utilities section of Filetrip.
Link: http://filetrip.net/3ds-downloads/utilities/download-pkx-editor-10-f32433.html
Told them to leave credit in this thread for codemonkey85!

Thanks!
 