List of things I've tried that haven't panned out:
- Injecting a modified pokemon from the expected pokemon so PID matches.
- Using a pokemon dumped from another trainer so PID matches.
- Changing 2 bits in the pkx so the checksum also matches.
So... what remains?
- In the zero data EAD0 packets, when the header matches, the 16-byte hash is reproduced.
This is a good sign and easily verifiable, indicating that it likely is indeed some type of hash...
BUT unless someone with kernel/RAM access can trace what type it is (HMAC-MD5/Truncated SHA1?), we'd be looking at forever in computing hours to try and brute force it.