Reverse engineering Pokémon Gen4 wonder card Wi-Fi distribution

Yuuto
I have been interested in distributing Gen 4 wonder cards for quite a while now and was amazed by the thought of distributing my own ones.
Using a flash cart is a viable option, but transmitting gifts myself via Wi-Fi sounded far more interesting and since nobody seems to have
done this so far (or I just was not able to find it) I decided to elaborate on how the distribution ROMs work. I don't think this will be
of interest anymore but for the sake of completeness I want to share my results.

I got all information by distributing a huge amount of different/edited wonder cards and capturing the sent packets using Wireshark and by
debugging the 2008 Deoxys Distribution ROM using no$gba.


1. Preparation

The source material for distributing mystery gifts via Wi-Fi is a wonder card in PCD format.
It has a fixed size of 856 (0x358) bytes and can be divided into the following sections:
Code:
  0x0-0x103: [data1]  actual gift data (PGT)
0x104-0x153: [header] card title, card index, supported games
0x154-0x357: [data2]  card description, icons, receive date, redistribution limit


The first step is to prepend the header section to the PCD data to form an extended PCD ("xPCD").
The resulting block of data looks like this:
Code:
0x000-0x04f: header
0x050-0x153: data1
0x154-0x1a3: header
0x1a4-0x3a7: data2


2. Encryption

The xPCD data is encrypted using the stream cipher RC4 (also known as ARC4, ARCFOUR). The encryption key for this algorithm is made of
the distributing system's (or any other transmitting device's) MAC address and a checksum that is calculated over the xPCD block.

The checksum algorithm is a simple add-and-rotate algorithm:
Code:
#include <stdint.h>

// the input data is treated as an array of 16-bit words
// (length is the number of words, i.e. 0x1d4 for the 0x3a8-byte xPCD block)
uint16_t checksum(const uint16_t *data, unsigned int length)
{
    uint16_t c = 0;

    while (length--)
    {
        c += *data++;
        c = (c << 1) | (c >> 15);  // rotate c left by 1
    }

    return c;
}


The encryption key is then generated as follows:
Code:
// mac[] holds the transmitting device's MAC address and c the checksum over the xPCD block;
// c_low means the lower byte of the checksum, c_high the upper one
uint8_t c_low = c & 0xff, c_high = c >> 8;
uint8_t key[] = { mac[0], mac[1], c_low, c_high, mac[4], mac[5], mac[2], mac[3] };


EDIT: I forgot to mention an important step in the original post:
The 8-byte key array is treated as an array of 4 halfwords and cumulatively XORed with 0x3fa2.
Code:
// key[] is the 8-byte array from the previous step, read as four little-endian
// halfwords (the byte order of the DS's ARM CPU)
uint16_t *key_16 = (uint16_t*)key;
uint16_t hw = 0x3fa2;

for (int i = 0; i < 4; ++i)
{
    key_16[i] ^= hw;    // XOR with the previous result (0x3fa2 for the first halfword)
    hw = key_16[i];
}


In the next step the actual RC4 encryption is performed. Unfortunately I can't post a link to the algorithm here so please look for it yourself.
The resulting block will be called "ePCD".
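
As an added example (my own code, not the post's), here are sections 1 and 2 end to end in C: building the xPCD, the checksum, the key derivation including the XOR step from the EDIT, and a standard RC4 so an ePCD can be produced or, with the same call, a captured one decrypted and checked against its checksum. The function names and the values used in the comments are my own assumptions.

```c
#include <stdint.h>
#include <string.h>

/* xPCD = the PCD header (PCD offsets 0x104..0x153) prepended to the whole 0x358-byte PCD. */
void build_xpcd(const uint8_t *pcd, uint8_t *xpcd)
{
    memcpy(xpcd, pcd + 0x104, 0x50);   /* 80-byte header first */
    memcpy(xpcd + 0x50, pcd, 0x358);   /* then data1, header, data2: 0x3a8 bytes in total */
}

/* Add-and-rotate checksum from the post, reading the buffer as little-endian 16-bit words. */
uint16_t xpcd_checksum(const uint8_t *data, size_t len_bytes)
{
    uint16_t c = 0;
    for (size_t i = 0; i + 1 < len_bytes; i += 2) {
        c += (uint16_t)(data[i] | (data[i + 1] << 8));
        c = (uint16_t)((c << 1) | (c >> 15));     /* rotate left by 1 */
    }
    return c;
}

/* Key halfwords mac0|mac1, checksum (c_low, c_high), mac4|mac5, mac2|mac3; each is then
 * XORed with the previous result, seeded with 0x3fa2 (the step added in the EDIT). */
void derive_key(const uint8_t mac[6], uint16_t checksum, uint8_t key[8])
{
    const uint16_t w[4] = { (uint16_t)(mac[0] | mac[1] << 8), checksum,
                            (uint16_t)(mac[4] | mac[5] << 8), (uint16_t)(mac[2] | mac[3] << 8) };
    uint16_t hw = 0x3fa2;
    for (int i = 0; i < 4; ++i) {
        hw ^= w[i];                                 /* hw is now key_16[i] */
        key[2 * i] = (uint8_t)hw; key[2 * i + 1] = (uint8_t)(hw >> 8);
    }
}

/* Standard RC4 (KSA + PRGA), in place; a second call with the same key decrypts. */
void rc4(const uint8_t *key, size_t keylen, uint8_t *buf, size_t len)
{
    uint8_t S[256], t; unsigned i, j;
    for (i = 0; i < 256; ++i) S[i] = (uint8_t)i;
    for (i = 0, j = 0; i < 256; ++i) {
        j = (j + S[i] + key[i % keylen]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (size_t k = 0; k < len; ++k) {
        i = (i + 1) & 0xff; j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        buf[k] ^= S[(S[i] + S[j]) & 0xff];
    }
}
```

To produce the ePCD, call build_xpcd, then xpcd_checksum over the 0x3a8 bytes, derive_key with that checksum and the transmitter's MAC, and rc4 over the xPCD in place.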


3. Transmission

Wonder cards are transmitted using 802.11 beacon frames which are normally used to advertise a wireless access point (AP).
After encryption the ePCD block is split into 9 equal-sized fragments of 104 (0x68) bytes with the corresponding index numbers 0 to 8.
A tenth fragment with index number -1 is made of the unencrypted PCD header padded with zeros to a total size of 104 bytes.
Those 10 distinct fragments are embedded in beacon frames as vendor-specific data.

Below is the format of the vendor-specific element. All values are in little endian order.
Code:
Length  Value/Meaning
     1  0xdd (tag ID)
     1  0x88 (tag length)
     3  0x00 0x09 0xbf (OUI, Nintendo)
     1  0x00 (OUI subtype)
    
   132  --- actual packet ---
    28  --- packet header ---
     4  0xa (frames count?)
     2  0x1
     2  0x1
     4  GGID (language code)
     2  0x0
     2  0x70
     2  0x28
     2  0xc
     2  checksum
     2  fragment index
     4  0x3a8 (payload length)
    
   104  --- packet payload ---


Possible GGID values:
Code:
0x400318 - English
0x8000cd - French
0x8000cf - Italian
0x8000d0 - Spanish
0x345    - Japanese
0xc00018 - Korean
0x8000ce - German


The resulting beacon frames are sent repeatedly by the distribution system, ordered by their index, at an interval of 0.010240 seconds.
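
Added example (not from the post): packing one fragment into the vendor-specific element laid out above, plus the matching parser a capture tool can use to validate a beacon and pull out the fragment index, GGID and checksum. Function names are my own; reassembling the nine ePCD fragments from the returned payload pointers is left to the caller.

```c
#include <stdint.h>
#include <string.h>
#define EPCD_SIZE 0x3a8   /* 9 fragments of 104 bytes */
#define FRAG_SIZE 0x68
#define IE_SIZE   138     /* 1 tag + 1 length + 0x88 bytes of element body */

/* tag 0xdd, length 0x88, Nintendo OUI 00:09:bf, OUI subtype 0 */
static const uint8_t ie_prefix[6] = { 0xdd, 0x88, 0x00, 0x09, 0xbf, 0x00 };
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t get32(const uint8_t *p) { return get16(p) | (uint32_t)get16(p + 2) << 16; }

/* Build the element for one fragment. Index -1 carries the plain 80-byte PCD header zero
 * padded to 104 bytes, 0..8 carry ePCD slices. Returns IE_SIZE, or 0 for a bad index. */
size_t build_beacon_ie(const uint8_t *epcd, const uint8_t *pcd_header, uint32_t ggid,
                       uint16_t checksum, int frag_index, uint8_t *out)
{
    if (frag_index < -1 || frag_index > 8) return 0;
    memcpy(out, ie_prefix, 6);
    uint8_t *h = out + 6;                       /* 28-byte packet header */
    put32(h + 0, 0xa);                          /* frame count */
    put16(h + 4, 0x1); put16(h + 6, 0x1);
    put32(h + 8, ggid);                         /* language code */
    put16(h + 12, 0x0); put16(h + 14, 0x70); put16(h + 16, 0x28); put16(h + 18, 0xc);
    put16(h + 20, checksum);
    put16(h + 22, (uint16_t)frag_index);        /* -1 goes out as 0xffff */
    put32(h + 24, EPCD_SIZE);                   /* payload length */
    uint8_t *payload = h + 28;
    if (frag_index < 0) {
        memset(payload, 0, FRAG_SIZE);
        memcpy(payload, pcd_header, 0x50);
    } else {
        memcpy(payload, epcd + frag_index * FRAG_SIZE, FRAG_SIZE);
    }
    return IE_SIZE;
}

/* Inverse for a captured element: returns the fragment index (-1..8), or -2 if it does not match. */
int parse_beacon_ie(const uint8_t *ie, size_t len, uint32_t *ggid, uint16_t *checksum,
                    const uint8_t **payload)
{
    if (len < IE_SIZE || memcmp(ie, ie_prefix, 6) != 0) return -2;
    const uint8_t *h = ie + 6;
    if (get32(h + 24) != EPCD_SIZE || get16(h + 14) != 0x70) return -2;
    int idx = (int16_t)get16(h + 22);
    if (idx < -1 || idx > 8) return -2;
    *ggid = get32(h + 8); *checksum = get16(h + 20); *payload = h + 28;
    return idx;
}
```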


4. Result

For the purpose of testing I managed to create a small board consisting of an ATMEGA324PA and an ESP8266.
I successfully distributed the German Secret Key to my Platinum version, so I can verify that my results are correct
or at least "correct enough" to achieve a transmission accepted by the Pokémon games.
 
Last edited by Yuuto,
