
Pokemon Go Plus DIY

Project to create your own pokemon go plus

Your help and additional platforms are welcome.

This project is intended to collectively create a DIY version of the famous Nintendo Pokemon Go Plus device, which can be built on different platforms.

Platforms supported:

- ESP32

Possible:

- Arduino + BLE
- nRF51822
- Raspberry Pi

Welcome your help and comments

  • 1 × Wemos ESP32 D1 Mini
  • 1 × Button
  • 1 × RGB LED

  • Pokemon go plus has arrived

    Sabas, 09/05/2019 at 23:12, 3 comments

    Today the Pokemon Go Plus that I requested has arrived.

    I have proven that it is working correctly, and now I have opened it.

    Tomorrow I will solder the necessary cables.

    See you tomorrow!

  • Campaign in Donorbox completed!

    Sabas, 09/04/2019 at 19:03, 0 comments

    Hello everyone,

    I am pleased to announce that we have completed the donation campaign. I have already ordered a Pokemon Go Plus; as soon as I receive it I will update these logs and upload all the information.

    Thanks to the sponsors of the campaign. They will be the first to have access to the repository with the code; after that it will be public.

    Thanks!

  • Donate for build our Pokemon Go Plus DIY

    Sabas, 12/02/2018 at 20:14, 0 comments

    Hi,

    Two years ago I started the project "Pokemon Go Plus DIY" on hackaday.io. Today, thanks to Yohanes Nugroho at TinyHack, it has been possible to discover a way to create a DIY version.

    Because the encryption keys for each device are unique, as Yohanes Nugroho explains in his post, today I open a campaign to raise money and buy a Pokemon Go Plus device, extract the keys from that device and publish them in an open firmware for the ESP32 microcontroller.

    I only need $80 to buy the device; I have the tools and knowledge to extract the firmware.

    If you want to support me, I promise to deliver:

    - Code for ESP32 with working keys.

    - Firmware extracted for further studies by third parties.

    WARNING:

    - All devices that have this firmware will have the same MAC and keys, there is a risk that Nintendo will block the accounts that use this device.

    I will start the process as soon as I get the money to buy the device, and I will publish all the updates at https://hackaday.io/project/12680-pokemon-go-plus-diy

    If you want to donate (from $3 upwards) you can do it at the following link:

    https://donorbox.org/pokemon-go-plus-diy

  • Reverse Engineering Pokémon GO Plus

    Sabas, 11/28/2018 at 05:00, 0 comments

    Yohanes Nugroho at TinyHack writes about reverse engineering Pokemon GO Plus:

    Pokemon GO Plus (which I will refer to from now on as PGP) is a wearable Bluetooth Low Energy (BLE) device to be used with the Pokemon GO game for Android or iOS. There have been many attempts to clone this device, but only Datel seems to have figured out the algorithm, while the other clones are cloning the exact hardware and firmware.
    I will explain the complete certification algorithm that I obtained from reverse engineering a PGP clone, and then I will explain how I did the reverse engineering and how you can extract your own blob and key if you want to clone your own device. I am providing a reference implementation for ESP32 so you can test this yourself.

    The article talks about the history of cloning and goes into great detail on the process. It does not discuss generating keys or the Bluetooth blob (as that would be proprietary to the company and could have Niantic ban someone’s account).

    https://tinyhack.com/2018/11/21/reverse-engineering-pokemon-go-plus/

  • Pokemon Go Plus reverse engineering write up

    Sabas, 01/19/2017 at 15:53, 0 comments

    The Reddit user BobThePigeon_ has written an excellent piece of research on how the PGO+ works:

    https://www.reddit.com/r/pokemongodev/comments/5ovj04/pokemon_go_plus_reverse_engineering_write_up

    Within his work we can find the certification process:

    Certification process

    Current attempts to produce a DIY Pokemon Go Plus have been blocked by a certification process. The device and app will send random data (the "challenge") to each other, and the other side must respond with the correct response in order to certify the app and device as being genuine. Here is what is transacted during the certification (compare with this):

    • Device sends 36 bytes: 03000000 + 32 random bytes to SFIDA_TO_CENTRAL, this is a certification challenge; the device is checking that the app is genuine.
    • Device sends 4 bytes: 03000000 to SFIDA_COMMANDS, this will notify app
    • App sends a response which is 20 bytes: 04000000 + 16 response bytes to CENTRAL_TO_SFIDA.
    • Device sends 4 bytes: 04000100 to SFIDA_COMMANDS to notify app that it has received the response.
    • App sends 36 bytes: 05000000 + 32 random bytes to CENTRAL_TO_SFIDA, this is a certification challenge; the app is checking that the device is genuine.
    • Device sends a response which is 20 bytes: 05000000 + 16 response bytes to SFIDA_TO_CENTRAL.
    • Device sends 4 bytes: 05000000 to SFIDA_COMMANDS to notify app that it has responded to the certification challenge.
    • App sends 5 bytes: 0300000001 to CENTRAL_TO_SFIDA
    • Device sends 4 bytes: 04000200 to SFIDA_COMMANDS

    By using a combination of static analysis and debugging, I have determined the algorithm used to generate a certification response from a challenge:

    1. Split the 32 challenge bytes into two 16 byte halves.
    2. Encrypt the first 16 byte half using AES-128, using the key bda885742bc53918793ade3fa7b6cf3b.
    3. Take the encrypted result and XOR it with the second 16 byte half. This gives the response.

    Here are some test vectors, obtained from a real device:

    • challenge = 7526c9257080ec4b6366635b0ee5416324673e610d38d7f2440662b272db041f leads to response = 2445be74030f584a7a01fa26490a902e
    • challenge = 5035fb9119b5bb9de2f4f76803fef5152543b95e02c8791c69fb393215418aa5 leads to response = 78393cb801cd71e17ea977bb1c31acd3


    Thanks BobThePigeon_
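    The log above quotes the three-step response algorithm and two device-captured test vectors. What follows is an added example, not code from the project repository nor from either write-up: a textbook AES-128 single-block encryption (included only so the script runs without third-party libraries), the "encrypt first half, XOR with second half" step, and a small framing helper that turns a 36-byte challenge message into the 20-byte reply listed in the exchange above. The key and the challenge/response pairs are the ones posted in the write-up; `handle_challenge_message`, `aes_core_ok` and the FIPS-197 check vector are this example's own additions. As the discussion further down on this page notes, the key is per-device, so the posted pairs only validate the arithmetic, nothing more.

```python
# Added example: textbook AES-128 block encryption + the challenge/response
# step from BobThePigeon_'s write-up, so the posted test vectors can be re-run.
# The AES core, the FIPS-197 self-check and handle_challenge_message() are
# this example's own; the key and challenge/response pairs come from the write-up.

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _gen_sbox():
    """Derive the AES S-box: GF(2^8) multiplicative inverse + affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 in GF(2^8)
        q ^= q << 1                                              # q /= 3 (i.e. q *= 0xf6)
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        # q is now the inverse of p; apply the affine transformation
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _gen_sbox()

def _xtime(a):
    """Multiply by x (0x02) in GF(2^8) with the AES polynomial."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                       # RotWord, SubWord, XOR Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; state is column-major (index = col*4 + row)."""
    round_keys = _expand_key(bytes(key))
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for r in range(1, 11):
        s = [SBOX[b] for b in s]                                           # SubBytes
        s = [s[((c + row) % 4) * 4 + row] for c in range(4) for row in range(4)]  # ShiftRows
        if r != 10:                                                        # MixColumns
            out = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                out += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                        a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                        a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                        _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
            s = out
        s = [b ^ k for b, k in zip(s, round_keys[r])]                      # AddRoundKey
    return bytes(s)

def certification_response(key, challenge):
    """Steps 1-3 of the write-up: AES-128(first 16 bytes) XOR second 16 bytes."""
    if len(challenge) != 32:
        raise ValueError("challenge must be 32 bytes")
    enc = aes128_encrypt_block(key, challenge[:16])
    return bytes(a ^ b for a, b in zip(enc, challenge[16:]))

def handle_challenge_message(key, msg):
    """Frame the reply to a 36-byte challenge message (<cmd> 00 00 00 + 32 random bytes).
    cmd 03 is the device challenging the app (reply header 04 00 00 00);
    cmd 05 is the app challenging the device (reply header 05 00 00 00)."""
    if len(msg) != 36 or msg[1:4] != b"\x00\x00\x00" or msg[0] not in (0x03, 0x05):
        raise ValueError("not a certification challenge message")
    reply_cmd = 0x04 if msg[0] == 0x03 else 0x05
    return bytes([reply_cmd, 0, 0, 0]) + certification_response(key, msg[4:])

# FIPS-197 Appendix C.1 vector: sanity check for the AES core above
FIPS197_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FIPS197_PT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS197_CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")

def aes_core_ok():
    return aes128_encrypt_block(FIPS197_KEY, FIPS197_PT) == FIPS197_CT

# Key and vectors as posted in the write-up (per-device; see discussion on this page)
WRITEUP_KEY = bytes.fromhex("bda885742bc53918793ade3fa7b6cf3b")
WRITEUP_VECTORS = [
    ("7526c9257080ec4b6366635b0ee5416324673e610d38d7f2440662b272db041f", "2445be74030f584a7a01fa26490a902e"),
    ("5035fb9119b5bb9de2f4f76803fef5152543b95e02c8791c69fb393215418aa5", "78393cb801cd71e17ea977bb1c31acd3"),
]

def check_writeup_vectors():
    """Return (challenge_hex, computed_hex, expected_hex, matches) per posted vector."""
    results = []
    for ch_hex, want in WRITEUP_VECTORS:
        got = certification_response(WRITEUP_KEY, bytes.fromhex(ch_hex)).hex()
        results.append((ch_hex, got, want, got == want))
    return results

if __name__ == "__main__":
    print("AES core matches FIPS-197 vector:", aes_core_ok())
    for ch, got, want, ok in check_writeup_vectors():
        print(f"{ch[:16]}... -> {got} (posted {want}) {'OK' if ok else 'MISMATCH'}")
```

    Running the script prints the FIPS-197 self-check first; if that fails, the AES core is at fault rather than the write-up. The S-box is generated at import time instead of being typed in as a 256-entry table, which keeps the listing short and avoids transcription errors in the one part of AES that is easy to get subtly wrong.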

  • Hardware Teardown

    deqing, 09/16/2016 at 18:37, 8 comments

    There are 3 non-standard screws in the case. If you don't have the tools, like me, you can scratch off the coating, add some flux and add a drop of very hot solder quickly so you don't melt the plastic underneath. Then you can solder a pin header to unscrew it easily. You can clean the solder and cut a slot for further assembly and disassembly.

    There aren't a lot of parts inside. I haven't investigated much, but I think there is a PMIC, an SPI flash and a DA14580.

    The good thing is all SPI flash pins are exposed. You can even cut the trace to isolate it. This makes it easy to dump the firmware from this flash chip.

    I suppose the encryption can be hacked by static analysis or by moving the firmware to a dev board for debugging.

  • Start conversation between App and BLE device

    deqing, 09/14/2016 at 08:13, 7 comments

    After installing the 0.37 update we can use Pokemon Go Plus. However, there is a certification protocol before we can connect homemade hardware to the Pokemon Go App. Here is my experiment on trying to mimic a real Pokemon Go Plus.

    1. Make sure the BLE device can bond with the Android device. The device must support pairing.

    2. Make sure the UUID_SFIDA_COMMANDS characteristic has the NOTIFY property. The Pokemon Go App will not read anything from the BLE device until there is a notification.

    3. Don't try to reply by hand with a BLE tool such as "LightBlue"; you only have about 10 seconds.

    The following info is the communication between App and device

    1. Device starts advertising

    2. App connects to device

    3. App pairs with device

    4. App sets up notification on SFIDA_COMMANDS

    5. Device writes 3,0,0,0 (SFIDA_RESPONSE_CERTIFICATION_NOTIFY) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, this will create a notification to App

    6. App reads SFIDA_COMMANDS then SFIDA_TO_CENTRAL

    7. App writes 4,0,0,0 to CENTRAL_TO_SFIDA

    8. Device writes 4,0,1,0 (SFIDA_RESPONSE_CERTIFICATION_CHALLENGE_1) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, this will create a notification to App

    9. App reads SFIDA_COMMANDS then SFIDA_TO_CENTRAL

    10. App writes 5,0,0,0 + 32 bytes (36 bytes total) of random data to CENTRAL_TO_SFIDA

    11. Device writes 5,0,0,0 (SFIDA_RESPONSE_CERTIFICATION_CHALLENGE_2) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, this will create a notification to App

    12. App reads SFIDA_COMMANDS then SFIDA_TO_CENTRAL

    13. App writes 3,0,0,0,3 to CENTRAL_TO_SFIDA

    14. Device writes 4,0,2,0 (SFIDA_RESPONSE_CERTIFICATION_NOTIFY) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, this will create a notification to App

    15. App reads SFIDA_COMMANDS

    16. App disconnects immediately

  • App version 0.37 added support PGO+!!

    Sabas, 09/11/2016 at 16:16, 0 comments

    Yesterday the latest version 0.37 was published, which already includes support for PGO+, and the good news is that the DIY version is detected by the application :D

  • Working in nRF51822

    Sabas, 08/22/2016 at 13:10, 0 comments

    I managed to run it on the nRF51822 BLE module, thanks to the nRF5 Arduino Core project

    https://github.com/sandeepmistry/arduino-nRF5

    and the nRF5 branch of the arduino-BLEPeripheral library

    https://github.com/sandeepmistry/arduino-BLEPeripheral/tree/nRF5

    You can get an nRF51822 module on AliExpress for less than $7.

    We are still waiting for Bluetooth to be activated in the application so we can test.

    Thanks!

  • Working in version CC2541, Hack HAVIR HV-101 & HV-102

    Sabas, 08/04/2016 at 12:47, 4 comments

    @deqing tells us that he is working on a version for the CC2541 and found an interesting device to hack: HAVIR HV-101 & HV-102. It may be the only low-cost BLE product with a reprogrammable controller.

    It has a button, 2 LEDs, a buzzer and debug pads. That's basically everything we need. I've put its photo on https://github.com/DeqingSun/CC2541WristBandHack

    Thanks @deqing

  • Step 1

  • Step 2: Clone the repository to your computer

  • Step 3: Open the sketch with the Arduino IDE, compile it and upload it to the ESP32

Discussions

apkmyboy wrote 11/25/2023 at 18:03

Thanks for the exciting update! My Boy APK, a famous GBA Emulator has arrived, and we're thrilled!

saul wrote 12/21/2022 at 06:28

Does anyone know if this project worked? I want to try to do this project on a smartwatch

marrz42 wrote 12/25/2020 at 21:25

I'd love to see this adapted for the new Flipper Zero

Christian wrote 12/13/2020 at 01:03

This project was never created. We just donated him a Go Plus :-D

Christian wrote 12/05/2020 at 23:36

Why can't I get the sketch for ESP32? Everything is blanked out :-( I successfully extracted the blobs and key from my Pokemon Go Plus.

Maximus wrote 10/23/2020 at 19:48

Is this project dead? I'm not seeing anything under instructions or a repository.

Tim Bloom wrote 09/29/2019 at 11:30

I have a Feather HUZZAH32 (ESP32 with all the fixins, LiPo charging via USB on-board) that I have not had much use for. This project would certainly give it a very useful function.

Suzhou65 wrote 09/04/2019 at 05:22

Hi, I really want this project to work perfectly, so I don't need to tear down a PGP and solder connecting wires, and hope that I don't burn it out (click donate).

I was wondering, if I can get all of the Bluetooth identifiers (including identifier characteristics and MAC address), could I modify the code to avoid the same-MAC-address issue?

lukas wrote 06/04/2019 at 02:09

I'm currently trying this with a Raspberry Pi B, but I have some issues.

How do I use the Arduino script on the Pi?
I tried switching to wiringPi, but I can't include it into the script.

How will this work with the Bluetooth module, even though my Pi has none?

Can I attach a stick?

Do I need a button etc.?

Or can I simulate all the stuff via the script?

Andrea de'Rose wrote 02/11/2019 at 09:11

I wonder if there is a way to make a DIY NintendoDS bluetooth interface to obtain Meltan pack. That would be very useful. I guess the developers of Gotcha started from something like this.

Should anybody having some bluetooth communication knowledge be interested in developing something like that, feel free to contact me on telegram @AndrewD93.

Lee Wilkins wrote 01/07/2019 at 18:41

Super cool reverse engineering project. What's the current status?

mzramna wrote 10/02/2018 at 12:48

Have you tried with the ESP32? It has on-board BLE and, because it is a single board, it could be even easier to replicate.

bobnojio wrote 08/17/2018 at 03:06

if I were to get my hands on a Pokemon Go Plus and capture the initial pairing, is this in a working state at this point?

Thomas wrote 08/25/2018 at 17:17

No, it's not.

In the initial pairing the device sends the following message:

0x00:00:00:00
+
112 bytes
+
bytewise reversed MAC address (MAC: 01:23:45:67:78:90, message: 90:78:67:45:23:01)
+
Certificate (256 bytes)

The whole message is 378 bytes.

You would have to find out what the 112 bytes mean and how the certificate is structured. Then you have to analyze the rest of the process.

atumra wrote 07/24/2018 at 07:10

I'm trying to port the project to the ESP32. After a while, I found a compatible BLE library for the ESP32 board. I was able to enable the display (based on chars) and the communication between device and app, but unfortunately I banged against a wall... this wall is (I presume) the encryption and the final response to the app...

The comms between app and device work well till the last step... no answer from the app....

Btw, I bought a fresh new PG+ and I've found some differences inside the chars...

Primary Service, Generic Attribute and Battery Service are almost the same, but:

- Custom SVC 21C50462-67CB-63A3-5C4C-82B5B9939AEB has 5 chars:

21C50462-67CB-63A3-5C4C-82B5B9939AEC (Write)

21C50462-67CB-63A3-5C4C-82B5B9939AED (Notify)

21C50462-67CB-63A3-5C4C-82B5B9939AEE (Write)

21C50462-67CB-63A3-5C4C-82B5B9939AEF (Write)

21C50462-67CB-63A3-5C4C-82B5B9939AF0 (Read)

and

- Custom SVC BBE87709-5B89-4433-AB7F-8B8EEF0D8E37 has 3 chars:

BBE87709-5B89-4433-AB7F-8B8EEF0D8E38 (Write)

BBE87709-5B89-4433-AB7F-8B8EEF0D8E39 (Notify)

BBE87709-5B89-4433-AB7F-8B8EEF0D8E3A (Read)

I'm trying to figure out the last step!

Thomas wrote 07/24/2018 at 19:00

Hi,

the answer to your problem is pretty easy:

The "Certification process" listed in the logs is wrong.

It's not the initial pairing process, which you need to register a new device; it's only the re-pairing process, which is used after the PGP is already paired with your app.

The key "bda885742bc53918793ade3fa7b6cf3b" was exchanged in the initial pairing process, that's why you aren't able to connect.

I would like to help you, I already captured multiple pairings, but I wasn't able to figure out how the key exchange works.

atumra wrote 08/01/2018 at 19:40

Indeed.... I found this strange char value sent from the app.... the same device response (20 bytes) + 4 extra bytes...

burner wrote 08/05/2018 at 10:00

Did you manage to get it to work?

Benedikt Hübschen wrote 05/27/2018 at 11:39

ESP32 version would be nice

varefaz wrote 12/06/2017 at 14:48

what is the status of the project?

is the project working right now?

Howler wrote 09/12/2017 at 20:28

I have been following this project for a little while now. I am sad to see that it appears to have stagnated with the certification process. As I was checking in to see if anyone has gotten any further, I saw that there is a new device from a third party.

https://www.codejunkies.com/Products/Go-tcha-Wristband__EF001250V.aspx

According to a reddit thread, they seem to have traced it back to a "FitGo Prime" fitness tracker flashed with custom Go-tcha firmware.

https://www.reddit.com/r/TheSilphRoad/comments/67f9aj/review_gotcha_pogo_alternative_from_codejunkies/

I was wondering if any of you guys that have more experience than I do have gotten a hold of one of these, or if it would be helpful at all? I was considering picking one up from GameStop or Amazon, but I don't have a lot of hardware hacking experience to dump the firmware or anything. Would it still be potentially helpful for me to get one?


DoDo wrote 03/07/2017 at 23:17

Is it possible to use the sdk on a misfit shine2

Chris Chua wrote 01/19/2017 at 17:00

There is a possibility that the certification key is a per-device value, so that bda885742bc53918793ade3fa7b6cf3b will not work for everyone. To check this, could someone with a Go+ and an Android device enable Bluetooth HCI snoop logging (see http://www.androidcentral.com/all-about-your-phones-developer-options) and post the btsnoop_hci.log of the Go+ and app connecting?


dsechols wrote 01/20/2017 at 00:26

I just tried to pair my Pokémon go plus with the only android device I have - a cheap Amazon fire tablet. Unfortunately it won't pair - it may not have Bluetooth LE.

dsechols wrote 01/20/2017 at 16:58

Hold on. I just found out that the latest Android version of Pokémon Go has an issue connecting to the Plus. I'll try again when they patch it.

Chris Chua wrote 01/21/2017 at 02:02

By hard resetting my Go+, and then re-pairing it, I've confirmed that the certification key does indeed change. The key bda885742bc53918793ade3fa7b6cf3b will not work for anyone else. Thus more work will be needed to fully understand the certification protocol.