
Pokemon Go Plus DIY

Project to create your own pokemon go plus


Your help and additional platforms are welcome

This project is intended to collectively create a DIY version of the famous Nintendo Pokemon Go Plus device, which can be built on different platforms

Platforms supported:

- Arduino + BLE
- nRF51822
- CC254X

(Possibly Raspberry Pi 3, LinkIt One, Intel Edison and more)

Your help and comments are welcome

  • 1 × Arduino Micro or Arduino Leonardo
  • 1 × Bluefruit LE - Bluetooth Low Energy (BLE 4.0) - nRF8001 Breakout - v1.0 https://www.adafruit.com/product/1697
  • 1 × Button
  • 1 × RGB LED
  • 1 × nRF51822
  • 1 × CC254X: HAVIR HV-101 & HV-102

  • Pokemon Go Plus reverse engineering write up

    Sabas, 01/19/2017 at 15:53, 0 comments

    The reddit user BobThePigeon_ has written an excellent piece of research on how the PGO+ works:

    https://www.reddit.com/r/pokemongodev/comments/5ovj04/pokemon_go_plus_reverse_engineering_write_up

    Within his work we can find the certification process:

    Certification process

    Current attempts to produce a DIY Pokemon Go Plus have been blocked by a certification process. The device and app will send random data (the "challenge") to each other, and the other side must respond with the correct response in order to certify the app and device as being genuine. Here is what is transacted during the certification (compare with this):

    • Device sends 36 bytes: 03000000 + 32 random bytes to SFIDA_TO_CENTRAL, this is a certification challenge; the device is checking that the app is genuine.
    • Device sends 4 bytes: 03000000 to SFIDA_COMMANDS, this will notify app
    • App sends a response which is 20 bytes: 04000000 + 16 response bytes to CENTRAL_TO_SFIDA.
    • Device sends 4 bytes: 04000100 to SFIDA_COMMANDS to notify app that it has received the response.
    • App sends 36 bytes: 05000000 + 32 random bytes to CENTRAL_TO_SFIDA, this is a certification challenge; the app is checking that the device is genuine.
    • Device sends a response which is 20 bytes: 05000000 + 16 response bytes to SFIDA_TO_CENTRAL.
    • Device sends 4 bytes: 05000000 to SFIDA_COMMANDS to notify app that it has responded to the certification challenge.
    • App sends 5 bytes: 0300000001 to CENTRAL_TO_SFIDA
    • Device sends 4 bytes: 04000200 to SFIDA_COMMANDS

    By using a combination of static analysis and debugging, I have determined the algorithm used to generate a certification response from a challenge:

    1. Split the 32 challenge bytes into two 16 byte halves.
    2. Encrypt the first 16 byte half using AES-128, using the key bda885742bc53918793ade3fa7b6cf3b.
    3. Take the encrypted result and XOR it with the second 16 byte half. This gives the response.

    Here are some test vectors, obtained from a real device: challenge = 7526c9257080ec4b6366635b0ee5416324673e610d38d7f2440662b272db041f leads to response = 2445be74030f584a7a01fa26490a902e, challenge = 5035fb9119b5bb9de2f4f76803fef5152543b95e02c8791c69fb393215418aa5 leads to response = 78393cb801cd71e17ea977bb1c31acd3.


    Thanks BobThePigeon_

  • Hardware Teardown

    deqing, 09/16/2016 at 18:37, 8 comments

    There are 3 non-standard screws in the case. If you don't have the tools, like me, you can scratch off the coating, add some flux and quickly add a drop of very hot solder so you don't melt the plastic underneath. Then you can solder on a pin header to unscrew it easily. Afterwards you can clean off the solder and cut a slot for further assembly and disassembly.

    There aren't a lot of parts inside. I haven't investigated much, but I think there is a PMIC, an SPI flash and a DA14580.

    The good thing is that all the SPI flash pins are exposed. You can even cut the trace to isolate it. This makes it easy to dump the firmware from this flash chip.

    I suppose the encryption can be hacked by static analysis or by moving the firmware to a dev board for debugging.

  • Start conversation between App and BLE device

    deqing, 09/14/2016 at 08:13, 7 comments

    After installing the 0.37 update we can use the Pokemon Go Plus. However, there is a certification protocol before we can connect homemade hardware to the Pokemon Go app. Here is my experiment in trying to mimic a real Pokemon Go Plus.

    1. Make sure the BLE device can bond with the Android device. The device must support pairing.

    2. Make sure the UUID_SFIDA_COMMANDS characteristic has the NOTIFY property. The Pokemon Go app will not read anything from the BLE device until there is a notification.

    3. Don't try to reply by hand with a BLE tool such as "LightBlue"; you only have about 10 seconds.

    The following is the communication between the app and the device:

    1. Device starts advertising

    2. App connects to device

    3. App pairs with device

    4. App sets up notification on SFIDA_COMMANDS

    5. Device writes 3,0,0,0 (SFIDA_RESPONSE_CERTIFICATION_NOTIFY) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS; this will create a notification to the App

    6. App reads SFIDA_COMMANDS, then SFIDA_TO_CENTRAL

    7. App writes 4,0,0,0 to CENTRAL_TO_SFIDA

    8. Device writes 4,0,1,0 (SFIDA_RESPONSE_CERTIFICATION_CHALLENGE_1) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS; this will create a notification to the App

    9. App reads SFIDA_COMMANDS, then SFIDA_TO_CENTRAL

    10. App writes 5,0,0,0 + 32 bytes (36 bytes total) of random data to CENTRAL_TO_SFIDA

    11. Device writes 5,0,0,0 (SFIDA_RESPONSE_CERTIFICATION_CHALLENGE_2) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS; this will create a notification to the App

    12. App reads SFIDA_COMMANDS, then SFIDA_TO_CENTRAL

    13. App writes 3,0,0,0,3 to CENTRAL_TO_SFIDA

    14. Device writes 4,0,2,0 (SFIDA_RESPONSE_CERTIFICATION_NOTIFY) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS; this will create a notification to the App

    15. App reads SFIDA_COMMANDS

    16. App disconnects immediately
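
    The following Python is an added example, not code from this project, from this log or from BobThePigeon_'s write-up. It implements the challenge-response algorithm quoted in the reverse engineering log above (AES-128 of the first 16 challenge bytes, XORed with the last 16) with a small pure-Python AES so nothing has to be installed, and then replays the message sequence from the write-up between a simulated app and a simulated device so that a key mismatch on either side can be seen to fail. The characteristic names stand in for the real UUIDs, the function and variable names are the example's own, and an in-memory characteristic table replaces any actual BLE traffic. The key from the write-up is used only to check the published test vectors; as the comments further down note, a real unit has its own key.

```python
import os

# ---- AES-128 single-block encryption, pure Python (FIPS-197); no third-party module needed ----
def _xtime(a):                      # multiply by x in GF(2^8) modulo x^8+x^4+x^3+x+1
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):                    # general GF(2^8) multiplication
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = _xtime(a), b >> 1
    return p

def _build_sbox():                  # S-box = affine transform of the multiplicative inverse
    sbox = []
    for x in range(256):
        inv = 1
        for _ in range(254):        # x^254 == x^-1 in GF(2^8); 0 stays 0
            inv = _gmul(inv, x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def _expand_key(key):               # 11 round keys of 16 bytes from a 16-byte key
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:              # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    rk = _expand_key(key)
    s = [a ^ b for a, b in zip(block, rk[0])]                                # state index = 4*col + row
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                             # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != 10:                                                        # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3, a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                      a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3), _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
            s = m
        s = [a ^ b for a, b in zip(s, rk[rnd])]                             # AddRoundKey
    return bytes(s)

# ---- Certification response exactly as the write-up describes it ----
def certification_response(key, challenge):
    """AES-128(key, first 16 bytes) XOR last 16 bytes. The second half enters only through the XOR."""
    if len(challenge) != 32:
        raise ValueError("challenge must be 32 bytes")
    enc = aes128_encrypt_block(key, challenge[:16])
    return bytes(a ^ b for a, b in zip(enc, challenge[16:]))

# ---- Simulated exchange over the three characteristics (names stand in for the real UUIDs) ----
SFIDA_COMMANDS, SFIDA_TO_CENTRAL, CENTRAL_TO_SFIDA = "SFIDA_COMMANDS", "SFIDA_TO_CENTRAL", "CENTRAL_TO_SFIDA"

def run_certification(device_key, app_key, rng=os.urandom):
    """Walk the write-up's message sequence with a device holding device_key and an app holding app_key.
    Returns (device_accepted_app, app_accepted_device, transcript). Only the 16-byte responses depend
    on the keys, so a key mismatch is what makes either side reject the other."""
    gatt, log = {}, []                                   # characteristic values and who wrote them
    def write(who, char, value):
        gatt[char] = bytes(value)
        log.append((who, char, gatt[char].hex()))
    dev_chal = rng(32)                                   # 1. device challenges the app, then notifies
    write("device", SFIDA_TO_CENTRAL, b"\x03\x00\x00\x00" + dev_chal)
    write("device", SFIDA_COMMANDS, b"\x03\x00\x00\x00")
    assert gatt[SFIDA_COMMANDS] == b"\x03\x00\x00\x00"   # 2. app reads the command, then the payload
    write("app", CENTRAL_TO_SFIDA, b"\x04\x00\x00\x00" + certification_response(app_key, gatt[SFIDA_TO_CENTRAL][4:]))
    if gatt[CENTRAL_TO_SFIDA][4:] != certification_response(device_key, dev_chal):
        return False, False, log                         # 3. device rejects the app; nothing further happens
    write("device", SFIDA_COMMANDS, b"\x04\x00\x01\x00") # 3. device acknowledges the response
    app_chal = rng(32)                                   # 4. app challenges the device
    write("app", CENTRAL_TO_SFIDA, b"\x05\x00\x00\x00" + app_chal)
    write("device", SFIDA_TO_CENTRAL, b"\x05\x00\x00\x00" + certification_response(device_key, gatt[CENTRAL_TO_SFIDA][4:]))
    write("device", SFIDA_COMMANDS, b"\x05\x00\x00\x00") # 5. device answers and notifies
    app_ok = gatt[SFIDA_TO_CENTRAL][4:] == certification_response(app_key, app_chal)
    write("app", CENTRAL_TO_SFIDA, b"\x03\x00\x00\x00\x01")  # 6. app closes the handshake
    write("device", SFIDA_COMMANDS, b"\x04\x00\x02\x00")      # 7. device confirms
    return True, app_ok, log

if __name__ == "__main__":
    key = bytes.fromhex("bda885742bc53918793ade3fa7b6cf3b")   # key from the write-up; real units differ
    for who, char, value in run_certification(key, key)[2]:
        print(f"{who:6s} -> {char:16s} {value}")
```

    Run it directly to print the transcript of a successful handshake. Calling run_certification(key, bytes(16)) shows the device rejecting an app that holds the wrong key at step 3, which is exactly where a DIY device without the right key gets stuck with the real app; the SFIDA_COMMANDS write is the notification the app waits for, so a device that never writes it hangs the app just as described in this log.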

  • App version 0.37 added support for PGO+!!

    Sabas, 09/11/2016 at 16:16, 0 comments

    Yesterday the latest version, 0.37, was published, which already includes support for PGO+, and the good news is that the DIY version is detected by the application :D

  • Working on the nRF51822

    Sabas, 08/22/2016 at 13:10, 0 comments

    I managed to get it running on an nRF51822 BLE module, thanks to the nRF5 Arduino Core project

    https://github.com/sandeepmistry/arduino-nRF5

    and the nRF5 branch of the Arduino BLEPeripheral library

    https://github.com/sandeepmistry/arduino-BLEPeripheral/tree/nRF5

    You can get an nRF51822 module on AliExpress for less than $7

    We are still waiting for Bluetooth to be activated in the application for testing

    Thanks!

  • Working on a CC2541 version: hacking the HAVIR HV-101 & HV-102

    Sabas, 08/04/2016 at 12:47, 4 comments

    @deqing tells us that he is working on a version for the CC2541 and has found an interesting device to hack: the HAVIR HV-101 & HV-102. It may be the only low-cost BLE product with a reprogrammable controller.

    It has a button, 2 LEDs, a buzzer and debug pads. That's basically everything we need. I've put its photo on https://github.com/DeqingSun/CC2541WristBandHack

    Thanks @deqing

  • Inside my Pokémon go plus!

    Sabas, 07/30/2016 at 15:23, 0 comments

    The YouTube user shiitakeo made some interesting videos, but without releasing the code.

    koshi.akutsu translated:
    I have read his blog entry. http://qiita.com/shiitakeo/items/059c11fe7d1e211ebb18
    He explains how it works. He also knows that "the current official Pokemon Go app is still not set up to work with the Bluetooth device",
    and therefore created a custom Android app to link to and speak to the Niantic API library.
    First of all, he created an Android app, but also mentioned he will create an iOS app in the future. What the custom app does is
    connect to the device through BLE, and then send/receive notifications (found Pokemon, got Pokemon, current longitude/latitude, etc.) from the Pokemon Go server back and forth.

    The main functions of the app are the following two; it acts like an intermediary between the device and the server.


  • Pokémon Go Plus delayed till September

    Sabas, 07/28/2016 at 04:04, 0 comments

    Heard that the wristband's release got delayed to September:

    http://www.androidauthority.com/pokemon-go-plus-delayed-706152/

  • Update Sketch and Instruction

    Sabas, 07/25/2016 at 03:34, 0 comments

    Updated the sketch with a battery level test and added instructions on hackaday.io

    I welcome your comments, thanks

  • Proof of Concept with Arduino and BLE

    Sabas, 07/19/2016 at 15:25, 0 comments

    I have started a proof of concept with an Arduino Micro and Adafruit's BLE breakout; you can find it in the project repository

    https://github.com/sabas1080/PokemonGODIY

    I have used the BLEPeripheral library by Sandeep Mistry

    https://github.com/sandeepmistry/arduino-BLEPeripheral (available in the Arduino IDE Library Manager)

    I have also used the Arduino Micro because the Arduino UNO has too little memory for this project; for the moment I've only added the services and characteristics of the Pokemon Go Plus.

    Your help and comments are welcome


  • 1

    Add the "arduino BLEPeripheral" library via the Library Manager of the Arduino IDE


  • 2

    Clone repository to your computer

    git clone https://github.com/sabas1080/PokemonGODIY
  • 3

    Open the sketch with the Arduino IDE, compile it and upload it to the Arduino Leonardo/Micro


Discussions

DoDo wrote 03/07/2017 at 23:17 point

Is it possible to use the SDK on a Misfit Shine 2?

Chris Chua wrote 01/19/2017 at 17:00 point

There is a possibility that the certification key is a per-device value, so that bda885742bc53918793ade3fa7b6cf3b will not work for everyone. To check this, could someone with a Go+ and an Android device enable Bluetooth HCI snoop logging (see http://www.androidcentral.com/all-about-your-phones-developer-options) and post the btsnoop_hci.log of the Go+ and app connecting?

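An added example (not part of this thread) of what to do with a capture like the one requested above: the Python below reads a btsnoop_hci.log (version 1, HCI UART/H4 datalink, which is what Android writes), reassembles the HCI ACL fragments into L2CAP frames and pulls out the ATT writes, reads and notifications, so the 36-byte challenges and 20-byte responses can be lined up and checked against a candidate key. The 36-byte messages only fit in one ATT PDU once the app has raised the MTU above the 23-byte default, and on a 4.0 controller they are still split across 27-byte ACL fragments, which is why the reassembly step is needed. The log it parses is constructed in memory with placeholder attribute handles and made-up payloads, so it runs without a phone; the function names are the example's own.

```python
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
H4_ACL_DATA = 0x02                       # H4 packet indicator for ACL data (commands/events are skipped)
ATT_CID = 0x0004                         # fixed L2CAP channel for the Attribute Protocol
ATT_NAMES = {0x0A: "read_req", 0x0B: "read_rsp", 0x12: "write_req", 0x52: "write_cmd", 0x1B: "notify"}

def parse_btsnoop(data):
    """Yield (direction, raw H4 packet) for each record of a btsnoop v1 file with datalink 1002
    (HCI UART H4), as Android's btsnoop_hci.log uses. Header and record fields are big-endian."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != 1002:
        raise ValueError(f"unsupported btsnoop version {version} / datalink {datalink}")
    off = 16
    while off + 24 <= len(data):
        _orig_len, incl_len, flags, _drops, _ts_us = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        yield ("rx" if flags & 1 else "tx"), data[off:off + incl_len]   # flag bit 0: 1 = controller to host
        off += incl_len

def extract_att(records):
    """Reassemble L2CAP frames from HCI ACL fragments and return the ATT PDUs on CID 4 as
    (direction, pdu name, attribute handle, value)."""
    pending, last_read_handle, out = {}, None, []
    for direction, pkt in records:
        if len(pkt) < 5 or pkt[0] != H4_ACL_DATA:
            continue
        hdr, length = struct.unpack("<HH", pkt[1:5])        # ACL header: handle | PB flag (bits 12-13), length
        conn, pb = hdr & 0x0FFF, (hdr >> 12) & 0x3
        body, key = pkt[5:5 + length], (direction, conn)
        if pb in (0, 2):                                    # start fragment: L2CAP header gives the frame length
            l2cap_len, = struct.unpack("<H", body[:2])
            pending[key] = [4 + l2cap_len, bytearray(body)]
        elif key in pending:                                # pb == 1: continuation fragment
            pending[key][1] += body
        else:
            continue
        want, buf = pending[key]
        if len(buf) < want:
            continue
        del pending[key]
        cid, = struct.unpack("<H", buf[2:4])
        att = bytes(buf[4:want])
        if cid != ATT_CID or not att:
            continue
        op = att[0]
        if op in (0x12, 0x52, 0x1B):                        # write req/cmd and notification: handle + value
            out.append((direction, ATT_NAMES[op], struct.unpack("<H", att[1:3])[0], att[3:]))
        elif op == 0x0A:                                    # read request: remember which handle was asked for
            last_read_handle = struct.unpack("<H", att[1:3])[0]
            out.append((direction, "read_req", last_read_handle, b""))
        elif op == 0x0B:                                    # read response carries only the value; pair it up
            out.append((direction, "read_rsp", last_read_handle, att[1:]))
    return out

def certification_pdus(data):
    """The PDUs whose value starts with one of the certification command codes 03/04/05."""
    return [p for p in extract_att(parse_btsnoop(data)) if p[3][:1] in (b"\x03", b"\x04", b"\x05")]

# ---- Constructed sample log (not a real capture): same message shapes as the logged exchange ----
def _record(direction, pkt):
    return struct.pack(">IIIIq", len(pkt), len(pkt), 1 if direction == "rx" else 0, 0, 0) + pkt

def _acl_fragments(direction, conn, att, max_acl=27):
    """Wrap an ATT PDU in L2CAP/ACL and split it into fragments the way a 4.0 controller would."""
    frame = struct.pack("<HH", len(att), ATT_CID) + att
    recs = []
    for i in range(0, len(frame), max_acl):
        pb = (2 if direction == "rx" else 0) if i == 0 else 1
        chunk = frame[i:i + max_acl]
        recs.append(_record(direction, bytes([H4_ACL_DATA]) + struct.pack("<HH", conn | (pb << 12), len(chunk)) + chunk))
    return b"".join(recs)

def build_sample_log(challenge=bytes(range(32)), response=bytes(range(16)), conn=0x0040):
    """Handles 0x0012/0x0010/0x0014 are placeholders for SFIDA_COMMANDS/SFIDA_TO_CENTRAL/CENTRAL_TO_SFIDA."""
    pdus = [
        ("rx", b"\x1B" + struct.pack("<H", 0x0012) + b"\x03\x00\x00\x00"),            # device notifies 03000000
        ("tx", b"\x0A" + struct.pack("<H", 0x0010)),                                    # app reads SFIDA_TO_CENTRAL
        ("rx", b"\x0B\x03\x00\x00\x00" + challenge),                                    # 36-byte challenge (fragmented)
        ("tx", b"\x12" + struct.pack("<H", 0x0014) + b"\x04\x00\x00\x00" + response),   # 20-byte app response
        ("tx", b"\x12" + struct.pack("<H", 0x0014) + b"\x05\x00\x00\x00" + challenge),  # 36-byte app challenge
    ]
    return BTSNOOP_MAGIC + struct.pack(">II", 1, 1002) + b"".join(_acl_fragments(d, conn, a) for d, a in pdus)

if __name__ == "__main__":
    for direction, name, handle, value in certification_pdus(build_sample_log()):
        print(f"{direction} {name:9s} handle=0x{handle:04x} len={len(value):2d} {value.hex()}")
```

To use it on a real file, replace build_sample_log() with open("btsnoop_hci.log", "rb").read(); the handles that carry 03/04/05-prefixed values in the output are the three SFIDA characteristics, and the 32 bytes after the 03 and 05 prefixes are the challenges whose responses a candidate key has to reproduce.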


dsechols wrote 01/20/2017 at 00:26 point

I just tried to pair my Pokémon go plus with the only android device I have - a cheap Amazon fire tablet. Unfortunately it won't pair - it may not have Bluetooth LE. 


dsechols wrote 01/20/2017 at 16:58 point

Hold on.  I just found out that the latest Android version of Pokémon Go has an issue connecting to the Plus. I'll try again when they patch it. 


Chris Chua wrote 01/21/2017 at 02:02 point

By hard resetting my Go+, and then re-pairing it, I've confirmed that the certification key does indeed change. The key bda885742bc53918793ade3fa7b6cf3b will not work for anyone else. Thus more work will be needed to fully understand the certification protocol.


McCzarny wrote 01/19/2017 at 15:19 point

Hello. Please check this thread:

https://www.reddit.com/r/pokemongodev/comments/5ovj04/pokemon_go_plus_reverse_engineering_write_up

It should help a lot with this project.

dsechols wrote 01/16/2017 at 20:07 point

I'm interested in helping.  I have a Pokemon Go Plus, but don't have the skills to dump the firmware without help.


Rockofclay wrote 11/26/2016 at 10:33 point

Would someone in Melbourne be able to meet up so I could have a crack at dumping the firmware off a pogo?


Jesus wrote 11/30/2016 at 23:28 point

The project seems dead. Plus it's impossible to get your hands on a pogo+ because of Nintendo's "scarcity", so I don't think there are many hackers with Pogo+ units

Rockofclay wrote 11/11/2016 at 15:46 point

What's the current status of the firmware dumps? I would love to get my hands on a unit and dump the flash. Are flash dumps the same between units? Can you post it up here somewhere?


teknogeek1300 wrote 11/04/2016 at 08:15 point

Has anyone played with the accessible leads located under the battery? Interested in doing an Arduino project that can trigger the button and monitor vibration/light sequences.

richard frowijn wrote 10/26/2016 at 17:15 point

Hi, I just followed this project.

I've got a few nRF51822 dev boards, used for some other project(s), and

implemented the needed code; the app can connect, but then it is the sound of silence.

Anyone got a PG+? If so, can you install the nRF Connect app (from Nordic, in the Play Store)

and do some tests?

Taylor wrote 10/27/2016 at 22:24 point

Still need someone to run tests?


mastercynder wrote 10/28/2016 at 09:19 point

I've had the Pokemon Go Plus, and I've installed the nRF Connect app, but I don't know the Bluetooth protocol well enough to understand it. What test do you want me to do? I can send you the log if you want

richard frowijn wrote 10/28/2016 at 11:44 point

@taylor and mastercynder, when nRF Connect starts, it will show the PG+;

what is the MAC address?

For all the tabs available (services etc.), I don't know how many there are,

tap them all and (easiest way) make screenshots of the services and characteristics (UUID and properties).

Also, when you swipe to the right, the log is shown; change the level from "verbose" to "debug", at the bottom left of the screen, and save the log, or email it directly to me; my email address has been sent through PM.

mastercynder wrote 10/29/2016 at 09:16 point

@richard: I sent you the email today

Rockofclay wrote 10/08/2016 at 09:42 point

The project seems dead. I wouldn't get your hopes up.  I think the path of least resistance is to dump the firmware and use it on the same chipset.


Lucas Romeiro wrote 10/08/2016 at 16:50 point

The problem is to get the firmware.

It must be protected...
Even if we manage to get the firmware, it may be that each device has an internal verification code.
Will he have somebody else working on it???
It should not take long to come out with something!

Rockofclay wrote 10/10/2016 at 06:43 point

The flash chip is wired straight into the Bluetooth SoC, and has traces which can be cut so the memory can be dumped straight off. There are pads, so the soldering isn't overly hard. All it would require is an Arduino programmed with SPIFlash.

I don't have a pogo+ to try this on, so I'm no help, but the silence makes me think that the project has been abandoned.

Sabas wrote 10/11/2016 at 13:58 point

The project is not dead, still looking at a firmware dump

Sabas wrote 10/11/2016 at 13:57 point

Hi

I'm working with the progress from https://github.com/DeqingSun/CC2541WristBandHack

but it doesn't completely work as a Pokemon Go Plus yet

Rockofclay wrote 09/26/2016 at 04:59 point

Any movement on this? Has anybody got a copy of the flash yet?


Amar wrote 09/21/2016 at 18:31 point

Cool project!  There's a large community of pokemon go developers here: https://www.reddit.com/r/pokemongodev They might be able to assist with some of the server-side interactions.


dzikk wrote 09/21/2016 at 11:21 point

Will it really be a Pokemon Go Plus emulator?

keithcroshaw wrote 09/19/2016 at 20:46 point

I see this has been asked already, but does this actually work yet? I have a Micro and would be willing to buy a few more components, but I don't see anywhere where it says "yup, it works pretty much as good as one you buy at the store", or "well, I got it to work once..."

Sabas wrote 09/19/2016 at 21:34 point

Still trying to get it working.


keithcroshaw wrote 09/19/2016 at 21:55 point

Very cool. What about the Bluz platform? (Associated with Particle, like the Photon.) It has BT and an RGB LED built in.

Donne Whitehead wrote 09/18/2016 at 22:03 point

I am such a novice, but I really want to build my own Pokemon Go Plus, not buy one, even if it costs more money to build. When/can someone put up a detailed step-by-step, user-friendly guide from start to finish? It would be awesome!

dzikk wrote 09/17/2016 at 18:01 point

I believe in this project !!! 


ZexMaxwell001 wrote 09/17/2016 at 17:20 point

So is this actually working, or are you still trying to figure it out?

Blackpoint wrote 09/17/2016 at 18:04 point

Still trying to get it working.


Milt wrote 09/16/2016 at 00:51 point

Would this work with an Arduino Lilypad?


Sabas wrote 09/16/2016 at 03:31 point

Sorry but no, the Arduino Lilypad is ATmega328-based and has very little memory for this

tart0p0mme7816 wrote 09/15/2016 at 15:47 point

Do I absolutely need a Bluefruit LE - Bluetooth Low Energy (BLE 4.0) - nRF8001 Breakout - v1.0 with my Arduino Leonardo, or can I use the nRF51822? I don't understand if there is a microcontroller in it or not

Sabas wrote 09/15/2016 at 17:24 point

The nRF51822 has a microcontroller

alberbp21 wrote 09/15/2016 at 13:08 point

can this be done in an Arduino UNO?


Sabas wrote 09/15/2016 at 13:15 point

Sorry but no, the Arduino UNO has very little memory for this

deqing wrote 09/11/2016 at 05:36 point

Just noticed that viewing the log only needs DDMS, without any modification of anything.

deqing wrote 09/11/2016 at 06:09 point

D/SfidaPeripheral(8201): discoverServices success:true error:Unknown

This is the last message I've ever got.
