Project to create your own pokemon go plus
Already have an account? Log in.
To make the experience fit your profile, pick a username and tell us what interests you.
This project is intended to collectively create a DIY version of the famous device Nintendo Pokemon Go Plus, which can be created with different platforms
Platforms supported:
- ESP32
Possible
- Arduino + BLE
- nRF51822
- Raspberry Pi
Welcome your help and comments
Today
the pokemon go plus that I requested has arrived
I have proven that it is working correctly and now I have opened it
Tomorrow I will solder the necessary cables
see you tomorrow
Hello everyone
I am pleased to announce that we have completed the donation campaign, I have already requested a Pokemon Go Plus, as soon as I receive it I will update these logs and upload all the information
thanks to the sponsors of the campaign, they will be the first to have access to the repository with the code, after that it will be public
Thanks!
Hi
For two years I started the project "Pokemon Go Plus DIY" in hackaday.io, today thanks to Yohanes Nugroho at TinyHack it has been possible to discover a way to create a DIY version.
Because the encryption keys for each device are unique as Yohanes Nugroho explains in his post, Today I open a campaign to raise money and buy a Pokemon Go Plus device to extract the keys from that device and publish it in an open firmware for the ESP32 microcontroller.
I only need $80 dollars to buy the device, I have the tools and knowledge to extract the firmware.
If you want to support me, I promise to deliver:
- Code for ESP32 with keys working.
- Firmware extracted for further studies by third parties
WARNING:
- All devices that have this firmware will have the same MAC and keys, there is a risk that Nintendo will block the accounts that use this device.
I will start the process as soon as I get the money to buy the device and I will publish all the updates in https://hackaday.io/project/12680-pokemon-go-plus-diy
If you want to donate from 3 dollars you can do it in the following link
Yohanes Nugroho at TinyHack writes about reverse engineering Pokemon GO Plus:
Pokemon GO Plus, (which I will refer from now on as PGP) is a wearable Bluetooth Low Energy (BLE) device to be used with the Pokemon GO game for Android or iOS. There have been many attempts to clone this device, but only Datel seems to figure out the algorithm, while the other clones are cloning the exact hardware and firmware.
I will explain the complete certification algorithm that I obtain from reverse engineering a PGP clone, and then I will explain how I did the reverse engineering and how you can extract your own blob and key if you want to clone your own device. I am providing a reference implementation for ESP32 so you can test this yourself.
The article talks about the history of cloning and goes into great detail on the process. It does not discuss generating keys or the Bluetooth blob (as that would be proprietary to the company and could have Niantic ban someone’s account).
https://tinyhack.com/2018/11/21/reverse-engineering-pokemon-go-plus/
The user in reddit BobThePigeon_ to writing an excellent research on the work of the PGO +
https://www.reddit.com/r/pokemongodev/comments/5ovj04/pokemon_go_plus_reverse_engineering_write_up
Within your work we can find the certification process
Certification processCurrent attempts to produce a DIY Pokemon Go Plus have been blocked by a certification process. The device and app will send random data (the "challenge") to each other, and the other side must respond with the correct response in order to certify the app and device as being genuine. Here is what is transacted during the certification (compare with this):
- Device sends 36 bytes: 03000000 + 32 random bytes to SFIDA_TO_CENTRAL, this is a certification challenge; the device is checking that the app is genuine.
- Device sends 4 bytes: 03000000 to SFIDA_COMMANDS, this will notify app
- App sends a response which is 20 bytes: 04000000 + 16 response bytes to CENTRAL_TO_SFIDA.
- Device sends 4 bytes: 04000100 to SFIDA_COMMANDS to notify app that it has received the response.
- App sends 36 bytes: 05000000 + 32 random bytes to CENTRAL_TO_SFIDA, this is a certification challenge; the app is checking that the device is genuine.
- Device sends a response which is 20 bytes: 05000000 + 16 response bytes to SFIDA_TO_CENTRAL.
- Device sends 4 bytes: 05000000 to SFIDA_COMMANDS to notify app that it has responded to the certification challenge.
- App sends 5 bytes: 0300000001 to CENTRAL_TO_SFIDA
- Device sends 4 bytes: 04000200 to SFIDA_COMMANDS
By using a combination of static analysis and debugging, I have determined the algorithm used to generate a certification response from a challenge:
- Split the 32 challenge bytes into two 16 byte halves.
- Encrypt the first 16 byte half using AES-128, using the key bda885742bc53918793ade3fa7b6cf3b.
- Take the encrypted result and XOR it with the second 16 byte half. This gives the response.
Here are some test vectors, obtained from a real device: challenge = 7526c9257080ec4b6366635b0ee5416324673e610d38d7f2440662b272db041f leads to response = 2445be74030f584a7a01fa26490a902e, challenge = 5035fb9119b5bb9de2f4f76803fef5152543b95e02c8791c69fb393215418aa5 leads to response = 78393cb801cd71e17ea977bb1c31acd3.
Thanks BobThePigeon_
There are 3 non standard screws in the case. If you don't have tools like me. You can scratch of coating, add some flux and add a drop of very hot solder quickly so you don't melt plastic underneath. Then you can solder a pin header to unscrew it easily. You can clean solder and cut a slot for further assemble and disassemble.
There isn't a lot parts in side. I haven't investigated much but I think there is a PMIC, a SPI flash and DA14580.
The good thing is all SPI flash pins are exposed. You can even cut the trace to isolate it. This makes it easy to dump the firmware from this flash chip.
I suppose the encryption can be hacked by static analysis or move the firmware to a dev board for debugging.
After installing 0.37 update we can use Pokemon Go plus. However there is a certification protocol before we can connect homemade hardware to Pokemon Go App. Here is my experiment on trying to mimic a real Pokemon Go plus.
1. Make sure the BLE device can bond with Android device. The device must support paring.
2. Make sure the UUID_SFIDA_COMMANDS characteristic has NOTIFY property. The Pokemon Go App will not read anything from BLE device until there is a notification
3. Don't try to reply with by hand with a BLE tool such as "LightBlue", you only have about 10 seconds.
The following info is the communication between App and device
1. Device starts advertisting
2. App connects to device
3. App pairs with device
4. App setups notification on SFIDA_COMMANDS
5. Device writes 3,0,0,0 (SFIDA_RESPONSE_CERTIFICATION_NOTIFY) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, this will create a notification to App
6. App reads SFIDA_COMMANDS then SFIDA_TO_CENTRAL
7. App writes 4,0,0,0 to CENTRAL_TO_SFIDA
8. Device writes 4,0,1,0 (SFIDA_RESPONSE_CERTIFICATION_CHALLENGE_1) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, this will create a notification to App
9. App reads SFIDA_COMMANDS then SFIDA_TO_CENTRAL
10. App writes 5,0,0,0 + 32byte (36 bytes total) random data to CENTRAL_TO_SFIDA
11. Device writes 5,0,0,0 (SFIDA_RESPONSE_CERTIFICATION_CHALLENGE_2) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, this will create a notification to App
12. App reads SFIDA_COMMANDS then SFIDA_TO_CENTRAL
13. App writes 3,0,0,0,3 to CENTRAL_TO_SFIDA
14. Device writes 4,0,2,0 (SFIDA_RESPONSE_CERTIFICATION_NOTIFY)) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, this will create a notification to App
15. App reads SFIDA_COMMANDS
16 App disconnects immediately
Yesterday published the latest version 0.37, which already include support PGO+, and good news the DIY version is detected by the application :D
I managed run in module BLE nRF51822, thanks to the project nRF5 Arduino Core
https://github.com/sandeepmistry/arduino-nRF5
and the branch nRF5 of the library arduino BLEPeripheral
https://github.com/sandeepmistry/arduino-BLEPeripheral/tree/nRF5
You can get a module nRF51822 in Alixpress for less than $7 dollars
We continue to expect the activation of Bluetooth in the application for testing
Thanks!
@deqing tells us that he is working on a version for CC2541 and founded a interesting device to hack: HAVIR HV-101 & HV-102. It may be the only low cost BLE product with a reprogrammable controller.
It has a button, 2 LEDs, a buzzer and debug pads. That basically everything we need. I've put it's photo on https://github.com/DeqingSun/CC2541WristBandHack
Thanks @deqing
Clone repository to your computer
Open sketch with Arduino IDE, compile and upload ESP32
Found a interesting device to hack: HAVIR HV-101 & HV-102. It may be the only low cost BLE product with a reprogrammable controller.
I ordered one and got it recently. It has a button, 2 LEDs, a buzzer and debug pads. That basically everything we need. I've put it's photo on https://github.com/DeqingSun/CC2541WristBandHack
Excelent, if you 'll allow me to add the repo interest links, material and log, thanks
Seems in 0.31 version there are service that handles BLE in "com.nianticlabs.pokemongoplus.service" with name "BackgroundService" and "ClientService". However my debugger didn't print any info from these 2 classes. And "ClientBridge" seems to be called in libpgpplugin.so.
Also in "methods_pointedto_by_uievents.xml" there is UI elements related to pokemon go plus. If there is a way to trigger it we may test actual hardware.
since the app is the one giving data, wouldn't it be considered the peripheral? Also, if you go back into shiitakeo's videos, he also wrote an app that did the same work as the clone. Maybe there's something there.
Yes, he wrote an app that maybe use functions unimplemented BLE of the app official as a app slave, but not much information.
I have the code running on a RedBear BLE Nano http://redbearlab.com/blenano. I can connect (and bond) to my phone. I can read the battery characteristic in LightBlue Explorer.
Is there more on the services and characteristics? I'd like to try and implement read/write/notify for some of other characteristics.
All information protocol services and characteristics in https://github.com/sabas1080/PokemonGODIY/wiki
According to some decompiled Android 0.29.3 code LED_VIBRATE_CONTROL looks like a big characteristic.
notifyPokemonCaught sends 67 bytes, other messages are smaller, some are larger
https://github.com/FabianTerhorst/PokemonGo/blob/5ff58c444845ad4147b801dc4c49640cebe4874f/java/com/nianticproject/holoholo/sfida/unity/SfidaUnityPlugin.java#L334
https://github.com/FabianTerhorst/PokemonGo/blob/5ff5d14774768019a3d1aeec58320c44aad9b28e/java/com/nianticproject/holoholo/sfida/SfidaMessage.java#L109-L111
How do you think this relates to the protocol? https://github.com/sabas1080/PokemonGODIY/wiki/protocol#led_vibrate_ctrl
wait has anyone seen this video? Dude has it working. I have tried messaging him for the arduino sketch but no response.
Thanks for share, the sketch arduino still not finished , because the official app go pokemon has not yet activated the bluetooth.
The extra app that uses shiitakeo be interesting to see how it works , seems to be an app that implements the hidden functions of bluetooth
If you read his hole post he says he's using Poke.io. To me that means he's not emulating go plus or it's protocol. He's basically running the poke.io bot. Sure he added pebble sport to the bot. And modified to to use real GPS data, but it's still a bot. and it's not using GO PLUS at all.
In the later videos i'm guessing he's using little bluebean bluetooth API instead of pebble watch API.
It's a cool work round, but it's not really a go plus.
ok I made an account just to jump in on this I want to test all this out on something other than arduino. I imagine the easiest way to see if this is possible is to program a small application on OSX first. Make the app work as the peripheral. Connecting to the app seems to be the hardest part. Communicating afterwards seems easy. I'm researching Core Bluetooth now. Any progress on this?
You can use Noble for javascript https://github.com/sandeepmistry/noble
nice. Have you tried putting this together by chance? A small app that notifies when Pokemon spawn would be simple. I might have to try and whip this up.Add a catch button. Done and done. Forget the hardware accessory version. Holllaaa.
Did you get anything to work with the JS suggested by Sabas? Any code to share?
LOL guys, look where this can be ported: https://hackaday.io/project/2386-bluebasic-basic-for-bluetooth. It's basic on CC2540. 100% cheaper (~2.5$ on ebay) and you only need a single chip and a battery. Nothing else. Also a CC debugger emulator from ebay (~10$). Can't get cheaper...
I have read that you can use arduino as a CC debugger, just like you can use it as an ISP programmer.
Oh, good to know!
BTW Fount it: https://github.com/wavesoft/CCLib
btw hm-10 is based on that chip too if I can remember correctly. And there is a good documentation about it on TIs site: http://www.ti.com/product/cc2540
I'm looking at the project "Blue Basic" and it seems that was abandoned by the nrf51822 that it has a similar price and can be used also with Arduino
I think I have one of those nrf51822 chips. It uses swd to flash the chip which I'm not familiar with. I guess you need to buy a programmer for that.
blueperipherals support nrf51822 too (so you won't have to port anything). About running the code on the chip alone, I don't know how this can be done.
Truth is, Blue Basic seems abandoned but we can program it via IAR (a little pricey but we can make it in 30 days :P )
The project arduino-nRF5 compile firmware for nRF5 fron Arduino IDE https://github.com/sandeepmistry/arduino-nRF5
Pff, you're gooood :D
Yea, that minimizes everything (cost, energy, code, space...)
Can this work with other BLE modules too? (for example the much cheaper hm-10)
I was wondering the same. If there would be some detailed information explaining what the BLE peripheral library does and what kind of packets are being sent it could be doable. Also it could be coded and flashed directly to the hm-10 module if somebody is familiar with that.
Flashing the HM-10 is not that fun but yes, it can be done (if not with the HM-10 specifically maybe with another low cost BLE SoC). However you do not save that much space (arduino code can be squizzed on a 8 pin SoIC ATTiny85).
As about the code, I took a (very) quick view and understood that it creates a "custom profile". It's not HID, it's not A2DP, it's pokemon go. I think HM-10 does not support or it REQUIRES you to reflash it to support custom profiles.
Currently searching for other BLE module solutions...
What about doing this project on the Adafruit Feather 32u4 Bluefruit LE? Almost everything needed in one package, and battery charging built in.
Oh yes of course, but for the moment I do not have one, you have your one to try ?
I might get one with a featherWing LED backpack next paycheck..... but that's next month... sorry :( Just making a suggestion for an easier, and more portable setup. And a tiny bit cheaper I think. Would the 8Mhz clock make it harder to run the code or do you think it's still possible? I'm sorta new to open source microcontrollers, been making other electronics for a while though.
I've tried running the code on my Feather 32u4 Bluefruit LE, but unfortunately, it doesn't seem to work.
It shows up in the bluetooth screen as "Adafruit Bluefruit LE <DEVICE ID?>" and pairs fine.
But when I open the Pokemon Go app, there is no PGO+ found.
EDIT: rename the bluetooth device to "Pokemon GO Plus" with At Command: `AT+GAPDEVNAME=Pokemon GO Plus`
But now it makes the app crash, so I'll try to fix that aswell
I had a spare Feather hanging around and unfortunately the API on top of the bluetooth stack doesn't support some of the key commands to allow it to be compatible with the BLEperipheral library.
I think we could maybe use the adafruit library but from what I've read https://github.com/sandeepmistry/arduino-BLEPeripheral/issues/34 it might not support everything we need to emulate the Pokemon Go Plus.
To nRF51822 I'm trying to compile directly into the ARM https://github.com/sandeepmistry/arduino-nRF5 , with version Arduino Ble Peripheral branch nRF5, but I still have not the device to test
Hi to everyone from Spain.
I looked a bit above the link has JuanSaito. I have seen that the application has some kind of certificate to validate the BLE device.
SfidaService has a Certificator object that I supose that this class is used for validate hardware device. I think this process is simple to make, but I have to check it.
[this comment has been deleted]
I'm just gonna leave this right here: https://fccid.io/BKEP
Found this project with Keyword "Sfida" while decompiling the APK.
Interested in moving the code to general CC2540 parts.
Excelent, I 'm testing with intel edison, let us know your progress if you get something, welcome your help
Sabas
Sumit
Brad Spry
Bill Zimmer
Tim Wilkinson
hmm, i've been looking into the communication protocols:
"CERTIFICATE_SERVICE:
SFIDA_COMMANDS
bbe87709-5b89-4433-ab7f-8b8eef0d8e39
CENTRAL_TO_SFIDA
bbe87709-5b89-4433-ab7f-8b8eef0d8e38
SFIDA_TO_CENTRAL
bbe87709-5b89-4433-ab7f-8b8eef0d8e3a"
Perhaps the devices all have a unique (authorized) ID to be paired with a device/account?
If so it might be alot harder to get a 'custom' bracelet working with the pokemon go app, as in pairing problems etc. ?