Start conversation between App and BLE device

A project log for Pokemon Go Plus DIY

Project to create your own pokemon go plus

deqing, 09/14/2016 at 08:13, 7 Comments

After installing the 0.37 update we can use the Pokemon Go Plus. However, there is a certification protocol that must be completed before homemade hardware can connect to the Pokemon Go app. Here is my experiment in trying to mimic a real Pokemon Go Plus.


1. Make sure the BLE device can bond with the Android device; the device must support pairing.

2. Make sure the UUID_SFIDA_COMMANDS characteristic has the NOTIFY property. The Pokemon Go app will not read anything from the BLE device until a notification arrives.

3. Don't try to reply by hand with a BLE tool such as "LightBlue"; you only have about 10 seconds.

The following is the communication between the app and the device:

1. Device starts advertising

2. App connects to device

3. App pairs with device

4. App sets up notifications on SFIDA_COMMANDS

5. Device writes 3,0,0,0 (SFIDA_RESPONSE_CERTIFICATION_NOTIFY) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, which raises a notification to the app

6. App reads SFIDA_COMMANDS then SFIDA_TO_CENTRAL

7. App writes 4,0,0,0 to CENTRAL_TO_SFIDA

8. Device writes 4,0,1,0 (SFIDA_RESPONSE_CERTIFICATION_CHALLENGE_1) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, which raises a notification to the app

9. App reads SFIDA_COMMANDS then SFIDA_TO_CENTRAL

10. App writes 5,0,0,0 followed by 32 bytes of random data (36 bytes total) to CENTRAL_TO_SFIDA

11. Device writes 5,0,0,0 (SFIDA_RESPONSE_CERTIFICATION_CHALLENGE_2) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, which raises a notification to the app

12. App reads SFIDA_COMMANDS then SFIDA_TO_CENTRAL

13. App writes 3,0,0,0,3 to CENTRAL_TO_SFIDA

14. Device writes 4,0,2,0 (SFIDA_RESPONSE_CERTIFICATION_NOTIFY) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, which raises a notification to the app

15. App reads SFIDA_COMMANDS

16. App disconnects immediately
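The exchange above, modelled as a small state machine in Python. This is an added example, not code from the project: the characteristic names stand in for the UUIDs (the page gives none), the device side answers each app write with exactly the response the log records, and the 32-byte step-10 payload is constructed locally.

```python
import os

# Characteristic names from the log; the page gives no UUIDs, so the names are used as keys (assumption).
SFIDA_COMMANDS, SFIDA_TO_CENTRAL, CENTRAL_TO_SFIDA = "SFIDA_COMMANDS", "SFIDA_TO_CENTRAL", "CENTRAL_TO_SFIDA"
CERT_NOTIFY = bytes([3, 0, 0, 0])        # step 5
CERT_CHALLENGE_1 = bytes([4, 0, 1, 0])   # step 8
CERT_CHALLENGE_2 = bytes([5, 0, 0, 0])   # step 11
CERT_FINAL = bytes([4, 0, 2, 0])         # step 14

class SfidaPeripheral:
    """Device side: answers each app write with the response observed in the log."""
    def __init__(self):
        self.chars = {SFIDA_COMMANDS: b"", SFIDA_TO_CENTRAL: b"", CENTRAL_TO_SFIDA: b""}
        self.notifications = []  # values pushed to the app via NOTIFY on SFIDA_COMMANDS
        self.challenge = None    # the 32 random bytes the app sends in step 10
        self.state = "idle"

    def _notify(self, value, new_state):
        # Steps 5/8/11/14: the device writes both characteristics; SFIDA_COMMANDS is the one with NOTIFY.
        self.chars[SFIDA_TO_CENTRAL] = value
        self.chars[SFIDA_COMMANDS] = value
        self.notifications.append(value)
        self.state = new_state

    def on_subscribe(self):  # step 4 (app enables notifications) triggers step 5
        self._notify(CERT_NOTIFY, "notified")

    def on_write(self, value):  # steps 7, 10 and 13, written by the app to CENTRAL_TO_SFIDA
        self.chars[CENTRAL_TO_SFIDA] = value
        if self.state == "notified" and value == bytes([4, 0, 0, 0]):
            self._notify(CERT_CHALLENGE_1, "challenge1")
        elif self.state == "challenge1" and len(value) == 36 and value[:4] == bytes([5, 0, 0, 0]):
            self.challenge = value[4:]  # 4-byte header followed by 32 random bytes
            self._notify(CERT_CHALLENGE_2, "challenge2")
        elif self.state == "challenge2" and value == bytes([3, 0, 0, 0, 3]):
            self._notify(CERT_FINAL, "done")
        else:  # off-script writes fail fast; the app gives the device only about 10 seconds
            raise ValueError(f"unexpected write {value.hex()} in state {self.state}")

def run_exchange(random_bytes=None):
    """App side: replays steps 4-15 against the model and returns (transcript, device)."""
    random_bytes = random_bytes if random_bytes is not None else os.urandom(32)  # constructed step-10 payload
    dev, transcript = SfidaPeripheral(), []
    dev.on_subscribe()
    for app_write in (bytes([4, 0, 0, 0]), bytes([5, 0, 0, 0]) + random_bytes, bytes([3, 0, 0, 0, 3])):
        transcript.append((dev.chars[SFIDA_COMMANDS], dev.chars[SFIDA_TO_CENTRAL]))  # app reads both
        dev.on_write(app_write)
    transcript.append((dev.chars[SFIDA_COMMANDS], None))  # step 15: app reads SFIDA_COMMANDS only, then disconnects
    return transcript, dev
```

The transcript shows what the app observes after each notification; the model reproduces the recorded sequence but, like the real experiment, does not show why the app still disconnects at step 16.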

Discussions

esurovin wrote 09/25/2016 at 13:05 point

Can you give some examples of 32 bytes?

I *cough* suspect *cough* that this is a 16-byte nonce followed by 16 bytes of plain text, or a 16-byte nonce followed by 16 bytes of ciphertext.

They look like they are being used in some block cipher, like AES in counter mode.

YH wrote 09/19/2016 at 06:09 point

Reporting more observations from iOS game client app:

1. Before the app starts communicating with the device, it seems that the app inquired the server, using a class called PGPTrustedCertificatesAuthenticator in the URL request session. Maybe it's to inquire about the challenge sequence which appeared in Step 10.

2. The 32-byte sequence in Step 10 differs in every connection request.

Though I haven't found any other evidence to show that AES is used in certification, it does look like the case to me. I will try to dig into the server communication to verify my assumption.

Blackpoint wrote 09/17/2016 at 16:55 point

I read that the device uses AES-128, might the certification process be that?

YH wrote 09/16/2016 at 05:04 point

I can reproduce this on iOS game app. I guess the last response to app's 30003 is not correct anymore. According to the decompiled code of older versions of Android app, the app used to write 30001 in step 13.

SCDoc wrote 09/15/2016 at 21:15 point

Is the certification process needed to bond a device to the app?

Also, I am assuming this would work fine with the iOS version of Pokémon Go, correct?

deqing wrote 09/16/2016 at 18:39 point

Yes, bonding is needed before any communication.

Sabas wrote 09/15/2016 at 13:24 point

Great, thanks, I'll try to repeat this on my device.