Pokemon Go Plus reverse engineering write up

A project log for Pokemon Go Plus DIY

Project to create your own pokemon go plus

Sabas, 01/19/2017 at 15:53, 0 Comments

The Reddit user BobThePigeon_ has written an excellent piece of research on how the Pokemon Go Plus (PGO+) works.

In that work we can find the certification process:

Certification process

Current attempts to produce a DIY Pokemon Go Plus have been blocked by a certification process. The device and app will send random data (the "challenge") to each other, and the other side must respond with the correct response in order to certify the app and device as being genuine. Here is what is transacted during the certification (compare with this):

By using a combination of static analysis and debugging, I have determined the algorithm used to generate a certification response from a challenge:

  1. Split the 32 challenge bytes into two 16 byte halves.
  2. Encrypt the first 16 byte half using AES-128, using the key bda885742bc53918793ade3fa7b6cf3b.
  3. Take the encrypted result and XOR it with the second 16 byte half. This gives the response.

Here are some test vectors, obtained from a real device: challenge = 7526c9257080ec4b6366635b0ee5416324673e610d38d7f2440662b272db041f leads to response = 2445be74030f584a7a01fa26490a902e, challenge = 5035fb9119b5bb9de2f4f76803fef5152543b95e02c8791c69fb393215418aa5 leads to response = 78393cb801cd71e17ea977bb1c31acd3.

Thanks BobThePigeon_
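As an added example, not part of the original post or of BobThePigeon_'s work, this Go program implements the three steps above with the standard library's AES and checks the quoted test vectors; the function names and the hex-string interface are my own, and the comparison is constant-time so the verifying side leaks nothing about the expected response through timing.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

var certKey, _ = hex.DecodeString("bda885742bc53918793ade3fa7b6cf3b") // key quoted above

// certResponse follows the three steps above: split the 32-byte challenge, AES-128-encrypt
// the first half under certKey (one raw block, no mode or IV), XOR the result with the second.
func certResponse(challenge []byte) ([]byte, error) {
	if len(challenge) != 32 {
		return nil, errors.New("challenge must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(certKey)
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp, challenge[:16])
	for i := range resp {
		resp[i] ^= challenge[16+i]
	}
	return resp, nil
}

// verifyHex is the check a peer performs on a received answer: recompute the expected
// response and compare in constant time. Hex-string interface and names are this example's.
func verifyHex(challengeHex, responseHex string) (bool, error) {
	challenge, err1 := hex.DecodeString(challengeHex)
	want, err2 := hex.DecodeString(responseHex)
	if err1 != nil || err2 != nil {
		return false, errors.New("challenge and response must be hex")
	}
	got, err := certResponse(challenge)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	// First test vector quoted above (captured from a real device).
	ok, err := verifyHex("7526c9257080ec4b6366635b0ee5416324673e610d38d7f2440662b272db041f", "2445be74030f584a7a01fa26490a902e")
	fmt.Println("vector 1 verifies:", ok, err)
}
```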