01/19/2017 at 15:53 •
The user in reddit BobThePigeon_ to writing an excellent research on the work of the PGO +
Within your work we can find the certification process
Current attempts to produce a DIY Pokemon Go Plus have been blocked by a certification process. The device and app will send random data (the "challenge") to each other, and the other side must respond with the correct response in order to certify the app and device as being genuine. Here is what is transacted during the certification (compare with this):
- Device sends 36 bytes: 03000000 + 32 random bytes to SFIDA_TO_CENTRAL, this is a certification challenge; the device is checking that the app is genuine.
- Device sends 4 bytes: 03000000 to SFIDA_COMMANDS, this will notify app
- App sends a response which is 20 bytes: 04000000 + 16 response bytes to CENTRAL_TO_SFIDA.
- Device sends 4 bytes: 04000100 to SFIDA_COMMANDS to notify app that it has received the response.
- App sends 36 bytes: 05000000 + 32 random bytes to CENTRAL_TO_SFIDA, this is a certification challenge; the app is checking that the device is genuine.
- Device sends a response which is 20 bytes: 05000000 + 16 response bytes to SFIDA_TO_CENTRAL.
- Device sends 4 bytes: 05000000 to SFIDA_COMMANDS to notify app that it has responded to the certification challenge.
- App sends 5 bytes: 0300000001 to CENTRAL_TO_SFIDA
- Device sends 4 bytes: 04000200 to SFIDA_COMMANDS
By using a combination of static analysis and debugging, I have determined the algorithm used to generate a certification response from a challenge:
- Split the 32 challenge bytes into two 16 byte halves.
- Encrypt the first 16 byte half using AES-128, using the key bda885742bc53918793ade3fa7b6cf3b.
- Take the encrypted result and XOR it with the second 16 byte half. This gives the response.
Here are some test vectors, obtained from a real device: challenge = 7526c9257080ec4b6366635b0ee5416324673e610d38d7f2440662b272db041f leads to response = 2445be74030f584a7a01fa26490a902e, challenge = 5035fb9119b5bb9de2f4f76803fef5152543b95e02c8791c69fb393215418aa5 leads to response = 78393cb801cd71e17ea977bb1c31acd3.
09/16/2016 at 18:37 •
There are 3 non standard screws in the case. If you don't have tools like me. You can scratch of coating, add some flux and add a drop of very hot solder quickly so you don't melt plastic underneath. Then you can solder a pin header to unscrew it easily. You can clean solder and cut a slot for further assemble and disassemble.
There isn't a lot parts in side. I haven't investigated much but I think there is a PMIC, a SPI flash and DA14580.
The good thing is all SPI flash pins are exposed. You can even cut the trace to isolate it. This makes it easy to dump the firmware from this flash chip.
I suppose the encryption can be hacked by static analysis or move the firmware to a dev board for debugging.
09/14/2016 at 08:13 •
After installing 0.37 update we can use Pokemon Go plus. However there is a certification protocol before we can connect homemade hardware to Pokemon Go App. Here is my experiment on trying to mimic a real Pokemon Go plus.
1. Make sure the BLE device can bond with Android device. The device must support paring.
2. Make sure the UUID_SFIDA_COMMANDS characteristic has NOTIFY property. The Pokemon Go App will not read anything from BLE device until there is a notification
3. Don't try to reply with by hand with a BLE tool such as "LightBlue", you only have about 10 seconds.
The following info is the communication between App and device
1. Device starts advertisting
2. App connects to device
3. App pairs with device
4. App setups notification on SFIDA_COMMANDS
5. Device writes 3,0,0,0 (SFIDA_RESPONSE_CERTIFICATION_NOTIFY) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, this will create a notification to App
6. App reads SFIDA_COMMANDS then SFIDA_TO_CENTRAL
7. App writes 4,0,0,0 to CENTRAL_TO_SFIDA
8. Device writes 4,0,1,0 (SFIDA_RESPONSE_CERTIFICATION_CHALLENGE_1) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, this will create a notification to App
9. App reads SFIDA_COMMANDS then SFIDA_TO_CENTRAL
10. App writes 5,0,0,0 + 32byte (36 bytes total) random data to CENTRAL_TO_SFIDA
11. Device writes 5,0,0,0 (SFIDA_RESPONSE_CERTIFICATION_CHALLENGE_2) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, this will create a notification to App
12. App reads SFIDA_COMMANDS then SFIDA_TO_CENTRAL
13. App writes 3,0,0,0,3 to CENTRAL_TO_SFIDA
14. Device writes 4,0,2,0 (SFIDA_RESPONSE_CERTIFICATION_NOTIFY)) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, this will create a notification to App
15. App reads SFIDA_COMMANDS
16 App disconnects immediately
09/11/2016 at 16:16 •
Yesterday published the latest version 0.37, which already include support PGO+, and good news the DIY version is detected by the application :D
08/22/2016 at 13:10 •
I managed run in module BLE nRF51822, thanks to the project nRF5 Arduino Core
and the branch nRF5 of the library arduino BLEPeripheral
You can get a module nRF51822 in Alixpress for less than $7 dollars
We continue to expect the activation of Bluetooth in the application for testing
08/04/2016 at 12:47 •
@deqing tells us that he is working on a version for CC2541 and founded a interesting device to hack: HAVIR HV-101 & HV-102. It may be the only low cost BLE product with a reprogrammable controller.
It has a button, 2 LEDs, a buzzer and debug pads. That basically everything we need. I've put it's photo on https://github.com/DeqingSun/CC2541WristBandHack
07/30/2016 at 15:23 •
The user the youtube shiitakeo a made some interesting videos , but even without free code
koshi.akutsu to translated:
I have read his blog entry. http://qiita.com/shiitakeo/items/059c11fe7d1e211ebb18
He explain how it works. He also knows "in the current official Pokemon Go app still is not set to work with the bluetooth device",
therefore, create custom android app to link and speak to the Niantic API library.
First of all, He created Android app, but also mentioned he will create iOS app in the future . What custom app does,
connect to the device through BLE. and then send / recieve notification(found pokemon, get pokemon, current ongitude latitude, etc ) from the Pokemon Go Server back and forth.
The main function of the app is following two, it's like intermediary device and the server.
07/28/2016 at 04:04 •
Heard that the wristband's release got delayed to September:
07/25/2016 at 03:34 •
Update sketch with test of battery level and added instructions in hackaday.io
I welcome your comments, thanks
07/19/2016 at 15:25 •
I have initiated a proof of concept with Arduino Micro and BLE of Adafruit, you can find it in the repository of the project
I have used the library BLE Peripheral of Sandeep Mistry
https://github.com/sandeepmistry/arduino-BLEPeripheral (available in Manage Library of Arduino)
Also I have used the Arduino Micro because Arduino UNO have low memory for this project, for the moment I 've only added services and characteristic of Pokemon Go Plus.
Welcome you help and comments