After installing the 0.37 update we can use the Pokemon Go Plus. However, there is a certification protocol that must be passed before homemade hardware can connect to the Pokemon Go App. Here is my experiment in trying to mimic a real Pokemon Go Plus.
1. Make sure the BLE device can bond with the Android device. The device must support pairing.
2. Make sure the UUID_SFIDA_COMMANDS characteristic has the NOTIFY property. The Pokemon Go App will not read anything from the BLE device until a notification arrives.
3. Don't try to reply by hand with a BLE tool such as "LightBlue"; you only have about 10 seconds.
The following is the communication sequence between the App and the device:
1. Device starts advertising
2. App connects to device
3. App pairs with device
4. App enables notifications on SFIDA_COMMANDS
5. Device writes 3,0,0,0 (SFIDA_RESPONSE_CERTIFICATION_NOTIFY) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, which triggers a notification to the App
6. App reads SFIDA_COMMANDS, then SFIDA_TO_CENTRAL
7. App writes 4,0,0,0 to CENTRAL_TO_SFIDA
8. Device writes 4,0,1,0 (SFIDA_RESPONSE_CERTIFICATION_CHALLENGE_1) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, which triggers a notification to the App
9. App reads SFIDA_COMMANDS, then SFIDA_TO_CENTRAL
10. App writes 5,0,0,0 followed by 32 bytes of random data (36 bytes total) to CENTRAL_TO_SFIDA
11. Device writes 5,0,0,0 (SFIDA_RESPONSE_CERTIFICATION_CHALLENGE_2) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, which triggers a notification to the App
12. App reads SFIDA_COMMANDS, then SFIDA_TO_CENTRAL
13. App writes 3,0,0,0,3 to CENTRAL_TO_SFIDA
14. Device writes 4,0,2,0 (SFIDA_RESPONSE_CERTIFICATION_NOTIFY) to SFIDA_TO_CENTRAL and SFIDA_COMMANDS, which triggers a notification to the App
15. App reads SFIDA_COMMANDS
16. App disconnects immediately
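The exchange above as a runnable model, added here as an example and not code from this project: a hypothetical device-side state machine driven by a mock of the App's steps 4 to 16, using the characteristic names from the log (the UUIDs are not given here). Because the page does not say what the real device does with the 32-byte challenge, the bytes are only stored; the roughly 10-second reply window from note 3 is modelled as a deadline.

```python
import os
import time

# Characteristic names as used in the log above (the UUIDs are not on the page).
SFIDA_COMMANDS, SFIDA_TO_CENTRAL, CENTRAL_TO_SFIDA = "SFIDA_COMMANDS", "SFIDA_TO_CENTRAL", "CENTRAL_TO_SFIDA"
# Device responses from steps 5, 8, 11 and 14, and the App writes from steps 7, 10 and 13.
CERT_NOTIFY, CERT_CHALLENGE_1, CERT_CHALLENGE_2, CERT_DONE = (
    bytes([3, 0, 0, 0]), bytes([4, 0, 1, 0]), bytes([5, 0, 0, 0]), bytes([4, 0, 2, 0]))
APP_ACK, APP_CHALLENGE_HDR, APP_FINISH = bytes([4, 0, 0, 0]), bytes([5, 0, 0, 0]), bytes([3, 0, 0, 0, 3])

class DeviceEmulator:
    """Peripheral-side state machine (hypothetical model, not the real firmware).
    The transform the real device applies to the 32-byte challenge is not known
    from the page, so the challenge bytes are only stored."""
    def __init__(self, timeout_s=10.0):
        self.timeout_s, self.state, self.challenge = timeout_s, "idle", None
        self.chars = {SFIDA_COMMANDS: b"", SFIDA_TO_CENTRAL: b"", CENTRAL_TO_SFIDA: b""}
        self.notifications, self.deadline = [], None

    def _respond(self, payload, new_state):
        # Every device response goes to both characteristics and raises a NOTIFY.
        self.chars[SFIDA_TO_CENTRAL] = self.chars[SFIDA_COMMANDS] = payload
        self.notifications.append(payload)
        self.state, self.deadline = new_state, time.monotonic() + self.timeout_s

    def enable_notify(self):          # step 4 immediately triggers step 5
        self._respond(CERT_NOTIFY, "await_ack")

    def read(self, name):
        return self.chars[name]

    def write(self, data):            # the App writes to CENTRAL_TO_SFIDA
        self.chars[CENTRAL_TO_SFIDA] = data
        if self.deadline is not None and time.monotonic() > self.deadline:
            self.state = "timeout"    # the ~10 s window from note 3 above
        elif self.state == "await_ack" and data == APP_ACK:
            self._respond(CERT_CHALLENGE_1, "await_challenge")
        elif self.state == "await_challenge" and data[:4] == APP_CHALLENGE_HDR and len(data) == 36:
            self.challenge = data[4:]
            self._respond(CERT_CHALLENGE_2, "await_finish")
        elif self.state == "await_finish" and data == APP_FINISH:
            self._respond(CERT_DONE, "certified")
        else:
            self.state = "error"      # packet does not match the expected step
        return self.state not in ("timeout", "error")

def run_app_side(dev, rng=os.urandom):
    """Central (App) side, steps 4 to 16. True when the device reaches step 14."""
    dev.enable_notify()
    for packet in (APP_ACK, APP_CHALLENGE_HDR + rng(32), APP_FINISH):
        dev.read(SFIDA_COMMANDS); dev.read(SFIDA_TO_CENTRAL)   # steps 6, 9, 12
        if not dev.write(packet):
            return False
    return dev.read(SFIDA_COMMANDS) == CERT_DONE               # step 15, then disconnect
```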
Discussions
Can you give some examples of 32 bytes?
I *cough* suspect *cough* that this is 16 bytes nonce followed by 16 bytes plain text, or 16 bytes nonce followed by 16 bytes ciphertext.
They look like being used in some block cipher, like AES in counter mode.
Reporting more observations from iOS game client app:
1. Before the app starts communicating with the device, it seems that the app queried the server, using a class called PGPTrustedCertificatesAuthenticator in the URL request session. Maybe it's to request the challenge sequence which appeared in Step 10.
2. The 32-byte sequence in Step 10 differs in every connection request.
Though I haven't found any other evidence to show that AES is used in the certification, it does look like the case to me. I will try to dig into the server communication to verify my assumption.
I read that the device uses AES-128, might the certification process be that?
I can reproduce this on iOS game app. I guess the last response to app's 30003 is not correct anymore. According to the decompiled code of older versions of Android app, the app used to write 30001 in step 13.
Is the certification process needed to bond a device to the app?
Also, I am assuming this would work fine with the iOS version of Pokémon Go, correct?
Yes bonding is needed before any communication.
Great, thanks, I'll try to repeat this on my device