Rescuing A Pokémon Off A Pokéwalker After Losing The Game Cartridge

The Pokéwalker is a gadget that was sold alongside the Pokémon HeartGold and SoulSilver games for the Nintendo DS which players could use to take a Pokémon out on a walk in the real world. Not only would you earn points while walking, but you’d be able to find items, battle wild enemies, etc. The Pokémon inside the device is however linked to the game cartridge. This fact turned into tragedy when [Etchy] found his old Pokéwalker with a treasured Pokémon still on it, but was forced to erase the device as he had lost the cartridge over the years.

Although he had been told repeatedly by then that it was impossible to transfer such a digital pet to a new save file, this never felt right. Although it made some sense that a specific critter would be linked to a specific save file as a level of security, there’s also the question of whether all data of the Pokémon in question would be erased from said save file.

Cloning a Snickers. (Credit: Etchy, YouTube)

Fortunately, [Dmitry] has reverse-engineered the Pokéwalker already, including the infrared protocol that uses the IR transceiver in the cartridge itself. As it turns out, only some basic information is sent over to the device, while the Pokémon is simply hidden in the save file, including the data that isn’t sent to the device. Case closed, right?

Fortunately for those who have lost Pokémon on these devices, it isn’t quite that simple. After some digging, [Etchy] found out that the device checks only three pieces of information to ensure that it is being accessed from a valid game session: the version (HeartGold or SoulSilver), the region (NA, JP, etc.), and the trainer and secret IDs.

This means that if you try long enough, or use an RNG manipulation hack as demonstrated, you can get a new save file created that has the exact same IDs. As long as you make sure that your local critter’s details in terms of species and form are the same as on the device, there’s nothing really stopping the device from happily handing over the critter’s details.

Of course, the real thing that defines a single Pokémon is its ID (PID) that defines its properties, and this is only saved in the save file. The final answer is thus that there’s no way to rescue a trapped Pokémon, as it only really exists on the cartridge that may or may not still exist in some physical form.


Reverse Engineering A PokeWalker

The PokeWalker is part of Nintendo’s long quest to get children (and likely some adults) walking and exercising. There’s the PokeWalker, Pokemon Pikachu, PokeBall Plus, Pokemon Pikachu 2, Pokemon mini, and of course Pokemon Go. Despite being out a decade, there wasn’t a ROM dump for the device and there was minimal documentation on the communication protocol. [Dmitry Grinberg] took it upon himself to change all that and crack the PokeWalker open.

At its heart, the PokeWalker is just a pedometer with an IR port and a 96×64 grayscale screen. It came out in 2009 to accompany the new Pokemon release for the Nintendo DS. Cracking open the device revealed a 64KB EEPROM, a Renesas H8/38606R CPU, a Bosch BMA150 accelerometer, and a generic IR transceiver. The CPU is particularly interesting as, in addition to being quite rare, it has a mix of 8, 16, and 32 bits with 24-bit pointers. This gives it a 64K address space. While the CPU is programmable, any attempt to do so erases the onboard flash. Each communication protocol packet is preceded by an 8-bit header. The header has a checksum, a command byte, four bytes of session ID, and an unused byte. Curiously enough, every byte is XOR’d with 0xAA before being broadcast.

One command is an EEPROM write, which uses back-referencing compression. Data to be written is packaged into 128-byte chunks, though fewer than 128 bytes will likely be sent thanks to the compression. The command can theoretically reference 4k bytes back, but in practice it can only reference 256 bytes back. It was this command that laid the foundation for the exploit. By carefully crafting the command to send, the decompression buffer can be overflowed into executable code. Only a few bytes can be overflowed, so the payload needs to be carefully crafted. This allowed for an exploit that reads the system ROM and broadcasts it out the IR port. Only 22k bytes can be dumped before the watchdog reboots the device. By changing the starting address, it was easy to do multiple passes.
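The two protocol details above (the 0xAA byte masking and the back-referencing EEPROM write) are the kind of thing a firmware decoder has to handle, and the decompression step is exactly where a missing bounds check turns into the overflow described. The following is an added example, not code from the page or from [Dmitry]’s writeup, that unmasks a frame, splits off the header, and decompresses a chunk while enforcing the limits the text names (128-byte chunk, 256-byte reference window). The header field order, the checksum width, the token format and the sample frame are all assumptions made up for this example; the real PokeWalker format is documented in the writeup, not here.

```python
import struct

XOR_KEY = 0xAA        # every byte on the wire is XOR'd with 0xAA (from the writeup)
HEADER_LEN = 8        # ASSUMPTION: header laid out as <BBHI> below (invented order)
CHUNK_SIZE = 128      # EEPROM writes are packaged in 128-byte chunks
MAX_BACKREF = 256     # a back-reference can realistically reach only 256 bytes back


def unmask(raw: bytes) -> bytes:
    """Undo the per-byte XOR masking. XOR is its own inverse, so this also masks."""
    return bytes(b ^ XOR_KEY for b in raw)


def parse_header(frame: bytes) -> dict:
    """Split an unmasked frame into header fields and payload.
    ASSUMPTION: field order (command, unused, 16-bit checksum, 32-bit session id)
    is invented for this example; the checksum algorithm is not known from the
    page, so it is extracted but not verified here."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than header")
    cmd, unused, checksum, session = struct.unpack_from("<BBHI", frame, 0)
    return {"cmd": cmd, "checksum": checksum, "session": session,
            "payload": frame[HEADER_LEN:]}


def decompress_chunk(payload: bytes, chunk_size: int = CHUNK_SIZE,
                     max_backref: int = MAX_BACKREF) -> bytes:
    """Bounds-checked back-reference decompressor for one EEPROM chunk.
    ASSUMPTION: the token format is invented for this example:
      t < 0x80  -> literal run: the next t+1 bytes are copied verbatim
      t >= 0x80 -> back-reference: copy (t & 0x7F)+1 bytes starting d+1 bytes
                   behind the current output position (d = the byte after t)
    The checks are the point: output never exceeds chunk_size, and a reference
    never points before the start of the chunk or further back than max_backref.
    Dropping the two "overflows chunk" checks is what lets a crafted stream
    write past a fixed-size buffer."""
    out = bytearray()
    i = 0
    while i < len(payload):
        t = payload[i]
        i += 1
        if t < 0x80:
            n = t + 1
            lit = payload[i:i + n]
            if len(lit) != n:
                raise ValueError("truncated literal run")
            if len(out) + n > chunk_size:
                raise ValueError("literal run overflows chunk")
            out += lit
            i += n
        else:
            n = (t & 0x7F) + 1
            if i >= len(payload):
                raise ValueError("truncated back-reference")
            dist = payload[i] + 1
            i += 1
            if dist > len(out) or dist > max_backref:
                raise ValueError("back-reference outside window")
            if len(out) + n > chunk_size:
                raise ValueError("back-reference overflows chunk")
            for _ in range(n):          # byte-wise copy so overlapping refs repeat
                out.append(out[-dist])
    return bytes(out)


def rejects(payload: bytes) -> bool:
    """True if the decompressor refuses the payload (used for negative checks)."""
    try:
        decompress_chunk(payload)
    except ValueError:
        return True
    return False


def process_eeprom_write(raw_frame: bytes) -> bytes:
    """Full receive path: unmask, parse the header, decompress the chunk."""
    hdr = parse_header(unmask(raw_frame))
    return decompress_chunk(hdr["payload"])


# Constructed sample frame (not a captured PokeWalker packet): command 0x01,
# zero checksum, session id 0x12345678, payload = literal "ABCD" then a
# 4-byte back-reference 4 bytes back, which decodes to "ABCDABCD".
SAMPLE_PAYLOAD = bytes([0x03]) + b"ABCD" + bytes([0x83, 0x03])
SAMPLE_FRAME = unmask(struct.pack("<BBHI", 0x01, 0x00, 0x0000, 0x12345678) + SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(process_eeprom_write(SAMPLE_FRAME))
    # a single 128-byte reference after 4 literal bytes would exceed the chunk
    print(rejects(bytes([0x03]) + b"ABCD" + bytes([0xFF, 0x03])))
```

The overlapping-copy case (distance smaller than length) is handled byte by byte on purpose: that is what makes a short reference expand into a long run, and it is also why the length check has to be done against the final output size before copying rather than against the input length.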

After the ROM was stitched together from the different passes, the different IR commands were analyzed. In particular, a command was found that allows direct writes into RAM. This makes for a much easier exploit as you can write your exploit, then override a pointer in the event table, then have the exploit revert the event table once the system naturally jumps to your exploit.

[Dmitry] finishes off this amazing exploit by writing a PalmOS app to dump the ROM from a PokeWalker as well as modify the system state. PalmOS was chosen as it is an easy and cheap way to have a programmable IR transceiver. All in all, a gorgeous hack with a meticulous writeup. This isn’t the first video game accessory that’s been reverse engineered with a scrupulous writeup, and we’re sure it won’t be the last.
