Introduction

After some questions, I wanted to be completely open about how we set up Panthermaps. In this blogpost, I will tell you how we set everything up, where we run this and how we run this. This blogpost is meant as a general overview on how we do everything and a basic overview of how everything works. This is not meant as a guide. I will link some websites where there is actual documentation on how you can set up your own map.

Backstory

Mapping has been around for a very long time. Here is a basic timeline/backstory which tells you how mapping has evolved over the years. Mapping started when the game first released - in 2016. Here is a backstory on how it all went down over the years.

2016 - 2017: In the 2016 era you could use the Pokémon GO API to basically do everything - including mapping. This was a big cat and mouse game, Niantic kept trying things. After some time they “killed” API mapping. Not too long after new solutions were found, you could buy an API key at Bossland, which (again) allows you to do pretty much everything. After some more time Niantic gave API mapping the final blow, because the started to utilize the SafetyNet API - this meant that only real devices were able to run Pokémon GO.

2018-2020: A new type of software was found, it was first called TheRaidMapper (later Map A Droid (MAD for short)). MAD allowed you to spoof the location of real android devices and used an OCR engine to view the raid. This was painfully slow and only allowed for raid scanning. Then the day - 12/16/2018 came. This was the day that MAD introduces their MITM software, which allowed you to scan Pokémon too at a much quicker pace.

2020 - 2023: While MAD was still around, a better solution was found. It was called RealDeviceMap - RDM for short. This software used, the real game’s protos and decodes them. This way you could see everything around you. This does require a MITM (Man In The Middle) program, this was needed to read the protos. This was way quicker and didn’t rely on an OCR engine. RDM was first used with IOS devices, but they were expensive and you had to deal with swollen batteries. Later a new solution for this was found: Android TVs, they were way cheaper (10 - 20$ per board) and they were way smaller. Later custom ROMs for those were built. This is still to this day the most used device around.

2023 - 2025 (and beyond): While RDM and MAD still work, a newer better and fast solution was found. It was called the UnownStack - Unown for short. This still relies on a MITM program, but this allows for much faster scanning. Earlier you could run one worker per device, Unown came with a revolutionary change - you could run multiple workers per device (up to 50!). Some MITM programs brought an even more game-breking change to the mapping game. You can now map without/with way less devices. We do this by “stealing” PlayIntegrity Tokens from the game and using them on emulators, this way we are able to authorize accounts and start mapping. We run those emulators on ARM (Ampère) Servers. Those emulators are Redroid Docker containers.

Hardware Requirements

There are a few things you need to run a map.

1. An Android device to run the MITM software, or more.
2. A (Linux) server to run the scanstack, in this case we use the UnownStack made by team UnownHash - at least 8GB of server RAM is required.

Software Requirements

1. Linux for the standard setup or Docker for the Docker setup - for both ways Linux is preferred.
2. Android on the scandevice.
3. A MariaDB Database on the server, can be in Docker or as a SystemCTL service.
4. A webserver

Knowledge Requirements

For obvious reasons, you can’t just start mapping with zero knowledge on Linux/server related stuff. You need basic knowledge of the Linux commands.

Getting a server

If you want a server there are multiple roads you can go, we chose to rent a server. This is because of the ease and uptime, because we won’t have to deal with power, internet, and more.

You can obviously always get a homeserver, but please make sure everything is secured properly. Set up your firewalls!

Starting with the setup

When we started with the setup, we first setup our database, then we did the standard setup, described on the Unownhash website. Then the annoying part came: getting accounts. I used an account generator in combination with good proxies to create accounts. Those accounts are needed to map (described down below). Then we set up the unownstack, when we were mapping we set up PoracleJS, ReactMap, a TileServer, Grafana, Blissey and more. When that was running we just had to add things to the individual tools and configure them and then we were good to go.

Problems we encountered (and solved)

Accounts: The first and arguably the most annoying problem to solve is getting accounts. Because this is a cat and mouse game we mappers are always struggling to get accounts, authorize and utilize them. The first problem we encountered with accounts was even getting them. There are a few options for creating accounts: Niantic Kids Accounts (NK) and Pokémon Trainer CLub Accounts (PTC). They both have their own advantages and disadvantages, PTC accounts are easer to create on a larger scale but the Pokémon Trainer Club account creation process is guarded by Imperva. Niantic Kids accounts, are harder to create at a larger scale and require superior proxies if you want to create a lot.

Imperva/Incapsula: As you might have heared by now Imperva (used to be called Incapsula) is a bot protection company. Since we don’t do anything other then botting on their website this requires some knowledge on how to bypass it. There are a few ways though. The first way to bypass is a so-called XSS payload. This means you are injecting Javascript code in their site which contains a payload to “kill” Imperva, then you are free to make requests to the PTC account creation endpoint. This however requires a lot of knowledge and is illegal. The second way of bypassing Imperva is by using proxies, high quality proxies. Finding a good provider is hard and requires a lot of time (and money to by proxies to test if they work). However if you manage to find a good provider then you’re fine.

Authorizing PTC Accounts: Another problem we mappers have is to authorize PTC accounts. We don’t log in to the game by just entering a username and a password. We use acces tokens, those acces tokens have to be fetched. We do this with a tool a developer in the mapping community made. We login to the Pokémon account, then ask for an Oauth token. It’s obviously way harder then that, but that is the easiest explenation. Once we have a acces tokens we can use those to log into the game.

Account bans: Since this is a cat and mouse game, Niantic and The Pokémon Company International (TPCI) keeps banning our accounts. This means we have to keep creating and authorizing. Sometimes Imperva hammers down on proxy providers and then we have to find new proxies again.