Edit: I expect to get more senseis within the next few days.
Imaginators signature
Blocks 2, 4, 22 and 3E are an Ed25519 signature (just like in the Kevin Valk thesis). The message that gets signed is the first two blocks (0 and 1). The number 51 also seems to correspond to a yearcode (5) and keyindex (1). I also found that only one key is currently in use. The public key to verify the signature is: 8E567B03734294EE2E491C3A2DEDA46B9E1858C08924699860D229E01287253B
Edit: The tokens I own are from Imaginators. I don't know what wave they belong to but I guess it's the last one.
I have added your suggestions to the script.
https://github.com/RfidResearchGroup/pr … 3clone.lua
Thanks!
1- "local AccAndKeyB = '7F0F0869000000000000'" instead of "local AccAndKeyB = '7F078869000000000000'"
2- "local cmd = (csetuid..'%s 0F01 81 w'):format(result.uid)" instead of "local cmd = (csetuid..'%s 0004 08 w'):format(result.uid)"
After I use the script I have to set block 3 4b0b20107ccb0f0f0f69000000000000 if I want the game to recognize the clone so I would like the script to set block 3 4b0b20107ccb0f0f0f69000000000000 instead of 4b0b20107ccb7F0F0869000000000000 but I don't know how to change the script. It's just that block everything else is fine. I can do it manually (hf mf csetblk 3 4b0b20107ccb7f078869000000000000) but I would like the script to do it automatically.
I am glad you enjoy my videos.
1- "script run tnp3dump -p".
2- "hf mf eload filename" (used file name of .eml archive from step 1).
3- "hf mf cload e"
4- Used the clone in game and restored it (in some days I'll check what changed as I don't understand what the problem was).
Do they work just on my console/savegame or may I use it on other consoles?
Edit: I tried a new savegame (on the same console) and another console and the clones work fine.
Edit: I tried with Super Shot Stealth Elf
pm3 --> script run tnp3dump -p
[+] Executing: tnp3dump.lua, args '-p'
----------------------------------------
----------------------------------------
#db# Debug level: 0
Found tag NXP MIFARE TNP3xxx Activision Game Appliance
Reading blocks > 8,9,10,12,13,14,16,17,18,20,21,36,37,38,40,41,42,44,45,46,48,49,
----------------------------------------
Wrote a BIN dump to: toydump_2018-12-30_210146-1FCA9E6F.bin
Wrote a EML dump to: toydump_2018-12-30_210146-1FCA9E6F.eml
----------------------------------------
ITEM TYPE : nil - SUPER~SHOT~STEALTH~ELF (LIFE)
UID : 0x1FCA9E6F
CARDID : 0x0000000000000000
----------------------------------------
[+] Finished
I opened the dump and it seems it has all A type keys. After that I tried
pm3 --> script run tnp3dump -k 4b0b20107ccb -n
[+] Executing: tnp3dump.lua, args '-k 4b0b20107ccb -n'
----------------------------------------
----------------------------------------
#db# Debug level: 0
Found tag NXP MIFARE TNP3xxx Activision Game Appliance
[+] Testing known keys. Sector count=16
..
[-] Chunk: 5.7s | found 17/32 keys (21)
[+] Time to check 20 known keys: 6 seconds
[+] enter nested attack
[-] Tag isn't vulnerable to Nested Attack (PRNG is not predictable).
Loading dumpkeys.bin
ERROR: nil
[+] Finished
in order to obtain B type keys but I couldn't. I would try with a figure from the first series if I had one.
Edit: I'm still thinking about what you said about the block 0... I can obtain block 0 from my original by using tnp3dump script (I obtained 1FCA9E6F2481010FC433000000000014 for Super Shot Stealth Elf from Superchargers), use csetuid command in order to set it as my clone's block 0 and after that use tnp3clone to make a clone on that tag. I tried it with my Super Shot Stealth Elf and it didn't work but I know these scripts are supposed to be used with Skylanders tokens from the first series. I guess that's why it didn't work.
Edit: I got Chill token. I read its block 0 and loaded it into the magic card
pm3 --> hf mf csetblk 0 3ac44464de81010fc433000000000012
--block number: 0 data:3A C4 44 64 DE 81 01 0F C4 33 00 00 00 00 00 12
And then
pm3 --> script run tnp3clone -t 6a00 -s 0030
[+] Executing: tnp3clone.lua, args '-t 6a00 -s 0030'
----------------------------------------
----------------------------------------
Looking up input: Found Chill - giant (water)
--wipe card:YES uid:3A C4 44 64
[+] old block 0: 3A C4 44 64 DE 81 01 0F C4 33 00 00 00 00 00 12
[+] new block 0: 3A C4 44 64 DE 08 04 00 C4 33 00 00 00 00 00 12
[+] old UID:00 00 00 00
[+] new UID:3A C4 44 64
--block number: 1 data:6A 00 00 00 00 00 00 00 00 00 00 00 00 30 41 BB
--block number: 3 data:4B 0B 20 10 7C CB 7F 07 88 69 00 00 00 00 00 00
--block number: 7 data:96 A5 A4 2D 62 D2 7F 07 88 69 00 00 00 00 00 00
--block number:11 data:B0 C8 70 7E B5 11 7F 07 88 69 00 00 00 00 00 00
--block number:15 data:23 FE 9A D7 5E F0 7F 07 88 69 00 00 00 00 00 00
--block number:19 data:6F 24 32 70 F0 77 7F 07 88 69 00 00 00 00 00 00
--block number:23 data:FC 12 D8 D9 1B 96 7F 07 88 69 00 00 00 00 00 00
--block number:27 data:DA 7F 0C 8A CC 55 7F 07 88 69 00 00 00 00 00 00
--block number:31 data:49 49 E6 23 27 B4 7F 07 88 69 00 00 00 00 00 00
--block number:35 data:D1 FD B7 6C 7A BB 7F 07 88 69 00 00 00 00 00 00
--block number:39 data:42 CB 5D C5 91 5A 7F 07 88 69 00 00 00 00 00 00
--block number:43 data:64 A6 89 96 46 99 7F 07 88 69 00 00 00 00 00 00
--block number:47 data:F7 90 63 3F AD 78 7F 07 88 69 00 00 00 00 00 00
--block number:51 data:BB 4A CB 98 03 FF 7F 07 88 69 00 00 00 00 00 00
--block number:55 data:28 7C 21 31 E8 1E 7F 07 88 69 00 00 00 00 00 00
--block number:59 data:0E 11 F5 62 3F DD 7F 07 88 69 00 00 00 00 00 00
--block number:63 data:9D 27 1F CB D4 3C 7F 07 88 69 00 00 00 00 00 00
[+] Finished
But the game doesn't recognize it. Why does the script change block zero (the one I set)? Shouldn't it be exactly the same?
Should I use another game from the Skylanders series or am I doing something wrong?
Now if I try tnp3clone script I get
pm3 --> script run tnp3clone -t c301 -s 0030
[+] Executing: tnp3clone.lua, args '-t c301 -s 0030'
----------------------------------------
----------------------------------------
Looking up input: Found Thunderbolt - trapmaster (air)
#db# Auth error
failed reading block with factorydefault key. Trying chinese magic read.
--wipe card:YES uid:01 02 03 04
[+] old block 0: 01 02 03 04 04 98 02 00 00 00 00 00 00 00 10 01
[+] new block 0: 01 02 03 04 04 08 04 00 00 00 00 00 00 00 10 01
[+] old UID:00 00 00 00
[+] new UID:01 02 03 04
--block number: 1 data:C3 01 00 00 00 00 00 00 00 00 00 00 00 30 F1 D2
--block number: 3 data:4B 0B 20 10 7C CB 7F 07 88 69 00 00 00 00 00 00
--block number: 7 data:E2 5A 7C C8 BD A7 7F 07 88 69 00 00 00 00 00 00
--block number:11 data:C4 37 A8 9B 6A 64 7F 07 88 69 00 00 00 00 00 00
--block number:15 data:57 01 42 32 81 85 7F 07 88 69 00 00 00 00 00 00
--block number:19 data:1B DB EA 95 2F 02 7F 07 88 69 00 00 00 00 00 00
--block number:23 data:88 ED 00 3C C4 E3 7F 07 88 69 00 00 00 00 00 00
--block number:27 data:AE 80 D4 6F 13 20 7F 07 88 69 00 00 00 00 00 00
--block number:31 data:3D B6 3E C6 F8 C1 7F 07 88 69 00 00 00 00 00 00
--block number:35 data:A5 02 6F 89 A5 CE 7F 07 88 69 00 00 00 00 00 00
--block number:39 data:36 34 85 20 4E 2F 7F 07 88 69 00 00 00 00 00 00
--block number:43 data:10 59 51 73 99 EC 7F 07 88 69 00 00 00 00 00 00
--block number:47 data:83 6F BB DA 72 0D 7F 07 88 69 00 00 00 00 00 00
--block number:51 data:CF B5 13 7D DC 8A 7F 07 88 69 00 00 00 00 00 00
--block number:55 data:5C 83 F9 D4 37 6B 7F 07 88 69 00 00 00 00 00 00
--block number:59 data:7A EE 2D 87 E0 A8 7F 07 88 69 00 00 00 00 00 00
--block number:63 data:E9 D8 C7 2E 0B 49 7F 07 88 69 00 00 00 00 00 00
[+] Finished
And the game doesn't respond to the tag. The token doesn't appear on screen (not even for 5 seconds).
Edit: Another magic card
pm3 --> script run tnp3clone -t c301 -s 0030
[+] Executing: tnp3clone.lua, args '-t c301 -s 0030'
----------------------------------------
----------------------------------------
Looking up input: Found Thunderbolt - trapmaster (air)
--wipe card:YES uid:01 02 03 04
[+] old block 0: 01 02 03 04 04 08 04 00 00 00 00 00 00 00 10 01
[+] new block 0: 01 02 03 04 04 08 04 00 00 00 00 00 00 00 10 01
[+] old UID:00 00 00 00
[+] new UID:01 02 03 04
--block number: 1 data:C3 01 00 00 00 00 00 00 00 00 00 00 00 30 1F A5
--block number: 3 data:4B 0B 20 10 7C CB 7F 07 88 69 00 00 00 00 00 00
--block number: 7 data:E2 5A 7C C8 BD A7 7F 07 88 69 00 00 00 00 00 00
--block number:11 data:C4 37 A8 9B 6A 64 7F 07 88 69 00 00 00 00 00 00
--block number:15 data:57 01 42 32 81 85 7F 07 88 69 00 00 00 00 00 00
--block number:19 data:1B DB EA 95 2F 02 7F 07 88 69 00 00 00 00 00 00
--block number:23 data:88 ED 00 3C C4 E3 7F 07 88 69 00 00 00 00 00 00
--block number:27 data:AE 80 D4 6F 13 20 7F 07 88 69 00 00 00 00 00 00
--block number:31 data:3D B6 3E C6 F8 C1 7F 07 88 69 00 00 00 00 00 00
--block number:35 data:A5 02 6F 89 A5 CE 7F 07 88 69 00 00 00 00 00 00
--block number:39 data:36 34 85 20 4E 2F 7F 07 88 69 00 00 00 00 00 00
--block number:43 data:10 59 51 73 99 EC 7F 07 88 69 00 00 00 00 00 00
--block number:47 data:83 6F BB DA 72 0D 7F 07 88 69 00 00 00 00 00 00
--block number:51 data:CF B5 13 7D DC 8A 7F 07 88 69 00 00 00 00 00 00
--block number:55 data:5C 83 F9 D4 37 6B 7F 07 88 69 00 00 00 00 00 00
--block number:59 data:7A EE 2D 87 E0 A8 7F 07 88 69 00 00 00 00 00 00
--block number:63 data:E9 D8 C7 2E 0B 49 7F 07 88 69 00 00 00 00 00 00
[+] Finished
No errors, the token appears on screen but disappears after 5 seconds and the game says it may be corrupted. As I said before, I'm using Skylanders Superchargers. Maybe the last games from the Skylanders series look for gen1 magic cards and detect them.
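The two block 0 values printed in the Chill transcript above, split into their fields (an added example, not part of the original posts or of the Proxmark scripts). It assumes the 4-byte-UID layout UID, BCC, SAK, ATQA, vendor bytes; the function names are hypothetical. It shows that only SAK and ATQA differ between the "old" and "new" block 0, matching the `0004 08` versus `0F01 81` values in the csetuid line quoted earlier in the thread.

```python
# Added example; the two block 0 values are copied from the transcript above.
ORIGINAL = "3A C4 44 64 DE 81 01 0F C4 33 00 00 00 00 00 12"   # "old block 0"
REWRITTEN = "3A C4 44 64 DE 08 04 00 C4 33 00 00 00 00 00 12"  # "new block 0"


def parse_block0(hex_block):
    """Split a 16-byte block 0 into the fields a reader sees at card selection.

    Assumed layout (4-byte UID card): UID(4) | BCC(1) | SAK(1) | ATQA(2) | vendor(8).
    """
    raw = bytes.fromhex(hex_block.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    uid = raw[0:4]
    expected_bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]  # BCC is the XOR of the UID bytes
    return {
        "uid": uid.hex().upper(),
        "bcc_ok": raw[4] == expected_bcc,
        "sak": f"{raw[5]:02X}",
        "atqa": raw[6:8].hex().upper(),  # kept in the byte order stored in block 0
        "vendor": raw[8:].hex().upper(),
    }


def changed_fields(before, after):
    """Return the names of the block 0 fields that differ between two dumps."""
    a, b = parse_block0(before), parse_block0(after)
    return sorted(name for name in a if a[name] != b[name])


if __name__ == "__main__":
    for label, block in (("original", ORIGINAL), ("rewritten", REWRITTEN)):
        print(label, parse_block0(block))
    print("changed:", changed_fields(ORIGINAL, REWRITTEN))
```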