Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
I get a bit confused.
The USB standard 1.0 operates at 1.5 Mbits/s (low bandwidth) or 12 Mbits/s (full bandwidth).
The USB standard 2.0 operates the same as USB 1 plus an extra mode at 480 Mbits/s (high speed).
So even USB 1 should be faster than the 106 Kbits/s you are referring to. So what is it I'm missing here?
Yes, you are right. USB speed should be enough and afaik the ARM supports up to 12Mbits/s. However it seems to be much slower (some 10kBits/s ?) but I don't know why. This is an area of the code I have not visited yet.
Could it be a setting in the cdc_usb code?
we are emulating a com port in windows - bits per second are defaulted to 9600 for com ports.
Yes, however the com port transfer speed can be raised to 128000 ....
True, but not sure what has to be changed in the pm3 to match.
usb_cdc.c...
    AT91S_CDC_LINE_CODING line = {
        115200, // baudrate
        0,      // 1 Stop Bit
        0,      // None Parity
        8};     // 8 Data bits
looks like it is supposed to be using 115200 bit rate
Interesting... I got an idea.
pm3 device (A) -> windows os (controlling com ports) (B) -> client (C)
There are three parts involved. A and C say 115200.. But B on my setup says 9600... hm what controls it???
I went inside "devices and printers" (on win7) and changed, inside the properties of my PM3-connected com port, the speed to 115200...
I thought it can't be this easy.. But I tried anyway. I loaded a dump from file to emulator memory (device) and it just flew right by...
Try it yourself and verify it.
With the help from Asper, I got my magic card back to working.
Also got the magic card to emulate a tnp3xxx tag... However!.. the problem is with the SAK & ATQA values..
The magic card generation 1 lets you change them, so far so good.
But they are saved on Sector 0, Block 0 bytes (5-6-7) .. which is part of the AES encryption key for the portal...
So kudos to the developers of this tag.
Is there a possibility for a tag to be a clone without saving the SAK and ATQA values in the Mifare-accessible memory of the magic card?
Hey, didn't we have that discussion before? SAK and ATQA need not be equal to Block 0 Bytes 5 - 7.
What you still could do: change the hf mf sim or hf 14a sim (is it Mifare or standard ISO14443a?) command to pass SAK and ATQA as parameters and disregard Block 0 Bytes 5 - 7. Then you should at least be able to use the PM3 as a clone.
Yeah, I did that already Piwi with "hf 14a sim 5" (where 5 = tnp3xxx) but it times out because the trace buffer is full..
So I guess I need to mod the "hf 14a sim" ARM code for it to work without tracing..
And "hf mf sim" just doesn't work anymore.. Holiman raised an issue "since r854" about it being broken, where you and he had a discussion about field detection... Nothing happened from it.
Yeah, I did that already Piwi with "hf 14a sim 5" (where 5 = tnp3xxx) but it times out because the trace buffer is full..
So I guess I need to mod the "hf 14a sim" ARM code for it to work without tracing..
Yeah, just remove the "break;" if it is a standard ISO14443a tag. Or wait until my next commit - you will get roughly 10x bigger traces. However, if you need Mifare Crypto1 encryption, then you need to modify hf mf sim.
And "hf mf sim" just doesn't work anymore..
Huh? Let me check tonight when I am back home. The discussion with holiman was whether we should simulate a power loss (reset like a real card would) or not. It was still working though (if the signal doesn't always remain below the hard-coded threshold - weak antenna?).
Last edited by piwi (2015-01-16 19:22:15)
The discussion with holiman was whether we should simulate a power loss (reset like a real card would) or not. It was still working though (if the signal doesn't always remain below the hard-coded threshold - weak antenna?).
No... The discussion, at least from my side, was that hf mf sim didn't work, because it was too 'picky' about the field, whereas 14a sim worked fine because it wasn't quite as picky about the reader field (it totally didn't give a crap about it).
And then other things got in the way, and I didn't follow up on it.
And, to qualify: I'm sure there are circumstances where 'hf mf sim' works. But, with a semi-ok antenna and a bad reader (as the commercial one tested against), it invariably failed.
OK, let's pick this up again and start discussing within the broader community.
Fact: a real card stops working if removed from the reader's field. It will start again in a defined state when it approaches the reader again.
My opinion: I still feel that hf mf sim (and hf 14a sim as well!) should mimic this behaviour. Comments?
Fact: ISO14443-2 states: "a PICC shall operate as intended continuously between H_min and H_max." H_min is defined with a value of 1,5A/m rms. "After the field has been active [...] the PICC shall enter its IDLE state".
Fact: hf mf sim checks for an average voltage of 4V (MF_MINFIELDV) at AMPL_HI. If it drops below that value, the simulation resets to Idle state.
Question: is someone able to verify that 4V is the correct voltage resulting from a field of 1,5A/m rms? Or is it simply too high?
About sniffing (a bit OT but I would like to know the answer): if I snoop a communication between a reader and a card with invalid keys (invalid = not present in the reader) and I apply the reverse crypto algo, am I able to obtain the key the reader attempted to use to authenticate?
About sniffing (a bit OT but I would like to know the answer): if I snoop a communication between a reader and a card with invalid keys (invalid = not present in the reader) and I apply the reverse crypto algo, am I able to obtain the key the reader attempted to use to authenticate?
Well, since you can do a reader attack (with no knowledge about the keys), what you describe should be possible as well. You need the AR/NR pair.
OK, let's pick this up again and start discussing within the broader community.
Fact: a real card stops working if removed from the reader's field. It will start again in a defined state when it approaches the reader again.
My opinion: I still feel that hf mf sim (and hf 14a sim as well!) should mimic this behaviour. Comments?
Fact: ISO14443-2 states: "a PICC shall operate as intended continuously between H_min and H_max." H_min is defined with a value of 1,5A/m rms. "After the field has been active [...] the PICC shall enter its IDLE state".
Fact: hf mf sim checks for an average voltage of 4V (MF_MINFIELDV) at AMPL_HI. If it drops below that value, the simulation resets to Idle state.
Question: is someone able to verify that 4V is the correct voltage resulting from a field of 1,5A/m rms? Or is it simply too high?
I agree to mimic cards; however, my experience was that the reader could read cards just fine, just not our simulation of a card.
However, how would one verify that voltage/field? Sounds like pretty specific measurements, not something to check with an oscilloscope.
Rephrasing the question: is there an HF guru who knows the theoretical relationship between H and V given the PM3 HF antenna (three windings, rectangular, approx. standard card dimensions)?
To answer a question a little bit earlier from Piwi: yes, I would like to have Crypto-1 decoding as well.. So I would love for "hf mf sim" to work, but since it doesn't I'm falling back to "hf 14a sim" instead.
Yeah, just remove the "break;" if it is a standard ISO14443a tag. Or wait until my next commit - you will get roughly 10x bigger traces.
Pushed to master today. You are now able to do quite big traces.
It was hard to keep up with your, marshmellow's and holiman's commit frequency. I had to merge quite a lot and I hope I didn't break anything else.
I will now have a look into hf mf sim...
@Piwi, impressive work with the new BigBuf management. The whole PM3 is way better now.
I can now verify that the fixes for "HF MF SIM" from @Holiman and @Pwpiwi work and it is possible to simulate a tag. I'll have to remake the lua script for the needed changes.
The possibility to simulate a toy tag on the PM3 opened up a whole new range of possibilities.
- you can get all keys needed by combining the reader-only attack (ie. "hf mf sim x") from Holiman and updating the emulation memory with the correct keys as the portal starts requesting them.
The series 1 tags could be attacked with the darkside attack (ie. "hf mf mifare / hf mf nested"),
but the later series 2-3-4 seem to have a better PRNG, and the attacks usually fail.
This new way negates this problem!
And, yes, it can be made in the form of a lua-script, which automates the process...
The algo is really complex and it is totally different from the one already available to encrypt/decrypt data stored on toys.
From a known value, data must be processed under more than one different math operation to obtain the key for each sector. The complete algo is still unknown, but there actually are 2 ways to obtain the results: the "hardware way" (what iceman said) and the software way (pre-computed tables without knowing the full process - still WIP).
If we talk about knowing the algo, yes, the hardware version doesn't require it. However, you will need a PM3...
The pre-calculated tables are a different story all in all, but also solve the problem. Very few people (3?) know about the process.
Buying a PM3 is easier. We might even get people into RFID security that way.
Let's recapitulate these four months of testing.
- Getting keys from these toys works mostly for the first series of toys. Since then it seems the Mifare PRNGs have been upgraded, rendering the mifare attack & nested useless.
- Found out the "hf mf sim" was faulty; @Piwi came up with a fix.
- Found out that the ATQA & SAK are not used by the portal, i.e. you can use whatever 1k tag you want.
- Found out that you only need a valid sector 0, and all sector keyA's, to clone a toy.
- Found out that a reader-only attack via "hf mf sim" and mfkey32 will get you all keys no matter what kind of series.
(lua works great in doing this automatically)
- Found out that XORing all keyA's with each other gives you an insight into the XOR and which CRC is in use.
- Found out that one person already figured out the key-generation algo (in January 2015) but wants to be anon.
- Found out that people with extreme math skills are really good to know.
- Found out that the WebCode is just a Base-29 (with a custom charset) transformation.
- Found out that this toy uses a lot of different CRC implementations. (CRC16-CCITT, CRC-64)
---what does that give you?
Having a PM3, a magic tag or a blank S50 will enable you to back up your current tags. If you ever break one of these things you can feel safe.
...What I don't know...
I would like to have the UID from a Series 2-3-4 toy, to validate a point. [EDIT: Point validated. great.]
I would like to hear what these small trap toys are. They don't answer to a "hf 14a reader" command. [EDIT: circular antenna with the trap put inside of it, in the middle. Never got a good read with the PM3]
I would like to thank Asper for lots and lots of information.
I would like to thank Someone in the States, who sent a toy-portal package. //my kids love it//
I would like to thank Someone in France, for sharing insights.
It's been a very interesting journey. I suppose this will be the end of this thread.
Last edited by iceman (2015-03-09 16:10:15)
I think I might be able to answer some questions. I'm back a year later! I've managed to perform a timing attack and get the keys of an older Gen #2 toy.
With these keys you have the keys to the kingdom! It seems that the games don't have any checks to make sure that the UID and toy type match, and it seems that the encryption key algo is purely based on the UID and nothing more. With the keys from any toy and the correct UID we can emulate any toy (including the traps) if you use something like a "magic" card.
I have written a small application that allows you to create emulated skylanders and write them to a magic card (using libnfc), as well as back them up. I am considering picking up a proxmark and writing some code to be able to quickly switch between toys and emulate the toys.
@iceman you mentioned that the algo has been found? Can you contact me regarding this?
My email is littered all over this forum.
hi, newbie here, I've re-read this thread 3 or 4 times and spent all day researching this and admittedly a lot went straight over my head, but did you manage to get it hacked, as in did you manage to clone a char or rewrite one char to a different one, or was it just the same as the skymodder/editor where you can just change the stats (name, level, money etc).
I have loads of figures to mess around with but am having no luck getting anything to read them, even gen#1 toys; every app or prog just says unrecognized tag.
The answer to all your questions is yes.
The answer to all your questions is yes.
any help on how and where to get started? really struggling because I don't know the tech/programmes that well, I'm not even sure if I'm reading the tags correctly as I don't get that much info from the reads.
also once I manage to scan some correctly, can I get some blank magic cards and write a specific char to it?
thanks
If you do your homework by reading up on the matter first, you will understand the subject better.
What do you mean with "that went fast"?
hm, I got some other threads sent to me, where people are claiming stuff..
however, the links from above seem to have a pure NFC solution... whereas I had only seen it here before.
The wiiuhax is different from the maxlander, but they are the same if you look at the picture.. looking at the video for maxlanders (on their site) where they show off an NFC reader demo.. all other solutions I've seen before were related to the portal and doing stuff through it. The Chinese cloner doesn't use the portal.. there are few places where they could have gotten that knowledge, and so fast in having a tool and Windows software packaged and for sale. I didn't mean something else.
Thanks for the explanation.
The pre-calculated tables are a different story all in all, but also solve the problem. Very few people (3?) know about the process.
Buying a PM3 is easier. We might even get people into RFID security that way.
Well, it made me just order a PM3, at least. I started doing similar work around the same time y'all started, got a couple figures' keys with a PN532, but it seems all y'all made it all the way, now.
I don't understand this bit about pre-calculating the tables, though. Are you saying someone should be able to pre-generate the tables without understanding the algorithm? Or that one of the three people who did, could, and maybe that's being done? I don't understand how it's possible if it's the former.
Assuming I wanted to find my own friends with extreme maths skills, what sort of maths are we talking about here?
rainman skilz
It's remarkable how much you can learn if you read all the source code here...
Iceman an update for one of your lua scripts
http://pastebin.com/MQCU0LrP
Sweet, I've added them to the list. Thanks!
haaaa wait for me for the last episode
hi everyone & sorry for revitalizing this thread
first: thanks to everyone doing research on these toys, especially iceman.
I've been following this thread for a long time and with the help of all the info found here I'm making my rough way in revealing keys.
in the thread there was mentioned that the algo has been found by an anon math genius.
i'd really appreciate to get to know this secret :-)
many thanks in advance & regards to everyone
piotr
It's all there, in the code.
hi iceman, thx for your reply.
i'm using the source based on the research someone named bra... did.
it contains the formulas to de-/encrypt each block but not the algo to reveal key-a for the 16 sectors.
maybe u can point me to the code u mentioned.
i'd really appreciate your reply
(btw. i already sent u a mail )
thanks in advance & regards
piotr
@asper & @iceman
i'd really appreciate if u could share your knowledge about the keyA algo.
thanks in advance & regards
piotr
If you read this thread, you will know where to look. It's in some lua scripts.
Hi !
I tried to understand it too, but I'm a bit lost, even after multiple readings, and I have already succeeded with backup management for Lego Dimensions tags.
So first question: is it possible to make a backup without a PM3 or other hardware? For LD, I use an NFC editor on Android for example.
All I have is my Android tablet with NFC, and connecting the portal to Windows. I tried with HIDAPI, but didn't manage to read my Skylanders toys.
So I'd like to know if there is some "easy" way to do the backup, like for LD.
There should be many other applications out by now, like maxlanders. Not quite a Proxmark3-related question.
Yeah, I know about the maxlander, but I found it expensive and abusive: 10$ per backup slot.
That's why I'd like to be able to do it myself on blank tags, and if there's no app for this, try to make an Android app.
Last edited by Kurapika666 (2016-08-27 09:03:49)