Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#51 2015-01-14 20:46:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

I get a bit confused. 

The USB 1.0 standard operates at 1.5 Mbits/s (low bandwidth) or 12 Mbits/s (full bandwidth).
The USB 2.0 standard operates at the same speeds as USB 1 plus an extra mode at 480 Mbits/s (high speed).

So even USB 1 should be faster than the 106 Kbits/s you are referring to. So what is it I'm missing here?

Offline

#52 2015-01-15 12:38:36

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [FINISHED] A popular toy, Skylander

Yes, you are right. USB speed should be enough and afaik the ARM supports up to 12Mbits/s. However it seems to be much slower (some 10kBits/s ?) but I don't know why. This is an area of the code I have not visited yet.

Offline

#53 2015-01-15 13:20:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

Could it be a setting in the cdc_usb code?

Offline

#54 2015-01-15 17:42:29

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] A popular toy, Skylander

We are emulating a COM port in Windows - bits per second are defaulted to 9600 for COM ports.

Offline

#55 2015-01-15 18:59:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

Yes, however the COM port transfer speed can be raised to 128000 ....

Offline

#56 2015-01-15 19:01:55

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] A popular toy, Skylander

True,  but not sure what has to be changed in the pm3 to match.

Offline

#57 2015-01-15 19:29:26

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] A popular toy, Skylander

usb_cdc.c...
AT91S_CDC_LINE_CODING line = {
  115200, // baudrate
  0,      // 1 Stop Bit
  0,      // None Parity
  8       // 8 Data bits
};

looks like it is supposed to be using 115200 bit rate

Offline
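As an added example, not code from the Proxmark3 source: a parser and serialiser for the 7-byte line-coding block that the quoted struct mirrors (the payload of the CDC SET_LINE_CODING / GET_LINE_CODING requests), showing the validation a firmware handler should apply to host-supplied bytes before accepting a new rate. The type and function names are my own, and the 9600 payload is constructed to stand for what a Windows COM-port default would send.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Local mirror of the CDC line-coding structure (same field order as the
 * AT91S_CDC_LINE_CODING initialiser quoted above; names are assumptions). */
typedef struct {
    uint32_t dwDTERate;   /* baud rate, 32-bit little-endian on the wire */
    uint8_t  bCharFormat; /* 0 = 1 stop bit, 1 = 1.5 stop bits, 2 = 2 stop bits */
    uint8_t  bParityType; /* 0 none, 1 odd, 2 even, 3 mark, 4 space */
    uint8_t  bDataBits;   /* 5, 6, 7, 8 or 16 */
} line_coding_t;

#define LINE_CODING_LEN 7

/* The firmware default quoted in the thread: 115200 8N1. */
static const line_coding_t DEFAULT_LINE = { 115200, 0, 0, 8 };

/* Serialise to the wire format returned for GET_LINE_CODING. */
void line_coding_pack(const line_coding_t *lc, uint8_t out[LINE_CODING_LEN]) {
    out[0] = (uint8_t)(lc->dwDTERate);
    out[1] = (uint8_t)(lc->dwDTERate >> 8);
    out[2] = (uint8_t)(lc->dwDTERate >> 16);
    out[3] = (uint8_t)(lc->dwDTERate >> 24);
    out[4] = lc->bCharFormat;
    out[5] = lc->bParityType;
    out[6] = lc->bDataBits;
}

/* Parse a SET_LINE_CODING payload from the host. Returns 1 and fills *lc only
 * when the length and every field are values the CDC spec allows; otherwise
 * returns 0 and leaves *lc untouched, so the current setting stays in force. */
int line_coding_parse(const uint8_t *buf, size_t len, line_coding_t *lc) {
    if (buf == NULL || lc == NULL || len != LINE_CODING_LEN)
        return 0;
    uint32_t rate = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                    ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (rate == 0 || buf[4] > 2 || buf[5] > 4)
        return 0;
    switch (buf[6]) {
    case 5: case 6: case 7: case 8: case 16: break;
    default: return 0;
    }
    lc->dwDTERate   = rate;
    lc->bCharFormat = buf[4];
    lc->bParityType = buf[5];
    lc->bDataBits   = buf[6];
    return 1;
}

/* Convenience wrapper: the accepted rate, or 0 if the payload was rejected. */
uint32_t line_coding_rate(const uint8_t *buf, size_t len) {
    line_coding_t lc;
    return line_coding_parse(buf, len, &lc) ? lc.dwDTERate : 0;
}

int main(void) {
    uint8_t wire[LINE_CODING_LEN];
    line_coding_pack(&DEFAULT_LINE, wire);            /* 00 C2 01 00 00 00 08 */
    for (int i = 0; i < LINE_CODING_LEN; i++) printf("%02X ", wire[i]);
    printf("\n");

    /* Constructed host request: 9600 8N1, the Windows COM-port default. */
    const uint8_t host_9600[LINE_CODING_LEN] = { 0x80, 0x25, 0, 0, 0, 0, 8 };
    printf("host asked for %u baud\n", (unsigned)line_coding_rate(host_9600, sizeof host_9600));
    /* Truncated request: rejected, current setting unchanged. */
    printf("short payload accepted: %u\n", (unsigned)line_coding_rate(host_9600, 6));
    return 0;
}
```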

#58 2015-01-16 01:33:15

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

Interesting...  I got an idea.

pm3 device  ->  windows os (controlling com ports) -> client
   A                             B                                            C

There are three parts involved. A and C say 115200, but B on my setup says 9600... hm, what controls it???
I went inside "Devices and Printers" (on Win7) and changed the properties of my Pm3-connected COM port. I changed it to 115200...

I thought it can't be this easy... But I tried anyway. I loaded a dump from file to emulator memory (device) and it just flew right by...

Try it yourself and verify it.

Offline

#59 2015-01-16 18:21:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

With the help from Asper, I got my magic card back to working.

I also got the magic card to emulate a tnp3xxx tag... However!.. the problem is with the SAK & ATQA values..
The magic card generation 1 lets you change them, so far so good.
But they are saved on Sector 0, Block 0 bytes (5-6-7).. which is part of the AES encryption key for the portal...

So kudos to the developers of this tag.

Is there a possibility for a tag to be a clone without saving SAK and ATQA values on the mifare accessible memory of the magic card?

Offline

#60 2015-01-16 18:33:48

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [FINISHED] A popular toy, Skylander

Hey, didn't we have that discussion before? SAK and ATQA need not be equal to Block 0 Bytes 5-7.

What you still could do: change the hf mf sim or hf 14a sim (is it Mifare or standard ISO14443a?) command to pass SAK and ATQA as parameters and disregard Block 0 Bytes 5-7. Then you should at least be able to use the PM3 as a clone.

Offline

#61 2015-01-16 18:56:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

Yeah, I did that already Piwi with "hf 14a sim 5" (where 5 = tnp3xxx), but it times out because the tracebuffer is full..
So I guess I need to mod the "hf 14a sim" arm-code for it to work without tracing..

And the "hf mf sim" just doesn't work anymore.. Holiman raised an issue "since r854" about it being broken, where you and him had a discussion about field-detection... Nothing happened from it.

Offline

#62 2015-01-16 19:14:53

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [FINISHED] A popular toy, Skylander

iceman wrote:

Yeah, I did that already Piwi with "hf 14a sim 5" (where 5 = tnp3xxx), but it times out because the tracebuffer is full..
So I guess I need to mod the "hf 14a sim" arm-code for it to work without tracing..

Yeah, just remove the "break;" if it is a standard ISO14443a tag. Or wait until my next commit - you will get roughly 10x bigger traces. However, if you need Mifare Crypto1 encryption, then you need to modify hf mf sim.

iceman wrote:

And the "hf mf sim" just doesn't work anymore..

Huh? Let me check tonight when I am back home. The discussion with holiman was if we should simulate a powerloss (reset like a real card would) or not. It was still working though (if the signal doesn't always remain below the hard coded threshold - weak antenna?).

Last edited by piwi (2015-01-16 19:22:15)

Offline

#63 2015-01-16 22:01:20

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: [FINISHED] A popular toy, Skylander

piwi wrote:

The discussion with holiman was if we should simulate a powerloss (reset like a real card would) or not. It was still working though (if the signal doesn't always remain below the hard coded threshold - weak antenna?).

No... The discussion, at least from my side, was that hf mf sim didn't work, because it was too 'picky' about the field, whereas 14a sim worked fine because it wasn't quite as picky about the reader-field (it totally didn't give a crap about it).

And then other things got in the way, and I didn't follow up on it.

Offline

#64 2015-01-16 22:03:12

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: [FINISHED] A popular toy, Skylander

And, to qualify: I'm sure there are circumstances where 'hf mf sim' works. But, with a semi-ok antenna and a bad reader (as the commercial one tested against), it invariably failed.

Offline

#65 2015-01-16 22:27:22

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [FINISHED] A popular toy, Skylander

OK, let's pick this up again and start discussing within the broader community.

Fact: a real card stops working if removed from the reader's field. It will start again in a defined state when it approaches the reader again.
My opinion: I still feel that hf mf sim (and hf 14a sim as well!) should mimic this behaviour. Comments?
Fact: ISO14443-2 states: "a PICC shall operate as intended continuously between H_min and H_max." H_min is defined with a value of 1.5 A/m rms. "After the field has been active [...] the PICC shall enter its IDLE state".
Fact: hf mf sim checks for an average voltage of 4V (MF_MINFIELDV) at AMPL_HI. If it drops below that value, the simulation resets to Idle state.
Question: is someone able to verify that 4V is the correct voltage resulting from a field of 1.5 A/m rms? Or is it simply too high?

Offline
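As an added illustration of the field-detection behaviour described above, not the firmware's own code: a small monitor that averages AMPL_HI samples per window and returns the simulated PICC to IDLE when the average falls below the 4 V threshold. Requiring a configurable number of consecutive low windows before the reset is my own addition, to show why a strict single-window check can look "picky" on a weak antenna; the sample trace is constructed, the threshold comes from the thread, and the window and debounce sizes are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define MF_MINFIELDV_MV 4000   /* the 4 V threshold quoted in the thread, in millivolts */
#define FIELD_WINDOW    8      /* samples averaged per decision (assumption) */

typedef enum { PICC_IDLE = 0, PICC_ACTIVE = 1 } picc_state_t;

typedef struct {
    picc_state_t state;
    uint32_t     acc;          /* running sum of the current window */
    uint8_t      n;            /* samples in the current window */
    uint8_t      low_windows;  /* consecutive windows under threshold */
    uint8_t      loss_windows; /* low windows needed before a reset; 1 = strict */
    unsigned     resets;       /* number of ACTIVE -> IDLE transitions */
} field_monitor_t;

void fm_init(field_monitor_t *m, uint8_t loss_windows) {
    m->state = PICC_IDLE; m->acc = 0; m->n = 0; m->low_windows = 0; m->resets = 0;
    m->loss_windows = loss_windows ? loss_windows : 1;
}

/* Feed one AMPL_HI sample (mV); the state only changes on window boundaries. */
picc_state_t fm_feed(field_monitor_t *m, uint16_t mv) {
    m->acc += mv;
    if (++m->n < FIELD_WINDOW)
        return m->state;
    uint32_t avg = m->acc / FIELD_WINDOW;
    m->acc = 0; m->n = 0;
    if (avg >= MF_MINFIELDV_MV) {
        /* Field present: a card in the field is powered and may answer again. */
        m->low_windows = 0;
        m->state = PICC_ACTIVE;
    } else if (m->state == PICC_ACTIVE && ++m->low_windows >= m->loss_windows) {
        /* Field lost for long enough: behave like a real PICC and go back to IDLE. */
        m->state = PICC_IDLE;
        m->low_windows = 0;
        m->resets++;
    }
    return m->state;
}

/* Run a whole trace through a monitor and report how often it reset to IDLE. */
unsigned count_resets(const uint16_t *trace, size_t len, uint8_t loss_windows) {
    field_monitor_t m;
    fm_init(&m, loss_windows);
    for (size_t i = 0; i < len; i++)
        fm_feed(&m, trace[i]);
    return m.resets;
}

/* Constructed trace: 2 windows at 4.3 V, one window dipping to 3.7 V (weak
 * antenna), 2 windows at 4.3 V, then 5 windows at 0.2 V (toy lifted off). */
size_t build_trace(uint16_t *out) {
    size_t k = 0;
    for (int i = 0; i < 2 * FIELD_WINDOW; i++) out[k++] = 4300;
    for (int i = 0; i < 1 * FIELD_WINDOW; i++) out[k++] = 3700;
    for (int i = 0; i < 2 * FIELD_WINDOW; i++) out[k++] = 4300;
    for (int i = 0; i < 5 * FIELD_WINDOW; i++) out[k++] = 200;
    return k;   /* 80 samples */
}

int main(void) {
    uint16_t trace[10 * FIELD_WINDOW];
    size_t n = build_trace(trace);
    /* Strict check resets twice (once on the dip); debounced resets only on real loss. */
    printf("strict (1 low window):     %u resets\n", count_resets(trace, n, 1));
    printf("debounced (3 low windows): %u resets\n", count_resets(trace, n, 3));
    return 0;
}
```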

#66 2015-01-16 23:06:08

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] A popular toy, Skylander

About sniffing (a bit OT but I would like to know the answer): if I snoop a communication between a reader and a card with invalid keys (invalid = not present in the reader) and I apply the reverse crypto algo, am I able to obtain the key the reader attempted to use to authenticate?

Offline

#67 2015-01-16 23:10:41

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: [FINISHED] A popular toy, Skylander

asper wrote:

About sniffing (a bit OT but I would like to know the answer): if I snoop a communication between a reader and a card with invalid keys (invalid = not present in the reader) and I apply the reverse crypto algo, am I able to obtain the key the reader attempted to use to authenticate?

Well, since you can do a reader-attack (with no knowledge about the keys), what you describe should be possible as well. You need the AR/NR pair.

Offline

#68 2015-01-16 23:12:54

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: [FINISHED] A popular toy, Skylander

piwi wrote:

OK, let's pick this up again and start discussing within the broader community.

Fact: a real card stops working if removed from the reader's field. It will start again in a defined state when it approaches the reader again.
My opinion: I still feel that hf mf sim (and hf 14a sim as well!) should mimic this behaviour. Comments?
Fact: ISO14443-2 states: "a PICC shall operate as intended continuously between H_min and H_max." H_min is defined with a value of 1.5 A/m rms. "After the field has been active [...] the PICC shall enter its IDLE state".
Fact: hf mf sim checks for an average voltage of 4V (MF_MINFIELDV) at AMPL_HI. If it drops below that value, the simulation resets to Idle state.
Question: is someone able to verify that 4V is the correct voltage resulting from a field of 1.5 A/m rms? Or is it simply too high?

I agree to mimic cards, however, my experience was that the reader could read cards just fine, just not our simulation of a card.

However, how would one verify that voltage/field? Sounds like pretty specific measurements, not something to check with an oscilloscope.

Offline

#69 2015-01-16 23:59:50

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [FINISHED] A popular toy, Skylander

Rephrasing the question: is there a HF guru who knows the theoretic relationship between H and V given the PM3 HF antenna (three windings, rectangular, approx. standard card dimension)?

Offline

#70 2015-01-17 14:20:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

To answer a question a little bit earlier from Piwi: yes, I would like to have crypto-1 decoding as well.. So I would love for the "hf mf sim" to work, but since it doesn't I'm falling back to "hf 14a sim" instead.

Offline

#71 2015-01-28 08:14:28

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: [FINISHED] A popular toy, Skylander

piwi wrote:

Yeah, just remove the "break;" if it is a standard ISO14443a tag. Or wait until my next commit - you will get roughly 10x bigger traces.

Pushed to master today. You are now able to do quite big traces.

It was hard to keep up with your, marshmellow's and holiman's commit frequency. I had to merge quite a lot and I hope I didn't break anything else.

I will now have a look into hf mf sim...

Offline

#72 2015-01-28 13:34:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

@Piwi, Impressive work with the new BigBuff management. The whole Pm3 is way better now.

Offline

#73 2015-02-25 21:45:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

I can now verify that the fixes for "HF MF SIM" from @Holiman @Pwpiwi work and it is possible to simulate a tag. I'll have to remake the lua script for the needed changes.

Offline

#74 2015-03-03 10:20:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

The possibility to simulate a toy tag on the PM3 opened up a whole new range of possibilities.

- you can get all keys needed by combining the reader-only attack (i.e. "hf mf sim x") from Holiman and updating the emulation memory with the correct keys as the portal starts requesting them.

The series 1 tags could be attacked with the darkside attack (i.e. "hf mf mifare / hf mf nested"),
but the later series 2-3-4 seem to have a better PRNG, and the attacks usually fail.

This new way negates this problem!

Offline

#75 2015-03-03 10:32:41

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

And, yes, it can be made in the form of a lua-script, which automates the process...

Offline

#76 2015-03-03 13:45:06

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] A popular toy, Skylander

The algo is really complex and it is totally different from the one already available to encrypt/decrypt data stored on toys.
From a known value, data must be processed under more than one different math to obtain the key for each sector. The complete algo is still unknown but there actually are 2 ways to obtain the results, the "hardware way" (what iceman said) and the software way (pre-computed tables, without knowing the full process yet - still WIP).

Offline

#77 2015-03-03 14:52:20

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

If we talk about knowing the algo, yes, the hardware version doesn't require it. However, you will need a PM3...
The pre-calculated tables are a different story altogether but also solve the problem. Very few people (3?) know about the process.

Buying a PM3 is easier. We might even get people into RFID security that way.

Offline

#78 2015-03-08 18:43:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

Let's recapitulate these four months of testing.

- getting keys from these toys works mostly for the first series of toys. Since then they seem to have upgraded mifare PRNGs, rendering the mifare attack & nested useless.
- Found out the "hf mf sim" was faulty; @Piwi came up with a fix.
- Found out that the ATQA & SAK are not used by the portal, i.e. you can use whatever 1k tag you want.
- Found out that you only need a valid sector 0 and all sector keyA's to clone a toy.
- Found out that a reader-only attack via "hf mf sim" and mfkey32 will get you all keys no matter what kind of series.
  (lua works great in doing this automatically)
- Found out that XORing all keyA with each other gives you an insight into the XOR and which CRC is in use.
- Found out that one person already figured out the key-generation algo (in January 2015) but wants to be anon.
- Found out that people with extreme math skills are really good to know.
- Found out that the WebCode is just a Base-29 (with a custom charset) transformation
- Found out that this toy uses a lot of different CRC implementations (CRC16-CCITT, CRC-64).

---what does that give you?
Having a PM3, a magic tag or a blank S50 will enable you to back up your current tags. If you ever break one of these things you can feel safe.

...What I don't know...

I would like to have the UID from a Series 2-3-4 toy, to validate a point. [EDIT: Point validated. Great.]
I would like to hear what these small trap toys are. They don't answer to a "hf 14a reader" command. [EDIT: circular antenna with the trap put inside of it, in the middle. Never got a good read with the PM3]
I would like to thank Asper for lots and lots of information.
I would like to thank Someone in the States, who sent a toy-portal package. //my kids love it//
I would like to thank Someone in France, for sharing insights.

It's been a very interesting journey. I suppose this will be the end of this thread.

Last edited by iceman (2015-03-09 16:10:15)

Offline

#79 2015-03-24 07:05:22

rickbutton
Member
Registered: 2013-12-31
Posts: 7

Re: [FINISHED] A popular toy, Skylander

I think I might be able to answer some questions. I'm back a year later! I've managed to perform a timing attack and get the keys of an older Gen #2 toy.

With these keys you have the keys to the kingdom! It seems that the games don't have any checks to make sure that the UID and toy type match, and it seems that the encryption key algo is purely based on the UID and nothing more. With the keys from any toy and the correct UID we can emulate any toy (including the traps) if you use something like a "magic" card.

I have written a small application that allows you to create emulated skylanders and write them to a magic card (using libnfc), as well as back them up. I am considering picking up a proxmark and writing some code to be able to quickly switch between toys and emulate the toys.

@iceman you mentioned that the algo has been found? Can you contact me regarding this?

Offline

#80 2015-03-24 09:52:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

My email is littered all over this forum.

Offline

#81 2015-04-03 23:09:53

ch4dg
Member
Registered: 2015-04-03
Posts: 2

Re: [FINISHED] A popular toy, Skylander

Hi, newbie here. I've re-read this thread 3 or 4 times and spent all day researching this, and admittedly a lot went straight over my head, but did you manage to get it hacked, as in did you manage to clone a char or rewrite one char to a different one, or was it just the same as the skymodder/editor where you can just change the stats (name, level, money etc.)?

I have loads of figures to mess around with but am having no luck getting anything to read them, even gen#1 toys; every app or prog just says unrecognized tag.

Offline

#82 2015-04-05 11:59:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

The answer to all your questions is yes.

Offline

#83 2015-04-06 00:12:08

ch4dg
Member
Registered: 2015-04-03
Posts: 2

Re: [FINISHED] A popular toy, Skylander

iceman wrote:

The answer to all your questions is yes.

Any help on how and where to get started? Really struggling because I don't know the tech/programmes that well; I'm not even sure if I'm reading the tags correctly as I don't get that much info from the reads.

Also, once I manage to scan some correctly, can I get some blank magic cards and write a specific char to them?
Thanks

Offline

#84 2015-04-06 08:09:36

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

If you do your homework by reading up on the matter first, you will understand the subject better.

Offline

#85 2015-05-31 23:20:47

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] A popular toy, Skylander

What do you mean with "that went fast"?

Offline

#86 2015-06-01 00:11:34

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

Hm, I got some other threads sent to me, where people are claiming stuff..
However, the links from above seem to have a pure NFC solution... where I had only seen it here before.

The wiiuhax is different from the maxlander, but they are the same if you look at the picture.. Looking at the video for maxlanders (on their site) where they show off an NFC reader demo.. all other solutions I've seen before were related to the portal and doing stuff through it. The Chinese cloner doesn't use the portal.. There are few places where they could have gotten that knowledge, and so fast in having a tool and Windows software packaged and for sale. I didn't mean something else.

Offline

#87 2015-06-01 00:14:11

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] A popular toy, Skylander

Thanks for the explanation.

Offline

#88 2015-06-13 23:28:21

securitoys
Contributor
Registered: 2015-06-13
Posts: 19

Re: [FINISHED] A popular toy, Skylander

iceman wrote:

The pre-calculated tables are a different story altogether but also solve the problem. Very few people (3?) know about the process.
Buying a PM3 is easier. We might even get people into RFID security that way.

Well, it made me just order a PM3, at least.  I started doing similar work around the same time y'all started, got a couple figures' keys with a PN532, but it seems all y'all made it all the way, now.

I don't understand this bit about pre-calculating the tables, though.  Are you saying someone should be able to pre-generate the tables without understanding the algorithm?  Or that one of the three people who did, could, and maybe that's being done?  I don't understand how it's possible if it's the former.

Assuming I wanted to find my own friends with extreme maths skills, what sort of maths are we talking about here?

Offline

#89 2015-06-13 23:54:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

rainman skilz

It's remarkable how much you can learn if you read all the source code here...

Offline

#90 2016-01-21 03:04:50

legolas
Member
Registered: 2015-01-20
Posts: 4

Re: [FINISHED] A popular toy, Skylander

Iceman an update for one of your lua scripts
http://pastebin.com/MQCU0LrP

Offline

#91 2016-01-21 07:37:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

Sweet, I've added them to the list.  Thanks!

Offline

#92 2016-01-21 09:12:48

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Skylander

haaaa, wait for me for the last episode

Offline

#93 2016-05-20 21:04:55

piotr
Member
Registered: 2016-05-19
Posts: 3

Re: [FINISHED] A popular toy, Skylander

Hi everyone & sorry for revitalizing this thread.

First: thanks to everyone doing research on these toys, especially iceman.

I've been following this thread for a long time and with the help of all the info found here I'm making my rough way in revealing keys.
In the thread it was mentioned that the algo has been found by an anon math genius.
I'd really appreciate getting to know this secret :-)

Many thanks in advance & regards to everyone
piotr

Offline

#94 2016-05-21 07:57:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

It's all there, in the code.

Offline

#95 2016-05-21 19:20:04

piotr
Member
Registered: 2016-05-19
Posts: 3

Re: [FINISHED] A popular toy, Skylander

Hi iceman, thx for your reply.

I'm using the source based on the research someone named bra... did.
It contains the formulas to de-/encrypt each block but not the algo to reveal key-a for the 16 sectors.

Maybe you can point me to the code you mentioned.
I'd really appreciate your reply
(btw. I already sent you a mail)

Thanks in advance & regards
piotr

Offline

#96 2016-06-08 21:08:59

piotr
Member
Registered: 2016-05-19
Posts: 3

Re: [FINISHED] A popular toy, Skylander

@asper & @iceman

I'd really appreciate it if you could share your knowledge about the keyA algo.

thanks in advance & regards
piotr

Offline

#97 2016-06-12 18:11:00

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

If you read this thread, you will know where to look. It's in some lua scripts.

Offline

#98 2016-08-26 23:15:36

Kurapika666
Contributor
Registered: 2016-02-16
Posts: 22

Re: [FINISHED] A popular toy, Skylander

Hi!

I tried to understand it too, but I'm a bit lost, even after multiple readings, and I already manage backups successfully with Lego Dimensions tags.

So first question: is it possible to make a backup without a PM3 or other hardware? For LD, I use an NFC editor on Android for example.
All I have is my Android tablet with NFC, and connecting the portal to Windows. I tried with HIDAPI, but didn't manage to read my skylander toys.

So I'd like to know if there is some "easy" way to do the backup, like for LD

Offline

#99 2016-08-27 05:46:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] A popular toy, Skylander

there should be many other applications out by now, like maxlanders.  Not quite a proxmark3 related question.

Offline

#100 2016-08-27 08:57:37

Kurapika666
Contributor
Registered: 2016-02-16
Posts: 22

Re: [FINISHED] A popular toy, Skylander

Yeah, I know about the maxlander, but I found it expensive and abusive. 10$ per backup slot.

That's why I'd like to be able to do it myself on blank tags, and if there's no app for this, try to make an Android app.

Last edited by Kurapika666 (2016-08-27 09:03:49)

Offline
