Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I think you can find some DI USB emulators on GitHub; you'll need those USB commands.
The character list is already maintained at http://disneyinfinity.wikia.com/wiki/Disney_Infinity/Model_Numbers by fans of the game who noticed the model numbers are on the bottom of the character base. The same number is used internally, although it's encrypted on the token.
Hum, what have I forgotten...
hf 14a sniff
hf list 14a
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr |26 | | REQA
9549696 | 9550752 | Rdr |26 | | REQA
19100080 | 19101136 | Rdr |26 | | REQA
28649952 | 28651008 | Rdr |26 | | REQA
38199184 | 38200240 | Rdr |26 | | REQA
47122436 | 47122692 | Tag |00! | |
47748864 | 47749920 | Rdr |26 | | REQA
57298000 | 57299056 | Rdr |26 | | REQA
66360788 | 66360980 | Tag |01 | |
66847776 | 66848832 | Rdr |26 | | REQA
75772084 | 75772276 | Tag |01 | |
75826020 | 75826532 | Tag |02 | |
75909380 | 75909700 | Tag |03! | |
76396912 | 76397968 | Rdr |26 | | REQA
76399156 | 76401524 | Tag |44 00 | |
76454080 | 76456544 | Rdr |93 20 | | ANTICOLL
76457732 | 76463620 | Tag |88 04 28 56 f2 | |
76528560 | 76539024 | Rdr |93 70 88 04 28 56 f2 46 ed | ok | SELECT_UID
76540276 | 76543796 | Tag |04 da 17 | |
76593488 | 76595952 | Rdr |95 20 | | ANTICOLL-2
76597140 | 76602964 | Tag |52 8b 3a 80 63 | |
76667984 | 76678448 | Rdr |95 70 52 8b 3a 80 63 45 27 | ok | ANTICOLL-2
76679700 | 76683220 | Tag |09 3f cc | |
76731360 | 76736128 | Rdr |50 00 57 cd | ok | HALT
76946896 | 76947952 | Rdr |26 | | REQA
85871604 | 85871796 | Tag |01 | |
86498592 | 86499648 | Rdr |26 | | REQA
86500836 | 86503204 | Tag |44 00 | |
86555680 | 86558144 | Rdr |93 20 | | ANTICOLL
86559332 | 86565220 | Tag |88 04 28 56 f2 | |
86630160 | 86640624 | Rdr |93 70 88 04 28 56 f2 46 ed | ok | SELECT_UID
86641876 | 86645396 | Tag |04 da 17 | |
86695792 | 86697552 | Rdr |f1 0e | | ?
86698724 | 86704548 | Tag |52 8b 3a 80 63 | |
86769584 | 86780048 | Rdr |95 70 52 8b 3a 80 63 45 27 | ok | ANTICOLL-2
86781300 | 86784820 | Tag |09 3f cc | |
86833056 | 86837824 | Rdr |50 00 57 cd | ok | HALT
87048480 | 87049536 | Rdr |26 | | REQA
96599568 | 96600624 | Rdr |26 | | REQA
I don't find the pwd.
Last edited by belette (2016-01-23 10:07:29)
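As an added example (not code from the thread or from the Proxmark3 project), here is a small Python parser for the select sequence in the trace above: it verifies the BCC of each anticollision reply and the CRC_A of the SELECT/HALT/SAK frames (the `ok` column), strips the 0x88 cascade tag to rebuild the 7-byte UID that `hf 14a sim ... u <UID>` takes, and decodes the final SAK. The embedded frames are copied from the trace with the timing columns dropped; the SAK table is from NXP's AN10833.

```python
SAK_TYPES = {0x09: "MIFARE Mini", 0x08: "MIFARE Classic 1K", 0x18: "MIFARE Classic 4K"}

# Constructed input: frames of one select cycle copied from the trace above, timings dropped
TRACE = """\
Rdr |26 | | REQA
Tag |44 00 | |
Rdr |93 20 | | ANTICOLL
Tag |88 04 28 56 f2 | |
Rdr |93 70 88 04 28 56 f2 46 ed | ok | SELECT_UID
Tag |04 da 17 | |
Rdr |95 20 | | ANTICOLL-2
Tag |52 8b 3a 80 63 | |
Rdr |95 70 52 8b 3a 80 63 45 27 | ok | ANTICOLL-2
Tag |09 3f cc | |
Rdr |50 00 57 cd | ok | HALT
"""

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (preset 0x6363, reflected poly 0x8408), LSB first as sent."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def parse_frames(trace: str):
    """Yield (src, raw_bytes) for each 'Src | Data | CRC | Annotation' trace line."""
    for line in trace.splitlines():
        src, data, *_ = (p.strip() for p in line.split("|"))
        yield src, bytes.fromhex(data.replace(" ", ""))

def select_sequence(trace: str) -> dict:
    """Rebuild UID and SAK; list frames whose trailing CRC_A does not verify."""
    uid, sak, crc_errors = bytearray(), None, []
    for src, data in parse_frames(trace):
        if src == "Tag" and len(data) == 5:  # anticollision reply: 4 bytes + BCC
            if data[0] ^ data[1] ^ data[2] ^ data[3] != data[4]:
                raise ValueError("BCC mismatch in " + data.hex())
            # 0x88 is the cascade tag: it announces a longer UID and is not part of it
            uid += data[1:4] if data[0] == 0x88 else data[:4]
        elif len(data) >= 3:  # SELECT, HALT and SAK frames carry a 2-byte CRC_A
            if crc_a(data[:-2]) != data[-2:]:
                crc_errors.append(data.hex())
            if src == "Tag":
                sak = data[0]  # bit 0x04 set means another cascade level follows
    return {"uid": uid.hex(), "sak": sak,
            "type": SAK_TYPES.get(sak, "unknown"), "crc_errors": crc_errors}
```

For the trace above this yields UID 042856528b3a80 and a final SAK of 0x09, i.e. a MIFARE Mini, which matches what is said later in the thread about the DI tokens.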
@belette, I don't use sniff and list, I do
hf 14a sim u <UID> t 6 x
using iceman's fork, which does additional processing to determine the key A. I don't know if that's been rolled into mainline yet.
Oh, thanks. I'll try this afternoon.
OK, I think I have a "good" dump of "Ahsoka Tano", raw and decrypted. Do you need me to share it?
But it doesn't work with "hf mf eload 0 ...".
It works for 10 sec with:
hf mf eload 0 "file"
hf 14a sim t 6 u 040ECBB28C3A81
Last edited by belette (2016-01-23 15:07:11)
When you are simulating, you'll need an encrypted (raw?) dump.
I have used the left part of your didump script.
Does it say that it reached 1000 commands?
And is the sector trailer filled with the key A?...
"Does it say that it reached 1000 commands?" Yes.
"And is the sector trailer filled with the key A?..." I don't know, I didn't look.
If you want to simulate longer... you comment out that part in iso14443a.c in /armsrc.
Also, I believe the game caches UIDs so if you've failed to successfully simulate a given UID, you have to exit and restart whatever portion of the game you're in (possibly the entire game, although I just had to go back to the main menu on PS3) to get it to properly try again.
@iceman
This?
if(cmdsRecvd > 999) {
    DbpString("1000 commands later...");
    break;
}
@all
Have you found a MIFARE double-size UID, or what else to try?
Yeap, that's your 1000 command limit...
I have commented the line, compiled and flashed the pm3, but the pm3's relay always goes "clac" after 10-20 sec (the simulation works for 10-20 sec).
Last edited by belette (2016-01-24 11:10:55)
The click/reset is the WatchDogTimer not being triggered..
Add this at the beginning of the loop.. should work better.
for(;;) {
    WDT_HIT();
Sorry, but it doesn't work any more (same bug). It's not a real problem, I can test dumps in the future.
I know that someone else in this thread modified the sim and was successful in running it for a whole level. It shouldn't be a problem to do it. The watchdog timer reset shouldn't happen. I'm curious about it.
OK, I'll wait. I have 5 characters (3 for V2 and 2 for V2), one trophy for each, if somebody needs them, and I have an office colleague who can share with me to help, I think.
I repeat, I'm not a dev, but if I can help you in one way or another...
Is it possible to have a summary of what we know: sniff the key between portal and token, dump (didump?), dump data map? calculate checksum? generate a token with a blank s20 UID...
Have you tried this:
https://www.reddit.com/r/Disney_Infinity/comments/3jbrvd/i_think_my_iphone_6_plus_unlocked_disney_partners/
Can you compare sector 3 block 0 (and 1) between unencrypted dumps?
DI 3 tag
0000000000000000FEE05E077507544D
DI 2 tag
0000000000000000FEE05E06020064DB
Last edited by belette (2016-02-04 11:55:37)
And sector 0 block 1:
DI 2.0
878AB009706DC38511B8DF50A58E6410 000F42A5 0E0A1502 0002D11F 290A4409 figurine
7696BACE1381DFC02302216A5B3A6220 000F42A6 0E060A02 0002D11F 25A7A2F6 figurine in starter pack
10EA0E46B8CBD82BE568571E7E56FA9D 000F42A7 0E060A02 0002D11F 32DCB6B5 figurine in starter pack
C5A04531FE2852E38D9DDE4CD47B3E07 000F42AD 0E060602 0002D11F D030FC50 figurine in starter pack
CE5CA6EBCBE80E70BCEC81AEDEEC9625 001E84E4 0E060502 0002D11F 3E4C5E4F trophy in starter pack
76611D2860F078A39ED82D37737D09B6 001E84E7 0E060402 0002D11F CC9DB12F powerdisc in starter pack
0ED8942F95C5AFCB4969998607625837 001E84E8 0E051E02 0002D11F 8081459E powerdisc in starter pack
DI 3.0
EE4DC7A748142A0D3EAA67C636ADE1E1 000F4308 0F041802 0003D11F F2EA48A6 figurine in starter pack
DAD83D2C6FBA004E8CE566AE6DD29405 000F430B 0F041802 0003D11F CB677463 figurine in starter pack
A0349F138852C4AC87ADCC40C382AC7B 000F432E 0F080F02 0003D11F DA72EBD8 figurine
2C63B3CEE544E1C9172FCCB9AF537A04 001E854A 0F041202 0003D11F B9CC25AC trophy in starter pack
Was anyone able to get the DI portal firmware?
Was anyone able to get the DI portal firmware?
No. I spent several days trying/analyzing different methods to extract the firmware but none of them worked or would work. I ended up modifying my DI base so that it outputs the calculated MIFARE key whenever a DI tag is scanned.
https://youtu.be/tNnkrzhVFCU
hm, did you change your DI base firmware?!? or do you call it with one of those node.js-usb projects I've seen and tested on Lego?
hm, did you change your DI base firmware?!? or do you call it with one of those node.js-usb projects I've seen and tested on Lego?
No. The DI firmware (STM32F102) calculates the key and gives it to the NFC frontend (MFRC630) which handles the MIFARE authentication. I simply attached my own microcontroller (STM32F103) to the SPI bus and wrote a small program that outputs the key via UART.
Is it possible to share the schematic and microcontroller code? Or is it a dev board like this: http://www.kubii.fr/cartes-extension-cameras-raspberry-pi/84-carte-embedded-pi-arduino-like-3170111000545.html
iceman wrote: hm, did you change your DI base firmware?!? or do you call it with one of those node.js-usb projects I've seen and tested on Lego?
No. The DI firmware (STM32F102) calculates the key and gives it to the NFC frontend (MFRC630) which handles the MIFARE authentication. I simply attached my own microcontroller (STM32F103) to the SPI bus and wrote a small program that outputs the key via UART.
Very good P.O.C.! Did you test some STM32F vulnerabilities? If so, can you share them even if they won't work with the DI base?
DI uses MIFARE Mini 0.3K, same diversified key for all sectors. Sim and sniff is one way of getting the key. Use nested to get a dumpkeys file.
Or use didump.lua with the key.
Could you give me a hint, what's your command for the nested attack?
I took the command "hf mf nested 0 0 A FFFFFFFFFFFF d" and got an authorization failure.
When I took the command "hf mf hardnested 0 A FFFFFFFFFFFF 4 A w" it's the same.
Don't know the diversification algo, I only sniff the traffic between DI portal and toy token, and got the key from there.
Then you get one key, and you know how to do it from there.
Okay, then I have to buy a DI portal - today I have only the toy token.
Thank you.
If you don't have a friend who has the DI portal? Or visit the store.
Otherwise, yes, that's the only option at this moment in time to get hold of the keys for a DI token, since hardnested needs a known key.
No, I don't have a friend with a DI portal.
But my DI portal comes tomorrow. :-) Hopefully I can plug it into my PC.
I simply attached my own microcontroller (STM32F103) to the SPI bus and wrote a small program that outputs the key via UART.
Have you been able to inject a UID into the SPI bus as well? Would like to talk with you about this, if so.
Amazing!
There seems to be some real progress in DI keygen algo. I'm excited!
Someone figured out the algorithm? Really? This person must be a genius!
True genius, DI keygen algo has been searched for a long time.
If that someone only could tell how s/he did it... Like hardcore and with details, so all of us might learn something.
Do you have some insights to share?
and yes, I will publish my changes to some lua scripts soon.
I obviously don't know how this genius did it, but this is how I would do it.
- Find STM32 read-out protection exploit and dump firmware
- Disassemble firmware
- Look for uid-to-key algorithm code
- Profit
What a genius.
One of these days I need to learn about STM32 read-out exploitation.
It's like my RFID skills are not enough.