Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#51 2016-01-22 17:08:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

I think you can find some DI USB emulators on GitHub; you'll need those USB commands.

#52 2016-01-22 17:50:53

bettse
Contributor
From: Portland, OR, USA
Registered: 2015-02-16
Posts: 32

Re: [FINISHED] A popular toy, Disney Infinity

The character list is already maintained at http://disneyinfinity.wikia.com/wiki/Disney_Infinity/Model_Numbers by fans of the game who noticed the model numbers are on the bottom of the character base. The same number is used internally, although it's encrypted on the token.

#53 2016-01-23 10:06:36

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

Hmm, what have I forgotten?

hf 14a sniff

hf list 14a

         
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |         
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|         
          0 |       1056 | Rdr |26                                                               |     | REQA         
    9549696 |    9550752 | Rdr |26                                                               |     | REQA         
   19100080 |   19101136 | Rdr |26                                                               |     | REQA         
   28649952 |   28651008 | Rdr |26                                                               |     | REQA         
   38199184 |   38200240 | Rdr |26                                                               |     | REQA         
   47122436 |   47122692 | Tag |00!                                                              |     |           
   47748864 |   47749920 | Rdr |26                                                               |     | REQA         
   57298000 |   57299056 | Rdr |26                                                               |     | REQA         
   66360788 |   66360980 | Tag |01                                                               |     |           
   66847776 |   66848832 | Rdr |26                                                               |     | REQA         
   75772084 |   75772276 | Tag |01                                                               |     |           
   75826020 |   75826532 | Tag |02                                                               |     |           
   75909380 |   75909700 | Tag |03!                                                              |     |           
   76396912 |   76397968 | Rdr |26                                                               |     | REQA         
   76399156 |   76401524 | Tag |44  00                                                           |     |           
   76454080 |   76456544 | Rdr |93  20                                                           |     | ANTICOLL         
   76457732 |   76463620 | Tag |88  04  28  56  f2                                               |     |           
   76528560 |   76539024 | Rdr |93  70  88  04  28  56  f2  46  ed                               |  ok | SELECT_UID         
   76540276 |   76543796 | Tag |04  da  17                                                       |     |           
   76593488 |   76595952 | Rdr |95  20                                                           |     | ANTICOLL-2         
   76597140 |   76602964 | Tag |52  8b  3a  80  63                                               |     |           
   76667984 |   76678448 | Rdr |95  70  52  8b  3a  80  63  45  27                               |  ok | ANTICOLL-2         
   76679700 |   76683220 | Tag |09  3f  cc                                                       |     |           
   76731360 |   76736128 | Rdr |50  00  57  cd                                                   |  ok | HALT         
   76946896 |   76947952 | Rdr |26                                                               |     | REQA         
   85871604 |   85871796 | Tag |01                                                               |     |           
   86498592 |   86499648 | Rdr |26                                                               |     | REQA         
   86500836 |   86503204 | Tag |44  00                                                           |     |           
   86555680 |   86558144 | Rdr |93  20                                                           |     | ANTICOLL         
   86559332 |   86565220 | Tag |88  04  28  56  f2                                               |     |           
   86630160 |   86640624 | Rdr |93  70  88  04  28  56  f2  46  ed                               |  ok | SELECT_UID         
   86641876 |   86645396 | Tag |04  da  17                                                       |     |           
   86695792 |   86697552 | Rdr |f1  0e                                                           |     | ?         
   86698724 |   86704548 | Tag |52  8b  3a  80  63                                               |     |           
   86769584 |   86780048 | Rdr |95  70  52  8b  3a  80  63  45  27                               |  ok | ANTICOLL-2         
   86781300 |   86784820 | Tag |09  3f  cc                                                       |     |           
   86833056 |   86837824 | Rdr |50  00  57  cd                                                   |  ok | HALT         
   87048480 |   87049536 | Rdr |26                                                               |     | REQA         
   96599568 |   96600624 | Rdr |26                                                               |     | REQA

I don't find the pwd.

Last edited by belette (2016-01-23 10:07:29)

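
The trace above, read back as an added example (my code, not belette's and not the Proxmark3 project's): it takes the activation frames as captured, checks the BCC of each anticollision reply and the CRC_A of every CRC-bearing frame, and rebuilds the 7-byte UID from the two cascade levels (ATQA 44 00 announces a double-size UID, SAK 04 says the cascade is not finished, SAK 09 ends it).

```c
/* Added example, not from the thread: replays the activation frames from the
 * "hf list 14a" trace above and rebuilds the double-size UID, checking the
 * BCC of each anticollision reply and the CRC_A of every CRC-bearing frame. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* CRC_A (ISO/IEC 14443-3): poly 0x8408 reflected, init 0x6363, sent low byte first. */
static uint16_t crc_a(const uint8_t *buf, size_t len) {
    uint16_t crc = 0x6363;
    for (size_t i = 0; i < len; i++) {
        uint8_t ch = buf[i] ^ (uint8_t)crc;
        ch ^= (uint8_t)(ch << 4);
        crc = (crc >> 8) ^ ((uint16_t)ch << 8) ^ ((uint16_t)ch << 3) ^ (ch >> 4);
    }
    return crc;
}
/* True when the last two bytes of a frame are a valid CRC_A over the rest. */
static int crc_ok(const uint8_t *f, size_t len) {
    if (len < 3) return 0;
    uint16_t c = crc_a(f, len - 2);
    return f[len - 2] == (c & 0xFF) && f[len - 1] == (c >> 8);
}
/* ATQA byte 0 bits 7..6: 0 = single (4 B), 1 = double (7 B), 2 = triple (10 B). */
static int atqa_uid_size(uint8_t atqa0) { return (atqa0 >> 6) & 0x03; }
/* SAK bit 0x04 set: UID incomplete, the reader must run the next cascade level. */
static int sak_cascade(uint8_t sak) { return (sak & 0x04) != 0; }
/* Anticollision reply: 4 bytes (cascade tag / UID parts) + BCC = xor of the 4. */
static int bcc_ok(const uint8_t *r) { return (r[0] ^ r[1] ^ r[2] ^ r[3]) == r[4]; }
/* Joins level 1 (0x88 cascade tag + uid0..2) and level 2 (uid3..6) into 7 bytes;
 * returns 7, or 0 when the cascade tag or a BCC is wrong. */
static int assemble_uid(const uint8_t *cl1, const uint8_t *cl2, uint8_t *uid) {
    if (cl1[0] != 0x88 || !bcc_ok(cl1) || !bcc_ok(cl2)) return 0;
    memcpy(uid, cl1 + 1, 3);
    memcpy(uid + 3, cl2, 4);
    return 7;
}

/* Frames copied from the trace (timing, parity and annotation columns dropped). */
static const uint8_t ATQA[] = {0x44, 0x00};
static const uint8_t CL1[]  = {0x88, 0x04, 0x28, 0x56, 0xf2};
static const uint8_t SEL1[] = {0x93, 0x70, 0x88, 0x04, 0x28, 0x56, 0xf2, 0x46, 0xed};
static const uint8_t SAK1[] = {0x04, 0xda, 0x17};
static const uint8_t CL2[]  = {0x52, 0x8b, 0x3a, 0x80, 0x63};
static const uint8_t SEL2[] = {0x95, 0x70, 0x52, 0x8b, 0x3a, 0x80, 0x63, 0x45, 0x27};
static const uint8_t SAK2[] = {0x09, 0x3f, 0xcc};
static const uint8_t HALT[] = {0x50, 0x00, 0x57, 0xcd};
static int trace_crcs_ok(void) {
    return crc_ok(SEL1, sizeof SEL1) && crc_ok(SAK1, sizeof SAK1) && crc_ok(SEL2, sizeof SEL2)
        && crc_ok(SAK2, sizeof SAK2) && crc_ok(HALT, sizeof HALT);
}
static int trace_uid(uint8_t *uid) { return assemble_uid(CL1, CL2, uid); }
int main(void) {
    uint8_t uid[7];
    printf("uid size code %d, crcs ok %d, cascade after SAK1/SAK2 %d/%d, uid:",
           atqa_uid_size(ATQA[0]), trace_crcs_ok(), sak_cascade(SAK1[0]), sak_cascade(SAK2[0]));
    for (int i = 0, n = trace_uid(uid); i < n; i++) printf(" %02x", uid[i]);
    printf("\n");
    return 0;
}
```

The "f1 0e" reader command the listing could not annotate and the two tag replies flagged with a parity error carry no CRC and are left out here.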
#54 2016-01-23 11:32:35

securitoys
Contributor
Registered: 2015-06-13
Posts: 19

Re: [FINISHED] A popular toy, Disney Infinity

@belette, I don't use sniff and list, I do

hf 14a sim u <UID> t 6 x

using iceman's fork, which does additional processing to determine the key A. I don't know if that's been rolled into mainline yet.

#55 2016-01-23 11:38:46

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

Oh, thanks. I'll try this afternoon.

#56 2016-01-23 14:34:12

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

OK, I think I have a "good" dump of "Ahsoka Tano", raw and decrypted. Do you need me to share it?

But it doesn't work with "hf mf eload 0 ...".

It works for 10 sec with:

hf mf eload 0 "file"
hf 14a sim t 6 u 040ECBB28C3A81

Last edited by belette (2016-01-23 15:07:11)

#57 2016-01-23 17:43:03

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

When you are simulating, you'll need an encrypted (raw?) dump.

#58 2016-01-23 18:34:53

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

I have used the left part of your didump script.

#59 2016-01-23 20:35:41

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

Does it say that it reached 1000 commands?
And is the sector trailer filled with the key A?...

#60 2016-01-23 21:01:06

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

"Does it say that it reached 1000 commands?" Yes.
"And is the sector trailer filled with the key A?..." I don't know, I didn't look. Hmm.

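
An added example for iceman's sector-trailer question (my code, not from the thread or the Proxmark3 project): it checks a MIFARE Mini (0.3K, 5 sectors of 4 blocks) emulator image the way one would before "hf mf eload", confirming that each trailer holds the key A and that the access bits agree with their inverted copies. The key, UID and block contents are constructed placeholders; no real DI key appears.

```c
/* Added example, not from the thread: checks a MIFARE Mini (0.3K) emulator
 * image the way one would before "hf mf eload": every sector trailer must
 * carry the key A with self-consistent access bits. All bytes are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTORS    5                           /* Mini: 5 sectors x 4 blocks */
#define BLOCK_SIZE 16
#define IMAGE_SIZE (SECTORS * 4 * BLOCK_SIZE)  /* 320 bytes */
/* Placeholder key A, NOT a real DI key (the thread publishes none). */
static const uint8_t KEY_A[6] = {0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5};
/* Access bits sit in trailer bytes 6..8, each nibble stored once inverted:
 * byte6 = ~C2|~C1, byte7 = C1|~C3, byte8 = C3|C2 (high|low nibble). */
static int access_bits_ok(const uint8_t *tr) {
    uint8_t c1 = tr[7] >> 4, c2 = tr[8] & 0x0F, c3 = tr[8] >> 4;
    return (tr[6] & 0x0F) == (~c1 & 0x0F) && (tr[6] >> 4) == (~c2 & 0x0F)
        && (tr[7] & 0x0F) == (~c3 & 0x0F);
}

/* Counts trailers holding KEY_A with valid access bits; *bad = first failing sector or -1. */
static int check_trailers(const uint8_t *img, int *bad) {
    int good = 0; *bad = -1;
    for (int s = 0; s < SECTORS; s++) {
        const uint8_t *tr = img + (s * 4 + 3) * BLOCK_SIZE;   /* block 3 of sector s */
        if (memcmp(tr, KEY_A, 6) == 0 && access_bits_ok(tr)) good++;
        else if (*bad < 0) *bad = s;
    }
    return good;
}
/* Constructed image: fill=0 leaves trailers zeroed, as a data-only decrypted
 * dump would; corrupt >= 0 flips one access bit in that sector's trailer. */
static void build_image(uint8_t *img, int fill, int corrupt) {
    static const uint8_t uid[7] = {0x04, 0x0E, 0xCB, 0xB2, 0x8C, 0x3A, 0x81};   /* UID from belette's sim command */
    static const uint8_t acl[4] = {0xFF, 0x07, 0x80, 0x69};   /* transport-default access bits */
    memset(img, 0, IMAGE_SIZE);
    memcpy(img, uid, 7);
    for (int s = 0; fill && s < SECTORS; s++) {
        uint8_t *tr = img + (s * 4 + 3) * BLOCK_SIZE;
        memcpy(tr, KEY_A, 6);
        memcpy(tr + 6, acl, 4);
        memset(tr + 10, 0xFF, 6);          /* key B: placeholder */
        if (s == corrupt) tr[7] ^= 0x10;   /* C1 changed; the byte-6 copy now disagrees */
    }
}
/* Build-and-check wrappers so a result can be read without passing buffers. */
static int good_trailers(int fill, int corrupt) {
    uint8_t img[IMAGE_SIZE]; int bad;
    build_image(img, fill, corrupt);
    return check_trailers(img, &bad);
}
static int first_bad_sector(int fill, int corrupt) {
    uint8_t img[IMAGE_SIZE]; int bad;
    build_image(img, fill, corrupt); check_trailers(img, &bad);
    return bad;
}
int main(void) {
    printf("filled %d, zeroed %d, sector-2-broken %d trailers ok (of 5); first bad sector in zeroed image: %d\n",
           good_trailers(1, -1), good_trailers(0, -1), good_trailers(1, 2), first_bad_sector(0, -1));
    return 0;
}
```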
#61 2016-01-23 21:07:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

If you want to simulate longer... comment out that part in armsrc/iso14443a.c.

#62 2016-01-24 01:05:14

securitoys
Contributor
Registered: 2015-06-13
Posts: 19

Re: [FINISHED] A popular toy, Disney Infinity

Also, I believe the game caches UIDs so if you've failed to successfully simulate a given UID, you have to exit and restart whatever portion of the game you're in (possibly the entire game, although I just had to go back to the main menu on PS3) to get it to properly try again.

#63 2016-01-24 07:58:55

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

@iceman

this?

if(cmdsRecvd > 999) {
        DbpString("1000 commands later...");
        break;
}

@all

Have you found a Mifare with a double-size UID, or what else to try?

#64 2016-01-24 10:04:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

Yeap, that's your 1000 command limit...

#65 2016-01-24 11:09:27

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

I have commented out the line, compiled and flashed the pm3, but the pm3's relay always "clacks" after 10-20 sec (simulation works for 10-20 sec).

Last edited by belette (2016-01-24 11:10:55)

#66 2016-01-24 15:53:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

The click/reset is the WatchDogTimer not being triggered..
Add this at the beginning of the loop .. should work better.

for(;;) {
	WDT_HIT();

#67 2016-01-24 18:37:46

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

Sorry, but it doesn't work any more (same bug). It's not a real problem, I can test dumps in the future.

#68 2016-01-24 20:04:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

I know that someone else in this thread modified the sim and was successful in running it for a whole level. It shouldn't be a problem to do it. The watchdog timer reset shouldn't happen. I'm curious about it.

#69 2016-01-24 20:49:07

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

OK, I'll wait. I have 5 characters (3 for V2 and 2 for V2), one trophy for each, if somebody needs them, and I have an office colleague who can share with me to help, I think.

I repeat, I'm not a dev, but if I can help you in one way or another ...

#70 2016-01-27 10:40:06

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

Is it possible to have a summary of what we know: sniff the key between portal and token, dump (didump?), dump data map? calculate checksum? generate a token with a blank S20 UID ....

#71 2016-01-29 13:40:38

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

Have you tried this:

https://www.reddit.com/r/Disney_Infinity/comments/3jbrvd/i_think_my_iphone_6_plus_unlocked_disney_partners/

#72 2016-02-04 11:52:55

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

Can you compare sector 3 block 0 (and 1) between unencrypted dumps? :)

DI 3 tag
0000000000000000FEE05E077507544D

DI 2 tag
0000000000000000FEE05E06020064DB

Last edited by belette (2016-02-04 11:55:37)

#73 2016-02-05 17:31:20

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

And sector 0 block 1:


di 2.0

878AB009706DC38511B8DF50A58E6410        000F42A5        0E0A1502        0002D11F        290A4409        figurine
7696BACE1381DFC02302216A5B3A6220        000F42A6        0E060A02        0002D11F        25A7A2F6        figurine in starter pack
10EA0E46B8CBD82BE568571E7E56FA9D        000F42A7        0E060A02        0002D11F        32DCB6B5        figurine in starter pack
C5A04531FE2852E38D9DDE4CD47B3E07        000F42AD        0E060602        0002D11F        D030FC50        figurine in starter pack
CE5CA6EBCBE80E70BCEC81AEDEEC9625        001E84E4        0E060502        0002D11F        3E4C5E4F        trophy in starter pack
76611D2860F078A39ED82D37737D09B6        001E84E7        0E060402        0002D11F        CC9DB12F        powerdisc in starter pack
0ED8942F95C5AFCB4969998607625837        001E84E8        0E051E02        0002D11F        8081459E        powerdisc in starter pack

di 3.0

EE4DC7A748142A0D3EAA67C636ADE1E1        000F4308        0F041802        0003D11F        F2EA48A6        figurine in starter pack
DAD83D2C6FBA004E8CE566AE6DD29405        000F430B        0F041802        0003D11F        CB677463        figurine in starter pack
A0349F138852C4AC87ADCC40C382AC7B        000F432E        0F080F02        0003D11F        DA72EBD8        figurine 
2C63B3CEE544E1C9172FCCB9AF537A04        001E854A        0F041202        0003D11F        B9CC25AC        trophy in starter pack

#74 2016-02-10 10:55:00

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

Was anyone able to get the DI portal firmware?

#75 2016-02-14 20:35:37

junglipar
Contributor
Registered: 2016-01-02
Posts: 7

Re: [FINISHED] A popular toy, Disney Infinity

iceman wrote:

Was anyone able to get the DI portal firmware?

No. I spent several days trying/analyzing different methods to extract the firmware but none of them worked or would work. I ended up modifying my DI base so that it outputs the calculated MIFARE key whenever a DI tag is scanned.

https://youtu.be/tNnkrzhVFCU

#76 2016-02-14 20:54:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

hm, did you change your DI base firmware?!? or do you call it with one of those node.js-usb projects I've seen and tested on Lego?

#77 2016-02-14 21:36:19

junglipar
Contributor
Registered: 2016-01-02
Posts: 7

Re: [FINISHED] A popular toy, Disney Infinity

iceman wrote:

hm, did you change your DI base firmware?!? or do you call it with one of those node.js-usb projects I've seen and tested on Lego?

No. The DI firmware (STM32F102) calculates the key and gives it to the NFC frontend (MFRC630) which handles the MIFARE authentication. I simply attached my own microcontroller (STM32F103) to the SPI bus and wrote a small program that outputs the key via UART.

#78 2016-02-15 09:35:10

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] A popular toy, Disney Infinity

Is it possible to share the schematic and microcontroller code? Or is it a dev board like this: http://www.kubii.fr/cartes-extension-cameras-raspberry-pi/84-carte-embedded-pi-arduino-like-3170111000545.html

#79 2016-02-16 13:26:09

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] A popular toy, Disney Infinity

junglipar wrote:
iceman wrote:

hm, did you change your DI base firmware?!? or do you call it with one of those node.js-usb projects I've seen and tested on Lego?

No. The DI firmware (STM32F102) calculates the key and gives it to the NFC frontend (MFRC630) which handles the MIFARE authentication. I simply attached my own microcontroller (STM32F103) to the SPI bus and wrote a small program that outputs the key via UART.

Very good P.O.C.! Did you test some STM32F vulnerabilities? If so, can you share them even if they won't work with the DI base?

#80 2016-04-20 19:05:46

Christian22
Contributor
Registered: 2016-04-11
Posts: 13

Re: [FINISHED] A popular toy, Disney Infinity

iceman wrote:

----------------------------------------------------------------------------------
DI uses Mifare Mini 0.3K, same diversified key for all sectors.

Sim and sniff are one way of getting the key. Use Nested to get a dumpkeys file,
or use didump.lua with the key.


Could you give me a hint, what's your command for the nested attack?
I took the command "hf mf nested 0 0 A FFFFFFFFFFFF d" and got an authorization failure.
When I took the command "hf mf hardnested 0 A FFFFFFFFFFFF 4 A w" it's the same.

#81 2016-04-20 19:18:56

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

I don't know the diversification algo; I only sniffed the traffic between the DI portal and the toy token, and got the key from there.
Then you have one key, and you know how to do it from there.

#82 2016-04-20 20:12:35

Christian22
Contributor
Registered: 2016-04-11
Posts: 13

Re: [FINISHED] A popular toy, Disney Infinity

Okay, then I have to buy a DI portal - today I have only the toy token.
Thank you.

#83 2016-04-21 06:22:05

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

If you don't have a friend who has the DI portal? Or visit the store :)
Otherwise yes, that's the only option at this moment in time to get hold of the keys for a DI token, since hardnested needs a known key.

#84 2016-04-21 19:58:56

Christian22
Contributor
Registered: 2016-04-11
Posts: 13

Re: [FINISHED] A popular toy, Disney Infinity

No, I don't have a friend with a DI portal.
But my DI portal comes tomorrow. :-) Hopefully I can plug it into my PC.

#85 2016-09-19 15:41:57

securitoys
Contributor
Registered: 2015-06-13
Posts: 19

Re: [FINISHED] A popular toy, Disney Infinity

junglipar wrote:

I simply attached my own microcontroller (STM32F103) to the SPI bus and wrote a small program that outputs the key via UART.

Have you been able to inject a UID into the SPI bus as well?  Would like to talk with you about this, if so.

#86 2017-04-28 22:08:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

Amazing!
There seems to be some real progress in the DI keygen algo. :) I'm excited!

#87 2017-04-28 23:24:39

junglipar
Contributor
Registered: 2016-01-02
Posts: 7

Re: [FINISHED] A popular toy, Disney Infinity

Someone figured out the algorithm? Really? This person must be a genius! :)

#88 2017-04-28 23:31:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

True genius, the DI keygen algo has been searched for a long time.
If that someone only could tell how s/he did it... Like hardcore and with details, so all of us might learn something.

Do you have some insights to share?

and yes, I will publish my changes to some lua scripts soon.

#89 2017-04-28 23:42:49

junglipar
Contributor
Registered: 2016-01-02
Posts: 7

Re: [FINISHED] A popular toy, Disney Infinity

I obviously don't know how this genius did it, but this is how I would do it.

- Find STM32 read-out protection exploit and dump firmware
- Disassemble firmware
- Look for uid-to-key algorithm code
- Profit

#90 2017-04-28 23:52:06

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] A popular toy, Disney Infinity

What a genius.
One of these days I need to learn about STM32 read-out exploitation.
It's like my RFID skills are not enough.
