Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2013-12-31 17:44:51

rickbutton
Member
Registered: 2013-12-31
Posts: 7

New Type of Tag?

I scanned a popular toy figure (Skylanders) and most Android apps say that it is a Mifare Classic, but the ATQA and SAK were not anything I'd seen before.

ATQA: 0F 01
SAK: 01

I did some research and according to this document:

http://www.nxp.com/documents/application_note/AN10833.pdf

Those values indicate a TNP3xxx (whatever that is, because there is no other reference to it anywhere). Is this a case of a custom chip being made for the game figures, or a rebranding? Does anyone else have access to one of these chips? If so, is it vulnerable to the same weaknesses as the Mifare Classic?


#2 2013-12-31 19:16:03

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: New Type of Tag?

You can hack it - I think mfoc will work, as it may contain a default key:
http://forum.darkspyro.net/spyro/viewposts.php?topic=72838
http://kotaku.com/5871789/man-hacks-skylanders-gets-nasty-letter-from-activision
http://www.maxconsole.com/maxcon_forums/threads/188959-Skylander-Editor-v2-0-released

But be warned, Activision does not like you messing with their toys:
http://brandonw.net/skylanders/


#3 2013-12-31 19:21:03

rickbutton
Member
Registered: 2013-12-31
Posts: 7

Re: New Type of Tag?

Unfortunately it looks like most of the people who are getting access to the data on these toys are getting it via the "Portal" that comes with the game. The accessory contains the keys, and the editors that have been released only interface with the portal. I contacted NXP about obtaining some more information about the specs of the card, but I doubt they will respond.


#4 2013-12-31 19:53:59

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: New Type of Tag?

try key: 000000000000 wink


#5 2013-12-31 21:03:13

rickbutton
Member
Registered: 2013-12-31
Posts: 7

Re: New Type of Tag?

I will try that as soon as I get access to my Proxmark again. The official NXP android app shows 000000000000 as the B key for the entire card, but a dump of the card from the portal via Brandon Wilson shows access bits of 0F0F0F and 7F0F08, which means that key B can't read anyway. Hopefully it is crackable via mfoc! I will keep everyone updated with as much info as I can find on these cards. They are very intriguing because of the fact that there is literally no information about them (at least available to the public).


#6 2013-12-31 23:05:36

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: New Type of Tag?

Odd. 0F0F0F69 = read-only and 7F0F0869 = read/write with key A/B. Maybe try key A instead of B???

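Decoding the two access-bit values quoted above, as an added example that is not code from this thread or from the Proxmark3 project: it parses MIFARE Classic sector-trailer bytes 6..8 according to the NXP MF1S50 datasheet tables, verifies the inverted copies the chip stores, and reports what each key may do, including the rule that a key B which is readable from the trailer cannot be used for authentication.

```python
# Added example (not from the thread or the Proxmark3 project): decode the
# MIFARE Classic sector-trailer access bits (trailer bytes 6..8) quoted above.
# Tables follow the NXP MF1S50 datasheet; byte 9 is user data and is ignored.
DATA_BLOCK = {  # (C1, C2, C3) -> read / write / increment / decrement,transfer,restore
    (0, 0, 0): "read A|B, write A|B, inc A|B, dec A|B (transport)",
    (0, 1, 0): "read A|B, write never, inc never, dec never (read-only)",
    (1, 0, 0): "read A|B, write B, inc never, dec never",
    (1, 1, 0): "read A|B, write B, inc B, dec A|B (value block)",
    (0, 0, 1): "read A|B, write never, inc never, dec A|B (value block)",
    (0, 1, 1): "read B, write B, inc never, dec never",
    (1, 0, 1): "read B, write never, inc never, dec never",
    (1, 1, 1): "read never, write never, inc never, dec never",
}
TRAILER = {  # (C1, C2, C3) -> key A read/write, access bits read/write, key B read/write
    (0, 0, 0): "keyA -/A, bits A/-, keyB A/A",
    (0, 1, 0): "keyA -/-, bits A/-, keyB A/-",
    (1, 0, 0): "keyA -/B, bits AB/-, keyB -/B",
    (1, 1, 0): "keyA -/-, bits AB/-, keyB -/-",
    (0, 0, 1): "keyA -/A, bits A/A, keyB A/A",
    (0, 1, 1): "keyA -/B, bits AB/B, keyB -/B",
    (1, 0, 1): "keyA -/-, bits AB/B, keyB -/-",
    (1, 1, 1): "keyA -/-, bits AB/-, keyB -/-",
}
# Trailer conditions under which key B is readable; a readable key B cannot be
# used for authentication, so "A|B" then effectively means key A only.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}

def decode_access_bits(b6, b7, b8):
    """Return [(C1, C2, C3)] for blocks 0..3; each bit is stored plain and
    inverted, and a mismatch is rejected just as the chip treats it as invalid."""
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    if (~b6 & 0xF, (~b6 >> 4) & 0xF, ~b7 & 0xF) != (c1, c2, c3):
        raise ValueError("access bits fail their inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def describe_access(hexstr):
    """Decode a hex string such as '0F0F0F69' into per-block conditions."""
    b6, b7, b8 = bytes.fromhex(hexstr)[:3]
    conds = decode_access_bits(b6, b7, b8)
    return {
        "blocks": [DATA_BLOCK[c] for c in conds[:3]],
        "trailer": TRAILER[conds[3]],
        "key_b_usable_for_auth": conds[3] not in KEY_B_READABLE,
    }

if __name__ == "__main__":
    for bits in ("0F0F0F69", "7F0F0869"):  # the two values quoted in the thread
        print(bits, describe_access(bits))
```

Both values decode to a trailer condition in which key B is readable, which is why authenticating with the 000000000000 key B gets nowhere and key A is the one to look at.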

#7 2014-01-01 01:58:37

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: New Type of Tag?

This is a new type of tag and I don't know if it can be cracked like the 1k; "old" mifare 1k have all keyB set to 00, a common block0 keyA and other blocks' keyA different from toy to toy (there probably is an algo generating them but I was not able to find it). Data contained in toys are AES encrypted but algo and key can be found if you use Google the right way (some copies of the original Brandon works contain them with sources). Portal only receives very simple commands from the game and data are already encrypted while passing on the usb cable so all the "security work" is done by the portal; if crack fails you can always try to log a transaction with pm3, it will work.


#8 2014-01-01 03:25:16

rickbutton
Member
Registered: 2013-12-31
Posts: 7

Re: New Type of Tag?

By "old" are you referring to the older generation of toys? If so I should probably pick some of the earlier ones up. So far I only have access to the recently made toys.

From my research, it seems that the portal handles just the card itself (Mifare authentication and crypto1) and the software (game) handles the AES encryption of the card data. The PC driver receives the AES encrypted blocks, and the driver decrypts them, so the portal probably has no knowledge of the block level encryption.


#9 2014-01-01 08:42:22

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: New Type of Tag?

rickbutton wrote:

By "old" are you referring to the older generation of toys? If so I should probably pick some of the earlier ones up. So far I only have access to the recently made toys.

From my research, it seems that the portal handles just the card itself (Mifare authentication and crypto1) and the software (game) handles the AES encryption of the card data. The PC driver receives the AES encrypted blocks, and the driver decrypts them, so the portal probably has no knowledge of the block level encryption.

Yes, old toys have mifare classic inside.
Yes, AES encryption is made by the game (AES key is generated by md5 hash of a 3 "parts" string made of 2 fixed values and 1 variable value for each tag (last one is the sector number)); the portal acts as a reader and answers simple commands sent over USB (the command syntax is slightly different between wireless and wired portal version).


EDIT
Can you provide a dump or at least detailed info (size, lock bits, etc) of that new tag so I can add it to the database list? You can use TagInfo for android if you have an NFC capable phone.

Last edited by asper (2014-01-01 12:46:14)


#10 2014-01-03 01:55:35

rickbutton
Member
Registered: 2013-12-31
Posts: 7

Re: New Type of Tag?

Just got quick access to an ACR122u to test some things out, and mfoc (after some modifications to ignore the card type) and mfcuk don't really like the card at all. mfoc tends to just crap out with "Input/Output" errors, and mfcuk can't find keys (so far anyway, been running for a few hours). mfcuk also has a hard time narrowing down the nonces, and so far I've gotten a different nonce every auth attempt.


#11 2014-09-14 05:17:30

n3rd
Contributor
Registered: 2013-03-30
Posts: 38

Re: New Type of Tag?

rickbutton wrote:

By "old" are you referring to the older generation of toys? If so I should probably pick some of the earlier ones up. So far I only have access to the recently made toys.

From my research, it seems that the portal handles just the card itself (Mifare authentication and crypto1) and the software (game) handles the AES encryption of the card data. The PC driver receives the AES encrypted blocks, and the driver decrypts them, so the portal probably has no knowledge of the block level encryption.


I might be misunderstanding, but I read that only the Xbox version of the base has encrypted USB; the Wii, PC, PlayStation, and NDS versions do not (wired or wireless).

The key is plaintext and is known.

Last edited by n3rd (2014-09-14 05:19:52)


#12 2014-12-05 17:37:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: New Type of Tag?

You can read more in this thread http://www.proxmark.org/forum/viewtopic.php?id=2155 about reading the tags from a PM3.
