Research, development and trades concerning the powerful Proxmark3 device.
The character list is already maintained at http://disneyinfinity.wikia.com/wiki/Disney_Infinity/Model_Numbers by fans of the game who noticed the model numbers are on the bottom of the character base. The same number is used internally, although it's encrypted on the token.
Hmm, what have I forgotten?
hf 14a sniff
hf list 14a
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr |26 | | REQA
9549696 | 9550752 | Rdr |26 | | REQA
19100080 | 19101136 | Rdr |26 | | REQA
28649952 | 28651008 | Rdr |26 | | REQA
38199184 | 38200240 | Rdr |26 | | REQA
47122436 | 47122692 | Tag |00! | |
47748864 | 47749920 | Rdr |26 | | REQA
57298000 | 57299056 | Rdr |26 | | REQA
66360788 | 66360980 | Tag |01 | |
66847776 | 66848832 | Rdr |26 | | REQA
75772084 | 75772276 | Tag |01 | |
75826020 | 75826532 | Tag |02 | |
75909380 | 75909700 | Tag |03! | |
76396912 | 76397968 | Rdr |26 | | REQA
76399156 | 76401524 | Tag |44 00 | |
76454080 | 76456544 | Rdr |93 20 | | ANTICOLL
76457732 | 76463620 | Tag |88 04 28 56 f2 | |
76528560 | 76539024 | Rdr |93 70 88 04 28 56 f2 46 ed | ok | SELECT_UID
76540276 | 76543796 | Tag |04 da 17 | |
76593488 | 76595952 | Rdr |95 20 | | ANTICOLL-2
76597140 | 76602964 | Tag |52 8b 3a 80 63 | |
76667984 | 76678448 | Rdr |95 70 52 8b 3a 80 63 45 27 | ok | ANTICOLL-2
76679700 | 76683220 | Tag |09 3f cc | |
76731360 | 76736128 | Rdr |50 00 57 cd | ok | HALT
76946896 | 76947952 | Rdr |26 | | REQA
85871604 | 85871796 | Tag |01 | |
86498592 | 86499648 | Rdr |26 | | REQA
86500836 | 86503204 | Tag |44 00 | |
86555680 | 86558144 | Rdr |93 20 | | ANTICOLL
86559332 | 86565220 | Tag |88 04 28 56 f2 | |
86630160 | 86640624 | Rdr |93 70 88 04 28 56 f2 46 ed | ok | SELECT_UID
86641876 | 86645396 | Tag |04 da 17 | |
86695792 | 86697552 | Rdr |f1 0e | | ?
86698724 | 86704548 | Tag |52 8b 3a 80 63 | |
86769584 | 86780048 | Rdr |95 70 52 8b 3a 80 63 45 27 | ok | ANTICOLL-2
86781300 | 86784820 | Tag |09 3f cc | |
86833056 | 86837824 | Rdr |50 00 57 cd | ok | HALT
87048480 | 87049536 | Rdr |26 | | REQA
96599568 | 96600624 | Rdr |26 | | REQA
I can't find the password.
Last edited by belette (2016-01-23 10:07:29)
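Added example (not code from the original post): a small Python decoder for the 'hf list 14a' trace above. It recomputes CRC_A on the SELECT, HLTA and SAK frames, checks the BCC of each UID cascade level, reassembles the 7-byte UID and interprets ATQA and SAK. The frames in TRACE are copied from the trace above; the function names are chosen here. One thing the decoder makes visible: the capture contains no MIFARE Classic AUTH frames (0x60/0x61) at all, the reader issues HLTA straight after the second cascade level, so this particular session cannot yield a sector key no matter how it is parsed.

```python
"""Check and decode the ISO/IEC 14443-3A select sequence from a Proxmark3 'hf list 14a' trace.

Verifies CRC_A on every frame that carries one, verifies the BCC of each UID cascade
level, reassembles the 7-byte UID and counts MIFARE Classic AUTH requests.
"""

# Constructed sample: one complete select sequence copied from the trace above,
# in the 'start | end | src | data | crc | annotation' layout of 'hf list 14a'.
TRACE = """\
76396912 | 76397968 | Rdr |26 | | REQA
76399156 | 76401524 | Tag |44 00 | |
76454080 | 76456544 | Rdr |93 20 | | ANTICOLL
76457732 | 76463620 | Tag |88 04 28 56 f2 | |
76528560 | 76539024 | Rdr |93 70 88 04 28 56 f2 46 ed | ok | SELECT_UID
76540276 | 76543796 | Tag |04 da 17 | |
76593488 | 76595952 | Rdr |95 20 | | ANTICOLL-2
76597140 | 76602964 | Tag |52 8b 3a 80 63 | |
76667984 | 76678448 | Rdr |95 70 52 8b 3a 80 63 45 27 | ok | ANTICOLL-2
76679700 | 76683220 | Tag |09 3f cc | |
76731360 | 76736128 | Rdr |50 00 57 cd | ok | HALT
"""

CASCADE_TAG = 0x88             # leads a UID fragment when another cascade level follows
SEL_CMDS = (0x93, 0x95, 0x97)  # SEL bytes for cascade levels 1, 2 and 3
MF_AUTH_CMDS = (0x60, 0x61)    # MIFARE Classic AUTH with key A / key B


def crc_a(data: bytes) -> bytes:
    """CRC_A per ISO/IEC 14443-3 Annex B: preset 0x6363, x^16+x^12+x^5+1, sent LSB first."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))


def parse_frames(text: str):
    """Return [(src, bytes), ...] from the table rows; '!' (parity error) markers are dropped."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) >= 4 and cols[2] in ("Rdr", "Tag"):
            frames.append((cols[2], bytes.fromhex(cols[3].replace("!", ""))))
    return frames


def decode_anticollision(frames):
    """Rebuild UID / ATQA / SAK from the frames and record every integrity failure."""
    res = {"uid": b"", "atqa": None, "sak": None,
           "crc_errors": [], "bcc_errors": [], "auth_frames": 0}
    last_rdr = b""
    for src, data in frames:
        if src == "Rdr":
            last_rdr = data
            if len(data) == 9 and data[0] in SEL_CMDS and data[1] == 0x70:
                # SELECT: SEL NVB UID0..UID3 BCC CRC_A(2)
                if crc_a(data[:7]) != data[7:]:
                    res["crc_errors"].append(data.hex())
                frag, bcc = data[2:6], data[6]
                if bcc != frag[0] ^ frag[1] ^ frag[2] ^ frag[3]:
                    res["bcc_errors"].append(data[2:7].hex())
                # the cascade tag itself is not part of the UID
                res["uid"] += frag[1:] if frag[0] == CASCADE_TAG else frag
            elif len(data) == 4 and data[0] == 0x50:          # HLTA + CRC_A
                if crc_a(data[:2]) != data[2:]:
                    res["crc_errors"].append(data.hex())
            elif data and data[0] in MF_AUTH_CMDS:
                res["auth_frames"] += 1
        elif last_rdr in (b"\x26", b"\x52") and len(data) == 2:
            res["atqa"] = data                                 # ATQA carries no CRC
        elif len(last_rdr) == 9 and last_rdr[1] == 0x70 and len(data) == 3:
            if crc_a(data[:1]) != data[1:]:                    # SAK + CRC_A
                res["crc_errors"].append(data.hex())
            res["sak"] = data[0]
    return res


def describe(res) -> str:
    """One-line summary; SAK 0x09 is the value NXP AN10833 and Proxmark3 map to MIFARE Mini."""
    sizes = {0: "4-byte", 1: "7-byte", 2: "10-byte"}
    uid_size = sizes.get(res["atqa"][0] >> 6, "RFU") if res["atqa"] else "unknown"
    tag = "MIFARE Mini" if res["sak"] == 0x09 else f"SAK {res['sak']!r}"
    return (f"UID {res['uid'].hex()} ({uid_size} per ATQA), {tag}, "
            f"{len(res['crc_errors'])} CRC / {len(res['bcc_errors'])} BCC errors, "
            f"{res['auth_frames']} MIFARE AUTH frames")


if __name__ == "__main__":
    print(describe(decode_anticollision(parse_frames(TRACE))))
```

Run against the frames above it reports UID 042856528b3a80, a 7-byte UID per ATQA 44 00, SAK 0x09 (MIFARE Mini, matching the card type named later in the thread), no CRC or BCC errors and zero AUTH frames. The same parser can be pointed at a longer 'hf list 14a' dump; any 60/61 request it counts marks the point where a nested or sniff-based key attack would have something to work with.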
@belette, I don't use sniff and list, I do
hf 14a sim u <UID> t 6 x
using iceman's fork, which does additional processing to determine the key A. I don't know if that's been rolled into mainline yet.
OK, I think I have a "good" dump of "Ahsoka Tano", raw and decrypted. Do you need me to share it?
But it does not work with "hf mf eload 0 ..."
It works for 10 seconds with:
hf mf eload 0 "file"
hf 14a sim t 6 u 040ECBB28C3A81
Last edited by belette (2016-01-23 15:07:11)
Also, I believe the game caches UIDs so if you've failed to successfully simulate a given UID, you have to exit and restart whatever portion of the game you're in (possibly the entire game, although I just had to go back to the main menu on PS3) to get it to properly try again.
I know that someone else in this thread modified the sim and was successful in running it for a whole level. It shouldn't be a problem to do it. The watchdog timer reset shouldn't happen. I'm curious about it.
OK, I'll wait. I have 5 characters (3 for V2 and 2 for V2), one trophy for each, if somebody needs them, and I have an office colleague who can share with me to help, I think.
I repeat, I'm not a dev, but if I can help you in one way or another...
Would it be possible to have a summary of what we know? Sniffing the key between portal and token, dump (didump?), dump data map? Calculating the checksum? Generating a token with a blank s20 UID...
Can you compare sector 3 block 0 (and 1) between the unencrypted dumps?
DI 3 tag
0000000000000000FEE05E077507544D
DI 2 tag
0000000000000000FEE05E06020064DB
Last edited by belette (2016-02-04 11:55:37)
and sector 0 block 1
di 2.0
878AB009706DC38511B8DF50A58E6410 000F42A5 0E0A1502 0002D11F 290A4409 figurine
7696BACE1381DFC02302216A5B3A6220 000F42A6 0E060A02 0002D11F 25A7A2F6 figurine in starter pack
10EA0E46B8CBD82BE568571E7E56FA9D 000F42A7 0E060A02 0002D11F 32DCB6B5 figurine in starter pack
C5A04531FE2852E38D9DDE4CD47B3E07 000F42AD 0E060602 0002D11F D030FC50 figurine in starter pack
CE5CA6EBCBE80E70BCEC81AEDEEC9625 001E84E4 0E060502 0002D11F 3E4C5E4F trophy in starter pack
76611D2860F078A39ED82D37737D09B6 001E84E7 0E060402 0002D11F CC9DB12F powerdisc in starter pack
0ED8942F95C5AFCB4969998607625837 001E84E8 0E051E02 0002D11F 8081459E powerdisc in starter pack
di 3.0
EE4DC7A748142A0D3EAA67C636ADE1E1 000F4308 0F041802 0003D11F F2EA48A6 figurine in starter pack
DAD83D2C6FBA004E8CE566AE6DD29405 000F430B 0F041802 0003D11F CB677463 figurine in starter pack
A0349F138852C4AC87ADCC40C382AC7B 000F432E 0F080F02 0003D11F DA72EBD8 figurine
2C63B3CEE544E1C9172FCCB9AF537A04 001E854A 0F041202 0003D11F B9CC25AC trophy in starter pack
Was anyone able to get the DI portal firmware?
No. I spent several days trying/analyzing different methods to extract the firmware but none of them worked or would work. I ended up modifying my DI base so that it outputs the calculated MIFARE key whenever a DI tag is scanned.
https://youtu.be/tNnkrzhVFCU
Hm, did you change your DI base firmware?!? Or do you call it with one of those node.js-usb projects I've seen and tested on Lego?
No. The DI firmware (STM32F102) calculates the key and gives it to the NFC frontend (MFRC630) which handles the MIFARE authentication. I simply attached my own microcontroller (STM32F103) to the SPI bus and wrote a small program that outputs the key via UART.
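The bus tap described in this post, modelled offline as an added example. The poster's STM32F103 firmware was not published in the thread, so this is not that code; it is a Python decoder for a list of captured host-to-MFRC630 SPI transactions, showing what such a tap has to recognise. It assumes the MFRC630 SPI framing (first byte = register address << 1 | R/W bit, R/W = 1 for read, followed by the data bytes) and the LoadKey/MFAuthent command codes and FIFOData/FIFOControl register addresses as listed in the NXP MFRC630 datasheet (check them against your copy). The capture, the UID and the key value are constructed for the example; spi_write, decode_mfrc630 and recover_keys are names chosen here.

```python
"""Decode a host-to-MFRC630 SPI capture and recover the MIFARE key the host loads.

The MFRC630 performs the MIFARE Classic authentication itself. The host writes the
6-byte key into the FIFO and issues LoadKey, then writes key type, block number and
the four UID bytes into the FIFO and issues MFAuthent. Both steps travel in clear over
the board-level SPI bus, so a tap on MOSI/SCK/CS sees the key.
"""

# Register addresses and command codes as listed in the NXP MFRC630 datasheet
# (check them against your copy). SPI framing: first byte = (register << 1) | R/W,
# R/W = 1 for read, followed by the data bytes of the transaction.
REG_COMMAND = 0x00
REG_FIFOCONTROL = 0x02
REG_FIFODATA = 0x05
FIFO_FLUSH = 0x10            # FlushFifo bit in FIFOControl
CMD_LOADKEY = 0x02
CMD_MFAUTHENT = 0x03
KEY_TYPES = {0x60: "A", 0x61: "B"}


def spi_write(reg: int, *data: int) -> bytes:
    """Bytes a host puts on MOSI for one write transaction (CS asserted around them)."""
    return bytes((reg << 1,) + data)


# Constructed capture: two authentications against a 7-byte-UID tag (UID
# 04 28 56 52 8b 3a 80). For 7-byte MIFARE Classic UIDs the last four bytes are
# the ones used in authentication (this is also what Proxmark3 does). The key
# value is made up for the example; it is not a real Disney Infinity key.
UID_AUTH_BYTES = bytes.fromhex("528b3a80")
CAPTURE = [
    spi_write(REG_FIFOCONTROL, FIFO_FLUSH),
    spi_write(REG_FIFODATA, *bytes.fromhex("a0a1a2a3a4a5")),      # key -> FIFO
    spi_write(REG_COMMAND, CMD_LOADKEY),
    spi_write(REG_FIFODATA, 0x60, 0x00, *UID_AUTH_BYTES),         # key A, block 0, UID
    spi_write(REG_COMMAND, CMD_MFAUTHENT),
    bytes(((0x06 << 1) | 1, 0x00)),                               # IRQ0 read: no secrets
    spi_write(REG_FIFODATA, *bytes.fromhex("a0a1a2a3a4a5")),
    spi_write(REG_COMMAND, CMD_LOADKEY),
    spi_write(REG_FIFODATA, 0x60, 0x04, *UID_AUTH_BYTES),         # key A, block 4 (sector 1)
    spi_write(REG_COMMAND, CMD_MFAUTHENT),
]


def decode_mfrc630(transactions):
    """Return ('loadkey', key_hex) and ('auth', key_type, block, uid_hex) events in order."""
    fifo = bytearray()
    events = []
    for txn in transactions:
        if not txn:
            continue
        reg, is_read, payload = txn[0] >> 1, txn[0] & 1, bytes(txn[1:])
        if is_read:
            continue                       # reads return the card's data, never the host key
        if reg == REG_FIFODATA:
            fifo += payload                # multi-byte writes to FIFOData append in order
        elif reg == REG_FIFOCONTROL and payload and payload[0] & FIFO_FLUSH:
            fifo.clear()
        elif reg == REG_COMMAND and payload:
            cmd = payload[0]
            if cmd == CMD_LOADKEY and len(fifo) >= 6:
                events.append(("loadkey", bytes(fifo[:6]).hex()))
            elif cmd == CMD_MFAUTHENT and len(fifo) >= 6:
                events.append(("auth", KEY_TYPES.get(fifo[0], "?"), fifo[1], bytes(fifo[2:6]).hex()))
            elif cmd in (CMD_LOADKEY, CMD_MFAUTHENT):
                events.append(("error", f"command 0x{cmd:02x} with only {len(fifo)} FIFO bytes"))
            fifo.clear()                   # a command ends the FIFO fill phase we track
    return events


def recover_keys(transactions):
    """Pair each MFAuthent with the key loaded just before it: {(block, type): (key, uid)}."""
    keys, pending = {}, None
    for ev in decode_mfrc630(transactions):
        if ev[0] == "loadkey":
            pending = ev[1]
        elif ev[0] == "auth" and pending is not None:
            keys[(ev[2], ev[1])] = (pending, ev[3])
    return keys


if __name__ == "__main__":
    for (block, ktype), (key, uid) in recover_keys(CAPTURE).items():
        print(f"block {block:2d} key {ktype}: {key}  (UID bytes used: {uid})")
```

The general lesson is the one this post demonstrates in hardware: STM32 read-out protection guards the key derivation code, not its output. A key that the host MCU hands to a separate NFC front end over an unencrypted board-level bus is recoverable with a logic analyzer or a second microcontroller, without ever touching the firmware. The recovered-key dictionary also makes it trivial to check the claim made later in the thread that one diversified key is used for all sectors of a token: every entry should carry the same key.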
Is it possible to share the schematic and microcontroller code? Or is it a dev board like this: http://www.kubii.fr/cartes-extension-cameras-raspberry-pi/84-carte-embedded-pi-arduino-like-3170111000545.html
iceman wrote: Hm, did you change your DI base firmware?!? Or do you call it with one of those node.js-usb projects I've seen and tested on Lego?
No. The DI firmware (STM32F102) calculates the key and gives it to the NFC frontend (MFRC630) which handles the MIFARE authentication. I simply attached my own microcontroller (STM32F103) to the SPI bus and wrote a small program that outputs the key via UART.
Very good P.O.C.! Did you test some STM32F vulnerabilities? If so, can you share them, even if they won't work with the DI base?
----------------------------------------------------------------------------------
DI uses MIFARE Mini 0.3K, same diversified key for all sectors. Sim and sniff is one way of getting the key. Use nested to get a dumpkeys file,
or use didump.lua with the key.
Could you give my a hint, what's your command for the nested attack?
I took the command "hf mf nested 0 0 A FFFFFFFFFFFF d" and got an authorization failure.
When I tried the command "hf mf hardnested 0 A FFFFFFFFFFFF 4 A w", it was the same.
Okay, then I have to buy a DI portal - today I have only the toy token.
Thank you.
Don't you have a friend who has a DI portal? Or visit the store.
Otherwise, yes, that's the only option at this moment in time to get hold of the keys for a DI token, since hardnested needs a known key.
No, I don't have a friend with a DI portal.
But my DI portal comes tomorrow. :-) Hopefully I can plug it into my PC.
I simply attached my own microcontroller (STM32F103) to the SPI bus and wrote a small program that outputs the key via UART.
Have you been able to inject a UID into the SPI bus as well? Would like to talk with you about this, if so.
True genius, the DI keygen algo has been sought for a long time.
If only that someone could tell how s/he did it... Like hardcore and with details, so all of us might learn something.
Do you have some insights to share?
And yes, I will publish my changes to some Lua scripts soon.
I obviously don't know how this genius did it, but this is how I would do it.
- Find STM32 read-out protection exploit and dump firmware
- Disassemble firmware
- Look for uid-to-key algorithm code
- Profit