Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
To the best of my knowledge, it hasn't been released publicly yet, but I was not alone in working to find it. I wrote some of the code to prove it out, but finding it was an effort by many people on many fronts.
Someone corrected me that the algorithm is available on Github, but I leave it up to them to provide more details if they desire. I created a webservice to calculate the PWD at http://ldpwd.ericbetts.org . If you visit with your browser, it will return the curl command to use the service. You post a 7 byte UID as a hex string and it will return the 4 byte PWD as a hex string.
Last edited by bettse (2016-01-16 02:49:33)
Thanks for the work you guys have done so far, and for making it publicly available.
Has anyone figured out the algorithm used for pages 0x24 & 0x25?
Last edited by atkinchris (2016-01-27 10:51:10)
Pages 24 & 26 for vehicles are the upgrade constant;
for characters it's the encrypted character ID, using a key derived from the UID. I plan to add code for upgrade calculation and character encrypt/decrypt to the repo, just haven't had a chance yet.
So I thought moving into a new build house would be fun and easy - well, not even close.... Just started to look back at the LD stuff and you guys have made some awesome progress.... (Glad I could at least help at the start)
Atkinchris - Just wanted to let you know, great little app - It does make reading the tokens in much easier than dealing with the PM3, not that the PM3 way is difficult, but yours is just so easy and quick.
Now, I am going over what was done - Is there an easy summary of what we still "need"???
At the moment, I think the only thing we need is a map of which upgrades are available for each vehicle (missing ones affect values); otherwise, everything is pretty much known.
Thanks for the work you guys have done so far, and for making it publicly available.
Building on ags131's published pwdgen, I've written a tool for Android to read and dump tags. I own the xbox version, so I'm not able to connect my portal to a computer - so I wanted a more convenient way to read tags, without having to use a few different NFC apps and write things down. It was written for personal use - Java is not my daily language - so the code is not ideal.
https://github.com/atkinchris/ld-tag-tool/releases/tag/v0.1-alpha
Has anyone figured out the algorithm used for pages 0x24 & 0x25?
Your link is 404. Can you please update?
Sorry, development has ceased on it. Better apps to read tags already exist on this forum and the store.
Thanks to ags131.
Have now got Aquaman and Gamer Kid in game using some blank tags I bought, written to pages 36, 37 and 43.
How did the algorithms get found? I liked reading the posts "[UL-EV1] [SOLVED] italian public transportation system" and seeing you guys work it out; was it similar?
Ditto big thanks ags131.
Just need to get vehicles working...
I have the Xbox portal, so I am unable to do anything with that. Can anyone recommend a suitable android app to dump/examine the various characters?
Sorted, had to make my namesake as well.
If I understand correctly, if I acquire some blank NTAG213 tags -- all that is necessary is to discover the tag's LD key by running its UID through the algorithm (does this key get stored on the tag via an NFC writer?), and then using the LD key to write correct character/vehicle data to the right pages with either the toy pad or NFC writer?
Let me preface this post with - I'm a novice coder, a complete newbie to NFC, and an intermediate level tinkerer.
With that out of the way, I have a question. I was able to read my Batman character; however, in all attempts I only get a portion of the data, and not a full dump. I am currently using an Android phone and NFC Tools Pro to read the tags. Am I doing something wrong or missing something? Any advice, help, or point in the right direction would be greatly appreciated.
I bought some tags from 2 different suppliers.
One looked more like the original tags used, with a larger antenna than the other.
The smaller one could only be read in the left and right of the portal, not in the middle, so couldn't be a vehicle.
Thanks to ags131.
Have now got Aquaman and Gamer Kid in game using some blank tags I bought, written to pages 36, 37 and 43.
How did the algorithms get found? I liked reading the posts "[UL-EV1] [SOLVED] italian public transportation system" and seeing you guys work it out; was it similar?
Question: I understand writing the character's ID to one of the pages, but what did you write to the other 2 pages?
pages 36 and 37 - character's ID, encrypted (8 bytes)
page 43 - PWD (4 bytes), or
page 38 - {0x00,0x01,0x00,0x00} (vehicle or gadget tag)
Thanks, spluton!
I've been exploring ags131's awesome work, however, I am unable to get dumptag.js to do much beyond returning the following.
XU 550f0000286329204c45474f2032303134460000000000000000000000000000
XU 5506000000ffffff580000000000000000000000000000000000000000000000
It's not reading nor dumping tags. Any help would be GREATLY appreciated. If you'd prefer not to post here, you can shoot a mail to rafminix at gmail dot com.
@trasixes, grab the latest version and try it again; that was a really old rendition of dumptag before I had a full class to work from.
Some awesome / quick work - Just started to play again and trying the 213s I bought way back when I started the LD stuff - So from the updates, I need to use the script in the Git and edit:
var raw = new Buffer('b27cc8c717a8b4e1','hex') // Page 25+26
var uid = '040b4922a34881'
The var uid, I assume, is the UID from the real token, not my 213 - What gets put into the buffer?
It's late and I'm beat - Tomorrow is a fresh look though.
Thanks to everyone for the work...
sllabgib, use the real token UID to decrypt, then the new token UID to encrypt. The buffer is pages 25 and 26 of the real token; decrypted it will be 8 bytes, with the 1st and 5th being the character ID.
Works perfectly, thank you very much!
ags - AH, that makes sense! Thanks ... it's a weekend, and I'm lazy - so it's NFC day ..... Miss this stuff, doing too much house work for the new house (and 3D printing custom stuff for the house).
I feel like a complete noob asking this but I'm not finding any answers elsewhere.
I'm at a loss to what you guys mean when you refer to "page 25/26" or "pages" in general. I've worked with hex editors/hex addresses, but this is obviously different.
http://www.nxp.com/documents/data_sheet/NTAG213_215_216.pdf
Thank you! It was right under my nose. That really helps.
trasixes - Bettse's link is very helpful - One of the first docs that helped to kick this off (at least for me). The only thing that can get a bit confusing is that certain members refer to locations in hex and some in decimal - Just an FYI.
Ags / Bettse - I know the XB1 portal doesn't work with the tools, but does it work with custom tags? Mine all say "Update required", so I was going to pull my WiiU version out to test, but was curious. My tags with the UUIDs on them all return the correct decrypted value for the tag, but just won't work on the XB.... So I'm off to try on the WiiU ... Just have to....
Thanks, I've been attempting to encrypt a character ID to a new tag using the new UID, but I think this may be over my head. Unless this suddenly "clicks" for me, I will probably have to wait for the smarter people to release a tool to handle the character cloning operations.
Yeah, there's some work involved - and that doc WILL help a lot ..... I spent 1/2 the day trying tokens on my XB1 and that was a waste - They work on my WiiU version perfectly -- So not sure if that will help someone else out here....
Ouch! Those are blanks you purchased, or original vehicle tags rewritten? Can vehicle tags be used for characters?
The only thing holding me back with characters is my lack of understanding as to where in the tag dump to find the data used in CharCryptoExample.js. What should I be using to view the tag dump? Hex editor?
This data from the tag dump is where I'm stuck
var raw = new Buffer('b27cc8c717a8b4e1','hex') // Page 25+26
I think the highlighted data is correct?
Last edited by trasixes (2016-02-07 09:40:48)
Yes, that's the right spot.
Ok great. So I plugged the info from the dump above into CharCryptoExample.js and the output is
This is where it gets fuzzy for me.
Do I take F10F181ECD6F73E5 from the output above, plug it into CharCryptoExample.js, along with the UID of the new tag, run it, then write the 8 bytes from the "buffer" output to the same location in the hex editor image in the post above?
Last edited by trasixes (2016-02-07 09:41:10)
Your UID in charCryptoExample is wrong; you have to grab 8 bytes but chop out the 4th. You only grabbed 7.
The 4th byte is a weird checksum byte for that part of the UID.
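An added example (my own code, not from the thread or from ags131's repo) that pulls out of a full NTAG213 dump the fields discussed above: the 7-byte UID with the 4th byte (BCC0) chopped out and both check bytes verified, the 8-byte encrypted character ID from pages 36/37, the vehicle marker on page 38, and the PWD page 43. The page numbers are the decimal ones used in this thread, the check-byte formulas and the layout of pages 0-3 come from the NXP NTAG213 datasheet linked in the thread, and the sample dump is constructed around the UID and page 36/37 bytes quoted in the script snippet earlier.

```python
# Added example; page numbers are the thread's decimal ones (36/37 = 0x24/0x25,
# 38 = 0x26, 43 = 0x2B); BCC formulas and pages 0-3 follow the NXP NTAG213 datasheet.
PAGE_SIZE = 4
NTAG213_PAGES = 45                               # pages 0x00-0x2C
PAGE_CHAR_ID = 36                                # 36 and 37: 8-byte encrypted character ID
PAGE_TYPE = 38                                   # {00,01,00,00} here marks a vehicle/gadget tag
PAGE_PWD = 43                                    # 4-byte PWD; an NTAG213 reads it back as zeros
VEHICLE_MARKER = bytes([0x00, 0x01, 0x00, 0x00])

def page(dump: bytes, n: int) -> bytes:
    return dump[n * PAGE_SIZE:(n + 1) * PAGE_SIZE]

def extract_uid(dump: bytes) -> bytes:
    """7-byte UID from pages 0-1: page 0 = UID0 UID1 UID2 BCC0, page 1 = UID3..UID6.
    The 4th byte (BCC0) is the checksum byte and is dropped; BCC0 and BCC1 (first
    byte of page 2) are verified so a mis-read dump is rejected before decrypting."""
    head = page(dump, 0) + page(dump, 1)
    uid = head[:3] + head[4:]
    bcc0 = 0x88 ^ uid[0] ^ uid[1] ^ uid[2]       # 0x88 is the ISO 14443 cascade tag
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    if head[3] != bcc0 or page(dump, 2)[0] != bcc1:
        raise ValueError("UID check bytes do not match; dump is corrupt or mis-read")
    return uid

def parse_ld_dump(hex_dump: str) -> dict:
    """Split a full NTAG213 hex dump into the fields the decrypt/encrypt step needs."""
    dump = bytes.fromhex(hex_dump)
    if len(dump) != NTAG213_PAGES * PAGE_SIZE:
        raise ValueError(f"expected {NTAG213_PAGES * PAGE_SIZE} bytes, got {len(dump)}")
    return {
        "uid": extract_uid(dump).hex(),
        "enc_char_id": (page(dump, PAGE_CHAR_ID) + page(dump, PAGE_CHAR_ID + 1)).hex(),
        "is_vehicle": page(dump, PAGE_TYPE) == VEHICLE_MARKER,
        "pwd_page": page(dump, PAGE_PWD).hex(),
    }

def dump_is_consistent(hex_dump: str) -> bool:
    try:
        parse_ld_dump(hex_dump)
        return True
    except ValueError:
        return False

def build_sample_dump(uid: bytes, enc_char: bytes, vehicle: bool = False) -> str:
    # Constructed sample: valid BCC0/BCC1, NTAG213 capability container, zeros elsewhere.
    pages = [bytearray(PAGE_SIZE) for _ in range(NTAG213_PAGES)]
    pages[0][:] = uid[:3] + bytes([0x88 ^ uid[0] ^ uid[1] ^ uid[2]])
    pages[1][:] = uid[3:]
    pages[2][0] = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    pages[3][:] = bytes([0xE1, 0x10, 0x12, 0x00])
    pages[PAGE_CHAR_ID][:], pages[PAGE_CHAR_ID + 1][:] = enc_char[:4], enc_char[4:]
    if vehicle:
        pages[PAGE_TYPE][:] = VEHICLE_MARKER
    return b"".join(pages).hex()

# UID and page 36/37 bytes are the values quoted in the script snippet earlier in the thread.
SAMPLE = build_sample_dump(bytes.fromhex("040b4922a34881"), bytes.fromhex("b27cc8c717a8b4e1"))
```

The "uid" and "enc_char_id" strings are exactly the two inputs the thread's script edits, so a real dump can be checked for a valid UID before its bytes are fed to the decrypt step.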
Ok, so that is what I've been missing.
So the output was correct now 15h/21. So how do I encrypt that with a new UID using CharCryptoExample?
Just change uid right before the cc.encrypt line.
Ok that appears to have worked. I really appreciate all of the help, ags131. Is it not possible to use a vehicle tag as a character tag?
No, the page that determines whether it's a vehicle or character is write locked.
Ok great, well that puts me on hold until my tags arrive. Gotta love Amazon Prime!
On a side note, how would I edit the character ID in the decrypted data?
Try changing the id variable?
Ha! I completely overlooked that!
Ok no more questions, you were a huge help. Thanks again
I'll keep the group posted - I have 4 tags working in the WiiU and I'll retest on the XB - I know my first issue was a typo, and there seems to be an issue once the game sees a UUID: if the data changes it can act "odd"... So I'll test the working tags on the XB1 tomorrow again.
Good luck! Definitely keep us posted.
Trasixes - You all good now? I know ags rocks, but just in case - I can help out - To be honest, I just wasn't sure how much direct pointing we were going to do. Once you figure it out it's cake from there.....
Ok, so I apologize for my quick note about the XB1 and the tokens - All of them work this morning. But what led me to that assumption was a symptom I had in December, so that first.
If you used a "real" token on the game and then used a token with the same UUID and PWD challenge, it worked - I had that "success" way back but discovered it meant nothing after a reboot. So the whole reading of the token must have been only once, then it knew the UUID and just worked.
Yesterday I had a typo in a bit since I'm using my android to enter 24/25 on the chip - I tried the token and of course it said you require an upgrade. I fixed the token and it said the same thing - I played with that same token, knowing I should just use another one to test but I kept going. Finally, I swapped to the WiiU and had no issues, until a 4th test where it had an upgrade error due to a bit that I had a typo on (again).
So in all - False alarm, as Bettse has said - it should have made no difference on the extra security chip the XB1 portal uses, that's for a different purpose, but that was also something that led me to jump too quick at the false alarm. So - All good on the XB Front .... (Which is good, I'm further along in the game, I haven't even started in the WiiU version, purchasing just for the portal and PC connection.)
I'm definitely good now!
I have something similar to A.D.D. that makes it very tough to focus, so putting together pieces of the puzzle can be a challenge sometimes. Once ags131 set me straight, it was downhill. I'm now working on (for personal-use) adding pop-up boxes to choose what I want to do, along with input boxes where needed/useful. This will streamline things, and help me get a better understanding of ags131's work.
This is all very interesting, and really fun. It definitely inspires me to explore NFC further! I haven't done anything like this since the old satellite/smart card days .
Ahh good to hear. I have a PS3 pad for dumping/writing, but the actual "play" pad is for my son's Xbox 360. Any problems with the XB1 version would've likely been a problem for the 360 version too, so I was hoping you'd get things sorted.
Last edited by trasixes (2016-02-07 17:45:26)
I know what that's like - I have a similar type of ADD, but mine is more of an issue with too many projects and focusing..... and from that I have a bad habit of not giving up for far too long before asking for help.
I did the same for the script - made it easier for myself with some different inputs / etc - Great to hear you got it all working!
Anyone have any luck with blank tags?
Yep.
Are you writing to them with the toy pad? Any attempt to write apparently fails, and dumps are completely empty. I'm sure I am doing something wrong, of course
Edit: I've been able to write data to the tag with android, but dumps are still empty using the toy pad, nor can I write to the tag with the toy pad. LD doesn't react to the tag at all.
Last edited by trasixes (2016-02-10 01:08:53)
Not looking for spoon-feeding, just a nudge in the right direction.
I can read/write using my android phone. However, using the toy pad I cannot write to the blank tags. The toypad/dumptag.js are reading the UID just fine, but the actual bin file is full of zeros.
I'm guessing either these particular tags are not compatible (ntag213), or (more likely, I'm guessing) I need to refer to the datasheet. I'm thinking some type of config bits need to be set? Am I even in the ballpark? lol
NTAG213 tags are what I've used; for me it was as simple as writing the PWD to page 0x2B (Toypad can't do this), then writing 0x23-0x26 with the appropriate data.
Last edited by ags131 (2016-02-13 07:59:34)