nfc bank skylanders

We talked about NFC toys, which are toys, which have NFC tags embedded in them. There are slide numbers on each slide you can reference. We're going to talk about NFC toys, which are toys, which have NFC tags embedded in them. Here, we can see it's an NXP tag, too, specifically a MIFARE Classic (MF1S20) tag. 5. for commercial advantage or private financial gain. You could have a giant Pikachu toy with the credentials to your production environment at work. and code have been published across the internet since. I hope you will. Just like in the payment card, you can see the access bits on every fourth line. playing cards, and cereal, is still going strong. If we listen in, we can get the keys. Whereas criminal willfulness requires a specific intent to violate “a known legal duty,” civil cases require a more specific intent to violate copyright laws; that is that willfulness is not just an intent to copy, but rather an intent to infringe. Just to make sure, let's try it with an even later model Trap Team figure, and we get: That's a valid key for block 9 (sector 2), and you can repeat that for a block in each of the remaining sectors. We're less fortunate working with Disney Infinity figures. You could have a Kickoff Countdown toy store your World Cup predictions. We will only be using GUIs on Windows, so no Linux, command prompt, or coding … Knowing one in advance is not as difficult a task as it might seem like. Disney Infinity let you play with characters from many different Disney properties, all together in an open-world sandbox environment called the Toy Box. In court, "effectively" basically means "does it exist to do this.". There are higher-level, easier-to-use libraries in various languages which use libnfc under the hood, and so it provides security researchers and hobbyists alike with a standard platform. but Table 2 describes another MIFARE tag with 1kB memory, the MIFARE Classic. So, how do you figure out what that formula is? It was possible to get into a Skylanders figure with just a toy, a thesis, and a research paper, but not so for figuring out Disney Infinity. 49. A Proxmark3 will let us place our own antenna right up against the antenna in the NFC reader and the antenna in the NFC toy, and listen in on the communication between the figure and the base. for commercial advantage or private financial gain. ), New interoperability for Activision Skylanders NFC toys, Toys only store data: Skylanders Giants character figures. For everyone else, Disney Infinity was Disney's entry into the toys-to-life genre, launched in 2013. Let's start by looking at what copyright protects. Please fill out your feedback forms, and pass them forward or hand them to me as you exit. As discussed in the case study, by knowing the algorithm used to set the read/write passwords (keys A), we can interoperably read/write our own data to a Skylanders NFC toy.Read New interoperability for Activision Skylanders NFC toys for details on the algorithm, and a demonstration video showing it in use. Moreover, when doing an exclusive or operation between a key and the key that follows (K[i] ⊕ K[i + 1]), it becomes apparent that there is indeed some pattern, this can be seen in Table 4. (This is the same as for any MIFARE tag.). Furthermore, NXP does not recommend to design in MIFARE® Classic in any security relevant application. They're not creative expressions. Skylanders is a toys-to-life action-adventure video game series published by Activision. save. “Financial gain” is broadly defined to include not only a monetary transaction, but also the “receipt, or expectation of receipt, of anything of value, including the receipt of other copyrighted works.”. What technologies do the Skylanders figurines use? Verification of this hypothesis is shown in Table 5 and holds for all tested NUIDs. Eager to talk about Skylanders with fellow Portal Masters? I have a Donkey Kong amiibo, and I want to edit its stats I already have the editor but I don't know how to get the BIND file of my amiibo. Unfortunately, that also means we're going to need the video game. Fantastic, great. That's it for my talk, we don't have time to do Q&A, but I'll reply on nfc.toys to any questions submitted. When you have a Proxmark listen in on the toy-base communication, you learn that Disney Infinity NFC toys use one key for the entire toy, both key A and key B for all five sectors is the same. https://open.spotify.com/user/official_star_wars/playlist/0mJWJsZTz0I1iXFFeyRzcS. The sample algorithm implementation can output a hexadecimal, Proxmark emulator format (EML), which we can convert. It turns out that K[i] ⊕ K[i + 1] for i in range [2, 16) has the same outcome for every NUID. Slide 33's toys are Lego Dimensions, a toys-to-life video game where assembling and re-assembling the portal and the figures' accessories is part of the gameplay. They are simply there by virtue of arbitrary technical decisions to make it easier or harder to work with the toys as data storage devices. What's a key? share. Let's talk about Disney Infinity next. This entire business card appears writable, meaning we could put anything we want on it, even replacing Moo's online service with our own. Even though they're technically no different than a bare NFC tag, storing the same amount of data in the same way, communicating the same way, the novelty and playful aspect of NFC toys supports us in thinking about unique and fun uses for NFC tags in a way that NFC tags by themselves don't. To prove a violation of 17 U.S.C. Each block can store sixteen bytes. Likewise, NFC toys offer the ability to store digital content, undetected inside a figurine, stuffed animal, playing card, or box of cereal. We're set for Skylanders. Nintendo making Skylanders-like NFC figurines for Wii U, 3DS. Those are the 16 keys A necessary to read or write the Skylanders NFC toy, generated algorithmically, instead of using an exploit. Giant sized controller ahoy. (This is the same as for any MIFARE tag.). None of the ten keys are standard keys, so any exploit that relies on knowing a key won't work. Okay, thanks to two research papers, we have a known key, and we have an attack vector, now we need software to run it that works with libnfc. We're using the keys as intended. ), Restore the original contents of the toy using nfc-mfclassic. I have the necessary nfc tags and capsules to make my tokens. Here's a pair of Bluetooth headphones, which embed an NFC tag for easy pairing with your phone. I don't need to buy a bunch of Disney Infinity toys to get a bunch of keys to see if there are patterns. When a tag, or your phone talking like a tag, is near enough to a reader, generally millimeters to centimeters, the reader's radio frequency transmissions provide enough wireless power. Thus, copyright law protects a novel or poem written on paper or typed in a computer, a song recorded in a studio or written on sheet music, a sculpture modeled in clay or bronze, or a computer program on a computer’s hard disk. The thesis never says Skylanders by name, but knowing what we know now, it's easy to recognize that's what it's about. Being careful about changing things in game means we can figure out which blocks are likely to store many of our character's variables. The first key, key A, in every toy is the same. Most of you probably know it for section 512, which establishes the "safe harbor" provisions for online hosts. We talked a little bit about them, about the toys-to-life genre of video games, and about NFC tags in general. These support new interoperability of Nintendo Amiibo NFC toys. See the colophon for image attributions and credits. Let's look for Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards libnfc. These are blocks that Skylanders: Giants writes to the Ninjini toy during gameplay: By watching the clock, we can see that these two blocks probably store some sort of playtime counter: (00:00 playtime, 00:31 playtime, 00:34 playtime). We'll refer to them as PWD 0 through PWD 3. Curiously, it doesn't have any other information. The photo in slide 9 is by Matt Biddulph. By testing different nicknames, we can see that these two blocks store the nickname, and that they change depending on its length: ("Ninjini" (default), "Securitoy", "bob"). For lines that aren't 32 characters long, pad them out with zeros. A work must be an original, creative expression of an idea or concept, and it must be recorded in tangible form. While you can beat the game with what comes in the starter kit, to reach 100% completion, and to collect every achievement, you need to buy additional types of characters and expansion toys. A show of hands, who was personally into Disney Infinity. One side is for Q&A, the other is for talk or speaker feedback. So, what happens when we swipe an NFC toy against an appropriate Android phone? MaxLander allows you to get data for every Skylander figurine for cheap 0 … and when you find the author's home page, you also find the fact that he worked with Toys for Bob, developers of Skylanders, for a year. The third screen has detailed information about the NFC tag itself, and the fourth screen again shows us all the raw memory content that it's getting all that information from, again in a pages structure. We also see the serial number for the tag, also called the UID, and the ATQA and SAK, which help identify the type of tag it is. I am not a lawyer, and this is not legal advice. Wikipedia describes something like nine different papers and presentations, starting from 2007, which provide various attacks on and compromises to MIFARE Classic tags. We can't ever read each key A, so we always have to know them in advance. This is a "Ninjini" figure from Activision Skylanders, when swiped against an Android phone with NFC support, running the app NFC Tools. Water is one of the tenelements introduced in the Skylanders series. It's simple enough that you can do it by hand, with pen and paper, enabling us to write 428 bytes of our own data onto any Amiibo NFC toy. The second password, key B, is the factory default key, and it's readable, which means we can see it, and probably also means we can only use it to see what data is on the tag, but not change it. (Now, we might be eligible for other charges under other laws, but not a DMCA violation.). Activision Skylanders Giants Triple Pack #1: Pop Fizz, Whirlwind, Trigger Happy price S$ 17. NFC-Bank has a fantastic collection which you can find on this website, and is the most complete to date. This output is also really detailed. The fourth screen again shows us all the raw memory content that it's getting all that information from, again laid out how it's stored on the tag, in this case in rows of four bytes each, called pages. That it may be intended to protect copyrighted content is what makes any possible circumvention illegal. For everyone else, Nintendo launched Amiibo in 2014, and in classic Nintendo fashion, treats them as much as rare collectables for obsessive adults as video game accessories for kids, resulting in lines in front of stores on release days, and toys selling out and never being reissued. Skylanders was a huge success. Every NFC toy we've looked at uses keys and passwords in different ways, but they are all able to perform that same function in that same combination, despite those differences. An ATQA of 0f 01 with an SAK of 01 means an Activision Skylander NFC toy. Maybe that's an issue? Remember, all of these data transfers are happening wirelessly, over the air, even though the toy and the base are just a few millimeters of plastic apart. Convert the MIFARE Dump to hex to view it, using mfd2eml.py and the standard Unix tool cat. Inside that badge, just like inside an NFC toy, is what's called a tag. We talked about various off-the-shelf hardware and software you can use to explore these NFC toys, how that exploration can lead to determining read/write credentials, and how to write your own data to three different types of NFC toy. Even if buying the toy legally doesn't grant us the right to crack its keys and put our own data on it, once we have the keys, we're not bypassing anything. Alright, so why are we suddenly talking about legal trouble, when I've just discussed a long history of security research and academic scholarship. Question. And when you do this, for dozens of keys in regular patterns, you find there's no pattern at all. We'll be working in hexadecimal, which is easier for people to read, but the tools use the "MIFARE Dump" format. The other nice thing about having a Proxmark is it can simulate a MIFARE tag. In other words, circumvention of an access control occurs when someone bypasses the technological measure’s gatekeeping capacity, thereby precluding the copyright owner from determining which users have permission to access the digital copyrighted work and which do not. NFC toys are physical toys which embed NFC tags to support some sort of interaction. This is a "Duck Hunt" figure from Nintendo Amiibo as seen in NXP TagInfo. Second, this is America, where you can be sued by anyone at any time for any reason, and then you're stuck having to defend yourself. You can find people who are holding polls or achievements in certain levels. NFC tags are more like tiny, slow, wireless flash drives. You can then plug these into any libnfc MIFARE reading app, or into MIFARE reading apps on your supported Android phone, assuming the apps recognize the Skylanders as MIFARE Classic tags, and see the full contents of the toy. The new User Squad Skylanders are based off of real users on the actual Skylanders Fan Wiki. With a method to obtain all the keys A, we have full read and write access to every available block, that's fifteen sectors, three writable blocks of 16 bytes each. This one is great, the second screen explains a lot of the technical details of the content, like the manufacturer, the model of the headset, the kinds of Bluetooth protocols it supports, and more. The reason is that, legally, some NFC toys may not count as regular NFC tags. Then, we'll see how to write our own data to those three different types of NFC toy, and talk about the legal implications of doing so. We're going to start with Activision Skylanders. We'll refer to them as UID 0 through UID 6. This is an introductory level talk, but there were also more advanced and related talks at HOPE this year: In addition, at HOPE X in 2014, artist Joshua Fried put forth the idea that skeuomorphism, often experienced as extreme, historical realism, may offer a natural home for steganography, the practice of hiding messages in plain sight. Each Skylander has their own unique personality. If you've been searching for a way to clone any skylander to 10 cent NFC cards or modify their data (modify data coming soon), look no further! When there aren't any patterns, the only solution left is to reverse-engineer the algorithm by figuring out where it lives, and then extracting it from the software or firmware, and as a liberal arts major, I don't really have the engineering experience for that. Skylanders Giants: Portal Owners Pack Xbox 360 Video Games, Microsoft Xbox 360 Skylanders NFC Reader, Portal Toys to Life Products, Skylanders Portal, Portal 2 Microsoft Xbox 360 Video Games, Skylanders Portal Wii, Microsoft Xbox 360 Skylanders Spyro's Adventure Video Games, Xbox 360 Bundle, Xbox 360 With Kinect, Before I hand out the worksheets, though, it's important to consider those legal subtleties I mentioned. Explore never before seen areas of Skylands, meet new friends and battle fierce enemies. Because NFC is a subset of RFID, it works for NFC toys, too. I am indebted to the hobbyists and researchers who went before me, and to everyone who publishes their notes, their documentation, and their software for others to learn from and build upon, but especially the Proxmark community, Adafruit's NFC and MIFARE explainer and the RFIDIOt Python library. This algorithm supports new interoperability of Disney Infinity NFC toys. IMPORTANT. Those would be original creative expressions. The first thing we see is it's an NXP brand tag. So, I gotta say, these screens are kinda empty. By knowing an algorithm used to set the read/write passwords (keys A and B), we can interoperably read/write our own data to an Infinity NFC toy, using our own NFC hardware and software, without tedious manual simulation and sniffing on a per-toy basis. So, how can we tell if the data is uncopyrightable facts and figures, or copyrightable content? In addition, Disney Infinity came out in 2013, well after NXP hardened the MIFARE Classic. There's one other concern, we touched on it briefly before. "Willfully" has a specific legal meaning, but let's just go with the idea that since you're all in this room, you can't argue that you didn't know it might not be okay for you to do this. Finally, for the in-person audience, I've provided speaker feedback forms and pens. But this is a talk focusing just on the NFC tag in an NFC toy, and it turns out there's a lot we can learn without doing any additional work at all. So, maybe, let's take this seriously, and see how the DMCA concerns us, based on excerpts from the 2013 Department of Justice Prosecuting Intellectual Property Crimes manual, fourth edition. (Switch) Skylanders Imaginators - Joy-Con + NFC + Gameplay This channel is all about gaming in the best possible way. we find it in this PDF describing ways to identify NXP MIFARE tags, so it's a MIFARE tag. This is a "Kanan Jarrus" figure from Disney Infinity as seen in NXP TagInfo. Hell, if you want older gen Skylanders, Five Below has them brand new for $5. (This is similar to the data we saw on the toy in the case study and in Toys only store data: Skylanders Giants character figures.). While the Skylanders math was pretty gnarly, the Amiibo math, as presented, is a bitwise exclusive OR operation. Sector zero key is static and by using the sector one key all other sector keys can be derived. Yesterday's announcement of Skylanders Giants for Wii naturally led to … What would it take to hack that? You'll need to compile libnfc's utilities from source. To play the game, you place a figure on the portal, and that's the character you play as. You'll need the tnp3xxx.py Python 2 program, which is an example implementation of the key generation algorithm, listed in New interoperability for Activision Skylanders NFC toys. The resulting PWD is four digits in hexadecimal, e.g. and a little ways down on the page, we have an implementation of the paper's algorithms suitable for use with libnfc, by security researcher Aram Verstegen. Sixteen sectors, a key A and key B each, means there can be up to thirty-two passwords you need to uncover to get access to a completely locked-down 1k MIFARE Classic tag, but what this paper tells us, is we only need to know one, and due to vulnerabilities in the tag's logic, it can figure out the rest from there. There were also separate story-based environments for specific franchises and characters, such as a Pirates of the Caribbean play set. This tag is set up to send a notification to my phone when someone taps it, and then direct them to nfc.toys. (This is the same as for any MIFARE tag. or vehicle figures, resulting in over 350 Skylanders NFC toys of all types. To say Skylanders is a hit for Activision is like saying that fish like water. Toys that use NFC to support interactions, typically digital ones, means the toy may contain, affect, or involve digital content, which may be covered by copyright. (This is the same as for any MIFARE tag. Obviously, an NFC tag's keys or passwords are "technological measures." Every NFC toy that controls access to content in a video game requires at least its initial presence on an NFC reader to access that content, suggesting the access control for the game content is the NFC toy as a physical object, in combination with the reader, plus the code in the game, all together. If we were figuring out Amiibo ourselves, we'd have to work it like we did Disney Infinity, but we're luckier here in two ways. Their community is very active, and it's possible someone has already figured out the tag you're looking at, although you'll need technical expertise to translate something that works on the Proxmark to something that works for a general-purpose NFC reader. That doesn't mean we can't be sued for this anyway! Raise your hands. Using a static key for sector zero shows a misunderstanding of the NFC technology. Does anyone have a copy, or a replacement site? NXP is a major manufacturer of NFC tags, and they've promoted the use of their NFC tags in games like Skylanders since at least 2011. You could have a Maleficent toy holding within it the original curse from the Grimm fairy tale. This is lawsuit as threat model. the original curse from the Grimm fairy tale, unreleased toys have made their way to online sellers, this PDF describing ways to identify NXP MIFARE tags, something like nine different papers and presentations, the one from this paper, published in 2015, led NXP to tell people to stop using them, Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards libnfc, an implementation of the paper's algorithms suitable for use with libnfc, a sample implementation of this algorithm, Proxmark was an open source design for RFID test equipment, Prosecuting Intellectual Property Crimes manual, the content on nfc.toys is deeded to the public domain, 3. a technological measure that effectively controls access (i.e., an access control). News Skylanders Developer "Looking at Wii U NFC Technology". or vehicle figures, resulting in over 350 Skylanders NFC toys of all types. NFC is a subset of the RFID technology that your badge probably uses. You could have a Kylo Ren toy with a playlist of emo songs. So, a show of hands, who has paid for something using an iPhone with Apple Pay. To get into these figures, we're going to have upgrade to the third of three standard tools I'll be discussing: specialized RFID testing equipment. You can also use the emlinsert.py Python 2 program to do the same thing automatically. Well, if you're like me, or like the security researchers who eventually figured it out, you buy and crack a lot more toys. Convert the EML file to MIFARE Dump using eml2mfd.py, then write the contents of the file using the libnfc standard tool nfc-mfclassic, using the generated keys. The second screen explains the technical details of the content, in this case the Moo URL that provides all the custom functionality through their online service. That is, the point of the NFC tag keys and passwords isn't to protect the game content, they're there only to protect the data on the tag. Skylanders Battlegrounds™ Free War-Torn lands from Kaos' evil warlord army! We could search documentation and source code for common MIFARE keys and try each one of them against the key A and key B for every sector, and, spoiler alert, it'll eventually work, you'll eventually find one. It's like that all the way down, for all 320 bytes. Some researchers might reverse-engineer the video game or its support code to understand what data gets read or written. For people watching the livestream or anyone in the audience who would prefer subtitles, the transcript, slides, and supporting materials for this talk are now live at nfc.toys. They're not really a full-on microprocessor. Everything we're going to cover is a grey area, and I'll be positioning it as such, because it's things that can only be decided by a judge in a court. Cool, hands down. While I will be discussing legal matters, I am not a lawyer, and this is not legal advice. The UID of this figure is 04 8b 9f 38. Whether a defendant actually makes a profit is beside the point: what matters is that he intended to profit. Earlier, we said that some Android phones, ones that support Google Pay, can talk NFC, and so an Android phone will be the first of three standard tools I'll be discussing. Valk's thesis even included the fact that patterns in the keys could be discovered, documenting that there were patterns, but he did not go so far as to document what the patterns meant. There's one more thing, going back to that quote we pulled from the Valk thesis. Create your own data to write, up to 720 bytes, and save it. Every other sector is writable by its key A. In 1998, the United States passed the Digital Millennium Copyright Act, or DMCA. This is the same as how a MIFARE Classic tag is laid out, in sixteen sectors, numbered zero through fifteen: Each of those rows in each sector is called a block. Being able to do things you want with things you own, even if they have electronics or software inside them, is a core tenet of the Right to Repair, and there was a, James Chambers presented more in-depth, technical work on Nintendo Amiibo toys in, a technological measure that effectively controls access (i.e., an access control). But, we know that it has memory, the third tab says so. I can have the Proxmark pretend to be a tag with a randomly generated ID, and then have it listen in on what key the base would use for it. Everyone understands that toys are toys, so when a toy does something that a toy wouldn't normally do, that's visually interesting, that's stimulating. Let's define NFC toys in a way that might help clarify this. If the data is just "This is a Ninjini toy, with this health and this experience level," those are discrete facts and figures. We can see its ID, ATQA, and SAK. Your local bar association can usually refer you to an appropriate attorney, often with a free or reduced-cost initial conversation. Show of hands, who waves a security badge against a reader to get into their building at work? By knowing an algorithm used to set the read/write passwords (keys A), we can interoperably read/write our own data to a Skylanders NFC toy, using our own NFC hardware and software, without tedious manual cracking on a per-toy basis. So for about sixteen months, I ran a web service that accepted a Disney Infinity toy UID, passed it along to the Proxmark for simulation, listened in for the key, and then posted it publicly. (If you are interested in exploring the USB reader hardware, the end of the DMCA concerns documentation has some analysis and references which may be useful.). These courts held that the mere purchase and use of such a device [unauthorized satellite and cable television decoders] for the defendant’s own benefit and that of his family and friends does not constitute “gain” within the meaning of that statute. So, what's up? If we look in NXP's MIFARE Classic documentation, we see we have to turn it into binary, and we'll learn this: Sector 0, the first four blocks on the toy, is completely read only. MIFARE Classic encryption has been compromised; see below for details. Circumvention does not occur, however, by properly using the technological measure’s gatekeeping capacity without the copyright owner’s permission. The DMCA’s anti-circumvention prohibition does not apply to someone who circumvents access controls to a work in the public domain, like a book of Shakespeare, because such a protection measure controls access to a work that is not copyrighted. For subsequent offenses, the maximum penalty is ten years’ imprisonment, a $1 million fine or twice the monetary gain or loss, or both imprisonment and a fine. It just means if we can afford to defend ourselves, we might have a defensible case. We should be able to play with our toys as we see fit, and it's up to us to assert our rights to do so. Each Skylander is aligned to a single element: Air, Dark, Earth, Fire, Life, Light, Magic, Tech, Undead, or Water. Those are the same 16 keys A, plus the UID, written "in place", where they'd be in a hexadecimal dump of the tag. to allow the tag to communicate back and forth, often just tens to a few hundred bytes. They're not telling us much more than NFC Tools did, and that's actually a little unusual. The protection of a copyrighted work is an essential element. So we're looking for a known key for a Skylanders toy, and some not-so-creative searching nets us an interesting paper, Comprehensive security analyses of a toys-to-life game and possible countermeasures. If we're only talking about the toy right now, and only about the existing data on the toy, because we need to tick all the boxes, if the data on the NFC toy is not a copyrighted work, then maybe we're not violating the DMCA, either civilly or criminally! We'll talk about how that affects our risk later. 17 U.S.C. Most references are linked inline. There are also editable areas, which you can change however you want (with a User Skyla… They can also be ranked up to Admins. This is the data dumped off of Skylanders. Open up the ninjini-keys.eml file, replace the 00000000000000000000000000000000 blocks with your hex content, and save it as a new file, such as ninjini-new.eml.