skylanders portal demystified

a guest
Dec 31st, 2011
original url : http://brandonw.net/consoles/skylanders/
specs + code : http://freakshare.com/files/payrqavo/SkylanderEditor.zip.html

the skylanders portal demystified

If you haven't heard of the game Skylanders: Spyro's Adventure, google
it.

It's a video game for the PC/Mac, Wii, PS3, Xbox 360, and 3DS which
comes with a USB "Portal of Power", a small platform that wirelessly
reads and writes to Skylanders toys. Whatever toy you put on there, the
character it represents will magically appear in-game where you can play
with it, upgrade its stats, etc. Character data is saved wirelessly
back to the toy itself.

This page attempts to explain how this all works (as I understand it so
far).

the portal
There are two main versions of the portal that I've encountered so far
-- the wired one (PC/Mac, Xbox 360) and the wireless one (PS3/Wii/3DS).

They work basically the same way -- the portal (or wireless USB
receiver, in the case of the wireless ones) constantly transmits status
data back to the host, and also responds to read/write toy data
requests.

The protocol couldn't be simpler -- the first byte of the data is a
character representing the command, and then the data comes after it.
For the wired version, 0B 14 is placed before the command character.

I don't have the wired version with me at the moment, so forgive the
crappy specifics at the moment about that one.

The commands are:
R -- run? restart? I don't know. It's necessary to send this to start
the status responses flying across. Responds with empty R packet.
A -- activate? I don't know. I send it after the R, but I don't know
that it's really necessary. Responds with empty A packet.
S -- status. This is the packet the portal/dongle keeps sending back to
the host (PC/360/PS3/Mac/Wii/whatever). Toy placement/removal is
reported here, but I haven't looked into it all that closely yet.
C -- color. The next 3 bytes after this are the RGB values for the color
you want to set. No response sent back.
Z -- sleeping. The dongle for the wireless version reports this when it
can't find the portal.
Q -- query. This is sent when you want to request a block of data from
the toy. Responds with Q packet of the requested data.
W -- write. This is sent when you want to write data to a block on the
toy. Responds with empty R packet.
The PC/Xbox 360 version of the portal reports vendor ID 0x1430, product
ID 0x1F17. The Wii wireless version of the portal reports vendor ID
0x1430, product ID 0x0150. This is probably the same as the others, but
I'm not sure.

The wired version contains two interrupt endpoints, incoming is 0x01 and
outgoing is 0x02. Commands are sent/received over these. Responses are
always 0x20 bytes and padded with zeroes.

The wireless version's dongle is a standard HID device, so it only
contains one incoming endpoint (0x01). Statuses and responses are
received over this endpoint, but to send commands, it's done through a
standard USB control request (bmRequestType 0x21, bRequest 0x09, wValue
0x0200, wIndex zero). It's also possible for the Wii to send requests
0x0A and 0x0B with no data attached, I don't know yet what these are.
Both commands and responses are always 0x20 bytes, padded with zeroes.

Request Format/Details
R 52
A 41 <1 byte, unknown, always 0x01>
S 53 <4 bytes, status data?> <1 byte, auto-incrementing sequence>
C 43 <3 bytes, R/G/B value>
Z 5A
W 57 10 <block number> <0x10 bytes of data>

Q is tricky.
When a NEW skylander is placed on the portal the skylander must be read via:
Q 51 21 0 <0x10 bytes of data> i.e. The zero block must be read with 0x21.
Q 51 11 <block number> <0x10 bytes of data>

When an OLD skylander that is already on the portal must be read we use:
Q 51 20 0 <0x10 bytes of data> i.e. The zero block must be read with 0x20.
Q 51 10 <block number> <0x10 bytes of data>

Q should come back with a response of the form
51 11 <block number> <data> for a NEW skylander
51 10 <block number> <data> for an OLD skylander

A response like 51 01 ... indicates an error.

If you find that the write isn't working (especially on the wired
version), pad the request out to 0x20 bytes and specify 0x20 instead of
0x10 with the command. It's dumb like that (off-by-one bug, I suspect); I
haven't tested if that would break the wireless version or not.

The wireless version has a tendency to just not respond, so if you write
your own application that does this stuff, try commands multiple times,
and if writing data, query the block immediately afterward to make sure
the write took. The game and web site do this as well.
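The Q/W framing, the 0x20-byte padding, the wired 0B 14 prefix and the retry-then-read-back habit described above, as an added example that is not from the original page or the linked editor. The transport is a constructed in-memory stand-in (FakePortal) that drops some requests; a real application would send the packets over the interrupt endpoint or HID control request instead.

```python
PACKET_SIZE = 0x20          # every request and response is padded to 0x20 bytes
BLOCK_SIZE = 0x10
WIRED_PREFIX = b"\x0B\x14"  # the wired portal expects this before the command byte

def _pad(body, wired=False):
    return (WIRED_PREFIX + body if wired else body).ljust(PACKET_SIZE, b"\x00")

def build_query(block, new_toy, wired=False):
    # Q <mode> <block>; mode 0x21/0x11 = newly placed toy, 0x20/0x10 = already on the portal (block 0 uses 0x2x)
    mode = (0x21 if block == 0 else 0x11) if new_toy else (0x20 if block == 0 else 0x10)
    return _pad(bytes([ord("Q"), mode, block]), wired)

def build_write(block, data, wired=False, length=0x10):
    # W 10 <block> <16 bytes>; length=0x20 is the page's wired-portal workaround
    if len(data) != BLOCK_SIZE:
        raise ValueError("block data must be exactly 16 bytes")
    return _pad(bytes([ord("W"), length, block]) + data, wired)

def parse_query_response(packet):
    # 51 1x <block> <data> -> (block, data); the 51 01 form is an error -> None
    if len(packet) < 3 + BLOCK_SIZE or packet[0] != ord("Q"):
        raise ValueError("not a Q response")
    if packet[1] == 0x01:
        return None
    return packet[2], bytes(packet[3:3 + BLOCK_SIZE])

def write_and_verify(send, block, data, attempts=3):
    # Retry the write and read the block straight back, as the page says the game does
    for _ in range(attempts):
        if send(build_write(block, data)) is None:  # no reply: try again
            continue
        reply = send(build_query(block, new_toy=False))
        parsed = parse_query_response(reply) if reply is not None else None
        if parsed is not None and parsed[1] == data:
            return True
    return False

class FakePortal:
    # Constructed stand-in: in-memory 64-block image that drops every third request
    def __init__(self):
        self.blocks, self.calls = [bytes(BLOCK_SIZE)] * 64, 0
    def send(self, packet):
        self.calls += 1
        if self.calls % 3 == 1:
            return None
        cmd, mode, block = packet[0], packet[1], packet[2]
        if cmd == ord("W"):
            self.blocks[block] = bytes(packet[3:3 + BLOCK_SIZE])
            return _pad(b"R")
        return _pad(bytes([ord("Q"), 0x11 if mode & 1 else 0x10, block]) + self.blocks[block])
```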

Be aware that the Xbox 360 version has an Infineon security chip (method
3, version 1.00), so if you intend to emulate the portal on the Xbox
360, you're going to have to resort to some weird trickery.

raw toy data
The character itself can store up to 1KB of data, separated into 64
16-byte "blocks" (64 * 16 = 1024 bytes). A group of 4 blocks is
(traditionally) a "sector." All data is stored Little Endian.

Below is a decrypted dump of one of my characters, Gill Grunt (some
sensitive information masked out with "XX"):

Block 00: XX XX XX XX CA 81 01 0F C3 85 14 91 55 50 10 11
Block 01: 0E 00 00 00 XX XX XX XX XX XX XX XX 00 00 58 E3
Block 02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 03: 00 00 00 00 00 00 0F 0F 0F 69 00 00 00 00 00 00
Block 04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 07: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 08: 00 00 00 00 00 6D 01 00 00 78 2E DF 3F 18 2C DD
Block 09: 00 00 00 01 00 00 00 00 AF 2A BC 87 21 A8 63 9A
Block 0A: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 0B: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 0C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 0D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
Block 0E: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 0F: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 13: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 17: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 1A: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 1B: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 1C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 1D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 1E: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 1F: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 23: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 24: 00 00 00 00 00 70 01 00 00 79 F8 ED 3F 18 C8 7A
Block 25: 00 00 00 01 00 00 00 00 AF 2A BC 87 21 A8 63 9A
Block 26: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 27: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 28: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 29: 35 14 16 0A DB 07 00 00 00 00 00 00 00 00 00 01
Block 2A: 35 14 16 0A DB 07 00 00 00 00 00 00 00 00 00 00
Block 2B: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 2C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 2D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 2E: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 2F: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 31: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 33: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 34: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 35: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 36: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 37: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 38: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 39: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3A: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3B: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 3C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3E: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3F: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00

Part of the character data is encrypted, and nearly all of it is
protected by several CRC16 checksums.

Blocks 0x00 and 0x01 are special. These two blocks contain part of the
decryption key, as well as other data unique to the character (such as
the toy's unique serial number, trading card ID, etc.).

The last block of every sector (so blocks 0x03, 0x07, 0x0B, 0x0F, etc.)
is known as the "access control block", indicating the read/write status
of that sector. It is mostly zeroes except for a 4-byte value at offset
0x06 of the access control block. Take block 0x03, for example:

00 00 00 00 00 00 0F 0F 0F 69 00 00 00 00 00 00

If you look 0x06 bytes into it, you see 0F 0F 0F 69. This tells you
whether the first sector (blocks 0x00 to 0x03) is read-only.

Read-only access: 0F 0F 0F 69
Read-write access: 7F 0F 08 69
Full access (whatever that means): FF 07 80 69
Almost all blocks have read-write access except for the first sector.
This does NOT indicate whether it's physically protected, it's more of a
guideline. :) Not all four blocks are necessarily writable; I'm not
sure what's actually enforcing the protection on the others, perhaps the
portal itself.

There are two main data "areas" where arbitrary data can be written.
Each contains a block-sized header: the first data area's header is block
0x08, and the second header is block 0x24. At offset 0x09 of the data
area header block, there is an 8-bit sequence number that somehow
indicates which block is complete/most recent/valid/whatever.

As far as I can tell, everything else is free to use.

data encryption
Every block from 0x08 onward (with the exception of the access control
blocks) is encrypted using a key unique to that block. The algorithm is
128-bit AES, ECB mode and zero-byte padding. As that's a symmetric key
algorithm, the same key is used to both encrypt and decrypt.

The key itself is the MD5 hash of the following 0x56 bytes:

<first 0x20 bytes of sector 0> <1-byte block index>
<0x35-byte constant>

I leave it up to you to find the constant.
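The access control decoding from the previous section and the per-block key derivation just described, as an added example that is not part of the original page or the linked editor. KEY_CONSTANT is a placeholder, not the withheld 0x35-byte value, and the parsed page dump has its sector 0 bytes masked, so the keys it yields are only structurally right; the AES-128-ECB step assumes the `cryptography` package.

```python
import hashlib

ACCESS_LEVELS = {
    bytes.fromhex("0F0F0F69"): "read-only",
    bytes.fromhex("7F0F0869"): "read-write",
    bytes.fromhex("FF078069"): "full",
}
# Placeholder for the 0x35-byte constant the page withholds; not the real value
KEY_CONSTANT = b"\x00" * 0x35

def parse_dump(text):
    # Read "Block NN: hh hh ..." lines as printed on the page; masked XX bytes become 00
    blocks = [None] * 64
    for line in text.splitlines():
        if line.startswith("Block "):
            label, hexdata = line.split(":", 1)
            blocks[int(label.split()[1], 16)] = bytes.fromhex(hexdata.replace("XX", "00"))
    return blocks

def is_access_control(block):
    return block % 4 == 3  # last block of every 4-block sector

def access_level(blocks, sector):
    # the 4-byte value at offset 0x06 of the sector's access control block
    return ACCESS_LEVELS.get(blocks[sector * 4 + 3][6:10], "unknown")

def is_encrypted(block):
    return block >= 0x08 and not is_access_control(block)

def block_key(blocks, block, constant=KEY_CONSTANT):
    # MD5(first 0x20 bytes of sector 0 || block index || 0x35-byte constant), 0x56 bytes in
    if not is_encrypted(block):
        raise ValueError("block %#x is stored in the clear" % block)
    material = blocks[0] + blocks[1] + bytes([block]) + constant
    return hashlib.md5(material).digest()  # 16 bytes = AES-128 key

def decrypt_block(blocks, block, constant=KEY_CONSTANT):
    # AES-128-ECB; one toy block is exactly one AES block, so no padding is involved
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(block_key(blocks, block, constant)), modes.ECB()).decryptor()
    return dec.update(blocks[block]) + dec.finalize()

SAMPLE_DUMP = """\
Block 00: XX XX XX XX CA 81 01 0F C3 85 14 91 55 50 10 11
Block 01: 0E 00 00 00 XX XX XX XX XX XX XX XX 00 00 58 E3
Block 03: 00 00 00 00 00 00 0F 0F 0F 69 00 00 00 00 00 00
Block 07: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
"""
```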
data checksums
The checksums are a mess. There are four "types" of checksums:
Type 0: this is a CRC16 checksum of the first 0x1E bytes of sector 0.
The checksum itself is stored in block 0x01, offset 0x0E.
Type 1: this is a CRC16 checksum of the data area header. As there are
two data areas, there are two of these checksums. One is at block 0x08,
offset 0x0E, and the other is at block 0x24, offset 0x0E.
Type 2: this is a CRC16 checksum of the data area. As there are two data
areas, there are two of these checksums. One is at block 0x08, offset
0x0C, and the other is at block 0x24, offset 0x0C.
Type 3: this is another CRC16 checksum of the data area, except padded
with zeroes. As there are two data areas, there are two of these
checksums. One is at block 0x08, offset 0x0A, and the other is at block
0x24, offset 0x0A.
As type 0 is a checksum of a *supposedly* read-only sector, it's not all
that important. It's also very straightforward to understand.

The type 1 checksum is a checksum of just one block, the data area
header (0x08 and 0x24). As it's also stored WITHIN the data area header,
a default value must be supplied for the checksum before actually
calculating it. That value is 0x0005.

The type 2 checksum is actually only a checksum of the first 4 blocks
(EXCLUDING the data area header, and the access control blocks).

The type 3 checksum is a checksum of the next 4 blocks (EXCLUDING the
data area header, and the access control blocks), and then 0x0E blocks
of zeroes.

Just to reiterate, the encryption is applied AFTER all this checksum
mess is done.
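The four checksum regions above, including the 0x0005 preset for type 1, the skipped access control blocks and the 0x0E blocks of zero padding for type 3, as an added example that is not from the original page or the linked editor. It operates on a decrypted 64-block image; the page does not name the CRC16 variant, so the polynomial and initial value are an assumption.

```python
BLOCK_SIZE = 0x10

def crc16(data, poly=0x1021, init=0xFFFF):
    # Bitwise CRC-16. The page names no variant; CCITT-style parameters are an
    # assumption here, adjust them if real dumps fail to verify.
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def _data_blocks(blocks, first, count):
    # `count` blocks starting at `first`, skipping access control blocks (every 4th)
    out, b = [], first
    while len(out) < count:
        if b % 4 != 3:
            out.append(blocks[b])
        b += 1
    return b"".join(out)

def type0(blocks):        # first 0x1E bytes of sector 0, stored at block 1 offset 0x0E
    return crc16((blocks[0] + blocks[1])[:0x1E])

def type1(header_block):  # the header itself, with its own slot preset to 0x0005
    hdr = bytearray(header_block)
    hdr[0x0E:0x10] = (0x0005).to_bytes(2, "little")
    return crc16(bytes(hdr))

def type2(blocks, h):     # first 4 data blocks after the header (0x09, 0x0A, 0x0C, 0x0D for area 0)
    return crc16(_data_blocks(blocks, h + 1, 4))

def type3(blocks, h):     # next 4 data blocks (0x0E, 0x10, 0x11, 0x12), then 0x0E blocks of zeroes
    return crc16(_data_blocks(blocks, h + 6, 4) + bytes(0x0E * BLOCK_SIZE))

def stamp_checksums(blocks, h):
    # Fill type 3/2/1 at offsets 0x0A/0x0C/0x0E; type 1 goes last because it covers the others
    hdr = bytearray(blocks[h])
    hdr[0x0A:0x0C] = type3(blocks, h).to_bytes(2, "little")
    hdr[0x0C:0x0E] = type2(blocks, h).to_bytes(2, "little")
    hdr[0x0E:0x10] = type1(bytes(hdr)).to_bytes(2, "little")
    blocks[h] = bytes(hdr)

def verify_checksums(blocks, h):
    hdr = blocks[h]
    stored = tuple(int.from_bytes(hdr[o:o + 2], "little") for o in (0x0E, 0x0C, 0x0A))
    return stored == (type1(hdr), type2(blocks, h), type3(blocks, h))
```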

character data contents
Even though there are two "data areas" (headers at blocks 0x08 and 0x24,
data starts at blocks 0x09 and 0x25), some data is stored outside of
the area, so here's a breakdown of the whole 1KB:

Block    Block    Offset  Size     Description
(Area 0) (Area 1)         (bytes)
0x00     N/A      0x00    0x02     Unique serial number for the toy.
0x00     N/A      0x04    0x0E     Unknown.
0x01     N/A      0x00    0x02     Identifier for the character/toy type. In the dump above, you can see it's 0E 00 (Little Endian), or 0x000E (Gill Grunt).
0x01     N/A      0x04    0x08     Trading card ID.
0x01     N/A      0x0C    0x02     Unknown. Zeroes for me.
0x01     N/A      0x0E    0x02     Type 0 CRC16 checksum.
0x08     0x24     0x00    0x03     24-bit experience/level value. Maximum unknown. Set this really high to max out the level.
0x08     0x24     0x03    0x02     16-bit money value. Maximum 65000. Set it higher and the game rounds down to 65000.
0x08     0x24     0x05    0x02     Unknown.
0x08     0x24     0x07    0x02     Unknown. Zeroes for me.
0x08     0x24     0x09    0x01     8-bit sequence value for this data area. I'm not totally sure how it works yet, but I think the area with the higher value is the "primary" one at the moment.
0x08     0x24     0x0A    0x02     Type 3 CRC16 checksum.
0x08     0x24     0x0C    0x02     Type 2 CRC16 checksum.
0x08     0x24     0x0E    0x02     Type 1 CRC16 checksum.
0x09     0x25     0x00    0x04     Unknown. 0x04 for me. This has to do with the skills given by Fairy.
0x09     0x25     0x01    0x02     Unknown. Zeroes for me.
0x09     0x25     0x03    0x01     8-bit value, bitmap of platforms the character has touched. Bit 0 is the Wii and bit 1 is the Xbox 360, evidently.
0x09     0x25     0x04    0x02     ID of hat the character is currently wearing.
0x09     0x25     0x06    0x02     Unknown. Zeroes for me.
0x09     0x25     0x08    0x08     Unknown. I've seen FF BF 1B 7F FF 2F B9 7E and FF 83 EE 7E FF 19 30 7F.
0x0A     0x26     0x00    0x10     First half of Unicode name of character, zero-terminated, maximum 14 characters.
0x0C     0x28     0x00    0x10     Second half of Unicode name of character, zero-terminated, maximum 14 characters.
0x0D     0x29     0x00    0x06     Unknown. Some kind of sequence number?
0x0D     0x29     0x06    0x04     32 bits flagging heroic challenges completed. Can't just change this though, there is another checksum in the file on it.
0x0D     0x29     0x0A    0x02     16-bit hero points value. Maximum 100.
0x0D     0x29     0x0C    0x03     Unknown. Zeroes for me.
0x0D     0x29     0x0E    0x01     Unknown. 01 for me.
0x10     0x2C     0x00    0x0C     Unknown. Zeroes for me.
0x10     0x2C     0x0C    0x04     32-bit value indicating challenge level. I think this lets you unlock new challenges, or something.
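The layout in the table above turned into a decoder, as an added example that is not from the original page or the linked editor. It assumes the blocks are already decrypted and takes the page's reading that the area with the higher sequence byte is the current one; the image it decodes is constructed, not a real toy dump.

```python
BLOCK_SIZE = 0x10
AREA_HEADERS = (0x08, 0x24)

def primary_area(blocks):
    # The page's reading: the header with the higher sequence byte (offset 0x09) is current
    return max(AREA_HEADERS, key=lambda h: blocks[h][0x09])

def decode_character(blocks):
    h = primary_area(blocks)
    hdr, d0, d5 = blocks[h], blocks[h + 1], blocks[h + 5]  # header, first data block, 0x0D/0x29
    name_raw = blocks[h + 2] + blocks[h + 4]                # 0x0A+0x0C or 0x26+0x28, UTF-16LE
    le = lambda b, o, n: int.from_bytes(b[o:o + n], "little")
    return {
        "serial": le(blocks[0], 0x00, 2),
        "toy_type": le(blocks[1], 0x00, 2),
        "area": h,
        "sequence": hdr[0x09],
        "experience": le(hdr, 0x00, 3),
        "money": le(hdr, 0x03, 2),
        "platforms": [n for bit, n in ((0, "Wii"), (1, "Xbox 360")) if d0[0x03] >> bit & 1],
        "hat": le(d0, 0x04, 2),
        "name": name_raw.decode("utf-16-le").split("\x00", 1)[0],
        "heroic_challenges": le(d5, 0x06, 4),
        "hero_points": le(d5, 0x0A, 2),
    }

def _put(blocks, idx, offset, data):
    b = bytearray(blocks[idx])
    b[offset:offset + len(data)] = data
    blocks[idx] = bytes(b)

def sample_image():
    # Constructed decrypted image, not a real toy dump; values chosen to exercise each field
    blocks = [bytes(BLOCK_SIZE)] * 64
    _put(blocks, 0x00, 0x00, (0x1234).to_bytes(2, "little"))    # serial (made up)
    _put(blocks, 0x01, 0x00, (0x000E).to_bytes(2, "little"))    # 0x000E = Gill Grunt, as on the page
    _put(blocks, 0x08, 0x09, bytes([0x78]))                     # area 0: older sequence
    _put(blocks, 0x24, 0x00, (0x001234).to_bytes(3, "little"))  # area 1: experience
    _put(blocks, 0x24, 0x03, (65000).to_bytes(2, "little"))     # money at the stated maximum
    _put(blocks, 0x24, 0x09, bytes([0x79]))                     # area 1: newer sequence
    _put(blocks, 0x25, 0x03, bytes([0b11]))                     # touched Wii and Xbox 360
    _put(blocks, 0x25, 0x04, (0x0021).to_bytes(2, "little"))    # hat id (made up)
    _put(blocks, 0x26, 0x00, "Gill".encode("utf-16-le"))        # name, zero-terminated by the padding
    _put(blocks, 0x29, 0x0A, (42).to_bytes(2, "little"))        # hero points
    return blocks
```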