Skylanders RFID Protocol
Nov 18th, 2013
If you haven't heard of the game Skylanders: Spyro's Adventure, google it.

It's a video game for the PC/Mac, Wii, PS3, Xbox 360, and 3DS which comes with a USB "Portal of Power", a small platform that wirelessly reads and writes Skylanders toys. Whatever toy you put on it, the character it represents appears in-game, where you can play with it, upgrade its stats, etc. Character data is saved wirelessly back to the toy itself.

This page attempts to explain how this all works (as I understand it so far).
  13.  
the portal
There are two main versions of the portal that I've encountered so far -- the wired one (PC/Mac, Xbox 360) and the wireless one (PS3/Wii/3DS).

They work basically the same way -- the portal (or the wireless USB receiver, in the case of the wireless ones) constantly transmits status data back to the host, and also responds to read/write requests for toy data.
  24.  
The protocol couldn't be simpler -- the first byte of the data is a character representing the command, and the command's data comes after it. For the wired version, 0B 14 is placed before the command character.

The commands are:
R -- run? restart? I don't know. It's necessary to send this to start the status responses flying across. Responds with an empty R packet.
A -- activate? I don't know. I send it after the R, but I don't know that it's really necessary. Responds with an empty A packet.
S -- status. This is the packet the portal/dongle keeps sending back to the host (PC/360/PS3/Mac/Wii/whatever). Toy placement/removal is reported here, but I haven't looked into it all that closely yet.
C -- color. The next 3 bytes after this are the RGB values for the color you want to set. No response is sent back.
Z -- sleeping. The dongle for the wireless version reports this when it can't find the portal.
Q -- query. Sent to request a block of data from the toy. Responds with a Q packet carrying the requested data.
W -- write. Sent to write data to a block on the toy. Responds with an empty R packet.
The PC/Xbox 360 version of the portal reports vendor ID 0x1430, product ID 0x1F17. The Wii wireless version of the portal reports vendor ID 0x1430, product ID 0x0150. This is probably the same as the others, but I'm not sure.

The wired version contains two interrupt endpoints, incoming on endpoint 1 and outgoing on endpoint 2 (in the USB descriptors the IN endpoint's address carries the direction bit, so it appears as 0x81, while OUT is 0x02). Commands are sent/received over these. Responses are always 0x20 bytes, padded with zeroes.

The wireless version's dongle is a standard HID device, so it only contains one incoming endpoint (endpoint 1, address 0x81). Statuses and responses are received over this endpoint, but commands are sent through a standard USB control request (bmRequestType 0x21, bRequest 0x09, wValue 0x0200, wIndex zero). In HID terms that is a class-specific SET_REPORT to the interface: bRequest 0x09 is SET_REPORT and wValue 0x0200 means report type 2 (Output) with report ID 0, so each 0x20-byte command is simply sent as an output report. It's also possible for the Wii to send requests 0x0A and 0x0B with no data attached. The HID class specification assigns bRequest 0x0A to SET_IDLE and 0x0B to SET_PROTOCOL, so these look like the host's ordinary HID housekeeping rather than portal commands. Both commands and responses are always 0x20 bytes, padded with zeroes.
  61.  
  62.  
  63.  
Request Format/Details
R  52
A  41 <1 byte, unknown, always 0x01>
S  53 <4 bytes, status data?> <1 byte, auto-incrementing sequence>
C  43 <3 bytes, R/G/B value>
Z  5A
W  57 <0x10 + toy index> <block number> <0x10 bytes of data>
Q  51 <0x10 + toy index> <block number>
   reply: 51 <0x20 + toy index> <block number> <0x10 bytes of data>
  74.  
Basically, when a new Skylander is placed on the portal, the portal sends a status signal, S, that a new Skylander has arrived, along with the index of the new Skylander. (Request label 0x10 = the first Skylander placed after the portal was turned on, and its responses are labelled 0x20; 0x11 = the second Skylander, responses labelled 0x21; etc.)

To read and write Skylanders via Q and W you must specify which Skylander you want the portal to work with. The code here doesn't much bother with this; it assumes you plug the portal in and just edit a single Skylander.

E.g. to read a block from the first Skylander placed on the portal, send:
Q 51 10 <block number>   (padded with zeroes to 0x20 bytes)

Q should come back with a response of the form
51 20 <block number> <0x10 bytes of data>   for the first Skylander placed on the portal

A response like 51 01 ... indicates an error.
  91.  
  92.  
If you find that the write isn't working (especially on the wired version), pad the request out to 0x20 bytes and specify 0x20 instead of 0x10 with the command. It's dumb like that (off-by-one bug, I suspect); I haven't tested whether that would break the wireless version or not.
  97.  
The wireless version has a tendency to just not respond, so if you write your own application that does this stuff, try commands multiple times, and if writing data, query the block immediately afterward to make sure the write took. The game and web site do this as well.
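Here is an added worked example (Go; not code from this page or from Activision) of the packet framing and of the write-then-query-back routine just described. The portal side is a constructed in-memory stand-in holding one toy that silently loses the first few commands, the way the wireless dongle tends to; the real transport (interrupt endpoints, or the HID SET_REPORT control request) sits behind the `Portal` interface, which is this example's own abstraction. The error reply for a bad W is assumed to have the same 51 01 form the page gives for Q.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not code from the original page or from Activision.
// Packets are one ASCII command byte plus arguments, zero-padded to 0x20
// bytes. Toy index 0 is the first toy placed after power-on: it is labelled
// 0x10 in requests and 0x20 in the portal's replies.

const pktLen = 0x20

// frame builds one zero-padded 0x20-byte packet.
func frame(cmd byte, args ...byte) []byte {
	p := make([]byte, pktLen)
	p[0] = cmd
	copy(p[1:], args) // never more than 0x1F argument bytes fit
	return p
}

// wiredFrame prepends the 0B 14 bytes the wired (PC/Xbox 360) portal wants
// in front of the command character.
func wiredFrame(p []byte) []byte { return append([]byte{0x0B, 0x14}, p...) }

func cmdReset() []byte                  { return frame('R') }
func cmdActivate() []byte               { return frame('A', 0x01) }
func cmdColor(r, g, b byte) []byte      { return frame('C', r, g, b) }
func cmdQuery(index, block byte) []byte { return frame('Q', 0x10+index, block) }
func cmdWrite(index, block byte, data [16]byte) []byte {
	return frame('W', append([]byte{0x10 + index, block}, data[:]...)...)
}

var errPortal = errors.New("portal replied 51 01: error")

// parseQuery decodes 51 <0x20+index> <block> <16 bytes>; 51 01 ... is an error.
func parseQuery(resp []byte) (index, block byte, data [16]byte, err error) {
	if len(resp) < 19 || resp[0] != 'Q' {
		return 0, 0, data, fmt.Errorf("not a Q response: % X", resp)
	}
	if resp[1] == 0x01 {
		return 0, 0, data, errPortal
	}
	if resp[1] < 0x20 {
		return 0, 0, data, fmt.Errorf("unexpected toy label %#02x", resp[1])
	}
	copy(data[:], resp[3:19])
	return resp[1] - 0x20, resp[2], data, nil
}

// Portal is the transport (interrupt endpoints or HID SET_REPORT in real
// life): one packet out, one packet or nil back.
type Portal interface{ Exchange(pkt []byte) []byte }

// mockPortal is a constructed stand-in holding one 64-block toy. It silently
// loses the first `lose` commands, like the wireless dongle tends to.
type mockPortal struct {
	toy  [64][16]byte
	lose int
}

func (m *mockPortal) Exchange(pkt []byte) []byte {
	if m.lose > 0 {
		m.lose--
		return nil
	}
	switch pkt[0] {
	case 'R', 'A':
		return frame(pkt[0]) // empty R / A reply
	case 'Q':
		if pkt[1] != 0x10 || pkt[2] >= 64 {
			return frame('Q', 0x01) // the 51 01 error reply
		}
		return frame('Q', append([]byte{0x20, pkt[2]}, m.toy[pkt[2]][:]...)...)
	case 'W':
		if pkt[1] != 0x10 || pkt[2] >= 64 {
			return frame('Q', 0x01) // assumed: same error form as for Q
		}
		copy(m.toy[pkt[2]][:], pkt[3:19])
		return frame('R') // the page: W answers with an empty R packet
	}
	return nil // C and anything unknown: no reply
}

// WriteVerified writes a block, queries it back and retries until the toy
// holds what was sent, as the page advises for the flaky wireless portal.
func WriteVerified(p Portal, index, block byte, data [16]byte, tries int) error {
	for i := 1; i <= tries; i++ {
		p.Exchange(cmdWrite(index, block, data))
		_, blk, got, err := parseQuery(p.Exchange(cmdQuery(index, block)))
		if err == nil && blk == block && got == data {
			return nil
		}
	}
	return fmt.Errorf("block %#02x not verified after %d tries", block, tries)
}

func main() {
	p := &mockPortal{lose: 2}
	p.Exchange(cmdReset())
	p.Exchange(cmdActivate())
	p.Exchange(cmdColor(0x00, 0x80, 0xFF))
	var name [16]byte
	copy(name[:], "G\x00i\x00l\x00l\x00") // first half of a UTF-16LE name
	fmt.Println("write:", WriteVerified(p, 0, 0x0A, name, 5))
	_, _, data, err := parseQuery(p.Exchange(cmdQuery(0, 0x0A)))
	fmt.Printf("block 0x0A: % X (err=%v)\n", data, err)
}
```

Against a real portal, `Exchange` would be a libusb interrupt write plus read for the wired version, or a SET_REPORT control transfer plus an interrupt read for the dongle; everything above the transport stays the same.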
  102.  
Be aware that the Xbox 360 version has an Infineon security chip (method 3, version 1.00), so if you intend to emulate the portal on the Xbox 360, you're going to have to resort to some weird trickery.
  106.  
raw toy data
The character itself can store up to 1KB of data, separated into 64 16-byte "blocks" (64 * 16 = 1024 bytes). A group of 4 blocks is (traditionally) a "sector." This is the block/sector layout of a MIFARE Classic 1K tag; the "full access" value FF 07 80 69 mentioned below is that family's factory-default setting for the access bits stored at the same position of a sector trailer. All data is stored Little Endian.
  111.  
Below is a decrypted dump of one of my characters, Gill Grunt (some sensitive information masked out with "XX"):

Block 00: XX XX XX XX CA 81 01 0F C3 85 14 91 55 50 10 11
Block 01: 0E 00 00 00 XX XX XX XX XX XX XX XX 00 00 58 E3
Block 02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 03: 00 00 00 00 00 00 0F 0F 0F 69 00 00 00 00 00 00
Block 04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 07: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 08: 00 00 00 00 00 6D 01 00 00 78 2E DF 3F 18 2C DD
Block 09: 00 00 00 01 00 00 00 00 AF 2A BC 87 21 A8 63 9A
Block 0A: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 0B: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 0C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 0D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
Block 0E: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 0F: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 13: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 17: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 1A: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 1B: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 1C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 1D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 1E: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 1F: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 23: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 24: 00 00 00 00 00 70 01 00 00 79 F8 ED 3F 18 C8 7A
Block 25: 00 00 00 01 00 00 00 00 AF 2A BC 87 21 A8 63 9A
Block 26: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 27: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 28: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 29: 35 14 16 0A DB 07 00 00 00 00 00 00 00 00 00 01
Block 2A: 35 14 16 0A DB 07 00 00 00 00 00 00 00 00 00 00
Block 2B: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 2C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 2D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 2E: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 2F: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 31: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 33: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 34: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 35: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 36: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 37: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 38: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 39: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3A: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3B: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
Block 3C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3E: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3F: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  179.  
Part of the character data is encrypted, and nearly all of it is protected by several CRC16 checksums.

Blocks 0x00 and 0x01 are special. These two blocks contain part of the decryption key, as well as other data unique to the character (such as the toy's unique serial number, trading card ID, etc.).

The last block of every sector (so blocks 0x03, 0x07, 0x0B, 0x0F, etc.) is known as the "access control block", indicating the read/write status of that sector. It is mostly zeroes except for a 4-byte value at offset 0x06 of the access control block. Take block 0x03, for example:

00 00 00 00 00 00 0F 0F 0F 69 00 00 00 00 00 00

If you look 0x06 bytes into it, you see 0F 0F 0F 69. This tells you whether the first sector (blocks 0x00 to 0x03) is read-only.

Read-only access: 0F 0F 0F 69
Read-write access: 7F 0F 08 69
Full access (whatever that means): FF 07 80 69

Almost all sectors have read-write access except for the first sector. This does NOT indicate whether it's physically protected; it's more of a guideline. :) Not all four blocks are necessarily writable; I'm not sure what's actually enforcing the protection on the others, perhaps the portal itself.
  205.  
There are two main data "areas" where arbitrary data can be written. Each contains a block-sized header: the first data area's header is block 0x08, and the second header is block 0x24. At offset 0x09 of the data area header block there is an 8-bit sequence number that indicates which area is complete/most recent/valid. In the dump above, area 0 (block 0x08) has sequence 0x78 and area 1 (block 0x24) has 0x79, so area 1 is the newer one.

As far as I can tell, everything else is free to use.
  213.  
data encryption
Every block from 0x08 onward (with the exception of the access control blocks) is encrypted using a key unique to that block. The algorithm is 128-bit AES in ECB mode with zero-byte padding; since each block is exactly one 16-byte AES block, no padding is ever actually added. As that's a symmetric key algorithm, the same key is used to both encrypt and decrypt.

The key itself is the MD5 hash of the following 0x56 bytes:

<first 0x20 bytes of sector 0 (blocks 0x00 and 0x01)> <1-byte block index> <0x35-byte constant>

The constant is the ASCII string " Copyright (C) 2010 Activision. All Rights Reserved. " (note the leading and trailing spaces), or as a C array:

unsigned char hashConst[] = {
    0x20, 0x43, 0x6F, 0x70, 0x79, 0x72, 0x69, 0x67, 0x68, 0x74, 0x20, 0x28, 0x43, 0x29, 0x20, 0x32, // " Copyright (C) 2"
    0x30, 0x31, 0x30, 0x20, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x73, 0x69, 0x6F, 0x6E, 0x2E, 0x20, // "010 Activision. "
    0x41, 0x6C, 0x6C, 0x20, 0x52, 0x69, 0x67, 0x68, 0x74, 0x73, 0x20, 0x52, 0x65, 0x73, 0x65, 0x72, // "All Rights Reser"
    0x76, 0x65, 0x64, 0x2E, 0x20                                                                     // "ved. "
}; /* 0x35 = 53 bytes */
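As an added example (Go; not this page's or Activision's code), here is the key derivation and per-block AES described above, using Go's standard library for MD5 and AES. The sector 0 used in `main` is constructed; a real one carries the toy's serial number, toy ID and card ID, which is exactly why the per-block keys differ from toy to toy.

```go
package main

import (
	"crypto/aes"
	"crypto/md5"
	"fmt"
)

// Added example, not code from the original page or from Activision.
// key = MD5( blocks 0x00..0x01 (0x20 bytes) || block index (1 byte) || 0x35-byte constant )
// Each protected block is exactly one AES block, so "ECB" here is a single raw
// AES block operation per 16-byte toy block; no padding is ever needed.

// keyConst is the 0x35-byte string from the hashConst array above.
const keyConst = " Copyright (C) 2010 Activision. All Rights Reserved. "

// IsEncrypted reports whether a block is AES-protected: 0x08 onwards, except
// the access control block that ends every 4-block sector.
func IsEncrypted(block byte) bool {
	return block >= 0x08 && block%4 != 3
}

// KeyMaterial returns the 0x56 bytes that are hashed for one block.
func KeyMaterial(sector0 [0x20]byte, block byte) []byte {
	m := make([]byte, 0, 0x56)
	m = append(m, sector0[:]...)
	m = append(m, block)
	m = append(m, keyConst...)
	return m
}

// BlockKey derives the per-block AES-128 key.
func BlockKey(sector0 [0x20]byte, block byte) [16]byte {
	return md5.Sum(KeyMaterial(sector0, block))
}

// DecryptBlock applies one AES-128 block decryption with the block's key.
func DecryptBlock(sector0 [0x20]byte, block byte, in [16]byte) ([16]byte, error) {
	var out [16]byte
	k := BlockKey(sector0, block)
	c, err := aes.NewCipher(k[:])
	if err != nil {
		return out, err
	}
	c.Decrypt(out[:], in[:])
	return out, nil
}

// EncryptBlock is the inverse, for writing a modified block back.
func EncryptBlock(sector0 [0x20]byte, block byte, in [16]byte) ([16]byte, error) {
	var out [16]byte
	k := BlockKey(sector0, block)
	c, err := aes.NewCipher(k[:])
	if err != nil {
		return out, err
	}
	c.Encrypt(out[:], in[:])
	return out, nil
}

// DecryptTag decrypts a whole 64-block image in place, leaving blocks
// 0x00-0x07 and the access control blocks untouched.
func DecryptTag(tag *[64][16]byte) error {
	var sector0 [0x20]byte
	copy(sector0[:16], tag[0][:])
	copy(sector0[16:], tag[1][:])
	for b := 0; b < 64; b++ {
		if !IsEncrypted(byte(b)) {
			continue
		}
		p, err := DecryptBlock(sector0, byte(b), tag[b])
		if err != nil {
			return err
		}
		tag[b] = p
	}
	return nil
}

func main() {
	// Constructed sector 0; a real one holds the UID, toy ID and card ID.
	var sector0 [0x20]byte
	for i := range sector0 {
		sector0[i] = byte(i * 7)
	}
	k8, k9 := BlockKey(sector0, 0x08), BlockKey(sector0, 0x09)
	fmt.Printf("key for block 0x08: %X\nkey for block 0x09: %X\n", k8, k9)
}
```

Because the key depends on blocks 0x00 and 0x01, a dump whose first two blocks were captured wrongly (or masked, as in the dump above) cannot be decrypted at all; check those 0x20 bytes first when a decryption yields garbage.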
  230.  
  231.  
data checksums
The checksums are a mess. There are four "types" of checksums:
Type 0: a CRC16 of the first 0x1E bytes of sector 0 (blocks 0x00 and 0x01). The checksum itself is stored in block 0x01, offset 0x0E, i.e. in the last two bytes of the region it covers.
Type 1: a CRC16 of the data area header. As there are two data areas, there are two of these checksums: one at block 0x08, offset 0x0E, and the other at block 0x24, offset 0x0E.
Type 2: a CRC16 of the data area. Again two of them: one at block 0x08, offset 0x0C, and the other at block 0x24, offset 0x0C.
Type 3: another CRC16 of the data area, except padded with zeroes. Again two of them: one at block 0x08, offset 0x0A, and the other at block 0x24, offset 0x0A.

As type 0 is a checksum of a *supposedly* read-only sector, it's not all that important. It's also very straightforward to understand.

The type 1 checksum covers just one block, the data area header (0x08 or 0x24). As it's also stored WITHIN the data area header, a default value must be supplied for the checksum field before actually calculating it. That value is 0x0005.

The type 2 checksum actually covers only the first 4 data blocks of the area (EXCLUDING the data area header and the access control blocks), i.e. blocks 0x09, 0x0A, 0x0C and 0x0D for area 0, and 0x25, 0x26, 0x28 and 0x29 for area 1.

The type 3 checksum covers the next 4 data blocks (again EXCLUDING access control blocks: 0x0E, 0x10, 0x11 and 0x12 for area 0, and 0x2A, 0x2C, 0x2D and 0x2E for area 1), followed by 0x0E blocks of zeroes. Check this block coverage against a dump you trust: in the dump above the two type 2 values are identical (3F 18) even though blocks 0x0D and 0x29 differ, so the boundary between the type 2 and type 3 ranges may not be exactly as described here.

When computing the checksums, they have to be done in the following order: compute checksums 3 and 2, then increment the area sequence number by 1, then compute checksum 1 (which covers the header that now holds the other two checksums and the new sequence number).

Just to reiterate, the encryption is applied AFTER all this checksum mess is done.
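An added example (Go; not this page's or Activision's code) of the checksum layout and the sealing order described above, over a decrypted 64-block image. The page only says "CRC16"; the variant used here (polynomial 0x1021, initial value 0xFFFF, no reflection, i.e. CRC-16/CCITT-FALSE) is an assumption, and `DumpHeaderMatches` tests that assumption against block 0x08 of the dump above. Stored checksums are written little-endian, as the page says all data is. The names `Seal`, `Verify` and `Type0`..`Type3` are this example's own.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Added example, not code from the original page or from Activision.
// The CRC variant is an assumption: CRC-16/CCITT-FALSE (poly 0x1021,
// init 0xFFFF, no reflection, no final xor).
func crc16(data []byte) uint16 {
	crc := uint16(0xFFFF)
	for _, b := range data {
		crc ^= uint16(b) << 8
		for i := 0; i < 8; i++ {
			if crc&0x8000 != 0 {
				crc = crc<<1 ^ 0x1021
			} else {
				crc <<= 1
			}
		}
	}
	return crc
}

// Tag is a decrypted 64-block image.
type Tag [64][16]byte

// Data area headers: area 0 at block 0x08, area 1 at block 0x24.
var areaHeader = [2]int{0x08, 0x24}

// dataBlocks lists the blocks covered by the type 2 and type 3 checksums of
// an area, skipping the access control block that ends each sector.
func dataBlocks(area int) (type2, type3 []int) {
	h := areaHeader[area]
	type2 = []int{h + 1, h + 2, h + 4, h + 5}  // 0x09,0x0A,0x0C,0x0D for area 0
	type3 = []int{h + 6, h + 8, h + 9, h + 10} // 0x0E,0x10,0x11,0x12 for area 0
	return
}

func concat(t *Tag, blocks []int) []byte {
	var out []byte
	for _, b := range blocks {
		out = append(out, t[b][:]...)
	}
	return out
}

// Type0 covers the first 0x1E bytes of sector 0; stored at block 0x01, offset 0x0E.
func Type0(t *Tag) uint16 {
	return crc16(append(append([]byte{}, t[0][:]...), t[1][:0x0E]...))
}

// Type1 covers the header block with 0x0005 in place of the checksum field.
func Type1(t *Tag, area int) uint16 {
	h := t[areaHeader[area]] // copy; the image is not modified
	binary.LittleEndian.PutUint16(h[0x0E:], 0x0005)
	return crc16(h[:])
}

func Type2(t *Tag, area int) uint16 {
	b, _ := dataBlocks(area)
	return crc16(concat(t, b))
}

// Type3: the next four data blocks followed by 0x0E blocks of zeroes.
func Type3(t *Tag, area int) uint16 {
	_, b := dataBlocks(area)
	return crc16(append(concat(t, b), make([]byte, 0x0E*16)...))
}

// Seal recomputes an area's checksums in the order the page gives: type 3
// and type 2 first, then bump the sequence byte, then type 1 over the header.
func Seal(t *Tag, area int) {
	h := &t[areaHeader[area]]
	binary.LittleEndian.PutUint16(h[0x0A:], Type3(t, area))
	binary.LittleEndian.PutUint16(h[0x0C:], Type2(t, area))
	h[0x09]++
	binary.LittleEndian.PutUint16(h[0x0E:], Type1(t, area))
}

// Verify checks the three stored checksums of an area.
func Verify(t *Tag, area int) bool {
	h := t[areaHeader[area]]
	return binary.LittleEndian.Uint16(h[0x0A:]) == Type3(t, area) &&
		binary.LittleEndian.Uint16(h[0x0C:]) == Type2(t, area) &&
		binary.LittleEndian.Uint16(h[0x0E:]) == Type1(t, area)
}

// DumpHeaderMatches tests the assumed CRC variant against block 0x08 of the
// dump above, whose stored type 1 value is 2C DD (0xDD2C little-endian).
func DumpHeaderMatches() bool {
	var t Tag
	t[0x08] = [16]byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x6D, 0x01, 0x00, 0x00, 0x78, 0x2E, 0xDF, 0x3F, 0x18, 0x2C, 0xDD}
	return Type1(&t, 0) == 0xDD2C
}

func main() {
	var t Tag
	copy(t[0x0A][:], "G\x00i\x00l\x00l\x00")         // constructed: name "Gill" in UTF-16LE
	binary.LittleEndian.PutUint16(t[0x08][3:], 1234) // constructed: money
	Seal(&t, 0)
	fmt.Printf("header 0x08 after seal: % X\n", t[0x08])
	fmt.Println("area 0 verifies:", Verify(&t, 0))
	fmt.Println("dump header matches assumed CRC variant:", DumpHeaderMatches())
}
```

If `DumpHeaderMatches` prints false on your build, the assumed polynomial or byte order is wrong; the layout logic is unaffected, only `crc16` needs swapping.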
  267.  
character data contents
Even though there are two "data areas" (headers at blocks 0x08 and 0x24, data starting at blocks 0x09 and 0x25), some data is stored outside the areas, so here's a breakdown of the whole 1KB. Block numbers are given for area 0 / area 1; sizes are in bytes and multi-byte values are Little Endian.

Block   Block   Offset  Size  Description
Area 0  Area 1
0x00    N/A     0x00    0x04  Unique serial number (UID) of the toy; the dump above masks all four bytes.
0x00    N/A     0x04    0x0C  Unknown.
0x01    N/A     0x00    0x02  Identifier for the character/toy type. In the dump above it's 0E 00 (Little Endian), i.e. 0x000E (Gill Grunt).
0x01    N/A     0x02    0x02  Unknown. Zeroes in the dump.
0x01    N/A     0x04    0x08  Trading card ID.
0x01    N/A     0x0C    0x02  Unknown. Zeroes for me.
0x01    N/A     0x0E    0x02  Type 0 CRC16 checksum.
0x08    0x24    0x00    0x03  24-bit experience/level value. Maximum unknown. Set this really high to max out the level.
0x08    0x24    0x03    0x02  16-bit money value. Maximum 65000; set it higher and the game rounds down to 65000.
0x08    0x24    0x05    0x02  Unknown (6D 01 and 70 01 in the dump).
0x08    0x24    0x07    0x02  Unknown. Zeroes for me.
0x08    0x24    0x09    0x01  8-bit sequence value for this data area. I'm not totally sure how it works yet, but I think the area with the higher value is the "primary" one at the moment.
0x08    0x24    0x0A    0x02  Type 3 CRC16 checksum.
0x08    0x24    0x0C    0x02  Type 2 CRC16 checksum.
0x08    0x24    0x0E    0x02  Type 1 CRC16 checksum.
0x09    0x25    0x00    0x02  Skills given by the Fairy. Bit 7 = path chosen: FD 0F = left, FF 0F = right. (Note that those two sample values differ in bit 1 of the first byte, so check the path bit against your own toys.)
0x09    0x25    0x02    0x01  Unknown. Zeroes for me.
0x09    0x25    0x03    0x01  8-bit bitmap of platforms the character has touched. Bit 0 is the Wii and bit 1 is the Xbox 360, evidently.
0x09    0x25    0x04    0x01  ID of the hat the character is currently wearing.
0x09    0x25    0x06    0x02  Unknown. Zeroes for me.
0x09    0x25    0x08    0x08  Unknown. I've seen FF BF 1B 7F FF 2F B9 7E and FF 83 EE 7E FF 19 30 7F.
0x0A    0x26    0x00    0x10  First half of the Unicode name of the character (16-bit little-endian characters), zero-terminated, maximum 14 characters in total.
0x0C    0x28    0x00    0x10  Second half of the Unicode name of the character.
0x0D    0x29    0x00    0x06  Unknown. Some kind of sequence number? (In the dump, block 0x29 holds 35 14 16 0A DB 07, which looks like a little-endian minute/hour/day/month/year stamp, i.e. 2011-10-22 20:53.)
0x0D    0x29    0x06    0x04  32 bits flagging heroic challenges completed.
0x0D    0x29    0x0A    0x02  16-bit hero points value. Maximum 100.
0x0D    0x29    0x0C    0x03  Unknown. Zeroes for me.
0x0D    0x29    0x0F    0x01  Unknown. 01 for me.
0x10    0x2C    0x00    0x0C  Unknown. Zeroes for me.
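Added example (Go; not from this page or from Activision) that decodes the fields in the table above from a decrypted image and chooses the primary area by its sequence byte. `PageDump` loads the non-zero blocks of the two data areas from the Gill Grunt dump on this page (everything else stays zero); the `Area` struct, its field names and `ParseArea`/`Primary` are this example's own.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Added example, not code from the original page or from Activision.
// Offsets follow the "character data contents" table above.

// Tag is a decrypted 64-block image.
type Tag [64][16]byte

// Area is one decoded data area (header block 0x08 or 0x24).
type Area struct {
	Header     int
	Experience uint32 // 24-bit, header offset 0x00
	Money      uint16 // header offset 0x03
	Sequence   byte   // header offset 0x09
	Platforms  byte   // first data block offset 0x03
	Hat        byte   // first data block offset 0x04
	Challenges uint32 // fifth data block offset 0x06
	HeroPoints uint16 // fifth data block offset 0x0A
	Name       string // blocks header+2 and header+4, UTF-16LE, zero-terminated
}

func le24(b []byte) uint32 { return uint32(b[0]) | uint32(b[1])<<8 | uint32(b[2])<<16 }

// utf16Name joins the two name blocks and stops at the first zero character.
func utf16Name(blocks ...[16]byte) string {
	var u []uint16
	for _, blk := range blocks {
		for i := 0; i < 16; i += 2 {
			c := binary.LittleEndian.Uint16(blk[i:])
			if c == 0 {
				return string(utf16.Decode(u))
			}
			u = append(u, c)
		}
	}
	return string(utf16.Decode(u))
}

// ParseArea decodes the area whose header is at block `header` (0x08 or 0x24).
func ParseArea(t *Tag, header int) Area {
	h := t[header][:]
	d := t[header+1][:] // 0x09 / 0x25
	s := t[header+5][:] // 0x0D / 0x29
	return Area{
		Header:     header,
		Experience: le24(h[0:3]),
		Money:      binary.LittleEndian.Uint16(h[3:5]),
		Sequence:   h[9],
		Platforms:  d[3],
		Hat:        d[4],
		Challenges: binary.LittleEndian.Uint32(s[6:10]),
		HeroPoints: binary.LittleEndian.Uint16(s[0x0A:0x0C]),
		Name:       utf16Name(t[header+2], t[header+4]),
	}
}

// Primary returns the area with the higher sequence byte (the page's reading
// of which area is current).
func Primary(t *Tag) Area {
	a0, a1 := ParseArea(t, 0x08), ParseArea(t, 0x24)
	if a1.Sequence > a0.Sequence {
		return a1
	}
	return a0
}

// PageDump loads the non-zero data area blocks quoted from the page's dump.
func PageDump() Tag {
	var t Tag
	for blk, hx := range map[int]string{
		0x08: "00 00 00 00 00 6D 01 00 00 78 2E DF 3F 18 2C DD",
		0x09: "00 00 00 01 00 00 00 00 AF 2A BC 87 21 A8 63 9A",
		0x0D: "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01",
		0x24: "00 00 00 00 00 70 01 00 00 79 F8 ED 3F 18 C8 7A",
		0x25: "00 00 00 01 00 00 00 00 AF 2A BC 87 21 A8 63 9A",
		0x29: "35 14 16 0A DB 07 00 00 00 00 00 00 00 00 00 01",
	} {
		b, err := hex.DecodeString(strings.ReplaceAll(hx, " ", ""))
		if err != nil || len(b) != 16 {
			panic("bad dump line")
		}
		copy(t[blk][:], b)
	}
	return t
}

func main() {
	tag := PageDump()
	p := Primary(&tag)
	fmt.Printf("primary area: header 0x%02X seq 0x%02X platforms %08b exp %d money %d name %q\n",
		p.Header, p.Sequence, p.Platforms, p.Experience, p.Money, p.Name)
}
```

On the page's dump this selects area 1 (sequence 0x79 over 0x78) and shows the platform bitmap as 00000001, i.e. bit 0 (Wii) set, consistent with the table.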
  312.  
  313.  
If you want to understand more about how the protocol works, go to the Spyro web site and download the portal driver from there (it's included with the binary as spyrowebworldportaldriver.exe). This will install code to C:\Program Files\FS\Spyro Portal. Run FlashPortal.exe and SpyroLibrary.dll through a .NET decompiler like .NET Reflector to see how Activision communicates with the portal.