Instructions

[AwsmSteve]

I know this doesn't really belong in the Issues section, but I'd like to help with this project and I have no idea how to use HID API. Do you have instructions I could follow to get this project working? I've been trying on both Mac and Windows. Thanks.

[silicontrip]

This code should build without modification on OSX, as this is where I developed it. There is an Xcode project. The HID API is included, it's distributed as source. If you just want an OSX intel (or PPC) binary I could supply one.

If you are after a linux version there are forks of this code which build for Linux.

As for windows, I do not know much about their build environment and could not offer any guidance on how to build on that platform. This code was derived from a windows tool, (although it had less flexibility) and that tool is still available.

[AwsmSteve]

Hey Mark — thanks for the quick response!

I have actually been able to build the binary through Xcode, but I can’t get the USB portal to read anything. (Freezes at “Reading Skylander” or returns “No Skylander detected on portal.) I thought that was maybe what the HID API helped with? I did get it to partially work once when I looped through a read command; after about the 15th time it gave me this error:

"Checksum failure for checksum type 3, data area 0Checksum failure for checksum type 2, data area 0Checksum failure for checksum type 1, data area 0Checksum failure for checksum type 3, data area 1Checksum failure for checksum type 2, data area 1Checksum failure for checksum type 1, data area 1Warning. Skylander data read from portal, but checksums are incorrect. File may be corrupt. Writing Skylander. Success!”

Any help would be greatly appreciated.

Thanks again!

On Tue, Jul 2, 2013 at 4:04 PM, Mark Heath notifications@github.com wrote: This code should build without modification on OSX, as this is where I developed it. There is an Xcode project. The HID API is included, it's distributed as source. If you just want an OSX intel (or PPC) binary I could supply one.

If you are after a linux version there are forks of this code which build for Linux.

As for windows, I do not know much about their build environment and could not offer any guidance on how to build on that platform. This code was derived from a windows tool, (although it had less flexibility) and that tool is still available.

— Reply to this email directly or view it on GitHub.

[silicontrip]

It sounds like everything did build ok. I don't think that there is any problem with the HIDAPI or your connection to your portal.

What kind of portal do you have? (from what console)

I am aware of issues with XBOX portals, having an extra layer of security that I did not implement. I have a Wii portal with a wireless usb dongle. Which did not have any security issues.

If you do have an xbox portal then this is the cause of the issue. You may have to do some hacking to get it to work, this is the site where I forked the code from: http://www.maxconsole.com/maxcon_forums/showthread.php?188959-Skylander-Editor-v2.0-released

You may be able to integrate the xbox portal code into this version. I'm sorry I can't help much with xbox portal integration.

If you have another kind of portal (or specifically a Wii portal, which I have tested on) you may need to insert some debug statements into the code to find out what is going wrong. It sounds like something to do with your portal communicating with your skylanders.

Let me know what you can find out and we'll see if we can resolve the issue.

Mark

[FunThomas76]

Hello, i have problems reading the new swapforce, i always get checksum errors. Other series 3 figures are working:( Do you know any news about the checksums of swapforce figures ? best regards, Thomas

[silicontrip]

I do not have the swapforce game so I can not test it. If the older skylanders read but the swapforce do not, I would say that there is a different data structure on these skylanders. This thread seems to be discussing it http://forum.darkspyro.net/spyro/viewposts.php?topic=90875 they seem to have no issue reading/editing the swapforce figures. Unfortunately without a swapforce figure I cannot determine why there is a checksum error.

[FunThomas76]

Hi Mark,

thanx for your fast answer. I will try to get some more information from the ppl in the other thread.

best regards, Thomas

Am 13.12.2013 08:19, schrieb Mark Heath:

I do not have the swapforce game so I can not test it. If the older skylanders read but the swapforce do not, I would say that there is a different data structure on these skylanders. This thread seems to be discussing it http://forum.darkspyro.net/spyro/viewposts.php?topic=90875 they seem to have no issue reading/editing the swapforce figures. Unfortunately without a swapforce figure I cannot determine why there is a checksum error.

— Reply to this email directly or view it on GitHub https://github.com/silicontrip/SkyReader/issues/2#issuecomment-30491092.

[jlvcm]

@silicontrip , i've been searching for the linux fork but i cannot find it, any help?

[abased]

I am also getting errors reading skylanders giant (gill grunt) using the wii wired portal

output from editor:

ndeyoungs-macbook:Debug nickdeyoung$ ./editor -p -D Reading Skylander

Checksum failure for checksum type 3, data area 0Checksum failure for checksum type 2, data area 0Checksum failure for checksum type 1, data area 0Checksum failure for checksum type 3, data area 1Checksum failure for checksum type 2, data area 1Checksum failure for checksum type 1, data area 1Warning. Skylander data read from portal, but checksums are incorrect. File may be corrupt. Serial Number: 1D96 Toy Type: UNKNOWN (100) trading ID: 0000: 51 5b 15 68 33 d8 00 00 Q[.h3...
Area 0 sequence: 159 Area 1 sequence: 249 Area 1 selected. Experience: 4515459 Money: 57741 Skills: 3DC9 Platforms: UNKNOWN Name: ??a???:???\K Hat: 815 Hero Points: 26845 Heroic Challenges: f8ecc3d2

[FunThomas76]

The checksum errors will come when the figure is not really used in the game and nothing is written to it. So play a while in the game and the checksum failure will leave. Also for the swapforce the bottom part will have no crc errors when you choose something from ther upgrade path for the bottom part. Only the upgrade path for the bottom is stored there. XP and Money ... is stored on the upper part and there is more often written to.

[abased]

to be clear, this works on skylanders giants? as I look through the code it looks like it was developed against spyro's adventure.

[FunThomas76]

the checksums are all the same for skylanders from spyros adventure, giants and swapforce, so read and write some backups works the same way. The only difference is the maximising of some stats (some positions of experience over level 10, heroics ...)

[JonathanFly]

This also doesn't really belong in issues, but not sure where else to ask.

Can SkyReader read regular NFC tags in any capacity? Or is any tag that isn't a Skylander's figure invisible to the portal? Even if I could just get UIDs and nothing else I'd find it useful for a project I'm working on.

[silicontrip]

I believe you can use other NFC tags of the same capacity, I've heard that people have "replicated" skylanders this way. You cannot do this with a normal skylander because some parts of the tag are write protected. I do not know how the write protected areas are implemented, either in the portal or on the tag. So it may prevent you from completely writing to your tag. I do not know about other sized tags.

[JonathanFly]

I only need a unique UID from every tag so I can tell the tags apart -- no need for writing data at all, or reading any other part of the 1k data.

Looks like the tags that match the Skylander figures are MiFare Classic 1k. From looking at the code here, the first few blocks aren't encrypted on the figures anyway and this includes the UID tag. But it's still quite possible that any tag which doesn't fit the skylander format according to the checksum or whatnot may still be completely ignored by the portal. Promising enough anyway, I'l get some MiFare and give it a go.

I suppose an alternative approach is to 'replicate' Skylander data onto the tags so that portal acknowledges them, since that does seem to be one thing that other people have figured out already.

Delighted to see how easy it is to change the color LEDs on the portal.

[JonathanFly]

Tried it. Using the hidapi library and some of your source to monitor the input I see that a regular tag the portal sends the same status change it does normally when you place a figure on there, but it never responds to any read requests. Looks like it doesn't work, at least without some work on either the tags or the portal.

[silicontrip]

I've done some reading on this. (attempting to read a skylander with my mobile phone's NFC) The portal handles the MiFare encryption keys. The keys are algorithmically generated from the UID. Unless you know the relation between the UID and the keys for the blocks (which would be proprietary activision code) you will not be able to read other tags without the correct encryption keys.

[JonathanFly]

As I understand it MiFare classic encryption has been basically broken. So if it was just having the right encryption key on a regular NFC tag that might be possible. But if the portal is looking some other particular attributes stored in sector zero (perhaps the ATQA and SAK fields) then there's no way to trick the portal into reading regular tags where this will never be changed.

I also checked into Skylander prices... if you buy them in bulk they are almost down to a dollar. Which isn't much more than a regular NFC tag anyway...

[silicontrip]

Having broken encryption simply means that you can determine the keys for an existing skylander if you have the right equipment. However you would still need to know how the portal determines what the keys are from the UID. Any custom UID you wanted to use would be next to impossible without knowing this algorithm.

As you've mentioned it would probably be simpler to buy second hand skylanders and use the tags from inside them. You could even store a few bytes of information on the write enabled areas.

[JonathanFly]

Appreciate you taking a look. I'll think about using regular skylanders. I also want to use regular Android device NFC readers, which seem to be able to read a UID from a skylander, so they might work fine as long as they can be bought at a price not too much more than a tag.

[bettse]

I've tried using the portal as a generic reader and gotten to the same point (the status message shows a new tag, read commands fail). Using an NFC reader that I can control the firmware on, I found that the SAK is 01, which creates an initial point of incompatibility between regular readers/tags and these. Even adapting the firmware for that, the read commands still failed due to having (I believe) an incorrect mifare key as previously discussed.

I think the SAK issue is fairly well known:

• https://plus.google.com/+ThomasChristensen/posts/ZaS7yvoPLLq
• http://www.proxmark.org/forum/viewtopic.php?id=1818
• http://www.proxmark.org/forum/viewtopic.php?id=2155
• http://www.proxmark.org/forum/viewtopic.php?id=2015

[iceman1001]

The SAK & ATQA shouldn't be a issue. However you would need all keys from a toytag, which you need to use libnfc or a proxmark3 for.

[bobox59]

did this program working for anyone with swap-force or trap-team toys ? no problems with windows version, but same problems as @abased with decryption

[bobox59]

i've found the origin: Crypt::ComputeMD5 function

if i put this code for testing on main() ` unsigned char test[16]; MD5 md5b; MD5Open(&md5b); MD5Digest(&md5b, "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456", 86); MD5Close(&md5b, test);

printf("MD5 digest : ");
for(int compteur = 0; compteur <= 15; compteur++) {
    printf("%02X ",test[compteur]);
}

`

It responds MD5 digest : AF 64 FF 7B C2 7E 8C 39 78 7E 8E E4 18 F4 A9 A8 but the correct MD5 digest of 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456 is 5cdfce0bd8d611bc54d2865c5c5b4a7f.

when i put the same code on windows version source and compile it under visualc++ the response is ok (5cdfce0bd8d611bc54d2865c5c5b4a7f)

i really don't understand why the same code md5.h md5.cpp did not the same response on xcode/mac !

[dulsi]

I'm using https://github.com/reedstrm/SkyReader/. I have the same checksum problem. I noticed LITTLE_ENDIAN was undefined in md5.cpp. I tried adding the define. The MD5 digest was different but still not correct. I replaced the md5 code with the openssl library. The checksum is now correct. I have the correct amount of money so it seems to work.