Nearly all Skylanders (including Imaginators) ready to clone + How to

Thumbnail

Rating: 0
Favourites: 1

Report File

Nearly all Skylanders (including Imaginators) ready to clone + How to


File Information

  • Author lovefromfrance
  • Uploaded 05-05-2020, 01:48 PM
  • Last Updated 05-05-2020, 03:06 PM
  • Category Skylander
  • Total Downloads 573


Files   




Hi guys,

During covid-19 i got interested in Skylanders, since I played it 2/3 times with a friend on his Xbox some time ago.
I have a cracked WII U and I wanted to try Skelanders coop with my girlfriend so I looked into it.
I downloaded the cracked game and bought an used portal on Amazon (6€)
Since I'm a bit familiar with NFC, I spent some time figuring what are the security mecanisms and how to bypass them.

To sum up, you must :
* Have an NFC reader
* Android : MCT (Mifare Classic Tool) AND special NFC cards/tags with changeable UID but in version 2 (CUID)
* Linux : using libnfc, a compatible reader like SCL3711 (ACR122 ? Proxmark3 ? didn't test) AND special NFC cards/tag with changeable UID (version 1 OK)
*Have dump files INCLUDING the A key

Thanks to https://nfc-bank.com I got dumps (without key) for a bunch of figurines, and with keys too (I don't remember where) and thanks to https://nfc.toys/ to find how keys where generated.

How to write your dumps to a Mifare 1K card/tag :
* Android (not tested) :
* on Mifare Classic Tool, in the settings, select "Save dump and key files to the internal storage"
* copy the files on this directory : /data/MifareClassic/tool/dump-files
* Tap "Edit/Analyze dump file", select your dump and tap "open dump file", tap the "..." icon, tap "Write dump", check "Show options" and then check both options (I think, the second one is mandatory, but not sure about the first one), and finaly "Write dump"
* Linux :
* Using Kali, libnfc should already be installed
* I had to disable the kernel module pn533_usb because the connection to the reader failed
* vim /etc/modprobe.d/blacklist-libnfc.conf
* added the following line : "blacklist pn533_usb"
* Write the dump to the tag : nfc-mfclassic W a the_skylander_dump.bin
* a small one-liner to write all dumps in a directory "for file in `ls` ; do echo $file; nfc-mfclassic W a $file ; read ; done"


Done !

From France with love (but not too much) =)

Note : Some dumps already have some data (like lvl6 with 1954 gold) but you can reset your character or take ownership in-game.






If you need to generate these files again from dumps without keys, read this :

Obviously, can you modify, redistribute and improve this shitty bash script ^^

Here is the script I created to convert dump files without keys to hexadecimal, generate keys based on uid, insert keys into hex file and export hex files to hex and bin :

You need to have in a folder the following files and folders :
* File : keygenerator.py (create key from UID)
* File : key-injector.sh (insert key and create .mdf and .bin)
* Folder : ORIGINAL_DUMPS (paste your dumps without key here)
* Folder : NEW_DUMPS_WITH_KEY (the new dumps including keys will be there)

================================================== =============================================
key-injector.sh
================================================== =============================================

#!/bin/bash

# variables
original_dumps="ORIGINAL_DUMPS"
export_folder="NEW_DUMPS_WITH_KEY"

# set folders
currentpath=`pwd`
sourcefolder="$currentpath"'/'"$original_dumps"
destfolder="$currentpath"'/'"$export_folder"

for file in `ls $sourcefolder`
do
# set source file full path
sourcefile="$sourcefolder"/"$file"
# remove extension and add .mfd
file=`echo $file |cut -d '.' -f1`
hexfile="$destfolder"/"$file".mfd
# convert to hexadecimal
xxd -c 16 -p $sourcefile > $hexfile
# extract UID
uid=`head -n 1 $hexfile |cut -c1-8`
# Keys generation plus insert replace key every 4 lines on the first 12 characters
for key in `$currentpath/keygenerator.py $uid`
do
keyline=$((keyline+4))
sed -i ""$keyline"s/^.\{12\}/"$key"/" $hexfile
done
keyline=0
# .bin creation
xxd -r -p < $hexfile > $destfolder/$file.bin
# add "tmp" every 4 row into the hex file (to be replaced after)
sed -i '1~4 i\tmp\' $hexfile
# Find the string "tmp" and change it to "+Sectors: " and add number 1 to 15

for sector in {0..15}
do
sed -i '0,/tmp/s//+Sector: '"$sector"/ $hexfile
done

done









================================================== =============================================
keygenerator.py
================================================== =============================================


#!/usr/bin/python

## tnp3xxx.py - Compute a key A
##
## Written in 2016 and 2017 and 2018 by Vitorio Miliano
##
## To the extent possible under law, the author has dedicated all
## copyright and related and neighboring rights to this software to
## the public domain worldwide. This software is distributed without
## any warranty.
##
## You should have received a copy of the CC0 Public Domain
## Dedication along with this software. If not, see
## <http://creativecommons.org/publicdomain/zero/1.0/>.

import binascii, re, struct, sys

uidre = re.compile('^[0-9a-f]{8}$', re.IGNORECASE)
magic_nums = [2, 3, 73, 1103, 2017, 560381651, 12868356821]

# Standard MSB CRC pseudocode e.g. https://en.wikipedia.org/w/index.php...8endianness.29
# CRC64 ECMA-182 e.g. http://stackoverflow.com/a/29241216
def pseudo_crc48(crc, data):
POLY = 0x42f0e1eba9ea3693
MSB = 0x800000000000
TRIM = 0xffffffffffff
for x in data:
crc = crc ^ (x << 40)
for k in range(0, 8):
if crc & MSB:
crc = (crc << 1) ^ POLY
else:
crc = crc << 1
crc = crc & TRIM
return crc

def calc_keya(uid, sector):
if sector == 0:
return format(magic_nums[2] * magic_nums[4] * magic_nums[5], '012x')

if uidre.match(uid) is None:
raise ValueError('invalid UID (four hex bytes)')

if sector < 0 or sector > 15:
raise ValueError('invalid sector (0-15)')

PRE = magic_nums[0] * magic_nums[0] * magic_nums[1] * magic_nums[3] * magic_nums[6]
ints = [ord(a) for a in uid.decode('hex')] + [sector]

key = pseudo_crc48(PRE, ints)

return binascii.hexlify(struct.pack('<Q', key))[0:12]

if __name__ == '__main__':
if len(sys.argv) > 1:
keysa = []
for sector in range(0, 16):
keysa.append(calc_keya(sys.argv[1], sector))
if len(sys.argv) > 2 and sys.argv[2] == '-eml':
print ('0'*20+'\n'+('0'*32+'\n')*3).join(keysa).join([(sys.argv[1]+'0'*24+'\n')+(('0'*32+'\n')*2), '0'*20])
else:
print '\n'.join(keysa)
  1. Calldt98
    So what's the difference between me using the skylanders ultimate tutorial on NFC bank and me looking up how to clone mifare 1k tag?
  2. lovefromfrance
    @MockyLock

    Woops ^^
    Seems like the upload didn't work 1st time.
    Here it is =)


    @Calldt98
    The dumps works for Skylanders figurines, so it's not related to a specific platform.
    All the instructions needed are already detailed, so make some search on Google like "how to clone mifare 1k".
  3. Calldt98
    Hi i recently saw your post on here about making skylanders and forgive me for asking will this work with the nintendo switch version of skylanders imaginators? if so can you simplify the steps for me please (noob), i have dump files to use its it just getting them on the nfc tag and working becuse i have folloed a few fourms on here like the skylanders ultimate tutorial but like i said they dont work when i go to add them to the game it tells me that they are not compatable with the game.

    hope you stay safe during covid. Thanks
  4. MockyLock
    Hello and thank you for your work.
    Wasn't a download archive supposed to be with this thread ?
    The title leads to think this way.

Report File

Reason








Report Comment

Reason






Report Link

Reason





about us

Here at NFC-BANK.com you will find the all figurines you will ever need in your daily gaming life, just search and grab the ones you want, with no need for an account, only if you wish to share your own figurines and giveback to others then register an account and upload them.

Thanks and hope you enjoy your stay, any questions or problems just contact us!

-=(NFC Bank Staff)=-

disclaimer

All Posts, Links and Downloads are subject to each author on this website and are no way affiliated with the operations of NFC-Bank.com


NFC-Bank.com © 2014-2020