Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#51 2015-12-03 15:44:03

DRRB
Contributor
Registered: 2015-10-29
Posts: 10

Re: [FINISHED] a popular toy Lego Dimensions

I have take the portal/reader appart.

There are 3 chips inside :

- LPC11U2x Cortex-M0 @33Mhz with 32 kB flash 2kB EEPROM 6kB SRAM 2kB USB SRAM
- MFRC630 High performance MIFARE reader solution
- HEF4049B Hex inverting buffers (for driving RGB leds)

There are 3 antennas. The LPC11U2x seems to switch them on/off through mosfet.

The portal, when connected to a GNU/Linux box, show as a simple HID device, as I expected.
So USB data can be easy to read.
I have a Beagle USB 12 somewhere. I will give a try tonight, to check for passwords in USB data, if it's work (Beagle 12 is USB 1, sometime ok if device fallback to USB 1.0 at low or full speed).

Offline

#52 2015-12-03 17:01:20

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] a popular toy Lego Dimensions

You'll need to map the usb protocol used.  Its already been done,

Offline

#53 2015-12-04 00:28:37

AntiCat
Contributor
Registered: 2010-01-01
Posts: 22

Re: [FINISHED] a popular toy Lego Dimensions

DRRB wrote:

So, here it is :
What about NDEF data ?
I have "en9575748S2315" for Gandalf, but sllabgib have "en9537910R1115". This is perhaps used for password generation, no ?

I suspect the bytes 144-152 to contain the character data and not the en* fields.

Offline

#54 2015-12-04 04:50:41

sllabgib
Contributor
Registered: 2015-10-22
Posts: 53

Re: [FINISHED] a popular toy Lego Dimensions

Good progress - Ive had a hell week at work, so I'm hoping to play some this weekend on this.   I had any token working with a modified Firmware and a modified eload command - but that only helps out so much.  Like Iceman said, we need a bigger base and at least more are being posted to help that out.  From my small pool I cant see anything for the PWD ALGO yet... but haven't don't much in a few days.

Offline

#55 2015-12-04 08:20:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] a popular toy Lego Dimensions

Since 1 bit make so much difference in the pwd, the level of diffusion, is an indication that some kind of hash, crc or even  a crypto been applied.  I have heard rumors of the crypto algo TEA (the original one) and are looking into it.

Offline

#56 2015-12-05 03:06:10

sllabgib
Contributor
Registered: 2015-10-22
Posts: 53

Re: [FINISHED] a popular toy Lego Dimensions

I thought the Character data was in memory locations 36, 37, 38?    Its the three locations read with authentication in a sniff?

Offline

#57 2015-12-05 03:12:19

sllabgib
Contributor
Registered: 2015-10-22
Posts: 53

Re: [FINISHED] a popular toy Lego Dimensions

Sorry, I actually meant to say memory 1a,1b,1c - These are different on tags and on blank 213 tags you cant write to those locations....

Offline

#58 2015-12-06 23:31:02

bettse
Contributor
From: Portland, OR, USA
Registered: 2015-02-16
Posts: 32

Re: [FINISHED] a popular toy Lego Dimensions

The running theory on the NDEF data is that its a batch number, letter, then the week and year number of manufacturer.  For all the tokens I've owned, the letter was "R", but I see the example in this thread has an "S".  Could be different manufacturing plants or something else.  In short, I think the NDEF data is pretty unimportant.

Offline

#59 2015-12-07 00:08:46

AntiCat
Contributor
Registered: 2010-01-01
Posts: 22

Re: [FINISHED] a popular toy Lego Dimensions

sllabgib wrote:

I thought the Character data was in memory locations 36, 37, 38?    Its the three locations read with authentication in a sniff?

Sorry, I was using the byte offset not the block index.
36*4 = 144

DRRB wrote:

I have take the portal/reader appart.
The portal, when connected to a GNU/Linux box, show as a simple HID device, as I expected.
So USB data can be easy to read.
I have a Beagle USB 12 somewhere. I will give a try tonight, to check for passwords in USB data, if it's work (Beagle 12 is USB 1, sometime ok if device fallback to USB 1.0 at low or full speed).

Did you have success?

Btw. some one already wrote a basic library https://github.com/mpetrov/node-dimensions
It reports UIDs as well as Pad Location.

Offline

#60 2015-12-07 15:41:59

DRRB
Contributor
Registered: 2015-10-29
Posts: 10

Re: [FINISHED] a popular toy Lego Dimensions

Beagle 12 is very limited on USB 2.0, miss USB packets and is not good for class-level decoding
I have a Beagle 480 on it's way.

Offline

#61 2015-12-07 20:27:49

AntiCat
Contributor
Registered: 2010-01-01
Posts: 22

Re: [FINISHED] a popular toy Lego Dimensions

I guess we are stuck at a similar stage. The decoder I'm currently using (sigrok) is capable of decoding the packets but nothing further.

Edit: Figure removed. It contained an erroneous trace.

Last edited by AntiCat (2015-12-08 00:16:41)

Offline

#62 2015-12-07 22:04:47

sllabgib
Contributor
Registered: 2015-10-22
Posts: 53

Re: [FINISHED] a popular toy Lego Dimensions

I have a Beagle MX that I'm going to through a USB Sniffer on - It will capture wireshark  compatible packets, but I need to get over to my storage (where all my house items are.... Never knew I would need anything like this while building the house....) - I should have that by weeks end... Maybe I can get some information then.

Offline

#63 2015-12-07 22:16:29

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: [FINISHED] a popular toy Lego Dimensions

Naive question but have you tried to see if the JTAG port of the Cortex M0 was available?
Dumping the firmware and analyzing it might be faster than blindly analyzing the USB protocol, right?
I'm not highly familiar with NXP LPC family especially regarding whether the JTAG port can be locked or not (through eFuses or SW locks).

Offline

#64 2015-12-07 22:16:31

sllabgib
Contributor
Registered: 2015-10-22
Posts: 53

Re: [FINISHED] a popular toy Lego Dimensions

Did you guys happen to see what this??  https://github.com/woodenphone/lego_dimensions_protocol

Hes doing a ton of work on the USB protocol and has a lot of information there.     I have the Xbox One portal. so it looks like I cant use his code for anything to play ....

Offline

#65 2015-12-08 20:46:49

sllabgib
Contributor
Registered: 2015-10-22
Posts: 53

Re: [FINISHED] a popular toy Lego Dimensions

Jump - I had the same question, I meant to ask it when the post came up on the chip type inside the portal.    I haven't taken mine apart yet (Didn't want to break anything, and didn't look close enough at how it comes apart but I might tonight...)

Offline

#66 2015-12-08 21:14:00

sllabgib
Contributor
Registered: 2015-10-22
Posts: 53

Re: [FINISHED] a popular toy Lego Dimensions

Ok, couldn't wait - part of my ADD I think ...   At first glance it didn't look like it had anything, but upon taking the boards out of the portal, there is a SINGLE row of pads on the back labeled J2 that could be a JTAG connection - Ill have to look to see if I can trace them to verify and I'm not sure If I can get that done tonight or not ....

JTAG???

The Datasheet for the LPC11U2x Cortex-M0 says it has standard JTAG connectors and a quick meter shows connections, Ill map them out in a few minutes

Last edited by sllabgib (2015-12-08 21:30:07)

Offline

#67 2015-12-08 21:56:33

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: [FINISHED] a popular toy Lego Dimensions

6 pins looks just the right amount for JTAG indeed (TMS, TCK, TDI, TDO, TRST, GND)

Offline

#68 2015-12-08 22:42:10

sllabgib
Contributor
Registered: 2015-10-22
Posts: 53

Re: [FINISHED] a popular toy Lego Dimensions

jump wrote:

6 pins looks just the right amount for JTAG indeed (TMS, TCK, TDI, TDO, TRST, GND)

Agreed - I thought the same.... So a few things -

1.   I believe the chip is actually a LPC11U3x   not a LPC11U2x   (At least my chip is)  Not too relevant for this so far, same package layout.
2.   I did a quick meter with what I could since I'm still in a hotel for 3 more weeks and have just cheap meters and no magnifying equipment - and the 6 pads do not seem to link to the JTAG pins on the chip.   

Ill check this again, but again with what I have access to - its what I found so far.

So looking at the pads (The right Most X being the pad by the J2 Writing)


X               X                 X                      X                   X                  X
GND(33)    Reset(2)       PIO0_9(18)       SWCLK(19)     SWD(25)       VDD(6)

So the pinout looks more to be serial debugging than a JTAG - Assuming I can see the pins while metering, they are kind of small with the naked eye smile

Now with that said, the chip does in fact JTAG pins on it, so we could still wire to the chip or trace out where those pins go (if they do) to get a JTAG dump.

Offline

#69 2015-12-08 23:04:17

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: [FINISHED] a popular toy Lego Dimensions

According to the LPC11Uxx datasheet, "The JTAG interface cannot be used for debug purposes.".

It's only meant for boundary scan and requires to fully erase the chip.

On the other hand, SWD interface is meant for debug... The drawback is that access to this port (as well as the ISP port) can be protected through "CRP" (Code Read Protection). This is a magic value that is set at the address 0x2FC on the internal flash.

If they set one of the magic values, this could disable ISP commands and some if not all the access the RAM and/or flash.

I don't remember seeing any paper to attack those chips.

Sounds like a dead-end if the SWD doesn't work straight out of the box...

Offline

#70 2015-12-09 00:56:23

sllabgib
Contributor
Registered: 2015-10-22
Posts: 53

Re: [FINISHED] a popular toy Lego Dimensions

And of course, In the Hotel I have the pads all wired up, but I do not have any serial to USB adapters here - SO I cant test any access until beginning of January .... sad    The big question is, would they even bother to set that - I wonder if they would ever consider this as an attempt to figure out the tokens....

Offline

#71 2015-12-22 00:06:03

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] a popular toy Lego Dimensions

I just remembered that I have a Jlink-Segger,  I bought it last year to be able to de-brick a pm3.

However I'm not very good hardware things,  so if someone more experienced with this kind of tools would like to guide me in how to hook up against the SWD or jtag...     Even if the jtag might not be used for debugging purposes, I might just test it away.

Offline

#72 2015-12-22 02:13:38

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: [FINISHED] a popular toy Lego Dimensions

Wiring is not that hard smile
Follow the SWD section here: https://www.segger.com/interface-description.html

Not being familiar with LPC tools, I don't which tool is the best to interact with such target. I reckon openocd would still work to bridge GDB.

Offline

#73 2015-12-27 13:26:36

DRRB
Contributor
Registered: 2015-10-29
Posts: 10

Re: [FINISHED] a popular toy Lego Dimensions

Hi,
I've got some news.
First, passwords are never seen on USB data... at least in clear text.
From https://github.com/woodenphone/lego_dimensions_protocol and https://github.com/mpetrov/node-dimensions i've managed to get the portal to work under Linux with some C code. I can play with light and get tags UIDs from the portal.

HID reports data look like this :
- From host to portal :
0x55, payload size, command, msg number, payload..., checksum, padding (0x00)
- Response from portal to host :
0x55, payload size, msg number, payload..., checksum, padding (0x00)
- when tag is placed/removed, portal to host :
0x56, payload size, pad zone, ??, ??, placed/removed, tag UID, checksum, padding (0x00)

d2 is tag reading related, d3 is tag writing related.
Exemple : "55 04 d2 08 00 26 59"
55 : magic byte
04 : payload size
d2 : command
08 : message number
00 : right pad (vs center:01, left:02)
26 : argument
59 : checksum

All d2 commands have argument as 0x2b, 0x26 or 0x23 : decimal 43, 38, 35.
All d3 commands have argument as 0x24, 0x23, 0x25 : decimal 36,35,37

According to "hf 14a snoop" :

  5070976  |   5075744 | Rdr | a0  24  79  d6     |     | WRITEBLOCK(36)
  6841024  |   6845792 | Rdr | a0  23  c6  a2     |     | WRITEBLOCK(35)
  8611664  |   8616432 | Rdr | a0  25  f0  c7     |     | WRITEBLOCK(37)
  9626928  |   9631696 | Rdr | 30  2b  d3  37     |     | READBLOCK(43)
  11328688 |  11333456 | Rdr | 30  26  36  ec     |     | READBLOCK(38)
  12275792 |  12280496 | Rdr | 30  23  9b  bb     |     | READBLOCK(35)

Here is the fun part : d2 commands from my hiddev c code never works (portal allways respond "55 02 08 F0 4F", "F0" payload). And the portal do nothing and never try to read the tag (checked by snooping).
d2 commands sniffed on USB allways works, and the portal use the password and read the tag.

Something is missing. I think there is some kind of authentication between console and the portal, at least for reading and writing tags.
"b" messages are related to this.

When you plug the portable you have a "b0" message from console to portal :
"55 0F B0 01 28 63 29 20 4C 45 47 4F 20 32 30 31 34 F7" (including ascii "(c) LEGO 2014"). This never change.
But next, you have a "b1" and "b3" message, different each time you connect the portal. "b1" and "b3" are here too when you update a tag, just before "d3" commands for writing.

B1 & B3 payload (without magic, size, command, msg num... and checksum) :
('>' from console to portal, '<' from portal to console)

Before shelob write:
> D4 C1 C5 0B 64 56 32 70
< 8E D0 7F DF 92 90 85
> 58 77 C8 20 3C 78 89 20
< 5B 7D 94 A5 02 15 34

portal connect:
> 78 C3 C4 2F 3A 06 49 C7
< 90 56 1B 13 74 72 77
> 3E A9 E4 F0 24 15 24 03
< 4B 32 CC 46 E8 10 4D

portal connect 12/27/2015 12:14:
> AA 6F C8 CD 21 1E F8 CE
< 65 BA E2 A6 5A 33 E9
> 29 43 7A E1 69 B0 30 8B
< D7 0A EF 7F 71 CE 76

portal connect 12/27/2015 12:20:
> 00 9F 05 26 02 2E A9 9C
< 61 D4 E4 6E D2 30 F8
> 05 D8 98 E8 A7 9A B6 30
< 70 83 33 DF E3 02 C5

Looks like some kind of challenge... something part of the USB HID init process to activate read/write operations with de tags.

Offline

#74 2015-12-27 17:01:23

sllabgib
Contributor
Registered: 2015-10-22
Posts: 53

Re: [FINISHED] a popular toy Lego Dimensions

Jump - Too true, I was going to but with the house stuff and Christmas just got too busy - Good news is, we move in on Wednesday, so starting Jan 2 or so I should have access to all my tools and I plan to get started on that.   I have all my USB to Serial adapters packed too, so wiring it up now wouldn't haven helped much (and I have no desire to buy another USB to Serial adapter locally, too damn $$$ and a I have so many in storage).

DRRB -

I would agree with what you found form my playing too - I even picked up a non XB1 version of the game since nothing seems to work with the XB1 portal on Windows/Linux (I believe its due to it being ID'd in Linux/Windows as an Xbox Device and not a HID device).  So now I have the Wii-U version and since I'm on 5.3 FW I can also use Gecko and Caffine to snoop a bit at the RAM of the WiiU and the files that are accessed on the disc while playing (Which I have already - Just need to dump them over). 

I know that in the game no special files are accessed when you place a character on the portal - So placing Marty, Dr Who, Gandalf, etc ... Nothing triggered any special file reads of an "empty" virtual token / etc.  So, It appears to simply have that in RAM at all times from some file, and I have to assume its one of the few files that are loaded at the start of the game (For the menu screen).  This at least helps to narrow down what files might be required to look at and RAM contents.

The whole USB thing is exciting for an opposite side of the NFC side - I hate having to get up to change token placement / etc... Not that I'm lazy, but I planned to have my electronics downstairs since my new house has that tubing run for the Family Room.  We know we can get the password from Sniffs, and while I want to know the generation / etc from the NFC side, Id still like to create a quick and dirty app that could simply send the token data through USB to the location on the portal for the figures I have.  I think we have most of whats needed for that to, at least, become a good side project.

We know the memory it reads / etc - and as you have stated - you know the USB conversion for the calls.

Cant wait to get into the house and get back to this - A few more days.... Ive been delaying packing the hotel room and my tech toys, I might get today and tomorrow to toy some more - but Tuesday morning I need to pack it up for Wednesday smile

I have my USB Sniffer up and working and if you want any specific sniffs straight from the Portal -> Console, let me know and Ill create some - they are all in a format for Wireshark.   I did that with the XB1 portal, but I think its useless since we cant do much after that anyway with Windows or Linux.   So I can do some with the WiiU....

Offline

#75 2015-12-27 19:26:50

bettse
Contributor
From: Portland, OR, USA
Registered: 2015-02-16
Posts: 32

Re: [FINISHED] a popular toy Lego Dimensions

@DRRB Did you try sending the 0xB0 command to the toy pad from your hiddev c code?  After that, did you see any unprompted messages from the toy pad when you placed a token?

Offline

#76 2015-12-27 20:17:41

DRRB
Contributor
Registered: 2015-10-29
Posts: 10

Re: [FINISHED] a popular toy Lego Dimensions

@bettse Yes. 0xb0 message look like an init message to wake up the portal.

Here is what i do :
- init with 0xb0 message
- send some color/light message (don't work without 0xb0 init)
- loop on hid report query

When a tag is placed, i get message/report giving tag UID like this :

56 0b 03 00 00 00 04 2a b5 d2 a2 40 80 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
56 magic
   0b payload size
      03 right pad (vs center:01, left:02)
         00 ??
            00 previous pad ?
               00 tag placed (vs removed:01)
                  04 2a b5 d2 a2 40 80 tag UID
                                       7b checksum

(not my discovery, it just confirm this : https://github.com/woodenphone/lego_dimensions_protocol/blob/master/command%20notes/NFC/NFC%20Notes.txt)

This works fine with my code. But sniffed messages goes like this after that :
# PS3 -> portal ("please read tag on the right, page 0x26")
55 04 d2 08 00 26 59 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# portal -> PS3 ("ok here is the data")
55 12 08 00 00 00 00 00 00 00 00 00 60 0c 3f bd 04 00 00 1e f9 00 00 00 00 00 00 00 00 00 00 00

I've checked, le portal reply is not the page data. "60 0c 3f bd 04" is nowhere in my Gollum tag

In my code, when i send "55 04 d2 08 00 26 59", the portal reply  "55 02 08 F0 4F".

Right now, i'm trying to replay 0xb1 and 0xb3 messages from sniffed transactions... and get my code cleaner, it's a mess...
My goal is to check if, with 0xb1 and 0xb3 i can make the portal auth to the tag and read a protected page (like 0x26).

Offline

#77 2015-12-27 21:02:58

bettse
Contributor
From: Portland, OR, USA
Registered: 2015-02-16
Posts: 32

Re: [FINISHED] a popular toy Lego Dimensions

What is on page 40 (decimal) of your Gollum tag?  That looks like reasonable values for the NTAG213 dynamic lock bytes page

Offline

#78 2015-12-27 22:00:55

DRRB
Contributor
Registered: 2015-10-29
Posts: 10

Re: [FINISHED] a popular toy Lego Dimensions

That's it !!

Page 40 : "60 0c 3f bd"

The request was "gimmy page 0x26" and the reply is : 55 12 08 00 00 00 00 00 00 00 00 00 60 0c 3f bd 04 00 00 1e f9

So :

55 12 08 00 : magic byte, size, msg number, 0x00 (?)
00 00 00 00 : page 38 (0x26)
00 00 00 00 : page 39
60 0c 3f bd : page 40
04 00 00 1e : page 41
f9 : checksum

Nice ! Thanks !

I can replay B0, B1 & B3 messages and get the same responses from portal as sniffed on USB between console and portal.
But portal don't answer "page request" messages with my code. Something is still missing. I will do more spying on USB...

Offline

#79 2015-12-27 22:04:24

bettse
Contributor
From: Portland, OR, USA
Registered: 2015-02-16
Posts: 32

Re: [FINISHED] a popular toy Lego Dimensions

Awesome.  You should drop me an email (bettse@fastmail.fm) and we can compare notes on the 0xD2 read command.

Offline

#80 2015-12-28 00:31:26

sllabgib
Contributor
Registered: 2015-10-22
Posts: 53

Re: [FINISHED] a popular toy Lego Dimensions

Bettse  /  DRRB -

Any chance you can include me on the findings - Just to avoid any rework once I'm in the house?   smile

Offline

#81 2015-12-28 04:25:35

ags131
Contributor
Registered: 2015-12-28
Posts: 33

Re: [FINISHED] a popular toy Lego Dimensions

So, you guys will probably find this repo enlightening smile https://github.com/ags131/node-ld

Offline

#82 2015-12-28 08:52:54

DRRB
Contributor
Registered: 2015-10-29
Posts: 10

Re: [FINISHED] a popular toy Lego Dimensions

Enlightening... that's the word !
That's brilliant. Well done !

Offline

#83 2015-12-28 20:11:53

ags131
Contributor
Registered: 2015-12-28
Posts: 33

Re: [FINISHED] a popular toy Lego Dimensions

http://imgur.com/a/l4hAe
Portal emulation is also now possible smile

Offline

#84 2015-12-29 12:02:54

DRRB
Contributor
Registered: 2015-10-29
Posts: 10

Re: [FINISHED] a popular toy Lego Dimensions

Here is an updated tags list from multiple sources (previous posts/pastbin data, legoshop rebuilt names, etc).

Page 36 got the value. Exemple with Shelob :

    36  144/90 : 12 04 00 00  ....

12 04 => 04 12 => 0x0412 => 1042 => "Shelob the Great"

http://pastebin.com/KUBRtaxi

Offline

#85 2015-12-29 15:27:26

ags131
Contributor
Registered: 2015-12-28
Posts: 33

Re: [FINISHED] a popular toy Lego Dimensions

Heres a full list of character IDs also. These are returned from the portal Encrypted in the 0xD4 packet.
They also correspond exactly to the positions in the character chart in game.
http://pastebin.com/aEbx83YP

Offline

#86 2015-12-30 20:41:32

lupin3rd
Member
Registered: 2015-12-30
Posts: 9

Re: [FINISHED] a popular toy Lego Dimensions

Would there be any use to having a dump of the PS4 game files?  If so, I can dump later and look for additional IDs that weren't identified in the pastebin posts.  If somebody has already dumped from another console, I won't bother, as there wouldn't be any significant differences.  I'm wondering if there may have been some developer figures or unreleased items, though.

I guess the only problem with dumping the retail disc is that the unlatched versions probably only have data for waves 1 and/or maybe 2 on the disc.  It might be interesting to see if additional IDs are in there, though...

Offline

#87 2015-12-30 21:09:42

ags131
Contributor
Registered: 2015-12-28
Posts: 33

Re: [FINISHED] a popular toy Lego Dimensions

All characters and vehicles for future (announced) waves are on disc, but the levels are downloaded at launch of the wave.
For example, ghostbusters vehicles and characters work, but the level won't open.
I would like a dump if you dont mind, PPC ASM (WiiU) really sucks and PS4 is regular X86 smile

Offline

#88 2015-12-30 21:37:06

lupin3rd
Member
Registered: 2015-12-30
Posts: 9

Re: [FINISHED] a popular toy Lego Dimensions

ags131 wrote:

All characters and vehicles for future (announced) waves are on disc, but the levels are downloaded at launch of the wave.
For example, ghostbusters vehicles and characters work, but the level won't open.
I would like a dump if you dont mind, PPC ASM (WiiU) really sucks and PS4 is regular X86 smile

Okay, when I get home I'll dump the disc and extract the .pkg file and see what the file structure looks like.  I might post the structure first before sending anything (letting you choose what seems relevant) -- as my bandwidth is a little on the slow side (6Mb Down/1Mb Up).  I'll be poking around too, looking for figure IDs to fill gaps that are in the posted pastebins.

Assuming that they haven't changed or revised the pkg format (or keys) since the 1st gen PS4 titles, I should be able to get at the files without any issue.

Offline

#89 2015-12-31 06:38:03

lupin3rd
Member
Registered: 2015-12-30
Posts: 9

Re: [FINISHED] a popular toy Lego Dimensions

Well, I dumped the disc; but when I extracted the pkg, it only appears to have extracted the non-game content.  I guess they've changed something in the pkg file format.  I've uploaded what did extract here:

https://file.io/p00wWY (Sorry, I can't post links yet)

Hey, at least there's a kickass wallpaper or two in it.  I'm currently scouring around looking for a newer more complete pkg extractor.  Might see if I luck out by just using a hex editor to look at the 15GB .pkg file.

Offline

#90 2015-12-31 21:58:28

ags131
Contributor
Registered: 2015-12-28
Posts: 33

Re: [FINISHED] a popular toy Lego Dimensions

that link is 404ing for me

Offline

#91 2016-01-01 10:01:52

DRRB
Contributor
Registered: 2015-10-29
Posts: 10

Re: [FINISHED] a popular toy Lego Dimensions

Hi,
Here is where i am : https://github.com/Lefinnois/legopad_hid
The code is not very pretty, it's just a draft implementation of what i've understood of the protocol (README.protocol.md)

Offline

#92 2016-01-04 17:07:35

lupin3rd
Member
Registered: 2015-12-30
Posts: 9

Re: [FINISHED] a popular toy Lego Dimensions

ags131 wrote:

that link is 404ing for me

Sorry about that, evidently I used a file sharing service that automatically deletes after the first download of the file.  When I get back home, I'll reupload using a slightly more persistent service.

Offline

#93 2016-01-05 17:18:35

lupin3rd
Member
Registered: 2015-12-30
Posts: 9

Re: [FINISHED] a popular toy Lego Dimensions

Here is a new link for the file:

https://www.dropbox.com/s/kz1iutyxrbf0x4r/Archive.zip?dl=0

I'll remove the file after you have successfully retrieved it.

Offline

#94 2016-01-05 17:34:10

ags131
Contributor
Registered: 2015-12-28
Posts: 33

Re: [FINISHED] a popular toy Lego Dimensions

Got it, thanks

Offline

#95 2016-01-09 08:11:48

bettse
Contributor
From: Portland, OR, USA
Registered: 2015-02-16
Posts: 32

Re: [FINISHED] a popular toy Lego Dimensions

The pwd generation algorithm has been found.

Offline

#96 2016-01-09 10:44:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] a popular toy Lego Dimensions

*dang* You are the man!  Great work!

Offline

#97 2016-01-12 13:06:55

Olfan
Member
Registered: 2016-01-12
Posts: 7

Re: [FINISHED] a popular toy Lego Dimensions

Anyone knows how to decrypt the character code located in pages 36 and 37 of character tags?

Offline

#98 2016-01-12 13:27:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] a popular toy Lego Dimensions

There are some lists out on the net, which maps it all.  I usually seach on github

Offline

#99 2016-01-12 13:41:40

Olfan
Member
Registered: 2016-01-12
Posts: 7

Re: [FINISHED] a popular toy Lego Dimensions

I'm actually interested on knowing the algorithm used to encrypt the character code into the actual contents of the character tag. I guess the tag uid takes some role into it too, because two different tags for the same character show different encrypted character codes. I would like to create my own NTAG213 tags writing to them the encrypted character codes.

Offline

#100 2016-01-15 16:39:14

lupin3rd
Member
Registered: 2015-12-30
Posts: 9

Re: [FINISHED] a popular toy Lego Dimensions

bettse wrote:

The pwd generation algorithm has been found.

Did you find it personally, or is it hanging out on the web somewhere?  I understand not wanting to just reveal everything, but what can you tell us about it?

Thanks, bettse!

Offline

Board footer

Powered by FluxBB