
Skylanders, in detail

Why are Skylanders so hard to hack? Well, without revealing anything that isn't already public, here are some details on what is going on.

Skylanders are MIFARE Classic compatible.
(What I am about to say here is public knowledge and in no way secret or hacking related.)
MIFARE Classic 1K has 16 sectors on the chip, each with 4 blocks of 16 bytes. Each sector has its own access keys (two in fact, Key A and Key B, though many deployments only ever use Key A).
You can NOT read a block without its sector's key (each sector of 4 blocks shares one key, so 16 keys per chip). A reader that has not authenticated to a sector gets no data out of it at all, so without the key for the sector you are interested in you read nothing from a Skylander. (The Crypto1 cipher behind this authentication has publicly documented weaknesses, so in practice this is a barrier rather than an absolute guarantee, which is one reason the extra layers described below matter.)
The only data you can get without a key is the UID of the figure (its RFID address/serial number) plus the few bytes the reader uses during anticollision and selection (ATQA and SAK) to pick which card it is talking to. All of this is part of the NXP MIFARE Classic standard and can be researched without a mention of Skylanders. It is a well understood technology.
The portal has some math deep inside it that it uses to calculate a figure's keys from the figure's own identity; once it has done this it can authenticate to every sector and read any data block on the figure. This means the per-figure keys are NOT sent to the portal via USB, nor stored as a table in the portal's firmware; what the portal carries is the derivation routine, not the keys. You can't extract them that way.
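To make the layout and the key handling concrete, here is a small Python model added for this post (it is not code from the post's author, Activision or NXP). The geometry, 16 sectors of 4 blocks of 16 bytes with Key A, access bits and Key B in each sector trailer, is the MIFARE Classic 1K layout described above. The key derivation is a hypothetical HMAC-based stand-in, since the post does not disclose the portal's actual function, and `MASTER_SECRET`, `SAMPLE_UID` and the blank-card transport trailer are constructed sample values:

```python
import hashlib
import hmac

# MIFARE Classic 1K geometry, as described in the post.
SECTORS = 16
BLOCKS_PER_SECTOR = 4
BLOCK_SIZE = 16
TOTAL_BLOCKS = SECTORS * BLOCKS_PER_SECTOR  # 64


def sector_of(block: int) -> int:
    """Sector that owns absolute block number `block` (0..63)."""
    if not 0 <= block < TOTAL_BLOCKS:
        raise ValueError(f"block {block} out of range")
    return block // BLOCKS_PER_SECTOR


def trailer_block(sector: int) -> int:
    """Absolute block number of a sector's trailer (its last block)."""
    return sector * BLOCKS_PER_SECTOR + (BLOCKS_PER_SECTOR - 1)


def is_trailer(block: int) -> bool:
    return block % BLOCKS_PER_SECTOR == BLOCKS_PER_SECTOR - 1


def parse_trailer(trailer: bytes) -> dict:
    """Split a 16-byte sector trailer into Key A, access bits and Key B.

    Layout: bytes 0-5 Key A, 6-8 access bits (stored with inverted copies),
    byte 9 general purpose, bytes 10-15 Key B. The chip rejects a trailer
    whose copies disagree, so the consistency check matters before any write.
    """
    if len(trailer) != BLOCK_SIZE:
        raise ValueError("trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c1_inv = b7 >> 4, b6 & 0xF
    c2, c2_inv = b8 & 0xF, b6 >> 4
    c3, c3_inv = b8 >> 4, b7 & 0xF
    consistent = (c1 == (~c1_inv) & 0xF
                  and c2 == (~c2_inv) & 0xF
                  and c3 == (~c3_inv) & 0xF)
    # Per-block access condition code C1C2C3 for blocks 0..3 of the sector.
    conditions = tuple(
        ((c1 >> i) & 1) << 2 | ((c2 >> i) & 1) << 1 | ((c3 >> i) & 1)
        for i in range(BLOCKS_PER_SECTOR)
    )
    return {
        "key_a": trailer[0:6],
        "key_b": trailer[10:16],
        "access_consistent": consistent,
        "access_conditions": conditions,
    }


def derive_sector_keys(master_secret: bytes, uid: bytes) -> list:
    """Diversify 16 six-byte sector keys from the card UID.

    HYPOTHETICAL: HMAC-SHA256 truncated to 48 bits is a stand-in so the
    'keys computed, not stored' idea can be run. It is not Activision's
    function, which the post does not disclose.
    """
    keys = []
    for sector in range(SECTORS):
        digest = hmac.new(master_secret, uid + bytes([sector]), hashlib.sha256).digest()
        keys.append(digest[:6])
    return keys


def key_for_block(master_secret: bytes, uid: bytes, block: int) -> bytes:
    """What a portal-like reader must compute before it can read `block`."""
    return derive_sector_keys(master_secret, uid)[sector_of(block)]


# Constructed sample: a blank card's transport trailer (Key A = Key B = FF..FF,
# access bits FF 07 80) and a made-up 4-byte UID.
TRANSPORT_TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF0780" "69" "FFFFFFFFFFFF")
SAMPLE_UID = bytes.fromhex("DEADBEEF")
MASTER_SECRET = b"not-the-real-secret"  # constructed, not a real value

if __name__ == "__main__":
    info = parse_trailer(TRANSPORT_TRAILER)
    print("trailer consistent:", info["access_consistent"],
          "conditions:", info["access_conditions"])
    for s, k in enumerate(derive_sector_keys(MASTER_SECRET, SAMPLE_UID)):
        print(f"sector {s:2d} (trailer block {trailer_block(s):2d}): key A {k.hex()}")
```

Running it shows that the block number alone tells you the sector, and therefore which of the 16 derived keys you need; a reader that has only the UID gets nothing here without the master secret and the derivation routine, which is the property the post attributes to the portal. The access-bit consistency check is the one to run before ever writing a sector trailer, since a trailer whose inverted copies disagree can leave the sector permanently inaccessible.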

Data stored on the chip (figure) is sent back to the console by the portal after reading, but it is STILL encrypted. Activision chose to encrypt the data on the figure AS WELL, knowing that the portal could be used by almost anybody to retrieve it.

This is NOT part of the MIFARE standard; it is an added layer of encryption applied to the stored data itself.

The first block is not encrypted by Activision; it holds the figure ID and a few other bits that never change. All editable data is encrypted. Working out that layer is what the "first" hacker did, and it made everything else possible. However, even being able to read the data does not let you change it: the editable data carries checksums, and unless you know the formula to put the correct checksum byte back on the figure, the game treats the rewritten data as "corrupt".
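The checksum point above, as an added Python example that is not part of the original post and is not Activision's format: the checksum here is CRC-16/CCITT-FALSE over a 14-byte payload stored in the last two bytes of a 16-byte block, chosen as a stand-in because the post does not say which checksum the figures use, and `SAMPLE_PAYLOAD` is constructed. The encryption layer is left out so the example isolates what the checksum does to a naive write:

```python
from typing import Optional

# Toy model of a checksum-guarded data block. The CRC used is a stand-in;
# the post only says a checksum exists and must be correct, not which one.
BLOCK_SIZE = 16
PAYLOAD_SIZE = BLOCK_SIZE - 2   # last two bytes hold the checksum


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no xorout."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def seal_block(payload: bytes) -> bytes:
    """Append the checksum, producing the 16 bytes that would go on the chip."""
    if len(payload) != PAYLOAD_SIZE:
        raise ValueError(f"payload must be {PAYLOAD_SIZE} bytes")
    return payload + crc16_ccitt(payload).to_bytes(2, "big")


def load_block(block: bytes) -> Optional[bytes]:
    """Game-side loader: return the payload, or None if the block is 'corrupt'."""
    if len(block) != BLOCK_SIZE:
        return None
    payload = block[:PAYLOAD_SIZE]
    stored = int.from_bytes(block[PAYLOAD_SIZE:], "big")
    return payload if crc16_ccitt(payload) == stored else None


def naive_patch(block: bytes, offset: int, value: int) -> bytes:
    """Overwrite one payload byte without touching the checksum."""
    edited = bytearray(block)
    edited[offset] = value
    return bytes(edited)


def patch_and_reseal(block: bytes, offset: int, value: int) -> bytes:
    """Overwrite one payload byte and recompute the checksum."""
    payload = bytearray(block[:PAYLOAD_SIZE])
    payload[offset] = value
    return seal_block(bytes(payload))


# Constructed sample payload: pretend byte 0 is a level counter at 5.
SAMPLE_PAYLOAD = bytes([5]) + bytes(PAYLOAD_SIZE - 1)

if __name__ == "__main__":
    original = seal_block(SAMPLE_PAYLOAD)
    print("original loads:", load_block(original) is not None)
    print("naive edit loads:", load_block(naive_patch(original, 0, 99)) is not None)
    print("resealed edit loads:", load_block(patch_and_reseal(original, 0, 99)) is not None)
```

`naive_patch` is what a write-capable reader achieves when it changes a byte with no knowledge of the formula: the block is structurally fine, but `load_block` rejects it, which is the "corrupt in game" outcome the post describes. `patch_and_reseal` is the step that knowing the formula unlocks. Because the CRC is linear with a 16-bit generator, any change confined to a single byte is guaranteed to alter the checksum, so the naive edit never slips through by luck.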

So, with only a portal and basic USB skills you can read all the data from a figure, but it is useless except for the basic info on what figure it is (which is write protected).

I have yet to see the Amiibo or Disney Infinity figures to know if they are the same, but I would imagine that if they use MIFARE Classic it's not going to be a huge leap to assume something similar.