Proxmark3 community


#1 2024-03-01 21:32:30

gammuts
Contributor
Registered: 2024-02-23
Posts: 2

LEGO Dimensions: how did you find the password algorithm?

Topic http://www.proxmark.org/forum/viewtopic.php?id=2657 is full of information about LEGO Dimensions, and how the NTAG213 tags can be written. But after reading the topic, I can't help but wonder HOW you people discovered the password algorithm, HOW you discovered that the Tiny Encryption Algorithm is involved, HOW you discovered how to scramble.

Timeline/clues:
Blofeld 2015-12-03 00:21:34 #46 managed to sniff passwords for a lot of UIDs.
Iceman 2015-12-03 09:20:34 #49 presumes CRC/hash.
DRRB 2015-12-03 15:44:03 #51 notes chip LPC11U2x Cortex-M0 @ 33 MHz with 32 kB flash inside the toypad.
jump 2015-12-07 22:16:29 #63 suggests JTAG on Cortex-M0 and downloading the firmware.
sllabgib 2015-12-08 21:14:00 #66 notices J2 inside the toypad, possibly being the JTAG connector.
sllabgib 2015-12-08 22:42:10 #68 suspects J2 is serial, not JTAG. Suggests attaching wires to the JTAG pins of the Cortex-M0.
jump 2015-12-08 23:04:17 #69 concludes JTAG cannot work, but SWD (Serial Wire Debug) might still work. Might.
DRRB 2015-12-27 13:26:36 #73 sees no clear-text password between game console and toypad. This might mean passwords are generated inside the Cortex-M0.
ags131 2015-12-28 04:25:35 #81 points to url https://github.com/ags131/node-ld (https://github.com/AlinaNova21/node-ld nowadays). Does not contain pwdgen nor TEA in 2015.
bettse 2016-01-09 08:11:48 #95 states "The pwd generation algorithm has been found."
bettse 2016-01-15 16:42:55 #101 adds "To the best of my knowledge, it hasn't been released publicly yet, but I was not alone in working to find it.  I wrote some of the code to prove it out, but finding it was an effort by many people on many fronts."
bettse 2016-02-10 18:13:23 #158 states "Toypad firmware.  It won't write to any page 0x28 or above." This might indicate bettse has knowledge of the toypad firmware which might indicate he/she obtained it somehow.
bettse 2016-02-20 22:27:36 #199 talks about different layers between console and tag. This might be proof he/she investigated all those layers to find the correct one computing the passwords and encrypting/decrypting the character ID.

Those are the clues I have after reading http://www.proxmark.org/forum/viewtopic.php?id=2657.

I used all my Google Fu to find the firmware, or other hints on how you people discovered pwdgen/tea/scramble, but couldn't find it. Said topic contains the best clues. User bettse seems to be part of the group who figured it all out.

Being a LEGO Dimensions fan, a mathematician, an amateur hacker and a security-minded person, I would love to obtain the firmware of the toypad and "rediscover" the password algorithm by disassembling the firmware myself. (And if it is not in the firmware, I would guess the algorithm was found by disassembling the code for the PlayStation console, being x86.)

Thanks!
