[WIP] Emulating Skylander Portal with Arduino

Discussion in 'Wii - Hacking' started by dpad_5678, Feb 23, 2017.

  1. dpad_5678
    OP

    dpad_5678 GBAtemp's Memelord

    Member
    1,631
    1,171
    Nov 19, 2015
    United States
    NOTE: We are trying the emulate the Skylanders Portal for the Wii/WiiU/PS3/PS4 games! Xbox 360 (and most likely ONE, as well) looks for a certain security chip in any USB peripheral attached. This is most likely impossible to emulate with an Arduino


    If you're skeptical right away, here's a video:



    Download The Portable Arduino Environment (with example code)
    Download The Test GUI Program
    Download Zadig 2.0.1


    So I wanted to figure out a way to get the Skylanders Swap Force game to recognize my Arduino Micro (Micro and Leonardo have Atmega32u4 which are capable of emulating USB devices). I plugged the Portal into my Windows machine and saw that the Portal was recognized as a Raw HID device. I opened up USBVIEW (lsusb for Windows, basically) and copied down the Vendor ID and Product ID. I searched through my Arduino Installation to find the main USB core code. Finally, I found USBCore.cpp located in \hardware\arduino\avr\cores\arduino\.

    I finally found some interesting code in the file:
    Code:
    D_DEVICE(0x00,0x00,0x00,64,USB_VID,USB_PID,0x100,IMANUFACTURER,IPRODUCT,ISERIAL,1);

    As you can see, by changing USB_VID and USB_PID in the line of code, you can change the VID and PID of your Arduino board. I changed mine to the VID and PID of my Portal (all Swap Force Portals have the same PID and VID)

    At the end, both lines 75 and 78 read the following:

    Code:
    D_DEVICE(0x00,0x00,0x00,64,0x1430,0x0150,0x100,IMANUFACTURER,IPRODUCT,ISERIAL,1);

    Now, I did brick my Arduino Micro quite a few times messing around with the Keyboard.h's library's main code. Luckily I had my Uno (clone) which I was able to reflash the Micro's bootloader with. If you try this, I recommend you have the same.

    So I put together a minimal sketch that includes the Keyboard.h library:

    Code:
    #include <Keyboard.h>
    
    void setup(){
    
    Keyboard.begin();
    
    }
    
    
    void loop(){
    
    //nothing to see here
    
    }

    And uploaded this to my Micro. I fired up Skylanders Swap Force on my Wii and plugged in the Arduino Micro into the USB port of the Wii. Here's where I got excited: THE GAME RECOGNIZED IT AS A PORTAL! Now I got excited I fired up a Test GUI from a library called HIDAPI, and I plugged in my main Portal. I started placing figures on the Portal and the Portal would send data to the computer (however, the colors of the Portal were not changing based off of the type of character I placed on the Portal).

    I used Serial.write(); to try to replicate the data that the Portal was sending to my PC, but I forgot that the Portal used a Raw HID method of data transfer, not Serial. So Serial wouldn't work.

    I ripped my copy of Skylanders Swap Force to a WBFS file and started the game in Dolphin. It recognized the (real) Portal, but it wouldn't recognize figures. So I followed these instructions to get the Portal working, and got it. Make sure to use Zadig 2.0.1! So now Dolphin is recognizing the Portal and it's working just like a real console. Because we replaced the driver in Zadig, the Test GUI won't recognize our Portal anymore, so I used USBlyzer to see the data.

    I think all we need now is a way to write RAW (!) HID data from the Arduino, because that's the protocol the Portal uses.

    I'd really like to get this figured out and get a character emulated.



    I used a fresh and portable Arduino environment to do this. You can download it here. This includes the test.ino sketch.
     
    Last edited by dpad_5678, Feb 23, 2017
  2. PokeAcer

    PokeAcer Banned

    Banned
    1,430
    1,061
    May 28, 2015
    United Kingdom
    Wales
    AWESOME! :D
    also sidenote, change your signature, 11.3 is unhackable ;)
     
    dpad_5678 likes this.
  3. dpad_5678
    OP

    dpad_5678 GBAtemp's Memelord

    Member
    1,631
    1,171
    Nov 19, 2015
    United States
    Was just about to do that, hehe.



    EDIT: Uploading the Arduino environment..... Sorry for the delay.
     
  4. dpad_5678
    OP

    dpad_5678 GBAtemp's Memelord

    Member
    1,631
    1,171
    Nov 19, 2015
    United States
    Can a mod change the title to "[WIP/PoC] Emulating Skylanders Portal with Arduino"?
     
  5. dpad_5678
    OP

    dpad_5678 GBAtemp's Memelord

    Member
    1,631
    1,171
    Nov 19, 2015
    United States
    Bump
     
  6. bennyman123abc

    bennyman123abc Master of the Script Kiddies

    Member
    594
    245
    Mar 21, 2013
    United States
    Training some more Script Kiddies
    I like the idea. Could you possibly finish this and, if possible, use the same PoC for amiibos? That would be amazing if you could :D
     
  7. Bug_Checker_

    Bug_Checker_ GBAtemp Advanced Fan

    Member
    950
    444
    Jun 10, 2006
    United States
    I believe the Dropbox link is not reliable.


    Also, I'll add this here ( I think there is a YouTube demo)
    https://github.com/brandonlw/USBSimulator
    http://www.brandonw.net/360bridge/doc.php
    http://www.brandonw.net

    I believe this shows USBSimulator and discusses xbox360 workaround but with Disney Infinity

     
    Last edited by Bug_Checker_, Feb 26, 2017 - Reason: Updated
  8. dpad_5678
    OP

    dpad_5678 GBAtemp's Memelord

    Member
    1,631
    1,171
    Nov 19, 2015
    United States
    Unfortunatley this method is based on emulating the Skylanders USB Portal. Amiibo's use external readers/writers (O3DS (XL), 2DS) and built in readers/writers (Switch, Wii U N3DS (XL). So for now, just use the NTAG215 method.
     
  9. bennyman123abc

    bennyman123abc Master of the Script Kiddies

    Member
    594
    245
    Mar 21, 2013
    United States
    Training some more Script Kiddies
    Would it be possible with a rewritable and attached NTAG?
     
  10. dpad_5678
    OP

    dpad_5678 GBAtemp's Memelord

    Member
    1,631
    1,171
    Nov 19, 2015
    United States
    There are no rewritable NTAGs afaik (at least when an Amino has been written to it)
     
  11. obiima

    obiima Newbie

    Newcomer
    1
    0
    May 14, 2017
    Netherlands
    Did you make any progress? I am working on something similar.

     
  12. naed06

    naed06 Newbie

    Newcomer
    4
    0
    May 16, 2017
    Any update on this?
     
  13. bengalih

    bengalih Advanced Member

    Newcomer
    82
    9
    Jun 28, 2009
    United States
    So this is totally related - but I didn't want to start a new one as this thread isn't super old and also there doesn't seem to be that much interest.

    I'm just curious as to why someone wasn't able to create a gct cheat code or something that simply bypasses the portal tricks the game into thinking a particular figure is mounted? I of course wouldn't know where to begin with this, but with all the wizards working on this stuff I'm surprised this was so difficult to do.
     
  14. GreyWolf

    GreyWolf GBAtemp Psycho!

    Member
    3,969
    766
    Mar 2, 2015
    United States
    I'm not certain but I think the game also stores data on the figures, not just reading them.