Skylanders portal demystified

  1. original url : http://brandonw.net/consoles/skylanders/
  2. specs + code : http://freakshare.com/files/payrqavo/SkylanderEditor.zip.html
  3.  
  4. the skylanders portal demystified
  5.  
  6. If you haven't heard of the game Skylanders: Spyro's Adventure, google
  7. it.
  8.  
  9. It's a video game for the PC/Mac, Wii, PS3, Xbox 360, and 3DS which
  10. comes with a USB "Portal of Power", a small platform that wirelessly
  11. reads and writes to Skylanders toys. Whatever toy you put on there, the
  12. character it represents will magically appear in-game where you can play
  13. with it, upgrade its stats, etc. Character data is saved wirelessly
  14. back to the toy itself.
  15.  
  16. This page attempts to explain how this all works (as I understand it so
  17. far).
  18.  
  19. the portal
  20. There are two main versions of the portal that I've encountered so far
  21. -- the wired one (PC/Mac, Xbox 360) and the wireless one (PS3/Wii/3DS).
  22.  
  23. They work basically the same way -- the portal (or wireless USB
  24. receiver, in the case of the wireless ones) constantly transmits status
  25. data back to the host, and also responds to read/write toy data
  26. requests.
  27.  
  28. The protocol couldn't be simpler -- the first byte of the data is a
  29. character representing the command, and then the data comes after it.
  30. For the wired version, 0B 14 is placed before the command character.
  31.  
  32. I don't have the wired version with me at the moment, so forgive the
  33. crappy specifics at the moment about that one.
  34.  
  35. The commands are:
  36. R -- run? restart? I don't know. It's necessary to send this to start
  37. the status responses flying across. Responds with empty R packet.
  38. A -- activate? I don't know. I send it after the R, but I don't know
  39. that it's really necessary. Responds with empty A packet.
  40. S -- status. This is the packet the portal/dongle keeps sending back to
  41. the host (PC/360/PS3/Mac/Wii/whatever). Toy placement/removal is
  42. reported here, but I haven't looked into it all that closely yet.
  43. C -- color. The next 3 bytes after this are the RGB values for the color
  44. you want to set. No response sent back.
  45. Z -- sleeping. The dongle for the wireless version reports this when it
  46. can't find the portal.
  47. Q -- query. This is sent when you want to request a block of data from
  48. the toy. Responds with Q packet of the requested data.
  49. W -- write. This is sent when you want to write data to a block on the
  50. toy. Responds with empty R packet.
  51. The PC/Xbox 360 version of the portal reports vendor ID 0x1430, product
  52. ID 0x1F17. The Wii wireless version of the portal reports vendor ID
  53. 0x1430, product ID 0x0150. This is probably the same as the others, but
  54. I'm not sure.
  55.  
  56. The wired version contains two interrupt endpoints, incoming is 0x01 and
  57. outgoing is 0x02. Commands are sent/received over these. Responses are
  58. always 0x20 bytes and padded with zeroes.
  59.  
  60. The wireless version's dongle is a standard HID device, so it only
  61. contains one incoming endpoint (0x01). Statuses and responses are
  62. received over this endpoint, but to send commands, it's done through a
  63. standard USB control request (bmRequestType 0x21, bRequest 0x09, wValue
  64. 0x0200, wIndex zero). It's also possible for the Wii to send requests
  65. 0x0A and 0x0B with no data attached; I don't know yet what these are.
  66. Both commands and responses are always 0x20 bytes, padded with zeroes.
  67.  
  68.  
  69.  
  70. Request Format/Details
  71. R       52
  72. A       41 <1 byte, unknown, always 0x01>
  73. S       53 <4 bytes, status data?> <1 byte, auto-incrementing
  74. sequence>
  75. C       43 <3 bytes, R/G/B value>
  76. Z       5A
  77. W       57 10 <block number> <0x10 bytes of data>
  78.  
  79. Q is tricky.
  80. When a NEW skylander is placed on the portal the skylander must be read via:
  81. Q       51 21 0 <0x10 bytes of data>       i.e. The zero block must be read with 0x21.
  82. Q       51 11 <block number> <0x10 bytes of data>
  83.  
  84. When an OLD skylander (one that is already on the portal) must be read, we use:
  85. Q       51 20 0 <0x10 bytes of data>       i.e. The zero block must be read with 0x20.
  86. Q       51 10 <block number> <0x10 bytes of data>
  87.  
  88. Q should come back with a response of the form
  89. 51 11 <block number> <data>  for a NEW skylander
  90. 51 10 <block number> <data>  for an OLD skylander
  91.  
  92. A response like 51 01 ... indicates an error.
  93.  
  94. If you find that the write isn't working (especially on the wired
  95. version), pad the request out to 0x20 bytes and specify 0x20 instead of
  96. 0x10 with the command. It's dumb like that (off-by-one bug, I suspect); I
  97. haven't tested if that would break the wireless version or not.
  98.  
  99. The wireless version has a tendency to just not respond, so if you write
  100. your own application that does this stuff, try commands multiple times,
  101. and if writing data, query the block immediately afterward to make sure
  102. the write took. The game and web site do this as well.
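
The framing and the write-then-query advice above, as an added example (not code from the original page or from SkylanderEditor). It uses the wireless framing (no 0B 14 prefix); the exchange callable and the FlakyPortal stand-in are hypothetical names constructed here so the sketch runs without hardware.

```python
PACKET_LEN = 0x20  # wireless commands and responses are always 0x20 bytes
BLOCK_LEN = 0x10   # one toy block

def frame(cmd, payload=b""):
    """Command character followed by its data, zero-padded to 0x20 bytes."""
    body = cmd + bytes(payload)
    if len(body) > PACKET_LEN:
        raise ValueError("packet longer than 0x20 bytes")
    return body.ljust(PACKET_LEN, b"\x00")

def query_packet(block, new_toy=False):
    # Block 0: 0x21 new toy / 0x20 already on portal; other blocks: 0x11 / 0x10.
    mode = (0x20 if block == 0 else 0x10) | (1 if new_toy else 0)
    return frame(b"Q", bytes([mode, block]))

def write_packet(block, data):
    if len(data) != BLOCK_LEN:
        raise ValueError("a block is exactly 0x10 bytes")
    return frame(b"W", bytes([0x10, block]) + data)

def parse_query_response(resp, block):
    """Return the block's 16 data bytes, or None if the reply is unusable."""
    if resp is None or len(resp) != PACKET_LEN or resp[:1] != b"Q":
        return None  # no reply at all, or not a Q packet
    if resp[1] not in (0x10, 0x11) or resp[2] != block:
        return None  # 51 01 ... is an error; also reject a reply for another block
    return resp[3:3 + BLOCK_LEN]

def write_verified(exchange, block, data, attempts=5):
    """Write, query the block straight back, retry; returns attempts used or 0."""
    for attempt in range(1, attempts + 1):
        exchange(write_packet(block, data))
        if parse_query_response(exchange(query_packet(block)), block) == data:
            return attempt
    return 0

class FlakyPortal:
    """Constructed in-memory stand-in that ignores every third packet."""
    def __init__(self):
        self.blocks, self.seen = {}, 0
    def __call__(self, pkt):
        self.seen += 1
        if self.seen % 3 == 1:
            return None  # simulated "just not responding"
        if pkt[:1] == b"W":
            self.blocks[pkt[2]] = pkt[3:3 + BLOCK_LEN]
            return frame(b"R")  # the page: W is answered with an empty R packet
        data = self.blocks.get(pkt[2])
        return frame(b"Q", bytes([0x01]) if data is None else bytes([0x10, pkt[2]]) + data)
```

With a real device, exchange would send the 0x20-byte packet and return the next non-status response, or None on timeout.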
  103.  
  104. Be aware that the Xbox 360 version has an Infineon security chip (method
  105. 3, version 1.00), so if you intend to emulate the portal on the Xbox
  106. 360, you're going to have to resort to some weird trickery.
  107.  
  108. raw toy data
  109. The character itself can store up to 1KB of data, separated into 64
  110. 16-byte "blocks" (64 * 16 = 1024 bytes). A group of 4 blocks is
  111. (traditionally) a "sector." All data is stored Little Endian.
  112.  
  113. Below is a decrypted dump of one of my characters, Gill Grunt (some
  114. sensitive information masked out with "XX"):
  115.  
  116. Block 00: XX XX XX XX CA 81 01 0F C3 85 14 91 55 50 10 11
  117. Block 01: 0E 00 00 00 XX XX XX XX XX XX XX XX 00 00 58 E3
  118. Block 02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  119. Block 03: 00 00 00 00 00 00 0F 0F 0F 69 00 00 00 00 00 00
  120. Block 04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  121. Block 05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  122. Block 06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  123. Block 07: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  124. Block 08: 00 00 00 00 00 6D 01 00 00 78 2E DF 3F 18 2C DD
  125. Block 09: 00 00 00 01 00 00 00 00 AF 2A BC 87 21 A8 63 9A
  126. Block 0A: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  127. Block 0B: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  128. Block 0C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  129. Block 0D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
  130. Block 0E: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  131. Block 0F: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  132. Block 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  133. Block 11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  134. Block 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  135. Block 13: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  136. Block 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  137. Block 15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  138. Block 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  139. Block 17: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  140. Block 18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  141. Block 19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  142. Block 1A: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  143. Block 1B: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  144. Block 1C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  145. Block 1D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  146. Block 1E: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  147. Block 1F: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  148. Block 20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  149. Block 21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  150. Block 22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  151. Block 23: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  152. Block 24: 00 00 00 00 00 70 01 00 00 79 F8 ED 3F 18 C8 7A
  153. Block 25: 00 00 00 01 00 00 00 00 AF 2A BC 87 21 A8 63 9A
  154. Block 26: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  155. Block 27: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  156. Block 28: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  157. Block 29: 35 14 16 0A DB 07 00 00 00 00 00 00 00 00 00 01
  158. Block 2A: 35 14 16 0A DB 07 00 00 00 00 00 00 00 00 00 00
  159. Block 2B: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  160. Block 2C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  161. Block 2D: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  162. Block 2E: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  163. Block 2F: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  164. Block 30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  165. Block 31: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  166. Block 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  167. Block 33: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  168. Block 34: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  169. Block 35: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  170. Block 36: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  171. Block 37: 00 00 00 00 00 00 7F 0F 08 69 00 00 00 00 00 00
  172. Block 38: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  173. Block 39: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00