Disney MagicBand Hacking Part 2 - RF Firmware reversing

  • Published 20 Oct 2024
  • In this Part 2 of the Disney MagicBand Hacking I will show you, step by step, how I reversed the firmware of the nRF31512 8051 SoC, in a shaky video format.
    The NFC part of the band is not looked into, as it is not the interesting part.
    Demo code on GitHub:
    github.com/atc...
    Part 1 of the Hardware hacking and Firmware extracting can be found here:
    • Hacking the Disney Mag...
    You can find a Tweet writeup here on twitter:
    / 1662192314649833472

Comments • 109

  • @BlackHawkJag · 1 year ago · +179

    Honestly didn't expect part 2 to come out, I was sure the mouse had sent a hitman out. This is great! Thanks for the video!

    • @atc1441 · 1 year ago · +23

      Thank you 🙂
      Let's see what happens now 😅

    • @blundblack · 1 year ago

      @atc1441 u88 ook

    • @SDogo · 1 year ago

      The mouse doesn't know yet where he's located. It's just a matter of time.

    • @atc1441 · 1 year ago · +10

      Turned off the wristband already so they can't track me 🤣

  • @CapnBry · 1 year ago · +39

    Heck yeah! Nice to see it doing something other than being passive all the time. Interesting that it would have any sort of active mode at all considering the small internal battery and being 100% sealed with no way to replenish the joules. I do remember Mission: Space used to have an astronaut leaderboard when you got off the attraction that would show your name and how many times you've ridden. It would have had to have sent its ID over this protocol as you neared the display, as it would have been far outside the NFC range.

    • @dvdcd · 1 year ago · +6

      It's A Small World also did (or still does) display guests' names on video screens in the farewell ending of the attraction

  • @braddofner · 1 year ago · +7

    That was intriguing to see. I loved taking that journey with you. I'm very happy to see smaller channels getting recognition. Subscribed and I can't wait for your next video! Great job!

    • @atc1441 · 1 year ago · +3

      Thank you!

  • @dvdcd · 1 year ago · +25

    I know at one point they were planning (or potentially implemented) a feature to identify guests in crowded areas, and then send them a discount code in the app to a restaurant in a less crowded area in order to even out the crowds, super cool stuff!

    • @dvdcd · 1 year ago · +10

      I also know all of the wait time tracking in the parks is done by magic band now as well, I believe that's one of the main uses for the tech

    • @benvinson1164 · 1 year ago

      @dvdcd Likewise, if you have a band, rumor has it that you can pre-order a meal for a restaurant. When you go in and sit, the band is automagically read and your food just shows up, and they know which seat you are at.

  • @a4d9 · 1 year ago · +3

    Nice work!
    Good to know that the only information stored in the device is the serial number that it transmits when needed, and that all personal information is stored in the backend.

  • @theinternetis7250 · 1 year ago · +7

    Not rambling, this is great information!

  • @nm999999991 · 1 year ago · +6

    So, understanding the band's nature, I would think that the "3" function is transmitted by the park to "wake" the device. This prevents others from seeing the messages the band transmits without being in the park. Other functions might control which Disney Park and, therefore, more information.
    I wonder if the band also reads any NRF of other nearby chips. I would also think there is a clock set function, maybe a part of the 3 functions, to give timing.
    This would give Disney knowledge of who is nearby this band for contact tracing.

    • @atc1441 · 1 year ago · +6

      Hey, since the firmware only listens on Ch82 but never transmits on it, I don't think that would work.
      Also the listening time is only around 500 µs max; that timing would need to be way too precise.
      They can still somewhat do contact tracing by looking at who is at the same position in the park.

    • @ColbyJohnson · 1 year ago · +1

      @nm999999991 Generically the nRF31512 is listed under FCC as broadcast control. He is saying the firmware written for this device does not transmit on CH82, it just listens.

  • @Enjoymentboy · 1 year ago · +10

    Somebody needs to get this guy a McDonald's ice cream machine. If he can do this with a magic band I have to imagine he can finally solve the ice cream crisis.

    • @kyanhluong · 1 year ago · +5

      Last time I heard, the Taylor ice cream machine that McDonald's uses has (intentionally?) confusing errors, so that the employees have no idea what is going wrong, with the manual only telling them to call a technician. There's a good video about it: th-cam.com/video/SrDEtSlqJC4/w-d-xo.html

  • @hooskworks · 6 months ago · +1

    Great information and an interesting look into what you can find out with limited information.
    I've had a go at reproducing your results with a couple of MagicBand+ from around the time this video was released (i.e. probably similar firmware age) and they don't seem to respond to the magic number or any value which can go into that first byte of dataOut. I think I need a MB+ to disassemble and attach a power profiler to next and if that doesn't get me anywhere then I'll be trying to dump the MB+ firmware. My assumption is that the firmware is the same as on the non-plus bands and the bands simply lack the extra hardware (leds and a vibration motor).

    • @atc1441 · 6 months ago · +1

      Hey, MB+ works completely different

    • @hooskworks · 6 months ago · +1

      @atc1441 That figures. Almost as soon as I'd finished writing the comment I realised the non-replaceable battery means the wake-up conditions have to be completely different, so they almost certainly need a different and more frequent beacon interval from the parks, and the bands have to be aware of whether they're a MB or MB+.

  • @FelipeFideli · 1 year ago · +1

    Very cool! Congratulations on your findings!

  • @MatthewLenz · 1 year ago

    Did you happen to test the range? Sorry if you mentioned this in the video. I skipped around a bit.

  • @jameshoward8609 · 1 year ago

    This reminds me of some sim games like Roller Coaster Tycoon and Theme Park Simulator. There is someone at a computer watching you walk around the park. Soon they will know how happy you are, your hunger level, and when you need to go to the bathroom.

  • @TheRealp455w0rd · 1 year ago · +6

    Disney now uses MagicBand+, which combines NFC with BLE for interactive experiences throughout the park. Basically, it has 5 RGB LEDs and a vibration motor which activate when riding certain rides or near certain statues in the park. I am desperately trying to figure out what Disney does to trigger these animations. I have already toyed with the NFC and used it at home with a Raspberry Pi, but I'm a novice when it comes to BT comms. I would be willing to help get you one of these bands if you'd be interested in trying to figure out the BT protocol/commands that trigger the effects.

    • @atc1441 · 1 year ago · +3

      Hey, yes the new one is way more advanced, it uses an EFR32BG21 SoC and I would love to get my hands on one
      Mail: band@43u.de

    • @eaferrari24 · 1 year ago

      @atc1441 you might also be interested in the interactive hats/wands Disney made in the 2010s. Lots of cool tech in them as they could both transmit and receive. The final generation ~2018 had Bluetooth and IR and could be controlled with an Android app. th-cam.com/video/IIIjR5prez0/w-d-xo.html

  • @dclement6740 · 1 year ago

    Great content, super instructive! Thanks Aaron

  • @woolfy02 · 1 year ago

    Amazing what is possible with some time! For Ghidra and the decompile, what programming language does it go to? Python, C or C++? This is all new to me.

  • @zerog2000 · 1 year ago · +6

    Sounds like the band was triggered to go through and find a new channel to talk to some AP, like finding a clear channel, but that AP never responds, so it keeps searching for the AP. Maybe it's looking for auto-ack or some special ack with payload. I have seen something _like_ this while working with nRF24L01-based remotes for articulating bed frames. Since you have most of the code reversed, you can see all the program flow where it's working with the nRF24 module registers, and find out how it sets up the TX & RX (auto-ack, payload settings, reading status registers, etc.)

    • @atc1441 · 1 year ago · +4

      Auto ACK is disabled :) it can only ever listen on Ch82 and TXes on the 4-channel list in a loop

  • @nickadams2361 · 1 year ago · +1

    god damn this is awesome man

  • @PointShotDR · 1 year ago

    Publicly showing the magicband owner's ID can't get the person into trouble?

  • @ChrisHalden007 · 1 year ago · +1

    Really impressive. Well done 👍

  • @badgerbalti · 1 year ago · +2

    The plus band has LEDs and haptics, wonder if some of the other functions trigger those. Would be great to trigger some of the plus bands to alert the wearer about something

    • @atc1441 · 1 year ago · +3

      I need this!

    • @badgerbalti · 1 year ago · +1

      I'll see if I can find mine and get some pictures of the internals

    • @atc1441 · 1 year ago · +1

      It seems to use an EFR32BG21 as main SoC, very powerful, like a smartwatch

    • @badgerbalti · 1 year ago

      In the Disney outlets outside the parks they were selling various magic bands from older promotions for very little money compared to what they charged for the current bands in the parks. I nearly bought a load just to experiment with but opted against it in the end as my hands were literally already full. Wish I'd gone back to get some now.

    • @badgerbalti · 1 year ago

      Have found it. Will see if I can get the bead open later.

  • @frogz · 1 year ago · +1

    Is the ID identical to the one on the back of the band?

    • @atc1441 · 1 year ago · +2

      It's a different one

  • @ok-eh7zm · 1 year ago

    how did you get to this level of understanding of electronics engineering

  • @ChrisWard74 · 1 year ago

    Does the ID that is in the firmware match what is printed on the back of the magic band?

    • @atc1441 · 1 year ago

      No, it is a different one but you can read the correct one via NFC

  • @paulmeynell8866 · 1 year ago · +2

    That’s brilliant thank you

  • @mrhobbles385 · 1 year ago

    Hi, thanks for this! I've been attempting to get it working with a Wemos D1 R32, which is an Uno shaped ESP32 board. The sketch compiles and uploads and runs, but no bands are found. Here's my pin configuration. Do you have any ideas of what I may be doing wrong?
    const static uint8_t PIN_RADIO_CE = 16;
    const static uint8_t PIN_RADIO_CSN = 5;
    const static uint8_t PIN_RADIO_MOSI = 23;
    const static uint8_t PIN_RADIO_MISO = 19;
    const static uint8_t PIN_RADIO_SCK = 18;
    Thanks!

    • @atc1441 · 1 year ago

      Thanks for trying to use it. So far I heard that some fake nRF24s cause problems, so maybe try another one if on hand.
      Also you could try to send the wakeup signal for a long time and then re-upload with the default code, maybe the wakeup is too short

    • @rcstl8815 · 1 year ago

      D1 is WiFi, 803 I think. RF24 is 2.4.

    • @mrhobbles385 · 1 year ago · +1

      @rcstl8815 I'm not using the ESP32 for its WiFi or BLE capabilities, I'm using it plugged into an nRF24 via the pins I noted. Aaron is doing the same

  • @diegoopazo8509 · 1 year ago

    Hello, I saw your video of the E20 error on the Fenix vaporizer, did you find any solution?

    • @atc1441 · 1 year ago

      Hey, as you can see in the video, the fix did not work :)

  • @mitsuperboy · 1 year ago

    Wow, it would be good if you made an Arduino library to use all the functions of the MagicBands. But I'm not a programmer, so if you did a library, can you also convert it into a microblock library, which is an Arduino-based programming-in-blocks environment for many different boards which support ESP32. Tim

  • @mungewell · 1 year ago · +1

    Nice work! I presume the 'continuous TX' function is triggered in a lost child situation...

    • @atc1441 · 1 year ago · +5

      The periodic sending is at 1 second already, so fast enough.
      The continuous TX is more to let the AP know faster when the band is online
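
The timing behaviour described in the replies above (a band that only ever listens on Ch82, in a window of at most about 500 µs, never transmits there, and once woken beacons its ID on a four-channel list once per second with auto-ACK disabled) is also what lies behind the advice to send the wake signal for a long time. The following Python model is an added example written for this page; it is not the demo code from the video or the author's GitHub repository, and it talks to no hardware. Channel 82, the ~500 µs window, the one-second beacon period, the four-channel loop and the "3" wake value that commenters describe are taken from the comments; the sleeping band's listen period, the frame air time and the channel numbers in the TX list are placeholders marked ASSUMED in the code.

```python
"""Timing model of the MagicBand RF duty cycle as described in the comment thread.

Constructed example for this page, not the video's demo code. Every constant marked
ASSUMED is a placeholder; the others are taken from the replies in the thread.
All times are in microseconds.
"""

LISTEN_CHANNEL = 82               # the band only ever listens here, never transmits on it (thread)
LISTEN_WINDOW_US = 500            # listen window of at most ~500 us (thread)
WAKE_BYTE = 3                     # first byte of the wake payload, the "3" the thread talks about
TX_PERIOD_US = 1_000_000          # periodic ID beacon once per second (thread)
TX_CHANNELS = (10, 40, 70, 100)   # ASSUMED placeholders: the real 4-channel list is not on the page

LISTEN_PERIOD_US = 1_000_000      # ASSUMED: how often the sleeping band opens its RX window
FRAME_US = 200                    # ASSUMED: air time of one wake frame; two of them fit in 500 us

# A burst this long always covers one complete listen window, so a full frame lands
# in it whatever the phase of the band's listen timer (requires window >= 2 * frame).
GUARANTEED_BURST_US = LISTEN_PERIOD_US + LISTEN_WINDOW_US


def _ceil_div(a, b):
    return -(-a // b)


def wake_time(burst_start_us, burst_len_us, *, first_byte=WAKE_BYTE, channel=LISTEN_CHANNEL):
    """Time at which the band finishes decoding a wake frame, or None if it never does.

    The transmitter sends identical frames back to back for burst_len_us. The band only
    decodes a frame that lies entirely inside one of its listen windows, which open at
    k * LISTEN_PERIOD_US and last LISTEN_WINDOW_US, and only if the first byte is the wake value.
    """
    if channel != LISTEN_CHANNEL or first_byte != WAKE_BYTE:
        return None
    burst_end = burst_start_us + burst_len_us
    for k in range(burst_start_us // LISTEN_PERIOD_US, burst_end // LISTEN_PERIOD_US + 1):
        win_start = k * LISTEN_PERIOD_US
        win_end = win_start + LISTEN_WINDOW_US
        # index of the first frame that starts at or after the window opens
        j = max(0, _ceil_div(win_start - burst_start_us, FRAME_US))
        frame_end = burst_start_us + (j + 1) * FRAME_US
        if frame_end <= win_end and frame_end <= burst_end:
            return frame_end
    return None


def beacon_schedule(wake_us, until_us):
    """(time, channel) pairs of the ID broadcasts an awake band sends.

    Per the thread, each beacon period the band transmits on every entry of the
    4-channel list in turn; auto-ACK is off, so nothing comes back and nothing is retried.
    """
    schedule = []
    t = wake_us
    while t < until_us:
        for ch in TX_CHANNELS:
            schedule.append((t, ch))
        t += TX_PERIOD_US
    return schedule


def heard_on(schedule, sniff_channel):
    """What a receiver parked on one channel sees: the beacons sent on that channel only."""
    return [t for t, ch in schedule if ch == sniff_channel]


if __name__ == "__main__":
    short = wake_time(600, 100)                  # 100 us burst that misses the window
    long_ = wake_time(600, GUARANTEED_BURST_US)  # long enough to be caught at any phase
    print("100 us burst wakes band at:", short)
    print("guaranteed-length burst wakes band at:", long_)
    sched = beacon_schedule(long_, long_ + 3 * TX_PERIOD_US)
    print("beacons heard on channel 82:", heard_on(sched, LISTEN_CHANNEL))
    print("beacons heard on first TX channel:", heard_on(sched, TX_CHANNELS[0]))
```

Running the file shows a 100 µs burst that never places a complete frame inside a listen window, while a burst one listen period plus one window long is caught regardless of where the band's timer is. `heard_on` also shows why a sniffer parked on channel 82 records nothing after the wake: the ID beacons only ever go out on the TX list, so the receive side of the protocol has to be watched on those channels.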

  • @hsmptg · 1 year ago

    What software did you use to reverse the machine code to C source code?

    • @atc1441 · 1 year ago · +3

      That's Ghidra

  • @hippopotamus86 · 1 year ago

    Can you upload the decompiled firmware for the band?

    • @atc1441 · 1 year ago · +1

      No :(

  • @andrekroth · 1 year ago

    Entertaining! Good start. Happy to see more like this :)

  • @SkippyDa · 1 year ago · +1

    Are you planning on putting the binary anywhere?

    • @atc1441 · 1 year ago · +11

      Unfortunately not, that's where the legal stuff ends ^^

    • @SkippyDa · 1 year ago · +1

      @atc1441 I figured, thanks for the series!

  • @JanJanJanJanJanJanJanJanJan2 · 1 year ago

    Soooo.. you could theoretically go to the mouse house and generate a LOT of fake visitors, right?

    • @atc1441 · 1 year ago

      Yes

    • @JanJanJanJanJanJanJanJanJan2 · 1 year ago

      @atc1441 imagine all of the attack vectors.
      $someone could try to find out what they are doing with this data, if it's only for internal benchmarking or if it's used for crowd control. Maybe the backend rejects unknown IDs. In that case you'd need to log all of the valid IDs and replay them.
      And did I get that right? The NFC ID is identical to the radio ID? If these bands are used for payment (are they?) that could cause mayhem.
      Maybe that's worth investigating further. Not in a malicious way, of course, but for responsible disclosure reasons.

  • @steverileyretired · 1 year ago

    Could it be used if you lose a child, then they can track the child and tell you where they are?

    • @atc1441 · 1 year ago · +2

      Yes, that could be done.
      But no idea if they have implemented it

    • @dvdcd · 1 year ago · +2

      @atc1441 They did on Disney Cruise Line! Every child enrolled in childcare is given a magic band (previously a pre-magic-band RF device) and the cast members can look up which area of child care (or even what area on the wider ship) the child is at

  • @Gideonrex1 · 1 year ago

    Damn, I was hoping you could modify it to do something cool like tell the scanner thing to light up a custom light.

  • @zoenagy9458 · 1 year ago · +2

    wow, we could mass-overwrite all with a uniform ID? :D :D

  • @zoenagy9458 · 1 year ago

    what product is next?

  • @jacobdavidcunningham1440 · 1 year ago · +1

    nice big screen setup

  • @sobertillnoon · 1 year ago

    M O I R E

  • @enjoyer____9685 · 1 year ago · +2

    If you manage to reverse engineer this completely, what can we do with that?
    Like get to an attraction faster?

    • @maddercat · 1 year ago

      Fully reversed is pretend to be someone else, steal their identity and credit card, have a free shopping trip and day at Disney, maybe even get into Club 33/DVC or higher-level areas. Yeah, I think I'd hang out at Club 33, steal an ID of someone that looks a little like me, wait for them to leave, then go back in, or maybe go the next day or something.

  • @DavidDyck · 1 year ago

    thanks for your research

  • @jonschpzinsky1569 · 1 year ago

    Wonder if the developer chose the number 3 due to what iconic pair of ears it looks like :)
    Great work on the video and reversing, really interesting to look at

  • @1kreature · 1 year ago · +3

    This is FULL tracking of underage children with fingerprint ID on band wearer.
    Nowhere else but America would this be legal.

    • @igotes · 1 year ago · +1

      I'm guessing that the band came from the Paris park.

    • @TheRealBobHickman · 1 year ago · +1

      It's a contract you consent to when you buy a ticket. There's an option to not use this if you are worried about the in park and on property tracking, but you'll lose access to a bunch of convenient services. There's no actual nefarious tracking going on besides the minimum required to enable services (fast pass, room entry, personalization, etc.)

    • @1kreature · 1 year ago

      @TheRealBobHickman No nefarious tracking, then you list fast pass and personalization. The first is a way to get people to pay double or simply have to stand in line an entire day, and for the second I wonder if personalization includes ads... I know it's a "contract you agree to" but it's nasty. I guess you are getting so used to it in the US that you don't see it. Apparently a frog doesn't jump out of the pot if you raise the temperature slowly.

    • @1kreature · 1 year ago · +2

      @TheRealBobHickman Btw, apparently 100 fastpass users get to ride for every 1 normal visitor. Think what that does to the kids whose parents can't afford fastpass? The kid who can loops around like crazy and gets to ride 20 times, while the other kid has to select 3 rides for the entire day of waiting.

    • @1kreature · 1 year ago · +2

      @TheRealBobHickman I guess most of my resentment for the system comes from when I was treated to this visiting Florida. Reading about it later, I think the Fastpass was supposed to be a free service, but we were charged over double the cost of normal park entry for it. I never visited a Disney-themed park again.

  • @bardenegri21 · 1 year ago · +1

    Very cool

  • @dolbyman · 1 year ago

    So it is in a deep sleep until woken up by entering a park... Then it will send its ID to track (crowd control, ride photo linking, etc.) and when you leave the park (no more RF triggers) it goes to sleep (battery is supposed to run for 3-4 years)... thanks for the insights

    • @atc1441 · 1 year ago

      Hey,
      Yes it works exactly like that

  • @ifordarby-hoskin4096 · 1 year ago

    Well done

  • @bf3and4highlights83 · 1 year ago · +1

    Disney did send out a hitman but he goofed it up.

  • @wolpumba4099 · 1 year ago

    Nice!

  • @dGroupcom · 1 year ago

    very nice hack

  • @maddercat · 1 year ago

    If you can steal people's band IDs, can you pretend you're them? Also can you get the lights to go on, I guess this is a higher-$ band that does that? Disney sells toys or devices which cause them to go off at home, right? I think Disney had almost better recall them at this point, maybe you just cost them millions of $. Since in WDW especially magic band IDs are tied to credit cards for fast checkout, getting this far is pretty scary. I knew this shit wasn't safe, why I never bought one. I think it's not too long now till black hats try to get free Disney vacations based on this.

  • @GatorGlider · 1 year ago · +1

    You shouldn't have showed your face! The mouse will find you now!

  • @downyourtube · 1 year ago

    Would you be interested in working on a provisional patent with me? (Note: nothing on my channel is about what I ask of you. I have other interests besides my channel. So please don't judge me on its content.)

  • @mre9593 · 1 year ago · +1

    I think it would be cool to have a way to activate the MB+ from home, like when the popcorn is done or on someone's birthday, but do it in a way that doesn't interfere with the band so it can still be used at the parks (re Disney's interactive fireworks show).

  • @dtesta · 1 year ago

    Do you live in Berlin? Let's meet up! :)

    • @atc1441 · 1 year ago

      Near Hamburg

    • @dtesta · 1 year ago

      @atc1441 Ok, that's pretty close. I can just use the Deutschland ticket to go there :)

    • @atc1441 · 1 year ago

      Yeah sounds doable, what's the plan? ^^

    • @dtesta · 1 year ago

      @atc1441 Well, just talk about electronics in general :) I've done a lot of playing around with ESP8266 and ESP32. Mainly coded flight controllers for drones in C, but also home automation stuff. Also hacked some devices lying around. Mostly cameras running tiny Linux installs. It's always nice to meet like-minded people :) Lately I've been playing around with making AirTag-like trackers on ESP32.

    • @atc1441 · 1 year ago

      Lets continue via PM
      Write me a mail if you like: atc@43u.de

  • @michaelhamilton3778 · 1 year ago

    Kind of like an apple AirTag. 😶

  • @JNET_Reloaded · 1 year ago

    You're recording your screen with a camera when there's a screen recorder, what a dope!