Would-Be Skylanders Hacker Handed Cease and Desist


A programmer has been stopped from even posting about his research prior to actually performing it.

Brandon Wilson is a graphing calculator programmer with a small, but loyal, fan base. For years, he’s worked on a variety of interesting projects involving calculators and computers, posting his results to the community for free on his stylishly trim website. Recently, Brandon branched out and decided to work on something a little different: Skylanders: Spyro’s Adventure. After discovering the security protocol the game’s pieces used to interact with the player’s computer, it wasn’t long before he came home to a hand-delivered cease and desist letter straight from Activision’s lawyers.

If you aren’t familiar with Skylanders, the game is spin-off of the Spyro series, in which players buy physical character packs which connect with a specialized USB peripheral to connect the creature to the game world. Activision has, of course, taken multiple precautions to protect this data transfer (as a breach would mean players no longer need to buy figurines). While Wilson’s research into this data was still incomplete, the company was quick to act before a final solution was reached.

More of a good-natured tinkerer than malicious pirate determined to take down Activision, Wilson was happy to comply. The following is his original post on the matter:

Why am I talking about [Skylanders?] Because I documented the protocol it uses, and the encryption method used to store data on the toys.

I plan to work on emulating the portal using an 84+/SE or 89Ti for all the major consoles. And for the Xbox 360, it’s especially interesting because I’ll have to work around the Infineon security chip that protects the Xbox 360 from third-party USB peripherals.

I could go into further detail, but then I’d sound more and more crazy, so perhaps I’ll wait until I get basic portal emulation working. Stay tuned!

UPDATE: And here come the Activision lawyers! Suffice it to say, I’ve been shut down, so uh…nevermind. 🙂

The only strange thing about this case, is that (as Wilson himself points out) none of the research posted on his site was actually in any violation of Activision’s stated policies, noting that its examples pointed to leaks that weren’t even his. Wilson went on to further explain that the only thing he had was a .zip file of a data dump from one figurine which was neither posted online nor even announced.

I understand why companies like Activision need to take quick and decisive action against people who could single-handedly destroy a product line, but perhaps they should wait until violations actually occur as to avoid some awkward Minority Report-type scary legal tactics. Granted, once Wilson complied there was no further action, but should tinkerers not even be allowed to post about their private tinkering without incurring the threatened wrath of a multimillion dollar legal team?


About the author