Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2015-05-04 15:07:05

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

[FINISHED] a popular toy Amiibo

Someone here on the forum has started to scan the Amiibo toys.

ref:  http://www.proxmark.org/forum/viewtopic … 775#p15775

What we know right now is:

Tag should be:
- Mifare NTAG 215
- NOT NDEF data layout.
- size 504 bytes.
- you can read a lot with the "hf mfu" commands.

- PWD is based on UID.
- UID -> PWD algo is known.
- DATA encryption is also known.

Last edited by iceman (2015-08-03 13:07:17)


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#2 2015-05-04 16:37:43

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] a popular toy Amiibo

Let's get things started with an Amiibo dump:

pages 00-03: 04 D2 57 09 7A E3 3E 80 27 48 0F E0 F1 10 FF EE
pages 04-07: A5 00 00 00 96 9D 6E C6 9D E0 AF E0 71 86 45 1A
pages 08-0B: C3 54 A1 AD E2 70 BE 11 BF 64 FD 9C 11 14 93 71
pages 0C-0F: 31 F3 8B 84 A5 F9 EF 91 00 5B 1E C0 61 58 4A BE
pages 10-13: 7E 0F 18 E0 F3 34 2A 29 AC 88 9A 45 64 D5 1E B7
pages 14-17: 7F 5C E6 4E 32 00 00 00 00 30 00 02 05 12 C4 17
pages 18-1B: 3B 2E 12 D0 E1 5E 95 DA 10 2C 64 9E 27 09 C2 EE
pages 1C-1F: E9 FF 41 C3 A3 BC BD 5F CC C0 8B A0 9C 68 D5 09
pages 20-23: 71 13 B7 A7 AD C9 4D 22 1C F5 E3 67 1C DE 20 5D
pages 24-27: 0D 52 4C AE 3D 37 8B 57 9B 76 D5 DE 31 05 5A 8B
pages 28-2B: 1E 2C 72 3A 11 D6 09 63 8E F9 B2 2C B7 DA CF CA
pages 2C-2F: E4 22 DF 74 DB 6F 46 8E 69 C9 05 6A 8E EA 3E E0
pages 30-33: EF 33 01 87 68 5D 6B 35 AF B2 06 26 B8 1E 5F 9A
pages 34-37: 52 9D 89 C7 23 53 1F B3 0A 6E C4 DA 72 17 2B 4E
pages 38-3B: 98 13 E0 C2 1D 30 94 97 A0 F8 E8 EF 41 04 2C 4B
pages 3C-3F: 61 44 7B 1F DD 26 BF 3D EB 0F 24 DE 6F FF A6 4C
pages 40-43: 63 6B 56 DE 00 49 7B 85 8B 33 3A 9D 5D AE 71 96
pages 44-47: 91 B7 39 9F 09 BD CA 74 C1 41 88 7F FF 35 1C B2
pages 48-4B: 3D BF 31 74 FF 03 D8 F3 E5 41 44 46 FB 3F 95 D1
pages 4C-4F: EF C9 C3 31 C2 62 B6 A0 C1 15 56 21 13 1F 53 8D
pages 50-53: 46 99 6D 66 FD E6 30 EE CB 63 CF 9B AC 79 7A 11
pages 54-57: FC 7C F6 71 1A 2B DA ED EF 24 80 F0 23 8A 42 95
pages 58-5B: 95 1D E6 06 A4 10 E4 45 47 EB 5E 71 38 21 23 A3
pages 5C-5F: 30 F7 28 76 1A 42 13 41 BD E9 6A 9E 9C 9B 3C 52
pages 60-63: 8B 25 80 F0 85 27 5D 6A B7 2F D8 6E 76 6C 21 E6
pages 64-67: A9 94 88 33 A8 4E 7F 97 5B E8 23 8B C4 5B 55 C9
pages 68-6B: 16 0C 33 92 8B 1C 3A EE B2 B9 AE A7 00 80 3E 4D
pages 6C-6F: 85 B0 95 06 AB 96 5D 15 2B A2 D4 61 82 2C 60 5F
pages 70-73: 4A 9F 9A 67 C3 E6 AB 2E 14 3E DB 2B 1E 7B 92 4A
pages 74-77: 47 A2 FF 79 4E C3 5E E1 6D CA 6C 5C 83 C6 F2 EC
pages 78-7B: 33 51 9B 25 16 93 FA E8 53 08 03 3C B2 4C 4B 39
pages 7C-7F: 67 4E B8 BC CD 0E 19 33 06 8D C9 13 04 2D C3 F2
pages 80-83: 32 E7 36 85 23 96 D9 BF 01 00 0F BD 00 00 00 04
pages 84-86: 5F 00 00 00 00 00 00 00 00 00 00 00

And having just done that.... what's the best way to share dumps and snooped traffic between reader/tag? Paste in forum as "code"? Paste it in a gist and share the link?


#3 2015-05-04 16:48:10

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Some people use pastebin or ghostbin.

However, your dump is not complete.
You only dumped the normal pages 0x4-0xF. An NTAG215 has 504 bytes of data and you should be able to read up to page 0x86.
User-readable should be up to page 0x7F.

If you break the lines at around 8 bytes each, that would be easier to read :)   Thanks!



#4 2015-05-04 16:53:24

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] a popular toy Amiibo

iceman, that's from 00h to 86h for a total of 540 bytes.

I'll see what I can do about breaking the lines every 8 bytes.


#5 2015-05-06 09:05:54

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

The password-limit feature is usually set on Amiibos to 7 tries, so pwd guessing is out of the question.

First step is to sniff traffic and get the PWD for the Amiibo; this enables you to do more.

*) will need to verify if you can write a new configuration turning off the pwd-limit.

Dumping a tag is not an issue. Writing back data usually needs the PWD.

The data is most likely protected with encryption; this encryption needs to be identified and figured out.
Usually a hash (SHA-2/MD5) and 3DES/AES is used to protect data.


-- important step --   Figuring out the password-generation algo.

1. sim an Amiibo with PM3 or a clone tag.

2. sniff the traffic between a valid reader & the sim:
   a) is it UID based?
   b) collect the PWD used for a fake UID.
   c) gather nnn samples of UID & PWD.

3. analyse the data samples to find some correlations. :)

----
step 1, simulating an NTAG215: it needs to be able to answer "GET_VERSION", "READ", ... Need to see the traffic between a valid tag & reader to see exactly which commands the sim needs to support.

step 2, simulating a KNOWN UID (and known PWD) to verify that we get the same PWD for our simulation from a valid reader.

---

then when it comes to the data protection, someone needs to look at the game software and find the stuff we need there :)



#6 2015-05-07 22:27:21

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

I saw from your samples that the PACK is the same.

0x05,0x22,0xE6,0xB4 // PACK 0x80,0x80 -- Amiibo (sniffed)
0x02,0xe1,0xee,0x36 // PACK 0x80,0x80 -- Amiibo (sniffed)

PACK could be static. Can you try some more tokens?



#7 2015-05-08 03:27:08

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] a popular toy Amiibo

Here you go, the reset operation for 4 previously empty Amiibos:

https://gist.github.com/borjaburgos/55f … be1a82b631

Different PWD, but the same PACK for all of them.


#8 2015-05-09 08:58:23

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

configuration pages from the dump above:

83] 00 00 00 04   == All pages above 4 need authentication.
84] 5f 00 00 00   ==
    5f ( 0101 1111 )
        bits 2-0 = 111  authentication limit is 7
        bit 3    = 1    NFC counter pwd protected
        bit 4    = 1    NFC counter disabled
        bit 5    = 0
        bit 6    = 1    user configuration is permanently locked against write (except PWD and PACK)
        bit 7    = 0    PROT (read and write access need pwd)

85] 00 00 00 00   == pwd (all correctly zeroed)
86] 00 00 00 00   == pack (all correctly zeroed)

So an Amiibo is quite locked down.


---
Just realised another feature of NTAG: if it is used for public transportation, like ticketing, the special authlim feature can help perma-block a user-memory page :)  like a ticket maybe?


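The two configuration pages decoded by hand above, decoded programmatically. This is an added example written for this page, not Proxmark3 code; the CFG0/CFG1 bit layout follows the NXP NTAG213/215/216 datasheet, and the page bytes embedded in the block are copied from the tail of the dump posted in #2 (pages 0x82 to 0x86). The summary also answers the open question from #5: with CFGLCK set, the configuration pages are permanently locked, so the AUTHLIM of 7 cannot be written back to 0.

```python
"""Decode NTAG21x configuration pages CFG0 (0x83) and CFG1 (0x84).

Added example for this thread, not Proxmark3 code.  Bit layout follows the NXP
NTAG213/215/216 datasheet.  CONFIG_PAGES is copied from the tail of the dump
posted above (pages 0x82..0x86: dynamic lock bytes, CFG0, CFG1, PWD, PACK).
"""

NTAG215_PAGES = 135        # pages 0x00..0x86, 4 bytes each = 540 bytes
NTAG215_USER_FIRST = 0x04  # pages 0x04..0x81 = 504 bytes of user memory
NTAG215_USER_LAST = 0x81

CONFIG_PAGES = bytes.fromhex("01000FBD" "00000004" "5F000000" "00000000" "00000000")


def decode_cfg0(page: bytes) -> dict:
    """CFG0: MIRROR byte, RFU, MIRROR_PAGE, AUTH0."""
    mirror, _rfu, mirror_page, auth0 = page
    return {
        "mirror_conf": mirror >> 6,            # 0 = no UID/counter ASCII mirror
        "mirror_byte": (mirror >> 4) & 0x3,
        "strg_mod_en": bool(mirror & 0x04),    # strong modulation mode
        "mirror_page": mirror_page,
        "auth0": auth0,                        # first page that needs PWD_AUTH; >= 0x87 disables it
    }


def decode_cfg1(page: bytes) -> dict:
    """CFG1: ACCESS byte followed by three RFU bytes."""
    access = page[0]
    return {
        "prot": bool(access & 0x80),           # 1 = read AND write need pwd, 0 = write only
        "cfglck": bool(access & 0x40),         # 1 = CFG0/CFG1 permanently locked (PWD/PACK still writable)
        "nfc_cnt_en": bool(access & 0x10),
        "nfc_cnt_pwd_prot": bool(access & 0x08),
        "authlim": access & 0x07,              # 0 = unlimited failed PWD_AUTH attempts
    }


def summarize(config_pages: bytes) -> dict:
    """What the two pages mean for someone with a reader and no PWD."""
    cfg0 = decode_cfg0(config_pages[4:8])
    cfg1 = decode_cfg1(config_pages[8:12])
    protected = cfg0["auth0"] < NTAG215_PAGES
    return {
        "pages_needing_pwd": f"0x{cfg0['auth0']:02X} and above" if protected else "none",
        "pwd_needed_for": "read and write" if cfg1["prot"] else "write only",
        "failed_auth_limit": cfg1["authlim"] if cfg1["authlim"] else "unlimited",
        "config_writable": not cfg1["cfglck"],          # can AUTHLIM be turned off again?
        "pwd_guessing_feasible": cfg1["authlim"] == 0,  # 2^32 space, only worth it with unlimited tries
    }


if __name__ == "__main__":
    for k, v in summarize(CONFIG_PAGES).items():
        print(f"{k:22s}: {v}")
```

Feed it the last 20 bytes of any NTAG215 dump; a token with CFGLCK clear and AUTHLIM 0 is the one where brute force or a configuration rewrite is even worth considering.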

#9 2015-05-26 16:06:36

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

With the latest changes to "hf mfu", the new dump command can, with a sniffed pwd, dump an NTAG215.
And "hf mfu info" should print all configuration data from an NTAG215.

If someone with an Amiibo token could test, that would be great.



#10 2015-05-31 23:05:49

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo



#11 2015-06-13 20:05:20

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] a popular toy Amiibo

Hello! Sorry for going MIA. It was a busy few weeks at work.

Iceman, got the latest code, and this is the result for one of the new Splatoon Amiibos.

proxmark3> hf mfu info

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : NTAG 215 504bytes (NT2H1511G0DU)
       UID : 04 ba 44 ba a0 40 80
    UID[0] : 04, NXP Semiconductors Germany
      BCC0 : 72, Ok
      BCC1 : DA, Ok
  Internal : 48, default
      Lock : 0f e0  - 1110000000001111
OneTimePad : f1 10 ff ee  - 11101110111111110001000011110001


--- Tag Signature
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
    Elliptic curve parameters : secp128r1
            Tag ECC Signature : 56 06 a6 4f 43 32 53 6f 43 da 45 d6 61 38 aa 1e cf d3 61 36 ca 5f bb 05 ce 21 24 5b a6 7a 79 07

--- Tag Version
       Raw bytes : 00 04 04 02 01 00 11 03
       Vendor ID : 04, NXP Semiconductors Germany
    Product type : 04, NTAG
 Product subtype : 02, 50pF
   Major version : 01
   Minor version : 00
            Size : 11, (512 <-> 256 bytes)
   Protocol type : 03

--- Tag Configuration
  cfg0 [131/0x83] : 00 00 00 04
                    - page 4 and above need authentication
                    - strong modulation mode disabled
  cfg1 [132/0x84] : 5f 00 00 00
                    - Max number of password attempts is 7
                    - user configuration permanently locked
                    - write access is protected with password
                    - 00, Virtual Card Type Identifier is not default
  PWD  [133/0x85] : 00 00 00 00 - (cannot be read)
  PACK [134/0x86] : 00 00       - (cannot be read)
  RFU  [134/0x86] :       00 00 - (cannot be read)


#12 2015-06-13 20:28:01

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] a popular toy Amiibo

Hey Iceman,

So first I did this to make sure I had the right PWD. As you can see, I get PACK 0x80 0x80:

proxmark3> hf 14a raw -s -c 60
received 7 octets
04 A6 16 72 61 3E 80
received 10 octets
00 04 04 02 01 00 11 03 01 9E
proxmark3> hf 14a raw -s -c 1b7e22e6b4
received 7 octets
04 A6 16 72 61 3E 80
received 4 octets
80 80 64 16

Then I tried the new hf mfu info with the key. This is the result:

proxmark3> hf mfu info k 7E22E6B4

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : NTAG 215 504bytes (NT2H1511G0DU)
       UID : 04 a6 16 72 61 3e 80
    UID[0] : 04, NXP Semiconductors Germany
      BCC0 : 3C, Ok
      BCC1 : AD, Ok
  Internal : 48, default
      Lock : 0f e0  - 1110000000001111
OneTimePad : f1 10 ff ee  - 11101110111111110001000011110001


--- Tag Signature
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
    Elliptic curve parameters : secp128r1
            Tag ECC Signature : e5 28 85 16 5b a8 60 06 ee ee 04 d8 3d 1c 6a 92 07 dc c1 d4 69 13 6d 1d fd 58 97 b1 47 9d 4e 91

--- Tag Version
       Raw bytes : 00 04 04 02 01 00 11 03
       Vendor ID : 04, NXP Semiconductors Germany
    Product type : 04, NTAG
 Product subtype : 02, 50pF
   Major version : 01
   Minor version : 00
            Size : 11, (512 <-> 256 bytes)
   Protocol type : 03

--- Tag Configuration
  cfg0 [131/0x83] : 00 00 00 04
                    - page 4 and above need authentication
                    - strong modulation mode disabled
  cfg1 [132/0x84] : 5f 00 00 00
                    - Max number of password attempts is 7
                    - user configuration permanently locked
                    - write access is protected with password
                    - 00, Virtual Card Type Identifier is not default
  PWD  [133/0x85] : 00 00 00 00 - (cannot be read)
  PACK [134/0x86] : 00 00       - (cannot be read)
  RFU  [134/0x86] :       00 00 - (cannot be read)


#13 2015-06-13 20:46:03

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Thanks!
Looks like the "info" command works as expected. And you need the password to dump it. You can snoop the traffic and get the pwd from it. Try to dump the card and share it if you can.



#14 2015-06-13 21:06:11

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] a popular toy Amiibo

Here you go, the 540 byte dump. It's the same as I was able to get manually by snooping the device <-> tag communication.  You can download .bin here: http://cl.ly/0D1h282z3o1v

Last edited by borjaburgos (2015-06-13 21:07:43)


#15 2015-06-13 21:29:43

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Thanks!
Can you collect all UID/PWD pairs for your tokens?



#16 2015-06-13 22:44:27

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] a popular toy Amiibo

I can do that, I'll post them here:

https://gist.github.com/borjaburgos/55f … be1a82b631


#17 2015-06-13 23:12:53

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Interesting,
seems like your pwd changed for the Pikachu.. Something with block 3.



#18 2015-06-13 23:22:27

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] a popular toy Amiibo

Why do you say it changed? It hasn't. Do note that I have two Pikachu tags. Iceman, are you on IRC?


#19 2015-06-13 23:31:00

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Sorry, I missed that the UID changed. One UID byte changes <-> one byte changes in the PWD..
Very interesting.

IRC: Yes, I am



#20 2015-06-13 23:37:29

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] a popular toy Amiibo

According to http://3dbrew.org/wiki/Amiibo :

"PWD_AUTH. Key is based on UID."


#21 2015-08-02 21:27:25

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Some feedback: the uid-pwd algo seems to be solved now. :)



#22 2015-08-02 22:31:04

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

@borjaburgos,

I'm having a hard time verifying your tags' data... Three of your tokens seem to have the wrong PWD..

###     Performing test - AMIBOO UID -> PWD
NAME         UID             PWD       CALC      OK
Megaman      041a9b82c23e80  320c1617  320C1617  true
Pikachu B    04a61672613e80  0522e6b4  7E22E6B4  false
Pikachu A    04dd1672613e80  7e22e6b4  0522E6B4  false
Sonic        04d2577ae33e80  E1EE36CD  02E1EE36  false
Wario        046a02f2714084  322618A0  322618A0  true
Inkling Boy  04ba44baa04080  AAB15075  AAB15075  true
Squid        044befeaa04080  0B1A0075  0B1A0075  true
Inkling Girl 04ebf0e2a04080  a3050875  A3050875  true
Sheik        0421ae7ac23e81  f139ee16  F139EE16  true
Link         04864362173c80  4e01f4c2  4E01F4C2  true
Toon Link    0450437a043f80  8012efd1  8012EFD1  true
Kirby        0429b752403e80  d1a2c695  D1A2C695  true
Diddy Kong   041f98ea1e3e81  5fd37eca  5FD37ECA  true

[edit]
I saw the trace log for Sonic and the pwd was cut and pasted wrong in the list: off-by-one.
And the Pikachu trace logs show that the pwds are swapped.
The uid-pwd algo works perfectly. [/edit]

Last edited by iceman (2015-08-03 13:23:15)


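The "find some correlations" step from #5, carried out on the table above. This is an added example for this page, not Proxmark3 code and not the script behind the table. SAMPLES holds the rows of the table that verified as true and DISPUTED the three that did not; recover_relation() searches, for each PWD byte, for a pair of UID bytes and a constant whose XOR reproduces that byte in every sample, and amiibo_pwd() writes the recovered relation out. The constants 0xAA/0x55 are what the search returns on this data; they are the publicly known Amiibo derivation (the "xor" hint given later in the thread), not something printed on this page.

```python
"""Amiibo UID -> PWD: recover the per-byte XOR relation from UID/PWD samples.

Added example for this thread, not Proxmark3 code and not the script behind the
table above.  SAMPLES are the rows of that table that verified as 'true';
DISPUTED are the three rows that did not (the post explains why: swapped and
off-by-one copy/paste).  The constants 0xAA/0x55 in amiibo_pwd() are what
recover_relation() returns on SAMPLES; they are the publicly known derivation.
"""
from itertools import combinations

# (name, 7-byte UID, 4-byte PWD) as hex, copied from the table posted above
SAMPLES = [
    ("Megaman",      "041a9b82c23e80", "320c1617"),
    ("Wario",        "046a02f2714084", "322618a0"),
    ("Inkling Boy",  "04ba44baa04080", "aab15075"),
    ("Squid",        "044befeaa04080", "0b1a0075"),
    ("Inkling Girl", "04ebf0e2a04080", "a3050875"),
    ("Sheik",        "0421ae7ac23e81", "f139ee16"),
    ("Link",         "04864362173c80", "4e01f4c2"),
    ("Toon Link",    "0450437a043f80", "8012efd1"),
    ("Kirby",        "0429b752403e80", "d1a2c695"),
    ("Diddy Kong",   "041f98ea1e3e81", "5fd37eca"),
]
DISPUTED = [
    ("Pikachu B", "04a61672613e80", "0522e6b4"),
    ("Pikachu A", "04dd1672613e80", "7e22e6b4"),
    ("Sonic",     "04d2577ae33e80", "e1ee36cd"),
]


def recover_relation(samples):
    """Step 3 of the procedure posted earlier ('find some correlations').

    For each PWD byte i, return every (j, k, c) such that
    pwd[i] == uid[j] ^ uid[k] ^ c holds for ALL samples.  A coincidental
    relation cannot survive ten independent UIDs, so what is left is the
    derivation."""
    pairs = [(bytes.fromhex(u), bytes.fromhex(p)) for _, u, p in samples]
    relations = []
    for i in range(4):
        found = []
        for j, k in combinations(range(7), 2):
            consts = {p[i] ^ u[j] ^ u[k] for u, p in pairs}
            if len(consts) == 1:          # same constant for every sample
                found.append((j, k, consts.pop()))
        relations.append(found)
    return relations


def amiibo_pwd(uid: bytes) -> bytes:
    """The recovered relation written out: works for any 7-byte NTAG215 UID."""
    if len(uid) != 7:
        raise ValueError("NTAG215 UID is 7 bytes")
    return bytes([
        uid[1] ^ uid[3] ^ 0xAA,
        uid[2] ^ uid[4] ^ 0x55,
        uid[3] ^ uid[5] ^ 0xAA,
        uid[4] ^ uid[6] ^ 0x55,
    ])


def check_table(rows):
    """Recompute each posted PWD: (name, posted, calculated, match)."""
    out = []
    for name, u, p in rows:
        calc = amiibo_pwd(bytes.fromhex(u)).hex()
        out.append((name, p.lower(), calc, calc == p.lower()))
    return out


if __name__ == "__main__":
    for i, rel in enumerate(recover_relation(SAMPLES)):
        print(f"pwd[{i}] =", ", ".join(f"uid[{j}] ^ uid[{k}] ^ 0x{c:02X}" for j, k, c in rel))
    for row in check_table(SAMPLES) + check_table(DISPUTED):
        print("%-13s posted %s  calc %s  %s" % row)
```

Run it and the DISPUTED rows come out false against the posted values for exactly the reason given in the edit above: Pikachu A and B have each other's PWD, and Sonic's is shifted by one byte.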

#23 2015-08-03 13:05:50

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Hm, does someone have a PM3 and an Amiibo toy? I have a script I need tested..



#24 2015-08-03 19:21:39

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] a popular toy Amiibo

None yet, I am sorry :(


#25 2015-08-08 09:36:24

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Summary:
------------
PM3 can simulate NTAG215 (newer toy tokens use this; there are reports of older toy tokens using Ultralight).
Amiibo pwd algo is known (thanks anon8888).

PM3 can load a raw dump and, configured with the pwd, it should be able to act as a toy token (not verified but should work).

The encryption of the data layer is also known; however, if you want the keys needed you are going to need some serious firmware decompilation of the 3DS. All encryption/hashing of the tag data is very high.

---
Cloning is harder, since the toy token has some locked pages where it saves SHA256 hashes of tag data.
Maybe re-hashing/re-encrypting the data of an uninitialised toy token can be done and saved to a blank NTAG215, but that is me speculating now.



#26 2015-08-08 16:14:22

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] a popular toy Amiibo

Which pages are locked? I can check with a blank ntag.


#27 2015-08-08 16:19:54

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

just look at the layout here: http://3dbrew.org/wiki/Amiibo



#28 2015-08-10 22:40:39

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] a popular toy Amiibo

They are probably unlocked in a virgin tag (I don't have a 215 but I have similar ones which are unlocked). Need to spoof to see if the locking bits are required for the tag to be read.


#29 2015-08-18 21:31:50

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

With a lot of help from someone anon who figured out the key-gen and the keys needed to encrypt/decrypt an Amiibo token, we are pretty soon there. It feels close but still so far.



#30 2015-09-03 00:22:57

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] a popular toy Amiibo

I'm back! What's new Iceman?


#31 2015-09-04 17:44:33

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] a popular toy Amiibo

Thanks to some great help, Amiibo can be considered almost understood.
The auth password can be found by looking at the "Inkling Boy" and "Squid" data posted on the previous page (a little hint: xor!).
About encryption, it was really, really hard and long to find the needed data (those data, as stated in the previously linked thread on reddit, are Nintendo property so cannot be shared).


#32 2015-09-06 07:21:36

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Yes, it's like @asper says. One of these days maybe someone starts doing the data-mapping part.
Not me; I'm swamped with work and don't own an Amiibo / Nintendo controller. Someone else has to do that.
With regards to making a script, the dumping is easy but the encryption/decryption is not so easy to get inside Lua, so I just don't feel like putting in the effort.



#33 2015-09-29 16:36:19

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

Hi,

sorry for my English. I have a PM3, an Amiibo (Bowser) and a Wii U.
Can I help you?


#34 2015-09-29 17:57:45

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Not really, the RFID part is solved.

What's left is the data-mapping part, where you identify the meaning of the data dump, i.e. which bytes do what; but that is for people who are interested in increasing levels, adding experience, etc.

Are you up for that?



#35 2015-09-30 09:00:05

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

Yes, of course, but I have only just started with the PM3 and an ACR122U; I have just used mfoc and mfcuk to dump door-access tags.


#36 2015-09-30 12:07:50

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

You can sniff the communication between the Amiibo and the gamepad with your PM3;
there you get the pwd.
Then dump the tag, then you need to decrypt the dump data...

Someone made a service where you can upload your dump and get a decrypted one back for Amiibo.

Then it's back to mapping data, i.e. try something in game, dump, look at the changes, etc.



#37 2015-09-30 12:47:30

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] a popular toy Amiibo

To get the Amiibo password without sniffing you can use this online tool.


#38 2015-09-30 12:53:45

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Sorry, forgot about that one. So many new things to focus on.



#39 2015-09-30 15:38:47

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

OK, I'll go and test by sniffing and verify the pwd with the PHP script.

Hmm, did you work on dis*ey infi*ity?


#40 2015-10-01 10:59:20

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

I think I have a problem:
proxmark3> hf mfu info k 87669812

--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : NTAG 215 504bytes (NT2H1511G0DU)         
Error: Authentication Failed UL-EV1/NTAG         
proxmark3> hf mfu info k 87669813

--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : NTAG 215 504bytes (NT2H1511G0DU)         
       UID : 04 57 f5 7a c6 48 80           
    UID[0] : 04, NXP Semiconductors Germany         
      BCC0 : 2E, Ok         
      BCC1 : 74, Ok         
  Internal : 48, default         
      Lock : 0f e0  - 1110000000001111         
OneTimePad : f1 10 ff ee  - 11101110111111110001000011110001
         

--- Tag Signature         
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61         
    Elliptic curve parameters : secp128r1         
            Tag ECC Signature : 0e e6 19 ec b6 b7 d5 9d d4 4b e3 96 5f 7f 2a 26 10 8f 35 42 95 03 f4 d5 8c 4f 28 5c 50 27 f4 0f           

--- Tag Version         
       Raw bytes : 00 04 04 02 01 00 11 03           
       Vendor ID : 04, NXP Semiconductors Germany         
    Product type : 04, NTAG         
Product subtype : 02, 50pF         
   Major version : 01         
   Minor version : 00         
            Size : 11, (512 <-> 256 bytes)         
   Protocol type : 03         

--- Tag Configuration         
  cfg0 [131/0x83] : 00 00 00 04           
                    - page 4 and above need authentication         
                    - strong modulation mode disabled         
  cfg1 [132/0x84] : 5f 00 00 00           
                    - Max number of password attempts is 7         
                    - user configuration permanently locked         
                    - write access is protected with password         
                    - 00, Virtual Card Type Identifier is not default         
  PWD  [133/0x85] : 00 00 00 00 - (cannot be read)         
  PACK [134/0x86] : 00 00       - (cannot be read)         
  RFU  [134/0x86] :       00 00 - (cannot be read)

But:

hf mfu dump k 87669814
TYPE : NTAG 215 504bytes (NT2H1511G0DU)         
Reading tag memory...         
#db# Pages 135                 
#db# Pages read 135                 
Waiting for a response from the proxmark...         
Don't forget to cancel its operation first by pressing on the button

and a few seconds later the PM3's relay clicks (and ttyACM0 changes to ttyACM1).


#41 2015-10-01 15:41:40

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

hf mfu info k 87669812
hf mfu info k 87669813
hf mfu dump k 87669814

You don't use the same pwd in your commands...



#42 2015-10-01 15:43:11

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

And for D.I., the enc/dec of data is solved, but the keygen algo is still unknown.
There should be a separate thread for D.I. on the forum..



#43 2015-10-01 15:53:35

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

Oops, mistake.

hf mfu info k 87669812 and hf mfu info k 87669813 were just to show that I have the right key,

but dump crashes the PM3 (right or wrong key).


#44 2015-10-01 16:39:25

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

If you run:

"hf mf dbg 4"
"hf mfu dump k xxxxxx"
"hf list 14a"


What's the output?



#45 2015-10-01 16:55:36

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

proxmark3> hf mf dbg 4
#db# Debug level: 4                 
proxmark3> hf mfu dump k 87669813
#db# ISO14443A Timeout set to 1050 (9ms)                 
#db# ISO14443A Timeout set to 1050 (9ms)                 
TYPE : NTAG 215 504bytes (NT2H1511G0DU)         
Reading tag memory...         
#db# Pages 135                 
#db# ISO14443A Timeout set to 1050 (9ms)                 
#db# Pages read 135                 
Waiting for a response from the proxmark...         
Don't forget to cancel its operation first by pressing on the button

"relay click"

I lost the connection
and restarted the Proxmark.

hf list 14a
Recorded Activity (TraceLen = 0 bytes)         
         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
iso14443a - All times are in carrier periods (1/13.56Mhz)         
iClass    - Timings are not as accurate         
         
     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |         
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|


#46 2015-10-01 17:08:25

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

after hf mfu info k 87669813


hf list 14a
Recorded Activity (TraceLen = 338 bytes)         
         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
iso14443a - All times are in carrier periods (1/13.56Mhz)         
iClass    - Timings are not as accurate         
         
     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |         
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|         
         0 |       992 | Rdr | 52                                                              |     | WUPA         
      2228 |      4596 | Tag | 44  00                                                          |     |           
      7040 |      9504 | Rdr | 93  20                                                          |     | ANTICOLL         
     10676 |     16500 | Tag | 88  04  57  f5  2e                                              |     |           
     18560 |     29024 | Rdr | 93  70  88  04  57  f5  2e  2f  be                              |     | SELECT_UID         
     30260 |     33780 | Tag | 04  da  17                                                      |     |           
     35072 |     37536 | Rdr | 95  20                                                          |     | ANTICOLL-2         
     38708 |     44532 | Tag | 7a  c6  48  80  74                                              |     |           
     46720 |     57184 | Rdr | 95  70  7a  c6  48  80  74  92  d1                              |     | ANTICOLL-2         
     58420 |     62004 | Tag | 00  fe  51                                                      |     |           
    491776 |    499936 | Rdr | 1b  87  66  98  13  a6  af                                      |     | PWD-AUTH KEY: 0x87669813         
    555572 |    560308 | Tag | 80  80  64  16                                                  |     |           
    991488 |    996256 | Rdr | 30  00  02  a8                                                  |     | READBLOCK(0)         
   1054772 |   1075572 | Tag | 04  57  f5  2e  7a  c6  48  80  74  48  0f  e0  f1  10  ff  ee  |     |           
           |           |     | 4c  af                                                          |     |           
   1507328 |   1512096 | Rdr | 3c  00  a2  01                                                  |     | READ_SIG         
   1513268 |   1552564 | Tag | 0e  e6  19  ec  b6  b7  d5  9d  d4  4b  e3  96  5f  7f  2a  26  |     |           
           |           |     | 10  8f  35  42  95  03  f4  d5  8c  4f  28  5c  50  27  f4  0f  |     |           
           |           |     | d6  07                                                          |     |           
   1982848 |   1986464 | Rdr | 60  f8  32                                                      |     | EV1 VERSION         
   1987636 |   1999284 | Tag | 00  04  04  02  01  00  11  03  01  9e                          |     |           
   2431232 |   2435936 | Rdr | 30  83  91  1e                                                  |     | READBLOCK(131)         
   2437172 |   2457972 | Tag | 00  00  00  04  5f  00  00  00  00  00  00  00  00  00  00  00  |     |           
           |           |     | 4f  95                                                          |

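A checker for the trace above, added as an example for this page (not Proxmark3 code). TRACE is transcribed from the hf list 14a output in the post (Src and Data columns only; the READ_SIG exchange is left out). The code rebuilds the 7-byte UID from both cascade levels, verifies the BCC and CRC_A bytes, and picks out the PWD sent in the 0x1B frame and the PACK the tag answered with. pwd_auth_frame() builds the same frame the reader sent, i.e. the frame that `hf 14a raw -s -c 1b...` in #12 adds the CRC to.

```python
"""Check an ISO 14443-3A trace of an NTAG215 PWD_AUTH exchange (hf list 14a).

Added example for this thread, not Proxmark3 code.  TRACE is transcribed from
the hf list 14a output posted above (Src and Data columns only; the READ_SIG
exchange is left out).  crc_a() is the ISO 14443-3 Type A CRC: polynomial
0x8408 (reflected 0x1021), initial value 0x6363, transmitted low byte first.
"""

TRACE = [
    ("Rdr", "52"),                                   # WUPA (short frame, no CRC)
    ("Tag", "44 00"),                                # ATQA
    ("Rdr", "93 20"),                                # ANTICOLL cascade level 1
    ("Tag", "88 04 57 f5 2e"),                       # CT + UID0..2 + BCC0
    ("Rdr", "93 70 88 04 57 f5 2e 2f be"),           # SELECT + CRC
    ("Tag", "04 da 17"),                             # SAK (cascade bit set) + CRC
    ("Rdr", "95 20"),                                # ANTICOLL cascade level 2
    ("Tag", "7a c6 48 80 74"),                       # UID3..6 + BCC1
    ("Rdr", "95 70 7a c6 48 80 74 92 d1"),
    ("Tag", "00 fe 51"),                             # SAK + CRC
    ("Rdr", "1b 87 66 98 13 a6 af"),                 # PWD_AUTH + PWD + CRC
    ("Tag", "80 80 64 16"),                          # PACK + CRC
    ("Rdr", "30 00 02 a8"),                          # READ page 0
    ("Tag", "04 57 f5 2e 7a c6 48 80 74 48 0f e0 f1 10 ff ee 4c af"),
    ("Rdr", "60 f8 32"),                             # GET_VERSION
    ("Tag", "00 04 04 02 01 00 11 03 01 9e"),
    ("Rdr", "30 83 91 1e"),                          # READ page 0x83 (CFG0..PACK)
    ("Tag", "00 00 00 04 5f 00 00 00 00 00 00 00 00 00 00 00 4f 95"),
]


def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A, returned in transmit order (low byte, high byte)."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def with_crc(frame: bytes) -> bytes:
    return frame + crc_a(frame)


def crc_ok(frame: bytes) -> bool:
    return len(frame) > 2 and crc_a(frame[:-2]) == frame[-2:]


def pwd_auth_frame(pwd: bytes) -> bytes:
    """What the reader sends for PWD_AUTH (0x1B): the one frame worth sniffing."""
    if len(pwd) != 4:
        raise ValueError("NTAG21x PWD is 4 bytes")
    return with_crc(b"\x1b" + pwd)


def bcc(data: bytes) -> int:
    x = 0
    for b in data:
        x ^= b
    return x


def analyse(trace):
    """Walk the exchange: rebuild the UID from the two cascade levels, check
    BCCs and CRCs, and pull out the PWD and the PACK the tag answered with."""
    info = {"uid": b"", "pwd": None, "pack": None, "errors": []}
    expect = None                      # what the next Tag frame is, set by the last reader command
    for src, hexdata in trace:
        f = bytes.fromhex(hexdata)
        if src == "Rdr":
            if len(f) == 1:                                         # REQA/WUPA short frame
                expect = "atqa"
            elif f[0] in (0x93, 0x95, 0x97) and f[1] == 0x20:       # anticollision, no CRC
                expect = "uid"
            else:
                if not crc_ok(f):
                    info["errors"].append(("Rdr CRC", hexdata))
                if f[0] == 0x1B:
                    info["pwd"] = f[1:5]
                    expect = "pack"
                else:
                    expect = "data"
            continue
        if expect == "atqa":
            continue
        if expect == "uid":
            if bcc(f[:4]) != f[4]:
                info["errors"].append(("BCC", hexdata))
            info["uid"] += f[1:4] if f[0] == 0x88 else f[:4]        # drop cascade tag 0x88
            continue
        if not crc_ok(f):
            info["errors"].append(("Tag CRC", hexdata))
        elif expect == "pack":
            info["pack"] = f[:2]
    return info


if __name__ == "__main__":
    r = analyse(TRACE)
    print("UID :", r["uid"].hex())
    print("PWD :", r["pwd"].hex(), "-> frame", pwd_auth_frame(r["pwd"]).hex())
    print("PACK:", r["pack"].hex())
    print("errors:", r["errors"] or "none")
```

The same walk works on a sniff of a real console talking to a token: the first 0x1B frame after SELECT carries the password in the clear, and the 0x80 0x80 reply confirms it was accepted.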

#47 2015-10-01 17:22:57

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Hm, it reads all the data without a problem (the "Pages read 135" message).
It's in sending it back from the device to the client that it seems to get stuck.

Which firmware version are you running?



#48 2015-10-02 09:32:16

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

iceman, you're right: after flashing, dump works.

Where can I upload the dump for knowledge?


#49 2015-10-02 10:59:47

iceman
Administrator
Registered: 2013-04-25
Posts: 6,654
Website

Re: [FINISHED] a popular toy Amiibo

Use
files: sendspace.com
logs: pastebin.com

or whichever services you need, then add a link here.



#50 2015-10-02 11:35:37

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

https://www.sendspace.com/file/jek3xd  Need anything else?

