Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-11-17 15:41:24

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 15

Ntag 215 & Amiibo dump

Hi guys,
I'm playing with an NTAG magic tag and Amiibo.
Now I can clone an amiibo with a magic NTAG. It works.
The next step is to use amiibo dumps found on the web, generated with TagMo (Android amiibo cloning app).
Dumps from the web and the Proxmark's dumps look different in a hex editor.
So I get one of these dumps, load it in TagMo, save the data, then compare it with the dump, and it's not the same.
But when I compare the saved data with the Proxmark's dumps, they are pretty similar.
Only the ECC signature, pwd and pack are missing!
I can add the password (based on UID) and pack (always the same on amiibo).
But how can I calculate the ECC signature and validate it?

Sorry for my terrible English...

Last edited by yugnat (2017-11-21 13:44:23)


#2 2017-11-21 12:46:53

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 15

Re: Ntag 215 & Amiibo dump

OK, I have worked a lot on this, I have read the NXP datasheet for NTAG, and here I am.
The ECC signature is built from the UID with the NXP private key.
The public key validates the signature.
So I can use any pair of valid public key and signature.
I used Iceman's magic script to wipe, then write (type, UID, signature and pwd) on my magic tag.
Then I used TagMo with an amiibo dump to write the data.
The process failed to write the pwd, but the data is on the tag!
Finally I wrote the pwd, cfg1 & cfg2, pack and lock with my Proxmark, et voilà!
I have a fully functional amiibo tag.

Now, what I don't understand yet:
the data in the amiibo dump is different from the data in the magic tag's dump...
I think TagMo uses Nintendo's keys to transform the amiibo dump before writing the data.
Here is an archive with 2 dumps: https://www.sendspace.com/file/rmuqh6

I don't know if the amiibo data has to be decrypted or encrypted (or something else) before writing it?

I don't want to use TagMo to write data anymore, but how do I use an amiibo dump with my PM3?


#3 2017-11-24 11:21:28

iceman
Administrator
Registered: 2013-04-25
Posts: 6,175
Website

Re: Ntag 215 & Amiibo dump

The dump format differs between devices. On PM3 we added extra fields like Signature, Version, Pwd, Pck etc. in order to have simulation possibilities. Other devices dump only the user memory on the tag.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#4 2017-11-25 09:31:11

somemadeupname
Contributor
From: Western Australia
Registered: 2016-05-25
Posts: 19

Re: Ntag 215 & Amiibo dump

Amiibo dumps used to only contain the basic user memory, but more recent versions also contain the signature, IIRC.

There are parts of an amiibo that are encrypted (using the UID), and TagMo knows how to re-encrypt to match the UID on the card you're burning the image to.

Last edited by somemadeupname (2017-11-25 09:33:10)

