Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2018-08-25 19:36:27

axfla
Contributor
Registered: 2018-08-22
Posts: 4

Amiibo simulation

Hello,

I am trying to understand how Amiibos work, and use the simulator of the Proxmark3 to simulate them.

I first wrote a shared dump to a NTAG215 blank tag using TagMo, which adapts the data to the UID of the blank tag. Comparing the original dump and the dump of my tag showed that most of the data was different.

In order to understand what TagMo does, I have tried to decrypt the original dump, change the UID with the one from my blank tag in the decrypted version, and then encrypt it again (I got the 9-byte UID from there: https://dynamoreason.com/res/g/amiibo/uid/ , which I think calculated the BCC0 and BCC1, according to this structure: https://wiki.gbatemp.net/wiki/Amiibo ).

The generated encrypted binary was pretty similar to the one written by TagMo, except two parts: from 34h to 53h, and from 80h to 9Fh, according to the structure on page 7 of this document: https://recon.cx/2018/montreal/schedule/system/event_attachments/attachments/000/000/046/original/RECON-MTL-2018-Hacking_Amiibo_with_SDR.pdf

Is there something wrong in my approach which leads to this difference?

Also, when trying to emulate the dump from my tag written with TagMo, the proxmark is not recognized as an Amiibo by the Nintendo Switch (even if my blank NTAG215 written with TagMo works with the switch).

I am using:
script run dumptoemul-mfu -i dump.bin
hf mf eload u *EML file*
hf 14a sim t 7 u *UID of the dumped tag*

Again, is there something wrong? I have also found that the dumps from the internet are only 540B, because they don't contain the "special" information. But if I assume correctly, they are related to a unique tag. So, taking that special information (version, tearing, pack, signature 1 and 2) from any NTAG215 and adding it to a 540B dump should work?

Also, I get an "Authentication failed" when dumping my tag written with TagMo, but unfortunately I don't know how the password works with Mifare Ultralight. Is authentication only necessary to write to the tag?

Thank you and sorry for this pretty long post, it was not easy to write something clear.

Last edited by axfla (2018-08-25 23:33:56)


#2 2018-08-26 11:39:36

axfla
Contributor
Registered: 2018-08-22
Posts: 4

Re: Amiibo simulation

For the first part of the question, the two different sectors are called Locked hash and Unfixed hash ( https://wiki.gbatemp.net/wiki/Amiibo ). Do we know how they are generated?


#3 2018-08-26 17:56:54

axfla
Contributor
Registered: 2018-08-22
Posts: 4

Re: Amiibo simulation

Changing the PACK in the dump of my tag to 0x8080 solved my simulation problem, I misunderstood the hf 14a sim documentation (option t 7 is described as "AMIIBO (NTAG 215),  pack 0x8080", I assumed wrong and thought that this pack was automatically used when emulating with this function).

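As an added example (not code from this thread, TagMo or the Proxmark project), here is how the 9-byte UID with BCC0/BCC1 from post #1 is laid out in pages 0-2 of a 540-byte NTAG215 dump, and a check that the PACK page carries the 0x8080 value post #3 needed for emulation. It assumes the standard NTAG215 map (135 pages of 4 bytes, PACK in page 134) and uses a constructed, all-zero dump with a made-up UID.

```python
# Added example: NTAG215 UID/BCC layout and PACK check in a 540-byte dump.
# Assumed memory map: page 0 = UID0..UID2 + BCC0, page 1 = UID3..UID6,
# page 2 = BCC1 + internal + two lock bytes, page 134 = PACK (2 bytes) + 2 RFUI bytes.
PAGE = 4
NTAG215_PAGES = 135
PACK_PAGE = 134
CASCADE_TAG = 0x88  # ISO 14443-3 cascade tag byte folded into BCC0


def bcc0(uid7: bytes) -> int:
    return CASCADE_TAG ^ uid7[0] ^ uid7[1] ^ uid7[2]


def bcc1(uid7: bytes) -> int:
    return uid7[3] ^ uid7[4] ^ uid7[5] ^ uid7[6]


def uid9(uid7: bytes) -> bytes:
    """9-byte form (UID0-2, BCC0, UID3-6, BCC1) exactly as stored in pages 0-2."""
    if len(uid7) != 7:
        raise ValueError("NTAG215 UIDs are 7 bytes")
    return bytes(uid7[:3]) + bytes([bcc0(uid7)]) + bytes(uid7[3:]) + bytes([bcc1(uid7)])


def set_uid(dump: bytes, uid7: bytes) -> bytes:
    """Copy of a 540-byte dump with pages 0-2 rewritten for uid7; the internal
    and lock bytes of page 2 (bytes 9..11) are left untouched."""
    if len(dump) != NTAG215_PAGES * PAGE:
        raise ValueError("expected a 540-byte NTAG215 dump")
    out = bytearray(dump)
    out[0:9] = uid9(uid7)
    return bytes(out)


def check_bcc(dump: bytes) -> bool:
    """True when both check bytes in the dump match the UID bytes around them."""
    uid7 = dump[0:3] + dump[4:8]
    return dump[3] == bcc0(uid7) and dump[8] == bcc1(uid7)


def set_pack(dump: bytes, pack: int = 0x8080) -> bytes:
    out = bytearray(dump)
    off = PACK_PAGE * PAGE
    out[off:off + 2] = pack.to_bytes(2, "big")
    return bytes(out)


def get_pack(dump: bytes) -> int:
    off = PACK_PAGE * PAGE
    return int.from_bytes(dump[off:off + 2], "big")


# Constructed sample: an all-zero dump and a made-up UID, not data from a real tag.
SAMPLE_UID = bytes.fromhex("04a1b2c3d4e5f6")
SAMPLE_DUMP = set_pack(set_uid(bytes(NTAG215_PAGES * PAGE), SAMPLE_UID))
```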
