Research, development and trades concerning the powerful Proxmark3 device.
Someone here on the forum has started to scan the Amiibo toys.
ref: http://www.proxmark.org/forum/viewtopic … 775#p15775
What we know right now is:
Tag should be:
- Mifare NTAG 215
- NOT NDEF data layout.
- size 504 bytes.
- you can read much from the "hf mfu" commands,
- PWD is based on UID
- UID -> PWD algo is known.
- DATA encryption is also known.
Last edited by iceman (2015-08-03 13:07:17)
Let's get things started with an Amiibo dump:
04 D2 57 09 7A E3 3E 80 27 48 0F E0 F1 10 FF EE A5 00 00 00 96 9D 6E C6 9D E0 AF E0 71 86 45 1A C3 54 A1 AD E2 70 BE 11 BF 64 FD 9C 11 14 93 71 31 F3 8B 84 A5 F9 EF 91 00 5B 1E C0 61 58 4A BE 7E 0F 18 E0 F3 34 2A 29 AC 88 9A 45 64 D5 1E B7 7F 5C E6 4E 32 00 00 00 00 30 00 02 05 12 C4 17 3B 2E 12 D0 E1 5E 95 DA 10 2C 64 9E 27 09 C2 EE E9 FF 41 C3 A3 BC BD 5F CC C0 8B A0 9C 68 D5 09 71 13 B7 A7 AD C9 4D 22 1C F5 E3 67 1C DE 20 5D 0D 52 4C AE 3D 37 8B 57 9B 76 D5 DE 31 05 5A 8B 1E 2C 72 3A 11 D6 09 63 8E F9 B2 2C B7 DA CF CA E4 22 DF 74 DB 6F 46 8E 69 C9 05 6A 8E EA 3E E0 EF 33 01 87 68 5D 6B 35 AF B2 06 26 B8 1E 5F 9A 52 9D 89 C7 23 53 1F B3 0A 6E C4 DA 72 17 2B 4E 98 13 E0 C2 1D 30 94 97 A0 F8 E8 EF 41 04 2C 4B 61 44 7B 1F DD 26 BF 3D EB 0F 24 DE 6F FF A6 4C 63 6B 56 DE 00 49 7B 85 8B 33 3A 9D 5D AE 71 96 91 B7 39 9F 09 BD CA 74 C1 41 88 7F FF 35 1C B2 3D BF 31 74 FF 03 D8 F3 E5 41 44 46 FB 3F 95 D1 EF C9 C3 31 C2 62 B6 A0 C1 15 56 21 13 1F 53 8D 46 99 6D 66 FD E6 30 EE CB 63 CF 9B AC 79 7A 11 FC 7C F6 71 1A 2B DA ED EF 24 80 F0 23 8A 42 95 95 1D E6 06 A4 10 E4 45 47 EB 5E 71 38 21 23 A3 30 F7 28 76 1A 42 13 41 BD E9 6A 9E 9C 9B 3C 52 8B 25 80 F0 85 27 5D 6A B7 2F D8 6E 76 6C 21 E6 A9 94 88 33 A8 4E 7F 97 5B E8 23 8B C4 5B 55 C9 16 0C 33 92 8B 1C 3A EE B2 B9 AE A7 00 80 3E 4D 85 B0 95 06 AB 96 5D 15 2B A2 D4 61 82 2C 60 5F 4A 9F 9A 67 C3 E6 AB 2E 14 3E DB 2B 1E 7B 92 4A 47 A2 FF 79 4E C3 5E E1 6D CA 6C 5C 83 C6 F2 EC 33 51 9B 25 16 93 FA E8 53 08 03 3C B2 4C 4B 39 67 4E B8 BC CD 0E 19 33 06 8D C9 13 04 2D C3 F2 32 E7 36 85 23 96 D9 BF 01 00 0F BD 00 00 00 04 5F 00 00 00 00 00 00 00 00 00 00 00
And having just done that.... what's the best way to share dumps and snooped traffic between reader/tag? Paste in forum as "code"? Paste it in a gist and share the link?
Some people use pastebin.. or ghostbin..
However, your dump is not complete.
You only dumped the normal pages 0x4-0xF. A NTAG_215 has 504 bytes of data and you should be able to read up to page 0x86 ..
User readable should be up to page 0x7F.
If you break the lines at around 8 bytes each, that would be easier to read, thanks!
iceman, that's from 00h to 86h for a total of 540 bytes
I'll see what I can do about breaking the lines every 8 bytes.
The password limit feature is usually set on Amiibos to 7 tries, so pwd guessing is out of the question.
First step is to sniff traffic and get the PWD for the Amiibo; this enables you to do more.
*) will need to verify if you can write a new configuration turning off the pwd-limit.
Dumping a tag is not an issue. Writing back data usually needs the PWD.
The data is most likely protected with encryption; this encryption needs to be identified and figured out.
Usually a hash (sha2/md5) and 3des/aes is used to protect data.
-- important step -- Figuring out the password-generation algo.
1. sim an Amiibo with PM3 or a clone tag.
2. sniff the traffic between valid reader & sim,
a) is it UID based?
b) collect the used PWD for a fake UID.
c) gather nnn samples of UID & PWD
3. analyse the data samples to find some correlations.
----
step 1, simulating a NTAG215: it needs to be able to answer a "GET_VERSION", "READ", .. Need to see the traffic between a valid tag & reader to see exactly which commands the sim needs to be able to do.
step 2, simulating a KNOWN UID (and known PWD) to verify that we get the same PWD for our simulation from a valid reader.
---
Then, when it comes to the data protection, someone needs to look at the game software and find the stuff we need there.
I saw from your samples that the PACK is the same.
0x05,0x22,0xE6,0xB4 // PACK 0x80,0x80 -- Amiibo (sniffed)
0x02,0xe1,0xee,0x36 // PACK 0x80,0x80 -- Amiibo (sniffed)
PACK could be static. Can you try some more tokens?
Here you go, the reset operation for 4 previously empty Amiibos:
https://gist.github.com/borjaburgos/55f … be1a82b631
Different PWD, but same PACK for all of them.
Configuration pages from the dump above:
83] 00 00 00 04 == All pages above 4 need authentication.
84] 5f 00 00 00 ==
5f ( 0101 1111 )
  111  authentication limit is 7
  1    NFC counter pwd protected
  1    NFC counter disabled
  0
  1    user configuration is permanently locked against write (except PWD and PACK)
  0    PROT (read and write access need pwd)
85] 00 00 00 00 == pwd (all correct, zeroed)
86] 00 00 00 00 == pack (all correct, zeroed)
So an Amiibo is quite locked down.
---
Just realised another feature of NTAG: if it is used for public transportation like ticketing, the special authlim feature can help perma-block a user-memory page.. like a ticket maybe?
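An added example, not code from this thread: a small parser that checks the header pages (UID and BCC bytes) and decodes cfg0/cfg1 of the dump posted above, using the bit layout of the NXP NTAG215 datasheet. The constant NTAG215_PAGES and the function names are my own.

```python
# Constructed input: the first 16 bytes (pages 0x00-0x03) and the last 16 bytes
# (pages 0x83-0x86) of the 540-byte Amiibo dump posted in this thread.
HEADER = bytes.fromhex("04 D2 57 09 7A E3 3E 80 27 48 0F E0 F1 10 FF EE")
CONFIG = bytes.fromhex("00 00 00 04 5F 00 00 00 00 00 00 00 00 00 00 00")
NTAG215_PAGES = 0x87               # pages 0x00..0x86, 4 bytes each -> 540 bytes

def dump_complete(dump):
    """A full NTAG215 dump must cover pages 0x00..0x86 (540 bytes)."""
    return len(dump) == NTAG215_PAGES * 4

def parse_header(hdr):
    """Check the 7-byte UID and its two BCC check bytes (pages 0-2)."""
    uid = hdr[0:3] + hdr[4:8]
    bcc0 = 0x88 ^ hdr[0] ^ hdr[1] ^ hdr[2]   # cascade tag 0x88 is part of BCC0
    bcc1 = hdr[4] ^ hdr[5] ^ hdr[6] ^ hdr[7]
    return {"uid": uid.hex(), "bcc0_ok": bcc0 == hdr[3], "bcc1_ok": bcc1 == hdr[8],
            "internal": hdr[9], "lock": hdr[10:12].hex(), "otp": hdr[12:16].hex()}

def parse_config(cfg):
    """Decode CFG0 (page 0x83) and CFG1 (page 0x84) per the NTAG21x datasheet."""
    mirror, _rfu, mirror_page, auth0 = cfg[0:4]
    access, vctid = cfg[4], cfg[5]
    return {
        "auth0": auth0,                          # first page needing PWD_AUTH
        "mirror_page": mirror_page,
        "strg_mod_en": bool(mirror & 0x04),
        "prot": bool(access & 0x80),             # 1: read+write, 0: write only
        "cfglck": bool(access & 0x40),           # config permanently locked
        "nfc_cnt_en": bool(access & 0x10),
        "nfc_cnt_pwd_prot": bool(access & 0x08),
        "authlim": access & 0x07,                # 0 = unlimited attempts
        "vctid": vctid,
        "pwd_pack_zeroed": cfg[8:14] == b"\x00" * 6,  # PWD/PACK read back as 0
    }

def describe(cfg):
    """Human-readable summary, in the style of 'hf mfu info'."""
    c = parse_config(cfg)
    lines = ["pages %d and above need authentication" % c["auth0"],
             "%s access is protected with password"
             % ("read and write" if c["prot"] else "write"),
             "max number of password attempts is %s" % (c["authlim"] or "unlimited")]
    if c["cfglck"]:
        lines.append("user configuration permanently locked")
    return lines

if __name__ == "__main__":
    print(parse_header(HEADER))
    for line in describe(CONFIG):
        print("-", line)
```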
With the latest changes to "HF MFU", the new dump command can, with a sniffed pwd, dump a NTAG215.
And the "hf mfu info" should print all configuration data from a NTAG215.
If someone with an Amiibo token could test, then that would be great.
Hello! Sorry for going MIA. It was a busy few weeks at work.
Iceman, got the latest code, and this is the result for one of the new Splatoon Amiibos.
proxmark3> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : NTAG 215 504bytes (NT2H1511G0DU)
UID : 04 ba 44 ba a0 40 80
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 72, Ok
BCC1 : DA, Ok
Internal : 48, default
Lock : 0f e0 - 1110000000001111
OneTimePad : f1 10 ff ee - 11101110111111110001000011110001
--- Tag Signature
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptic curve parameters : secp128r1
Tag ECC Signature : 56 06 a6 4f 43 32 53 6f 43 da 45 d6 61 38 aa 1e cf d3 61 36 ca 5f bb 05 ce 21 24 5b a6 7a 79 07
--- Tag Version
Raw bytes : 00 04 04 02 01 00 11 03
Vendor ID : 04, NXP Semiconductors Germany
Product type : 04, NTAG
Product subtype : 02, 50pF
Major version : 01
Minor version : 00
Size : 11, (512 <-> 256 bytes)
Protocol type : 03
--- Tag Configuration
cfg0 [131/0x83] : 00 00 00 04
- page 4 and above need authentication
- strong modulation mode disabled
cfg1 [132/0x84] : 5f 00 00 00
- Max number of password attempts is 7
- user configuration permanently locked
- write access is protected with password
- 00, Virtual Card Type Identifier is not default
PWD [133/0x85] : 00 00 00 00 - (cannot be read)
PACK [134/0x86] : 00 00 - (cannot be read)
RFU [134/0x86] : 00 00 - (cannot be read)
Hey Iceman,
So first I did this to make sure I had the right PWD. As you can see, I get PACK 0x80 0x80:
proxmark3> hf 14a raw -s -c 60
received 7 octets
04 A6 16 72 61 3E 80
received 10 octets
00 04 04 02 01 00 11 03 01 9E
proxmark3> hf 14a raw -s -c 1b7e22e6b4
received 7 octets
04 A6 16 72 61 3E 80
received 4 octets
80 80 64 16
Then I tried the new hf mfu info with the key. This is the result:
proxmark3> hf mfu info k 7E22E6B4
--- Tag Information ---------
-------------------------------------------------------------
TYPE : NTAG 215 504bytes (NT2H1511G0DU)
UID : 04 a6 16 72 61 3e 80
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 3C, Ok
BCC1 : AD, Ok
Internal : 48, default
Lock : 0f e0 - 1110000000001111
OneTimePad : f1 10 ff ee - 11101110111111110001000011110001
--- Tag Signature
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptic curve parameters : secp128r1
Tag ECC Signature : e5 28 85 16 5b a8 60 06 ee ee 04 d8 3d 1c 6a 92 07 dc c1 d4 69 13 6d 1d fd 58 97 b1 47 9d 4e 91
--- Tag Version
Raw bytes : 00 04 04 02 01 00 11 03
Vendor ID : 04, NXP Semiconductors Germany
Product type : 04, NTAG
Product subtype : 02, 50pF
Major version : 01
Minor version : 00
Size : 11, (512 <-> 256 bytes)
Protocol type : 03
--- Tag Configuration
cfg0 [131/0x83] : 00 00 00 04
- page 4 and above need authentication
- strong modulation mode disabled
cfg1 [132/0x84] : 5f 00 00 00
- Max number of password attempts is 7
- user configuration permanently locked
- write access is protected with password
- 00, Virtual Card Type Identifier is not default
PWD [133/0x85] : 00 00 00 00 - (cannot be read)
PACK [134/0x86] : 00 00 - (cannot be read)
RFU [134/0x86] : 00 00 - (cannot be read)
Thanks!
Looks like the "info" command works as expected. And you need the password to dump it. You can snoop the traffic and get the pwd from it. Try the card dump and share it if you can..
Here you go, the 540 byte dump. It's the same as I was able to get manually by snooping the device <-> tag communication. You can download .bin here: http://cl.ly/0D1h282z3o1v
Last edited by borjaburgos (2015-06-13 21:07:43)
Thanks!
Can you collect all uid/pwd for your tokens?
I can do that, I'll post them here:
Interesting,
Seems like your pwd changed for the Pikachu.. Something with block 3.
Why do you say it changed? It hasn't. Do note that I have two Pikachu tags. Iceman, are you on IRC?
Sorry, I missed that the UID changed. One UID byte change <-> one byte changed in pwd..
very interesting.
IRC: Yes, I am
According to http://3dbrew.org/wiki/Amiibo :
"PWD_AUTH. Key is based on UID."
Some feedback, the uid-pwd algo seems to be solved now.
@borjaburgos,
I'm having a hard time verifying your tag's data... Three of your tokens seem to have the wrong PWD..
### Performing test - AMIBOO UID -> PWD
NAME          UID             PWD       CALC      OK
Megaman       041a9b82c23e80  320c1617  320C1617  true
Pikachu B     04a61672613e80  0522e6b4  7E22E6B4  false
Pikachu A     04dd1672613e80  7e22e6b4  0522E6B4  false
Sonic         04d2577ae33e80  E1EE36CD  02E1EE36  false
Wario         046a02f2714084  322618A0  322618A0  true
Inkling Boy   04ba44baa04080  AAB15075  AAB15075  true
Squid         044befeaa04080  0B1A0075  0B1A0075  true
Inkling Girl  04ebf0e2a04080  a3050875  A3050875  true
Sheik         0421ae7ac23e81  f139ee16  F139EE16  true
Link          04864362173c80  4e01f4c2  4E01F4C2  true
Toon Link     0450437a043f80  8012efd1  8012EFD1  true
Kirby         0429b752403e80  d1a2c695  D1A2C695  true
Diddy Kong    041f98ea1e3e81  5fd37eca  5FD37ECA  true
[edit]
I saw the trace log for Sonic and the pwd is cut and pasted wrong in the list, off-by-one.
And the Pikachu trace logs show that the pwd is swapped.
The uid-pwd algo works perfectly. [/edit]
Last edited by iceman (2015-08-03 13:23:15)
Hm, does someone have a PM3 and an Amiibo toy? I have a script I need tested..
None yet, I am sorry
Summary:
------------
PM3 can simulate ntag215 (newer toy tokens use this; there are reports of older toy tokens using Ultralight)
Amiibo pwd algo is known (thanks anon8888)
PM3 can load a raw dump, and configured with the pwd, it should be able to act as a toy token. (not verified but should work)
The encryption of the data layer is also known; however, if you want the keys needed you are going to need some serious firmware decompilation of the 3ds. All encryption/hashing of the tag data is very high.
---
Cloning is harder, since the toy token has some locked pages where it saves sha256 hashes of tag data.
Maybe re-hashing/re-encrypting the data of an uninitialised toy token can be done and saved to a blank ntag215, but that is me speculating now.
Which pages are locked? I can check with a blank ntag.
just look at the layout here: http://3dbrew.org/wiki/Amiibo
They are probably unlocked in a virgin tag (I don't have a 215 but I have similar ones which are unlocked). Need to spoof to see if the locking bits are required for the tag to be read.
With a lot of help from an anonymous someone who figured out the key-gen and the keys needed to encrypt/decrypt an Amiibo token, we are pretty soon there. It feels close but still so far.
I'm back! What's new Iceman?
Thanks to some great help Amiibo can be considered almost understood.
The auth password can be found by looking at the "Inkling Boy" and "Squid" data posted on the previous page (a little hint: xor !).
As for encryption, it was really, really hard and took a long time to find the needed data (that data, as stated in the previously linked thread on reddit, is Nintendo property so cannot be shared).
Yes, it's like @asper says. One of these days maybe someone starts doing the data-mapping part.
Not me, I'm swamped with work and don't own an Amiibo / Nintendo controller. Someone else has to do that.
With regards to making a script, the dumping is easy but the enc/decryption is not so easy to get inside lua, so I just don't feel like putting in the effort.
Hi,
sorry for my English. I have a PM3, an Amiibo (Bowser) and a Wii U.
Can I help you?
Not really, the rfid part is solved.
What's left is the data-mapping part where you identify the meaning of the data dump, i.e. which bytes do what, but that is for people who are interested in increasing levels, adding experience etc etc.
Are you up for that?
Yes of course, but I just started with PM3 and ACR122U; I just use mfoc and mfcuk to dump access door tags.
You can sniff the communication between Amiibo and gamepad with your PM3,
there you get the pwd.
Then dump the tag, then you need to decrypt the dump data...
Someone made a service where you can upload your dump and get a decrypted one back for Amiibo.
Then it's back to mapping data.. ie try something in game, dump, look at changes, etc etc
To get the amiibo password without sniffing you can use this online tool.
Sorry, forgot about that one. So many new things to focus at.
OK, I'll go test by sniffing and verify the pwd with the PHP script.
Hmm, did you work on dis*ey infi*ity?
I think I have a problem:
proxmark3> hf mfu info k 87669812
--- Tag Information ---------
-------------------------------------------------------------
TYPE : NTAG 215 504bytes (NT2H1511G0DU)
Error: Authentication Failed UL-EV1/NTAG
proxmark3> hf mfu info k 87669813
--- Tag Information ---------
-------------------------------------------------------------
TYPE : NTAG 215 504bytes (NT2H1511G0DU)
UID : 04 57 f5 7a c6 48 80
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 2E, Ok
BCC1 : 74, Ok
Internal : 48, default
Lock : 0f e0 - 1110000000001111
OneTimePad : f1 10 ff ee - 11101110111111110001000011110001
--- Tag Signature
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptic curve parameters : secp128r1
Tag ECC Signature : 0e e6 19 ec b6 b7 d5 9d d4 4b e3 96 5f 7f 2a 26 10 8f 35 42 95 03 f4 d5 8c 4f 28 5c 50 27 f4 0f
--- Tag Version
Raw bytes : 00 04 04 02 01 00 11 03
Vendor ID : 04, NXP Semiconductors Germany
Product type : 04, NTAG
Product subtype : 02, 50pF
Major version : 01
Minor version : 00
Size : 11, (512 <-> 256 bytes)
Protocol type : 03
--- Tag Configuration
cfg0 [131/0x83] : 00 00 00 04
- page 4 and above need authentication
- strong modulation mode disabled
cfg1 [132/0x84] : 5f 00 00 00
- Max number of password attempts is 7
- user configuration permanently locked
- write access is protected with password
- 00, Virtual Card Type Identifier is not default
PWD [133/0x85] : 00 00 00 00 - (cannot be read)
PACK [134/0x86] : 00 00 - (cannot be read)
RFU [134/0x86] : 00 00 - (cannot be read)
but
hf mfu dump k 87669814
TYPE : NTAG 215 504bytes (NT2H1511G0DU)
Reading tag memory...
#db# Pages 135
#db# Pages read 135
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
and after a few seconds the PM3's relay clicks (and ttyACM0 changes to ttyACM1)
hf mfu info k 87669812
hf mfu info k 87669813
hf mfu dump k 87669814
you don't use the same pwd in your commands...
And for D.I., the enc/dec of data is solved, but the keygen algo is still unknown.
There should be a separate thread for D.I. on the forum..
Oops, mistake.
hf mfu info k 87669812 and hf mfu info k 87669813 were just to show I have the right key,
but dump crashes the PM3 (right or wrong key).
If you run:
"hf mf dbg 4"
"hf mfu dump k xxxxxx"
"hf list 14a"
What's the output?
proxmark3> hf mf dbg 4
#db# Debug level: 4
proxmark3> hf mfu dump k 87669813
#db# ISO14443A Timeout set to 1050 (9ms)
#db# ISO14443A Timeout set to 1050 (9ms)
TYPE : NTAG 215 504bytes (NT2H1511G0DU)
Reading tag memory...
#db# Pages 135
#db# ISO14443A Timeout set to 1050 (9ms)
#db# Pages read 135
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
"relay clic"
I lost connection.
I restarted the Proxmark.
hf list 14a
Recorded Activity (TraceLen = 0 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
after hf mfu info k 87669813
hf list 14a
Recorded Activity (TraceLen = 338 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 44 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10676 | 16500 | Tag | 88 04 57 f5 2e | |
18560 | 29024 | Rdr | 93 70 88 04 57 f5 2e 2f be | | SELECT_UID
30260 | 33780 | Tag | 04 da 17 | |
35072 | 37536 | Rdr | 95 20 | | ANTICOLL-2
38708 | 44532 | Tag | 7a c6 48 80 74 | |
46720 | 57184 | Rdr | 95 70 7a c6 48 80 74 92 d1 | | ANTICOLL-2
58420 | 62004 | Tag | 00 fe 51 | |
491776 | 499936 | Rdr | 1b 87 66 98 13 a6 af | | PWD-AUTH KEY: 0x87669813
555572 | 560308 | Tag | 80 80 64 16 | |
991488 | 996256 | Rdr | 30 00 02 a8 | | READBLOCK(0)
1054772 | 1075572 | Tag | 04 57 f5 2e 7a c6 48 80 74 48 0f e0 f1 10 ff ee | |
| | | 4c af | |
1507328 | 1512096 | Rdr | 3c 00 a2 01 | | READ_SIG
1513268 | 1552564 | Tag | 0e e6 19 ec b6 b7 d5 9d d4 4b e3 96 5f 7f 2a 26 | |
| | | 10 8f 35 42 95 03 f4 d5 8c 4f 28 5c 50 27 f4 0f | |
| | | d6 07 | |
1982848 | 1986464 | Rdr | 60 f8 32 | | EV1 VERSION
1987636 | 1999284 | Tag | 00 04 04 02 01 00 11 03 01 9e | |
2431232 | 2435936 | Rdr | 30 83 91 1e | | READBLOCK(131)
2437172 | 2457972 | Tag | 00 00 00 04 5f 00 00 00 00 00 00 00 00 00 00 00 | |
| | | 4f 95 |
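An added example that is not part of the original post: a parser for "hf list 14a" rows like the ones above. It merges continuation rows, recomputes CRC_A for every frame and labels the PWD_AUTH exchange, which makes visible why sniffing the reader <-> tag dialogue hands over the password: the 4 bytes after 0x1B travel in clear. Sample rows are copied from the trace above (padding trimmed); the function names are my own.

```python
import re

# Constructed sample: rows copied from the "hf list 14a" trace above (column
# padding trimmed). A row with an empty Start field continues the previous
# frame, which is how Proxmark prints replies longer than 16 bytes.
TRACE = """\
      0 |       992 | Rdr | 52                                              |     | WUPA
   2228 |      4596 | Tag | 44 00                                           |     |
 491776 |    499936 | Rdr | 1b 87 66 98 13 a6 af                            |     | PWD-AUTH KEY: 0x87669813
 555572 |    560308 | Tag | 80 80 64 16                                     |     |
 991488 |    996256 | Rdr | 30 00 02 a8                                     |     | READBLOCK(0)
1054772 |   1075572 | Tag | 04 57 f5 2e 7a c6 48 80 74 48 0f e0 f1 10 ff ee |     |
        |           |     | 4c af                                           |     |
1982848 |   1986464 | Rdr | 60 f8 32                                        |     | EV1 VERSION
1987636 |   1999284 | Tag | 00 04 04 02 01 00 11 03 01 9e                   |     |
"""

def crc_a(data):
    """ISO 14443-3 CRC_A (init 0x6363, reflected poly 0x8408), LSB first."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def parse_trace(text):
    """Return [{'src', 'data'}] frames; rows with parity marks ('!') are skipped."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or not re.fullmatch(r"[0-9a-fA-F ]+", cols[3]):
            continue
        data = bytes.fromhex(cols[3])
        if cols[0] == "" and frames:          # continuation row of a long reply
            frames[-1]["data"] += data
        else:
            frames.append({"src": cols[2], "data": data})
    return frames

def annotate(frames):
    """Verify CRC_A per frame and label the PWD_AUTH / PACK exchange."""
    out = []
    for i, f in enumerate(frames):
        d = f["data"]
        crc_ok = None if len(d) < 3 else crc_a(d[:-2]) == d[-2:]   # short frames carry no CRC
        note = ""
        if f["src"] == "Rdr" and d[0] == 0x1B and len(d) == 7:
            note = "PWD_AUTH pwd=" + d[1:5].hex()      # password sent in clear over the air
        elif f["src"] == "Rdr" and d[0] == 0x30 and len(d) == 4:
            note = "READ page %d" % d[1]
        elif f["src"] == "Rdr" and d[0] == 0x60:
            note = "GET_VERSION"
        elif i and frames[i - 1]["data"][0] == 0x1B and len(d) == 4:
            note = "PACK=" + d[:2].hex()               # tag's 2-byte acknowledgement
        out.append({"src": f["src"], "len": len(d), "crc_ok": crc_ok, "note": note})
    return out

if __name__ == "__main__":
    for a in annotate(parse_trace(TRACE)):
        print(a)
```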
Hm, it reads all data without a problem. (Pages read 135 message)
It's when sending it back from the device to the client that it seems to get stuck.
Which firmware version are you running?
iceman, you're right; after flashing, dump works.
Where can I upload the dump for knowledge?
Use
files: sendspace.com
logs: pastebin.com
or which services you need, then add a link here.
https://www.sendspace.com/file/jek3xd need other?