Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#51 2015-10-02 12:09:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

There is a link inside that reddit:

https://www.reddit.com/r/amiibo/comment … acter_ids/


If you need to decrypt your amiibo dump..   https://github.com/socram8888/amiitool


#52 2015-10-02 17:10:17

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

I need to contact socram to clone, and I need a UID-changeable Ultralight?


#53 2015-10-02 19:53:34

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

Yes, you'll need a key to use his service.  You can reference this thread,

and use your pm3 to sim...

I don't know if a magic UL can pretend to be an NTAG...


#54 2015-10-03 17:39:37

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

Sorry for my ignorance, but I can't sim.

I don't have the right syntax for hf mfu eload or hf 14a sim to sim my dump to the Wii U GamePad.


#55 2015-10-04 12:31:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

No?

What does your "hf 14a sim h" say?

Don't know if the ntag sim is in the PM3 master.  I have it in my fork and I also know that @Marshmellow has it in his.


#56 2015-10-04 15:10:56

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

hf  14a sim h

Emulating ISO/IEC 14443 type A tag with 4 or 7 byte UID
         
Usage: hf 14a sim t <type> u <uid> x         
  Options :           
    h     : this help         
    t     : 1 = MIFARE Classic         
            2 = MIFARE Ultralight         
            3 = MIFARE Desfire         
            4 = ISO/IEC 14443-4         
            5 = MIFARE Tnp3xxx         
            6 = MIFARE Mini         
            7 = AMIIBO (NTAG 215),  pack 0x8080         
    u     : 4 or 7 byte UID         
    x     : (Optional) performs the 'reader attack', nr/ar attack against a legitimate reader         

   sample : hf 14a sim t 1 u 1122344         
          : hf 14a sim t 1 u 1122344 x
         
pm3 --> hf  14a sim t 7 u 0457F57AC64880 x
Emulating ISO/IEC 14443 type A tag with 7 byte UID (0457f57ac64880)         
Press pm3-button to abort simulation         
#db# Error: unkown tagtype (7)                 

hmm


#57 2015-10-04 18:18:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

hm, you are using two different builds.. When you do stuff, you'll need to use and flash the fullimage.elf from the same build as the client you are going to use.


#58 2015-10-05 06:28:14

securitoys
Contributor
Registered: 2015-06-13
Posts: 19

Re: [FINISHED] a popular toy Amiibo

I don't have a Wii U, but I do have three figures, so I picked up this Datel/CodeJunkies "Powersaves" reader/software, which can backup and change the data on them: http://codejunkies.com/powersaves-for-amiibo/ (USD 25 on Amazon)

Unfortunately, `hf 14a sim u 0453F6CA9A3D80 t 7 x` doesn't seem to work with this reader/software.  The Datel reader flashes like the simulated token is being placed and removed, placed and removed, and the PM3 only reports a lot of unknown commands without transactions to get a key from.


#59 2015-10-05 08:56:31

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

OK iceman, I think I'm OK now.

PM3 flashed with your fork's fullimage.elf.

But:

hf  14a sim t 7 u 0457F57AC64880 x

The Wii U GamePad says it's not an amiibo.

hmm


#60 2015-10-05 10:01:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

One step at a time.  Now the sim works for type 7 (ntag/amiibo), that is good.

The hf 14a sim only presents the ISO14443A part normally, but for a reader you would need a complete dump to pretend to be a token.

So the next step would be to load a toy dump (with the same UID) into the pm3 device, i.e. "hf mf eload"..
after that you should use the sim command...


#61 2015-10-05 12:25:11

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

houhouuuuu
when I test with amiidex for Android, my Bowser dump is a "villager"


#62 2015-10-05 12:47:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

Now I'm confused,  is it good or is it bad?


#63 2015-10-05 13:36:59

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

mfu eload 0457F57AC64880.bin  (my Bowser dump)

hf  14a sim t 7 u 0457F57AC64880 x

no error, it's OK

I put the PM3 on my Android phone with the amiidex APK

amiidex shows a "villager" amiibo, not a Bowser amiibo

I haven't tested on the Wii U GamePad (I am in the office)


#64 2015-10-05 20:50:05

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

I'm going to go crazy.

I use your fork iceman, I have flashed the PM3 with your fullimage.

when I sniff:


          0 |        992 | Rdr |52                                                               |     | WUPA         
       2228 |       4596 | Tag |44  00                                                           |     |           
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL         
      10676 |      16500 | Tag |88  04  57  f5  2e                                               |     |           
      18560 |      29024 | Rdr |93  70  88  04  57  f5  2e  2f  be                               |  ok | SELECT_UID         
      30260 |      33780 | Tag |04  da  17                                                       |     |           
      35072 |      37536 | Rdr |95  20                                                           |     | ANTICOLL-2         
      38708 |      44532 | Tag |7a  c6  48  80  74                                               |     |           
      46720 |      57184 | Rdr |95  70  7a  c6  48  80  74  92  d1                               |  ok | ANTICOLL-2         
      58420 |      62004 | Tag |00  fe  51                                                       |     |           
      63872 |      72032 | Rdr |1b  87  66  98  13  a6  af                                       |  ok | PWD-AUTH KEY: 0x87669813

uid = 0457F57AC64880 pwd = 8769813   right?

I dump with:

hf mfu dump k 87669813  right?

mfu eload 0457F57AC64880.bin  (my Bowser dump)

hf  14a sim t 7 u 0457F57AC64880 x

right?

put on amiidex, it's "villager"

put on the Wii U GamePad, it's not recognized (not an amiibo)


#65 2015-10-05 21:04:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

[!!EDIT!!]

...lets see, 


- the  "HF MF ELOAD" works with  .EML files.  Not bin.
- you don't need the "x" parameter..  that is not for ultralight/ntag cards,  that is for Mifare Classic.

there is a luascript "dumptoemul-mfu.lua"  in my fork (from @marshmellow)  which converts a bin -> eml for 4bytes...


--- The "hf mfu eload" doesn't work.
--- use the "hf mf eload" instead!


pm3 --> hf mf eload
It loads emul dump from the file `filename.eml`
Usage:  hf mf eload [card memory] <file name w/o `.eml`>
  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K, u = UL

 sample: hf mf eload filename
         hf mf eload 4 filename
pm3 --> sc r dumptoemul-mfu -h
--- Executing: ./scripts/dumptoemul-mfu.lua, args'-h'
This script takes a dumpfile from 'hf mf dump' and converts it to a format that can be used
by the emulator

Arguments:
        -h              This help
        -i <file>       Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used
        -o <filename>   Specifies the output file. If omitted, <uid>.eml is used.


Example usage
script run dumptoemul-mfu -i dumpdata-foobar.bin

Last edited by iceman (2015-10-05 21:13:38)


#66 2015-10-05 21:15:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

You should do something like:

hf mfu dump k 87669813 
script run dumptoemul-mfu -i 0457F57AC64880.bin    (bowser dump)
hf mf eload u 0457F57AC64880
hf  14a sim t 7 u 0457F57AC64880

Last edited by iceman (2015-10-05 21:16:29)


#67 2015-10-06 10:40:51

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

haaaan, you have committed to your fork for me? (dumptoemul-mfu)
it works (with amiidex)
just
.......................................................................................................................................File reading error.
after hf mf eload u 0457F57AC64880

but amiidex says it's the Bowser amiibo

Tested with other dumps and amiidex recognizes the amiibo character

in simulation mode, can the Wii U game write to the .eml?

Thank you for teaching me and for the time dedicated


#68 2015-10-06 10:46:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

Yes,  I committed my fork for you.

The "file reading error" is troublesome..   Was it the luascript or the "hf mf eload"?   
Sometimes there is a last "newline" in the eml from the lua script conversion that might interrupt the "eload"...


-- The dump is in binary,   gets converted to ascii by the lua script (.eml)
-- the eload uploads from ascii to binary on the device.
-- the sim is pure binary on the device.


#69 2015-10-06 21:47:18

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

script run dumptoemul-mfu -i /home/belette/Téléchargements/SSB-Bowser.bin
--- Executing: ./scripts/dumptoemul-mfu.lua, args'-i SSB-Bowser.bin'
Wrote an emulator-dump to the file 04C3DB94.eml

hf mf eload u 04C3DB94
.......................................................................................................................................File reading error.

hf 14a sim t 7 u 04C3DB94
Emulating ISO/IEC 14443 type A tag with 4 byte UID (04c3db94)         
Press pm3-button to abort simulation

So I don't understand: all amiibo dumps found on the net work with dumptoemul-mfu, mf eload, 14a sim with amiidex,

but not on the Wii U GamePad (SSB)


#70 2015-10-06 22:12:44

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

You should take more notice of error messages...

If you can share your "04C3DB94.eml"  file, I can take a look at it.


#71 2015-10-06 22:15:10

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

And amiidex maybe only reads the token data...
whereas the Wii U GamePad might write to it...  I'm not sure the "hf 14a sim" has write capacities for emulator memory..


#72 2015-10-06 22:26:21

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

https://www.sendspace.com/file/g6fnxo


#73 2015-10-06 22:31:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

...And I checked,  the "hf 14a sim" doesn't have "write" capabilities.  Nor does it increase the counters if it gets an inc_counter..
so you can't make a complete simulation with a pm3 at this moment.


#74 2015-10-06 22:32:36

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

OK, I have ordered a UID-changeable Mifare UL for testing

but we can find the pwd from the amiibo UID? right?

we can decrypt and encrypt a dump via socram? right?

if we use a UL tag (not UID changeable) we can know the UID and pwd and encrypt for the UL tag? no?


#75 2015-10-06 22:44:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

No, a Mifare Ultralight tag is not the same as an NTAG 215 tag.

You would need to buy NTAG215 cards,  set the PWD according to the amiibo keygen algo and set the PACK to the fixed value.
The encryption/decryption of the dump is an entirely different story since it involves @Socram.

Good luck!

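The sniff trace belette posted in #64 and the "amiibo keygen algo" iceman mentions in #75, worked through as an added example (my code, not the thread's or the Proxmark3 project's): it parses the quoted trace, checks BCC and CRC_A the way the reader does, reassembles the 7-byte UID from the two cascade levels, and shows that the PWD_AUTH password crosses the air in clear, which is exactly why a sniffer can recover it. The UID-to-PWD derivation is assumed to be the one published in the Proxmark3 client's pwdgen code; the thread does not spell it out, so it is only checked against the password visible in this trace.

```python
TRACE = """\
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16500 | Tag |88 04 57 f5 2e | |
18560 | 29024 | Rdr |93 70 88 04 57 f5 2e 2f be | ok | SELECT_UID
30260 | 33780 | Tag |04 da 17 | |
35072 | 37536 | Rdr |95 20 | | ANTICOLL-2
38708 | 44532 | Tag |7a c6 48 80 74 | |
46720 | 57184 | Rdr |95 70 7a c6 48 80 74 92 d1 | ok | ANTICOLL-2
58420 | 62004 | Tag |00 fe 51 | |
63872 | 72032 | Rdr |1b 87 66 98 13 a6 af | ok | PWD-AUTH
"""

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (init 0x6363, poly 0x8408), LSB first as sent on the wire."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))

def frames(trace: str):
    """Yield (source, raw bytes) for each trace line; column padding was condensed."""
    for line in trace.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) >= 4 and cols[3]:
            yield cols[2], bytes.fromhex(cols[3].replace(" ", ""))

def analyze(trace: str) -> dict:
    """Reassemble the 7-byte UID from both cascade levels, verify BCC and CRC_A as the
    reader does, and record the password PWD_AUTH (0x1B) sends in clear over the air."""
    uid, pwd, crc_ok = b"", None, True
    for src, f in frames(trace):
        if src == "Tag" and len(f) == 5:                    # anticollision reply: 4 bytes + BCC
            if f[0] ^ f[1] ^ f[2] ^ f[3] != f[4]:
                raise ValueError("BCC mismatch in " + f.hex())
            uid += f[1:4] if f[0] == 0x88 else f[:4]        # 0x88 is the cascade tag, not UID
        elif src == "Rdr" and len(f) > 2 and f[0] in (0x93, 0x95, 0x1B):
            crc_ok = crc_ok and crc_a(f[:-2]) == f[-2:]     # SELECT and PWD_AUTH carry CRC_A
            if f[0] == 0x1B:
                pwd = f[1:5].hex()
    return {"uid": uid.hex(), "pwd": pwd, "crc_ok": crc_ok}

def amiibo_pwd(uid: bytes) -> str:
    """Assumed UID-to-PWD derivation (the Proxmark3 client's published pwdgen);
    the thread only calls it 'the amiibo keygen algo', so it is checked against the trace."""
    return bytes((uid[1] ^ uid[3] ^ 0xAA, uid[2] ^ uid[4] ^ 0x55,
                  uid[3] ^ uid[5] ^ 0xAA, uid[4] ^ uid[6] ^ 0x55)).hex()
```

Run against the trace, `analyze` returns UID 0457f57ac64880 and password 87669813 with every CRC valid, and `amiibo_pwd` reproduces that same password from the UID alone.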

#76 2015-10-06 22:59:45

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

NTAG215 (NFC Forum type 2 tag), this one?


#77 2015-10-07 08:36:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

yes


#78 2015-10-08 16:15:28

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

If I understand:

dump the amiibo and create the eml

hf mfu dump k xxxxxxxx
script run dumptoemul-mfu -i uid.bin

I put the NTAG215 on the PM3
hf mfu info  to get the UID
use http://amiibo.reboot.ms/ to get the pwd for the NTAG215's UID

edit the dump and change the key at line 0000210 (search for the old key)

right?

but how to write to the NTAG215?

http://www.proxmark.org/forum/viewtopic.php?id=2443 #7

block by block?

Last edited by belette (2015-10-08 16:41:11)


#79 2015-10-08 16:54:06

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

yeah, there is no "restore" command among the "hf mfu" ...  So you are back to writing block by block,...


and don't forget to write the PACK as well

Last edited by iceman (2015-10-08 16:54:27)


#80 2015-10-08 17:46:59

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

Write pack ?  hmm


#81 2015-10-08 18:47:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

You know,  it helps to read the datasheet for the NTAG215....


#82 2015-10-08 20:25:27

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

http://www.nxp.com/documents/data_sheet/NTAG213_215_216.pdf#G4106129

8.8.1 Programming of PWD and PACK

8.5.7   Configuration pages

Am I going the right way?

Last edited by belette (2015-10-08 20:26:45)


#83 2015-10-08 20:31:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [FINISHED] a popular toy Amiibo

Always good to read since it will help you in your way to understanding.


#84 2015-10-09 15:35:09

belette
Contributor
Registered: 2015-09-29
Posts: 56

Re: [FINISHED] a popular toy Amiibo

ok

PACK is the same on each amiibo

hf 14a raw -s -c 1bXXXXXXXX
received 7 octets
and the tag gives the UID
received 4 octets
and the tag gives the PACK + RFUI

edit the dump and change the UID at the start (the first 3 characters, skip the next one, then the next 4) and the PWD + PACK + RFUI at the end of the dump

right?

I think, in my dump

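The bin -> eml -> eload chain iceman explains in #65 and #68, together with the dump layout belette works out in #84, as an added example (my code, not the lua script's or the Proxmark3 project's): a converter that never emits the trailing newline iceman blames for the "File reading error", a tolerant reader for the other direction, and the checks worth running on an NTAG215 dump before "eload". Assumed: an NTAG215 is 135 pages of 4 bytes with UID0-2/BCC0 in page 0, UID3-6 in page 1, BCC1 in page 2, PWD in page 133 and PACK in page 134 (the NTAG21x datasheet layout); the sample dump is constructed, not read from a real toy.

```python
PAGE = 4
NTAG215_PAGES = 135              # pages 0x00..0x86 of an NTAG215
PWD_PAGE, PACK_PAGE = 133, 134   # datasheet layout; PWD starts at byte offset 0x214

def bin_to_eml(dump: bytes) -> str:
    """One hex page per line and no trailing newline, so 'hf mf eload' never
    meets the stray final newline the thread blames for 'File reading error'."""
    if len(dump) % PAGE:
        raise ValueError("dump is not a whole number of %d-byte pages" % PAGE)
    return "\n".join(dump[i:i + PAGE].hex() for i in range(0, len(dump), PAGE))

def eml_to_bin(eml: str) -> bytes:
    """Tolerant reader: blank lines (a trailing one included) are ignored,
    every remaining line must be exactly one page."""
    pages = [bytes.fromhex(l.strip()) for l in eml.splitlines() if l.strip()]
    if any(len(p) != PAGE for p in pages):
        raise ValueError("every eml line must hold exactly one 4-byte page")
    return b"".join(pages)

def check_ntag215(dump: bytes) -> dict:
    """Checks worth running before 'eload': full size, UID/BCC consistency in
    pages 0-2, and PACK, which the sim help in the thread gives as 0x8080."""
    if len(dump) != NTAG215_PAGES * PAGE:
        raise ValueError("expected %d bytes, got %d" % (NTAG215_PAGES * PAGE, len(dump)))
    p0, p1, p2 = dump[0:4], dump[4:8], dump[8:12]
    bcc0_ok = (0x88 ^ p0[0] ^ p0[1] ^ p0[2]) == p0[3]   # BCC0 covers CT 0x88 + UID0..2
    bcc1_ok = (p1[0] ^ p1[1] ^ p1[2] ^ p1[3]) == p2[0]  # BCC1 covers UID3..6
    pack = dump[PACK_PAGE * PAGE:PACK_PAGE * PAGE + 2].hex()
    return {"uid": (p0[:3] + p1).hex(), "bcc_ok": bcc0_ok and bcc1_ok,
            "pwd": dump[PWD_PAGE * PAGE:PWD_PAGE * PAGE + 4].hex(),
            "pack": pack, "pack_ok": pack == "8080"}

def sample_dump() -> bytes:
    """Constructed dump, not a real toy: the thread's UID with correct BCCs,
    PACK 0x8080, everything else zero."""
    uid = bytes.fromhex("0457f57ac64880")
    d = bytearray(NTAG215_PAGES * PAGE)
    d[0:4] = uid[:3] + bytes([0x88 ^ uid[0] ^ uid[1] ^ uid[2]])
    d[4:8] = uid[3:]
    d[8] = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    d[PACK_PAGE * PAGE:PACK_PAGE * PAGE + 2] = b"\x80\x80"
    return bytes(d)
```

A dump that fails `check_ntag215` (wrong size, a BCC that no longer matches after the UID was edited, or a PACK other than 0x8080) is the kind of file that loads but then fails in front of the reader.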

#85 2018-07-01 20:50:47

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [FINISHED] a popular toy Amiibo

An interesting read on how to approach Amiibo.

https://recon.cx/2018/montreal/schedule … th_SDR.pdf

