[FINISHED] a popular toy Amiibo

iceman · 2015-10-02 12:09:29

There is a link inside that reddit,

https://www.reddit.com/r/amiibo/comment … acter_ids/

If you need decrypt your ami-dump.. https://github.com/socram8888/amiitool

belette · 2015-10-02 17:10:17

i need contact socram to clone, and need ultralight uid changeable?

iceman · 2015-10-02 19:53:34

Yes, you'll need a key to use his service. You can reference this thread,.

and use your pm3 to sim...

I don't know if a magic UL can pretend to be a NTAG...

belette · 2015-10-03 17:39:37

sorry for my ignorance but i can't sim

i haven't the right syntaxe for hf mfu eload or hf 14a sim to sim my dump to wiiu gamepad

iceman · 2015-10-04 12:31:42

No?

What does your "hf 14a sim h" say?

Don't know if thie ntag sim is in the PM3 master, I have it in my fork and I also know that @Marshmellow has it in his.

belette · 2015-10-04 15:10:56

hf 14a sim h

Emulating ISO/IEC 14443 type A tag with 4 or 7 byte UID

Usage: hf 14a sim t <type> u <uid> x
Options :
h : this help
t : 1 = MIFARE Classic
2 = MIFARE Ultralight
3 = MIFARE Desfire
4 = ISO/IEC 14443-4
5 = MIFARE Tnp3xxx
6 = MIFARE Mini
7 = AMIIBO (NTAG 215), pack 0x8080
u : 4 or 7 byte UID
x : (Optional) performs the 'reader attack', nr/ar attack against a legitimate reader

sample : hf 14a sim t 1 u 1122344
: hf 14a sim t 1 u 1122344 x

pm3 --> hf 14a sim t 7 u 0457F57AC64880 x
Emulating ISO/IEC 14443 type A tag with 7 byte UID (0457f57ac64880)
Press pm3-button to abort simulation
#db# Error: unkown tagtype (7)

iceman · 2015-10-04 18:18:24

hm, you are using two different builds.. When you do stuff, you'll need to use and flash the fullimage.elf from the same build as the client you are going to use.

securitoys · 2015-10-05 06:28:14

I don't have a Wii U, but I do have three figures, so I picked up this Datel/CodeJunkies "Powersaves" reader/software, which can backup and change the data on them: http://codejunkies.com/powersaves-for-amiibo/ (USD 25 on Amazon)

Unfortunately, `hf 14a sim u 0453F6CA9A3D80 t 7 x` doesn't seem to work with this reader/software. The Datel reader flashes like the simulated token is being placed and removed, placed and removed, and the PM3 only reports a lot of unknown commands without transactions to get a key from.

belette · 2015-10-05 08:56:31

ok iceman i think i'm ok now

pm3 flashed whith your fullimage.elf fork

but

hf 14a sim t 7 u 0457F57AC64880 x

wiiu game pad say it's not amiibot

iceman · 2015-10-05 10:01:12

One step at the time. Now the sim works for type 7 (ntag/amiibo), that is good.

The hf 14a sim, only present the iso14443a part normally, but for a reader you would need a complete dump to pretend being a token.

So next step would be to load a toydump (with the same UID) into the pm3 device. ie "hf mf eload"..
after that you should use the sim command...

belette · 2015-10-05 12:25:11

houhouuuuu
when i test why amiidex for android my bowser dump it's a "villager"

iceman · 2015-10-05 12:47:31

Now I'm confused, is it good or is it bad?

belette · 2015-10-05 13:36:59

mfu eload 0457F57AC64880.bin (my bowser dump)

hf 14a sim t 7 u 0457F57AC64880 x

no error it'ok

take pm3 on my android phone with amiidex apk

amiidex show "villager" amiibo not bowser amiibo

i haven't test on wiiu gamepad (I am in the office)

belette · 2015-10-05 20:50:05

I'l going to become crazy

i use you fork iceman, i have flash pm3 with your fullimage

when i sniff:

0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16500 | Tag |88 04 57 f5 2e | |
18560 | 29024 | Rdr |93 70 88 04 57 f5 2e 2f be | ok | SELECT_UID
30260 | 33780 | Tag |04 da 17 | |
35072 | 37536 | Rdr |95 20 | | ANTICOLL-2
38708 | 44532 | Tag |7a c6 48 80 74 | |
46720 | 57184 | Rdr |95 70 7a c6 48 80 74 92 d1 | ok | ANTICOLL-2
58420 | 62004 | Tag |00 fe 51 | |
63872 | 72032 | Rdr |1b 87 66 98 13 a6 af | ok | PWD-AUTH KEY: 0x87669813

uid = 0457F57AC64880 pwd = 8769813 right

i dump whith:

hf mfu dump k 87669813 right?

mfu eload 0457F57AC64880.bin (my bowser dump)

hf 14a sim t 7 u 0457F57AC64880 x

right ?

put on amiidex it's "villager"

put on wiiu game pad it's not recognize (not a amiiibo)

iceman · 2015-10-05 21:04:59

[!!EDIT!!]

...lets see,

- the "HF MF ELOAD" works with .EML files. Not bin.
- you don't need the "x" parameter.. that is not for ultralight/ntag cards, that is for Mifare Classic.

there is a luascript "dumptoemul-mfu.lua" in my fork (from @marshmellow) which converts a bin -> eml for 4bytes...

--- The "hf mfu eload" doesnt work.
--- use the "hf mf eload" instead!.

pm3 --> hf mf eload
It loads emul dump from the file `filename.eml`
Usage:  hf mf eload [card memory] <file name w/o `.eml`>
  [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K, u = UL

 sample: hf mf eload filename
         hf mf eload 4 filename

pm3 --> sc r dumptoemul-mfu -h
--- Executing: ./scripts/dumptoemul-mfu.lua, args'-h'
This script takes a dumpfile from 'hf mf dump' and converts it to a format that can be used
by the emulator

Arguments:
        -h              This help
        -i <file>       Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used
        -o <filename>   Specifies the output file. If omitted, <uid>.eml is used.


Example usage
script run dumptoemul-mfu -i dumpdata-foobar.bin

Last edited by iceman (2015-10-05 21:13:38)

iceman · 2015-10-05 21:15:35

You should do something like:

hf mfu dump k 87669813 
script run dumptoemul-mfu -i 0457F57AC64880.bin    (bowser dump)
hf mf eload u 0457F57AC64880
hf  14a sim t 7 u 0457F57AC64880

Last edited by iceman (2015-10-05 21:16:29)

belette · 2015-10-06 10:40:51

haaaan you have commit your fork for me ? (dumptoemul-mfu)
it' work's (with amiidex)
just
.......................................................................................................................................File reading error.
after hf mf eload u 0457F57AC64880

but amiidex say it's bowser amiibo

test with other dump and amiidex recognize amiibo charactere

in simulation mode wiiu game can write on .eml ?

Thank you for learning me and for the time dedicated

iceman · 2015-10-06 10:46:25

Yes, I commited my fork for you.

The "file reading error" is troublesome.. Was it the luascript or the "hf mf eload"?
Sometimes there is a last "newline" in the eml from the lua script conversion that might interrupt the "eload"...

-- The dump is in binary, gets converted to ascii by the lua script (.eml)
-- the eload uploads from ascii to binary on the device.
-- the sim is pure binary on the device.

belette · 2015-10-06 21:47:18

script run dumptoemul-mfu -i /home/belette/Téléchargements/SSB-Bowser.bin
--- Executing: ./scripts/dumptoemul-mfu.lua, args'-i SSB-Bowser.bin'
Wrote an emulator-dump to the file 04C3DB94.eml

hf mf eload u 04C3DB94
.......................................................................................................................................File reading error.

hf 14a sim t 7 u 04C3DB94
Emulating ISO/IEC 14443 type A tag with 4 byte UID (04c3db94)
Press pm3-button to abort simulation

so i don't understand all amibo dump found on net work's with dumptoemul-mfu, mf eload , 14a sim with amiidex

but no on wiiu game pad ( ssb)

iceman · 2015-10-06 22:12:44

You should take more notice to error messages...

If you can share your "04C3DB94.eml" file, I can take a look at it.

iceman · 2015-10-06 22:15:10

And amiidex maybe only reads the token data...
where as the Wiiu game pad might write to it... I'm not sure the "hf 14a sim" has write capacities for emulator memory..

belette · 2015-10-06 22:26:21

https://www.sendspace.com/file/g6fnxo

iceman · 2015-10-06 22:31:43

...And I checked, the "hf 14a sim" doesn't have "write" capabilites. Nor does it increase the counters if it gets a inc_counter..
so you can't make a complete simulation with a pm3 at this moment.

belette · 2015-10-06 22:32:36

ok i have order a mifare ul uid changeable for test

but we can find pwd with amiibo uid? right?

we can decrypt an uncrypt dump by socram ? right?

if we use ul tag (not uid changeable) we can know uid and pwd and unncrypt ul tag? no?

iceman · 2015-10-06 22:44:46

No, an Mifare Ultralight tag is not the same as a NTAG 215 tag.

You would need to buy NTAG215 cards, set the PWD according to the amiibo keygen algo and set the PACK to the fixed value.
The encryption/decryption of the dump is an entirely different story since it involves @Socram.

Good luck!

belette · 2015-10-06 22:59:45

NTAG215 (NFC forum type 2 tag) this?

iceman · 2015-10-07 08:36:31

yes

belette · 2015-10-08 16:15:28

if i understand

dump amiboo and create eml

hf mfu dump k xxxxxxxx
script run dumptoemul-mfu -i uid.bin

i put ntag215 on pm3
hf mfu info to get uid
use http://amiibo.reboot.ms/ to get pwd for ntag215's uid

edit dump and change key ligne 0000210 (search old key)

right?

but how to write to ntag215 ?

http://www.proxmark.org/forum/viewtopic.php?id=2443 #7

block by block?

Last edited by belette (2015-10-08 16:41:11)

iceman · 2015-10-08 16:54:06

yeah, there is no "restore" command among the "hf mfu" ... So you are back to write block for block,...

and don't forget to write the PACK aswell

Last edited by iceman (2015-10-08 16:54:27)

belette · 2015-10-08 17:46:59

Write pack ?

iceman · 2015-10-08 18:47:25

You know, it helps to read the datasheet for the NTAG215....

belette · 2015-10-08 20:25:27

http://www.nxp.com/documents/data_sheet/NTAG213_215_216.pdf#G4106129

8.8.1 Programming of PWD and PACK

8.5.7 Configuration pages

i'm walking to the right way?

Last edited by belette (2015-10-08 20:26:45)

iceman · 2015-10-08 20:31:09

Always good to read since it will help you in your way to understanding.

belette · 2015-10-09 15:35:09

ok

pack are the same on each amiboo

hf 14a raw -s -c 1bXXXXXXXX
received 7 octets
and tag give uid
received 4 octets
and tag give pack + rfui

edit dump and change uid at the start ( 3 first caractere jump next and 4 next ) and pwd + pack + rfui at he and of dump

right?

i think in my dump

iceman · 2018-07-01 20:50:47

An interesting reading on how to approach Amiibo.

https://recon.cx/2018/montreal/schedule … th_SDR.pdf

Proxmark3 community

Announcement

#51 2015-10-02 12:09:29

Re: [FINISHED] a popular toy Amiibo

#52 2015-10-02 17:10:17

Re: [FINISHED] a popular toy Amiibo

#53 2015-10-02 19:53:34

Re: [FINISHED] a popular toy Amiibo

#54 2015-10-03 17:39:37

Re: [FINISHED] a popular toy Amiibo

#55 2015-10-04 12:31:42

Re: [FINISHED] a popular toy Amiibo

#56 2015-10-04 15:10:56

Re: [FINISHED] a popular toy Amiibo

#57 2015-10-04 18:18:24

Re: [FINISHED] a popular toy Amiibo

#58 2015-10-05 06:28:14

Re: [FINISHED] a popular toy Amiibo

#59 2015-10-05 08:56:31

Re: [FINISHED] a popular toy Amiibo

#60 2015-10-05 10:01:12

Re: [FINISHED] a popular toy Amiibo

#61 2015-10-05 12:25:11

Re: [FINISHED] a popular toy Amiibo

#62 2015-10-05 12:47:31

Re: [FINISHED] a popular toy Amiibo

#63 2015-10-05 13:36:59

Re: [FINISHED] a popular toy Amiibo

#64 2015-10-05 20:50:05

Re: [FINISHED] a popular toy Amiibo

#65 2015-10-05 21:04:59

Re: [FINISHED] a popular toy Amiibo

#66 2015-10-05 21:15:35

Re: [FINISHED] a popular toy Amiibo

#67 2015-10-06 10:40:51

Re: [FINISHED] a popular toy Amiibo

#68 2015-10-06 10:46:25

Re: [FINISHED] a popular toy Amiibo

#69 2015-10-06 21:47:18

Re: [FINISHED] a popular toy Amiibo

#70 2015-10-06 22:12:44

Re: [FINISHED] a popular toy Amiibo

#71 2015-10-06 22:15:10

Re: [FINISHED] a popular toy Amiibo

#72 2015-10-06 22:26:21

Re: [FINISHED] a popular toy Amiibo

#73 2015-10-06 22:31:43

Re: [FINISHED] a popular toy Amiibo

#74 2015-10-06 22:32:36

Re: [FINISHED] a popular toy Amiibo

#75 2015-10-06 22:44:46

Re: [FINISHED] a popular toy Amiibo

#76 2015-10-06 22:59:45

Re: [FINISHED] a popular toy Amiibo

#77 2015-10-07 08:36:31

Re: [FINISHED] a popular toy Amiibo

#78 2015-10-08 16:15:28

Re: [FINISHED] a popular toy Amiibo

#79 2015-10-08 16:54:06

Re: [FINISHED] a popular toy Amiibo

#80 2015-10-08 17:46:59

Re: [FINISHED] a popular toy Amiibo

#81 2015-10-08 18:47:25

Re: [FINISHED] a popular toy Amiibo

#82 2015-10-08 20:25:27

Re: [FINISHED] a popular toy Amiibo

#83 2015-10-08 20:31:09

Re: [FINISHED] a popular toy Amiibo

#84 2015-10-09 15:35:09

Re: [FINISHED] a popular toy Amiibo

#85 2018-07-01 20:50:47

Re: [FINISHED] a popular toy Amiibo

Board footer