Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi guys,
I'm playing with an NTAG magic tag and Amiibo.
Now, I can clone an amiibo with a magic NTAG. It works.
The next step is to use amiibo dumps found on the web, generated with TagMo (an Android amiibo cloning app).
Dumps from the web and the Proxmark's dumps are different in a hex editor.
So, I took one of these dumps, loaded it in TagMo, saved the data, then compared it with the dump, and it's not the same.
But when I compare the saved data and the Proxmark's dumps, they are pretty similar.
Only the ECC signature, PWD and PACK are missing!
I can add the password (based on the UID) and the PACK (always the same on amiibo).
But how can I calculate the ECC signature and validate it?
Sorry for my terrible English...
Last edited by yugnat (2017-11-21 13:44:23)
OK, I have worked a lot on this, I have read the NXP datasheet for NTAG, and here I am.
The ECC signature is built from the UID with NXP's private key.
The public key validates the signature.
So, I can use any valid pair of public key and signature.
I used Iceman's magic script to wipe and then write (type, UID, signature and PWD) on my magic tag.
Then I used TagMo with an amiibo dump to write the data.
The process failed to write the PWD, but the data is on the tag!
Finally I wrote the PWD, cfg1 & cfg2, PACK and lock with my Proxmark, et voilà!
I have a fully functional amiibo tag.
Now, what I don't understand yet:
The data in the amiibo dump is different from the data in the magic tag's dump...
I think TagMo uses Nintendo's keys to transform the amiibo dump before writing the data.
Here is an archive with 2 dumps: https://www.sendspace.com/file/rmuqh6
I don't know if the amiibo data has to be decrypted or encrypted (or something else) before writing it?
I don't want to use TagMo to write data anymore, but how do I use an amiibo dump with my PM3?
The dump format differs between devices. On the PM3 we added extra fields like Signature, Version, Pwd, Pck etc. in order to have simulation possibilities. Other devices dump only the user memory on the tag.
Amiibo dumps used to only contain the basic user memory, but more recent versions also contain the signature, IIRC.
There are parts of an amiibo that are encrypted (using the UID), and TagMo knows how to re-encrypt to match the UID on the card you're burning the image to.
Last edited by somemadeupname (2017-11-25 09:33:10)
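The replies above explain that dump files differ because some tools store extra fields next to the tag memory. The following is an added example, not code from the thread or from the Proxmark3 project: it finds the 540-byte NTAG215 image inside a dump by its UID check bytes and reports what surrounds it. Function names are hypothetical, page addresses follow the NXP NTAG21x data sheet, and the sample bytes are constructed.

```python
PAGE = 4
IMAGE_LEN = PAGE * 135            # NTAG215: pages 0x00..0x86 (NXP NTAG21x data sheet)
PWD_PAGE, PACK_PAGE = 0x85, 0x86  # both read back as zeros from a real tag


def bcc_ok(w: bytes) -> bool:
    """UID check bytes: BCC0 = 0x88^UID0^UID1^UID2, BCC1 = UID3^UID4^UID5^UID6."""
    return (w[3] == (0x88 ^ w[0] ^ w[1] ^ w[2])
            and w[8] == (w[4] ^ w[5] ^ w[6] ^ w[7]))


def find_image(dump: bytes) -> int:
    """Offset of the first 540-byte window whose UID check bytes are valid, else -1."""
    for off in range(len(dump) - IMAGE_LEN + 1):
        if bcc_ok(dump[off:off + 9]):
            return off
    return -1


def summarise(dump: bytes) -> dict:
    """Describe where the tag image sits in the file and which fields are blank."""
    off = find_image(dump)
    if off < 0:
        raise ValueError("no NTAG215 image with valid UID check bytes found")
    img = dump[off:off + IMAGE_LEN]
    pwd = img[PWD_PAGE * PAGE:(PWD_PAGE + 1) * PAGE]
    pack = img[PACK_PAGE * PAGE:PACK_PAGE * PAGE + 2]
    return {
        "offset": off,                                 # bytes of extra fields in front
        "extra_after": len(dump) - off - IMAGE_LEN,    # bytes appended after the image
        "uid": (img[0:3] + img[4:8]).hex(),
        "pwd_blank": pwd == bytes(4),
        "pack_blank": pack == bytes(2),
    }


def make_sample(uid: bytes) -> bytes:
    """Constructed blank image for the demo (not a real tag or amiibo)."""
    img = bytearray(IMAGE_LEN)
    img[0:3], img[4:8] = uid[:3], uid[3:]
    img[3] = 0x88 ^ uid[0] ^ uid[1] ^ uid[2]
    img[8] = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    return bytes(img)


if __name__ == "__main__":
    raw = make_sample(bytes.fromhex("04112233445566"))   # constructed UID
    print("user memory only :", summarise(raw))
    print("48 leading bytes :", summarise(bytes(48) + raw))        # constructed prefix
    print("32 trailing bytes:", summarise(raw + b"\xaa" * 32))     # constructed trailer
```

Comparing two dumps only from the reported offset onward separates differences in file layout from differences in the tag data itself.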