Hacking NTAG216 Amiibo collaboration thread

KingOfTaurus

Well-Known Member
OP
Member
Joined
Feb 19, 2016
Messages
174
Trophies
0
Age
40
Location
Las Vegas
XP
220
Country
United States
Okay. Not saying you're wrong. Just trying to understand, because you can only write to 504 bytes on the ntag215 even if the data is 540 bytes in the bin file of the amiibo backup, because you cannot change the data that contains the manufacturer data. My guess is that you're writing the 540 bytes to the free 888 bytes on the ntag216, giving it an actual 1:1 copy plus the bytes you're locking and the original manufacturer data.

I received this directly from NXP, the creator of the NTAGs:

Who provided you with the explanation? Did you mean 384 bytes? That is the difference in user memory from NTAG215 to NTAG216.

Creating a partition must be something related to your specific program. Both tag types are read and written with the same low level commands, the difference is the available user space and the page addresses for the dynamic lock bytes and configuration pages. See the details in Section 8.5 Memory organization in the datasheet:

http://cache.nxp.com/documents/data_sheet/NTAG213_215_216.pdf

So, you need to know more about the program itself or ask your colleague what he means by creating partitions. The specification for Type 2 tags is available directly from the NFC Forum page:

http://nfc-forum.org/product-category/specification/page/2/

Regards!

Basically there's no such thing as a partition and if you lock the last 384 bytes with FF's and then write with tagmo, it should work. I'll try it in a bit. The program I use to write to the cards is not user friendly whatsoever.

Edit:

FF3F7FBD on page 226 (the dynamic lock) of ntag216 would lock the pages 16-224 and then block 16-225


However:

The ntag215 has 01000FBD written to its page 132 (the dynamic lock) which means:

16-31 are locked (not everything)
16-129 are blocked (everything)


Perhaps what we need is 01007FBD written to 216

16-31 locked (not everything)
16-225 blocked (everything)


Edit again:

I found an anomaly

On the successfully written 215s there's a page 135 (which, according to the datasheet, does not exist).

Where is this extra ghost page coming from?
 

gualala

Well-Known Member
Newcomer
Joined
May 2, 2011
Messages
64
Trophies
0
XP
188
Country
United States
What method did you use to read the '215 tag where page 135 appeared? The READ command grabs 4 pages and will roll over at the end.
 

KingOfTaurus

gualala said:
What method did you use to read the '215 tag where page 135 appeared? The READ command grabs 4 pages and will roll over at the end.

Just a simple reading program obtained on the marketplace. After seeing that 135th page, I see that it does mirror the 1st page. Perhaps that's the key to tricking the 216 into reading like a 215.

Mirror page 135 with the 1st. Trying now.

Edit: that failed.
 
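As an added example (not code from the thread, TagMo or NXP), here is a small Python model of the two chips' memory layout that checks the lock-byte arithmetic from the earlier post and explains the "ghost page": it decodes and builds the 4-byte dynamic-lock word for NTAG215 (page 130 in my reading of the datasheet) and NTAG216 (page 226), and models the READ command's roll-over, which is why a READ at page 132 of a 135-page NTAG215 returns pages 132, 133, 134 and then page 0 again. The page counts, lock-page addresses and bit assignments are my transcription of the NXP NTAG213/215/216 datasheet (sections 8.5 and 10.2), so treat them as assumptions and check them against the PDF linked above.

```python
"""Added example (not code from the thread, TagMo or NXP): NTAG215/NTAG216
memory geometry, dynamic lock bytes and READ roll-over.  Page numbers and
bit assignments are my transcription of the NTAG213/215/216 datasheet
(sections 8.5 and 10.2); treat them as assumptions and verify them."""

# Page numbers are decimal (page 0x82 == 130, page 0xE2 == 226).
TAGS = {
    "NTAG215": {"pages": 135, "user": (4, 129), "dyn_lock": 130},
    "NTAG216": {"pages": 231, "user": (4, 225), "dyn_lock": 226},
}

# (byte within the dynamic-lock page, bit, first page, last page).
# LOCK bits make user pages read-only; BL (block-locking) bits freeze the
# LOCK bits so they can never be changed again.  Byte 3 of that page is not
# a lock byte and reads back as 0xBD.
LOCK = {
    "NTAG215": [(0, b, 16 + 16 * b, 31 + 16 * b) for b in range(7)] + [(0, 7, 128, 129)],
    "NTAG216": [(0, b, 16 + 16 * b, 31 + 16 * b) for b in range(8)]
    + [(1, b, 144 + 16 * b, 159 + 16 * b) for b in range(5)] + [(1, 5, 224, 225)],
}
BLOCK = {
    "NTAG215": [(2, b, 16 + 32 * b, 47 + 32 * b) for b in range(3)] + [(2, 3, 112, 129)],
    "NTAG216": [(2, b, 16 + 32 * b, 47 + 32 * b) for b in range(6)] + [(2, 6, 208, 225)],
}


def _pages(table, word):
    pages = set()
    for byte, bit, first, last in table:
        if (word[byte] >> bit) & 1:
            pages.update(range(first, last + 1))
    return pages


def decode_lock_word(tag, word):
    """Return (locked_pages, frozen_pages) for the 4-byte dynamic-lock page."""
    word = bytes(word)
    if len(word) != 4:
        raise ValueError("the dynamic lock page is 4 bytes")
    return _pages(LOCK[tag], word), _pages(BLOCK[tag], word)


def build_lock_word(tag, locked_ranges, freeze_all=False):
    """Inverse of decode_lock_word: set the LOCK bit of every range that lies
    fully inside a requested (first, last) range; optionally set all BL bits.
    Requests that do not line up with the lock granularity are rejected."""
    want = set()
    for first, last in locked_ranges:
        want.update(range(first, last + 1))
    word, covered = bytearray(b"\x00\x00\x00\xbd"), set()
    for byte, bit, first, last in LOCK[tag]:
        rng = set(range(first, last + 1))
        if rng <= want:
            word[byte] |= 1 << bit
            covered |= rng
    if covered != want:
        raise ValueError(f"pages {sorted(want - covered)} cannot be locked individually")
    if freeze_all:
        for byte, bit, _, _ in BLOCK[tag]:
            word[byte] |= 1 << bit
    return bytes(word)


def read_page_indices(tag, addr):
    """Pages a READ(addr) returns: four consecutive pages, rolling over to
    page 0 past the last page (datasheet 10.2).  Assumes no AUTH0/password
    restriction, which would shorten the accessible area."""
    n = TAGS[tag]["pages"]
    if not 0 <= addr < n:
        raise ValueError("page address out of range")
    return [(addr + i) % n for i in range(4)]


def read4(tag, dump, addr):
    """Model READ against a complete dump (4 bytes per page)."""
    if len(dump) != 4 * TAGS[tag]["pages"]:
        raise ValueError("dump size does not match the tag type")
    return b"".join(dump[4 * p:4 * p + 4] for p in read_page_indices(tag, addr))


def fmt(pages):
    """Collapse a set of pages into 'a-b, c' for printing."""
    out, run = [], []
    for p in sorted(pages) + [None]:
        if run and (p is None or p != run[-1] + 1):
            out.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))
            run = []
        if p is not None:
            run.append(p)
    return ", ".join(out)


if __name__ == "__main__":
    # The lock word an amiibo dump carries on its NTAG215 and the two
    # NTAG216 candidates discussed in the thread.
    for tag, hexword in (("NTAG215", "01000FBD"), ("NTAG216", "01007FBD"), ("NTAG216", "FF3F7FBD")):
        locked, frozen = decode_lock_word(tag, bytes.fromhex(hexword))
        print(f"{tag} {hexword}: locked {fmt(locked) or '-'}; frozen {fmt(frozen) or '-'}")
    print("NTAG216 word for 'lock 16-31, freeze all':",
          build_lock_word("NTAG216", [(16, 31)], freeze_all=True).hex().upper())
    # The "ghost page 135": a 540-byte dump is exactly 135 pages, so READ at
    # page 132 returns pages 132, 133, 134 and then page 0 again.
    dump = (bytes(range(256)) * 3)[:540]          # constructed filler dump
    print("NTAG215 READ(132) returns pages", read_page_indices("NTAG215", 132))
    assert read4("NTAG215", dump, 132)[12:] == dump[:4]
```

Running it prints that 01 00 0F BD locks 16-31 and freezes 16-129 on a 215, that 01 00 7F BD is the 216 word with the same meaning (16-31 locked, 16-225 frozen), and that FF 3F 7F BD locks everything from page 16 up. The builder refuses ranges that do not fall on the 16-page (or 2-page tail) boundaries the lock bits give you, which is the constraint the "land on page 138" arithmetic later in the thread runs into.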

Phantisy

Well-Known Member
Newcomer
Joined
Feb 12, 2016
Messages
90
Trophies
0
XP
134
Country
United States
KingOfTaurus said:
Just a simple reading program obtained on the marketplace. After seeing that 135th page, I see that it does mirror the 1st page. Perhaps that's the key to tricking the 216 into reading like a 215.

Mirror page 135 with the 1st. Trying now.

Edit: that failed.
When I read the tag info with the app on my phone I see page 0-134. You are able to create an NDEF "partition", but I am not sure this is what needs to be done to take up those "extra" 384 bytes and you just fill them with FF's. I do not have any 216 tags to try anything though. All I have are 215's.
 

KingOfTaurus

Phantisy said:
When I read the tag info with the app on my phone I see pages 0-134. You are able to create an NDEF "partition", but I am not sure this is what needs to be done to take up those "extra" 384 bytes and you just fill them with FF's. I do not have any 216 tags to try anything though. All I have are 215's.

I'll try making a 384 byte ndef message on a 216, then write with tagmo and see what happens. Give me a minute to update this post.

Edit: I wrote a 384 byte ndef and "locked" it, but I guess it was not a permanent lock and tagmo overwrote it and messed it all up again as if I had not written anything. Trying again and going to manually lock those pages. Wish me luck on the next attempt.
 

Phantisy

Well-Known Member
Newcomer
Joined
Feb 12, 2016
Messages
90
Trophies
0
XP
134
Country
United States
KingOfTaurus said:
I'll try making a 384 byte ndef message on a 216, then write with tagmo and see what happens. Give me a minute to update this post.

It may be possible that it has to be done after page 134. Do you know what the pages look like on a blank 215 tag?

EDIT:

It looks like there is a way to write to specific bytes. I am sure you would need to lock those pages/bytes once you write to them as well.
 

KingOfTaurus

Phantisy said:
It may be possible that it has to be done after page 134. Do you know what the pages look like on a blank 215 tag?

EDIT:

It looks like there is a way to write to specific bytes. I am sure you would need to lock those pages/bytes once you write to them as well.

Here's a blank 215 tag; ignore the last page.

Edit: If I were to write 348 bytes from page 225 of a 216 backwards going up, I'd write 87 pages of data and land on page 138. I cannot lock page 139 and beyond, due to the way the locks work. If I were to lock page 138, I'd also be locking 112-143 in the process.

If I were to write 384, I'd write 96 pages and land on page 129, which would write into the area that an Amiibo needs, and again I could not lock page 130 and beyond.


Here's a spreadsheet explaining the locks for 216, 215, and a written Amiibo for you guys to look at

https://docs.google.com/spreadsheets/d/1jAAgJD8ENUqq827NXMye6j3SuU0oJJPCK4vnfCJL1uw/edit?usp=sharing
 

Attachments

  • BLANK.txt.zip (195 bytes)

KingOfTaurus

I found something online about having multiple NDEF messages:


So just to wrap this up: I've hacked together a tag containing two separate NDEF messages as opposed to one message with two records. At the byte level directly on the tag, this looks as follows:

0x03<length1><message1>...0x03<length2><message2>...0xFE
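An added example, not code from the thread: a parser and builder for the Type 2 Tag TLV area described in that quote, so you can see what a tag carrying two NDEF messages, or one padded filler message, looks like byte by byte. The TLV types and the 3-byte length form are from the NFC Forum Type 2 Tag specification as I know it; the text-record builder and all sample bytes are constructed for this example.

```python
"""Added example (not from the thread): walker and builder for a Type 2 Tag
TLV area: 0x03 <len> <NDEF message> ... 0x03 <len> <NDEF message> ... 0xFE.
TLV types/length encoding per the NFC Forum Type 2 Tag spec as I know it;
sample bytes are constructed."""

NULL, NDEF_MSG, PROPRIETARY, TERMINATOR = 0x00, 0x03, 0xFD, 0xFE


def parse_tlvs(area):
    """Return ([(type, value), ...], terminator_offset).  NULL TLVs are
    skipped; a missing terminator yields len(area); truncation is an error."""
    tlvs, i = [], 0
    while i < len(area):
        t = area[i]
        if t == NULL:                              # single-byte padding TLV
            i += 1
            continue
        if t == TERMINATOR:
            return tlvs, i
        if i + 1 >= len(area):
            raise ValueError(f"TLV type 0x{t:02X} at offset {i} has no length byte")
        length, hdr = area[i + 1], 2
        if length == 0xFF:                         # 3-byte length form
            if i + 3 >= len(area):
                raise ValueError(f"truncated 3-byte length at offset {i}")
            length, hdr = (area[i + 2] << 8) | area[i + 3], 4
        value = bytes(area[i + hdr:i + hdr + length])
        if len(value) != length:
            raise ValueError(f"TLV at offset {i} declares {length} bytes, {len(value)} present")
        tlvs.append((t, value))
        i += hdr + length
    return tlvs, len(area)


def build_tlv_area(messages, pad_to=None, fill=0x00):
    """Emit one NDEF Message TLV per message, then a terminator, then `fill`
    bytes up to pad_to (readers ignore whatever follows the terminator)."""
    out = bytearray()
    for m in messages:
        out.append(NDEF_MSG)
        if len(m) < 0xFF:
            out.append(len(m))
        else:                                      # 0xFF escapes to 2-byte length
            out += bytes((0xFF, len(m) >> 8, len(m) & 0xFF))
        out += m
    out.append(TERMINATOR)
    if pad_to is not None:
        if len(out) > pad_to:
            raise ValueError(f"{len(out)} bytes of TLVs do not fit in {pad_to}")
        out += bytes([fill]) * (pad_to - len(out))
    return bytes(out)


def text_record(text, lang="en"):
    """One NDEF short record (MB=ME=SR=1, TNF=1 well-known, type 'T'):
    payload = status byte (UTF-8, language length) + language + text."""
    payload = bytes([len(lang)]) + lang.encode() + text.encode()
    if len(payload) > 255:
        raise ValueError("short record payload must be <= 255 bytes")
    return bytes([0xD1, 0x01, len(payload)]) + b"T" + payload


if __name__ == "__main__":
    area = build_tlv_area([text_record("hello"), text_record("second message")], pad_to=48)
    print(area.hex())
    for t, v in parse_tlvs(area)[0]:
        print(f"type 0x{t:02X}: {v.hex()}")
```

The builder switches to the 0xFF + 2-byte length form automatically for messages of 255 bytes or more, which is what a 384-byte filler like the one tried above would need; the parser rejects a TLV whose declared length runs past the end of the area rather than silently reading garbage.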
 

asper

Well-Known Member
Member
Joined
May 14, 2010
Messages
942
Trophies
1
XP
2,028
Country
United States
Still could not get my compiled app to run correctly. Familiar with Java/C++/Embedded C but new to Android. I guess NDK is needed for amiitool; anyone got brief instructions on how to generate the apk?

@KingOfTaurus: Have you tried:
1. writePages(mifare, 3, 129, pages); as normal
2. write the config data to data pages 130, 131 & 132
3. writePassword(mifare); to pages 230 & 229
4. writeLockInfo(mifare); to pages 2, 226, 227 & 228

Judging from the read procedure on 3DBrew, the read results should be identical to a '215's except for GET_VERSION. However, the second step "READ, startpage=0x03." looks strange: this reads 4 bytes from 0x03 to 0x06, which does not contain the UID required by the next step.
  • Read procedure
    • GET_VERSION
    • READ, startpage=0x03.
    • PWD_AUTH. Key is based on UID.
    • FAST_READ: startpage=0x00, endpage=0x3B
    • FAST_READ: startpage=0x3C, endpage=0x77
    • FAST_READ: startpage=0x78, endpage=0x86
Does anyone know any proxmark3 services so we could send in the tagmo-written '216 (and a new3DS, if they don't have a console) to check whether the consoles continue reading the tag even if GET_VERSION does not match a '215?

Here is what a pm3 listening to a pad<->ntag216 transaction sees:
Code:
40662432 |   40663488 | Rdr |26                                                               |     | REQA
   40664676 |   40667044 | Tag |44  00                                                           |     |
   41114480 |   41119248 | Rdr |50  00  57  cd                                                   |  ok | HALT
   41183824 |   41184816 | Rdr |52                                                               |     | WUPA
   41186068 |   41188436 | Tag |44  00                                                           |     |
   41196928 |   41199392 | Rdr |93  20                                                           |     | ANTICOLL
   41200580 |   41206404 | Tag |88  04  40  27  eb                                               |     |
   41215008 |   41225536 | Rdr |93  70  88  04  40  27  eb  95  4a                               |  ok | SELECT_UID
   41226708 |   41230228 | Tag |04  da  17                                                       |     |
   41238704 |   41241168 | Rdr |95  20                                                           |     | ANTICOLL-2
   41242340 |   41248228 | Tag |9a  98  3c  81  bf                                               |     |
   41256832 |   41267296 | Rdr |95  70  9a  98  3c  81  bf  9e  03                               |  ok | ANTICOLL-2
   41268532 |   41272116 | Tag |00  fe  51                                                       |     |
   41296864 |   41300480 | Rdr |60  f8  32                                                       |  ok | EV1 VERSION
   41301652 |   41313300 | Tag |00  04  04  02  01  00  13  03  b1  ad                           |  ok |
   41364896 |   41369664 | Rdr |3c  00  a2  01                                                   |  ok | READ_SIG
   41370868 |   41410164 | Tag |c9  bd  e2  fa  c4  5c  58  be  50  c2  fc  4b  9e  05  b1  d3   |     |
            |            |     |6d  60  f8  8d  83  7a  49  a4  fb  5d  d1  a7  10  68  3e  2d   |     |
            |            |     |d4  a2                                                           |  ok |
   41432816 |   41437520 | Rdr |30  03  99  9a                                                   |  ok | READBLOCK(3)
   41438756 |   41459556 | Tag |e1  10  6d  00  03  00  fe  00  00  00  00  00  00  00  00  00   |     |
            |            |     |4a  93                                                           |  ok |
   41963584 |   41964640 | Rdr |26                                                               |     | REQA
   41965828 |   41968196 | Tag |44  00                                                           |     |
   42415728 |   42420496 | Rdr |50  00  57  cd                                                   |  ok | HALT
   42485072 |   42486064 | Rdr |52                                                               |     | WUPA
   42487300 |   42489668 | Tag |44  00                                                           |     |
   42498176 |   42500640 | Rdr |93  20                                                           |     | ANTICOLL
   42501812 |   42507636 | Tag |88  04  40  27  eb                                               |     |
   42516256 |   42526784 | Rdr |93  70  88  04  40  27  eb  95  4a                               |  ok | SELECT_UID
   42527972 |   42531492 | Tag |04  da  17                                                       |     |
   42539968 |   42542432 | Rdr |95  20                                                           |     | ANTICOLL-2
   42543604 |   42549492 | Tag |9a  98  3c  81  bf                                               |     |
   42558048 |   42568512 | Rdr |95  70  9a  98  3c  81  bf  9e  03                               |  ok | ANTICOLL-2
   42569748 |   42573332 | Tag |00  fe  51                                                       |     |
   42602192 |   42605808 | Rdr |60  f8  32                                                       |  ok | EV1 VERSION
   42606980 |   42618628 | Tag |00  04  04  02  01  00  13  03  b1  ad                           |  ok |
   42674560 |   42679328 | Rdr |3c  00  a2  01                                                   |  ok | READ_SIG
   42680500 |   42719796 | Tag |c9  bd  e2  fa  c4  5c  58  be  50  c2  fc  4b  9e  05  b1  d3   |     |
            |            |     |6d  60  f8  8d  83  7a  49  a4  fb  5d  d1  a7  10  68  3e  2d   |     |
            |            |     |d4  a2                                                           |  ok |
   42738048 |   42742752 | Rdr |30  03  99  9a                                                   |  ok | READBLOCK(3)
   42743988 |   42764788 | Tag |e1  10  6d  00  03  00  fe  00  00  00  00  00  00  00  00  00   |     |
            |            |     |4a  93                                                           |  ok |
   72994336 |   72995392 | Rdr |26                                                               |     | REQA

The pad gets the UID, reads the tag signature to see if it is authentic, then reads block 3: in that case without finding any good information to consider it an amiibo, so it starts again to see if an amiibo pops in. Tested by a friend with 2 amiibo-compatible game titles. Reading that, the pad is not looking specifically for an ntag215, so an ntag216 could do the job if correctly programmed.
 

gualala

asper said:
(pm3 trace quoted above)

The pad gets the UID, reads the tag signature to see if it is authentic, then reads block 3: in that case without finding any good information to consider it an amiibo, so it starts again to see if an amiibo pops in. Tested by a friend with 2 amiibo-compatible game titles. Reading that, the pad is not looking specifically for an ntag215, so an ntag216 could do the job if correctly programmed.

Wow, interesting read. That matches the 3Dbrew description. Perhaps writing the correct data in the CC (page 0x03) would trigger the next stage of the read routine, and we will know which data page we are stalled on. [I could donate a few (<10) '216s if you want]
 

dpad_5678

Ape weak on own. Ape strong in unity.
Member
Joined
Nov 19, 2015
Messages
2,219
Trophies
1
XP
2,880
Country
United States
Yes, if by "partition" in this context you mean "NDEF record"...
Yep, but a lot of people refer to them as "partitions". It's the same concept as partitions on digital storage. Maybe you have an 8GB drive but need it to be partitioned as FAT. FAT has a partition limit of 2GB. You would make a 6GB second partition to be able to format the first 2GB partition as FAT.
 

Sliter

Well-Known Member
Member
Joined
Dec 7, 2013
Messages
3,264
Trophies
0
Location
ᕕ( ᐛ )ᕗ
XP
1,770
Country
Brazil
nice that it's happening XD when I get any nfc writing device I would like to try to help here o3o


dpad_5678 said:
Apologies to anyone I pissed off.
(...)
(lol)
Hell, I even apologized for not explaining earlier and causing tension between me and other members.
yeah, your avatar and signature tell that you really don't like to make fun of people trying to do stuff and not being able to xp
You know that it would not only bring piracy, but help a lot with accessibility (amiibos aren't cheap all over the world, you do understand that, right? and also NTAG215s aren't easy to find, or importing them is a problem), portability and collection stuff (the ones that don't want to get the amiibos out of the box but want the functionality ...)

Anyway I think we discussed this too much, but with this attitude I still see you as a bad pirate that wants all the gold only for himself and laughs at the poor, not a copyright and legal stuff defender hahaha
at least you are giving hints now... whether true or not xp

Also you say it was an easy task and everybody with good knowledge of the NTAG stuff can't do it, this is the strange part, but anyway, I have other stuff to care about xp

Edit:
dpad_5678 said:
You quoted me from a post I made over a month ago.
It's my first post in this thread, if you didn't notice; I hadn't seen this post a month ago, only just now =A= See, you can help the others but want to hide the gold? You proved yourself how helpful you are xD nice job

also I'm not going to waste more posts with you xP
 

dpad_5678

Sliter said:
(post quoted above)

You quoted me from a post I made over a month ago.

I've always revealed THIS which made a lot of people happy.
 

Nephiel

Artificer
Member
Joined
Nov 3, 2002
Messages
253
Trophies
2
XP
783
Country
dpad_5678 said:
Yep, but a lot of people refer to them as "partitions". It's the same concept as partitions on digital storage. Maybe you have an 8GB drive but need it to be partitioned as FAT. FAT has a partition limit of 2GB. You would make a 6GB second partition to be able to format the first 2GB partition as FAT.
I see. It's just that I have never heard the term "partition" applied to NFC storage before.

(Actually, in the FAT example, you don't really need to make a second partition. You can simply leave the remaining 6GB as unpartitioned space, unused. But I get the point.)
 

Kafluke

Well-Known Member
Member
Joined
May 6, 2006
Messages
5,474
Trophies
0
Age
47
XP
4,636
Country
United States
Bought as listed, but in the end it was mislabelled.

I'll buy one another time. The shipping time was retarded on this one.
Exact thing happened to me. Listed as 215s, showed up as 216s. Not worth the hassle to send back. I got some 215s now but I still have a stack of 216s collecting dust.
 
