Hacking DIY amiibo cards

  • Thread starter: _Tim_
  • Views: 566,082
  • Replies: 825
  • Likes: 47
For dumping I use the Amiiqo app on Android, or a PC with https://github.com/socram8888/ulread. The latter is recommended because it works to write blank tags.
I don't understand. I don't have an NFC writer for PC at all so I have to do anything with my Android smartphone. I heard it's possible, isn't it?
The amiiqo app doesn't work because it needs a blank tag to do so.
 
Every time I want to scan an amiibo, the amiiqo app says that it found an unsupported tag, which is really strange. So I concluded that it has to be a blank tag. Maybe it's my smartphone's fault.
 
Then dumping a regular amiibo will work. Or, you can use that ISO site for the handheld console that amiibo work with, and get every Amiibo ever.
 
Naah, I don't really wanna use dat iso site. So just put my amiibo on my phone to dump with the amiiqo app? It doesn't work; maybe I should try on another smartphone.

EDIT: Same error on another S3 Mini. I will try on S4 this evening.
 
Last edited by Julizi,
Not at all. 215 has 540 bytes, Amiibo needs 540 bytes, and NTAG215s are 540 bytes. All others are lesser, or in the case with NTAG216s, too much.
 
You need to send this ISO14443A APDU:

1B+4bytes-PWD+2bytes ISO14443A-CRC (7 bytes total).

and you should get 2bytes-PACK back as answer if the command got executed correctly.
I suggest you find an app that is able to manage ALL the NTAG215 command set (not only ISO14443A standard commands, because the 1B command is not standard, it is NXP proprietary) or to send the raw command with or without automatically calculating the ISO14443A-CRC.
1) Decrypted the Amiibo dump
2) Read the NTAG215 with Android app NFC TagInfo to get the 7-byte UID.
3) Calculated the UID3 byte.
4) Opened the decrypted Amiibo dump in a hex editor and changed the UID to match the NTAG215
5) Created the keyfile for amiitool
6) Re-encrypted the Amiibo dump with "amiitool -e -k keys.bin -i decrypted.bin -o encrypted.bin"

Now where does this part that you posted come into play? I'm trying to make sure I have all of my ducks in a row so I don't waste any tags here.
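
The 7-byte frame described in the post quoted above (1B + 4-byte PWD + 2-byte ISO14443A CRC) and the check on the PACK reply, as an added Python example that is not part of the original thread. The function names and the sample password are constructed for illustration, and the code assumes the reader hands back the raw reply with its CRC_A still attached (many NFC stacks append and strip the CRC themselves).

```python
# Added example: NTAG21x PWD_AUTH framing with ISO/IEC 14443-3 CRC_A.
PWD_AUTH = 0x1B  # NXP proprietary command byte quoted in the thread


def crc_a(data: bytes) -> bytes:
    """CRC_A: init 0x6363, reflected poly 0x8408, sent low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def build_pwd_auth(pwd: bytes) -> bytes:
    """Return the 7-byte frame: 1B + 4-byte PWD + 2-byte CRC_A."""
    if len(pwd) != 4:
        raise ValueError("PWD must be exactly 4 bytes")
    body = bytes([PWD_AUTH]) + pwd
    return body + crc_a(body)


def parse_pack(response: bytes) -> bytes:
    """Validate a raw PACK + CRC_A reply and return the 2-byte PACK."""
    if len(response) != 4:
        raise ValueError(f"expected 4 bytes (PACK + CRC_A), got {len(response)}")
    pack, crc = response[:2], response[2:]
    if crc_a(pack) != crc:
        raise ValueError("CRC_A mismatch in PWD_AUTH response")
    return pack


if __name__ == "__main__":
    # Constructed placeholder password, not taken from any real tag.
    sample_pwd = bytes.fromhex("01020304")
    print("PWD_AUTH frame:", build_pwd_auth(sample_pwd).hex(" "))
    # Constructed reply carrying the PACK value 0x80 0x80 mentioned in the thread.
    reply = bytes.fromhex("8080") + crc_a(bytes.fromhex("8080"))
    print("PACK:", parse_pack(reply).hex(" "))
```
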
 
I successfully dumped my amiibos via an Android S4 phone. Now I need to compile amiitool and try to decrypt them.
 
Last edited by Julizi,
Now with the correct PACK0 and PACK1 (0x80, 0x80) I get an error 168-0413
I think there is another piece (hmac hash or something) that we are missing. I have checked everything about my clones, PWD, PACK, HMAC at 0x80, settings, etc. and everything checks out but they still don't work. As far as I can tell, 168-0413 is the Wii U equivalent of the 3DS 037-0524 error I have been getting. Has anybody successfully gotten a clone to work?

Not at all. 215 has 540 bytes, Amiibo needs 540 bytes, and NTAG215s are 540 bytes. All others are lesser, or in the case with NTAG216s, too much.
Actually the problem isn't the size exactly, the problem is that the GET_VERSION command returns a different value on the NTAG216.
 
Last edited by Supercool330,
I'd like to order a few tags as well and try them out, but it's a shame they're not rewritable. I don't want to pay 1$ for every false attempt, so I'm just gonna wait till the method is more refined.
 
True, but he was using a modified version of amiitool that I'm guessing corrected one of the other signatures. My gut says that it is likely the 0x20 block at 0x34, as that is locked and isn't used as part of the per-amiibo key generation. It could also be the section at 0x60 using a different HMAC key though (like the master one, or another altogether).

...They are rewritable!
No they aren't. Once you set the lock bits (which must be set to attempt a clone), the locked areas can't be rewritten.
 
Last edited by Supercool330,