Hacking DIY amiibo cards

  • Thread starter: _Tim_
  • Views: 565,917
  • Replies: 825
  • Likes: 47
Alright, so I'm equipped with everything I need to give this a shot today:
- blank NTAG215 tags
- Amiibo dump
- hex editor
- the key to encrypt it
- Android smartphone with AmiiWrite

1) I decrypted the Amiibo dump
2) I read the NTAG215 with Android app NFC TagInfo to get the 7-byte UID.
3) I opened the Amiibo dump in a hex editor...

Where is the location of the UID to change it?
The UID is the first seven bytes of the encrypted dump, so you can search for it in the decrypted dump and change it.

EDIT: javiMaD is right. The location of the UID in the decrypted dump starts at 0x1d4. Also, are you using the API or amiitool?
 
Last edited by fraret,
NTAG 215 UID:
04 C3 7A 52 C2 3E 80

DUCK HUNT DUO UID:
04 FC 30 40 82 03 49 80

It concerns me that they both start with 04 and end with 80 but there's an extra byte in the middle of the Amiibo.

Should I be changing Duck Hunt Duo to:
04 C3 7A 52 C2 3E 80 80 ??
 
NTAG 215 UID:
04 C3 7A 52 C2 3E 80

DUCK HUNT DUO UID:
04 FC 30 40 82 03 49 80

It concerns me that they both start with 04 and end with 80 but there's an extra byte in the middle of the Amiibo.

Should I be changing Duck Hunt Duo to:
04 C3 7A 52 C2 3E 80 80 ??
Extra byte is BCC0 = 0x88 xor UID0 xor UID1 xor UID2

88 xor 04 xor C3 xor 7A = 35

04 C3 7A 35 52 C2 3E 80
 
Does this work with every smartphone? I installed amiiWrite on my S3 mini (NFC version) but every time I want to dump an amiibo it says "Woops! Please retry!"
 
Hmm, is there another signature or something that needs to be fixed besides the one at 0x80 (page 0x20)? I wrote an android app, and everything seems to be working; the decrypted dump from the fake matches the real one exactly except for the aforementioned hash and the UID, and the signature check and pwd seem fine, but when I scan it with the 3DS I get error 037-0524 "This is an invalid amiibo". Any ideas?
 
EDIT: I'm essentially asking if someone knows an easy way to calculate that extra byte.

--------------------- MERGED ---------------------------

Isn't it easier to buy these cards and put a sticker on it?
NFC Card
http://www.aliexpress.com/item/100p...ll-NFC-Mobile-Phone-NFC-Card/32258165667.html

Yes those are NTAG215s apparently so they should work.

And this should work as a writer? NFC Reader/Writer
Well that depends upon if there's any tool for it. I'd personally just use AmiiWrite and a cheap android with NFC.
 
EDIT: I'm essentially asking if someone knows an easy way to calculate that extra byte.
The first 10 bytes of the tag are determined by the NFC type A spec.

0: UID0 - the manufacturer code, always 0x04 for any NXP tag
1: UID1
2: UID2
3: BCC0 - CT ^ UID0 ^ UID1 ^ UID2 (CT is 0x88)
4: UID3 - Can't be CT (0x88)
5: UID4
6: UID5
7: UID6
8: BCC1 - UID3 ^ UID4 ^ UID5 ^ UID6
9: Internal - Always 0x48

Note that you can't actually write to any of these bytes on an actual NTAG, the first two pages are locked at the factory, and trying to write values to the first two bytes of the 3rd page does nothing (thus the static lock bytes can be set without worrying about the first two bytes of the write). Also note that tags with 4 or 10 byte UIDs have a different layout (all NTAG21x tags have 7 byte UIDs).
 
Last edited by Supercool330,
EDIT: I'm essentially asking if someone knows an easy way to calculate that extra byte.
(example for the UID I was using)

Extra byte UID3:
= 0x88 xor UID0 xor UID1 xor UID2
= 88 xor 04 xor C3 xor 7A
= ((10001000 xor 00000100) xor 11000011) xor 01111010
= (10001100 xor 11000011) xor 01111010
= 01001111 xor 01111010
= 00110101
= 35

XOR Truth Table:
AB | Q
00 | 0
01 | 1
10 | 1
11 | 0
 
Last edited by fiveighteen, Reason: added xor truth table
My head hurts from this xD
If someone can make a way to calculate this either online or as a program, I swear I will <3 you forever
 
My head hurts from this xD
If someone can make a way to calculate this either online or as a program, I swear I will <3 you forever
You can use http://xor.pw/ and the same logic as my above post.

88 xor UID0 = VAL1
VAL1 xor UID1 = VAL2
VAL 2 xor UID2 = UID3

Ex:
88 xor 04 = 8C
8C xor C3 = 4F
4F xor 7A = 35
 
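Added worked example, not code from the thread: Python that derives BCC0, BCC1 and byte 9 from a 7-byte UID following the byte layout in Supercool330's post, and checks the header of a tag read or a dump for consistency (which catches the mistaken "04 C3 7A 52 C2 3E 80 80" proposal above). The UID and dump bytes are the ones quoted in the thread; the function names are my own.

```python
CT = 0x88        # cascade tag byte from the Type A anti-collision ("CT is 0x88" in the thread)
INTERNAL = 0x48  # byte 9 of an NTAG21x, stated in the thread as always 0x48

def bcc0(uid: bytes) -> int:
    return CT ^ uid[0] ^ uid[1] ^ uid[2]          # check byte for the first cascade level

def bcc1(uid: bytes) -> int:
    return uid[3] ^ uid[4] ^ uid[5] ^ uid[6]      # check byte for the second cascade level

def header_from_uid(uid: bytes) -> bytes:
    """Build bytes 0-9 (pages 0-1 plus the first byte of page 2) from a 7-byte UID."""
    if len(uid) != 7:
        raise ValueError("NTAG21x UIDs are 7 bytes")
    if uid[0] != 0x04:
        raise ValueError("UID0 must be 0x04 for an NXP tag")
    if uid[3] == CT:
        raise ValueError("UID3 may not equal the cascade tag 0x88")
    return bytes([uid[0], uid[1], uid[2], bcc0(uid),
                  uid[3], uid[4], uid[5], uid[6], bcc1(uid), INTERNAL])

def uid_from_header(hdr: bytes) -> bytes:
    """Recover the 7-byte UID from a header, skipping BCC0 at offset 3."""
    return bytes(hdr[0:3]) + bytes(hdr[4:8])

def check_header(hdr: bytes) -> list:
    """Return the inconsistencies found in the first 8-10 bytes of a tag read or dump."""
    problems = []
    if len(hdr) < 8:
        return ["need at least 8 bytes"]
    uid = uid_from_header(hdr)
    if hdr[0] != 0x04:
        problems.append("UID0 is %02X, not 0x04" % hdr[0])
    if hdr[3] != bcc0(uid):
        problems.append("BCC0 is %02X, expected %02X" % (hdr[3], bcc0(uid)))
    if len(hdr) > 8 and hdr[8] != bcc1(uid):      # only checkable when byte 8 was read
        problems.append("BCC1 is %02X, expected %02X" % (hdr[8], bcc1(uid)))
    if len(hdr) > 9 and hdr[9] != INTERNAL:
        problems.append("byte 9 is %02X, expected 0x48" % hdr[9])
    return problems

# Values quoted in the thread: the blank tag's UID, the first 8 bytes of the Duck Hunt Duo
# dump, and the proposed replacement that forgot to recompute BCC0.
TAG_UID = bytes.fromhex("04C37A52C23E80")
DUMP_HEAD = bytes.fromhex("04FC304082034980")
BAD_HEAD = bytes.fromhex("04C37A52C23E8080")

if __name__ == "__main__":
    print(header_from_uid(TAG_UID).hex())     # 04c37a3552c23e802e48
    print(check_header(DUMP_HEAD), check_header(BAD_HEAD))
```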
How would you put that into something like PHP?
PHP (which is the worst language ever) actually supports xor, it is literally just "xor". It also supports hex literals, so your code could look something like:

$bcc0 = 0x88 ^ $uid[0] ^ $uid[1] ^ $uid[2]; // ^ is PHP's bitwise XOR; the xor keyword is logical and returns a boolean
$bcc1 = $uid[3] ^ $uid[4] ^ $uid[5] ^ $uid[6]; // $uid holds the seven UID bytes as integers

...I think I need to take a shower; I hate PHP
 
That was easy, and I was able to calculate the value correctly, thanks!
Also, PHP I like simply because it lets me make small mistakes (as long as it isn't forgetting ; or ") then IK what I messed up upon.
 
After four failed attempts I can't recognize my cloned amiibo, always the same message of "The Device You Are Using Is Not an amiibo Figure" :mellow:
 