Hacking DIY amiibo cards

  • Thread starter: _Tim_
  • Views: 565,915
  • Replies: 825
  • Likes: 47
First, congrats, been following you guys' progress and it's been amazing ^^

I hate to be that guy, and I don't wanna jump the gun, but how likely is it to be at some point able to use the wii u drc/new 3ds to write tags from scratch? (or you can't write everything with the 3ds/n3ds/wii u nfc chip?)

sorry for the noob question.
 
If you're stuck in the UI you could open-source it and post a thread in the mobile technology subforum
Not so much stuck as unmotivated XD

I hate to be that guy, and I don't wanna jump the gun, but how likely is it to be at some point able to use the wii u drc/new 3ds to write tags from scratch? (or you can't write everything with the 3ds/n3ds/wii u nfc chip?)
Not really a noob question at all. It should be possibleish, but we would need pretty low level access to use the NFC hardware directly. Any type 2 nfc reader can theoretically write these tags (there isn't really an inherent difference between reading and writing an nfc tag, they are both just messages sent to the tag), the issue is just getting the software to talk to the nfc chip correctly.
 
Last edited by Supercool330,
pretty low level access to use the NFC hardware directly.
We have, at least on the Wii U. There's NTAG.rpl, and it looks like it's for game developers to implement their own NFC toys/cards for use with the DRC NFC-module. I can try to write a little sample app, if anyone wants me to.
 
We have, at least on the Wii U. There's NTAG.rpl, and it looks like it's for game developers to implement their own NFC toys/cards for use with the DRC NFC-module. I can try to write a little sample app, if anyone wants me to.
Interesting, are there any docs for that module? I'm not sure it will be low level enough as we need to be able to write the config pages, and set the password. That might work though. If that doesn't work, I suspect it would be possible with nfc.rpl for sure.
 
Last edited by Supercool330,
I think most of us don't care about UI. You can have clickable text on a black screen. :D
I care about UI

I'm not actually comfortable posting code to do this (don't want to get in trouble with anybody, and the previous code I posted is really just a python port of amiitool with some added nfc stuff). The missing piece however is in fact using the locked secret keys to generate another derived keyset, and then using the hmac key from that keyset to hash the last two pieces hashed for the key at 0x80 (0x00 to 0x08 and 0x54 to 0x80). I actually just guessed this, and it was essentially my first guess after I thought to use the locked secret keys. I'll let somebody else write up the final code and share it.
 
Last edited by Supercool330,
Interesting, are there any docs for that module? I'm not sure it will be low level enough as we need to be able to write the config pages, and set the password. That might work though. If that doesn't work, I suspect it would be possible with nfc.rpl for sure.

NFC.rpl is the way to go, it has NFCRead(), NFCSetLockBitsForT1T(), NFCWrite(), NFCSendRawData, NFCGetUID() and some more useful stuff. I might build a little sample app today if I can get it to work :P
 
Hi, I am after some help again. I am eventually trying to write an android app to write NTAG215 tags. At the moment I am seeing the responses I get back from using the app amiiWrite, but I have hit a problem.
I can't seem to get past the authentication stage: when the part of the program uses tag.transceive to send 0x1B and the 4 bytes PWD (these 5 bytes look OK to me), it just throws an exception, no idea why. Has anyone else come across this?

Is there a different method you have to use with a blank tag as opposed to an actual amiibo?

Any help appreciated..


*** It is OK problem solved ***
 
Last edited by nurofen,
I care about UI

I'm not actually comfortable posting code to do this (don't want to get in trouble with anybody, and the previous code I posted is really just a python port of amiitool with some added nfc stuff). The missing piece however is in fact using the locked secret keys to generate another derived keyset, and then using the hmac key from that keyset to hash the last two pieces hashed for the key at 0x80 (0x00 to 0x08 and 0x54 to 0x80). I actually just guessed this, and it was essentially my first guess after I thought to use the locked secret keys. I'll let somebody else write up the final code and share it.

As long as you don't post the keys or give direct links to them (you can say which keys), you're fine.
 
We have, at least on the Wii U. There's NTAG.rpl, and it looks like it's for game developers to implement their own NFC toys/cards for use with the DRC NFC-module. I can try to write a little sample app, if anyone wants me to.
Is NTAG.rpl included in the Wii U SDK, or do you need to dump it from the Wii U NAND? Because my Wii U version is 5.5.0 and I can do nothing
I'm currently working with the Old3DS nfc system-module (TitleID 0004013000004002)
 
The SCL011's drivers integrate it into the pc/sc API, so I'm just using a .NET wrapper around that API to access it. Most card readers should be supported that way. I'll try nfcpy sometime tomorrow and report back.
Have you tried to use SCL011 with NTags?
 
@rena2019 Amiibos are ntag215/type 2-ntags, so yeah, I did. If you are asking about blank ntags, I haven't received them to test yet, but they should work pretty much the same way.
 
@rena2019 Amiibos are ntag215/type 2-ntags, so yeah, I did. If you are asking about blank ntags, I haven't received them to test yet, but they should work pretty much the same way.
Hmmm.....today I tried it again (because it was not working for me last week) and it is working with the STORAGE_CARD_CMDS_READ_BINARY. APDU to read out first page is 0xFF 0xB0 0x00 0x00 0x00
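
The PC/SC read quoted in the post above, as an added example that is not part of the thread: it builds the same `FF B0 00 <page> <Le>` APDU, strips the status word from the reply, and checks the two UID check bytes a 7-byte-UID type 2 tag stores in pages 0 to 2. The function names and the sample reply are constructed for illustration, and it assumes the reader returns 16 bytes (four pages) followed by `90 00`.

```python
# Added example; SAMPLE_REPLY is constructed, not captured from a real tag.
READ_BINARY_PAGE0 = bytes([0xFF, 0xB0, 0x00, 0x00, 0x00])  # APDU quoted in the post
CASCADE_TAG = 0x88  # ISO/IEC 14443-3 cascade tag, mixed into BCC0 for 7-byte UIDs

# Pages 0-3: UID0-2 + BCC0 | UID3-6 | BCC1, internal, lock bytes | CC, then SW 90 00
SAMPLE_REPLY = bytes.fromhex("04a1b29f" "c3d4e5f6" "04480000" "e1103e00" "9000")


def read_binary_apdu(page: int, length: int = 0) -> bytes:
    """Build FF B0 00 <page> <Le>; Le=0 leaves the length to the reader."""
    if not 0 <= page <= 0xFF or not 0 <= length <= 0xFF:
        raise ValueError("page and length must each fit in one byte")
    return bytes([0xFF, 0xB0, 0x00, page, length])


def split_response(resp: bytes) -> bytes:
    """Strip the SW1 SW2 trailer and return the data, or raise on failure."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    data, sw = resp[:-2], resp[-2:]
    if sw != b"\x90\x00":
        raise IOError(f"reader returned status {sw.hex()}")
    return data


def parse_uid(data: bytes) -> bytes:
    """Extract the 7-byte UID from pages 0-1 and verify both check bytes."""
    if len(data) < 9:
        raise ValueError("need at least 9 bytes (pages 0-2) to check the UID")
    uid = data[0:3] + data[4:8]
    bcc0 = CASCADE_TAG ^ data[0] ^ data[1] ^ data[2]
    bcc1 = data[4] ^ data[5] ^ data[6] ^ data[7]
    if data[3] != bcc0 or data[8] != bcc1:
        raise ValueError("UID check byte mismatch: corrupt read or not a 7-byte-UID tag")
    return uid


if __name__ == "__main__":
    print("APDU:", read_binary_apdu(0).hex())
    print("UID :", parse_uid(split_response(SAMPLE_REPLY)).hex())
```

A check-byte mismatch on a real read usually means the reply was truncated or the tag is not the type expected, which is worth ruling out before trusting any later page data.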
 
Another question: can I rewrite an amiibo card? And what android app can I use for writing tags?
 
