Hacking DIY amiibo cards

[fraret]

I am stuck again, I think I am getting closer, but I want to check my keys file (The locked secret one, not the unfixed infos) can someone help me out here, maybe an md5 checksum or something?

I posted the md5 checksum of the keyfile in this thread:

Md5 of my keyfile: 2551afc7c8813008819836e9b619f7ed

 

[nurofen]

I posted the md5 checksum of the keyfile in this thread:

Thanks, but I need the 'Locked secret' key file, not the 'Unfixed infos'.

 

[fraret]

Thanks, but I need the 'Locked secret' key file, not the 'Unfixed infos'.

There's only one keyfile to use with amiitools

 

[fiveighteen]

There's only one keyfile to use with amiitools

Re-read the last few pages of this thread. We're obviously missing extra pieces to be able to write the bins back to NTAG215s.

Mhetralla's post summed it up nicely.

 

[derthomas]

Sorry, didnt follow the whole thread, but what I understand so far: its not possible to recreate OPs cards so far? Not sure, if I should buy the stickers already.

 

[nurofen]

As I say, I am pretty close. I think I understand, but really need a few more clues / help from @Supercool330 as he has got this to work.
Basically I understand using the 'unfixed infos' key and hashing against 0x011:0x034,0x0A0:0x208,0x034:0x054,0x000:0x008 and 0x054:0x080 to produce the Unfixed HASH for the data at 0x80:0xA0

Now what I think we need before we do this is create the 'Locked secret' HASH at 0x034:0x054. This is where I am stuck, I know we use the 'Locked secret' keyset but I can't work out which areas to HASH against , my guess would be the areas that are not updateable, i.e. 0x208:0x21c ,0x000:0x008 and 0x054:0x080.

As the area 0x034:0x054 is not encrypted I should be able to check the generated data against the actual data. However I am not having much luck. It could be that my keyfile is incorrect.
If anyone can give us some more clues that would be great.

 

[javiMaD]

As I say, I am pretty close. I think I understand, but really need a few more clues / help from @Supercool330 as he has got this to work.
Basically I understand using the 'unfixed infos' key and hashing against 0x011:0x034,0x0A0:0x208,0x034:0x054,0x000:0x008 and 0x054:0x080 to produce the Unfixed HASH for the data at 0x80:0xA0

Now what I think we need before we do this is create the 'Locked secret' HASH at 0x034:0x054. This is where I am stuck, I know we use the 'Locked secret' keyset but I can't work out which areas to HASH against , my guess would be the areas that are not updateable, i.e. 0x208:0x21c ,0x000:0x008 and 0x054:0x080.

As the area 0x034:0x054 is not encrypted I should be able to check the generated data against the actual data. However I am not having much luck. It could be that my keyfile is incorrect.
If anyone can give us some more clues that would be great.

Using 'locked secret' keyset.

'tag' format:
Calc hash of (0x000:0x007 + 0x054:0x07F) (52 bytes), put this hash (32 bytes) at 0x034

'internal' format:
Calc hash of (0x1D4:0x207) (52 bytes), put this hash (32 bytes) at 0x1B4

 

[nurofen]

Thanks, I don't suppose you can give the md5 of the locked secret file?

 

[Deleted member 356526]

Using 'locked secret' keyset.

'tag' format:
Calc hash of (0x000:0x007 + 0x054:0x07F) (52 bytes), put this hash (32 bytes) at 0x034

'internal' format:
Calc hash of (0x1D4:0x207) (52 bytes), put this hash (32 bytes) at 0x1B4

SHA1 please

 

[javiMaD]

Thanks, I don't suppose you can give the md5 of the locked secret file?

MD5 0ad86557c7ba9e75c79a7b43bb466333
SHA1 ad676ac04c6e7861924093654bd67ff4807ebc53

 

[HiddenRambler]

MD5 0ad86557c7ba9e75c79a7b43bb466333
SHA1 ad676ac04c6e7861924093654bd67ff4807ebc53

looks like my file is wrong: md5= 33d0dbefcb660732feadea8fc6921a7b

Could you tell me which parts are wrong from this hexdump snippet:

0C 0D 0E 0F

b6 a3 c2 05
74 00 00 10
f2 cf d2 9b
96 0f ae d4
45 05 47 66

 

[HiddenRambler]

i think i found the key

 

[HiddenRambler]

Holy Cow it worked. Managed to write to a blank NTAG and get to work on 3DS. . Thanks to @javiMaD @Supercool330 @_Tim_ @socram8888 and others in this thread who posted all the useful information.

 

[derthomas]

Holy Cow it worked. Managed to write to a blank NTAG and get to work on 3DS. . Thanks to @javiMaD @Supercool330 @_Tim_ @socram8888 and others in this thread who posted all the useful information.

Can you Share in Detail, how you did it? I'd like to Order The ntags

 

[javiMaD]

I uploaded a modified version of amitool, which calculates the hash missing. Use one key file (160 bytes), simply concatenate the "unfixed info" followed by "secret locked" into one file.

https://github.com/javimadgit/amiitool

 

[HiddenRambler]

I uploaded a modified version of amitool, which calculates the hash missing. Use one key file (160 bytes), simply concatenate the "unfixed info" followed by "secret locked" into one file.

https://github.com/javimadgit/amiitool

When did you upload this. :s Would've saved me some time if I'd seen this earlier .

 

[Deleted User]

@HiddenRambler how did you do it? (MAke a tutorial) @javiMaD does the amitool make BIN files that can be written correctly? Cold you PM me the key?

 

[javiMaD]

@HiddenRambler how did you do it? (MAke a tutorial) @javiMaD does the amitool make BIN files that can be written correctly? Cold you PM me the key?

This new amiitool generate both hashes correctly, but for write the tag must be careful with password, PACK0/1 and write order, check page 12 from this thread.

 

[Pecrow]

Omg omg omg, Can you share? Or PM if yo ucannot yet. Is this a simple app or how are you doing this?

 

[javiMaD]

Omg omg omg, Can you share? Or PM if yo ucannot yet. Is this a simple app or how are you doing this?

It's a few post above