Hacking Spoofing an amiibo using Android+NFC?

NWPlayer123 · Dec 3, 2014

Well I just read my untouched Mario Amiibo with my HTC One M8 and this.
EDIT: Also running Cyanogenmod.
Not sure how accurate data reading is, it (kinda) matches up with what the Pokemon Rumble U info is (http://wiiubrew.org/wiki/Wii_U_GamePad)

RF Technology: Type A (ISO/IEC 14443 Type A)
Tag Type: NTAG215 (NT2H1511)
ATQA: 0044
SAK: 00
Memory Size: 540 bytes
Page Size: 4 Bytes
Number of Pages: 135
Product Vendor: NXP Semiconductors (Germany)
Product Type: NTAG (0x04 - matches up with the NTAG dynamic library on the system)
Product Subtype: 50 pF (0x02)
Product Version: 1.0
User Memory size: 256 bytes
Communication Protocol: 0x03
ASCII Mirror: no ASCII mirror
NFC Counter enabled: yes
Maximum negative password verification attempts: 7
First page that requires password verification: 4
IC Signature: e2a7ceef7344c734868cbe75fe515adb1ba3b5e58bb40bb95bb341233e997a59
IC Signature Public Key: NXP NTAG21x 2013
IC Signature Public Key Value: 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptical Curve Parameters: secp128r1
IC Signature Status: valid

Page 0-1 (UID)
read-only (factory locked)

Page 2 (reserved/lock bits)
read-only (locked)

Page 3 (OTP)
read-only (locked)

Page 4-12 (data)
writable (locked)
Authentication required: write

Page 13-31 (data)
read-only (locked)

Page 32-129 (data)
writable (locked)
Authentication required: write

Page 130 (reserved/lock bits)
read-only (locked)

Page 131-132 (configuration)
read-only (locked)

Page 133 (authentication password)
write-only (not locked)
Authentication required: write

Page 134 (password acknowledge)
write-only (not locked)
Authentication required: write

Page 0 (UID)
04f0b8c4
Page 1 (UID)
8a7d3980
Page 2 (reserved/ lock bits)
4e480fe0
Page 3 (OTP)
f110ffee
Page 4 (data)
a5000000
Page 5 (data)
c6b3a2e9
Page 6 (data)
1ef516ac
Page 7 (data)
256c76a4
Page 8 (data)
5ae6d0e0
Page 9 (data)
5d2acb81
Page 10 (data)
f7106e38
Page 11 (data)
4f0b71ed
Page 12 (data)
afaadf0b
Page 13 (data)
f207e630
Page 14 (data)
7982e40d
Page 15 (data)
9c4eb28e
Page 16 (data)
e3f7da2b
Page 17 (data)
9297906c
Page 18 (data)
d98a718f
Page 19 (data)
c64f3c26
Page 20 (data)
ad17dbfd
Page 21 (data)
00000000
Page 22 (data)
00000002
Page 23 (data)
0412840b
Page 24 (data)
479d324f
Page 25 (data)
34a61208
Page 26 (data)
17b32d9b
Page 27 (data)
14c0b945
Page 28 (data)
43ae2aa3
Page 29 (data)
0e41fbe5
Page 30 (data)
c55c3ddc
Page 31 (data)
1c9453c3
Page 32 (data)
12275587
Page 33 (data)
ae5ad652
Page 34 (data)
3bd3948d
Page 35 (data)
75abad23
Page 36 (data)
5c692199
Page 37 (data)
f6294f46
Page 38 (data)
ac90da60
Page 39 (data)
daa448ef
Page 40 (data)
a7424a7d
Page 41 (data)
1d2ced79
Page 42 (data)
af9a7df4
Page 43 (data)
f7dd6feb
Page 44 (data)
025aed85
Page 45 (data)
e88c624b
Page 46 (data)
05288bbd
Page 47 (data)
8b33d228
Page 48 (data)
0d68c959
Page 49 (data)
2b1de601
Page 50 (data)
9617cc38
Page 51 (data)
1a009ba6
Page 52 (data)
455eda47
Page 53 (data)
0c1715f5
Page 54 (data)
a38467b5
Page 55 (data)
db7c4354
Page 56 (data)
9dfd6cca
Page 57 (data)
33ea6dd7
Page 58 (data)
d8fcb9a4
Page 59 (data)
237a4827
Page 60 (data)
85a8cf08
Page 61 (data)
a68031e0
Page 62 (data)
8af9161f
Page 63 (data)
dc073a00
Page 64 (data)
d25c96f4
Page 65 (data)
b6f62611
Page 66 (data)
686801bf
Page 67 (data)
968cf75e
Page 68 (data)
584bc1e1
Page 69 (data)
0d07ab24
Page 70 (data)
216adcb5
Page 71 (data)
448752fc
Page 72 (data)
b33061a8
Page 73 (data)
60ca15ba
Page 74 (data)
305e2e77
Page 75 (data)
8095f22d
Page 76 (data)
449306de
Page 77 (data)
0ea3ab8a
Page 78 (data)
c48435ef
Page 79 (data)
edcecd1e
Page 80 (data)
c7a63bea
Page 81 (data)
0afb84bb
Page 82 (data)
84782cb3
Page 83 (data)
db142c4f
Page 84 (data)
0b4b4c37
Page 85 (data)
3b79a86f
Page 86 (data)
9c5a70b1
Page 87 (data)
65761dab
Page 88 (data)
bf63901d
Page 89 (data)
e5dbb52c
Page 90 (data)
8e562ca4
Page 91 (data)
5691482b
Page 92 (data)
7a7fa52a
Page 93 (data)
8f71c7ec
Page 94 (data)
c6204d84
Page 95 (data)
fcdf8fe4
Page 96 (data)
9c186331
Page 97 (data)
60caa874
Page 98 (data)
b99b272e
Page 99 (data)
60564443
Page 100 (data)
298e7c98
Page 101 (data)
e36d7ca0
Page 102 (data)
1171f7c7
Page 103 (data)
4888354c
Page 104 (data)
3e8c2502
Page 105 (data)
c60dfc48
Page 106 (data)
a0683e2a
Page 107 (data)
9b17edf4
Page 108 (data)
091d1a37
Page 109 (data)
f485aa3d
Page 110 (data)
85d849b5
Page 111 (data)
49bf9ba9
Page 112 (data)
f22e5736
Page 113 (data)
af0afbf1
Page 114 (data)
fa08ee36
Page 115 (data)
cb564cc7
Page 116 (data)
d1f6ca3c
Page 117 (data)
e6692ba2
Page 118 (data)
461038c3
Page 119 (data)
90376fc1
Page 120 (data)
3c7746a6
Page 121 (data)
781f8bfd
Page 122 (data)
c683ce42
Page 123 (data)
858fa666
Page 124 (data)
e4842415
Page 125 (data)
76e2e8dd
Page 126 (data)
fbca8d76
Page 127 (data)
1116519d
Page 128 (data)
5320e6f5
Page 129 (data)
e8eafb01
Page 130 (reserved/ lock bits)
01000fbd
Page 131 (configuration)
00000004
Page 132 (configuration)
5f000000

I copypasted the datablob into a hex editor, doesn't seem readable at first, but who knows. Also, keep in mind, this has never touched a Wii U, I just took it out of the package.

EDIT: Oh look, NXP has their own Android app too, how convenient

IC Manufacturer: NXP Semiconductors
IC Type: NTAG215

Memory Size: 504 bytes user memory
>126 pages, with 4 bytes per page

IC detailed information:
Full product name: NT2H1511G0DUx
Capacitance: 50 pF

Version information:
Vendor ID: NXP
Type: NTAG
Subtype: 50 pF
Version: 1.0
Storage size: 504 bytes
Protocol: ISO/IEC 14443-3

Configuration information:
ASCII mirror disabled
NFC counter: protected (no tearing)
Wrong password attempts allows: 7
Strong load modulation disabled
Configuration locked
VERIFIED WITH NXP PUBLIC KEY

Detailed protocol information:
ID: 04:F0:B8:8A:7D:39:80
ATQA: 0x4400
SAK: 0x00

Slartibartfast42 · Dec 3, 2014

But Amiibo's are useless. All they do is change your outfit in Mario Kart. They do mostly useless things in your other games too. They should give you a new character and a new track. Anything less than that is not worth bothering with.

luney · Dec 3, 2014

mixelpixx said:
Luney -- does this app have a name? Does it exist for the rest of the peoples on here..?

I just searched for "NFC Tag Info" (someone mentioned this app earlier in this thread or maybe another on the same subject) in google play and found several free apps plus a couple pay ones. Again though, without blank tags, I have no idea if their claim about cloning is accurate. I have read several tags in so far. I don't know if it stores the data somewhere so that it can be transmitted at will or not. Didn't really play with it much. Just scanned several tags and skimmed through the data. I have no idea wth I was looking at either, heh.

Reecey · Dec 3, 2014

The Real Jdbye said:
I don't think that actually works.

Yes it does, I've seen it been done on the police program, on Pick channel

Zananok · Dec 3, 2014

luney said:
So i found the app for my S4 that allows reading, writing, and supposedly cloning of the tags. It says it can clone tags but I have no way to test since I don't have blank tags. I want this more to have all of my Pokemon figures in one place. Zananok, can your app just transmit the data without having to clone a tag? That would be ideal instead of carrying a bunch of tags around. For me the whole point would be to just have like a catalog of my characters to choose the one I want from and load it into the game. Then be able to write the data back to my catalog if it has been upgraded.

Edit: and yes I will eventually buy every one of them. I always said that if they ever took the skylanders approach with pokemon I would be screwed. I would definitely want them all. OCD is a bitch when it comes to pokemon, heh.

It can't due to hardware limitations, i have no problems in generating a specified android OS to emulate a NFC tag, however the official OS offers simulation of just a specific tag exactly because of the hardware limitation offered on any NFC phone. Thus my meaning of that I was in the middle of developing something to clear up the need of having many tags. I'm making a simple compact hardware/tag (size of a tag) to emulate any NFC tag even pose read only data, which can of course be changed underneath it, as I said it just emulates the output data and receives the changes to allowed sectors. I also plan to add a small short range wifi module to load whatever I want from my mysql database and I don't have to use my phone everytime to change the tag data, it will use just a small watch battery to power it; but that's another story.

Point is, no, it cannot emulate the tag due to the tag type and limitations of any phone out there.

Anyway, just came back to say that I got a Samus amiibo and my gf opened it anyway, so I'm fine now.

Regards,
Zananok

syntaxyz · Dec 3, 2014

I wonder if this NFC Tag Cloner Android App gives us the results we expect.
https://play.google.com/store/apps/details?id=com.skjolberg.nfc.clone2

I currently have no Amiibo and I would need to get a writable TAG somewhere.
If you do, I am very curious about the results.

Deleted member 194275 · Dec 3, 2014

I'm not a specialist here... but now that 3DS is being hacked, why android should be a better path than the 3DS itself? I dont have a WiiU but, I imagine that you can transfer your ~~dolls~~ figures from 3DS to WiiU without problems right? so if a hacked 3DS transfer an amiibo to a WiiU using legit methods, it might work, right?

NWPlayer123 · Dec 3, 2014

lokomelo said:
I'm not a specialist here... but now that 3DS is being hacked, why android should be a better path than the 3DS itself? I dont have a WiiU but, I imagine that you can transfer your ~~dolls~~ figures from 3DS to WiiU without problems right? so if a hacked 3DS transfer an amiibo to a WiiU using legit methods, it might work, right?

Except that only the New 3DS has NFC capabilities and it isn't even out yet in the US.

duffmmann · Dec 3, 2014

NWPlayer123 said:
Except that only the New 3DS has NFC capabilities and it isn't even out yet in the US.

Well there is the peripheral coming out for the original 3DS models that communicates wirelessly with your 3DS to scan in NFC figures.

Deleted User · Dec 3, 2014

I got the Fox amiibo, The detail is pretty good

Master0fBlunt · Dec 4, 2014

Slartibartfast42 said:
But Amiibo's are useless. All they do is change your outfit in Mario Kart. They do mostly useless things in your other games too. They should give you a new character and a new track. Anything less than that is not worth bothering with.

They're awesome brah!!!1!

. Be positive1!!

Amiibro · Dec 4, 2014

Registered just to post. Very interested in this topic. I'm willing to say no apps on the Android Market has what we need. There are some apps that can read amiibos. But I've tried over 10, none will emulate the amiibo. Not for this tag type at least. I'm a CS student with a decent knowledge of java and data structures. If someone wants to team up and get me up to speed I'll be of use. I'll be initiating my research after finals. I have limited knowledge in mobile development but I can start. I have a Wii U. Marth and Mario amiibos. A rooted OnePlus One. And Smash 4 of course.

Master0fBlunt · Dec 4, 2014

Amiibro said:
Registered just to post. Very interested in this topic. I'm willing to say no apps on the Android Market has what we need. There are some apps that can read amiibos. But I've tried over 10, none will emulate the amiibo. Not for this tag type at least. I'm a CS student with a decent knowledge of java and data structures. If someone wants to team up and get me up to speed I'll be of use. I'll be initiating my research after finals. I have limited knowledge in mobile development but I can start. I have a Wii U. Marth and Mario amiibos. A rooted OnePlus One. And Smash 4 of course.

Stumbling through a workaround that will omit the use of blank physical tags. Got wii u to pick up miibo off a flashed/written tag, but not in the way i wanted. Buggy as a Kardashians crotch lol.... Ultimately need to utilize an NFC capable device to broadcast, vs having to buy tags/chips. Im thinking about modding the gamepad and manually inserting an rfid that i can flash on command via mobile/wireless hardware... Thus getting rid of the need to broadcast, and buy chips. Just pop one in gamepad, load up libray of miibos on pc/droid, flash, enjoy....

Edit: was trying to find a more streamline user friendly method, but in the end this may be the simplest way to date...

Slychocobo · Dec 4, 2014

Certainly interesting stuff, shall be watching this thread with some interest.

A technical breakdown of your findings would be great to see as well, even if its not very technically friendly.

Amiibro · Dec 4, 2014

Master0fBlunt said:
Stumbling through a workaround that will omit the use of blank physical tags. Got wii u to pick up miibo off a flashed/written tag, but not in the way i wanted. Buggy as a Kardashians crotch lol.... Ultimately need to utilize an NFC capable device to broadcast, vs having to buy tags/chips. Im thinking about modding the gamepad and manually inserting an rfid that i can flash on command via mobile/wireless hardware... Thus getting rid of the need to broadcast, and buy chips. Just pop one in gamepad, load up libray of miibos on pc/droid, flash, enjoy....

Edit: was trying to find a more streamline user friendly method, but in the end this may be the simplest way to date...

I see, hardware mods is no bueno for me. What ever happened to HCE. Has no one attempted it yet?

Slychocobo · Dec 4, 2014

I would suspect that a hardware mod might be a tad.. extreme. What sort of issue's are you running into with using simple tags?

shinkodachi · Dec 4, 2014

Handshake...

elmoemo · Dec 4, 2014

Modded files work with Disney infinity, maybe same will work here (although the console had to be able to run unsigned code).

Amiibro · Dec 5, 2014

http://forum.xda-developers.com/showthread.php?t=2281112

I can't really find the answer, seems that HCE for Mifare Ultralight is not possible due to hardware. The only way around would to read and write it on other tags.

yodasoja · Dec 5, 2014

Master0fBlunt said:
Stumbling through a workaround that will omit the use of blank physical tags. Got wii u to pick up miibo off a flashed/written tag, but not in the way i wanted. Buggy as a Kardashians crotch lol.... Ultimately need to utilize an NFC capable device to broadcast, vs having to buy tags/chips. Im thinking about modding the gamepad and manually inserting an rfid that i can flash on command via mobile/wireless hardware... Thus getting rid of the need to broadcast, and buy chips. Just pop one in gamepad, load up libray of miibos on pc/droid, flash, enjoy....

Edit: was trying to find a more streamline user friendly method, but in the end this may be the simplest way to date...

Is there any way you can send me an .apk with the amiibo files? I've got plenty of free tags to test it out on.

Also, I'd love to help out in any way. I'm about to graduate with a Bachelors in Computer Science and have a small amount of experience with android apps. I also have a Nexus 5 unrooted (in case we want to see if that works with the app).

Hacking Spoofing an amiibo using Android+NFC?

Well-Known Member

Well-Known Member

Well-Known Member

Mario 64 (favorite game of all time)

Member

Well-Known Member

Edson Arantes do Nascimento

Well-Known Member

Well-Known Member

Deleted User

Guest

Well-Known Member

Member

Well-Known Member

New Member

Member

New Member

On permanent leave

Well-Known Member

Member

New Member

Similar threads

Popular threads in this forum