Toggle sidebar

Hacking DIY amiibo cards

  • Thread starter Thread starter _Tim_
  • Start date Start date
  • Views Views 565,915
  • Replies Replies 825
  • Likes Likes 47
Julizi said:
Then it's clear why decrypting by tool never works :rofl2:
From 2010 to 2011 Germany gave some NFC readers/writers with linux drivers away for free (intrtoduction of NFC-ID-Card), maybe those readers will work on @Supercool330 tool too. SCM SCL011.
Click to expand...
The nPA BSI version of the SCL011 reader only supports Mifare Classic, Ultralight and DESFire. No NTag21x support.
 
rena2019 said:
The nPA BSI version of the SCL011 reader only supports Mifare Classic, Ultralight and DESFire. No NTag21x support.
Click to expand...

I successfully dumped an amiibo with one of those though. It should be possible to send custom commands, too, but I haven't really looked into writing data yet, although it should likely work finely once we know what the missing piece is.
 
rena2019 said:
The nPA BSI version of the SCL011 reader only supports Mifare Classic, Ultralight and DESFire. No NTag21x support.
Click to expand...
Hmmm... There is an entry on the SCM-Website saying that those readers support NFC Forum Tags.
 
The SCL011 can definitely interact with an NTag (as it can interact with any type 2 tag), I'm just not sure if the open source library I'm using supports it, or if any open source library supports it for that matter. It isn't listed on the support list for either nfcpy or libnfc. It is worth giving it a try though as other SCM readers are supported.
 
The SCL011's drivers integrate it into the pc/sc API, so I'm just using a .NET wrapper around that API to access it. Most card readers should be supported that way. I'll try nfcpy sometime tomorrow and report back.
 
Supercool330 said:
The SCL011 can definitely interact with an NTag (as it can interact with any type 2 tag), I'm just not sure if the open source library I'm using supports it, or if any open source library supports it for that matter. It isn't listed on the support list for either nfcpy or libnfc. It is worth giving it a try though as other SCM readers are supported.
Click to expand...
I only tried the SCL011 under Windows and not even an ATR works with an amiibo. Maybe libnfc can directly talk to the PN512 inside the reader without the firmware?

The other nPA reader SDI011 (that also supports contact cards) has a better firmware because it works with NTag215 tags
 
Last edited by rena2019,
jrk190 said:
Now package it as an android app and profit. NFC on phone to read and write!
Click to expand...
Imagine if everyone who made homebrews and hacks possible charged for their work. not that I dont think they do have the right to do so, but I regards to this topic 15$ per amiibo to unlock launch day DLC is just bad...
 
  • Like
Reactions: TotalInsanity4
Pecrow said:
Imagine if everyone who made homebrews and hacks possible charged for their work. not that I dont think they do have the right to do so, but I regards to this topic 15$ per amiibo to unlock launch day DLC is just bad...
Click to expand...
Well, I mean he could do a free version with a pay to unlock special or beta features, or just donate. Or adfree. But android app would rock, either way.

I thought of it from more of an android standpoint vs homebrew. if smea charged for hax I'd be so poor.
 
  • Like
Reactions: TotalInsanity4
jrk190 said:
Well, I mean he could do a free version with a pay to unlock special or beta features, or just donate. Or adfree. But android app would rock, either way.

I thought of it from more of an android standpoint vs homebrew. if smea charged for hax I'd be so poor.
Click to expand...
Actually I would be okay with a donation in exchange for android app :)
--edit--
A free-will donation sounds better then a forced pay :)

either way, this is so exiting :D I cant wait for this to be ready.. I want to finally play games with out having to buy an amiibo :(
 
Last edited by Pecrow,
Supercool330 said:
I have an android app that I'm working on, but I'm not sure I'll ever finish it (UI development is frustrating...). Even If I do I probably won't release it on the app store (I'll put the code up somewhere), and if I do I definitely wont charge for it.
Click to expand...
To be honest if it works I dont think people would mind if it looks like windows 3.5
 
  • Like
Reactions: Deleted User
Supercool330 said:
I have an android app that I'm working on, but I'm not sure I'll ever finish it (UI development is frustrating...). Even If I do I probably won't release it on the app store (I'll put the code up somewhere), and if I do I definitely wont charge for it.
Click to expand...
Pecrow said:
To be honest if it works I dont think people would mind if it looks like windows 3.5
Click to expand...
Aye, I wouldn't care if it was ugly as balls and an attached apk for manual install, so long as it got the job done.
It's not something people need more than once (per tag) anyway.
 
  • Like
Reactions: Deleted User and TotalInsanity4
Supercool330 said:
I have an android app that I'm working on, but I'm not sure I'll ever finish it (UI development is frustrating...). Even If I do I probably won't release it on the app store (I'll put the code up somewhere), and if I do I definitely wont charge for it.
Click to expand...
Yeah I don't think that would be too well-received in the Google Play Store. Congrats on getting it to work and for having the patience and dedication to figure it out!

If you get another minute to explain, I'm curious which part it was that was the final piece? Guessing that you finally got the right combination figured out? >

Supercool330 said:
I just came to a realization. I was thinking about different sections of memory that could be hashed with the derived per amiibo hmac key, and I realized that you can't actually use that key since part of the seed is the write counter from the amiibo. However, the write counter isn't used with the "locked secret" keyset as the magic is 16 bytes long. This also totally explains why there are two sets of keys, the "unfixed infos" is used for the unfixed parts of the amiibo that can change, and the "locked secret" is used for the locked parts that can only be written once. This also explains why none of my hashing turned up any results; I was using the wrong keyset. I suspect we need to build a seed using the "locked secret" keyset, and then either hash it with the "locked secret" hmac key, take the first 32 bytes from the drbg, or generate a key with the drbg and decrypt/hash something. Regardless, the "locked secret" seed will still use the portion of the amiibo at 0x60, so almost certainly the target block of memory is 0x34-0x54. We just need to try various things until we get something that matches.
Click to expand...
 
  • Like
Reactions: Pecrow
Supercool330 said:
I have an android app that I'm working on, but I'm not sure I'll ever finish it (UI development is frustrating...). Even If I do I probably won't release it on the app store (I'll put the code up somewhere), and if I do I definitely wont charge for it.
Click to expand...
If you're stuck in the UI you could open-source it and post a thread in the mobile technology subforum
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Strange Blue Blinking Wii U

Hacking Homebrew Project  Modernized YouTube for Wii U

[discussion] what game do you wanna see next?

Wii Games Performance on Wii U (vWii C2W Overclock) – Community Testing & Results Sharing

[discussion] Paper Mario Wii U or Mario Kart 64 wii u?

Gaming Homebrew Misc Project  Roséverse - a 1:1 Miiverse revival by Project Rosé!

Can the Wii u pro controller works for Wii games ?

[PRERELEASE] Sonic 3 A.I.R. (finally) Wii U