Hacking DIY amiibo cards

EmanueleBGN

Also, I don't understand how to create the key file for Tagmo. Any simple tutorial?
To find the key file Google: Use this to Encrypt your custom Amiibo NTag pastebin
You'll find a .bin file, open it in HxD and "split" it in two parts (the first 5 rows and the second 5 rows), then save the first part to "unfixed key.bin" and the second to "locked key.bin". Put the three .bin files (unfixed, key and amiibo) onto your Android phone, boot TagMo2, place an NFC tag under the phone and write the new amiibo
 

thelucap97

To find the key file Google: Use this to Encrypt your custom Amiibo NTag pastebin
You'll find a .bin file, open it in HxD and "split" it in two parts (the first 5 rows and the second 5 rows), then save the first part to "unfixed key.bin" and the second to "locked key.bin". Put the three .bin files (unfixed, key and amiibo) onto your Android phone, boot TagMo2, place an NFC tag under the phone and write the new amiibo
Thanks a lot ;)
 

Deleted User

Checksum for the unfixed info: MD5: 2551AFC7C8813008819836E9B619F7ED
Checksum for locked secret: MD5: 0AD86557C7BA9E75C79A7B43BB466333

If you look on my download server (in description) in the amiibo folder, you might find something ;)
 

HiddenRambler

I've merged @javiMaD's modification into upstream. Thanks!

@socram8888 There is a bug in your latest code. The pack function does not calculate the data checksum correctly.

Code:
// The tag HMAC is written into the cipher buffer...
sha256hmac(tagKeys.hmacKey, sizeof(tagKeys.hmacKey), plain + 0x1D4, 0x34, cipher + HMAC_POS_TAG);
// ...but the data HMAC is computed over the plain buffer, which was never updated.
sha256hmac(dataKeys.hmacKey, sizeof(dataKeys.hmacKey), plain + 0x029, 0x1DF, cipher + HMAC_POS_DATA);

The tag checksum is used by the data checksum. However, since the plain data is never updated, the data checksum still uses the invalid checksum.

If you look at @javiMaD's original code, he does it correctly. Also @javiMaD, your latest code is also wrong due to merging the changes from upstream with this bug.
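
An added illustration of the ordering problem described in the post above (not code from the post, amiitool or TagMo): a Python model of the two nested HMACs using the ranges from the quoted calls. The two HMAC positions, the keys and the sample buffer are assumed or constructed, and encryption is left out.

```python
import hashlib
import hmac

# Ranges taken from the two sha256hmac() calls quoted in the post.
TAG_OFF, TAG_LEN = 0x1D4, 0x34
DATA_OFF, DATA_LEN = 0x029, 0x1DF
# Assumed positions (not given in the post): the tag HMAC has to sit inside
# the data HMAC's range for the dependency the post describes to exist.
HMAC_POS_TAG, HMAC_POS_DATA = 0x1B4, 0x008
SIZE, MAC_LEN = 0x208, 32
# Constructed keys for the demonstration only.
TAG_KEY, DATA_KEY = b"constructed-tag-key", b"constructed-data-key"

def mac(key, buf, off, length):
    return hmac.new(key, bytes(buf[off:off + length]), hashlib.sha256).digest()

def pack_buggy(plain):
    """Tag HMAC goes to the output; data HMAC is taken over the stale input."""
    out = bytearray(plain)
    out[HMAC_POS_TAG:HMAC_POS_TAG + MAC_LEN] = mac(TAG_KEY, plain, TAG_OFF, TAG_LEN)
    out[HMAC_POS_DATA:HMAC_POS_DATA + MAC_LEN] = mac(DATA_KEY, plain, DATA_OFF, DATA_LEN)
    return bytes(out)

def pack_fixed(plain):
    """Inner HMAC is stored first, then the outer HMAC covers the updated buffer."""
    out = bytearray(plain)
    out[HMAC_POS_TAG:HMAC_POS_TAG + MAC_LEN] = mac(TAG_KEY, out, TAG_OFF, TAG_LEN)
    out[HMAC_POS_DATA:HMAC_POS_DATA + MAC_LEN] = mac(DATA_KEY, out, DATA_OFF, DATA_LEN)
    return bytes(out)

def verify(buf):
    """Recompute both HMACs as a reader would; returns (tag_ok, data_ok)."""
    tag_ok = hmac.compare_digest(buf[HMAC_POS_TAG:HMAC_POS_TAG + MAC_LEN],
                                 mac(TAG_KEY, buf, TAG_OFF, TAG_LEN))
    data_ok = hmac.compare_digest(buf[HMAC_POS_DATA:HMAC_POS_DATA + MAC_LEN],
                                  mac(DATA_KEY, buf, DATA_OFF, DATA_LEN))
    return tag_ok, data_ok

def edited_sample():
    """Constructed buffer: zeroed, with bytes changed inside the tag-HMAC range."""
    buf = bytearray(SIZE)
    buf[TAG_OFF:TAG_OFF + 8] = b"EDITED!!"
    return bytes(buf)

if __name__ == "__main__":
    print("buggy:", verify(pack_buggy(edited_sample())))
    print("fixed:", verify(pack_fixed(edited_sample())))
```

A buffer that already carries a valid tag HMAC packs correctly even on the buggy path, so the fault only shows once the bytes under the tag HMAC have changed.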
 

Kupie

I get how to decrypt a bin, encrypt it with the UID of a blank NTAG215 tag (bought 20 off eBay now)... My question: Where in the hex editor of a bin file is the UID? Is the UID the same for all blank NTAG215 tags?
 

Celeryyy

I've updated TagMo to 2.1:

Bug Fix: If you write a valid tag dump you can now use the tag without resetting. Fixed a bug where checksum wasn't calculated properly (Thanks @javiMaD)
Feature change: There is now only a single "Load key" menu option which can be used to load either the combined key or separate keys (by using it twice).

https://drive.google.com/file/d/0BwV_DUnv_6kxVkJLRFpfaU9aNTQ/view?usp=sharing

Is the source for TagMo available anywhere? I'd like to make some additions to it.
 

Pecrow

I know this is incredible. It is so simple now that it is scary. Open TagMo2.1 - Load Key *first time only* - Load Tag file - Write to tag Auto ... I think that is right... right? I haven't received my tags yet, so I haven't tested it.
 

Deleted User

Hmm. I got a corruption error in my amiibo I made via autowrite, however after a reset it was fine!
Just wanted to let you all know
 

HiddenRambler

It was shown in the original post but got hidden in the spoiler tag. The code is on GitHub. https://github.com/HiddenRambler/TagMo

--------------------- MERGED ---------------------------

Is the source for TagMo available anywhere? I'd like to make some additions to it.

Will your additions be free or paid ;)

--------------------- MERGED ---------------------------

Hmm. I got a corruption error in my amiibo I made via autowrite, however after a reset it was fine!
Just wanted to let you all know

Was this with the latest version (2.1)? If so, was the original tag file a legitimate one with valid data? I thought I just fixed the corruption error :huh:.
 

Celeryyy

Will your additions be free or paid ;)

Free of course, I don't feel like getting offed by Nintendo's lawyers. Just wanted to try adding some extra error handling since I burned a chip in testing.
 

javiMaD

@socram8888 There is a bug in your latest code. The pack function does not calculate the data checksum correctly.

Code:
// The tag HMAC is written into the cipher buffer...
sha256hmac(tagKeys.hmacKey, sizeof(tagKeys.hmacKey), plain + 0x1D4, 0x34, cipher + HMAC_POS_TAG);
// ...but the data HMAC is computed over the plain buffer, which was never updated.
sha256hmac(dataKeys.hmacKey, sizeof(dataKeys.hmacKey), plain + 0x029, 0x1DF, cipher + HMAC_POS_DATA);

The tag checksum is used by the data checksum. However, since the plain data is never updated, the data checksum still uses the invalid checksum.

If you look at @javiMaD's original code, he does it correctly. Also @javiMaD, your latest code is also wrong due to merging the changes from upstream with this bug.
Thanks, I made a quick/dirty update in my git
 

Pecrow

Free of course, I don't feel like getting offed by Nintendo's lawyers. Just wanted to try adding some extra error handling since I burned a chip in testing.
Lol. Not to make myself feel dumb, but I tried reading one of my amiibos and after 10 minutes I realized that it was not working because I had NFC off...lol Maybe a quick check as well, at least I know it won't happen to me again, lol
 
