Hacking DIY amiibo cards

[fraret]

Basically we just compile socrams git with the encryption key,

Where do you put the key?

 

[_Tim_]

Just to be clear... I do not sell DIY amiibo cards so please do not PM me about it. Thanks.

 

[OctopusRift]

Where do you put the key?

up the nose. you actually have to think here.

--------------------- MERGED ---------------------------

Just to be clear... I do not sell DIY amiibo cards so please do not PM me about it. Thanks.

DAMN. Close.

 

[fraret]

up the nose. you actually have to think here.

I see the key. But I don't know how to use it. I made a key.bin file with it, and it tells me it's an invalid key.

 

[OctopusRift]

I see the key. But I don't know how to use it. I made a key.bin file with it, and it tells me it's an invalid key.

lol follow the steps

 

[izy]

Well either way how fixable this is by nintendo we will see.

I do like the idea of amiibo trading cards , easier to share with friends


https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https://www.reboot.ms/forum/threads/amiiqo.523/&edit-text=&act=url


The sx3 chip is running as the bank but essentially it is a rewritable tag with some modifications, im assuming because SX3 is the security in amiibos that the chip is writing a new the amibo dump and UID directly to the tag via keypress and thats why its limited to 200.


Either way if you get a RRW tag you could essentially just make an app to write dumps you jsut wouldnt get the switching etc

just need someone to acquire and test it <3

 

[Supercool330]

You need more than just the HMAC key, you also need 16 magic bytes, and a 32 byte xorpad (unless there is some way to run the algorithms without them).

 

[Supercool330]

@_Tim_: could you try writing an amiibo with a couple pages different from normal? For page 0x02, make the last two bytes 0 (to disable static locking), leave the capability container (page 0x03) default (0xE1 0x10 0x3E 0x00) (the values on 3DSbrew don't really make sense given the spec), leave page 0x82 0 (to disable dynamic locking). Set page 0x83 to 0x00 0x00 0x00 0xFF to disable password checking, and page 0x84 to 0x10 0x00 0x00 0x00 to disable the config lock, count protection, and auth limit. I'm curious if the Wii U will read an Amiibo with all of the protection disabled (and a more standard capability container), or not (I suspect it checks at least some of these). I find it very interesting that the last byte of the capability container is 0xEE as 0xE is a proprietary value according to the spec (and the first byte being 0xF1 makes no sense as the spec says 0xE1 is a magic value).

 

[_Tim_]

@_Tim_: could you try writing an amiibo with a couple pages different from normal? For page 0x02, make the last two bytes 0 (to disable static locking), leave the capability container (page 0x03) default (0xE1 0x10 0x3E 0x00) (the values on 3DSbrew don't really make sense given the spec), leave page 0x82 0 (to disable dynamic locking). Set page 0x83 to 0x00 0x00 0x00 0xFF to disable password checking, and page 0x84 to 0x10 0x00 0x00 0x00 to disable the cfglck, count protection, and auth limit. I'm curious if the Wii U will read an Amiibo with all of the protection disabled (and a more standard capability container), or not (I suspect it checks at least some of these). I find it very interesting that the last byte of the capability container is 0xEE as 0xE is a proprietary value according to the spec (and the first byte being 0xF1 makes no sense as the spec says 0xE1 is a magic value).

I already tried this, if one of the bits you mentioned is not set -> invalid amiibo.

 

[Supercool330]

Huh, even the capability container ones? That really confuses me as like every byte (except 0x1) doesn't really make sense. Byte 0x0 should be 0xE1 according to the spec, 0xFF in byte 0x2 would mean that the chip can store 2040 bytes (significantly more than it actually can), and 0xEE in byte 0x3 that the chip has proprietary read and write access conditions of some sort.

 

[_Tim_]

Huh, even the capability container ones? That really confuses me as like every byte (except 0x1) doesn't really make sense. Byte 0x0 should be 0xE1 according to the spec, 0xFF in byte 0x2 would mean that the chip can store 2040 bytes (significantly more than it actually can), and 0xEE in byte 0x3 that the chip has proprietary read and write access conditions of some sort.

I checked the 3DS code and it checks everything except CC, so those 4 bytes can be left untouched but they do not matter anyway. The lock bits needs to be set though.

 

[Slartibartfast42]

Do we really even need to fake Amiibo anymore? Can't we just mod the games to think we already have them?

 

[fraret]

lol follow the steps

Steps:
- decrypt amiibo dump
- use hex editor to change UID in amiibo dump to UID of blank NTAG215 tag
- encrypt amiibo dump
- write amiibo dump to blank NTAG215 tag
- print amiibo picture and cut it out
- put NTAG215 tag sticker on the back of amiibo picture

I can't decrypt, because I don't know how to compile amiitool with the key. And if I put the key as an HEX file, and I use amiitool with the -k parameter, passing it the file with the key, it says me it's an invalid key.
Also, why the key is 20 bytes long? Shoudn't it be 16bytes(128 bits) long?

 

[OctopusRift]

I can't decrypt, because I don't know how to compile amiitool with the key. And if I put the key as an HEX file, and I use amiitool with the -k parameter, passing it the file with the key, it says me it's an invalid key.
Also, why the key is 20 bytes long? Shoudn't it be 16bytes(128 bits) long?

_tim_ uses a modified version of amiitool... So... Think about that.

 

[ronopotomus]

Pretty amazing. I was kind of expecting something like this after reading and dumping my own Amiibos. Great job!

 

[Deleted User]

Does anyone know how I could dump the amiibo as BIN files via Android?

 

[windwakr]

Relevant?
http://pastebin.com/aTMF2Btd

Found that on pastebin.

 

[OctopusRift]

Does anyone know how I could dump the amiibo as BIN files via Android?

Amiiqo.

--------------------- MERGED ---------------------------

Relevant?

http://pastebin.com/aTMF2Btd

AES CTR MODE. YES. I NEED THIS. I LOVE YOU.

 

[Deleted User]

Which key in that set is for Amiibo?
(Wow I'm being a noob again.)

 

[OctopusRift]

Which key in that set is for Amiibo?
(Wow I'm being a noob again.)

all. It's not one key lmao.