Hacking DIY amiibo cards

Thread starter: _Tim_
I made this Amiibo UID Calculator that only requires you pasting in the 7-byte UID from your NTAG215. It provides you with the 9-byte output that you replace in the decrypted Amiibo bin.

[Download Here]

Consider this to be an offline alternative to SuperSVGA's tool.

EDIT2: Now does correct 9-byte output.
 
Last edited by fiveighteen,
Very tempting but the NFC Reader is my roadblock. Got to see if I know anyone with a smartphone that's compatible with NFC Reader.

Thanks for posting it! :)
 
But isn't UID 9 bytes, 7 bytes + 2 bytes BCC?
Yes, BCC1 = UID4 xor UID5 xor UID6 xor UID7
So we need to write the first 9 bytes every time, not 8? Easy change to make, but nobody mentioned it before except Supercool330 on Page 10. I kind of thought it was done during the encryption or something for some reason. I'll make changes.

The first 10 bytes of the tag are determined by the NFC type A spec.

0: UID0 - the manufacturer code, always 0x04 for any NXP tag
1: UID1
2: UID2
3: BCC0 - CT ^ UID0 ^ UID1 ^ UID2 (CT is 0x88)
4: UID3 - Can't be CT (0x88)
5: UID4
6: UID5
7: UID6
8: BCC1 - UID3 ^ UID4 ^ UID5 ^ UID6
9: Internal - Always 0x48

Note that you can't actually write to any of these bytes on an actual NTAG, the first two pages are locked at the factory, and trying to write values to the first two bytes of the 3rd page does nothing (thus the static lock bytes can be set without worrying about the first two bytes of the write). Also note, that tags with 4 or 10 byte UIDs have a different layout (all NTAG21x tags have 7 byte UIDs).
 
There are a number of things you need:
You have to update all 9 bytes of the UID, including the 2 BCC bytes.
You need to update the HMAC signature at 0x80 (amiitool does this for you on reencryption).
You have to re-encrypt the two encrypted segments (this is the main thing amiitool does on reencryption).
You have to properly set the configuration pages on the clone (including the static lock bytes, CC, dynamic lock bytes, CFG0 and CFG1).
You have to properly set the password on the cloned card (based on the UID)
You have to properly set the pack on the cloned card (always the same value)
And something else that we don't know about (my guess is the HMAC at 0x34).
Until we know what that last piece is, it isn't actually possible to create a valid clone.
 
So we need to write the first 9 bytes every time, not 8? Easy change to make, but nobody mentioned it before except Supercool330 on Page 10. I kind of thought it was done during the encryption or something for some reason. I'll make changes.
In my tests I do the following: ["Step by step" guide]

- Dump Amiibo
- Decrypt Amiibo and save to amiibo_mod
- Get UID and BCC0/1 from the blank tag
- Put UID1/2/3 + BCC0 + UID4/5/6/7 at offset 0x1D4 (8 bytes)
- Put BCC1 at offset 0x000 (1 byte)
- Put write password at 0x214 (4 byte)
- Put PACK0/1 at 0x218 (2 byte)
- Save file and copy in a new file (amiibo_base)
Now in amiibo_base
- Change at 0x002 to 0x00 0x00 (2 bytes), default blank tag LOCK0/1
- Change at 0x208 to 0x00 0x00 0x00 0xBD 0x04 0x00 0x00 0xFF 0x00 0x05 (10 bytes), default blank tag LOCK2-3-4/CFG/MIRROR/AUTH/ACCESS
- Save
- Encrypt amiibo_mod and amiibo_base
- Write amiibo_base to blank tag
- Write amiibo_mod to blank tag
 
Last edited by javiMaD,
That looks about the same as my process. I do the encryption differently than amiitool so that everything is done in place (my dumps have the same layout as the original tags), but I think that matches up. I also write the pages in a different order so that the lock and cfg changes happen last in case of a tear.
 
Someone test this to make sure I didn't screw up: http://dynamoreason.com/res/g/amiibo/uid/
Looks good to me now.

7-byte NTAG215 UID: 04C37A52C23E80

BCC0 = 0x88 ^ UID0 ^ UID1 ^ UID2 = 0x88 ^ 0x04 ^ 0xC3 ^ 0x7A = 0x35
BCC1 = UID3 ^ UID4 ^ UID5 ^ UID6 = 0x52 ^ 0xC2 ^ 0x3E ^ 0x80 = 0x2E

9-byte UID: 04C37A3552C23E802E

(That last "E" on yours doesn't get capitalized, but the rest of the letters do)
 
Last edited by fiveighteen,
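A small checker for the page 0-2 layout and the BCC arithmetic worked through above, added here as an example and not taken from any poster's tool (function names are my own; the sample UID is the one from this post):

```python
# Added example (not from the thread): derive and check the 9-byte NTAG215
# UID/BCC header (pages 0-2) from a 7-byte UID, per the NFC Type A layout
# quoted earlier in the thread. Function names are my own.
CT = 0x88                # cascade tag, ISO 14443-3 Type A
INTERNAL = 0x48          # byte 9 on NTAG21x
NXP_MANUFACTURER = 0x04  # UID0 on NXP tags

def expand_uid(uid7: bytes) -> bytes:
    """Return UID0..UID2, BCC0, UID3..UID6, BCC1 (9 bytes)."""
    if len(uid7) != 7:
        raise ValueError("NTAG21x UIDs are 7 bytes")
    if uid7[0] != NXP_MANUFACTURER:
        raise ValueError("UID0 should be 0x04 for an NXP tag")
    if uid7[3] == CT:
        raise ValueError("UID3 may not equal the cascade tag 0x88")
    bcc0 = CT ^ uid7[0] ^ uid7[1] ^ uid7[2]
    bcc1 = uid7[3] ^ uid7[4] ^ uid7[5] ^ uid7[6]
    return bytes([*uid7[:3], bcc0, *uid7[3:], bcc1])

def expand_uid_hex(uid7_hex: str) -> str:
    """Hex in, uppercase hex out (same format as the thread's tools)."""
    return expand_uid(bytes.fromhex(uid7_hex)).hex().upper()

def check_header(pages0_2: bytes) -> list:
    """Check the first 10 bytes of a dump; return a list of problems found."""
    if len(pages0_2) < 10:
        return ["need at least 10 bytes (pages 0-2 plus internal byte)"]
    try:
        expected = expand_uid(pages0_2[:3] + pages0_2[4:8])
    except ValueError as e:
        return [str(e)]
    problems = []
    if pages0_2[3] != expected[3]:
        problems.append(f"BCC0 is {pages0_2[3]:02X}, expected {expected[3]:02X}")
    if pages0_2[8] != expected[8]:
        problems.append(f"BCC1 is {pages0_2[8]:02X}, expected {expected[8]:02X}")
    if pages0_2[9] != INTERNAL:
        problems.append(f"internal byte is {pages0_2[9]:02X}, expected 48")
    return problems

if __name__ == "__main__":
    print(expand_uid_hex("04C37A52C23E80"))  # 04C37A3552C23E802E
    # constructed dump header whose BCC1 was left at a stale value
    print(check_header(bytes.fromhex("04C37A3552C23E80FF48")))
```

Running check_header over the first 10 bytes of a dump catches the stale-BCC mistake discussed above before anything is written to a tag.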
(That last "E" on yours doesn't get capitalized, but the rest of the letters do)
I didn't make any changes to capitalization so bin2hex just outputs lowercase. I can make it uppercase though.

Edit: It converts the output to uppercase regardless of the input now.
 
Last edited by SuperSVGA,
In what case do you need a 9-byte UID?
I thought you needed to replace the 8-byte UID at 0x1D4 with the extended 8-byte UID from your tag?

I will order some tags in a few days. They won't spoil.
 
In what case do you need a 9-byte UID?
I thought you needed to replace the 8-byte UID at 0x1D4 with the extended 8-byte UID from your tag?

I will order some tags in a few days. They won't spoil.
Page     Byte 0   Byte 1   Byte 2   Byte 3
Page 0   UID 0    UID 1    UID 2    BCC 0
Page 1   UID 3    UID 4    UID 5    UID 6
Page 2   BCC 1

It's a 7 byte UID with 2 bytes of collision checking.

See http://dynamoreason.com/res/g/amiibo/uid to calculate the 9 byte UID from a 7 byte UID
 
Last edited by SuperSVGA,