[Idea/Question] Possibility of using Mii Amiibos to launch payload.

Discussion in 'Switch - Hacking & Homebrew' started by NitroCipher, May 26, 2017.

  1. NitroCipher
    OP

    NitroCipher Advanced Member

    I was creating a Mii on my Switch today, and I noticed that you can copy a Mii over from an Amiibo.

    Could you create a fake Mii Amiibo (using an NFC tag) that overflows, executing a payload? I am not quite sure if this would work at all, or if it is even slightly feasible. I am a novice to the whole console hacking scene, so sorry if this isn't useful.
     
  2. SANIC

    SANIC GBATemp's Sonic Fan in Residence, 後

    Except that no payloads exist
     
  3. Somebody Whoisbored

    Somebody Whoisbored it's all okeydokey

    Well no shit. He is asking if it's possible to make one.
     
  4. itsjch

    itsjch Advanced Member

    Maybe, like, if someone made one and injected it via a blank NFC tag or Amiiqo, that would be great, but let's keep dreaming.
     
  5. badpix11

    badpix11 Member

    The Amiibo structure has a fixed size/length, so besides the fact that no payload exists, there is no overflow either.

    For more information about the structure:
    https://3dbrew.org/wiki/Amiibo
     
  6. Seelbreaker

    Seelbreaker GBAtemp Regular


    sooo...
    as long as the size/length somehow gets spoofed, you could try to load code through games which read Amiibo data, like Breath of the Wild. IF games like Breath of the Wild even allow running code from those amiibos?
     
  7. TiMeBoMb4u2

    TiMeBoMb4u2 GBAtemp Maniac

    Well... At the moment, the only amiibo I'm thinking this may be a possibility with is Wolf Link, in Breath of the Wild. Since the game reads in the Heart Container data from the amiibo, and not just the amiibo ID, someone might be able to reverse-engineer how this Heart Container data is handled in memory. I say this very loosely, since I can't recall hearing of any amiibo attack vectors in the past (I'd like someone to correct me on this, though).
     
  8. urherenow

    urherenow GBAtemp Psycho!

    504 bytes. Not kilobytes. BYTES.

    Not no, but hell no.
     
  9. migles

    migles Mei the sexiest bae

    my dad works for nintendo.
    Inb4, "hey newbie here!!! couldn't couldn't just just...."
    Couldn't you just stick 2 fake amiibo cards taped together to create extra memory so you could overflow????
     
  10. Seelbreaker

    Seelbreaker GBAtemp Regular

    And this part seems to be bugged, AFAIR?

    I played TP but never got all the heart pieces there, and tried the dark cave of shadows with... I dunno, 10? hearts and didn't even finish, and my Wolf Link in BotW has 20 heart pieces...
     
  11. DeadlyFoez

    DeadlyFoez GBAtemp Guru

    Even better, if you tape a 3.5" floppy disk to it then you will get even more data through.
     
  12. TheDarkGreninja

    TheDarkGreninja How could you hate that face?

    Yeah, 504 bytes is just a great size for a payload, yep /s
     
  13. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Even if there were an overflow, ASLR makes this kind of overflow not viable, because you'd need an address leak (i.e. data coming out incorrectly) for it to possibly work. Generally that's only doable using something like JavaScript, where it can leak addresses and craft ROP on the console itself based on the leaks.