Spoofing an amiibo using Android+NFC?

Discussion in 'Wii U - Hacking & Backup Loaders' started by dude22072, Nov 30, 2014.

  1. Pecrow

    Pecrow GBAtemp Maniac

    Member
    4
    Jun 23, 2015
    United States
    Where is the thread?
     
  2. elmoemo

    elmoemo GBAtemp Advanced Fan

    Member
    4
    Dec 4, 2012
  3. fiveighteen

    fiveighteen GBAtemp Advanced Maniac

    Member
    9
    Jun 30, 2008
    United States
    So what kind of NFC tag does this Amiiqo use that nobody else can seem to find?
     
  4. mdmwii

    mdmwii Newbie

    Newcomer
    2
    Nov 9, 2009
    Italy
  5. fiveighteen

    fiveighteen GBAtemp Advanced Maniac

    Member
    9
    Jun 30, 2008
    United States
  6. fiveighteen

    fiveighteen GBAtemp Advanced Maniac

    Member
    9
    Jun 30, 2008
    United States
    I found a product (unrelated to Wii U/Android) that shows:
    Communication Interfaces: RS232 / RS485 ciphered with AES-128bits (SX2 / SX3)

    So it seems like SX3 is for security? RS232 works for ISO14443A (Amiibo chips).

    Someone has created an Amiibo Decryption Service, where you send your encrypted amiibo.bin file to a server and it decrypts it for you. I made a bash script that runs through Cygwin (requires nc; netcat) so you can easily decrypt a single file or decrypt all files in a folder. Open with Notepad++ or similar and change your location folder and your decrypted location folder (where the .bin files are, and where you want the decrypted .bin files to go). Double-click it to run from anywhere.
     

    NWPlayer123 likes this.
  7. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Member
    17
    Feb 17, 2012
    United States
    The Everfree Forest
    Well, that makes my life easier, may as well translate the full including what's on the servers to Python now.
     
  8. asper

    asper GBAtemp Advanced Fan

    Member
    7
    May 14, 2010
    United States
    NWPlayer, what is the format of the amiibo dump? Raw NFC block content?
     
  9. socram8888

    socram8888 Member

    Newcomer
    2
    Apr 6, 2009
    Valencia, Spain
    Yes
     
    KiiWii, NWPlayer123 and asper like this.
  10. KungFuzion

    KungFuzion GBAtemp Fan

    Member
    5
    Feb 5, 2015
    I ordered my amiiqo 2 days ago. Check out the nfc bank, there's loads of dumps on there.
     
  11. asper

    asper GBAtemp Advanced Fan

    Member
    7
    May 14, 2010
    United States
    Well, with amiiqo (the "q" is a reversed "b", have you ever noticed it ;) ) everyone can have a full load of virtual toys...
    But with socram8888's service it will be fun to see how data is stored inside the toys!

    Are amiibo useful for online gaming or are they totally useless?
     
  12. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Member
    17
    Feb 17, 2012
    United States
    The Everfree Forest
    Using @golden45's Cafiine dump I dumped the NFP backup loaded in Splatoon, which contains the raw decrypted data now (I know since it's the same format as the stuff in @socram8888's thread)
     
    asper likes this.
  13. asper

    asper GBAtemp Advanced Fan

    Member
    7
    May 14, 2010
    United States
    What's an "NFP" backup? You mean NFC? Can you tell us where in memory the decrypted dump is stored?

    Anyway, if you change the data in memory then the game will write it re-encrypted for you! Great finding, man!!!!
     
  14. Rubyheart

    Rubyheart Advanced Member

    Newcomer
    2
    Feb 8, 2014
    United States
    NFP was the code name for the amiibos. Nintendo Figurine Platform.
     
    asper and NWPlayer123 like this.
  15. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Member
    17
    Feb 17, 2012
    United States
    The Everfree Forest
    Yes, and that's also what the library's called. The Wii U has like 3 different libraries, a very low level NFC library, a higher level NTAG library, and then their specialized nn_nfp (Nintendo Network Nintendo Figurine Platform) library that needs C++. I haven't looked to see where it's loaded yet.
     
    asper likes this.
  16. asper

    asper GBAtemp Advanced Fan

    Member
    7
    May 14, 2010
    United States
    So there is a file called nfp_backup.dat somewhere in memory during the game... really good finding, man!
     
  17. socram8888

    socram8888 Member

    Newcomer
    2
    Apr 6, 2009
    Valencia, Spain
    Actually they would be even more suitable, given you could use them as simple keys and store data on a remote server, protected from cheating and replay attacks, and without using the scarce tag memory, which would mean you could use them with several games also. You would need a permanent internet connection to use these amiibos, though.
    I can't speak for the Wii U, but on 3DS that file is stored on NAND, not in RAM, so it'll be there when not playing too.
     
  18. asper

    asper GBAtemp Advanced Fan

    Member
    7
    May 14, 2010
    United States
    A kind of "virtual Amiibo"! Cool! Even if spoofing the simple UID/key will make a real-time perfect clone without needing to know the algos... so this will not be a great idea after all... anyway, this is a new world to explore! :)
     
  19. pizzatime

    pizzatime Member

    Newcomer
    1
    Jan 28, 2014
    Italy
  20. asper

    asper GBAtemp Advanced Fan

    Member
    7
    May 14, 2010
    United States
    ...but the data cannot be modified if you cannot decrypt it and encrypt it back... you can copy back a previously dumped amiibo, but I am not sure the game is not able to recognize it as "bad"... did anyone test that?
     
    Last edited by asper, Sep 16, 2015