3dbrew

Amiibo: Difference between revisions

← Older editNewer edit →
No edit summary
Line 1: Line 1:
'''Amiibo''' are [[NFC_Services|NFC]] figures made by Nintendo, used in games in different forms (different in each game). It can be used with the New3DS and the Old3DS with an [[IR_Services|IR]] [[NFC_adapter|peripheral]].
'''Amiibo''' are [[NFC_Services|NFC]] figures made by Nintendo, used in games in different forms (different in each game). It can be used with the New3DS and the Old3DS with an [[IR_Services|IR]] [[NFC_adapter|peripheral]].


== Technical specifications ==
= Tag information =
See also [http://wiiubrew.org/wiki/Wii_U_GamePad here].
* Model: [http://www.nxp.com/products/identification_and_security/smart_label_and_tag_ics/ntag/series/NTAG213_215_216.html NTAG215]
* Manufacturer: NXP Semiconductor
* Page size: 4 bytes
* Page count: 135 pages (540 bytes)
* Data pages: 126 pages (504 bytes)


Specifications can be found on this image, which is a compilation of screenshots made by scanning a Samus amiibo with the Android App "NFC TagInfo":
= Page layout =
[[File:Amiibonfctaginfo.png|500px]]
Excluiding the configuration pages at the end, the structure of the NFC pages is as following:
 
See here regarding the Amiibo [[Process_Services_PXI|encryption]].
 
The NFC tag for Amiibo is NTAG215.
 
=== AUTH_PWD ===
The NFC 32bit password for the PWD_AUTH command(for enabling write-access to the encrypted NFC pages / etc), appears to be generated from unknown data that doesn't change when the Amiibo data pages are being updated.
 
=== NTAG215 commands ===
==== Amiibo reading ====
* GET_VERSION
* READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1.
* PWD_AUTH
* FAST_READ: startpage=0x00, endpage=0x3B
* FAST_READ: startpage=0x3C, endpage=0x77
* FAST_READ: startpage=0x78, endpage=0x86


Therefore, *all* pages from the Amiibo NFC tag are read, including the configuration pages at the end.
==== Amiibo writing ====
* Use the same commands under the above reading section, then use those first 3 commands again.
* Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.
* Multiple WRITE commands for writing to pages 0x20..0x81.
* Use the last 3 commands from the above reading section.
* WRITE: page=0x04, same data as before except first byte is 0xA5 this time.
* FAST_READ: startpage=0x04, endpage=0x04
=== NFC pages ===
Each page is 4-bytes, there is a total of 0x87/135 pages. Minus the configuration pages at the end, the total is 0x82/130 pages. The following is the structure of the NFC pages:
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 41: Line 17:
!  Raw byte offset in EEPROM
!  Raw byte offset in EEPROM
!  Total byte size
!  Total byte size
!  Writable
!  Description
!  Description
|-
|-
Line 47: Line 24:
| 0x10
| 0x10
| 0x10
| 0x10
| style="background: red" | No
| Same as standard NTAG215: 9-byte serial-number, "internal" u8 value, two lock bytes then the "Capability Container (CC)" page.
| Same as standard NTAG215: 9-byte serial-number, "internal" u8 value, two lock bytes then the "Capability Container (CC)" page.
|-
|-
Line 53: Line 31:
| 0x10
| 0x10
| 0x4
| 0x4
| style="background: green" | Yes
| Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init. The first byte is normally 0xA5. The remaining bytes are initially(before the Amiibo is written to) all-zero. Byte[2](maybe big-endian u16 starting at byte1?) here is incremented each time the Amiibo is written to.
| Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init. The first byte is normally 0xA5. The remaining bytes are initially(before the Amiibo is written to) all-zero. Byte[2](maybe big-endian u16 starting at byte1?) here is incremented each time the Amiibo is written to.
|-
|-
Line 59: Line 38:
| 0x14
| 0x14
| 0x20
| 0x20
| style="background: green" | Yes
| The system crypts 0x1A0-bytes with some data from here, see below.
| The system crypts 0x1A0-bytes with some data from here, see below.
|-
|-
Line 65: Line 45:
| 0x34
| 0x34
| 0x20
| 0x20
| style="background: red" | No
| SHA256-(HMAC?) hash. The first 0x18-bytes of this hash is section3 in the encrypted buffer.
| SHA256-(HMAC?) hash. The first 0x18-bytes of this hash is section3 in the encrypted buffer.
|-
|-
Line 71: Line 52:
| 0x54
| 0x54
| 0x2C
| 0x2C
| style="background: red" | No
| This is plaintext data, see below.
| This is plaintext data, see below.
|-
|-
Line 77: Line 59:
| 0x80
| 0x80
| 0x20
| 0x20
| SHA256-HMAC hash over 0x1DF-bytes: first 3-bytes are from the last 3-bytes of page[4], the rest is over the first 0x1DC-bytes of the plaintext data.
| style="background: green" | Yes
| SHA256-(HMAC?) hash over 0x1DF-bytes: first 3-bytes are from the last 3-bytes of page[4], the rest is over the first 0x1DC-bytes of the plaintext data.
|-
|-
| 0x28
| 0x28
Line 83: Line 66:
| 0xA0
| 0xA0
| 0x114
| 0x114
| style="background: green" | Yes
| This is section1 in the encrypted buffer.
| This is section1 in the encrypted buffer.
|-
|-
Line 89: Line 73:
| 0x1B4
| 0x1B4
| 0x54
| 0x54
| style="background: green" | Yes
| This is section2 in the encrypted buffer.
| This is section2 in the encrypted buffer.
|}
|}


==== Structure of the data starting at page 0x15 ====
Specifications can be found on this image, which is a compilation of screenshots made by scanning a Samus amiibo with the Android App "NFC TagInfo":
[[File:Amiibonfctaginfo.png|500px]]
 
See here regarding the Amiibo [[Process_Services_PXI|encryption]].
 
= Data structures =
 
== Structure of the data starting at page 0x15 ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 105: Line 97:
| 0xC
| 0xC
| 0x20
| 0x20
| Probably a SHA256-(HMAC?) hash.
| Probably a SHA256-HMAC hash.
|}
|}


==== Encrypted data buffer structure ====
== Encrypted data buffer structure ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 142: Line 134:
|}
|}


==== Structure of the plaintext data ====
== Structure of the plaintext data ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 162: Line 154:
|}
|}


==== Structure of Amiibo settings ====
== Structure of Amiibo settings ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 238: Line 230:
| Year, relative to 2000.
| Year, relative to 2000.
|}
|}
= 3DS read/write procedure =
Note this is the procedure used by the console, but isn't the only way of reading them.
== Read procedure ==
* GET_VERSION
* READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1.
* PWD_AUTH. Key is based on UID.
* FAST_READ: startpage=0x00, endpage=0x3B
* FAST_READ: startpage=0x3C, endpage=0x77
* FAST_READ: startpage=0x78, endpage=0x86
Therefore, *all* pages from the Amiibo NFC tag are read, including the configuration pages at the end.
== Write procedure ==
* GET_VERSION
* READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1.
* PWD_AUTH. Key is based on UID.
* Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.
* Multiple WRITE commands for writing to pages 0x20..0x81.
* Use the last 3 commands from the above reading section.
* WRITE: page=0x04, same data as before except first byte is 0xA5 this time.
* FAST_READ: startpage=0x04, endpage=0x04
= External links =
* [http://wiiubrew.org/wiki/Wii_U_GamePad Wii U Gamepad and Amiibo information on WiiUBrew].
Retrieved from "https://www.3dbrew.org/wiki/Amiibo"