Line 1: |
Line 1: |
− | '''Amiibo''' are [[NFC_Services|NFC]] figures made by Nintendo, used in games in different forms (different in each game). It can be used with the New3DS and the Old3DS with an [[IR_Services|IR]] peripheral. | + | '''Amiibo''' are [[NFC_Services|NFC]] figures made by Nintendo, used in games in different forms (different in each game). It can be used with the New3DS and the Old3DS with an [[IR_Services|IR]] [[NFC_adapter|peripheral]]. |
| | | |
− | == Technical specifications == | + | = Tag information = |
− | See also [http://wiiubrew.org/wiki/Wii_U_GamePad here].
| + | * Model: [http://www.nxp.com/products/identification_and_security/smart_label_and_tag_ics/ntag/series/NTAG213_215_216.html NTAG215] |
| + | * Manufacturer: NXP Semiconductor |
| + | * Page size: 4 bytes |
| + | * Page count: 135 pages (540 bytes) |
| + | * Data pages: 126 pages (504 bytes) |
| + | |
| + | = Page layout = |
| + | Excluding the auth-related configuration pages at the end, the structure of the NFC pages is the following: |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! NFC page |
| + | ! Total pages |
| + | ! Raw byte offset in EEPROM |
| + | ! Total byte size |
| + | ! Writable |
| + | ! Description |
| + | |- |
| + | | 0x0 |
| + | | 0x3 |
| + | | 0x0 |
| + | | 0xC |
| + | | style="background: red" | No |
| + | | Standard NTAG215: 9-byte serial-number, "internal" u8 value, then the two lock bytes which must match raw binary "0F E0". |
| + | |- |
| + | | 0x3 |
| + | | 0x1 |
| + | | 0xC |
| + | | 0x4 |
| + | | style="background: red" | No |
| + | | Standard NTAG215: "Capability Container (CC)". Must match raw binary "F1 10 FF EE". |
| + | |- |
| + | | 0x4 |
| + | | 0x1 |
| + | | 0x10 |
| + | | 0x4 |
| + | | style="background: green" | Yes |
| + | | Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init. |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Offset |
| + | ! Size |
| + | ! Description |
| + | |- |
| + | | 0x0 |
| + | | 0x1 |
| + | | Magic (Always 0xA5) |
| + | |- |
| + | | 0x1 |
| + | | 0x2 |
| + | | Incremented each time the Amiibo is written to. |
| + | |- |
| + | | 0x3 |
| + | | 0x1 |
| + | | Figure version (always 0x00) |
| + | |} |
| + | |- |
| + | | 0x5 |
| + | | 0x8 |
| + | | 0x14 |
| + | | 0x20 |
| + | | style="background: green" | Yes |
| + | | The system crypts 0x1A0-bytes with some data from here, see below. |
| + | |- |
| + | | 0xD |
| + | | 0x8 |
| + | | 0x34 |
| + | | 0x20 |
| + | | style="background: red" | No |
| + | | SHA256-(HMAC?) hash. The first 0x18-bytes of this hash is section3 in the encrypted buffer. |
| + | |- |
| + | | 0x15 |
| + | | 0xB |
| + | | 0x54 |
| + | | 0x2C |
| + | | style="background: red" | No |
| + | | This is plaintext data, see below. |
| + | |- |
| + | | 0x20 |
| + | | 0x8 |
| + | | 0x80 |
| + | | 0x20 |
| + | | style="background: green" | Yes |
| + | | SHA256-HMAC hash over 0x1DF-bytes: first 3-bytes are from the last 3-bytes of page[4], the rest is over the first 0x1DC-bytes of the plaintext data. |
| + | |- |
| + | | 0x28 |
| + | | 0x45 |
| + | | 0xA0 |
| + | | 0x114 |
| + | | style="background: green" | Yes |
| + | | This is section1 in the encrypted buffer. |
| + | |- |
| + | | 0x6D |
| + | | 0x15 |
| + | | 0x1B4 |
| + | | 0x54 |
| + | | style="background: green" | Yes |
| + | | This is section2 in the encrypted buffer. |
| + | |- |
| + | | 0x82 |
| + | | 0x1 |
| + | | 0x208 |
| + | | 0x4 |
| + | | style="background: red" | No |
| + | | Standard NTAG215: first 3-bytes are dynamic lock bytes. Must match raw binary "01 00 0F". |
| + | |- |
| + | | 0x83 |
| + | | 0x1 |
| + | | 0x20C |
| + | | 0x4 |
| + | | style="background: red" | No |
| + | | Standard NTAG215: CFG0. Must match raw binary "00 00 00 04". |
| + | |- |
| + | | 0x84 |
| + | | 0x1 |
| + | | 0x210 |
| + | | 0x4 |
| + | | style="background: red" | No |
| + | | Standard NTAG215: CFG1. Must match raw binary "5F 00 00 00". |
| + | |} |
| | | |
| Specifications can be found on this image, which is a compilation of screenshots made by scanning a Samus amiibo with the Android App "NFC TagInfo": | | Specifications can be found on this image, which is a compilation of screenshots made by scanning a Samus amiibo with the Android App "NFC TagInfo": |
| [[File:Amiibonfctaginfo.png|500px]] | | [[File:Amiibonfctaginfo.png|500px]] |
| | | |
− | Most of the NFC pages are [[Process_Services_PXI|encrypted]]. This includes the actual Mii data for the owner, an UTF-16 string for the Amiibo nickname, etc.
| + | See here regarding the Amiibo [[Process_Services_PXI|encryption]]. |
| | | |
− | The NFC tag for Amiibo is NTAG215.
| + | = Data structures = |
| | | |
− | Each page is 4-bytes, the following is the structure of the NFC page:
| + | == Structure of the data starting at page 0x15 == |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
| |- | | |- |
− | ! NFC page | + | ! Offset |
− | ! Total pages | + | ! Size |
− | ! Raw byte offset in EEPROM
| |
− | ! Total byte size
| |
| ! Description | | ! Description |
| |- | | |- |
− | | 0 | + | | 0x0 |
− | | 4 | + | | 0x8 |
− | | 0x10 | + | | Amiibo Identification Block |
− | | 0x10 | + | |- |
− | | Same as standard NTAG215: 9-byte serial-number, "internal" u8 value, two lock bytes then the "Capability Container (CC)" page. | + | | 0x8 |
| + | | 0x4 |
| + | | ? |
| |- | | |- |
− | | 4 | + | | 0xC |
− | | 8
| |
− | | 0x10
| |
| | 0x20 | | | 0x20 |
− | | SHA256-HMAC over 0x1DF-bytes: first 3-bytes are from the last 3-bytes of page[12], the rest is over the first 0x1DC-bytes of the plaintext data following this hash(see page[13]). | + | | Probably a SHA256-(HMAC?) hash. |
| + | |} |
| + | |
| + | ===Structure of Amiibo Identification Block=== |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Offset |
| + | ! Size |
| + | ! Description |
| + | ! Notes |
| + | |- |
| + | | 0x0 |
| + | | 0x2 |
| + | | Game & Character ID |
| + | | First 10 bits are the Game ID and last 6 bits are Character ID. |
| + | |- |
| + | | 0x2 |
| + | | 0x1 |
| + | | Character variant |
| + | | |
| + | |- |
| + | | 0x3 |
| + | | 0x1 |
| + | | Amiibo Figure Type |
| + | | |
| |- | | |- |
− | | 12
| |
− | | 1
| |
− | | 0x30
| |
| | 0x4 | | | 0x4 |
− | | Unknown. Last 3-bytes here are used with the above HMAC. | + | | 0x2 |
| + | | Amiibo Model Number |
| + | | |
| + | |- |
| + | | 0x6 |
| + | | 0x1 |
| + | | Amiibo Series |
| + | | |
| + | |- |
| + | | 0x7 |
| + | | 0x1 |
| + | | Format Version |
| + | | Always 0x02 |
| + | |} |
| + | |
| + | == Encrypted data buffer structure == |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Encrypted buffer offset |
| + | ! Raw byte offset in NFC EEPROM |
| + | ! NFC page |
| + | ! Byte size |
| + | ! Notes |
| + | |- |
| + | | 0x0 |
| + | | 0x14 |
| + | | 0x5 |
| + | | 0x20 |
| + | | |
| + | |- |
| + | | 0x20 |
| + | | 0xA0 |
| + | | 0x28 |
| + | | 0x114 |
| + | | |
| |- | | |- |
− | | 13 | + | | 0x134 |
| + | | 0x1B4 |
| + | | 0x6D |
| + | | 0x54 |
| | | | | |
| + | |- |
| + | | 0x188 |
| | 0x34 | | | 0x34 |
− | | | + | | 0xD |
− | | The system crypts 0x1A0-bytes starting here. | + | | 0x18 |
| + | | This data is included in the crypto buffer, even though this data isn't actually encrypted(this is part of a hash). |
| |} | | |} |
| | | |
− | === Structure of plaintext data from page13 ===
| + | == Structure of the plaintext data == |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
| |- | | |- |
Line 58: |
Line 235: |
| | 0xB0 | | | 0xB0 |
| | 0xD8 | | | 0xD8 |
− | | AppData, for the user-application with the programID specified in the above Amiibo settings. The data stored here is application-specific. | + | | AppData, for the user-application specified in the above Amiibo settings. The data stored here is application-specific. The data stored here is normally all big-endian, even when the user-application is only for 3DS systems. Note that this data is initially uninitialized, and at least some of it will stay that way unless an application clears/initializes *all* of it. |
| |- | | |- |
| | 0x188 | | | 0x188 |
Line 65: |
Line 242: |
| |} | | |} |
| | | |
− | === Structure of Amiibo settings ===
| + | == Structure of Amiibo settings == |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
| |- | | |- |
Line 73: |
Line 250: |
| |- | | |- |
| | 0x0 | | | 0x0 |
− | | 0x20 | + | | 0x1 |
− | | ? | + | | Flags. The low 4-bits here are copied to the struct used with [[NFC:GetAmiiboSettings]]. The below setup date is only loaded when bit4 and/or bit5 here are set, otherwise value 0 is used instead for the date. Bit4=1 indicates that the Amiibo was setup with [[amiibo Settings]]: [[NFC:GetAmiiboSettings]] will return an all-zero struct when this is not set. |
| + | Bit5=1 indicates that the AppData was [[NFC:InitializeWriteAppData|initialized]]. [[NFC:InitializeWriteAppData]] will return an error if this is value 1, when successful that command will then set this bit to value 1. |
| + | |- |
| + | | 0x1 |
| + | | 0x1 |
| + | | Country Code ID, [[Config_Savegame|from]] the system which setup this amiibo. This is copied to the struct used with [[NFC:GetAmiiboSettings]]. |
| + | |- |
| + | | 0x2 |
| + | | 0x2 |
| + | | This big-endian u16 counter is incremented each time that the CRC32 at offset 0x8 gets updated by [[NFC:InitializeWriteAppData]], due to that value not matching the calculated one. When this value is already 0xFFFF, this counter won't be updated anymore. |
| + | |- |
| + | | 0x4 |
| + | | 0x2 |
| + | | u16 big-endian date value, see below. This is the date for when the Amiibo was initially setup in [[amiibo Settings]]. This is also written by [[NFC:InitializeWriteAppData]]. |
| + | |- |
| + | | 0x6 |
| + | | 0x2 |
| + | | u16 big-endian date value, see below. This is the date for when the Amiibo was last written to. |
| + | |- |
| + | | 0x8 |
| + | | 0x4 |
| + | | Big-endian CRC32 value with initialval=~0, with the 8-byte output from [[Cfg:GenHashConsoleUnique]]. This is written by [[NFC:InitializeWriteAppData]], when the current value doesn't match the calculated one. |
| + | |- |
| + | | 0xC |
| + | | 0x14(10*2) |
| + | | UTF-16BE Amiibo nickname. |
| |- | | |- |
| | 0x20 | | | 0x20 |
Line 82: |
Line 284: |
| | 0x80 | | | 0x80 |
| | 0x8 | | | 0x8 |
− | | Application programID for the AppData, zero otherwise. | + | | Big-endian application programID/titleID from the application which [[NFC:InitializeWriteAppData|initialized]] the AppData, zero otherwise. This is only written, not compared with the user application titleID: doing the latter would break games' cross-platform compatibility with 3DS<>Wii U(Super Smash Bros 3DS/Wii U for example). |
| |- | | |- |
| | 0x88 | | | 0x88 |
| + | | 0x2 |
| + | | u16 big-endian. This value is incremented each time the Amiibo is written to. When this value is already 0xFFFF, this counter won't be updated anymore. |
| + | |- |
| + | | 0x8A |
| | 0x4 | | | 0x4 |
− | | ? | + | | Big-endian u32 Amiibo AppID. |
| |- | | |- |
− | | 0x8C | + | | 0x8E |
− | | 0x4 | + | | 0x2 |
| | ? | | | ? |
| |- | | |- |
Line 96: |
Line 302: |
| | Probably a SHA256-HMAC hash. | | | Probably a SHA256-HMAC hash. |
| |} | | |} |
| + | |
| + | Format of the big-endian date values: |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Bit |
| + | ! Description |
| + | |- |
| + | | 0-4 |
| + | | Day |
| + | |- |
| + | | 5-8 |
| + | | Month |
| + | |- |
| + | | 9-15 |
| + | | Year, relative to 2000. |
| + | |} |
| + | |
| + | = 3DS read/write procedure = |
| + | Note this is the procedure used by the console, but isn't the only way of reading them. |
| + | |
| + | == Read procedure == |
| + | * GET_VERSION |
| + | * READ, startpage=0x03. |
| + | * PWD_AUTH. Key is based on UID. |
| + | * FAST_READ: startpage=0x00, endpage=0x3B |
| + | * FAST_READ: startpage=0x3C, endpage=0x77 |
| + | * FAST_READ: startpage=0x78, endpage=0x86 |
| + | |
| + | Therefore, *all* pages from the Amiibo NFC tag are read, including the configuration pages at the end. |
| + | |
| + | == Write procedure == |
| + | * GET_VERSION |
| + | * READ, startpage=0x03. |
| + | * PWD_AUTH. Key is based on UID. |
| + | * Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here. |
| + | * Multiple WRITE commands for writing to pages 0x20..0x81. |
| + | * Use the last 3 commands from the above reading section. |
| + | * WRITE: page=0x04, same data as before except first byte is 0xA5 this time. |
| + | * FAST_READ: startpage=0x04, endpage=0x04 |
| + | |
| + | =Games using Amiibo AppData= |
| + | The following is a list of games which actually store game-specific data on Amiibo, not *just* using Amiibo for checking character IDs: |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Name |
| + | ! Available for (New)3DS |
| + | ! Available for Wii U |
| + | ! Amiibo AppID |
| + | ! AppData structure / link to info |
| + | ! AppData modification for exploitation notes. |
| + | |- |
| + | | Super Smash Bros |
| + | | Yes |
| + | | Yes |
| + | | 0x10110E00 |
| + | | [https://github.com/yellows8/smash3ds-tools/wiki/SmashAmiiboAppData] |
| + | | No crash ever triggered via AppData fuzzing. |
| + | |- |
| + | | Mario Party 10 |
| + | | No |
| + | | Yes |
| + | | ? |
| + | | N/A |
| + | | N/A |
| + | |- |
| + | | Animal Crossing: Happy Home Designer |
| + | | Yes |
| + | | No |
| + | | 0x0014F000 |
| + | | N/A |
| + | | The initial AppData handling doesn't appear to have any vuln(s), going by manual code-RE for update v2.0. Fuzzing wasn't attempted. |
| + | |- |
| + | | Chibi-Robo!: Zip Lash |
| + | | Yes |
| + | | No |
| + | | 0x00152600 |
| + | | The entire AppData is read by the game, but only the first 0x10-bytes are actually used. |
| + | | No crash ever triggered via AppData fuzzing. |
| + | |- |
| + | | Mario & Luigi: Paper Jam |
| + | | Yes |
| + | | No |
| + | | 0x00132600 |
| + | | Starts with the process-name("MILLION"). The rest seems to be bitmasks maybe? |
| + | | No crash ever triggered via AppData fuzzing, when viewing "character cards"(just unlocks various cards). |
| + | |- |
| + | | The Legend of Zelda: Twilight Princess HD |
| + | | No |
| + | | Yes |
| + | | 0x1019C800 |
| + | | Unknown. |
| + | | No crash/hang ever occurred when using amiibo in-game for "Cave of Shadows". |
| + | With the amiibo quick-start option at the title-screen, only errors ever occurred(<quick-start data not found> / <quick-start data is for another user>). |
| + | |} |
| + | |
| + | = External links = |
| + | * [http://wiiubrew.org/wiki/Wii_U_GamePad Wii U Gamepad and Amiibo information on WiiUBrew]. |