Amiibo: Difference between revisions
Socram8888 (talk | contribs) No edit summary
Create table for nfc page 0x4
(20 intermediate revisions by 4 users not shown)
| Line 9: | Line 9: | ||
= Page layout =  | = Page layout =  | ||
Excluding the auth-related configuration pages at the end, the structure of the NFC pages is the following:  | |||
{| class="wikitable" border="1"  | {| class="wikitable" border="1"  | ||
|-  | |-  | ||
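Review bot: "the auth-related configuration pages at the end" is not specific enough: the table below includes CFG0 (page 0x83) and CFG1 (page 0x84), which are configuration pages too, so say explicitly that the excluded pages are the password pages after 0x84 used by PWD_AUTH (or list their page numbers) so a reader knows exactly which pages the layout does not cover.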
| Line 21: | Line 20: | ||
|-  | |-  | ||
| 0x0  | | 0x0  | ||
| 0x3  | |||
| 0x0  | |||
| 0xC  | |||
| style="background: red" | No  | |||
| Standard NTAG215: 9-byte serial-number, "internal" u8 value, then the two lock bytes which must match raw binary "0F E0".  | |||
|-  | |||
| 0x3  | |||
| 0x1  | |||
| 0xC  | |||
| 0x4  | | 0x4  | ||
| style="background: red" | No  | | style="background: red" | No  | ||
|   | | Standard NTAG215: "Capability Container (CC)". Must match raw binary "F1 10 FF EE".  | ||
|-  | |-  | ||
| 0x4  | | 0x4  | ||
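Review bot: The page-0x0 and page-0x3 rows say the lock bytes and the CC "must match" fixed values but not what enforces the match or what happens on mismatch; say whether a tag failing these checks is rejected, and by which component, so the check reads as a documented validation step. The 0x0 row also packs three fields into one cell; giving each its offset within the 0xC bytes (serial at 0x0..0x8, internal u8 at 0x9, lock bytes at 0xA..0xB) would make it match the style of the other rows.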
| Line 32: | Line 38: | ||
| 0x4  | | 0x4  | ||
| style="background: green" | Yes  | | style="background: green" | Yes  | ||
| Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init.   | | Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init.  | ||
{| class="wikitable" border="1"  | |||
|-  | |||
!  Offset  | |||
!  Size  | |||
!  Description  | |||
|-  | |||
| 0x0  | |||
| 0x1  | |||
| Magic (Always 0xA5)  | |||
|-  | |||
| 0x1  | |||
| 0x2  | |||
| Incremented each time the Amiibo is written to.  | |||
|-  | |||
| 0x3  | |||
| 0x1  | |||
| Figure version (always 0x00)  | |||
|}  | |||
|-  | |-  | ||
| 0x5  | | 0x5  | ||
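Review bot: "Last 3-bytes here" now has names in the nested table (the u16 write counter at 0x1 and the figure version at 0x3), so use those names in the sentence rather than making the reader work out that only the 0xA5 magic is excluded. The nested table should also state the byte order of the u16 counter, since the AppData row says the rest of this data is normally big-endian and the counter is copied into the crypto init buffer as-is.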
| Line 60: | Line 84: | ||
| 0x20  | | 0x20  | ||
| style="background: green" | Yes  | | style="background: green" | Yes  | ||
| SHA256-  | | SHA256-HMAC hash over 0x1DF-bytes: first 3-bytes are from the last 3-bytes of page[4], the rest is over the first 0x1DC-bytes of the plaintext data.  | ||
|-  | |-  | ||
| 0x28  | | 0x28  | ||
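Review bot: The HMAC description does not name the key: say which key from the crypto init is used for this hash and at which offset the 0x1DC plaintext bytes begin, since "3 bytes from page[4], then 0x1DC bytes of plaintext" cannot be reproduced without both. The sizes themselves are consistent (0x3 + 0x1DC = 0x1DF).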
| Line 75: | Line 99: | ||
| style="background: green" | Yes  | | style="background: green" | Yes  | ||
| This is section2 in the encrypted buffer.  | | This is section2 in the encrypted buffer.  | ||
|-  | |||
| 0x82  | |||
| 0x1  | |||
| 0x208  | |||
| 0x4  | |||
| style="background: red" | No  | |||
| Standard NTAG215: first 3-bytes are dynamic lock bytes. Must match raw binary "01 00 0F".  | |||
|-  | |||
| 0x83  | |||
| 0x1  | |||
| 0x20C  | |||
| 0x4  | |||
| style="background: red" | No  | |||
| Standard NTAG215: CFG0. Must match raw binary "00 00 00 04".  | |||
|-  | |||
| 0x84  | |||
| 0x1  | |||
| 0x210  | |||
| 0x4  | |||
| style="background: red" | No  | |||
| Standard NTAG215: CFG1. Must match raw binary "5F 00 00 00".  | |||
|}  | |}  | ||
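Review bot: The 0x82 row gives a 0x4-byte size but "must match" only three bytes (01 00 0F); say whether the fourth byte is ignored by the check or also has a required value, as the CFG0 and CFG1 rows state all four bytes. The new page-count and offset columns are consistent with page*4 for these rows (0x82 -> 0x208, 0x83 -> 0x20C, 0x84 -> 0x210).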
| Line 92: | Line 137: | ||
|-  | |-  | ||
| 0x0  | | 0x0  | ||
|   | | 0x8  | ||
| Amiibo Identification Block  | |||
|-  | |||
| 0x8  | |||
| 0x4  | |||
| ?  | | ?  | ||
|-  | |-  | ||
| 0xC  | | 0xC  | ||
| 0x20  | | 0x20  | ||
| Probably a SHA256-HMAC hash.  | | Probably a SHA256-(HMAC?) hash.  | ||
|}  | |||
===Structure of Amiibo Identification Block===  | |||
{| class="wikitable" border="1"  | |||
|-  | |||
! Offset  | |||
! Size  | |||
! Description  | |||
! Notes  | |||
|-  | |||
| 0x0  | |||
| 0x2  | |||
| Game & Character ID  | |||
| First 10 bits are the Game ID and last 6 bits are Character ID.  | |||
|-  | |||
| 0x2  | |||
| 0x1  | |||
| Character variant  | |||
|  | |||
|-  | |||
| 0x3  | |||
| 0x1  | |||
| Amiibo Figure Type  | |||
|  | |||
|-  | |||
| 0x4  | |||
| 0x2  | |||
| Amiibo Model Number  | |||
|  | |||
|-  | |||
| 0x6  | |||
| 0x1  | |||
| Amiibo Series  | |||
|  | |||
|-  | |||
| 0x7  | |||
| 0x1  | |||
| Format Version  | |||
| Always 0x02  | |||
|}  | |}  | ||
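Review bot: "First 10 bits are the Game ID and last 6 bits are Character ID" is ambiguous without the byte order and bit numbering: say whether the u16 is big-endian (the AppData row says big-endian is normal for this data) and whether "first" means the most-significant bits; if that reading is right, stating it as game = id >> 6 and character = id & 0x3F would remove the ambiguity. The 0xC row now hedges with "SHA256-(HMAC?)"; if it is the same construction as the 0x1DF-byte HMAC elsewhere in the table, link it, otherwise say what is still unverified.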
| Line 147: | Line 235: | ||
| 0xB0  | | 0xB0  | ||
| 0xD8  | | 0xD8  | ||
| AppData, for the user-application specified in the above Amiibo settings. The data stored here is application-specific.  | | AppData, for the user-application specified in the above Amiibo settings. The data stored here is application-specific. The data stored here is normally all big-endian, even when the user-application is only for 3DS systems. Note that this data is initially uninitialized, and at least some of it will stay that way unless an application clears/initializes *all* of it.  | ||
|-  | |-  | ||
| 0x188  | | 0x188  | ||
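Review bot: "initially uninitialized" should say what the bytes contain before an application initializes them: are they zero-filled when AppData is assigned to an AppID, or left with whatever the tag previously held? The second case means an application parsing AppData must treat every field as untrusted input, which appears to be the point the sentence is making, so state it directly.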
| Line 168: | Line 256: | ||
| 0x1  | | 0x1  | ||
| 0x1  | | 0x1  | ||
|   | | Country Code ID, [[Config_Savegame|from]] the system which setup this amiibo. This is copied to the struct used with [[NFC:GetAmiiboSettings]].  | ||
|-  | |-  | ||
| 0x2  | | 0x2  | ||
| Line 236: | Line 324: | ||
== Read procedure ==  | == Read procedure ==  | ||
* GET_VERSION  | * GET_VERSION  | ||
* READ, startpage=0x03  | * READ, startpage=0x03.  | ||
* PWD_AUTH. Key is based on UID.  | * PWD_AUTH. Key is based on UID.  | ||
* FAST_READ: startpage=0x00, endpage=0x3B  | * FAST_READ: startpage=0x00, endpage=0x3B  | ||
| Line 246: | Line 334: | ||
== Write procedure ==  | == Write procedure ==  | ||
* GET_VERSION  | * GET_VERSION  | ||
* READ, startpage=0x03  | * READ, startpage=0x03.  | ||
* PWD_AUTH. Key is based on UID.  | * PWD_AUTH. Key is based on UID.  | ||
* Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.  | * Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.  | ||
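Review bot: The procedure zeroes the first byte of page[4] during the multi-page write and only writes 0xA5 in the final WRITE that follows; the page-0x4 table calls that byte "Magic (Always 0xA5)" without mentioning this, so cross-reference it there and say whether a tag whose magic is not 0xA5 (an interrupted write) is rejected on the next read.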
| Line 253: | Line 341: | ||
* WRITE: page=0x04, same data as before except first byte is 0xA5 this time.  | * WRITE: page=0x04, same data as before except first byte is 0xA5 this time.  | ||
* FAST_READ: startpage=0x04, endpage=0x04  | * FAST_READ: startpage=0x04, endpage=0x04  | ||
=Games using Amiibo AppData=  | |||
The following is a list of games which actually store game-specific data on Amiibo, not *just* using Amiibo for checking character IDs:  | |||
{| class="wikitable" border="1"  | |||
|-  | |||
!  Name  | |||
!  Available for (New)3DS  | |||
!  Available for Wii U  | |||
!  Amiibo AppID  | |||
!  AppData structure / link to info  | |||
!  AppData modification for exploitation notes.  | |||
|-  | |||
| Super Smash Bros  | |||
| Yes  | |||
| Yes  | |||
| 0x10110E00  | |||
| [https://github.com/yellows8/smash3ds-tools/wiki/SmashAmiiboAppData]  | |||
| No crash ever triggered via AppData fuzzing.  | |||
|-  | |||
| Mario Party 10  | |||
| No  | |||
| Yes  | |||
| ?  | |||
| N/A  | |||
| N/A  | |||
|-  | |||
| Animal Crossing: Happy Home Designer  | |||
| Yes  | |||
| No  | |||
| 0x0014F000  | |||
| N/A  | |||
| The initial AppData handling doesn't appear to have any vuln(s), going by manual code-RE for update v2.0. Fuzzing wasn't attempted.  | |||
|-  | |||
| Chibi-Robo!: Zip Lash  | |||
| Yes  | |||
| No  | |||
| 0x00152600  | |||
| The entire AppData is read by the game, but only the first 0x10-bytes are actually used.  | |||
| No crash ever triggered via AppData fuzzing.  | |||
|-  | |||
| Mario & Luigi: Paper Jam  | |||
| Yes  | |||
| No  | |||
| 0x00132600  | |||
| Starts with the process-name("MILLION"). The rest seems to be bitmasks maybe?  | |||
| No crash ever triggered via AppData fuzzing, when viewing "character cards"(just unlocks various cards).  | |||
|-  | |||
| The Legend of Zelda: Twilight Princess HD  | |||
| No  | |||
| Yes  | |||
| 0x1019C800  | |||
| Unknown.  | |||
| No crash/hang ever occurred when using amiibo in-game for "Cave of Shadows".  | |||
With the amiibo quick-start option at the title-screen, only errors ever occurred(<quick-start data not found> / <quick-start data is for another user>).  | |||
|}  | |||
= External links =  | = External links =  | ||
* [http://wiiubrew.org/wiki/Wii_U_GamePad Wii U Gamepad and Amiibo information on WiiUBrew].  | * [http://wiiubrew.org/wiki/Wii_U_GamePad Wii U Gamepad and Amiibo information on WiiUBrew].  | ||
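Review bot: The "No crash ever triggered via AppData fuzzing" entries give no scope (game version, which AppData bytes were mutated, how many iterations), so a reader cannot tell how much weight the result carries; add at least the version tested, as the Animal Crossing entry does ("update v2.0"). Two style points: the last column header should drop the trailing period to match the other headers, and the Super Smash Bros link has no link text so it renders as a bare number.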