1
edit
Changes
Jump to navigation
Jump to search
Line 9:
Line 9: − Excluiding the configuration pages at the end, the structure of the NFC pages is as following:+ − Line 21:
Line 20: + + + + + + + + + − | 0x10 − | 0x10 − + Line 75:
Line 81: + + + + + + + + + + + + + + + + + + + + + Line 92:
Line 119: − + + + + + Line 98:
Line 129: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 147:
Line 217: − + Line 168:
Line 238: − + Line 236:
Line 306: − + Line 246:
Line 316: − + Line 253:
Line 323: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→Structure of Amiibo Identification Block
= Page layout =
= Page layout =
Excluding the auth-related configuration pages at the end, the structure of the NFC pages is the following:
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
|-
|-
| 0x0
| 0x0
| 0x3
| 0x0
| 0xC
| style="background: red" | No
| Standard NTAG215: 9-byte serial-number, "internal" u8 value, then the two lock bytes which must match raw binary "0F E0".
|-
| 0x3
| 0x1
| 0xC
| 0x4
| 0x4
| style="background: red" | No
| style="background: red" | No
| Same as standard NTAG215: 9-byte serial-number, "internal" u8 value, two lock bytes then the "Capability Container (CC)" page.
| Standard NTAG215: "Capability Container (CC)". Must match raw binary "F1 10 FF EE".
|-
|-
| 0x4
| 0x4
| style="background: green" | Yes
| style="background: green" | Yes
| This is section2 in the encrypted buffer.
| This is section2 in the encrypted buffer.
|-
| 0x82
| 0x1
| 0x208
| 0x4
| style="background: red" | No
| Standard NTAG215: first 3-bytes are dynamic lock bytes. Must match raw binary "01 00 0F".
|-
| 0x83
| 0x1
| 0x20C
| 0x4
| style="background: red" | No
| Standard NTAG215: CFG0. Must match raw binary "00 00 00 04".
|-
| 0x84
| 0x1
| 0x210
| 0x4
| style="background: red" | No
| Standard NTAG215: CFG1. Must match raw binary "5F 00 00 00".
|}
|}
|-
|-
| 0x0
| 0x0
| 0xC
| 0x8
| Amiibo Identification Block
|-
| 0x8
| 0x4
| ?
| ?
|-
|-
| 0x20
| 0x20
| Probably a SHA256-(HMAC?) hash.
| Probably a SHA256-(HMAC?) hash.
|}
===Structure of Amiibo Identification Block===
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
! Notes
|-
| 0x0
| 0x2
| Game & Character ID
| First 10 bits are the Game ID and last 6 bits are Character ID.
|-
| 0x2
| 0x1
| Character variant
|
|-
| 0x3
| 0x1
| Amiibo Figure Type
|
|-
| 0x4
| 0x2
| Amiibo Model Number
|
|-
| 0x6
| 0x1
| Amiibo Series
|
|-
| 0x7
| 0x1
| Unknown
| Always 0x02
|}
|}
| 0xB0
| 0xB0
| 0xD8
| 0xD8
| AppData, for the user-application specified in the above Amiibo settings. The data stored here is application-specific.
| AppData, for the user-application specified in the above Amiibo settings. The data stored here is application-specific. The data stored here is normally all big-endian, even when the user-application is only for 3DS systems. Note that this data is initially uninitialized, and at least some of it will stay that way unless an application clears/initializes *all* of it.
|-
|-
| 0x188
| 0x188
| 0x1
| 0x1
| 0x1
| 0x1
| Unknown. The low 4-bits here are copied to the struct used with [[NFC:GetAmiiboSettings]].
| Country Code ID, [[Config_Savegame|from]] the system which setup this amiibo. This is copied to the struct used with [[NFC:GetAmiiboSettings]].
|-
|-
| 0x2
| 0x2
== Read procedure ==
== Read procedure ==
* GET_VERSION
* GET_VERSION
* READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1.
* READ, startpage=0x03.
* PWD_AUTH. Key is based on UID.
* PWD_AUTH. Key is based on UID.
* FAST_READ: startpage=0x00, endpage=0x3B
* FAST_READ: startpage=0x00, endpage=0x3B
== Write procedure ==
== Write procedure ==
* GET_VERSION
* GET_VERSION
* READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1.
* READ, startpage=0x03.
* PWD_AUTH. Key is based on UID.
* PWD_AUTH. Key is based on UID.
* Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.
* Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.
* WRITE: page=0x04, same data as before except first byte is 0xA5 this time.
* WRITE: page=0x04, same data as before except first byte is 0xA5 this time.
* FAST_READ: startpage=0x04, endpage=0x04
* FAST_READ: startpage=0x04, endpage=0x04
=Games using Amiibo AppData=
The following is a list of games which actually store game-specific data on Amiibo, not *just* using Amiibo for checking character IDs:
{| class="wikitable" border="1"
|-
! Name
! Available for (New)3DS
! Available for Wii U
! Amiibo AppID
! AppData structure / link to info
! AppData modification for exploitation notes.
|-
| Super Smash Bros
| Yes
| Yes
| 0x10110E00
| [https://github.com/yellows8/smash3ds-tools/wiki/SmashAmiiboAppData]
| No crash ever triggered via AppData fuzzing.
|-
| Mario Party 10
| No
| Yes
| ?
| N/A
| N/A
|-
| Animal Crossing: Happy Home Designer
| Yes
| No
| 0x0014F000
| N/A
| The initial AppData handling doesn't appear to have any vuln(s), going by manual code-RE for update v2.0. Fuzzing wasn't attempted.
|-
| Chibi-Robo!: Zip Lash
| Yes
| No
| 0x00152600
| The entire AppData is read by the game, but only the first 0x10-bytes are actually used.
| No crash ever triggered via AppData fuzzing.
|-
| Mario & Luigi: Paper Jam
| Yes
| No
| 0x00132600
| Starts with the process-name("MILLION"). The rest seems to be bitmasks maybe?
| No crash ever triggered via AppData fuzzing, when viewing "character cards"(just unlocks various cards).
|-
| The Legend of Zelda: Twilight Princess HD
| No
| Yes
| 0x1019C800
| Unknown.
| No crash/hang ever occurred when using amiibo in-game for "Cave of Shadows".
With the amiibo quick-start option at the title-screen, only errors ever occurred(<quick-start data not found> / <quick-start data is for another user>).
|}
= External links =
= External links =
* [http://wiiubrew.org/wiki/Wii_U_GamePad Wii U Gamepad and Amiibo information on WiiUBrew].
* [http://wiiubrew.org/wiki/Wii_U_GamePad Wii U Gamepad and Amiibo information on WiiUBrew].