2
edits
Changes
Create table for nfc page 0x4
| 0x4
| 0x4
| style="background: green" | Yes
| style="background: green" | Yes
| Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init. The first byte must be 0xA5. The remaining bytes are initially(before the Amiibo is written to) all-zero. Byte[2](maybe big-endian u16 starting at byte1?) here is incremented each time the Amiibo is written to.
| Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init.
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
|-
| 0x0
| 0x1
| Magic (Always 0xA5)
|-
| 0x1
| 0x2
| Incremented each time the Amiibo is written to.
|-
| 0x3
| 0x1
| Figure version (always 0x00)
|}
|-
|-
| 0x5
| 0x5
|-
|-
| 0x0
| 0x0
| 0xC
| 0x8
| Amiibo Identification Block
|-
| 0x8
| 0x4
| ?
| ?
|-
|-
| 0x20
| 0x20
| Probably a SHA256-(HMAC?) hash.
| Probably a SHA256-(HMAC?) hash.
|}
===Structure of Amiibo Identification Block===
{| class="wikitable" border="1"
|-
! Offset
! Size
! Description
! Notes
|-
| 0x0
| 0x2
| Game & Character ID
| First 10 bits are the Game ID and last 6 bits are Character ID.
|-
| 0x2
| 0x1
| Character variant
|
|-
| 0x3
| 0x1
| Amiibo Figure Type
|
|-
| 0x4
| 0x2
| Amiibo Model Number
|
|-
| 0x6
| 0x1
| Amiibo Series
|
|-
| 0x7
| 0x1
| Format Version
| Always 0x02
|}
|}
| 0x1
| 0x1
| 0x1
| 0x1
| Unknown. The low 4-bits here are copied to the struct used with [[NFC:GetAmiiboSettings]].
| Country Code ID, [[Config_Savegame|from]] the system which setup this amiibo. This is copied to the struct used with [[NFC:GetAmiiboSettings]].
|-
|-
| 0x2
| 0x2
| Yes
| Yes
| No
| No
| ?
| 0x0014F000
| N/A
| N/A
| The initial AppData handling doesn't appear to have any vuln(s), going by manual code-RE for update v2.0. Fuzzing wasn't attempted.
| The initial AppData handling doesn't appear to have any vuln(s), going by manual code-RE for update v2.0. Fuzzing wasn't attempted.
| Yes
| Yes
| No
| No
| ?
| 0x00152600
| The entire AppData is read by the game, but only the first 0x10-bytes are actually used.
| The entire AppData is read by the game, but only the first 0x10-bytes are actually used.
| No crash ever triggered via AppData fuzzing.
| No crash ever triggered via AppData fuzzing.
|-
| Mario & Luigi: Paper Jam
| Yes
| No
| 0x00132600
| Starts with the process-name("MILLION"). The rest seems to be bitmasks maybe?
| No crash ever triggered via AppData fuzzing, when viewing "character cards"(just unlocks various cards).
|-
| The Legend of Zelda: Twilight Princess HD
| No
| Yes
| 0x1019C800
| Unknown.
| No crash/hang ever occurred when using amiibo in-game for "Cave of Shadows".
With the amiibo quick-start option at the title-screen, only errors ever occurred(<quick-start data not found> / <quick-start data is for another user>).
|}
|}
= External links =
= External links =
* [http://wiiubrew.org/wiki/Wii_U_GamePad Wii U Gamepad and Amiibo information on WiiUBrew].
* [http://wiiubrew.org/wiki/Wii_U_GamePad Wii U Gamepad and Amiibo information on WiiUBrew].