Line 9:
Line 9:
= Page layout =
= Page layout =
−
Excluiding the configuration pages at the end, the structure of the NFC pages is as following:
+
Excluding the auth-related configuration pages at the end, the structure of the NFC pages is the following:
−
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
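Review bot: the reworded intro now says the auth-related configuration pages are excluded, but this same revision adds rows for page 0x83 (CFG0) and 0x84 (CFG1) to the table further down, so the exclusion should name exactly which pages are left out (the ones after 0x84) rather than "configuration pages" in general, which otherwise reads as contradicting those new rows.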
Line 21:
Line 20:
|-
|-
| 0x0
| 0x0
+
| 0x3
+
| 0x0
+
| 0xC
+
| style="background: red" | No
+
| Standard NTAG215: 9-byte serial-number, "internal" u8 value, then the two lock bytes which must match raw binary "0F E0".
+
|-
+
| 0x3
+
| 0x1
+
| 0xC
| 0x4
| 0x4
−
| 0x10
−
| 0x10
| style="background: red" | No
| style="background: red" | No
−
| Same as standard NTAG215: 9-byte serial-number, "internal" u8 value, two lock bytes then the "Capability Container (CC)" page.
+
| Standard NTAG215: "Capability Container (CC)". Must match raw binary "F1 10 FF EE".
|-
|-
| 0x4
| 0x4
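Review bot: the two "must match raw binary" checks in the new 0x0 and 0x3 rows do not say at which step of the read/write procedures they are enforced, and the only sentence that did (the page[0x3] check against little-endian 0xEEFF10F1 in the procedure lists) is removed further down in this revision; add a short note in the 0x3 row that this is the page-3 READ check performed before PWD_AUTH. The two byte orders agree (little-endian 0xEEFF10F1 is the byte sequence F1 10 FF EE), and saying so once saves readers re-deriving it.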
Line 32:
Line 38:
| 0x4
| 0x4
| style="background: green" | Yes
| style="background: green" | Yes
−
| Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init. The first byte is normally 0xA5. The remaining bytes are initially(before the Amiibo is written to) all-zero. Byte[2](maybe big-endian u16 starting at byte1?) here is incremented each time the Amiibo is written to.
+
| Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init.
+
{| class="wikitable" border="1"
+
|-
+
! Offset
+
! Size
+
! Description
+
|-
+
| 0x0
+
| 0x1
+
| Magic (Always 0xA5)
+
|-
+
| 0x1
+
| 0x2
+
| Incremented each time the Amiibo is written to.
+
|-
+
| 0x3
+
| 0x1
+
| Figure version (always 0x00)
+
|}
|-
|-
| 0x5
| 0x5
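Review bot: the new page-0x4 sub-table drops two details the removed text carried: the byte order of the u16 write counter at offset 0x1 (the old text hedged "maybe big-endian u16 starting at byte1?"), and that these bytes are all-zero before the Amiibo is first written. Since the outer row says this u16 is copied into the 0x40-byte crypto init buffer, the byte order matters; state it, or keep the open question explicitly ("byte order unconfirmed") rather than removing it silently.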
Line 75:
Line 99:
| style="background: green" | Yes
| style="background: green" | Yes
| This is section2 in the encrypted buffer.
| This is section2 in the encrypted buffer.
+
|-
+
| 0x82
+
| 0x1
+
| 0x208
+
| 0x4
+
| style="background: red" | No
+
| Standard NTAG215: first 3-bytes are dynamic lock bytes. Must match raw binary "01 00 0F".
+
|-
+
| 0x83
+
| 0x1
+
| 0x20C
+
| 0x4
+
| style="background: red" | No
+
| Standard NTAG215: CFG0. Must match raw binary "00 00 00 04".
+
|-
+
| 0x84
+
| 0x1
+
| 0x210
+
| 0x4
+
| style="background: red" | No
+
| Standard NTAG215: CFG1. Must match raw binary "5F 00 00 00".
|}
|}
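Review bot: the new 0x82 row describes only 3 of the page's 4 bytes ("first 3-bytes are dynamic lock bytes", constant 01 00 0F); say whether the fourth byte is checked, ignored or reserved. For the CFG0/CFG1 rows, consider decoding the constants into the NTAG215 fields they set instead of only quoting raw bytes: the 0x04 at the end of CFG0 is the AUTH0 byte (first page that requires password authentication) and the 0x5F at the start of CFG1 is the ACCESS byte, which is what connects these rows to the PWD_AUTH step in the read/write procedures.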
Line 92:
Line 137:
|-
|-
| 0x0
| 0x0
−
| 0xC
+
| 0x8
+
| Amiibo Identification Block
+
|-
+
| 0x8
+
| 0x4
| ?
| ?
|-
|-
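Review bot: the new "Amiibo Identification Block" cell has no link to the sub-table this revision adds below the main table; an anchor link ([[#Structure of Amiibo Identification Block|Amiibo Identification Block]]) lets readers of the row find the layout. The leftover 0x8 / 0x4 "?" row is fine, but say whether those 4 bytes are covered by the hash described in the following 0x20 row, since the old 0xC-byte row did not.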
Line 98:
Line 147:
| 0x20
| 0x20
| Probably a SHA256-(HMAC?) hash.
| Probably a SHA256-(HMAC?) hash.
+
|}
+
+
===Structure of Amiibo Identification Block===
+
{| class="wikitable" border="1"
+
|-
+
! Offset
+
! Size
+
! Description
+
! Notes
+
|-
+
| 0x0
+
| 0x2
+
| Game & Character ID
+
| First 10 bits are the Game ID and last 6 bits are Character ID.
+
|-
+
| 0x2
+
| 0x1
+
| Character variant
+
|
+
|-
+
| 0x3
+
| 0x1
+
| Amiibo Figure Type
+
|
+
|-
+
| 0x4
+
| 0x2
+
| Amiibo Model Number
+
|
+
|-
+
| 0x6
+
| 0x1
+
| Amiibo Series
+
|
+
|-
+
| 0x7
+
| 0x1
+
| Format Version
+
| Always 0x02
|}
|}
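Review bot: "First 10 bits are the Game ID and last 6 bits are Character ID" is ambiguous for a 2-byte field without a byte order and bit direction; state whether the u16 is big-endian (as the AppData row below says for the rest of the data) and whether "first" means most-significant. The same applies to the 2-byte model number at 0x4. Style: the heading is written ===Structure of Amiibo Identification Block=== with no inner spaces and at level 3 directly under the level-1 "Page layout" heading, while the rest of the page uses the "== Read procedure ==" form; match that.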
Line 147:
Line 235:
| 0xB0
| 0xB0
| 0xD8
| 0xD8
−
| AppData, for the user-application specified in the above Amiibo settings. The data stored here is application-specific.
+
| AppData, for the user-application specified in the above Amiibo settings. The data stored here is application-specific. The data stored here is normally all big-endian, even when the user-application is only for 3DS systems. Note that this data is initially uninitialized, and at least some of it will stay that way unless an application clears/initializes *all* of it.
|-
|-
| 0x188
| 0x188
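Review bot: "initially uninitialized" needs a concrete meaning here: whether it is the tag's factory contents, leftover data from a previous application that used the Amiibo under a different AppID, or simply whatever was on the tag. The practical point of the added sentence, that an application reading AppData without first clearing all of it can consume bytes it never wrote, is clearer if stated directly, together with whether the NFC module clears this region when the AppID in the Amiibo settings changes.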
Line 168:
Line 256:
| 0x1
| 0x1
| 0x1
| 0x1
−
| Unknown. The low 4-bits here are copied to the struct used with [[NFC:GetAmiiboSettings]].
+
| Country Code ID, [[Config_Savegame|from]] the system which setup this amiibo. This is copied to the struct used with [[NFC:GetAmiiboSettings]].
|-
|-
| 0x2
| 0x2
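Review bot: the old text said only the low 4 bits of this byte are copied to the NFC:GetAmiiboSettings struct; the new text says the whole byte is copied as the Country Code ID. If the country code lives in the low nibble and the high nibble is something else or unused, say so; if the earlier low-4-bits observation was wrong, say that rather than dropping it without comment.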
Line 236:
Line 324:
== Read procedure ==
== Read procedure ==
* GET_VERSION
* GET_VERSION
−
* READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1.
+
* READ, startpage=0x03.
* PWD_AUTH. Key is based on UID.
* PWD_AUTH. Key is based on UID.
* FAST_READ: startpage=0x00, endpage=0x3B
* FAST_READ: startpage=0x00, endpage=0x3B
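Review bot: removing "The read page data for page[0x3] must match little-endian 0xEEFF10F1" from the READ step leaves the procedure without the point at which the CC check happens, and the only remaining mention is the "must match raw binary F1 10 FF EE" cell in the layout table; keep a one-clause pointer such as "READ, startpage=0x03 (page 3 must match the CC constant in the page-layout table)" so the ordering (check before PWD_AUTH) stays documented.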
Line 246:
Line 334:
== Write procedure ==
== Write procedure ==
* GET_VERSION
* GET_VERSION
−
* READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1.
+
* READ, startpage=0x03.
* PWD_AUTH. Key is based on UID.
* PWD_AUTH. Key is based on UID.
* Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.
* Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.
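Review bot: the same comment applies to the write procedure's READ step. In addition, this hunk's context shows page[4] byte 0 written as zero during the multi-page writes and set to 0xA5 only by the final WRITE, so the page-0x4 sub-table's "Magic (Always 0xA5)" should read "0xA5 after a completed write"; as written, a tag whose write sequence was interrupted would appear to contradict the table.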
Line 253:
Line 341:
* WRITE: page=0x04, same data as before except first byte is 0xA5 this time.
* WRITE: page=0x04, same data as before except first byte is 0xA5 this time.
* FAST_READ: startpage=0x04, endpage=0x04
* FAST_READ: startpage=0x04, endpage=0x04
+
+
=Games using Amiibo AppData=
+
The following is a list of games which actually store game-specific data on Amiibo, not *just* using Amiibo for checking character IDs:
+
{| class="wikitable" border="1"
+
|-
+
! Name
+
! Available for (New)3DS
+
! Available for Wii U
+
! Amiibo AppID
+
! AppData structure / link to info
+
! AppData modification for exploitation notes.
+
|-
+
| Super Smash Bros
+
| Yes
+
| Yes
+
| 0x10110E00
+
| [https://github.com/yellows8/smash3ds-tools/wiki/SmashAmiiboAppData]
+
| No crash ever triggered via AppData fuzzing.
+
|-
+
| Mario Party 10
+
| No
+
| Yes
+
| ?
+
| N/A
+
| N/A
+
|-
+
| Animal Crossing: Happy Home Designer
+
| Yes
+
| No
+
| 0x0014F000
+
| N/A
+
| The initial AppData handling doesn't appear to have any vuln(s), going by manual code-RE for update v2.0. Fuzzing wasn't attempted.
+
|-
+
| Chibi-Robo!: Zip Lash
+
| Yes
+
| No
+
| 0x00152600
+
| The entire AppData is read by the game, but only the first 0x10-bytes are actually used.
+
| No crash ever triggered via AppData fuzzing.
+
|-
+
| Mario & Luigi: Paper Jam
+
| Yes
+
| No
+
| 0x00132600
+
| Starts with the process-name("MILLION"). The rest seems to be bitmasks maybe?
+
| No crash ever triggered via AppData fuzzing, when viewing "character cards"(just unlocks various cards).
+
|-
+
| The Legend of Zelda: Twilight Princess HD
+
| No
+
| Yes
+
| 0x1019C800
+
| Unknown.
+
| No crash/hang ever occurred when using amiibo in-game for "Cave of Shadows".
+
With the amiibo quick-start option at the title-screen, only errors ever occurred(<quick-start data not found> / <quick-start data is for another user>).
+
|}
= External links =
= External links =
* [http://wiiubrew.org/wiki/Wii_U_GamePad Wii U Gamepad and Amiibo information on WiiUBrew].
* [http://wiiubrew.org/wiki/Wii_U_GamePad Wii U Gamepad and Amiibo information on WiiUBrew].
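Review bot: the new heading is written =Games using Amiibo AppData= without the spaces the other level-1 headings use ("= Page layout =", "= External links ="); match that style. In the table, the last header ends with a period unlike the others, and the "AppData structure / link to info" column mixes "N/A", "Unknown." and free text; pick one value for "not known". The "No crash ever triggered via AppData fuzzing" cells would carry more weight with a note on what was covered (the whole 0xD8-byte region or only the bytes the game reads, as the Chibi-Robo row says only the first 0x10 bytes are used), since a negative result is only as strong as its coverage.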