Line 34: |
Line 34: |
| | | |
| === NFC pages === | | === NFC pages === |
− | Each page is 4-bytes, there is a total of 0x87/135 pages. The following is the structure of the NFC pages: | + | Each page is 4-bytes, there is a total of 0x87/135 pages. Minus the configuration pages at the end, the total is 0x82/130 pages. The following is the structure of the NFC pages: |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
| |- | | |- |
Line 43: |
Line 43: |
| ! Description | | ! Description |
| |- | | |- |
− | | 0 | + | | 0x0 |
− | | 4 | + | | 0x4 |
| | 0x10 | | | 0x10 |
| | 0x10 | | | 0x10 |
| | Same as standard NTAG215: 9-byte serial-number, "internal" u8 value, two lock bytes then the "Capability Container (CC)" page. | | | Same as standard NTAG215: 9-byte serial-number, "internal" u8 value, two lock bytes then the "Capability Container (CC)" page. |
| |- | | |- |
− | | 4 | + | | 0x4 |
− | | 1 | + | | 0x1 |
| | 0x10 | | | 0x10 |
| | 0x4 | | | 0x4 |
| | Last 3-bytes here are used with the following HMAC. The first byte is normally 0xA5. The remaining bytes are initially(before the Amiibo is written to) all-zero. Byte[2] here is increased each time the Amiibo is written to. | | | Last 3-bytes here are used with the following HMAC. The first byte is normally 0xA5. The remaining bytes are initially(before the Amiibo is written to) all-zero. Byte[2] here is increased each time the Amiibo is written to. |
| |- | | |- |
− | | 5 | + | | 0x5 |
− | | | + | | 0x8 |
| | 0x14 | | | 0x14 |
− | | | + | | 0x20 |
− | | The system crypts 0x1A0-bytes with a buffer containing data loaded from here. | + | | The system crypts 0x1A0-bytes with some data from here, see below. |
| + | |- |
| + | | 0xD |
| + | | 0x8 |
| + | | 0x34 |
| + | | 0x20 |
| + | | SHA256-HMAC. The first 0x18-bytes of this hash is section3 in the encrypted buffer. |
| + | |- |
| + | | 0x15 |
| + | | 0xB |
| + | | 0x54 |
| + | | 0x2C |
| + | | Unknown, this is plaintext data. |
| |- | | |- |
− | | 0x20/32 | + | | 0x20 |
− | | 8 | + | | 0x8 |
| | 0x80 | | | 0x80 |
| | 0x20 | | | 0x20 |
| | SHA256-HMAC over 0x1DF-bytes: first 3-bytes are from the last 3-bytes of page[4], the rest is over the first 0x1DC-bytes of the plaintext data. | | | SHA256-HMAC over 0x1DF-bytes: first 3-bytes are from the last 3-bytes of page[4], the rest is over the first 0x1DC-bytes of the plaintext data. |
| + | |- |
| + | | 0x28 |
| + | | 0x45 |
| + | | 0xA0 |
| + | | 0x114 |
| + | | This is section1 in the encrypted buffer. |
| + | |- |
| + | | 0x6D |
| + | | 0x15 |
| + | | 0x1B4 |
| + | | 0x54 |
| + | | This is section2 in the encrypted buffer. |
| |} | | |} |
| | | |
Line 72: |
Line 96: |
| |- | | |- |
| ! Encrypted buffer offset | | ! Encrypted buffer offset |
− | ! Byte offset in the actual NFC data, relative to page[5]
| |
| ! Raw byte offset in NFC EEPROM | | ! Raw byte offset in NFC EEPROM |
| ! NFC page | | ! NFC page |
Line 78: |
Line 101: |
| ! Notes | | ! Notes |
| |- | | |- |
− | | 0x0
| |
| | 0x0 | | | 0x0 |
| | 0x14 | | | 0x14 |
Line 86: |
Line 108: |
| |- | | |- |
| | 0x20 | | | 0x20 |
− | | 0x8C
| |
| | 0xA0 | | | 0xA0 |
| | 0x28 | | | 0x28 |
Line 93: |
Line 114: |
| |- | | |- |
| | 0x134 | | | 0x134 |
− | | 0x1A0
| |
| | 0x1B4 | | | 0x1B4 |
| | 0x6D | | | 0x6D |
Line 100: |
Line 120: |
| |- | | |- |
| | 0x188 | | | 0x188 |
− | | 0x20
| |
| | 0x34 | | | 0x34 |
| | 0xD | | | 0xD |