48
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + − See also [http://wiiubrew.org/wiki/Wii_U_GamePad here].+ + + + + − Specifications can be found on this image, which is a compilation of screenshots made by scanning a Samus amiibo with the Android App "NFC TagInfo":+ − [[File:Amiibonfctaginfo.png|500px]]+ − − See here regarding the Amiibo [[Process_Services_PXI|encryption]]. − − The NFC tag for Amiibo is NTAG215. − − === AUTH_PWD === − The NFC 32bit password for the PWD_AUTH command(for enabling write-access to the encrypted NFC pages / etc), appears to be generated from unknown data that doesn't change when the Amiibo data pages are being updated. − − === NTAG215 commands === − ==== Amiibo reading ==== − * GET_VERSION − * READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1. − * PWD_AUTH − * FAST_READ: startpage=0x00, endpage=0x3B − * FAST_READ: startpage=0x3C, endpage=0x77 − * FAST_READ: startpage=0x78, endpage=0x86 − Therefore, *all* pages from the Amiibo NFC tag are read, including the configuration pages at the end. − − ==== Amiibo writing ==== − * Use the same commands under the above reading section, then use those first 3 commands again. − * Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here. − * Multiple WRITE commands for writing to pages 0x20..0x81. − * Use the last 3 commands from the above reading section. − * WRITE: page=0x04, same data as before except first byte is 0xA5 this time. − * FAST_READ: startpage=0x04, endpage=0x04 − − === NFC pages === − Each page is 4-bytes, there is a total of 0x87/135 pages. Minus the configuration pages at the end, the total is 0x82/130 pages. The following is the structure of the NFC pages: Line 41:
Line 17: + Line 47:
Line 24: + Line 53:
Line 31: + Line 59:
Line 38: + Line 65:
Line 45: + Line 71:
Line 52: + Line 77:
Line 59: − + + Line 83:
Line 66: + Line 89:
Line 73: + − + + + + + + + + Line 105:
Line 97: − + − ==== Encrypted data buffer structure ====+ Line 142:
Line 134: − ==== Structure of the plaintext data ====+ Line 162:
Line 154: − ==== Structure of Amiibo settings ====+ Line 238:
Line 230: + + + + + + + + + + + + + + + + + + + + + + + + + +
no edit summary
'''Amiibo''' are [[NFC_Services|NFC]] figures made by Nintendo, used in games in different forms (different in each game). It can be used with the New3DS and the Old3DS with an [[IR_Services|IR]] [[NFC_adapter|peripheral]].
'''Amiibo''' are [[NFC_Services|NFC]] figures made by Nintendo, used in games in different forms (different in each game). It can be used with the New3DS and the Old3DS with an [[IR_Services|IR]] [[NFC_adapter|peripheral]].
== Technical specifications ==
= Tag information =
* Model: [http://www.nxp.com/products/identification_and_security/smart_label_and_tag_ics/ntag/series/NTAG213_215_216.html NTAG215]
* Manufacturer: NXP Semiconductor
* Page size: 4 bytes
* Page count: 135 pages (540 bytes)
* Data pages: 126 pages (504 bytes)
= Page layout =
Excluiding the configuration pages at the end, the structure of the NFC pages is as following:
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
! Raw byte offset in EEPROM
! Raw byte offset in EEPROM
! Total byte size
! Total byte size
! Writable
! Description
! Description
|-
|-
| 0x10
| 0x10
| 0x10
| 0x10
| style="background: red" | No
| Same as standard NTAG215: 9-byte serial-number, "internal" u8 value, two lock bytes then the "Capability Container (CC)" page.
| Same as standard NTAG215: 9-byte serial-number, "internal" u8 value, two lock bytes then the "Capability Container (CC)" page.
|-
|-
| 0x10
| 0x10
| 0x4
| 0x4
| style="background: green" | Yes
| Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init. The first byte is normally 0xA5. The remaining bytes are initially(before the Amiibo is written to) all-zero. Byte[2](maybe big-endian u16 starting at byte1?) here is incremented each time the Amiibo is written to.
| Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init. The first byte is normally 0xA5. The remaining bytes are initially(before the Amiibo is written to) all-zero. Byte[2](maybe big-endian u16 starting at byte1?) here is incremented each time the Amiibo is written to.
|-
|-
| 0x14
| 0x14
| 0x20
| 0x20
| style="background: green" | Yes
| The system crypts 0x1A0-bytes with some data from here, see below.
| The system crypts 0x1A0-bytes with some data from here, see below.
|-
|-
| 0x34
| 0x34
| 0x20
| 0x20
| style="background: red" | No
| SHA256-(HMAC?) hash. The first 0x18-bytes of this hash is section3 in the encrypted buffer.
| SHA256-(HMAC?) hash. The first 0x18-bytes of this hash is section3 in the encrypted buffer.
|-
|-
| 0x54
| 0x54
| 0x2C
| 0x2C
| style="background: red" | No
| This is plaintext data, see below.
| This is plaintext data, see below.
|-
|-
| 0x80
| 0x80
| 0x20
| 0x20
| SHA256-HMAC hash over 0x1DF-bytes: first 3-bytes are from the last 3-bytes of page[4], the rest is over the first 0x1DC-bytes of the plaintext data.
| style="background: green" | Yes
| SHA256-(HMAC?) hash over 0x1DF-bytes: first 3-bytes are from the last 3-bytes of page[4], the rest is over the first 0x1DC-bytes of the plaintext data.
|-
|-
| 0x28
| 0x28
| 0xA0
| 0xA0
| 0x114
| 0x114
| style="background: green" | Yes
| This is section1 in the encrypted buffer.
| This is section1 in the encrypted buffer.
|-
|-
| 0x1B4
| 0x1B4
| 0x54
| 0x54
| style="background: green" | Yes
| This is section2 in the encrypted buffer.
| This is section2 in the encrypted buffer.
|}
|}
==== Structure of the data starting at page 0x15 ====
Specifications can be found on this image, which is a compilation of screenshots made by scanning a Samus amiibo with the Android App "NFC TagInfo":
[[File:Amiibonfctaginfo.png|500px]]
See here regarding the Amiibo [[Process_Services_PXI|encryption]].
= Data structures =
== Structure of the data starting at page 0x15 ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
| 0xC
| 0xC
| 0x20
| 0x20
| Probably a SHA256-(HMAC?) hash.
| Probably a SHA256-HMAC hash.
|}
|}
== Encrypted data buffer structure ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
|}
|}
== Structure of the plaintext data ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
|}
|}
== Structure of Amiibo settings ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
| Year, relative to 2000.
| Year, relative to 2000.
|}
|}
= 3DS read/write procedure =
Note this is the procedure used by the console, but isn't the only way of reading them.
== Read procedure ==
* GET_VERSION
* READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1.
* PWD_AUTH. Key is based on UID.
* FAST_READ: startpage=0x00, endpage=0x3B
* FAST_READ: startpage=0x3C, endpage=0x77
* FAST_READ: startpage=0x78, endpage=0x86
Therefore, *all* pages from the Amiibo NFC tag are read, including the configuration pages at the end.
== Write procedure ==
* GET_VERSION
* READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1.
* PWD_AUTH. Key is based on UID.
* Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.
* Multiple WRITE commands for writing to pages 0x20..0x81.
* Use the last 3 commands from the above reading section.
* WRITE: page=0x04, same data as before except first byte is 0xA5 this time.
* FAST_READ: startpage=0x04, endpage=0x04
= External links =
* [http://wiiubrew.org/wiki/Wii_U_GamePad Wii U Gamepad and Amiibo information on WiiUBrew].