48
edits
Changes
Jump to navigation
Jump to search
no edit summary
Line 1:
Line 1:
See also [http://wiiubrew.org/wiki/Wii_U_GamePad here].+Specifications can be found on this image, which is a compilation of screenshots made by scanning a Samus amiibo with the Android App "NFC TagInfo":+[[File:Amiibonfctaginfo.png|500px]]+
−See here regarding the Amiibo [[Process_Services_PXI|encryption]].
−
−The NFC tag for Amiibo is NTAG215.
−
−=== AUTH_PWD ===
−The NFC 32bit password for the PWD_AUTH command(for enabling write-access to the encrypted NFC pages / etc), appears to be generated from unknown data that doesn't change when the Amiibo data pages are being updated.
−
−=== NTAG215 commands ===
−==== Amiibo reading ====
−* GET_VERSION
−* READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1.
−* PWD_AUTH
−* FAST_READ: startpage=0x00, endpage=0x3B
−* FAST_READ: startpage=0x3C, endpage=0x77
−* FAST_READ: startpage=0x78, endpage=0x86
−Therefore, *all* pages from the Amiibo NFC tag are read, including the configuration pages at the end.
−==== Amiibo writing ====
−* Use the same commands under the above reading section, then use those first 3 commands again.
−* Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.
−* Multiple WRITE commands for writing to pages 0x20..0x81.
−* Use the last 3 commands from the above reading section.
−* WRITE: page=0x04, same data as before except first byte is 0xA5 this time.
−* FAST_READ: startpage=0x04, endpage=0x04
−=== NFC pages ===
−Each page is 4-bytes, there is a total of 0x87/135 pages. Minus the configuration pages at the end, the total is 0x82/130 pages. The following is the structure of the NFC pages:
+
+
+==== Encrypted data buffer structure ====+==== Structure of the plaintext data ====+==== Structure of Amiibo settings ====+
'''Amiibo''' are [[NFC_Services|NFC]] figures made by Nintendo, used in games in different forms (different in each game). It can be used with the New3DS and the Old3DS with an [[IR_Services|IR]] [[NFC_adapter|peripheral]].
'''Amiibo''' are [[NFC_Services|NFC]] figures made by Nintendo, used in games in different forms (different in each game). It can be used with the New3DS and the Old3DS with an [[IR_Services|IR]] [[NFC_adapter|peripheral]].
−== Technical specifications ==
+= Tag information =
−* Model: [http://www.nxp.com/products/identification_and_security/smart_label_and_tag_ics/ntag/series/NTAG213_215_216.html NTAG215]
+* Manufacturer: NXP Semiconductor
+* Page size: 4 bytes
+* Page count: 135 pages (540 bytes)
+* Data pages: 126 pages (504 bytes)
−= Page layout =
−Excluiding the configuration pages at the end, the structure of the NFC pages is as following:
−{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 41:
Line 17:
! Raw byte offset in EEPROM
! Raw byte offset in EEPROM
! Total byte size
! Total byte size
+! Writable
! Description
! Description
|-
|-
Line 47:
Line 24:
| 0x10
| 0x10
| 0x10
| 0x10
+| style="background: red" | No
| Same as standard NTAG215: 9-byte serial-number, "internal" u8 value, two lock bytes then the "Capability Container (CC)" page.
| Same as standard NTAG215: 9-byte serial-number, "internal" u8 value, two lock bytes then the "Capability Container (CC)" page.
|-
|-
Line 53:
Line 31:
| 0x10
| 0x10
| 0x4
| 0x4
+| style="background: green" | Yes
| Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init. The first byte is normally 0xA5. The remaining bytes are initially(before the Amiibo is written to) all-zero. Byte[2](maybe big-endian u16 starting at byte1?) here is incremented each time the Amiibo is written to.
| Last 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo [[Process_Services_PXI|crypto]] init. The first byte is normally 0xA5. The remaining bytes are initially(before the Amiibo is written to) all-zero. Byte[2](maybe big-endian u16 starting at byte1?) here is incremented each time the Amiibo is written to.
|-
|-
Line 59:
Line 38:
| 0x14
| 0x14
| 0x20
| 0x20
+| style="background: green" | Yes
| The system crypts 0x1A0-bytes with some data from here, see below.
| The system crypts 0x1A0-bytes with some data from here, see below.
|-
|-
Line 65:
Line 45:
| 0x34
| 0x34
| 0x20
| 0x20
+| style="background: red" | No
| SHA256-(HMAC?) hash. The first 0x18-bytes of this hash is section3 in the encrypted buffer.
| SHA256-(HMAC?) hash. The first 0x18-bytes of this hash is section3 in the encrypted buffer.
|-
|-
Line 71:
Line 52:
| 0x54
| 0x54
| 0x2C
| 0x2C
+| style="background: red" | No
| This is plaintext data, see below.
| This is plaintext data, see below.
|-
|-
Line 77:
Line 59:
| 0x80
| 0x80
| 0x20
| 0x20
−| SHA256-HMAC hash over 0x1DF-bytes: first 3-bytes are from the last 3-bytes of page[4], the rest is over the first 0x1DC-bytes of the plaintext data.
+| style="background: green" | Yes
+| SHA256-(HMAC?) hash over 0x1DF-bytes: first 3-bytes are from the last 3-bytes of page[4], the rest is over the first 0x1DC-bytes of the plaintext data.
|-
|-
| 0x28
| 0x28
Line 83:
Line 66:
| 0xA0
| 0xA0
| 0x114
| 0x114
+| style="background: green" | Yes
| This is section1 in the encrypted buffer.
| This is section1 in the encrypted buffer.
|-
|-
Line 89:
Line 73:
| 0x1B4
| 0x1B4
| 0x54
| 0x54
+| style="background: green" | Yes
| This is section2 in the encrypted buffer.
| This is section2 in the encrypted buffer.
|}
|}
−==== Structure of the data starting at page 0x15 ====
+Specifications can be found on this image, which is a compilation of screenshots made by scanning a Samus amiibo with the Android App "NFC TagInfo":
+[[File:Amiibonfctaginfo.png|500px]]
+See here regarding the Amiibo [[Process_Services_PXI|encryption]].
+= Data structures =
+== Structure of the data starting at page 0x15 ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 105:
Line 97:
| 0xC
| 0xC
| 0x20
| 0x20
−| Probably a SHA256-(HMAC?) hash.
+| Probably a SHA256-HMAC hash.
|}
|}
−== Encrypted data buffer structure ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 142:
Line 134:
|}
|}
−== Structure of the plaintext data ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 162:
Line 154:
|}
|}
−== Structure of Amiibo settings ==
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 238:
Line 230:
| Year, relative to 2000.
| Year, relative to 2000.
|}
|}
+
+= 3DS read/write procedure =
+Note this is the procedure used by the console, but isn't the only way of reading them.
+
+== Read procedure ==
+* GET_VERSION
+* READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1.
+* PWD_AUTH. Key is based on UID.
+* FAST_READ: startpage=0x00, endpage=0x3B
+* FAST_READ: startpage=0x3C, endpage=0x77
+* FAST_READ: startpage=0x78, endpage=0x86
+
+Therefore, *all* pages from the Amiibo NFC tag are read, including the configuration pages at the end.
+
+== Write procedure ==
+* GET_VERSION
+* READ, startpage=0x03. The read page data for page[0x3] must match little-endian 0xEEFF10F1.
+* PWD_AUTH. Key is based on UID.
+* Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.
+* Multiple WRITE commands for writing to pages 0x20..0x81.
+* Use the last 3 commands from the above reading section.
+* WRITE: page=0x04, same data as before except first byte is 0xA5 this time.
+* FAST_READ: startpage=0x04, endpage=0x04
+
+= External links =
+* [http://wiiubrew.org/wiki/Wii_U_GamePad Wii U Gamepad and Amiibo information on WiiUBrew].