Amiibo Simulation Notes

This article was originally written in both Chinese and English. Normally I'd only use Chinese on this blog, but since I'm seeing a lack of proper documentation on both Chinese and English forums and communities, I decided to document my process in both languages. There's a rough description of how to simulate Amiibo in a previous post, but during recent tests I found that the method I used before has certain problems, and I have found better solutions. So I'm writing this as a summary of my previous efforts.

Previous attempts

Amiimicyou

At REcon 2018, James Chambers presented his research on Amiibo simulation. The project was later open sourced here. His original goal was fuzzing, or an injection attack, with tailored Amiibo, but to do that he first needed a way to make the console accept a modified Amiibo, so he built an Amiibo simulation tool. The project is a modified version of the original Proxmark3 firmware. The main changes are a script that decrypts Amiibo dump files, and firmware support that lets the PM3 correctly simulate an NTAG215 while responding to both read and write commands. Responding to read commands alone would be enough for simulation, but an Amiibo needs its owner set to the player before it can be used, and that requires write operations.

How to use it

Pull the source code from the repository above. If you've previously compiled the RRG firmware on the system, you should already have all the dependencies installed. Just run make in the newly cloned folder…

And you'll get a bunch of errors. From my personal experience they could be:

  • "You must build your code with position independent code if Qt was built with -reduce-relocations." You may see this when compiling on new versions of Kali Linux, because Kali ships a custom precompiled Qt with -reduce-relocations enabled. Fixing it properly means changing all the paths or reinstalling Qt, so the easiest solution is DON'T COMPILE IT ON KALI. It's not meant for development anyway.
  • -Werror error, bitwise comparison always false. This is caused by a bug in the code. In C, comparing a bit-masked value to 1 only works if the mask itself is 1; otherwise the comparison is always false. For example, in the following code:
    (tag.pages[1][2] & 0x80) == 1
    the comparison is always false, because the mask is 0x80 and the masked value can only be 0 or 0x80. The proper way of doing this is:
    (tag.pages[1][2] & 0x80) != 0
    The intent is the same, but when comparing with 0 the mask can be any value. Think of this as an error induced by the C language. Technically this is just a warning, but the makefile has the -Werror flag enabled, so warnings are treated as errors. You CAN remove -Werror from ./common/Makefile.common, but this won't fix the actual problem, so I recommend fixing the code.
  • Another -Werror error, arithmetic on Boolean values. This comes from a wrong type definition, most likely a typo, in ./armsrc/hfsnoop.c. Just change the type to int and you're good to go. And yes, you can modify the makefile instead. This and the previous problem are fixed in my fork of this repo. Since the upstream repo hasn't been maintained for quite some time, I didn't make a PR; pull my fork directly if you want the fixes.
  • Multiple definition. This is most likely a library version issue. Follow the corresponding error message and try rolling back to a previous version of the library; you can upgrade again after compiling. The build compiles all of its dependencies into dynamic libraries, so once compiled it no longer depends on the system's libraries.

After solving all those problems, flash the firmware onto the PM3 (this is really a downgrade), and run in the client:

script run amiibo load <path/to/amiibo.bin>

Sit back, and enjoy new errors:

  • can't open libluamiibo.so. The precompiled library is built for x86, so this most likely happens when the running architecture is not x86 (for example a Raspberry Pi or an M1 Mac), or when the system uses some unusual library management, and the precompiled libluamiibo.so can't be linked or opened. When this happens you need to pull the lua-lib branch from here and run ./build.sh. This will most likely fail with type errors or incomplete types, because the code is based on libopenssl1.0-dev, which has been superseded by libopenssl-dev, the 1.1 version. The 1.0 package has been dropped by most distributions in recent years and conflicts with 1.1, so you need to manually uninstall OpenSSL 1.1 and then download and install the 1.0 package by hand. After compiling, copy libluamiibo.so into ./client/ and you should be good.

Differences on 3DS and Switch

This project works nicely on 3DS, but unfortunately not on Switch. If you try it, most likely the Switch won't react to the PM3, and you'll get something like this on your terminal:

Unknown command 93 21 30

At first I assumed that the Switch was using some special method to read Amiibo, like signal overlapping or special modulation, because this command is not described in the NTAG215 manual. Later I noticed that the bytes in this message keep changing, which looks very much like a timing error. It's supposed to be the anti-collision command; some bug or incompatibility in the receive timing causes it to be misinterpreted. So it's safe to say that this project can't be used on PM3 RDV4 with the latest Switch hardware and Switch firmware.

Meanwhile, in the presentation and the GitHub repository James specifically mentions that the Switch checks the signature of the NTAG215. But during actual tests I noticed things to be different.

NOTE: For Switch system version 5.0.0 or above you need to provide the correct ECC signature for the tag. To do this add the 32 byte signature to the end of the tag dump file. The total file size should be 572 (540 bytes tag dump, 32 bytes signature).

NTAG215 RFID tags are made by NXP, and the manual can be found here. An NTAG215 contains a 32-byte signature generated from its serial number and an NXP private key; with the corresponding public key one can verify it against the serial. The private key is only used when manufacturing the tags, so it was never stored on any device accessible to the public and can't be extracted from anywhere, which makes the signature practically impossible to forge. And since (theoretically) an Amiibo corresponds strictly to its serial, there's no way to randomly generate the signature or substitute another one. Interestingly, the blank NTAG215 tags purchased online do not contain signatures, and the old format of Amiibo dumps that's all over the internet doesn't contain the signature either. Despite this, many people have successfully created Amiibo tags from them, which gave me reasonable doubt that the Switch actually checks the signature. After some tests (see the Appendix) I verified this conclusion. The communication log there was recorded while using a DIY Amiibo on a Switch: the Switch reads the signature, but even when the signature is all zeros it still accepts the Amiibo.

ICEMAN firmware

Iceman, along with other developers, has created quite a powerful firmware for PM3; the latest and still maintained version is the one released by RRG. A (relatively) recent update added dedicated support for Mifare Ultra Light tags. In previous versions MFU tags could only use the standard ISO14443A commands, which don't include the commands specific to NTAG215, and that made simulation very difficult. Now the support is quite complete and simulation has become much easier. Simply run

hf mfu info

and you'll see extensive information on the tag.

There's something to be noted here. When it comes to Amiibo there are multiple different keys and passwords, so for clarity I'd like to define them. NTAG215, like many other RFID tags, supports password authentication, using a 4-byte password stored in Block 133. This password is used in the process of reading and writing tags, and the reader must present it before the tag responds to read commands with valid data. Here we call it the read password, or simply the password. The actual data inside the NTAG215 is encrypted too; it contains Amiibo data like name, owner, game data, etc. It can only be read and modified with an encryption key owned by Nintendo. In short, this key was dumped from a game console and consists of two parts, unfixed infos and locked secret, which combine into key retail. I can't provide this here due to copyright issues, but remember Google is always your friend on this. Including the NXP public/private keys, there are in total 3 sets of passwords and keys.

Since Amiibo uses a fixed, known method to generate its read password, PM3 can try this password when it sees an NTAG215 to check whether it's an Amiibo. The keygen method is:

/* uid[0..6] is the 7-byte UID without the BCC bytes (0-based indices) */
password[0] = uid[1] ^ uid[3] ^ 0xAA;
password[1] = uid[2] ^ uid[4] ^ 0x55;
password[2] = uid[3] ^ uid[5] ^ 0xAA;
password[3] = uid[4] ^ uid[6] ^ 0x55;

Then one can use

hf mfu dump -k <password>

to dump the data. With the help of a script named data_bin2eml one can convert the binary dump into an .eml file that PM3 can use in simulation, and you're good to go ^_^ This process doesn't involve decrypting or modifying the data of an Amiibo, so there's no need for key-retail. However, if you do this with a dump found online instead of a dump made with the latest firmware, you'll get something like "invalid Amiibo" from your console. Hence, here's my method of doing this.

My approach

Analysis of the communication process

There are many programs and tools that can write an Amiibo data dump into a blank NTAG215. Since I'm using an iPhone, I chose Ally, a paid but quite useful app. It supports importing dumps in bin format and writing them to blank tags. I sniffed the transmission between the iPhone and a tag with PM3, and got this:

(Please see the appendix for the full transcript)

We can see the entire write process consists of these parts:

  • Card selection and verification. This part is the standard 14443A process. Ally first asks whether a tag is present, then uses anti-collision to obtain the UID of the card. After that the Version section is read, which describes the type of the tag and the protocols it supports. The Version section is the same in all Amiibos. Ally runs through this process twice.
  • Signature read. Since this is a blank tag, the signature is also blank. It's unclear why Ally reads the signature; it has no effect on tag writing.
  • Write Block 4~129. This is the data section of the Amiibo and has little to do with the tag configuration. I'll leave the elaboration to the next part.
  • Write Block 134 and 133. Block 134 contains PACK, aka password acknowledge, the value the tag sends back in response to a correct password. Amiibos use 0x8080. Block 133 contains the password, generated with the algorithm mentioned above.
  • Write Block 3. Block 3 contains the CC, aka Capability Container, which controls which data in the tag is usable.
  • Write Block 131, 132, 130. Blocks 131 and 132 control authentication. This step configures the UID Mirror function (as in not enabled), enables the password, and sets the maximum number of attempts and the R/W protection. From now on all R/W operations against the data blocks require the password. A note on the maximum attempts: the counter only tracks attempts within one power-up, meaning that once the EM field is down, the counter is reset. This is the basis of brute-force based attacks, however we don't need that anymore on Amiibos.
  • Write Block 2. Block 2 contains the lock bits; after configuration the corresponding blocks become read-only. This is also known as the "tag sealing" operation.
  • Select the card again and verify Block 2.

This information not only provides a reference for future development of a script to batch write tags with PM3, but also proves that:

  • Ally re-encrypted the Amiibo data after reading the UID, which it read twice. The data written into the tag differs bitwise from the data provided to Ally. Amiibo data contains HMAC signatures, and the UID of the tag takes part in their computation. The console verifies these signatures when reading, so to make the tag work the software has to decrypt the Amiibo data, update the signatures to match the UID, and re-encrypt. This is explained further below.
  • Nintendo is not involved in the ECC signature. The ECC signature can't be changed after a tag is manufactured, so there's technically no way for them to be. The blank tags we get online are most likely not genuine NXP tags, and thus don't contain any signature. Ally didn't try to modify it either (there's no command to do so), and carried on after reading a blank signature, which shows that the ECC signature is not verified.
  • Even blank NTAG tags don't have a modifiable UID. Unlike the CUID and FUID tags we're more familiar with, MFU tags currently have no UID-changeable variants, possibly because not enough attention has been paid to this type of tag. So when actually writing a tag, the Amiibo data has to be decrypted, which makes key-retail necessary.

Then put the DIY Amiibo on a Switch and read it; we can sniff the process:

(Please see the appendix for the full transcript)

We can see that the Switch reads an Amiibo tag in the following steps:

  • Tag selection and verification. Like Ally, the Switch requests the UID, then reads the Version section and the ECC signature. Also like Ally, the blank signature passed the verification.
  • Read Block 3. When reading an NTAG215, Block 3 needs to be read first to determine which part is user data and which is unmodified default values or configuration bytes. It's possible that Block 3 is also used to verify that the tag is a genuine Amiibo.
  • Password authentication. The Switch generates the password from the UID to read the data in the tag.
  • Bulk read of Block 0~134. The Switch reads the entire memory of the card, which seems unnecessary for just getting the data. The speculated reasons are, for one, that the Switch needs the UID for HMAC verification; for another, that the Switch may verify the lock bits in Block 2 to make sure the corresponding blocks have been set read-only. This is possibly why the Switch does not accept a DIY Amiibo whose Block 2 is not configured.

Now that the read and write processes are analyzed, and since we know PM3 can dump an existing Amiibo and simulate it successfully, the next step is to analyze the eml files.

eml file analysis

Since PM3 can successfully simulate an Amiibo and be accepted by the Switch, we can confirm that the current RRG firmware is capable of dealing with the commands and timing of NTAG215. However, the eml file generated by the script from a downloaded dump doesn't work, so the logical step is to compare the eml files from the two cases for differences.

(Please see the appendix for the full file contents)

The most obvious difference is that the file dumped from an existing Amiibo is larger than the downloaded one; its data section is 596 bytes in total. The downloaded binary files are mostly 540 or 532 bytes. That 8-byte difference comes from the last 2 Blocks, which contain the password and PACK. Since the password can be generated and PACK is always the same, some older dumps and tools don't include them. If we load the two eml files into PM3 and read them back, we can see that the downloaded one doesn't set the Version section and related fields correctly. By comparison we can see that the eml file PM3 currently accepts can carry a 56-byte header, including the Version section and the ECC signature. Testing shows that, apart from the signature, this header is the same for every Amiibo, so the conversion can generate the header and also the final 8 bytes of password and PACK. Thus, I wrote a simple program myself to convert the dump correctly. See the appendix for the full C++ program.

Amiibo data analysis

Now that we can successfully simulate NTAG215, the last part is to analyze the data in the Amiibo. Around 2015, an expert named Marcos Del Sol Vives reverse engineered the 3DS firmware and recovered the encryption and decryption process of Amiibo. He then released amiitool, a project to encrypt, decrypt and copy the data in an Amiibo. From his analysis, there are two sets of keys in the console:

  • Data key, used for encrypting and decrypting the actual data, like nickname, game data, etc. It includes:
    • 14 Bytes type string, literally "unfixed infos".
    • 14 Bytes magic bytes, which are pseudo random.
    • 32 Bytes xor-pad, generated with AES128.
    • 16 Bytes HMAC key.
  • Tag key, only used in signatures. It includes:
    • 14 Bytes type string, literally "locked secret".
    • 16 Bytes magic bytes, which are pseudo random.
    • 32 Bytes xor-pad, generated with AES128.
    • 16 Bytes HMAC key.

These two sets of keys are not used directly for encryption and decryption, but go through a DRBG to generate the real keys. First, seeds are constructed like this:

  • Data seed
    • 14 Bytes type string.
    • 16 Bytes magic bytes, constructed by placing the 2 Bytes of the counter before the 14 Bytes of magic bytes. The counter is read from the Amiibo.
    • 16 Bytes UID, which is the 8 Bytes of UID repeated twice. This UID contains BCC1.
    • 32 Bytes XOR result of the xor-pad and the Amiibo Salt.
  • Tag seed
    • 14 Bytes type string.
    • 16 Bytes magic bytes.
    • 16 Bytes UID, which is the 8 Bytes of UID repeated twice. This UID contains BCC1.
    • 32 Bytes XOR result of the xor-pad and the Amiibo Salt.

Then each seed is prefixed with 2 bytes and processed with HMAC-SHA256, using its own HMAC key, to get the actual keys. The result looks like this:

| HMAC-SHA256 input | Length | HMAC-SHA256 output | Usage |
|---|---|---|---|
| 0x0000 + "Data seed" | 16 Bytes | AES Key | Use with AES-128-CTR to encrypt/decrypt Amiibo data |
| | 16 Bytes | AES IV | |
| 0x0001 + "Data seed" | 16 Bytes | HMAC Key | For HMAC-256 signing |
| | 16 Bytes | - | - |
| 0x0000 + "Tag seed" | 16 Bytes | AES Key | Not used |
| | 16 Bytes | AES IV | |
| 0x0001 + "Tag seed" | 16 Bytes | HMAC Key | For HMAC-256 signing |
| | 16 Bytes | - | - |

The actual data content differs depending on the game each Amiibo belongs to; one could probably find the pattern through repeated testing.

Randomize UID

There are restrictions in some games, like The Legend of Zelda: Breath of the Wild, which restricts the same Amiibo to only be used once per day. For a real NTAG215 the UID can't be changed, so games and consoles use the UID to determine whether the same Amiibo is being used. But since we're simulating the Amiibo with PM3, it's relatively easy to modify the UID. From the analysis above we know that the UID takes part in the tag's encryption and signing, so modifying the UID requires the key-retail key and the help of amiitool.

First we need to understand the UID structure of NTAG215. Going through the NTAG215 manual, we can see that it complies with the 14443-3 standard, like this:

  • Byte 0 is 0x04, the manufacturer code.
  • Bytes 1~2 are a random part of the UID.
  • Byte 3 is BCC0, generated as CT XOR SN0 XOR SN1 XOR SN2, where CT, aka Cascade Tag, is 0x88.
  • Bytes 4~7 are a random part of the UID.
  • Byte 8 is BCC1, generated as SN3 XOR SN4 XOR SN5 XOR SN6.

This is how we can generate a random UID. We only need to decrypt an Amiibo dump with amiitool, replace the UID, and re-encrypt it. To simplify the process I modified the source code of amiitool, adding the randomize function and improving its compatibility with PM3. Because amiitool operates on binary files, I did not add the header generation described above, to keep maximum compatibility. You can find the modified version here.
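The UID layout above and the password formula from the ICEMAN firmware section can be checked together against a raw dump. The C program below is an added example, not code from the original post, Proxmark3 or amiitool; the dump_report struct, the function names and the sample dump are assumptions made here, with the sample constructed from the UID printed by hf mfu info in the appendix, the password it suggests, and the PACK value 0x8080 named earlier.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DUMP_NO_PWD   532u  /* pages 0..132, PWD/PACK pages left out */
#define DUMP_WITH_PWD 540u  /* pages 0..134 */
#define CASCADE_TAG   0x88u /* CT used when computing BCC0 */

typedef struct {
    uint8_t uid[7];       /* SN0..SN6 with the BCC bytes stripped */
    uint8_t pwd[4];       /* read password derived from the UID */
    int bcc0_ok, bcc1_ok; /* 1 if the stored check byte matches */
    int has_pwd_pages;    /* 1 if pages 133/134 are in the dump */
    int pwd_ok, pack_ok;  /* 1/0, or -1 when pages 133/134 are absent */
} dump_report;

/* Derive the 4-byte read password from the 7-byte UID (0-based indices). */
static void amiibo_pwd(const uint8_t uid[7], uint8_t pwd[4])
{
    pwd[0] = uid[1] ^ uid[3] ^ 0xAA;
    pwd[1] = uid[2] ^ uid[4] ^ 0x55;
    pwd[2] = uid[3] ^ uid[5] ^ 0xAA;
    pwd[3] = uid[4] ^ uid[6] ^ 0x55;
}

/* Check a raw dump. Returns 0, or -1 if the length is not a known size. */
static int inspect_dump(const uint8_t *d, size_t len, dump_report *r)
{
    if (len != DUMP_NO_PWD && len != DUMP_WITH_PWD)
        return -1;
    memset(r, 0, sizeof *r);

    /* Memory bytes 0-2 = SN0..SN2, 3 = BCC0, 4-7 = SN3..SN6, 8 = BCC1. */
    memcpy(r->uid, d, 3);
    memcpy(r->uid + 3, d + 4, 4);
    r->bcc0_ok = d[3] == (uint8_t)(CASCADE_TAG ^ d[0] ^ d[1] ^ d[2]);
    r->bcc1_ok = d[8] == (uint8_t)(d[4] ^ d[5] ^ d[6] ^ d[7]);
    amiibo_pwd(r->uid, r->pwd);

    r->has_pwd_pages = (len == DUMP_WITH_PWD);
    r->pwd_ok = r->pack_ok = -1;
    if (r->has_pwd_pages) {
        const uint8_t *pwd_page = d + 133 * 4;
        const uint8_t *pack_page = d + 134 * 4;
        r->pwd_ok = memcmp(pwd_page, r->pwd, 4) == 0;
        r->pack_ok = pack_page[0] == 0x80 && pack_page[1] == 0x80;
    }
    return 0;
}

/* Constructed sample: only the UID pages and pages 133/134 are filled in. */
static void make_sample(uint8_t *buf)
{
    static const uint8_t head[12] = {
        0x04, 0xE2, 0x0B, 0x65,   /* page 0: SN0..SN2, BCC0 */
        0x66, 0x10, 0x02, 0x89,   /* page 1: SN3..SN6 */
        0xFD, 0x48, 0x0F, 0xE0    /* page 2: BCC1, internal, lock bytes */
    };
    static const uint8_t tail[8] = {
        0x2E, 0x4E, 0xCE, 0xCC,   /* page 133: PWD */
        0x80, 0x80, 0x00, 0x00    /* page 134: PACK */
    };
    memset(buf, 0, DUMP_WITH_PWD);
    memcpy(buf, head, sizeof head);
    memcpy(buf + 133 * 4, tail, sizeof tail);
}

int main(void)
{
    uint8_t buf[DUMP_WITH_PWD];
    dump_report r;

    make_sample(buf);
    if (inspect_dump(buf, sizeof buf, &r) != 0) {
        puts("unexpected dump size");
        return 1;
    }
    printf("BCC0 %s, BCC1 %s, derived PWD %02x%02x%02x%02x\n",
           r.bcc0_ok ? "ok" : "bad", r.bcc1_ok ? "ok" : "bad",
           r.pwd[0], r.pwd[1], r.pwd[2], r.pwd[3]);
    printf("stored PWD %s, PACK %s\n",
           r.pwd_ok == 1 ? "matches" : "differs or absent",
           r.pack_ok == 1 ? "is 0x8080" : "differs or absent");
    return 0;
}
```

A 532-byte dump passes the size check but reports pwd_ok and pack_ok as -1, which is the case where pages 133 and 134 were left out of the file.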

Conclusion

After a load of analysis one could be confused, so I'd like to sum things up a little here. Dumping and simulating an Amiibo you own is easy, basically the same as with any other tag, so let's focus only on downloaded dumps. Before we start, make sure you have:

  • Proxmark3 RDV4. You could probably use another model, but I never tested any of them.
  • Amiibo dumps. Obviously.
  • Linux, or a Linux environment that has access to serial ports, like Msys or a virtual machine. RFID Tools on Android uses an obsolete version of the client and can't be used.
  • Compiled RRG firmware and client, with the firmware flashed onto the PM3. See the official guide for this.

Then compile the converter in the appendix and run it like this:

convert <path/to/amiibo>.bin <path/to/output>.eml

to convert a single file. If you want to batch convert, the easiest way is to write a bash script yourself; none is provided here. The eml file can then be loaded by PM3 to simulate the NTAG215. If you need to randomize the UID, pull the modified amiitool from the above address and compile it. Run:

amiitool -r -k retail.bin -i "original.bin" -o "save.bin"

to generate a binary file that has the same data but a different UID.

Appendix

Amiibo structure

Fields within a page are listed in order of byte offset (0 to 3); "-" marks an unused position.

| Page | Contents | Description |
|---|---|---|
| 0-1 | UID | |
| 2 | BCC1, Internal, Lock Bytes | |
| 3 | Capability Container | |
| 4-12 | Tag Settings | Write Counter, Init Date, Tag Nickname? |
| 13-20 | Tag HMAC Hash | UID + Amiibo Model Info + Keygen Salt |
| 21-23 | Amiibo Model Info | Amiibo series, game series, character, variation |
| 24-31 | Keygen Salt | Hardcoded from factory |
| 32-39 | Data HMAC Hash | Tag Settings + Decrypted Amiibo Data + Tag HMAC Hash + UID + Keygen Salt |
| 40-129 | Encrypted Amiibo Data | Character customizations, level-ups, etc |
| 130 | Dynamic Lock Bytes, - | |
| 131 | MIRROR, -, MIRROR_PAGE, AUTH0 | |
| 132 | ACCESS, - | |
| 133 | PWD | |
| 134 | PACK, - | |

Tag Info

This is the result of reading a working DIY Amiibo tag. The tag was written by Ally and contains the Amiibo data of 8 bit Link.

[usb] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: NTAG 215 504bytes (NT2H1511G0DU) ( magic Gen 1b )
[+]        UID: 04 E2 0B 66 10 02 89 
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 65 (ok)
[+]       BCC1: FD (ok)
[+]   Internal: 48 (default)
[+]       Lock: 0F E0  - 0000111111100000
[+] OneTimePad: F1 10 FF EE  - 11110001000100001111111111101110

[=] --- Tag Counter
[=]        [02]: 00 00 00 
[+]             - 00 tearing ( fail )

[=] --- Tag Signature
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 0000000000000000000000000000000000000000000000000000000000000000
[+]        Signature verification ( fail )

[=] --- Tag Version
[=]        Raw bytes: 00 04 04 02 01 00 11 03 
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: 04, NTAG
[=]  Product subtype: 02, 50pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 11, (512 <-> 256 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

[=] --- Tag Configuration
[=]   cfg0 [131/0x83]: 00 00 00 04 
[=]                     - strong modulation mode disabled
[=]                     - page 4 and above need authentication
[=]   cfg1 [132/0x84]: 5F 00 00 00 
[=]                     - Max number of password attempts is 7
[=]                     - NFC counter enabled
[=]                     - NFC counter password protection enabled
[=]                     - user configuration permanently locked
[=]                     - write access is protected with password
[=]                     - 00, Virtual Card Type Identifier is not default
[=]   PWD  [133/0x85]: 00 00 00 00 - (cannot be read)
[=]   PACK [134/0x86]: 00 00       - (cannot be read)
[=]   RFU  [134/0x86]:       00 00 - (cannot be read)
[?] Hint: try `hf mfu pwdgen -r` to get see known pwd gen algo suggestions
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[+] Found Amiibo
[?] Use `hf mfu dump -k 2e4ececc`
[=] ------------------------------------------------------------

Write Sniff

This is the communication log sniffed by PM3 while Ally was writing a tag.

[usb] pm3 --> hf 14a list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 4676 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26(7)                                                                    |     | REQA
       2244 |       4612 | Tag |44  00                                                                   |     | 
      11776 |      16544 | Rdr |50  00  57  cd                                                           |  ok | HALT
      39072 |      40064 | Rdr |52(7)                                                                    |     | WUPA
      41316 |      43684 | Tag |44  00                                                                   |     | 
      50848 |      53312 | Rdr |93  20                                                                   |     | ANTICOLL
      54500 |      60324 | Tag |88  04  e2  0b  65                                                       |     | 
      67504 |      77968 | Rdr |93  70  88  04  e2  0b  65  1f  17                                       |  ok | SELECT_UID
      79220 |      82740 | Tag |04  da  17                                                               |     | 
      89904 |      92368 | Rdr |95  20                                                                   |     | ANTICOLL-2
      93556 |      99444 | Tag |66  10  02  89  fd                                                       |     | 
     106560 |     117088 | Rdr |95  70  66  10  02  89  fd  dd  1a                                       |  ok | SELECT_UID-2
     118276 |     121860 | Tag |00  fe  51                                                               |     | 
     264976 |     268592 | Rdr |60  f8  32                                                               |  ok | EV1 VERSION
     269780 |     281428 | Tag |00  04  04  02  01  00  11  03  01  9e                                   |  ok | 
     328544 |     333312 | Rdr |50  00  57  cd                                                           |  ok | HALT
     473920 |     474912 | Rdr |52(7)                                                                    |     | WUPA
     476164 |     478532 | Tag |44  00                                                                   |     | 
     485696 |     496160 | Rdr |93  70  88  04  e2  0b  65  1f  17                                       |  ok | SELECT_UID
     497412 |     500932 | Tag |04  da  17                                                               |     | 
     508112 |     518640 | Rdr |95  70  66  10  02  89  fd  dd  1a                                       |  ok | SELECT_UID-2
     519828 |     523412 | Tag |00  fe  51                                                               |     | 
     617488 |     621104 | Rdr |55  d6  54                                                               |  ok | 
    5804160 |    5805216 | Rdr |26(7)                                                                    |     | REQA
    5806404 |    5808772 | Tag |44  00                                                                   |     | 
    5815936 |    5820704 | Rdr |50  00  57  cd                                                           |  ok | HALT
    5843232 |    5844224 | Rdr |52(7)                                                                    |     | WUPA
    5845476 |    5847844 | Tag |44  00                                                                   |     | 
    5855008 |    5857472 | Rdr |93  20                                                                   |     | ANTICOLL
    5858660 |    5864484 | Tag |88  04  e2  0b  65                                                       |     | 
    5871664 |    5882128 | Rdr |93  70  88  04  e2  0b  65  1f  17                                       |  ok | SELECT_UID
    5883380 |    5886900 | Tag |04  da  17                                                               |     | 
    5894064 |    5896528 | Rdr |95  20                                                                   |     | ANTICOLL-2
    5897716 |    5903604 | Tag |66  10  02  89  fd                                                       |     | 
    5910720 |    5921248 | Rdr |95  70  66  10  02  89  fd  dd  1a                                       |  ok | SELECT_UID-2
    5922436 |    5926020 | Tag |00  fe  51                                                               |     | 
    5981008 |    5984624 | Rdr |60  f8  32                                                               |  ok | EV1 VERSION
    5985812 |    5997460 | Tag |00  04  04  02  01  00  11  03  01  9e                                   |  ok | 
    6045760 |    6050528 | Rdr |50  00  57  cd                                                           |  ok | HALT
    6140912 |    6141904 | Rdr |52(7)                                                                    |     | WUPA
    6143156 |    6145524 | Tag |44  00                                                                   |     | 
    6152704 |    6163168 | Rdr |93  70  88  04  e2  0b  65  1f  17                                       |  ok | SELECT_UID
    6164420 |    6167940 | Tag |04  da  17                                                               |     | 
    6175104 |    6185632 | Rdr |95  70  66  10  02  89  fd  dd  1a                                       |  ok | SELECT_UID-2
    6186820 |    6190404 | Tag |00  fe  51                                                               |     | 
    6249920 |    6253536 | Rdr |60  f8  32                                                               |  ok | EV1 VERSION
    6254724 |    6266372 | Tag |00  04  04  02  01  00  11  03  01  9e                                   |  ok | 
    6331984 |    6336752 | Rdr |3c  00  a2  01                                                           |  ok | READ SIG
    6337940 |    6377236 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  20  da           |  ok | 
    6437840 |    6443760 | Rdr |3a  00  03  5b  62                                                       |  ok | READ RANGE (0-3)
    6444948 |    6465812 | Tag |04  e2  0b  65  66  10  02  89  fd  48  00  00  e1  10  3e  00  e6  f4   |  ok | 
    6536464 |    6540080 | Rdr |60  f8  32                                                               |  ok | EV1 VERSION
    6541268 |    6552916 | Tag |00  04  04  02  01  00  11  03  01  9e                                   |  ok | 
    6615104 |    6619872 | Rdr |3c  00  a2  01                                                           |  ok | READ SIG
    6621060 |    6660356 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  20  da           |  ok | 
    6732768 |    6742080 | Rdr |a2  04  a5  00  0a  00  2d  a3                                           |  ok | WRITEBLOCK(4)
    6795172 |    6795748 | Tag |0a(3)                                                                    |     | 
    6860400 |    6869712 | Rdr |a2  05  a8  e1  08  b7  1f  82                                           |  ok | WRITEBLOCK(5)
    6922804 |    6923380 | Tag |0a(3)                                                                    |     | 
    6988320 |    6997632 | Rdr |a2  06  c8  da  08  49  ce  b7                                           |  ok | WRITEBLOCK(6)
    7050724 |    7051300 | Tag |0a(3)                                                                    |     | 
    7114224 |    7123600 | Rdr |a2  07  02  97  96  f9  32  94                                           |  ok | WRITEBLOCK(7)
    7176628 |    7177204 | Tag |0a(3)                                                                    |     | 
    7242944 |    7252320 | Rdr |a2  08  92  e2  82  7e  22  ab                                           |  ok | WRITEBLOCK(8)
    7305364 |    7305940 | Tag |0a(3)                                                                    |     | 
    7367920 |    7377296 | Rdr |a2  09  4c  0f  a9  c0  ec  9b                                           |  ok | WRITEBLOCK(9)
    7430324 |    7430900 | Tag |0a(3)                                                                    |     | 
    7496768 |    7506080 | Rdr |a2  0a  76  7d  03  01  16  a6                                           |  ok | WRITEBLOCK(10)
    7559172 |    7559748 | Tag |0a(3)                                                                    |     | 
    7624528 |    7633904 | Rdr |a2  0b  79  ab  94  11  a9  02                                           |  ok | WRITEBLOCK(11)
    7686932 |    7687508 | Tag |0a(3)                                                                    |     | 
    7751408 |    7760784 | Rdr |a2  0c  7d  b5  54  70  32  6d                                           |  ok | WRITEBLOCK(12)
    7813812 |    7814388 | Tag |0a(3)                                                                    |     | 
    7881360 |    7890736 | Rdr |a2  0d  c2  74  80  ab  50  b5                                           |  ok | WRITEBLOCK(13)
    7943780 |    7944356 | Tag |0a(3)                                                                    |     | 
    8008096 |    8017472 | Rdr |a2  0e  b8  7c  c7  d3  14  1c                                           |  ok | WRITEBLOCK(14)
    8070516 |    8071092 | Tag |0a(3)                                                                    |     | 
    8140112 |    8149488 | Rdr |a2  0f  bb  b1  7d  51  7c  a7                                           |  ok | WRITEBLOCK(15)
    8202516 |    8203092 | Tag |0a(3)                                                                    |     | 
    8265104 |    8274416 | Rdr |a2  10  e5  6d  b4  44  a6  72                                           |  ok | WRITEBLOCK(16)
    8327508 |    8328084 | Tag |0a(3)                                                                    |     | 
    8392752 |    8402064 | Rdr |a2  11  12  f7  78  04  e5  82                                           |  ok | WRITEBLOCK(17)
    8455172 |    8455748 | Tag |0a(3)                                                                    |     | 
    8518800 |    8528176 | Rdr |a2  12  20  81  b1  3b  6a  68                                           |  ok | WRITEBLOCK(18)
    8581204 |    8581780 | Tag |0a(3)                                                                    |     | 
    8643744 |    8653056 | Rdr |a2  13  18  85  98  55  36  d7                                           |  ok | WRITEBLOCK(19)
    8706148 |    8706724 | Tag |0a(3)                                                                    |     | 
    8770336 |    8779712 | Rdr |a2  14  f5  aa  5a  38  ea  d0                                           |  ok | WRITEBLOCK(20)
    8832756 |    8833332 | Tag |0a(3)                                                                    |     | 
    8894608 |    8903984 | Rdr |a2  15  01  00  00  00  88  31                                           |  ok | WRITEBLOCK(21)
    8957028 |    8957604 | Tag |0a(3)                                                                    |     | 
    9021856 |    9031232 | Rdr |a2  16  03  4f  09  02  89  ad                                           |  ok | WRITEBLOCK(22)
    9084276 |    9084852 | Tag |0a(3)                                                                    |     | 
    9146832 |    9156208 | Rdr |a2  17  0d  12  96  13  8e  ef                                           |  ok | WRITEBLOCK(23)
    9209236 |    9209812 | Tag |0a(3)                                                                    |     | 
    9273600 |    9282912 | Rdr |a2  18  2b  f0  39  c6  b5  50                                           |  ok | WRITEBLOCK(24)
    9336004 |    9336580 | Tag |0a(3)                                                                    |     | 
    9395616 |    9404928 | Rdr |a2  19  7d  f3  95  1d  18  44                                           |  ok | WRITEBLOCK(25)
    9458036 |    9458612 | Tag |0a(3)                                                                    |     | 
    9524304 |    9533680 | Rdr |a2  1a  db  ce  a6  81  8d  0b                                           |  ok | WRITEBLOCK(26)
    9586708 |    9587284 | Tag |0a(3)                                                                    |     | 
    9648112 |    9657424 | Rdr |a2  1b  ab  7b  6a  a8  ba  36                                           |  ok | WRITEBLOCK(27)
    9710516 |    9711092 | Tag |0a(3)                                                                    |     | 
    9773776 |    9783088 | Rdr |a2  1c  5f  2f  ea  0e  d3  af                                           |  ok | WRITEBLOCK(28)
    9836180 |    9836756 | Tag |0a(3)                                                                    |     | 
    9899824 |    9909200 | Rdr |a2  1d  d0  f1  24  89  19  04                                           |  ok | WRITEBLOCK(29)
    9962244 |    9962820 | Tag |0a(3)                                                                    |     | 
   10026480 |   10035792 | Rdr |a2  1e  d4  d2  d8  ad  e8  35                                           |  ok | WRITEBLOCK(30)
   10088884 |   10089460 | Tag |0a(3)                                                                    |     | 
   10154288 |   10163664 | Rdr |a2  1f  0a  53  93  16  30  97                                           |  ok | WRITEBLOCK(31)
   10216708 |   10217284 | Tag |0a(3)                                                                    |     | 
   10277616 |   10286928 | Rdr |a2  20  71  98  a8  99  84  be                                           |  ok | WRITEBLOCK(32)
   10340020 |   10340596 | Tag |0a(3)                                                                    |     | 
   10406176 |   10415488 | Rdr |a2  21  b5  f2  e0  84  00  c9                                           |  ok | WRITEBLOCK(33) (?)
   10468580 |   10469156 | Tag |0a(3)                                                                    |     | 
   10527920 |   10537232 | Rdr |a2  22  b6  31  f8  20  80  ac                                           |  ok | WRITEBLOCK(34) (?)
   10590324 |   10590900 | Tag |0a(3)                                                                    |     | 
   10655872 |   10665184 | Rdr |a2  23  6f  f9  e1  b9  46  21                                           |  ok | WRITEBLOCK(35) (?)
   10718276 |   10718852 | Tag |0a(3)                                                                    |     | 
   10782624 |   10791936 | Rdr |a2  24  b1  0b  01  91  ff  3a                                           |  ok | WRITEBLOCK(36) (?)
   10845028 |   10845604 | Tag |0a(3)                                                                    |     | 
   10909904 |   10919216 | Rdr |a2  25  77  37  aa  2c  cc  47                                           |  ok | WRITEBLOCK(37) (?)
   10972308 |   10972884 | Tag |0a(3)                                                                    |     | 
   11036464 |   11045776 | Rdr |a2  26  1a  52  88  db  28  e7                                           |  ok | WRITEBLOCK(38) (?)
   11098884 |   11099460 | Tag |0a(3)                                                                    |     | 
   11161168 |   11170480 | Rdr |a2  27  f1  eb  dc  22  76  50                                           |  ok | WRITEBLOCK(39) (?)
   11223572 |   11224148 | Tag |0a(3)                                                                    |     | 
   11281760 |   11291072 | Rdr |a2  28  58  9c  64  62  a3  db                                           |  ok | WRITEBLOCK(40) (?)
   11344164 |   11344740 | Tag |0a(3)                                                                    |     | 
   11403952 |   11413328 | Rdr |a2  29  71  07  16  6c  02  2c                                           |  ok | WRITEBLOCK(41) (?)
   11466372 |   11466948 | Tag |0a(3)                                                                    |     | 
   11532128 |   11541440 | Rdr |a2  2a  98  46  9e  f6  52  59                                           |  ok | WRITEBLOCK(42) (?)
   11594532 |   11595108 | Tag |0a(3)                                                                    |     | 
   11656736 |   11666048 | Rdr |a2  2b  1a  16  92  ce  86  d1                                           |  ok | WRITEBLOCK(43) (?)
   11719140 |   11719716 | Tag |0a(3)                                                                    |     | 
   11784928 |   11794240 | Rdr |a2  2c  1e  d8  7e  65  d7  d2                                           |  ok | WRITEBLOCK(44) (?)
   11847332 |   11847908 | Tag |0a(3)                                                                    |     | 
   11913984 |   11923360 | Rdr |a2  2d  65  a5  3d  15  ed  23                                           |  ok | WRITEBLOCK(45) (?)
   11976388 |   11976964 | Tag |0a(3)                                                                    |     | 
   12039344 |   12048720 | Rdr |a2  2e  73  ec  ac  18  12  f7                                           |  ok | WRITEBLOCK(46) (?)
   12101764 |   12102340 | Tag |0a(3)                                                                    |     | 
   12165600 |   12174976 | Rdr |a2  2f  0a  f2  77  e5  07  5d                                           |  ok | WRITEBLOCK(47) (?)
   12228004 |   12228580 | Tag |0a(3)                                                                    |     | 
   12292080 |   12301456 | Rdr |a2  30  db  68  60  49  84  2a                                           |  ok | WRITEBLOCK(48) (?)
   12354484 |   12355060 | Tag |0a(3)                                                                    |     | 
   12422256 |   12431568 | Rdr |a2  31  f1  5c  8c  da  d9  71                                           |  ok | WRITEBLOCK(49) (?)
   12484660 |   12485236 | Tag |0a(3)                                                                    |     | 
   12546560 |   12555872 | Rdr |a2  32  8e  df  ac  37  f9  78                                           |  ok | WRITEBLOCK(50) (?)
   12608980 |   12609556 | Tag |0a(3)                                                                    |     | 
   12674448 |   12683824 | Rdr |a2  33  0f  51  a0  e5  a0  02                                           |  ok | WRITEBLOCK(51) (?)
   12736852 |   12737428 | Tag |0a(3)                                                                    |     | 
   12799248 |   12808624 | Rdr |a2  34  2e  a4  75  35  13  e3                                           |  ok | WRITEBLOCK(52) (?)
   12861652 |   12862228 | Tag |0a(3)                                                                    |     | 
   12927824 |   12937136 | Rdr |a2  35  d8  d1  06  4b  d6  2d                                           |  ok | WRITEBLOCK(53) (?)
   12990228 |   12990804 | Tag |0a(3)                                                                    |     | 
   13058816 |   13068192 | Rdr |a2  36  3a  70  45  1b  66  d6                                           |  ok | WRITEBLOCK(54) (?)
   13121236 |   13121812 | Tag |0a(3)                                                                    |     | 
   13186400 |   13195712 | Rdr |a2  37  42  d1  65  02  c7  99                                           |  ok | WRITEBLOCK(55) (?)
   13248820 |   13249396 | Tag |0a(3)                                                                    |     | 
   13316112 |   13325488 | Rdr |a2  38  18  0c  07  3a  dd  61                                           |  ok | WRITEBLOCK(56) (?)
   13378516 |   13379092 | Tag |0a(3)                                                                    |     | 
   13440080 |   13449456 | Rdr |a2  39  1f  58  c7  b8  8a  b0                                           |  ok | WRITEBLOCK(57) (?)
   13502484 |   13503060 | Tag |0a(3)                                                                    |     | 
   13569264 |   13578640 | Rdr |a2  3a  a6  5a  63  65  f6  45                                           |  ok | WRITEBLOCK(58) (?)
   13631684 |   13632260 | Tag |0a(3)                                                                    |     | 
   13694128 |   13703504 | Rdr |a2  3b  d8  c7  4a  c9  fe  57                                           |  ok | WRITEBLOCK(59) (?)
   13756548 |   13757124 | Tag |0a(3)                                                                    |     | 
   13823376 |   13832688 | Rdr |a2  3c  e5  56  98  39  fe  e8                                           |  ok | WRITEBLOCK(60) (?)
   13885780 |   13886356 | Tag |0a(3)                                                                    |     | 
   13952080 |   13961392 | Rdr |a2  3d  79  3a  11  11  31  cc                                           |  ok | WRITEBLOCK(61) (?)
   14014484 |   14015060 | Tag |0a(3)                                                                    |     | 
   14079088 |   14088400 | Rdr |a2  3e  05  15  a2  81  ff  d1                                           |  ok | WRITEBLOCK(62) (?)
   14141508 |   14142084 | Tag |0a(3)                                                                    |     | 
   14203312 |   14212624 | Rdr |a2  3f  d2  05  c6  25  6c  11                                           |  ok | WRITEBLOCK(63) (?)
   14265732 |   14266308 | Tag |0a(3)                                                                    |     | 
   14328576 |   14337888 | Rdr |a2  40  71  85  32  e1  3f  7e                                           |  ok | WRITEBLOCK(64) (?)
   14390996 |   14391572 | Tag |0a(3)                                                                    |     | 
   14457600 |   14466912 | Rdr |a2  41  55  0a  48  01  55  24                                           |  ok | WRITEBLOCK(65) (?)
   14520020 |   14520596 | Tag |0a(3)                                                                    |     | 
   14580880 |   14590192 | Rdr |a2  42  0e  a6  e5  cc  80  84                                           |  ok | WRITEBLOCK(66) (?)
   14643300 |   14643876 | Tag |0a(3)                                                                    |     | 
   14710336 |   14719648 | Rdr |a2  43  8f  7d  80  33  2d  0c                                           |  ok | WRITEBLOCK(67) (?)
   14772756 |   14773332 | Tag |0a(3)                                                                    |     | 
   14834832 |   14844208 | Rdr |a2  44  8d  9c  77  4d  03  fd                                           |  ok | WRITEBLOCK(68) (?)
   14897236 |   14897812 | Tag |0a(3)                                                                    |     | 
   14962960 |   14972336 | Rdr |a2  45  7f  1e  ce  ad  36  0b                                           |  ok | WRITEBLOCK(69) (?)
   15025380 |   15025956 | Tag |0a(3)                                                                    |     | 
   15090704 |   15100016 | Rdr |a2  46  16  85  d3  e0  aa  6a                                           |  ok | WRITEBLOCK(70) (?)
   15153108 |   15153684 | Tag |0a(3)                                                                    |     | 
   15218400 |   15227776 | Rdr |a2  47  43  c0  c1  b5  6d  46                                           |  ok | WRITEBLOCK(71) (?)
   15280820 |   15281396 | Tag |0a(3)                                                                    |     | 
   15346544 |   15355856 | Rdr |a2  48  d3  21  40  85  b4  35                                           |  ok | WRITEBLOCK(72) (?)
   15408948 |   15409524 | Tag |0a(3)                                                                    |     | 
   15472320 |   15481696 | Rdr |a2  49  76  cf  7c  77  bf  20                                           |  ok | WRITEBLOCK(73) (?)
   15534724 |   15535300 | Tag |0a(3)                                                                    |     | 
   15600064 |   15609376 | Rdr |a2  4a  de  bf  cc  30  9b  f6                                           |  ok | WRITEBLOCK(74) (?)
   15662484 |   15663060 | Tag |0a(3)                                                                    |     | 
   15725152 |   15734528 | Rdr |a2  4b  0e  64  82  b6  46  9e                                           |  ok | WRITEBLOCK(75) (?)
   15787572 |   15788148 | Tag |0a(3)                                                                    |     | 
   15853696 |   15863072 | Rdr |a2  4c  d7  7d  b0  99  ed  ea                                           |  ok | WRITEBLOCK(76) (?)
   15916100 |   15916676 | Tag |0a(3)                                                                    |     | 
   15977792 |   15987168 | Rdr |a2  4d  6b  ac  23  6d  4c  40                                           |  ok | WRITEBLOCK(77) (?)
   16040196 |   16040772 | Tag |0a(3)                                                                    |     | 
   16105328 |   16114640 | Rdr |a2  4e  1a  5a  bb  19  ad  a3                                           |  ok | WRITEBLOCK(78) (?)
   16167732 |   16168308 | Tag |0a(3)                                                                    |     | 
   16233696 |   16243008 | Rdr |a2  4f  a8  95  25  13  49  9c                                           |  ok | WRITEBLOCK(79) (?)
   16296116 |   16296692 | Tag |0a(3)                                                                    |     | 
   16359728 |   16369040 | Rdr |a2  50  fc  82  45  03  4b  99                                           |  ok | WRITEBLOCK(80) (?)
   16422148 |   16422724 | Tag |0a(3)                                                                    |     | 
   16490208 |   16499584 | Rdr |a2  51  bd  48  ca  66  4c  da                                           |  ok | WRITEBLOCK(81) (?)
   16552612 |   16553188 | Tag |0a(3)                                                                    |     | 
   16613872 |   16623248 | Rdr |a2  52  a1  ff  62  ea  09  ba                                           |  ok | WRITEBLOCK(82) (?)
   16676276 |   16676852 | Tag |0a(3)                                                                    |     | 
   16741856 |   16751168 | Rdr |a2  53  7f  6e  c8  6a  55  e2                                           |  ok | WRITEBLOCK(83) (?)
   16804260 |   16804836 | Tag |0a(3)                                                                    |     | 
   16866736 |   16876112 | Rdr |a2  54  cc  06  93  47  ef  98                                           |  ok | WRITEBLOCK(84) (?)
   16929140 |   16929716 | Tag |0a(3)                                                                    |     | 
   16995616 |   17004992 | Rdr |a2  55  96  57  06  7c  99  ab                                           |  ok | WRITEBLOCK(85) (?)
   17058036 |   17058612 | Tag |0a(3)                                                                    |     | 
   17125280 |   17134592 | Rdr |a2  56  28  ee  fb  63  d1  4b                                           |  ok | WRITEBLOCK(86) (?)
   17187684 |   17188260 | Tag |0a(3)                                                                    |     | 
   17252864 |   17262176 | Rdr |a2  57  c0  dd  b7  06  60  a3                                           |  ok | WRITEBLOCK(87) (?)
   17315268 |   17315844 | Tag |0a(3)                                                                    |     | 
   17381936 |   17391248 | Rdr |a2  58  7d  9b  f1  61  2f  f6                                           |  ok | WRITEBLOCK(88) (?)
   17444340 |   17444916 | Tag |0a(3)                                                                    |     | 
   17506592 |   17515904 | Rdr |a2  59  d4  aa  58  1c  c2  aa                                           |  ok | WRITEBLOCK(89) (?)
   17568996 |   17569572 | Tag |0a(3)                                                                    |     | 
   17636000 |   17645312 | Rdr |a2  5a  0f  c2  48  3e  6d  db                                           |  ok | WRITEBLOCK(90) (?)
   17698420 |   17698996 | Tag |0a(3)                                                                    |     | 
   17760880 |   17770256 | Rdr |a2  5b  3d  c7  b6  86  cb  43                                           |  ok | WRITEBLOCK(91) (?)
   17823284 |   17823860 | Tag |0a(3)                                                                    |     | 
   17888016 |   17897328 | Rdr |a2  5c  cf  4e  fd  2a  10  60                                           |  ok | WRITEBLOCK(92) (?)
   17950420 |   17950996 | Tag |0a(3)                                                                    |     | 
   18011168 |   18020544 | Rdr |a2  5d  f7  f6  ab  64  a3  a2                                           |  ok | WRITEBLOCK(93) (?)
   18073588 |   18074164 | Tag |0a(3)                                                                    |     | 
   18139360 |   18148672 | Rdr |a2  5e  ba  f9  cc  6b  3a  b8                                           |  ok | WRITEBLOCK(94) (?)
   18201780 |   18202356 | Tag |0a(3)                                                                    |     | 
   18266016 |   18275328 | Rdr |a2  5f  56  44  58  57  2f  60                                           |  ok | WRITEBLOCK(95) (?)
   18328436 |   18329012 | Tag |0a(3)                                                                    |     | 
   18392320 |   18401632 | Rdr |a2  60  1d  56  75  0b  2f  33                                           |  ok | WRITEBLOCK(96) (?)
   18454724 |   18455300 | Tag |0a(3)                                                                    |     | 
   18521872 |   18531184 | Rdr |a2  61  50  8b  e8  a3  44  55                                           |  ok | WRITEBLOCK(97) (?)
   18584276 |   18584852 | Tag |0a(3)                                                                    |     | 
   18647328 |   18656640 | Rdr |a2  62  32  a0  b7  34  8e  72                                           |  ok | WRITEBLOCK(98) (?)
   18709748 |   18710324 | Tag |0a(3)                                                                    |     | 
   18775936 |   18785312 | Rdr |a2  63  eb  4b  59  9d  94  13                                           |  ok | WRITEBLOCK(99) (?)
   18838356 |   18838932 | Tag |0a(3)                                                                    |     | 
   18899472 |   18908784 | Rdr |a2  64  1d  5a  2c  e5  03  b1                                           |  ok | WRITEBLOCK(100) (?)
   18961892 |   18962468 | Tag |0a(3)                                                                    |     | 
   19028496 |   19037872 | Rdr |a2  65  a9  f2  f5  8b  79  62                                           |  ok | WRITEBLOCK(101) (?)
   19090916 |   19091492 | Tag |0a(3)                                                                    |     | 
   19158112 |   19167424 | Rdr |a2  66  55  d2  00  a5  5d  56                                           |  ok | WRITEBLOCK(102) (?)
   19220516 |   19221092 | Tag |0a(3)                                                                    |     | 
   19283840 |   19293216 | Rdr |a2  67  54  f6  e1  7e  e7  b9                                           |  ok | WRITEBLOCK(103) (?)
   19346244 |   19346820 | Tag |0a(3)                                                                    |     | 
   19410528 |   19419904 | Rdr |a2  68  5b  37  f1  a6  f0  fe                                           |  ok | WRITEBLOCK(104) (?)
   19472932 |   19473508 | Tag |0a(3)                                                                    |     | 
   19536960 |   19546272 | Rdr |a2  69  11  d4  82  53  e6  a3                                           |  ok | WRITEBLOCK(105) (?)
   19599364 |   19599940 | Tag |0a(3)                                                                    |     | 
   19666352 |   19675728 | Rdr |a2  6a  3b  cd  e6  24  51  f1                                           |  ok | WRITEBLOCK(106) (?)
   19728756 |   19729332 | Tag |0a(3)                                                                    |     | 
   19790896 |   19800208 | Rdr |a2  6b  0d  1a  53  c0  8b  1b                                           |  ok | WRITEBLOCK(107) (?)
   19853300 |   19853876 | Tag |0a(3)                                                                    |     | 
   19920128 |   19929504 | Rdr |a2  6c  8f  ec  93  a8  46  40                                           |  ok | WRITEBLOCK(108) (?)
   19982532 |   19983108 | Tag |0a(3)                                                                    |     | 
   20043968 |   20053280 | Rdr |a2  6d  be  65  5c  de  6a  d4                                           |  ok | WRITEBLOCK(109) (?)
   20106372 |   20106948 | Tag |0a(3)                                                                    |     | 
   20172528 |   20181904 | Rdr |a2  6e  3a  84  52  08  f2  ec                                           |  ok | WRITEBLOCK(110) (?)
   20234948 |   20235524 | Tag |0a(3)                                                                    |     | 
   20296784 |   20306160 | Rdr |a2  6f  b0  cd  73  db  e3  52                                           |  ok | WRITEBLOCK(111) (?)
   20359188 |   20359764 | Tag |0a(3)                                                                    |     | 
   20422624 |   20431936 | Rdr |a2  70  bd  91  7b  20  0c  a6                                           |  ok | WRITEBLOCK(112) (?)
   20485028 |   20485604 | Tag |0a(3)                                                                    |     | 
   20551920 |   20561296 | Rdr |a2  71  4f  61  e4  25  19  a2                                           |  ok | WRITEBLOCK(113) (?)
   20614324 |   20614900 | Tag |0a(3)                                                                    |     | 
   20677520 |   20686832 | Rdr |a2  72  b8  e6  d3  b1  31  36                                           |  ok | WRITEBLOCK(114) (?)
   20739924 |   20740500 | Tag |0a(3)                                                                    |     | 
   20807440 |   20816816 | Rdr |a2  73  20  d6  6a  1d  dc  32                                           |  ok | WRITEBLOCK(115) (?)
   20869844 |   20870420 | Tag |0a(3)                                                                    |     | 
   20931072 |   20940448 | Rdr |a2  74  a8  de  c8  d5  7f  da                                           |  ok | WRITEBLOCK(116) (?)
   20993476 |   20994052 | Tag |0a(3)                                                                    |     | 
   21057600 |   21066912 | Rdr |a2  75  4a  fa  84  65  d0  66                                           |  ok | WRITEBLOCK(117) (?)
   21120004 |   21120580 | Tag |0a(3)                                                                    |     | 
   21184992 |   21194304 | Rdr |a2  76  c1  e4  69  69  64  90                                           |  ok | WRITEBLOCK(118) (?)
   21247396 |   21247972 | Tag |0a(3)                                                                    |     | 
   21313744 |   21323056 | Rdr |a2  77  7b  05  ae  be  ff  50                                           |  ok | WRITEBLOCK(119) (?)
   21376148 |   21376724 | Tag |0a(3)                                                                    |     | 
   21440144 |   21449520 | Rdr |a2  78  ad  47  f1  03  7e  04                                           |  ok | WRITEBLOCK(120) (?)
   21502548 |   21503124 | Tag |0a(3)                                                                    |     | 
   21565648 |   21574960 | Rdr |a2  79  ea  f5  e7  ca  da  eb                                           |  ok | WRITEBLOCK(121) (?)
   21628052 |   21628628 | Tag |0a(3)                                                                    |     | 
   21694240 |   21703616 | Rdr |a2  7a  ff  ed  37  c8  9e  64                                           |  ok | WRITEBLOCK(122) (?)
   21756644 |   21757220 | Tag |0a(3)                                                                    |     | 
   21818368 |   21827744 | Rdr |a2  7b  d6  25  e1  4d  fc  0d                                           |  ok | WRITEBLOCK(123) (?)
   21880788 |   21881364 | Tag |0a(3)                                                                    |     | 
   21946512 |   21955888 | Rdr |a2  7c  d5  a3  6e  54  9c  40                                           |  ok | WRITEBLOCK(124) (?)
   22008916 |   22009492 | Tag |0a(3)                                                                    |     | 
   22073136 |   22082448 | Rdr |a2  7d  57  66  72  2c  19  af                                           |  ok | WRITEBLOCK(125) (?)
   22135540 |   22136116 | Tag |0a(3)                                                                    |     | 
   22201984 |   22211360 | Rdr |a2  7e  6d  10  4c  cc  34  bf                                           |  ok | WRITEBLOCK(126) (?)
   22264404 |   22264980 | Tag |0a(3)                                                                    |     | 
   22329728 |   22339104 | Rdr |a2  7f  a1  1f  c0  31  5c  5b                                           |  ok | WRITEBLOCK(127) (?)
   22392132 |   22392708 | Tag |0a(3)                                                                    |     | 
   22456352 |   22465664 | Rdr |a2  80  da  7a  5e  3a  38  35                                           |  ok | WRITEBLOCK(128) (?)
   22518756 |   22519332 | Tag |0a(3)                                                                    |     | 
   22586224 |   22595600 | Rdr |a2  81  5c  da  e4  1e  67  f7                                           |  ok | WRITEBLOCK(129) (?)
   22648628 |   22649204 | Tag |0a(3)                                                                    |     | 
   22711312 |   22720688 | Rdr |a2  86  80  80  00  00  68  2f                                           |  ok | WRITEBLOCK(134) (?)
   22773716 |   22774292 | Tag |0a(3)                                                                    |     | 
   22840480 |   22849792 | Rdr |a2  85  2e  4e  ce  cc  80  78                                           |  ok | WRITEBLOCK(133) (?)
   22902884 |   22903460 | Tag |0a(3)                                                                    |     | 
   22964432 |   22973744 | Rdr |a2  03  f1  10  ff  ee  5e  bd                                           |  ok | WRITEBLOCK(3)
   23026836 |   23027412 | Tag |0a(3)                                                                    |     | 
   23093488 |   23102864 | Rdr |a2  83  00  00  00  04  9a  6e                                           |  ok | WRITEBLOCK(131) (?)
   23155892 |   23156468 | Tag |0a(3)                                                                    |     | 
   23222160 |   23231536 | Rdr |a2  84  5f  00  00  00  8d  7f                                           |  ok | WRITEBLOCK(132) (?)
   23284564 |   23285140 | Tag |0a(3)                                                                    |     | 
   23348512 |   23357824 | Rdr |a2  82  01  00  0f  bd  e7  d2                                           |  ok | WRITEBLOCK(130) (?)
   23410916 |   23411492 | Tag |0a(3)                                                                    |     | 
   23475344 |   23484720 | Rdr |a2  02  fd  48  0f  e0  79  f1                                           |  ok | WRITEBLOCK(2)
   23537748 |   23538324 | Tag |0a(3)                                                                    |     | 
   23605248 |   23610016 | Rdr |50  00  57  cd                                                           |  ok | HALT
   63458960 |   63460016 | Rdr |26(7)                                                                    |     | REQA
   63461204 |   63463572 | Tag |44  00                                                                   |     | 
   63470736 |   63475504 | Rdr |50  00  57  cd                                                           |  ok | HALT
   63498032 |   63499024 | Rdr |52(7)                                                                    |     | WUPA
   63500276 |   63502644 | Tag |44  00                                                                   |     | 
   63509808 |   63512272 | Rdr |93  20                                                                   |     | ANTICOLL
   63513476 |   63519300 | Tag |88  04  e2  0b  65                                                       |     | 
   63526464 |   63536928 | Rdr |93  70  88  04  e2  0b  65  1f  17                                       |  ok | SELECT_UID
   63538180 |   63541700 | Tag |04  da  17                                                               |     | 
   63548864 |   63551328 | Rdr |95  20                                                                   |     | ANTICOLL-2
   63552532 |   63558420 | Tag |66  10  02  89  fd                                                       |     | 
   63565520 |   63576048 | Rdr |95  70  66  10  02  89  fd  dd  1a                                       |  ok | SELECT_UID-2
   63577236 |   63580820 | Tag |00  fe  51                                                               |     | 
   63663280 |   63667984 | Rdr |30  02  10  8b                                                           |  ok | READBLOCK(2)
   63721092 |   63741956 | Tag |fd  48  0f  e0  f1  10  ff  ee  a5  00  0a  00  a8  e1  08  b7  4f  67   |  ok | 
   63937632 |   63938688 | Rdr |26(7)                                                                    |     | REQA
   63939876 |   63942244 | Tag |44  00                                                                   |     | 
   63949408 |   63954176 | Rdr |50  00  57  cd                                                           |  ok | HALT

Read sniff

This is the PM3 sniffing transcript of a Switch reading a DIY Amiibo card.

[usb] pm3 --> hf 14a list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 1329 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26(7)                                                                    |     | REQA
    1980400 |    1981456 | Rdr |26(7)                                                                    |     | REQA
    2180640 |    2181696 | Rdr |26(7)                                                                    |     | REQA
    4161120 |    4162176 | Rdr |26(7)                                                                    |     | REQA
    6142112 |    6143168 | Rdr |26(7)                                                                    |     | REQA
    6144356 |    6146724 | Tag |44  00                                                                   |     | 
    6346112 |    6347168 | Rdr |26(7)                                                                    |     | REQA
    6348356 |    6350724 | Tag |44  00                                                                   |     | 
    8330656 |    8331712 | Rdr |26(7)                                                                    |     | REQA
    8332900 |    8335268 | Tag |44  00                                                                   |     | 
   10311728 |   10312784 | Rdr |26(7)                                                                    |     | REQA
   10313972 |   10316340 | Tag |44  00                                                                   |     | 
   10510576 |   10511632 | Rdr |26(7)                                                                    |     | REQA
   10512820 |   10515188 | Tag |44  00                                                                   |     | 
   10526160 |   10530928 | Rdr |50  00  57  cd                                                           |  ok | HALT
   11424320 |   11425312 | Rdr |52(7)                                                                    |     | WUPA
   11426564 |   11428932 | Tag |44  00                                                                   |     | 
   11441744 |   11444208 | Rdr |93  20                                                                   |     | ANTICOLL
   11445396 |   11451220 | Tag |88  04  e2  0b  65                                                       |     | 
   11463632 |   11474096 | Rdr |93  70  88  04  e2  0b  65  1f  17                                       |  ok | SELECT_UID
   11475348 |   11478868 | Tag |04  da  17                                                               |     | 
   11490144 |   11492608 | Rdr |95  20                                                                   |     | ANTICOLL-2
   11493812 |   11499700 | Tag |66  10  02  89  fd                                                       |     | 
   11511584 |   11522112 | Rdr |95  70  66  10  02  89  fd  dd  1a                                       |  ok | SELECT_UID-2
   11523316 |   11526900 | Tag |00  fe  51                                                               |     | 
   12705616 |   12710384 | Rdr |50  00  57  cd                                                           |  ok | HALT
   14660080 |   14661136 | Rdr |26(7)                                                                    |     | REQA
   14662324 |   14664692 | Tag |44  00                                                                   |     | 
   14675648 |   14680416 | Rdr |50  00  57  cd                                                           |  ok | HALT
   15574064 |   15575056 | Rdr |52(7)                                                                    |     | WUPA
   15576308 |   15578676 | Tag |44  00                                                                   |     | 
   15591488 |   15593952 | Rdr |93  20                                                                   |     | ANTICOLL
   15595140 |   15600964 | Tag |88  04  e2  0b  65                                                       |     | 
   15613376 |   15623840 | Rdr |93  70  88  04  e2  0b  65  1f  17                                       |  ok | SELECT_UID
   15625108 |   15628628 | Tag |04  da  17                                                               |     | 
   15639904 |   15642368 | Rdr |95  20                                                                   |     | ANTICOLL-2
   15643556 |   15649444 | Tag |66  10  02  89  fd                                                       |     | 
   15661344 |   15671872 | Rdr |95  70  66  10  02  89  fd  dd  1a                                       |  ok | SELECT_UID-2
   15673060 |   15676644 | Tag |00  fe  51                                                               |     | 
   16766704 |   16770320 | Rdr |60  f8  32                                                               |  ok | EV1 VERSION
   16771508 |   16783156 | Tag |00  04  04  02  01  00  11  03  01  9e                                   |  ok | 
   16809952 |   16814720 | Rdr |3c  00  a2  01                                                           |  ok | READ SIG
   16815924 |   16855220 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  20  da           |  ok | 
   16886672 |   16891376 | Rdr |30  03  99  9a                                                           |  ok | READBLOCK(3)
   16944484 |   16965348 | Tag |f1  10  ff  ee  a5  00  0a  00  a8  e1  08  b7  c8  da  08  49  13  91   |  ok | 
   16993280 |   17001504 | Rdr |1b  2e  4e  ce  cc  5c  98                                               |  ok | PWD-AUTH KEY: 0x2e4ececc
   17054548 |   17059284 | Tag |80  80  64  16                                                           |     | 
   17086144 |   17092064 | Rdr |3a  00  3b  90  df                                                       |  ok | READ RANGE (0-59)
   17093252 |   17093252 | Tag |04  e2  0b  65  66  10  02  89  fd  48  0f  e0  f1  10  ff  ee  a5  00   |     | 
            |            |     |0a  00  a8  e1  08  b7  c8  da  08  49  02  97  96  f9  92  e2  82  7e   |     | 
            |            |     |4c  0f  a9  c0  76  7d  03  01  79  ab  94  11  7d  b5  54  70  c2  74   |     | 
            |            |     |80  ab  b8  7c  c7  d3  bb  b1  7d  51  e5  6d  b4  44  12  f7  78  04   |     | 
            |            |     |20  81  b1  3b  18  85  98  55  f5  aa  5a  38  01  00  00  00  03  4f   |     | 
            |            |     |09  02  0d  12  96  13  2b  f0  39  c6  7d  f3  95  1d  db  ce  a6  81   |     | 
            |            |     |ab  7b  6a  a8  5f  2f  ea  0e  d0  f1  24  89  d4  d2  d8  ad  0a  53   |     | 
            |            |     |93  16  71  98  a8  99  b5  f2  e0  84  b6  31  f8  20  6f  f9  e1  b9   |     | 
            |            |     |b1  0b  01  91  77  37  aa  2c  1a  52  88  db  f1  eb  dc  22  58  9c   |     | 
            |            |     |64  62  71  07  16  6c  98  46  9e  f6  1a  16  92  ce  1e  d8  7e  65   |     | 
            |            |     |65  a5  3d  15  73  ec  ac  18  0a  f2  77  e5  db  68  60  49  f1  5c   |     | 
            |            |     |8c  da  8e  df  ac  37  0f  51  a0  e5  2e  a4  75  35  d8  d1  06  4b   |     | 
            |            |     |3a  70  45  1b  42  d1  65  02  18  0c  07  3a  1f  58  c7  b8  a6  5a   |     | 
            |            |     |63  65  d8  c7  4a  c9  e9  9d                                           |  ok | 
   17415584 |   17421440 | Rdr |3a  3c  77  fa  48                                                       |  ok | READ RANGE (60-119)
   17422692 |   17422692 | Tag |e5  56  98  39  79  3a  11  11  05  15  a2  81  d2  05  c6  25  71  85   |     | 
            |            |     |32  e1  55  0a  48  01  0e  a6  e5  cc  8f  7d  80  33  8d  9c  77  4d   |     | 
            |            |     |7f  1e  ce  ad  16  85  d3  e0  43  c0  c1  b5  d3  21  40  85  76  cf   |     | 
            |            |     |7c  77  de  bf  cc  30  0e  64  82  b6  d7  7d  b0  99  6b  ac  23  6d   |     | 
            |            |     |1a  5a  bb  19  a8  95  25  13  fc  82  45  03  bd  48  ca  66  a1  ff   |     | 
            |            |     |62  ea  7f  6e  c8  6a  cc  06  93  47  96  57  06  7c  28  ee  fb  63   |     | 
            |            |     |c0  dd  b7  06  7d  9b  f1  61  d4  aa  58  1c  0f  c2  48  3e  3d  c7   |     | 
            |            |     |b6  86  cf  4e  fd  2a  f7  f6  ab  64  ba  f9  cc  6b  56  44  58  57   |     | 
            |            |     |1d  56  75  0b  50  8b  e8  a3  32  a0  b7  34  eb  4b  59  9d  1d  5a   |     | 
            |            |     |2c  e5  a9  f2  f5  8b  55  d2  00  a5  54  f6  e1  7e  5b  37  f1  a6   |     | 
            |            |     |11  d4  82  53  3b  cd  e6  24  0d  1a  53  c0  8f  ec  93  a8  be  65   |     | 
            |            |     |5c  de  3a  84  52  08  b0  cd  73  db  bd  91  7b  20  4f  61  e4  25   |     | 
            |            |     |b8  e6  d3  b1  20  d6  6a  1d  a8  de  c8  d5  4a  fa  84  65  c1  e4   |     | 
            |            |     |69  69  7b  05  ae  be  d9  af                                           |  ok | 
   17745024 |   17750944 | Rdr |3a  78  86  fa  8f                                                       |  ok | READ RANGE (120-134)
   17752132 |   17752132 | Tag |ad  47  f1  03  ea  f5  e7  ca  ff  ed  37  c8  d6  25  e1  4d  d5  a3   |     | 
            |            |     |6e  54  57  66  72  2c  6d  10  4c  cc  a1  1f  c0  31  da  7a  5e  3a   |     | 
            |            |     |5c  da  e4  1e  01  00  0f  bd  00  00  00  04  5f  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  92  e5                                           |  ok | 
   20028016 |   20032784 | Rdr |50  00  57  cd                                                           |  ok | HALT
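
Added example (not part of the original post or of the Proxmark3 code): the Python below parses rows copied from the trace above, rebuilds the 7-byte UID from the two cascade levels with a BCC check, and decodes the GET_VERSION, PWD_AUTH and FAST_READ exchanges. It shows that pages 133 and 134 read back as zeros even though the reader authenticates with a PWD and the tag answers with a PACK, which is standard NTAG21x behaviour. The names `parse_trace`, `analyse` and `crc_a` were chosen for this example.

```python
import re

NTAG215_VERSION = bytes.fromhex("0004040201001103")  # GET_VERSION payload of an NTAG215

# Rows copied from the read-sniff trace above; column padding trimmed.
TRACE = """\
11441744 | 11444208 | Rdr |93  20 |    | ANTICOLL
11445396 | 11451220 | Tag |88  04  e2  0b  65 |    |
11463632 | 11474096 | Rdr |93  70  88  04  e2  0b  65  1f  17 | ok | SELECT_UID
11475348 | 11478868 | Tag |04  da  17 |    |
11490144 | 11492608 | Rdr |95  20 |    | ANTICOLL-2
11493812 | 11499700 | Tag |66  10  02  89  fd |    |
11511584 | 11522112 | Rdr |95  70  66  10  02  89  fd  dd  1a | ok | SELECT_UID-2
11523316 | 11526900 | Tag |00  fe  51 |    |
16766704 | 16770320 | Rdr |60  f8  32 | ok | EV1 VERSION
16771508 | 16783156 | Tag |00  04  04  02  01  00  11  03  01  9e | ok |
16993280 | 17001504 | Rdr |1b  2e  4e  ce  cc  5c  98 | ok | PWD-AUTH KEY: 0x2e4ececc
17054548 | 17059284 | Tag |80  80  64  16 |    |
17745024 | 17750944 | Rdr |3a  78  86  fa  8f | ok | READ RANGE (120-134)
17752132 | 17752132 | Tag |ad  47  f1  03  ea  f5  e7  ca  ff  ed  37  c8  d6  25  e1  4d  d5  a3 |    |
         |          |     |6e  54  57  66  72  2c  6d  10  4c  cc  a1  1f  c0  31  da  7a  5e  3a |    |
         |          |     |5c  da  e4  1e  01  00  0f  bd  00  00  00  04  5f  00  00  00  00  00 |    |
         |          |     |00  00  00  00  00  00  92  e5 | ok |
"""


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A, returned in transmission order (low byte first)."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b = (b ^ (b << 4)) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def parse_trace(text):
    """Return [(src, frame_bytes)], folding continuation rows into their frame."""
    frames = []
    for row in text.splitlines():
        cols = [c.strip() for c in row.split("|")]
        if len(cols) < 4:
            continue  # separator or banner line
        data = bytes(int(h, 16) for h in re.findall(r"\b[0-9a-fA-F]{2}\b", cols[3]))
        if cols[2] in ("Rdr", "Tag"):
            frames.append([cols[2], data])
        elif cols[2] == "" and frames:  # row without Src continues the previous frame
            frames[-1][1] += data
    return [(src, data) for src, data in frames]


def analyse(frames):
    """Pair each reader command with the tag reply after it and decode NTAG21x fields."""
    out = {"uid": b"", "bcc_ok": True, "pages": {}}
    for (src, cmd), (nsrc, rsp) in zip(frames, frames[1:]):
        if src != "Rdr" or nsrc != "Tag" or not cmd:
            continue
        if cmd in (b"\x93\x20", b"\x95\x20") and len(rsp) >= 5:  # anticollision CL1 / CL2
            body, bcc = rsp[:4], rsp[4]
            out["bcc_ok"] &= (body[0] ^ body[1] ^ body[2] ^ body[3]) == bcc
            # 0x88 is the cascade tag: the UID continues in the next level
            out["uid"] += body[1:] if body[0] == 0x88 else body
        elif cmd[0] == 0x60:  # GET_VERSION
            out["version"] = rsp[:8]
        elif cmd[0] == 0x1B:  # PWD_AUTH: PWD travels in the command, PACK in the reply
            out["pwd"], out["pack"] = cmd[1:5], rsp[:2]
            out["pack_crc_ok"] = crc_a(rsp[:2]) == rsp[2:4]
        elif cmd[0] == 0x3A:  # FAST_READ <start page> <end page>
            for i, page in enumerate(range(cmd[1], cmd[2] + 1)):
                out["pages"][page] = rsp[4 * i:4 * i + 4]
    return out


if __name__ == "__main__":
    r = analyse(parse_trace(TRACE))
    print("UID", r["uid"].hex(), "BCC ok:", r["bcc_ok"])
    print("NTAG215:", r["version"] == NTAG215_VERSION)
    print("PWD", r["pwd"].hex(), "PACK", r["pack"].hex(), "PACK CRC ok:", r["pack_crc_ok"])
    print("pages 133/134 as read:", r["pages"][133].hex(), r["pages"][134].hex())
```

The PACK reply has an empty CRC column in the trace, but its last two bytes are a valid CRC_A over `80 80`.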

Invalid file loading

This is a transcript of PM3 loading an invalid eml file converted from a dump.

[usb] pm3 --> hf mfu eload --ul -f Alm.eml 
[=] 255 blocks ( 1020 bytes ) to upload
[+] loaded 540 bytes from text file Alm.eml
[=] detected plain mfu dump format
[+] plain mfu dump format was converted to 135 blocks
[=] MFU dump file information
[=] -------------------------------------------------------------
[=]       Version | 00 00 00 00 00 00 00 00 
[=]         TBD 0 | 00 00 
[=]         TBD 1 | 00 
[=]     Signature | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=]     Counter 0 | 00 00 00 
[=]     Tearing 0 | 00 
[=]     Counter 1 | 00 00 00 
[=]     Tearing 1 | 00 
[=]     Counter 2 | 00 00 00 
[=]     Tearing 2 | 00 
[=] Max data page | 133 (536 bytes)
[=]   Header size | 56
[=] -------------------------------------------------------------
[=] MIFARE Ultralight override, will use 149 blocks ( 596 bytes )
[=] Uploading to emulator memory
[=] ......................................................................................................................................................
[?] You are ready to simulate. See `hf mfu sim -h`
[=] Done!

Valid data file loading transcript

This is a transcript of PM3 loading a valid eml file.

[usb] pm3 --> hf mfu eload --ul -f hf-mfu-04E20B66100289-dump.eml
[=] 255 blocks ( 1020 bytes ) to upload
[+] loaded 596 bytes from text file hf-mfu-04E20B66100289-dump.eml
[=] detected new mfu dump format
[=] MFU dump file information
[=] -------------------------------------------------------------
[=]       Version | 00 04 04 02 01 00 11 03 
[=]         TBD 0 | 00 00 
[=]         TBD 1 | 00 
[=]     Signature | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=]     Counter 0 | 00 00 00 
[=]     Tearing 0 | 00 
[=]     Counter 1 | 00 00 00 
[=]     Tearing 1 | 00 
[=]     Counter 2 | 00 00 00 
[=]     Tearing 2 | 00 
[=] Max data page | 133 (536 bytes)
[=]   Header size | 56
[=] -------------------------------------------------------------
[=] MIFARE Ultralight override, will use 149 blocks ( 596 bytes )
[=] Uploading to emulator memory
[=] ......................................................................................................................................................
[?] You are ready to simulate. See `hf mfu sim -h`
[=] Done!

3DS simulation transcript

This is the trace recorded while using the PM3 to simulate an NTAG215 on a 3DS.

[usb] pm3 --> hf 14a list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 1286 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26(7)                                                                    |     | REQA
       2228 |       4596 | Tag |44  00                                                                   |     | 
     455308 |     460076 | Rdr |50  00  57  cd                                                           |  ok | HALT
     536690 |     537682 | Rdr |52(7)                                                                    |     | WUPA
     538982 |     541350 | Tag |44  00                                                                   |     | 
     549944 |     552408 | Rdr |93  20                                                                   |     | ANTICOLL
     553580 |     559404 | Tag |88  04  e2  0b  65                                                       |     | 
     568172 |     578636 | Rdr |93  70  88  04  e2  0b  65  1f  17                                       |  ok | SELECT_UID
     579872 |     583392 | Tag |04  da  17                                                               |     | 
     592000 |     594464 | Rdr |95  20                                                                   |     | ANTICOLL-2
     595636 |     601524 | Tag |66  10  02  89  fd                                                       |     | 
     610246 |     620774 | Rdr |95  70  66  10  02  89  fd  dd  1a                                       |  ok | SELECT_UID-2
     621946 |     625530 | Tag |00  fe  51                                                               |     | 
    4617692 |    4618748 | Rdr |26(7)                                                                    |     | REQA
    4619920 |    4622288 | Tag |44  00                                                                   |     | 
    4631292 |    4636060 | Rdr |50  00  57  cd                                                           |  ok | HALT
    4712720 |    4713712 | Rdr |52(7)                                                                    |     | WUPA
    4714948 |    4717316 | Tag |44  00                                                                   |     | 
    4725980 |    4728444 | Rdr |93  20                                                                   |     | ANTICOLL
    4729616 |    4735440 | Tag |88  04  e2  0b  65                                                       |     | 
    4744206 |    4754670 | Rdr |93  70  88  04  e2  0b  65  1f  17                                       |  ok | SELECT_UID
    4755906 |    4759426 | Tag |04  da  17                                                               |     | 
    4768034 |    4770498 | Rdr |95  20                                                                   |     | ANTICOLL-2
    4771670 |    4777558 | Tag |66  10  02  89  fd                                                       |     | 
    4786246 |    4796774 | Rdr |95  70  66  10  02  89  fd  dd  1a                                       |  ok | SELECT_UID-2
    4797946 |    4801530 | Tag |00  fe  51                                                               |     | 
    4967352 |    4970968 | Rdr |60  f8  32                                                               |  ok | EV1 VERSION
    4972140 |    4983788 | Tag |00  04  04  02  01  00  11  03  01  9e                                   |  ok | 
    5003226 |    5007930 | Rdr |30  03  99  9a                                                           |  ok | READBLOCK(3)
    5011982 |    5032846 | Tag |f1  10  ff  ee  a5  00  0a  00  a8  e1  08  b7  c8  da  08  49  13  91   |  ok | 
    5059876 |    5068100 | Rdr |1b  2e  4e  ce  cc  5c  98                                               |  ok | PWD-AUTH KEY: 0x2e4ececc
    5070168 |    5074904 | Tag |80  80  64  16                                                           |     | 
    5097086 |    5103006 | Rdr |3a  00  3b  90  df                                                       |  ok | READ RANGE (0-59)
    5138610 |    5138610 | Tag |04  e2  0b  65  66  10  02  89  fd  48  0f  e0  f1  10  ff  ee  a5  00   |     | 
            |            |     |0a  00  a8  e1  08  b7  c8  da  08  49  02  97  96  f9  92  e2  82  7e   |     | 
            |            |     |4c  0f  a9  c0  76  7d  03  01  79  ab  94  11  7d  b5  54  70  c2  74   |     | 
            |            |     |80  ab  b8  7c  c7  d3  bb  b1  7d  51  e5  6d  b4  44  12  f7  78  04   |     | 
            |            |     |20  81  b1  3b  18  85  98  55  f5  aa  5a  38  01  00  00  00  03  4f   |     | 
            |            |     |09  02  0d  12  96  13  2b  f0  39  c6  7d  f3  95  1d  db  ce  a6  81   |     | 
            |            |     |ab  7b  6a  a8  5f  2f  ea  0e  d0  f1  24  89  d4  d2  d8  ad  0a  53   |     | 
            |            |     |93  16  71  98  a8  99  b5  f2  e0  84  b6  31  f8  20  6f  f9  e1  b9   |     | 
            |            |     |b1  0b  01  91  77  37  aa  2c  1a  52  88  db  f1  eb  dc  22  58  9c   |     | 
            |            |     |64  62  71  07  16  6c  98  46  9e  f6  1a  16  92  ce  1e  d8  7e  65   |     | 
            |            |     |65  a5  3d  15  73  ec  ac  18  0a  f2  77  e5  db  68  60  49  f1  5c   |     | 
            |            |     |8c  da  8e  df  ac  37  0f  51  a0  e5  2e  a4  75  35  d8  d1  06  4b   |     | 
            |            |     |3a  70  45  1b  42  d1  65  02  18  0c  07  3a  1f  58  c7  b8  a6  5a   |     | 
            |            |     |63  65  d8  c7  4a  c9  e9  9d                                           |  ok | 
    5537314 |    5543170 | Rdr |3a  3c  77  fa  48                                                       |  ok | READ RANGE (60-119)
    5578966 |    5578966 | Tag |e5  56  98  39  79  3a  11  11  05  15  a2  81  d2  05  c6  25  71  85   |     | 
            |            |     |32  e1  55  0a  48  01  0e  a6  e5  cc  8f  7d  80  33  8d  9c  77  4d   |     | 
            |            |     |7f  1e  ce  ad  16  85  d3  e0  43  c0  c1  b5  d3  21  40  85  76  cf   |     | 
            |            |     |7c  77  de  bf  cc  30  0e  64  82  b6  d7  7d  b0  99  6b  ac  23  6d   |     | 
            |            |     |1a  5a  bb  19  a8  95  25  13  fc  82  45  03  bd  48  ca  66  a1  ff   |     | 
            |            |     |62  ea  7f  6e  c8  6a  cc  06  93  47  96  57  06  7c  28  ee  fb  63   |     | 
            |            |     |c0  dd  b7  06  7d  9b  f1  61  d4  aa  58  1c  0f  c2  48  3e  3d  c7   |     | 
            |            |     |b6  86  cf  4e  fd  2a  f7  f6  ab  64  ba  f9  cc  6b  56  44  58  57   |     | 
            |            |     |1d  56  75  0b  50  8b  e8  a3  32  a0  b7  34  eb  4b  59  9d  1d  5a   |     | 
            |            |     |2c  e5  a9  f2  f5  8b  55  d2  00  a5  54  f6  e1  7e  5b  37  f1  a6   |     | 
            |            |     |11  d4  82  53  3b  cd  e6  24  0d  1a  53  c0  8f  ec  93  a8  be  65   |     | 
            |            |     |5c  de  3a  84  52  08  b0  cd  73  db  bd  91  7b  20  4f  61  e4  25   |     | 
            |            |     |b8  e6  d3  b1  20  d6  6a  1d  a8  de  c8  d5  4a  fa  84  65  c1  e4   |     | 
            |            |     |69  69  7b  05  ae  be  d9  af                                           |  ok | 
    5975388 |    5981308 | Rdr |3a  78  86  fa  8f                                                       |  ok | READ RANGE (120-134)
    5991440 |    5991440 | Tag |ad  47  f1  03  ea  f5  e7  ca  ff  ed  37  c8  d6  25  e1  4d  d5  a3   |     | 
            |            |     |6e  54  57  66  72  2c  6d  10  4c  cc  a1  1f  c0  31  da  7a  5e  3a   |     | 
            |            |     |5c  da  e4  1e  01  00  0f  bd  00  00  00  04  5f  00  00  00  2e  4e   |     | 
            |            |     |ce  cc  80  80  00  00  5c  01                                           |  ok | 
   18286940 |   18287996 | Rdr |26(7)                                                                    |     | REQA
   18289168 |   18291536 | Tag |44  00                                                                   |     | 
   18300572 |   18305340 | Rdr |50  00  57  cd                                                           |  ok | HALT
   18382004 |   18382996 | Rdr |52(7)                                                                    |     | WUPA
   18384232 |   18386600 | Tag |44  00                                                                   |     | 
   18395264 |   18397728 | Rdr |93  20                                                                   |     | ANTICOLL
   18398900 |   18404724 | Tag |88  04  e2  0b  65                                                       |     | 
   18413492 |   18423956 | Rdr |93  70  88  04  e2  0b  65  1f  17                                       |  ok | SELECT_UID
   18425192 |   18428712 | Tag |04  da  17                                                               |     | 
   18437284 |   18439748 | Rdr |95  20                                                                   |     | ANTICOLL-2
   18440920 |   18446808 | Tag |66  10  02  89  fd                                                       |     | 
   18455514 |   18466042 | Rdr |95  70  66  10  02  89  fd  dd  1a                                       |  ok | SELECT_UID-2
   18467214 |   18470798 | Tag |00  fe  51                                                               |     |

Converter

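#include <cstdlib>
#include <fstream>
#include <iomanip>
#include <iostream>

// An NTAG215 dump is 135 pages of 4 bytes each.
#define BIN_SIZE 540
// 14 header lines written before the page data. The first two hold the
// GET_VERSION answer (00 04 04 02 01 00 11 03), and 0x86 in the third is
// the index of the last page (134).
#define EML_HEADER "00040402\n01001103\n00000086\n00000000\n00000000\n00000000\n00000000\n00000000\n00000000\n00000000\n00000000\n00000000\n00000000\n00000000"

using namespace std;

int main(int argc, char *argv[])
{
    if (argc != 3)
    {
        cout << "Usage: convert <path/to/amiibo>.bin <path/to/output>.eml" << endl;
        exit(-1);
    }

    fstream bin_in(argv[1], ios::in | ios::binary);
    fstream eml_out(argv[2], ios::out | ios::binary);

    if (!bin_in || !eml_out)
    {
        cout << "Error opening file" << endl;
        exit(-1);
    }

    char buffer[BIN_SIZE] = {0};
    unsigned int int_out[BIN_SIZE] = {0};

    bin_in.read(buffer, BIN_SIZE);
    // Refuse short input instead of converting a partly filled buffer.
    if (bin_in.gcount() != BIN_SIZE)
    {
        cout << "Input file is shorter than " << BIN_SIZE << " bytes" << endl;
        exit(-1);
    }
    // char may be signed, so convert each byte to its 0..255 value.
    for (int i = 0; i < BIN_SIZE; i++)
        int_out[i] = static_cast<unsigned char>(buffer[i]);

    bin_in.close();

    // Page 0x85 (PWD): derived from the UID. Offsets 0-2 and 4-7 of the dump
    // hold the seven UID bytes; offset 3 is BCC0 and is skipped.
    int_out[BIN_SIZE - 8] = int_out[1] ^ int_out[4] ^ 0xAA;
    int_out[BIN_SIZE - 7] = int_out[2] ^ int_out[5] ^ 0x55;
    int_out[BIN_SIZE - 6] = int_out[4] ^ int_out[6] ^ 0xAA;
    int_out[BIN_SIZE - 5] = int_out[5] ^ int_out[7] ^ 0x55;
    // Page 0x86 (PACK): the 80 80 the tag answers to PWD_AUTH.
    int_out[BIN_SIZE - 4] = 0x80;
    int_out[BIN_SIZE - 3] = 0x80;

    // One page (4 bytes, 8 hex digits) per line after the header.
    eml_out << EML_HEADER;
    for (int i = 0; i < (BIN_SIZE / 4); i++)
    {
        eml_out << endl;
        for (int j = 0; j < 4; j++)
        {
            eml_out << setfill('0') << setw(2) << hex << int_out[4 * i + j];
        }
    }

    eml_out.close();

    return 0;
}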
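
The PWD-AUTH key the 3DS sends in the trace (0x2e4ececc) is the value the converter computes from the UID. The following example is added here and is not part of the original post: it rebuilds the UID from the two anticollision answers in the trace, applies the converter's XOR derivation, and checks the result against the recorded PWD_AUTH frame, including its CRC. The function names are this example's own.

```cpp
// Added example, not the post's code. Frame bytes are copied from its 3DS trace.
#include <array>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<uint8_t>;
using Uid = std::array<uint8_t, 7>;

// ISO 14443-A CRC_A: initial value 0x6363, sent low byte first.
uint16_t crc_a(const Bytes &d, std::size_t n) {
    uint16_t crc = 0x6363;
    for (std::size_t i = 0; i < n; i++) {
        uint8_t b = d[i] ^ (crc & 0xFF);
        b ^= b << 4;
        crc = (crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4);
    }
    return crc;
}

// Rebuild the UID from both anticollision answers; checks cascade tag and BCCs.
bool uid_from_anticoll(const Bytes &a, const Bytes &b, Uid &uid) {
    if (a.size() != 5 || b.size() != 5 || a[0] != 0x88) return false;
    if ((a[0] ^ a[1] ^ a[2] ^ a[3]) != a[4] || (b[0] ^ b[1] ^ b[2] ^ b[3]) != b[4]) return false;
    uid = {a[1], a[2], a[3], b[0], b[1], b[2], b[3]};
    return true;
}

// The converter's XOR derivation, written against the 7-byte UID.
std::array<uint8_t, 4> derive_pwd(const Uid &u) {
    return {uint8_t(u[1] ^ u[3] ^ 0xAA), uint8_t(u[2] ^ u[4] ^ 0x55),
            uint8_t(u[3] ^ u[5] ^ 0xAA), uint8_t(u[4] ^ u[6] ^ 0x55)};
}

// True when a PWD_AUTH frame (0x1B, 4 password bytes, CRC) carries that value.
bool pwd_auth_matches(const Bytes &f, const Uid &u) {
    if (f.size() != 7 || f[0] != 0x1B) return false;
    uint16_t c = crc_a(f, 5);
    auto p = derive_pwd(u);
    return f[5] == (c & 0xFF) && f[6] == (c >> 8) &&
           f[1] == p[0] && f[2] == p[1] && f[3] == p[2] && f[4] == p[3];
}

int main() {
    Uid uid{};
    bool ok = uid_from_anticoll({0x88, 0x04, 0xe2, 0x0b, 0x65}, {0x66, 0x10, 0x02, 0x89, 0xfd}, uid) &&
              pwd_auth_matches({0x1b, 0x2e, 0x4e, 0xce, 0xcc, 0x5c, 0x98}, uid);
    std::printf("PWD_AUTH matches UID-derived PWD: %s\n", ok ? "yes" : "no");
}
```

Since the password is a pure function of the UID, anything that can read the UID can compute it.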