hf_mfu_amiibo_restore succeed but invalid for the switch #1861

Closed
saltbo opened this issue Jan 8, 2023 · 31 comments

Comments

@saltbo

saltbo commented Jan 8, 2023

To Reproduce
script run hf_mfu_amiibo_restore -f myfile -k password

Expected behavior
Restore a valid amiibo card

Screenshots
image

image

image

dump eml content


Additional context

Hello @gtalusan, thanks for your scripts about amiibo.

The script hf_mfu_amiibo_sim.lua is great; it can simulate an amiibo card for use.

When I use the script hf_mfu_amiibo_restore.lua, it restores successfully, but I don't know why it can't be recognized by the Switch.

I reviewed your script code against the articles https://farewell-ladmin.com/backing-up-your-amiibo-with-a-proxmark3/ and https://forum.dangerousthings.com/t/cloning-amiibo-onto-new-cards/11585. I have not found any problem...

With all due respect, is there no problem for you to successfully clone it using this script?

@gtalusan
Contributor

gtalusan commented Jan 8, 2023

Both work great for me and my main test console has been the Nintendo Switch, in particular Breath of the Wild.

I have tested briefly with a Nintendo Wii U using Yoshi's Woolly World and both the simulator and restored NTAG215 worked as expected.

If you're using the "pregen" Amiibos, you'll need to first encrypt them using a null UID.

@saltbo
Author

saltbo commented Jan 9, 2023

> If you're using the "pregen" Amiibos, you'll need to first encrypt them using a null UID.

How do I encrypt using a null UID? I am using the script https://github.com/RfidResearchGroup/proxmark3/blob/master/client/pyscripts/amiibo_change_uid.py to change the UID.

@gtalusan
Contributor

gtalusan commented Jan 9, 2023

Sorry, I was thinking about something different when I said null UID.

The proxmark3 scripts will only write/restore a binary as if it were read from an existing Amiibo. This means the data is assumed to be encrypted when restoring to a card.

So for a pregen Amiibo, your first step will be to encrypt it before using the script to restore it to an NTAG215.

Use a tool such as amiitool to encrypt and sign your pregen Amiibo since they're decrypted.

@saltbo
Author

saltbo commented Jan 9, 2023

Would you happen to know pyamiibo? amiibo_change_uid.py is based on pyamiibo.

I thought it was the same as amiitool. Does amiibo_change_uid.py not contain encryption logic?
I thought it was already encrypted because it works fine with the sim script.

@gtalusan
Contributor

gtalusan commented Jan 9, 2023

They serve the same functionality. You may use PyAmiibo as well.

If your Amiibo data is decrypted then it must be encrypted before writing it to a tag.

The UID and Amiibo identification blocks are NOT encrypted. If you are using software that only checks those pieces then it'll succeed. However, software that checks game data blocks will assume it's encrypted -- so if you have not encrypted the data properly, then the game may not work correctly with that tag.

If you dump a real Amiibo then the game data will be encrypted. This would be the perfect input into the proxmark3 scripts.

@saltbo
Author

saltbo commented Jan 9, 2023

image

I used amiitool to build a bin file; it's the same as the one pyamiibo generated.

@gtalusan
Contributor

gtalusan commented Jan 9, 2023

Right, I have no idea if your originating data is correct to begin with.

Next step would be to restore it to the card using the new card's PWD.

@saltbo
Author

saltbo commented Jan 9, 2023

My Amiibo data is encrypted. And it's dumped from a real Amiibo.

The UID of my NTAG215 cannot be modified, so I think I only need to update the UID of the bin file.

I run pm3 -c "script run amiibo_change_uid 0491DF01464503 wolf-dump-noh.bin wolf-dump-pm3.bin key_retail.bin" to get a new bin file,

then run "script run hf_mfu_amiibo_restore -f wolf-dump-pm3.bin"

Is that right?

@gtalusan
Contributor

gtalusan commented Jan 9, 2023

The restore script will run amiibo_change_uid for you.

You only need to provide the new card's PWD and path to the bin file.

@saltbo
Author

saltbo commented Jan 9, 2023

> If you dump a real Amiibo then the game data will be encrypted. This would be the perfect input into the proxmark3 scripts.

I tried to restore the dump data, and errors occurred:

[usb] pm3 --> script run hf_mfu_amiibo_restore -f hf-mfu-045A397ADF6180-dump.bin -k FFFFFFFF
[+] executing lua /usr/local/Cellar/proxmark3/4.15864/bin/../share/proxmark3/luascripts/hf_mfu_amiibo_restore.lua
[+] args '-f hf-mfu-045A397ADF6180-dump.bin -k FFFFFFFF'
----------------------------------------
----------------------------------------
Loading data from hf-mfu-045A397ADF6180-dump.bin
game: nil
[-] ⛔ error - .../../share/proxmark3/luascripts/hf_mfu_amiibo_restore.lua:119: attempt to index field '?' (a nil value)

[+] finished hf_mfu_amiibo_restore

Should I remove the header data?

@saltbo
Author

saltbo commented Jan 9, 2023

header


data


@saltbo
Author

saltbo commented Jan 9, 2023

The restore succeeded, but it still did not work...

Is there any way to troubleshoot the problem?

@gtalusan
Contributor

gtalusan commented Jan 9, 2023

Looks like an off-by-1.

Code change here: #1863

Dumping an Amiibo:

[usb] pm3 --> hf mfu dump -k 7F4CD4ED
[+] TYPE: NTAG 215 504bytes (NT2H1511G0DU)  
[+] Reading tag memory...

[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 04 04 02 01 00 11 03 
[=] TBD 0....... 00 00 
[=] TBD 1....... 00 
[=] Signature... 9F 87 F9 58 18 B2 4E 90 7D 41 00 96 CE B9 A7 4A 
[=]              B0 9E 3A 1A FA 30 E7 B2 AC BD AF 4E 89 68 38 04 
[=] Counter 0... 00 00 00 
[=] Tearing 0... 00 
[=] Counter 1... 00 00 00 
[=] Tearing 1... 00 
[=] Counter 2... 00 00 00 
[=] Tearing 2... 00 
[=] Max data page... 133 ( 536 bytes )
[=] Header size..... 56 bytes

[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 CA 20 66 |   | .. f
[=]   1/0x01 | 1F 39 61 81 |   | .9a.
[=]   2/0x02 | C6 48 0F E0 |   | .H..
[=]   3/0x03 | F1 10 FF EE | 1 | ....
[=]   4/0x04 | A5 95 3C 00 | 0 | ..<.
[=]   5/0x05 | 25 35 1B 6F | 0 | %5.o
[=]   6/0x06 | C4 DC 57 93 | 0 | ..W.
[=]   7/0x07 | A0 62 C1 7A | 0 | .b.z
[=]   8/0x08 | 91 D0 2C 88 | 0 | ..,.
[=]   9/0x09 | 14 CE 2F 16 | 0 | ../.
[=]  10/0x0A | CE 44 F6 1D | 0 | .D..
[=]  11/0x0B | AD 3E 3F CD | 0 | .>?.
[=]  12/0x0C | F8 E3 A8 5B | 0 | ...[
[=]  13/0x0D | 2F 44 FA 86 | 1 | /D..
[=]  14/0x0E | 2B E7 B9 DE | 1 | +...
[=]  15/0x0F | CD 35 9B 0F | 1 | .5..
[=]  16/0x10 | 24 C6 4F A4 | 0 | $.O.
[=]  17/0x11 | 4A 40 D9 C6 | 0 | J@..
[=]  18/0x12 | 68 48 CD 71 | 0 | hH.q
[=]  19/0x13 | 88 11 60 ED | 0 | ..`.
[=]  20/0x14 | 04 33 8A 34 | 0 | .3.4
[=]  21/0x15 | 01 01 03 00 | 0 | ....
[=]  22/0x16 | 04 14 09 02 | 0 | ....
[=]  23/0x17 | 0D 12 51 06 | 0 | ..Q.
[=]  24/0x18 | F8 50 37 6D | 0 | .P7m
[=]  25/0x19 | C9 54 A0 CA | 0 | .T..
[=]  26/0x1A | 85 25 17 D2 | 0 | .%..
[=]  27/0x1B | 9F C5 2B 92 | 0 | ..+.
[=]  28/0x1C | 8F 8D 3E D0 | 0 | ..>.
[=]  29/0x1D | 03 C0 02 84 | 0 | ....
[=]  30/0x1E | EE C5 60 40 | 0 | ..`@
[=]  31/0x1F | 13 53 70 C1 | 0 | .Sp.
[=]  32/0x20 | 3C A3 73 A0 | 0 | <.s.
[=]  33/0x21 | C2 E1 7F FA | 0 | ....
[=]  34/0x22 | 82 F4 D5 CE | 0 | ....
[=]  35/0x23 | EA F7 F9 10 | 0 | ....
[=]  36/0x24 | DE C3 AB 04 | 0 | ....
[=]  37/0x25 | 25 EB D4 45 | 0 | %..E
[=]  38/0x26 | 86 DC 2B AB | 0 | ..+.
[=]  39/0x27 | 5B 58 95 13 | 0 | [X..
[=]  40/0x28 | ED BD 72 14 | 0 | ..r.
[=]  41/0x29 | B5 26 1B ED | 0 | .&..
[=]  42/0x2A | 08 79 B8 91 | 0 | .y..
[=]  43/0x2B | 24 9C 1D 0D | 0 | $...
[=]  44/0x2C | 07 83 ED 8F | 0 | ....
[=]  45/0x2D | 7D 77 17 23 | 0 | }w.#
[=]  46/0x2E | 7B B1 74 F7 | 0 | {.t.
[=]  47/0x2F | 60 F0 C6 84 | 0 | `...
[=]  48/0x30 | B8 2E 43 08 | 0 | ..C.
[=]  49/0x31 | 40 7C 0F 42 | 0 | @|.B
[=]  50/0x32 | 31 80 C7 0E | 0 | 1...
[=]  51/0x33 | B8 38 C1 D4 | 0 | .8..
[=]  52/0x34 | 8B B7 54 F8 | 0 | ..T.
[=]  53/0x35 | D0 54 01 5C | 0 | .T.\
[=]  54/0x36 | CB 15 B9 D4 | 0 | ....
[=]  55/0x37 | CD 89 45 36 | 0 | ..E6
[=]  56/0x38 | 05 98 F9 35 | 0 | ...5
[=]  57/0x39 | BD 90 F0 36 | 0 | ...6
[=]  58/0x3A | A8 8B CA A2 | 0 | ....
[=]  59/0x3B | 6E 87 24 92 | 0 | n.$.
[=]  60/0x3C | BB 51 C9 80 | 0 | .Q..
[=]  61/0x3D | CA 16 AF FB | 0 | ....
[=]  62/0x3E | 16 01 21 1C | 0 | ..!.
[=]  63/0x3F | 88 64 38 B8 | 0 | .d8.
[=]  64/0x40 | 8F 24 81 B5 | 0 | .$..
[=]  65/0x41 | 83 85 04 3D | 0 | ...=
[=]  66/0x42 | F1 D8 D9 5F | 0 | ..._
[=]  67/0x43 | 77 1F BA 44 | 0 | w..D
[=]  68/0x44 | 9B F1 8D DF | 0 | ....
[=]  69/0x45 | A4 C4 45 F1 | 0 | ..E.
[=]  70/0x46 | 2E A3 9D CE | 0 | ....
[=]  71/0x47 | 50 C7 D3 B1 | 0 | P...
[=]  72/0x48 | 14 C8 7F 52 | 0 | ...R
[=]  73/0x49 | F1 30 3B 9E | 0 | .0;.
[=]  74/0x4A | 00 1F D4 96 | 0 | ....
[=]  75/0x4B | 9A D2 57 32 | 0 | ..W2
[=]  76/0x4C | 4C 26 42 8A | 0 | L&B.
[=]  77/0x4D | 06 3C 24 48 | 0 | .<$H
[=]  78/0x4E | 4C 96 5B 82 | 0 | L.[.
[=]  79/0x4F | AB A0 E9 74 | 0 | ...t
[=]  80/0x50 | 70 23 79 9C | 0 | p#y.
[=]  81/0x51 | 45 80 9A 16 | 0 | E...
[=]  82/0x52 | C1 D2 2A 47 | 0 | ..*G
[=]  83/0x53 | 81 39 04 D5 | 0 | .9..
[=]  84/0x54 | B8 14 5A C5 | 0 | ..Z.
[=]  85/0x55 | 08 F4 8C D0 | 0 | ....
[=]  86/0x56 | D1 D9 D5 8D | 0 | ....
[=]  87/0x57 | CB DE 9C F3 | 0 | ....
[=]  88/0x58 | 52 89 C9 1F | 0 | R...
[=]  89/0x59 | 3B 63 9C 41 | 0 | ;c.A
[=]  90/0x5A | 4A DB 8B 78 | 0 | J..x
[=]  91/0x5B | 93 F0 7E A3 | 0 | ..~.
[=]  92/0x5C | 78 34 70 0E | 0 | x4p.
[=]  93/0x5D | 48 3B 29 A7 | 0 | H;).
[=]  94/0x5E | D6 79 D9 8C | 0 | .y..
[=]  95/0x5F | 46 B4 1E 38 | 0 | F..8
[=]  96/0x60 | 06 62 AD 73 | 0 | .b.s
[=]  97/0x61 | EF EA 7B 78 | 0 | ..{x
[=]  98/0x62 | 27 DC C1 58 | 0 | '..X
[=]  99/0x63 | F2 B6 6E F4 | 0 | ..n.
[=] 100/0x64 | BB 83 B0 88 | 0 | ....
[=] 101/0x65 | 0D A2 18 13 | 0 | ....
[=] 102/0x66 | A5 C9 9E EC | 0 | ....
[=] 103/0x67 | 32 5D 85 5C | 0 | 2].\
[=] 104/0x68 | A2 05 A2 35 | 0 | ...5
[=] 105/0x69 | 8C 59 8B 68 | 0 | .Y.h
[=] 106/0x6A | 05 F1 91 D8 | 0 | ....
[=] 107/0x6B | E1 21 77 43 | 0 | .!wC
[=] 108/0x6C | 18 B3 8D E3 | 0 | ....
[=] 109/0x6D | 82 95 A4 12 | 0 | ....
[=] 110/0x6E | 62 59 D2 75 | 0 | bY.u
[=] 111/0x6F | D8 81 22 9F | 0 | ..".
[=] 112/0x70 | 79 55 B7 1F | 0 | yU..
[=] 113/0x71 | 19 6B 66 E8 | 0 | .kf.
[=] 114/0x72 | 98 1D 69 1C | 0 | ..i.
[=] 115/0x73 | CB AA F2 3A | 0 | ...:
[=] 116/0x74 | A6 39 33 26 | 0 | .93&
[=] 117/0x75 | 77 F1 53 5F | 0 | w.S_
[=] 118/0x76 | CE 11 D2 2D | 0 | ...-
[=] 119/0x77 | F4 E0 4F B4 | 0 | ..O.
[=] 120/0x78 | 4F A3 4B 79 | 0 | O.Ky
[=] 121/0x79 | 3C 06 FF 26 | 0 | <..&
[=] 122/0x7A | 5F 0E BD D3 | 0 | _...
[=] 123/0x7B | FC D0 C7 DB | 0 | ....
[=] 124/0x7C | 73 7A 48 8B | 0 | szH.
[=] 125/0x7D | 41 0C C8 68 | 0 | A..h
[=] 126/0x7E | 38 B8 FE DC | 0 | 8...
[=] 127/0x7F | 19 FE FF 99 | 0 | ....
[=] 128/0x80 | 4E FA 53 45 | 0 | N.SE
[=] 129/0x81 | 9F 3C 70 CF | 0 | .<p.
[=] 130/0x82 | 01 00 0F BD | 0 | ....
[=] 131/0x83 | 00 00 00 04 | 0 | ....
[=] 132/0x84 | 5F 00 00 00 | 0 | _...
[=] 133/0x85 | 7F 4C D4 ED | 0 | .L..
[=] 134/0x86 | 80 80 00 00 | 0 | ....
[=] ---------------------------------
[=] Using UID as filename
[+] saved 596 bytes to binary file hf-mfu-04CA201F396181-dump.bin
[+] saved 149 blocks to text file hf-mfu-04CA201F396181-dump.eml
[+] saved to json file hf-mfu-04CA201F396181-dump.json
----------------------------------------	

and restoring it to a new tag:

[usb] pm3 --> script run hf_mfu_amiibo_restore -f hf-mfu-04CA201F396181-dump.bin -k FFFFFFFF
[+] executing lua /usr/local/Cellar/proxmark3/HEAD-06e54d4/bin/../share/proxmark3/luascripts/hf_mfu_amiibo_restore.lua
[+] args '-f hf-mfu-04CA201F396181-dump.bin -k FFFFFFFF'
----------------------------------------	
----------------------------------------	
Loading data from hf-mfu-04CA201F396181-dump.bin	
game: The Legend of Zelda	
character: Zelda & Loftwing	
type: Figure	
series: Legend Of Zelda	
generating new Amiibo binary for NTAG215 04ED511F196180	
[+] executing python /usr/local/Cellar/proxmark3/HEAD-06e54d4/bin/../share/proxmark3/pyscripts/amiibo_change_uid.py
[+] args '04ED511F196180 /tmp/lua_VOetEl.bin /tmp/lua_rlDxzK.bin /usr/local/Cellar/proxmark3/HEAD-06e54d4/bin/../share/proxmark3/resources/key_retail.bin'

[+] finished amiibo_change_uid

[+] loaded 540 bytes from binary file /tmp/lua_rlDxzK.bin
[=] Restoring /tmp/lua_rlDxzK.bin to card

[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 00 00 00 00 00 00 00 
[=] TBD 0....... 00 00 
[=] TBD 1....... 00 
[=] Signature... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=]              00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=] Counter 0... 00 00 00 
[=] Tearing 0... 00 
[=] Counter 1... 00 00 00 
[=] Tearing 1... 00 
[=] Counter 2... 00 00 00 
[=] Tearing 2... 00 
[=] Max data page... 133 ( 536 bytes )
[=] Header size..... 56 bytes

[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 ED 51 30 |   | ..Q0
[=]   1/0x01 | 1F 19 61 80 |   | ..a.
[=]   2/0x02 | E7 48 0F E0 |   | .H..
[=]   3/0x03 | F1 10 FF EE | 1 | ....
[=]   4/0x04 | A5 95 3C 00 | 0 | ..<.
[=]   5/0x05 | E3 1B 90 E9 | 0 | ....
[=]   6/0x06 | 0B 41 5A 5C | 0 | .AZ\
[=]   7/0x07 | 69 80 A7 25 | 0 | i..%
[=]   8/0x08 | 47 D8 87 E8 | 0 | G...
[=]   9/0x09 | B0 0B B0 66 | 0 | ...f
[=]  10/0x0A | 24 D2 35 1D | 0 | $.5.
[=]  11/0x0B | D7 42 73 E9 | 0 | .Bs.
[=]  12/0x0C | 53 52 B1 D2 | 0 | SR..
[=]  13/0x0D | F8 AB 28 FB | 1 | ..(.
[=]  14/0x0E | 3C D1 77 32 | 1 | <.w2
[=]  15/0x0F | DA 97 E4 5C | 1 | ...\
[=]  16/0x10 | 85 9C 22 78 | 0 | .."x
[=]  17/0x11 | 51 76 28 BC | 0 | Qv(.
[=]  18/0x12 | 71 F6 BE 72 | 0 | q..r
[=]  19/0x13 | 0E F5 F3 F2 | 0 | ....
[=]  20/0x14 | 7B 77 51 AE | 0 | {wQ.
[=]  21/0x15 | 01 01 03 00 | 0 | ....
[=]  22/0x16 | 04 14 09 02 | 0 | ....
[=]  23/0x17 | 0D 12 51 06 | 0 | ..Q.
[=]  24/0x18 | F8 50 37 6D | 0 | .P7m
[=]  25/0x19 | C9 54 A0 CA | 0 | .T..
[=]  26/0x1A | 85 25 17 D2 | 0 | .%..
[=]  27/0x1B | 9F C5 2B 92 | 0 | ..+.
[=]  28/0x1C | 8F 8D 3E D0 | 0 | ..>.
[=]  29/0x1D | 03 C0 02 84 | 0 | ....
[=]  30/0x1E | EE C5 60 40 | 0 | ..`@
[=]  31/0x1F | 13 53 70 C1 | 0 | .Sp.
[=]  32/0x20 | EA FE 5B DB | 0 | ..[.
[=]  33/0x21 | EE 40 DB BB | 0 | .@..
[=]  34/0x22 | D8 45 79 CA | 0 | .Ey.
[=]  35/0x23 | DA CD 47 32 | 0 | ..G2
[=]  36/0x24 | 8A 8D 23 94 | 0 | ..#.
[=]  37/0x25 | 76 2A 78 D5 | 0 | v*x.
[=]  38/0x26 | 0F 87 CA 9C | 0 | ....
[=]  39/0x27 | D7 63 45 45 | 0 | .cEE
[=]  40/0x28 | EE F2 60 3D | 0 | ..`=
[=]  41/0x29 | 0C CC C7 E9 | 0 | ....
[=]  42/0x2A | 72 D2 2F C9 | 0 | r./.
[=]  43/0x2B | 3F 6E 88 36 | 0 | ?n.6
[=]  44/0x2C | CF 3A 1F 0A | 0 | .:..
[=]  45/0x2D | AA 42 E8 F9 | 0 | .B..
[=]  46/0x2E | DD 97 18 8D | 0 | ....
[=]  47/0x2F | 06 7C 0F D7 | 0 | .|..
[=]  48/0x30 | 63 F3 FE 8A | 0 | c...
[=]  49/0x31 | F7 C7 59 DF | 0 | ..Y.
[=]  50/0x32 | 0A 13 FF 81 | 0 | ....
[=]  51/0x33 | 04 4F 1B 04 | 0 | .O..
[=]  52/0x34 | 4A 40 6F 2B | 0 | J@o+
[=]  53/0x35 | 53 CF 67 02 | 0 | S.g.
[=]  54/0x36 | BC 9B 81 28 | 0 | ...(
[=]  55/0x37 | A1 38 98 00 | 0 | .8..
[=]  56/0x38 | 26 B3 56 54 | 0 | &.VT
[=]  57/0x39 | 0F E2 A0 C2 | 0 | ....
[=]  58/0x3A | 1A 6A E4 DB | 0 | .j..
[=]  59/0x3B | 43 F2 8C 40 | 0 | C..@
[=]  60/0x3C | 7C 6F 89 EC | 0 | |o..
[=]  61/0x3D | 3F D3 4E 4B | 0 | ?.NK
[=]  62/0x3E | 05 2E 4F 09 | 0 | ..O.
[=]  63/0x3F | 70 08 D1 80 | 0 | p...
[=]  64/0x40 | 8D 37 91 38 | 0 | .7.8
[=]  65/0x41 | 34 53 51 B5 | 0 | 4SQ.
[=]  66/0x42 | 5A A6 69 C7 | 0 | Z.i.
[=]  67/0x43 | 02 61 A9 BF | 0 | .a..
[=]  68/0x44 | 9D 7A 1D 8B | 0 | .z..
[=]  69/0x45 | F7 82 52 4F | 0 | ..RO
[=]  70/0x46 | 70 EE 9D 06 | 0 | p...
[=]  71/0x47 | 34 E9 F1 46 | 0 | 4..F
[=]  72/0x48 | E5 39 F4 09 | 0 | .9..
[=]  73/0x49 | 09 DD 3E 06 | 0 | ..>.
[=]  74/0x4A | 12 52 94 63 | 0 | .R.c
[=]  75/0x4B | D1 9E 61 E6 | 0 | ..a.
[=]  76/0x4C | 34 08 40 B8 | 0 | 4.@.
[=]  77/0x4D | 82 59 E4 B2 | 0 | .Y..
[=]  78/0x4E | 68 B2 9C 63 | 0 | h..c
[=]  79/0x4F | 74 35 A4 7A | 0 | t5.z
[=]  80/0x50 | 90 DB F1 8B | 0 | ....
[=]  81/0x51 | E0 38 10 30 | 0 | .8.0
[=]  82/0x52 | F9 D3 7A 01 | 0 | ..z.
[=]  83/0x53 | DE 3D A3 CC | 0 | .=..
[=]  84/0x54 | 77 3D E1 23 | 0 | w=.#
[=]  85/0x55 | 6C D8 25 F0 | 0 | l.%.
[=]  86/0x56 | C7 CE 5B 06 | 0 | ..[.
[=]  87/0x57 | 3A 2B 33 80 | 0 | :+3.
[=]  88/0x58 | F0 A5 B0 FA | 0 | ....
[=]  89/0x59 | 7C 2A 32 E9 | 0 | |*2.
[=]  90/0x5A | EC E7 83 4E | 0 | ...N
[=]  91/0x5B | 22 AD 5A E7 | 0 | ".Z.
[=]  92/0x5C | 2F BD FA 3B | 0 | /..;
[=]  93/0x5D | A6 47 B9 B0 | 0 | .G..
[=]  94/0x5E | A3 76 2D 17 | 0 | .v-.
[=]  95/0x5F | A2 BF 68 1A | 0 | ..h.
[=]  96/0x60 | 09 64 91 C3 | 0 | .d..
[=]  97/0x61 | 07 6E 68 B3 | 0 | .nh.
[=]  98/0x62 | 64 AB 60 3A | 0 | d.`:
[=]  99/0x63 | DB C7 F1 F3 | 0 | ....
[=] 100/0x64 | 2D 57 10 0B | 0 | -W..
[=] 101/0x65 | 00 CC 86 54 | 0 | ...T
[=] 102/0x66 | 93 03 73 06 | 0 | ..s.
[=] 103/0x67 | 0C 8D B6 B7 | 0 | ....
[=] 104/0x68 | FA 63 E8 09 | 0 | .c..
[=] 105/0x69 | 72 E3 95 BC | 0 | r...
[=] 106/0x6A | A4 ED CD 1D | 0 | ....
[=] 107/0x6B | D4 D4 D0 55 | 0 | ...U
[=] 108/0x6C | 4E 5A 77 6E | 0 | NZwn
[=] 109/0x6D | 9F 17 7E EF | 0 | ..~.
[=] 110/0x6E | 3F 5E E8 2B | 0 | ?^.+
[=] 111/0x6F | 7E 5C DA 6A | 0 | ~\.j
[=] 112/0x70 | 6B D7 9E 4D | 0 | k..M
[=] 113/0x71 | 32 36 C3 B1 | 0 | 26..
[=] 114/0x72 | 4C B8 2B 40 | 0 | L.+@
[=] 115/0x73 | 4B DF 93 86 | 0 | K...
[=] 116/0x74 | 5F 1A 9D 83 | 0 | _...
[=] 117/0x75 | 7A C7 87 9B | 0 | z...
[=] 118/0x76 | 5A 1C 30 D8 | 0 | Z.0.
[=] 119/0x77 | DF E0 33 83 | 0 | ..3.
[=] 120/0x78 | F8 B4 31 D7 | 0 | ..1.
[=] 121/0x79 | 58 D6 97 25 | 0 | X..%
[=] 122/0x7A | 83 D2 A9 35 | 0 | ...5
[=] 123/0x7B | 7D 0C EE 86 | 0 | }...
[=] 124/0x7C | BA 52 0E 66 | 0 | .R.f
[=] 125/0x7D | 66 01 E1 87 | 0 | f...
[=] 126/0x7E | AA 9B 5F D0 | 0 | .._.
[=] 127/0x7F | 78 43 CB 79 | 0 | xC.y
[=] 128/0x80 | 8C 5D 09 1C | 0 | .]..
[=] 129/0x81 | D5 05 F8 A7 | 0 | ....
[=] 130/0x82 | 01 00 0F BD | 0 | ....
[=] 131/0x83 | 00 00 00 04 | 0 | ....
[=] 132/0x84 | 5F 00 00 00 | 0 | _...
[=] 133/0x85 | 58 1D D4 CC | 0 | X...
[=] 134/0x86 | 80 80 00 00 | 0 | ....
[=] ---------------------------------
[=] Restoring data blocks.
[=] ...............................................................................................................................
[=] Restore finished
[=] Special block: 3 (0x03) [ F1 10 FF EE ]
[=] Using pwd FF FF FF FF 
[+] isOk:01
[=] Block: 134 (0x86) [ 80 80 00 00 ]
[=] Using pwd FF FF FF FF 
....

@saltbo
Author

saltbo commented Jan 9, 2023

It looks like it has the same effect as my manual removal.

But the Switch can not identify the new card...

@gtalusan
Contributor

gtalusan commented Jan 9, 2023

Not sure what problem you're running into. I've cloned a few dozen Amiibo that work on the Wii U, Switch, and reportedly with 3DS.

If you're receiving errors while writing, or attempting to re-use an already flashed NTAG215, then your success will vary.

@saltbo
Author

saltbo commented Jan 10, 2023

If anyone has the same problem as me, please leave feedback there...

@saltbo
Author

saltbo commented Jan 10, 2023

I used the iOS app Amii NFC to clone a card, and it works fine. I tried to find the differences between them:

image

I find that most of the data is consistent, excluding UID, C1, C2, and PWD. And I don't understand the data marked ???; is it correct?

@gtalusan
Contributor

It's quite difficult to understand what's happening with very little context.

From your screenshot, it appears you have 4 dumps from 4 different cards. There's not much use in comparing the differing bytes since some of those bytes are derived from the UID. PWD which you've circled at offset 532 in particular is derived from the UID.

The bytes circled with ??? are generated by PyAmiibo/amiitool or whatever tool you used to flash the tag.

In your last two dumps, you have the magic bytes F110FFEE at byte offset 4. This is the incorrect location.

From an Amiibo dump that I have laying on my hard disk, you can see F110FFEE is at offset 12. This would correspond to block 3 in hf_mfu_restore_amiibo.

% xxd -g4 0.bin
00000000: 04107ae6 9a8e4b81 de480fe0 f110ffee  ..z...K..H......
00000010: a5000300 97c660ac ecb959bc ff57b0c1  ......`...Y..W..
00000020: 8228cf93 f4dbf96d 707e6aaa 605f0710  .(.....mp~j.`_..
00000030: 76843e5d db86cbb7 5d2f1bd5 85e8722c  v.>]....]/....r,
00000040: ebe6a1b4 7783cd4d ab999e5b 4133285a  ....w..M...[A3(Z
00000050: 3b3e9627 01030000 024f0902 0d12c50b  ;>.'.....O......
00000060: 9c4b2e64 83593d14 1bb38afd ee5f635f  .K.d.Y=......_c_
00000070: 4a2b70bd d918404c fda928cd 34a9a371  J+p...@L..(.4..q
00000080: 2c9c573a cb7ea3b1 012836ab e76972fa  ,.W:.~...(6..ir.
00000090: 2ad29828 ee908a67 5a6face3 1fcb031b  *..(...gZo......
000000a0: ead666e8 9f7d80b6 6346f0b8 257a2240  ..f..}..cF..%z"@
000000b0: 58a6ebe2 40e6e206 b9c96b64 97a47656  X...@.....kd..vV
000000c0: 5458732a 5c6777ff 5d69bcfa 6848f42f  TXs*\gw.]i..hH./
000000d0: f81201b6 304adb9f e58c25c8 45255923  ....0J....%.E%Y#
000000e0: d82df7e8 9d00383a 8ac15350 dee3db26  .-....8:..SP...&
000000f0: 3c5fbd7d 5c675b80 e3e64541 35be6b7e  <_.}\g[...EA5.k~
00000100: 19162008 e7e9ee7d 2e829a1f 4bb32601  .. ....}....K.&.
00000110: 5eb16677 41922cae bc885df4 0d96077d  ^.fwA.,...]....}
00000120: 9d737b93 828d589b 73828b21 95ed3366  .s{...X.s..!..3f
00000130: c3d0ef91 c24dc042 ff9d9fcb 41267251  .....M.B....A&rQ
00000140: ec451808 620eb1b6 561961e4 e5bd59c3  .E..b...V.a...Y.
00000150: 47e1ef56 fab9ce3f 664132ea 24cc6d4c  G..V...?fA2.$.mL
00000160: 4cb8490d 8ce1261e a9e4d755 65eca687  L.I...&....Ue...
00000170: ad9a8abb 75759057 035b7857 0ce2196b  ....uu.W.[xW...k
00000180: 80c47694 6c76d6d9 194779cd 3bd29fec  ..v.lv...Gy.;...
00000190: dbfaa8bb bad92c86 17e22976 33cce16d  ......,...)v3..m
000001a0: 65d1187c 2a8d3a53 99e57eb5 b07fd21c  e..|*.:S..~.....
000001b0: 6e9f6461 0dfb3f3f b4677a20 d1fe05a1  n.da..??.gz ....
000001c0: 8d22d6bd 393d8c50 1fba30c9 837cfb72  ."..9=.P..0..|.r
000001d0: 6cb2d801 944ed679 27eef1f3 fba304fc  l....N.y'.......
000001e0: 4c1c44db 748ad018 e64e71a0 f0c9a25b  L.D.t....Nq....[
000001f0: f5b3eccb 532e3f0c 7b65775e de03ecb6  ....S.?.{ew^....
00000200: 6f1830d7 46f1a35b 01000fbd 00000004  o.0.F..[........
00000210: 5f000000 00000000 00000000           _...........

@gtalusan
Contributor

Also, does "-de" happen to refer to decrypted? If you're using amiitool or an amiitool-like program to decrypt your Amiibo data, then it re-shuffles the offsets of where data is stored.

The UID is the first block on an NTAG215. After the encrypted dump is run through amiitool for decryption then you can see the UID shifting toward the end of the file.

So as I said previously, you must re-encrypt the file before giving it to the proxmark3 script.

Here's the code from amiitool that shifts the layout of the data blocks:

#include <stdint.h>
#include <string.h>

void nfc3d_amiibo_tag_to_internal(const uint8_t * tag, uint8_t * intl) {
        memcpy(intl + 0x000, tag + 0x008, 0x008);
        memcpy(intl + 0x008, tag + 0x080, 0x020);
        memcpy(intl + 0x028, tag + 0x010, 0x024);
        memcpy(intl + 0x04C, tag + 0x0A0, 0x168);
        memcpy(intl + 0x1B4, tag + 0x034, 0x020);
        memcpy(intl + 0x1D4, tag + 0x000, 0x008); /* HERE THE UID IS COPIED FROM INTERNAL TO "HARDWARE" LAYOUT */
        memcpy(intl + 0x1DC, tag + 0x054, 0x02C);
}

void nfc3d_amiibo_internal_to_tag(const uint8_t * intl, uint8_t * tag) {
        memcpy(tag + 0x008, intl + 0x000, 0x008);
        memcpy(tag + 0x080, intl + 0x008, 0x020);
        memcpy(tag + 0x010, intl + 0x028, 0x024);
        memcpy(tag + 0x0A0, intl + 0x04C, 0x168);
        memcpy(tag + 0x034, intl + 0x1B4, 0x020);
        memcpy(tag + 0x000, intl + 0x1D4, 0x008); /* HERE THE HARDWARE LAYOUT UID IS COPIED TO INTERNAL LAYOUT */
        memcpy(tag + 0x054, intl + 0x1DC, 0x02C);
}
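
The layout difference described in the two comments above, as an added example that is not part of the original comments and is not proxmark3 or amiitool code: a Python pre-check that tells a tag-order image from amiitool's internal order by where F110FFEE sits, strips the 56-byte pm3 dump header, and verifies the UID check bytes. The function names and the constructed sample image (page 0-4 and 130-132 values taken from the dumps in this thread, zero filler elsewhere) are assumptions of this example; the permutation only reorders bytes and does no encryption or signing.

```python
# Added example: layout pre-check for an NTAG215 amiibo image before restoring it.
PM3_HEADER_LEN = 56    # "Header size..... 56 bytes" in the pm3 dump output
TAG_LEN = 540          # 135 pages x 4 bytes; the restore log says "loaded 540 bytes"
INTERNAL_LEN = 0x208   # number of bytes covered by the amiitool memcpy table
CC_MAGIC = bytes.fromhex("F110FFEE")
# Pages 130-132 as they appear in every dump shown in this thread.
TRAILER = bytes.fromhex("01000FBD" "00000004" "5F000000")

# (internal offset, tag offset, length), transcribed from the quoted amiitool code.
LAYOUT = [
    (0x000, 0x008, 0x008),
    (0x008, 0x080, 0x020),
    (0x028, 0x010, 0x024),
    (0x04C, 0x0A0, 0x168),
    (0x1B4, 0x034, 0x020),
    (0x1D4, 0x000, 0x008),
    (0x1DC, 0x054, 0x02C),
]


def tag_to_internal(tag: bytes) -> bytes:
    """Reorder a tag-layout image into internal order (byte shuffle only)."""
    if len(tag) < INTERNAL_LEN:
        raise ValueError("image shorter than 0x208 bytes")
    out = bytearray(tag)  # bytes past 0x208 are left where they are
    for intl_off, tag_off, n in LAYOUT:
        out[intl_off:intl_off + n] = tag[tag_off:tag_off + n]
    return bytes(out)


def internal_to_tag(intl: bytes) -> bytes:
    """Inverse of tag_to_internal()."""
    if len(intl) < INTERNAL_LEN:
        raise ValueError("image shorter than 0x208 bytes")
    out = bytearray(intl)
    for intl_off, tag_off, n in LAYOUT:
        out[tag_off:tag_off + n] = intl[intl_off:intl_off + n]
    return bytes(out)


def strip_pm3_header(data: bytes) -> bytes:
    """Drop the 56-byte header of a 596-byte 'hf mfu dump' file, if present."""
    if len(data) == PM3_HEADER_LEN + TAG_LEN:
        return data[PM3_HEADER_LEN:]
    return data


def check_image(data: bytes) -> list:
    """Return a list of layout problems; an empty list means tag order looks sane."""
    img = strip_pm3_header(data)
    if len(img) != TAG_LEN:
        return [f"unexpected length {len(img)}, expected {TAG_LEN}"]
    if img[12:16] != CC_MAGIC:
        if img[4:8] == CC_MAGIC:
            # tag bytes 8..15 land at internal offset 0, so the magic moves to offset 4
            return ["F110FFEE at offset 4: internal (decrypted) layout, not tag layout"]
        return ["F110FFEE missing at offset 12 (page 3)"]
    problems = []
    bcc0 = 0x88 ^ img[0] ^ img[1] ^ img[2]       # check byte stored in page 0
    bcc1 = img[4] ^ img[5] ^ img[6] ^ img[7]     # check byte stored in page 2
    if img[3] != bcc0 or img[8] != bcc1:
        problems.append("UID check bytes (BCC0/BCC1) do not match the UID")
    if img[0x208:0x214] != TRAILER:
        problems.append("pages 130-132 differ from 01000FBD 00000004 5F000000")
    return problems


def build_sample_tag() -> bytes:
    """Constructed image: header and trailer pages from this thread, zero filler."""
    img = bytearray(TAG_LEN)
    img[0:20] = bytes.fromhex("04CA2066" "1F396181" "C6480FE0" "F110FFEE" "A5953C00")
    img[0x208:0x214] = TRAILER
    return bytes(img)


if __name__ == "__main__":
    tag = build_sample_tag()
    print("tag layout     :", check_image(tag) or "ok")
    print("pm3 596-byte   :", check_image(bytes(PM3_HEADER_LEN) + tag) or "ok")
    print("internal layout:", check_image(tag_to_internal(tag)))
```
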

@saltbo
Author

saltbo commented Jan 11, 2023

I'm sorry I didn't make myself clear.

There are two cards; one works, the other does not. And the _de.bin files are decrypted from them.

@gtalusan
Contributor

TBH, I don't usually deal with the decrypted data so I can't offer help there. All of my pre-generated Amiibos have been encrypted already.

If I clone an existing Amiibo then writing its encrypted image to a fresh NTAG215 has always worked for me unless I get errors while writing to the card. This usually happens if the tag is not positioned correctly. If you watch for errors from proxmark3, then you can cancel it and re-flash the same card if you're quick enough. Once the lock bytes have been written out, then parts of the tag become readonly.

You haven't shared any of your proxmark3 output. Can you? What game and Amiibos are you using?

@saltbo
Author

saltbo commented Jan 21, 2023

I tried using a big card, and it worked!!

Maybe it was because the data was not fully restored to the small round card.

@saltbo saltbo closed this as completed Jan 21, 2023
@saltbo
Author

saltbo commented Jan 21, 2023

One last question: could we validate the data before writing the lock block?

@saltbo saltbo reopened this Jan 21, 2023
@saltbo
Author

saltbo commented Jan 21, 2023

[usb] pm3 --> script run hf_mfu_amiibo_restore -f hf-mfu-045A397ADF6180-dump.bin -k FFFFFFFF
[+] executing lua /usr/local/Cellar/proxmark3/4.15864/bin/../share/proxmark3/luascripts/hf_mfu_amiibo_restore.lua
[+] args '-f hf-mfu-045A397ADF6180-dump.bin -k FFFFFFFF'
----------------------------------------
----------------------------------------
Loading data from hf-mfu-045A397ADF6180-dump.bin
game: The Legend of Zelda
character: Midna & Wolf Link
type: Figure
series: Legend Of Zelda
generating new Amiibo binary for NTAG215 0443FA01B30503
[+] executing python /usr/local/Cellar/proxmark3/4.15864/bin/../share/proxmark3/pyscripts/amiibo_change_uid.py
[+] args '0443FA01B30503 /tmp/lua_FiFHcg.bin /tmp/lua_TKOLy1.bin /usr/local/Cellar/proxmark3/4.15864/bin/../share/proxmark3/resources/key_retail.bin'

[+] finished amiibo_change_uid

[+] loaded 540 bytes from binary file /tmp/lua_TKOLy1.bin
[=] Restoring /tmp/lua_TKOLy1.bin to card

[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 00 00 00 00 00 00 00
[=] TBD 0....... 00 00
[=] TBD 1....... 00
[=] Signature... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=]              00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0... 00 00 00
[=] Tearing 0... 00
[=] Counter 1... 00 00 00
[=] Tearing 1... 00
[=] Counter 2... 00 00 00
[=] Tearing 2... 00
[=] Max data page... 133 ( 536 bytes )
[=] Header size..... 56 bytes

[=] Restoring data blocks.
[=] ...............................................................................................................................
[=] Restore finished
[=] Special block: 3 (0x03) [ F1 10 FF EE ]
[=] Using pwd FF FF FF FF
[+] isOk:01
[=] Block: 134 (0x86) [ 80 80 00 00 ]
[=] Using pwd FF FF FF FF
[+] isOk:01
[=] Block: 133 (0x85) [ E8 1C AE E5 ]
[=] Using pwd FF FF FF FF
[+] isOk:01
[=] Block: 131 (0x83) [ 00 00 00 04 ]
[=] Using pwd E8 1C AE E5
[+] isOk:01
[=] Block: 132 (0x84) [ 5F 00 00 00 ]
[=] Using pwd E8 1C AE E5
[+] isOk:01
[=] Special block: 2 (0x02) [ B4 48 0F E0 ]
[=] Using pwd E8 1C AE E5
[+] isOk:01
[=] Block: 130 (0x82) [ 01 00 0F BD ]
[=] Using pwd E8 1C AE E5
[+] isOk:01

[+] finished hf_mfu_amiibo_restore
[usb] pm3 --> script run hf_mfu_amiibo_restore -f hf-mfu-045A397ADF6180-dump.bin -k FFFFFFFF
[+] executing lua /usr/local/Cellar/proxmark3/4.15864/bin/../share/proxmark3/luascripts/hf_mfu_amiibo_restore.lua
[+] args '-f hf-mfu-045A397ADF6180-dump.bin -k FFFFFFFF'
----------------------------------------
----------------------------------------
Loading data from hf-mfu-045A397ADF6180-dump.bin
game: The Legend of Zelda
character: Midna & Wolf Link
type: Figure
series: Legend Of Zelda
generating new Amiibo binary for NTAG215 0443FC01EF0503
[+] executing python /usr/local/Cellar/proxmark3/4.15864/bin/../share/proxmark3/pyscripts/amiibo_change_uid.py
[+] args '0443FC01EF0503 /tmp/lua_n5aezC.bin /tmp/lua_U1QGTf.bin /usr/local/Cellar/proxmark3/4.15864/bin/../share/proxmark3/resources/key_retail.bin'

[+] finished amiibo_change_uid

[+] loaded 540 bytes from binary file /tmp/lua_U1QGTf.bin
[=] Restoring /tmp/lua_U1QGTf.bin to card

[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 00 00 00 00 00 00 00
[=] TBD 0....... 00 00
[=] TBD 1....... 00
[=] Signature... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=]              00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0... 00 00 00
[=] Tearing 0... 00
[=] Counter 1... 00 00 00
[=] Tearing 1... 00
[=] Counter 2... 00 00 00
[=] Tearing 2... 00
[=] Max data page... 133 ( 536 bytes )
[=] Header size..... 56 bytes

[=] Restoring data blocks.
[=] ...............................................................................................................................
[=] Restore finished
[=] Special block: 3 (0x03) [ F1 10 FF EE ]
[=] Using pwd FF FF FF FF
[+] isOk:01
[=] Block: 134 (0x86) [ 80 80 00 00 ]
[=] Using pwd FF FF FF FF
[+] isOk:01
[=] Block: 133 (0x85) [ E8 46 AE B9 ]
[=] Using pwd FF FF FF FF
[+] isOk:01
[=] Block: 131 (0x83) [ 00 00 00 04 ]
[=] Using pwd E8 46 AE B9
[+] isOk:01
[=] Block: 132 (0x84) [ 5F 00 00 00 ]
[=] Using pwd E8 46 AE B9
[+] isOk:01
[=] Special block: 2 (0x02) [ E8 48 0F E0 ]
[=] Using pwd E8 46 AE B9
[+] isOk:01
[=] Block: 130 (0x82) [ 01 00 0F BD ]
[=] Using pwd E8 46 AE B9
[+] isOk:01

[+] finished hf_mfu_amiibo_restore

I restored two cards at different heights; one works, the other does not.

@gtalusan
Contributor

Interesting! By heights do you mean different diameter/size? I've been using the white coloured 2.5cm diameter NTAG215 cards - I have a batch from Aliexpress and another from Amazon with no problems, with a few dozen successful clones.

The wrbl command already waits for an ACK from the card that the data has been written. In your above logs it's clear that no errors occurred so perhaps something else is wrong with the non-working cards.

Unfortunately, without the lock bytes written I don't believe the Amiibo will function correctly either, so it may not be a good way to determine a functioning card other than testing it with an Amiibo reading device.
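The acknowledgement check described in the comment above can be run over a saved restore log instead of being read by eye. This is an added example, not code from the proxmark3 project or from anyone in this thread: `parse_writes` and `audit` are hypothetical helper names, the sample is an excerpt of the second restore log in this issue, and the BCC1 rule is the standard ISO 14443-3 check byte over the last four UID bytes.

```python
import re

# Excerpt of the second restore log above (four of its seven special-page writes).
SAMPLE_LOG = """\
generating new Amiibo binary for NTAG215 0443FC01EF0503
[=] Special block: 3 (0x03) [ F1 10 FF EE ]
[=] Using pwd FF FF FF FF
[+] isOk:01
[=] Block: 133 (0x85) [ E8 46 AE B9 ]
[=] Using pwd FF FF FF FF
[+] isOk:01
[=] Block: 131 (0x83) [ 00 00 00 04 ]
[=] Using pwd E8 46 AE B9
[+] isOk:01
[=] Special block: 2 (0x02) [ E8 48 0F E0 ]
[=] Using pwd E8 46 AE B9
[+] isOk:01
"""

WRITE = re.compile(r"[Bb]lock: (\d+) \(0x\w+\) \[ ([0-9A-F ]+?) \]\s+"
                   r"\[=\] Using pwd ([0-9A-F ]+?)\s+\[.\] isOk:(\w+)")
UID = re.compile(r"for NTAG215 ([0-9A-F]{14})")
PWD_PAGE = 133  # NTAG215 PWD page (0x85)


def parse_writes(log):
    """Return (page, data, pwd, ok) for each special-page write in the log."""
    return [(int(p), bytes.fromhex(d), bytes.fromhex(k), ok == "01")
            for p, d, k, ok in WRITE.findall(log)]


def audit(log):
    """Return a list of inconsistencies; an empty list means the log is clean."""
    problems, new_pwd = [], None
    uid = bytes.fromhex(UID.search(log).group(1))
    for page, data, pwd, ok in parse_writes(log):
        if not ok:
            problems.append(f"page {page}: write not acknowledged")
        if new_pwd is not None and pwd != new_pwd:
            problems.append(f"page {page}: authenticated with stale password")
        if page == PWD_PAGE:
            new_pwd = data  # later writes must authenticate with this value
        if page == 2 and data[0] != uid[3] ^ uid[4] ^ uid[5] ^ uid[6]:
            problems.append("page 2: BCC1 does not match the target UID")
    return problems
```

A clean result only shows that the client-side log is self-consistent; it says nothing about whether the tag retained the data, which is why a read-back or a test on a reader is still needed.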

@iceman1001
Collaborator

iceman1001 commented Jan 29, 2023

Is this still an issue after the PR?
Or can we close?

@saltbo
Author

saltbo commented Feb 1, 2023

I have used all my cards, and only three cards work fine...

Because we can only restore once, I don't know whether the failure is caused by the card or by the slightly different position of the card on the pm3 device.

@iceman1001
Collaborator

Why would you only be able to restore it once? You got the pwd...

@saltbo
Author

saltbo commented Feb 2, 2023

Because the special block is set to lock...

@iceman1001
Collaborator

Aha... It's been a long time since I looked into this, but... can't you modify the lock bytes and see if the Switch allows it even if the blocks aren't locked?

And head over to the RFID hacking Discord instead to ask questions... there is a toy2life channel.

@saltbo
Author

saltbo commented Feb 5, 2023

I bought a third batch of cards, and it worked fine. I think there is a quality problem with the two batches of cards I bought before.

@saltbo saltbo closed this as completed Feb 5, 2023