From WikiTemp, the GBAtemp wiki
(Created the page with a bunch of research I did. Needs more work.)
 
 
(2 intermediate revisions by 2 users not shown)
Line 12: Line 12:
 
! Byte 2  
 
! Byte 2  
 
! Byte 3
 
! Byte 3
 +
! Encrypted
 +
! Mode
 
|-
 
|-
! scope="row" | Page 0
+
! scope="row" | 0 (00h)
| UID 0
+
| UID0
| UID 1
+
| UID1
| UID 2
+
| UID2
| BCC 0
+
| BCC0
 +
| rowspan="5" | No
 +
| rowspan="4" | RO
 
|-
 
|-
! scope="row" | Page 1
+
! scope="row" | 1 (01h)
| UID 3
+
| UID3
| UID 4
+
| UID4
| UID 5
+
| UID5
| UID 6
+
| UID6
 
|-
 
|-
! scope="row" | Page 2
+
! scope="row" | 2 (02h)
| BCC 1
+
| BCC1
 
| Internal
 
| Internal
| colspan="2" | Lock Bytes
+
| colspan="2" | Static Lock
 
|-
 
|-
! scope="row" | Page 3
+
! scope="row" | 3 (03h)
| colspan="4" | Capability Container
+
| colspan="4" | CC
 
|-
 
|-
! scope="row" | Page 21
+
! scope="row" | 4 (04h)
| colspan="4" rowspan="2" | Character
+
| 0xA5
 +
| colspan="2" | Write Counter
 +
| ?
 +
| rowspan="7" | RW
 
|-
 
|-
! scope="row" | Page 22
+
! scope="row" | 5 (05h)
 +
| colspan="2" | Settings
 +
| colspan="2" | CRC Counter
 +
| rowspan="6" | Yes
 
|-
 
|-
! scope="row" | Page 130
+
! scope="row" | 6 (06h)
| colspan="3" | Dynamic Lock Bytes
+
| colspan="2" | Init Date
| Unknown
+
| colspan="2" | Write Date
 
|-
 
|-
! scope="row" | Page 131
+
! scope="row" | 7 (07h)
| colspan="4" | Configuration 0
+
| colspan="4" | CRC
 
|-
 
|-
! scope="row" | Page 132
+
! scope="row" | 8 (08h)
| colspan="4" | Configuration 1
+
| colspan="4" rowspan="3" | Nickname
 
|-
 
|-
! scope="row" | Page 133
+
! scope="row" | ...
| colspan="4" | Password
+
 
|-
 
|-
! scope="row" | Page 134
+
! scope="row" | 12 (0Ch)
| colspan="2" | Password Ack
+
|-
| colspan="2" | Unknown
+
! scope="row" | 13 (0Dh)
 +
| colspan="4" rowspan="3" | Locked Hash
 +
| rowspan="12" | No
 +
| rowspan="9" | RO
 +
|-
 +
! scope="row" | ...
 +
|-
 +
! scope="row" | 20 (14h)
 +
|-
 +
! scope="row" | 21 (15h)
 +
| colspan="2" | Character #
 +
| Variation
 +
| Form
 +
|-
 +
! scope="row" | 22 (16h)
 +
| colspan="2" | Amiibo #
 +
| Set
 +
| 0x02
 +
|-
 +
! scope="row" | 23 (17h)
 +
| colspan="4" | ?
 +
|-
 +
! scope="row" | 24 (18h)
 +
| colspan="4" rowspan="3" | Keygen Salt
 +
|-
 +
! scope="row" | ...
 +
|-
 +
! scope="row" | 31 (1Fh)
 +
|-
 +
! scope="row" | 32 (20h)
 +
| colspan="4" rowspan="3" | Unfixed Hash
 +
| rowspan="16" | RW
 +
|-
 +
! scope="row" | ...
 +
|-
 +
! scope="row" | 39 (27h)
 +
|-
 +
! scope="row" | 40 (28h)
 +
| colspan="4" rowspan="3" | Owner Mii
 +
| rowspan="13" | Yes
 +
|-
 +
! scope="row" | ...
 +
|-
 +
! scope="row" | 63 (3Fh)
 +
|-
 +
! scope="row" | 64 (40h)
 +
| colspan="4" rowspan="2" | Title ID
 +
|-
 +
! scope="row" | 65 (41h)
 +
|-
 +
! scope="row" | 66 (42h)
 +
| colspan="2" | Write Counter
 +
| colspan="2" | Amiibo AppID
 +
|-
 +
! scope="row" | 67 (43h)
 +
| colspan="2" | (cont.)
 +
| colspan="2" | ?
 +
|-
 +
! scope="row" | 68 (44h)
 +
| colspan="4" rowspan="3" | Hash (?)
 +
|-
 +
! scope="row" | ...
 +
|-
 +
! scope="row" | 75 (4Bh)
 +
|-
 +
! scope="row" | 76 (4Ch)
 +
| colspan="4" rowspan="3" | App Data
 +
|-
 +
! scope="row" | ...
 +
|-
 +
! scope="row" | 129 (81h)
 +
|-
 +
! scope="row" | 130 (82h)
 +
| colspan="3" | Dynamic Lock
 +
| RFUI
 +
| rowspan="5" | No
 +
| rowspan="3" | RO
 +
|-
 +
! scope="row" | 131 (83h)
 +
| colspan="4" | CFG0
 +
|-
 +
! scope="row" | 132 (84h)
 +
| colspan="4" | CFG1
 +
|-
 +
! scope="row" | 133 (85h)
 +
| colspan="4" | PWD
 +
| rowspan="2" | WO
 +
|-
 +
! scope="row" | 134 (86h)
 +
| colspan="2" | PACK
 +
| colspan="2" | RFUI
 
|}
 
|}
  
Line 76: Line 175:
 
The dynamic lock bytes on all Amiibo are set to 0x01, 0x00, and 0x0F. This locks pages 16-17 and blocks 16-31.
 
The dynamic lock bytes on all Amiibo are set to 0x01, 0x00, and 0x0F. This locks pages 16-17 and blocks 16-31.
  
Byte 3 of Page 130 is a value that the NFC forum has reserved for future use, yet for some reason Nintendo has set this to 0xBD.
+
Byte 3 of Page 130 is always 0xBD.
  
 
Configuration 0 is set to 0x00000004 and Configuration 1 is set to 0x5F000000 on all Amiibo.
 
Configuration 0 is set to 0x00000004 and Configuration 1 is set to 0x5F000000 on all Amiibo.

Latest revision as of 18:07, 20 January 2016

Stub.png This article is a Stub. You can help WikiTemp by expanding it.

All Amiibo appear to use Mifare Ultralight NTAG215. This tag hold 135 4-byte pages, for a total of 540 bytes.


General Amiibo data structure:

Page Byte 0 Byte 1 Byte 2 Byte 3 Encrypted Mode
0 (00h) UID0 UID1 UID2 BCC0 No RO
1 (01h) UID3 UID4 UID5 UID6
2 (02h) BCC1 Internal Static Lock
3 (03h) CC
4 (04h) 0xA5 Write Counter  ? RW
5 (05h) Settings CRC Counter Yes
6 (06h) Init Date Write Date
7 (07h) CRC
8 (08h) Nickname
...
12 (0Ch)
13 (0Dh) Locked Hash No RO
...
20 (14h)
21 (15h) Character # Variation Form
22 (16h) Amiibo # Set 0x02
23 (17h)  ?
24 (18h) Keygen Salt
...
31 (1Fh)
32 (20h) Unfixed Hash RW
...
39 (27h)
40 (28h) Owner Mii Yes
...
63 (3Fh)
64 (40h) Title ID
65 (41h)
66 (42h) Write Counter Amiibo AppID
67 (43h) (cont.)  ?
68 (44h) Hash (?)
...
75 (4Bh)
76 (4Ch) App Data
...
129 (81h)
130 (82h) Dynamic Lock RFUI No RO
131 (83h) CFG0
132 (84h) CFG1
133 (85h) PWD WO
134 (86h) PACK RFUI

The UID is the unique serial number for the NFC tag. It is written at the factory cannot be changed in most cases unless you have an emulator or a special "magic Chinese card" that has a backdoor to write the UID.

UID 0 is 0x04 on all Amiibo (and possible all NTAG21x).


BCC 0 is always equal to UID0 ⊕ UID 1 ⊕ UID 2 ⊕ 0x88

BCC 1 is always equal to UID3 ⊕ UID 4 ⊕ UID 5 ⊕ UID6

⊕ is XOR


Byte 1 of Page 2 is an internal value that is permanently set to 0x48 on all Mifare Ultralight chips (except some "magic Chinese" chips). All Amiibo also have this value set to 0x48 so using a different value would probably be pointless.

The lock bytes on all Amiibo are set to 0x0F and 0xE0. This means pages 4-10 are locked. Once these bits are set to 1, they cannot be reset to 0.

Page 21 and 22 set what character is being used. For example, Kirby is 0x1F000000 and 0x000A0002 while Link is 0x01000000 and 0x00040002.

The dynamic lock bytes on all Amiibo are set to 0x01, 0x00, and 0x0F. This locks pages 16-17 and blocks 16-31.

Byte 3 of Page 130 is always 0xBD.

Configuration 0 is set to 0x00000004 and Configuration 1 is set to 0x5F000000 on all Amiibo.