Difference between revisions of "Amiibo"

Latest revision as of 18:07, 20 January 2016

This article is a Stub. You can help WikiTemp by expanding it.

All Amiibo appear to use Mifare Ultralight NTAG215. This tag hold 135 4-byte pages, for a total of 540 bytes.

General Amiibo data structure:

Page	Byte 0	Byte 1	Byte 2	Byte 3	Encrypted	Mode
0 (00h)	UID0	UID1	UID2	BCC0	No	RO
1 (01h)	UID3	UID4	UID5	UID6
2 (02h)	BCC1	Internal	Static Lock
3 (03h)	CC
4 (04h)	0xA5	Write Counter		?		RW
5 (05h)	Settings		CRC Counter		Yes
6 (06h)	Init Date		Write Date
7 (07h)	CRC
8 (08h)	Nickname
...
12 (0Ch)
13 (0Dh)	Locked Hash				No	RO
...
20 (14h)
21 (15h)	Character #		Variation	Form
22 (16h)	Amiibo #		Set	0x02
23 (17h)	?
24 (18h)	Keygen Salt
...
31 (1Fh)
32 (20h)	Unfixed Hash					RW
...
39 (27h)
40 (28h)	Owner Mii				Yes
...
63 (3Fh)
64 (40h)	Title ID
65 (41h)	Title ID
66 (42h)	Write Counter		Amiibo AppID
67 (43h)	(cont.)		?
68 (44h)	Hash (?)
...
75 (4Bh)
76 (4Ch)	App Data
...
129 (81h)
130 (82h)	Dynamic Lock			RFUI	No	RO
131 (83h)	CFG0
132 (84h)	CFG1
133 (85h)	PWD					WO
134 (86h)	PACK		RFUI			WO

The UID is the unique serial number for the NFC tag. It is written at the factory cannot be changed in most cases unless you have an emulator or a special "magic Chinese card" that has a backdoor to write the UID.

UID 0 is 0x04 on all Amiibo (and possible all NTAG21x).

BCC 0 is always equal to UID0 ⊕ UID 1 ⊕ UID 2 ⊕ 0x88

BCC 1 is always equal to UID3 ⊕ UID 4 ⊕ UID 5 ⊕ UID6

⊕ is XOR

Byte 1 of Page 2 is an internal value that is permanently set to 0x48 on all Mifare Ultralight chips (except some "magic Chinese" chips). All Amiibo also have this value set to 0x48 so using a different value would probably be pointless.

The lock bytes on all Amiibo are set to 0x0F and 0xE0. This means pages 4-10 are locked. Once these bits are set to 1, they cannot be reset to 0.

Page 21 and 22 set what character is being used. For example, Kirby is 0x1F000000 and 0x000A0002 while Link is 0x01000000 and 0x00040002.

The dynamic lock bytes on all Amiibo are set to 0x01, 0x00, and 0x0F. This locks pages 16-17 and blocks 16-31.

Byte 3 of Page 130 is always 0xBD.

Configuration 0 is set to 0x00000004 and Configuration 1 is set to 0x5F000000 on all Amiibo.

@@ Line 12: / Line 12: @@
 ! Byte 2
 ! Byte 3
+! Encrypted
+! Mode
 |-
-! scope="row" | Page 0
+! scope="row" | 0 (00h)
-| UID 0
+| UID0
-| UID 1
+| UID1
-| UID 2
+| UID2
-| BCC 0
+| BCC0
+| rowspan="5" | No
+| rowspan="4" | RO
 |-
-! scope="row" | Page 1
+! scope="row" | 1 (01h)
-| UID 3
+| UID3
-| UID 4
+| UID4
-| UID 5
+| UID5
-| UID 6
+| UID6
 |-
-! scope="row" | Page 2
+! scope="row" | 2 (02h)
-| BCC 1
+| BCC1
 | Internal
-| colspan="2" | Lock Bytes
+| colspan="2" | Static Lock
 |-
-! scope="row" | Page 3
+! scope="row" | 3 (03h)
-| colspan="4" | Capability Container
+| colspan="4" | CC
 |-
-! scope="row" | Page 21
+! scope="row" | 4 (04h)
-| colspan="4" rowspan="2" | Character
+| 0xA5
+| colspan="2" | Write Counter
+| ?
+| rowspan="7" | RW
 |-
-! scope="row" | Page 22
+! scope="row" | 5 (05h)
+| colspan="2" | Settings
+| colspan="2" | CRC Counter
+| rowspan="6" | Yes
 |-
-! scope="row" | Page 130
+! scope="row" | 6 (06h)
-| colspan="3" | Dynamic Lock Bytes
+| colspan="2" | Init Date
-| Unknown
+| colspan="2" | Write Date
 |-
-! scope="row" | Page 131
+! scope="row" | 7 (07h)
-| colspan="4" | Configuration 0
+| colspan="4" | CRC
 |-
-! scope="row" | Page 132
+! scope="row" | 8 (08h)
-| colspan="4" | Configuration 1
+| colspan="4" rowspan="3" | Nickname
 |-
-! scope="row" | Page 133
+! scope="row" | ...
-| colspan="4" | Password
 |-
-! scope="row" | Page 134
+! scope="row" | 12 (0Ch)
-| colspan="2" | Password Ack
+|-
-| colspan="2" | Unknown
+! scope="row" | 13 (0Dh)
+| colspan="4" rowspan="3" | Locked Hash
+| rowspan="12" | No
+| rowspan="9" | RO
+|-
+! scope="row" | ...
+|-
+! scope="row" | 20 (14h)
+|-
+! scope="row" | 21 (15h)
+| colspan="2" | Character #
+| Variation
+| Form
+|-
+! scope="row" | 22 (16h)
+| colspan="2" | Amiibo #
+| Set
+| 0x02
+|-
+! scope="row" | 23 (17h)
+| colspan="4" | ?
+|-
+! scope="row" | 24 (18h)
+| colspan="4" rowspan="3" | Keygen Salt
+|-
+! scope="row" | ...
+|-
+! scope="row" | 31 (1Fh)
+|-
+! scope="row" | 32 (20h)
+| colspan="4" rowspan="3" | Unfixed Hash
+| rowspan="16" | RW
+|-
+! scope="row" | ...
+|-
+! scope="row" | 39 (27h)
+|-
+! scope="row" | 40 (28h)
+| colspan="4" rowspan="3" | Owner Mii
+| rowspan="13" | Yes
+|-
+! scope="row" | ...
+|-
+! scope="row" | 63 (3Fh)
+|-
+! scope="row" | 64 (40h)
+| colspan="4" rowspan="2" | Title ID
+|-
+! scope="row" | 65 (41h)
+|-
+! scope="row" | 66 (42h)
+| colspan="2" | Write Counter
+| colspan="2" | Amiibo AppID
+|-
+! scope="row" | 67 (43h)
+| colspan="2" | (cont.)
+| colspan="2" | ?
+|-
+! scope="row" | 68 (44h)
+| colspan="4" rowspan="3" | Hash (?)
+|-
+! scope="row" | ...
+|-
+! scope="row" | 75 (4Bh)
+|-
+! scope="row" | 76 (4Ch)
+| colspan="4" rowspan="3" | App Data
+|-
+! scope="row" | ...
+|-
+! scope="row" | 129 (81h)
+|-
+! scope="row" | 130 (82h)
+| colspan="3" | Dynamic Lock
+| RFUI
+| rowspan="5" | No
+| rowspan="3" | RO
+|-
+! scope="row" | 131 (83h)
+| colspan="4" | CFG0
+|-
+! scope="row" | 132 (84h)
+| colspan="4" | CFG1
+|-
+! scope="row" | 133 (85h)
+| colspan="4" | PWD
+| rowspan="2" | WO
+|-
+! scope="row" | 134 (86h)
+| colspan="2" | PACK
+| colspan="2" | RFUI
 |}
@@ Line 76: / Line 175: @@
 The dynamic lock bytes on all Amiibo are set to 0x01, 0x00, and 0x0F. This locks pages 16-17 and blocks 16-31.
-Byte 3 of Page 130 is a value that the NFC forum has reserved for future use, yet for some reason Nintendo has set this to 0xBD.
+Byte 3 of Page 130 is always 0xBD.
 Configuration 0 is set to 0x00000004 and Configuration 1 is set to 0x5F000000 on all Amiibo.