Return to site

Amiibo Platform For 3ds

broken image


Amiibo are a set of character figurines and cards that interact with the NFC readers in the Nintendo Switch's joycons, Wii U Gamepad,and touch screen of the New Nintendo 3DS. Nintendo released an external amiibo reader for the original Nintendo 3DS on September 25, alongside the North American launch of HHD. 1 Functionality 1.1 Welcome amiibo 1.2 New Horizons 2 Animal Crossing amiibo 2.1. Product Title Guardian Amiibo - Legend of Zelda Breath of the Wild Nintendo Switch Wii U 3DS Average Rating: ( 1.5 ) out of 5 stars 2 ratings, based on 2 reviews Current Price $99.99 $ 99.

  1. Trying To Learn The Basics Of GBA Emulation ...
  2. See Full List On En.wikipedia.org
  3. Nintendo
  4. 3ds Amiibo Homebrew

Amiibo are NFC figures made by Nintendo, used in games in different forms (different in each game). It can be used with the New3DS and the Old3DS with an IRperipheral.

  • 3Data structures
    • 3.1Structure of the data starting at page 0x15
  • 43DS read/write procedure
  • Model: NTAG215
  • Manufacturer: NXP Semiconductor
  • Page size: 4 bytes
  • Page count: 135 pages (540 bytes)
  • Data pages: 126 pages (504 bytes)

Excluding the auth-related configuration pages at the end, the structure of the NFC pages is the following:

NFC pageTotal pagesRaw byte offset in EEPROMTotal byte sizeWritableDescription
0x00x30x00xCNoStandard NTAG215: 9-byte serial-number, 'internal' u8 value, then the two lock bytes which must match raw binary '0F E0'.
0x30x10xC0x4NoStandard NTAG215: 'Capability Container (CC)'. Must match raw binary 'F1 10 FF EE'.
0x40x10x100x4YesLast 3-bytes here are used with the following HMAC where the size is 0x1DF-bytes. The u16 starting at byte1 is used for the first two bytes in the 0x40-byte input buffer for Amiibo crypto init. The first byte must be 0xA5. The remaining bytes are initially(before the Amiibo is written to) all-zero. Byte[2](maybe big-endian u16 starting at byte1?) here is incremented each time the Amiibo is written to.
0x50x80x140x20YesThe system crypts 0x1A0-bytes with some data from here, see below.
0xD0x80x340x20NoSHA256-(HMAC?) hash. The first 0x18-bytes of this hash is section3 in the encrypted buffer.
0x150xB0x540x2CNoThis is plaintext data, see below.
0x200x80x800x20YesSHA256-HMAC hash over 0x1DF-bytes: first 3-bytes are from the last 3-bytes of page[4], the rest is over the first 0x1DC-bytes of the plaintext data.
0x280x450xA00x114YesThis is section1 in the encrypted buffer.
0x6D0x150x1B40x54YesThis is section2 in the encrypted buffer.
0x820x10x2080x4NoStandard NTAG215: first 3-bytes are dynamic lock bytes. Must match raw binary '01 00 0F'.
0x830x10x20C0x4NoStandard NTAG215: CFG0. Must match raw binary '00 00 00 04'.
0x840x10x2100x4NoStandard NTAG215: CFG1. Must match raw binary '5F 00 00 00'.

Specifications can be found on this image, which is a compilation of screenshots made by scanning a Samus amiibo with the Android App 'NFC TagInfo':

See here regarding the Amiibo encryption.

Structure of the data starting at page 0x15[edit]

OffsetSizeDescription
0x00x8Amiibo Identification Block
0x80x4?
0xC0x20Probably a SHA256-(HMAC?) hash.

Structure of Amiibo Identification Block[edit]

OffsetSizeDescriptionNotes
0x00x2Game & Character IDFirst 10 bits are the Game ID and last 6 bits are Character ID.
0x20x1Character variant
0x30x1Amiibo Figure Type
0x40x2Amiibo Model Number
0x60x1Amiibo Series
0x70x1UnknownAlways 0x02

Encrypted data buffer structure[edit]

Trying To Learn The Basics Of GBA Emulation ...

Encrypted buffer offsetRaw byte offset in NFC EEPROMNFC pageByte sizeNotes
0x00x140x50x20
0x200xA00x280x114
0x1340x1B40x6D0x54
0x1880x340xD0x18This data is included in the crypto buffer, even though this data isn't actually encrypted(this is part of a hash).

Structure of the plaintext data[edit]

OffsetSizeDescription
0x00xB0Amiibo settings are stored within here.
0xB00xD8AppData, for the user-application specified in the above Amiibo settings. The data stored here is application-specific. The data stored here is normally all big-endian, even when the user-application is only for 3DS systems. Note that this data is initially uninitialized, and at least some of it will stay that way unless an application clears/initializes *all* of it.
0x1880x18Not used in 'decrypted' form, since this isn't encrypted to begin with.

Structure of Amiibo settings[edit]

Games
OffsetSizeDescription
0x00x1Flags. The low 4-bits here are copied to the struct used with NFC:GetAmiiboSettings. The below setup date is only loaded when bit4 and/or bit5 here are set, otherwise value 0 is used instead for the date. Bit4=1 indicates that the Amiibo was setup with amiibo Settings: NFC:GetAmiiboSettings will return an all-zero struct when this is not set.

Bit5=1 indicates that the AppData was initialized. NFC:InitializeWriteAppData will return an error if this is value 1, when successful that command will then set this bit to value 1.

0x10x1Country Code ID, from the system which setup this amiibo. This is copied to the struct used with NFC:GetAmiiboSettings.
0x20x2This big-endian u16 counter is incremented each time that the CRC32 at offset 0x8 gets updated by NFC:InitializeWriteAppData, due to that value not matching the calculated one. When this value is already 0xFFFF, this counter won't be updated anymore.
0x40x2u16 big-endian date value, see below. This is the date for when the Amiibo was initially setup in amiibo Settings. This is also written by NFC:InitializeWriteAppData.
0x60x2u16 big-endian date value, see below. This is the date for when the Amiibo was last written to.
0x80x4Big-endian CRC32 value with initialval=~0, with the 8-byte output from Cfg:GenHashConsoleUnique. This is written by NFC:InitializeWriteAppData, when the current value doesn't match the calculated one.
0xC0x14(10*2)UTF-16BE Amiibo nickname.
0x200x60Owner Mii.
0x800x8Big-endian application programID/titleID from the application which initialized the AppData, zero otherwise. This is only written, not compared with the user application titleID: doing the latter would break games' cross-platform compatibility with 3DS<>Wii U(Super Smash Bros 3DS/Wii U for example).
0x880x2u16 big-endian. This value is incremented each time the Amiibo is written to. When this value is already 0xFFFF, this counter won't be updated anymore.
0x8A0x4Big-endian u32 Amiibo AppID.
0x8E0x2?
0x900x20Probably a SHA256-HMAC hash.

Format of the big-endian date values:

BitDescription
0-4Day
5-8Month
9-15Year, relative to 2000.

Note this is the procedure used by the console, but isn't the only way of reading them.

Read procedure[edit]

  • GET_VERSION
  • READ, startpage=0x03.
  • PWD_AUTH. Key is based on UID.
  • FAST_READ: startpage=0x00, endpage=0x3B
  • FAST_READ: startpage=0x3C, endpage=0x77
  • FAST_READ: startpage=0x78, endpage=0x86

Therefore, *all* pages from the Amiibo NFC tag are read, including the configuration pages at the end.

Write procedure[edit]

  • GET_VERSION
  • READ, startpage=0x03.
  • PWD_AUTH. Key is based on UID.
  • Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.
  • Multiple WRITE commands for writing to pages 0x20..0x81.
  • Use the last 3 commands from the above reading section.
  • WRITE: page=0x04, same data as before except first byte is 0xA5 this time.
  • FAST_READ: startpage=0x04, endpage=0x04

The following is a list of games which actually store game-specific data on Amiibo, not *just* using Amiibo for checking character IDs:

NameAvailable for (New)3DSAvailable for Wii UAmiibo AppIDAppData structure / link to infoAppData modification for exploitation notes.
Super Smash BrosYesYes0x10110E00[1]No crash ever triggered via AppData fuzzing.
Mario Party 10NoYes?N/AN/A
Animal Crossing: Happy Home DesignerYesNo0x0014F000N/AThe initial AppData handling doesn't appear to have any vuln(s), going by manual code-RE for update v2.0. Fuzzing wasn't attempted.
Chibi-Robo!: Zip LashYesNo0x00152600The entire AppData is read by the game, but only the first 0x10-bytes are actually used.No crash ever triggered via AppData fuzzing.
Mario & Luigi: Paper JamYesNo0x00132600Starts with the process-name('MILLION'). The rest seems to be bitmasks maybe?No crash ever triggered via AppData fuzzing, when viewing 'character cards'(just unlocks various cards).
The Legend of Zelda: Twilight Princess HDNoYes0x1019C800Unknown.No crash/hang ever occurred when using amiibo in-game for 'Cave of Shadows'.

With the amiibo quick-start option at the title-screen, only errors ever occurred( / ).

  • Wii U Gamepad and Amiibo information on WiiUBrew.
Retrieved from 'https://www.3dbrew.org/w/index.php?title=Amiibo&oldid=20167'
Platform:3DS
Tags:Puzzle
Developer:Nintendo
More Platforms:Wii U
Amiibo Platform For 3ds
OffsetSizeDescription
0x00x1Flags. The low 4-bits here are copied to the struct used with NFC:GetAmiiboSettings. The below setup date is only loaded when bit4 and/or bit5 here are set, otherwise value 0 is used instead for the date. Bit4=1 indicates that the Amiibo was setup with amiibo Settings: NFC:GetAmiiboSettings will return an all-zero struct when this is not set.

Bit5=1 indicates that the AppData was initialized. NFC:InitializeWriteAppData will return an error if this is value 1, when successful that command will then set this bit to value 1.

0x10x1Country Code ID, from the system which setup this amiibo. This is copied to the struct used with NFC:GetAmiiboSettings.
0x20x2This big-endian u16 counter is incremented each time that the CRC32 at offset 0x8 gets updated by NFC:InitializeWriteAppData, due to that value not matching the calculated one. When this value is already 0xFFFF, this counter won't be updated anymore.
0x40x2u16 big-endian date value, see below. This is the date for when the Amiibo was initially setup in amiibo Settings. This is also written by NFC:InitializeWriteAppData.
0x60x2u16 big-endian date value, see below. This is the date for when the Amiibo was last written to.
0x80x4Big-endian CRC32 value with initialval=~0, with the 8-byte output from Cfg:GenHashConsoleUnique. This is written by NFC:InitializeWriteAppData, when the current value doesn't match the calculated one.
0xC0x14(10*2)UTF-16BE Amiibo nickname.
0x200x60Owner Mii.
0x800x8Big-endian application programID/titleID from the application which initialized the AppData, zero otherwise. This is only written, not compared with the user application titleID: doing the latter would break games' cross-platform compatibility with 3DS<>Wii U(Super Smash Bros 3DS/Wii U for example).
0x880x2u16 big-endian. This value is incremented each time the Amiibo is written to. When this value is already 0xFFFF, this counter won't be updated anymore.
0x8A0x4Big-endian u32 Amiibo AppID.
0x8E0x2?
0x900x20Probably a SHA256-HMAC hash.

Format of the big-endian date values:

BitDescription
0-4Day
5-8Month
9-15Year, relative to 2000.

Note this is the procedure used by the console, but isn't the only way of reading them.

Read procedure[edit]

  • GET_VERSION
  • READ, startpage=0x03.
  • PWD_AUTH. Key is based on UID.
  • FAST_READ: startpage=0x00, endpage=0x3B
  • FAST_READ: startpage=0x3C, endpage=0x77
  • FAST_READ: startpage=0x78, endpage=0x86

Therefore, *all* pages from the Amiibo NFC tag are read, including the configuration pages at the end.

Write procedure[edit]

  • GET_VERSION
  • READ, startpage=0x03.
  • PWD_AUTH. Key is based on UID.
  • Multiple WRITE commands for writing to pages 0x04..0x0C. The first byte for page[4] is zero here.
  • Multiple WRITE commands for writing to pages 0x20..0x81.
  • Use the last 3 commands from the above reading section.
  • WRITE: page=0x04, same data as before except first byte is 0xA5 this time.
  • FAST_READ: startpage=0x04, endpage=0x04

The following is a list of games which actually store game-specific data on Amiibo, not *just* using Amiibo for checking character IDs:

NameAvailable for (New)3DSAvailable for Wii UAmiibo AppIDAppData structure / link to infoAppData modification for exploitation notes.
Super Smash BrosYesYes0x10110E00[1]No crash ever triggered via AppData fuzzing.
Mario Party 10NoYes?N/AN/A
Animal Crossing: Happy Home DesignerYesNo0x0014F000N/AThe initial AppData handling doesn't appear to have any vuln(s), going by manual code-RE for update v2.0. Fuzzing wasn't attempted.
Chibi-Robo!: Zip LashYesNo0x00152600The entire AppData is read by the game, but only the first 0x10-bytes are actually used.No crash ever triggered via AppData fuzzing.
Mario & Luigi: Paper JamYesNo0x00132600Starts with the process-name('MILLION'). The rest seems to be bitmasks maybe?No crash ever triggered via AppData fuzzing, when viewing 'character cards'(just unlocks various cards).
The Legend of Zelda: Twilight Princess HDNoYes0x1019C800Unknown.No crash/hang ever occurred when using amiibo in-game for 'Cave of Shadows'.

With the amiibo quick-start option at the title-screen, only errors ever occurred( / ).

  • Wii U Gamepad and Amiibo information on WiiUBrew.
Retrieved from 'https://www.3dbrew.org/w/index.php?title=Amiibo&oldid=20167'
Platform:3DS
Tags:Puzzle
Developer:Nintendo
More Platforms:Wii U

See Full List On En.wikipedia.org


Mini Mario & Friends: amiibo Challenge Reviews Around the Internet
Below are links to Mini Mario & Friends: amiibo Challenge reviews we found on external sites. If the site's content is still active, you can click on the rating the site awarded the game to open the review in a new tab or window, or click the name of the site to see a selection of other reviews from that outlet. The game's average score across the referenced sites (not including sites that don't offer a numerical score) is indicated to the right.

Nintendo

External Site
More 3DS Games to Consider...
DetailsNAEUJP
Pokémon Shuffle
Reviews: 3
Tags: Puzzle
Release Date: February 18, 2015 (North America)
Pushmo
Reviews: 2
Tags: Puzzle
Release Date: December 8, 2011 (North America)
Bust-A-Move Universe
Reviews: 1
Tags: Puzzle
Release Date: March 27, 2011 (North America)

3ds Amiibo Homebrew

At HonestGamers, we love reader reviews. If you're a great writer, we'd love to host your Mini Mario & Friends: amiibo Challenge review on this page. Thanks for your support, and we hope you'll let your friends know about us!

User Help|Contact|Ethics|Sponsor Guide|Links





broken image