Emulating Amiibos with a Proxmark 3

In this post I will share the process I went through to emulate Amiibos with a Proxmark 3. For this the following things are required:

Create a new folder and put Samy K’s script and the Amiibo bin file in there. To be able to run the script you’ll need to make it executable. This can be done by using the following command:

chmod +x mfubin2eml

After making the script executable you can use it to create an eml file that can be used by the Proxmark. To do this use the following command:

./mfubin2eml <put_amiibo_name_here>.bin > amiibo.eml

I found that the Proxmark client dislikes spaces in filenames, so it is recommended not to use them.

An example of the script output can be found below: 

user@ubuntu-vm:~/Desktop/amiibo$ ./mfubin2eml Champion\ Mipha.bin > amiibo.eml

Character / info: 01 07 00 00 03 5a 09 02
Game : 010 The Legend of Zelda
Character: 7 --
Variation: 00 --
Type : 00 Figure
Amiibo : 035a The Legend of Zelda
Series : 09 The Legend Of Zelda
Last : 02 (should be 02)


Looks like encrypted file but setting preventing us from decrypting
Does not contain header, adding
UID: 04c25292aa5280
PWD: 00000000

hf mf eload u Champion Mipha.bin
hf 14a sim t 7 u 04C25292AA5280

The last part of the script will tell you what commands to use in the Proxmark client to load the eml file and emulate/simulate the Amiibo. Because I love tool output here is the output from the Proxmark client: 

pm3 --> hf mf eload u /home/user/Desktop/amiibo/amiibo
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………
[+] Loaded 255 blocks from file: /home/user/Desktop/amiibo/amiibo.eml
pm3 --> hf 14a sim t 7 u 04C25292AA5280
[+] Emulating ISO/IEC 14443 type A tag with 7 byte UID (04 C2 52 92 AA 52 80 )
[+] press pm3-button to abort simulation

And here is a video demonstration of the Amiibo emulation. 

Flashing a BIOS chip with a Raspberry Pi

I made this post as an addition or supplement to my “Flashing a BIOS chip with an Arduino” post.

While doing some research online I found several articles/posts from people using a Raspberry Pi to flash SPI flash chips. Apparently the Raspberry Pi is very suitable for this kind of thing as it has an SPI interface and is able to run Linux. I was eager to try this out for myself so I got out my Pi 3 model B and got to work. For this project I used a Winbond 25X80 salvaged from a motherboard I had lying around.

Preparing the RaspberryPi

As others have pointed out, the latest version of Raspbian (Stretch) will also work by adding the spispeed param to the Flashrom command.

Enable the SPI interfaces by typing sudo raspi-config and selecting P4 SPI under the Interfacing options.

Select option 5: Interfacing options

Select SPI to enable the SPI interfaces

The SPI interfaces will become available under /dev/spidev0.0 and /dev/spidev0.1.

Next we install the packages needed by Flashrom using the following command.

sudo apt install git libpci-dev libusb-1.0 libusb-dev

Make and install Flashrom.

git clone https://github.com/flashrom/flashrom.git
cd flashrom
make && sudo make install

 

Connecting the Raspberry to the SPI flash chip

The table below shows the connections between the Raspberry Pi and the chip.

RPi pin    SPI flash
25         GND
24         CS
23         SCK
21         DO
19         DI
17         VCC 3.3V and /HOLD and /WP

Flashing the chip

In order to verify Flashrom correctly identifies the chip we run Flashrom without any operations.

pi@raspberrypi:~ $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512
flashrom p1.0-76-g291764a on Linux 4.14.34-v7+ (armv7l)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Winbond flash chip "W25X80" (1024 kB, SPI) on linux_spi.
No operations were specified.

Now that Flashrom correctly identifies the Winbond W25X80 we can continue and back up the current BIOS.

pi@raspberrypi:~ $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r flash.dat
flashrom p1.0-76-g291764a on Linux 4.14.34-v7+ (armv7l)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Winbond flash chip "W25X80" (1024 kB, SPI) on linux_spi.
Reading flash... done.

After backing up the old BIOS we can safely write the new BIOS back to the chip.

pi@raspberrypi:~ $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -w flash.dat 
flashrom p1.0-76-g291764a on Linux 4.14.34-v7+ (armv7l)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Winbond flash chip "W25X80" (1024 kB, SPI) on linux_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... 
Warning: Chip content is identical to the requested image.
Erase/write done.
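
A single read is only a trustworthy backup if it is repeatable, so the check below compares two read-backs and rejects dumps that have the wrong size or are blank. It is an added example, not part of the original post; the helper names and the file names flash1.dat and flash2.dat are hypothetical, and the 1024 kB size is the one Flashrom reports above.

```shell
#!/bin/sh
# Added example: sanity-check two flashrom read-backs before any write.
# check_dumps, all_one_byte and the file names are hypothetical.
#
# On the Pi, run the read command from this post twice, then check:
#   flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r flash1.dat
#   flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r flash2.dat
#   sh check_dumps.sh flash1.dat flash2.dat 1024

# all_one_byte FILE OCTAL -> success if FILE consists only of that byte value
all_one_byte() {
    [ "$(LC_ALL=C tr -d "\\$2" < "$1" | wc -c)" -eq 0 ]
}

# check_dumps DUMP1 DUMP2 SIZE_KB
# Returns 0 when both dumps are usable as a backup, otherwise:
#   1 = a file is missing
#   2 = a file does not match the chip size flashrom reported
#   3 = a file is blank (all 0xFF or all 0x00)
#   4 = the two reads differ
check_dumps() {
    d1=$1; d2=$2; want=$(( $3 * 1024 ))
    [ -f "$d1" ] && [ -f "$d2" ] || return 1
    for f in "$d1" "$d2"; do
        [ "$(wc -c < "$f")" -eq "$want" ] || return 2
        # Entirely 0xFF or 0x00 means an erased chip or a bad connection,
        # not a BIOS image worth keeping as the only backup.
        if all_one_byte "$f" 377 || all_one_byte "$f" 000; then return 3; fi
    done
    # Identical hashes across two independent reads rule out flaky wiring.
    h1=$(sha256sum < "$d1"); h2=$(sha256sum < "$d2")
    [ "$h1" = "$h2" ] || return 4
    return 0
}

# Run the check when called with three arguments.
if [ "$#" -eq 3 ]; then
    check_dumps "$@" && echo "backup OK" || echo "backup NOT usable (code $?)"
fi
```

If the two reads differ, recheck the wiring before writing anything.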


Adding a YubiKey to Lastpass

In the beginning of this year I got a YubiKey NEO from a colleague. As I was already using LastPass to manage my passwords I wanted to use my YubiKey as part of the two factor authentication process.

You can register your YubiKey by going to the premium “Multi-factor options” in your LastPass account settings and enabling the YubiKey option. For the two factor authentication to work you need to press the button on the YubiKey to generate an OTP (One Time Password) which will be stored with LastPass.

When I tried this for the first time I ran into a problem and got the following error: “At least one of the YubiKey tokens provided failed to validate.” Copying and pasting this error into Google led me to a post on the LastPass support forum in which the solution was provided.

Thank you for contacting LastPass Support.

You need to set your YubiKey configuration to OTP authentication mode:

http://www.yubico.com/products/services … bikey-otp/

Once that is done, visit the following URL: https://lastpass.com/debug.php and where it says ‘YubiKey with LastPass’, run the authenticator to make sure everything is working properly.

If no issues found, try to setup the YubiKey once again:

https://helpdesk.lastpass.com/security- … ntication/

Let me know how it goes.

Best,
Jed

After enabling OTP I could register my key and start using it with LastPass.

Updating the operating system on my Atari 1040STF

After finishing the drive swap mod on my Atari 1040 STF I continued browsing the Atari forum’s hardware section and found a post/guide on how to update the operating software. In general, updating the OS is advisable as newer versions may contain bug fixes, security updates and increased I/O compatibility. The same goes for my Atari. The last available version for my machine, 1.04 a.k.a. Rainbow TOS, contains all of the above and is found to be faster overall.

On the Atari, the OS is stored on two or in my case six ROM (Read Only Memory) chips. As the name indicates, writing to ROM chips is not possible so they have to be replaced with chips containing the newer OS. While it is possible to buy a “ready to go” upgrade package it is also possible to go the DIY route and prepare the chips yourself. I opted for the latter as it is much more fun, educational and gives a real sense of achievement when finished.


Fix wifi Acer Aspire 5040

I recently upgraded an Acer Aspire 5040 to Windows 7. After the upgrade I installed all the drivers and found the wifi was not working correctly. Everything looked fine but I could not see any access points to connect to. To fix this issue I had to go to Acer’s support website and download and install the Launch Manager. Before installing I had to enable compatibility mode for Windows XP and select run as administrator on the setup.exe. After rebooting, the lights on the front of the laptop turned on and I could now detect access points.

Sites used:

  1. http://www.acer.com/ac/en/GB/content/drivers
  2. http://www.sevenforums.com/network-sharing/57483-wireless-acer-aspire-5020-a.html

Flashing a BIOS chip with an Arduino

In this post I will describe how to flash a BIOS (SPI) chip using an Arduino Duemilanove. I first learned about this method after reading about it on Hackaday. At the time I had an Asus P5B motherboard that suffered from a bad BIOS flash and needed to be recovered. I tried other methods before but found none were as easy as this one.

So let's get started.

The requirements

Hardware

  • Arduino Duemilanove (full list can be found here https://www.flashrom.org/Serprog/Arduino_flasher )
  • A flash chip that is supported by flashrom ( full list available here https://www.flashrom.org/Supported_hardware )

Software

  • Ubuntu 16/18 VM
  • Flashrom
  • frser-duino

Preparing the environment

Installing Git and the dependencies needed for Flashrom and frser-duino:

sudo apt install git libpci-dev libusb-dev libusb-1.0 gcc-avr binutils-avr avr-libc avrdude

Compiling and installing Flashrom

git clone https://github.com/flashrom/flashrom.git
cd flashrom
make && sudo make install

Preparing the Arduino Duemilanove

git clone --recursive https://github.com/urjaman/frser-duino
cd frser-duino
make ftdi          # depends on your Arduino
make flash-ftdi    # same

The table below shows which pins on the Arduino should go to which pin on the SPI flash chip.

Arduino pin    SPI pin
12             SO
11             SI
10             CS
13             SCLK
3.3V           VCC + /WP + /HOLD
GND            GND

Flashing the SPI chip

To verify that everything is working correctly we first run flashrom without any operations:

tom@ubuntu-vm:~$ sudo flashrom -p serprog:dev=/dev/ttyUSB0:2000000
flashrom v0.9.9-91-g0bfa819 on Linux 4.10.0-28-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
serprog: Programmer name is "frser-duino"
Found Macronix flash chip "MX25L8005" (1024 kB, SPI) on serprog.
No operations were specified.

As can be seen from the above command output, both the Arduino and the SPI chip are detected. Now we can continue with writing the new BIOS to the chip:

tom@ubuntu-vm:~$ sudo flashrom -p serprog:dev=/dev/ttyUSB0:2000000 -w <NEWBIOS>

flashrom v0.9.9-91-g0bfa819 on Linux 4.10.0-28-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
serprog: Programmer name is "frser-duino"
Found Macronix flash chip "MX25L8005" (1024 kB, SPI) on serprog.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.

And that's it, the new BIOS is written to the chip and all that is left is testing if my computer boots up again.


Sansa Clip+ Repair

My girlfriend was almost in tears when she told me her beloved Sansa Clip+ would not power on anymore. She handed me the little music player and told me that earlier that day, she pressed the power button a bit too hard after which she heard something break.

When inspecting the power button I noticed it was a bit loose where it usually has some tension from the switch underneath. I decided to have a closer look and used a tutorial to help me disassemble the Sansa.
Looking at the board the problem quickly revealed itself. The “extreme” use of force had broken the solder connections between the power switch and the board and as a result the switch fell off. Time to get out the soldering iron!

After reseating the switch and repairing the broken solder connections the Sansa powered up again, meaning my girlfriend could listen to her favourite music again and dry her tears.

Edit: After a week my girlfriend returned to me with her Sansa. This time she was only hearing sound from one of her earbuds instead of both. Because I taught her well she had already tried multiple headphones to verify the problem was not the headphones but rather the Sansa itself. I did some research and found that this problem can be fixed by reheating the solder connections between the headphone jack and the board. It appears that the “stress” resulting from removing and plugging in the headphones weakens the connections.