How to emulate/simulate amiibos with the proxmark3

In this post I will explain how to emulate/simulate Amiibo using the proxmark3. For those who don’t know what a proxmark is, here is a short description from the website:

The Proxmark is an RFID swiss-army tool, allowing for both high and low level interactions with the vast majority of RFID tags and systems world-wide. Originally built by Jonathan Westhues over 10 years ago, the device has progressively evolved into the industry standard tool for RFID Analysis.

https://proxmark.com/

Process:

  1. Download and compile the proxmark client (flash proxmark)
  2. Download and run mfu2bineml
  3. Emulate/simulate the amiibo with the proxmark3
  4. Profit!!!!

Download and compile the proxmark client

#Install dependencies
sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi

#Clone the proxmark3 GitHub repo
git clone https://github.com/tomvanveen/proxmark3.git

#Install the blacklist rules and add user to dialout group (Linux/ubuntu/debian)
make udev

#Clean and complete compilation
make clean && make all

#Flash the bootrom and fullimage 
client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf

Download and run mfu2bineml

We are using mfu2bineml, a Perl program written by Samy Kamkar, to convert the amiibo dump into a format the proxmark3 understands. To do this, simply run the program with the amiibo dump as input and redirect the output to a file:

user@ubuntu-vm:~/Desktop/amiibo$ ./mfubin2eml Champion\ Mipha.bin > amiibo.eml

Character / info: 01 07 00 00 03 5a 09 02
Game : 010 The Legend of Zelda
Character: 7 --
Variation: 00 --
Type : 00 Figure
Amiibo : 035a The Legend of Zelda
Series : 09 The Legend Of Zelda
Last : 02 (should be 02)


Looks like encrypted file but setting preventing us from decrypting
Does not contain header, adding
UID: 04c25292aa5280
PWD: 00000000

hf mf eload u Champion Mipha.bin
hf 14a sim t 7 u 04C25292AA5280
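
As an added example (not code from this post, nor from Samy Kamkar's tool), here is how the steps the tool output above shows can be reproduced in Python on a constructed NTAG215 dump: pull the 7-byte UID from pages 0-1 (verifying BCC0), decode the 8-byte amiibo ID at page 21 using the same game/character split the output above prints, read the PWD page, and write a proxmark .eml (one hex line per 4-byte page). The page offsets are the NTAG215 layout; the constant names, function names and the sample dump are my own assumptions.

```python
# Added example, not from the post or mfu2bineml; offsets follow the NTAG215 layout.
from typing import Dict, List
PAGE = 4
NTAG215_PAGES = 135                   # 540-byte dump
ID_OFFSET = 0x54                      # pages 21-22: 8-byte amiibo ID
PWD_OFFSET = 0x85 * PAGE              # page 133: 4-byte PWD
TYPES = {0x00: "Figure"}              # only the type value seen on the page

def extract_uid(dump: bytes) -> str:
    """7-byte UID = page0[0:3] + page1; page0[3] is BCC0 = 0x88^UID0^UID1^UID2."""
    uid = dump[0:3] + dump[4:8]
    if dump[3] != 0x88 ^ uid[0] ^ uid[1] ^ uid[2]:
        raise ValueError("BCC0 mismatch: not a consistent NTAG21x dump")
    return uid.hex()

def extract_pwd(dump: bytes) -> str:
    return dump[PWD_OFFSET:PWD_OFFSET + PAGE].hex()

def decode_amiibo_id(dump: bytes) -> Dict[str, object]:
    """Split the ID the way the tool output prints it (12-bit game, 4-bit character)."""
    b = dump[ID_OFFSET:ID_OFFSET + 8]
    word = int.from_bytes(b[0:2], "big")
    return {"game": f"{word >> 4:03x}", "character": f"{word & 0xF:x}",
            "variation": f"{b[2]:02x}", "type": TYPES.get(b[3], f"{b[3]:02x}"),
            "amiibo": b[4:6].hex(), "series": f"{b[6]:02x}",
            "last_ok": b[7] == 0x02}  # tool: "Last : 02 (should be 02)"

def dump_to_eml(dump: bytes) -> List[str]:
    """proxmark .eml for Ultralight/NTAG: one 4-byte page per line, as hex."""
    if len(dump) != NTAG215_PAGES * PAGE:
        raise ValueError(f"expected {NTAG215_PAGES * PAGE} bytes, got {len(dump)}")
    return [dump[i:i + PAGE].hex() for i in range(0, len(dump), PAGE)]

def proxmark_commands(eml_path: str, uid_hex: str) -> List[str]:
    return [f"hf mf eload u {eml_path}", f"hf 14a sim t 7 u {uid_hex.upper()}"]

def make_sample_dump() -> bytes:
    """Constructed dump: UID, amiibo ID and PWD from the post, all else zero."""
    d = bytearray(NTAG215_PAGES * PAGE)
    uid = bytes.fromhex("04c25292aa5280")
    d[0:3], d[4:8] = uid[0:3], uid[3:7]
    d[3] = 0x88 ^ uid[0] ^ uid[1] ^ uid[2]          # BCC0
    d[8] = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]        # BCC1
    d[ID_OFFSET:ID_OFFSET + 8] = bytes.fromhex("01070000035a0902")
    return bytes(d)

if __name__ == "__main__":
    dump = make_sample_dump()
    open("amiibo.eml", "w").write("\n".join(dump_to_eml(dump)) + "\n")
    print("\n".join(proxmark_commands("amiibo.eml", extract_uid(dump))))
```

A real dump has the encrypted regions filled in; the eml writer copies every page unchanged, so the BCC0 check is the only thing that distinguishes a plausible dump from random bytes.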

Emulate/simulate the amiibo with the proxmark3

The last part of the tool's output tells you which commands to use in the Proxmark client to load the eml file and emulate/simulate the Amiibo. Because I love tool output, here is the output from the Proxmark client:

pm3 --> hf mf eload u /home/user/Desktop/amiibo/amiibo
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………
[+] Loaded 255 blocks from file: /home/user/Desktop/amiibo/amiibo.eml 
pm3 --> hf 14a sim t 7 u 04C25292AA5280
[+] Emulating ISO/IEC 14443 type A tag with 7 byte UID (04 C2 52 92 AA 52 80 ) 
[+] press pm3-button to abort simulation

And here is a video demonstration of the Amiibo emulation. 

References: