Rumble U NFC Figures

From WiiUBrew
Jump to navigation Jump to search
This article is about the Pokémon Rumble U NFC Figures. For the later released Amiibo NFC Figures, see [Amiibo].

The Pokémon Rumble U NFC Figures are figures released for use with Pokémon Rumble U. The figures can be scanned using the GamePad's NFC sensor.

Internally these figures are version 0 figures, while the later released Amiibo are version 2 figures.

Tag Information

  • Type: Topaz-512
  • Manufacturer: Several (Broadcom Corporation, Innovision Research and Technology Plc (UK))
  • Page size: 8 Bytes
  • Page count: 64 (512 Bytes)

Page layout

NFC page Total pages Raw byte offset in EEPROM Total byte size Writable Description
0x0 0x1 0x0 0x8 No 7-byte UID, then 1 reserved byte
0x1 0x3 0x8 0x18 Yes Capability Container, Lock Control TLV, Memory Control TLV, NDEF Message TLV, NDEF Header with TNF 5
0x4 0x4 0x20 0x20 Yes Start of NDEF payload, contains the "unfixed infos" HMAC
0x8 0x1 0x40 0x8 Yes #NOFT Info
0x9 0x4 0x48 0x20 Yes RW Area (1)
0xD 0x1 0x68 0x8 No Reserved
0xE 0x1 0x70 0x8 No 2 lock bytes locking out pages 0x1, 0xD, 0xE and 0xF, followed by 6 reserved bytes
0xF 0x1 0x78 0x8 No 2 reserved bytes, followed by 6 lock bytes for pages 0x10 - 0x3F (as described by the Lock Control TLV).
This defines the locked area by locking out the last 16 pages.
0x10 0x20 0x80 0x100 Yes RW Area (2)
0x30 0x4 0x180 0x20 No Start of the locked area, contains the "locked secret" HMAC
0x34 0x2 0x1A0 0x10 No RW Info
0x36 0x2 0x1B0 0x10 No RO Info
0x38 0x2 0x1C0 0x10 No RO Area
0x3A 0x2 0x1D0 0x10 No #Format Info
0x3C 0x4 0x1E0 0x20 No Key generation salt encrypted using AES-CTR with the NFC key

Encryption

The RW Area is encrypted using AES-CTR. The key and nonce is derived from the key generation salt, the Format Info, the write count in the NOFT Header, and the "unfixed infos" bytes.

RW Info, RO Info and RO Area are also encrypted using AES-CTR. The key and nonce is derived from the key generation salt, the Format Info, and the "locked secret" bytes.

Internal structure

Internally the NDEF payload and locked area are copied to a contiguous buffer. This means the internal buffer starts at page 0x4 and does not include pages 0xD, 0xE and 0xF.

Data structures

NOFT Info

Offset Size Description Notes
0x0 0x4 Magic 'NOFT' (0x4E4F4654) magic value
0x4 0x1 Version Always 1
0x5 0x2 Write count Incremented before encryption on each write to the RW Area
0x7 0x1 Padding/Unused

Area Info

Offset Size Description Notes
0x0 0x2 Magic/Type 'RW' (0x5257) or 'RO' (0x524F) magic
0x2 0x2 Offset Offset in bytes to the internal buffer
0x4 0x2 Size The size of the area in bytes
0x6 0x2 Padding/Unused
0x8 0x4 Maker Code This is '0001' (0x30303031) for the Pokémon Rumble U figures
0xC 0x4 Identify Code This is 'WCN-' (0x57434E2D) for the Pokémon Rumble U figures. This is the Pokémon Rumble U product code.

Format Info

Offset Size Description Notes
0x0 0x2 RW Info offset Offset in bytes to the start of the RW info
0x2 0x2 RW Size Total RW size, including info and area
0x4 0x2 RO Info offset Offset in bytes to the start of the RO info
0x6 0x2 RO Size Total RO size, including info and area
0x8 0x7 UID Copy of the UID from page 0
0xF 0x1 Format Version Always 0

Area structure

This is the structure of the areas parsed by Pokemon Rumble U.

RW Area

Offset Size Description Notes
0x0 0x4 Magic 'CVRN' (0x4356524E) magic value. If this magic value isn't set, the RW area is not written yet.
0x4 0x11C Unknown

RO Area

Offset Size Description Notes
0x0 0x1 Unknown (always 0x01?)
0x1 0x1
Value Description
0x00 Default
0x01 Shiny
0x02 Unknown
0x2 0x2 National Pokedex number
0x4 0x1 Pokemon variant
0x5 0x1 Unknown
0x6 0x2 Initial move A
0x8 0x2 Initial move B
0xA 0x1 Base power level
0xB 0x1 Special Trait / Prefix
0xC 0x4 Unknown
Retrieved from "https://wiiubrew.org/w/index.php?title=Rumble_U_NFC_Figures&oldid=3966"