N2 Elite

From YobiWiki

N2 Elite is sold as a game cheating product, previously called Amiiqo, a name probably too close to the original targeted game Amiibo.
I'm not interested at all in its gaming aspects but it's primarily a (multiple) NTAG215 emulator and in that respect, I'm very curious about that product :)

Intro

It's a small round passive device with one button. It can emulate up to 200 NTAG215 and can be programmed via an Android app or, if you buy their additional reader, via a PC application: N2 Manager for Windows or Mac.

Credits: I heard about it by reading a 3-page article by Patrick Gueulle in the French magazine Le Virus Informatique #28. In that article, the author revealed how the emulator could be used to emulate any 7-byte UID or even a 4-byte UID (we'll come to that later) and he provides two programs written in Basic; apparently Patrick remained true to himself ;)

N2 & NTAG Resources

Three versions of the Android app so far:

  • ed5fc865e98b33e584860b39cb70ddb6 Amiiqo_1.0.apk
  • 44d1ea2fd342c7faa3af81f473eada12 Amiiqo_1.1.apk
  • f39a091be603058329b085f1b0382caa Amiiqo_1.2.apk

Versions 1.1 and 1.2 both contain the same firmware image to update older N2 Elite tags; see the Firmware section below.

Amiibo Resources

Nothing really useful for us but well...

Hardware

The device was previously sold under the name Amiiqo, and they insist this is the same hardware as the N2 Elite. Nevertheless there are apparently two revisions of the product:

  • V1, preloaded with 10 amiibo figurines
  • V2, empty, and an alien face printed on the PCB

I got a V2.

Patrick Gueulle mentions the QFN24 chip has a mark "SX3" but mine is completely black. Under the microscope he found two references on the die: "G4830H001I" and "DI 503 03".

Traces

Let's trace some transactions between the Android app and the device with a Proxmark3.
I've discarded the anticollision and HALT/WUPA activity.

Discovery

Rdr | 30  02  10  8b                                                  |  ok | READBLOCK(2)
Tag | ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  ff  |     |
    | 37  cb                                                          |  ok |
Rdr | 60  f8  32                                                      |  ok | EV1 VERSION
Tag | 00  04  04  02  01  00  11  03  01  9e                          |  ok |
Rdr | 55  d6  54                                                      |  ok | ?
Tag | 00  01  00  03  47  3e                                          |  ok |
Rdr | 43  61  21                                                      |  ok | MAGIC WUPC2
Tag | 21  4b  87  02  52  3d  0d  10  16  3a  24  ff  ff  ff  ff  ff  |     |
    | e4  e7                                                          |  ok |
Rdr | 3b  15  16  00  8e  a7                                          |  ok | ?
Tag | ff  ff  ff  ff  ff  ff  ff  ff  5f  d2                          |  ok |

When asking the app to show the tag ID it returns 214b8702523d0d10163a24.

Lock

Rdr | 46  cc  76                                                      |  ok | ?
Tag | 0a  a4  fe                                                      |     |

Unlock

You need to press the button once the app discovers the tag and keep it pressed. You have 2 seconds.

Rdr | 44  de  55                                                      |  ok | ?
2 secs pause.
Rdr | 45  57  44                                                      |  ok | ?
Tag | 0a  a4  fe                                                      |     |

Update number of banks

When changing the number of available banks from 1 to 2:

Rdr | a9  02  55  45                                                  |  ok | ?
Tag | 0a  a4  fe                                                      |     |

Now the discovery phase has two such commands:

Rdr | 3b  15  16  00  8e  a7                                          |  ok | ?
Tag | ff  ff  ff  ff  ff  ff  ff  ff  5f  d2                          |  ok |.
Rdr | 3b  15  16  01  07  b6                                          |  ok | ?
Tag | ff  ff  ff  ff  ff  ff  ff  ff  5f  d2                          |  ok |.

Write a dump

Rdr | 1b  ff  ff  ff  ff  63  00                                      |  ok | PWD-AUTH KEY: 0xffffffff
Tag | 80  80  64  16                                                  |     |.
Rdr | a5  00  00  04  c5  a8  e1  69  44                              |  ok | INCR(0)
Tag | 0a  a4  fe                                                      |     |.
Rdr | a5  01  00  da  aa  2b  80  d9  8d                              |  ok | INCR(1)
Tag | 0a  a4  fe                                                      |     |.
Rdr | a5  02  00  db  48  00  00  95  62                              |  ok | INCR(2)
Tag | 0a  a4  fe                                                      |     |.
Rdr | a5  03  00  e1  10  12  00  e2  15                              |  ok | INCR(3)
Tag | 0a  a4  fe                                                      |     |.
Rdr | a5  04  00  01  03  a0  10  17  ce                              |  ok | INCR(4)
Tag | 0a  a4  fe                                                      |     |.
Rdr | a5  05  00  44  03  00  fe  53  13                              |  ok | ?
Tag | 0a  a4  fe                                                      |     |.
Rdr | a5  06  00  00  00  00  00  e0  8a                              |  ok | ?
Tag | 0a  a4  fe                                                      |     |.
...
Rdr | a5  85  00  ff  ff  ff  ff  a6  70                              |  ok | ?
Tag | 0a  a4  fe                                                      |     |.
Rdr | a5  86  00  ff  ff  ff  ff  db  7c                              |  ok | ?
Tag | 0a  a4  fe                                                      |     |.
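
An added example, not part of the original page or of the vendor's software: it takes the first three `a5` reader frames from the trace above, verifies their ISO/IEC 14443-3 CRC_A, and rebuilds the 7-byte UID being written, checking both BCC bytes. The frame layout (page index, a byte assumed to be the bank index, four data bytes) is inferred from the trace, and the UID/BCC positions assume the standard NTAG21x page layout.

```python
# Added example: decode reader frames copied from the "Write a dump" trace.
# Assumed 0xA5 layout (inferred from the trace, not vendor documentation):
#   a5 | page | 00 (assumed bank index) | 4 data bytes | CRC_A (low byte first)

READER_FRAMES = [  # copied verbatim from the trace above
    "a5 00 00 04 c5 a8 e1 69 44",
    "a5 01 00 da aa 2b 80 d9 8d",
    "a5 02 00 db 48 00 00 95 62",
]

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A: initial value 0x6363, sent low byte first."""
    crc = 0x6363
    for byte in data:
        b = byte ^ (crc & 0xFF)
        b = (b ^ (b << 4)) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def parse_write(frame_hex: str):
    """Return (page, bank, data) for one 0xA5 frame; ValueError if malformed."""
    raw = bytes.fromhex(frame_hex)
    if len(raw) != 9 or raw[0] != 0xA5:
        raise ValueError("not a 9-byte 0xA5 frame")
    if crc_a(raw[:-2]) != raw[-2:]:
        raise ValueError("CRC_A mismatch")
    return raw[1], raw[2], raw[3:7]

def decode(frames) -> dict:
    """Map page number -> 4 data bytes for every frame that passes the checks."""
    pages = {}
    for frame in frames:
        page, _bank, data = parse_write(frame)
        pages[page] = data
    return pages

def uid_from_pages(pages: dict) -> bytes:
    """Rebuild the 7-byte UID from pages 0-2 and verify both check bytes."""
    p0, p1, p2 = pages[0], pages[1], pages[2]
    bcc0 = 0x88 ^ p0[0] ^ p0[1] ^ p0[2]   # 0x88 is the cascade tag
    bcc1 = p1[0] ^ p1[1] ^ p1[2] ^ p1[3]
    if bcc0 != p0[3] or bcc1 != p2[0]:
        raise ValueError("BCC mismatch: pages 0-2 do not hold a consistent UID")
    return p0[:3] + p1

if __name__ == "__main__":
    print("UID in the written dump:", uid_from_pages(decode(READER_FRAMES)).hex())
```
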

Commands

Firmware