Analyzing Super Nintendo World's Power-Up band

raleighlittles

Raleigh Littles

Posted on April 1, 2023


Background context

Nintendo sells "Power-Up Band™" wristbands for use at their Super Mario World locations. These wristbands are used for keeping track of score information on different rides and games at their parks.

https://www.universalstudioshollywood.com/web/en/us/things-to-do/entertainment/key-challenges

[Image: Power-Up Bands]

About device

On the back, apart from the Nintendo logo, is the text:

56674-P-300006-1022

QR code

The back of the wristband also has a QR code, used to pair the device to an account using the Nintendo app on a smartphone.

My band's QR code data is:

011101000000000000000590880000000000FF03

NFC data

The band uses NFC to communicate with rides at the park. Using a simple NFC reader and pcscd, we can read the data from it:

Fri Mar 31 20:16:52 2023
 Reader 0: ACS ACR122U 00 00
  Event number: 1
  Card state: Card inserted, 
  ATR: 3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00 68

ATR: 3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00 68
+ TS = 3B --> Direct Convention
+ T0 = 8F, Y(1): 1000, K: 15 (historical bytes)
  TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0 
-----
  TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1 
-----
+ Historical bytes: 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00
  Category indicator byte: 80 (compact TLV data object)
    Tag: 4, len: F (initial access data)
      Initial access data: 0C A0 00 00 03 06 03 00 03 00 00 00 00
+ TCK = 68 (correct checksum)

Possibly identified card (using /home/raleigh/.cache/smartcard_list.txt):
3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00 68
3B 8F 80 01 80 4F 0C A0 00 00 03 06 .. 00 03 00 00 00 00 ..
    MIFARE Ultralight (as per PCSC std part3)
3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00 68
3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 .. .. 00 00 00 00 ..
    RFID - ISO 14443 Type A Part 3 (as per PCSC std part3)
3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00 68
    RFID - ISO 14443 Type A - NXP Mifare Ultralight or UltralightC
    Tempmate S1 Data Logger (Other)
    https://www.tempmate.com/
    prepaid bus card (Transport)
    https://www.t-l.ch/abos-billets/billets/carte-prepayee

This output tells us that the wristband uses a MIFARE Ultralight NFC chip internally.
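The ATR breakdown that pcsc_scan prints above can be reproduced by hand, including the TCK checksum and the card-name field that leads to "MIFARE Ultralight". The Python below is an added example, not part of the original post; the function name parse_atr and the two lookup tables are assumptions, and the tables cover only the values matched on this page.

```python
from functools import reduce

# ATR reported by pcsc_scan on this page.
ATR_HEX = "3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00 68"
PCSC_RID = bytes.fromhex("A000000306")
# Only the values pcsc_scan matched on this page; other codes stay as raw numbers.
STANDARDS = {0x03: "ISO 14443 Type A, part 3"}
CARD_NAMES = {0x0003: "MIFARE Ultralight"}


def parse_atr(atr_hex):
    atr = bytes.fromhex(atr_hex.replace(" ", ""))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: bad TS byte")
    y, k = atr[1] >> 4, atr[1] & 0x0F      # T0: interface-byte flags, historical count
    pos, protocols = 2, []
    while True:
        pos += bin(y & 0x7).count("1")     # skip TA/TB/TC when flagged
        if not y & 0x8:                    # no TD byte: interface bytes end here
            break
        if pos >= len(atr):
            raise ValueError("truncated interface bytes")
        td = atr[pos]
        pos += 1
        protocols.append(td & 0x0F)        # low nibble of TD is the protocol number
        y = td >> 4
    hist, rest = atr[pos:pos + k], atr[pos + k:]
    if len(hist) != k:
        raise ValueError("truncated historical bytes")
    # TCK is present whenever a protocol other than T=0 is offered.
    has_tck = any(p != 0 for p in protocols)
    if len(rest) != (1 if has_tck else 0):
        raise ValueError("unexpected ATR length")
    # With TCK included, the XOR of every byte from T0 onward must be zero.
    checksum_ok = (not has_tck) or reduce(lambda a, b: a ^ b, atr[1:]) == 0
    info = {"protocols": protocols, "checksum_ok": checksum_ok}
    # PC/SC part 3 layout: 80 4F <len> <RID(5)> <standard(1)> <card name(2)> <RFU>
    if k >= 11 and hist[0] == 0x80 and hist[1] == 0x4F and hist[3:8] == PCSC_RID:
        ss, name = hist[8], int.from_bytes(hist[9:11], "big")
        info["standard"] = STANDARDS.get(ss, f"0x{ss:02X}")
        info["card_name"] = CARD_NAMES.get(name, f"0x{name:04X}")
    return info


if __name__ == "__main__":
    print(parse_atr(ATR_HEX))
```

For contactless tags the ATR is synthesized by the PC/SC reader, so it names a card family rather than the exact chip; the nfc-mfultralight output below reports this tag as an NTAG216.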

To read the data off the NFC chip, we'll use nfc-mfultralight (https://manpages.ubuntu.com/manpages/xenial/man1/nfc-mfultralight.1.html):

NFC device: ACS / ACR122U PICC Interface opened
1 ISO14443A passive target(s) found:
    046b2eb2e81090
Using MIFARE Ultralight card with UID: 046b2eb2e81090
WARNING: Tag is EV1 or NTAG - PASSWORD may be required
NTAG Type: NTAG216 (888 user bytes)
Reading 231 pages |.......................................................................................................................................................................................................................................|
Done, 231 of 231 pages read (0 pages failed).
Writing data to file: mario.mfd ... Done.

Here's the raw output of my dumped file (mario.mfd):

046b2eb2e810900044000fe0f110ffeea50000009f9b3f450e8f58601127
c2a86618b59003bbf2fdec0e18525e6c85a5a7b3938a9ca7458bb0a3e7b2
5eb04cfe22c2fd282e588e0037476e6543cc263541bd6fbe00000003039b
ff02aabbccdd454741df649658422f4e4d304b3c3cc656eab11fe104c0ac
9d59ce7d426cb9e09345bdbe48ebe2702134d9d14f0c2a1c7242456822ce
6794c933af0064cfd8435b9c3e3361699f2cef194cea7b3207b2d00e8e56
0cdc2ed77eedd1b1ca6f7f443b3ea5fef403a12dc2686a385da30391e7fb
d8c8cee3491501130ea68fe71e99c6ef76025bdb28ccbd59e34596ca5315
2d91b2b6d9a357a3cfd186f1fe2c7663fc0b61834797bc4383627e7489ce
95596f326166afea5713923f4d6c7e6c6ec3e0de9412b657f6256b348e45
b74b1d7d8c6f4cbab0eabcaa4333fe5601864b7b25e7d8a4dd8423d13329
89579559ab7a692c24b2f49f3371a1c6ed5a60c5cb33c8f782d825f1a606
e598beb5e21f6881a1e63e025f9fd2f459934d442932ff12c988afdbb2a6
26164db2c2f1e0bbc68cc7aa75b512cd63202996b4c93239aaef62c24c91
092eb722ba55ceea486392b6c10c6723379c1654f7169d577cff3a8ac069
528579f38f17dfefee9bfda7b7afe575778d85c29eafc03ce53cf123372e
7fd5202a1a9acfa3177086555c2084206dfea3b437d559f1a73d18ddd648
287a33451541d6c9641e01000f00000000045f0000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000303131313031303030303030303030303030303030353930
383830303030303030303030464630330000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
0000000001011f0000000004070000000000000000000000

And the formatted version via hexdump:

00000000  04 6b 2e b2 e8 10 90 00  44 00 0f e0 f1 10 ff ee  |.k......D.......|
00000010  a5 00 00 00 9f 9b 3f 45  0e 8f 58 60 11 27 c2 a8  |......?E..X`.'..|
00000020  66 18 b5 90 03 bb f2 fd  ec 0e 18 52 5e 6c 85 a5  |f..........R^l..|
00000030  a7 b3 93 8a 9c a7 45 8b  b0 a3 e7 b2 5e b0 4c fe  |......E.....^.L.|
00000040  22 c2 fd 28 2e 58 8e 00  37 47 6e 65 43 cc 26 35  |"..(.X..7GneC.&5|
00000050  41 bd 6f be 00 00 00 03  03 9b ff 02 aa bb cc dd  |A.o.............|
00000060  45 47 41 df 64 96 58 42  2f 4e 4d 30 4b 3c 3c c6  |EGA.d.XB/NM0K<<.|
00000070  56 ea b1 1f e1 04 c0 ac  9d 59 ce 7d 42 6c b9 e0  |V........Y.}Bl..|
00000080  93 45 bd be 48 eb e2 70  21 34 d9 d1 4f 0c 2a 1c  |.E..H..p!4..O.*.|
00000090  72 42 45 68 22 ce 67 94  c9 33 af 00 64 cf d8 43  |rBEh".g..3..d..C|
000000a0  5b 9c 3e 33 61 69 9f 2c  ef 19 4c ea 7b 32 07 b2  |[.>3ai.,..L.{2..|
000000b0  d0 0e 8e 56 0c dc 2e d7  7e ed d1 b1 ca 6f 7f 44  |...V....~....o.D|
000000c0  3b 3e a5 fe f4 03 a1 2d  c2 68 6a 38 5d a3 03 91  |;>.....-.hj8]...|
000000d0  e7 fb d8 c8 ce e3 49 15  01 13 0e a6 8f e7 1e 99  |......I.........|
000000e0  c6 ef 76 02 5b db 28 cc  bd 59 e3 45 96 ca 53 15  |..v.[.(..Y.E..S.|
000000f0  2d 91 b2 b6 d9 a3 57 a3  cf d1 86 f1 fe 2c 76 63  |-.....W......,vc|
00000100  fc 0b 61 83 47 97 bc 43  83 62 7e 74 89 ce 95 59  |..a.G..C.b~t...Y|
00000110  6f 32 61 66 af ea 57 13  92 3f 4d 6c 7e 6c 6e c3  |o2af..W..?Ml~ln.|
00000120  e0 de 94 12 b6 57 f6 25  6b 34 8e 45 b7 4b 1d 7d  |.....W.%k4.E.K.}|
00000130  8c 6f 4c ba b0 ea bc aa  43 33 fe 56 01 86 4b 7b  |.oL.....C3.V..K{|
00000140  25 e7 d8 a4 dd 84 23 d1  33 29 89 57 95 59 ab 7a  |%.....#.3).W.Y.z|
00000150  69 2c 24 b2 f4 9f 33 71  a1 c6 ed 5a 60 c5 cb 33  |i,$...3q...Z`..3|
00000160  c8 f7 82 d8 25 f1 a6 06  e5 98 be b5 e2 1f 68 81  |....%.........h.|
00000170  a1 e6 3e 02 5f 9f d2 f4  59 93 4d 44 29 32 ff 12  |..>._...Y.MD)2..|
00000180  c9 88 af db b2 a6 26 16  4d b2 c2 f1 e0 bb c6 8c  |......&.M.......|
00000190  c7 aa 75 b5 12 cd 63 20  29 96 b4 c9 32 39 aa ef  |..u...c )...29..|
000001a0  62 c2 4c 91 09 2e b7 22  ba 55 ce ea 48 63 92 b6  |b.L....".U..Hc..|
000001b0  c1 0c 67 23 37 9c 16 54  f7 16 9d 57 7c ff 3a 8a  |..g#7..T...W|.:.|
000001c0  c0 69 52 85 79 f3 8f 17  df ef ee 9b fd a7 b7 af  |.iR.y...........|
000001d0  e5 75 77 8d 85 c2 9e af  c0 3c e5 3c f1 23 37 2e  |.uw......<.<.#7.|
000001e0  7f d5 20 2a 1a 9a cf a3  17 70 86 55 5c 20 84 20  |.. *.....p.U\ . |
000001f0  6d fe a3 b4 37 d5 59 f1  a7 3d 18 dd d6 48 28 7a  |m...7.Y..=...H(z|
00000200  33 45 15 41 d6 c9 64 1e  01 00 0f 00 00 00 00 04  |3E.A..d.........|
00000210  5f 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |_...............|
00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000240  30 31 31 31 30 31 30 30  30 30 30 30 30 30 30 30  |0111010000000000|
00000250  30 30 30 30 30 35 39 30  38 38 30 30 30 30 30 30  |0000059088000000|
00000260  30 30 30 30 46 46 30 33  00 00 00 00 00 00 00 00  |0000FF03........|
00000270  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000380  00 00 00 00 00 00 00 00  01 01 1f 00 00 00 00 04  |................|
00000390  07 00 00 00 00 00 00 00  00 00 00 00              |............|
0000039c


Things of note:

  • Based on this article, the serial numbers should be stored in the first 7 bytes, so our wristband's serial number is 04:6B:2E:B2:E8:10:90.

  • Starting at byte offset 0x240 (576 decimal), we see our QR code data from earlier, stored as ASCII text.
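Both observations can be checked programmatically from the hexdump listing itself. The Python below is an added example, not part of the original post: it rebuilds the byte image from an excerpt of the hexdump -C output (expanding the "*" rows), reads the first 7 bytes as the serial, and locates the QR string by offset and 4-byte tag page. The function names are assumptions, and rows omitted from the excerpt are left as zero.

```python
import re

# Excerpt of the hexdump -C listing above. Rows 0x10-0x23f are omitted here, so
# that range stays zero in the rebuilt image; "*" marks rows hexdump squeezed.
HEXDUMP = """\
00000000  04 6b 2e b2 e8 10 90 00  44 00 0f e0 f1 10 ff ee  |.k......D.......|
00000240  30 31 31 31 30 31 30 30  30 30 30 30 30 30 30 30  |0111010000000000|
00000250  30 30 30 30 30 35 39 30  38 38 30 30 30 30 30 30  |0000059088000000|
00000260  30 30 30 30 46 46 30 33  00 00 00 00 00 00 00 00  |0000FF03........|
00000270  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000380  00 00 00 00 00 00 00 00  01 01 1f 00 00 00 00 04  |................|
00000390  07 00 00 00 00 00 00 00  00 00 00 00              |............|
0000039c
"""
QR_DATA = "011101000000000000000590880000000000FF03"  # QR payload quoted on the page
PAGE_SIZE = 4                                          # bytes per tag page

def unhexdump(text):
    """Rebuild the byte image from hexdump -C text, expanding "*" rows."""
    rows, squeezed = [], False
    for line in text.splitlines():
        if line.strip() == "*":
            squeezed = True
            continue
        offset_hex, _, rest = line.partition("  ")
        offset, data = int(offset_hex, 16), bytes.fromhex(rest.split("|")[0])
        if squeezed and rows:            # repeat the previous row up to this offset
            prev_off, prev = rows[-1]
            for off in range(prev_off + len(prev), offset, len(prev)):
                rows.append((off, prev))
        squeezed = False
        rows.append((offset, data))      # the bare final offset adds an empty row
    image = bytearray(max(off + len(d) for off, d in rows))
    for off, d in rows:
        image[off:off + len(d)] = d
    return bytes(image)

def ascii_runs(image, min_len=16):       # like strings(1), but with offsets
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode()) for m in re.finditer(pattern, image)]

def summarize(image):
    uid = ":".join(f"{b:02X}" for b in image[:7])   # first 7 bytes, as the post reads them
    hits = [(off, off // PAGE_SIZE) for off, s in ascii_runs(image) if s == QR_DATA]
    return {"size": len(image), "uid": uid, "qr_hits": hits}

print(summarize(unhexdump(HEXDUMP)))
```

The match at offset 0x240 corresponds to tag page 144, and it shows that the pairing value printed as a QR code is also stored unencrypted in the tag's memory.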
