Raleigh Littles
Posted on April 1, 2023
Background context
Nintendo sells "Power-Up Band™" wristbands for use at their Super Mario World locations. These wristbands are used for keeping track of score information on different rides and games at their parks.
https://www.universalstudioshollywood.com/web/en/us/things-to-do/entertainment/key-challenges
About device
On the back, apart from the Nintendo logo is the text:
56674-P-300006-1022
QR code
The back of the wristband also has a QR code, used to pair the device to an account using the Nintendo app on a smartphone.
My band's QR code data is:
011101000000000000000590880000000000FF03
NFC data
The band uses NFC to communicate with rides at the park. Using a simple NFC reader and pcscd
, we can read the data from it:
Fri Mar 31 20:16:52 2023
Reader 0: ACS ACR122U 00 00
Event number: 1
Card state: Card inserted,
ATR: 3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00 68
ATR: 3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00 68
+ TS = 3B --> Direct Convention
+ T0 = 8F, Y(1): 1000, K: 15 (historical bytes)
TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1
-----
+ Historical bytes: 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00
Category indicator byte: 80 (compact TLV data object)
Tag: 4, len: F (initial access data)
Initial access data: 0C A0 00 00 03 06 03 00 03 00 00 00 00
+ TCK = 68 (correct checksum)
Possibly identified card (using /home/raleigh/.cache/smartcard_list.txt):
3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00 68
3B 8F 80 01 80 4F 0C A0 00 00 03 06 .. 00 03 00 00 00 00 ..
MIFARE Ultralight (as per PCSC std part3)
3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00 68
3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 .. .. 00 00 00 00 ..
RFID - ISO 14443 Type A Part 3 (as per PCSC std part3)
3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 03 00 00 00 00 68
RFID - ISO 14443 Type A - NXP Mifare Ultralight or UltralightC
Tempmate S1 Data Logger (Other)
https://www.tempmate.com/
prepaid bus card (Transport)
https://www.t-l.ch/abos-billets/billets/carte-prepayee
This output tells us that the wristband uses a MIFARE Ultralight NFC chip internally.
To read the data off the NFC chip, we'll use:nfc-mfultralight
https://manpages.ubuntu.com/manpages/xenial/man1/nfc-mfultralight.1.html
NFC device: ACS / ACR122U PICC Interface opened
1 ISO14443A passive target(s) found:
046b2eb2e81090
Using MIFARE Ultralight card with UID: 046b2eb2e81090
WARNING: Tag is EV1 or NTAG - PASSWORD may be required
NTAG Type: NTAG216 (888 user bytes)
Reading 231 pages |.......................................................................................................................................................................................................................................|
Done, 231 of 231 pages read (0 pages failed).
Writing data to file: mario.mfd ... Done.
Here's the raw output of my dumped file (mario.mfd):
046b2eb2e810900044000fe0f110ffeea50000009f9b3f450e8f58601127
c2a86618b59003bbf2fdec0e18525e6c85a5a7b3938a9ca7458bb0a3e7b2
5eb04cfe22c2fd282e588e0037476e6543cc263541bd6fbe00000003039b
ff02aabbccdd454741df649658422f4e4d304b3c3cc656eab11fe104c0ac
9d59ce7d426cb9e09345bdbe48ebe2702134d9d14f0c2a1c7242456822ce
6794c933af0064cfd8435b9c3e3361699f2cef194cea7b3207b2d00e8e56
0cdc2ed77eedd1b1ca6f7f443b3ea5fef403a12dc2686a385da30391e7fb
d8c8cee3491501130ea68fe71e99c6ef76025bdb28ccbd59e34596ca5315
2d91b2b6d9a357a3cfd186f1fe2c7663fc0b61834797bc4383627e7489ce
95596f326166afea5713923f4d6c7e6c6ec3e0de9412b657f6256b348e45
b74b1d7d8c6f4cbab0eabcaa4333fe5601864b7b25e7d8a4dd8423d13329
89579559ab7a692c24b2f49f3371a1c6ed5a60c5cb33c8f782d825f1a606
e598beb5e21f6881a1e63e025f9fd2f459934d442932ff12c988afdbb2a6
26164db2c2f1e0bbc68cc7aa75b512cd63202996b4c93239aaef62c24c91
092eb722ba55ceea486392b6c10c6723379c1654f7169d577cff3a8ac069
528579f38f17dfefee9bfda7b7afe575778d85c29eafc03ce53cf123372e
7fd5202a1a9acfa3177086555c2084206dfea3b437d559f1a73d18ddd648
287a33451541d6c9641e01000f00000000045f0000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000303131313031303030303030303030303030303030353930
383830303030303030303030464630330000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
0000000001011f0000000004070000000000000000000000
And the formatted version via hexdump:
00000000 04 6b 2e b2 e8 10 90 00 44 00 0f e0 f1 10 ff ee |.k......D.......|
00000010 a5 00 00 00 9f 9b 3f 45 0e 8f 58 60 11 27 c2 a8 |......?E..X`.'..|
00000020 66 18 b5 90 03 bb f2 fd ec 0e 18 52 5e 6c 85 a5 |f..........R^l..|
00000030 a7 b3 93 8a 9c a7 45 8b b0 a3 e7 b2 5e b0 4c fe |......E.....^.L.|
00000040 22 c2 fd 28 2e 58 8e 00 37 47 6e 65 43 cc 26 35 |"..(.X..7GneC.&5|
00000050 41 bd 6f be 00 00 00 03 03 9b ff 02 aa bb cc dd |A.o.............|
00000060 45 47 41 df 64 96 58 42 2f 4e 4d 30 4b 3c 3c c6 |EGA.d.XB/NM0K<<.|
00000070 56 ea b1 1f e1 04 c0 ac 9d 59 ce 7d 42 6c b9 e0 |V........Y.}Bl..|
00000080 93 45 bd be 48 eb e2 70 21 34 d9 d1 4f 0c 2a 1c |.E..H..p!4..O.*.|
00000090 72 42 45 68 22 ce 67 94 c9 33 af 00 64 cf d8 43 |rBEh".g..3..d..C|
000000a0 5b 9c 3e 33 61 69 9f 2c ef 19 4c ea 7b 32 07 b2 |[.>3ai.,..L.{2..|
000000b0 d0 0e 8e 56 0c dc 2e d7 7e ed d1 b1 ca 6f 7f 44 |...V....~....o.D|
000000c0 3b 3e a5 fe f4 03 a1 2d c2 68 6a 38 5d a3 03 91 |;>.....-.hj8]...|
000000d0 e7 fb d8 c8 ce e3 49 15 01 13 0e a6 8f e7 1e 99 |......I.........|
000000e0 c6 ef 76 02 5b db 28 cc bd 59 e3 45 96 ca 53 15 |..v.[.(..Y.E..S.|
000000f0 2d 91 b2 b6 d9 a3 57 a3 cf d1 86 f1 fe 2c 76 63 |-.....W......,vc|
00000100 fc 0b 61 83 47 97 bc 43 83 62 7e 74 89 ce 95 59 |..a.G..C.b~t...Y|
00000110 6f 32 61 66 af ea 57 13 92 3f 4d 6c 7e 6c 6e c3 |o2af..W..?Ml~ln.|
00000120 e0 de 94 12 b6 57 f6 25 6b 34 8e 45 b7 4b 1d 7d |.....W.%k4.E.K.}|
00000130 8c 6f 4c ba b0 ea bc aa 43 33 fe 56 01 86 4b 7b |.oL.....C3.V..K{|
00000140 25 e7 d8 a4 dd 84 23 d1 33 29 89 57 95 59 ab 7a |%.....#.3).W.Y.z|
00000150 69 2c 24 b2 f4 9f 33 71 a1 c6 ed 5a 60 c5 cb 33 |i,$...3q...Z`..3|
00000160 c8 f7 82 d8 25 f1 a6 06 e5 98 be b5 e2 1f 68 81 |....%.........h.|
00000170 a1 e6 3e 02 5f 9f d2 f4 59 93 4d 44 29 32 ff 12 |..>._...Y.MD)2..|
00000180 c9 88 af db b2 a6 26 16 4d b2 c2 f1 e0 bb c6 8c |......&.M.......|
00000190 c7 aa 75 b5 12 cd 63 20 29 96 b4 c9 32 39 aa ef |..u...c )...29..|
000001a0 62 c2 4c 91 09 2e b7 22 ba 55 ce ea 48 63 92 b6 |b.L....".U..Hc..|
000001b0 c1 0c 67 23 37 9c 16 54 f7 16 9d 57 7c ff 3a 8a |..g#7..T...W|.:.|
000001c0 c0 69 52 85 79 f3 8f 17 df ef ee 9b fd a7 b7 af |.iR.y...........|
000001d0 e5 75 77 8d 85 c2 9e af c0 3c e5 3c f1 23 37 2e |.uw......<.<.#7.|
000001e0 7f d5 20 2a 1a 9a cf a3 17 70 86 55 5c 20 84 20 |.. *.....p.U\ . |
000001f0 6d fe a3 b4 37 d5 59 f1 a7 3d 18 dd d6 48 28 7a |m...7.Y..=...H(z|
00000200 33 45 15 41 d6 c9 64 1e 01 00 0f 00 00 00 00 04 |3E.A..d.........|
00000210 5f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |_...............|
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000240 30 31 31 31 30 31 30 30 30 30 30 30 30 30 30 30 |0111010000000000|
00000250 30 30 30 30 30 35 39 30 38 38 30 30 30 30 30 30 |0000059088000000|
00000260 30 30 30 30 46 46 30 33 00 00 00 00 00 00 00 00 |0000FF03........|
00000270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000380 00 00 00 00 00 00 00 00 01 01 1f 00 00 00 00 04 |................|
00000390 07 00 00 00 00 00 00 00 00 00 00 00 |............|
0000039c
Things of note:
Based on this article, the serial numbers should be stored in the first 7 bytes, so our wristband's serial number is
04:6B:2E:B2:E8:10:90
.Starting at byte 0x240/576d, we see our QR code data from earlier.
Posted on April 1, 2023
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.