Hardware 3DS IR amiibo reader hacked (better late than never)

  • Thread starter: steven96
  • Views: 37,394
  • Replies: 35
  • Likes: 19
I have an idea to create an Arduino or ESP8266 device using the IR module and display. Do you think this is possible?
 
I was thinking of the same thing, it's definitely possible. Hardware-wise it's really simple: just an Arduino/ESP8266 connected to an IrDA transceiver (e.g. TFDU4101) via UART. Software also wouldn't be too hard, since I documented most of the protocol on the 3dbrew wiki and the Python code is on my GitHub, which is public.
However, I think most people wouldn't be interested in this project, since most people use a New 3DS, which can't use the infrared NFC base anymore.
Feel free to ask me more questions about your project, I might be able to help you out.
 
Well, when possible, I will order all the necessary spare parts, study them and improve my programming knowledge (which is very poor). Thanks for the info, I had doubts about such an idea.
 
Thanks for your efforts! While it is several years behind the usage of old 3DS models, I'm nonetheless glad to see them being tinkered with.

I myself have New 3DSes, so I can't be much help. I do have an old NFC reader for the Old 3DS that I picked up for $5, and I came here looking for something to do with it. I'm getting a new phone that contains an IR blaster today, and my hope is that the reader can also write arbitrary data, not just for amiibos. I'll check out your source when I have some time.
 
I am not a hacker or a very computery person by any means (I have a slightly above average understanding compared to most, but not to this extent). How do I use the code to emulate the reader/writer? What do I open, or where do I copy/paste the code to? I would like some help with this, as I have an OG 3DS and want to unlock the extra modes in Metroid: Samus Returns without buying a $75+ reader.
 
There's an app for that:
https://gbatemp.net/threads/metroid-samus-returns-amiibo-unlocker.484176/
 
Stupid question, but given that the N3DS can boot O3DS firmware, could the O3DS NFC module potentially be made to work on the N3DS, enabling the use of IR for amiibo spoofing?
I'm pretty sure that will indeed work, but I don't have a New 3DS to test this.
I don't mind testing this. Do I just need to install some modules from CDN?
 
Using the same hardware setup (a microcontroller and an IrDA adapter), would it be possible to spoof the Circle Pad Pro?
 
When trying to buy a 3DS NFC reader/writer (used for amiibo) for my original 3DS, I noticed that these things are becoming kind of rare and expensive. Eventually I found one cheap and bought it.

After a while I decided to reverse engineer the NFC reader so other people can still use amiibo on their original 3DS, 2DS and 3DS XL without buying the expensive NFC reader.
I started by looking at existing documentation on the infrared protocol used between the 3DS and the reader; it turns out there is already some work done on the most basic aspects of the protocol on the 3dbrew wiki.
Although this explained some aspects of the encryption used by the 3DS during IR transmitting and receiving, it still doesn't explain a lot of other things going on.
To discover this I used an IrDA USB adapter to sniff the infrared data between the reader and the 3DS.

I then XOR-decrypted the data coming in from the IrDA USB adapter using Python. After a lot of work I discovered how the 3DS talks to the NFC reader, and I managed to emulate the read and write capability of the NFC reader/writer by using just the IrDA adapter and a Python script that I wrote.
By using my Python script, amiibo .bin files (which can easily be downloaded from the web) can directly be used and sent to the 3DS over IR (no need to decrypt the amiibo binary).
Demonstration:

When reverse engineering I found out some interesting things about how the 3DS handles amiibo data:
Every NFC tag has a unique ID and an originality signature that can be used to verify that the tag is original. The Wii U and Switch perform this verification; however, the original 3DS does not, despite the NFC reader still sending the signature. It turns out you can send any random signature and the 3DS won't attempt to validate it.
It's also interesting to see that the UID is sent twice during an NFC data dump packet by the reader. The first UID in the packet is used by the 3DS to, for example, check whether the same amiibo is placed back on the NFC reader when writing to it. The first UID is also used to trigger a limit count in some games (to prevent a user from using the same amiibo over and over on the same day). Since the 3DS doesn't care about the originality signature, the first UID can be randomized to trick the 3DS into thinking that a new amiibo is being used. This will stop the limit counter from counting and you can endlessly use the same amiibo.
The first UID in the packet won't be compared to the second UID by the 3DS. This second UID is part of the whole data dump of the NFC tag. This means that randomizing the first UID, and therefore differing from the UID in the data dump, won't be an issue. This also means that the NFC data doesn't have to be re-encrypted with the new UID. A similar bug has also been found in the Wii U and Switch by James Chambers. Apparently this has been fixed on the Switch.
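The two findings above (no signature validation, and no cross-check between the header UID and the UID inside the dump) are both failures of the receiving side to validate what it is handed. As an added example, not code from this thread or from steven96's script, the block below models a receiver that accepts a tag dump packet the permissive way the post describes and a strict variant that rejects any dump whose header UID, embedded UID or signature disagree. The packet framing (header UID, then signature, then raw dump) is a constructed simplification and is not the real 3DS reader format; only the NTAG21x page layout, with the 7-byte UID split across pages 0 and 1 and guarded by the BCC0/BCC1 check bytes, is real. `lookup_verify` is a stand-in for the real originality signature check, and all sample UIDs and signatures are constructed.

```python
"""
Added example: receiver-side consistency checks for an NFC tag dump packet
in which the reader sends the tag UID once in a header and again inside the
raw tag dump. Framing is hypothetical; the NTAG21x UID/BCC layout is real.
"""
from typing import Callable, Tuple

HEADER_UID_LEN = 7   # NTAG21x UIDs are 7 bytes
SIG_LEN = 32         # NTAG21x originality signature is 32 bytes
DUMP_LEN = 540       # NTAG215: 135 pages * 4 bytes


def uid_from_dump(dump: bytes) -> bytes:
    """UID as stored on the tag: page 0 bytes 0-2 plus page 1 bytes 0-3."""
    return dump[0:3] + dump[4:8]


def dump_bcc_ok(dump: bytes) -> bool:
    """Verify the UID check bytes: BCC0 at byte 3, BCC1 at byte 8."""
    bcc0 = 0x88 ^ dump[0] ^ dump[1] ^ dump[2]
    bcc1 = dump[4] ^ dump[5] ^ dump[6] ^ dump[7]
    return dump[3] == bcc0 and dump[8] == bcc1


def make_dump(uid: bytes) -> bytes:
    """Constructed NTAG215-style dump with a consistent UID and check bytes;
    every page after page 2 is zero-filled since only the UID matters here."""
    assert len(uid) == HEADER_UID_LEN
    bcc0 = 0x88 ^ uid[0] ^ uid[1] ^ uid[2]
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    head = uid[0:3] + bytes([bcc0]) + uid[3:7] + bytes([bcc1])
    return head + bytes(DUMP_LEN - len(head))


def build_packet(header_uid: bytes, signature: bytes, dump: bytes) -> bytes:
    """Hypothetical framing: header UID | originality signature | raw dump."""
    return header_uid + signature + dump


def parse_packet(packet: bytes) -> Tuple[bytes, bytes, bytes]:
    if len(packet) != HEADER_UID_LEN + SIG_LEN + DUMP_LEN:
        raise ValueError("bad packet length")
    a = HEADER_UID_LEN
    b = a + SIG_LEN
    return packet[:a], packet[a:b], packet[b:]


def permissive_identity(packet: bytes) -> bytes:
    """Behaviour the thread reports for the original 3DS: tag identity is
    taken from the header UID alone, with no cross-check and no signature check."""
    header_uid, _, _ = parse_packet(packet)
    return header_uid


def strict_identity(packet: bytes,
                    verify_sig: Callable[[bytes, bytes], bool]) -> Tuple[bool, str]:
    """Defensive variant: the header UID must match the UID embedded in the
    dump, the dump's own check bytes must hold, and the signature must verify."""
    header_uid, sig, dump = parse_packet(packet)
    if not dump_bcc_ok(dump):
        return False, "dump UID check bytes invalid"
    if uid_from_dump(dump) != header_uid:
        return False, "header UID does not match UID in dump"
    if not verify_sig(header_uid, sig):
        return False, "originality signature invalid"
    return True, header_uid.hex()


# --- constructed sample data (not real tag values) ---------------------------
REAL_UID = bytes.fromhex("04a1b2c3d4e5f6")
REAL_SIG = bytes(range(32))              # placeholder 32-byte signature
KNOWN_GOOD = {(REAL_UID, REAL_SIG)}      # stand-in for real ECDSA verification


def lookup_verify(uid: bytes, sig: bytes) -> bool:
    """Stand-in verifier: accepts only the constructed known-good pair."""
    return (uid, sig) in KNOWN_GOOD


def demo() -> Tuple[bytes, bytes, Tuple[bool, str], Tuple[bool, str]]:
    dump = make_dump(REAL_UID)
    consistent = build_packet(REAL_UID, REAL_SIG, dump)
    # Same dump and signature, but a different UID in the header.
    other_uid = bytes.fromhex("04ffffffffffff")
    mismatched = build_packet(other_uid, REAL_SIG, dump)
    return (permissive_identity(consistent),
            permissive_identity(mismatched),
            strict_identity(consistent, lookup_verify),
            strict_identity(mismatched, lookup_verify))


if __name__ == "__main__":
    p_ok, p_bad, s_ok, s_bad = demo()
    print("permissive sees:", p_ok.hex(), "then", p_bad.hex())  # two identities
    print("strict:", s_ok, s_bad)                               # second rejected
```

The permissive receiver reports two different tag identities for what is the same dump, which is exactly why a per-day limit counter keyed on the header UID can be reset; the strict receiver catches the disagreement before the signature check is even reached, and would still reject a consistent packet whose signature does not verify.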

I will eventually post more detailed info on the packets sent by the 3DS and the NFC reader when I have more time. I will also post the Python script I made to emulate the NFC reader, but the code still needs some cleaning and testing.

By the way, I am aware that there is a Chinese NFC amiibo reader emulator on the market by jys; however, I was not able to find it anywhere for sale anymore.

That's so cool! Do you think you can port the script to the Flipper Zero? It has a built-in NFC reader and can save NFC tags, so all you'd need to do is scan all your amiibos and the program would just need to transmit them via IR (pretty sure the Flipper Zero runs on C).
 
Working on that right now actually
Was able to build a base emulator for Disney Infinity based on this protocol. Thank you.
Awesome, care to share any details on your project?
 
Basically, I used a build style from an Azahar fork on GitHub from joshuadereeper for Skylanders. I created dialog .h and .cpp files for the GUI, and separate crypto and base .cpp and .h files to generate and load the characters. The GUI provides a character and playset area to load. The system can load generated .bin files or your own dumps. Happy to send the files if you would like to take a look. Sorry for the late reply, work has been busy lately.
 
