When trying to buy a 3ds NFC reader/writer (used for amiibo) for my original 3ds I noticed that these things are becoming kinda rare and expensive, eventually I found one cheap and bought it.
After a while I decided to reverse engineer the nfc reader so other people can still use amiibo on their original 3DS, 2DS and 3DS XL without buying the expensive nfc reader.
I started by looking at existing documentation on the infrared protocol used by the 3ds to the reader, turns out there is already some work done on the most basic aspects of the protocol on the 3dbrew wiki.
Although this explained some aspects on the encryption used by the 3ds during ir transmitting and receiving it still doesn't explain a lot of other things going on.
To discover this I used an IrDA USB adapter to sniff the infrared data between the reader and the 3DS.
I then exor decrypted the data coming in from the IrDA USB adapter using Python. After a lot of work I discovered how the 3ds talks to the NFC reader and I managed to emulate the read and write capability of the NFC reader/writer by using just the irda adapter and a Python script that I wrote.
By using my python script, amiibo .bin files (can easily be downloaded from the web) can directly be used and send to the 3ds over ir. (no need to decrypt the amiibo binary)
Demonstration:
When reverse engineering I found out some interesting things about the 3ds handling amiibo data:
Every NFC tag has a unique ID and originality signature that can be used to verify that the tag is original. The Wii U and Switch perform this verification, however, the original 3DS does not do this, despite the nfc reader still sending the signature. Turns out you can send any random signature and the 3DS won't attempt to validate it.
It's also interesting to see that the UID is send twice during an NFC data dump packet by the reader. The first UID in the packet is used by the 3DS to, for example, check if the same amiibo is placed back on the nfc reader when writing to it. The first UID is also used to trigger a limit count on some games (to prevent a user from using the same amiibo over and over on the same day). Since the 3DS doesn't care about the orginality signature the first UID can be randomized to trick the 3DS into thinking that a new amiibo is being used. This will stop the limit counter from counting and you can endlessly use the same amiibo.
The first UID in the packet won't be compared to the second UID by the 3DS. This second UID is part of the whole data dump of the NFC tag. This means that randomizing the first UID and therefore differing from UID in the data dump won' t be an issue. This also means that the nfc data doesnt have to be recrypted with the new UID. A similar bug has also been found in the Wii U and Switch by James Chambers. Apparently this has been fixed on the Switch.
I will eventually post more detailed info on the packets being send by the 3ds and nfc reader when I have more time. I will also post the python script I made to emulate to nfc reader but the code still needs some cleaning and testing.
Btw, I am aware that there is a chinese nfc amiibo reader emulator on the market by jys, however i was not able to find it anywhere for sale anymore.
After a while I decided to reverse engineer the nfc reader so other people can still use amiibo on their original 3DS, 2DS and 3DS XL without buying the expensive nfc reader.
I started by looking at existing documentation on the infrared protocol used by the 3ds to the reader, turns out there is already some work done on the most basic aspects of the protocol on the 3dbrew wiki.
Although this explained some aspects on the encryption used by the 3ds during ir transmitting and receiving it still doesn't explain a lot of other things going on.
To discover this I used an IrDA USB adapter to sniff the infrared data between the reader and the 3DS.
I then exor decrypted the data coming in from the IrDA USB adapter using Python. After a lot of work I discovered how the 3ds talks to the NFC reader and I managed to emulate the read and write capability of the NFC reader/writer by using just the irda adapter and a Python script that I wrote.
By using my python script, amiibo .bin files (can easily be downloaded from the web) can directly be used and send to the 3ds over ir. (no need to decrypt the amiibo binary)
Demonstration:
When reverse engineering I found out some interesting things about the 3ds handling amiibo data:
Every NFC tag has a unique ID and originality signature that can be used to verify that the tag is original. The Wii U and Switch perform this verification, however, the original 3DS does not do this, despite the nfc reader still sending the signature. Turns out you can send any random signature and the 3DS won't attempt to validate it.
It's also interesting to see that the UID is send twice during an NFC data dump packet by the reader. The first UID in the packet is used by the 3DS to, for example, check if the same amiibo is placed back on the nfc reader when writing to it. The first UID is also used to trigger a limit count on some games (to prevent a user from using the same amiibo over and over on the same day). Since the 3DS doesn't care about the orginality signature the first UID can be randomized to trick the 3DS into thinking that a new amiibo is being used. This will stop the limit counter from counting and you can endlessly use the same amiibo.
The first UID in the packet won't be compared to the second UID by the 3DS. This second UID is part of the whole data dump of the NFC tag. This means that randomizing the first UID and therefore differing from UID in the data dump won' t be an issue. This also means that the nfc data doesnt have to be recrypted with the new UID. A similar bug has also been found in the Wii U and Switch by James Chambers. Apparently this has been fixed on the Switch.
I will eventually post more detailed info on the packets being send by the 3ds and nfc reader when I have more time. I will also post the python script I made to emulate to nfc reader but the code still needs some cleaning and testing.
Btw, I am aware that there is a chinese nfc amiibo reader emulator on the market by jys, however i was not able to find it anywhere for sale anymore.
Last edited by steven96,
