3DS IR amiibo reader hacked (better late than never)

Discussion in '3DS - Console, Accessories and Hardware' started by steven96, May 13, 2019.

  1. steven96
    OP

    steven96 Newbie

    Newcomer
    1
    May 13, 2019
    Netherlands
    When trying to buy a 3ds NFC reader/writer (used for amiibo) for my original 3ds I noticed that these things are becoming kinda rare and expensive, eventually I found one cheap and bought it.

    After a while I decided to reverse engineer the nfc reader so other people can still use amiibo on their original 3DS, 2DS and 3DS XL without buying the expensive nfc reader.
    I started by looking at existing documentation on the infrared protocol used by the 3ds to the reader, turns out there is already some work done on the most basic aspects of the protocol on the 3dbrew wiki.
    Although this explained some aspects on the encryption used by the 3ds during ir transmitting and receiving it still doesn't explain a lot of other things going on.
    To discover this I used an IrDA USB adapter to sniff the infrared data between the reader and the 3DS.

    I then exor decrypted the data coming in from the IrDA USB adapter using Python. After a lot of work I discovered how the 3ds talks to the NFC reader and I managed to emulate the read and write capability of the NFC reader/writer by using just the irda adapter and a Python script that I wrote.
    By using my python script, amiibo .bin files (can easily be downloaded from the web) can directly be used and send to the 3ds over ir. (no need to decrypt the amiibo binary)
    Demonstration:

    When reverse engineering I found out some interesting things about the 3ds handling amiibo data:
    Every NFC tag has a unique ID and originality signature that can be used to verify that the tag is original. The Wii U and Switch perform this verification, however, the original 3DS does not do this, despite the nfc reader still sending the signature. Turns out you can send any random signature and the 3DS won't attempt to validate it.
    It's also interesting to see that the UID is send twice during an NFC data dump packet by the reader. The first UID in the packet is used by the 3DS to, for example, check if the same amiibo is placed back on the nfc reader when writing to it. The first UID is also used to trigger a limit count on some games (to prevent a user from using the same amiibo over and over on the same day). Since the 3DS doesn't care about the orginality signature the first UID can be randomized to trick the 3DS into thinking that a new amiibo is being used. This will stop the limit counter from counting and you can endlessly use the same amiibo.
    The first UID in the packet won't be compared to the second UID by the 3DS. This second UID is part of the whole data dump of the NFC tag. This means that randomizing the first UID and therefore differing from UID in the data dump won' t be an issue. This also means that the nfc data doesnt have to be recrypted with the new UID. A similar bug has also been found in the Wii U and Switch by James Chambers. Apparently this has been fixed on the Switch.

    I will eventually post more detailed info on the packets being send by the 3ds and nfc reader when I have more time. I will also post the python script I made to emulate to nfc reader but the code still needs some cleaning and testing.

    Btw, I am aware that there is a chinese nfc amiibo reader emulator on the market by jys, however i was not able to find it anywhere for sale anymore.
     
    Last edited by steven96, May 13, 2019
    Rahkeesh, oji, Quantumcat and 9 others like this.
  2. Shadow#1

    Shadow#1 Wii & 3DS Softmod Expert

    Member
    12
    Nov 21, 2005
    United States
    Very interesting dude
     
  3. Tarmfot

    Tarmfot GBAtemp Regular

    Member
    4
    Dec 12, 2015
    Montserrat
    Great!
     
  4. wirelleus

    wirelleus Newbie

    Newcomer
    1
    Apr 30, 2019
    Brazil
    Oh, cool! I'm eagerly waiting for the emulator
     
  5. StopLight

    StopLight Member

    Newcomer
    1
    Apr 21, 2019
    United States
    Frankly, I'm surprised this wasn't done years ago in the heyday of the 3DS. It's shocking that the community settled for faking the NFC chips (which can be expensive) instead of faking the IR signal. Granted, this won't work for the Switch and Wii U, but in the days before the Switch this would have been one of the top homebrew applications.

    All of the required Amiibo data was captured years ago, and there are many devices that can send the IR signal and verify the handshake of that data: GameBoy Color, GB Advance, another 3DS/2DS, Wii U gamepad, Android smartphones, etc... Basically, anything with a screen and an IR blaster would work as long as you can load a program on to it. The device doesn't need to read NFC chips when it already contains a database of all the possible information. The challenge is figuring out how to replicate the handshake, which shouldn't be that complicated relative to all of the other things on the system that have been cracked.

    The homebrew app wouldn't need to be a very fancy. Just a simple list of all the Amiibos, you select one, then the device sends the signal and looks for the handshake. Once the homebrew works for one device, it could "easily" be ported to others; the app should at least run on 3DS/2DS, Wii U, and smartphone. The app probably would not even require updates for it's Amiibo database because I seriously doubt Nintendo is going to update their old 3DS games to recognize any future Amiibos.

    Hell, I can't believe a Chinese company never built a remote control-like device with a cheap LCD screen and an IR blaster that does this; I totally would have bought one if they did. I would still use such an app. I hope it happens. Like the OP said, better late than never.
     
    Tarmfot and Ammako like this.
  6. QuazaRayy

    QuazaRayy Advanced Member

    Newcomer
    3
    Feb 3, 2019
    United Kingdom
    England
    how do i do this.
     
  7. steven96
    OP

    steven96 Newbie

    Newcomer
    1
    May 13, 2019
    Netherlands
    Finally had some time to write some documentation about the IR protocol on the NFC adapter page on the 3dbrew wiki. It's still not finished but uploaded most of it anyway.
    Also uploaded the python scripts to emulate the Amiibo NFC adapter and to sniff IR data.

    https://github.com/HubSteven/3ds_ir
    It should work with every USB or RS232 IRda adapter
     
    Last edited by steven96, Oct 17, 2019
  8. BlackZero500

    BlackZero500 GBAtemp Regular

    Member
    1
    Mar 11, 2017
    Gambia, The
    Bavaria
    Hey there, just confirming, this wouldnt Work with the New 3DS would it?
     
  9. steven96
    OP

    steven96 Newbie

    Newcomer
    1
    May 13, 2019
    Netherlands
    Nope, only the original 3ds, 2ds and 3dsxl
     
    Tarmfot likes this.
  10. wafflaffle

    wafflaffle Newbie

    Newcomer
    1
    Oct 18, 2019
    United States
    Excited to hear how this pans out! It would be pretty useful on Smash 3DS
     
  11. BlackZero500

    BlackZero500 GBAtemp Regular

    Member
    1
    Mar 11, 2017
    Gambia, The
    Bavaria
    Well its a shame. Amiboo-stickers it is then.
     
  12. StopLight

    StopLight Member

    Newcomer
    1
    Apr 21, 2019
    United States
    I think that's right. New 3DS won't look for the NFC reader via infrared since the NFC reader is built in. But a homebrew app should be able to run on either a New or Old 3DS. You should be able to use an New 3DS to send the signals to the old 3DS/XL/2DS via infrared.

    This just made me wonder: Has anyone tried to create a homebrew app that turns a New 3DS into a NFC reader for the Old 3DS? I.e. physically scan an Amiibo on the New 3DS and it acts like an NFC Reader to send signal to Old 3DS.
     
  13. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    19
    GBAtemp Patron
    The Real Jdbye is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    Mar 17, 2010
    Norway
    Alola
    No one has quite figured out how to directly send/receive data through IR yet to my knowledge. Also, it may be a receiver only, don't know.
     
  14. Ammako

    Ammako I like cake.

    Member
    11
    Dec 22, 2009
    Antarctica
    Stupid question, but given that N3DS can boot O3DS firmware, could O3DS nfc module potentially be made to work on N3DS, enabling the use of IR for amiibo spoofing?

    It's both, certain games can communicate via IR.
     
    Last edited by Ammako, Oct 24, 2019
  15. BlackZero500

    BlackZero500 GBAtemp Regular

    Member
    1
    Mar 11, 2017
    Gambia, The
    Bavaria
    its an interesting idea, but how useful would it really be to emulate an NFC/AMIIBO Reader on N3ds to read from O3ds?
     
  16. Mr.Faq2015

    Mr.Faq2015 /ˈmɪstə ˈfæk/

    Member
    5
    Oct 24, 2015
    Argentina
    Rhizome 9
    No need to buy the adapter if you already have a n3ds aside from the o3ds (my case :P).
    I look forward to this, the ability to use dumps rather than buying cards or the figures themselves is more than welcomed
     
    Last edited by Mr.Faq2015, Oct 24, 2019
    Ammako likes this.
  17. BlackZero500

    BlackZero500 GBAtemp Regular

    Member
    1
    Mar 11, 2017
    Gambia, The
    Bavaria
    Oh. You are Perfectly right. Absolutly neglected the fact that some people have the N3ds and the O3ds. I Sold my O3ds after i bought an N3ds. Why still have both. Well One reason right here i guess ^^
     
  18. steven96
    OP

    steven96 Newbie

    Newcomer
    1
    May 13, 2019
    Netherlands
    I'm pretty sure that will indeed work, I don't have a new 3ds to test this though
     
  19. gohan123

    gohan123 GBAtemp Regular

    Member
    6
    Dec 26, 2012
    Germany
    could something like this work with android phones with an ir blaster?
     
  20. steven96
    OP

    steven96 Newbie

    Newcomer
    1
    May 13, 2019
    Netherlands
    It would, but only if the ir blaster has a receiver and transmitter. The receiver also shouldn't have a demodulator at 36~38kHz but rather directly send the ir pulses to the phone. Unfortunately most ir blasters have this demod because ir remotes use this frequency to modulate their ir data.
     
    Last edited by steven96, Oct 27, 2019
Quick Reply
Draft saved Draft deleted
Loading...