1. steven96

    OP steven96 Newbie
    Newcomer

    Joined:
    May 13, 2019
    Messages:
    5
    Country:
    Netherlands
    When trying to buy a 3ds NFC reader/writer (used for amiibo) for my original 3ds I noticed that these things are becoming kinda rare and expensive; eventually I found one cheap and bought it.

    After a while I decided to reverse engineer the nfc reader so other people can still use amiibo on their original 3DS, 2DS and 3DS XL without buying the expensive nfc reader.
    I started by looking at existing documentation on the infrared protocol used between the 3ds and the reader; turns out there is already some work done on the most basic aspects of the protocol on the 3dbrew wiki.
    Although this explained some aspects of the encryption used by the 3ds during ir transmitting and receiving, it still doesn't explain a lot of other things going on.
    To discover this I used an IrDA USB adapter to sniff the infrared data between the reader and the 3DS.

    I then XOR-decrypted the data coming in from the IrDA USB adapter using Python. After a lot of work I discovered how the 3ds talks to the NFC reader and I managed to emulate the read and write capability of the NFC reader/writer by using just the IrDA adapter and a Python script that I wrote.
    By using my Python script, amiibo .bin files (can easily be downloaded from the web) can directly be used and sent to the 3ds over ir (no need to decrypt the amiibo binary).
    Demonstration:

    When reverse engineering I found out some interesting things about the 3ds handling amiibo data:
    Every NFC tag has a unique ID and originality signature that can be used to verify that the tag is original. The Wii U and Switch perform this verification, however, the original 3DS does not do this, despite the nfc reader still sending the signature. Turns out you can send any random signature and the 3DS won't attempt to validate it.
    It's also interesting to see that the UID is sent twice during an NFC data dump packet by the reader. The first UID in the packet is used by the 3DS to, for example, check if the same amiibo is placed back on the nfc reader when writing to it. The first UID is also used to trigger a limit count in some games (to prevent a user from using the same amiibo over and over on the same day). Since the 3DS doesn't care about the originality signature, the first UID can be randomized to trick the 3DS into thinking that a new amiibo is being used. This will stop the limit counter from counting and you can endlessly use the same amiibo.
    The first UID in the packet won't be compared to the second UID by the 3DS. This second UID is part of the whole data dump of the NFC tag. This means that randomizing the first UID, and therefore differing from the UID in the data dump, won't be an issue. This also means that the nfc data doesn't have to be re-encrypted with the new UID. A similar bug has also been found in the Wii U and Switch by James Chambers. Apparently this has been fixed on the Switch.

    I will eventually post more detailed info on the packets being sent by the 3ds and nfc reader when I have more time. I will also post the Python script I made to emulate the nfc reader, but the code still needs some cleaning and testing.

    Btw, I am aware that there is a Chinese nfc amiibo reader emulator on the market by jys; however, I was not able to find it anywhere for sale anymore.
     
    Last edited: May 13, 2019
    Rahkeesh, oji, Quantumcat and 9 others like this.
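    The OP describes two UIDs in the reader's dump packet that the original 3DS never compares. The following is an added example (not the OP's script and not from the 3dbrew wiki) of the consistency check a verifier could apply: extract the UID stored in the tag dump itself, validate its check bytes, and compare it with the UID announced at the head of the packet. The NTAG215 page layout (UID0-2/BCC0 in page 0, UID3-6 in page 1, BCC1 in page 2) is standard; the sample UID and dump are constructed here for illustration.

    ```python
    # Added example: detect a mismatch between the announced UID and the UID
    # embedded in an NTAG215-style dump. Not part of the OP's code.

    CASCADE_TAG = 0x88  # ISO/IEC 14443-3 cascade tag, folded into BCC0 for 7-byte UIDs
    NTAG215_DUMP_LEN = 540  # 135 pages * 4 bytes, the usual amiibo .bin size


    def uid_from_dump(dump: bytes) -> bytes:
        """Return the 7-byte UID stored in pages 0-1, verifying BCC0 and BCC1."""
        if len(dump) < 9:
            raise ValueError("dump too short to contain the UID pages")
        uid0, uid1, uid2, bcc0 = dump[0:4]
        uid3, uid4, uid5, uid6 = dump[4:8]
        bcc1 = dump[8]
        if bcc0 != CASCADE_TAG ^ uid0 ^ uid1 ^ uid2:
            raise ValueError("BCC0 mismatch: UID page 0 inconsistent")
        if bcc1 != uid3 ^ uid4 ^ uid5 ^ uid6:
            raise ValueError("BCC1 mismatch: UID page 1 inconsistent")
        return bytes([uid0, uid1, uid2, uid3, uid4, uid5, uid6])


    def announced_uid_matches_dump(announced_uid: bytes, dump: bytes) -> bool:
        """The comparison the thread says the original 3DS skips: header UID vs dump UID."""
        try:
            return announced_uid == uid_from_dump(dump)
        except ValueError:
            return False  # a dump whose UID pages fail their check bytes is rejected too


    def make_dump(uid: bytes) -> bytes:
        """Constructed NTAG215-shaped dump: real UID/BCC pages, zeroed payload."""
        if len(uid) != 7:
            raise ValueError("NTAG215 UIDs are 7 bytes")
        bcc0 = CASCADE_TAG ^ uid[0] ^ uid[1] ^ uid[2]
        bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
        head = uid[0:3] + bytes([bcc0]) + uid[3:7] + bytes([bcc1])
        return head + bytes(NTAG215_DUMP_LEN - len(head))


    # Constructed sample: an NXP-style UID (0x04 manufacturer byte) and its dump.
    SAMPLE_UID = bytes.fromhex("04123456789abc")
    SAMPLE_DUMP = make_dump(SAMPLE_UID)
    ```
    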
  2. Shadow#1

    Shadow#1 Wii & 3DS Softmod Expert
    Member

    Joined:
    Nov 21, 2005
    Messages:
    6,875
    Country:
    United States
    Very interesting dude
     
  3. Tarmfot

    Tarmfot GBAtemp Regular
    Member

    Joined:
    Dec 12, 2015
    Messages:
    155
    Country:
    Montserrat
    Great!
     
  4. wirelleus

    wirelleus Newbie
    Newcomer

    Joined:
    Apr 30, 2019
    Messages:
    2
    Country:
    Brazil
    Oh, cool! I'm eagerly waiting for the emulator
     
  5. StopLight

    StopLight Member
    Newcomer

    Joined:
    Apr 21, 2019
    Messages:
    28
    Country:
    United States
    Frankly, I'm surprised this wasn't done years ago in the heyday of the 3DS. It's shocking that the community settled for faking the NFC chips (which can be expensive) instead of faking the IR signal. Granted, this won't work for the Switch and Wii U, but in the days before the Switch this would have been one of the top homebrew applications.

    All of the required Amiibo data was captured years ago, and there are many devices that can send the IR signal and verify the handshake of that data: GameBoy Color, GB Advance, another 3DS/2DS, Wii U gamepad, Android smartphones, etc... Basically, anything with a screen and an IR blaster would work as long as you can load a program on to it. The device doesn't need to read NFC chips when it already contains a database of all the possible information. The challenge is figuring out how to replicate the handshake, which shouldn't be that complicated relative to all of the other things on the system that have been cracked.

    The homebrew app wouldn't need to be very fancy. Just a simple list of all the Amiibos, you select one, then the device sends the signal and looks for the handshake. Once the homebrew works for one device, it could "easily" be ported to others; the app should at least run on 3DS/2DS, Wii U, and smartphone. The app probably would not even require updates for its Amiibo database because I seriously doubt Nintendo is going to update their old 3DS games to recognize any future Amiibos.

    Hell, I can't believe a Chinese company never built a remote control-like device with a cheap LCD screen and an IR blaster that does this; I totally would have bought one if they did. I would still use such an app. I hope it happens. Like the OP said, better late than never.
     
    Tarmfot and Ammako like this.
  6. QuazaRayy

    QuazaRayy elite hackerman
    Member

    Joined:
    Feb 3, 2019
    Messages:
    109
    Country:
    United Kingdom
    how do i do this.
     
  7. steven96

    OP steven96 Newbie
    Newcomer

    Joined:
    May 13, 2019
    Messages:
    5
    Country:
    Netherlands
    Finally had some time to write some documentation about the IR protocol on the NFC adapter page on the 3dbrew wiki. It's still not finished but uploaded most of it anyway.
    Also uploaded the python scripts to emulate the Amiibo NFC adapter and to sniff IR data.

    https://github.com/HubSteven/3ds_ir
    It should work with every USB or RS232 IrDA adapter.
     
    Last edited: Oct 17, 2019
  8. BlackZero500

    BlackZero500 GBAtemp Regular
    Member

    Joined:
    Mar 11, 2017
    Messages:
    108
    Country:
    Gambia, The
    Hey there, just confirming, this wouldn't work with the New 3DS, would it?
     
  9. steven96

    OP steven96 Newbie
    Newcomer

    Joined:
    May 13, 2019
    Messages:
    5
    Country:
    Netherlands
    Nope, only the original 3ds, 2ds and 3dsxl
     
    Tarmfot likes this.
  10. wafflaffle

    wafflaffle Newbie
    Newcomer

    Joined:
    Oct 18, 2019
    Messages:
    7
    Country:
    United States
    Excited to hear how this pans out! It would be pretty useful on Smash 3DS
     
  11. BlackZero500

    BlackZero500 GBAtemp Regular
    Member

    Joined:
    Mar 11, 2017
    Messages:
    108
    Country:
    Gambia, The
    Well, it's a shame. Amiibo stickers it is then.
     
  12. StopLight

    StopLight Member
    Newcomer

    Joined:
    Apr 21, 2019
    Messages:
    28
    Country:
    United States
    I think that's right. New 3DS won't look for the NFC reader via infrared since the NFC reader is built in. But a homebrew app should be able to run on either a New or Old 3DS. You should be able to use a New 3DS to send the signals to the old 3DS/XL/2DS via infrared.

    This just made me wonder: Has anyone tried to create a homebrew app that turns a New 3DS into a NFC reader for the Old 3DS? I.e. physically scan an Amiibo on the New 3DS and it acts like an NFC Reader to send signal to Old 3DS.
     
  13. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08
    Member

    Joined:
    Mar 17, 2010
    Messages:
    18,596
    Country:
    Norway
    No one has quite figured out how to directly send/receive data through IR yet to my knowledge. Also, it may be a receiver only, don't know.
     
  14. Ammako

    Ammako I like cake.
    Member

    Joined:
    Dec 22, 2009
    Messages:
    6,635
    Country:
    Antarctica
    Stupid question, but given that N3DS can boot O3DS firmware, could O3DS nfc module potentially be made to work on N3DS, enabling the use of IR for amiibo spoofing?

    It's both, certain games can communicate via IR.
     
    Last edited: Oct 24, 2019
  15. BlackZero500

    BlackZero500 GBAtemp Regular
    Member

    Joined:
    Mar 11, 2017
    Messages:
    108
    Country:
    Gambia, The
    It's an interesting idea, but how useful would it really be to emulate an NFC/Amiibo reader on N3DS to read from O3DS?
     
  16. Mr.Faq2015

    Mr.Faq2015 /ˈmɪstə ˈfæk/
    Member

    Joined:
    Oct 24, 2015
    Messages:
    257
    Country:
    Argentina
    No need to buy the adapter if you already have an N3DS aside from the O3DS (my case :P).
    I look forward to this; the ability to use dumps rather than buying cards or the figures themselves is more than welcome.
     
    Last edited: Oct 24, 2019
    Ammako likes this.
  17. BlackZero500

    BlackZero500 GBAtemp Regular
    Member

    Joined:
    Mar 11, 2017
    Messages:
    108
    Country:
    Gambia, The
    Oh. You are perfectly right. Absolutely neglected the fact that some people have the N3DS and the O3DS. I sold my O3DS after I bought an N3DS. Why still have both? Well, one reason right here I guess ^^
     
  18. steven96

    OP steven96 Newbie
    Newcomer

    Joined:
    May 13, 2019
    Messages:
    5
    Country:
    Netherlands
    I'm pretty sure that will indeed work, I don't have a new 3ds to test this though
     
  19. gohan123

    gohan123 GBAtemp Regular
    Member

    Joined:
    Dec 26, 2012
    Messages:
    266
    Country:
    Germany
    could something like this work with android phones with an ir blaster?
     
  20. steven96

    OP steven96 Newbie
    Newcomer

    Joined:
    May 13, 2019
    Messages:
    5
    Country:
    Netherlands
    It would, but only if the ir blaster has a receiver and transmitter. The receiver also shouldn't have a demodulator at 36~38kHz but rather directly send the ir pulses to the phone. Unfortunately most ir blasters have this demod because ir remotes use this frequency to modulate their ir data.
     
    Last edited: Oct 27, 2019