Writing your own data to a Nintendo Amiibo NFC toy

As discussed in the case study, knowing the algorithm used to set the write password (PWD) lets us interoperably write our own data to an Amiibo NFC toy. Read "New interoperability for Nintendo Amiibo NFC toys" for details on the algorithm and a demonstration video showing it in use.

By request, this page documents a workflow similar to the demo video, using standard software available on any Mac or Linux computer.

Use at your own risk! Consider writing your own data only to toys you no longer wish to use with the game.

Prerequisites

You'll need libnfc. The last stable release, 1.7.1, is fine. Linux users should be able to install it using their package manager. Mac users may be able to use macports or homebrew, or compile it natively.

You'll also need a libnfc-supported NFC reader. These examples used the Identiv SCL3711.

You'll need to compile ulread, the open source utility to read and write NTAG215 tags. Mac users who compiled libnfc natively can compile ulread with:

    COPT="-I$HOME/include -L$HOME/lib" make

You'll need the pwd215.py Python 2 program, which is an example implementation of the key generation algorithm, listed in "New interoperability for Nintendo Amiibo NFC toys".

Identifying an Amiibo NFC toy

Here's the output of the libnfc standard tool, nfc-list, when run against the "Duck Hunt" figure used in the demo. (This is the same as for any NTAG215 tag.)

    nfc-list
    nfc-list uses libnfc 1.7.1
    NFC device: SCM Micro / SCL3711-NFC&RW opened
    1 ISO14443A passive target(s) found:
    ISO/IEC 14443A (106 kbps) target:
        ATQA (SENS_RES): 00 44
           UID (NFCID1): 04 52 d7 52 01 49 81
          SAK (SEL_RES): 00

An ATQA of 00 44 with an SAK of 00 means a Nintendo Amiibo NFC toy.

The UID of this figure is 04 52 d7 52 01 49 81.

Generating the PWD for an Amiibo NFC toy

Pass the UID to the pwd215.py program:

    ./pwd215.py 0452d752014981
    aa83b1d5

That is the PWD necessary to write to the Amiibo NFC toy, generated algorithmically, instead of sniffing.

Reading the data from an Amiibo NFC toy

Read the contents of the tag using the ulread tool, using the generated PWD, saving it into duckhunt-dump.bin. (This is the same as for any NTAG215 tag.)

    ./ulread > duckhunt-dump.bin
    Detected Ultralight
    - UID: 04 52 D7 52 01 49 81
    - Model: NTAG215
    - 135 pages (540 bytes)
    - 2 write-only password pages (8 bytes)
    Reading 133 pages starting at page 00

Convert the dump to hex to view it, using the standard Unix tool xxd.

    xxd -c 4 -ps duckhunt-dump.bin

(This is similar to the data we saw on the toy in the case study.)

Save the hex output to duckhunt-dump.txt, then extract the 428 writable bytes from it and evaluate them, using the standard Unix sed, xxd and file tools.

    xxd -c 4 -ps duckhunt-dump.bin > duckhunt-dump.txt
    sed -n -e 5,13p -e 33,130p duckhunt-dump.txt | xxd -r -ps > duckhunt-428.bin
    file duckhunt-428.bin
    duckhunt-428.bin: data

Since this is the encrypted gameplay data from the toy, it's just "data", and we can't do anything further with it.

Writing our own data to an Amiibo NFC toy

Create your own data to write, up to 428 bytes, and save it. For example, this text, similar to the one in the demo video, is saved as nfctoys-ami.txt.

nfc.toys Previously, only Nintendo hardware and games had the ability to write data to Amiibo NFC toys. (Reading standard features like UID, ATQA, and SAK was always possible, and reading the encrypted data was also.) Now, with the algorithm for the password (PWD), Amiibo NFC figures are able to interoperate with other hardware and software, and can be used to store any data at all. nfc.toys

(Because we're going to write this content as-is, if it's less than 428 bytes, we should pad it out to 428 bytes using spaces or null characters, to make sure we completely overwrite any old content on the figure.)

As the writable pages on the Amiibo NFC toy are split into two parts, one of 36 bytes and one of 392 bytes, split your data into two parts as well, using the standard Unix tools head and tail.

    head -c 36 nfctoys-ami.txt > nfctoys-ami.36
    tail -c+37 nfctoys-ami.txt > nfctoys-ami.392

Write the contents of each file using the ulwrite tool, using the generated PWD. (This is the same as for any NTAG215 tag.)

    cat nfctoys-ami.36 | ./ulwrite -s 4 -c 9 -k aa83b1d5
    Detected Ultralight
    - UID: 04 52 D7 52 01 49 81
    - Model: NTAG215
    - 135 pages (540 bytes)
    - 2 write-only password pages (8 bytes)
    Writing 9 pages starting at page 0x04 (lenient: false)

    cat nfctoys-ami.392 | ./ulwrite -s 32 -c 98 -k aa83b1d5
    Detected Ultralight
    - UID: 04 52 D7 52 01 49 81
    - Model: NTAG215
    - 135 pages (540 bytes)
    - 2 write-only password pages (8 bytes)
    Writing 98 pages starting at page 0x20 (lenient: false)

Read the data back out to verify it, using ulread, sed, xxd, file, and cat. (This is the same as for any NTAG215 tag.)

    ./ulread | xxd -c 4 -ps | sed -n -e 5,13p -e 33,130p | xxd -r -ps > duckhunt-verify.bin
    Detected Ultralight
    - UID: 04 52 D7 52 01 49 81
    - Model: NTAG215
    - 135 pages (540 bytes)
    - 2 write-only password pages (8 bytes)
    Reading 133 pages starting at page 00

    file duckhunt-verify.bin
    duckhunt-verify.bin: ASCII English text

    cat duckhunt-verify.bin
    nfc.toys Previously, only Nintendo hardware and games had the ability to write data to Amiibo NFC toys. (Reading standard features like UID, ATQA, and SAK was always possible, and reading the encrypted data was also.) Now, with the algorithm for the password (PWD), Amiibo NFC figures are able to interoperate with other hardware and software, and can be used to store any data at all. nfc.toys
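The padding, splitting and read-back comparison described above, as an added shell example that is not part of the original page or of the ulread project. The function names and the PREFIX.428 intermediate file are assumptions; the page offsets and counts are the ones this page uses.

```sh
#!/bin/sh
# Added example (not from the original page). Layout values are the page's:
# 4-byte pages, writable regions at pages 4-12 and 32-129.
PAGE=4
A_START=4;  A_PAGES=9     # 36 bytes  (ulwrite -s 4 -c 9)
B_START=32; B_PAGES=98    # 392 bytes (ulwrite -s 32 -c 98)
A_BYTES=$((A_PAGES * PAGE))
TOTAL=$(((A_PAGES + B_PAGES) * PAGE))   # 428

# pad_and_split SRC PREFIX  (hypothetical helper)
# NUL-pad SRC to exactly 428 bytes, then write PREFIX.428, PREFIX.36, PREFIX.392.
# Refuses input larger than the writable area instead of silently truncating it.
pad_and_split() {
    src=$1; prefix=$2
    size=$(wc -c < "$src" | tr -d ' ')
    if [ "$size" -gt "$TOTAL" ]; then
        echo "payload is $size bytes; writable area is $TOTAL" >&2
        return 1
    fi
    { cat "$src"; head -c "$TOTAL" /dev/zero; } | head -c "$TOTAL" > "$prefix.428"
    head -c "$A_BYTES" "$prefix.428" > "$prefix.36"
    tail -c +"$((A_BYTES + 1))" "$prefix.428" > "$prefix.392"
}

# extract_writable DUMP OUT  (hypothetical helper)
# Pull the same two regions out of a raw ulread dump by page offset
# (equivalent to the sed line ranges 5-13 and 33-130 applied to the hex text).
extract_writable() {
    dump=$1; out=$2
    {
        dd if="$dump" bs="$PAGE" skip="$A_START" count="$A_PAGES" 2>/dev/null
        dd if="$dump" bs="$PAGE" skip="$B_START" count="$B_PAGES" 2>/dev/null
    } > "$out"
}

# show_write_cmds PREFIX PWD_HEX  (hypothetical helper)
# Print (do not run) the two ulwrite invocations for a prepared payload.
show_write_cmds() {
    echo "cat $1.36 | ./ulwrite -s $A_START -c $A_PAGES -k $2"
    echo "cat $1.392 | ./ulwrite -s $B_START -c $B_PAGES -k $2"
}
```

After writing, running extract_writable on a fresh ulread dump and comparing the result against PREFIX.428 with cmp checks every writable byte, including the padding.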

Restore the original contents of the toy using ulwrite. (This is the same as for any NTAG215 tag.)