Writing your own data to a Nintendo Amiibo NFC toy

As discussed in the case study, by knowing the algorithm used to set the write password (PWD), we can interoperably write our own data to an Amiibo NFC toy. Read "New interoperability for Nintendo Amiibo NFC toys" for details on the algorithm, and a demonstration video showing it in use.

By request, this page documents a workflow similar to the demo video, using standard software available on any Mac or Linux computer.

Prerequisites

You'll need libnfc. The last stable release, 1.7.1, is fine. Linux users should be able to install it using their package manager. Mac users may be able to use macports or homebrew, or compile it natively.

You'll also need a libnfc-supported NFC reader. These examples used the Identiv SCL3711.

You'll need to compile ulread, the open source utility to read and write NTAG215 tags. Mac users who compiled libnfc natively can compile ulread with COPT="-I$HOME/include -L$HOME/lib" make.

You'll need the pwd215.py Python 2 program, which is an example implementation of the key generation algorithm, listed in "New interoperability for Nintendo Amiibo NFC toys".

Identifying an Amiibo NFC toy

Here's the output of the libnfc standard tool, nfc-list, when run against the "Duck Hunt" figure used in the demo. (This is the same as for any NTAG215 tag.)

nfc-list 
nfc-list uses libnfc 1.7.1
NFC device: SCM Micro / SCL3711-NFC&RW opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  44  
       UID (NFCID1): 04  52  d7  52  01  49  81  
      SAK (SEL_RES): 00  

An ATQA of 00 44 with an SAK of 00 is what a Nintendo Amiibo NFC toy reports (as noted above, so does any NTAG215 tag).

The UID of this figure is 04 52 d7 52 01 49 81.

Generating the PWD for an Amiibo NFC toy

Pass the UID to the pwd215.py program:

./pwd215.py 0452d752014981
aa83b1d5

That is the PWD needed to write to the Amiibo NFC toy, generated algorithmically instead of by sniffing.

Reading the data from an Amiibo NFC toy

Read the contents of the tag using the ulread tool, using the generated PWD, saving it into duckhunt-dump.bin. (This is the same as for any NTAG215 tag.)

./ulread > duckhunt-dump.bin
Detected Ultralight
 - UID: 04 52 D7 52 01 49 81
 - Model: NTAG215
 - 135 pages (540 bytes)
 - 2 write-only password pages (8 bytes)
Reading 133 pages starting at page 00

Convert the dump to hex to view it, using the standard Unix tool xxd.

xxd -c 4 -ps duckhunt-dump.bin 

(This is similar to the data we saw on the toy in the case study.)

Extract the 428 writable bytes from the hex output and evaluate them, using the standard Unix sed, xxd and file tools.

xxd -c 4 -ps duckhunt-dump.bin | sed -n -e 5,13p -e 33,130p | xxd -r -ps > duckhunt-428.bin
file duckhunt-428.bin
duckhunt-428.bin: data

Since this is the encrypted gameplay data from the toy, it's just "data", and we can't do anything further with it.

Writing our own data to an Amiibo NFC toy

Create your own data to write, up to 428 bytes, and save it. For example, this is similar text to the demo video, saved as nfctoys-ami.txt.


nfc.toys

Previously, only Nintendo hardware and games had the ability to write data to Amiibo NFC toys.

(Reading standard features like UID, ATQA, and SAK was always possible, and reading the encrypted data was also.)

Now, with the algorithm for the password (PWD), Amiibo NFC figures are able to interoperate with other hardware and software, and can be used to store any data at all.

nfc.toys

(Because we're going to write this content as-is, if it's less than 428 bytes, we should pad it out to that using spaces or null characters, to make sure we completely overwrite any old content on the figure.)

As the writable pages on the Amiibo NFC toy are split into two parts, one 36 bytes, one 392 bytes, split your data into two parts also, using the standard Unix tools head and tail.

head -c 36 nfctoys-ami.txt > nfctoys-ami.36
tail -c+37 nfctoys-ami.txt > nfctoys-ami.392

Write the contents of each file using the ulwrite tool, using the generated PWD. (This is the same as for any NTAG215 tag.)

cat nfctoys-ami.36 | ./ulwrite -s 4 -c 9 -k aa83b1d5
Detected Ultralight
 - UID: 04 52 D7 52 01 49 81
 - Model: NTAG215
 - 135 pages (540 bytes)
 - 2 write-only password pages (8 bytes)
Writing 9 pages starting at page 0x04 (lenient: false)
cat nfctoys-ami.392 | ./ulwrite -s 32 -c 98 -k aa83b1d5
Detected Ultralight
 - UID: 04 52 D7 52 01 49 81
 - Model: NTAG215
 - 135 pages (540 bytes)
 - 2 write-only password pages (8 bytes)
Writing 98 pages starting at page 0x20 (lenient: false)
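
The padding and splitting steps above, modelled in Python as an added example (not part of the original page, and not code from ulread or ulwrite). It pads a payload to 428 bytes, splits it across the two writable regions the ulwrite commands target (pages 4-12 and 32-129), and checks on an in-memory image that nothing outside those regions changes. The function names and the sample image are constructed for illustration.

```python
# Added example: models the NTAG215 page layout used by the commands above.
PAGE = 4                        # bytes per page
REGIONS = [(4, 9), (32, 98)]    # (start page, page count), as in ulwrite -s/-c
CAPACITY = sum(count for _, count in REGIONS) * PAGE   # 428 bytes


def prepare(payload, pad=b"\x00"):
    """Pad payload to CAPACITY and split it into one chunk per region."""
    if len(payload) > CAPACITY:
        raise ValueError("payload is %d bytes, limit is %d" % (len(payload), CAPACITY))
    padded = payload.ljust(CAPACITY, pad)   # overwrite all old content
    chunks, offset = [], 0
    for start, count in REGIONS:
        size = count * PAGE
        chunks.append((start, count, padded[offset:offset + size]))
        offset += size
    return chunks


def extract(dump):
    """Return the writable bytes of a dump (what sed -e 5,13p -e 33,130p selects)."""
    return b"".join(dump[s * PAGE:(s + n) * PAGE] for s, n in REGIONS)


def overlay(dump, chunks):
    """Apply the chunks to an in-memory copy of a dump, like the two ulwrite calls."""
    image = bytearray(dump)
    for start, _count, data in chunks:
        image[start * PAGE:start * PAGE + len(data)] = data
    return bytes(image)


if __name__ == "__main__":
    # Constructed sample: a 133-page image filled with 0xEE and a short payload.
    old = bytes([0xEE]) * (133 * PAGE)
    text = b"nfc.toys\n\nconstructed sample payload\n"
    chunks = prepare(text, pad=b" ")
    for start, count, data in chunks:
        print("ulwrite -s %d -c %d  <- %d bytes" % (start, count, len(data)))
    new = overlay(old, chunks)
    assert extract(new).rstrip(b" ") == text           # round trip
    assert new[:4 * PAGE] == old[:4 * PAGE]             # pages 0-3 untouched
    assert new[13 * PAGE:32 * PAGE] == old[13 * PAGE:32 * PAGE]   # pages 13-31
    assert new[130 * PAGE:] == old[130 * PAGE:]         # pages 130 and up
```

Writing each chunk returned by prepare() to a file gives the same two inputs that head and tail produce above, already padded to the full 428 bytes.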

Read the data back out to verify it, using ulread, sed, xxd, file, and cat. (This is the same as for any NTAG215 tag.)

./ulread | xxd -c 4 -ps | sed -n -e 5,13p -e 33,130p | xxd -r -ps > duckhunt-verify.bin
Detected Ultralight
 - UID: 04 52 D7 52 01 49 81
 - Model: NTAG215
 - 135 pages (540 bytes)
 - 2 write-only password pages (8 bytes)
Reading 133 pages starting at page 00
file duckhunt-verify.bin 
duckhunt-verify.bin: ASCII English text
cat duckhunt-verify.bin 
nfc.toys

Previously, only Nintendo hardware and games had the ability to write data to Amiibo NFC toys.

(Reading standard features like UID, ATQA, and SAK was always possible, and reading the encrypted data was also.)

Now, with the algorithm for the password (PWD), Amiibo NFC figures are able to interoperate with other hardware and software, and can be used to store any data at all.

nfc.toys

Restore the original contents of the toy using ulwrite. (This is the same as for any NTAG215 tag.)

cat duckhunt-dump.bin | ./ulwrite -l -k aa83b1d5
Detected Ultralight
 - UID: 04 52 D7 52 01 49 81
 - Model: NTAG215
 - 135 pages (540 bytes)
 - 2 write-only password pages (8 bytes)
Writing 135 pages starting at page 0x00 (lenient: true)
* Error writing page 0x00 (2) *
* Error writing page 0x01 (2) *
* Error writing page 0x03 (2) *
* Error writing page 0x0D (2) *
* Error writing page 0x0E (2) *
* Error writing page 0x0F (2) *
* Error writing page 0x10 (2) *
* Error writing page 0x11 (2) *
* Error writing page 0x12 (2) *
* Error writing page 0x13 (2) *
* Error writing page 0x14 (2) *
* Error writing page 0x15 (2) *
* Error writing page 0x16 (2) *
* Error writing page 0x17 (2) *
* Error writing page 0x18 (2) *
* Error writing page 0x19 (2) *
* Error writing page 0x1A (2) *
* Error writing page 0x1B (2) *
* Error writing page 0x1C (2) *
* Error writing page 0x1D (2) *
* Error writing page 0x1E (2) *
* Error writing page 0x1F (2) *
* Error writing page 0x83 (2) *
* Error writing page 0x84 (2) *
* End of input stream *