Emulating Amiibo’s with a Proxmark 3

In this post I will share the process I went through to emulate Amiibo’s with a Proxmark 3. For this the following things are required: 

Create a new folder and put Samy K’s script and the amiibo bin file in there. To be able to run the script you’ll need to make it executable. This can be done by using the following command: chmod +x mfu2bineml. After making the script executable you can use it to create an eml file that can be used by the Proxmark. To do this use the following command: ./mfu2bineml <put_amiibo_name_here>.bin > amiibo.eml. I found that the Proxmark client dislikes spaces in filenames so it is recommended to not use them in the filenames. 

An example of the script output can be found below: 

user@ubuntu-vm:~/Desktop/amiibo$ ./mfubin2eml Champion\ Mipha.bin > amiibo.eml

Character / info: 01 07 00 00 03 5a 09 02
Game : 010 The Legend of Zelda
Character: 7 --
Variation: 00 --
Type : 00 Figure
Amiibo : 035a The Legend of Zelda
Series : 09 The Legend Of Zelda
Last : 02 (should be 02)


Looks like encrypted file but setting preventing us from decrypting
Does not contain header, adding
UID: 04c25292aa5280
PWD: 00000000

hf mf eload u Champion Mipha.bin
hf 14a sim t 7 u 04C25292AA5280

The last part of the script will tell you what commands to use in the Proxmark client to load the eml file and emulate/simulate the Amiibo. Because I love tool output here is the output from the Proxmark client: 

pm3 --> hf mf eload u /home/user/Desktop/amiibo/amiibo
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………
[+] Loaded 255 blocks from file: /home/user/Desktop/amiibo/amiibo.eml
pm3 --> hf 14a sim t 7 u 04C25292AA5280
[+] Emulating ISO/IEC 14443 type A tag with 7 byte UID (04 C2 52 92 AA 52 80 )
[+] press pm3-button to abort simulation

And here is a video demonstration of the Amiibo emulation. 

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.