How to emulate/simulate Amiibo with a Proxmark 3 Easy

In this post I will explain how to use a Proxmark 3 Easy to emulate an Amiibo. I have updated this post on the 19th of May 2023.

About the Proxmark 3 Easy

The Proxmark 3 Easy was designed and manufactured by Elechouse as a lower-cost alternative to the Proxmark RDV2 and therefore lacks some of the more advanced features. However, it is still capable of much of the same and is readily available from Chinese sellers for a decent price, making it an interesting option for getting familiar with RFID. Please note that the Proxmark 3 Easy is now obsolete and superseded by the Proxmark 3 RDV 4 and the Proxmark EVO, so if you are looking for the latest and greatest, the Easy is not really recommended.


The process of emulating an Amiibo is fairly straightforward, and I would argue that getting the Proxmark and client working on your machine is the hardest part. As we are using a 256k version of the Proxmark Easy, there are some advanced compile options that need setting, but everything is explained in the installation guide. Below is a copy of my Makefile.platform file, confirmed working on the 19th of May 2023.

# If you want to use it, copy this file as Makefile.platform and adjust it to your needs
# Run 'make PLATFORM=' to get an exhaustive list of possible parameters for this file.

#PLATFORM=PM3RDV4
#PLATFORM=PM3GENERIC
# If you want more than one PLATFORM_EXTRAS option, separate them by spaces:
#PLATFORM_EXTRAS=BTADDON
#PLATFORM_EXTRAS=FLASH
#PLATFORM_EXTRAS=BTADDON FLASH
#STANDALONE=LF_SAMYRUN

# Uncomment the lines below in order to make a 256KB image
# and comment out the lines above

PLATFORM=PM3GENERIC
PLATFORM_SIZE=256
#STANDALONE=
SKIP_HITAG=1
SKIP_LEGICRF=1
SKIP_FELICA=1
SKIP_EM4x50=1
SKIP_HFPLOT=1
SKIP_ISO14443b=1
SKIP_NFCBARCODE=1
SKIP_ZX8211=1
SKIP_LF=1

# To accelerate repetitive compilations:
# Install package "ccache" -> Debian/Ubuntu: /usr/lib/ccache, Fedora/CentOS/RHEL: /usr/lib64/ccache
# And uncomment the following line
#export PATH := /usr/lib64/ccache:/usr/lib/ccache:${PATH}

# To install with sudo:
INSTALLSUDO=sudo

Convert the Amiibo

To be able to use the Amiibo with the Proxmark, it needs to be converted to an emulator file (.eml). This is done with a tool called pm3_amii_bin2eml, which can be found in the tools directory inside the Proxmark repo. The command I used and the tool output are shown below.

$ tools/pm3_amii_bin2eml.pl ~/projects/amiibo/bokoblin.bin > bokoblin.eml

Character / info: 01 41 00 00 03 5c 09 02
Game     :  014 Breath of the Wild
Character:    1 --
Variation:   00 --
Type     :   00 Figure
Amiibo   : 035c The Legend of Zelda
Series   :   09 The Legend Of Zelda
Last     :   02 (should be 02)

Looks like encrypted file but setting preventing us from decrypting
PWD is blank, recalculating
ACK is blank, fixing
Does not contain header, adding
UID: 0480c72aea4c80
PWD: 0078cc3f
ACK: 80808080

hf mf eload u /home/user/projects/amiibo/bokoblin 
hf 14a sim -t 7 -u 0480C72AEA4C80

Load Amiibo onto the Proxmark’s memory

[usb] pm3 --> hf mfu eload -f u bokoblin.eml
[+] loaded 596 bytes from text file bokoblin.eml
[=] detected new mfu dump format
[=] MFU dump file information
[=] -------------------------------------------------------------
[=]       Version | 00 04 04 02 01 00 11 03 
[=]         TBD 0 | 01 00 
[=]         TBD 1 | 00 
[=]     Signature | 92 58 0B 4C 45 A9 C4 2F A9 01 45 CE 5E 5F 9C 43 09 A4 3D 47 D2 32 A3 D1 68 CB AD E6 7F 81 85 C6 
[=]     Counter 0 | 00 00 00 
[=]     Tearing 0 | 00 
[=]     Counter 1 | 00 00 00 
[=]     Tearing 1 | 00 
[=]     Counter 2 | 00 00 00 
[=]     Tearing 2 | 00 
[=] Max data page | 133 (536 bytes)
[=]   Header size | 56
[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 80 C7 CB |   | ....
[=]   1/0x01 | 2A EA 4C 80 |   | *.L.

[SNIP]

[/SNIP]

[=] 134/0x86 | 80 80 80 80 | 0 | ....
[=] ---------------------------------
[=] Uploading to emulator memory
[=] ......................................................................................................................................................

[?] You are ready to simulate. See `hf mfu sim -h`
[=] Done!
[?] Try `hf mfu sim -t 7` to simulate an Amiibo
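
The eload output above contains enough to sanity-check a dump before loading it: 596 bytes is the 56-byte header plus 135 four-byte pages, and the fourth byte of block 0 (CB) is the ISO 14443-3 check byte over the first three UID bytes. The script below is an added example, not code from this post or the Proxmark project; the function names and the constructed sample file are assumptions.

```python
import re

HEADER_SIZE = 56          # "Header size | 56" in the eload output
TAG_BYTES = 135 * 4       # pages 0..134 of 4 bytes; 56 + 540 = the 596 bytes loaded
CASCADE_TAG = 0x88        # ISO 14443-3 cascade tag, part of BCC0 for 7-byte UIDs

def eml_to_bytes(text):
    """Join all hex digits of an .eml text file, whatever its line layout."""
    digits = re.sub(r"\s+", "", text)
    if len(digits) % 2 or re.search(r"[^0-9a-fA-F]", digits):
        raise ValueError("not a pure hex text file")
    return bytes.fromhex(digits)

def check_dump(raw):
    """Return (uid_hex, problems) for a 596-byte pm3 dump or a bare 540-byte dump."""
    problems = []
    if len(raw) == HEADER_SIZE + TAG_BYTES:
        pages = raw[HEADER_SIZE:]
    elif len(raw) == TAG_BYTES:
        pages = raw
        problems.append("no 56-byte pm3 header")
    else:
        return None, [f"unexpected size: {len(raw)} bytes"]
    uid = pages[0:3] + pages[4:8]          # page 0 bytes 0-2, page 1 bytes 0-3
    bcc0 = CASCADE_TAG ^ pages[0] ^ pages[1] ^ pages[2]
    bcc1 = pages[4] ^ pages[5] ^ pages[6] ^ pages[7]
    if pages[3] != bcc0:
        problems.append(f"BCC0 is {pages[3]:02X}, expected {bcc0:02X}")
    if pages[8] != bcc1:
        problems.append(f"BCC1 is {pages[8]:02X}, expected {bcc1:02X}")
    return uid.hex(), problems

def build_sample_eml():
    """Constructed sample: only the version bytes and pages 0-1 come from the post."""
    header = bytes.fromhex("0004040201001103") + bytes(HEADER_SIZE - 8)
    pages = bytearray(TAG_BYTES)
    pages[0:8] = bytes.fromhex("0480C7CB2AEA4C80")   # blocks 0 and 1 as printed
    pages[8] = 0x2A ^ 0xEA ^ 0x4C ^ 0x80             # BCC1, computed (not shown in post)
    blob = header + bytes(pages)
    return "\n".join(blob[i:i + 4].hex().upper() for i in range(0, len(blob), 4))

if __name__ == "__main__":
    uid, problems = check_dump(eml_to_bytes(build_sample_eml()))
    print("UID:", uid, "| problems:", problems or "none")
```

A size other than 596 or 540 bytes, or a UID that differs from the one the converter printed, points at the file rather than the hardware.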

Emulate the Amiibo

[usb] pm3 --> hf mfu sim -t 7
[+] press pm3-button to abort simulation


62 thoughts on “How to emulate/simulate Amiibo with a Proxmark 3 Easy”

  1. Hello, sorry for my poor English. I did the same steps as in your post, but my Switch can’t recognize my pm3 as an Amiibo. Would you mind giving me the .eml file you use, so that I could figure out whether my hardware is broken or the .bin or .eml file I use is wrong?

          1. I changed from the Proxmark3 Easy to a Proxmark3 RDV2, ran the same commands, and it works! That’s weird. Anyway, thanks for your help! Your article helped me save money: I won’t have to buy NTAG215 cards, haha.

      1. Hi Ling, I encountered the same problem, my switch doesn’t detect my pm3 as amiibo at all, as if it is invisible. Did you manage to solve the problem with pm3easy?

          1. Dear Tom, and others

            Absolutely, thank you so much for getting back to me.

            See pics here: https://imgur.com/a/5EaOTpR

            Pic1: So I installed Oracle Virtualbox, and Ubuntu 19.10. I installed github proxmark3 and downloaded the bin from banks.

            Pic2: Converted the bin to eml with your perl file

            Pic3a-c: ran the two lines of code (note: 3c shows the output of the file from the perl code, but it generated the path to the original bin instead of the eml, so I modified it)

            Pic4: the PM3-easy turns green during emulation

            Pic5a-c: Trying to Invite Amiibo Camper in game, 5c shows it timed out and shows fail to read amiibo.

            I actually have an amiibo card and that works no problem so that means my switch controller can read amiibos and is not a source of error.

            What could be the problem?

            thanks so much!!

          2. Hi Tom,
            Nevermind my previous message,
            I unbricked it and flashed it again but still same situation as before-
            Terminal showing it is emulating but for some reason is not at all detected by the pm3…
            🙁

          3. (edit, please delete my other two messages)
            Hi Tom,
            Nevermind my previous message,
            I unbricked it and flashed it again but still same situation as before-
            Terminal showing it is emulating but for some reason is not at all detected by the Switch*…

          4. Hi Tom

            yes I used your repo:
            git clone https://github.com/tomvanveen/proxmark3.git
            followed by
            make udev
            and make clean && make all instead of capital ‘Make’

            Oh, and I used another flasher, because
            client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf
            will always get stuck here and pm3 still shows a blue light on the pm3 right before each eject:

            .Waiting for Proxmark to appear on /dev/ttyACM0 Found.
            Entering bootloader...
            (Press and release the button only to abort)
            Waiting for Proxmark to reappear on /dev/ttyACM0............. Found.

            Flashing...
            Writing segments for file: bootrom/obj/bootrom.elf
            0x00100000..0x001001ff [0x200 / 1 blocks]. OK
            0x00100200..0x00100f5b [0xd5c / 7 blocks]....... OK

            Writing segments for file: armsrc/obj/fullimage.elf
            0x00102000..0x00139f2f [0x37f30 / 448 blocks]....................................

            My flasher.exe works however, it looks this way:

            set /p num= {INSERT port number}
            flasher.exe com%num% -b firmware_win\bootrom.elf
            ping 127.0.0.1 -n 8 >nul
            taskkill /f /im flasher.exe
            flasher.exe com%num% firmware_win\fullimage.elf
            ping 127.0.0.1 -n 3 >nul
            taskkill /f /im flasher.exe

            Could this be a source of difference? or should I try iceman 3 or RRG? But how could I unstuck the linux flashing though?
            Also, is there a variable for the emulation to select the power output NFC runs by, maybe the default value is just too low?
            It still cannot be picked up by the Switch

            Also, every time I run proxmark3.sh a bunch of these show up until I ^c it and run it again:

            #db# unknown command:: 0x0154
            #db# unknown command:: 0x0150
            #db# unknown command:: 0x014f
            #db# unknown command:: 0x0152
            #db# unknown command:: 0x0154
            #db# unknown command:: 0xd3f4741
            #db# unknown command:: 0xd3f4754
            #db# unknown command:: 0xd3f4723
            #db# unknown command:: 0xd3f4750
            #db# unknown command:: 0xd3f474f
            #db# unknown command:: 0xd3f4752
            #db# unknown command:: 0xd3f4754
            #db# unknown command:: 0xd3f4743
            #db# unknown command:: 0xd3f4746
            #db# unknown command:: 0xd3f4747

            Not sure if that is also a concern

            1. From what I understand you should always match the repo version and firmware. So if you use the repo I link to in this blog you should also flash the firmware (bootrom and fullimage). From what I can see the bootrom is flashed fine but gets stuck on the fullimage. Have you tried flashing the fullimage only (as root)?

          5. PS I also have a card reader and it seems like the emulation can be detected but very specific placement is required. do you think it is just that the nfc couldn’t pick up the power?

            btw pm3 also has the ‘chameleon module’ with a battery on it, should I remove the battery first?

    1. Hello, I get this error when I type this command: hf mf eload /root/proxmark3/client/samytools/amiibo.eml

      File Content error. Block data must include 32 HEX symbols.

      Why ?

      1. You are missing the ‘u’ in your command. It should be “hf mf eload u”.

        pm3 --> hf mf eload /home/user/Desktop/amiibo/amiibo
        [!] File content error. Block data must include 32 HEX symbols
        pm3 --> hf mf eload u /home/user/Desktop/amiibo/amiibo
        …………………………………………………………………………………………………………………………………………………………………………………………………………………………………

        [+] Loaded 255 blocks from file: /home/user/Desktop/amiibo/amiibo.eml

      1. And if I type hf mf eload I get:

        http://prntscr.com/ma1a30

        proxmark3> hf mf eload
        It loads emul dump from the file `filename.eml`
        Usage: hf mf eload [card memory]
        [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K

        sample: hf mf eload filename
        hf mf eload 4 filename

      2. didyouexpectthat

        Crazy. I can reproduce step-by-step with my Proxmark RDV4 but when I go to interface with a Switch, it doesn’t work. I get the same output on the same file from mfubin2eml, I eload the output file, and then simulate the serial… I was playing BotW and it did not work.

        1. didyouexpectthat

          Yes. I grabbed a fresh version of ProxSpace, built and loaded fresh radios for lf and hf from Iceman with no issues, verified everything else works (have some hid cards, read the hid). I wonder if his current version may have a bug. I’ll try some older Iceman builds or maybe on Linux instead.

          1. Please do, I’m curious why it doesn’t work. I used an Ubuntu VM previously. If you can, post the command and output here; maybe I can find what’s wrong.

              1. Probably not the issue but the first line of your command output shows you running Samy’s script and saving the output of the command as amibo.elf instead of .eml.

      3. When I load the eml file, it gives me: old mfu dump format, was converted on load to 243 pages. After which it says Loaded 257 blocks into emulator memory, and the switch says it might not be an amiibo.

        1. Hi Carl, it seems that the newest proxmark client from the RFID research group is the problem. I just tested the now deprecated iceman1001 version and it works just fine. I shall update my post with this information.

          1. What error were you getting on the Switch? When I use the RRG version, my Switch says “This is not an amiibo.” and in-game, it doesn’t work, but at least I get feedback that indicates failed. I may switch back to the iceman1001 myself.

      4. Hi,

        Thanks for such thorough instructions on this. However, when I was attempting to emulate amiibo with my rdv4, I can’t set the ownership for the emulated amiibo, for each time I tried to do so, my 3ds said that setting had failed, and I get a warning

        #db# Received unknown command (Len=8):
        #db# a2 04 00 00 01 00 ef ab

        on my Kali client. I’m using the deprecated Iceman repo as is specified previously. And since I can’t set the ownership, the 3ds refuses to load the content. Is there any way to fix this?

        Thanks!

      5. Actually, that’s the only way you can use an Amiibo in a game. I’m playing Monster Hunter Stories, and when I put the rdv4 on the bottom screen of the 3ds, it tells me that the owner of the Amiibo is not set, then redirect you to the ownership and nickname setting page. My guess is that there’s an anti-sharing feature, that you can’t share a blank Amiibo with your friends and play with the character at the same time.

        Just wondering if there’s any way to bypass this and actually use pm3 in a game? Thank you!

        1. So I just checked and it is possible while using a NTAG215 tag. There is some communication with the tag that sets the owner data in the tag. In theory it should be possible with the pm3 but I don’t know if they are going to add support.

        2. What if we set the owner beforehand? I just identified where the owner and nickname are located in the amiibo bin file. If we change it to contain your name and a nickname you want and then simulate it will the 3ds not put 1 +1 together and accept it?

      6. Hi I am quite new to the scene

        I see you guys are using linux?

        Would it work if I install perl interpreter on my windows OS?

          1. I don’t know anything but I have managed to do everything, but I encounter the same problem as Ling.

            My Proxmark3 Easy was almost like it is invisible when placed near the controller; it just wouldn’t see it. What is wrong?

      7. Looks like I’m unable to find libqt4-dev when trying to install it on Ubuntu in a VirtualBox.

        Meanwhile, trying to build the iceman fork on OSX gives an undefined method `name' for nil:NilClass

        Which version of Ubuntu are you running?

          1. Kai,

            I have also tried Cheeplusplus’s fork which bases off RFIDrg, and still while I manage to reflash the firmware, set up the PM3 with appropriate commands, the same problem remains:
            my switch just wouldn’t see my pm3-emulation… Was that a problem you experienced and solved?

            1. So in short the RRG repo does not work. Any fork based on that one will not work. The repo that does work is the one that I mention in the blog. My advice, stick to that repo, flash the proxmark and then try to simulate an amiibo. If flashing the proxmark gets stuck, try it as root or prepare a bare metal machine with ubuntu to use instead of a VM.

            2. Unfortunately I wasn’t able to build your fork on OSX and ran into a lot of issues locating missing packages (qt4 dev) while on Ubuntu 19.1 on Virtualbox, and CheePlusPlus’ didn’t have the OSX patch either. Made the fork for other OSX users
