In this post I will explain how to emulate/simulate Amiibo using the Proxmark.
The Proxmark is an RFID swiss-army tool, allowing for both high and low level interactions with the vast majority of RFID tags and systems world-wide. Originally built by Jonathan Westhues over 10 years ago, the device has progressively evolved into the industry standard tool for RFID Analysis.
https://proxmark.com/
Requirements:
- proxmark
- proxmark client
- Samy Kamkar’s mfu2bineml script:
- An Amiibo to emulate
- Get it from your favorite supplier
Prepping the Amiibo
The Amiibo files that can be found online come in .bin format and first need to be converted to the .eml format that the proxmark uses. Samy Kamkar, a well known security researcher and hacker, wrote a script that does precisely what we need.
Create a new folder and put Samy K’s script and the amiibo bin file in there. To be able to run the script you’ll need to make it executable. This can be done by using the following command: chmod +x mfu2bineml. After making the script executable you can use it to create an eml file that can be used by the Proxmark. To do this use the following command: ./mfu2bineml <put_amiibo_name_here>.bin > amiibo.eml. I found that the Proxmark client dislikes spaces in filenames so it is recommended to not use them in the filenames.
An example of the script output can be found below:
user@ubuntu-vm:~/Desktop/amiibo$ ./mfubin2eml Champion\ Mipha.bin > amiibo.eml
Character / info: 01 07 00 00 03 5a 09 02
Game : 010 The Legend of Zelda
Character: 7 --
Variation: 00 --
Type : 00 Figure
Amiibo : 035a The Legend of Zelda
Series : 09 The Legend Of Zelda
Last : 02 (should be 02)
Looks like encrypted file but setting preventing us from decrypting
Does not contain header, adding
UID: 04c25292aa5280
PWD: 00000000
hf mf eload u Champion Mipha.bin
hf 14a sim t 7 u 04C25292AA5280
The last part of the script will tell you what commands to use in the Proxmark client to load the eml file and emulate/simulate the Amiibo. Because I love tool output here is the output from the Proxmark client:
pm3 --> hf mf eload u /home/user/Desktop/amiibo/amiibo
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………
[+] Loaded 255 blocks from file: /home/user/Desktop/amiibo/amiibo.eml
pm3 --> hf 14a sim t 7 u 04C25292AA5280
[+] Emulating ISO/IEC 14443 type A tag with 7 byte UID (04 C2 52 92 AA 52 80 )
[+] press pm3-button to abort simulation
And here is a video demonstration of the Amiibo emulation.