Soooooo one word amibo ok two words amibo fingers lol… do you think it would be possible to put a amibo nfc tag on a chip and and rewrite it like we do with nfc spoofers for the switch?
Fingers?
Probably bad idea
Beyond that… I think I remember reading that they only work with ntag213? I don’t think DT makes anything with that
Maybe the new Magic ntag
NTAG215, but same effect, DT doesn’t make any implant with that exact chip, and I don’t believe that anyone has gotten flexMN, which supposedly supports true NTAG215 emulation, working with ambiio. Note that devices check the lock bytes, which means that were there to be a NTAG215 implant, after you wrote the first ambiio to it you could never put a different one on there afaik
If you did want to work out whether the flexMN could work, you could always buy a test card, I believe KSEC and Lab401 sell them.
You would need a pm3 to configure them, there is the pm3 easy available from DT, there are chinese sellers on Aliexpress selling the easy for a bit less with much longer shipping, or there is the official pm3 RDV4 (way overkill / $$$$$) available from proxgrind’s distributors.
Ooohhhh, so close, I have put the hyperlink in as
test card pack or test card bundle
and
magic card pack or magic card bundle
1 Like
That’s true for normal NTAG215 cards, but I know devices like the n2 Elite exist, which allow rewriting an unlimited amount of times. I’ve written/rewritten mine hundreds of times and it’s still great. Clearly the technology exists, but whether or not it’s able to be made into an implant I have no idea.
Which product are you referring to? A bunch seem to be clones or (possibly?) fake. Just curious which one works as I’m new to this as well! Seems strange they’re all out of stock?
Edit:
Looks like you can purchase them on this website for North America.
And this is the actual product website?
I’m not actually sure what the official website is. I bought mine off of eBay forever ago for like $50 I believe. I do know that the device used to be called “Amiiqo” or something similar before they changed the name. Researching that might help you a but more as well.
In short, it’s dependent on the chip used. If we had a magic chip capable of NTAG215 emulation and lock byte resetting, then we would be able to reset lock bits and update up until the memory wore out.
I don’t know the specifics of the FlexMN, but I feel like lock bytes could be reset given the emulation.
I actually wonder if any JavaCard could emulate it, if we just wrote a NDEF applet (which is all a NTAG is, a NDEF applet device) - assuming either we set as default selection or confirmed the reader auto-selects if necessary. Resetting lock bytes is easy as in that case.
That’d be interesting to test… Anyone got a flexMN they’d be willing to risk? 
The applet idea is certainly worth looking into. If I knew anything at all about writing those I’d offer to help, but alas, I’m just a lowly mortal. Definitely worth keeping in mind for the future though.
Datel Powersaves is a magic tag that can be rewritten for emulating amiibo. I’m not sure what protocol it uses not do I know what chip it uses as I don’t have a Proxmark to do testing like sniffing, but it requires using its own program and reader/writer device.
Maybe you can extract the tag from the token and convert it into a Flex
1 Like
I… never thought of using my proxmark until now. Here’s the output of hf search on my n2 elite
It looks like the flexMN will probably work with amiibo from a very quick glance due to it being a magic ntag21x. I’ll be able to look more into the n2 elite with my pm3 later today.
2 Likes
Ok so, I did a lot more testing. I read/wrote/cloned/emulated the n2 elite, “normal” NTAG215 cards with amiibo data written to them, and standard amiibo figures. The good news is that I’m 99% sure that the flexMN can handle writing/rewriting of amiibo just fine. I can’t be 100% certain unless I had a test card of course, but those are £26.99 over at ksec, which is more than I’m willing to spend on this right now. (Side note before I get into the other stuff: it was surprisingly super simple to emulate an amiibo with the pm3 easy. It makes sense, I just had never thought to do it before.)
Where things got super interesting was with the actual n2 elite itself. Here’s an example of the output of hf mfu info with a normal amiibo figure:
And here’s the output of the n2 after I wrote a dump of said amiibo to it:
n2 Elite
As you can tell, it fails pretty quickly. I’m curious if that’s because of the magic ntag, or the other stuff inside the n2.
Just for giggles, let’s look at a dump of a different amiibo after writing it to a standard NTAG215 card that you’d buy off of Amazon:
Interestingly, it doesn’t fail as early as the n2, but doesn’t give us as much info as the official figure does.
From what I can tell, the n2 acts just like a normal magic NTAG21x when read from my pm3. I’m sure it probably supports the other functions of that tag as well, but I didn’t want to write anything to it and potentially be out $50-$60.
One of its selling points is that the n2 can store up to 200 amiibo at once, and swap between them on the fly either with an app, or the physical button on the device itself. From what I can tell there’s no way to emulate that function at all on the flexMN or other magic ntags. The n2 has some other hardware inside of it that makes this all possible. I wasn’t about to take mine apart to check everything out from the inside, so luckily this person did it for me! There’s a ton of really cool and useful info on that page, but there were a couple things in particular that caught my eye:
This is pretty cool! Imagine if you were in an environment that had UID-exclusive authentication. This little device would give you 200 banks of IDs that you could cycle through without any external devices needed. There are much better ways of accomplishing the same task of course, but it’s fun to think of how to use technology in ways that weren’t intended.
The other thing that caught my eye was a little note at the bottom of the page:
N2 doesn’t emulate any of the protections (OTP locks, etc) and everything is always fully RW
That’s pretty interesting. If I’m understanding this correctly, then either the n2 is somehow successfully spoofing amiibo without lock bits, or Nintendo doesn’t actually check those. That could potentially open up a whole new world of possibilities both in terms of getting amiibo onto an implant, and amiibo spoofing as a whole. I really know next to nothing about this stuff though, so I’m probably misunderstanding that sentence.
…I really talked a lot more about the n2 than I thought I would, but it’s super interesting technology.
Anyway, if I keep making edits to this post I’ll never finish, so to quickly wrap all this up; yes, I believe that the flexMN can definitely work with amiibo. It should support rewriting them until the chip dies, but with the caveat you can only have one on there at a time. Honestly, I only ever use my n2 elite with 1 amiibo written to it at any given time anyways, and it takes literal seconds to switch out with tagmo/the n2 manager/whatever, so that’s not a huge deal at all. It’s 1am, and I don’t know a ton about these systems as it is, so I could 100% be wrong about a lot of this. If you’re seriously considering a flexMN if/when it becomes available again, it’d definitely be safest to grab a test card first just to verify that I’m not completely wrong. 
4 Likes