The Tonie figurines are used to control the Toniebox. By placing a Tonie figurine on top of the Toniebox, the Box will read the rfid chip within the figurine and start playing the corresponding story.
This article will go into the depth of the rfid chip within the Tonie figurine.
Structure of Article
- position of chip
- rfid chip type
- memory structure
- UID structure
- How to read the Tonie rfid chip
- privacy mode
- disabling privacy mode
- password for privacy mode
- alternative unlock methode
- needed Hardware
- command samples
- Arduino + PN5180
- CR95HF dev board with python script
- privacy mode
- Structure of rfid chip content
- usage within the Tonie universe
- structure around the Tonie universe
- what happens within the toniebox
- SD card content
position of chip
In each figurine there are two hallow spaces kept free during production.
One is located right at the bottom of the figurine to hold a small magnet. This attaches the figurine to the Toniebox to prevent it to fall off.
The other one is located at about 20mm higher location where the small rfid chip is located at. This must be a sweet spot of the Toniebox RF reader field.
A lot of figurines are made of two parts which are glued together after the chip is inserted into the middle section.
rfid chip type
The specific chip that is used within the Tonie figurine is an ICODE SLIX-L chip produced by NXP Semiconductors wich operates within the iso15693 Standard.
This chip works with an antenna frequency of 13,56 MHz but is not compatible with the widely known standard iso14443 nor the iso14443 rfid readers used for MiFare RFID chips.
The specific chip used by Boxine GmbH for the Tonie figurine looks a bit like an glas transponder that is used for tagging of animals but without the glas tube. According to the founders of the Toniebox this chip is produced in India.
memory structure of SLIX-L
The SLIX-L chip has a 8 Byte long UID and a 32 Byte long memory wich is structured in 8 Blocks of 4 Byte each.
The first four Bytes of each Tonie rfid chip UID (unique identifier) are the same (as of now).
E0 04 03 50 xx xx xx xx
E0 identifies the iso15693 standard
04 identifies the chip manufacturer (= NXP Semiconductors)
03 identifies the chip type (= SLIX-L)
50 part of the serial number
xx 4 Byte long Tonie identifier
How to read Tonie rfid chip
Even by using the correct rfid reader for the iso15693 standard, or using devices like the proxmark3, the Tonie figurine stays silent when standard commands are used to communicate with the chip.
With the SLIX2 class rfid chips, where the SLIX-L belongs to, NXP Semiconductors introduced some security features.
These features can be controlled, activated and deactivated by custom commands and prior set passwords.
One of these features is the privacy mode. If this is enabled the chip will only respond to two custom commands. With all others the chip will remain silent.
disabling privacy mode of Tonie figurine
To disable the privacy mode and therefore opening the Tonie figurine to the standard rfid commands for further reading of the UID and the chip memory content a few actions needs to be taken.
At first a Password is needed. This is set within the production process by the OEM and is set by Boxine GmbH.
At second with the custom command GET RANDOM NUMBER (126.96.36.199) a two Byte long random number generated by the chip itself can be retrieved.
The passwords first two bytes and the passwords second two bytes need to be XORed with the two byte long random number and set back together to a 4 byte long XORed password.
At third with the custom command SET PASSWORD (188.8.131.52) the XORed password is send to the rfid chip and will disable the privacy mode.
password for privacy mode
The password can be retrieved by snooping the communication between the Toniebox and the Tonie figurine while the Tonie is placed on top of the Toniebox.
Snooping can be done with the proxmark3.
Further information on the proxmark3 can be found within the proxmark3 forum.
In addition there are some other forums where the password is posted, so that the snooping work does not be done again.
(I will not post it!)
alternative unlock methode
When the Tonie figurine is placed on top of the Toniebox, the Box itself needs to disable the provacy mode to get the UID and the memory contenct. After these information are read, the Toniebox will enable the privacy mode again. This takes place within under a second.
I figured out, that with the “knock method”, you are able to get the Tonie figurine off the Toniebox before it activates the privacy mode.
To use the “knock method” you need to hold the Tonie in your hand and knock the stand side (side with magnet) onto the Box reader surface and lift the Tonie immediately. It should just be a knock and not a place and lift off the Tonie.
With a bit of practice you can disable the privacy mode without knowing the password and go further with standard iso15693 reader to read the chip UID and the content of the memory.
Needed Hardware for reading
After the privacy mode of the SLIX-L chip is successfully disabled you can start to read the UID and the memory content.
To read the rfid chip of a Tonie figurine with a disabled privacy mode every rfid reader that is able to read iso15693 standard chips can be used.
I will show show three rfid readers that are my first choice to go with.
The proxmark3 is a universal rfid reader for all kind of rfid standards in low frequency (125kHz) and high frequency (13,56MHz) mode.
It is so versatile that it enables sniffing, reading and cloning of rfid tags and is capable of reading, writing, and emulating many of the currently available rfid tags of multiple standards (e.g. iso14443, iso15693, ICODE ,MiFare , HID iCLASS , Legic, 125 kHz, etc.).
To work with the proxmark3 you can either use a windows based GUI, or the most common way is the terminal window.
You can find detailed information regarding setup and firmware upgrades of the proxmark3 within the following Repos at GitHub:
- RRG / Iceman Repo (RfidResearchGroup) – LINK
- Official Proxmark3 Repo – LINK
- universal Windows GUI by burma69 – LINK
some Command samples to use with Tonies:
hf 15 cmd raw -c -2 02 b2 04
The two Byte long RANDOM NUMBER is needed to generate the XORed password to disable the PRIVACY MODE with the SET PASSWORD command.
SET PASSWORD disable PRIVACY MODE
hf 15 cmd raw -c -2 02 b3 04 04 xxxxxxxx
The xxxxxxxx represents the 4 Byte long XORed password. The passwords first two bytes and the passwords second two bytes need to be XORed with the two byte long random number and set back together to a 4 byte long XORed password.
WRITE PASSWORD for PRIVACY MODE
hf 15 cmd raw -c -2 22 b4 04 04 xxxxxxxxxxxxxxxx yyyyyyyy
This command will change the password for the PRIVACY MODE. For the xxxxxxxxxxxxxxxx the 8 Byte long UID needs to be inserted in reverse order (LSB). The yyyyyyyy represents the 4 Byte long NEW password.
This command only works if the SET PASSWORD command was executed successfully right before.
(Would not recommend to use this with an original Tonie figurine.)
DUMP RFID chip
dumps UID and hole memory of rfid chip (Tonie)
hf 15 dump
This command will dump the hole information and contend of the rfid chip / Tonie figurine.
The interesting part is the 8 Byte long UID and the 32 Byte long memory content.
The ChameleonMini is a freely programmable, portable tool for ISO14443 / ISO15693 / NFC security analysis that can emulate & clone contactless cards, read RFID tags and sniff/log RF data.
The ChameleonMini can not only be used to read Tonie figurines or sniff / snoop the communication between the Tonie figurine and the Toniebox to receive the password for PRIVACY MODE, it can simulate the Tonie rfid chip as well (more to this in another post).
There are different versions of the boards available. The original ChameleonMini by Kasper & Oswald is available as “ChameleonMini RevG” Model. Two other models are available as “ChameleonMini RevE reebooted” and as of Jan. 2019 the new Model “ChameleonMini RevG rebooted” and “ChameleonTiny”. These are developed by Iceman and Proxgrind.
Most of the boards sold by the usual chinese online warehouses are the “ChameleonMini RevE rebooted” Versions.
You can buy the ChameleonMini here.
To configure the ChameleonMini, Iceman build a nice Windows based GUI. You can find it in his Git. (LINK)
You can find detailed information regarding setup and firmware upgrades of the ChameleonMini within the following Repos at GitHub:
If you like to flash the ChameleonMini within windows, then you can find here more information on that. (LINK)
Arduino with PN5180 rfid reader
My favorite toy for tinkering with rfid chips is my very own dev board with an ESP8266 and an PN5180 rfid reader. In addition I have some buttons and other components on the board like a small I2C display. With this setup I am free for everything that needs to be done to an rfid chip or a Tonie in particular.
I can programm sequences of commands, save some read information in my SPIFF for further analysis later on, etc.
It can be battery operated as well.
A good start into this is the PN5180 library by Andreas Trappmann that just got an update through trueddy for iso14443 support. That means this board is feasible to work with iso14443 and iso15693 cards.
You can find the ATrappmann Library for the PN5180 here. – LINK
Within this library you will find an example which is ready to disable the PRIVACY MODE and read further information from the rfid chip. But again: The password for disbaling the PRIVACY MODE is not included.
CR95HF dev board with python script
Frederico Cerutti (ceres-c) showed at the 36C3 conferenc some Toniebox hacking. (More on this in another post.)
Part of it was to read Tonie rfid tags with a CR95HF rfid dev-board and a python script. The script disables the PRIVACY MODE and reads the UID of the Tonie rfid chip.
(Password to disable the PRIVACY MODE is not included!)
You can find the script here – LINK
Structure of rfid chip content
Like mentioned above the chip memory structure consists of an 8 Byte long UID and a 32 Byte long memory wich is separated in 8 Blocks with 4 Bytes each.
The first 4 Bytes of the UID are always E0 01 03 50 as of now.
The last 4 Bytes is a random number according to the iso15693 standard.
The 32 Byte long memory did not show any structure to us so far. Actually I think that it might be a validation value of the UID like an SHA or a long verification string that is stored within the Tonie cloud, to verify the Tonie itself.
If you have any further information about this, please let me know.
usage withgin the Tonie universum
The structure of the systems within the Tonie universe is well thought through. I can tell you that Boxine and their staff did a really good job in designing the whole platform of the Tonie universe.
Structure of the Tonie universe
As I explained before, there are no known information within a Tonie that gives a direct hint about the audio book that it is attached to. Within the production in Tunisia where the figurines are produced (in a plant that produces the well known “Schleich Figuren” as well), the rfid chip (which is produced in India) is placed into the figurine. In addition the information about the figurine and the UID of the chip is saved within the Boxine database. This is where the information comes together.
Every time a figurine is placed on top of a Toniebox, the box will verify wether it knows already which story belongs to the figurine (to the UID) or it will ask the Tonie Cloud Server which will transfer the correct audio file to the Toniebox which can than be played.
What happens within the Toniebox
Within the Toniebox there is a MicroSD Card installed (as far as I know these are all 4 GB large).
Everytime a figurine is placed on top of the toniebox the following steps are performed:
- disabling the PRIVACY MODE
- read the 8 Byte long UID
- read the 32 Byte long memory content
- enable the PRIVACY MODE
- check wether a directory with a name of the last 4 Byte of the UID exists.
- check wether a file with a name of the first 4 Byte of the UID exists.
- If this directory and the file exists, it is verifying the header information within the file.
The Audio file is made of two parts. The first part is an information header (e.g. chapter marks) and the second part is an ogg opus audio file.
It checks wether the Audio-ID within the header is the same within the OGG audio file. And it verifies if the length value stored within the header fits the audio file.
If these checks fail it will delete the existing file and directory.
- If these checks are passed, it will start playing the audio file
- If the directory is missing, it will start communicating with the Tonie Cloud Server and will send the UID and the memory content of the rfid chip of the Tonie figurine to the Server.
- The server is verifying the UID and memory content within its database and sends in return the needed file.
- While the file is transferred it is already being played. During this the file is stored within a TEMP directory. After the transfer of the file is finished it is stored in an own directory within the CONTENT directory.
The name of the file is build out of the first 4 Bytes of the UID and the directory name consists of the last 4 Bytes of the UID written in LSB order (Byte order reversed).
- While the audio is playing the box checks on a regular base with the custom command for the RANDOM NUMBER in addressed mode wether this specific Tonie is still present. Addressed mode means that it is just asking for an rfid chip with a specific UID. When this tag is not answering the box will stop the audio.
Some detailed information regarding the structure of the audio file including detailed header explanation and OGG structure walk through will follow in another blog post..
The SD card ist structured into to following directories
all directories and files for known Tonie figurines are stored in this directory..
WITHIN the CONTENT directory:
each Tonie figurine has their own directory. The name is build out of the last 4 Bytes of the UID of the rfid chip within the Tonie.
In every directory there is one file named after the first 4 Bytes of the Tonie rfid chip UID. Because these are all the same (as of now), all files are named the same.
In addition there is one directory “00000001” and one directory “00000000” within the CONTENT directory as well. In these directories are the language files stored. These are the spoken animal error messages in german and in english.
In some cases there are two more files within the root of the sd card.
initsd.crc – a file that is created by initializing of the sd card and the standard structure.
PM2.LOG – this looks like a log file. No further information are available right now.
If you like to mention some improvements or hints which I should add to the content or just write it the right way, please let me know.
Either within the comment section or via eMail.