A step by Step Guide to implement your own custom RFID tags.
In this Blog post the focus is on custom tags that works with the Toniebox. I will guide you through the steps of using own RFID tags with Content that is already on your build in SD card of the Toniebox.
Like I described in earlier posts, within the Tonie figurines is a RFID Chip installed. This Chip consists of a total of 40 bytes length. 8 bytes are used for the UID, a unique identifier, and 32 bytes are used within the tag memory (4 blocks with 8 bytes each). The UID, like it is said by the U for unique is a identification number that only exists once within the whole Tonie universe (or only once within the RFID Standard according to NXP).
How does the RFID Chip controll the Toniebox?
As soon as the Tonie figurine is placed on top of the Toniebox, the Toniebox does some magic (deactivating the privacy mode with a given Password by Boxine) to the tag, before this is telling its UID to the Toniebox.
At first the Toniebox will make sure that the Chip within the RFID Tag is according the defined standard. It needs to be a NXP ICODE SLIX-L Chip. To verify this it checks the first three bytes being equal to “E0 04 03”. “E0” descibes the iso15693 standard, “04” says that the Chip manufacturer is NXP and the “03” defines the ICODE SLIX-L standard. If this is not given, the Toniebox will do nothing at all. Not even an error message or LED blink can be heard nor seen.
If the first step passed, at second the Box verifies the UID to the Content on its build in microSD card and checks whether the needed audio files are already downloaded from the Tonie Cloud. If this is the case it checks the audioID of the stored audio file (an ID that is generated by Boxine when the audio content is encoded prior to the release of this Tonie) to the actual audioID within the Tonie cloud. If these do not match, it will reload the content from the Tonie cloud. If the audioIDs match, it will start playing the audio files from the build in microSD card.
Just because I got this question alot:
Although two figurines look the same and play the same audio content, they will ALWAYS have different UIDs and different memory content. In addition there are no information stored within these 40 bytes, that will tell you in which type of Tonie this RFID tag is installed. The information of UID to audio Content is ONLY stored within the Tonie cloud. The 32 byte stored within the memory seems to be a kind of checksum. These 32 byte are only used for verification with the Tonie Cloud. Without the right content to a given UID a download of audio from the Tonie Cloud is not possible and is blocked.
But what happens when the Toniebox is Offline?
When the Toniebox is not connected to the internet (either manual set to offline mode or out of reach to the next known WLAN), it will just skip the verification of the audioID and will start directly with the playback of the audio content.
How can custom RFID Tags be used?
The most important thing is that the Chip of the custom RFID Tag has to be an ICODE SLIX-L type. Then it is important, that the password for the privacy mode is either set to the standard password given by NXP, which is set during production to “0F0F0F0F”, or the password needs to be the Boxine given password like all the Tonie figurines have.
Besides of this the tag can be used without any modification to the memory of the RFID tag.
The secret lays within the directory and file name!
Like described earlier, the Toniebox verifies the UID to the Content on the build in microsSD card. For a UID like “E0 03 04 50 12 34 56 78” the Toniebox is looking for a file with the name “500403E0” within a directory named “78563412”. That means that the directory name consists of the last four UID bytes in reverse byte order, and the file name consists of the first four UID bytes in reverse byte order.
How can I get the UID of a custom tag?
The UID can be read with several Android or iPhone Apps directly from the tag. For Android the best is the NXP TagInfo App (here), for Apple iOS the NFCmanager (here) works very well. If you have a proxmark3 (RFID development tool) you can use this one as well. Another possibility is to build your own reader hardware with an Arduino and an RFID reader like the PN5180 (not the MFRC522, this is iso14443 only!). The Arduino solution with an ESP8266 and a PN5180 will be introduced within an upcoming Post.
Do not put the custom tags on top of the Toniebox prior you read the UID because the Toniebox will activate the privacy mode of the tag. With this enabled you will not be able to read the UID. And disabling the privacy mode is not easy at all. It can be done with the Arduino setup, or with a special Firmware by [g3gg0] from Team RevvoX (LINK).
Another way of disabling the privacy mode is the “Knock Methode”. I figured out that you can place a RFID tag on top of the Toniebox and lift it off again quickly, before the Toniebox is able to activate the privacy mode of the tag again. This all needs to be done within half a second. The easiest way is to knock the tag gently on the surface of the Toniebox reader and immediately lift it of again. That’s why I call it the “Knock Methode” or in German the “Klopfmethode”.
What happens to the online verification?
The online verification still happens. But the Tonie cloud server does not know anything about the given UID of the custom tag. Therefor this verification step is skipped. This leads to a direct playback of the audio content on the microSD card.
Where to get custom RFID tags for the Toniebox
Like mentioned it needs to be an NXP ICODE SLIX-L chip within the RFID tag. This specific tag is not used a lot which means you can not get it at your standard RFID Tag dealers…
But if you look close enough, you will find some sellers online.
They will either sell with their own online store or you can find them at eBay Kleinanzeigen. I got tags from all three and therefor can give you one important advice. Make sure that the tags you are buying are the ORIGINAL ones from NXP. The full name is “NXP ICODE SLIX-L“. Some of them are selling ICODE SLIX-L tags with a Chinese clone chip build in that work according to the specs. But due to a design error within this clone chip these have the potential to fail. This happens usually during a command that is send from the reader to the tag within the first second after a tag is placed on top of the Toniebox. Taking the Tag off the RFID reader within this first second will risk the tag and you might loose it for good.
The seller I can recommend is [RFIDfriend] at eBay Kleinanzeigen. He sells original RFID sticker tags with a diameter of about 32 mm (LINK).
If you rather like to have cards, you could buy some colored blank cards and just place one of the RFID sticker tags on one side of the card (LINK).
All information in short:
- get custom ICODE SLIX-L tag
- read the UID
- change directory and file name on microSD card
- start enjoying your own tag creations.
Any Tools for easier success?
Most of the needed steps can be done with the Software TeddyBench by Team RevvoX (LINK). In combination with a Proxmark3 it is a snap of linking new tags to audio content that is already on the microSD card.
Therefore you just need to insert the microSD card into a card reader of your PC, start TeddyBench, double click any given content and place a custom tag on top of your proxmark (or enter the UID by hand in case of proxmark not pressend).
All this will be explained in detail in an upcoming post just about TeddyBench.
Comments are welcome
This article is mostly inspired by questions I get from community members within the Team RevvoX Telegram Channel or directly via eMail. Hope that a lot of these information will help all of you to make your own progress and first steps within the custom Tag universe.
If you think that something is not really understandable or I should go a bit more into the depth of this subject, please leave your comments below. Addition questions are always welcome as well.