A step-by-step guide to implementing your own custom RFID tags.
ATTENTION: IF YOU ARE NEW TO TONIEBOX HACKING YOU WILL FIND A BETTER INTRODUCTION AND A MORE UPDATED VERSION HERE: “Toniebox Hacking – How to get started”. This article is still very interesting because of its detailed information, but you should start with the other blog post!
This blog post focuses on custom tags that work with the Toniebox. I will guide you through the steps of using your own RFID tags with content that is already on the built-in SD card of your Toniebox.
As I described in earlier posts, an RFID chip is installed inside each Tonie figurine. This chip holds a total of 40 bytes. 8 bytes are used for the UID, a unique identifier, and 32 bytes are used for the tag memory (4 blocks with 8 bytes each). The UID, as the U for "unique" says, is an identification number that exists only once within the whole Tonie universe (or only once within the RFID standard, according to NXP).
How does the RFID chip control the Toniebox?
As soon as the Tonie figurine is placed on top of the Toniebox, the Toniebox does some magic to the tag (deactivating the privacy mode with a password set by Boxine) before the tag tells its UID to the Toniebox.
First, the Toniebox makes sure that the chip within the RFID tag conforms to the expected standard. It needs to be an NXP ICODE SLIX-L chip. To verify this, it checks that the first three bytes are equal to “E0 04 03”. “E0” denotes the ISO 15693 standard, “04” says that the chip manufacturer is NXP and “03” identifies the ICODE SLIX-L type. If this check fails, the Toniebox does nothing at all: there is no error message to be heard and no LED blink to be seen.
If the first step passes, the box next checks the UID against the content on its built-in microSD card and checks whether the needed audio files have already been downloaded from the Tonie cloud. If this is the case, it compares the audioID of the stored audio file (an ID that is generated by Boxine when the audio content is encoded prior to the release of this Tonie) with the current audioID in the Tonie cloud. If these do not match, it reloads the content from the Tonie cloud. If the audioIDs match, it starts playing the audio files from the built-in microSD card.
Just because I get this question a lot:
Although two figurines look the same and play the same audio content, they will ALWAYS have different UIDs and different memory content. In addition, there is no information stored within these 40 bytes that tells you which type of Tonie this RFID tag is installed in. The mapping of UID to audio content is ONLY stored within the Tonie cloud. The 32 bytes stored within the memory seem to be a kind of checksum. These 32 bytes are only used for verification with the Tonie cloud. Without the right memory content for a given UID, a download of audio from the Tonie cloud is not possible and is blocked.
But what happens when the Toniebox is offline?
When the Toniebox is not connected to the internet (either manually set to offline mode or out of range of any known WLAN), it simply skips the verification of the audioID and starts directly with the playback of the audio content.
How can custom RFID tags be used?
The most important thing is that the chip of the custom RFID tag has to be an ICODE SLIX-L type. It is also important that the password for the privacy mode is either the standard password given by NXP, which is set during production to “0F0F0F0F”, or the password given by Boxine that all the Tonie figurines have.
Apart from this, the tag can be used without any modification to the memory of the RFID tag.
The secret lies within the directory and file name!
As described earlier, the Toniebox checks the UID against the content on the built-in microSD card. For a UID like “E0 03 04 50 12 34 56 78” the Toniebox looks for a file with the name “500403E0” within a directory named “78563412”. That means that the directory name consists of the last four UID bytes in reverse byte order, and the file name consists of the first four UID bytes in reverse byte order.
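The naming rule above, written out as an added example (it is not code from this post or from TeddyBench). The function names are hypothetical, the UID is taken in the byte order this article writes it, and the second UID used in the demo is constructed. The inverse mapping goes beyond the text: it recovers the UID that an existing directory/file pair on the card is linked to.

```python
import re

# Prefix the article says the Toniebox checks: ISO 15693, NXP, ICODE SLIX-L.
SLIX_L_PREFIX = bytes.fromhex("E00403")


def parse_uid(text: str) -> bytes:
    """Accept 'E0 04 03 ...', 'E0:04:03:...' or 'e00403...' and return 8 bytes."""
    digits = re.sub(r"[\s:.-]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", digits):
        raise ValueError(f"UID must be exactly 8 hex bytes, got {text!r}")
    return bytes.fromhex(digits)


def has_slix_l_prefix(uid: bytes) -> bool:
    """True if the first three UID bytes are E0 04 03."""
    return uid[:3] == SLIX_L_PREFIX


def content_names(uid: bytes) -> tuple[str, str]:
    """Return (directory, filename) for a UID.

    Directory = last four UID bytes reversed, file = first four reversed.
    """
    directory = uid[4:][::-1].hex().upper()
    filename = uid[:4][::-1].hex().upper()
    return directory, filename


def uid_from_names(directory: str, filename: str) -> bytes:
    """Inverse mapping: the UID a directory/file pair on the card belongs to."""
    for part in (directory, filename):
        if not re.fullmatch(r"[0-9A-Fa-f]{8}", part):
            raise ValueError(f"expected 8 hex digits, got {part!r}")
    return bytes.fromhex(filename)[::-1] + bytes.fromhex(directory)[::-1]


if __name__ == "__main__":
    # Example UID from the paragraph above.
    print(content_names(parse_uid("E0 03 04 50 12 34 56 78")))
    # Constructed UID carrying the E0 04 03 prefix.
    custom = parse_uid("E0:04:03:50:AA:BB:CC:DD")
    print(has_slix_l_prefix(custom), content_names(custom))
```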
How can I get the UID of a custom tag?
The UID can be read directly from the tag with several Android or iPhone apps. For Android the best is the NXP TagInfo App (here), for Apple iOS the NFCmanager (here) works very well. If you have a proxmark3 (RFID development tool) you can use that as well. Another possibility is to build your own reader hardware with an Arduino and an RFID reader like the PN5180 (not the MFRC522, which is ISO 14443 only!). The Arduino solution with an ESP8266 and a PN5180 will be introduced in an upcoming post.
Do not put custom tags on top of the Toniebox before you have read the UID, because the Toniebox will activate the privacy mode of the tag. With this enabled you will not be able to read the UID. And disabling the privacy mode is not easy at all. It can be done with the Arduino setup, or with a special firmware by [g3gg0] from Team RevvoX (LINK).
Another way of disabling the privacy mode is the “Knock Methode”. I figured out that you can place an RFID tag on top of the Toniebox and lift it off again quickly, before the Toniebox is able to activate the privacy mode of the tag again. This all needs to be done within half a second. The easiest way is to knock the tag gently on the surface of the Toniebox reader and immediately lift it off again. That’s why I call it the “Knock Methode” or in German the “Klopfmethode”.
What happens to the online verification?
The online verification still happens. But the Tonie cloud server does not know anything about the UID of the custom tag. Therefore this verification step is skipped. This leads to a direct playback of the audio content on the microSD card.
Where to get custom RFID tags for the Toniebox
The seller I can recommend is [RFIDfriend]. He put a lot of time and effort into figuring out where to get the right tags and was able to source some of these. By going back and forth with some Chinese RFID label manufacturers and buying a lot of wrong NFC tags, he was eventually able to get his hands on the right one. They come in the form of a round label with a diameter of 38mm.
RFIDfriend has some of these tags left and is more than willing to hand these over to some tinkerers. You can find him on Kleinanzeigen or contact him directly via Telegram chat or via eMail (he ships these internationally as well).
Be aware that there are some Chinese fakes going around as well! These tend to fail after minimal usage. But you can be assured that RFIDfriend only handles tags with the original NXP chip built in.
All information in short:
- get custom ICODE SLIX-L tag
- read the UID
- change directory and file name on microSD card
- start enjoying your own tag creations.
Any tools for easier success?
Most of the needed steps can be done with the software TeddyBench by Team RevvoX (LINK). In combination with a Proxmark3, linking new tags to audio content that is already on the microSD card is a snap.
To do this, you just need to insert the microSD card into a card reader on your PC, start TeddyBench, double click any given content and place a custom tag on top of your proxmark (or enter the UID by hand if no proxmark is present).
All this will be explained in detail in an upcoming post just about TeddyBench.
Comments are welcome
This article is mostly inspired by questions I get from community members within the Team RevvoX Telegram channel or directly via eMail. I hope that a lot of this information will help all of you to make your own progress and first steps within the custom tag universe.
If you think that something is not really understandable or that I should go into more depth on this subject, please leave your comments below. Additional questions are always welcome as well.