Research, development and trades concerning the powerful Proxmark3 device.
Has anyone already taken a look at the Tonies?
You know, the Tonie boxes that play radio plays.
So far, I haven't had a chance with these little figures.
With the smartphone I could see SLIX-L (SL2S5002) on some ICODE devices.
What I don't understand is why not all figures are recognized.
Neither with the smartphone nor the pm3, etc.
The functionality is coupled with a cloud. However, this must be related to the figures and their UID.
Anyone have some ideas how to go on?
I'll try to recognize some of them with pm3 and post more info if successful.
Offline
Got a link?
Offline
As you have already found out, the "Tonies" contain a SL2S5002.
Normally, the token is protected by something ICODE calls privacy mode.
The chip will not respond to an INV request if in this state, just to commands 0xB2 (get random number, always) or 0xB3 (set password, if you submit the correct xored pw).
If you sniff the communication, you will see the box continuously sending 0xB2 in unaddressed mode until a token responds.
At this point the box uses the acquired random number xored with the password to unlock the privacy mode, sends an INV request to obtain the UID, reads blocks 1 to 8 and locks the chip with 0xBA (enable privacy) again. After this, the box continuously sends 0xB2 (get random number), this time in addressed mode, just to detect if the "Tonie" is still present.
Sometimes, re-enabling the privacy mode seems to fail - this is the case when the "Tonie" responds to the INV sent by your smartphone... If you put the Tonie onto the box, you have a good chance that the box locks the Tonie correctly at this time and it will no longer respond to your smartphone's INV requests afterwards :-)
It's quite easy to get the privacy mode password by sniffing the communication... With this you can script your own reader and read out the Tonies without the box... (Don't do this in the next shop.)
You will find 32 bytes of data in the SLIX-L.
This could be either a SHA256 hash, being a signature of the UID, being just the hash of the content to be downloaded, an internal serial number etc.
If I find the time I will read some more of them (I am especially interested in reading 2 similar Tonies...), maybe I will find out something more...
Offline
Great info. I didn't have much time to deal with it again. I have a lot of Tonies to test here, because my kids love them all.
I will also have to search and read the data sheet again.
If I find out more too, you'll hear from me.
Offline
[moved to correct category]
Offline
If I remember correctly, ICODE SLIX -> ISO 15693
Offline
yup. moved again
Offline
How'd you sniff out the communications? I've never dealt with ISO 15693 tags before. Do you use the pm3 hf 15 commands? Strangely enough, I haven't had any luck yet. I'll keep trying.
Offline
As far as I can remember: "hf 15 snoop"... press the pm3 button afterwards and print out the communication with "hf list raw"...
In my setup it was a little bit tricky to get both directions (I guess the antenna in the token is not really good...).
If you see just the reader, play a bit with the position of the antenna and use a Tonie with a "fat ass"...
BTW: In active communication, I didn't get the unlocking of a Tonie done with the pm3, because the pm3 did not maintain the reader field after sending a command, see my other topic in ISO15639... I do this with a QR-15 from http://www.metratec.com/ now.
In the meantime I was able to read out some more Tonies, especially two "identical" ones. (Reading also works on Tonies in their original packaging... :-) )
Unfortunately, they differ in both UID and data. The data does not have any conspicuous structure I can see right now... (I still believe it's a sha256 hash over the token's UID and a secret)
Offline
I have ICode SLIX-L (SL2S5002) magic cards. They can be exported in large quantities.
Offline
@Json50 nice to know. I’ll come back to you later and send you an email if I need some.
Offline
I am also interested in cloning the tonies.
Has anyone had any luck so far?
Offline
I moved my Issue with scripting to the correct spot in this forum.
Last edited by Gambrius (2019-11-06 10:41:44)
Offline
@gtpy and @datatype:
Did you make any further progress with cloning a Tonie?
I used one of the ISO 15693 cards with the changeable UID feature.
But after setting the UID to the one of my „Kreativtonie“ and setting the first 8 blocks to the same data content as my Tonie, it did not work on the Toniebox. I guess it is the missing privacy mode that I do not get to work.
What do you think?
Regards,
Gambrius
Last edited by Gambrius (2019-12-22 00:00:10)
Offline
Hello,
Just wanted to share some information regarding the Tonies.
Tonies use an NXP ICODE SLIX-L chip which is set into privacy mode. To enable or disable the privacy mode, the 4-byte password has to be known, which is set by Boxine (the company that sells the Toniebox).
For unlocking any Tonie without knowing the password and without any fancy hardware you could use the „knock method“ („Klopf Methode“), which I describe in detail in my blog.
The Toniebox itself verifies the card by the following steps:
- request random number
- disable privacy mode by set password with the Tonie PW, or if not successful with the default password by NXP „0F0F0F0F“
- read Inventory (checks the first three bytes to be „E0 04 03“)
- read 32 bytes of memory
- enable privacy mode
- read random number in selected mode (the last step is done over and over again, until the card is taken from the reader)
Due to the verification of the first three bytes, for cloning a Tonie you can only use SLIX-L chips or SLIX2 chips WITH a changeable UID. But the last option is unknown to me because I have not seen any SLIX2 cards with a changeable UID (there are only SLIX cards available but they are missing the privacy mode).
Because the SLIX-L chips do not have a changeable UID you cannot fully clone a Tonie, but you can use this chip either way.
Within the Toniebox there is a microSD card, where the audio files for the audio books are stored. The name of the audio file in combination with the name of the directory states the UID of the Tonie that the audio content is for. Rename the audio file to the first four bytes of the UID of your new tag in reverse order and name the directory after the last four bytes of the UID in reverse order.
With this change you can just use any SLIX-L tag to play your audio book.
You do not need to make any modification to the standard SLIX-L tag, because the Toniebox accepts the default password for privacy mode by NXP. And the 32-byte memory is only used for downloading the audio file from the Tonie server, but because the files of your audio books are already on your Toniebox you do not need the memory.
I just wanted to share my findings with you.
Regards,
Gambrius
Offline
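The exchange described in the posts above (get random number, then set password with the XORed value), as an added example that is not part of any post: it rebuilds the frames with constructed values and shows why the XOR step keeps nothing secret from a listener who sees both directions. The flag byte 0x02, manufacturer code 0x04, password identifier 0x04 and the unaddressed frame layout are assumptions, not values given in the thread.

```python
# Added example; the random number and the frame layout are constructed/assumed.
GET_RANDOM, SET_PASSWORD, ENABLE_PRIVACY = 0xB2, 0xB3, 0xBA  # from the thread
NXP_MFG = 0x04         # assumed: manufacturer code carried in NXP custom commands
PWD_ID_PRIVACY = 0x04  # assumed: identifier selecting the privacy password

def crc15693(data: bytes) -> bytes:
    """ISO/IEC 15693 CRC-16: init 0xFFFF, reflected poly 0x8408, inverted, LSB first."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    crc ^= 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def xor_password(password: bytes, rnd: bytes) -> bytes:
    """Mask a 4-byte password with the 2-byte random number, used twice."""
    return bytes(p ^ rnd[i % 2] for i, p in enumerate(password))

def frame(*body: int) -> bytes:
    """Append the CRC to a request or response body."""
    return bytes(body) + crc15693(bytes(body))

def password_from_trace(trace):
    """Return the password derivable from (direction, frame) pairs, or None."""
    rnd, last_cmd = None, None
    for direction, data in trace:
        body = data[:-2]
        if len(data) < 4 or crc15693(body) != data[-2:]:
            continue  # truncated or corrupted frame, common when sniffing
        if direction == "rdr":
            last_cmd = body[1]
            if (last_cmd == SET_PASSWORD and rnd is not None
                    and len(body) == 8 and body[3] == PWD_ID_PRIVACY):
                return xor_password(body[4:8], rnd)  # XOR is its own inverse
        elif last_cmd == GET_RANDOM and len(body) == 3 and body[0] == 0x00:
            rnd = body[1:3]  # response: flags, then the 16-bit random number
    return None

PW = bytes.fromhex("0F0F0F0F")  # NXP default password named in the thread
RND = bytes.fromhex("A55A")     # constructed random number
TRACE = [                       # constructed exchange, unaddressed mode
    ("rdr", frame(0x02, GET_RANDOM, NXP_MFG)),
    ("tag", frame(0x00, *RND)),
    ("rdr", frame(0x02, SET_PASSWORD, NXP_MFG, PWD_ID_PRIVACY,
                  *xor_password(PW, RND))),
]
```

Because the random number crosses the air in the clear, the masked password only resists replay of an old frame; it does not hide the password itself.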
Hi Gambrius, thank you for sharing your research on this type of card. Good evening.
Offline