Emulating a tonie with proxmark?

First of all, really nice work here (and those blogs), even if I can’t get through it all.

I am quite new to the subject and am trying to understand the Tonie Tags.
I bought a Proxmark3 RDV4 for this purpose and managed to dump the figures, but how can I simulate them with the Proxmark?

Privacy mode was of course already deactivated during the readout, so I have a dump and thought in my old recklessness:

hf 15 eload -f mydump
hf 15 sim -u

but nope, this does not work.
With my colleague’s Flipper Zero, on the other hand, dumping and playback works wonderfully.

too few information. but check this:

  • the box checks for the UID being E0 04 03 50 …
  • it calls NXP SLIX specific RAND (0xB2 0x04) function
  • it calls NXP SLIX specific SET PASSWORD (0xB3 0x04 0x04) function
  • it will READBLOCK (0x20) memory blocks 0x00-0x08 and wants to see an error (!!) on block 0x08
  • it will ENABLE PRIVACY (0xBA 0x04) again

if anything goes wrong, it ignores the tag

Thanks for your fast reply, but to be honest I don’t have any idea of how to follow those steps you mentioned. Guess I need to dig lil bit further in Proxmark/NFC stuff to get an understanding of what I need to do.

Hi there,

I have a proxmark3 too and I cannot simulate a tag like you with the actial iceman3 firmware and I cannot compile the old git repo which g3gg0 made a PR for the simulation.
I think build tools too new and repo too old for this.

How could we implement proper tag simulation into actual iceman firmware?


The latest TeddyBench should work.
Although there are currently reports about others having issues too.