Emulating a tonie with proxmark?

t4c · January 10, 2024, 1:14pm

First of all, really nice work here (and those blogs), even if I can’t get through it all.

I am quite new to the subject and am trying to understand the Tonie Tags.
I bought a Proxmark3 RDV4 for this purpose and managed to dump the figures, but how can I simulate them with the Proxmark?

Privacy mode was of course already deactivated during the readout, so I have a dump and thought in my old recklessness:

hf 15 eload -f mydump
hf 15 sim -u

but nope, this does not work.
With my colleague’s Flipper Zero, on the other hand, dumping and playback works wonderfully.

g3gg0 · January 10, 2024, 8:39pm

too few information. but check this:

the box checks for the UID being E0 04 03 50 …
it calls NXP SLIX specific RAND (0xB2 0x04) function
it calls NXP SLIX specific SET PASSWORD (0xB3 0x04 0x04) function
it will READBLOCK (0x20) memory blocks 0x00-0x08 and wants to see an error (!!) on block 0x08
it will ENABLE PRIVACY (0xBA 0x04) again

if anything goes wrong, it ignores the tag

t4c · January 11, 2024, 8:35am

Thanks for your fast reply, but to be honest I don’t have any idea of how to follow those steps you mentioned. Guess I need to dig lil bit further in Proxmark/NFC stuff to get an understanding of what I need to do.

Crash_Override · January 23, 2024, 1:40am

Hi there,

I have a proxmark3 too and I cannot simulate a tag like you with the actial iceman3 firmware and I cannot compile the old git repo which g3gg0 made a PR for the simulation.
I think build tools too new and repo too old for this.

How could we implement proper tag simulation into actual iceman firmware?

cheers

g3gg0 · January 23, 2024, 3:54pm

The latest TeddyBench should work.
Although there are currently reports about others having issues too.

StefanK · January 13, 2025, 12:13pm

Hi,
is this still an Issue?
Inmanaged to emulate the Tags with my Proxmark3 Easy and the Iceman Firmware

Byunei · January 3, 2026, 12:17pm

What’s your Iceman firmware ?

My configuration :

[PM3] Device info:
[PM3]   BOOTROM_PRESENT         Y
[PM3]   OSIMAGE_PRESENT         Y
[PM3]   MODE_BOOTROM            N
[PM3]   MODE_OS                 Y
[PM3]   UNDERSTANDS_START_FLASH N
[PM3]   UNDERSTANDS_VERSION     N
[PM3] Chip ID: 0x270B0A4F
[PM3] Section: 0x0005BDC1
[PM3] Version:
[PM3]      [ ARM ]
[PM3]       Bootrom… Iceman/master/v4.20728-288-g2a2c06e61-suspect 2026-01-02 22:37:25 7cdeebf82
[PM3]       OS… Iceman/master/v4.20728-288-g2a2c06e61-suspect 2026-01-02 22:37:39 7cdeebf82[PM3]       Compiler… GCC 12.2.0
[PM3]
[PM3]      [ FPGA ]
[PM3]      fpga_pm3_hf.ncd image 2s30vq100 02-01-2026 22:36:06[PM3]      fpga_pm3_lf.ncd image 2s30vq100 02-01-2026 22:36:06[PM3]      fpga_pm3_felica.ncd image 2s30vq100 02-01-2026 22:36:06[PM3]      fpga_pm3_hf_15.ncd image 2s30vq100 02-01-2026 22:36:06

I can’t emulate and dump my tonies with TeddyBench 1.7.0 and latest Iceman Firmware, my debug log from TeddyBench :

[PM3] Try port COM3
[PM3] Device info: 
[PM3]   BOOTROM_PRESENT         Y
[PM3]   OSIMAGE_PRESENT         Y
[PM3]   MODE_BOOTROM            N
[PM3]   MODE_OS                 Y
[PM3]   UNDERSTANDS_START_FLASH N
[PM3]   UNDERSTANDS_VERSION     N
[PM3] Chip ID: 0x270B0A4F
[PM3] Section: 0x0005BDC1
[PM3] Version:
[PM3]      [ ARM ]
[PM3]       Bootrom.... Iceman/master/v4.20728-288-g2a2c06e61-suspect 2026-01-02 22:37:25 7cdeebf82
[PM3]       OS......... Iceman/master/v4.20728-288-g2a2c06e61-suspect 2026-01-02 22:37:39 7cdeebf82
[PM3]       Compiler... GCC 12.2.0
[PM3]     
[PM3]      [ FPGA ] 
[PM3]      fpga_pm3_hf.ncd image 2s30vq100 02-01-2026 22:36:06
[PM3]      fpga_pm3_lf.ncd image 2s30vq100 02-01-2026 22:36:06
[PM3]      fpga_pm3_felica.ncd image 2s30vq100 02-01-2026 22:36:06
[PM3]      fpga_pm3_hf_15.ncd image 2s30vq100 02-01-2026 22:36:06
[PM3] UnlockTag: Send request for pass 0xDEADBEEF
[PM3] WTX received: 1500
[Pn5180Esp] Trying to stop thread
[Pn5180Esp] Trying to abort thread
[PM3] Try port COM3
[PM3] Device info: 
[PM3]   BOOTROM_PRESENT         Y
[PM3]   OSIMAGE_PRESENT         Y
[PM3]   MODE_BOOTROM            N
[PM3]   MODE_OS                 Y
[PM3]   UNDERSTANDS_START_FLASH N
[PM3]   UNDERSTANDS_VERSION     N
[PM3] Chip ID: 0x270B0A4F
[PM3] Section: 0x0005BDC1
[PM3] Version:
[PM3]      [ ARM ]
[PM3]       Bootrom.... Iceman/master/v4.20728-288-g2a2c06e61-suspect 2026-01-02 22:37:25 7cdeebf82
[PM3]       OS......... Iceman/master/v4.20728-288-g2a2c06e61-suspect 2026-01-02 22:37:39 7cdeebf82
[PM3]       Compiler... GCC 12.2.0
[PM3]     
[PM3]      [ FPGA ] 
[PM3]      fpga_pm3_hf.ncd image 2s30vq100 02-01-2026 22:36:06
[PM3]      fpga_pm3_lf.ncd image 2s30vq100 02-01-2026 22:36:06
[PM3]      fpga_pm3_felica.ncd image 2s30vq100 02-01-2026 22:36:06
[PM3]      fpga_pm3_hf_15.ncd image 2s30vq100 02-01-2026 22:36:06
[PM3] UnlockTag: Send request for pass 0xDEADBEEF
[PM3] timeout 
[PM3] UnlockTag: NACK (reason: -4)
[PM3] MeasureAntenna: Start
[PM3] WTX received: 1500
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] WTX received: 1500
[PM3] Device does  support SLIX-L unlock command
[PM3] TryOpen: COM3 successfully opened
[PM3] Success
[PM3] GetResponse: Send 02B2048E3C
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[Pn5180Esp] Trying to abort thread
[PM3] MainFunc: Device failed. Closing. (System.Threading.ThreadAbortException: Le thread a été abandonné.
   à System.Threading.WaitHandle.WaitOneNative(SafeHandle waitableSafeHandle, UInt32 millisecondsTimeout, Boolean hasThreadAffinity, Boolean exitContext)
   à System.Threading.WaitHandle.InternalWaitOne(SafeHandle waitableSafeHandle, Int64 millisecondsTimeout, Boolean hasThreadAffinity, Boolean exitContext)
   à System.Threading.WaitHandle.WaitOne(Int32 millisecondsTimeout, Boolean exitContext)
   à System.IO.Ports.SerialStream.EndRead(IAsyncResult asyncResult)
   à System.IO.Ports.SerialStream.Read(Byte[] array, Int32 offset, Int32 count, Int32 timeout)
   à System.IO.Ports.SerialStream.Read(Byte[] array, Int32 offset, Int32 count)
   à System.IO.Ports.SerialPort.Read(Byte[] buffer, Int32 offset, Int32 count)
   à TeddyBench.Proxmark3.Pm3UsbResponse.BlockingRead(SerialPort p, Byte[] receivedData, Int32 start, Int32 readCount, Int32 waitTime) dans C:\Users\g3gg0\source\repos\Tonie\TeddyBench\Proxmark3.cs:ligne 273
   à TeddyBench.Proxmark3.Pm3UsbResponse..ctor(SerialPort p, Int32 waitTime) dans C:\Users\g3gg0\source\repos\Tonie\TeddyBench\Proxmark3.cs:ligne 296
   à TeddyBench.Proxmark3.SendCommand(Byte[] command) dans C:\Users\g3gg0\source\repos\Tonie\TeddyBench\Proxmark3.cs:ligne 740
   à TeddyBench.Proxmark3.GetRandom(Byte[] uid) dans C:\Users\g3gg0\source\repos\Tonie\TeddyBench\Proxmark3.cs:ligne 784
   à TeddyBench.Proxmark3.ScanThreadFunc() dans C:\Users\g3gg0\source\repos\Tonie\TeddyBench\Proxmark3.cs:ligne 494)
[PM3] Flush: 12150 bytes to flush
[PM3] Try port COM3
[PM3] Device info: 
[PM3]   BOOTROM_PRESENT         Y
[PM3]   OSIMAGE_PRESENT         Y
[PM3]   MODE_BOOTROM            N
[PM3]   MODE_OS                 Y
[PM3]   UNDERSTANDS_START_FLASH N
[PM3]   UNDERSTANDS_VERSION     N
[PM3] Chip ID: 0x270B0A4F
[PM3] Section: 0x0005BDC1
[PM3] Version:
[PM3]      [ ARM ]
[PM3]       Bootrom.... Iceman/master/v4.20728-288-g2a2c06e61-suspect 2026-01-02 22:37:25 7cdeebf82
[PM3]       OS......... Iceman/master/v4.20728-288-g2a2c06e61-suspect 2026-01-02 22:37:39 7cdeebf82
[PM3]       Compiler... GCC 12.2.0
[PM3]     
[PM3]      [ FPGA ] 
[PM3]      fpga_pm3_hf.ncd image 2s30vq100 02-01-2026 22:36:06
[PM3]      fpga_pm3_lf.ncd image 2s30vq100 02-01-2026 22:36:06
[PM3]      fpga_pm3_felica.ncd image 2s30vq100 02-01-2026 22:36:06
[PM3]      fpga_pm3_hf_15.ncd image 2s30vq100 02-01-2026 22:36:06
[PM3] UnlockTag: Send request for pass 0xDEADBEEF
[PM3] WTX received: 1500
[PM3] UnlockTag: NACK (reason: -4)
[PM3] MeasureAntenna: Start
[PM3] WTX received: 1500
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] timeout (measurement takes a while)
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[PM3] DebugMessage 1 's_toSend overflow'
[Pn5180Esp] Trying to abort thread
[PM3] MainFunc: Device failed. Closing. (System.Threading.ThreadAbortException: Le thread a été abandonné.
   à System.Threading.OverlappedData.FreeNativeOverlapped(NativeOverlapped* nativeOverlappedPtr)
   à System.Threading.Overlapped.Free(NativeOverlapped* nativeOverlappedPtr)
   à System.IO.Ports.SerialStream.EndRead(IAsyncResult asyncResult)
   à System.IO.Ports.SerialStream.Read(Byte[] array, Int32 offset, Int32 count, Int32 timeout)
   à System.IO.Ports.SerialStream.Read(Byte[] array, Int32 offset, Int32 count)
   à System.IO.Ports.SerialPort.Read(Byte[] buffer, Int32 offset, Int32 count)
   à TeddyBench.Proxmark3.Pm3UsbResponse.BlockingRead(SerialPort p, Byte[] receivedData, Int32 start, Int32 readCount, Int32 waitTime) dans C:\Users\g3gg0\source\repos\Tonie\TeddyBench\Proxmark3.cs:ligne 273
   à TeddyBench.Proxmark3.Pm3UsbResponse..ctor(SerialPort p, Int32 waitTime) dans C:\Users\g3gg0\source\repos\Tonie\TeddyBench\Proxmark3.cs:ligne 319
   à TeddyBench.Proxmark3.SendCommand(Byte[] command) dans C:\Users\g3gg0\source\repos\Tonie\TeddyBench\Proxmark3.cs:ligne 740
   à TeddyBench.Proxmark3.GetRandom(Byte[] uid) dans C:\Users\g3gg0\source\repos\Tonie\TeddyBench\Proxmark3.cs:ligne 784
   à TeddyBench.Proxmark3.ScanThreadFunc() dans C:\Users\g3gg0\source\repos\Tonie\TeddyBench\Proxmark3.cs:ligne 494)
[PM3] Flush: 12280 bytes to flush
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)
[PM3] GetUID: Failed (no resp)

I manage to dump my tonies with Proxmark Client :

[usb] pm3 --> hf 15 info
[=] Using scan mode

[=] --- Tag Information ---------------------------
[+] UID....... E0 04 03 50 XX XX XX XX
[+] TYPE MATCH NXP (Philips); ICS5002/ICS5102 ( SLIX-L )
[+] SYSINFO... 00 0F XX XX XX XX 50 03 04 E0 00 00 07 03 03
[+] DSFID..... 0x00
[+] AFI....... 0x00
[+] IC ref.... 0x03
[+] Tag memory layout (vendor dependent)
[+]     4 ( or 3 ) bytes/blocks x 8 blocks
[+]     32 total bytes

[usb] pm3 --> hf 15 dump
[=] Using scan mode
[+] Reading memory
[\]blk   8
[=] --- Tag Memory -------------------

[=] -----+-------------+---+------
[=]  blk | data        |lck| ascii
[=] -----+-------------+---+------
[=]    0 | 3C D8 DF XX | 1 | <...
[=]    1 | DE 95 7F XX | 1 | ....
[=]    2 | ED 58 BE XX | 1 | .X.~
[=]    3 | 39 80 31 XX | 1 | 9.1~
[=]    4 | 20 C9 F7 XX | 1 |  ..S
[=]    5 | 43 55 58 XX | 1 | CUX.
[=]    6 | CC BB 88 XX | 1 | ....
[=]    7 | CE 71 5F XX | 1 | .q_Y
[=] -----+-------------+---+------

[=] Using UID as filename
[+] Saved 2235 bytes to binary file `C:\ProxSpace\pm3/hf-15-E0040350244A1E14-dump-010.bin`
[+] Saved to json file C:\ProxSpace\pm3/hf-15-E0040350244A1E14-dump-010.json

Unfortunately, emulation also doesn’t work :

[usb] pm3 --> hf 15 eload -f C:\ProxSpace\pm3/hf-15-E0040350XXXXXXXX-dump-010
[+] Loaded 2235 bytes from binary file `C:\ProxSpace\pm3/hf-15-E0040350XXXXXXXX-dump-010`
[=] Clearing emulator memory
[=] Uploading to emulator memory
[=] ..........
[+] uploaded 2235 bytes to emulator memory
[?] Hint: You are ready to simulate. See `hf 15 sim -h`
[=] Done!


[usb] pm3 --> hf 15 sim -u E0040350XXXXXXXX
[=] Press pm3 button to abort simulation

Nothing is read by the TonieBox v2.

Stefan_Kahnert · January 3, 2026, 3:27pm

Hi, its some time ago, but i think i used the default Iceman settings. I didn’t use Teddybench to dump the tonies, but i used the gitHub repo (deleted: that’s piracy!). I wrote a converter, to get them into the Proxmark json format. I used the first version of the Toniebox. It works perfecly fine for me

henryk · January 3, 2026, 6:18pm

Please do not Show that you are using piracy. That GitHub repository is pure piracy.

Byunei · January 3, 2026, 8:24pm

Sorry, it was just to test and understand why it wasn’t working.

Can I post my own dump with edited data / UID ?

Byunei · January 4, 2026, 11:10am

Does your JSON looks like that ?

{
  "Created": "proxmark3",
  "FileType": "15693 v4",
  "Card": {
    "uid": "141E4A24XXXXXXXX",
    "dsfid": "00",
    "dsfidlock": "00",
    "afi": "00",
    "afilock": "00",
    "bytesperpage": "04",
    "pagescount": "08",
    "ic": "03",
    "locks": "0101010101010101",
    "random": "0000",
    "privacypasswd": "00000000",
    "state": "00"
  },
  "blocks": {
    "0": "3CD8DFXX",
    "1": "DE957FXX",
    "2": "ED58BEXX",
    "3": "398031XX",
    "4": "20C9F7XX",
    "5": "435558XX",
    "6": "CCBB88XX",
    "7": "CE715FXX"
  }
}

Name of my dump file : hf-15-XXXXXXXX244A1E14.json