Emulating a tonie with proxmark?

t4c · January 10, 2024, 1:14pm

First of all, really nice work here (and those blogs), even if I can’t get through it all.

I am quite new to the subject and am trying to understand the Tonie Tags.
I bought a Proxmark3 RDV4 for this purpose and managed to dump the figures, but how can I simulate them with the Proxmark?

Privacy mode was of course already deactivated during the readout, so I have a dump and thought in my old recklessness:

hf 15 eload -f mydump
hf 15 sim -u

but nope, this does not work.
With my colleague’s Flipper Zero, on the other hand, dumping and playback works wonderfully.

g3gg0 · January 10, 2024, 8:39pm

too few information. but check this:

the box checks for the UID being E0 04 03 50 …
it calls NXP SLIX specific RAND (0xB2 0x04) function
it calls NXP SLIX specific SET PASSWORD (0xB3 0x04 0x04) function
it will READBLOCK (0x20) memory blocks 0x00-0x08 and wants to see an error (!!) on block 0x08
it will ENABLE PRIVACY (0xBA 0x04) again

if anything goes wrong, it ignores the tag

t4c · January 11, 2024, 8:35am

Thanks for your fast reply, but to be honest I don’t have any idea of how to follow those steps you mentioned. Guess I need to dig lil bit further in Proxmark/NFC stuff to get an understanding of what I need to do.

Crash_Override · January 23, 2024, 1:40am

Hi there,

I have a proxmark3 too and I cannot simulate a tag like you with the actial iceman3 firmware and I cannot compile the old git repo which g3gg0 made a PR for the simulation.
I think build tools too new and repo too old for this.

How could we implement proper tag simulation into actual iceman firmware?

cheers

g3gg0 · January 23, 2024, 3:54pm

The latest TeddyBench should work.
Although there are currently reports about others having issues too.