I tried decoding the Tamagotchi Friends NFC with a Proxmark 3, but had limited success, so I went back to looking at it with an oscilloscope. I was able to figure out the modulation scheme.
Previously, I tried reading the Tamagotchi Friends NFC with a Proxmark 3 using
lf -read and got unusual results. DW suggested that they might be caused by the Proxmark and the Tamagotchi trying to send excitation pulses at the same time, leading to contention in the coils (and spiky-ness in the plots). I modified the Proxmark firmware to disable the excitation pulse when reading, and got smoother, but no less baffling plots.
I decided it was time to go back to the scope and see if I could figure out the modulation.
After a bit of fiddling, I got this capture. This is the initial transmission a Tamagotchi makes if you select “BFF Bump”, and then the left side of the heart. Note that this is just the transmission made by a single Tamagotchi, I didn’t capture the response, in fact there wasn’t even a second Tamagotchi nearby to respond.
The large bursts all have exactly eight pulses between them, so I assumed these separate bytes. Looking at the pulses, there are pulses with long gaps between them and short gaps between them.
Assuming the long pulses are 1’s (this would make transmissions shorter, as usually there are more 0s than 1s), the capture can be decoded!
The decoded output is:
00 0D 00 13 00 0B 08 04 1A
Starting with the second character, and treating each value as the order of a letter in the alphabet (A is 0 because it’s the first letter, N is 0x0d or 13 because it’s the 14th letter in the alphabet), this spells “NATALIE”! This is the name I entered in my Tamagotchi when I set it up. So this is likely a valid demodulation!
Next up is trying to figure out if I can read and simulate this on the Proxmark.