Emulating the Tamagotchi Friends NFC

I used a Proxmark 3 to emulate the Tamagotchi Friends’ NFC. This confirms it is indeed low-frequency RFID, and sheds some light on the NFC format.

The black thing in the background is the Proxmark antenna

I spent a long time playing with the Proxmark to try and get it to decode the Tamagotchi NFC. I knew the modulation format from looking at the output on an oscilloscope, so I hoped it would be possible to modify the Proxmark’s firmware to decode it.

Unfortunately, all the output was badly corrupted. I could generally make out when transmission started and stopped, but I couldn’t make out the bits. I eventually tried reading a Tamagotchi that was not transmitting, and found that the Proxmark was picking up a large amount of noise.

Keep in mind nothing is transmitting here

I think this is due to the differences in the antenna dimensions. The Tamagotchi antenna isn’t very sensitive and is basically touching the transmitting antenna, so it probably doesn’t pick up a lot of noise. Meanwhile, the Proxmark antenna is a lot larger and more sensitive and can pick up weak signals. I suspect this means that I can never use the Proxmark to receive Tamagotchi data without a custom antenna.

My antenna is too big

This doesn’t mean the Proxmark can’t transmit valid data though.

Based on the scope output, I tried to emulate the Tamagotchi Friends, but it didn’t work; the Tamagotchi didn’t even detect the output.

MrBlinky managed to sniff his Tamagotchi by finding the points where the carrier envelope is detected on the Tamagotchi PCB and connecting his Arduino to it.

The connection points

He suggested I try using a coil with a resistor and capacitor attached to sniff the transmissions.

I took a coil out of an RFID access card by dissolving it in acetone, and connected it to a signal analyser.

Hey, it works

I couldn’t remember where I put my resistors or capacitors

This gave me a fairly clear image of the Tamagotchi Friends transmissions.

Output!

I could also use this to compare the Tamagotchi transmissions to the Proxmark, and found out that the timing was badly off. I fixed this, and the Tamagotchi started failing when it received the transmission (which was better, as at least it was detecting an invalid packet).

Looking at MrBlinky’s analysis of the format, I discovered that the Tamagotchi NFC actually uses two transmissions per ‘bump’. I tried transmitting them 100 ms apart (as the Proxmark can’t detect when it receives a response), and it worked!

At first, I had the Proxmark act as a sender, and the Tamagotchi the receiver, and tested the BFF bump, but it turns out that it is actually the receiver of the bump that determines the outcome, so I switched it to be the receiver. With this, I was able to determine all of the outcomes of the BFF bump!

| Final Packet Byte 8 value | Behaviour |
|---|---|
| 0-59 | Each Tamagotchi receives a piece of jewelry based on the number, in the same order they are listed on the collection screen |
| 255 | Slot machine, all cherries, gain 1000 points |
| 254 | Slot machine, all flowers, gain 800 points |
| 253 | Slot machine, all music notes, gain 600 points |
| 252 | Slot machine, all stars, gain 400 points |
| All other values | Slot machine, all hearts, gain 200 points |

Next up is to figure out the protocol for the other types of bumps, see if I can put the Tamagotchi into debug mode, and look for bugs that could allow code execution.

I’ve posted the Proxmark code for the BFF bump here. Be forewarned this will prevent your Proxmark from working with anything but a Tamagotchi until you reload the firmware. Why anyone would consider this a problem is beyond me.
