I used a Proxmark 3 to emulate the Tamagotchi Friends’ NFC. This confirms it is indeed low-frequency RFID, and shed some light on the NFC format.
I spent a long time playing with the Proxmark to try and get it to decode the Tamagotchi NFC. I knew the modulation format from looking at the output on an oscilloscope, so I hoped it would be possible to modify the Proxmark’s firmware to decode it.
Unfortunately, all the output was badly corrupted. I could generally make out when transmission started and stopped, but I couldn’t make out the bits. I eventually tried reading a Tamagotchi that was not transmitting, and found that the Proxmark was picking up a large amount of noise.
I think this is due to the differences in the antenna dimensions. The Tamagotchi antenna isn’t very sensitive and is basically touching the transmitting antenna, so it probably doesn’t pick up a lot of noise. Meanwhile, the Proxmark antenna is a lot larger and more sensitive and can pick up weak signals. I suspect this means that I can never use the Proxmark to receive Tamagotchi data without a custom antenna.
This doesn’t mean the Proxmark can’t transmit valid data though.
Based on the scope output, I tried to emulate the Tamagotchi Friends, but it didn’t work, the Tamagotchi didn’t even detect the output.
MrBlinky managed to sniff his Tamagotchi by finding the points where the carrier envelop is detected on the Tamagotchi PCB and connecting his Arduino to it.
He suggested I try using a coil with a resistor and capacitor attached to sniff the transmissions.
I took a coil out of an RFID access card by dissolving it in acetone, and connected it to a signal analyser.
This gave me a fairly clear image of the Tamagotchi friends transmissions.
I could also use this to compare the Tamagotchi transmissions to the Proxmark, and found out that the timing was badly off. I fixed this, and the Tamagotchi started failing when it received the transmission (which as better, as at least it was detecting an invalid packet).
Looking at MrBlinky’s analysis of the format, I discovered that the Tamagotchi NFC actually uses two transmissions per ‘bump’. I tried transmitting them 100 ms apart (as the Proxmark can’t detect when it receives a response), and it worked!
At first, I had the Proxmark act as a sender, and the Tamagotchi the receiver, and tested the BFF bump, but it turns out that it is actually the receiver of the bump that determines the outcome, so I switched it to be the receiver. With this, I was able to determine all of the outcomes of the BFF bump!
|Final Packet Byte 8 value||Behaviour|
|0-59||Each Tamagotchi receives a piece of jewelry based on the number, in the same order they are listed on the collection screen|
|255||Slot machine, all cherries, gain 1000 points|
|254||Slot machine, all flowers, gain 800 points|
|253||Slot machine, all music notes, gain 600 points|
|252||Slot machine, all stars, gain 400 points|
|All other values||Slot machine, all hearts, gain 200 points|
Next up is to figure out protocol for the other types of bumps, see if I can put the Tamagotchi into debug mode, and look for bugs that could allow code execution.
I’ve posted the Proxmark code for the BFF bump here. Be forwarned this will prevent your Proxmark from working with anything but a Tamagotchi until you reload the firmware. Why anyone would consider this a problem is beyond me.
Pingback: They are back! You don’t need a time machine to enjoy them again… Tamagotchi Review |