I got an RFIDler (thanks, Mudge) and wanted to see if I could get it to emulate a Tamagotchi Friends. My Proxmark having experienced an unfortunate demise in which its firmware got stuck in a state where it could do nothing but perform Tamagotchi weddings, I was hoping to continue testing the Tamagotchi Friends’ RFID functionality using the RFIDler.
I started by trying to read the Tamagotchi Friends using the RFIDler, but I got the same strange output as I did with the Proxmark, which I suspect is because the RFIDler was attempting to energize the Tamagotchi even though it’s an active device. I tried putting the RFIDler in raw ASK sniffer mode, but I still didn’t get any output. This may be because the RFIDler doesn’t support the pulse modulation that the Tamagotchi uses (it differs from typical ASK in that it has a separator between bytes), and I also wondered whether I might be having antenna issues. While the size mismatch between the RFIDler antenna and the Tamagotchi antenna is not as vast as the mismatch between the Proxmark antenna and the Tamagotchi antenna, the RFIDler antenna is still a lot larger, has thicker wire, and has more loops than the Tamagotchi antenna. So it’s very possible that my Tamagotchi was not transmitting strongly enough for the RFIDler to pick it up.
I decided to move on to transmission, and after trying quite a few commands, found out that PWM and RWD are the right commands for this type of transmission. These commands allow a user to send bit strings using custom ASK modulation timings. Unfortunately, they didn’t support the Tamagotchi protocol for a few reasons. First, they assume that the low part of the waveform for transmitting a bit is the same length whether you are transmitting a one or a zero, which it is not for the Tamagotchi.
They also don’t support the byte separation pattern that the Tamagotchi modulation uses. Finally, the Tamagotchi transmission contains more bytes than these commands support. I created separate commands, PWM2 and RWD2, that support these options; you can find the code for this here.
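To make those three differences concrete, here is a small added Python model (not the RFIDler firmware and not the PWM2 code linked above) of a pulse encoder and decoder that uses a different carrier-off length for 1 and 0 bits and inserts a separator pulse after every byte; every timing value is a constructed placeholder, not a measured Tamagotchi figure.

```python
# Added example: models the modulation features the text says stock PWM lacks.
# Timings are constructed placeholders in microseconds, not Tamagotchi measurements.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class AskTimings:
    high: int       # carrier-on gap that precedes every data bit
    low_zero: int   # carrier-off length that encodes a 0 bit
    low_one: int    # carrier-off length that encodes a 1 bit (deliberately different)
    sep_high: int   # byte separator: a carrier-on gap ...
    sep_low: int    # ... followed by a carrier-off length unlike either bit

Pulse = Tuple[int, int]  # (level: 1 = carrier on, 0 = carrier off, duration in us)

def encode(data: bytes, t: AskTimings) -> List[Pulse]:
    """Turn bytes into a pulse train, MSB first, with a separator after each byte."""
    pulses: List[Pulse] = []
    for byte in data:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            pulses.append((1, t.high))
            pulses.append((0, t.low_one if bit else t.low_zero))
        pulses.append((1, t.sep_high))
        pulses.append((0, t.sep_low))
    return pulses

def decode(pulses: List[Pulse], t: AskTimings, tol: int = 5) -> bytes:
    """Recover bytes by classifying each carrier-off pulse by its nearest expected length."""
    classes: dict = {t.low_zero: 0, t.low_one: 1, t.sep_low: None}  # None = separator
    out, bits = bytearray(), []  # type: bytearray, List[int]
    for level, d in pulses:
        if level != 0:
            continue  # in this scheme the carrier-on gaps carry no data
        nearest = min(classes, key=lambda ref: abs(ref - d))
        if abs(nearest - d) > tol:
            raise ValueError(f"unexpected carrier-off length {d} us")
        value: Optional[int] = classes[nearest]
        if value is None:
            if len(bits) != 8:
                raise ValueError(f"separator after {len(bits)} bits, expected 8")
            out.append(int("".join(map(str, bits)), 2))
            bits = []
        else:
            bits.append(value)
    if bits:
        raise ValueError("trailing bits with no byte separator")
    return bytes(out)
```

Feeding a sniffed pulse list into `decode` with a realistic `tol` is how you would check whether a capture actually matches the expected byte framing before trying to replay it.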
With these commands, I was able to emulate the Tamagotchi by calling:
PWM2 800 0 0 19 19 10 0 0 1 100 20 1 75 20
Python code for this is here.
The following video shows the RFIDler in action!
I did a bit of testing on the new US firmware for the Tamagotchi Friends, and it appears to have similar functionality to the European version. Next up is taking a more in-depth look to see if there are any subtle changes that might allow code execution.