I recently got a Proxmark 3, and used it to read the NFC of the Tamagotchi Friends. This allowed me to get some data on the protocol.
I used an oscilloscope to measure the frequency of the Tamagotchi Friends NFC, and it turned out to be at 125 kHz, which is the right frequency for RFID (I’ll continue to call it NFC throughout this entry even though it’s technically RFID). I was hoping the Proxmark would shed more light on the protocol.
The Tamagotchi Friends ‘NFC’ supports two modes, ‘initiator’ and ‘receiver’. I started off by using the Proxmark to provide the excitation pulses and read the Tamagotchi. The result looked like this
Scanning the Tamagotchi
Scanning with nothing near the antenna resulted in this
Nothing on the antenna
Meanwhile scanning with the Tamagotchi on top of the antenna, but with NFC disabled resulted in this.
This is interesting, because it shows that some ‘spiking’ in the scan might be due to noise from non-NFC features of the Tamagotchi.
A scan of a ‘normal’ rfid tag gave this:
I looked around at other scans done with the Proxmark, and the Tamagotchi scan seems quite atypical. The majority of them have visible sinusoidal waveforms with obvious modulation. I did quite a few measurements with the Proxmark, and they were all similar, and none of them seemed to use any modulation scheme I’m aware of, and there were no obvious ‘symbols’ in the waveforms.
I also tried scanning the Tamagotchi in excitation mode (in this case, it would hopefully ignore the excitation provided by the proxmark) and got a similar waveform.
I think there’s a few possible things going on here. One is that the Proxmark isn’t reading the Tamagotchi correctly. This could be because it’s reading the wrong frequency, or not ‘exciting’ the Tamagotchi correctly (note that the Tamagotchi is powered on both sides of transmission, so it’s not depending on the excitation waveform for power, but it does use it to determine when to transmit). My guess is that it’s the second option. While it’s possible that I could be getting bad data if the frequency is wildly off, most people have reported that small frequency variations reduce range, but don’t actually impact the quality of the measurement. I also tried reading at 134 kHz, and it didn’t change the measurement.
To test this for sure, I could listen into both side of the conversation, in which case it would be obvious whether using the Tamagotchi versus the Proxmark to initiate the read makes a difference. Unfortunately, the Proxmark doesn’t support a snooping mode for the low frequency antenna, but I might see how the high-frequency snooper works, and see if I can implement a low frequency version.
It’s also possible that I just can’t figure out the modulation scheme, and the noise could be complicating that. I’ll keep playing with it just in case that’s what’s happening.
You can see some data from scanning the Tamagotchi here, here and here if you’re interested.
3 responses to Playing with the Tamagotchi Friends RFID