Hack all the things - Toniebox
17. Jun 2025
Continuing my Hack all the things series, I’m doing something slightly different today. So far I’ve hacked my PS Vita and Nintendo 3DS, but this time I want to talk about my Toniebox.
Or rather…my kids’ Toniebox.
If you’re unfamiliar with the thing, it’s a little music box with a built-in speaker, two little “ears” to raise or lower the volume and an NFC reader at the top. Instead of putting in cassettes or CDs (yes, I’m old!), you instead put little figurines (i.e. NFC tags) on top of the box. You can skim forwards and backwards by tilting the box (we never use that) and skip entire tracks by giving it a proper smack on the left or right.
These things come in multiple different colors.
Now, if you’re a bit familiar with NFC, you might be wondering where all the music is coming from. I don’t know how much information exactly an NFC tag can store, but it’s definitely way less than a 3h audio-play. And they are not using a crazy new compression algorithm either. They are using – drumroll – the cloud!
The ubiquitous cloud is also part of why I was against buying a Toniebox for the longest time. You need a Tonies account, otherwise the box is useless. The figurines are proprietary and cannot be used with any other hardware. As far as I know, there are no 3rd party “Tonies”.
The Toniebox needing an active internet connection also means that the company behind the Toniebox – Tonies SE – can theoretically track anything and everything my kids are doing with the box.
And of course it’s not a theory. Any interaction, putting on a figurine, slapping the box, using the ears, even playback progress, is recorded and sent out with a unique Toniebox ID – which of course is not anonymized and directly linked to your Tonies account.
However, the Toniebox connects to two URLs:
prod.de.tbs.toys
rtnl.bxcl.de
The first URL is used to authenticate with the Tonies servers and download music files to an internal SD card. The second one is used only for tracking. You can therefore blacklist rtnl.bxcl.de with a network wide ad blocker (e.g. Pi-Hole) to protect your kids privacy.
It’s neat that they’ve separated the URLs this clearly, but it sucks that they’re sending insane amounts of tracking information for a toy designed for and targeted at little kids. As a developer I get that having a lot of tracing information can be helpful to figure out those pesky bugs…but preferably I’d keep the privacy of little kids out of harms way.
Now the other problem with the cloud is that things no longer really belong to you. Games, movies, TV shows, audio-plays…nowadays everything is just “licensed” to you.
It might be a shot in the dark and it may never happen, but… I’ve noticed how my wife and I will often reminisce about cassettes and CDs (sometimes even LPs) we owned as kids and the audio-plays we grew up with. And we’d like to share these with our kids, now that they are the right age for them.
Good luck finding a working cassette player nowadays. All of ours are broken. But that’s not an issue, because pretty much our entire collections are gone too, lost to the inevitable decay of time (and overeager parents who cleaned them out, because “who listens to cassettes anymore!?”).
We managed to recover some of the things we loved from YouTube, but a few things remain only in our memories.
If and when my kids approach me twenty-plus years down the line with “Dad, do you remember this one audio-play about the little pirate and his crew” and want to share these stories with their kids, I want to be able to point them right at it and say “you’re looking for this!”
It’s highly unlikely that there will be Tonieboxes when I’ll have grandkids and even more unlikely that you’ll find compatible hardware and – most importantly – there’s almost zero chance that the files are still accessible in the Tonies cloud!
Luckily, you can just remove three screws, take the thing apart and pull out an SD card for some sweet backups.
I did some online research and eventually learned that the audio files are compressed with OPUS. They are not encrypted, so if you’ve got the codec installed, you should be able to open the “bigger” files on the SD card with something like VLC and play them right away.
There are some smaller files that contain metadata, e.g. how long individual tracks are. I ignored them in my own naive script, because I couldn’t figure out the metadata format.
However, after a few months someone on Mastodon mentioned this video from 37C3 (only in German). I found the talk incredibly interesting and informative. From there I also learned about https://tonies-wiki.revvox.de/ and teddyBench.
teddyBench in particular is an amazing little tool. You can point it at a directory containing files from an Tonies SD card and it’ll show a grid with pictures of the figurines and can export the content. The kicker for me was that they managed to read the metadata and automatically split the audio files into separate tracks. There’s only a Windows binary to download on GitHub, but it runs perfectly fine on Linux through WINE.
I’ll admit that this is where my own hacking ended. I didn’t really hack anything, if we’re being honest, as I merely removed three screws to take out an SD card.
But!!!! That doesn’t mean that there’s not a lot of hacking you can do!
I’ve read about some amazing projects. You’ll have to mess around with the hardware chip on the circuit board though, which is way out of my league. But if you know what you’re doing, you can do some fun things.
Flash custom firmware, so you can read custom NFC chips. I’ve read that people used these for backups or to replace the chunky figurines with coin-sized NFC tags that take up less place – handy if you’re going on vacation.
You can also extract and replace the TLS certificates on the chip. This allows you to run a Man-in-the-middle attack on your box. This goes well in combination with teddyCloud – a project that serves as a Middleware between your box and the Tonies cloud. You can add your own audio-files, define custom IDs or even play Spotify streams. At the same time, you can continue using original Tonies, as missing IDs are proxied to the official Tonies cloud and downloaded from there.
I’ve also seen some cool hardware hacks. A parent replaced the smack sensors on the sides with proper buttons to change tracks to make the box more accessible for their kid. Somebody else desoldered the SD card holder, put in some wires, drilled a hole into the top of the box and put the SD card holder there, so it’s easier to remove the card for backups.
This is a really cool community and I’m impressed and happy that people have taken it upon themselves to reverse engineer this thing so completely.
As for me…I mentioned before that I was against buying a Toniebox at first for multiple reasons. But when I saw my then one-year old kid playing with it – putting figurines on top and squeezing the little ears – I could finally see the appeal.
Within a few days he figured out that switching figurines would reset the playback process. So for a whole afternoon he stood there and used this newly discovered technique to replay an intro song he liked over and over again. And I watched him in silence, awed and smiling.
Did you like what you read? Let me hear your thoughts.
Reply on the Fediverse
Hack all the things - Toniebox written by Robert Lützner is licensed under Creative Commons Attribution - NonCommercial - ShareAlike 4.0 International license.