1.4 – Toniebox from Tonies®

I find it incredibly satisfying to imagine a product in my mind, design it, manufacture it and eventually hold it in my own hands.

But why go the hard way when you can buy nice products on the market already? I have to admit that the idea of building an RFID activated music machine came back to my mind and onto the project list when I saw the Toniebox.

That was back in autumn 2016 and I was about to be proven right when I thought: “Why did it take so long for someone to come up with such a product? The company is going to make a s*** load of money.” In the following months the device was covered in the mainstream media, family bloggers wrote about it, the music player was available through book and toy stores. So I guess, Tonies really makes the aforementioned amount of money nowadays.

In its essence, Toniebox is a cloud connected speaker cube that plays audio dramas and music when a plastic figure is set on top. Please check out their product page if you are interested.

Let’s have a closer look at the business model:

  1. Design a high quality music box and make the outer appearance superb. Not only make it child-friendly in terms of color and shape, but also robust and soft at the same time.
  2. Sell the device itself in a reasonable price range (70 – 80€) and make it even more affordable on Christmas (<60€).
  3. Sell plastic avatars and audio tracks combined.
  4. Also sell Tonies figures without any songs so the customer can upload content to the company’s cloud to be used with it.
  5. Bind the device and audio tracks to the Tonies cloud in such a way that they cannot be used without it (at least if the customer wants to update his/her music library).

Let’s examine every point on this list.

  1. The hardware is outstanding in its design and usability. There’s nothing more to say. For me it’s impressive because of its simplistic design.
  2. The price of a Toniebox is fair. My wife bought a new one in order to convince me of the high quality product for something like 55€ just before Christmas ’17.
  3. It’s totally legitimate to charge money for music. But let’s have a closer look at an example offer. The first hit on Amazon for a Tonies figure is a famous German audio drama series for kids about a child witch called ‘Bibi Blocksberg’. In my particular case the website recommends episode 100 ‘Die große Hexenparty’ (the great witch party). At the time of this writing, the Tonies avatar costs 16.62€ while the normal audio CD only costs 4.99€, the mp3 file 4.60€. That means, I’m buying Tonies’ cloud service and a plastic figure with an RFID tag for over 12€. I’m not able to update the audio content for that avatar. I do not have the chance to, for example, add another episode to my music library and use the same figure to play it. I’d have to buy another whole set. Sorry, but that’s just ridiculous. When I buy a standalone mp3 song, I am able to listen to it on all of my devices: TV, smartphone, car entertainment system, Sonos speaker, etc. When I buy a Tonie, I am only able to play it with the Toniebox. What happens if it breaks? I can’t download the songs at all.
  4. Creative Tonies  have a price of about 18€ which is simply overpriced. There are a few avatars to choose from, sold without any tracks. Instead, the user is able to upload own content to the cloud, which will then be connected to that very figure. The terms and conditions are pretty clear on what is allowed to be uploaded. Tonies claims the right to scan through your music library and delete files in order to find infringements of copyright. It seems as if I was allowed to upload the ‘Bibi Blocksberg’ mp3 from bullet point 3 (for 4.60€) and use it with the creative figure. But is it allowed to read a book out loud that I have bought? If I had to guess, I’d probably say yes. The company may delete any song at any time without telling you why and doesn’t guarantee the availability of your files. Something that is very clear is the maximum length of the audio tracks. You are allowed to upload files that have a combined length of 90 minutes per creative Tonie. In 320 Kbps mp3 that should sum up to something like 200 MB of cloud storage, if I’m not mistaken. You are currently able to overwrite the songs as often as you like and even use their app to record and upload audio fast and frequently. The company reserves the right to make the unlimited usage of their cloud a premium service at any time and at their will.
  5. As stated in the terms and conditions, the Toniebox cannot be used without the Internet. The music player needs to contact the cloud to download new audio files. It is the one and only way of getting new content to the device. How well is that data secured from and monitored for unauthorized access from employees? What if the copyright scanning algorithm flags a track as illegal? Will someone listen to the family story I read for my kid? I’m certain, the company will do its very best to secure that data, but they can’t guarantee for it. There is always a chance of illegal access. The pure thought of someone outside my family listening to my probably disguised voice reading out loud invented fantasy stories is strange to me. That is why I wouldn’t want them to be uploaded to the Internet. Instead I want the device to access my air-gapped NAS or be able to upload content to its local storage directly. Other people might instead want to listen to radio stations or stream Spotify.

I would really like to see Tonies to officially open the hardware for others to tinker with it. I imagine a system of obtaining a developer key and then being able to write own applications for the device or even replace the system image with whatever you like. For that you’d need some documentation provided by the manufacturer. The problem is, Tonies would then be a hardware company and that’s not the way they make money. It’s mostly the software and figures that define Tonies. That’s why I hesitate to ask.

Now I’ve got two options. I could try to reuse their hardware and ‘hack’ the device in order to get my own code running on their really nice product. On the other hand I could forget about the already available products and implement my own ideas as I have always planned.

The Tonies company writes, that it is not allowed to reverse engineer any of their products, neither software nor hardware. Extracting knowledge from a closed source object cannot be completely forbidden, I think. I don’t have the time to find out what’s allowed and what’s not but I think one is always legally able to research the inner workings of a device for educational purposes or to check for trojans etc.

If one would tinker with the device, here are a few ideas of what could be done. I haven’t done anything because I opted for option number two, namely to build my own hardware.

  • Find out as much as possible about the identification of avatars (most probably RFID)
  • Try to read a tag yourself
  • Figure out, if avatars identify themselves with a UUID (that is, compare two identical figures and their IDs)
  • Try to replicate a tag and use your own figures
  • Intercept the traffic between the Toniebox and the cloud (e.g. wifi mitm)
  • Examine the encryption (if any) and try to remove the encryption layer. They probably use at least SSL wherever possible, client certificates and certificate pinning because the cloud connection is their way of making money.
  • Analyze as much traffic as possible (error codes, music downloads, file formats, software updates, box identification, etc.)
  • Try to force a firmware update (use an old box for example or hard reset the box) and capture the image
  • Understand the system image’s format and OS
  • If it is a Linux (my first guess), obtain as much documentation and information from Tonies as possible. If they change the kernel or link against GPL, they are legally obliged to release parts of their software just like many Android smartphone manufacturers do.
  • See if it contains any signature checks or can be changed
  • Remove obfuscation layers
  • Try to change some functionality or add/remove features and repack the image
  • See if the box accepts your changes and installs the new software
  • Find bugs and features that allow you to access the device remotely (SSH backdoors, code execution via vulnerable libraries, etc.)
  • Try to fake server responses under certain conditions (e.g. deliver your own music)
  • You may want to open up the box to research the hardware
  • Look at every chip and find out their purposes (I guess they use an ARM SOC but don’t want to open up the box as it might break)
  • Use physical debug interfaces (i.e. JTAG, network adapters) and see what happens
  • Try to access and read/write the onboard memory directly

I do not have plans on pursuing any of these actions because the hardware doesn’t cover my requirements.

At the same time I’m not diminishing Tonies’ accomplishments at all. The whole system (including the software part) works perfectly fine. I highly recommend their music player to everyone who doesn’t have the chance to build Marta (the project I’m going to present) and knows of the limitations of the Toniebox.

There exist a few professional competitors like Jooki which address some of the points of critics. I’ve also found other DIY projects just like mine, but they all lack certain features that I demand. Some prominent examples are jukebox4kids, wheezybox and phoniebox.

I’ve always wanted to design and build a useful product from the very beginning to the point where I have a good-looking, halfway professionally manufactured working piece of hardware in my hand. That’s why I decided to go the long way of designing my own product. Another reason is, that I would like to see a video transition from the digital design to the actual real-world object. Those are kinda neat.

I want to provide as much documentation as possible, so that many people are able to rebuild Marta and understand why everything is as it is.

UPDATE: This article was written a really long time ago (early 2018). In the meantime a few people got their hand on the Toniebox. After having seen the iFixit teardown I’m even more curious to know, what’s on that little micro SD card. Unfortunately, I neither have the time nor the Toniebox anymore.

One thought on “1.4 – Toniebox from Tonies®

Leave a Reply