tamagotchi hacking
![Page 1: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/1.jpg)
Tamagotchi Hacking
Many Tamagotchis Were Harmed in the Making of this Presentation
Natalie Silvanovich @natashenka
![Page 2: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/2.jpg)
What are Tamagotchis?
• The same virtual pet toys you remember from the 90’s
• Functionality has evolved substantially
– Now they can go to school, have jobs, make friends!
• Newer versions have an IR interface so that they can communicate with other Tamagotchis
![Page 3: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/3.jpg)
TamaTown Tama-Go
• The “Christmas” Tamagotchi from last year
• Same functionality for smaller hands
• Supports detachable ‘figures’ with extra games and stores
![Page 4: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/4.jpg)
Goals
• Decode external communication channels
• Dump Tamagotchi code
• Answer the ‘deeper questions’ of Tamagotchi life
• Make my gotchis rich and happy
• Have fun!
![Page 5: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/5.jpg)
![Page 6: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/6.jpg)
Infrared Communication
![Page 7: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/7.jpg)
Signal Listening
• Listened to the communication between two Tamagotchis using a digital signal analyser and a de-multiplexing IR receiver
![Page 8: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/8.jpg)
Meet Nana and Anna
ac 00 26 d6 0e 01 0e 01 00 01 33 87
00 00 33 c0 0b 00 00 ff 01 ff ff 7d
ac 00 39 d6 01 0e 0e 01 00 00 34 87
00 00 20 80 8 00
A is letter 1 in the alphabet
N is letter 14 (0x0e) in the alphabet
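The observation on this slide can be reproduced by comparing the two captures byte by byte and looking for runs of alphabet-index bytes. This is an added example, not code from the presentation; it uses only the first twelve bytes of each capture as shown above, and the function names and the minimum run length are this example's own assumptions.

```python
# First twelve bytes of each capture, copied from the slide.
CAPTURES = {
    "first":  "ac 00 26 d6 0e 01 0e 01 00 01 33 87",
    "second": "ac 00 39 d6 01 0e 0e 01 00 00 34 87",
}

def parse(hexdump):
    """Turn a spaced hex dump into raw bytes."""
    return bytes.fromhex(hexdump)

def diff_offsets(a, b):
    """Offsets where two frames differ: candidates for per-pet fields."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def letter_runs(frame, min_len=3):
    """Find runs of bytes in 1..26 and decode them as A=1 .. Z=26.

    min_len is an assumed threshold that filters out isolated small values.
    """
    runs, start = [], None
    for i, b in enumerate(frame + b"\x00"):  # sentinel closes a trailing run
        if 1 <= b <= 26:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                text = "".join(chr(ord("A") + v - 1) for v in frame[start:i])
                runs.append((start, text))
            start = None
    return runs

if __name__ == "__main__":
    first, second = (parse(CAPTURES[k]) for k in ("first", "second"))
    print("differing offsets:", diff_offsets(first, second))
    print("first :", letter_runs(first))
    print("second:", letter_runs(second))
```
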
![Page 9: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/9.jpg)
Decoding Circuit
• Using signal analyser and Python was slow
• Made a circuit with the IR receiver, an IR LED and an Arduino
• Wrote a program that could listen to and decode IR input in real time
• Eventually added transmission functionality
![Page 10: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/10.jpg)
Decoding Circuit
![Page 11: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/11.jpg)
The Fun Begins
• Rough protocol
• And then just try stuff!
![Page 12: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/12.jpg)
Did you know that?
• You can give your gotchi unlimited free gifts?
– Possible gifts include a CD player, a cell phone and an RC helicopter
• Too much unreciprocated gift giving damages two gotchis’ relationship?
• You can mate almost any two gotchis?
• Gotchis have multiple gender markers?
![Page 13: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/13.jpg)
Teardown
![Page 14: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/14.jpg)
Hardware Teardown
• Took apart a Tama-Go and Tamagotchi to determine if code dumping was a possibility
• Looked for helpful interfaces
• Also took apart a figure
![Page 15: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/15.jpg)
Tama-Go Board
EEPROM
![Page 16: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/16.jpg)
Tama-Go Figure
![Page 17: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/17.jpg)
Microcontroller Identification
![Page 18: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/18.jpg)
Identifying the Microcontroller
• Considering the lack of external hardware, MCU and code memory were likely under the ‘blob’
• Tried several methods to remove, including acetone and a chopstick
• Travis Goodspeed kindly offered to decap the chip with acid
![Page 19: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/19.jpg)
![Page 20: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/20.jpg)
Identification
• Started by posting on my blog
– No one answered (correctly)
• Counted cells to determine memory size
– Wrongly
• Posted on Tamagotchi forums
• Compared pad layouts
![Page 21: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/21.jpg)
• Eventually, success!
![Page 22: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/22.jpg)
GPLB5X Series LCD Controller
• 8 bit 6502 microprocessor
• 1536 bytes RAM
• 320 or 640 kbyte mask ROM (depending on model), baked to perfection for each customer
• 512 bytes LCD RAM
• 4 color grayscale LCD controller
• SPI
• Audio DAC
![Page 23: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/23.jpg)
Dumping Mask ROM
• Not sure how to dump mask ROM, but had a few ideas
– Restore a bad state from EEPROM
– Determine the test program
– Exploit a vulnerability in figure or IR processing
– Read ROM with a microscope
– Pin manipulation
![Page 24: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/24.jpg)
EEPROM Dump
![Page 25: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/25.jpg)
EEPROM Dump
• Attached tiny wires to EEPROM and dumped it using Arduino I2C library
• Game ‘state’ is stored in a format similar to IR
![Page 26: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/26.jpg)
EEPROM Dump
• State format is unlikely to allow mask ROM dumping
• Tried overwriting EEPROM
– Very error sensitive
– Resets the game in case of error
– Did manage to ‘advance’ myself in the game
![Page 27: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/27.jpg)
Test Program
![Page 28: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/28.jpg)
Test Program?
• GeneralPlus mask ROMs contain a GP test program that can probably dump code
• Contacted GeneralPlus for a devkit
– Requires an NDA
• Looked around online
– No one seems to have a devkit or know the test program
![Page 29: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/29.jpg)
Figure ROM
![Page 30: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/30.jpg)
Figure ROM
• Decoding the figure ROM could be useful in a few ways
– Making your own Tamagotchi games
– Executing code on the Tamagotchi
– Dumping mask ROM
– Understanding Tamagotchi behaviour
![Page 31: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/31.jpg)
Figure Types
• There are two types of Tamagotchi figures, ‘regular’ and ‘lite’
• Regular figures contain PCBs with blobs
• Lite figures contain unpopulated PCB
– Act as jumpers
• Tried jumper-ing regular figures
– Saw functionality of different figures!
• Extremely likely figures contain mask ROM
![Page 32: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/32.jpg)
Figure ROM Pads
• The unpopulated PCBs in lite figures appear to be the same boards used in regular figures
• Makes the mask ROM pad layout visible
![Page 33: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/33.jpg)
Figure ROM Chip
• GeneralPlus makes an SPI ROM with a similar layout
• Assumed figures use this ROM
![Page 34: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/34.jpg)
Figure ROM Test
![Page 35: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/35.jpg)
Figure ROM Pins
• Based on the GeneralPlus ROM datasheet, was able to identify the figure pins
1, 4 and 8: Ground/Jumper
2: Serial clock (C)
3: Serial data input (D)
5: Power
6: Chip Select (SB)
7: Serial Data Output (Q)
![Page 36: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/36.jpg)
ROM Dump
• Dumped the ROM using an Arduino as SPI master
![Page 37: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/37.jpg)
Decoding ROM
• The Tamagotchi has a four-tone display, so looked for strings of 0x00, 0x55, 0xAA and 0xFF, representing images
– Found a few errors in the dumping sketch
• Noticed that these strings were preceded by values which were reasonable for length and width
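The search described on this slide can be sketched as a scan over a ROM dump. This is an added example, not the presenter's code; the slides do not give the image format, so the two-byte width/height header, the 2-bits-per-pixel packing with the most significant bits first, the size limit and the sample bytes are all assumptions made for illustration.

```python
import re

# Bytes whose four 2-bit pixels all share one tone: 0x00, 0x55, 0xAA, 0xFF.
SOLID = re.compile(rb"[\x00\x55\xaa\xff]{4,}")
MAX_DIM = 64      # assumed upper bound for a plausible width or height
SHADES = " .o#"   # assumed tone order for tones 0..3

# Constructed sample: filler, assumed header (8 x 4), pixel data, filler.
SAMPLE_ROM = (bytes([0x4C, 0x12, 0x80, 0xA9]) + bytes([8, 4]) +
              bytes([0xFF, 0xFF, 0xAA, 0x55, 0x55, 0xAA, 0x00, 0x00]) +
              bytes([0x60, 0x3C]))

def decode(body, width, height):
    """Unpack 2bpp rows (4 pixels per byte, rows padded to whole bytes)."""
    row_bytes = (width + 3) // 4
    rows = []
    for y in range(height):
        row = body[y * row_bytes:(y + 1) * row_bytes]
        rows.append("".join(
            SHADES[(row[x // 4] >> (6 - 2 * (x % 4))) & 3]
            for x in range(width)))
    return rows

def find_images(rom):
    """Return (header_offset, width, height, rows) for each plausible image."""
    found, covered_until = [], 0
    for m in SOLID.finditer(rom):
        start = m.start()
        if start < 2 or start < covered_until:
            continue  # no room for a header, or inside an accepted image
        width, height = rom[start - 2], rom[start - 1]
        if not (1 <= width <= MAX_DIM and 1 <= height <= MAX_DIM):
            continue  # preceding bytes are not a reasonable size
        size = ((width + 3) // 4) * height
        if start + size > len(rom):
            continue  # header promises more data than the dump holds
        rows = decode(rom[start:start + size], width, height)
        found.append((start - 2, width, height, rows))
        covered_until = start + size
    return found

if __name__ == "__main__":
    for offset, w, h, rows in find_images(SAMPLE_ROM):
        print(f"offset {offset}: {w}x{h}")
        print("\n".join(rows))
```
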
![Page 38: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/38.jpg)
Decoding Images
• Tried decoding these images
• Eventually, it worked!
![Page 39: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/39.jpg)
Images
• The figure contained a lot of images
• Text displays appear to be images
• Animations are series of images
![Page 40: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/40.jpg)
![Page 41: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/41.jpg)
The Rest of the ROM
• The ROM contains a lot of non-image data
• None of this data is GeneralPlus code
• Likely logic information in some sort of interpreted language
![Page 42: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/42.jpg)
Simulating the ROM
• Could not obtain compatible flash
• Attempted to simulate the ROM using an Arduino, but chip is too slow
• Switched to a Chipkit Uno
• Got reasonable results simulating ROM, but unreliable
• Still in progress
![Page 43: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/43.jpg)
Conclusion
![Page 44: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/44.jpg)
Conclusions
• Can ‘cheat’ at Tamagotchi using the EEPROM or IR
• Learned about Tamagotchi internals
• Still trying to dump the code
– Continuing with simulating the figure ROM
– Still *hint* looking for the test program *hint*
• Most importantly, good times were had by all…
![Page 45: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/45.jpg)
Except for the Tamagotchis
![Page 46: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/46.jpg)
Questions?
![Page 47: Tamagotchi Hacking](https://reader033.vdocuments.us/reader033/viewer/2022061506/568134ba550346895d9bdbec/html5/thumbnails/47.jpg)
More Info
http://www.kwartzlab.ca/author/natalies/
@natashenka