
1 Tamagotchi Hacking: Many Tamagotchis Were Harmed in the Making of this Presentation
Natalie Silvanovich @natashenka

2 What are Tamagotchis?
The same virtual pet toys you remember from the 90’s
Functionality has evolved substantially
Now they can go to school, have jobs, make friends!
Newer versions have an IR interface so that they can communicate with other Tamagotchis

3 TamaTown Tama-Go
The “Christmas” Tamagotchi from last year
Same functionality for smaller hands
Supports detachable ‘figures’ with extra games and stores

4 Goals
Decode external communication channels
Dump Tamagotchi code
Answer the ‘deeper questions’ of Tamagotchi life
Make my gotchis rich and happy
Have fun!


6 Communication Infrared

7 Signal Listening
Listened to the communication between two Tamagotchis using a digital signal analyser and a de-multiplexing IR receiver

8 Meet Nana and Anna
Captured IR bytes (as shown on the slide): ac d6 0e 01 0e c0 0b ff 01 ff ff 7d ac d6 01 0e 0e
A is letter 1 in the alphabet
N is letter 14 (0x0e) in the alphabet

9 Decoding Circuit
Using the signal analyser and Python was slow
Made a circuit with the IR receiver, an IR LED and an Arduino
Wrote a program that could listen to and decode IR input in real time
Eventually added transmission functionality

10 Decoding Circuit

11 The Fun Begins
Rough protocol
And then just try stuff!

12 Did you know that?
You can give your gotchi unlimited free gifts?
Possible gifts include a CD player, a cell phone and an RC helicopter
Too much unreciprocated gift giving damages two gotchis’ relationship?
You can mate almost any two gotchis?
Gotchis have multiple gender markers?

13 Teardown

14 Hardware Teardown
Took apart a Tama-Go and Tamagotchi to determine if code dumping was a possibility
Looked for helpful interfaces
Also took apart a figure

15 Tama-Go Board
Tamagotchi board was pretty much the same
EEPROM

16 Tama-Go Figure
Tamagotchi board was pretty much the same

17 Microcontroller Identification

18 Identifying the Microcontroller
Considering the lack of external hardware, MCU and code memory were likely under the ‘blob’
Tried several methods to remove it, including acetone and a chopstick
Travis Goodspeed kindly offered to decap the chip with acid


20 Identification
Started by posting on my blog
No one answered (correctly)
Counted cells to determine memory size (wrongly)
Posted on Tamagotchi forums
Compared pad layouts

21 Eventually, success!

22 GPLB5X Series LCD Controller
8 bit 6502 microprocessor
1536 bytes RAM
320 or 640 kbyte mask ROM (depending on model), baked to perfection for each customer
512 bytes LCD RAM
4 color grayscale LCD controller
SPI
Audio DAC

23 Dumping Mask ROM
Not sure how to dump mask ROM, but had a few ideas
Restore a bad state from EEPROM
Determine the test program
Exploit a vulnerability in figure or IR processing
Read ROM with a microscope
Pin manipulation

24 Dump EEPROM

25 EEPROM Dump
Attached tiny wires to the EEPROM and dumped it using the Arduino I2C library
Game ‘state’ is stored in a format similar to IR

26 EEPROM Dump
State format is unlikely to allow mask ROM dumping
Tried overwriting EEPROM
Very error sensitive
Resets the game in case of error
Did manage to ‘advance’ myself in the game

27 Test Program

28 Test Program?
GeneralPlus mask ROMs contain a GP test program that can probably dump code
Contacted GeneralPlus for a devkit
Requires an NDA
Looked around online
No one seems to have a devkit or know the test program

29 Figure ROM

30 Figure ROM
Decoding the figure ROM could be useful in a few ways
Making your own Tamagotchi games
Executing code on the Tamagotchi
Dumping mask ROM
Understanding Tamagotchi behaviour

31 Figure Types
There are two types of Tamagotchi figures, ‘regular’ and ‘lite’
Regular figures contain PCBs with blobs
Lite figures contain unpopulated PCBs that act as jumpers
Tried jumpering regular figures
Saw functionality of different figures!
Extremely likely figures contain mask ROM

32 Figure ROM Pads
The unpopulated PCBs in lite figures appear to be the same boards used in regular figures
Makes the mask ROM pad layout visible

33 Figure ROM Chip
GeneralPlus makes an SPI ROM with a similar layout
Assumed figures use this ROM

34 Figure ROM Test

35 Figure ROM Pins
Based on the GeneralPlus ROM datasheet, was able to identify the figure pins
1, 4 and 8: Ground/Jumper
2: Serial clock (C)
3: Serial data input (D)
5: Power
6: Chip Select (SB)
7: Serial Data Output (Q)

36 ROM Dump
Dumped the ROM using an Arduino as SPI master
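The transaction the Arduino SPI master has to drive, written out as an added example (not code from the talk) against a simulated ROM so both sides of the exchange are visible. It uses the pin roles from slide 35 (C clock, D data in, Q data out, SB chip select). Everything about the command format is an assumption: the GeneralPlus part is assumed to follow the common 25-series convention of a 0x03 READ opcode followed by a 24-bit address, SPI mode 0, MSB first, with the address wrapping at the end of the array. ROM_IMAGE is constructed data, not a real dump.

```python
# Added example (not from the talk): bit-banged SPI READ of a simulated ROM.
# Pin roles from slide 35:  C = clock, D = data in (master -> ROM),
#                           Q = data out (ROM -> master), SB = chip select.
# ASSUMPTION: 25-series style command set (0x03 READ + 24-bit address),
# SPI mode 0, MSB first. The talk only confirms the pinout, not the commands.

READ_CMD = 0x03


class SimulatedSpiRom:
    """Slave side: the ROM's view of the C, D, Q and SB lines."""

    def __init__(self, contents: bytes):
        self.contents = contents
        self.sb = 1            # deselected
        self.c = 0             # clock idles low (mode 0)
        self.d = 0
        self.q = 0
        self._abort()

    def _abort(self):
        # Deselecting throws away any partially received command.
        self.rx_bits, self.cmd, self.addr_bytes = [], None, []
        self.addr, self.tx_bits = None, []

    def select(self, level: int):
        if level and not self.sb:
            self._abort()
        self.sb = level

    def drive_d(self, bit: int):
        self.d = bit & 1

    def clock(self, level: int):
        if self.sb or level == self.c:   # ignored while deselected / no edge
            self.c = level
            return
        self.c = level
        if level:                        # rising edge: latch D
            self.rx_bits.append(self.d)
            if len(self.rx_bits) == 8:
                byte = int("".join(map(str, self.rx_bits)), 2)
                self.rx_bits = []
                self._consume(byte)
        else:                            # falling edge: next bit onto Q
            if not self.tx_bits:
                self._refill()
            self.q = self.tx_bits.pop(0) if self.tx_bits else 0

    def _consume(self, byte: int):
        if self.cmd is None:
            self.cmd = byte
        elif self.cmd == READ_CMD and len(self.addr_bytes) < 3:
            self.addr_bytes.append(byte)
            if len(self.addr_bytes) == 3:
                self.addr = int.from_bytes(bytes(self.addr_bytes), "big")
        # any other opcode is ignored and Q stays low

    def _refill(self):
        if self.addr is None:
            return
        b = self.contents[self.addr % len(self.contents)]  # address wraps
        self.tx_bits = [(b >> i) & 1 for i in range(7, -1, -1)]
        self.addr += 1


def spi_transfer(rom: SimulatedSpiRom, out_byte: int) -> int:
    """Master side: full-duplex exchange of one byte, MSB first, mode 0."""
    in_byte = 0
    for i in range(7, -1, -1):
        rom.drive_d((out_byte >> i) & 1)  # set D while C is low
        rom.clock(1)                      # ROM latches D; master samples Q
        in_byte = (in_byte << 1) | rom.q
        rom.clock(0)                      # ROM shifts the next bit onto Q
    return in_byte


def read_rom(rom: SimulatedSpiRom, start: int, length: int) -> bytes:
    rom.select(0)                         # SB low opens the transaction
    spi_transfer(rom, READ_CMD)
    for shift in (16, 8, 0):              # 24-bit address, high byte first
        spi_transfer(rom, (start >> shift) & 0xFF)
    data = bytes(spi_transfer(rom, 0x00) for _ in range(length))
    rom.select(1)                         # SB high closes it
    return data


def dump_verified(rom: SimulatedSpiRom, size: int, chunk: int = 64) -> bytes:
    """Read every chunk twice; a mismatch points at wiring or timing trouble
    in the dumping setup rather than at the data (the kind of error slide 37
    mentions finding in the sketch)."""
    out = bytearray()
    for off in range(0, size, chunk):
        n = min(chunk, size - off)
        first, second = read_rom(rom, off, n), read_rom(rom, off, n)
        if first != second:
            raise RuntimeError(f"unstable read at 0x{off:06x}")
        out += first
    return bytes(out)


ROM_IMAGE = bytes((i * 37 + 11) & 0xFF for i in range(512))  # constructed

if __name__ == "__main__":
    rom = SimulatedSpiRom(ROM_IMAGE)
    print(read_rom(rom, 0x010, 8).hex())
    print(len(dump_verified(rom, len(ROM_IMAGE))), "bytes dumped")
```

On real hardware the same sequence is what the Arduino sketch produces with SB on a GPIO and C/D/Q on the SPI pins; reading each chunk twice is cheap insurance before spending time decoding a dump that was corrupted by a loose wire.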

37 Decoding ROM
The Tamagotchi has a four-tone display, so looked for strings of 0x00, 0x55, 0xAA and 0xFF, representing images
Found a few errors in the dumping sketch
Noticed that these strings were preceded by values which were reasonable for length and width

38 Decoding Images
Tried decoding these images
Eventually, it worked!

39 Images
The figure contained a lot of images
Text displays appear to be images
Animations are series of images
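The search described on slides 37 to 39, as an added example that is not the talk's own tooling: scan a dump for runs of 0x00/0x55/0xAA/0xFF, treat the two bytes in front of a run as a width/height header, and decode the candidate as a 2-bit-per-pixel bitmap. The choice of 2 bpp is what makes those four bytes special: under MSB-first packing each of them is four pixels of a single grey level (0, 1, 2 or 3), which is exactly what a solid region of a four-tone image looks like. Header order (width then height, one byte each), row padding to a byte boundary, and the MAX_DIM bound are assumptions the slides do not state; SAMPLE_ROM is constructed, not a real figure dump.

```python
# Added example (not from the talk): find and decode four-tone images in a
# ROM dump using the fill-byte signature from slide 37.
# ASSUMPTIONS: header is width, height (one byte each) directly before the
# pixel data; 2 bits per pixel, MSB first; rows padded to whole bytes;
# plausible dimensions bounded by MAX_DIM. SAMPLE_ROM is constructed.

FILL_BYTES = {0x00, 0x55, 0xAA, 0xFF}  # all four pixels in the byte are equal
MIN_RUN = 8
MAX_DIM = 64
SHADES = " .+#"                         # grey level 0 .. 3


def find_image_candidates(rom: bytes, min_run: int = MIN_RUN,
                          max_dim: int = MAX_DIM):
    """Return (offset, width, height) for each fill-byte run of at least
    min_run bytes whose two preceding bytes look like a size header and
    whose decoded image fits inside the dump."""
    found = []
    i, n = 0, len(rom)
    while i < n:
        if rom[i] not in FILL_BYTES:
            i += 1
            continue
        j = i
        while j < n and rom[j] in FILL_BYTES:
            j += 1
        if j - i >= min_run and i >= 2:
            w, h = rom[i - 2], rom[i - 1]
            need = ((2 * w + 7) // 8) * h     # bytes for a w x h 2bpp image
            if 0 < w <= max_dim and 0 < h <= max_dim and i + need <= n:
                found.append((i, w, h))
        i = j
    return found


def decode_2bpp(rom: bytes, offset: int, width: int, height: int):
    """Unpack width*height 2-bit pixels starting at offset, row by row."""
    stride = (2 * width + 7) // 8
    rows = []
    for r in range(height):
        row_bytes = rom[offset + r * stride: offset + (r + 1) * stride]
        pixels = []
        for b in row_bytes:
            for shift in (6, 4, 2, 0):         # MSB-first pixel order
                pixels.append((b >> shift) & 0b11)
        rows.append(pixels[:width])            # drop row padding bits
    return rows


def render(rows) -> str:
    return "\n".join("".join(SHADES[p] for p in row) for row in rows)


# Constructed dump: six junk bytes, header 08 05 (8 wide, 5 high), four
# solid rows, one mixed row, two trailing junk bytes.
SAMPLE_ROM = bytes([
    0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC,
    0x08, 0x05,
    0xFF, 0xFF,   # row 0: every pixel 3
    0xAA, 0xAA,   # row 1: every pixel 2
    0x55, 0x55,   # row 2: every pixel 1
    0x00, 0x00,   # row 3: every pixel 0
    0x1B, 0xE4,   # row 4: 0 1 2 3 3 2 1 0
    0x13, 0x37,
])

if __name__ == "__main__":
    for off, w, h in find_image_candidates(SAMPLE_ROM):
        print(f"candidate at 0x{off:04x}: {w}x{h}")
        print(render(decode_2bpp(SAMPLE_ROM, off, w, h)))
```

On a real dump the scanner will also flag false positives (padding, zeroed tables), which is why the size check against the end of the dump and a quick visual render are part of the loop: a candidate whose render is noise is a header guess that was wrong, not an image.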


41 The Rest of the ROM
The ROM contains a lot of non-image data
None of this data is GeneralPlus code
Likely logic information in some sort of interpreted language

42 Simulating the ROM
Could not obtain compatible flash
Attempted to simulate the ROM using an Arduino, but the chip is too slow
Switched to a Chipkit Uno
Got reasonable results simulating ROM, but unreliable
Still in progress

43 Conclusion

44 Conclusions
Can ‘cheat’ at Tamagotchi using the EEPROM or IR
Learned about Tamagotchi internals
Still trying to dump the code
Continuing with simulating the figure ROM
Still *hint* looking for the test program *hint*
Most importantly, good times were had by all…

45 Except for the Tamagotchis

46 Questions?

47 More Info
