Presentation on theme: "Were Harmed in the Making of this Presentation"— Presentation transcript:
1 Were Harmed in the Making of this Presentation Tamagotchi HackingMany Tamagotchis Were Harmed in the Making of this PresentationMany TamagotchisNatalie Silvanovich@natashenkaWere Harmed in the Making of this Presentation
2 What are Tamagotchis?The same virtual pet toys you remember from the 90’sFunctionality has evolved substantiallyNow they can go to school, have jobs, make friends!Newer versions have an IR interfaceso that they can communicate withother Tamagotchis
3 TamaTown Tama-Go The “Christmas” Tamagotchi from last year Same functionality for smaller handsSupports detachable ‘figures’ with extra games and stores
4 Goals Decode external communication channels Dump Tamagotchi code Answer the ‘deeper questions’ of Tamagotchi lifeMake my gotchis rich and happyHave fun!
7 Signal ListeningListened to the communication between two Tamagotchis using a digital signal analyser and a de-multiplexing IR receiver
8 Meet Nana and Annaac d6 0e 01 0e c0 0b ff 01 ff ff 7d ac d6 01 0e 0e A is letter 1 in the alphabet N is letter 14 (0x0e) in the alphabet
9 Decoding Circuit Using signal analyser and python was slow Made a circuit with the IR receiver, an IR LED and an arduinoWrote a program that could listen to and decode IR input in real timeEventually added transmission functionality
11 The Fun BeginsRough protocolAnd then just try stuff!
12 Did you know that? You can give your gotchi unlimited free gifts? Possible gifts include a CD player, a cell phone and an RC helicopterToo much unreciprocated gift giving damages two gotchis’ relationship?You can mate almost any two gotchis?Gotchis have multiple gender markers?
18 Identifying the Microcontroller Considering the lack of external hardware, MCU and code memory were likely under the ‘blob’Tried several methods to remove, including acetone and a chopstickTravis Goodspeed kindly offered to decap the chip with acid
22 GPLB5X Series LCD Controller 8 bit 6502 microprocessor1536 bytes RAM320 or 640 kbyte mask ROM (depending on model), baked to perfection for each customer512 bytes LCD RAM4 color grayscale LCD controllerSPIAudio DAC
23 Dumping Mask ROM Not sure how to dump mask ROM, but had a few ideas Restore a bad state from EEPROMDetermine the test programExploit a vulnerability in figure or IR processingRead ROM with a microscopePin manipulation
28 Test Program?GeneralPlus mask ROMs contain a GP test program that can probably dump codeContacted GeneralPlus for a devkitRequires an NDALooked around onlineNo one seems to have a devkit or know the test program
30 Figure ROM Decoding the figure ROM could be useful in a few ways Making your own Tamagotchi gamesExecuting code on the TamagotchiDumping mask ROMUnderstanding Tamagotchi behaviour
31 Figure TypesThere are two types of Tamagotchi figures, ‘reguar’ and ‘lite’Regular figures contain PCBs with blobsLite figures contain unpopulated PCBAct as jumpersTried jumper-ing regular figuresSaw functionality of different figures!Extremely likely figures contain mask ROM
32 Figure ROM PadsThe unpopulated PCBs in lite figures appear to be the same boards used in regular figuresMakes the mask ROM pad layout visible
33 Figure ROM Chip GeneralPlus makes an SPI ROM with a similar layout Assumed figures use this ROM
35 Figure ROM PinsBased on the GeneralPlus ROM datasheet, was able to identify the figure pins1, 4 and 8: Ground/Jumper2: Serial clock (C)3: Serial data input (D)5: Power6: Chip Select (SB)7: Serial Data Output (Q)
36 ROM DumpDumped the ROM using an Arduino as SPI master
37 Decoding ROMThe Tamagotchi has a four-tone display, so looked for strings of 0x00, 0x55, 0xAA and 0xFF, representing imagesFound a few errors in the dumping sketchNoticed that these strings were preceded by values which were reasonable for length and width
38 Decoding ImagesTried decoding these imagesEventually, it worked!
39 Images The figure contained a lot of images Text displays appear to be imagesAnimations are series of images
41 The Rest of the ROM The ROM contains a lot of non-image data None of this data is GeneralPlus codeLikely logic information in some sort of interpreted language
42 Simulating the ROM Could not obtain compatible flash Attempted to simulate the ROM using an Arduino, but chip is too slowSwitched to a Chipkit UnoGot reasonable results simulating ROM, but unreliableStill in progress
44 Conclusions Can ‘cheat’ at Tamagotchi using the EEPROM or IR Learned about Tamagotchi internalsStill trying to dump the codeContinuing with simulating the figure ROMStill *hint* looking for the test program *hint*Most importantly, good times were had by all…