0
00:00:00,000 --> 00:00:30,000
Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/143 Thanks!

1
00:00:09,140 --> 00:00:11,389
Welcome to the talk with the most

2
00:00:11,390 --> 00:00:12,949
catchy name in this schedule.

3
00:00:12,950 --> 00:00:15,079
It's held by Natalie

4
00:00:15,080 --> 00:00:17,239
Silvanovich, and she's a security

5
00:00:17,240 --> 00:00:19,189
researcher at BlackBerry.

6
00:00:19,190 --> 00:00:21,379
And as the name suggests, this

7
00:00:21,380 --> 00:00:23,509
is a sequel to her

8
00:00:23,510 --> 00:00:25,669
last year's talk, and I

9
00:00:25,670 --> 00:00:28,219
would say, give her a

10
00:00:28,220 --> 00:00:30,529
huge round of applause for this

11
00:00:30,530 --> 00:00:31,729
year's Even More

12
00:00:31,730 --> 00:00:33,979
Tamagotchis Were Harmed in the Making

13
00:00:33,980 --> 00:00:36,109
of This Presentation, not to mention

14
00:00:36,110 --> 00:00:37,110
a lot of its.

15
00:00:39,670 --> 00:00:40,670
So, was this on?

16
00:00:43,300 --> 00:00:45,519
So today I'm going to talk about a

17
00:00:45,520 --> 00:00:48,009
very important subject:

18
00:00:48,010 --> 00:00:50,289
how to hack Tamagotchis.

19
00:00:51,310 --> 00:00:53,439
At the last Congress, I

20
00:00:53,440 --> 00:00:55,449
talked about my Tamagotchi hacking

21
00:00:55,450 --> 00:00:57,699
research, and I've made a lot of progress

22
00:00:57,700 --> 00:00:58,929
since then.

23
00:00:58,930 --> 00:01:00,699
So today I'm going to give you guys a bit

24
00:01:00,700 --> 00:01:01,929
of an update,

25
00:01:01,930 --> 00:01:03,999
tell you how I got code execution on

26
00:01:04,000 --> 00:01:06,039
the Tamagotchi, how I dumped the

27
00:01:06,040 --> 00:01:08,139
Tamagotchi ROM and how I

28
00:01:08,140 --> 00:01:10,239
created a Tamagotchi development

29
00:01:10,240 --> 00:01:11,240
environment.
30
00:01:19,650 --> 00:01:21,869
But before we begin, a bit about me.

31
00:01:21,870 --> 00:01:23,759
By day, I'm a security researcher at

32
00:01:23,760 --> 00:01:25,919
BlackBerry, and you'll notice my slides

33
00:01:25,920 --> 00:01:27,749
have a bit of a disclaimer in them.

34
00:01:27,750 --> 00:01:29,789
So just in case you think I get paid to

35
00:01:29,790 --> 00:01:32,379
hack Tamagotchis, I, rather unfortunately,

36
00:01:32,380 --> 00:01:34,049
do not.

37
00:01:34,050 --> 00:01:35,909
I studied electrical engineering at

38
00:01:35,910 --> 00:01:38,339
university, but since then I've

39
00:01:38,340 --> 00:01:40,589
been mostly into software hacking.

40
00:01:40,590 --> 00:01:42,659
So this project really represents my

41
00:01:42,660 --> 00:01:45,149
first foray into hardware hacking,

42
00:01:45,150 --> 00:01:46,949
although I'll admit it started to become

43
00:01:46,950 --> 00:01:48,479
a bit of a lengthy project.

44
00:01:48,480 --> 00:01:50,579
So maybe I'm a bit of a hardware

45
00:01:50,580 --> 00:01:51,959
hacker by now.

46
00:01:51,960 --> 00:01:54,509
And also, just in case you didn't guess,

47
00:01:54,510 --> 00:01:56,489
I really, really, really like

48
00:01:56,490 --> 00:01:57,490
Tamagotchis.

49
00:01:59,670 --> 00:02:01,949
So just in case anyone doesn't know what

50
00:02:01,950 --> 00:02:04,049
Tamagotchis are: Tamagotchis are a

51
00:02:04,050 --> 00:02:06,239
type of virtual pet toy. The

52
00:02:06,240 --> 00:02:07,799
idea is, on the screen

53
00:02:07,800 --> 00:02:09,239
you have a picture of your pet, and then

54
00:02:09,240 --> 00:02:11,789
you use the buttons to, say, feed your pet

55
00:02:11,790 --> 00:02:13,799
or play with your pet or clean up after

56
00:02:13,800 --> 00:02:15,149
your pet.

57
00:02:15,150 --> 00:02:17,339
And they were really popular in the 90s.
58
00:02:17,340 --> 00:02:18,989
But if you had one, say, when you were a

59
00:02:18,990 --> 00:02:20,339
kid, you need to know that the

60
00:02:20,340 --> 00:02:22,679
functionality has evolved substantially

61
00:02:22,680 --> 00:02:24,149
since then.

62
00:02:24,150 --> 00:02:25,679
You know, back in the good old days,

63
00:02:25,680 --> 00:02:27,809
Tamagotchis just had to sit around

64
00:02:27,810 --> 00:02:29,459
and be fed and be played with, and if

65
00:02:29,460 --> 00:02:30,959
they didn't like the situation, they

66
00:02:30,960 --> 00:02:32,219
could run away.

67
00:02:32,220 --> 00:02:34,019
But nowadays, Tamagotchis have to go

68
00:02:34,020 --> 00:02:36,089
to school, they have jobs, they

69
00:02:36,090 --> 00:02:37,259
make friends.

70
00:02:37,260 --> 00:02:38,819
And if they don't do that right, they can

71
00:02:38,820 --> 00:02:40,259
forget about getting married or having

72
00:02:40,260 --> 00:02:41,260
kids.

73
00:02:42,120 --> 00:02:43,319
And how do they do this?

74
00:02:43,320 --> 00:02:45,299
Well, the newer versions have an infrared

75
00:02:45,300 --> 00:02:47,009
interface, so let's say you have two

76
00:02:47,010 --> 00:02:48,209
Tamagotchis.

77
00:02:48,210 --> 00:02:49,649
You can kind of hold them together like

78
00:02:49,650 --> 00:02:51,539
this and they'll talk to each other and,

79
00:02:51,540 --> 00:02:53,339
you know, they can become friends or even

80
00:02:53,340 --> 00:02:54,340
get married.

81
00:02:56,750 --> 00:02:58,849
Now, the specific Tamagotchi version I

82
00:02:58,850 --> 00:03:01,099
looked at is called the TamaTown

83
00:03:01,100 --> 00:03:03,619
Tama-Go, and it's the Christmas

84
00:03:03,620 --> 00:03:05,899
Tamagotchi from 2010.

85
00:03:05,900 --> 00:03:07,849
I just recently updated my slides from

86
00:03:07,850 --> 00:03:09,799
saying last year because I'm in denial

87
00:03:09,800 --> 00:03:11,119
about how long I've spent on this

88
00:03:11,120 --> 00:03:12,120
project.
89
00:03:13,280 --> 00:03:14,449
I'm there this.

90
00:03:19,740 --> 00:03:21,209
They have the same functionality as the

91
00:03:21,210 --> 00:03:23,249
smaller Tamagotchis, are meant for younger

92
00:03:23,250 --> 00:03:25,349
kids, so they have bigger buttons,

93
00:03:25,350 --> 00:03:26,579
and then they have one more great

94
00:03:26,580 --> 00:03:28,139
feature, which is called figures.

95
00:03:28,140 --> 00:03:29,819
And the idea is you slide the figure on

96
00:03:29,820 --> 00:03:32,129
top of the Tamagotchi and it

97
00:03:32,130 --> 00:03:34,179
unlocks extra features like, you know, a

98
00:03:34,180 --> 00:03:36,329
shop your Tamagotchi can shop at or an

99
00:03:36,330 --> 00:03:37,330
extra game.

100
00:03:39,750 --> 00:03:42,209
So what were my goals with this project?

101
00:03:42,210 --> 00:03:43,769
Well, what I wanted to do is dump the

102
00:03:43,770 --> 00:03:45,839
Tamagotchi code and answer

103
00:03:45,840 --> 00:03:47,909
what I call the deeper questions

104
00:03:47,910 --> 00:03:50,339
of Tamagotchi life.

105
00:03:50,340 --> 00:03:52,559
You know, things like: does

106
00:03:52,560 --> 00:03:54,839
what your Tamagotchi eats

107
00:03:54,840 --> 00:03:56,939
affect how happy it is,

108
00:03:56,940 --> 00:03:59,159
or does it really matter

109
00:03:59,160 --> 00:04:00,719
who your Tamagotchi marries?

110
00:04:02,070 --> 00:04:04,259
Also, I wanted to make my Tamagotchis

111
00:04:04,260 --> 00:04:05,939
rich and happy.

112
00:04:05,940 --> 00:04:08,099
I wanted to cheat at Tamagotchi and

113
00:04:08,100 --> 00:04:10,229
have the richest and the happiest

114
00:04:10,230 --> 00:04:11,699
Tamagotchis alive.

115
00:04:13,590 --> 00:04:14,590
Oh.
116
00:04:19,779 --> 00:04:21,729
Also, I wanted to make a Tamagotchi

117
00:04:21,730 --> 00:04:23,799
development environment, because it's one

118
00:04:23,800 --> 00:04:24,999
thing for me to be able to hack

119
00:04:25,000 --> 00:04:27,249
Tamagotchis, but I wanted everyone

120
00:04:27,250 --> 00:04:29,769
to be able to hack Tamagotchis.

121
00:04:29,770 --> 00:04:31,899
And finally, I just wanted to have

122
00:04:31,900 --> 00:04:33,999
fun because, you know, all those cool

123
00:04:34,000 --> 00:04:36,729
kids hanging out, going to clubs,

124
00:04:36,730 --> 00:04:38,169
they just haven't discovered reverse

125
00:04:38,170 --> 00:04:39,170
engineering yet.

126
00:04:48,270 --> 00:04:49,079
So I'm going to start off

127
00:04:49,080 --> 00:04:50,969
by talking about my previous work, what I

128
00:04:50,970 --> 00:04:52,679
presented at the last Congress, for maybe

129
00:04:52,680 --> 00:04:54,179
10 minutes, and then I'm going to move on

130
00:04:54,180 --> 00:04:55,499
to what I've been doing recently.

131
00:04:56,640 --> 00:04:58,739
So when I first got the TamaTown

132
00:04:58,740 --> 00:05:00,839
Tama-Go, I ran

133
00:05:00,840 --> 00:05:02,699
out to the store, you know, bought about

134
00:05:02,700 --> 00:05:04,799
five of them, made up some crazy story

135
00:05:04,800 --> 00:05:07,529
about how they were gifts for friends,

136
00:05:07,530 --> 00:05:08,759
and took one apart.

137
00:05:09,780 --> 00:05:11,369
And here's what the board of the TamaTown

138
00:05:11,370 --> 00:05:12,809
Tama-Go looks like.

139
00:05:12,810 --> 00:05:14,039
And I'd say there's really only two

140
00:05:14,040 --> 00:05:15,929
interesting features on it.

141
00:05:15,930 --> 00:05:18,179
One is the EEPROM, which is circled in red,

142
00:05:18,180 --> 00:05:20,249
and that's the only persistent, readable

143
00:05:20,250 --> 00:05:22,739
memory on the board of the Tamagotchi.

144
00:05:22,740 --> 00:05:24,139
It's what stores the state.
145
00:05:24,140 --> 00:05:25,499
So like, let's say you spent a lot of

146
00:05:25,500 --> 00:05:27,449
time getting a really cool old

147
00:05:27,450 --> 00:05:29,219
Tamagotchi.

148
00:05:29,220 --> 00:05:30,389
If you need to change the battery, it

149
00:05:30,390 --> 00:05:31,859
will make sure you get that Tamagotchi

150
00:05:31,860 --> 00:05:33,179
back.

151
00:05:33,180 --> 00:05:35,429
The other thing, on the right side,

152
00:05:35,430 --> 00:05:36,759
is the blob.

153
00:05:36,760 --> 00:05:37,979
And since there's no visible

154
00:05:37,980 --> 00:05:40,019
microcontroller on the board, it seemed

155
00:05:40,020 --> 00:05:41,489
pretty clear that the microcontroller was

156
00:05:41,490 --> 00:05:42,949
under there.

157
00:05:42,950 --> 00:05:44,479
I also took apart a figure.

158
00:05:44,480 --> 00:05:45,659
What was kind of interesting is there's

159
00:05:45,660 --> 00:05:47,579
two types of figures: there are some

160
00:05:47,580 --> 00:05:49,529
with an unpopulated PCB,

161
00:05:49,530 --> 00:05:51,149
and then there were some with a blob,

162
00:05:51,150 --> 00:05:53,129
which I assumed had mask ROM underneath

163
00:05:53,130 --> 00:05:54,130
it.

164
00:05:54,810 --> 00:05:57,089
So the first thing I needed to do was to

165
00:05:57,090 --> 00:05:59,219
identify the microcontroller.

166
00:05:59,220 --> 00:06:01,919
I tried many crazy, dangerous

167
00:06:01,920 --> 00:06:03,809
and ineffective ways of removing the

168
00:06:03,810 --> 00:06:05,909
epoxy before Travis Goodspeed

169
00:06:05,910 --> 00:06:07,859
was kind enough to decap it with acid.

170
00:06:09,060 --> 00:06:11,459
So here's a picture

171
00:06:11,460 --> 00:06:14,099
of the die, and I finally,

172
00:06:14,100 --> 00:06:16,019
after a lot of looking, managed to

173
00:06:16,020 --> 00:06:18,119
identify it, and what it is

174
00:06:18,120 --> 00:06:20,639
is it's a GeneralPlus LCD controller.
175
00:06:20,640 --> 00:06:22,889
I'd say that the two most interesting

176
00:06:22,890 --> 00:06:25,439
things about it is that it runs 6502

177
00:06:25,440 --> 00:06:27,599
like a Commodore and that

178
00:06:27,600 --> 00:06:29,069
it has mask ROM.

179
00:06:29,070 --> 00:06:31,169
And I guess there's pros and cons

180
00:06:31,170 --> 00:06:33,389
to that. But the major con to

181
00:06:33,390 --> 00:06:35,669
mask ROM is that I can never reprogram

182
00:06:35,670 --> 00:06:37,589
it. It's manufactured directly into the

183
00:06:37,590 --> 00:06:39,359
transistors, so it pretty much ruled

184
00:06:39,360 --> 00:06:41,609
out permanently modifying

185
00:06:41,610 --> 00:06:42,839
the Tamagotchi in any way.

186
00:06:45,380 --> 00:06:47,059
So at this point, I really wanted to dump

187
00:06:47,060 --> 00:06:49,429
this mask ROM, and I had a few ideas

188
00:06:49,430 --> 00:06:51,439
of how I could do it.

189
00:06:51,440 --> 00:06:53,059
And one of them was to restore a bad

190
00:06:53,060 --> 00:06:54,409
state from the EEPROM.

191
00:06:54,410 --> 00:06:56,419
I was hoping that maybe it had, you know,

192
00:06:56,420 --> 00:06:59,239
stack pointers and instruction pointers

193
00:06:59,240 --> 00:07:00,799
in there, but unfortunately it didn't.

194
00:07:00,800 --> 00:07:02,449
This totally didn't work because it

195
00:07:02,450 --> 00:07:04,429
contained serialized data.

196
00:07:04,430 --> 00:07:06,679
Another idea I had was to look

197
00:07:06,680 --> 00:07:08,449
for test functionality, because some

198
00:07:08,450 --> 00:07:10,399
microcontrollers will have test functions

199
00:07:10,400 --> 00:07:11,400
that can dump the code.
200
00:07:12,650 --> 00:07:14,299
Another idea was to exploit a

201
00:07:14,300 --> 00:07:16,309
vulnerability in the processing of the

202
00:07:16,310 --> 00:07:18,739
figure data or the infrared data,

203
00:07:18,740 --> 00:07:20,539
because these are basically untrusted

204
00:07:20,540 --> 00:07:22,939
data that is processed by the Tamagotchi.

205
00:07:22,940 --> 00:07:24,649
So there really is a possibility there

206
00:07:24,650 --> 00:07:27,229
could be bugs in there.

207
00:07:27,230 --> 00:07:29,149
Another option would be to read the ROM

208
00:07:29,150 --> 00:07:30,649
with a microscope.

209
00:07:30,650 --> 00:07:32,479
One of the benefits of mask ROM in

210
00:07:32,480 --> 00:07:34,279
reverse engineering is that the bits,

211
00:07:34,280 --> 00:07:35,539
because they're manufactured into the

212
00:07:35,540 --> 00:07:37,699
transistors, are visible, so you could

213
00:07:37,700 --> 00:07:38,629
theoretically look at it with a

214
00:07:38,630 --> 00:07:39,889
microscope.

215
00:07:39,890 --> 00:07:42,769
And another option was pin manipulation.

216
00:07:42,770 --> 00:07:44,449
You know, maybe if I was able to listen

217
00:07:44,450 --> 00:07:46,909
in to the right pin or even the right area

218
00:07:46,910 --> 00:07:49,099
on the die, maybe I could see

219
00:07:49,100 --> 00:07:50,690
what instructions were being executed.

220
00:07:51,980 --> 00:07:53,539
So the first thing I did was I looked at

221
00:07:53,540 --> 00:07:55,939
the test functionality, and

222
00:07:55,940 --> 00:07:57,679
it turns out that all GeneralPlus

223
00:07:57,680 --> 00:07:59,509
microcontrollers have a mandatory test

224
00:07:59,510 --> 00:08:00,769
program.
225
00:08:00,770 --> 00:08:02,569
And I suspected that this would probably

226
00:08:02,570 --> 00:08:05,149
allow you to dump code, just because

227
00:08:05,150 --> 00:08:06,739
the nature of mask ROM means that it's

228
00:08:06,740 --> 00:08:08,809
very expensive up front, but very

229
00:08:08,810 --> 00:08:10,429
cheap to make copies.

230
00:08:10,430 --> 00:08:11,929
So I think it would be a common problem

231
00:08:11,930 --> 00:08:13,669
that customers complained that the mask

232
00:08:13,670 --> 00:08:15,359
ROM wasn't manufactured correctly, so

233
00:08:15,360 --> 00:08:17,059
it makes sense they would have a way to

234
00:08:17,060 --> 00:08:19,009
prove that it was correct.

235
00:08:19,010 --> 00:08:20,959
So I looked around for this quite hard,

236
00:08:20,960 --> 00:08:22,819
but unfortunately at this point I could

237
00:08:22,820 --> 00:08:25,009
not find the test program, so I had to

238
00:08:25,010 --> 00:08:26,539
move on.

239
00:08:26,540 --> 00:08:28,639
So the next thing I did was I

240
00:08:28,640 --> 00:08:31,129
looked at the figure ROM,

241
00:08:31,130 --> 00:08:32,928
and I thought this could be useful in a

242
00:08:32,929 --> 00:08:34,249
few ways.

243
00:08:34,250 --> 00:08:36,319
As I said, my main goal was to dump

244
00:08:36,320 --> 00:08:37,969
the ROM. But I thought there were some

245
00:08:37,970 --> 00:08:39,408
other fun things I could do.

246
00:08:39,409 --> 00:08:41,149
Maybe I could execute code on the

247
00:08:41,150 --> 00:08:42,529
Tamagotchi.

248
00:08:42,530 --> 00:08:44,359
Maybe I could make my own Tamagotchi

249
00:08:44,360 --> 00:08:46,819
games, because the figures support games,

250
00:08:46,820 --> 00:08:48,499
and if nothing else, I was sure it would

251
00:08:48,500 --> 00:08:50,449
make me better understand the Tamagotchi

252
00:08:50,450 --> 00:08:51,450
behavior.
253
00:08:53,300 --> 00:08:55,369
So to figure out what was inside a

254
00:08:55,370 --> 00:08:57,469
figure, I scraped off the

255
00:08:57,470 --> 00:08:59,629
solder mask of the unpopulated

256
00:08:59,630 --> 00:09:01,789
PCB and I compared it to a bunch

257
00:09:01,790 --> 00:09:04,159
of pad layouts, and it turned out

258
00:09:04,160 --> 00:09:06,229
that it was an SPI ROM

259
00:09:06,230 --> 00:09:07,279
by the same company that made the

260
00:09:07,280 --> 00:09:09,709
microcontroller, GeneralPlus.

261
00:09:09,710 --> 00:09:11,839
This allowed me to figure out the notes

262
00:09:11,840 --> 00:09:13,999
on the figure interface, which in turn

263
00:09:14,000 --> 00:09:15,619
allowed me to dump a figure.

264
00:09:17,000 --> 00:09:18,889
Then I was able to look at the format of

265
00:09:18,890 --> 00:09:20,869
the dump, and eventually I figured out

266
00:09:20,870 --> 00:09:22,429
how to decode images, and there was a

267
00:09:22,430 --> 00:09:23,430
picture of it there.

268
00:09:24,610 --> 00:09:26,379
At this point, I could look at all the

269
00:09:26,380 --> 00:09:28,389
images, and I already knew a few things

270
00:09:28,390 --> 00:09:30,489
about the Tamagotchi from them.

271
00:09:30,490 --> 00:09:32,559
One thing that was interesting is that

272
00:09:32,560 --> 00:09:34,809
all of the text was an image.

273
00:09:34,810 --> 00:09:37,059
So there is no ASCII or other text

274
00:09:37,060 --> 00:09:38,439
format in there.

275
00:09:38,440 --> 00:09:40,539
If the Tamagotchi said "dress" on

276
00:09:40,540 --> 00:09:42,339
the screen, there was a bitmap that had

277
00:09:42,340 --> 00:09:43,809
the word "dress" on it.

278
00:09:43,810 --> 00:09:45,189
So that kind of shows the Tamagotchi

279
00:09:45,190 --> 00:09:47,769
isn't very advanced in its programming.

280
00:09:47,770 --> 00:09:49,479
The other thing I noticed was that every

281
00:09:49,480 --> 00:09:51,549
animation was a series of images.
282
00:09:51,550 --> 00:09:53,289
So, for example, if your Tamagotchi was

283
00:09:53,290 --> 00:09:55,539
wearing the dress, there would be every

284
00:09:55,540 --> 00:09:58,059
single sprite with every single dress

285
00:09:58,060 --> 00:10:00,369
drawn. There was no, you know, sprite

286
00:10:00,370 --> 00:10:02,109
handling or overlays or anything like

287
00:10:02,110 --> 00:10:03,110
that.

288
00:10:04,000 --> 00:10:06,069
So I looked into the rest

289
00:10:06,070 --> 00:10:07,889
of the ROM hoping that there might be,

290
00:10:07,890 --> 00:10:08,919
say, code in there.

291
00:10:08,920 --> 00:10:10,989
But there wasn't, and

292
00:10:10,990 --> 00:10:13,419
there wasn't, I'd say, even a lot of

293
00:10:13,420 --> 00:10:15,219
non-image data, not compared to the size of

294
00:10:15,220 --> 00:10:16,809
the image data.

295
00:10:16,810 --> 00:10:18,549
So I assume that was probably logic

296
00:10:18,550 --> 00:10:20,049
information in some sort of serialized

297
00:10:20,050 --> 00:10:21,050
format.

298
00:10:21,910 --> 00:10:23,949
Now, to understand this a bit better,

299
00:10:23,950 --> 00:10:25,509
I didn't think that reading the ROM was

300
00:10:25,510 --> 00:10:27,009
enough. I thought that I had to be able

301
00:10:27,010 --> 00:10:29,079
to write the ROM so I could change things

302
00:10:29,080 --> 00:10:31,119
and see what they do.

303
00:10:31,120 --> 00:10:33,279
So eventually I made a rig that

304
00:10:33,280 --> 00:10:35,679
basically simulated the ROM

305
00:10:35,680 --> 00:10:36,969
by bit banging.

306
00:10:36,970 --> 00:10:39,009
That's a picture of it there.

307
00:10:39,010 --> 00:10:41,619
And from this, I was able to

308
00:10:41,620 --> 00:10:43,149
do a few things. To start off,

309
00:10:43,150 --> 00:10:44,769
I could put different pictures on the

310
00:10:44,770 --> 00:10:46,389
front of the Tamagotchi.

311
00:10:46,390 --> 00:10:47,589
That was fairly simple.
312
00:10:47,590 --> 00:10:49,599
When you put a figure on, it draws a

313
00:10:49,600 --> 00:10:51,609
picture of like a wardrobe or a chest

314
00:10:51,610 --> 00:10:53,169
that you keep your toys in or something

315
00:10:53,170 --> 00:10:55,119
like that. So I was able to swap that out

316
00:10:55,120 --> 00:10:57,069
for different images.

317
00:10:57,070 --> 00:10:59,079
Also, I was able to play around with some

318
00:10:59,080 --> 00:11:00,339
of the logic.

319
00:11:00,340 --> 00:11:02,199
One thing that I found interesting was

320
00:11:02,200 --> 00:11:04,029
the game logic.

321
00:11:04,030 --> 00:11:06,159
I was expecting the game logic to take up

322
00:11:06,160 --> 00:11:07,779
a lot of memory because games are

323
00:11:07,780 --> 00:11:09,459
complex, but it turned out to be quite

324
00:11:09,460 --> 00:11:11,769
small: less than 50 bytes of non-image

325
00:11:11,770 --> 00:11:13,989
data read at any point

326
00:11:13,990 --> 00:11:15,939
during the figure functionality.

327
00:11:15,940 --> 00:11:18,129
Even more interesting was that the game

328
00:11:18,130 --> 00:11:20,559
logic, like what decided,

329
00:11:20,560 --> 00:11:22,179
you know, when you got points and stuff

330
00:11:22,180 --> 00:11:24,369
like that, was represented by

331
00:11:24,370 --> 00:11:26,649
a single byte code,

332
00:11:26,650 --> 00:11:28,449
which basically, what this means is, you

333
00:11:28,450 --> 00:11:30,039
know, there's a few types of games.

334
00:11:30,040 --> 00:11:31,209
You know, there's the one where you catch

335
00:11:31,210 --> 00:11:32,649
falling stuff and there's the one where

336
00:11:32,650 --> 00:11:34,719
you match stuff, and those

337
00:11:34,720 --> 00:11:36,459
are all actually in the internal ROM of

338
00:11:36,460 --> 00:11:37,689
the Tamagotchi.

339
00:11:37,690 --> 00:11:39,639
And the figure just, you know, says which

340
00:11:39,640 --> 00:11:41,320
one, which bit of logic it is.
341
00:11:42,620 --> 00:11:43,729
The other thing that was even more

342
00:11:43,730 --> 00:11:45,829
interesting was what happened if I put

343
00:11:45,830 --> 00:11:47,989
in an invalid index:

344
00:11:47,990 --> 00:11:49,999
this would cause me to jump to other

345
00:11:50,000 --> 00:11:51,649
valid screens that had nothing to do with

346
00:11:51,650 --> 00:11:54,229
games. So I'd put in, like, one invalid index

347
00:11:54,230 --> 00:11:55,639
and I'd go to the screen where you feed

348
00:11:55,640 --> 00:11:56,869
your Tamagotchi.

349
00:11:56,870 --> 00:11:59,179
And I'd put in another invalid index

350
00:11:59,180 --> 00:12:00,709
and it would go to, say, where your

351
00:12:00,710 --> 00:12:03,109
Tamagotchi takes a shower.

352
00:12:03,110 --> 00:12:05,179
And what was also interesting was

353
00:12:05,180 --> 00:12:07,169
that it wasn't very smart.

354
00:12:07,170 --> 00:12:09,259
Once again, if I, say, went to the

355
00:12:09,260 --> 00:12:12,139
feeding screen and hit back,

356
00:12:12,140 --> 00:12:14,149
I would go back to the screen that you

357
00:12:14,150 --> 00:12:15,709
would normally go to from that screen,

358
00:12:15,710 --> 00:12:17,359
not the one I'd come from.

359
00:12:17,360 --> 00:12:19,519
So this basically meant to me that the

360
00:12:19,520 --> 00:12:21,589
Tamagotchi was one big state machine

361
00:12:21,590 --> 00:12:23,569
with no concept of a state stack or a

362
00:12:23,570 --> 00:12:24,829
screen stack.

363
00:12:24,830 --> 00:12:26,419
So I thought this was quite interesting.

364
00:12:26,420 --> 00:12:27,829
And then the final thing, which at the

365
00:12:27,830 --> 00:12:29,659
time I had no idea what to make of, was

366
00:12:29,660 --> 00:12:31,849
that some invalid codes caused freezing

367
00:12:31,850 --> 00:12:32,809
and I actually had to reset my

368
00:12:32,810 --> 00:12:34,129
Tamagotchi.
369
00:12:34,130 --> 00:12:35,689
But I didn't have any way to find out

370
00:12:35,690 --> 00:12:38,259
more about what was going on than that.

371
00:12:38,260 --> 00:12:40,759
So here's a quick example of this.

372
00:12:40,760 --> 00:12:43,069
In this video I am jumping

373
00:12:43,070 --> 00:12:45,049
to the evolve function.

374
00:12:45,050 --> 00:12:47,029
So basically, this is what makes your

375
00:12:47,030 --> 00:12:48,409
Tamagotchi grow older.

376
00:13:36,600 --> 00:13:37,709
So there we go.

377
00:13:37,710 --> 00:13:39,390
My Tamagotchi is now older.

378
00:13:49,220 --> 00:13:50,959
So this is where I was at, at the last

379
00:13:50,960 --> 00:13:53,089
Congress, and right afterwards I

380
00:13:53,090 --> 00:13:55,729
was contacted by a guy called Mr. Blinky,

381
00:13:55,730 --> 00:13:58,159
and he wanted to order his own figures

382
00:13:58,160 --> 00:14:00,199
and reproduce my research.

383
00:14:00,200 --> 00:14:01,849
But something funny happened when he

384
00:14:01,850 --> 00:14:04,189
ordered his figures: they had flash in

385
00:14:04,190 --> 00:14:06,469
them. And it turns out there's actually

386
00:14:06,470 --> 00:14:08,059
three types of figures.

387
00:14:08,060 --> 00:14:09,349
There's the ones with the unpopulated

388
00:14:09,350 --> 00:14:11,899
PCBs, and there's the one with the mask ROM.

389
00:14:11,900 --> 00:14:13,399
And there's actually a type that contains

390
00:14:13,400 --> 00:14:14,419
flash.

391
00:14:14,420 --> 00:14:16,189
And what was even cooler is that you

392
00:14:16,190 --> 00:14:18,169
could basically just program the flash

393
00:14:18,170 --> 00:14:20,329
right through the contacts of the figure.

394
00:14:20,330 --> 00:14:22,279
The picture I have in here has a wire

395
00:14:22,280 --> 00:14:24,049
connecting the right pin, but that's

396
00:14:24,050 --> 00:14:25,129
completely unnecessary.
397
00:14:25,130 --> 00:14:26,359
I just didn't want to open up a second

398
00:14:26,360 --> 00:14:27,829
one to take a picture.

399
00:14:27,830 --> 00:14:29,509
But basically, all you need to do is make

400
00:14:29,510 --> 00:14:30,979
a programmer and you're good to go, and

401
00:14:30,980 --> 00:14:32,989
you can really flash the figure, which

402
00:14:32,990 --> 00:14:34,339
was great.

403
00:14:34,340 --> 00:14:36,859
So this is Mr. Blinky's programmer.

404
00:14:36,860 --> 00:14:38,449
And basically the idea is you put in a

405
00:14:38,450 --> 00:14:41,029
standard SPI flash programmer

406
00:14:41,030 --> 00:14:42,739
in there, and there's also a switch.

407
00:14:42,740 --> 00:14:44,479
Then you could go into programming mode or

408
00:14:44,480 --> 00:14:46,879
regular mode in the Tamagotchi.

409
00:14:46,880 --> 00:14:49,039
A guy called Asterix also made a similar

410
00:14:49,040 --> 00:14:51,139
programmer, and this is

411
00:14:51,140 --> 00:14:52,140
my programmer,

412
00:14:54,290 --> 00:14:55,969
but I promise it still works.

413
00:15:02,950 --> 00:15:04,299
So at this point in time, I could play a

414
00:15:04,300 --> 00:15:06,069
bit more with the functionality.

415
00:15:06,070 --> 00:15:08,649
So one thing I played with was items,

416
00:15:08,650 --> 00:15:10,209
and the Tamagotchi supports lots of

417
00:15:10,210 --> 00:15:11,589
different types of items.

418
00:15:11,590 --> 00:15:13,719
For example, you can see on the left

419
00:15:13,720 --> 00:15:15,129
and the right at the bottom, there's the

420
00:15:15,130 --> 00:15:16,599
clothing store, and then you can buy a

421
00:15:16,600 --> 00:15:18,789
dress that your Tamagotchi wears.
422
00:15:18,790 --> 00:15:21,189
And then you can also do things like

423
00:15:21,190 --> 00:15:23,349
take your Tamagotchi on a trip to see

424
00:15:23,350 --> 00:15:24,789
the statue of Abraham Lincoln in

425
00:15:24,790 --> 00:15:26,529
Washington, D.C., which is the middle

426
00:15:26,530 --> 00:15:27,819
picture.

427
00:15:27,820 --> 00:15:30,189
So I played around with this a bit,

428
00:15:30,190 --> 00:15:31,839
and I found out it was in a bytecode

429
00:15:31,840 --> 00:15:33,999
format, and you could do things

430
00:15:34,000 --> 00:15:35,979
like display an image on the screen, play

431
00:15:35,980 --> 00:15:38,329
a sound, and you can also change a

432
00:15:38,330 --> 00:15:40,089
stat. So for example, when your

433
00:15:40,090 --> 00:15:42,159
Tamagotchi sees Abraham Lincoln, it

434
00:15:42,160 --> 00:15:44,109
gets really, really happy.

435
00:15:44,110 --> 00:15:45,879
But there is nothing really useful in

436
00:15:45,880 --> 00:15:47,919
there. There was some unusual behavior

437
00:15:47,920 --> 00:15:50,079
for invalid instructions, but nothing

438
00:15:50,080 --> 00:15:51,999
else that I could use to dump the code.

439
00:15:52,000 --> 00:15:53,469
But thankfully, I could do some fun

440
00:15:53,470 --> 00:15:55,689
things like make a music video or make

441
00:15:55,690 --> 00:15:57,580
my Tamagotchi do the Harlem Shake.

442
00:16:38,550 --> 00:16:40,829
So that was a lot of fun, but once

443
00:16:40,830 --> 00:16:42,359
again, I really just wanted to dump the

444
00:16:42,360 --> 00:16:44,669
ROM. So I started thinking again

445
00:16:44,670 --> 00:16:46,439
about this game logic.

446
00:16:46,440 --> 00:16:48,599
And as I said earlier, it was represented

447
00:16:48,600 --> 00:16:50,279
by this one byte code that would

448
00:16:50,280 --> 00:16:52,469
sometimes jump to a different state

449
00:16:52,470 --> 00:16:54,599
and sometimes cause freezing.
450
00:16:54,600 --> 00:16:56,699
And I didn't know quite what to make of

451
00:16:56,700 --> 00:16:58,139
this, but I thought it was possible that

452
00:16:58,140 --> 00:16:59,999
this could be exploitable.

453
00:17:00,000 --> 00:17:02,069
So I started looking into how 6502

454
00:17:02,070 --> 00:17:04,169
worked, and I found out some

455
00:17:04,170 --> 00:17:06,749
very interesting things.

456
00:17:06,750 --> 00:17:07,679
For one thing,

457
00:17:07,680 --> 00:17:09,479
6502 is mapped into a single

458
00:17:09,480 --> 00:17:10,679
address space.

459
00:17:10,680 --> 00:17:13,259
So when you execute code, you can access

460
00:17:13,260 --> 00:17:15,118
every single memory address.

461
00:17:15,119 --> 00:17:16,618
You'll never, for example, get an

462
00:17:16,619 --> 00:17:18,838
exception and you'll never reset.

463
00:17:18,839 --> 00:17:20,578
And this is because there's no MMU.

464
00:17:20,579 --> 00:17:22,769
So basically, what will happen if

465
00:17:22,770 --> 00:17:25,409
you access unmapped

466
00:17:25,410 --> 00:17:27,989
memory or memory that doesn't exist,

467
00:17:27,990 --> 00:17:29,459
it will usually return zero.

468
00:17:29,460 --> 00:17:31,289
It might return another value, but it

469
00:17:31,290 --> 00:17:33,419
will never stop execution.

470
00:17:33,420 --> 00:17:35,849
The same thing with invalid instructions.

471
00:17:35,850 --> 00:17:37,769
I think what the standard says is it will

472
00:17:37,770 --> 00:17:39,929
execute undefined behavior, taking an

473
00:17:39,930 --> 00:17:42,029
undefined amount of time.

474
00:17:42,030 --> 00:17:43,949
But practically speaking, this means that

475
00:17:43,950 --> 00:17:46,109
it acts as a no-op, and

476
00:17:46,110 --> 00:17:47,339
basically reset is rare.
477
00:17:47,340 --> 00:17:49,769
The only way you can reset a 6502 device

478
00:17:49,770 --> 00:17:52,079
is basically jump to the reset vector,

479
00:17:52,080 --> 00:17:53,579
which actually, if you think about this,

480
00:17:53,580 --> 00:17:55,859
this is like great for exploitation,

481
00:17:55,860 --> 00:17:57,359
because usually, you know, like, let's

482
00:17:57,360 --> 00:17:59,249
say you can move your instruction pointer

483
00:17:59,250 --> 00:18:01,379
somewhere and you get it wrong.

484
00:18:01,380 --> 00:18:03,449
You'll have problems because, say,

485
00:18:03,450 --> 00:18:05,159
you'll access an invalid memory address

486
00:18:05,160 --> 00:18:07,349
or you'll get an invalid instruction and

487
00:18:07,350 --> 00:18:09,649
then you'll crash, but

488
00:18:09,650 --> 00:18:10,829
with 6502,

489
00:18:10,830 --> 00:18:12,629
if you're a little bit off the code

490
00:18:12,630 --> 00:18:13,559
you're trying to jump to,

491
00:18:13,560 --> 00:18:15,149
you still might make it because

492
00:18:15,150 --> 00:18:17,219
everything acts like a no-op.

493
00:18:17,220 --> 00:18:18,689
And even if you don't, right, it's just

494
00:18:18,690 --> 00:18:20,399
going to keep executing in while loops

495
00:18:20,400 --> 00:18:22,829
forever, and maybe you'll get there.

496
00:18:22,830 --> 00:18:23,830
So I thought,

497
00:18:25,890 --> 00:18:27,539
I thought, knowing this, it was worth, you

498
00:18:27,540 --> 00:18:29,759
know, just trying to exploit this.

499
00:18:29,760 --> 00:18:31,949
So I kind of just imagined how it might

500
00:18:31,950 --> 00:18:34,379
work internally, and I thought, well,

501
00:18:34,380 --> 00:18:36,599
you know, maybe the game code indexes into

502
00:18:36,600 --> 00:18:38,759
a jump table, and there's

503
00:18:38,760 --> 00:18:40,889
only a small amount of RAM that I

504
00:18:40,890 --> 00:18:42,659
can control from a figure.
505 00:18:42,660 --> 00:18:44,039 And that's the stuff that's displayed on 506 00:18:44,040 --> 00:18:46,079 the screen, but that's about 200 bytes of 507 00:18:46,080 --> 00:18:47,699 RAM. And I thought, Well, I'll just make 508 00:18:47,700 --> 00:18:48,960 a NOP sled and hope. 509 00:18:50,350 --> 00:18:52,479 So this is Mametchi in front 510 00:18:52,480 --> 00:18:54,009 of my NOP sled. 511 00:18:54,010 --> 00:18:55,779 I eventually figured out how to make her 512 00:18:55,780 --> 00:18:58,779 move so as not to mess with my exploit. 513 00:18:58,780 --> 00:19:00,519 And I tried all two hundred and fifty-five 514 00:19:00,520 --> 00:19:02,589 codes and hoped I would jump 515 00:19:02,590 --> 00:19:03,699 to the shellcode. 516 00:19:03,700 --> 00:19:05,949 And I did not, but 517 00:19:05,950 --> 00:19:08,409 I did find some very interesting behavior 518 00:19:08,410 --> 00:19:10,329 in code CC. 519 00:19:10,330 --> 00:19:11,859 Basically, I found that, you know, the 520 00:19:11,860 --> 00:19:13,959 first time I tried it, it buzzed. 521 00:19:13,960 --> 00:19:15,999 And what the buzzing was dependent on was 522 00:19:16,000 --> 00:19:17,679 this: if bit three of 868 of 523 00:19:17,680 --> 00:19:19,809 the LCD RAM was set, 524 00:19:19,810 --> 00:19:22,689 it would buzz; otherwise it would freeze. 525 00:19:22,690 --> 00:19:24,429 So I thought that was kind of odd. 526 00:19:24,430 --> 00:19:26,379 The other thing that I thought was odd 527 00:19:26,380 --> 00:19:28,479 was that some of the middle indexes 528 00:19:28,480 --> 00:19:29,769 worked. 529 00:19:29,770 --> 00:19:31,479 When I was first playing with this, it 530 00:19:31,480 --> 00:19:33,279 was the top and the bottom of the range 531 00:19:33,280 --> 00:19:34,989 that would work and the middle always 532 00:19:34,990 --> 00:19:36,669 froze. But once I started trying every 533 00:19:36,670 --> 00:19:38,889 single index, some of them worked. 
534 00:19:38,890 --> 00:19:41,019 So I came up with kind of a new theory, 535 00:19:41,020 --> 00:19:42,519 which was that all the indexes were 536 00:19:42,520 --> 00:19:44,529 valid, but maybe it was something else 537 00:19:44,530 --> 00:19:45,729 that was causing the freezing. 538 00:19:45,730 --> 00:19:47,169 Maybe the stack wasn't set right. 539 00:19:47,170 --> 00:19:48,879 Maybe memory addresses weren't set right. 540 00:19:48,880 --> 00:19:50,859 Maybe registers weren't set right. 541 00:19:50,860 --> 00:19:52,179 And then I kind of came up with a 542 00:19:52,180 --> 00:19:54,429 theory of why I was hearing the noise, 543 00:19:54,430 --> 00:19:56,649 right? Maybe it's checking if sound 544 00:19:56,650 --> 00:19:58,869 is enabled, 545 00:19:58,870 --> 00:20:01,029 but it's accidentally 546 00:20:01,030 --> 00:20:02,379 checking the LCD RAM because 547 00:20:02,380 --> 00:20:04,179 something's corrupted, and then it's 548 00:20:04,180 --> 00:20:05,349 playing a sound. 549 00:20:05,350 --> 00:20:07,629 And then maybe 550 00:20:07,630 --> 00:20:08,919 it's doing jumps based on corrupted 551 00:20:08,920 --> 00:20:11,169 memory, which would basically cause, based 552 00:20:11,170 --> 00:20:12,879 on this bit, it to sometimes play 553 00:20:12,880 --> 00:20:15,010 sound repeatedly and sometimes not. 554 00:20:16,120 --> 00:20:18,279 But this started to drive me crazy. 555 00:20:18,280 --> 00:20:21,129 I thought, if this is how it works 556 00:20:21,130 --> 00:20:24,069 and I have 255 vulnerabilities 557 00:20:24,070 --> 00:20:26,739 and I have this fairly large chunk of RAM 558 00:20:26,740 --> 00:20:28,869 full of NOP sled, you know, 559 00:20:28,870 --> 00:20:29,979 why isn't it working? 560 00:20:29,980 --> 00:20:31,479 I could be very unlucky. 561 00:20:31,480 --> 00:20:33,309 But, you know, probably not. 
562 00:20:34,540 --> 00:20:37,029 So I went and I looked at my shellcode, 563 00:20:37,030 --> 00:20:39,339 and at this point I had used 564 00:20:39,340 --> 00:20:41,499 65C02 for my shellcode because I 565 00:20:41,500 --> 00:20:43,539 thought, Well, why have a table if it's 566 00:20:43,540 --> 00:20:45,279 regular 6502? 567 00:20:45,280 --> 00:20:47,079 But I switched my shellcode to regular 568 00:20:47,080 --> 00:20:48,849 6502 and it made it something 569 00:20:48,850 --> 00:20:51,009 a little bit more foolproof. 570 00:20:51,010 --> 00:20:53,349 And at this point, it worked the fourth 571 00:20:53,350 --> 00:20:55,180 time I tried index D4. 572 00:21:03,250 --> 00:21:05,799 So this is an example of my exploit. 573 00:21:05,800 --> 00:21:08,019 Circled in blue at the bottom is the 574 00:21:08,020 --> 00:21:10,029 stub of shellcode I hit. 575 00:21:10,030 --> 00:21:11,769 It actually turns out that the LCD RAM 576 00:21:11,770 --> 00:21:13,779 isn't contiguous, so that's actually a 577 00:21:13,780 --> 00:21:15,999 very tiny NOP sled, and it was quite 578 00:21:16,000 --> 00:21:18,159 fortunate I ended up hitting it 579 00:21:18,160 --> 00:21:19,479 at the top because I don't have enough 580 00:21:19,480 --> 00:21:21,759 room. I'm jumping to the actual shellcode 581 00:21:21,760 --> 00:21:22,809 circled in yellow. 582 00:21:22,810 --> 00:21:24,609 And what this shellcode actually does 583 00:21:24,610 --> 00:21:27,309 is it writes some white to the LCD RAM, 584 00:21:27,310 --> 00:21:28,779 and that's circled in red. 585 00:21:28,780 --> 00:21:30,609 And what I was trying to do here is, since 586 00:21:30,610 --> 00:21:32,589 I now knew the LCD RAM wasn't contiguous, 587 00:21:32,590 --> 00:21:33,639 I was trying to figure out where all the 588 00:21:33,640 --> 00:21:35,109 addresses were. 589 00:21:35,110 --> 00:21:36,489 But that's just a simple example that 590 00:21:36,490 --> 00:21:37,490 shows that it works. 
591 00:21:38,960 --> 00:21:41,059 So the next thing I wanted to do was 592 00:21:41,060 --> 00:21:42,619 to dump the Tamagotchi's ROM. 593 00:21:43,700 --> 00:21:45,889 So what I did is I broke out the Badin 594 00:21:45,890 --> 00:21:47,779 lines, which are Port A. 595 00:21:47,780 --> 00:21:49,789 And then I just wrote out the entire 596 00:21:49,790 --> 00:21:51,979 memory space using 597 00:21:51,980 --> 00:21:52,879 SPI. 598 00:21:52,880 --> 00:21:54,949 And then I used my signal analyzer 599 00:21:54,950 --> 00:21:56,180 to analyze it. 600 00:21:57,470 --> 00:21:59,549 And fortunately, this wasn't the entire 601 00:21:59,550 --> 00:22:01,309 ROM because the ROM is actually much 602 00:22:01,310 --> 00:22:03,619 larger than the memory space, and it uses 603 00:22:03,620 --> 00:22:06,019 ROM paging to 604 00:22:06,020 --> 00:22:07,759 make its memory space larger. 605 00:22:07,760 --> 00:22:09,439 So basically, the way it works is the 606 00:22:09,440 --> 00:22:11,539 first page of ROM is always mapped, and 607 00:22:11,540 --> 00:22:13,549 that's in the upper half of addresses. 608 00:22:13,550 --> 00:22:16,159 And then the lower half of addresses 609 00:22:16,160 --> 00:22:18,409 can be different parts of the ROM, 610 00:22:18,410 --> 00:22:20,059 depending on a register. 611 00:22:20,060 --> 00:22:22,129 And looking at the first page, which 612 00:22:22,130 --> 00:22:23,959 I managed to dump, I was able to figure 613 00:22:23,960 --> 00:22:25,279 out what this register was. 614 00:22:25,280 --> 00:22:27,199 It was 3000, and then I was able 615 00:22:27,200 --> 00:22:28,819 to dump all 19 pages of ROM. 616 00:22:30,510 --> 00:22:32,039 So looking at them quickly, I could 617 00:22:32,040 --> 00:22:34,109 figure out what they all were. Pages 618 00:22:34,110 --> 00:22:36,179 zero to six were code pages, 619 00:22:36,180 --> 00:22:37,979 seven to nine were unused. 
620 00:22:37,980 --> 00:22:39,929 Page 10 contained a pointer table for 621 00:22:39,930 --> 00:22:41,069 images. 622 00:22:41,070 --> 00:22:43,529 Pages 11 to 18 contain images, 623 00:22:43,530 --> 00:22:45,389 and I don't know what page 19 contains, 624 00:22:45,390 --> 00:22:46,979 but I'm figuring it's audio because where 625 00:22:46,980 --> 00:22:48,660 else would the audio be otherwise? 626 00:22:50,850 --> 00:22:52,919 So here's some of the key highlights 627 00:22:52,920 --> 00:22:54,989 of my ROM dump. You can see at 628 00:22:54,990 --> 00:22:57,059 the bottom are some close-ups of all the 629 00:22:57,060 --> 00:22:58,319 Tamagotchis. 630 00:22:58,320 --> 00:23:00,389 Some other interesting things: circled 631 00:23:00,390 --> 00:23:02,369 in blue is a bunch of text. 632 00:23:02,370 --> 00:23:04,289 So once again, the Tamagotchi has no text 633 00:23:04,290 --> 00:23:06,509 encoding. They're all images. 634 00:23:06,510 --> 00:23:08,789 And also circled in red is some stuff 635 00:23:08,790 --> 00:23:11,069 from a startup test program, 636 00:23:11,070 --> 00:23:11,969 which is also interesting. 637 00:23:11,970 --> 00:23:12,959 It meant that basically, you know, 638 00:23:12,960 --> 00:23:15,119 everything was in the ROM, 639 00:23:15,120 --> 00:23:17,249 which is cool and made me 640 00:23:17,250 --> 00:23:18,509 think that I dumped everything. 641 00:23:20,340 --> 00:23:22,679 So my next step here was to reverse 642 00:23:22,680 --> 00:23:24,509 the ROM, you know, figure out the 643 00:23:24,510 --> 00:23:26,459 secrets of Tamagotchi life I had been 644 00:23:26,460 --> 00:23:28,619 wanting to know. The learning curve 645 00:23:28,620 --> 00:23:29,969 was a bit steep. 646 00:23:29,970 --> 00:23:32,039 I started off using it and there was no 647 00:23:32,040 --> 00:23:33,059 paging support. 
648 00:23:33,060 --> 00:23:35,159 So eventually I wrote a simulator 649 00:23:35,160 --> 00:23:37,469 based on a tool called py65 650 00:23:37,470 --> 00:23:38,819 to try and figure out what it did. 651 00:23:40,140 --> 00:23:41,939 And then a guy called Asterisk wrote a 652 00:23:41,940 --> 00:23:43,679 way better simulator. 653 00:23:43,680 --> 00:23:44,969 I would actually recommend, if you like 654 00:23:44,970 --> 00:23:46,529 Tamagotchis, download this. 655 00:23:46,530 --> 00:23:48,269 It's really cool. 656 00:23:48,270 --> 00:23:50,279 You can see you can step through all the 657 00:23:50,280 --> 00:23:51,539 different locations. 658 00:23:51,540 --> 00:23:53,699 You can look at the values of the E 659 00:23:53,700 --> 00:23:55,829 trigger, the interrupts, all that stuff. 660 00:23:55,830 --> 00:23:57,659 So I thought that was awesome. 661 00:23:57,660 --> 00:23:59,309 So basically, here's how a Tamagotchi 662 00:23:59,310 --> 00:24:01,649 works. After startup, 663 00:24:01,650 --> 00:24:02,879 it's in one big loop. 664 00:24:02,880 --> 00:24:04,769 So a state machine, like I expected, and 665 00:24:04,770 --> 00:24:06,359 every time the interrupt gets triggered, 666 00:24:06,360 --> 00:24:07,709 it cycles around the loop and then it 667 00:24:07,710 --> 00:24:09,089 waits, and then it cycles, and then it 668 00:24:09,090 --> 00:24:11,189 waits. And it's always in one 669 00:24:11,190 --> 00:24:13,259 of hex 41 states, 670 00:24:13,260 --> 00:24:15,119 and there is a big table that determines 671 00:24:15,120 --> 00:24:16,799 the state actions. 672 00:24:16,800 --> 00:24:18,509 And some of the states have sub-states 673 00:24:18,510 --> 00:24:21,029 and sub-sub-states and sub-sub-sub-states, 674 00:24:21,030 --> 00:24:22,559 and it's the state itself that is 675 00:24:22,560 --> 00:24:25,049 responsible for handling that. 
676 00:24:25,050 --> 00:24:26,909 So basically, when you enter a state, it 677 00:24:26,910 --> 00:24:28,859 will have, you know, startup behavior. 678 00:24:28,860 --> 00:24:30,929 And then after that, it will be 679 00:24:30,930 --> 00:24:33,299 responsible for everything except 680 00:24:33,300 --> 00:24:35,249 for LCD update and SPI poll. 681 00:24:35,250 --> 00:24:36,929 So it will have to play sound. 682 00:24:36,930 --> 00:24:38,669 It will have to handle memory. It will 683 00:24:38,670 --> 00:24:40,169 have to even put you into the next state 684 00:24:40,170 --> 00:24:41,369 you need to be in. 685 00:24:41,370 --> 00:24:43,589 And the only things it doesn't do is it 686 00:24:43,590 --> 00:24:45,749 will write into a fake LCD buffer. 687 00:24:45,750 --> 00:24:47,879 And then there is an LCD update function 688 00:24:47,880 --> 00:24:49,619 that actually updates the LCD. 689 00:24:49,620 --> 00:24:51,119 And also you're not responsible for 690 00:24:51,120 --> 00:24:52,169 polling SPI. 691 00:24:52,170 --> 00:24:53,969 That's the one thing that's done outside 692 00:24:53,970 --> 00:24:55,259 of your state. 693 00:24:55,260 --> 00:24:57,059 And just a general note, there were tons 694 00:24:57,060 --> 00:24:58,379 and tons of pointer tables. 695 00:24:58,380 --> 00:24:59,849 I don't know quite why they like them so 696 00:24:59,850 --> 00:25:02,039 much, but there were pointers to pointers 697 00:25:02,040 --> 00:25:03,329 to pointers everywhere. 698 00:25:05,670 --> 00:25:07,739 So I was able to figure out a 699 00:25:07,740 --> 00:25:08,789 few secrets. 700 00:25:08,790 --> 00:25:11,129 One was what makes a Tamagotchi a boy 701 00:25:11,130 --> 00:25:12,149 or a girl? 702 00:25:12,150 --> 00:25:13,709 And I found out that there was an entropy 703 00:25:13,710 --> 00:25:15,899 source, C4, 704 00:25:15,900 --> 00:25:17,729 that is based on how many times timer 705 00:25:17,730 --> 00:25:19,259 one has fired. 
706 00:25:19,260 --> 00:25:20,759 And basically, this is what determines 707 00:25:20,760 --> 00:25:22,169 whether it's a boy or a girl. 708 00:25:22,170 --> 00:25:23,249 So when you're starting up your 709 00:25:23,250 --> 00:25:25,319 Tamagotchi, the instant at which 710 00:25:25,320 --> 00:25:27,479 you press the button to enter your name, 711 00:25:27,480 --> 00:25:29,489 that's what seals your Tamagotchi's fate. 712 00:25:31,680 --> 00:25:32,819 Also, I found out, right? 713 00:25:32,820 --> 00:25:34,709 You start off with a baby Tamagotchi that 714 00:25:34,710 --> 00:25:36,449 grows into a toddler. 715 00:25:36,450 --> 00:25:37,949 And I found out that this is completely 716 00:25:37,950 --> 00:25:40,139 random, except sometimes it's 717 00:25:40,140 --> 00:25:42,029 even. So basically, if you had one 718 00:25:42,030 --> 00:25:44,069 toddler last time, it's more 719 00:25:44,070 --> 00:25:45,869 likely than not you'll get a different 720 00:25:45,870 --> 00:25:47,519 toddler the next time you raise a 721 00:25:47,520 --> 00:25:48,869 Tamagotchi. 722 00:25:48,870 --> 00:25:50,699 What I also thought was fun was that some 723 00:25:50,700 --> 00:25:52,289 toddlers are higher maintenance than 724 00:25:52,290 --> 00:25:54,539 others. Some you hardly need to 725 00:25:54,540 --> 00:25:55,949 care for and they'll become, you 726 00:25:55,950 --> 00:25:57,509 know, the best teenager. 727 00:25:57,510 --> 00:25:59,669 And some you've got to care for a lot, and 728 00:25:59,670 --> 00:26:01,109 it doesn't even seem to have an effect. 729 00:26:02,790 --> 00:26:04,949 So I found what teen 730 00:26:04,950 --> 00:26:06,929 a toddler becomes is much more complex, 731 00:26:06,930 --> 00:26:08,759 though. Basically, there's two care 732 00:26:08,760 --> 00:26:11,219 factors and they start off at zero. 
733 00:26:11,220 --> 00:26:12,599 And every time you mistreat your 734 00:26:12,600 --> 00:26:14,549 Tamagotchi, you know, don't feed it or 735 00:26:14,550 --> 00:26:17,159 something, you get dinged on them. 736 00:26:17,160 --> 00:26:19,419 And then based on, you know, how 737 00:26:19,420 --> 00:26:21,029 low these factors are, you get different 738 00:26:21,030 --> 00:26:22,030 Tamagotchis. 739 00:26:23,040 --> 00:26:25,019 But there still is some entropy involved. 740 00:26:25,020 --> 00:26:26,879 For example, which factor gets dinged is 741 00:26:26,880 --> 00:26:28,179 random. 742 00:26:28,180 --> 00:26:30,749 Also, what adult a teen 743 00:26:30,750 --> 00:26:32,909 becomes depends 744 00:26:32,910 --> 00:26:34,079 on these same factors. 745 00:26:34,080 --> 00:26:35,999 But there's also a third factor, which is 746 00:26:36,000 --> 00:26:38,999 how well disciplined your Tamagotchi is. 747 00:26:39,000 --> 00:26:41,129 And also, I found that toddler 748 00:26:41,130 --> 00:26:43,259 care matters in what adult a teen 749 00:26:43,260 --> 00:26:45,419 becomes. Basically, you know, if you take 750 00:26:45,420 --> 00:26:47,069 great care of your toddler, you don't 751 00:26:47,070 --> 00:26:48,749 have to take such good care of your teen 752 00:26:48,750 --> 00:26:50,219 for it to become a great adult. 753 00:26:50,220 --> 00:26:52,079 But if you've neglected your toddler, 754 00:26:52,080 --> 00:26:53,939 you've got a lot of catching up to do if 755 00:26:53,940 --> 00:26:55,259 you want to get the great adult 756 00:26:55,260 --> 00:26:57,029 Tamagotchi. 757 00:26:57,030 --> 00:26:59,159 Another fun thing is that you can 758 00:26:59,160 --> 00:27:01,649 potty train your Tamagotchi. 759 00:27:01,650 --> 00:27:03,419 Every time you see your Tamagotchi doing 760 00:27:03,420 --> 00:27:04,589 the potty dance, 761 00:27:04,590 --> 00:27:06,509 you can drag it to the toilet, and this 762 00:27:06,510 --> 00:27:07,889 will increment its discipline. 
763 00:27:07,890 --> 00:27:09,569 And eventually, if you wait long enough, 764 00:27:09,570 --> 00:27:11,939 it'll start going itself, you 765 00:27:11,940 --> 00:27:12,940 know. 766 00:27:14,520 --> 00:27:16,679 Another fun thing I discovered 767 00:27:16,680 --> 00:27:18,749 is that the Tamagotchi has a test mode in 768 00:27:18,750 --> 00:27:20,459 it, and this was kind of cool. 769 00:27:20,460 --> 00:27:22,619 I was looking at the figure processing, 770 00:27:22,620 --> 00:27:24,479 and there's really two types of figures: 771 00:27:24,480 --> 00:27:26,069 ones with restaurants and ones with 772 00:27:26,070 --> 00:27:27,119 shops. 773 00:27:27,120 --> 00:27:28,319 But I found there was a third type of 774 00:27:28,320 --> 00:27:30,689 figure, so I made a figure of this type 775 00:27:30,690 --> 00:27:32,879 and I put it on my Tamagotchi, and I found 776 00:27:32,880 --> 00:27:35,459 it has a debug mode in it, and 777 00:27:35,460 --> 00:27:37,289 it's pretty cool. It allows every stat to 778 00:27:37,290 --> 00:27:38,429 be altered, so you can make your 779 00:27:38,430 --> 00:27:39,869 Tamagotchi less hungry. 780 00:27:39,870 --> 00:27:42,029 You can change every single character. 781 00:27:42,030 --> 00:27:43,469 You can change, you know, what its spouse 782 00:27:43,470 --> 00:27:44,639 looks like. 783 00:27:44,640 --> 00:27:46,769 You can see the care factor, and I also 784 00:27:46,770 --> 00:27:48,869 found a bunch of unused functionality 785 00:27:48,870 --> 00:27:49,870 in this. 786 00:27:50,730 --> 00:27:52,049 So there were some other secrets this 787 00:27:52,050 --> 00:27:54,509 helped me figure out. 788 00:27:54,510 --> 00:27:55,889 For example, I found out it doesn't 789 00:27:55,890 --> 00:27:58,319 matter who your Tamagotchi marries; 790 00:27:58,320 --> 00:28:00,359 they're just as happy and the kids turn 791 00:28:00,360 --> 00:28:01,499 out just the same. 
792 00:28:02,700 --> 00:28:04,169 The exception being, there's kind of a 793 00:28:04,170 --> 00:28:06,269 well-known Tamagotchi trick where if 794 00:28:06,270 --> 00:28:08,219 you marry a certain Tamagotchi called an 795 00:28:08,220 --> 00:28:10,410 Ojitchi, you do get a special toddler. 796 00:28:11,640 --> 00:28:14,009 Also, I found that with figures, 797 00:28:14,010 --> 00:28:15,269 there had been some debate about, you 798 00:28:15,270 --> 00:28:16,949 know, if you have a figure just on your 799 00:28:16,950 --> 00:28:18,779 Tamagotchi but aren't using it, 800 00:28:18,780 --> 00:28:20,249 does it change how your Tamagotchi 801 00:28:20,250 --> 00:28:21,659 behaves? And I found out the answer to 802 00:28:21,660 --> 00:28:22,769 that is no. 803 00:28:22,770 --> 00:28:24,779 There's just a special display if you 804 00:28:24,780 --> 00:28:26,730 have 100 figures for your Tamagotchi. 805 00:28:28,110 --> 00:28:30,329 So I put this online and I got some 806 00:28:30,330 --> 00:28:32,159 interesting reactions. 807 00:28:32,160 --> 00:28:34,439 Number one, just be aware the user 808 00:28:34,440 --> 00:28:35,879 cannot be held responsible. 809 00:28:35,880 --> 00:28:37,859 If you do these, these are your choice at 810 00:28:37,860 --> 00:28:40,079 your own risk. And my personal 811 00:28:40,080 --> 00:28:41,009 favorite: 812 00:28:41,010 --> 00:28:41,999 Interesting. 813 00:28:42,000 --> 00:28:43,679 You are putting much effort into 814 00:28:43,680 --> 00:28:45,239 something that most consider not worth 815 00:28:45,240 --> 00:28:46,950 it. Kudos to you. 816 00:28:48,250 --> 00:28:49,710 Oh, well, what can you do? 817 00:29:00,030 --> 00:29:02,159 So the next thing I did was I analyzed 818 00:29:02,160 --> 00:29:04,589 the GeneralPlus test program, 819 00:29:04,590 --> 00:29:06,719 and this was of interest to me because, 820 00:29:06,720 --> 00:29:08,489 as I mentioned earlier, this is on every 821 00:29:08,490 --> 00:29:10,689 single GeneralPlus LCD controller. 
822 00:29:10,690 --> 00:29:12,569 So I thought it would be useful in 823 00:29:12,570 --> 00:29:14,819 dumping, say, older Tamagotchis and is just 824 00:29:14,820 --> 00:29:16,589 generally useful for everything that 825 00:29:16,590 --> 00:29:18,449 runs GeneralPlus. 826 00:29:18,450 --> 00:29:20,129 And basically, I looked at it and it 827 00:29:20,130 --> 00:29:21,299 turns out it polls. 828 00:29:21,300 --> 00:29:23,519 Basically, you start up with the test pin 829 00:29:23,520 --> 00:29:25,409 pulled and then it polls Port A for a 830 00:29:25,410 --> 00:29:28,289 code and then puts output on Port B. 831 00:29:28,290 --> 00:29:30,359 And the most interesting code was code 832 00:29:30,360 --> 00:29:32,579 16, which would actually 833 00:29:32,580 --> 00:29:35,459 take code off of Port B, 834 00:29:35,460 --> 00:29:37,529 fill up RAM with it and jump to it. 835 00:29:37,530 --> 00:29:38,579 So that's pretty cool. 836 00:29:38,580 --> 00:29:40,169 That basically means that there's now a 837 00:29:40,170 --> 00:29:42,359 method you can use to dump code from any 838 00:29:42,360 --> 00:29:44,279 GeneralPlus LCD controller. 839 00:29:44,280 --> 00:29:46,439 The caveat being that Port A, Port 840 00:29:46,440 --> 00:29:48,239 B and Test have to be bonded. 841 00:29:48,240 --> 00:29:49,799 So on some chips, you might actually have 842 00:29:49,800 --> 00:29:51,989 to remove the epoxy, but this can 843 00:29:51,990 --> 00:29:53,669 always be used to dump the code, which I 844 00:29:53,670 --> 00:29:54,670 thought was pretty cool. 845 00:29:57,270 --> 00:29:59,549 So the next thing I wanted to do 846 00:29:59,550 --> 00:30:02,099 was make some dev tools, 847 00:30:02,100 --> 00:30:03,719 and I already had two of them that I had 848 00:30:03,720 --> 00:30:05,849 made in the process of reversing. 849 00:30:05,850 --> 00:30:08,549 The first one is called portrait.py. 
850 00:30:08,550 --> 00:30:10,229 And I use that to put the screen, the 851 00:30:10,230 --> 00:30:11,669 image, on the screen of the Tamagotchi. 852 00:30:11,670 --> 00:30:13,019 So that's a simple one. 853 00:30:13,020 --> 00:30:15,029 I also had item make, which is what I 854 00:30:15,030 --> 00:30:18,029 used to make the Tamagotchi music videos. 855 00:30:18,030 --> 00:30:19,469 If you like the Harlem Shake, you can 856 00:30:19,470 --> 00:30:21,089 check out my YouTube channel. 857 00:30:21,090 --> 00:30:23,279 I have a few others, but 858 00:30:23,280 --> 00:30:26,909 they both have some serious limitations. 859 00:30:26,910 --> 00:30:28,019 You know, they're both for specific 860 00:30:28,020 --> 00:30:29,339 things. So I wanted to write a generic 861 00:30:29,340 --> 00:30:31,109 tool that you can use to run generic 862 00:30:31,110 --> 00:30:32,110 assembly. 863 00:30:33,030 --> 00:30:35,219 But the big problem I ran into 864 00:30:35,220 --> 00:30:37,979 was that my exploit wasn't very reliable. 865 00:30:37,980 --> 00:30:39,479 I would say it's 30 to 40 percent 866 00:30:39,480 --> 00:30:41,069 reliable, but it was very finicky. 867 00:30:41,070 --> 00:30:43,349 Sometimes it tended to work really well 868 00:30:43,350 --> 00:30:44,609 if the Tamagotchi had been running for a 869 00:30:44,610 --> 00:30:46,019 long time, but as soon as I started 870 00:30:46,020 --> 00:30:48,089 resetting, it stopped working. 871 00:30:48,090 --> 00:30:49,199 And I thought about it and I thought, 872 00:30:49,200 --> 00:30:51,029 Well, really, for a useful tool, you need 873 00:30:51,030 --> 00:30:52,469 100 percent reliability. 874 00:30:52,470 --> 00:30:54,689 So I couldn't use this one. 875 00:30:54,690 --> 00:30:56,639 So I started to look into how it worked. 876 00:30:56,640 --> 00:30:58,589 And basically, I was right about it being 877 00:30:58,590 --> 00:30:59,789 a jump table. 
878 00:30:59,790 --> 00:31:01,049 And basically what 879 00:31:02,460 --> 00:31:04,589 the figure does is it will fetch the game 880 00:31:04,590 --> 00:31:06,899 index, that one value 881 00:31:06,900 --> 00:31:08,489 that determines what game you're playing, 882 00:31:08,490 --> 00:31:10,619 add hex 27 to it and then 883 00:31:10,620 --> 00:31:12,569 jump to that in the state table. 884 00:31:12,570 --> 00:31:13,899 And there's no validity check. 885 00:31:13,900 --> 00:31:16,139 So the problem is that you're jumping 886 00:31:16,140 --> 00:31:18,059 to a state that's out of range. 887 00:31:18,060 --> 00:31:19,679 But then what does the Tamagotchi actually 888 00:31:19,680 --> 00:31:21,689 do with that invalid state? 889 00:31:21,690 --> 00:31:23,369 Well, it turns out when the Tamagotchi 890 00:31:23,370 --> 00:31:25,589 does a state change, it jumps into 891 00:31:25,590 --> 00:31:27,239 the state table. 892 00:31:27,240 --> 00:31:29,459 But what it actually does is it pulls a page 893 00:31:29,460 --> 00:31:31,289 number out of that table and then jumps 894 00:31:31,290 --> 00:31:33,719 into address 4000 there, 895 00:31:33,720 --> 00:31:35,609 and then address 4000 in that 896 00:31:35,610 --> 00:31:36,519 page table 897 00:31:36,520 --> 00:31:38,099 has code that will make you jump into 898 00:31:38,100 --> 00:31:40,049 another jump table. 899 00:31:40,050 --> 00:31:41,549 So this means that invalid states could 900 00:31:41,550 --> 00:31:42,959 do a few things. 901 00:31:42,960 --> 00:31:45,149 They could jump to a non-code 902 00:31:45,150 --> 00:31:46,829 page, they could jump to an unexpected 903 00:31:46,830 --> 00:31:48,419 address, they could bring up an invalid 904 00:31:48,420 --> 00:31:50,039 page. Lots of options there. 
905 00:31:51,150 --> 00:31:52,499 And if you look at what this original 906 00:31:52,500 --> 00:31:54,629 vulnerability did, it would 907 00:31:54,630 --> 00:31:56,789 return, instead of a valid page, 908 00:31:56,790 --> 00:31:58,469 part of the LCD table, which is 909 00:31:58,470 --> 00:32:00,659 3C. And what happens 910 00:32:00,660 --> 00:32:02,819 when you make a GeneralPlus LCD 911 00:32:02,820 --> 00:32:05,069 controller go to an invalid page? 912 00:32:05,070 --> 00:32:07,139 Well, I don't really know. 913 00:32:07,140 --> 00:32:08,939 I tried playing around with this, writing 914 00:32:08,940 --> 00:32:11,219 it out to the LCD, and I got 915 00:32:11,220 --> 00:32:13,619 all dark, all FF. 916 00:32:13,620 --> 00:32:14,699 But I didn't know what this meant. 917 00:32:14,700 --> 00:32:16,499 I think it can mean one of two 918 00:32:16,500 --> 00:32:18,629 things. Basically, either when you go 919 00:32:18,630 --> 00:32:21,029 to an invalid 920 00:32:21,030 --> 00:32:23,219 page, it causes the memory to float, 921 00:32:23,220 --> 00:32:24,389 and that would be what's causing my 922 00:32:24,390 --> 00:32:26,519 execution, that this floating data 923 00:32:26,520 --> 00:32:28,589 somehow caused jumps into my code. 924 00:32:28,590 --> 00:32:31,199 The other option would be that executing 925 00:32:31,200 --> 00:32:33,509 FF, for whatever reason, caused a jump 926 00:32:33,510 --> 00:32:34,829 into my code. 927 00:32:34,830 --> 00:32:37,109 Both of these are very weird, 928 00:32:37,110 --> 00:32:39,239 but for whatever reason, seem to work. 929 00:32:39,240 --> 00:32:41,549 But no wonder this exploit is unreliable, 930 00:32:41,550 --> 00:32:43,019 and certainly there's no way to make it 931 00:32:43,020 --> 00:32:44,729 more reliable. 932 00:32:44,730 --> 00:32:46,949 So I did what I call Vulnerability 933 00:32:46,950 --> 00:32:48,029 Idol. 
934 00:32:48,030 --> 00:32:50,249 I tried out all the other indexes 935 00:32:50,250 --> 00:32:52,469 and I eliminated ones, you know, voted 936 00:32:52,470 --> 00:32:55,289 against them if they started failing. 937 00:32:55,290 --> 00:32:57,029 And I found out, you know, which 938 00:32:57,030 --> 00:32:58,949 vulnerability was going to star in the 939 00:32:58,950 --> 00:33:01,229 Tamagotchi dev kit, and that was 940 00:33:01,230 --> 00:33:02,230 CD. 941 00:33:03,000 --> 00:33:05,219 And I looked into it and figured out how 942 00:33:05,220 --> 00:33:06,629 it worked. And basically, what's 943 00:33:06,630 --> 00:33:08,909 happening here is it's 944 00:33:08,910 --> 00:33:11,579 adding 27 to CD and going to F4, 945 00:33:11,580 --> 00:33:13,019 and it's returning another piece of the 946 00:33:13,020 --> 00:33:15,569 LCD table, which is 4, 947 00:33:15,570 --> 00:33:18,179 but this is a valid page. 948 00:33:18,180 --> 00:33:20,399 So then it goes and executes 949 00:33:20,400 --> 00:33:22,739 the jump code in that valid page, 950 00:33:22,740 --> 00:33:25,139 but it goes somewhere that's invalid 951 00:33:25,140 --> 00:33:27,209 in the jump table and it's actually 952 00:33:27,210 --> 00:33:28,349 a code location. 953 00:33:28,350 --> 00:33:30,419 So it's treating ink 954 00:33:30,420 --> 00:33:32,669 1:1 e as 955 00:33:32,670 --> 00:33:35,429 a pointer, which is actually one EEG. 956 00:33:35,430 --> 00:33:37,589 But very fortunately, the way LCD 957 00:33:37,590 --> 00:33:39,509 ROM is addressed on the microcontroller, 958 00:33:39,510 --> 00:33:42,089 it actually ignores those internal bits 959 00:33:42,090 --> 00:33:44,279 that, you know, aren't part of the proper 960 00:33:44,280 --> 00:33:45,179 address. 
961 00:33:45,180 --> 00:33:47,819 So money will 962 00:33:47,820 --> 00:33:50,309 resolve to one which is in the LCD 963 00:33:50,310 --> 00:33:52,349 lab, so this means that this 964 00:33:52,350 --> 00:33:54,289 exploit will jump to the code in the LCD 965 00:33:54,290 --> 00:33:56,369 RAM 100 percent of the time, which 966 00:33:56,370 --> 00:33:57,370 is great. 967 00:34:05,380 --> 00:34:08,169 So now I was ready to make my dev kit 968 00:34:08,170 --> 00:34:10,779 and I made it: hasn't got she, the 969 00:34:10,780 --> 00:34:13,899 6502 assembler for Tamagotchi. 970 00:34:13,900 --> 00:34:15,939 And what it does is it basically outputs 971 00:34:15,940 --> 00:34:17,829 a binary ready to be loaded on the figure, 972 00:34:17,830 --> 00:34:19,269 so you don't need to mess around with 973 00:34:19,270 --> 00:34:20,589 exploits or anything. 974 00:34:20,590 --> 00:34:22,658 You just need to compile, load, 975 00:34:22,659 --> 00:34:24,999 and then you can execute the code. 976 00:34:25,000 --> 00:34:27,069 And basically, what it does is it 977 00:34:27,070 --> 00:34:28,479 loads the code into RAM and then 978 00:34:28,480 --> 00:34:30,849 executes. It contains a few convenience 979 00:34:30,850 --> 00:34:32,649 functions for things like writing to the 980 00:34:32,650 --> 00:34:34,329 LCD and air. 981 00:34:34,330 --> 00:34:35,439 And these are largely based on the 982 00:34:35,440 --> 00:34:37,629 Tamagotchi ROM, and it's 983 00:34:37,630 --> 00:34:39,759 based on a 6502 assembler for 984 00:34:39,760 --> 00:34:41,050 Python called Ophis. 985 00:34:42,250 --> 00:34:43,839 So making the dev kit was a little bit 986 00:34:43,840 --> 00:34:44,799 difficult. 
987 00:34:44,800 --> 00:34:46,928 One of the main problems was 988 00:34:46,929 --> 00:34:49,029 the lack of data 989 00:34:49,030 --> 00:34:51,158 sheets, so I still don't know 990 00:34:51,159 --> 00:34:53,109 what all the ports in this General Plus 991 00:34:53,110 --> 00:34:55,059 LCD controller do. 992 00:34:55,060 --> 00:34:56,649 So I was able to determine some of the 993 00:34:56,650 --> 00:34:58,929 functionality from the test program. 994 00:34:58,930 --> 00:35:00,259 But there's still, you know, some 995 00:35:00,260 --> 00:35:02,139 interrupts. We don't know when they're 996 00:35:02,140 --> 00:35:03,399 fired. 997 00:35:03,400 --> 00:35:05,079 We don't know how power management works. 998 00:35:05,080 --> 00:35:07,149 The SPU, the watchdog. 999 00:35:07,150 --> 00:35:08,709 And I just want to mention if anyone does 1000 00:35:08,710 --> 00:35:10,449 figure this out, contributions are 1001 00:35:10,450 --> 00:35:11,450 welcome. 1002 00:35:12,780 --> 00:35:15,149 So to make the dev kit 1003 00:35:15,150 --> 00:35:16,829 more generally useful, 1004 00:35:16,830 --> 00:35:19,079 I made a programming board called 1005 00:35:19,080 --> 00:35:21,179 an Eggshell and this is basically an 1006 00:35:21,180 --> 00:35:23,699 API programmer for the Tamagotchi. 1007 00:35:23,700 --> 00:35:25,289 So you can take your figure and push it 1008 00:35:25,290 --> 00:35:27,690 on and then program it over USB. 1009 00:35:28,830 --> 00:35:31,469 I also put on infrared there. 1010 00:35:31,470 --> 00:35:33,659 Right now, there are no Tamagotchi 1011 00:35:33,660 --> 00:35:36,149 remote exploits where you can reprogram 1012 00:35:36,150 --> 00:35:38,399 it over air, but I'm not 100 percent sure 1013 00:35:38,400 --> 00:35:39,569 that isn't possible. 1014 00:35:39,570 --> 00:35:41,339 So I put on the components, you know, 1015 00:35:41,340 --> 00:35:43,649 just in case we ever find one. 
1016 00:35:43,650 --> 00:35:46,079 And it's also a LilyPad USB 1017 00:35:46,080 --> 00:35:47,249 Arduino, if you want to use it for 1018 00:35:47,250 --> 00:35:48,629 something else. 1019 00:35:48,630 --> 00:35:51,359 So I basically have all my tools there, 1020 00:35:51,360 --> 00:35:53,669 the three programming tools and 1021 00:35:53,670 --> 00:35:54,809 also the board specs. 1022 00:35:56,070 --> 00:35:58,709 So today I'm going to do a workshop 1023 00:35:58,710 --> 00:36:00,299 if people want to learn how to use these 1024 00:36:00,300 --> 00:36:02,459 tools today. 1025 00:36:02,460 --> 00:36:04,559 The room opens at 7:30 and I'll 1026 00:36:04,560 --> 00:36:07,229 start talking at 8:00 and I'll be selling 1027 00:36:07,230 --> 00:36:09,429 kits for 30 euros, including that. 1028 00:36:09,430 --> 00:36:11,939 And they include basically the board 1029 00:36:11,940 --> 00:36:13,889 and the figure and the Tamagotchi. 1030 00:36:13,890 --> 00:36:15,329 Everything you need to learn how to 1031 00:36:15,330 --> 00:36:17,279 program a Tamagotchi. 1032 00:36:17,280 --> 00:36:18,569 I mean, if you want to sign up or learn 1033 00:36:18,570 --> 00:36:20,429 more about it, I have a link there. 1034 00:36:22,260 --> 00:36:24,479 I also wanted to do a quick plug for my 1035 00:36:24,480 --> 00:36:26,309 boards. I'm selling these at the URL 1036 00:36:26,310 --> 00:36:28,889 below, and I don't profit from these 1037 00:36:28,890 --> 00:36:31,019 or from the workshop, but I 1038 00:36:31,020 --> 00:36:32,639 ended up doing a very large run of them 1039 00:36:32,640 --> 00:36:34,319 because I wanted the unit price to be 1040 00:36:34,320 --> 00:36:36,479 affordable to everyone who wants to 1041 00:36:36,480 --> 00:36:37,859 hack Tamagotchis. 
1042 00:36:37,860 --> 00:36:39,299 So if you like my project and want to 1043 00:36:39,300 --> 00:36:41,579 support it, I'd appreciate it if you bought 1044 00:36:41,580 --> 00:36:43,679 a board, there's a URL where you 1045 00:36:43,680 --> 00:36:45,079 can get more info below. 1046 00:36:54,850 --> 00:36:56,979 And so I'm going to 1047 00:36:56,980 --> 00:36:58,419 do a quick demo here. 1048 00:36:58,420 --> 00:37:01,419 This is basically 1049 00:37:01,420 --> 00:37:03,189 what the Dev Kit does. It's a simple 1050 00:37:03,190 --> 00:37:05,169 program, but you can see to get to the 1051 00:37:05,170 --> 00:37:07,029 exploit, you have to play the game and 1052 00:37:07,030 --> 00:37:08,739 then that's the shell code and then it 1053 00:37:08,740 --> 00:37:10,149 jumps into user code. 1054 00:37:10,150 --> 00:37:12,069 You can see it there and then the user 1055 00:37:12,070 --> 00:37:13,959 code just every time you press the button 1056 00:37:13,960 --> 00:37:15,309 and says the letter of the bug in. 1057 00:37:20,590 --> 00:37:21,909 So basically, that's the dev kit. 1058 00:37:30,380 --> 00:37:32,030 So basically, this is it. 1059 00:37:33,830 --> 00:37:35,509 In this project, I managed to dump the 1060 00:37:35,510 --> 00:37:37,729 Tamagotchi code, I learned about 1061 00:37:37,730 --> 00:37:39,799 Tamagotchi internals, 1062 00:37:39,800 --> 00:37:42,079 I learned about the secrets of Tamagotchi 1063 00:37:42,080 --> 00:37:43,099 life. 1064 00:37:43,100 --> 00:37:45,709 I made my Tamagotchi do new things. 1065 00:37:45,710 --> 00:37:47,899 But most importantly, good times were had 1066 00:37:47,900 --> 00:37:50,809 by all except for the Tamagotchis. 1067 00:38:06,470 --> 00:38:07,069 So since we 1068 00:38:07,070 --> 00:38:09,079 have a little bit of extra time here, I 1069 00:38:09,080 --> 00:38:10,909 wanted to run through, I made some bonus 1070 00:38:10,910 --> 00:38:13,849 slides about the new Tamagotchi. 
1071 00:38:13,850 --> 00:38:15,529 There is actually a new Tamagotchi that 1072 00:38:15,530 --> 00:38:17,839 was released on December the 26th. 1073 00:38:17,840 --> 00:38:19,669 And so I have some speculation on it 1074 00:38:19,670 --> 00:38:20,629 here. 1075 00:38:20,630 --> 00:38:22,699 Basically, this is the new Tamagotchi, 1076 00:38:22,700 --> 00:38:25,009 and here are its features 1077 00:38:25,010 --> 00:38:27,019 Tamagotchi. 1078 00:38:28,150 --> 00:38:30,919 We've got a voice 1079 00:38:30,920 --> 00:38:32,569 where you can feed 1080 00:38:32,570 --> 00:38:35,179 and take care of your Tamagotchi. 1081 00:38:35,180 --> 00:38:36,859 So can I see you, me? 1082 00:38:36,860 --> 00:38:38,119 She's hungry. 1083 00:38:38,120 --> 00:38:39,120 Time to take 1084 00:38:40,220 --> 00:38:42,529 your Tamagotchi tech 1085 00:38:42,530 --> 00:38:44,389 for the occasion, and I'll bump you back 1086 00:38:44,390 --> 00:38:46,339 for a great Monday down. 1087 00:38:46,340 --> 00:38:47,739 Oh my god, she. 1088 00:38:48,830 --> 00:38:50,839 Tamagotchis, I'm still calling for even 1089 00:38:50,840 --> 00:38:52,669 more cool stuff, Tamagotchi, 1090 00:38:52,670 --> 00:38:54,050 friends from Bandai. 1091 00:39:02,710 --> 00:39:04,779 So it is still what that ad said, 1092 00:39:04,780 --> 00:39:06,969 basically, it's the same LCD 1093 00:39:06,970 --> 00:39:09,159 and form factor as the Tamagotchi 1094 00:39:09,160 --> 00:39:11,409 Tama-Go. But it doesn't have IR or figures 1095 00:39:11,410 --> 00:39:14,079 anymore. Instead, it supports NFC 1096 00:39:14,080 --> 00:39:16,269 and you use the NFC bumper 1097 00:39:16,270 --> 00:39:18,759 to do all the IR 1098 00:39:18,760 --> 00:39:21,029 and figure functionality, sending gifts 1099 00:39:21,030 --> 00:39:22,030 so you can visit. 1100 00:39:23,050 --> 00:39:25,359 You can also send text messages using 1101 00:39:25,360 --> 00:39:27,159 these new Tamagotchis, which is a new 1102 00:39:27,160 --> 00:39:28,719 feature. 
1103 00:39:28,720 --> 00:39:31,059 And one limiting factor 1104 00:39:31,060 --> 00:39:33,159 which I'm already having problems with 1105 00:39:33,160 --> 00:39:34,899 is that there are daily limits. 1106 00:39:34,900 --> 00:39:36,969 So with the figure and with the IR, 1107 00:39:36,970 --> 00:39:38,559 you could do that as many times a day as 1108 00:39:38,560 --> 00:39:40,659 you wanted, but now you 1109 00:39:40,660 --> 00:39:42,279 can only do it five times a day. 1110 00:39:42,280 --> 00:39:43,269 So one of the first things I'm going to 1111 00:39:43,270 --> 00:39:45,219 try and do is circumvent that limit. 1112 00:39:48,040 --> 00:39:50,409 So here's a picture of the 1113 00:39:50,410 --> 00:39:51,939 board, and what's interesting is it's a 1114 00:39:51,940 --> 00:39:54,459 lot sparser than the previous Tamagotchi. 1115 00:39:54,460 --> 00:39:56,109 But I think it has basically the same 1116 00:39:56,110 --> 00:39:57,729 functionality. The components are just 1117 00:39:57,730 --> 00:40:00,099 smaller now, and you can see the 1118 00:40:00,100 --> 00:40:02,379 PROM at the lower right and also 1119 00:40:02,380 --> 00:40:04,659 you can see the NFC antenna 1120 00:40:04,660 --> 00:40:05,649 on the other side. 1121 00:40:05,650 --> 00:40:08,739 And that's not hugely interesting. 1122 00:40:08,740 --> 00:40:10,359 You can just see there's a tiny PCB on 1123 00:40:10,360 --> 00:40:12,459 it. And once again, this 1124 00:40:12,460 --> 00:40:15,189 is the same blob. 1125 00:40:15,190 --> 00:40:16,509 I'm not sure if it's the same 1126 00:40:16,510 --> 00:40:18,279 microcontroller because this looks a tiny 1127 00:40:18,280 --> 00:40:19,959 bit smaller than the Tama-Go, but the 1128 00:40:19,960 --> 00:40:22,059 functionality is so similar, it even uses 1129 00:40:22,060 --> 00:40:23,919 the same images, that I think it probably 1130 00:40:23,920 --> 00:40:24,920 is. 1131 00:40:25,660 --> 00:40:27,909 So it's just some quick speculation. 
1132 00:40:27,910 --> 00:40:30,099 I think it probably uses the same 1133 00:40:30,100 --> 00:40:31,479 MCU. 1134 00:40:31,480 --> 00:40:33,639 So that means that we could 1135 00:40:33,640 --> 00:40:35,379 probably dump the code using the General 1136 00:40:35,380 --> 00:40:37,599 Plus test program, although decapping 1137 00:40:37,600 --> 00:40:39,969 may be required to bond the wires. 1138 00:40:39,970 --> 00:40:41,949 And also, there's a reduced attack 1139 00:40:41,950 --> 00:40:43,509 surface for code execution because there 1140 00:40:43,510 --> 00:40:45,009 aren't the figures anymore. 1141 00:40:45,010 --> 00:40:47,169 But I'd say there's about a 50-50 chance 1142 00:40:47,170 --> 00:40:48,189 that there's probably a 1143 00:40:48,190 --> 00:40:50,259 vulnerability in the NFC that can be used 1144 00:40:50,260 --> 00:40:51,279 to execute code. 1145 00:40:51,280 --> 00:40:52,929 So it's just a wait and see thing. 1146 00:40:52,930 --> 00:40:54,999 It may or may not be possible, 1147 00:40:55,000 --> 00:40:56,709 but hopefully. 1148 00:40:56,710 --> 00:40:58,119 And then just one last thing, which I 1149 00:40:58,120 --> 00:40:59,499 think is a lot of fun. 1150 00:40:59,500 --> 00:41:01,569 This is the chart they provide of 1151 00:41:01,570 --> 00:41:03,279 how the Tamagotchi works. 1152 00:41:03,280 --> 00:41:05,289 So, you know, if this is for small 1153 00:41:05,290 --> 00:41:07,299 children, wow, I imagine what it looks 1154 00:41:07,300 --> 00:41:08,300 like an idea. 1155 00:41:18,730 --> 00:41:20,439 So that's it, I'd be happy to take any 1156 00:41:20,440 --> 00:41:21,760 questions that people have. 1157 00:41:22,900 --> 00:41:25,209 OK. Yeah, well, we have. 1158 00:41:25,210 --> 00:41:26,979 Well, first, thanks for this wonderful 1159 00:41:26,980 --> 00:41:29,589 talk. We might see you again 1160 00:41:29,590 --> 00:41:30,590 on this stage. 
1161 00:41:38,380 --> 00:41:40,419 Always, always add some color to these 1162 00:41:40,420 --> 00:41:43,029 slides, which we're seeing usually 1163 00:41:43,030 --> 00:41:44,349 do, we have some questions? 1164 00:41:44,350 --> 00:41:46,449 Signal Angel, no questions 1165 00:41:46,450 --> 00:41:48,279 from the internet so far. 1166 00:41:48,280 --> 00:41:50,949 OK, so then we need something from 1167 00:41:50,950 --> 00:41:53,079 in here. I see someone at number 1168 00:41:53,080 --> 00:41:54,519 four. Maybe? 1169 00:41:54,520 --> 00:41:55,520 Yes, hi. 1170 00:41:56,140 --> 00:41:58,329 I just have a short question: do 1171 00:41:58,330 --> 00:42:00,519 Tamagotchis 1172 00:42:00,520 --> 00:42:02,469 support same-sex marriage? 1173 00:42:13,090 --> 00:42:15,159 Not officially, but the 1174 00:42:15,160 --> 00:42:17,349 marriage checks are what hackers like 1175 00:42:17,350 --> 00:42:19,479 to call client side. 1176 00:42:19,480 --> 00:42:21,729 So if you make your own device, 1177 00:42:21,730 --> 00:42:22,730 you can do this. 1178 00:42:24,820 --> 00:42:25,820 Number three. Yeah. 1179 00:42:26,740 --> 00:42:27,819 Sort of the same. 1180 00:42:27,820 --> 00:42:30,579 But in last year's talk, you said 1181 00:42:30,580 --> 00:42:32,709 the gender is determined by a three 1182 00:42:32,710 --> 00:42:34,989 bit code and you couldn't 1183 00:42:34,990 --> 00:42:37,289 figure out one of these three bits. 1184 00:42:37,290 --> 00:42:39,219 Did you get some more knowledge on 1185 00:42:39,220 --> 00:42:40,220 that? 1186 00:42:40,510 --> 00:42:42,669 I guess I'd say sort of, sort of, you know, 1187 00:42:42,670 --> 00:42:44,799 like, I can definitely see where it has 1188 00:42:44,800 --> 00:42:46,869 the three bits and where it checks them 1189 00:42:46,870 --> 00:42:48,159 and kind of what it does with each of 1190 00:42:48,160 --> 00:42:50,349 them. Now why they chose to have 1191 00:42:50,350 --> 00:42:52,749 three instead of one, I still don't know. 
1192 00:42:52,750 --> 00:42:53,769 I think it might have just been a 1193 00:42:53,770 --> 00:42:54,789 convenience thing. 1194 00:42:56,230 --> 00:42:57,230 OK, thank you. 1195 00:42:59,710 --> 00:43:00,710 OK. What was that? 1196 00:43:01,960 --> 00:43:02,919 Yeah. 1197 00:43:02,920 --> 00:43:05,289 Is there is this use 1198 00:43:05,290 --> 00:43:07,659 at number four? No, I think that's 1199 00:43:07,660 --> 00:43:08,779 it for right now. 1200 00:43:08,780 --> 00:43:10,609 I guess maybe one more thing. 1201 00:43:10,610 --> 00:43:12,789 The thing is, do you have any 1202 00:43:12,790 --> 00:43:14,619 feedback, maybe of the people 1203 00:43:14,620 --> 00:43:16,989 manufacturing their toys 1204 00:43:16,990 --> 00:43:19,059 to you, to know about 1205 00:43:19,060 --> 00:43:20,709 your work? Or have you ever got any 1206 00:43:20,710 --> 00:43:22,599 feedback? Or is it just silence? 1207 00:43:22,600 --> 00:43:24,219 Yeah, silence. I haven't heard a word 1208 00:43:24,220 --> 00:43:26,439 from them yet, which I guess is so far 1209 00:43:26,440 --> 00:43:27,440 so good. 1210 00:43:29,070 --> 00:43:30,070 OK. 1211 00:43:35,220 --> 00:43:37,229 We have some more at number four, please. 1212 00:43:37,230 --> 00:43:38,849 Yeah, I have a question. 1213 00:43:38,850 --> 00:43:41,279 Do you have any knowledge of how many hours 1214 00:43:41,280 --> 00:43:43,199 you spent on this awesome project? 1215 00:43:45,130 --> 00:43:46,869 Like with the number of years I've spent 1216 00:43:46,870 --> 00:43:48,609 on it, I'm in complete denial on that 1217 00:43:48,610 --> 00:43:49,610 subject. 1218 00:43:57,480 --> 00:44:00,449 OK. I think then 1219 00:44:00,450 --> 00:44:02,429 we have some more at number two. 1220 00:44:02,430 --> 00:44:03,149 Go ahead. 1221 00:44:03,150 --> 00:44:04,889 But have you figured out how to give the 1222 00:44:04,890 --> 00:44:06,300 Tamagotchi a soul? 1223 00:44:09,270 --> 00:44:10,889 I don't know. 
This has actually been a 1224 00:44:10,890 --> 00:44:12,959 debate on several Tamagotchi 1225 00:44:12,960 --> 00:44:14,730 forums, whether 1226 00:44:16,290 --> 00:44:18,659 their Tamagotchis have souls 1227 00:44:18,660 --> 00:44:20,729 and whether I've destroyed 1228 00:44:20,730 --> 00:44:21,989 the magic of that. 1229 00:44:23,670 --> 00:44:25,589 Unfortunately, I think this is more of a 1230 00:44:25,590 --> 00:44:27,779 philosophical subject that 1231 00:44:27,780 --> 00:44:29,879 can't be determined by technical means. 1232 00:44:33,040 --> 00:44:35,379 Again, do you know of any other 1233 00:44:35,380 --> 00:44:37,659 products using these same General Plus 1234 00:44:37,660 --> 00:44:39,759 chips that your sort 1235 00:44:39,760 --> 00:44:41,649 of reverse engineering efforts could be 1236 00:44:41,650 --> 00:44:42,650 applicable to? 1237 00:44:43,390 --> 00:44:45,519 Not the exact chip, although I've heard 1238 00:44:45,520 --> 00:44:48,339 that Furbys also use General Plus. 1239 00:44:48,340 --> 00:44:50,529 Also I was looking into General Plus 1240 00:44:50,530 --> 00:44:53,199 and basically a lot of toy manufacturers 1241 00:44:53,200 --> 00:44:54,639 or toy consulting companies. 1242 00:44:54,640 --> 00:44:56,559 One of the things they offer to do is, 1243 00:44:56,560 --> 00:44:58,749 you know, set you up with General Plus. 1244 00:44:58,750 --> 00:45:00,879 So I think, like, my guess is that a very 1245 00:45:00,880 --> 00:45:03,069 large number of toys actually 1246 00:45:03,070 --> 00:45:04,749 use it, actually. 1247 00:45:04,750 --> 00:45:06,459 Now that I think of it, there is actually 1248 00:45:06,460 --> 00:45:08,499 a third one that I found out about, which 1249 00:45:08,500 --> 00:45:10,779 was a Hannah Montana toy, 1250 00:45:10,780 --> 00:45:12,549 and they actually managed to dump the 1251 00:45:12,550 --> 00:45:15,039 code of that using an internal test 1252 00:45:15,040 --> 00:45:17,169 mode of the toy. 
1253 00:45:17,170 --> 00:45:18,219 Dumping it off. 1254 00:45:18,220 --> 00:45:20,349 Dumping it off the LCD. 1255 00:45:20,350 --> 00:45:21,639 But yeah, those are, I guess, the two 1256 00:45:21,640 --> 00:45:22,640 I've heard of. 1257 00:45:24,530 --> 00:45:26,879 So now that that, yeah, 1258 00:45:26,880 --> 00:45:28,939 OK, so now that this theft all 1259 00:45:28,940 --> 00:45:30,809 this out, so we are maybe looking forward 1260 00:45:30,810 --> 00:45:32,959 to maybe next time seeing people doing 1261 00:45:32,960 --> 00:45:34,759 great stuff with these toys and 1262 00:45:34,760 --> 00:45:36,859 maybe having some, you 1263 00:45:36,860 --> 00:45:38,929 know, some new software for it and maybe 1264 00:45:38,930 --> 00:45:41,149 some users, maybe 1265 00:45:41,150 --> 00:45:43,039 next year at the Congress. 1266 00:45:43,040 --> 00:45:44,269 Yeah, I'm excited to see what everyone 1267 00:45:44,270 --> 00:45:45,270 does with it. 1268 00:45:46,100 --> 00:45:48,229 OK. I think that we have 1269 00:45:48,230 --> 00:45:50,269 it. So, uh. 1270 00:45:50,270 --> 00:45:52,709 Thanks a lot again for being here. 1271 00:45:52,710 --> 00:45:54,439 And yeah, let's see what house?