The GeneralPlus Test Program

Note: I am reposting this blog post from 2106, as the site hosting it has gone down, but the chip covered is still widely used

GeneralPlus (and SunPlus) microcontrollers contain a mandatory test program in their ROM. It has been long speculated that this program could allow the ROM of any GeneralPlus microcontroller to be dumped. I analyzed the GeneralPlus test program from my Tamagotchi ROM dump, and found it can be used to execute code from RAM, and therefore dump the ROM of the chip.

Somehow I thought it would look more exciting than this

According to the data sheet (note that the specific model this was dumped from was the GPLB52640A), the test program is from 0xC000 to 0xCBBF, and then its interrupt vectors go up to 0xCBFF. However, when I looked at address 0xC000, it didn’t look like code. Looking at the reset vectors for the user code, I saw the following vectors:

 OxFFF2: 0xC2B0

OxFFF4: 0xc104

OxFFF6: 0xC2AF

This is a bit odd, as these pointers to the test program are in the user area of the ROM, but looking at some of the application notes on the GeneralPlus website, it’s not unprecedented for GP to ask users to put specific values in their ROM outside of the test program. Assuming these are in the same order as the regular 6502 reset vectors, these are NMI, RESET and then IRQ. Starting disassembling the code at 0xc104, it looks like a real program



That’s more like it!

The test program appears to check port 0x3005, and in most cases set a value on port B, and go into a tight loop. But in one situation (I’m assuming this is preliminary tests ‘passing’), it jumps into a subroutine that goes to a different location in a jump table based on the value on port A. This means the chip can run different test cases based on the value on portA when the test program is started. There’s 24 test cases total.


A jump table!

Going through the different locations, here are some notes on the functionality

Test codeFunctionality
0 Not sure, seems to put device into sleep mode
1A whacked out loop that sets and checks a lot of RAM, and then sets a value on port b. Probably a RAM test
2More instructions, plus sets to 3004. Perhaps stressing the chip to see if altering that port too much causes arithmetic malfunction
3ROM checksum (see details below)
4This takes values clocked from port B and sets LCD port values as them. An LCD test.
5Takes the value from port B, stores it in 3077, and loops doing this. I wish I knew what port 3077 was for
6Reads and writes similar values (0xAA and 0x55) from port A and port B repeatedly. Might be a port stress test
7Probably a timer interrupt test
8Another LCD test
9Stores port B to 3060 and port A to 3062. Not sure what either of these are
APlays with some ports including 3005. This test is also reachable on startup based on the value of 3005
BSame test as 9, but 3065 is set to 1, not 2
CA wakeup test similar to 0
DSets LCD values based on port B. Similar to 4
ENot sure about this one, lots of memory and port manipulation
FNot 100% sure, but I suspect this one is an SPI test
10Changes port 300B and 300C, and loc 80 in memory
11Another LCD test
12Similar to 16
13Same as 3 (the same address is in the jump table twice)
14Code exec! Input code one bit at a time over p8, p1 and p2 will light up when it’s ready for the next bit. Reading stops at FF once at lead 5 bytes have been read! Code is executed out of RAM at 0x200
12Not sure, there’s an endless loop, so maybe an interrupt test
16Just jumps into RAM at 200 (maybe there’s a write to RAM function I missed above)
17Sets ports 300B and 300C

There’s two quite interesting values in here. The first is number 3, which does a checksum of the ROM.


Test Program Test 3

As you can see, there are two options. Either port B is not set, and all pages of the entire ROM is checksummed (note ROM is mapped from 0x4000 to 0xBFFF), or the range to be check-summed is edged in. This might be helpful in dumping ROM (although the smallest range you can checksum is still 255), but it looks like there’s a bug that makes the custom checksums not work. You can see after setting the default addresses, port B is set to be an output, but after setting custom addresses it is not.  It’s possible that there’s something I don’t know about port B, and it’s somehow set to be bidirectional already, but my guess is that custom checksums just don’t work. It’s probably not very often that they use a custom range versus the entire ROM.

Test code 14 is also very interesting. It appears to allow you to execute code sent over port B!


Code!

This looks like it accepts code over port B.7 one bit at a time, and then sends signals over bits 2 and 4 of port B when it is ready for another bit. It copies the received data to 0x0200 and stops once it reaches the address 0x5FF.

So this could be used to execute code on and dump code from any GeneralPlus microcontroller! The only requirements are that the test pin and ports A and B are available.

The test program is available here if anyone wants to take a look at it.

I’ve also started a list of know ports for the  GPLB52640A, I would be very grateful to anyone who contributes

Uncategorized

Reversing My Tamagotchi Forever Evolution

My Tamagotchi Forever is a mobile application released in early 2018 that allows you to raise and care for your very own Tamagotchi. Like the Tamagotchi devices I’ve reversed in the past, the Tamagotchis in the game go through different stages of life (baby, toddler, teen and adult) and pursue different careers.

I can’t decide who’s cuter: Lord Kuchipatchi or Pilot Sebiretchi

They also evolve into different characters as they get older, and there is a secret character that is more difficult to get than the others. There has been a lot of speculation on how to get the secret character (Gozarutuchi), but nothing seems to work consistently. The two rumors I heard was that feeding the teen nothing but grilled salmon would lead to the secret character and that feeding the Tamagotchi nothing at all as a teenager (which is really mean!) would do the same. I tried both of these, and both teens evolved into Mametchi instead. Fed up, I decided to reverse engineer the app, and find out the answer for once and for all!

Where are you, little ninja?

So, I downloaded the APK file for the app, and unzipped it. Looking inside, it contained a large number of assets that are unusual for an APK file. In particular, it had a lot of DLL files even though it doesn’t run on Windows. Looking up some of the names of the DLLs, it turns out that the app was created using a framework called Unity, which is used to create multiplatform games.

Unity applications are written in C#, which I had no idea how to reverse engineer. Thankfully, someone asked this question on their support forums, and got an excellent answer. Loading the DLLs into dotPeek as recommended, they mostly decompiled and gave me code!

Thankfully, the app was written with descriptive variable names.

There really is a namespace Pooping

Browsing a bit, there was a class called TamagotchiID, which had a member called isSecret and also a member called onlyGainEvolutionPointsWhenItemPlaced.

This made me think that evolving the secret character involved placing an item in TamaTown (renovating TamaTown is an aspect of gameplay). But which item? Looking further, each TamagotchiID is serialized, and the object is deserialized from a hash.

Luckily, there was a file with the same name as the hash in the APK. Looking in this file, it was mostly incomprehensible, but there were six hashes in ASCII in the file. Could these be members of the TamagotchiID object, including the TownItem? Opening up the files with the same names as the hashes, one of them contained the string “Training course”. So I guess to get the secret character, you need to place the training course!

Becoming a ninja requires training!

But what happens once the training course is placed? Looking for where the placement is checked, it is used to decide whether to add points for the secret character when it is fed (CanGetEvolutionPoints checks the training course placement).

What are these points used for? It looks like they are called during evolution! The following method looks like it selects the character with the most points, or returns a random character if more than one is tied.

Now I had a good idea of how evolution worked, but there was a major problem testing this. My Tamagotchi Forever only lets you raise one Tamagotchi per week, so it could take weeks to figure out whether this worked for sure! I looked at the code for a way to speed up time, and I found that there were a number of classes with the name Cheat in them. Investigating a bit more, they were reachable from a class called TweakPanel.

Unfortunately, this class kept checking a value called isDebugBuild which was false in the app. I decided to try changing this value to true. Unfortunately, the value was linked to a native bound getter, which means that the value is fetched from native code. I opened up the library that the app was getting the value from in IDA, but unfortunately, it wasn’t very clear how to change the value without learning a lot more about C# bindings. I eventually decided to stub out the check of this flag in the C# code instead. Looking up how to do this, I found a great tutorial.

Going through the steps in the tutorial, I made the method BuildHasTweakPanel always return true. I then replaced the main DLL in the unzipped APK directory with the patched one, and zipped it back up again. Then I signed and installed it. Starting up the app, it had a “Tweak Panel” button!

Yay!!

Pressing this button, there was a test panel!

This panel has a lot of features. It can change the current character, give you free money, increase your level and more! Everything a tester could want to test every feature of the game. Interestingly, the panel allows you to see and reset evolution points, and trigger the evolution timer. This made testing evolution a lot easier!

Evolving Tamagotchis is a precise business.

I then spent a lot of time feeding different teenagers different foods, and seeing the results. I eventually made this chart, which shows the effect that each food has towards obtaining each character.

To get a specific character, you have to feed it a combination of foods that make its score higher than that of any other character. I’ve explained the chart in more detail here.

So that’s it! That’s how you evolve your Tamagotchi, with seven digits of precision. And I was able to get my Gozarutchi, who immediately decided he wanted to be a hula dancer.

Dare to dream, Gozarutchi. Dare to dream!

It turns out both of the rumors I heard about how to get the secret character were somewhat correct. Not feeding your teenage Tamagotchi will give you a random character, so it’s very possible you’ll get the secret one. Feeding your teen Tama nothing but grilled salmon will give you the secret character one third of the time if the training course is placed. So both of these probably happened.

One more fun thing I discovered while reversing. There’s a tiny easter egg in the credits screen.

If you click “My Tamagotchi Friends” three times in the credits screen, you can see the secret character, Gozarutchi in the tree behind the credits waving at you.

I’m happy to see him too!

Uncategorized

Emulating the Tamagotchi Friends with an RFIDler

I got an RFIDler (thanks, Mudge) and wanted to see if I could get it to emulate a Tamagotchi Friends. My Proxmark having experienced an unfortunate demise in which its firmware got stuck in a state where it could do nothing but perform Tamagotchi weddings, I was hoping to continue testing the Tamagotchi Friends’ RFID functionality using the RFIDler.

Shiny!

Shiny!

Read more »

Uncategorized

Hardware Excuse Generator

Circuit not working and don’t know why? Save yourself the work of making up a plausible explanation! Just enter your text into the following form, adding in REASON every time you need an excuse. Or use one of the examples below!
Read more »

Uncategorized

Printable SSL Posters

I’ve uploaded a printable set of SSL posters. Having learned from past poster experience, the posters are clearer and in a larger array of sizes. Feel free to print these and use them anywhere!
Letter Ledger A3 B4

Slide5

Slide6

Slide7

Uncategorized

Tamagotchi Friends Growth Chart

I reversed the ‘evolve’ function in the Tamagotchi Friends to make the first ‘growth chart’ for this Tamagotchi version. Growth on the Tamagotchi Friends is determined by how well the Tamagotchi is cared for, its personality, which is set by specific user behaviours and randomness.

Yikes.

Yikes.

Read more »

Tamagotchi, Tamagotchi Friends

Tamagotchi Friends Code Dump

I used voltage glitching to dump the code of the Tamagotchi Friends.

Yumemetchi, Spaceytchi Julietchi and Hoshigirltchi are very excited with this development!

Yumemetchi, Spaceytchi Julietchi and Hoshigirltchi are very excited with this development!

Recently, I experimented with the EEPROM of the Tamagotchi Friends. I didn’t manage to get code execution, but it was evident that segments of the EEPROM were copied into RAM, which could be used as a shell code buffer if need be. James Slater suggested using glitching to jump into this buffer, similar to how a Gameboy ROM was dumped.

Read more »

Tamagotchi, Tamagotchi Friends

Tamagotchi Friends EEPROM

I dumped the EEPROM of the Tamagotchi Friends and altered it to see if it could be used achieve code execution on the device. The Tamagotchi Friends’ processing of EEPROM data is much more robust than the processing on the TamaTown Tama-Go, and did not contain any obvious vulnerabilities.

This makes Terupatchi very sad

This makes Terupatchi very sad

Read more »

Tamagotchi, Tamagotchi Friends

Emulating the Tamagotchi Friends NFC

I used a Proxmark 3 to emulate the Tamagotchi Friends’ NFC. This confirms it is indeed low-frequency RFID, and shed some light on the NFC format.

The black thing in the background is the Proxmark antenna

The black thing in the background is the Proxmark antenna

Read more »

Tamagotchi, Tamagotchi Friends

Tamagotchi Friends Modulation

I tried decoding the Tamagotchi Friends NFC with a Proxmark 3, but had limited success, so I went back to looking at it with an oscilloscope. I was able to figure out the modulation scheme.

NFC Sampling

NFC Sampling

Read more »

Tamagotchi, Tamagotchi Friends