Tamagotchi Friends Code Dump

I used voltage glitching to dump the code of the Tamagotchi Friends.

Yumemetchi, Spaceytchi, Julietchi and Hoshigirltchi are very excited about this development!

Recently, I experimented with the EEPROM of the Tamagotchi Friends. I didn’t manage to get code execution, but it was evident that segments of the EEPROM were copied into RAM, which could be used as a shellcode buffer if need be. James Slater suggested using glitching to jump into this buffer, similar to how a Gameboy ROM was dumped.

In the past, I’ve been skeptical of using glitching to dump the Tamagotchi ROM, as it doesn’t have any evident security mechanisms or instructions that would be useful to bypass, but the suggestion made sense. The original vulnerability I used to dump the TamaTown Tama-Go had very long odds of working, but ended up working because 6502 is so forgiving with regard to exploitation (in that it doesn’t have an MMU, and always continues executing in the face of invalid opcodes and memory addresses). I figured that if I could move the program counter at all through glitching, even randomly, there was a good chance that it would eventually execute any code I had placed in RAM.

I started by putting some code that would write to the LCD plus a NOP sled into the EEPROM, and cycled the power.

Set-up. The wires to the Arduino are used to write the EEPROM and glitch the power. The drill bit is to push the buttons.

I started by turning the power on and off repeatedly, but the Tamagotchi reacted very forcefully to this, shaking hard enough to fall off the table due to the noisemaker vibrating. I eventually changed the code to turn the power on and off only a few times. After a few tweaks, it was executing the code in the EEPROM about 10% of the time!

The video below shows the code execution. If you look very closely, one segment (four pixels) of the LCD near the top left becomes all black when the code executes.

Playing with the code a bit, it turned out I could execute roughly 50 bytes of code in total, split across two pieces of RAM I could jump between. With some help from Mr. Blinky, I wrote code that would dump the ROM via SPI through the buttons of the device (port A). It was pretty slow going: in 50 bytes there wasn’t room to initialize everything, so the code depended on some values already being set correctly, which made it quite unreliable. But it did work, and I was able to slowly dump the ROM.

Looking at the ROM, it was very similar to the TamaTown Tama-Go ROM. Some of the ROM pages are in different places though. Pages 0 through 3 were code pages and page 4 was all code ‘stubs’, which is two fewer code pages than the Tama-Go. Pages 5-9 were blank, and pages 10-18 were images. The image pointer table was in page 14. Pages 19-21 contain mysterious data which could be compressed audio, or could be the Tamagotchi’s soul. It’s hard to tell. Pages 22 on were all 0xFF (disclaimer: I didn’t actually dump after the first few).
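A small host-side decoder for a dump clocked out this way, and a page classifier like the one used to spot the blank and all-0xFF pages above. This is an added example, not the author’s tooling: it assumes the shellcode bit-bangs the ROM MSB-first on two button lines, one bit per rising clock edge, that the lines were sampled into (clock, data) pairs, and it uses a made-up 16-byte page size and constructed sample bytes.

```python
"""Decode a bit-banged SPI ROM dump and classify its pages (added example)."""
from typing import Iterable, List, Tuple

PAGE_SIZE = 16  # assumption for the demo; the write-up gives no page size


def bitbang_samples(data: bytes) -> List[Tuple[int, int]]:
    """Constructed capture: per bit, MSB first, one sample with the clock
    low and one with it high, so each rising edge carries exactly one bit."""
    samples = []
    for byte in data:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            samples.append((0, bit))
            samples.append((1, bit))
    return samples


def decode_spi(samples: Iterable[Tuple[int, int]]) -> Tuple[bytes, int]:
    """Rebuild bytes from (clk, data) samples. Returns the bytes plus the
    count of dangling bits, which is non-zero when the (unreliable) dump
    code stopped mid-byte and the trailing partial byte must be discarded."""
    out = bytearray()
    shift, nbits, prev_clk = 0, 0, 0
    for clk, data in samples:
        if clk and not prev_clk:  # rising edge: latch one data bit
            shift = (shift << 1) | (data & 1)
            nbits += 1
            if nbits == 8:
                out.append(shift)
                shift, nbits = 0, 0
        prev_clk = clk
    return bytes(out), nbits


def classify_pages(rom: bytes, page_size: int = PAGE_SIZE) -> List[str]:
    """Label each page 'blank' (all 0xFF), 'zero' (all 0x00) or 'data'."""
    labels = []
    for off in range(0, len(rom), page_size):
        page = rom[off:off + page_size]
        if all(b == 0xFF for b in page):
            labels.append("blank")
        elif all(b == 0x00 for b in page):
            labels.append("zero")
        else:
            labels.append("data")
    return labels


if __name__ == "__main__":
    # constructed ROM: a NOP (0xEA) sled page followed by an erased page
    rom = bytes([0xEA] * PAGE_SIZE) + b"\xff" * PAGE_SIZE
    decoded, dangling = decode_spi(bitbang_samples(rom))
    print(decoded == rom, dangling, classify_pages(decoded))
```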

Some cute highlights of the image pages are below.

The cutest highlights of the code dump!

My hack is cuter than your hack

Awww …

Next up is to analyze the ROM!


6 responses to Tamagotchi Friends Code Dump

  1. Anonymous

    Great work, again! Could you upload the ROM-dump and the software you used for this? BTW: You should really consider getting a nicer bench 😉

  2. James

    Wow, nice one! A ~10% success rate seems really impressive. Thanks 6502!

    I was going to ask what sort of rate and duration you cycled the power (to the whole board?) – but I see you’ve linked to some code above. It looks like it was 35 times with a few milliseconds in between?

    I had thought that you might need to synchronise the glitching to between when the EEPROM was read and when the code overwrote it with defaults again – I guess that wasn’t the case?

    Thanks for the mention!

    • Natalie Silvanovich

      Yeah, supposed to be 5 ms, but I wouldn’t trust an Arduino to be that accurate.

      I used parts of the EEPROM data that can be any value – like the amount of money the Tamagotchi has and the number of chocolate sundaes it has in its inventory. This is what limited the size of my shellcode, there’s not that many values like this, but had the benefit of avoiding the timing problem.

  3. Mike

    Are you aware of Mr. Blinky’s work? He is currently trying to hack the IR communication rate of the latest Tamagotchi M!x: https://www.instagram.com/p/BJQlKDHBon5/?hl=en
