Embedded - 111: Potty Train Your Tamagotchi (Repeat)

Episode Date: July 19, 2017

Natalie Silvanovich (@natashenka) discussed reverse engineering hardware, working on security software, and the fantastic world of Tamagotchis.

Natalie's site and blog
Hardware Excuse Generator
Original CCC 2012 talk: Many Tamagotchis Were Harmed in the Making of this Presentation
CCC 2013 talk: Even More Tamagotchis Were Harmed in the Making of this Presentation
Natalie's upcoming BlackHat talk: Attacking ECMAScript Engines with Redefinition
Flash exploit article for Project Zero: One Perfect Bug: Exploiting Type Confusion in Flash
Tamagotchis are still available, as are the works of Shel Silverstein (Snowball is in Falling Up).
Natalie's Tamagotchi board

Transcript
Starting point is 00:00:00 Welcome to Embedded FM, the show for people who love building gadgets. I'm Elecia White, here with Christopher White. This week we have Natalie Silvanovich. We're going to talk about electronic pets. Hi Natalie, thanks for joining us today. Hi. Could you tell us a bit about yourself? So I'm Natalie Silvanovich, and I really enjoy hacking children's toys, especially Tamagotchis. I've done a few projects related to that, so I'm hoping to talk a bit about them today.
Starting point is 00:00:37 Well, I have to admit, I sort of missed the Tamagotchi craze. I mean, I knew what they were, but for people who don't, we do have listeners outside the U.S. and I'm sure in Japan they all know, but what is a Tamagotchi? A sure thing, actually. It's a good thing to go through because they've actually changed a lot. You might remember in the 1990s when I was maybe nine or ten years old, they were the first really electronic toy for kids. They had a screen and buttons and they would have a picture of a pet on them and then you could feed it, you could play with it, you can clean up after it even. And that was all the functionality. And they died if you didn't take care of them, right?
Starting point is 00:01:20 Yes. They're a little bit ambiguous on that subject. You know, sometimes they die, sometimes they run away. They don't want to traumatize children too much. But yeah, it's basically like a game. And if you don't play the game well, you die or you don't get to play anymore, at least. Sometimes they go back to the farm. Yeah, that sort of thing. I had a dog that did that. But anyhow, they've evolved a lot, especially recently. So the first one I looked at was called the TamaTown Tama-Go, and it was still black and white, but had a lot of other features in it. For example, your Tamagotchi would grow up, get a job, get married, have kids, buy appliances, that sort of thing.
Starting point is 00:02:01 Buy appliances. Would it support you in your retirement? No, not really. They're still just as needy as they used to be. And they also had this great feature. You could basically buy what they called figures, which were kind of expansion packs where you could put them on
Starting point is 00:02:18 and you could play different games with your Tamagotchi, get different items, that sort of thing. And even more recently, I've been working with some cooler Tamagotchi, get different items, that sort of thing. And even more recently, I've been working with some cooler Tamagotchis. There is the Tamagotchi Friends, which has NFC on it, except it's not true NFC, it's actually RFID. And if you tap them together, though, you can send text messages, they can play with each other, that sort of thing. And then I also got a Japanese version, which is full NFC. So what you can do with it, it's called the Tamagotchi for you,
Starting point is 00:02:51 is you can get your phone and even buy items using the app on your phone and then flash them to your Tamagotchi. So really it's a 32-bit ARM Tamagotchi, and it's just over the top with features. Apps and everything. So one of the things I saw from looking at some of your presentations is they can have babies. Yes, they can. And one reason to hack them was to RFID impregnate everybody else's?
Starting point is 00:03:20 I heard that. It was not my idea. It was actually maybe 10 years ago now, someone in Make Magazine, they had an article about hacking Tamagotchis. And then one of the comments was, I want to make it so my laptop can impregnate all the kids' Tamagotchis have to be initiated by the user. You know, it's not just listening for radio all the time. You have to actually start it to turn that part of the circuit on. So you can realistically do that. But you can definitely expand the range of possibilities. For example, you can make two-guy Tamagotchis have a baby if you hack it. Meanwhile, in real life, with real Tamagotchis, it would prevent that.
Starting point is 00:04:06 Also, you know, you don't have to wait until, usually you have to wait until your Tamagotchi is an adult for it to have a baby. But if you hack it, you can just like any Tamagotchi can have a baby with any Tamagotchi. So can you practice Tamagotchi eugenics? Well, it's funny. That was, bizarrely, that was one of my goals. Maybe eugenics is a strong word, but I wanted to be able to, you know, like any other video game, the better you play, the better character you get. You know, if you take perfect care of it,
Starting point is 00:04:34 you get, like, a really beautiful one. And if you don't take good care of it, you get, like, a whiny one. So I wanted to figure out how to get the best Tamagotchi. But I found out that, like, basically who their parents are is a very, very small factor compared to how you take care of them. They're all about nurture over nature. And you can't breed a Tamagotchi that's beautiful and not whiny.
Starting point is 00:04:57 Exactly. Actually, one of my other goals is to answer what I call the deeper questions of Tamagotchi life. Basically, what determines whether you win or lose the game? What makes them run away? What determines what they grow into? What decides whether they're born a girl or a boy? All those questions that Tamagotchi fans like me spend a lot of time debating. I thought, if I look at the code, if I dump it and put it in IDA, I can definitively answer these questions. Well, and we should talk more about that. So you took them apart. And then, I mean, you took many of them apart. You had nice pictures of piles of Tamakotchis who died for this effort. Yes, unfortunately, it's a destructive process. But I really had two goals with these these and I'm still working on it.
Starting point is 00:05:46 But basically one is to get a code dump and basically answer all the questions about the Tamagotchi. Be able to get all the images of all the Tamagotchis you can get, figure out what makes me win and lose every game, that sort of thing. The other half was I wanted to make a Tamagotchi dev kit so that you could basically write your own code on the Tamagotchi. So just opening it, looking at the hardware, what's in there? I mean, you already said IDA, which I think we know from Micah's visit here is the disassembler, but just opening it, what would I find? Are they potted or are they? Yeah, they are potted. Basically, you open up, you find a big blob. And what's under the blob is actually a 6502 processor by a company called General Plus. I'm laughing because Chris over there showed a lot of enthusiasm for 6502, as many people do.
Starting point is 00:06:40 Well, and I have a lot of enthusiasm for General Plus because we used them at LeapFrog. Oh, that's awesome. I'm going to talk to you afterwards because one of the challenges I had with General Plus is that a very small number of people have actually used the processors. I've heard it called the largest microprocessor company that no one's ever heard of. Oh, yeah. And I found there was basically lots of challenges in getting documentation and the information I needed to actually understand them well enough to write code for them. They were a bit secretive. Yes, yes, yes. We can talk about that later. But what else does it have? I mean, it's got the display. Yeah, I guess the General
Starting point is 00:07:16 Plus element is called an LCD controller, and then it connects to the General Plus LCD, and basically everything it needs to use the LCD is on chip. The only piece of hardware that's really been added in, I guess there's a few, but the only really functional one is there's a beeper on it so it can make noise, and that plugs into the General Plus SPU, which is also on board. There's, of course, buttons that go into it, and then a few elements like voltage regulators, and there's also an EEPROM.
Starting point is 00:07:47 But basically, that's the entire device. There's not a lot of stuff on the board other than that LCD controller. But it's got an EEPROM and not just a mask ROM or something. It does. Now, the EEPROM is not for code, which was a challenge. Basically, back in the day when I was a kid, if my Tamagotchi ran out of batteries or reset, that was it. It was done. You had to start from the beginning.
Starting point is 00:08:10 Now it actually saves state, so if you have to reset it, it'll deserialize the state and then give you your game back. So that's what the EEPROM is for, but all the code is on Mask ROM on board the LCD controller. And so that was one of the things with General Plus
Starting point is 00:08:26 is it was always masked ROM because you're doing millions of units. And the General Plus processors are 20 cents. I mean, that's kind of a high-end one for them. Yeah, definitely. It's actually interesting. For all the American versions, they still use mask ROM, although I've noticed recently they've started ramping up the rate at which they come out with
Starting point is 00:08:49 new masks. It used to be that for every Tamagotchi, there was one rev, but the latest one, which came out just two years ago, there's actually been three revs of mask ROM since then. So I'm not sure how that plugs into cost. I'm starting to wonder if, you know, maybe it's cheaper to do the new masks these days than it used to, but I've noticed they are starting to, even though they use Mask ROM, come out with new ROMs a lot more quickly. Somebody I was talking to last week said, why would you ever do Mask ROM? Flash is so easy and you have to do firmware updates. And thinking about toys, I was like, no, you really don't have to do firmware updates. Yeah, definitely for Tamagotchi. I mean, even how would you ever do a firmware?
Starting point is 00:09:27 Like, unless you have the other infrastructure you need, then using Flash isn't the greatest thing. Although there is one area where they swap between bit ROM or mask ROM and Flash, and that's for these figure accessories. It was kind of exciting. The first ones I got were all mask ROM and it was interesting.
Starting point is 00:09:47 They contained some jumpers and then when you bought different figures, it was actually three different plastic shelves because they're supposed to be like different Tamagotchi characters, but three of them would all have the same mask ROM in it and then the jumpers would just be set differently to give you the functionality of each character.
Starting point is 00:10:05 And I think that was another cost-saving thing. You're better off getting a big mask ROM and have it made lots of times and then just disable the parts you don't need versus having a different one for every figure. But then they came out with some higher-end figures, which were hand-painted in a smaller run, and they all had Flash in it, I'm assuming because it was cheaper. But what was also nice about that is that made them programmable. So when I did my Tamagotchi dev kit, it's based on those figures that are programmable, because then you can basically program them directly
Starting point is 00:10:35 and put them on top of the Tamagotchi. Okay, so you opened the Tamagotchi, you looked at what's inside, you determined that you couldn't actually read out the general plus code? I did eventually. That was quite a challenge. It took me a while to figure out how to do it.
Starting point is 00:10:53 What I ended up doing is these figures, as I mentioned, you can reprogram them. And I found basically a vulnerability in how it processed the stuff on the figure. So if you reprogrammed it, for certain games, it'll jump into a jump table to go to some code in the ROM of the Tamagotchi, but it didn't check the bounds on that. So if you put in a really high number, it would jump somewhere outside of the table,
Starting point is 00:11:18 which was actually an instruction. And I ended up finding somewhere it jumped that it would actually jump into the LCD RAM. So the way my dev kit actually works is you put the figure on, it fills up the LCD with shell code and then uses this bug to jump to it, and then it starts executing out of the LCD RAM, which will then jump into the regular RAM.
Starting point is 00:11:42 It's like a string copy overflow. I mean, it's just sort of exactly how you hack things i know it was funny to find what was different here is one of the challenges of it is you have no debug output so like the way i found this was basically i tried changing random values in these figure roms which was actually two minutes per trial. So it was not a fast process. But there were only 255 different values in this one that had the weird behavior. So I tried different values, and I eventually found one that was behaving inconsistently enough.
Starting point is 00:12:17 I thought it might be executing random stuff, and then kept working with that one so that I could get it to the first time. The first bug I tried actually executed code very, very inconsistently, but it was enough that I could use that to basically dump the code out of the buttons. I attached wires to the buttons and then had it use SPI to tell me what the code was. And once I dumped the code, I could find a better bug that I could use to execute code all the time. So you jumped to something that basically read out the ROM image.
Starting point is 00:12:51 Yeah. And then that's when you started to use the disassembler, the IDA program? Yeah. It was a little bit different than that. You can actually execute code out of RAM in a Tamagotchi. So I just jumped to code that I'd written in RAM, but same concept. And then that code, yeah, just dumped the codes that I had a copy of it. So you put the code out the buttons, like you made those outputs and just...
Starting point is 00:13:20 Yeah. I mean, they're inputs, but you just have to set a different register for them to be outputs. And then I just used SPI to dump the code out. And read it with something else? Yeah, I read it with a SLA logic analyzer. Aren't those wonderful? Oh, yeah, they're my favorite thing. There were two tools I really used for the Tamagotchi stuff. One was an Arduino board, which I basically just used when I needed to jiggle pins for whatever reason. And I used the Saly logic analyzer and that was basically all I needed
Starting point is 00:13:49 to get this done. Well, but that's, I mean, you had to read out a couple of K of code. You didn't hand parse all of that and write it down, did you? No, the Saly logic analyzer if you use spi it can actually export it as bytes and then i use that feature to get it all and we've seen that i only use the protocol analyzer when i'm actually staring at it so all right you can download bytes yay good to So why? I mean, really, this is very cool. Why? This is definitely my frequently asked question.
Starting point is 00:14:30 Why not? Don't worry. Basically, yes. As you might have guessed, I'm a bit of an enthusiast of the Tamagotchi. And as a kid, I always wondered how it worked. I would, me and a friend, the girl next door, we would get graph paper and draw the pixels and try and figure out, you know, how often does it walk across the screen? You know, is there a pattern to the motion? And then one day I realized I'm an adult and I can
Starting point is 00:14:55 actually figure this stuff out unequivocally. Were you an engineer? What is your background, actually? I guess I was an engineer when I did this. I studied electrical engineering at UBC, and then my first job was at BlackBerry on their security team. And that's when I started doing this project. So I had some experience hacking mobile devices, but not so much hardware. So this is really my first foray into hardware hacking. And did you at any point think this is going to become big this such that I would talk about it a lot at mini conferences? Absolutely not.
Starting point is 00:15:40 Actually, even the first conference I did, I was surprised that anyone was interested. Which one was that? I was CCC. That was a pretty popular talk. I saw it on YouTube, I think. You know, I'm surprised by the enthusiasm I got. Also, at that point, I was stuck. So one of the reasons I did the talk was to kind of ask for help and see who contacted me.
Starting point is 00:16:02 And I was actually overwhelmed by the number of responses I got. So have you had any contact or interest from, I don't know who makes Tamagotchi, the Tamagotchi Overlord Corporation? Yes, Tamagotchi is made by Bandai, and I have never heard from them, and that surprises me. I mean, it's better to never hear than to cease and desist. I know, and actually, at the time I started this, I could never find a contact at Bandai.
Starting point is 00:16:30 But the more recent ones, the NFC ones, they actually have to file with the FCC. So now I have a few emails of Bandai engineers, but I can't quite decide whether to reach out to them or not. Oh, absolutely. I mean, it might really amuse them to see that somebody has spent so much time thinking and working with their things. Yeah, we'll see. Actually, one thing that's held me back is that Tamagotchi is clearly not developed in English. And actually, as soon as you do something a bit odd, it suddenly starts running on the Tamagotchi in Japanese. That's obviously their default development language
Starting point is 00:17:08 and then they put in the English at the last minute. So I do kind of wonder if I wrote to them if I would get someone who spoke English at all. Google Translate. No. No? No. Okay.
Starting point is 00:17:19 I think that would lead to them just being very confused about what I was talking about. Are there any Easter eggs in the code or things that surprised you, having used it for a while, things you didn't know about or expect? For sure. There were the things I guess I was sort of expecting to find, which was basically the definitive growth chart, all kind of the answers to the questions of how it worked.
Starting point is 00:17:43 But some of them were a bit interesting. For example, I discovered you could potty train your Tamagotchi. If you took basically the way the modern ones work is when your Tamagotchi needs to go to the potty, it starts doing the potty dance. And then if you drag it to the potty when it's doing that, it'll use it. Otherwise you have to clean up after it.
Starting point is 00:18:04 But I discovered that if you actually catch it doing the potty dance enough, it'll actually just start using the toilet on its own, and then you don't have to worry about it at all. Wow, the miracles of potty training. Were other people surprised to hear that they could potty train their Tamagotchi? Well, it's so much. Yes, they were. It's actually on the forums.
Starting point is 00:18:25 It's been a subject of discussion. Every so often, one person says, I potty trained my Tamagotchi. But it happens so rarely that people are like, no, that person is nuts. But I saw it in the code, and actually, I was eventually able to do it. So we now have proof that you can potty train it. The other thing I found that was really cool is I found basically their debug mode. That's kind of early Tamagotchi hacking.
Starting point is 00:18:51 For the earliest versions, there were actually jumpers on the back you could use to put it into debug mode, so you actually had to take it apart and solder it, and then you could use it in this mode. It lets you do things like set whatever character you want, fast- forward time, the sort of things you would need to do if there was a bug in the Tamagotchi and you wanted to make it happen multiple times. Now, on these new Tamagotchis, no one could figure out how to put them into debug mode. But then eventually I figured out if you put the flash in the figure
Starting point is 00:19:18 a certain way, that's what triggered the debug mode. So I was able to do that. And that's kind of fun. Then I could get any character I wanted, and then even for potty training, I could just set the bit so it's potty trained and not even have to do it. Woohoo! Are there Tamagotchi conferences? I mean, you've spoken at computer conferences. Yeah.
Starting point is 00:19:41 There are. There's online a few communities, but not so much um they were big communities i was so surprised i was spending so much time going what yeah well like there's definitely fans although i've never heard of a conference at least not in english language one and i would have to say that i've kind of got you know mixed mixed reviews of my work from people who are big Tamagotchi fans. There's some people who think it's really cool. There's some people who think I'm destroying the magic. Yeah, I was about to say piercing the mystery.
Starting point is 00:20:14 Yeah. And then there's also people who kind of question the authoritativeness of what I'm doing. Like before, you know, the way you got all your information about a Tamagotchi was that you would observe what it did and there was always disagreements but the disagreements always ended in well, my Tamagotchi might have done this your Tamagotchi might have done that and who knows what you saw
Starting point is 00:20:38 so when I come in and say no, there is actually a definitive way you can figure out exactly what it will and will not do. And that's like the final answer. A lot of people are kind of taken aback by that and kind of don't trust that there can be that type of answer for something that's been like a shouted in mystery for so long. Did you feel like one of those doctors who used to practice on cadavers before it was legal and it was all a shady underpinning of of british or society italian society funnily enough i get asked that a lot too um sometimes but i'd say mostly i consider it a technical problem
Starting point is 00:21:18 i actually compared to some fans i've met i don't really think my Tamagotchis are alive. Are people totally appalled by the idea of taking apart what is their pet? I mean, if you tried to take apart my Beagle, I would be pretty irate. Oh, definitely there are, especially like there's little kids on this forum. And some of them are still at the age where they do think it's real. And then, you know, this eight-year-old's like, like oh I love my Tama so much I would never hurt him and actually one of the funniest emails I got was from this uh 11 year old Russian hacker who was like oh you know I'm a fan of your work I want to hack my Furby can you help me with it and then I'm like
Starting point is 00:22:02 sure and then he gets back to me and he's like I'm sorry I can't hack my Furby, can you help me with it? And then I'm like, sure. And then he gets back to me and he's like, I'm sorry, I can't hack my Furby because I asked it and it said no. It didn't give consent. Yeah. I thought it was adorable because this kid was obviously still at an age where he truly thought his Furby was real. Wow. Have there been other toys you've hacked? Mostly the Tamagotchi's. I've strayed a little bit into other virtual pets, like nanopets, some generic ones. I've done nothing quite as in-depth, but I do enjoy just taking them apart and looking at how the circuit boards differ. The Tamagotchi was actually very well made, and of the 90s ones were definitely like not that level.
Starting point is 00:22:46 Like one thing that blew my mind is I took a, I actually ordered a nanopack because that was my favorite type when I was a kid and then it didn't work. So I'm like, well, I might as well take it apart. And I discovered, okay, there was a huge solder bridge on it. And then it was a one-sided PCB and they had at some point drilled two holes through it and then put a wire bridge on the back and then put it back through and then put masking tape on the wire bridge to prevent it from like rubbing against the other components. I'm telling you, toy engineering is all about the pennies. Masking tape is cheap.
Starting point is 00:23:18 You know, absolutely. And I suspect, yeah, it might have just been cheap or it could have been. It's like, well, we've made all these boards. We can either throw them away or we can put a piece of masking tape on them i would have used kapton tape but then in the factory they would have changed to masking tape yeah no it made me sad though because this type of pet i really enjoyed um like they're just not going to survive at all because of the way they were engineered. It's, I guess, I hate to say, maybe 15 years now, maybe more, and yeah, there's
Starting point is 00:23:51 no way they're going to survive another 10 years. Oh, the longevity of our electronic pets. That's just sad. That's not a word. Longevity. Longevity? That's the word. Thank you. Whatever. We're not cutting that because Christopher finds it amusing when I can't figure out the words.
Starting point is 00:24:13 I remember in college, a woman from Mattel came to our engineering club and gave this talk that I don't remember anything about the talk except that she brought a Barbie doll and an X-Acto knife. And we looked at Barbie's skeleton and I was from that point fascinated by the thought and engineering that goes into toys, not just the cheapness part, which is sort of fascinating that you can do buttons for that cheap. But the, yeah, there's a reason why the knees click. It made me, I mean, I was already in engineering school, but it made me want to do more with mechanical and electrical and less with software. Did the Tamagotchi draw you into your electrical engineering field or was it just unrelated? It was something I did after I had decided to pursue that field.
Starting point is 00:25:15 But you played with them before. I understand hacking came later. Yeah, I guess so. That's true. I've never really thought of it that way, but definitely my enthusiasm for electronics, probably, including Tamagotchi's, was one of the things that got me into it for sure. What else drew you into engineering? and I'll admit maybe when I signed up I wasn't clear on what the difference between software engineering and computer engineering and electrical engineering were. So I picked electrical because the classes I could sign up for sounded the most interesting. But yeah, I'd say I really enjoy
Starting point is 00:25:54 learning about software and just making things work. There's nothing more rewarding when it's a board or a piece of software and you start from nothing and it actually works. And now Tamagotchi Hacking definitely is not your full-time job, right? No, I wish it was maybe, but I'm actually on a team called Project Zero at Google and we're focused on the software that has the most users with regards to security
Starting point is 00:26:22 and we try to find bugs that we think attackers might be using and get them fixed. You recently wrote a blog post about a Flash bug, which, I mean, I keep hearing Flash is just so ridiculously insecure, but you have one that's incredibly reliable, that it's easy to reproduce. Can you tell us? Yes.
Starting point is 00:26:46 That was some interesting research to do. Basically, since I joined Project Zero, I've been focused on Flash. I've found a fair number of bugs in it, but this particular bug I thought was special in that I thought it could be exploited very reliably. Most exploitation methods used in Flash, they're fairly reliable, but they don't reach the 100% reliable. But the nature of this bug, it was type confusion, and you could basically use integers and floats to overwrite pointers. And I thought the nature of that made it so that you could basically exploit it much more reliably than most bugs.
Starting point is 00:27:29 Is it weird being known as the Tamagotchi person in security circles? Yeah, I definitely get some interesting comments. How do these things go together? I mean, they're both reverse engineering. And looking, I mean, what skills are the same and what skills are just not transferable? That's an interesting question. And I find it sometimes, you know,
Starting point is 00:27:55 I probably talk about my Tamagotchi hobby way too much, often to people who do, like, real hardware security and real software security. I'd say it's the same concepts. Definitely working in security made me believe I could do it. Probably if you'd asked me a few years earlier if I could take the device and get all the code out of it, I would have been like, no way.
Starting point is 00:28:19 But after working in security and realizing that most things do have problems you can take advantage of, I was a lot more confident. But what I ended up dealing with was the big differences between the high-end and the low-end devices. I mostly worked in the mobile space. That tends to be ARM processors that are fairly high-end as far as processors go. They have a lot of security features, that sort of thing. So quite often, you know, I'll tell people about this and they'll be like, well, do you have to
Starting point is 00:28:49 deal with non-executable memory, that sort of thing? And the answer is no, because the sort of, you know, 20-cent processor used on a Tamagotchi doesn't have those type of features. It doesn't have many types of features. Yes. But then the challenges were kind of the reverse. The things that they put in for cheapness weren't necessarily intended to make it to filter reverse engineer, but did. So for example, everyone will ask,
Starting point is 00:29:14 oh, well, did you have debug output? And it's like, ha, ha, ha. No, never. There's no debug serial port? No. Yeah, I had two outputs, which was looking at the screen and listening to it, and I did everything with that. Also, just the sheer lack of documentation and, I guess, general interest in
Starting point is 00:29:32 these sort of small processors was another challenge. So things like, you know, find the docs, that sort of thing, were applicable. So I'd say it's kind of the same skill set, but definitely like high-end versus low-end in terms of hardware is just a completely different problem. If somebody asked how should they get into being a security engineer, what would you recommend? I'm really in favor of just trying stuff and doing stuff. I'd say find something you're interested in and learn a lot about it. Be it, you know, if you want to hack websites and there's lots of different things online, either, you know, hackable websites, that sort of thing that you can try. I'd also recommend,
Starting point is 00:30:16 you know, if you're interested in finding vulnerabilities to like look at existing vulnerabilities and, you know, understand how they work. And I'd say just really dig in and do it. I find I do meet a lot of people who are like, how can I get into security? And say they're really interested in it. But then if you ask them, well, have you read anything about it? Have you tried anything? They haven't.
Starting point is 00:30:37 So I think if you're interested in it, the important thing is to kind of show your interest and read about security, do things, that sort of thing. It gets a little difficult because the community around security can be a little more vicious than the community around other forms of even reverse engineering. Have you found that to be true? It seems true. I'm not sure it is. It's maybe a little bit. And I'd say I felt that a little bit
Starting point is 00:31:12 when I was getting into it, that definitely there are people who might make fun of you if you don't know stuff. That said, in the last few years it's really improved a lot in that regard. Like, I know recently, say at DEF CON, there's been, like, a lot of, you know, beginners' classes people can take and go to, and it never used to be like that. But I think there's a lot more people who are focused on getting into the community. And the other thing is that, at least the way I started, you
Starting point is 00:31:43 know, I started off maybe not by necessarily trying to engage in the community right away, but just by reading a few interesting papers every week, that sort of thing. Oh, yeah. No, I think that's the way to go. You should be a little bit more knowledgeable. Walking in and saying, I want to be a security person and not having any passwords on your device
Starting point is 00:32:03 seems like a good way to learn a lot about security in a short period of time, but not the stuff you want to learn. But Black Hat, you're going next month, right? Yes. And you're speaking. What are you speaking on? More about Flash. Basically about a class of vulnerability. I found quite a few of just basically explaining how it works and some of the bugs I found. Have you been to Black Hat before? I've been about three times. Can you describe it?
Starting point is 00:32:33 It's got this reputation of constant hacking of all of your personal devices and buy a separate phone before you go. And don't even take your laptop to Vegas that week because it's just going to get... Close your eyes and wear earplugs. That too, yes. To be honest, I don't really buy any of that stuff. And who knows, maybe one year I'll get totally hacked and change my mind.
Starting point is 00:32:59 But I think there's a lot of paranoia about that and I don't feel that way. I really enjoy both conferences. I really like the talks at Black Hat. There's a lot of basically interesting talks on every subject you can imagine, from hacking Windows to hacking refrigerators. I think they're fun events. With regards to security, my biggest fear is always just getting stuff stolen. So maybe I don't bring so much stuff I care about a lot.
Starting point is 00:33:31 And obviously, don't plug stuff into untrusted networks, that sort of stuff. But I've never been a subscriber to the be completely paranoid and bring nothing with you sort of thing. And let's just say if I've been hacked so far, I don't know about it, maybe. Well, I gave a talk last week, and part of it was that there are trolls and jerks and hackers, and they're all out there, and yet that shouldn't stop you from what you might truly enjoy. Fear of them is, it's just not, it's not enough
Starting point is 00:34:07 to stop you. And it does stop so many people. Yeah, I think that's actually really unfortunate. So back to the Tamagotchis, you teach a class on how to hack them. Yeah, it's funny. I've done it a few times. Basically, I made a dev kit for it. You can't see it because it's obviously a podcast. But she brought me one. I know how much I like it when guests bring hardware. And it has a SIM card holder that has the same pinouts. And then so you basically hold your figure on it and then you can program it over USB. And I have a kit including an assembler I call Tasmgotchi. So you can assemble your code and then put it on and it'll run it.
Starting point is 00:34:58 So basically my course is on how to basically write your own software for Tamagotchi. There's different levels. The easiest one is just putting your photo on it. Then you can write a music video. And then if you're really advanced, you can start writing directly in 6502. And so what is this connector here? This must be what you connect to the Tamagotchi with?
Starting point is 00:35:19 Yeah, that is the biggest pain in the world. It is a SIM card connector. And those on a mobile device cost about one and a half cents. If you try to buy them in quantities of like less than a million, they cost close to a dollar each. That's definitely, other than the microcontroller, the most expensive component on that board. And yeah, that's what they used for the Tamagotchi figures, though.
Starting point is 00:35:42 They were actually SIM connectors. And when you slide it on, it connects through a SIM connector. And that's a pretty much identical one on the board. And so you can't modify the ROM inside the Tamagotchi? No. So what my assembler does is it runs all the code out of RAM, and it takes care of things like paging. So you can just compile, and then it will, as you try and execute code, pull it out of the Flash, put it in RAM, and then jump into it bit by bit.
Starting point is 00:36:08 So not exactly for performance programming, but if you want to run large amounts of code, it'll kind of put it slowly into RAM as it executes and then put it back into Flash. And so this RAM dance happens with the help of this ATmega? Yeah, that's just for programming, basically. It's just a flash programmer. And yeah, you just send it over USB. And then I felt like I had to draw tons of Tamagotchis on the board. And it also has some other kind of features for the future, which is these components. And I put those on because a lot of Tamagotchis, especially
Starting point is 00:36:47 early ones, support IR for communicating with each other. And I've never actually hacked the Tamagotchi IR, but if I ever do, I want the boards to be prepared. Why did you decide to make a separate board? Because you wanted to teach these classes or was there another impetus? Basically, it was to teach the classes. The way I did it is I took the head of the Tamagotchi with the connector and then connected wires to it to an Arduino, but that wasn't scalable to be able to do the class with cutting like half,
Starting point is 00:37:15 you know, then you'd need one and a half Tamagotchis per participant, which would make it more expensive. So I ended up making these boards. They are basically equivalent to the Arduino LilyPad USB, and the only difference is they have the SIM connector on them. And they were $10 each to make, which is cheaper than cannibalizing a Tamagotchi. So that's why I went in that direction.
Starting point is 00:37:35 So you've reverse engineered these things, and you've had a good look at their code. I'm curious what their code looks like from a software engineering standpoint. Does it look like something well-designed? I mean, does it have a... are you aware of the structure of how it handles events and how they structure things? Or is it... I mean, they did the best they could do considering the microcontroller. The only thing I find a bit odd about it, and I guess that, like, on one hand I don't like it, on the other hand I can't think of how I'd do it better. But basically, it's actually bizarrely similar to how a Nintendo works with the 6502,
Starting point is 00:38:11 except the way paging works, it only half pages. So basically, the bottom half of the address space is always the same. It's always page one. And then there's the top half of the address space. And then there's a register you change. And that page is a different memory in ROM. We talked about this yesterday on a totally different processor. Yes.
Starting point is 00:38:30 Yeah, well, 6502 does this a lot, but I'm sure other ones do too. Basically, the memory space isn't large enough for the ROM, so it has to do with paging. So basically, the Tamagotchi is full of jump table after jump table after jump table. Basically, whenever it needs to change a page, or even if it doesn't, it'll basically go from jump table to jump table. And I think that makes it easier, because, say, you might be coming from somewhere that's a different page, that sort of thing. But it does make the code fairly difficult to follow, because
Starting point is 00:39:03 basically strings going everywhere? Yeah, and within the code, half of it's jump tables and half of it's code. And even figuring out which is which can be a bit of a pain. So this is something they probably wrote in assembly directly? Yeah, it's possible. I know General Plus does have a C compiler, but I'd be surprised based on what I'm seeing.
Starting point is 00:39:27 I don't think they had one then. Not in 96 or even in 2000. Sorry if I wasn't clear. I've actually only been looking at modern Tamagotchis. The earliest one I looked at was in 2010. Sorry. Well, then they might have C compilers. I don't know. Have you considered making a whole Tamagotchi yourself that is more easily hackable? People ask me about that all the
Starting point is 00:39:53 time. And I'd say that's kind of not what interests me. I like the reverse engineering, the taking apart aspect. It's, you know, I didn't do this because I like I wanted a device I had more control over, really. So changing subjects, you also created the hardware excuse generator. Can you tell us about that? Yeah, that was really fun. Basically, I find I have this problem when working with hardware, and many people do as well, where something doesn't work exactly as you expected and you don't know why. And you know, sometimes you'll say stuff like, oh, it's crosstalk, I think. I think it's because these two lines are too close to each other. Ground loops. Ground loops. It's always ground. Yeah, exactly.
Starting point is 00:40:32 And when stuff breaks, I always say it was due to ESD, electrostatic discharge, even though I have no idea why my hardware broke. So I made this hardware excuse generator that just will generate your excuse, you know. Oh, there was crosstalk in C1 that led to spurious voltage in C2. You know, whatever you can think of. And you're allowed to specify, you know, what components you especially want to blame. And actually, I've had some fun with it.
Starting point is 00:40:58 I'll be on IRC and then, you know, people will be talking about it. And then I'll just generate something with it and put it in. Occasionally I'll fool people. Most people will be like, wait a sec, that makes absolutely no sense. But a few people have commented, oh, you almost got me. Okay, so I just type in, the processor is stopping intermittently because of reasons. Yep. I think just reason.
Starting point is 00:41:30 Because reason. I know, you guys love listening to me type. Isn't that awesome? Listening to me type. The processor is stopping intermittently because reason. Wait, no, that was what I typed in. I didn't spell reason correctly. So I got the processor is stopping intermittently due to the SPI bus not being manufactured to specification.
Starting point is 00:41:53 I think I've used that excuse. I've certainly heard many other people use the I2C bus instead. But it's a good excuse. Yeah, it's funny. I don't have anything about I2C in there. I think I need to update my database to include that too. So this is web-based. What's it written in?
Starting point is 00:42:11 Python. Cool. I guess it's web-based, so I probably can look at the code somewhere in here. You can't look in there. I'm trying to remember. I think I put on GitHub the excuse generator, so you can make excuse generators of your own.
Starting point is 00:42:28 Yeah, it's probably worth saying my GitHub is natashenka. It has all the Tamagotchi code as well as the excuse generator if anyone's interested in checking it out. And the link will be in the show notes, of course. Of course. Well, I guess I only have one more question, and that is, do you have a Tamagotchi on you? No, I don't. I just brought the board as a demo, but I don't have one with me. Do you have a Fitbit or other sort of health wearable? I used to actually use a Fitbit. I actually even wrote a BlackBerry application for it because I was such a fan. But I don't know, now it's moving more towards the mobile apps that kind of track your fitness based on GPS. So I'm kind of trying Fitbit as a way of saying I have been sitting here for far too long. Please let me out of this meeting.
Starting point is 00:43:26 It's all about subtext. Do you think our health devices will become electronic pets? Maybe. People say that, but I'm sorry, it's just not as good. It won't bring you as much joy as a Tamagotchi. I'm sorry. Yeah, I think it's an interesting concept, though. There's something about the Tamagotchi, like every video game,
Starting point is 00:43:46 it's basically arbitrary motives, arbitrary obstacles, that sort of thing. But there's something really compelling about it. For me, as a kid, it was always, I wanted to see what's that next thing that it'll grow into. And then I liked, for the more modern ones, the fact that you want it to get the best grades in school, that sort of thing. So I think that was the really fun part. And I think, you know, people might eventually, you know, try and figure out what it is that makes that appealing and, you know, apply it to things that, you know, maybe are more good for you, like doing exercise.
Starting point is 00:44:17 I really like how every time we talk about Tamagotchis, you just light up. These are the best, coolest thing ever. I just really am impressed by your enthusiasm. Well, I'm surprised they still seem to be thriving, right? In the face of mobile phones and tablets and other things. It would be a simple app to write. Yeah, well, they're really embracing it, and I think that's why they're starting to come back. There is a mobile app that's just a Tamagotchi you can download,
Starting point is 00:44:48 and it's got ads and in-app purchases, so that's kind of one way they're making money off it. Actually, that was kind of cool. I visited Japan recently and went to the main Tamagotchi store. In Japan, they're still quite big. And with the NFC Tamagotchis, there are actually promotions, some of which I tried to partake in. So basically, it was stuff like at SoftBank, a big mobile phone store, you'd go into the store and you could tap your Tamagotchi and then get a phone for your Tamagotchi. There is also a restaurant called Coco Curry, and the same thing, you go there and get curry for your Tamagotchi. And they're kind
Starting point is 00:45:25 of like promos which, you know, encourage you to go to different stores that maybe you wouldn't go to before to get the items. So that's kind of something that, I'd say, you know, mobile phones aren't taking away from. I'd say it's, you know, improving the ability to, you know, tell people. Like with these Tamagotchi 4Us, there's actually the app where you can buy stuff there, but it can also tell you about the promotions, and then you can go there. And it was even on the Tamagotchi, like I won some game and I got a coupon
Starting point is 00:45:53 that you could use for 20% off, like actually at the department store where I bought it. So, you know, I think they're really... In America? No, in Japan. Okay. Yeah, but it's amazing how they're kind of using the ability to sync with mobile to do all sorts of things that you
Starting point is 00:46:11 couldn't imagine, you know, before they were connected. I really can't. No. Are they going to add BLE to them so you can transfer your Tamagotchi from one to another and then into a phone and then out? And brain transplants for the Tamagotchi? No, not the brain, just the creature. And then you'd have it and it'd be empty because you'd transferred it somewhere. Well, they don't do that for brains, but they actually do for the new ones,
Starting point is 00:46:36 do it for items. So you can basically transfer the items to different Tamagotchis and the same with the phone. For whatever reason, they've gone in the NFC, not the BLE direction, probably because of the cost of the component. For now. Yeah, who knows what the future will look like.
Starting point is 00:46:53 I just want to transfer everybody's into mine. I have this huge crowd of Tamagotchis in the one device. In the little egg thing. Yeah, I wish. Actually, I've really been enjoying the new ones, just because what they can do is nuts. For example, I'm going through and I'm like, what is this? And it says cleaning closet. And I'm like, whatever. Then one day I come home and my Tamagotchi has made a mess and there's garbage things all over. And then I have to go to the cleaning closet and get it
Starting point is 00:47:20 to use the vacuum cleaner to clean his apartment up. Have you heard of a game called Sims? Yes, I actually did like The Sims a lot. Now I want to ask you personal questions. Do you have kids, and do you think having kids will decrease your Tamagotchi? But I think instead I'm going to ask Christopher if he has any last questions as we finish this up. So there's a bunch of different Tamagotchis
Starting point is 00:47:46 and there have been for years. Do you have like a favorite model or creature or? Yeah, I guess. So I mean it's changed as I've hacked them. I think I like the ones that I can hack the best now. That makes sense. But yeah, I'd say
Starting point is 00:48:01 you know, it's a hobby, but I like try and spend a reasonable amount of money on it. So like the really cool Tamagotchis, especially the old ones are really expensive. So I don't have any, I've been focusing more on the modern ones because those ones you can still get like for 10 bucks each. And the old ones are vintage.
Starting point is 00:48:19 Is there like a vintage trading rare Tamagotchi from 97 kind of thing? Yeah, there's definitely that. Now, I go to a reverse engineering group, and there there's a lot of people that do the more hardware stuff. They'll decap chips and look at it under a microscope. So I did donate. I had just the board of an original version 1 Tamagotchi. So I donated that, and they were able to quite easily look at it
Starting point is 00:48:44 through a microscope and make an emulator for it. Oh, so they looked at it through the microscope and they could emulate the processor. Could they look at the ROMs and the code? Yeah, that's what they did. They were both able to figure out the microcontroller, which I think was an ASIC, so that makes it a bit more difficult. And then they were able to actually look at the ones and zeros on the ROM and use that to decode the code and make an emulator basically by writing no software or anything, just by looking at the board really close.
Starting point is 00:49:15 Neat. Well, Natalie, do you have any last thoughts you'd like to leave us with? No, I don't. Thanks a lot for having me. My guest has been Natalie Silvanovich, hacker of Tamagotchis and security engineer. Special thank you to Alvaro for suggesting we invite Natalie on the show. I really enjoyed hearing about the Tamagotchis. Thank you, as always, to Christopher White for co-hosting, producing, and raising his Yoda Tamagotchi, or killing it, I'm not quite sure.
Starting point is 00:49:46 It might run away. And of course, thank you for listening. I usually have a couple of final thoughts here, and I try to make whichever one is relevant the one that I choose, but this week there was only one. It's from Shel Silverstein. I made myself a snowball, as perfect as can be. I thought I'd keep it as a pet and let it sleep with me. I made it some pajamas and a pillow for its head. Then last night it ran away, but first it wet the bed.