Look Ma! My Welcotchi is a part of the metaverse!
In case you weren't aware, a new Tamagotchi was released over the weekend, the Tamagotchi Uni. The main difference this time around was the inclusion of wifi. This allows for firmware updates, time-limited items, and to interact with the "tamaverse." While the tamaverse is mostly offline, you're able to interact with other tamas online (marry them off, etc.)
^ This is Rash. He will most likely die because I have a full-time job and he sleeps from 8pm to 8am.
This thread will be to document what I've found (and if anyone wants to join in, they can). The goal (at least at the moment) is to grab any firmware updates/document how the Uni talks with the servers.
What I've found out so far:
- It uses TLS 1.2
- Only 2.4Ghz networks supported
- The first URL it checks is apiuni-tmgc.tyb.jp
- The cloud server is on AWS Northeast-1 in Japan
- The wireless module claims to be made by ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. so it's an ESP32 MCU
- Doesn't seem to have Bluetooth
- According to the manual, firmware downloads are as large as 9.5mb
- https://apiuni-tmgc.tyb.jp/ jumps to any one of the following IPs (this could of course change with an update):
- 35.79.59.252
- 52.199.19.128
- 35.78.56.100
- 54.95.78.200
- 18.182.80.137
- 52.194.44.193
- 35.73.234.2
- 18.181.64.19
- It tries to connect to the server 5 times before giving up
Post automatically merged:
Day 2! (Yes, I know it's the same day, but I did the research for my first post yesterday)
Rash isn't dead surprisingly. However, he's seemed to have de-aged:
He's also getting into social media which I am concerned about...
Thanks to u/siabe on Reddit, I know a lot more about the hardware itself:
- The Wifi Module is an ESP32-S3-WROOM-1
- The SoC is an Xtensa LX7
- 1300mah battery
What I've learned today:
- My Uni is currently on firmware 1.0.2.
- The apiuni server also points to 54.250.16.101. When you connect to the apiuni server, it gives a redirect to one of the IPs.
- When you connect to the apiuni server, whichever IP it sends back is locked on until either A) You disconnect, or B) a new DHCP lease is sent. So if you manually set the IP, never let it go to sleep, and never leave the range of your router, it will always connect to the exact same server.
- A new DHCP lease is requested each time the Uni wakes from sleep.
- When checking for updates, the Uni loves exchanging certificates. After every three or four transmissions of application data, it verifies the server certificate. It makes me wonder if there's no checks done by the Uni itself on whether a firmware image is valid.
- The server certs are generated by AWS, not Bandai specific. However, The ESP32 module declares itself as belonging to Bandai when it first connects.
- When you download items, all it's doing is downloading from an AWS S3 bucket (after exchanging a server cert twice). Presumably it is hashing the item code you've given it and identifying that hash with a specific s3 bucket.
- I downloaded the "hip-hop cap" and it looks like it's 2kb in size. No idea yet if every item is exactly 2kb or not
If it was possible to install a new CA on the Uni, I could get a lot more info out of it.
Last edited by Zhongtiao1,