Hacking Tamagotchi Uni Research/Hacking

Zhongtiao1

Look Ma! My Welcotchi is a part of the metaverse!

In case you weren't aware, a new Tamagotchi was released over the weekend, the Tamagotchi Uni. The main difference this time around was the inclusion of wifi. This allows for firmware updates, time-limited items, and interaction with the "tamaverse." While the tamaverse is mostly offline, you're able to interact with other tamas online (marry them off, etc.)

[Image]


^ This is Rash. He will most likely die because I have a full-time job and he sleeps from 8pm to 8am.

This thread will be to document what I've found (and if anyone wants to join in, they can). The goal (at least at the moment) is to grab any firmware updates/document how the Uni talks with the servers.

What I've found out so far:
  • It uses TLS 1.2
  • Only 2.4 GHz networks supported
  • The first URL it checks is apiuni-tmgc.tyb.jp
  • The cloud server is on AWS Northeast-1 in Japan
  • The wireless module claims to be made by ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. so it's an ESP32 MCU
  • Doesn't seem to have Bluetooth
  • According to the manual, firmware downloads are as large as 9.5 MB
  • https://apiuni-tmgc.tyb.jp/ jumps to any one of the following IPs (this could of course change with an update):
  • It tries to connect to the server 5 times before giving up
One annoyance is that if you choose "automatic" for the network settings, it's impossible to set the DNS server separately. If you choose manual though, it doesn't allow you to set DHCP for the IP. To get the network dumps so far, I've had to create my own mitm hotspot using wihotspot on Ubuntu. While I've done similar things before, for some reason the Uni gives an error when connecting. Wireshark isn't giving me a whole lot of info as to why though. The server just resets the connection, and then the Uni tries again.
Post automatically merged:

Day 2! (Yes, I know it's the same day, but I did the research for my first post yesterday)

Rash isn't dead surprisingly. However, he seems to have de-aged:
[Image]


He's also getting into social media which I am concerned about...

Thanks to u/siabe on Reddit, I know a lot more about the hardware itself:
  • The Wifi Module is an ESP32-S3-WROOM-1
  • The SoC is an Xtensa LX7
  • 1300 mAh battery

What I've learned today:
  • My Uni is currently on firmware 1.0.2.
  • The apiuni server also points to 54.250.16.101. When you connect to the apiuni server, it gives a redirect to one of the IPs.
  • When you connect to the apiuni server, whichever IP it sends back is locked on until either A) You disconnect, or B) a new DHCP lease is sent. So if you manually set the IP, never let it go to sleep, and never leave the range of your router, it will always connect to the exact same server.
  • A new DHCP lease is requested each time the Uni wakes from sleep.
  • When checking for updates, the Uni loves exchanging certificates. After every three or four transmissions of application data, it verifies the server certificate. It makes me wonder if there are no checks done by the Uni itself on whether a firmware image is valid.
  • The server certs are generated by AWS, not Bandai specific. However, the ESP32 module declares itself as belonging to Bandai when it first connects.
  • When you download items, all it's doing is downloading from an AWS S3 bucket (after exchanging a server cert twice). Presumably it is hashing the item code you've given it and identifying that hash with a specific S3 bucket.
  • I downloaded the "hip-hop cap" and it looks like it's 2kb in size. No idea yet if every item is exactly 2kb or not.
I explored the "tamaverse" a bit, and most things are closed at the moment. Potentially these open in a software update down the line?

If it was possible to install a new CA on the Uni, I could get a lot more info out of it.
 
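Details like a TLS version and a server hostname can be read from a capture without decrypting anything, because the ClientHello that opens each TLS connection is sent in cleartext. The following is an added example, not part of the original post: a parser for the version and SNI fields of a ClientHello record. The sample record is built by `build_client_hello`, a hypothetical helper producing constructed input, not bytes from a Uni capture.

```python
import struct

def build_client_hello(host):
    """Constructed sample input: a minimal TLS ClientHello record with an SNI extension."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name        # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry            # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni            # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                        # client_version, 32-byte random
            + b"\x00"                                      # empty session_id
            + b"\x00\x02\xc0\x2f"                          # one cipher suite
            + b"\x01\x00"                                  # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return (client_version, sni_host) from one TLS record, or None if it is
    not a complete ClientHello. Reads only the cleartext handshake fields."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:         # handshake record, ClientHello
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        data = record[5:5 + rec_len]
        if len(data) < rec_len:                            # truncated capture
            return None
        pos = 4                                            # skip handshake type + length
        # 0x0303 = TLS 1.2; TLS 1.3 clients send it too, plus supported_versions
        version = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2 + 32                                      # version + random
        pos += 1 + data[pos]                               # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # cipher suites
        pos += 1 + data[pos]                               # compression methods
        if pos + 2 > len(data):                            # no extensions block
            return version, None
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(data)):
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:                                 # server_name: list len, type, name len
                nlen = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return version, data[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
            pos += elen
        return version, None
    except (IndexError, struct.error):                     # malformed or cut-off record
        return None
```
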

Zhongtiao1

Day 3!

Rash has confusing tastes in social media:
[Image]


When you download the "news," it looks like it downloads 40KB of data every time, and the promotional items/gifts are embedded in that.

Beyond that, I'm kind of at a standstill until we can get an mitm CA installed on the Uni. Nearly everything that the Uni does is communicated via TLS, and we need to be able to decrypt that to get more info on its workings.
 

ManuXD32

Wow, thank you so much for sharing this info. I am so excited to see if we can make our own games or content and send it to the tama.