

Reverse Engineering a Furby - Moral_
http://poppopret.org/2013/12/18/reverse-engineering-a-furby/

======
shabble
Whilst these are some impressive hacks (and especially convincing university
staff to lend you their Expensive Toys), my understanding is that the really
tricky bit is going from die scans to netlist/circuit diagram, and thence
simulation/code extraction.

The Visual6502[1] folks are probably the best example of how well it can be
done (assuming you can't afford to pay ChipWorks or FlyLogic to do it for
you), but if you're working with a standardish MCU core and some masked ROM, a
lower tech solution like the Dangerous Prototypes "rompar"[2] might work.

Probably requires quite a few dies, or plenty of experience in extracting them
before you succeed though.

For actually reverse engineering the flash contents, I think it'd be easier to
sniff the bus traffic as you probe it, or make a read/write capable emulator
that logs what's going on. With the hacked phone-side control library, you
could probably build a mostly automated harness to exercise the various
settings and see what gets stored in flash.

[1] [http://visual6502.org/](http://visual6502.org/)

[2] [http://adamsblog.aperturelabs.com/2013/01/fun-with-masked-roms.html](http://adamsblog.aperturelabs.com/2013/01/fun-with-masked-roms.html)

~~~
userbinator
Coincidentally it's very likely the new Furby also uses a GeneralPlus 6502
(CMOS) core.

------
drpancake
From the Wikipedia article: "Furbies were banned from the National Security
Agency of the United States due to concerns that they may be used to record
and repeat classified information."

[http://en.wikipedia.org/wiki/Furby](http://en.wikipedia.org/wiki/Furby)

------
voltagex_
I knew I remembered the GeneralPlus name from somewhere -

"Many Tamagotchis Were Harmed in the Making of This Presentation"

PDF:
[http://recon.cx/2013/slides/Recon2013-Natalie%20Silvanovich-Many%20More%20Tamagotchis%20Were%20Harmed%20in%20the%20Making%20of%20this%20Presentation.pdf](http://recon.cx/2013/slides/Recon2013-Natalie%20Silvanovich-Many%20More%20Tamagotchis%20Were%20Harmed%20in%20the%20Making%20of%20this%20Presentation.pdf)

Video (original? talk):
[https://www.youtube.com/watch?v=WOJfUcCOhJ0](https://www.youtube.com/watch?v=WOJfUcCOhJ0)

Video (newer talk at ReCon):
[http://recon.cx/2013/video/Recon2013-Natalie%20Silvanovich-%20Many%20More%20Tamagotchis%20Were%20Harmed%20in%20the%20Making%20of%20this%20Presentation.mp4](http://recon.cx/2013/video/Recon2013-Natalie%20Silvanovich-%20Many%20More%20Tamagotchis%20Were%20Harmed%20in%20the%20Making%20of%20this%20Presentation.mp4)

Natalie Silvanovich did this kind of reversing on a few Tamagotchi products
with great success.

------
tumes
"A Furby is an evil robotic children’s toy wrapped in colored fur."

If only all technical reviews started this honestly...

------
rhgraysonii
It's projects like this that spark me to always go out and try to learn new
things. I forget how much of our surrounded world is hackable sometimes, and
it really is sad to think I get so caught up I don't think of these projects
near as often as I used to. Hopefully this guy gets somewhere :) these
writeups are inspiring, interesting, and educational all wrapped into one nice
little package.

------
mschuster91
Are there maybe some JTAG lines exposed on the board?

Maybe these could be used for finding out the contents of the mem chip and the
CPU used.

~~~
q3k
This class of devices is often made at a ridiculously huge volume and the
cheapest way possible, so they're very likely to contain one-time-programmable
devices with no test / debug lines.

~~~
mschuster91
Yet there are labeled(!) test points visible for the I2C lines on the board,
and a number of other labels... so the question is, why do the epoxy stuff
while leaving the labeling on the PCB?

~~~
duskwuff
Epoxy blobs tend to be more about cheap mass-production than
anti-reverse-engineering. If you're getting a custom chip manufactured, it's
often easier to just stick the die straight on the board than it would be to
have it put in a package, _then_ put on the board.

~~~
mschuster91
How is the bonding from the pads on the die to the pads on the PCB
accomplished? Sounds easier to do with packaging compared to PCB for me.

~~~
csmuk
Exactly the same way the die connects to the pins on the package (usually fine
wire). Then they cap it all.

------
agoandanon
So, remember that virus that communicates using high-pitched sound? If no,
here's an article:

[http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/](http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/)

This article says that the Furby communicates in the same way. It would be
interesting if the Furby was a vector for spreading messages via this virus.
Very, very interesting.

~~~
mschuster91
I doubt this (Furbys are kiddy toys, after all); but this article proves that
audio is indeed a viable data communication channel for bypassing air-gaps.

~~~
Juno5143
let's ban audio

~~~
fphhotchips
New security measure: from now on I will only allow our users to use their
PCs in this room.

[http://blogs.smithsonianmag.com/smartnews/2013/12/earths-quietest-place-will-drive-you-crazy-in-45-minutes/](http://blogs.smithsonianmag.com/smartnews/2013/12/earths-quietest-place-will-drive-you-crazy-in-45-minutes/)

~~~
superuser2
If anything, data over audio would be easier in an anechoic chamber since you
don't have to worry about reverb or background noise.

US Military guidelines do require acoustic isolation of all SCIFs (Secure
Compartmentalized Information Facilities). You just need isolation, though;
deadening the rooms is not really necessary.

------
pbhjpbhj
I've seen something along this line before - but this article is dated
yesterday.

[https://github.com/iafan/Hacksby](https://github.com/iafan/Hacksby) found via
hnsearch.com but I don't think that's where I saw the details last time.

There's this
[http://news.ycombinator.com/item?id=4984100](http://news.ycombinator.com/item?id=4984100)
too - about open-source furby-like projects.

------
zdw
It would probably be easier to read the chip in-situ with a Bus Pirate and
flashrom:

[http://dangerousprototypes.com/docs/Bus_Pirate](http://dangerousprototypes.com/docs/Bus_Pirate)

[http://flashrom.org](http://flashrom.org)

I used one of these to reflash the BIOS on a logic board after the utility
provided died, without removing the BIOS from the board.

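An added example, not part of zdw's comment, shabble's comment, or any project linked in the thread: a small Python script that wraps the in-circuit flashrom read through a Bus Pirate and then performs the differential analysis shabble suggested upthread, dumping the chip before and after exercising a setting and reporting which byte ranges changed. The programmer string, device path and SPI speed are assumptions; flashrom's Bus Pirate driver speaks SPI, so this applies to an SPI flash part rather than an I2C EEPROM. The sample dumps are constructed in the script, not real Furby data.

```python
"""Differential analysis of two flash dumps taken before and after a change.

Added example; the sample dumps below are constructed, not real Furby data.
"""
from __future__ import annotations

import subprocess

# Assumed programmer string: a Bus Pirate on /dev/ttyUSB0 clocked at 1 MHz.
# flashrom's Bus Pirate driver is SPI-only, so this reads SPI flash, not I2C EEPROMs.
FLASHROM_CMD = ["flashrom", "-p", "buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M"]


def read_flash(out_path: str, chip: str | None = None, runner=subprocess.run) -> list:
    """Dump the chip to out_path with flashrom and return the argv that was run.

    `runner` is injectable so the function can be exercised without hardware.
    In-circuit reads can be corrupted when the board's own MCU is also driving
    the bus, so a real session should read twice and diff the two copies with
    diff_regions() before trusting either one.
    """
    cmd = FLASHROM_CMD + ["-r", out_path]
    if chip:
        cmd += ["-c", chip]  # needed when flashrom cannot auto-detect the part
    runner(cmd, check=True)
    return cmd


def diff_regions(before: bytes, after: bytes, merge_gap: int = 0) -> list:
    """Half-open [start, end) byte ranges where the two dumps differ.

    Runs of differing bytes separated by at most `merge_gap` identical bytes
    are merged, so one multi-byte record shows up as a single hit instead of
    several. If the dumps differ in length, the tail of the longer one counts
    as changed rather than being silently ignored.
    """
    n = max(len(before), len(after))
    regions = []  # list of [start, end] pairs, mutated while scanning
    for i in range(n):
        same = i < len(before) and i < len(after) and before[i] == after[i]
        if same:
            continue
        if regions and i - regions[-1][1] <= merge_gap:
            regions[-1][1] = i + 1  # extend the current run across the gap
        else:
            regions.append([i, i + 1])
    return [(start, end) for start, end in regions]


def report(before: bytes, after: bytes, regions: list) -> list:
    """Render each changed range as offset, length and old -> new hex bytes."""
    return [
        f"0x{s:06x}-0x{e:06x} ({e - s} bytes): "
        f"{before[s:e].hex()} -> {after[s:e].hex()}"
        for s, e in regions
    ]


def build_sample_dumps() -> tuple:
    """Constructed 4 KiB images standing in for a before/after pair.

    Erased (0xFF) flash with a 6-byte name record at 0x100 and a one-byte
    counter at 0x200; the 'after' image has a renamed toy and a bumped counter.
    """
    before = bytearray(b"\xff" * 0x1000)
    before[0x100:0x106] = b"FURBY1"
    before[0x200] = 0x03
    after = bytearray(before)
    after[0x100:0x106] = b"hacked"
    after[0x200] = 0x04
    return bytes(before), bytes(after)


if __name__ == "__main__":
    # Stand-alone demo on the constructed dumps; swap in two files read with
    # read_flash() to analyse a real before/after pair.
    before_img, after_img = build_sample_dumps()
    for line in report(before_img, after_img, diff_regions(before_img, after_img)):
        print(line)
```

The `merge_gap` knob matters in practice: a record such as a little-endian counter or a name string rarely changes in every byte, and without merging the unchanged bytes in the middle split one logical field into several reported ranges.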
------
glifchits
Just funny to think that it's possible that a dev who hacked on that Furby
firmware is reading this and said "hey, I wrote that routine!"

