Okay, so I'm gonna start with the good news: here's a video of a happy child and a happy mom after it was working. That was today. So I'll start with that and then we'll work back from there.

Okay, so, Ladyada, how'd you get... so you bought this Teddy Ruxpin? Well, this was released in 2017, and you bought one, I think when it first came out, in 2019, and I'm like, I'm gonna do something with this one day. Yeah, and it was on the shelf, and then a couple weeks ago, two weeks ago, you brought it up at the office, like, oh yeah, the Teddy Ruxpin. So you brought it home, you had it in the box, and you brought it back, and I was like, oh, that's cool, it has the animatronic eyes and voice. I was like, let's see what you can do with it.

So, your first step, you look up the iFixit teardowns. It's got this processor in it, and it can do, again, the mouth moves, and there are these TFT displays for the eyeballs. I'm going to say that they borrowed the idea, or were inspired by, Furby's eyeball code. What is really easy is on the back, next to the battery port.
There's this micro USB slot, and when you plug it in, it shows up as files. But the way you're supposed to use this is you download one of the apps. So I just took this screenshot. It has low ratings because it doesn't really work anymore, but there was a Google Play app for Android and there's an iOS app, and the app still kind of... Didn't you eventually get it working? After, like, sort of, kind of... it kind of sort of maybe. But the idea is that you would use the app, you would connect to the teddy bear over Bluetooth, and then the storybook would appear on the screen. There's a video from Any Manga Plus, which is the app developer. The toy was made by Wicked Cool Toys, and the app was done by Any Manga Plus. When you connect, it syncs, so instead of having a paper book you would read the story on the tablet, and it would follow along: when you press the next button, it would go to the next page and all that good stuff.

Okay, so you plug it in to USB and it shows up as a disk drive with a folder called books, and initially it only has a couple. This is the one I just plugged in; it has all the stories, but initially it actually had three stories, I think, and the idle and the intro. Intro is that first thing when you turn it on, where it says, Hello, my name is Teddy Ruxpin.
Can you and I be friends? Idle is actually just that animation of when it's not doing anything: the eyes move back and forth, it just plays this idle animation. And then the stories are each about 15 minutes long or whatever, five to 15 minutes long, and there are songs, and they're pretty cool, everything, don't get me wrong. You can get the songs, in case you ever lose them, or maybe it did come with the songs. You can get the songs from the Internet Archive; somebody uploaded all of them, or maybe the app gave them to you, I don't remember the story. But basically you can get the binary files here, and it has all the stories, all 15 stories. But if you drag them off the SD card that's in the bear, via the micro USB port, it doesn't magically play them. You have to unlock them by paying through the app, and that's what's eventually not gonna work. I mean, it works now, but I think eventually it's not gonna run. Like we even saw on Android, every few years they're like, we don't let you run old APKs anymore, you have to recompile them, and who knows if this company is gonna do it. And then if you actually look for the company that made the toy, that website doesn't exist. I think they were purchased by another company. Anyways, that's gone.
I mean, it's kind of cool when the domain doesn't even really exist. Usually there's the SSL failure that happens when they don't renew their SSL certificate, and they went past that, so it's not even around anymore. Okay, but that's fine. I keep googling, and there was a talk at DEF CON on dissecting and reverse engineering the smart bear, and I'm like, oh, perfect, this is exactly what I want to do. I want to update the audio and the mouth movements, and I want to make my own story files, because the stories that come with it are cool, but I want to make my own stories. I think that would be neat: if I was telling a story, or, you know, a grandmother's story, you're telling the story, or you had an AI version of some famous person telling a story or whatever. I can do deepfakes on the smart bear. That's okay, it's gonna be mostly me telling the story.

Well, the thing is, a lot of people have these. Yeah, they're still available. Like I said, if you want to go in and get one right now, because probably after we release all this stuff people will start to charge more on eBay. We can get them for eight bucks, but I think there's a lot, though. Yeah, the dream is to always have an animatronic toy that you can hack and mod. There's so many things that you can do with it, from it being an accessory for a cosplay thing to... it's so hard to do all of those things, whether you're trying to 3D print it and do motors and, whatever it is, putting that all together: the injection molding, the battery, having it even be safe. Yeah, it runs on double-A batteries. It's very well made, and you can see that iFixit video or whatever. It's very well made. Okay, so this presentation.
There's also a video. Those are the file format of the binary, and this is really useful, because this group of people, Zenofex and Exploiteers, figured out, by messing with bytes, I think, what each byte does, and basically said, hey, here's where the eyeball data lives, uncompressed, and here's the file format, and here's the audio data. Okay, cool. So I opened up the binaries that I've gotten, and I'm like, yes, okay, it is the same format. That sounds cool. In the talk they mentioned maybe releasing some creation software at some point, but it was never released. So you're kind of starting from just whatever was in the documentation, in the presentation, and recreating the extractor. And then once I have an extractor, once I get the data out, of course I can put data back in. So I started writing some Python code, and it's like struct unpack, look for the magic byte, blah blah blah, all of everything. And getting the eyeball images out was pretty easy because they're just 128 by 128 RGB565, which I'm super familiar with because all of our TFTs are RGB565. So it's like, oh yeah, this file format is... Also an interesting study in eyeballs on LCD screens. Yeah, so, very nice. And I mean, the eyeballs also do this animation thing, which was not extracted, but I probably won't be creating animations like that. They do these heart sparkle things. Anyways, the good news is that you gave me a different logo, 120 by 128; I use Pillow as the Python image library, and pasted that back into the eyeball code for the idle screen, and boom, that works. So that just showed, okay, there's no CRC. You can edit the file and put it back on. You can inject and change the data without any issue. Okay, so the next issue is I want to do something with the audio.
So the audio has this thing called the mark table at the beginning. So you see that there's a U, and that's the magic bytes, and then there's a bunch of numbers that are zeros and ones, and that tells the bear, the chip running the bear, how to open the mouth for the audio file: when does it open the mouth, at what point. And that's the timing table. And then after that there are all these FFs, and then there's the beginning of the audio. So about two-thirds down is where the audio starts. And so I was like, okay, is this uncompressed audio? Open it up in Audacity, and it's definitely not uncompressed. It's compressed audio, which doesn't surprise me too much, because audio is really, really big, and some of these audio files are 15 megabytes, and they probably thought, look, maybe we'll transfer it over Bluetooth, we should compress it in some way.

So, looking through the documentation in the DEF CON thing, and also the chip itself is called the Sonix chip, and this is called the Sonix Audio32 format, and it's proprietary, not really documented. And I found a couple projects. The project on the top half of the screen is someone who was hacking some Japanese toy that used the same Sonix chipset and Audio32 file format, and they used QEMU to run the ROM of the toy and used that to decode audio. It literally just used the toy ROM, the firmware, as a way to encode... sorry, to decode the audio, or maybe encode it as well. The only thing is that you need to have the ROM of the toy to run it. So that was kind of a no go. And then at the bottom, there was this other person, Zach, and they were on the ffmpeg IRC channel, and they were also kind of trying to do the same thing, and they were researching the Sonix codec. So I actually just followed along with this IRC chat, and it was kind of fun, because I was like back in time. This was from 2021.
I was watching... they didn't know what was gonna happen with COVID or something, I don't know. And I got to watch this person going through this Audio32 hacking, also looking up the datasheet. And I googled the datasheet, and blah, it's basically a lot of googling and GitHub searching, etc. I'll document all this, but in the end I found this repo that had the SDK for the Sonix chipset, and it included this libSNXAudio.so link library file. It also had some code that you could run that would encode or decode audio, and I'm like, oh my god, this is it, finally. I've got the library file, I've got some code, I'll just compile it. Okay, but the only problem is that when you look at the file type for that libSNXAudio Audio32 library, it's not x86. It's ARM. Okay, not a problem, it's ARM. There's no x86 version, so I'm going to have to run it on a Raspberry Pi, but I have a Raspberry Pi, it's not a big deal. But then actually I ran it on the Raspberry Pi (didn't get a great screenshot of it), and it doesn't work with glibc. It needs uClibc, and uClibc is what's used on embedded Linux setups that are minimal. That makes sense: this could be some product that uses the Sonix audio stuff, and it's a small device or a toy. It's not gonna be running a full-fledged Debian install. It's gonna be running something like Buildroot. So I've always been wanting to learn how to use Buildroot. Buildroot lets you automatically build these very simple, small Linux installations for embedded Linux. It's not a full Debian install; it's very minimal. Lots of things are missing, like wget, but I worked my way around it and got it running. It's all on the Raspberry Pi ARM computer. Tried to compile this code, and it doesn't run, it fails, and it says it's not succeeding in opening the codec. Okay, what does that mean?
Try all these different things, and I try every argument; I expand the argument list, and it absolutely will not run. I'm like, there's something going on here that's causing it to fail. And then I'm like, well, you know what, if you go back to... this... no, sorry, this one. You'll notice it's got debug info. It's not stripped. Cool. That means it's prime for Ghidra, which is a reverse engineering decompilation tool released by the NSA. Really good tool, and it actually did an amazing job. If you look at the code on the right, that is decompiled from the ARM assembly on the left. It's completely readable. It's like code. That's scary. It's really scary. Yeah. It's very good, and so you can actually see what's going on. It's opening /dev/mem, you look up the sysconf, it's memory mapping one page worth of data, and then it's reading something from the registers on the chip and it's checking it against a value, F8, and I don't know what it is. It's some register value, and I guess it's never used again. I don't know if it's a security check or if it's verifying you're on the right version, I don't know. But what's really cool is with Ghidra you can hot patch, so that check, where it returns zero if it's not on the right chipset, or if it doesn't get that right memory map value, I just changed it from a not-equal to an equal, and then it just totally ran. The only problem is that the audio that came out... I tried encoding and decoding, and the audio was not intelligible. I tried decoding the audio from the bear and it didn't come out right. I don't know why, but I was at this for a few hours and it was not really working out. And then I was looking around, and everyone keeps saying, oh, the Audio32 codec, it's just G.722.1. Everyone's like, it's just G.722.1.
Okay, cool. Download some G.722.1 encoders and decoders: .1, .1 Annex C, non-Annex, not C, not 1. Try all of them; none of them were able to decode the audio. There's something... it's somehow modified from G.722.1. Anyways, that was kind of messing around. I was like, I'm not really getting anywhere. I can always go back to that decompilation code and try to recompile it for a processor I know, or see what's different from the G.722.1 audio codec, but I kind of was like, this isn't really going anywhere. Okay, so I kept looking around, and then I found a different library called libaudio32encoder. Ah, and then I found pdjstone, who is like the hero in this story. This is like the hero's story, the standard archetype of the hero. Yeah, at the darkest corner, an angel comes down and gives the hero... or some mystical beast hanging on the edge of the cliff tells them, oh, here's the sword you need to defeat the dragon, and you're saved by some outside deus ex machina. Anyways, this is pdjstone. Great. Thank you. Well, this CloudPets toy encoder, so you could play audio on this CloudPets toy. It's a unicorn that doesn't have a moving mouth but uses the same Sonix toolchain and chip, and you send the audio over Bluetooth. So he uses a Web Bluetooth thing to send the audio over; you don't drag it over on a micro SD card, instead you do this web Audio32. And here's where he's actually very smart. This person was quite smart. They took the APK for Android, and it's a zip, so you unzip it, and he grabbed the library from inside that. I didn't realize you could do that. So cool.
I looked in the APK, in fact, the APK from the Android app for the Teddy Ruxpin, and it's the same thing: libaudio32encoder and decoder .so. It's also available in a zip in one of those SDK things, and I'm like, okay. And you can even see the AU file header thing, the sample rate. Okay, everything's matching up. This looks like it's the right file format. It's named Audio32 and it's got that correct header.

But then... the only... yeah, oh wait, you know what, I didn't send you the next... Oh no, I didn't send you 23 and 24. Oh, I must have forgotten. Or maybe you can check. The images, are they gone? Oh no. I didn't... okay. No, because this is where we stop. So this is kind of where I was this morning. So the good news is that his code actually does run, but it only runs on... I was like, okay, I'm gonna run Android on a Raspberry Pi. Installed Android on a Raspberry Pi computer, because again, I needed ARM 32. Try to run it, and it said you can't use anything with API 23 or higher because the linked library uses relocatable text. You can go... yeah, you don't want to just leave it on the screen. Well, I mean, I want to read this code, but I have my Nexus 7. So, tried running the Python code on the Raspberry Pi, and it said you can't be using API 23 or higher. API 22 or lower is Android 5.1, so I need a device that can run Android 5.1, and that's when I grabbed my Nexus 7. Everyone has a Nexus 7. They were given out for free, basically, in 2022. And it even says, hi, you're running Android 5.1. So I pulled this out, wiped it, cleaned it up, charged it, which takes overnight (don't forget to charge; it basically was at a battery of 25), and ran Termux, and actually within 20 minutes
I was able to encode the audio. This was... it only took me 30 hours to get to this point, one of 20, 30 hours, but I did get there. So now, unfortunately, the only way I've got right now to do the audio encoding and decoding is if you've got something running ARM 32-based Android 5.1. But I think now that I've got it working I have this golden path, because I can change the audio, I can go back, and I think I can probably get that Android... Yeah, there's a 64-bit app. There's a 64-bit app which may have libraries; at least you'll need 32-bit, and maybe it's recompiled with non-relocatable text. I didn't think to even look into it. I was like, oh, maybe there's a 64-bit, and there's an app, and it's never mentioned anywhere. On the YouTube for the Any Manga, because I was looking at the Any Manga YouTube, they mentioned, oh yeah, we released a 64-bit version of this app two years ago. So I just got that, and hopefully with that we'll be able to run the code on a modern operating system so you can generate the audio. Yeah.

And we'll do a question here, because I asked the same question: did you consider using the Android VM? Wow, did I try? Yes, yes. There's a reason it didn't work, though. It doesn't work. So if you're using the Android... well, you can't use an Android VM on your desktop, which I tried. I skipped that because it was such a failure. First time, I couldn't even get Android 5. There's an Android 5.1 build for QEMU, but it just didn't even... you know, turn off Hyper-V, because you have to turn off... at some point in a project you're turning Hyper-V on or off. Ran QEMU with the Android 5.1 and it doesn't even boot. But even if it did, I don't think that QEMU is compiled for 32-bit, and the x86 library won't work. It was like there's a lot of pieces that would have to fit, like, remember.
It's not just... you have to be running Android, you have to be running Android 5.1, and it has to be 32-bit, and it has to be on an ARM core. And jepler tried QEMU to run Android, and he said, actually, he tried... he got to the point where you run the code, and it dies with a CPU exception. So it's like there's something in this file that's just totally horrible and that QEMU doesn't even support. So it is like... yeah, this is like a software version of my visit to the toy fair. It's like you have to travel back in time. Let's travel back in time to 2017, in this landscape of all these things. But the good news, I know it went on for 20 minutes, but the good news is, now that I've got a golden path... the way I reverse engineer is I get the final thing, and then now that I've got it working from beginning to end, I can make it easier. I'll attack it from both sides. And then a lot of toys use this chipset, so it might be handy for reverse engineering a variety of toys. So it's happening. It's just that I only got it working this morning at 11. Yeah, such a long time. With you.