Let's give Zenofex a big round of applause.

All right, hi everyone. I guess we're going to get started two minutes early, which is great because I packed a lot of content into this period. So my talk is "Dissecting the Teddy Ruxpin: Reverse Engineering the Smart Bear." It's essentially my experience taking my child's toy and trying to see if it was going to cause any security nightmares for me. But we'll get into some fun things here in this presentation.

So a little bit about me. First of all, my Twitter handle is @Zenofex. I go by Zenofex. I'm a security researcher at Cylance. I'm a founding member of a hardware hacking group called the Exploiteers. And I'm a contributing member of a local community that we have called Austin Hackers.

A little bit about Exploiteers. We have roughly 10 members, give or take a few that don't officially associate with us but are pretty much part of the group. We have Agent HH, CJ, Cody, Guinephage, Maximus, MBM, Sarek, TD Wing, and x00 String, or Null String. And of course, me. So our general goal is to just hack things, anything, anywhere. We originally started hacking Google TVs, and then Google killed off the Google TV. So then we just started hacking anything we could get our hands on. We have a pretty decent community, and we're all very helpful. So check out our Exploiteers site, where we have like 60-plus embedded devices that have roots and other hacks. We also have an IRC network that I'll talk about at the end.

So a little disclaimer. First of all, the data within this presentation was all stuff that I reverse engineered. I didn't have official documentation or anything else. So a lot of my attempts were just essentially trial and error, reversing what I could, when I could. I literally have been working on this for a very long time, and you'll see why: it's essentially an RTOS environment, which can be a little more difficult when you want to interface with the peripherals.

So, terminology.
You Teddy-philes will already know this, but an Illiop is a brown bear-like creature with a kind disposition. You might think Teddy Ruxpin's a bear, but he's actually an Illiop.

So the OG Illiop. This was the 1980s Teddy Ruxpin, which I think a lot of us are probably familiar with. It used cassette tapes on its back that you replaced, and you had physical books that you read along with the cassette tapes. His mouth moved and his eyes opened and closed, but it was a physical movement, not an LCD screen like the newest revision.

So the new Illiop. The new Illiop is this guy. Essentially he has animated eyes, a moving mouth, a speaker, Bluetooth Low Energy, USB mass storage that is backed by an internal micro SD card, and a companion mobile app.

Getting inside Teddy. So I'm about to show y'all what this looks like. It's terrifying. So a little about Teddy. This particular revision comes with a mask that you put on him so he doesn't scare your kids when he's off. It's needed too, because like I said, it's crazy. But let's take his jacket off and get him out of here. This is essentially Teddy Ruxpin. This is Teddy's skin. So it's pretty enjoyable. And here's Teddy on. No. No. I actually tried to wear his skin. It doesn't fit on my face.

So inside of Teddy we have a logic board, and this is the top of the logic board. It's actually stored right in this eye area here. There's this chip called the Sonix MCU. I don't remember what the actual name of it was, but there's a speaker driver, the Bluetooth Low Energy, there's an SPI flash, and then there's this SD card slot that actually ends up holding the storybooks that are stored on Teddy Ruxpin. This is the logic board's bottom. You can see there are two 128 by 128 LCDs that are used for each individual eye. And then on that previous picture, we'll go two slides back, you can see that on the, I guess, right side there is a module that says "Teddy firmware 1.1."
That module is an MYN822BLE module, which is essentially just a module for the Nordic nRF51822 chip. So here is the diagram for interfacing with its SWD port and also all the different GPIO pins that are used within Teddy. They only have roughly 11 GPIO pins in use of the 22 or so that are available, or 26 that are available. And then of course they have SWDIO and SWCLK hooked up, which is the debug pinout for software debugging Cortex-M0 chips.

So with that particular pinout, we were able to dump the firmware for Teddy and also the RAM. You can dump it with OpenOCD, but I had a Segger J-Link from doing some badge development for the whole Badge Life project, and I just used that with nrfjprog to dump the firmware and RAM. Like I said, you can use OpenOCD, and if you ping me I can give you a config to make that work.

So this particular Teddy, instead of having physical books, uses a mobile app. And so you can see in the mobile app picture they have a little cartoon picture of Teddy and his best friend Grubby. So the mobile app works essentially by using BLE to communicate when each page is turned and when the next story should be read. So I took the APK and I threw it into JADX, and it was really nothing more than a wrapper for a bunch of Adobe AIR content. So within the APK was a SWF file, and I took that SWF file and then I threw it into JPEXS. Essentially, this is a Flash decompiler, and all the BLE stuff was within this SWF. So if you are poking at your own Teddy, you're better off not even looking at the APK: just unzip it, grab the SWF, and throw it into JPEXS.

So I went ahead and I listed all the BLE info, the receive and transmit UUID characteristics, and all the commands to jump between storybooks and to choose individual storybooks. I don't plan on reading you all that; you can look and reference the slides.
At the bottom of the presentation, I didn't mention this at the beginning, but at the bottom of the presentation is a web address for our website. If you go to that website after the talk, I'll have slides and some of my research content, but I've been having trouble updating it and I really don't want to on the hotel Wi-Fi. So just check it when you get home.

So you take the firmware that you dumped with SWD and you can throw it into IDA, and it shows up as just binary data, but if you choose ARMv7, LE, and enter in these settings, you can actually go and look at the disassembly and try to reverse some of it yourself. But realistically, most of my stuff was done through visual analysis of the storybook files and a ton of trial and error. So I got it into IDA a little too late for me to spend too much time in this particular section.

So the Teddy Ruxpin book. I showed you all Teddy's face and body. On the back, there's a micro SD pinout or header, and you can essentially connect into that and it pops up this mass storage device that has all the books on it, which are an intro file, an idle file, and then the 10 storybooks that they provide. I'm thinking the idea was that they would release books at a later point for purchase and you'd just copy them over to the bear, because they don't provide functionality to transfer them over through BLE.

So within the storybooks, the files that are the container format for the storybooks are these SNX ROM files. Since I don't have the documentation, they could be called something else, but the magic string at the top of each file is "SNX ROM" in wide characters, so each one is individually null terminated. The Target exclusive contains two extra stories, but it was always a little more expensive than I wanted to pay, and I bought six of these. So I have way too many Teddys.

So the SNX ROM files. I'd mentioned that they start with a magic string at the top, but then there was also the header format.
The header format starts with a record stop and a record end, and then the table itself ends with FFFF. After you use that to extract the files within, you end up with the raw image data first and then the audio files. The audio files always start with "AU," and the raw image files are all the rest of them. If you take the image files and you throw them into GIMP, GIMP has a feature where you can import raw data and then you can kind of play with the settings to see what the data is, which is on the left. You see the picture there. You can see that they're RGB565 and they're 128 by 128 in size.

And yeah. So then the audio files. This is where things get a little bit crazier, and this is where I spent a ton of my time. It's a proprietary file format used by Sonix, and it actually uses this thing called a mark table to store the triggers for the data that shows on the eyes and also for the mouth movement. Essentially, and I'll get to that in the next slide, but we'll get there now.

So the header structure for this format is essentially the "AU" string, two bytes, then an unknown constant value. Since I was using a lot of trial and error and I didn't have the documentation or anything for this format, there were a bunch of values that didn't seem to impact my tests and I couldn't figure out what they were actually used for. So the unknown constant value is the two bytes that seem to be on every single file and never change. There's then the sample rate, which is two bytes; the channel, which is always one, but it's also two bytes; another unknown value; another unknown value. And then a zero or one to dictate if there's a mark table, a silence table, another unknown value, and then the mark table data, silence table data, and audio data.
The actual data structure, when I say audio data, mark table data, and silence table data: the mark table is defined by two to four bytes that signify the position, two bytes that signify the value of the data at that position, and then that particular table ends with 0xFFFF. Also, if the position value is over 80000 hex, it takes that and uses the next two bytes, adds them together, and uses that as the position value. The silence table was 0x0 in every single Teddy Ruxpin file that I checked, so I don't know too much about that particular table outside of just what I've done for some internet sleuthing, which we'll talk about soon. And then the audio data, which is 16-bit signed little endian.

The mark table. So when you're looking at the mark table, how this thing actually works is the mark table has the position value and then the actual value. If the value is a zero, the mouth is closed. If the value is one, the mouth is half open. If the value is two, the mouth is full open. Now anything after that that you specify will correlate to image frames that are within the storybook. So if you want to make, let's say, a special logo pop up or his eyes blink or something, you would essentially put the value of that image data, and then you would set up multiples to essentially make it a moving image or whatever you're trying to do. But everything that you do, let's say your image file is number one, well, you're still going to have to be offset by the mouth open, mouth closed, and full mouth open values. So whatever it is, you have to offset it by three.

So then let's look at the silence table. I talked about it earlier, but I didn't actually mention what it's for. The only thing this is here for is compression. They don't use it. I guess the stories weren't big enough or it wasn't needed, but it essentially just references silent data and marks the position in the table.
And the only reason I knew that is because of just random internet searches on the subject. Unfortunately, Teddy doesn't use it. I just know that the files themselves have that field, and in my tests, they completely broke any time I tried to enable it.

So then we go to the audio data. It is 16-bit little endian signed data that's stored after the mark table and silence detection table. It only supports 16 kilohertz sample rates, and then it supports bit rates of 16, 20, 24, 28, and 32 kilobits per second.

So what I've done for people who want to hack their own Teddy Ruxpin is I created this Teddy Ruxpone, and essentially there's no 0day in this presentation. It's simply just reverse engineering stuff. So I threw together some Python code that essentially takes an input file. It breaks it down into a folder structure that contains an eye folder and an audio folder, and it throws all the eyes and all the audio into those folders. You modify what you want, and then you use that folder as an input to recreate a new file. So if you take your Teddy, connect him to USB, take one of the files, decompress it or extract all the portions, modify it, rebuild it, then you can put that on the bear's mass storage drive or device and be able to see the new content that you created.

This is an example of said content. It's been the background for all the slides, but I felt like for DEF CON it was important to throw the DEF CON logo into the eyes. So let me show you a little demo that I created, which is generally all the fun. I hope you don't mind. I know there's a no video/photography rule, or there used to be, but I got this 3D camera that is awesome and I really want to use it, so everyone can just deal with me breaking that rule. Okay, cool. So let's make sure that it's nice and zoomed in. Let's play this guy right there and let me get this mic. Hello? Okay, cool. "Here's Anilia, Anilia is my best friend." And that's the outcome of months of work. So I hope you guys enjoyed that.
Let me give thanks to the Exploiteers; one of my ex-colleagues, Ryan Smith; the DEF CON staff for helping me on every presentation I've ever done; and my family, especially my kid and wife, for tolerating me destroying all of my kid's toys and then filling the kitchen with tons of hardware hacking gear. By the way, if you're leaving, I've got free stuff to give out, so you may not want to.

Hack all the things. We have an IRC server where people just jump in and they tell us what they're hacking on, and if they have any problems, we help them. So if you are hacking on something, you're new, or you just want to chat with my people, jump on Freenode, channel #exploiteers. There shouldn't be a dot in that channel name, my bad. So just exploiteers without the dot.

And yeah, if you go to the last three, the back three doors, I've got some of my Exploiteers friends. They're going to be handing out these SD breakouts that we created based on a previous talk, but you can grab one of those. We've got some stickers. We have some SAOs for your badges. They don't work, but you can just tape them on or something, who cares. And yeah, thank you everyone for coming out and braving the heat together. Thank you.
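The mark-table and audio-data description from the talk (the "AU" header fields, the (position, value) pairs ending in 0xFFFF, the extended two-word position, the 0/1/2 mouth states and the offset-by-three image frame indices) is enough to write a small parser and builder. The following is an added example, not Zenofex's own Python tool and not Sonix's documentation; it reconstructs the layout from the spoken description, and every exact byte offset is an assumption: each header field is taken as a two-byte little-endian word in the order the talk lists them, the extension flag is taken as bit 15 (0x8000) of the first position word because a two-byte word cannot hold 0x80000, the two words are combined as high word shifted left by 16 (the talk only says "adds them together"), a silence-table flag of 0 is taken to mean no silence-table bytes follow, and mark positions are taken to be sample indices. The sample file below is constructed inline with the builder so the round trip can be checked offline.

```python
"""Parse and build Sonix-style "AU" audio files as described in the Teddy Ruxpin talk.

Added example (not the speaker's code). Assumed layout, little-endian throughout:
  b"AU" | const | sample rate | channels | unk | unk | mark-table flag | silence flag | unk
  mark table: (position, value) uint16 pairs; a position word with bit 15 set is
              followed by a second word (assumed: pos = (hi & 0x7FFF) << 16 | lo);
              the table ends with 0xFFFF
  silence table: assumed absent when its flag is 0 (every file the talk saw had 0)
  audio: int16 signed little-endian PCM
"""
import struct
from dataclasses import dataclass, field

MAGIC = b"AU"
HEADER_FMT = "<8H"          # const, rate, channels, unk, unk, mark flag, silence flag, unk
HEADER_LEN = 2 + struct.calcsize(HEADER_FMT)   # 18 bytes (assumed)
END = 0xFFFF                # mark-table terminator, per the talk
EXT_FLAG = 0x8000           # assumed: bit 15 set means the position continues in the next word
MOUTH = {0: "closed", 1: "half open", 2: "full open"}
FRAME_OFFSET = 3            # image frames start at value 3, offset by the three mouth states


@dataclass
class AuFile:
    sample_rate: int
    channels: int
    marks: list                                  # [(position, value), ...]
    samples: list = field(default_factory=list)  # int16 PCM values


def parse_mark_table(data, off):
    """Read (position, value) pairs until 0xFFFF; return (marks, offset after the terminator)."""
    marks = []
    while True:
        (word,) = struct.unpack_from("<H", data, off)
        off += 2
        if word == END:
            return marks, off
        pos = word
        if word & EXT_FLAG:  # extended position: combine with the following word (assumed rule)
            (lo,) = struct.unpack_from("<H", data, off)
            off += 2
            pos = ((word & 0x7FFF) << 16) | lo
        (val,) = struct.unpack_from("<H", data, off)
        off += 2
        marks.append((pos, val))


def parse_au(data):
    """Split an AU blob into header fields, mark table and PCM samples."""
    if data[:2] != MAGIC:
        raise ValueError("missing AU magic")
    _const, rate, chans, _u1, _u2, has_marks, has_silence, _u3 = struct.unpack_from(HEADER_FMT, data, 2)
    if has_silence:
        # The talk: the flag was 0 in every file and enabling it broke playback; refuse rather than guess.
        raise ValueError("silence table present; its layout is unknown")
    off = HEADER_LEN
    marks = []
    if has_marks:
        marks, off = parse_mark_table(data, off)
    count = (len(data) - off) // 2
    samples = list(struct.unpack_from(f"<{count}h", data, off))
    return AuFile(rate, chans, marks, samples)


def build_au(rate, marks, samples, const=0):
    """Inverse of parse_au: emit header, mark table (if any) and PCM, using the same assumed layout."""
    out = bytearray(MAGIC)
    out += struct.pack(HEADER_FMT, const, rate, 1, 0, 0, 1 if marks else 0, 0, 0)
    for pos, val in marks:
        if pos >= EXT_FLAG:
            out += struct.pack("<HH", EXT_FLAG | (pos >> 16), pos & 0xFFFF)
        else:
            out += struct.pack("<H", pos)
        out += struct.pack("<H", val)
    if marks:
        out += struct.pack("<H", END)
    out += struct.pack(f"<{len(samples)}h", *samples)
    return bytes(out)


def describe(au):
    """Translate mark values into what the bear does: mouth state or storybook image frame."""
    events = []
    for pos, val in au.marks:
        what = MOUTH[val] if val in MOUTH else f"frame {val - FRAME_OFFSET}"
        events.append((pos, pos / au.sample_rate, what))  # position assumed to be a sample index
    return events


# Constructed sample: 16 kHz, five marks (two need the extended position form), six PCM samples.
SAMPLE_MARKS = [(0, 0), (1600, 1), (3200, 2), (40000, 3), (70000, 0)]
SAMPLE_PCM = [0, 1000, -1000, 2000, -2000, 0]
SAMPLE_FILE = build_au(16000, SAMPLE_MARKS, SAMPLE_PCM)

if __name__ == "__main__":
    au = parse_au(SAMPLE_FILE)
    for pos, seconds, what in describe(au):
        print(f"{pos:>7} samples ({seconds:5.2f}s): {what}")
    print(f"{len(au.samples)} PCM samples at {au.sample_rate} Hz")
```

To use this against a real file, replace `SAMPLE_FILE` with the bytes of an "AU" record extracted from a storybook; `build_au` then lets you re-emit the record with added frame triggers (remember the offset of three), and `describe` is a quick sanity check that the trigger timeline still makes sense before copying the rebuilt book onto the bear's mass storage.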