My name is Teddy Ruxpin. Can you and I be friends? Welcome to the Desk of Ladyada. Hey everybody and welcome to my desk. I hope everyone's having a wonderful Memorial Day weekend, a long weekend for many of us, a great weekend to do some hacking. You don't have any news or updates, right? No, we'll have our regular shows during the week and full speed ahead. Yeah, okay. What's on your desk this week? What's on my desk is this stuffed animal bear. This is the 2017 version of the Teddy Ruxpin, which when I was a kid was like the toy to have. I didn't have the Teddy Ruxpin, but I saw one once in person and I was like, wow. It had a cassette tape that you'd put in and the cassette tape, I guess, used the different tracks to control the mouth, maybe through, you know, the reverse track, the B track, or a sub frequency. I actually never looked into how it worked. And then it would, of course, play audio and it had a little robotic mouth. So this is the modernized version. So you bought this in 2017 actually. Yeah, for some reason I thought I might need it one day. It turns out I did. Since then the company's gone out of business, so you can get these on the cheap, and we have a kid now. So we thought, hey, let's see if we can hack it. Yeah. This is by Wicked Cool Toys, yeah, I guess in 2017. I'm not going to show you the overhead because this is pretty big, but over here you can see there's a micro USB port and then it has the standard off / low volume / high volume switch. Yes, this is off now and then I can put it on low volume and then it turns on. Hi, my name is Teddy Ruxpin. Can you and I be friends? And then, you know, this is the one that I've hacked. So when it's idle, it has a little Adafruit star on the TFT. So it has two TFTs for eyes.
Now I'm not going to say that they were inspired by Phil B's TFT eyeball code, but a lot of stuff that Paint Your Dragon has done here at Adafruit has turned into toys or Halloween props two or three years later. So, you know, it's a really well designed toy. We've covered a lot of toy hacking on this show and other shows because they're just great as platforms for firmware and electronics hacking. And of course it's very well made and the TFTs are just 128 by 120 TFTs, but they've got the nice lens to kind of give it a nice eyeball look and it's cute and fluffy. But yeah, as Phil mentioned, the company that made this got purchased or went out of business; the website that was there doesn't exist. I think the app still kind of works, but it's like a zombie mode app. But the way it was designed is, like I said, there's this micro USB port on the back. So you can plug it in and it shows up as a disk drive. I didn't want to take this apart because we're still playing with it, but there's a one gig or more, like a couple gig SD card that's exposed as the mass storage over the micro USB. And you drag story files over to it. And then the story files contain the LED animations, the mouth movements, the audio. And then you can sync it with an app on your phone using Bluetooth, which I'll show in a second. And then the app is also used to unlock the stories. So this is, unfortunately, kind of a thing with modern toys. Instead of buying a cassette, you have to unlock the binary app files. But of course, the company doesn't exist anymore. And their format for making binary files was never released. And they were going to release 30 stories, but they did 10. And then their sales weren't good enough or something. The toy market's a fickle, it's a very fickle thing.
So, you know, you got this in 2017, Ladyada, and I got this. And we played with it and immediately we're like, oh my God, there's no more stories being made for it. I thought it would be cool if we could make our own story files. And, you know, let me go to the computer. The first thing I tried was, I googled for Teddy Ruxpin audio files. And it turns out that somebody uploaded, oh, you know, the archive is busy. I've never seen that before. The Internet Archive is down, but they were up earlier. They do have the Teddy Ruxpin files as a downloadable binary, which I already downloaded. And this is what the binary files look like. So, story zero through story 14 or 15. And what's interesting is if you drag these over to the bear, they don't play because they're not authenticated. Now, there's a SPI EEPROM on there, and I'm going to get a secondary bear, because I'll gut it and I'll read the SPI EEPROM. And I bet that's where the authentication bits are stored. It's probably just a little bit flag to determine whether it's allowed to play those binary files. But this is what it looks like. So there's idle, intro, and then story one through 15. These XML and torrent files are not from the original download; that's the Internet Archive, whenever you have a zip, it has this metadata in it. The actual binaries are this. And then if you open them up, they're like, okay, SNX ROM. And then you can see there are some patterns to the data. Of course, there's this FFF, okay, there's filler. But then after a while, you get this kind of repeating data. And it's very patterned, non-compressed, obviously, because you see a lot of repeating elements.
And it turns out those are the TFT eyeball images. And as you keep going down, there is, at the end, this compressed audio. It's not uncompressed, unlike the graphics, which you can see again are very, very uncompressed. And I was kind of messing around with this. I was like, well, I'm going to Google to see if anyone else has hacked this device. It turns out there was a DEF CON talk four years ago by Zenofex and a bunch of folks at exploitee.rs. And these folks all got this bear when it first came out. And they hacked the heck out of it. So there's actually also a video presentation, which obviously I'm not going to play, but you can go to YouTube and just Google for the DEF CON teddy bear. And they actually did a lot of work, which is great because it got me going quite far. So this is the motherboard. These are the two TFT screens. What's funny is this is even a standard FPC connector that we use, with 22 pins. These are 128 by 128 TFTs again, like we stock them in the shop. They're almost certainly, well, it looks like there's a little differential signal action going on here, but it's probably SPI or maybe parallel data inputs. Looks like a bunch of pins are used. So who knows, maybe it's SPI, probably 28 pins, although I don't know, it's probably not going to be MIPI. It looks like there's a cluster of eight here, so it's probably eight bit parallel. That way you can draw to the screen very, very quickly. And then there's two TFTs, crystal, some passives. This blob chip here is the SNC7001A by a company named Sonix. We did find a data sheet for this chip. It's a 16-bit processor. Oh, you know, I thought it was an ARM Cortex, but it's actually not. I don't know why I thought that. I think other chips. So yeah, it's a 16-bit DSP processor. It's a 16-bit chip.
It's got the LCD interface for the TFT displays, an SD/MMC controller, useful for that. And then USB so it can act as that mass storage device so you can drag files over. You're wondering why doesn't it use Bluetooth to download. I think they were thinking, first off, the files are huge. So it's not easy to download over Bluetooth without disconnection issues. But maybe they had ideas that you would have other ways of authenticating the data or something. I don't know. DSP core, all sorts of fun stuff. One thing that's interesting is it's got DMA and it's got a DAC. There's an audio DAC built in with high current output, I believe, like it can drive a speaker. Yeah. So it's got a 16-bit DAC with class AB embedded. So it can drive a speaker on these toys directly, which is going to reduce your costs. Although I think there might be a separate speaker driver. I think this is the speaker driver and maybe this is some flash memory. So it's probably either storing the code or the configuration for this chip. Maybe this other one is the speaker driver, a motor driver. This is that SD card I said where the data is actually stored and that's exposed through the micro USB port, which I think is on the other side. And then this, I think, goes to all the buttons. There's a lot of buttons because it turns out there's one behind the logo too, which I didn't realize. And then this is a Bluetooth Low Energy module, which I thought was interesting. Why did they go with the BLE module? It turns out this is an nRF51822, which of course I know very well, because we've had firmware and modules and devices that use the nRF51 for a very long time. So this provides the Bluetooth Low Energy. And why did they do it this way?
You know, I actually have a feeling that they designed this and then later were like, oh, we have to add Bluetooth. And they were in a little bit of a rush, because it's odd that they're using a module. I mean, this is a double sided PCB. So it's not like they saved a lot of money by going with a separate module. If it was a single sided PCB or the process didn't allow for this chip, I could understand, but it isn't like it's an FCC certified module. They didn't save any certification time by having this. So I'm unclear why they went with a module instead of having the chip directly on the PCB. Mysterious. Maybe it's paper phenolic PCB material, and so maybe it didn't have the right substrate impedances for an onboard antenna, whatever the case. This is an nRF51 and you can dump it; you can even see the pads down here, SWDIO and SWCLK. These are the two TFTs. There's the Teddy main PCB, which even has some components on the back. That was a little unusual. Usually they don't do double sided designs with toys because it's more expensive. This module is nRF51822 based, and you can dump the firmware for it. Again, we've done development for the nRF51. What's funny is we actually use it also as a helper chip. We have SPI to Bluetooth software that we run that basically gives AT commands over UART or SPI. And that's what's on the Feather 32u4 BLE. This is an nRF51 module as well. So yeah, I'm very familiar with it. And then there's that app and they were sent here in the app. But the thing I was really interested in is how to create or modify these files. So the files, like I said, intro and idle. The intro is that "my name is Teddy Ruxpin."
Can you join me, friends with me? Whatever. Can you be my friend? Idle is just it sitting there and its eyes just move back and forth. And that's the thing that I modified with the eyeballs. And then they talk about the format for the SNX ROM file, which is really handy. So those non-compressed images, the non-compressed area, like this stuff, those are literally just 128 by 128 by 2 bytes of RGB565 data. It's uncompressed. It's right there. And then you can extract them very easily. And we've done that. And it turns out GIMP can read it in. So the Audio32 is where I'm at now. And there's a cliffhanger because I haven't gotten this working yet. The Audio32 format, it's kind of hard to figure out what's going on here. It's definitely compressed. What's funny is Jepler actually had a really good idea. I was like, oh, is it compressed or uncompressed audio? And obviously we looked at it in Audacity and there's no pattern to it. And then he actually tried gzipping it. And he's like, well, it doesn't compress. If you have binary data and you try to gzip it or zip it and the file doesn't change size, it means it's already compressed. So, okay, some compressed format. The people who wrote this did figure out the compression format, or at least they figured out a way to create a new file, because they did a demo where they also changed the eyeballs and they had it talking to the crowd at the presentation, which is kind of a standard thing. If you go to a DEF CON talk, there has to be this money shot at the end where, you know, the ATM spits out cash. Which is always a fun time. CCC talks and DEF CON talks are kind of like that. They're definitely entertaining.
So this tool, which was mentioned here, which would allow you to edit the file, was never released or I couldn't find it. But there was enough information here, as well as in some other notes; they also posted up a document here, which has a ctypes struct file. And this was great because it actually has pretty much all the formatting you need to extract the data. So I started taking apart the binary file by writing my own program. I've done this a billion times: you open up a file and you start reading and you unpack the data. So I find the asset tables, follow it up, just regular Python, finding the animations, finding the audio and then extracting what they've got as the sample rate, bit rate, channels and frame count. Each frame is 80 bytes, which you can calculate by dividing the file size by the frame count. So each frame is 80 bytes per frame. There's the mark table, which I think is actually kind of interesting. So you're wondering, well, how does it synchronize the mouth movement with the audio? And there's this thing called a mark table. And I ran this earlier. So the mark table looks like this. This is the intro. So it's very short: hello, my name is Teddy Ruxpin. Will you be my friend? So it's done by having alternating length in 16 bits and a value of 16 bits. And the length is in milliseconds. And then this tells you whether the mouth is open all the way or closed. And then you can see it goes 0101 with these millisecond delays in between to tell you at which mark it opens and closes the mouth. And then there's audio data after that. So I got this audio data. So I've been messing around with how to get the audio out.
And we're running out of time, we have to get to the Great Search. But it's been a little bit of an adventure. So one thing I did find on the internet, for some other device by Sonix, is audio32.c, which is a test program for the Audio32 format. And it has these numbers, which kind of match up with what it says in that header file. And of course, it's not open source, they don't publish the codec. But what they do do is they give you libsnx_audio_audio32.so, which is the shared linkable library. But that library isn't linkable on an x86 computer. Let's see, this is file on the lib. Yeah, so this file is an ELF for an ARM chip. It is dynamically linked with debug info, not stripped, which is kind of nice. Love that when the developers, for some reason or another, don't strip the file and don't remove the debug info. It's very handy. I don't know if they do it on purpose or whether it's just coincidence. They also have an archive file, which we can statically link to. So I was like, okay, well, it's ARM. So I loaded it up onto a Raspberry Pi. And I tried to compile that example code, this snx audio codec, and tried to run it, but then it faulted. And then I figured out that this shared object is not only ARM, but it's uClibc, not glibc. And uClibc is used for small OpenWrt type computers. So then I learned how to use Buildroot, and I created an ARM Buildroot that I then installed onto a Raspberry Pi computer. And I don't know if it's still running, but I can see it's still running. Okay. So here's the thing with Buildroot: it's really, really minimal, but there's no gcc, no gdb, no nothing. And I was running this program, and let's see.
Oh, it also doesn't have any way to transfer files around. So as you're encoding, to get the files back and forth, you're just pasting them in. So I tried running the compiled version. And I got it to run, sorry, I got it to input tests, sorry, intro.au. I don't know if this is the version that I patched. Yeah. So it was failing. And I tried, okay, what if you try every single format, and it would never launch the decoder. And I was a little annoyed. It was just the call to open, initialize the encoder or decoder, that wasn't working. And so I was like, well, it's not stripped and it's got debug info. So I was going to run Hex-Rays IDA, which I actually bought the license for back when I was reverse engineering the SAMD21's capacitive touch. But I lost the file. And it's been six years; I didn't want to go through getting them to resend me this old version, because it was the old license. And then I realized, oh, there's this new thing called Ghidra, which is designed by the NSA. It's a really nice reverse engineering tool. And I'd never used it before. So let's learn it and see what's in this shared object file that's not stripped. So let's see if I can open it. It's got this amazing interface. So I loaded this up and Ghidra is really, really good. It did an excellent job reverse engineering the assembly using the unstripped debug info, which of course helps a lot because you get the functions and any debug data, like it probably helps with a bunch of details. Actually, I don't know exactly what it helps with. In addition to the function calls that are exposed, maybe it does the static function calls as well. I don't know.
But you can even see here, this is the open. So this is the function that was failing, SNX Audio32 open. And it was failing because, and I don't understand why it was doing this, it was opening /dev/mem. And then this just gets the page size. And then it maps a page and then it reads a value from this address 0x9800010, or the value at the end of this page, I don't know. And then it compares it to 0x58000. Again, why? I don't know. These variables are never used again. None of this data is ever used again. It's just this weird check at the beginning. I really don't understand what it was, but it was failing here because I'm running on a Raspberry Pi and it was initially designed to run on a particular chipset. Maybe this is the thing to check that it's running on the chipset it's expecting to run on. I don't know. But here's the really cool thing. Originally, this checked if the value was equal, and if it wasn't, it returns. And what I did is you can actually find this function and you can edit it. I'm not going to do it right correctly here, but here, no, here. So this is a branch if not equal, because you're checking against this comparison. I can just edit this with patch instruction and then load this dragon. And then I can just turn it into a branch if equal. Hold on. Branch if equal. Although I don't know why it's not working now. It totally worked before. Branch if equal. Okay, there you go. Right, you have to select it. It does the assembly for you and gives it to you. And it's like, wow, I just hot patched this file. I tried running it again. And this time at least the decoder worked. Sorry, the decoder worked; the encoder still didn't work, but the decoder still isn't decoding the audio in the format I want.
So I'm still at an impasse, trying a couple other things. And I tried finding a decoder for the actual codec, who knows. It's kind of a mystery, tune in next time. This is, I think, hopefully more exciting and thrilling than Succession, which I've never watched, but apparently everybody in the world is watching. So that's where I'm at. But here's a good thing: I learned Buildroot, which I've always wanted to learn how to use. And I made a working Buildroot system for Raspberry Pi, which is super cool. And I learned Ghidra and I learned how to hot patch a binary, which I think is also really cool because I never got to use Ghidra. And the hot patching is amazing. Being able to dynamically change the code, and it inserts the right assembly and everything for you on an ARM Cortex chip, is super cool. And it's going to be very, very handy, because there's many times where chip silicon vendors give you stuff in a linkable binary and you're like, I don't want the linkable binary, I want the source code. And you want to do something with the source code; pop it into Ghidra and it will probably give you something useful. So anyway, that's my hacking. I went on long. But hopefully somebody out there, if you have ever decoded the Audio32 codec standard, which is I guess somehow based on G.722.1, but isn't, because I tried G.722.1 decoders, that didn't work either. Let me know. Post up in the comments. Like, share and subscribe. All right, so let's go on to the Great Search, maybe buy a couple now. Let's take a look at this chip. So here we go. The Great Search, where Ladyada tries to find that codec thing. Oh no, the Great Search. Sponsored by Digikey and Adafruit, where we look at ways for you to find the thing that you're looking for on digikey.com. Thanks, Digikey. Ladyada, what is this week's Great Search? Okay, so what I wanted to show was I've been hacking this bear and it was kind of cool to see what's inside. Oh, sorry, yes. The bear.
And inside there's this Sonix chip and separately a Bluetooth chip using the nRF51822, which is a chipset I know and love because we've used it many times to do Bluetooth connectivity. It's not a very powerful chip. It's like, I think, 16 or 32K of flash. It's very minimal, or RAM. It's very minimal. It's good for Bluetooth, but it's like, well, why not just have everything run on this chip? Well, this was designed in 2017 and this chip is actually a pretty powerful DSP. It can do a lot. It's got native USB. It's got SD card interfacing. It's got built-in audio. It's great for toys, which is what it is. It's a toy chipset, or apparently also used for IP cameras. So they wanted to add Bluetooth. They added it with a Bluetooth Low Energy module. Now, these days, the nRF51 is, I mean, it's not discontinued. You can still get it, but it's very long in the tooth. You'll probably want to go with an nRF52 or nRF53 series. The nRF53 is a little newer and the nRF52 is definitely the workhorse of the Nordic family. So I thought I'd show that you can get ready-to-go modules at Digikey for adding Bluetooth to an existing design. It could be that you really cannot run your entire code on the nRF52, although you should try, because it's a Cortex-M4 chip and so it's quite powerful. I think the 52840 is a Cortex-M4. The 832 might be a Cortex-M3, but they're very powerful processors, lots of flash, lots of RAM. So you might be able to do a lot of your design completely on that chip, in which case you could use a module. You plug it in. It's got the antenna, it's got the crystal, it's got the passives, it's got everything ready to go, maybe even certifications. Or you can use it like this with some other chip that you are forced to use. Maybe you need a DSP, you need RISC-V, what have you, and you can add it as an assistant chip. So let's go to Digikey. I'll just close all these things about hacking this codec. Don't forget, Digikey no longer has a dash.
That's a big new thing and it's a brighter red color. So let's go to Bluetooth modules. There's a whole area for modules and modems. There's also separately transceiver ICs, but in particular I want to show you guys modules that are ready to go. They'll speed up your development greatly. They usually come with a variety of different antenna options. They're tinned, they're certified for FCC, CE, TELEC, whatever, which can really speed up your certification process. You'll still need to do it for your finished product, but it's nice if the intentional emitter is already done, so you don't have to worry about, oh, is that going to cause me any issues. Let's go with active and let's go with normally stocking. What a coincidence, 840. The nRF52840 is my favorite. And so look at what is available down here. Let me just move the bear out of the way. Lots of options. So again, the modules come in various sizes, but most of them are very small. This one is kind of cool because it's just micro miniature. And so you can look over here, it says what chip. This is the nRF52832. Doesn't have native USB, but is otherwise a very powerful chip with a lot of peripherals. The only thing it doesn't have is USB. The 833 did add USB, I guess. I haven't used that particular one, but this is very, very cute. I like that it's extremely compact. It's a little bit more expensive than the non-compact version. u-blox makes a lot of great modules. I definitely use them. This one is also tiny. You can see the little antenna on there. So tiny, you need a macro lens to get it. The Nordic chipset though, u-blox makes modules for it, but they're not the only one. Panasonic also makes them as well. But in particular, you can actually search for what chip is inside, which is kind of nice, utilized IC part. So let's look for the nRF52. And then we'll just select them all.
Again, the 52 comes in a couple different configurations. The 811 I think is either fewer pins or less RAM. There's versions of this chip that have less RAM or less flash, fewer pins, and you'll pay a little bit less for them. So it depends on whether you want the chip to run your entire program; you might need more flash, more RAM. If you're making something like those AirTags or Tiles where it's just running a little bit of program or it makes a Bluetooth beacon, you can get away with very minimal flash, pins and memory. So you can see here the different memory configurations up to one megabyte of flash and 256K of RAM. That's the nRF52840. Okay. So looking at pricing, there's a few options. So you can get Nordic chips through the MDBT series from Raytac. I've used Raytac. They're great. These modules are fairly easy to place. They come with PCB antennas or chip antennas. Usually chip antennas will get you a little bit more range, but they're a little more expensive because they have that antenna on there. Nothing's cheaper than just a trace on a PCB. So that's going to be inexpensive. This nRF52810 is also fairly inexpensive. It's about five dollars. This one, 192K of flash, 24K of RAM. So it's a little sister to the 840 basically, which has a megabyte of flash and 256K of RAM. 52820, 832. Let's now look at marketplace products. We'll just look at what's stocked immediately on Digikey. So if you're actually looking for the absolute cheapest of all time, the Fanstel modules are going to be very inexpensive. They're bare bones, but they work very well. They will come with PCB antennas because again, they're very cost effective. However, they do all have FCC certification. If you open up the data sheet, they have TELEC, Australia, CE, IC, and they also have a QDID.
By the way, you will want that, because if you don't have a QDID, the Bluetooth group will email you and say you have to pay us for a QDID, which I found out after the fact. It's not well documented. You do need to have a QDID. So that's handy. But almost everything that comes from the Nordic family has it, except for the nRF8001, which is very discontinued. So you're probably not going to be using that chip. But this one's great. I mean, this is Cortex-M4, 64 megahertz. Again, it's the little sister to the 840, just doesn't have a ton of flash and RAM, only 192K, but that's still a lot. Don't forget, you're going to have to share that with the SoftDevice that needs to be loaded. I don't remember how big the SoftDevice is, but I think it's about half of that. And you may not have enough space to do over-the-air updates because the SoftDevice is taking up space. And then it depends on whether you have a bootloader, how many over-the-air slots you want to get. If you don't do over-the-air, maybe this is okay. And only 24K of RAM. Again, you're going to have to share that with the SoftDevice. But for very simple Bluetooth devices, this could definitely do the job for you. The 832 is also inexpensive, a little under four bucks. This has also 192K of flash and 24K of RAM. This one definitely doesn't have USB. I don't know if the 805 does. Sounds like it doesn't. But the 832 is a slightly older family, but looks like it's still available. And we have a core for this chip as well. So even though we don't support it, if you want to get started quickly, you can use the Adafruit 832 core to bootstrap your project. Looks like they have it available also with a U.FL connector, which is kind of handy if you want to have a nicer antenna. So these are some options. I'd say it's kind of hard to beat $2.50. This is my pick for the Great Search. Very inexpensive Bluetooth friend. And that's the Great Search.
And that's our show tonight. We have a big exciting night planned. We're going to try to do some more bear hacking, some baby bathing, and we're going to bed. That's right. We're tired. All right. Have a beautiful weekend everybody. See everybody next week. Thanks for joining us. Bye-bye.
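The file-format pieces described in the show (the mark table of alternating 16-bit millisecond lengths and mouth values, the 80-byte audio frames, the raw RGB565 eye images, and Jepler's "does it gzip?" test for compressed data) as an added Python example; this is not the show's script, nor the exploitee.rs tooling. Little-endian field order and the sample bytes are assumptions.

```python
"""Helpers for poking at a Teddy Ruxpin (2017) SNX ROM story file.

Added example, not code from the show or the exploitee.rs write-up. The
layout follows what was described on the show: the mark table is a run of
(uint16 duration_ms, uint16 mouth_state) pairs, audio frames are 80 bytes,
eye images are raw 128x128 RGB565. Little-endian order is an assumption.
"""
import gzip
import hashlib
import struct
from typing import List, Tuple

MARK_ENTRY = struct.Struct("<HH")   # assumed little-endian (duration_ms, state)
AUDIO_FRAME_BYTES = 80               # from the show: file size / frame count
EYE_W = EYE_H = 128                  # eye TFT images, 2 bytes per pixel


def parse_mark_table(data: bytes) -> List[Tuple[int, int, int]]:
    """Return (start_ms, duration_ms, mouth_state) per entry.

    start_ms is the running sum of earlier durations, so the list is a timeline
    that can be lined up with the decoded audio.
    """
    if len(data) % MARK_ENTRY.size:
        raise ValueError("mark table length is not a multiple of 4 bytes")
    marks, t = [], 0
    for off in range(0, len(data), MARK_ENTRY.size):
        dur, state = MARK_ENTRY.unpack_from(data, off)
        marks.append((t, dur, state))
        t += dur
    return marks


def mouth_open_spans(marks) -> List[Tuple[int, int]]:
    """Collapse the timeline into [start, end) ms windows with the mouth open.

    Adjacent open entries are merged so a servo driver sees one motion.
    """
    spans: List[Tuple[int, int]] = []
    for start, dur, state in marks:
        if not state:
            continue
        if spans and spans[-1][1] == start:
            spans[-1] = (spans[-1][0], start + dur)
        else:
            spans.append((start, start + dur))
    return spans


def bytes_per_frame(audio_len: int, frame_count: int) -> int:
    """The show's sanity check: audio size must divide evenly into frames."""
    if frame_count <= 0 or audio_len % frame_count:
        raise ValueError("audio length is not a whole number of frames")
    return audio_len // frame_count


def looks_compressed(blob: bytes, threshold: float = 0.95) -> bool:
    """Jepler's test: data that gzip cannot shrink is already compressed."""
    if not blob:
        return False
    return len(gzip.compress(blob, compresslevel=9)) / len(blob) > threshold


def rgb565_to_rgb888(word: int) -> Tuple[int, int, int]:
    """Expand one 16-bit RGB565 pixel to 8-bit components."""
    r = (word >> 11) & 0x1F
    g = (word >> 5) & 0x3F
    b = word & 0x1F
    return (r * 255 // 31, g * 255 // 63, b * 255 // 31)


def decode_eye_image(raw: bytes, w: int = EYE_W, h: int = EYE_H):
    """Turn the uncompressed eye bitmap into rows of (r, g, b) tuples."""
    if len(raw) != w * h * 2:
        raise ValueError("unexpected image size")
    px = struct.unpack("<%dH" % (w * h), raw)   # assumed little-endian
    return [[rgb565_to_rgb888(p) for p in px[y * w:(y + 1) * w]] for y in range(h)]


# Constructed sample mark table: closed/open alternation like the intro clip.
SAMPLE_MARKS = b"".join(
    MARK_ENTRY.pack(d, s)
    for d, s in [(120, 0), (180, 1), (90, 0), (60, 1), (50, 1), (300, 0)]
)
# Constructed blobs: filler-like bytes vs. pseudo-random (hash-derived) bytes.
FILLER_BLOB = b"\xff" * 4096
NOISE_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for start, dur, state in parse_mark_table(SAMPLE_MARKS):
        print("%5d ms  %s for %d ms" % (start, "open" if state else "closed", dur))
    print("mouth open windows:", mouth_open_spans(parse_mark_table(SAMPLE_MARKS)))
    print("filler looks compressed:", looks_compressed(FILLER_BLOB))
    print("noise looks compressed:", looks_compressed(NOISE_BLOB))
```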