Reverse Engineering TamaTown?

[SilicaAndPina]

Sorry if this is the wrong place to post this, im new to the fourm.

So. i was feeling very nostellgic when i found my old tamagotchi v5 (surprisingly, it still works!) i remembered there was a TamaTown Website thing you could goto to send your Tamagotchi data (it used like some password system) and then it would generate a code based on what you did, unfortunately this website does not exist anymore (doesnt even load on the web archive (except for V3 which gets to the login screen, but it cant get much further than that)

Now, these days i do alot of Software Reverse Engineering (mostly of the PlayStation Vita OS..) Which got me thinking about how this thing probably works behind the scenes:

Obviously the Tamagotchi device itself doesnt have an internet connection, which means there is probably some password generation algorithm on TamaTown (as well as a inverse of it on the device itself but, mainly due to lack of hardware knowledge and also because this is my *original* tamagotchi, im not about to open the thing up to try dump out the ROM (though i could maybe get another one..) (as nice of a resource that would be for static analysis) i did a quick google search for "Tamagotchi ROM Dump" it seems some people have mannaged to dump the rom of some of the older devices (but i couldnt find any downloads) its possible the password stuff was done server-side in which case reversing the ROM would be the only way to get the secrets.

i figured the clock is probably how it does everything, it seems its even used for login password generation since changing the clock also seemed to change the password. im guessing your tamagotchi probably had to have the right time (to some degree) to be able to login to the server?

besides that i havent been able to find much about how the device works internally, so i assume id have to take a look at the TamaTown Binaries at first i wondered if anyone ever made a private server for TamaTown (simular to the club penguin private servers) i came across this (also dead) site https://tamagotch.org/tamatown/ and this GIT repository https://github.com/loociano/tamatown which has a link to a few SWF files and goes over how the authentication worked for a few of them, so it seems like attempts where made? (though there was just a post with some more swfs for v4 posted just a few ago here)

So basically im posting here, what (if any) progress has been made on reversing and hacking tamagotchi in general, what has allready been done ?

 

[Kurb]

Someone here at Tamatalk has created SWF files for TamaTown, and i think many people are trying to revive Tamatown

le gif:

 

[SilicaAndPina]

Someone here at Tamatalk has created SWF files for TamaTown, and i think many people are trying to revive Tamatown

le gif:

yea i was reading stuff here after posting. it seems V4 is the most popular? also from what i gather yes code generation was server side, meaning you would have to dump the ROM of the tamagotchi device itself in order to work out how its generated ..

it also might be possible to dump it via exploits instead of hardware hacking

 

[Kurb]

*clears throat*

Anyone willing to make a sacrifice?

also, paging @hwd45

 

[SilicaAndPina]

So i read how that person mannaged to dump the Tama-go's ROM, they used a vulnerability in the software, tbh i have a tama-go too which i got more recently-ish. *just not any figures which are needed to trigger the exploit* the idea of homebrew development on a tamagotchi just sounds awesome though.

Anyway more interesting is that they foundGeneralPlus have whats basically a backdoor on all there ROM's that allows you to do arbitary code execution (and thus dump the ROM) via there "GeneralPlus Test Program" so maybe dumping ROM wont be so hard after all, i thought it would require decapping the chip and reading it out under a microscope 

 

[hwd45]

Recovering Tamatown is a popular topic, so let's go over all the most popular queries in one:

Preserved Tamatown Files
I've got a spreadsheet here containing all that's currently known about what files have been preserved and which are missing. So far, the Wayback Machine has been our only source for recovering the lost Tamatown files, and no other attempts at recovery have been successful.

You may have noticed that there have been several attempts to "revive" Tamatown by stitching together the few files we have. These are often sensationalised or misunderstood, so let me explain with a sort of stock reply I give to people first hearing about the revivals:

• Tamatown was shut down in early 2013 and the servers were put offline.
  
• Although there were some archived versions of the site only a few of the necessary files were archived on the wayback machine and as such the majority of all versions of Tamatown are currently missing and will likely stay that way forever.
  
• There have been at least two "recovery" attempts that gained popularity:
  
  
  The first, by a guy called Luc Rubio, attempted to fully document how the sites technically functioned and they compiled all known flash files that have been recovered in one place. Contrary to popular misconception, he was not able to recover anything that had not been found before, nor did he attempt to fill in the gaps with fan-made content, and it's thought that the DMCA rumours are also just that... rumours. In fact, searching through some old threads on the topic reveals that someone warned him that a DMCA was something to be aware of and he shut down his website in fear of legal action, not because any legal action was actually taken.
  
• In a similar vein someone called Alex Grigoriou is currently hosting a fan-made remake of Tamatown that once again takes the recovered files, stitches them together using Flash and he's filled in some of the gaps with videos taken from YouTube showing what the missing locations looked like, or games from the Japanese equivalents of Tamatown (which were also not fully archived). There is no password generation aspect to this version of Tamatown, and the files responsible for displaying the names and images of the items accessible on the site were also not archived. Again, there's a misconception that he's been recovering things that have been lost for years - he's not, as all the recovered flash files are ones that had already been preserved on the WayBack Machine. He had made some attempts to use the Temporary Internet Files folder (which was apparently notorious for not being cleared automatically on WinXP when using IE) to recover the Tamatown files, but sadly these attempts have been fruitless, as have my attempts. If it's true that this folder can cache the necessary files then it's possible that fragments of the site still lie on people's old laptops, and it's possible that data recovery tools can recover these files if the computer has already deleted them, but the outlook isn't good.
  

Password Generation
So, if the Tamatown files weren't fully preserved, one might wonder if the elements that allowed for password generation were? There were password generators that were active in the past, after all. However, as you correctly speculated, the generation was done server-side:

• A .cgi common gateway interface file was used to access server-side password generation programs and so by their very nature these server-side files are not cached or archived as only the .cgi file is directly accessed and these files are simply information request files that gather information from the servers.
  
• All previously accessible password generators simply took in input parameters like item ID or user name and they'd perform the same server request that is done when accessing Tamatown normally. As such, when the servers went down, so did the generators.
  

Password Cracking
I made a thread a few months ago here about the potential for cracking passwords with brute force. The tl;dr of it is that while it's potentially possible to further our understanding of the password system this way, it would take immense amounts of effort. I've been able to figure out something of a pattern in the Passport passwords for the username "TMGC!", but I could only do so because I was able to obtain a list of several hundred passwords which all gave the same outcome. If I had access to a similarly large list of passwords for a different item or username then I'd probably be able to make significant progress on understanding the passwords, but alas, as far as I can tell no such list has ever been produced. This means that, unless a miracle happens, there's only one way to crack the passwords:

ROM Dumping
Of the connection series devices, only the ROMs of the Friends (specifically ROM version 8.0 00 USA) and the Tama-Go (ROM version 7.0 01 32.0 USA) have been dumped so far. It's not impossible to extend this to other devices too - there are plenty of people capable of doing this - but a lot of efforts at the moment are focused towards newer devices, of which multiple have been successfully dumped. Furthermore, there's also the issue that the V3 would have likely used a SunPlus microcontroller instead of a GeneralPlus one like the Tama-Go uses - as such, it's harder to find the required data sheets to understand and successfully dump the device's ROM.

Basically, a ROM dump will definitely happen at some point, but I don't really have any idea of when that'll be, sadly. I've got my fingers crossed, though.

 

[SilicaAndPina]

Recovering Tamatown is a popular topic, so let's go over all the most popular queries in one:

Preserved Tamatown Files
I've got a spreadsheet here containing all that's currently known about what files have been preserved and which are missing. So far, the Wayback Machine has been our only source for recovering the lost Tamatown files, and no other attempts at recovery have been successful.

You may have noticed that there have been several attempts to "revive" Tamatown by stitching together the few files we have. These are often sensationalised or misunderstood, so let me explain with a sort of stock reply I give to people first hearing about the revivals:

Password Generation
So, if the Tamatown files weren't fully preserved, one might wonder if the elements that allowed for password generation were? There were password generators that were active in the past, after all. However, as you correctly speculated, the generation was done server-side:

• A .cgi common gateway interface file was used to access server-side password generation programs and so by their very nature these server-side files are not cached or archived as only the .cgi file is directly accessed and these files are simply information request files that gather information from the servers.
  
• All previously accessible password generators simply took in input parameters like item ID or user name and they'd perform the same server request that is done when accessing Tamatown normally. As such, when the servers went down, so did the generators.
  

Password Cracking
I made a thread a few months ago here about the potential for cracking passwords with brute force. The tl;dr of it is that while it's potentially possible to further our understanding of the password system this way, it would take immense amounts of effort. I've been able to figure out something of a pattern in the Passport passwords for the username "TMGC!", but I could only do so because I was able to obtain a list of several hundred passwords which all gave the same outcome. If I had access to a similarly large list of passwords for a different item or username then I'd probably be able to make significant progress on understanding the passwords, but alas, as far as I can tell no such list has ever been produced. This means that, unless a miracle happens, there's only one way to crack the passwords:

ROM Dumping
Of the connection series devices, only the ROMs of the Friends (specifically ROM version 8.0 00 USA) and the Tama-Go (ROM version 7.0 01 32.0 USA) have been dumped so far. It's not impossible to extend this to other devices too - there are plenty of people capable of doing this - but a lot of efforts at the moment are focused towards newer devices, of which multiple have been successfully dumped. Furthermore, there's also the issue that the V3 would have likely used a SunPlus microcontroller instead of a GeneralPlus one like the Tama-Go uses - as such, it's harder to find the required data sheets to understand and successfully dump the device's ROM.

Basically, a ROM dump will definitely happen at some point, but I don't really have any idea of when that'll be, sadly. I've got my fingers crossed, though.

V5's passwords acturally wherent tied to your username (atleast, there where a few that where not. i remember having a DVD that had a bunch of passwords on it (the wiki says this was only for the original release of the famaletchi, "Tama DVD", probably super rare now. i no longer have it though).. though it seems TamGo is definitely based on the username. anyway obviously with a ROM dump you can just reverse the code that generates the passwords easily.

(also! i found a nice money dupe on TamaGo ->

enter amount of $$$ u want onto the PC connection ->

enter login code as logout code ->

enter PC connection again but enter 0 points this time ->

enter old login code(from last one) as logout again, repeat for infinite points)

its probably allready known but whatever thought it was interesting that they use the same algorithm :? 

 

[Eggiweg]

The V5 passwords were not username specific and a list of them can be found here.

 

[SilicaAndPina]

The V5 passwords were not username specific and a list of them can be found here.

the "special" ones where not, i think tamatown codes still needed your login password which was different every time.

it even said it on the Tamatown & Earth EXPO 

 

[Kurb]

I'm stumped. The only solution I can think of is to search GitHub and pray. Also, just in case, paging @binary

 

[SilicaAndPina]

I'm stumped. The only solution I can think of is to search GitHub and pray. Also, just in case, paging @binary

I worked a bit out about the v5 password generation



using this list tells me alot, first that only thing that matters is what tamagotchi you have (and its gender)

21000 < this is obviously your tamagotchi region where 0 = japan, 1 = oceania 2 = america 3 = europe (i think v5 celebrity had like 4?) maybe 2 is like type "give GP" or something.

10554 < the pattern i noticed here was x05x maybe 05 is the prize number (05 being 1000GP) and its like x05x where the 2 x's represent what tama you have. so "15" (another theroy i had is this is some sort of list maybe the first is like what stage its in (baby, toddler, teen, adult, etc) and then the 2nd one is which of those it is . not sure)

now then whats this 4 at the end? well its a checksum of the rest of the code, like a litteral checksum

it is the sum of the entire code (minus the check digit) modulo 10 

2+1+0+0+0+1+0+5+5 = 14

14 mod 10 = 4

check byte is 4, so the code is 21000 10554

:0 thou hast been reversed? maybe im wrong about how "your current tamagotchi" is encoded it seems like a weird way to do it

 

[Kurb]

boom. Now, would anyone step up to the testing plate?

@hwd45, we've done it.

 

[SilicaAndPina]

Finally had the chance to try this on my V5 and well it seems i was right about the prize amount being specified by a single number for example (if you have a male futabatchi) 

21000 00452 gives you 700GP

21000 00351 gives you 500GP

Also, yes i was right about the "2" being a type identifier. 

31000 00550 gave me a food item erh a cinamon roll sort of thing. idk its actural name. 

but anyway, 

first digit is type- 

1 = no prize

2 = gotchi points

3 = gift / item 

ahahah

next thing i need to work out is *login password* in theroy. login password should contain all the information needed to create a logout password, which is. what tam you have, and your region. (00, 01, 02, 03 etc)

Login password is different every time, luckily we can still create them today

here are some examples from my Futabatchi(M) in Oceiana Region (1)

10070 01540

10060 01530

01035 01000

01085 10500

01035 01000

Notice how they all have those required values? my V5 is region 1 and the tamagotchi i have is 0,5 all these passwords have a 5 and a 0 somewhere just in differnet places, also the checksum is different (if there even is a checksum on login password, 0+0+1+5+5+1+0+2+0 = 14, 14 mod 10 = 4. soo thats wrong)

looking at this i allready have an idea, it seems like theres 2 3 formats

if the first digit is 1 then the tama index'es are on the 2nd part in position 0 and 1 see how on these (both begin with 1) 10070 01540 & 10060 01530 both have "015" which gives us the current tamagotchi (0,5) and also the region "1" however if its 0 then its on the first part with 01035 10x5 again has all the information it would need atleast thats what i thought until i got 01000 00157 but wait a minute.. 0+1+0+0+0+0+0+1+5 = 7 mod 10 its still 7 wew maybe thats anoher format where if the check byte matches then its got like "015" right at the end :-: IDK this is complicated but im guessing that was to stop people using tamaown without a tamagotchi honesly i need more login codes from other tama's and regions

so with that. if you have a V5 (thats not oceania region or a Futabatchi) please just go generate a bunch of login passwords so i can see better how region is encoded 

 

[SilicaAndPina]

based on the "multiple variations" theroy- i wrote this python3 code: https://pastebin.com/Q15QFTGp there are some variables im not quite sure are for (maybe integretity checking?) but there not important lel it works anyway without knowing what they are

still not entirely sure how items work (only item id 01 is valid apparently (maybe its acturally a quantity?)) it can generate login passwords from my logout passwords consistantly (atleast for me) anyone else wanna give it a try?, my tama's evolved from there baby state and it still worked. (went from 0,5 to 1,1 btw which backs up the stage:tama list theroy~) . i really just need ppl with other-region v5's to try it .

 

[hwd45]

This is all incredible work!

Also, can confirm that there's (probably) only four regional releases - they seem to correspond with the region codes:

0 - Japan - ROM versions 28.2, 28.3

1 - Asia / Oceania - ROM version 30.1

2 - US - ROM version 32.1

3 - Europe - ROM version 34.1

Not sure if there's any difference in the passwords between the two Japanese revisions and the ROM version of the Spanish release is currently unconfirmed (but it's probably just 32.2).

 

[SilicaAndPina]

This is all incredible work!

Also, can confirm that there's (probably) only four regional releases - they seem to correspond with the region codes:

0 - Japan - ROM versions 28.2, 28.3

1 - Asia / Oceania - ROM version 30.1

2 - US - ROM version 32.1

3 - Europe - ROM version 34.1

Not sure if there's any difference in the passwords between the two Japanese revisions and the ROM version of the Spanish release is currently unconfirmed (but it's probably just 32.2).

I need to try this code on other regions.. if you have a famitama from another region please send me login password .-.

also u forgot that region 5 is v5.5 / cleb according to this chart binary did:

 

 

[hwd45]

I need to try this code on other regions.. if you have a famitama from another region please send me login password .-.

also u forgot that region 5 is v5.5 / cleb according to this chart binary did:

 

I didn't forget, I was entirely unaware! Hahaha

It makes sense though, given the V5.5 is version 36.0 in all regions.

I guess the character-related integers in the password are to do with the character's ID and gender? Looking at the image above, a male futabatchi would have ID 05 and Mataritchi would have ID 11.

 

[SilicaAndPina]

I didn't forget, I was entirely unaware! Hahaha

It makes sense though, given the V5.5 is version 36.0 in all regions.

I guess the character-related integers in the password are to do with the character's ID and gender? Looking at the image above, a male futabatchi would have ID 05 and Mataritchi would have ID 11.

it seems more like a stage:index type thing to me, like how futabachi is 0:5 (because 0 = baby tamagotchi & 5 is the index, basically its the 6th baby (because we count from 0)) 

when it evolved into toddler status it became 1:1 which sorta backs up the theroy either way what it means doesnt matter, we have the 2 digits for what tama you have in login password, and we can use the smae 2 digits for creating logout

ANYWAY~ my work here is done:

v5 Password Generator: https://github.com/KuromeSan/V5-Password-Generator/tree/v1.0

Famitama.cgi re-write: https://github.com/KuromeSan/TamaTown/blob/master/V5/pc/cgi/Famitama.cgi

btw my Tama & Earth EXPO rebuild now uses this code and you can login / logout with any v5 or v5.5