Reverse Engineering the Little Tikes Dream Machine Projector – Part 1

So I recently purchased a Little Tikes Dream Machine (LINK) for my little one.

Ofc, immediately I felt the itch to poke at it. So, I purchased a second one lol.

Turns out it's a pretty big black box, and that is the case for all of these children's electronics.

Originally I was going to wait until I finished my research to post it all; however, it looks like it's going to take me a lot longer than I thought.

So here we are with part 1. Moving forward the parts will be smaller, more organized and easier to digest. This part however, I cannot promise the same.

So let's jump in. The main pieces are the projector, the minibooks and the figures. It turns out that the minibooks are just a 1 MB SPI chip.

Interestingly, they just have the UART(ish) pads exposed, and that is actually how the minibook is read by the projector.

Here’s the chipset:
Manufacturer: PUYA Semiconductor

Part Number: P25D80SH

Memory Size: 8 Mbit (1 MB)

Interface: SPI (Serial Peripheral Interface)

Package: SOP-8

Here’s the pinout:
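| Chip Pin | Label | Bus Pirate Pin |
|----------|-------|----------------|
| 1 | CS | CS (Chip Select) |
| 2 | SO | MISO |
| 3 | WP | Tie to 3.3V or use AUX (pull high) |
| 4 | GND | GND |
| 5 | SI | MOSI |
| 6 | SCK | CLK |
| 7 | HOLD | Tie to 3.3V or use AUX (pull high) |
| 8 | VCC | 3.3V |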

I couldn’t get ISP dumping working, so I ended up desoldering one of the minibooks and dumping it that way.

Unfortunately, it looks to be encrypted, both from obviously looking at it and when you run entropy checks.

I have uploaded the raw dump to my GitHub and you can grab it from <HERE>.

It looks to be encrypted and certainly doesn’t take up the whole space, which if you have one of these you’d know b/c the minibooks are so short.
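The entropy check and the "doesn't fill the chip" observation can be combined into one pass that maps a flash image into erased, high-entropy and structured regions. This is an added example, not the author's tooling; the 4 KiB window, the 7.5 bits/byte threshold and the sample image are assumptions, and the sample is constructed inline rather than taken from the real dump.

```python
import math
import os
from collections import Counter

BLOCK = 4096  # assumed window size: one 4 KiB flash sector

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(block: bytes) -> str:
    """Label one block: erased flash, high entropy, or structured data."""
    if block.count(0xFF) == len(block):
        return "erased"  # NOR flash reads back 0xFF where nothing was programmed
    # Assumed threshold: 4096 uniformly random bytes measure about 7.95
    return "high-entropy" if shannon_entropy(block) > 7.5 else "structured"

def segment(image: bytes, block: int = BLOCK):
    """Merge consecutive same-label blocks into (start, end, label) runs."""
    runs = []
    for off in range(0, len(image), block):
        label = classify(image[off:off + block])
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], off + block, label)
        else:
            runs.append((off, off + block, label))
    return [(s, min(e, len(image)), lab) for s, e, lab in runs]

def build_sample() -> bytes:
    """Constructed 1 MiB image: text header, random body, erased tail."""
    header = (b"CONSTRUCTED-HEADER " * 256)[:4096]
    body = os.urandom(200 * 1024)  # stands in for encrypted content
    image = header + body
    return image + b"\xff" * (1024 * 1024 - len(image))

if __name__ == "__main__":
    # To map a real dump, replace build_sample() with the file's bytes.
    for start, end, label in segment(build_sample()):
        print(f"0x{start:06x}-0x{end:06x}  {label}")
```

High entropy alone is consistent with both encryption and compression, so the segment map narrows where to look rather than identifying the scheme. A short trailer after the main body shows up as its own run if it is block-aligned, or as a lower-entropy final block if it is not.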

I ended up making some assumptions and trying to decrypt it based off what stands out at the end of the bin. Interestingly, there seems to be what I think is the IV or key (could be a hash or who knows I guess though).

I ended up trying a bunch of basic implementations based off the chipset, manufacturer, etc. to try to decrypt the BIN using these bytes as the IV and/or key. To no avail.

Anyway, so at this point it was obviously not going to be a quick win, so let me cover some stuff about the manufacturer of the MCU in the project b/c ultimately that is who is likely to have the documentation/hardware/software to debug or program their own chipset obviously.

The main manufacturer is GeneralPlus who have contracts with a few children’s toy organizations.

They don’t have much online but they have accidentally leaked stuff over the years.

For example, here is a list of chipsets and the name of their supported documents.

In the next post I’ll cover the manufacturer more and introduce the project itself.

END TRANSMISSION
