Whilst some impressive hacks (and especially convincing university staff to lend you their Expensive Toys), my understanding is that the really tricky bit is going from die scans to netlist/circuit diagram, and thence simulation/code extraction.

The Visual6502 [1] folks are probably the best example of how well it can be done (assuming you can't afford to pay ChipWorks or FlyLogic to do it for you), but if you're working with a standardish MCU core and some masked ROM, a lower-tech solution like the Dangerous Prototypes "rompar" [2] might work.

Probably requires quite a few dies, or plenty of experience in extracting them, before you succeed though.

For actually reverse engineering the flash contents, I think it'd be easier to sniff the bus traffic as you probe it, or make a read/write-capable emulator that logs what's going on. With the hacked phone-side control library, you could probably build a mostly automated harness to exercise the various settings and see what gets stored in flash.

[1] http://visual6502.org/

[2] http://adamsblog.aperturelabs.com/2013/01/fun-with-masked-roms.html
From the Wikipedia article: "Furbies were banned from the National Security Agency of the United States due to concerns that they may be used to record and repeat classified information."

http://en.wikipedia.org/wiki/Furby
I knew I remembered the GeneralPlus name from somewhere:

"Many Tamagotchis Were Harmed in the Making of This Presentation"

PDF: http://recon.cx/2013/slides/Recon2013-Natalie%20Silvanovich-Many%20More%20Tamagotchis%20Were%20Harmed%20in%20the%20Making%20of%20this%20Presentation.pdf

Video (original? talk): https://www.youtube.com/watch?v=WOJfUcCOhJ0

Video (newer talk at ReCon): http://recon.cx/2013/video/Recon2013-Natalie%20Silvanovich-%20Many%20More%20Tamagotchis%20Were%20Harmed%20in%20the%20Making%20of%20this%20Presentation.mp4

Natalie Silvanovich did this kind of reversing on a few Tamagotchi products with great success.
It's projects like this that spark me to always go out and try to learn new things. I forget how much of the world around us is hackable sometimes, and it really is sad to think I get so caught up that I don't think of these projects nearly as often as I used to. Hopefully this guy gets somewhere :) These writeups are inspiring, interesting, and educational, all wrapped into one nice little package.
So, remember that virus that communicates using high-pitched sound? If not, here's an article:

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

This article says that the Furby communicates in the same way. It would be interesting if the Furby was a vector for spreading messages via this virus. Very, very interesting.
I've seen something along this line before, but this article is dated yesterday.

https://github.com/iafan/Hacksby found via hnsearch.com, but I don't think that's where I saw the details last time.

There's this too, about open-source Furby-like projects: http://news.ycombinator.com/item?id=4984100
It would probably be easier to read the chip in-situ with a Bus Pirate and flashrom:

http://dangerousprototypes.com/docs/Bus_Pirate

http://flashrom.org

I used one of these to reflash the BIOS on a logic board after the utility provided died, without removing the BIOS from the board.
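An added example, not from the commenter or from the flashrom project, of the in-circuit read described above: flashrom drives the Bus Pirate's SPI programmer, and the chip is dumped twice and the images compared, because an in-situ read shares the bus with the rest of the board and a single read is not trustworthy. The device path and SPI speed are assumptions for a typical USB Bus Pirate.

```shell
#!/bin/sh
# Added example: dump an SPI flash in-circuit via Bus Pirate + flashrom and
# verify the read by comparing two consecutive dumps.
# BP_DEV and SPI_SPEED are assumed defaults; override them in the environment.
BP_DEV="${BP_DEV:-/dev/ttyUSB0}"
SPI_SPEED="${SPI_SPEED:-1M}"

# Read the whole flash into the file named by $1 using flashrom's
# buspirate_spi programmer driver (these parameter names are flashrom's own).
dump_chip() {
    flashrom -p "buspirate_spi:dev=${BP_DEV},spispeed=${SPI_SPEED}" -r "$1"
}

# Return 0 if the two image files are byte-identical; otherwise print the
# first differing offset (cmp's output) and return 1.
images_match() {
    if cmp -s "$1" "$2"; then
        return 0
    fi
    cmp "$1" "$2" | head -n 1
    return 1
}

# Dump twice into "$1.a" and "$1.b"; keep "$1" only when both reads agree.
# Returns 0 on a verified dump, 1 on mismatch, 2 if flashrom itself failed.
read_and_verify() {
    dump_chip "$1.a" && dump_chip "$1.b" || return 2
    if images_match "$1.a" "$1.b"; then
        mv "$1.a" "$1" && rm -f "$1.b"
        sha256sum "$1"
        return 0
    fi
    echo "reads differ: check wiring or lower SPI_SPEED before trusting a dump" >&2
    return 1
}
```

Run it as `read_and_verify furby_flash.bin`; the printed SHA-256 lets you confirm later re-reads against the verified image.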