Adding some funk to an old Vtech toy

The Scrounge

it was the first weekend of reading week. the thought of the midterms immediately after the reading week was not yet a concern. lets take apart some electronics and mess with them, we said. a value village run ensued. a slew of various used electronics were acquired including most importantly: the vtech Kidi Star Dance.

the vtech Kidi Star Dance.

this toy had all the peripherals that someone in our position could want: speakers, buttons, an lcd, lights. lots of potential to express our funkiness after we were able to run custom code on it.

this device was immediately dismantled upon returning back to the apartment. all the IC numbers were taken and plugged into google. few satisfying results were found but enough to determine:
1. the processor was a SoC based on the ARM v4 instruction set
2. it had an external 64Mbit (~8.4MB) flash memory, which was a `BY25Q64AS` manufactured by Boya Microelectronics

the SoC and flash memory.

with these two pieces of information we would be able to read and write to the external flash memory and it would help to reverse engineer the code on it if desired.

the main pcb with a chip clip on the flash chip.

using my handy SOIC 8 DIP chip clip and a ch341a flash programmer, we attempted to read the flash memory using flashrom.

there were some initial unfun errors mostly related to running flashrom on an M1 chip + macOS, but after those were resolved we realized flashrom didn't support our memory chip as well. we forked flashrom, added support for the chip, and compiled. things work now and we could read/write to the external flash memory.

this is flashrom after the successful flash memory dump. the 0xFFs are just padding at the end of the memory. this was our first time doing this. exciting moment.

after the memory contents were dumped, it was time to mess around with things. this part of the process was not too familiar to us at this point, so we just inspected the binary in a hex editor.
the binary data in hex format looked like this:

it can be seen that there are some ascii strings present in the binary data. if `strings` is run on the binary data, all the ascii strings found in the binary will be returned:

some interesting stuff here. a lot of debug info, but some strings like "You're a dancing genius!" are clearly displayed to the user.
let's replace some of the strings that are obviously displayed to the user with more fun strings. we will ensure they are the same length however, because that feels like it will reduce the chance of things breaking. the string that was to be changed was directly changed in the hex editor and the external memory was flashed with the updated firmware. it worked.

free jarvis.