Tamagotchi boards contain an EEPROM mounted externally from the MCU, to save the game state so it can be restored if power is lost or the Tamagotchi crashes.
I hoped that the instruction pointer would be saved as part of the game state. Spoiler Alert: it isn’t.
I soldered short leads to the EEPROM, and used the Arduino Wire library to read the memory using I2C. I found the library very easy to use, and the sample program required almost no modification to access the chip.
The contents of the EEPROM were minimal, and are identifiable as parts of the game state.
Unfortunately, this means that the EEPROM stores a ‘game’ type of state and not a ‘stack and registers’ type of state, so it probably won’t be useful for dumping the code from the MCU.
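For reference, here is the kind of sketch the read described above boils down to. It is an added example, not the post’s own code: it assumes a 24Cxx-style EEPROM at the usual 7-bit address 0x50 (address pins tied low), a 256-byte part with an 8-bit word address, and that the Arduino’s I2C lines are at the same voltage as the EEPROM (a 5 V board driving a 3 V Tamagotchi chip needs a level shifter or a 3.3 V board). The output is an xxd-style hex dump so it can be saved from the serial monitor and diffed.

```arduino
// Added example: dump an external I2C EEPROM with the Arduino Wire library.
// Assumptions (not from the original post): 24Cxx part at 0x50, 256 bytes,
// 8-bit word address, I2C lines at the EEPROM's supply voltage.
#include <Arduino.h>
#include <Wire.h>

const uint8_t  EEPROM_I2C_ADDR = 0x50;   // assumption: A0..A2 grounded
const uint32_t EEPROM_SIZE     = 256;    // assumption: 24C02-class part
const bool     WIDE_ADDRESS    = false;  // true for 24C32 and larger (16-bit word address)
const uint8_t  CHUNK           = 16;     // bytes per transaction; under Wire's 32-byte buffer

// Set the EEPROM's internal address pointer, then sequentially read `len` bytes.
// Returns the number of bytes received (0 if the chip did not ACK).
uint8_t eepromRead(uint32_t addr, uint8_t *buf, uint8_t len) {
  Wire.beginTransmission(EEPROM_I2C_ADDR);
  if (WIDE_ADDRESS) {
    Wire.write((uint8_t)(addr >> 8));
  }
  Wire.write((uint8_t)(addr & 0xFF));
  if (Wire.endTransmission(false) != 0) {  // repeated start, no STOP
    return 0;                              // NACK: wrong address or wiring
  }
  uint8_t got = Wire.requestFrom(EEPROM_I2C_ADDR, len);
  for (uint8_t i = 0; i < got && Wire.available(); i++) {
    buf[i] = Wire.read();
  }
  return got;
}

void printHexByte(uint8_t b) {
  if (b < 0x10) Serial.print('0');
  Serial.print(b, HEX);
}

// xxd-style rows: offset, 16 hex bytes, printable ASCII column.
void dumpEeprom() {
  uint8_t buf[CHUNK];
  for (uint32_t addr = 0; addr < EEPROM_SIZE; addr += CHUNK) {
    uint8_t n = eepromRead(addr, buf, CHUNK);
    if (n == 0) {
      Serial.println("read failed: no ACK from EEPROM");
      return;
    }
    if (addr < 0x1000) Serial.print('0');
    if (addr < 0x100)  Serial.print('0');
    if (addr < 0x10)   Serial.print('0');
    Serial.print(addr, HEX);
    Serial.print(": ");
    for (uint8_t i = 0; i < n; i++) {
      printHexByte(buf[i]);
      Serial.print(i == 7 ? "  " : " ");
    }
    Serial.print(" |");
    for (uint8_t i = 0; i < n; i++) {
      Serial.print((buf[i] >= 0x20 && buf[i] < 0x7F) ? (char)buf[i] : '.');
    }
    Serial.println('|');
  }
}

void setup() {
  Serial.begin(115200);
  Wire.begin();
  delay(100);        // let the bus and the chip settle before the first read
  dumpEeprom();
}

void loop() {}
```

Taking one dump, changing something in the game (feeding, a new day, a crash), and diffing a second dump is the quickest way to confirm which bytes are game state and whether anything that looks like a return address or code pointer ever shows up.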
So, from here there are a few ways I could try to dump the code (listed in the order I plan on trying them):
1) Dump a figure mask ROM, and hope it contains code, pointers or something that could be tampered with to get code execution on the Tama-Go
2) Play around with the image formats supported over IR and through figures. I think it’s unlikely there are any vulns in these, but it’s worth a shot.
3) Try harder to get a GeneralPlus eval board or the contents of the test program. Also, there are some SunPlus MCUs with pins and writable flash that contain a test program; maybe get one of those, dump it, and hope the programs are similar.
4) Put the mask ROM under a microscope.
5) Learn about the glitching thing everybody’s always talking about.