Jan
20
Tama-Go ROM Format
I’ve been continuing to work out the format of the Tama-Go figure ROM. Using the figure simulation circuit I set up in my last post, and a digital logic analyzer, I’ve determined the purpose of most of the data in the figure ROM.
No one say ‘cross talk’ and maybe it won’t happen
I started by looking at the game functionality. It turns out that the functionality is fairly simple, and a very limited amount of the game logic is controlled by data fetched from the figure. The majority of data is images. Near the beginning of the ROM is a pointer table which contains the locations of images used by games, shops, items and other figure functionality. The location of this table is in turn controlled by another pointer at the head of the ROM. The Tama-Go fetches images by first fetching an image pointer from the table, and then fetching the image.
When “GAME” is selected, the Tama-Go starts fetching the needed images from the figure as they are displayed. Interestingly, they are fetched exactly when they are show, and are fetched multiple times if they are displayed multiple times. This suggests that the Tama-Go does not store the images fetched from the figure, but writes them directly to the LCD.
Only two pieces of data appear to affect the logic behavior of the game. The first are the “commands” at addresses 0×18 and 0×19 (note I’m using a Mametchi figure, this might differ for other figures). These appear to control what game logic the Tama-Go executes when the specific game is selected. It turns out that if these are altered, the Tama-Go can not only jump into different games, but any screen on the Tamagotchi, such as the meal screen, going to the park or taking a bath. If the back button (C) is pressed on any of these screens, the Tama-Go jumps back to the screen it would normally go back to after the current screen, not the figure screen. This suggests that essentially the Tamagotchi acts as a large switch statement or jump table, with no memory of where it has previously jumped to.
I went through some of the possible command values, and found that many of them caused the Tamagotchi to freeze up and require a reset. This is likely because the commands do not exist, or the device is not in the right state for them to work correctly. It might be possible to exploit one of these invalid commands to dump the code of the Tamagotchi, although the lack of debugging information would make it difficult.
Of course, these commands can be used to ‘cheat’ at Tamagotchi. The video below shows this functionality used to ‘evolve’ the Tamagotchi (make it get older).
There is also a series of bytes that gets read at the very end of the game. This seems to be related to how many points the Tamagotchi is awarded for playing the game. The Tama-Go appears to read more data the higher the game score is, so my guess is it’s some sort of cumulative algorithm for calculating the points awarded from the game score. Randomly tampering with these values caused my Tamagotchi to be awarded an extremely large number of points (which was useful in testing item functionality), but I’m still not clear how the values translate to points exactly.
83009250 points has got to be enough for any Tamagotchi
Next, I looked at the shop functionality of the figure. This was also quite simple. The entire store functionality appears to be in the Tama-Go’s internal ROM, and it just fetched the images. The only interesting value was the item price, which can be altered in the ROM. This would probably be more useful had I not just given my Tamagotchi infinite points.
Lastly, I tried using an item, and this was quite interesting. The Tama-Go fetches one byte of non-image data from the figure, from inside the expected segment before using an item, and then fetches more than 200 bytes of non-image data from near the end of the ROM (not the segment, the entire ROM) while the item is being used. This is so bizzare, I tested it several times to make sure it was actually what was happening, and I’m confident that it is.
What I suspect is happening is that the first byte is a command similar to the game commands, jumping to code that relies on both image data and other data from the figure, which it then fetches. I’m not sure what this “other data” is. It could be the location of the images on the screen, it could be audio data (items make sounds) or it could be some type of metadata related to the behavior of the item (for example, whether it gives points, or the probability of behaving a certain way for items that don’t do the same thing every time). As for why this information is at such a strange location, my only guess is that its used by all three characters in the figure, so it can’t be a part of any of their segments. But this is wild speculation.
A complete list of memory addresses I’ve identified is below:
| Address Range (inclusive) | Comment |
| 0×000001-0×000003 | Test command (detects if figure is properly attached) |
| 0×000011-0×000013 | Another test command, detects the ‘segment’ controlled by the jumper |
| 0×000013 | Unknown, possibly version |
| 0×000014 | Figure ID |
| 0×000015-0×000017 | Unknown |
| 0×000018-0×000019 | Game commands |
| 0×000020-000022 | Pointer to background pointer (offset of 40 is added) |
| 0×000050-0×000052 | Walking sprite 1 pointer |
| 0×000053-0×000055 | Walking sprite 2 pointer |
| 0×000056-0×000058 | Happy sprite 1 pointer |
| 0×000059-0x00005B | Side smile sprite pointer |
| 0x00005c-0x00005f | Jumping for joy sprite pointer |
| 0×000068-0x00006a | Jumping sprite pointer |
| 0x00006e-0×000070 | Side walk sprite 1 pointer |
| 0×000071-0×000073 | Side walk sprite 2 pointer |
| 0x00008c-0x00008f | Startled sprite image pointer |
| 0x00009e-0x0000a0 | After travel background pointer |
| 0x0000a4-0x0000a6 | Travel image 1 pointer |
| 0x0000a7-0x0000a9 | Travel image 2 pointer |
| 0x0000aa-0x0000ac | Ready image pointer |
| 0x0000ad-0x0000af | Go image pointer |
| 0x0000b6-0x0000b8 | Hip hop game name pointer |
| 0x0000b9-0x0000bb | Speed runner game name pointer |
| 0x0000BC-0x0000C7 | Store front pointers |
| 0x0000CE-0x0000D0 | Background image pointer |
| 0x0000d1-0x0000d3 | Background image open pointer |
| 0x0000D4-0x000000eb | Hip hop image pointers |
| 0x0000F5-0x00011d | Speed runner image pointers |
| 0×000119-0x00011b | Pointer to large Speed Runner image |
| 0x00011f-0×000127 | Read as loading images for item (maybe logic) |
| 0×000148-0×000170 | Item prices (note probably a broader range) |
| 0x0001a1-0x0001d4 | Read at the end of Hip Hop game, appear to be related to scoring, but I’m not sure how. Appears to read farther the better you do. Corrupting them corrupts score display |
| 0x00021d-0x00024c | Read at the end of speed runner |
| 0x0002a2-0x0002db | Pointers to shop item images |
| 0×000620- 0×000629 | Pointers to fun box images |
| 0x0011bf | Fun box beginning |
| 0×001251-0x0012B6 | Walking sprite 1 image |
| 0x0012B7-0x00131C | Walking sprite 2 image |
| 0x001A49-0x001AAE | Startled sprite image |
| 0x00131d-0×001382 | Happy sprite 1 image |
| 0×001383-0x0013e8 | Side smile sprite image |
| 0x0013e9-0x00144e | Jumping for joy sprite image |
| 0×001581-0x0015e6 | Jumping sprite image |
| 0x00164d-0x0016b6 | Side walk sprite 1 image |
| 0x0016b3-0x00171c | Side walk sprite 2 image |
| 0x001cad-0x001e24 | After travel background pointer |
| 0x001f99-0x00210e | Travel image 1 |
| 0x00210f-0×002284 | Travel image 2 |
| 0×002285-0x0023fa | Ready image |
| 0x0023fb-0×002571 | Go image |
| 0x00285d-0x0028fa | Hip hop game name image |
| 0x0028fb-0×002998 | Speed runner game name image |
| 0×002999-0x002b2d | Store front images |
| 0x002BAA-0x002C14 | Background image |
| 0x002C15-0x002C7F | Background image open |
| 0x002c80-0x002cf8 | Hip hop images |
| 0x002f6f-0x002fd3 | Large speed runner image |
| 0x002d8f-0x002fd5 | Speed runner images |
| 0×003058-0×003634 | Item images |
| 0×009052-0x0090bc | Fun box images |
| 0×0022499-0x00226e5 | Read while playing with fun box, not image data |
And a list of game codes I’ve tried so far:
| Code | Description |
| FF | A game with squares |
| FE | Coin game |
| FD | Dropping game (cradles) |
| FcC | “Sorry Nothing” screen |
| FB | Away screen (and egg hatching) |
| FA | Park |
| F0 | Remodelling store |
| F9 | Odd , piano, then aliens, then IR |
| F8 | Ready screen, can escape |
| F7 | Ready screen, no escape |
| F6 | Park with Violetchi |
| F5 | Long jump game (with everything!) |
| F4 | Shoot the bug |
| F2/F3 | Also pair of games |
| F1 | Ready screen, can escape |
| EF | Crying, returns to game choice screen |
| EE | Contrast screen |
| ED | Sound screen |
| EC | Pause Tamagotchi |
| EB | Tamagotchi runs away |
| EA | Evolve! |
| E9 | Bath |
| E8 | Figure “See you next time” screen |
| E7 | Figure “Welcome” screen |
| E6 | Reset screen |
| E5 | Book (friends, memory screen) |
| E4 | IR screen |
| E3 | Tama says no |
| E2 | Discipline screen |
| E1 | Game shop item figure screen |
| E0 | Tama comes back in door |
| DF | Bath |
| DE | Meal / snack |
| DD | Stats |
| DC | Clock |
| DD | main screen |
| DA | escape free egg (hatched, so restart) |
| D9 | reset, not lock (can change details) |
| D8 | stuck (must reset) |
| D7/D6/D5 | frozen |
| 99 | screen reverse |
| 98 | bottom icons light up (and stuck) |
| 97 | frozen |
Subscribe to RSS Feed
Follow us on Twitter
Our Mailing Lists
Visit Kwartzlab TV
Looking more at the Tamagotchi figure ROM format http://t.co/mW9yZ6k2