I dumped the ROM of a Tamagotchi using the code execution ability I posted previously. I wrote 6502 code that dumped each byte of the memory space of the Tamagotchi, and output it over port A (which is usually the Tamagotchi button input) via SPI.
It would have been more convenient to dump the ROM via IR or the SPI ports at the top of the Tamagotchi, but unfortunately, I don’t have any information on how to write to those ports. There is an application note describing how to write to port A on the General Plus site, though.
I started by dumping the entire memory space, from 0×0000 to 0xffff, which included all mapped memory, such as ROM, RAM and ports. This only dumped some of the ROM, though, as the GPLB52x microcontroller supports paging outside of 6502 paging. The first 16 kilobytes of the ROM are always mapped to 0xc000-0xffff, and then the rest of the ROM is split into 19 pages that can be mapped to 0×4000-0xbfff as needed. To dump the entire ROM, I needed to figure out how to page.
Loading oxc000-0xffff into IDA, it became apparent how to page pretty quickly.
The address 0×3000 was written to quite often before jumps, and there were several subroutines that pushed and restored this value before jumping to another subroutine. Trying this in my dumping code, I was able to dump the entire ROM!
Doing a quick analysis, pages 0 through 6 appear to be code, pages 7, 8 and 9 are empty, pages 11-18 contain image data, page 10 contains some image data and some other data and I’m not sure what 19 contains (if I had to guess it would probably be audio).
Decoding the image data, you can already find out some interesting things. For example, here’s some of the images from page 18:
In blue are all the possible Tamagotchi characters you can get on the Tama-Go! And in red below are the images from the factory test program, one of which I’ve never seen before, suggesting that there’s features of this program that haven’t been found yet.
For the Tamagotchi fans in the room, I’ve posted all the images I dumped here. I’ll be posting the rest of the code as I make sense of it.
In the mean time, here are some of the cuter highlights of the ROM dump.