caralynx teardowns
@teardowns.caralynx.com
Hack all the toys. Teardowns and analysis of various toys and electronics by @sudo.caralynx.com
Misspoke about the warning panel on the right side of the box. It's actually Chinese and English.
December 11, 2025 at 7:50 AM
Misspoke about the warning panel on the right side of the box. It's actually Chinese and English.
I guess the only thing left is to play it and see if there's anything different.
December 11, 2025 at 7:10 AM
I guess the only thing left is to play it and see if there's anything different.
There is indeed a firmware update. This one is from 2022 instead of 2020. I'm not sure what's changed. The main code probably got rearranged due to the linker, but the data pack seems to be the same as last time.
December 11, 2025 at 7:10 AM
There is indeed a firmware update. This one is from 2022 instead of 2020. I'm not sure what's changed. The main code probably got rearranged due to the linker, but the data pack seems to be the same as last time.
The inside is basically the same as before. Same slightly weird disassembly, same PCB (the only change appears to be the manufacturing date code), same GeneralPlus GPL95101UB. The 8MB flash is KH branded this time, but the original GeneralPlus brand is just a rebadge of the same chip.
December 11, 2025 at 7:10 AM
The inside is basically the same as before. Same slightly weird disassembly, same PCB (the only change appears to be the manufacturing date code), same GeneralPlus GPL95101UB. The 8MB flash is KH branded this time, but the original GeneralPlus brand is just a rebadge of the same chip.
FWIW if I'd have bought this sooner, I would have noticed that the text probably meant a US release, which did happen. You can buy Puni Boba-chan at Barnes & Noble. Still, I don't understand why there's FCC text on the Japanese version. Surely the US SKU is different?
December 11, 2025 at 7:10 AM
FWIW if I'd have bought this sooner, I would have noticed that the text probably meant a US release, which did happen. You can buy Puni Boba-chan at Barnes & Noble. Still, I don't understand why there's FCC text on the Japanese version. Surely the US SKU is different?
The device itself looks the same as the original release, except for the battery door, which has a bit of a different design. Instead of a Tapioca illustration, it has uhhhh... FCC notice. Really weird. The SKU is also lasered in instead of molded.
December 11, 2025 at 7:10 AM
The device itself looks the same as the original release, except for the battery door, which has a bit of a different design. Instead of a Tapioca illustration, it has uhhhh... FCC notice. Really weird. The SKU is also lasered in instead of molded.
Inside are the device and the manual.
December 11, 2025 at 7:10 AM
Inside are the device and the manual.
The box looks mostly the same as the original, except the right side got replaced with warnings, in both Japanese and English (weird).
December 11, 2025 at 7:10 AM
The box looks mostly the same as the original, except the right side got replaced with warnings, in both Japanese and English (weird).
Interesting new regulation somewhere that requires you to certify that Kaspersky is not installed on the EUT. This filing's factually incorrect with the amount of storage anyway (PAN1026 does not have accessible storage). They fixed it in the latest filing.
November 24, 2025 at 12:57 AM
Interesting new regulation somewhere that requires you to certify that Kaspersky is not installed on the EUT. This filing's factually incorrect with the amount of storage anyway (PAN1026 does not have accessible storage). They fixed it in the latest filing.
I guess that solution's fine, but the force of the rotating arm is probably throwing the accelerometer off a bit and not making the orientation of the screen totally stable.
November 24, 2025 at 12:51 AM
I guess that solution's fine, but the force of the rotating arm is probably throwing the accelerometer off a bit and not making the orientation of the screen totally stable.
That explains how the rotor and stator kept orientation, and some of the unpopulated components. Looks like originally they were using IR LEDs to figure synchronize, but they now changed it to a hall effect sensor.
November 24, 2025 at 12:51 AM
That explains how the rotor and stator kept orientation, and some of the unpopulated components. Looks like originally they were using IR LEDs to figure synchronize, but they now changed it to a hall effect sensor.
The FCC Equipment Authorization Electronic System is finally back online, and I'm downloading the exhibits. Looks like there's a third ID for the hamster ball filed recently. Meanwhile, I found the third page to the schematics that I was wondering about in the original filing. It's a changelog.
November 24, 2025 at 12:51 AM
The FCC Equipment Authorization Electronic System is finally back online, and I'm downloading the exhibits. Looks like there's a third ID for the hamster ball filed recently. Meanwhile, I found the third page to the schematics that I was wondering about in the original filing. It's a changelog.
The client syncs app installation status with the web service, but it doesn't seem to acknowledge any extra apps that are not licensed. It just doesn't report on it for some reason.
November 20, 2025 at 10:44 AM
The client syncs app installation status with the web service, but it doesn't seem to acknowledge any extra apps that are not licensed. It just doesn't report on it for some reason.
They were nice enough to leave in Mbed TLS' testing functions that obviously identified the cipher family.
The LDI file is generated by the web service, so theoretically there's nothing to hack on the client, but the system app is easy to locate and download, so that didn't really stop anything.
The LDI file is generated by the web service, so theoretically there's nothing to hack on the client, but the system app is easy to locate and download, so that didn't really stop anything.
November 20, 2025 at 10:40 AM
They were nice enough to leave in Mbed TLS' testing functions that obviously identified the cipher family.
The LDI file is generated by the web service, so theoretically there's nothing to hack on the client, but the system app is easy to locate and download, so that didn't really stop anything.
The LDI file is generated by the web service, so theoretically there's nothing to hack on the client, but the system app is easy to locate and download, so that didn't really stop anything.
The LDI file is pretty simple, it's just a comma-separated list of package IDs bookended by header and footer strings, encrypted with AES-256-CBC. The key is the SHA-256 hash of the device serial and a static string, and the IV is another static value.
November 20, 2025 at 10:40 AM
The LDI file is pretty simple, it's just a comma-separated list of package IDs bookended by header and footer strings, encrypted with AES-256-CBC. The key is the SHA-256 hash of the device serial and a static string, and the IV is another static value.
I also found how it does DRM. If you just upload a package without corresponding authorization in the LDI file (\LDI.dat), the package folder just gets deleted on boot.
November 20, 2025 at 10:40 AM
I also found how it does DRM. If you just upload a package without corresponding authorization in the LDI file (\LDI.dat), the package folder just gets deleted on boot.
Finished implementing upload/download functionality, and also package upload, so I can also send .tar files to the device to unpack. Code is a bit of a mess because of everything being top level statements instead of classes, so I've got a mess of nesting IEnumerable<string>s going on.
November 20, 2025 at 10:40 AM
Finished implementing upload/download functionality, and also package upload, so I can also send .tar files to the device to unpack. Code is a bit of a mess because of everything being top level statements instead of classes, so I've got a mess of nesting IEnumerable<string>s going on.
I've now got a DFTP client. No upload/download yet, going to figure that out soon.
November 20, 2025 at 2:27 AM
I've now got a DFTP client. No upload/download yet, going to figure that out soon.
Forgot to mention, .cbf files are also documented and were previously used on other devices.
November 19, 2025 at 7:33 AM
Forgot to mention, .cbf files are also documented and were previously used on other devices.
That implies it has GeneralPlus' USB protocol implemented, which should be interesting. I may have to try that at some point once I can pull my save data and stuff off via DFTP.
November 19, 2025 at 7:32 AM
That implies it has GeneralPlus' USB protocol implemented, which should be interesting. I may have to try that at some point once I can pull my save data and stuff off via DFTP.
7. LeapFrog Connect is allegedly capable of recovering even a bricked device. There's a binary called NandUsbBin that loads as a raw image into memory, and presumably receives .cbf files to reload the bootloader and application code.
November 19, 2025 at 7:32 AM
7. LeapFrog Connect is allegedly capable of recovering even a bricked device. There's a binary called NandUsbBin that loads as a raw image into memory, and presumably receives .cbf files to reload the bootloader and application code.
It seems to run in two modes, USB mode and update mode. Not sure what update mode actually does. I've currently got Surgeon loaded for analysis. Looks like applications are loaded at 0x100 in RAM, and copies a vector table to 0x0 as part of initialization.
November 19, 2025 at 7:32 AM
It seems to run in two modes, USB mode and update mode. Not sure what update mode actually does. I've currently got Surgeon loaded for analysis. Looks like applications are loaded at 0x100 in RAM, and copies a vector table to 0x0 as part of initialization.
6. Surgeon is what boots when you hold the power button. Normally it's used for recovery, and the main system would have a DFTP server running, but LeapFrog made a design choice to not enable any USB in normal operating mode, so Surgeon is the sole method for data transfer.
November 19, 2025 at 7:32 AM
6. Surgeon is what boots when you hold the power button. Normally it's used for recovery, and the main system would have a DFTP server running, but LeapFrog made a design choice to not enable any USB in normal operating mode, so Surgeon is the sole method for data transfer.
and another partition called MfgData. MfgData contains the serial number, product ID, and I think language and some other stuff. After that is a normal FAT partition where the content, boot videos, and resources for the manufacturing test live.
November 19, 2025 at 7:32 AM
and another partition called MfgData. MfgData contains the serial number, product ID, and I think language and some other stuff. After that is a normal FAT partition where the content, boot videos, and resources for the manufacturing test live.