V3 Password Experimentation

TamaTalk

Help Support TamaTalk:

hwd45

Well-known member
Joined
Aug 7, 2007
Messages
662
Reaction score
531
Location
Abingdon, Oxfordshire, England, United Kingdom
It's been less than a day since my last update - normally I'd just edit my last post but I feel like it might be worth bumping the thread for this update.

Unless I'm mistaken... I've figured out how the checksum works in the V3 passwords, thus cracking the algorithm.

There's still more to understand - with this I'm only capable of generating half the allowed password combinations (which is still obviously more than is necessary, so it's not really a big deal) due to that one variable which, when turned on, seems to make everything more difficult. I think, after this most recent revelation, it should be easier to figure out, though.

Recall that there's a five-byte structure to the passwords, which we'll represent as follows:

BYTE_5 | BYTE_4 | BYTE_3 | BYTE_2 | BYTE_1


For now we'll set BYTE_5 to zero to make things a bit easier. Recall also that a username constant is XOR'd onto this structure - for now we'll pretend we've already XOR'd out this username factor so the username is no longer affecting the password. Since BYTE_5 is zero, we get the following password structure, just by the nature of how these passwords work:

0 | BYTE_4 | BYTE_3 | BYTE_2 | 199

BYTE_2 = ITEM_ID XOR 70
BYTE_3 may be any integer from 0 to 255
BYTE_4 may be the checksum?


That random 70 was definitely raising my eyebrows and when adding together all of the bytes I noticed that the result I got most of the time was exactly 140 away from 256, a power of two. So I tried XORing out a couple 70s here and there:

0 | BYTE_4 | BYTE_3 | BYTE_2 | 199

XOR

0 | 70 | 70 | 70 | 70

=

0 | BYTE_4 XOR 70 | BYTE_3 XOR 70 | ITEM_ID | 129


This seems like it's in a format that would make more sense for the password decoder to read - the item ID can now just be read out instead of needing to apply a random 70 to it. It should also be noted that BYTE_3 XOR 70 is once again just another integer from 0 to 255 so we can consider this the random element (if you'd like a more technical definition, the XOR 70 operator is a bijective function on the set of integers from 0 to 255 to itself). We'll notate BYTE_3 XOR 70 as just "RAND" and BYTE_4 XOR 70 as "CHECK". Here's the breakthrough:

129 + ITEM_ID + RAND + CHECK = 0 mod 256

Hence,

CHECK = 127 - ITEM_ID - RAND mod 256


A slightly unusual checksum, but it makes a certain amount of sense. To verify the checksum, all the device would need to do is add the four bytes together and check that they equal zero (mod 256).

I have a generator spreadsheet ready for those who want to generate passwords using this now, but I'd prefer to get it into a more accessible state, so I'm writing up some javascript for this purpose instead. I'm also considering creating a sort of EnWarehouse-like program for this purpose too, once I figure out some of the other password systems as well.

I'll get the script out as soon as possible. Thanks to all those who have helped me on this journey!

---

EDIT: I've embedded the script into this page: https://hazzabobbo.wixsite.com/mamemamelabs/password-generator

The presentation is a bit sloppy for now but it's something I'm working on! There'll probably be some item IDs which don't work so any feedback is helpful.

 
Last edited by a moderator:

hwd45

Well-known member
Joined
Aug 7, 2007
Messages
662
Reaction score
531
Location
Abingdon, Oxfordshire, England, United Kingdom
One more update:

  • I've figured out that one strange 0 / 1 (the leftmost byte) that seems to mess everything up - it turns out that after XORing out those extra 106's the checksum is calculated in basically the same way - after removing the username, the 106's and the 70's, the sum of the bytes (now including the extra "1") is once again a multiple of 256, all the time.
  • Analysing Parent / Grandparent / Travel passwords, too, it seems as though once all the encryption is stripped as before, the only difference from other passwords is that the rightmost byte is 130 or 131 instead of 129 (130 for parents and grandparents, 131 for travel items - I think these passwords only work when you've actually got parent characters or when you've actually travelled, though!). I do not know if the Famous Picture souvenir also acts this way, but if it does, I will need to make a very minor modification to my script.
  • So basically... V3 item passwords are cracked.
  • V4 passwords seem to act identically, except that instead of a 106 it's a 109 and instead of a 70 it's an 87. I have not been able to confirm if they still treat parent / grandparent passwords the same, however. Either way, I've added a V4 option to the generator.

Okay... which passwords to tackle next? :D  Since the V3 and V4 passwords were so similar, I expect that other passwords covered by the V3 (login passwords) also use similar checksum calculation techniques. Perhaps V4 login passwords do too! Music Star passwords are still a mystery, though.

 

MasterPengo

Member
Joined
Apr 15, 2018
Messages
11
Reaction score
15
First off, thank you so much for this. I've been waiting ages for a password generator now that TamaTown is gone.

I tried them all out. The souvenirs that didn't work were, as expected, the travel based items and (grand)parent items, although the famous picture did work. Am I right in thinking that the codes are the same every time but they don't work because the Tamagotchi has a way of knowing that my character doesn't have parents and hasn't travelled? Like it doesn't need to know who the parent characters are or anything?

Thanks again

 

hwd45

Well-known member
Joined
Aug 7, 2007
Messages
662
Reaction score
531
Location
Abingdon, Oxfordshire, England, United Kingdom
First off, thank you so much for this. I've been waiting ages for a password generator now that TamaTown is gone.

I tried them all out. The souvenirs that didn't work were, as expected, the travel based items and (grand)parent items, although the famous picture did work. Am I right in thinking that the codes are the same every time but they don't work because the Tamagotchi has a way of knowing that my character doesn't have parents and hasn't travelled? Like it doesn't need to know who the parent characters are or anything?

Thanks again
The codes for these passwords are slightly different from other passwords in that the underlying "base" password has a 130 or a 131 instead of a 129, but otherwise they're basically the same as other passwords. You're correct in guessing, though, that the reason they don't work is that your character doesn't have a parent or hasn't travelled. If you fulfil the correct conditions it should make those souvenirs obtainable. As I recall, though, the travel and parent passwords used on Tamatown actually do contain information about what character your Tamagotchi currently is - I don't know if this information is used at all, though.

The V4 seems to act a little bit differently though - I think it requires a specific successful logout password before you're allowed to get these items.

 

MasterPengo

Member
Joined
Apr 15, 2018
Messages
11
Reaction score
15
I got the parent and grandparent souvenirs to work once I made sure my character was at least third generation, but for one of them I had to enter a few different codes before it worked, possibly because I forgot to view the "Password for PC" first.

I tried out the password for Skis once my character had used the Switzerland ticket but it hasn't worked, even after I generated a few different codes. I also found that the ticket codes don't seem to work. Is it to do with the base password, or have I been doing something wrong? Thanks.

 

hwd45

Well-known member
Joined
Aug 7, 2007
Messages
662
Reaction score
531
Location
Abingdon, Oxfordshire, England, United Kingdom
I got the parent and grandparent souvenirs to work once I made sure my character was at least third generation, but for one of them I had to enter a few different codes before it worked, possibly because I forgot to view the "Password for PC" first.

I tried out the password for Skis once my character had used the Switzerland ticket but it hasn't worked, even after I generated a few different codes. I also found that the ticket codes don't seem to work. Is it to do with the base password, or have I been doing something wrong? Thanks.
It's probably something I've done wrong - I think there might be extra information encoded into the password that I haven't accounted for. I think the character ID is supposed to go in there somewhere - probably in place of the random byte.

As for the parent password, it's curious that you had to type several passwords in before it worked. I guess, as you say, that this is to do with the fact that you hadn't viewed the "Password for PC!!" thing first, but it definitely requires some investigation.

---

So I've been continuing to experiment with various password types and it seems as though the V4 login and logout passwords use a similar checksum to the item passwords, but instead of adding each byte of the "base" password it adds each hexidecimal character of the "base" password (obtained after removing the pattern information and the username). Logout passwords seem to change one digit according to how much money you are to take back from Tamatown, and one binary digit is flipped, too, before recalculating the checksum and reapplying the pattern and username variables. However, in practice, logout passwords I've attempted to generate have not worked so far. Either the pattern of the logout needs to be something very specific with relation to the login password, or my calculator has a mistake in it, or these passwords have more information I've not yet accounted for. I'm hoping it's not the latter due to how infrequently valid pairs of login and logout passwords appear online (I've only managed to find one pair so far, so any old logout passwords you might have would be appreciated, though I understand many people won't still own these passwords because they're basically useless).

---

EDIT: Okay, I think I've found the problem with travel passwords. And possibly parent passwords too? It seems like the random component of the travel items are instead replaced with the numbers 129, 130, 131, 132 or 133 depending on the item. Not really sure why, but it's simple enough. As for parent / grandparent items, these ones I've observed to use either 1 or 65, which might just be a coincidence.

Interestingly the fact that the travel passwords require the numbers I listed above - an arithmetic progression - is part of the reason why some of the passwords I observed in my very first post on this topic formed an arithmetic progression!

 
Last edited by a moderator:

MasterPengo

Member
Joined
Apr 15, 2018
Messages
11
Reaction score
15
https://www.tamatalk.com/IB/topic/186883-v3-guide/

So I tried out the codes here and they all worked without needing to use the tickets or be any generation later than first. Strange, since I distinctly remember a few years ago any codes for these souvenirs didn't work for me despite using the correct username.

Additionally, I wanted to add that I've uploaded a sheet of the souvenir sprites to TSR and I've credited you for the work you did for the code generator. Let me know if you'd like any changes to the name used or anything else.

https://www.spriters-resource.com/lcd_handhelds/tamagotchiconnectionversion3/sheet/128510/

 

hwd45

Well-known member
Joined
Aug 7, 2007
Messages
662
Reaction score
531
Location
Abingdon, Oxfordshire, England, United Kingdom
https://www.tamatalk.com/IB/topic/186883-v3-guide/

So I tried out the codes here and they all worked without needing to use the tickets or be any generation later than first. Strange, since I distinctly remember a few years ago any codes for these souvenirs didn't work for me despite using the correct username.

Additionally, I wanted to add that I've uploaded a sheet of the souvenir sprites to TSR and I've credited you for the work you did for the code generator. Let me know if you'd like any changes to the name used or anything else.

https://www.spriters-resource.com/lcd_handhelds/tamagotchiconnectionversion3/sheet/128510/
Ahh, that's awesome! I think there's a few more glitch souvenir sprites that I've not had the time to personally try out myself, as I recall, so they might be an addition for the future.

And yeah, I think there must still be a bit of a mystery surrounding the ticket items and souvenirs. I'm wondering if it depends on the ROM version of the device the passwords are entered into?

 

hwd45

Well-known member
Joined
Aug 7, 2007
Messages
662
Reaction score
531
Location
Abingdon, Oxfordshire, England, United Kingdom
Don’t know if this will help, but i purchased a v3 (region  unknown)  and i could test to see if this stuff works
It's been a while since the item password algorithm was cracked and I'm not actively working on cracking the other password types at the moment but thanks anyway :)

-----

Actually, on that note, it's probably worth saying that while I'm not currently working on them, I do intend on cracking the other password varieties in the future, especially the Music Star (which had proven to be very tricky to crack). There's still so much to learn :)

 

hwd45

Well-known member
Joined
Aug 7, 2007
Messages
662
Reaction score
531
Location
Abingdon, Oxfordshire, England, United Kingdom
As per my previous post I'm now finally taking another crack at Music Star passwords. I've actually managed to make some progress recently and I'm starting to get an idea of how the data is laid out in the password - the next steps are to map out the data, identify how the usernames work and then finally we should have a way of completely decomposing the passwords. At that point we can start taking a look at item passwords too.

For now, some more login code progress is required. In order to crack them I'll need more data to work with.

As such, if anyone wants to help out, then generating a bunch of passwords (ideally at least 3 passwords for each set of data, just to be sure) and listing the passwords alongside the following data would help out a lot:
* User Name (required)
* Character (required)
* Gender (required)
* "Tone" stat (required)
* "Rhythm" stat (required)
* "Original" stat (required)
* Favourite genre (required)
* Job stage (i.e. school / unemployed / debut, ideal)
* ROM Version (if known)

Then, once these passwords are obtained, if you could change just one of the variables (e.g. increase one of the stats) and then generate some passwords again with the new data that would be ideal. **I should stress that without this second set of passwords there isn't much I can do with the first set either!**

Bonus points if, for any given password, you can also give me any working item passwords alongside the item they give. These are tricky to find but not impossible.

Please try to ensure the accuracy of the passwords you submit - if any are inaccurate it can make figuring out the passwords a bit trickier.

I'll update as soon as I make any more progress!

 

cmarie

Well-known member
Joined
Jan 29, 2007
Messages
391
Reaction score
71
Location
California
Hi there!  This project is fascinating.  I just happened to find an old notebook of mine that contained a handful of codes for the v3 and v4 items and foods.  I am not sure if you are still in need of new data or not, but if you are I'd be happy to share.  

Editing because I just found the website with the code generator.  Everything I have tried has worked.  This is truly amazing.  I had lost hope of ever being able to gain the items I hadn't recorded back in the early 2000's.  Thank you so much for taking on this project and sharing!

 
Last edited by a moderator:

hwd45

Well-known member
Joined
Aug 7, 2007
Messages
662
Reaction score
531
Location
Abingdon, Oxfordshire, England, United Kingdom
Hi there!  This project is fascinating.  I just happened to find an old notebook of mine that contained a handful of codes for the v3 and v4 items and foods.  I am not sure if you are still in need of new data or not, but if you are I'd be happy to share.  

Editing because I just found the website with the code generator.  Everything I have tried has worked.  This is truly amazing.  I had lost hope of ever being able to gain the items I hadn't recorded back in the early 2000's.  Thank you so much for taking on this project and sharing!
Really glad you like it!

---

I've been taking a bit of a break from a lot of this stuff lately - though I was looking at Music Star passwords last summer, I started to hit some roadblocks and eventually my focus was switched to another large-scale project which involved most of my free time. This project is still continuing and when I'm not focusing on that I'm usually working through one of my other projects so Tamagotchi has been a bit sidelined as of late, though with the recent release of the Pix I've started to get back into the mood again. At the moment I'm taking a crack at the Pix QR codes and already confirmed some things about the Pix QR data, which is pretty cool. Unrelated and a bit off-topic, but the Pix also has this awesome test mode too with a curious new version number / revision display, which is really neat - the Pix we tested is apparently version 1.01 and revision 2372... this doesn't mean much right now, but in the future, I'm sure that'll come in handy.

 

mariahctchi

New member
Joined
Apr 2, 2021
Messages
1
Reaction score
2
As per my previous post I'm now finally taking another crack at Music Star passwords. I've actually managed to make some progress recently and I'm starting to get an idea of how the data is laid out in the password - the next steps are to map out the data, identify how the usernames work and then finally we should have a way of completely decomposing the passwords. At that point we can start taking a look at item passwords too.

For now, some more login code progress is required. In order to crack them I'll need more data to work with.

As such, if anyone wants to help out, then generating a bunch of passwords (ideally at least 3 passwords for each set of data, just to be sure) and listing the passwords alongside the following data would help out a lot:
* User Name (required)
* Character (required)
* Gender (required)
* "Tone" stat (required)
* "Rhythm" stat (required)
* "Original" stat (required)
* Favourite genre (required)
* Job stage (i.e. school / unemployed / debut, ideal)
* ROM Version (if known)

Then, once these passwords are obtained, if you could change just one of the variables (e.g. increase one of the stats) and then generate some passwords again with the new data that would be ideal. **I should stress that without this second set of passwords there isn't much I can do with the first set either!**

Bonus points if, for any given password, you can also give me any working item passwords alongside the item they give. These are tricky to find but not impossible.

Please try to ensure the accuracy of the passwords you submit - if any are inaccurate it can make figuring out the passwords a bit trickier.

I'll update as soon as I make any more progress!
Hi! I've actually been trying to experiment and found some item codes! Unfortunately, I wasn't able to check the stat numbers because they changed so frequently!

Luckily, even without the log-out password, I was still able to get the items. I hope this helps! I'll try to test some more





Username


ARIA.


 


 


 


 


Item password


 


Item




Generation


1


 


Log-in


9410470


 


000113


 


Jeans




Sex


Boy


 


 


646619E


 


000117


 


 




Tamagotchi


Hinotamatchi


 


 


 


 


000136


 


Dinosaur




Job stage


School


 


 


 


 


000159


 


Pirate Ship




Genre


Rock n' Roll


 


 


 


 


000328


 


Dinosaur




 


 


 


 


 


 


 


 


 




 


 


 


 


 


 


 


 


 




 


 


 


Log-in


75F4A6E


 


100035


 


Sausage




 


 


 


 


7A78093


 


100058


 


Snake




 


 


 


 


 


 


100204


 


Hotdog




 


 


 


 


 


 


100210


 


Snake




 


 


 


 


 


 


900035


 


Teriyaki Chicken




 


 


 


 


 


 


900059


 


Snake




 


 


 


 


 


 


920012


 


Tokyo Ticket




 


 


 


 


 


 


920031


 


R&B CD




 


 


 


 


 


 


920016


 


Pizza slice




 


 


 


 


 


 


920039


 


Snake




 


 


 


 


 


 


920077


 


Jazz CD









Edited: I needed to add that the snake isn't an actual item! It shows up apparently when the code is valid but there isn't any corresponding item to it. I also wasn't able to catch what the 000117 code corresponded to!

 
Last edited by a moderator:

hwd45

Well-known member
Joined
Aug 7, 2007
Messages
662
Reaction score
531
Location
Abingdon, Oxfordshire, England, United Kingdom
Hi all - after taking a little bit of a break, I decided to have another crack at the V4 login / logout passwords. After a few days I managed to figure out the format of the codes and write a logout password generator:


I would like to create some documentation explaining how the generator works, but I'll leave that for a later date. Enjoy!
 

hwd45

Well-known member
Joined
Aug 7, 2007
Messages
662
Reaction score
531
Location
Abingdon, Oxfordshire, England, United Kingdom
Just a quick update: after a small breakthrough earlier today, I’ve managed to crack the V6 login passwords. Logout passwords and item passwords are still uncracked but this revelation puts us significantly closer to cracking them. I’ll do another post soon with more information about how they work (if I remember to do so!)
 
Top