Dancing Cactus
The dancing cactus is a toy that stirred up a small controversy in late 2021 after a Polish grandmother purchased it from Walmart only to find out that it contains the Polish cow meme song. I found and purchased one on eBay for approximately $17 CAD which supposedly contains 120 songs and the ability to record a short message. My intention is to hack it to play my own sound clips.
Short Review
After receiving the cactus, my initial impression of the toy is mixed. I like how silly the thing looks, but the audio is terrible and obnoxiously loud. Despite the listing saying it contains 120 songs, I think there are around a total of a dozen songs or sound clips which would be played twice in random order when the playback button is pressed. There is a second 'recorder' button which when held down will activate the voice recorder feature. It is capable of recording any custom sound clip of up to 10 seconds and can be replayed back by pressing the recorder button again. When switched on, it will play back any loud sounds the microphone picks up, similar to those cheap mimicry toys that have been available for the past few years. Interestingly, I noticed that pressing the record button and then immediately pressing the playback button will play a sound clip without the dancing and lights.
Pros | Cons |
---|---|
+ Looks pretty good and funky | - Doesn't have 120 songs. Probably has around 12 unique songs. |
+ Has a voice recorder feature for one clip of up to 10 seconds | - Music playback is annoyingly loud and audio quality is pretty poor |
+ Takes 3 AA batteries | - Despite it being marketed as a dancing cactus, it doesn't actually dance to the music. |
+ Cheap | - Arrived without any packaging, which resulted in the bottom zip tie being broken during shipment. The felt part was sliding up as a result. |
 | - Doesn't come with any instructions |
Hardware
The cactus has a small board with a 16-pin JL microprocessor (labeled AB21BP0K098-42A0) and a T25S80 flash chip. JL is likely Zhuhai Jieli Technology. There is a Stack Exchange thread about similar chips and the label is likely some sort of serial number with the '21' being the year of manufacturing. The flash chip appears to be similar to the N25S80 SPI flash chip from a different vendor.
An image of the board is available below.
Connected to the board are:
- 2 buttons (one for playing a random track, one for recording/replaying a voice recording)
- a tiny speaker (I later connected a 200 ohm resistor in series to lower the volume)
- a microphone
- a motor which goes through some gears and up to the dancing cactus
- a string of LED lights
Flash dump
Because the flash chip has both DI and DO connected together on the board and because the microprocessor is powered by the same rail, I decided to desolder the flash chip for the dump to avoid any interference from the microprocessor. The flash dump was done with a Raspberry Pi over its SPI interface. With the flash chip removed, the cactus doesn't work, which suggests that some program code is stored on the flash. None of the buttons respond and no playback occurs. The motor and lights were constantly on, however.
After some tinkering with the flashrom utility to force it to accept the flash chip ID, I was able to dump the contents of the flash chip. Unfortunately, I'm unable to make much of the flash layout since most of the content appears to be encoded. There are 34 sections of what appear to be some sort of audio tracks near the end of the dump, which corresponds to the number of unique sound clips.
Address | Comment |
---|---|
0x0000 + 0xfff (~4 Kbytes) | Boot data? The microprocessor's firmware? Starts with some header and then "SH54"? |
00000000: 2558 bf1d 302e 3031 f0c1 b367 c4ad ff97 %X..0.01...g....
00000010: 5348 3534 ffff ffff ffff ffff ffff ffff SH54............
00000020: 8896 456f 9f3e 7cf8 76cf a367 8ebd 5b97 ..Eo.>|.v..g..[.
00000030: 7a7c 5317 a5ad 4521 f36d 13d9 b367 cf9f z|S...E!.m...g..
00000040: 8ee3 e6b3 1931 7cf8 cbc1 a367 cc42 5b97 .....1|....g.B[.
00000050: 666d 5827 b2ec 4928 f57e 3d4f 22f1 309f fmX'..I(.~=O".0.
00000060: 0c1d 60e0 1f2e 7cf8 0f3e 5c98 4f42 5a97 ..`...|..>\.OBZ.
00000070: 6e6e 4c27 b5ea 5511 f47c 7242 4c67 cf9f nnL'..U..|rBLg..
00000080: fedf e911 1f2e 7cf8 e0c1 a367 98ac bddf ......|....g....
00000090: ffef 9f1f 1f3e 70f8 f081 a367 7eac 5b97 .....>p....g~.[.
000000a0: 4de1 da7f d19f 076a 5c38 0f06 6aac 247c M......j\8..j.$|
000000b0: e051 170b ee36 4392 e634 2040 26f2 8453 .Q...6C..4 @&..S
000000c0: fae0 63d7 ea61 47e7 349d 6d82 cd3b 175a ..c..aG.4.m..;.Z
000000d0: 7e19 8094 cb54 d9fc 3ac4 0e3d 0036 8694 ~....T..:..=.6..
000000e0: fbef 4a2e 3e9b dd03 8e1f bbb6 4ebc a66d ..J.>.......N..m
000000f0: f1b7 734c 7f94 07b3 2d98 df11 7d3d 5ab5 ..sL....-...}=Z.
00000f00: c78e 1011 1707 2034 13d6 5997 fa2e 6f41 ...... 4..Y...oA
00000f10: 7689 28f0 1eb8 1c4b b54a a815 520a 5af9 v.(....K.J..R.Z.
00000f20: 9457 570b 2e22 92bd 0553 5049 0030 5f33 .WW.."...SPI.0_3
00000f30: 5f30 0442 4f4f 545f 5459 5045 0000 0000 _0.BOOT_TYPE....
00000f40: 00ff ffff ffff ffff ffff ffff ffff ffff ................
0x1000 + 0xBA000 (761,856 bytes) | Encoded data? Some sort of cypher? |
00001000: efd6 722b 1f3f 6cf8 dc9b a267 4dbf 5b97 ..r+.?l....gM.[.
00001010: 6e6e 4c27 b0f1 422f c371 7647 2898 cf9f nnL'..B/.qvG(...
00001020: ec0e d049 9f3f 7cf8 dc98 a267 4c63 1913 ...I.?|....gLc..
00001030: 665f 2e92 3bdb 2b8a ca95 0a15 2b57 af5f f_..;.+.....+W._
00001040: ab7f 2060 1f8e 77f8 f031 a067 fd7f df9f .. `..w..1.g....
00001050: 6831 f80f 1f1e 1c18 1000 2041 7c98 f0c1 h1........ A|...
...
000ba800: e977 8d66 b519 d4f4 02aa dbfc d7fd 9fec .w.f............
000ba810: 311a 9a6d bc3b a612 451b eb17 489a c4fe 1..m.;..E...H...
000ba820: 82dc 63c7 77fd d40f 1b36 21a3 67c8 012a ..c.w....6!.g..*
000ba830: 3694 be6d a7e6 6169 0ddd 4bf9 9077 fe9d 6..m..ai..K..w..
000ba840: cad7 b868 9087 7c04 3a38 6121 4e8d d88b ...h..|.:8a!N...
000ba850: 348a 150a 3448 b040 8122 64c9 ffff ffff 4...4H.@."d.....
000ba860: ffff ffff ffff ffff ffff ffff ffff ffff ................
0x0BB000 + 0x1000 (4096 bytes) | Audio data 1 - a short clip |
000bb000: 41c6 1000 00ff ffff 3401 0000 1801 0000 A.......4.......
000bb010: 5741 5604 77ff ffff 1758 888b 8080 8808 WAV.w....X......
000bb020: 0088 0088 081c 9100 8088 11ab 12da 1270 ...............p
000bb030: 8118 c900 bb24 0014 0db1 318a 818e a194 .....$....1.....
000bb040: 58a0 31ea 02ac 3421 9249 ea22 8d92 8a81 X.1...4!.I."....
000bb050: 428a a109 29fa 6308 8018 ea14 0a02 1d91 B...).c.........
000bb060: 9ac1 1011 1331 eeb9 328b 4628 8a90 0a91 .....1..2.F(....
000bb070: 0230 ca12 3887 3ada 81bb 3738 0110 cdba .0..8.:...78....
000bb080: 0100 2953 22dc 0a09 9652 9a91 39cb 80fa ..)S"....R..9...
000bb090: 0210 0815 2801 bf90 3199 121b 9931 fe02 ....(...1....1..
000bb0a0: 1088 5288 200e b818 8bea 0289 0751 018b ..R. ........Q..
000bb0b0: ba00 9916 28a1 2ac0 2289 0182 0fa8 09ff ....(.*.".......
000bb0c0: 0882 4109 0010 0a24 9fa1 10ab a836 619a ..A....$.....6a.
000bb0d0: 888a 808b c350 ba14 1892 1ab0 72ca a945 .....P......r..E
000bb0e0: 2289 1238 eea8 0140 9910 229b 0884 888b "..8...@..".....
000bb0f0: fb99 3300 5738 9cb8 8811 9d90 1388 0aa5 ..3.W8..........
000bb100: 38db 9074 1120 aabb 0c13 4208 c963 9cba 8..t. ....B..c..
000bb110: 8200 109f 9923 0afe 1331 9981 1100 cd98 .....#...1......
000bb120: 836b 8621 8bc8 808a 9632 19cb 99b0 440b .k.!.....2....D.
000bb130: ea13 119a 4510 9fa8 2200 1881 0b84 0c90 ....E...".......
000bb140: 0322 afa1 ffff ffff ffff ffff ffff ffff ."..............
000bb150: ffff ffff ffff ffff ffff ffff ffff ffff ................
0x0BC000 | Audio data 2 -- a longer clip than the previous one. |
000bc000: 8daa 1000 00ff ffff 8407 0000 1901 0000 ................
000bc010: 5741 5604 ffff ffff f118 0815 0880 0880 WAV.............
000bc020: 0808 8008 091d a281 9880 8119 bbf8 291a ..............).
000bc030: 9234 6189 a998 bd91 3421 8802 0435 328a .4a.....4!...52.
000bc040: b1b9 69ba 0902 0acb 1132 8777 18bb aa98 ..i......2.w....
000bc050: a9a0 6541 2210 808a cba8 20ba cc83 3149 ..eA"..... ...1I
000bc060: bca1 249e f922 0081 3009 cea0 1112 1623 ..$.."..0......#
000bc070: 09b9 3409 bfcb 9814 418b 9131 aafc 9800 ..4.....A..1....
000bc080: 0010 2223 1004 631a eb89 bcc9 2333 1231 .."#..c.....#3.1
000bc090: 139f fc18 0802 2228 8341 ccbb 9422 7312 ......"(.A..."s.
000bc0a0: 0808 a1bf f998 1222 8aa1 200b fba8 2611 .......".. ...&.
000bc0b0: 8812 1489 8a86 1089 9a0b 92ff 8022 328a ............."2.
000bc0c0: ba29 f90a 0207 3001 8a83 8a8f 9117 3198 .)....0.......1.
...
000bcb10: 009a 12dc 889a a249 c800 1913 4143 b375 .......I....AC.u
000bcb20: 0898 888a b828 f830 1219 ea21 999b 81af .....(.0...!....
000bcb30: 8312 9982 03bf f8a1 4130 4408 189a f919 ........A0D.....
000bcb40: a180 40b9 841d a9ba 810b 8750 8242 00aa ..@........P.B..
000bcb50: 828a aa16 4182 418b adc9 ada9 0234 8350 ....A.A......4.P
000bcb60: 09c9 ab12 8011 4729 baa0 2990 4641 b920 ......G)..).FA.
000bcb70: ccca 319b e921 b834 32a8 0998 ba83 2672 ..1..!.42.....&r
000bcb80: 1052 00bc 8a81 a12b a3cb 9c51 8102 ccb9 .R.....+...Q....
000bcb90: ad85 2110 ffff ffff ffff ffff ffff ffff ..!.............
000bcba0: ffff ffff ffff ffff ffff ffff ffff ffff ................
0x0bd000 ... 0x0dafff | A total of 27 audio clips (including the two above). Most span one 0x1000 block. A few span two 0x1000 blocks. I wrote a quick bash script to print out these boundaries. |
Audio clip 1 at address 0xbb for 1 sections
Audio clip 2 at address 0xbc for 1 sections
Audio clip 3 at address 0xbd for 1 sections
Audio clip 4 at address 0xbe for 1 sections
Audio clip 5 at address 0xbf for 1 sections
Audio clip 6 at address 0xc0 for 2 sections
Audio clip 7 at address 0xc2 for 1 sections
Audio clip 8 at address 0xc3 for 1 sections
Audio clip 9 at address 0xc4 for 1 sections
Audio clip 10 at address 0xc5 for 1 sections
Audio clip 11 at address 0xc6 for 1 sections
Audio clip 12 at address 0xc7 for 1 sections
Audio clip 13 at address 0xc8 for 1 sections
Audio clip 14 at address 0xc9 for 1 sections
Audio clip 15 at address 0xca for 1 sections
Audio clip 16 at address 0xcb for 2 sections
Audio clip 17 at address 0xcd for 2 sections
Audio clip 18 at address 0xcf for 2 sections
Audio clip 19 at address 0xd1 for 1 sections
Audio clip 20 at address 0xd2 for 1 sections
Audio clip 21 at address 0xd3 for 1 sections
Audio clip 22 at address 0xd4 for 1 sections
Audio clip 23 at address 0xd5 for 1 sections
Audio clip 24 at address 0xd6 for 1 sections
Audio clip 25 at address 0xd7 for 1 sections
Audio clip 26 at address 0xd8 for 1 sections
Audio clip 27 at address 0xd9 for 1 sections
Audio clip 28 at address 0xda for 1 sections
0x0DB000 to the end? | This might be the user's voice recording. It initially had a few WAV entries, but when I recorded for the full 10 seconds, this section was completely overwritten with data. There is no WAV header. |
Audio data analysis
Based on the headers starting at location 0x0BB000 and every subsequent 0x1000 onward, we see a repeating audio header. What's the structure?
Byte 1+2 | Byte 3+4 | Byte 5+6 | Byte 7+8 | Byte 9+10 | Byte 11+12 | Byte 13+14 | Byte 15+16 |
---|---|---|---|---|---|---|---|
???? | Always 1000 (bits per sample?) | Always 00ff | Always FFFF | Length? /8? 3401, 8407, f400 ? | 0000 (prerecorded?), 0100 (custom?) | Track ID | Always 0000 |
Header "WA" 5741 | Header "V." 5604 | ??? 7777, 77ff, 7fff, ffff | ??? ffff, 77ff, ffb9, | ??? | ??? Audio | ??? Audio 8080, 0880 | ??? Audio |
?? Audio | ?? Audio | ?? Audio | ?? Audio | ?? Audio | ?? Audio | ?? Audio | ?? Audio |
Some random thoughts:
- Interestingly, the track ID starts from 1801 through to 1b01, then looping back to 0001, 0101, ... 1701. The last audio clip after 1701 is 0d00.
- It's odd that the bulk of the flash (744KB) isn't for audio data. Perhaps these records here refer to the data stored there?
- The headers here don't match any of the audio formats that JL provides for the AD140 (.a, .e, .f1a, f1c, f1x, ump3)
- I think some tracks loop indefinitely. Everything else seems to play back two times. Is this controlled by a flag somewhere?
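The boundary scan and the header fields from the table above, as an added example (this is not the bash script mentioned earlier): it walks a dump in 0x1000 steps, looks for the "WAV\x04" marker at offset 0x10, and reports each clip's span, length field and track ID. Reading bytes 9+10 as a little-endian byte count is an assumption, and the sample image is constructed from two header lines of the dump with filler bytes in place of audio.

```python
import struct
from dataclasses import dataclass

SECTION = 0x1000      # clip headers sit on 0x1000 boundaries (from the page)
MAGIC = b"WAV\x04"    # bytes at +0x10 of every clip header in the dump

@dataclass
class Clip:
    address: int      # offset of the header in the image
    length: int       # bytes 9+10, ASSUMED to be a little-endian byte count
    flag: str         # bytes 11+12 as hex ("0000" or "0100" on the page)
    track_id: str     # bytes 13+14 as hex, e.g. "1801"
    sections: int     # 0x1000 blocks occupied, counted from the data itself

    def predicted_sections(self) -> int:
        # Assumption: length counts the bytes that follow the 16-byte header.
        return -(-(0x10 + self.length) // SECTION)

def has_header(image: bytes, off: int) -> bool:
    return image[off + 0x10:off + 0x14] == MAGIC

def is_erased(image: bytes, off: int) -> bool:
    block = image[off:off + SECTION]
    return block.count(0xFF) == len(block)

def scan_clips(image: bytes) -> list[Clip]:
    clips = []
    for off in range(0, len(image), SECTION):
        if not has_header(image, off):
            continue
        (length,) = struct.unpack_from("<H", image, off + 8)
        nxt = off + SECTION
        # A clip continues through blocks that hold data but no new header.
        while nxt < len(image) and not has_header(image, nxt) and not is_erased(image, nxt):
            nxt += SECTION
        clips.append(Clip(off, length, image[off + 10:off + 12].hex(),
                          image[off + 12:off + 14].hex(), (nxt - off) // SECTION))
    return clips

def build_sample() -> bytes:
    """Constructed 32 KiB image: two headers copied from the page's dump,
    each followed by filler bytes (0x80) instead of real audio."""
    image = bytearray(b"\xff" * 0x8000)
    for off, hdr in ((0x1000, "41c6100000ffffff3401000018010000"),
                     (0x3000, "8262100000ffffff1411000001010000")):
        raw = bytes.fromhex(hdr)
        (length,) = struct.unpack_from("<H", raw, 8)
        body = MAGIC + b"\x80" * (length - len(MAGIC))
        image[off:off + 0x10 + length] = raw + body
    return bytes(image)

if __name__ == "__main__":
    for n, c in enumerate(scan_clips(build_sample()), 1):
        print(f"clip {n} at {c.address:#x}: {c.sections} section(s), track {c.track_id}")
```

On a real dump, pass the file's bytes to scan_clips() and compare sections with predicted_sections() for each clip to test the length assumption.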
I slapped on a real .wav file header to each of these audio tracks to see what I can hear. All tracks sound like noise. The last one, however, does contain my custom recording, but it was also full of noise, implying there's still some sort of encoding that's happening.
Here are the headers from the entire dump:
000bb000: 41c6 1000 00ff ffff 3401 0000 1801 0000 A.......4.......
000bb010: 5741 5604 77ff ffff 1758 888b 8080 8808 WAV.w....X......
000bb020: 0088 0088 081c 9100 8088 11ab 12da 1270 ...............p
--
000bc000: 8daa 1000 00ff ffff 8407 0000 1901 0000 ................
000bc010: 5741 5604 ffff ffff f118 0815 0880 0880 WAV.............
000bc020: 0808 8008 091d a281 9880 8119 bbf8 291a ..............).
--
000bd000: 1998 1000 00ff ffff f400 0000 1a01 0000 ................
000bd010: 5741 5604 7fff 77ff 41bc 862a 8080 8088 WAV...w.A..*....
000bd020: 0088 0808 081b a101 8908 a805 8802 ab19 ................
--
000be000: f603 1000 00ff ffff 9402 0000 1b01 0000 ................
000be010: 5741 5604 7fff ffb9 2943 f851 8080 8080 WAV.....)C.Q....
000be020: 8088 1919 2c6f fa91 1098 1008 12bb 011c ....,o..........
--
000bf000: fa3b 1000 00ff ffff 8402 0000 0001 0000 .;..............
000bf010: 5741 5604 7777 77fb 75bd 052c 8080 8080 WAV.www.u..,....
000bf020: 8800 8800 8808 80cb 239d a111 1092 5988 ........#.....Y.
--
000c0000: 8262 1000 00ff ffff 1411 0000 0101 0000 .b..............
000c0010: 5741 5604 77ff 7779 a341 8c71 b41b 8ae0 WAV.w.wy.A.q....
000c0020: 8800 8800 8088 0080 92fc 38b1 5a91 0808 ..........8.Z...
--
000c2000: 0a89 1000 00ff ffff b405 0000 0201 0000 ................
000c2010: 5741 5604 ffff ffcf 9099 08a2 72a0 3060 WAV.........r.0`
000c2020: 8088 0088 0088 0088 0093 0071 99b3 789b ...........q..x.
--
000c3000: 72d8 1000 00ff ffff 1403 0000 0301 0000 r...............
000c3010: 5741 5604 77ff 7777 ff25 0998 8080 8800 WAV.w.ww.%......
000c3020: 8088 0800 8808 900b 862a a8c8 3111 b93a .........*..1..:
--
000c4000: 564a 1000 00ff ffff 3402 0000 0401 0000 VJ......4.......
000c4010: 5741 5604 7777 7777 7188 8801 900f d080 WAV.wwwwq.......
000c4020: 8080 8808 0088 0089 b063 cd83 289a 8102 .........c..(...
--
000c5000: 8c11 1000 00ff ffff c400 0000 0501 0000 ................
000c5010: 5741 5604 77ff 37f9 7ff5 39d1 0808 8008 WAV.w.7...9.....
000c5020: 0880 0880 8009 8080 0880 1888 0008 8b40 ...............@
--
000c6000: 55f9 1000 00ff ffff 9401 0000 0601 0000 U...............
000c6010: 5741 5604 77ff ff9f a741 eb14 8080 8080 WAV.w....A......
000c6020: 8088 0088 081d f032 71fb 2328 be03 1988 .......2q.#(....
--
000c7000: bc34 1000 00ff ffff 2401 0000 0701 0000 .4......$.......
000c7010: 5741 5604 f775 f17f f64b e848 8080 8080 WAV..u...K.H....
000c7020: 8080 8008 8084 bf04 2bb0 32bc 150b b071 ........+.2....q
--
000c8000: 0698 1000 00ff ffff b400 0000 0801 0000 ................
000c8010: 5741 5604 7777 f7ff 78e2 0800 8080 8080 WAV.ww..x.......
000c8020: 8080 8080 8088 0090 8081 0990 28a0 981a ............(...
--
000c9000: 0a63 1000 00ff ffff d400 0000 0901 0000 .c..............
000c9010: 5741 5604 ff77 fff2 55af 9322 c808 0808 WAV..w..U.."....
000c9020: 0808 0808 0881 b82c 0994 1ca0 22a1 0c51 .......,...."..Q
--
000ca000: df3b 1000 00ff ffff f401 0000 0a01 0000 .;..............
000ca010: 5741 5604 fe77 fffa 76ab 8340 ca12 11c8 WAV..w..v..@....
000ca020: 0808 0808 8080 8191 a7ff 1a90 000a 271b ..............'.
--
000cb000: 67f9 1000 00ff ffff 141b 0000 0b01 0000 g...............
000cb010: 5741 5604 ffff 0ff7 78cb 250a 8080 8080 WAV.....x.%.....
000cb020: 8808 0088 080a 75fc 739e 9218 8898 3198 ......u.s.....1.
--
000cd000: 045b 1000 00ff ffff 1411 0000 0c01 0000 .[..............
000cd010: 5741 5604 f77f ff77 6c90 860c 0808 0808 WAV....wl.......
000cd020: 8008 8008 8082 6109 d26d 930b 0293 59aa ......a..m....Y.
--
000cf000: 0410 1000 00ff ffff 0411 0000 0d01 0000 ................
000cf010: 5741 5604 777f ffff c112 8131 0080 8088 WAV.w......1....
000cf020: 0088 0808 192e 77ea 8150 aa92 7992 802c ......w..P..y..,
--
000d1000: 734a 1000 00ff ffff 4401 0000 0e01 0000 sJ......D.......
000d1010: 5741 5604 7fff 773f f976 cb85 8080 8080 WAV...w?.v......
000d1020: 8080 8080 8809 8000 8901 818a 0338 ba28 .............8.(
--
000d2000: fb3f 1000 00ff ffff f400 0000 0f01 0000 .?..............
000d2010: 5741 5604 7fff 775f d034 89c2 8080 8080 WAV...w_.4......
000d2020: 8080 8080 800c b088 8088 0091 2000 e831 ............ ..1
--
000d3000: b2f0 1000 00ff ffff f400 0000 1001 0000 ................
000d3010: 5741 5604 ffff fff7 7738 080f b008 0880 WAV.....w8......
000d3020: 8008 0880 0809 8080 0808 0080 8088 8810 ................
--
000d4000: 8d9d 1000 00ff ffff d402 0000 1101 0000 ................
000d4010: 5741 5604 f777 7777 3e81 89c1 8008 8008 WAV..www>.......
000d4020: 8008 8008 080d 8213 0244 2199 8240 b90a .........D!..@..
--
000d5000: 67e3 1000 00ff ffff c401 0000 1201 0000 g...............
000d5010: 5741 5604 ffff ffff d100 8117 0880 0880 WAV.............
000d5020: 0808 8008 091d 02ab f908 9043 1282 4822 ...........C..H"
--
000d6000: 6e6b 1000 00ff ffff f400 0000 1301 0000 nk..............
000d6010: 5741 5604 ff77 77c8 0fb0 3409 0088 0088 WAV..ww...4.....
000d6020: 0080 8800 8089 5089 99b9 b89a b404 8f31 ......P........1
--
000d7000: 9a0f 1000 00ff ffff 9401 0000 1401 0000 ................
000d7010: 5741 5604 ffff fffb 0898 1887 7088 0088 WAV.........p...
000d7020: 0088 0800 8809 69fb 0340 a811 120b e930 ......i..@.....0
--
000d8000: 2e79 1000 00ff ffff 9401 0000 1501 0000 .y..............
000d8010: 5741 5604 7777 2375 f838 042f a080 8080 WAV.ww#u.8./....
000d8020: 8080 8009 193f fb08 0880 0888 1000 9019 .....?..........
--
000d9000: 9fea 1000 00ff ffff e400 0000 1601 0000 ................
000d9010: 5741 5604 7fff 7778 fe16 29b8 0808 0808 WAV...wx..).....
000d9020: 0808 0808 080b a209 91b2 59a8 840b 0993 ..........Y.....
--
000da000: 860f 1000 00ff ffff e408 0000 1701 0000 ................
000da010: 5741 5604 77f7 7671 bcfb 9469 0808 0808 WAV.w.vq...i....
000da020: 0808 0880 8097 73f9 7c82 98ba 749b 9033 ......s.|...t..3
--
000f2000: a2fc 1000 00ff ffff f0eb 0100 0d00 0000 ................
000f2010: 5741 5604 f110 0800 9192 b3b5 d4d4 d7ff WAV.............
000f2020: 8880 0891 0009 1819 0a2a a11c 9c07 aa70 .........*.....p
See Also
Big Clive's Buddha flower
Big Clive did a teardown of a buddha flower a few months earlier. There's a discussion on the flash dump that he uploaded on Reddit: https://old.reddit.com/r/BigCliveDotCom/comments/pmt390/buddha_machine_teardown_with_flash_dump/?sort=new
The flash dump and similar ones others have uploaded are quite different from this one, but I think it's based on a similar JL microprocessor.