Teardown: The electronics of Hello Barbie

Parents leery of privacy invasion have little to fear from Barbie, whose language skills mainly reside in the cloud.

There’s been a lot of discussion in the media about privacy and home appliances that listen to conversations. The Hello Barbie doll is a voice-enabled toy that has been part of the controversy. It uses Wi-Fi and speech recognition technology to engage in a two-way dialogue. You start a conversation by pressing a button built into her belt buckle. You press the button to start the conversation and release it to hear Barbie respond. More to the point, if Barbie’s belt buckle isn’t depressed, she can’t listen to anything. The belt buckle switch is mechanical, so no hacker could bypass it without having physical access to Barbie’s circuit board.

Barbie actually works a lot like a push-to-talk walkie-talkie. So you don’t have to worry about her listening in surreptitiously on what you say, despite reports in the media to the contrary. To get the doll to respond to speech, Barbie’s creator Mattel worked with a company called ToyTalk to come up with 8,000 lines of dialog for Barbie. Barbie’s dialog is actually stored in the cloud, so you need a constant connection to the internet for her to say anything interesting. Barbie listens to what you say, tries to understand some key words, then selects a piece of dialog that would make sense in context.

barbie communication diagram — Hello Barbie must be commissioned via smartphone so she can access your home Wi-Fi network and the ToyTalk cloud database. If she loses contact with your Wi-Fi network, not much can happen.

We tried talking to Barbie with varying levels of success. One thing that’s obvious from seeing typical interactions with Barbie is that Mattel won’t have the same kinds of problems that arose when Microsoft unveiled Tay — a Twitter bot described as an experiment in conversational understanding. When people tweeted at the bot with misogynistic and racist remarks, Tay started tweeting back these sentiments.

In contrast, Barbie can only say things from a memorized list. But the list of responses doesn’t seem to mimic what you might expect to hear from a kid. At least to us, Barbie appears to come across as more of a teacher than a playmate for a child. She seems to keep trying to steer the conversation in directions you might find during a kindergarten class. So we think a lot of kids will find Barbie annoying, and they’ll get tired of her pretty quickly.

Doll internals

disassembled Barbie torso — Barbie’s rechargeable lithium-ion battery is in her left leg.

It turns out there isn’t much to Barbie’s electronics. She has a lithium-ion battery in one of her legs that recharges when Barbie is in her stand and plugged in. So there’s no wireless charging here.
Barbie contains a single circuit board inside her torso. The top of the board holds an AzureWave Wi-Fi microcontroller module built on a widely-used Marvell microcontroller called the 88MW300 that implements an ARM Cortex-M4F processor. So the Marvell chip handles both the Wi-Fi connection as well as running the code for the rest of Hello Barbie’s functions. A 24-bit audio codec from Nuvoton also sits on the board. It provides analog-to-digital and digital-to-analog conversion, and input/output mixers for both the doll’s microphone and speaker. The other significant chip on the board is a 16-Mbit SPI Flash from Gigadevice in China. It serves as the system’s main non-volatile memory.

A point to note is that the Flash memory doesn’t store audio from people talking to Barbie. The doll uses Wi-Fi to send that information to the cloud to figure out how to respond. But that mode of operation also necessitates that Barbie be associated with your home Wi-Fi. That happens through a mobile phone app which the user (or more likely the user’s parents) download. The app also serves as a means for setting up a ToyTalk account.

Barbie electronics w plastic shield — Barbie’s PCB is oriented so most components mount on the board surface facing the back of the doll. Masking tape is one of the construction components.

Barbie back of board — Barbie’s microphone and speaker mount in the upper part of her torso.

Barbie main board with callouts — Barbie’s PCB. The meal shield goes on top of the Marvell MCU. The white objects visible in the image are connectors for the mic, battery, and speaker.

Once the setup is complete, Barbie beams data back and forth with ToyTalk servers, doing all its storage and data processing in the cloud. According to security experts who’ve looked at Barbie, one good thing about that scheme is that it’s tough for a hacker to compromise things. Barbie stores network SSIDs and passwords on her Flash, but the passwords are encrypted in the doll’s memory and are difficult to extract. And the only way a hacker could really get at the audio recordings could be through a data breach of the ToyTalk website. But that sort of eavesdropping would require that the hacker generate a valid toytalk.com certificate, which apparently is not easy.

Barbie chip — There was one IC on Barbie’s PCB we couldn’t identify, but it’s position on the board seems to indicate it manages battery charging.

Consequently, the chances of bad guys getting hold of whatever kids say to Barbie seem slim. But though the voice processing is pretty sophisticated, the construction of the doll itself is on the primitive side. For example, masking tape is one of the doll’s construction materials. The tape is used to hold a clear plastic shield in place over part of the circuit board. The wiring in the doll for the speakers and battery connection connects to the circuit board through connectors, but the wiring comes to the board at odd angles. So there seems to be a lot of hand assembly involved in putting Barbie together.

All in all, Hello Barbie seems to provide hints of what one-day may be possible through sophisticated cloud processing. Privacy wise, she is nothing to get alarmed about.

References
Marvell 88MW300
GigaDevice
Nuvoton