Dissecting the Teddy Ruxpin: Reverse Engineering the Smart Bear

Conference:  Defcon 26



The presentation discusses the process of hacking a Teddy Ruxpin toy to access and modify its content.
  • The Teddy Ruxpin toy has a micro SD pin header that allows access to its mass storage device
  • The storybooks in the toy are stored in a proprietary file format that uses a mark table to store triggers for eye and mouth movement
  • The audio files in the storybooks have a header structure that includes sample rate, channel, and mark table data
  • The speaker provides a demo of modifying the content of a storybook to include the DEF CON logo
The speaker demonstrates how they were able to modify a storybook to include the DEF CON logo, which was displayed on the toy's eyes. They also mention that they have free giveaways for attendees who visit their booth after the presentation.


The Teddy Ruxpin is an iconic toy from the 1980's featuring an animatronic teddy bear that reads stories from cassette tapes to children. In late 2017, a new model of the toy was released with improvements including Bluetooth connectivity, LCD eyes, and a companion mobile application. While the new bear features a number of improvements, the Teddy Ruxpin's original ability to add new stories by replacing the included cassettes is no longer applicable, and it requires users to supply files to the bear in a proprietary format. This presentation aims to show how the new Teddy Ruxpin was reverse engineered down to a very low level in order to create new content. I will reveal the inner workings of the hardware and software within the bear and document the process used to reverse engineer it. I will then examine the communication between the mobile application and Teddy Ruxpin as well as the custom structure of the digital books read by the bear. I will end the presentation by releasing a toolset that allows users to create their own stories followed by a demo showcasing the Teddy Ruxpin greeting the DEF CON audience.