Hacking Hardware Picofly - a HWFLY switch modchip

[lemongrab]

I'm a bit lost. If I understood correctly the firmware is encrypted and tied to the id to the flash. How many people are there with a working picofly and where did they even get it when the original dev cancelled the release. Because if the encrypted/flash id part is outdated, I would look into the firmware and see if I can patch the SD loader, which is said to be broken.

 

[renoob]

Page 34, unlocked fw

 

[TheSynthax]

I'm a bit lost. If I understood correctly the firmware is encrypted and tied to the id to the flash. How many people are there with a working picofly and where did they even get it when the original dev cancelled the release. Because if the encrypted/flash id part is outdated, I would look into the firmware and see if I can patch the SD loader, which is said to be broken.

If you can manage to swap out the SD loader for a known-good loader (Spacecraft or HWFLY) then this will be a fully functional chip.

 

[FruithatMods]

You also have to hope there isn't a CRC check of the payload which I doubt there is.
I would use a hex editor in combination with a decompiler to find the payload region.
You can cut the region using a hex editor and replace it with a working payload.

1. Find the payload start and end
2. Replace the payload

But everybody also understands it is better and cleaner to write the firmware from scratch.
There are already efforts underway by at least one community member from what I know.

 

[vittorio]

it's easier to unid the other fw than to fix this one

 

[Tafty]

you can boot in official mode, it s strange no one test to apply the patch on Boot0 that hwfly of sx core do the Emmc.
Maybe it s the fix for boot in CFW mode.

I've allready tried this, doesn't work

 

[nqtal]

Maybe my idea is nonsense, sorry. But what if to attract AI ? For example ChatGPT. To write the firmware or find errors.

 

[Doodka]

Maybe my idea is nonsense, sorry. But what if to attract AI ? For example ChatGPT. To write the firmware or find errors.

I don’t think this is a good idea, chatgpt itself often makes mistakes, but here you need to write code based on specific documentation and for specific hardware

 

[SUPERBANEN]

Maybe my idea is nonsense, sorry. But what if to attract AI ? For example ChatGPT. To write the firmware or find errors.

Probably it would say that it is illegal and would do absolutely nothing but anyway you could try

 

[binkinator]

We can ask DAN to Do Anything Now.

https://www.fastcompany.com/90845689/chatgpt-dan-jailbreak-violence-reddit-rules

 

[Doodka]

Probably it would say that it is illegal and would do absolutely nothing but anyway you could try

ai does not know the concept of "legality" in this context, you can simply say "we need a program for rp2040 that will generate such and such data based on such and such timings for certain pins"
but firstly, ai can make mistakes, and secondly, we ourselves need to understand what the algorithm of actions is
we can feed him information from the github about the exploit and other things, but it is not clear how he will analyze it
if someone has a desire, he can try to take ready-made packages for training and test everything on Stable Diffusion

 

[binkinator]

ai does not know the concept of "legality" in this context, you can simply say "we need a program for rp2040 that will generate such and such data based on such and such timings for certain pins"
but firstly, ai can make mistakes, and secondly, we ourselves need to understand what the algorithm of actions is
we can feed him information from the github about the exploit and other things, but it is not clear how he will analyze it
if someone has a desire, he can try to take ready-made packages for training and test everything on Stable Diffusion

My money is still on @FruithatMods. Better AI with 2022 and 2023 information already uploaded. UI is a little rough around the edges but still far from worthless.

 

[tecfreak]

Maybe my idea is nonsense, sorry. But what if to attract AI ? For example ChatGPT. To write the firmware or find errors.

The humanity is doomed - and this post is the proof.

 

[Tafty]

I've allready tried this, doesn't work

I'm replying to myself lol, but for everyone else here it's also worth noting I took the boot0 from the pico and moved it to a hwfly system and did get the same error I was seeing on pico about BEK keys etc... But moving a hwfly boot0 over to pico didn't get me into HOS.

And before anyone asks, I tried fusee I tried from hekate... I tried injecting boot0 and trying to boot straight in, and also injecting then rebooting and trying again.

One thing I did notice and may be of important, when you first install the pico you will see the white led... This is either training Or some sort of initial diagnostic to check everything is working correctly or even the initial modification to boot0, the white led is either followed with a color to indicate a problem Or a blue led while it starting glitch timing.

Now when I flashed the hwfly boot0 and rebooted before attempting to launch in HOS I was greated with the white led again as if this was it's first boot, this makes me believe its coded to rewrite boot0 If the data/checksum whatever doesn't match its own code.

Im pretty confident that there is nothing we can do from a hekate/payload point to get this to "work", which I'm using very loosely because while I understand everyone is hyped and wants this to work NOW this isn't the correct way to go about this. As I have allready said and some others here have aswell, we need a completely open source firmware, this benefits everyone in the long run rather then some bodged up work around.

So can I ask, please stop sending me payloads etc to ask me to test, because I'm not going to bother at this point.. But I will still continue to test any UF2 firmwares for the pico itself.

 

[Doodka]

ok, I want to clarify something
So far, are we making progress with code disassembly for the encrypted/unlocked version?
Or is anyone writing code from scratch? If yes, please give us a sign
Perhaps we should involve third-party developers who have already been involved in hacking or modchips? because I have a feeling that there are no people in the thread with knowledge of the rp2040 architecture or knowledge of where to dig at all

 

[Tafty]

ok, I want to clarify something
So far, are we making progress with code disassembly for the encrypted/unlocked version?
Or is anyone writing code from scratch? If yes, please give us a sign
Perhaps we should involve third-party developers who have already been involved in hacking or modchips? because I have a feeling that there are no people in the thread with knowledge of the rp2040 architecture or knowledge of where to dig at all

people are looking at it...at least a few are in this thread....again this is likely going to take time to understand.

but the bigger problem is everyone here wants a solution now and doesn't want to wait....or doesn't even want to read through the entire thread to find out what's going on(people everyday asking for updates)

if you want a solution now, your better off paying whoever created the original firmware to give it up.

but yes any devs that can help would obviously speed up things

 

[vittorio]

I'm working on the disassembly of the fw, if someone can help me it's better, I'm doing some tests with a guy

 

[scd]

people are looking at it...at least a few are in this thread....again this is likely going to take time to understand.

but the bigger problem is everyone here wants a solution now and doesn't want to wait....or doesn't even want to read through the entire thread to find out what's going on(people everyday asking for updates)

if you want a solution now, your better off paying whoever created the original firmware to give it up.

but yes any devs that can help would obviously speed up things

I kinda wish that we can pin posts here, or get the OP to edit their post so it links to the newest update. when I found this thread I found it kinda annoying I had to go through 20 pages just to find an actual update on it y'know?

 

[hippy dave]

I kinda wish that we can pin posts here, or get the OP to edit their post so it links to the newest update. when I found this thread I found it kinda annoying I had to go through 20 pages just to find an actual update on it y'know?

You or OP or anyone can ask a mod to mark a particular comment as important, and these important posts can be listed and jumped to from the top of the thread. Press report on a post and ask for it to be marked important.

 

[Adran_Marit]

I'm replying to myself lol, but for everyone else here it's also worth noting I took the boot0 from the pico and moved it to a hwfly system and did get the same error I was seeing on pico about BEK keys etc... But moving a hwfly boot0 over to pico didn't get me into HOS.

And before anyone asks, I tried fusee I tried from hekate... I tried injecting boot0 and trying to boot straight in, and also injecting then rebooting and trying again.

One thing I did notice and may be of important, when you first install the pico you will see the white led... This is either training Or some sort of initial diagnostic to check everything is working correctly or even the initial modification to boot0, the white led is either followed with a color to indicate a problem Or a blue led while it starting glitch timing.

Now when I flashed the hwfly boot0 and rebooted before attempting to launch in HOS I was greated with the white led again as if this was it's first boot, this makes me believe its coded to rewrite boot0 If the data/checksum whatever doesn't match its own code.

Im pretty confident that there is nothing we can do from a hekate/payload point to get this to "work", which I'm using very loosely because while I understand everyone is hyped and wants this to work NOW this isn't the correct way to go about this. As I have allready said and some others here have aswell, we need a completely open source firmware, this benefits everyone in the long run rather then some bodged up work around.

So can I ask, please stop sending me payloads etc to ask me to test, because I'm not going to bother at this point.. But I will still continue to test any UF2 firmwares for the pico itself.

I'm curious for the sake of sanity, could you use the pico to boot into rcm and try from there as it seems this is the only thing we haven't tried