Recent content by KAAAsS

  1. KAAAsS

    Hacking Hardware Picofly - a HWFLY switch modchip

    Since 0x20041fa0 is located in the stack and didn't get cleared before get_unique_id, I guess that data was written by other functions. The difference between the injected and original firmware might be because the injected firmware didn't run the flash_get_unique_id function, so the stack contents...
  2. KAAAsS

    Hacking Hardware Picofly - a HWFLY switch modchip

    Thx for the info! That really helps me understand the program, since it uses atomic IO a lot. Since the program looks like it uses several MMIO addresses to pass data during the decryption, I guess this is the reason my emulation went wrong. Will try to implement this later. EDIT: sadly the...
  3. KAAAsS

    Hacking Hardware Picofly - a HWFLY switch modchip

    @thesjaakspoiler Thx for the info! But I still suspect it's an anti-debugger, because the program only reads the value of SYSCFG_DBGFORCE. So I guess it is detection or something? Besides, it is weird that the addresses 0x40006014 and 0x40007014 are not documented in the RP2040 datasheet (maybe I miss...
  4. KAAAsS

    Hacking Hardware Picofly - a HWFLY switch modchip

    Just noticed that in emulation the program frequently does R/W to SYSCFG before the decryption, and 0x40004014 is SYSCFG_DBGFORCE. I'm not familiar with the RP2040; could anyone tell me if this is an anti-debugger or something of that sort? Just a guess. IO_MEM[SYSCFG] write:pc:200200CA addr:40006014 size:4...
  5. KAAAsS

    Hacking Hardware Picofly - a HWFLY switch modchip

    @renoob Good news! It means the firmware has started the decryption. What about the register values? Could you print the values of R3 and R6? My fault, I misread that.
  6. KAAAsS

    Hacking Hardware Picofly - a HWFLY switch modchip

    Yes. It's a mapped address. 0x200200C0 ~ 0x200212F0 is loaded from .bin offset 0x1591C. Yes, but not that mysterious; most of them are just the normal boot process. For example, 0x10002608 is _retrieve_unique_id_on_boot, and is triggered during boot. The chip could hang in a loop checking hardware...
  7. KAAAsS

    Hacking Hardware Picofly - a HWFLY switch modchip

    Tried to run the firmware by emulating the RP2040, but so far have had no luck. The program just keeps decrypting and never triggers 0x20020440. The problem might be in emulating the peripherals, since the decryption code uses them everywhere (like disabling the IRQ, and using PPB_VTOR to pass data, if I...
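
Added example (not from the thread, the poster, or the Picofly/HWFLY firmware): a small Python decoder for emulator MMIO trace lines like the one quoted in post 4. It uses the RP2040 datasheet's memory map and its atomic register access scheme, in which every peripheral's 4 kB register block is mirrored at +0x1000 (XOR on write), +0x2000 (bitmask set) and +0x3000 (bitmask clear); under that scheme 0x40006014 and 0x40007014 are the SET and CLR mirrors of SYSCFG_DBGFORCE (0x40004014), not separate registers. The `IO_MEM[...] op:pc:... addr:... size:...` line format is assumed from the single quoted line; the additional sample lines are constructed, and the register name table covers only the registers this thread mentions.

```python
import re

# RP2040 peripheral base addresses (RP2040 datasheet memory map). Each block
# listed here spans 0x4000 bytes: 0x1000 of registers plus three 0x1000 mirrors.
PERIPHERALS = {
    0x40000000: "SYSINFO", 0x40004000: "SYSCFG", 0x40008000: "CLOCKS",
    0x4000C000: "RESETS", 0x40010000: "PSM", 0x40014000: "IO_BANK0",
    0x40018000: "IO_QSPI", 0x4001C000: "PADS_BANK0", 0x40020000: "PADS_QSPI",
    0x40024000: "XOSC", 0x40028000: "PLL_SYS", 0x4002C000: "PLL_USB",
    0x40030000: "BUSCTRL", 0x40034000: "UART0", 0x40038000: "UART1",
    0x4003C000: "SPI0", 0x40040000: "SPI1", 0x40044000: "I2C0",
    0x40048000: "I2C1", 0x4004C000: "ADC", 0x40050000: "PWM",
    0x40054000: "TIMER", 0x40058000: "WATCHDOG", 0x4005C000: "RTC",
    0x40060000: "ROSC", 0x40064000: "VREG_AND_CHIP_RESET", 0x4006C000: "TBMAN",
    0x50000000: "DMA", 0x50110000: "USBCTRL_REGS", 0x50200000: "PIO0",
    0x50300000: "PIO1",
}

# Atomic-access mirrors: a write to +0x1000 XORs the written bits into the
# register, +0x2000 sets them, +0x3000 clears them. +0x0000 is a plain access.
ALIASES = {0x0000: "RW", 0x1000: "XOR", 0x2000: "SET", 0x3000: "CLR"}

# Only the registers the thread talks about; anything else is shown as an offset.
REGISTERS = {
    ("SYSCFG", 0x14): "DBGFORCE",
    ("SYSCFG", 0x18): "MEMPOWERDOWN",
    ("PPB", 0xE100): "NVIC_ISER",
    ("PPB", 0xE180): "NVIC_ICER",
    ("PPB", 0xED08): "VTOR",
}


def decode_addr(addr):
    """Resolve an MMIO address to peripheral, access alias, register offset and name."""
    if 0xE0000000 <= addr < 0xE0010000:
        # Cortex-M0+ private peripheral bus (NVIC, SCB, ...): no atomic mirrors.
        periph, alias, off = "PPB", "RW", addr - 0xE0000000
    elif 0xD0000000 <= addr < 0xD0010000:
        # SIO is core-local and has no atomic mirrors either.
        periph, alias, off = "SIO", "RW", addr - 0xD0000000
    else:
        base = addr & ~0x3FFF
        if base not in PERIPHERALS:
            return None
        periph = PERIPHERALS[base]
        alias = ALIASES[addr & 0x3000]   # which of the four 4 kB mirrors was hit
        off = addr & 0x0FFF              # register offset within the block
    reg = REGISTERS.get((periph, off), "+0x%04x" % off)
    return {"periph": periph, "alias": alias, "offset": off, "reg": reg}


# Assumed trace format, taken from the one line quoted in the thread.
TRACE_RE = re.compile(
    r"IO_MEM\[(?P<region>\w+)\]\s+(?P<op>read|write):pc:(?P<pc>[0-9A-Fa-f]+)"
    r"\s+addr:(?P<addr>[0-9A-Fa-f]+)\s+size:(?P<size>\d+)")


def parse_trace_line(line):
    """Parse one emulator trace line into a dict; None if it is not a trace line."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    addr = int(m["addr"], 16)
    dec = decode_addr(addr) or {"periph": m["region"], "alias": "?", "offset": addr, "reg": "?"}
    return {"op": m["op"], "pc": int(m["pc"], 16), "addr": addr, "size": int(m["size"]), **dec}


def describe(line):
    """Human-readable one-liner: which register was touched, and through which mirror."""
    ev = parse_trace_line(line)
    if ev is None:
        return None
    via = "" if ev["alias"] == "RW" else " via %s alias" % ev["alias"]
    return "pc=%08x %s %s.%s%s" % (ev["pc"], ev["op"], ev["periph"], ev["reg"], via)


def dbgforce_accesses(lines):
    """Trace events that touch SYSCFG.DBGFORCE through any of its four mirrors."""
    events = (parse_trace_line(l) for l in lines)
    return [ev for ev in events if ev and ev["periph"] == "SYSCFG" and ev["reg"] == "DBGFORCE"]


SAMPLE_TRACE = [
    # Line quoted in the thread (it was truncated there; the tail is not reconstructed).
    "IO_MEM[SYSCFG] write:pc:200200CA addr:40006014 size:4",
    # Constructed lines in the same format, for illustration only.
    "IO_MEM[SYSCFG] write:pc:200200D2 addr:40007014 size:4",
    "IO_MEM[SYSCFG] read:pc:200200DA addr:40004014 size:4",
    "IO_MEM[PPB] write:pc:20020110 addr:E000ED08 size:4",
    "IO_MEM[PPB] write:pc:20020118 addr:E000E180 size:4",
]

if __name__ == "__main__":
    for line in SAMPLE_TRACE:
        print(describe(line))
```

Feeding the quoted line through `describe` yields `pc=200200ca write SYSCFG.DBGFORCE via SET alias`; the constructed 0x40007014 line decodes as the CLR mirror of the same register. Because the SET and CLR mirrors are write-only bit operations, a firmware that reads DBGFORCE at 0x40004014 and writes its mirrors is manipulating the debug-port force bits, which is different from merely sampling them; separating the two in the trace is the first thing to check before calling it an anti-debugging check.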