Hacking Hardware Picofly - a HWFLY switch modchip

impeeza · Jan 28, 2023

FruithatMods said:
Who here would buy one of these chips? Would you pay 10€ for one?

I brought mines on Amazon all three under 9 USD including shipping to colombia, you can get on other places for 3 or 4 usd but the sipping on your own.

FruithatMods · Jan 28, 2023

How much is it if you pay for your own shipping?

linuxares · Jan 28, 2023

saladus said:
i was gonna say that but i didn't want to sound mean . our best bet would be linuxares

The OG dev won't give me a copy either so... nope :<

Adran_Marit · Jan 28, 2023

linuxares said:
The OG dev won't give me a copy either so... nope :<

Need to bat the eyelids more XD all joking aside it seems it's up to us to get it working

vittorio · Jan 28, 2023

Has anyone opened the fw with some disassembly program??

FruithatMods · Jan 28, 2023

linuxares said:
The OG dev won't give me a copy either so... nope :<

When you say OG dev do you mean the OG dev or the OG OG dev?

linuxares · Jan 28, 2023

FruithatMods said:
When you say OG dev do you mean the OG dev or the OG OG dev?

The one that made the first (?) firmware for the rp2040 for the Switch. That never got released. It's canned.

SylverReZ · Jan 28, 2023

vittorio said:
Has anyone opened the fw with some disassembly program??

It's encrypted so it isn't possible without decrypting.

FruithatMods · Jan 28, 2023

linuxares said:
The one that made the first (?) firmware for the rp2040 for the Switch. That never got released. It's canned.

It was put to me that two different people developed a firmware for the rp2040.
The beta version which zecoxao wrote about and the one which pre-dates the beta version by a different unknown dev.

linuxares · Jan 29, 2023

FruithatMods said:
It was put to me that two different people developed a firmware for the rp2040.
The beta version which zecoxao wrote about and the one which pre-dates the beta version by a different unknown dev.

Zeco? No he just posted a video he got sent. He haven't developed anything for the Switch as far as I know. He is in the Playstation scene right?

Hayato213 · Jan 29, 2023

FruithatMods said:
How much is it if you pay for your own shipping?

Depends where you buy it from, like Amazon that offer prime shipping you can get it like $9+ tax.

TheSynthax · Jan 29, 2023

Pi pico have a swd port

Mansi said:
yep

What's the Flash ID of your chip?

FruithatMods · Jan 29, 2023

Another hwfly variant observed in its wild habitat!
Can anyone do me a massive favour and measure the thickness of a normal hwfly chip?

impeeza · Jan 29, 2023

FruithatMods said:
How much is it if you pay for your own shipping?

on the WaveShare the shipping to Colombia is 20 USD, so buying on amazon was a lot cheaper to me, I did buy 35 USD on different items and the shipping was free to Colombia.

Post automatically merged: Jan 29, 2023

binkinator said:
You bet!

Trying to catch up with everyone else in this thread that seems to know how to do everything already.

End goal is to get my device ID so if this thing every materializes I'll be ready...

Here's the next thing that stumped me for a bit while trying to get the pico-examples to compile (you might have breezed through this but I'm a nüb sometimes.)

DILLIGAF!

Code:

wwiii@wwiii-VAIO MSYS ~/projects/pico-examples/build $ cmake .. -- Building for: Ninja Using PICO_SDK_PATH from environment ('C:/Users/wwiii/projects/pico-sdk/') PICO_SDK_PATH is C:/Users/wwiii/projects/pico-sdk Defaulting PICO_PLATFORM to rp2040 since not specified. Defaulting PICO platform compiler to pico_arm_gcc since not specified. -- Defaulting build type to 'Release' since not specified. PICO compiler is pico_arm_gcc CMake Error at C:/Users/wwiii/projects/pico-sdk/cmake/preload/toolchains/find_compiler.cmake:28 (message): Compiler 'arm-none-eabi-gcc' not found, you can specify search path with "PICO_TOOLCHAIN_PATH". Call Stack (most recent call first): C:/Users/wwiii/projects/pico-sdk/cmake/preload/toolchains/pico_arm_gcc.cmake:20 (pico_find_compiler) C:/devkitPro/msys2/mingw64/share/cmake/Modules/CMakeDetermineSystem.cmake:124 (include) CMakeLists.txt:6 (project) CMake Error: CMake was unable to find a build program corresponding to "Ninja". CMAKE_MAKE_PROGRAM is not set. You probably need to select a different build tool . CMake Error: CMAKE_C_COMPILER not set, after EnableLanguage CMake Error: CMAKE_CXX_COMPILER not set, after EnableLanguage CMake Error: CMAKE_ASM_COMPILER not set, after EnableLanguage -- Configuring incomplete, errors occurred!

Install the following (and select all 4 packages)

Code:

pacman -S mingw-w64-x86_64-arm-none-eabi-toolchain

wwiii@wwiii-VAIO MSYS ~/projects/pico-examples
$ mkdir build; cd build

wwiii@wwiii-VAIO MSYS ~/projects/pico-examples/build
$ cmake ..
PICO_SDK_PATH is C:/Users/wwiii/projects/pico-sdk
PICO platform is rp2040.
-- The C compiler identification is GNU 12.2.0
-- The CXX compiler identification is GNU 12.2.0
-- The ASM compiler identification is GNU
-- Found assembler: C:/devkitPro/msys2/mingw64/bin/arm-none-eabi-gcc.exe
Build type is Release
Defaulting PICO target board to pico since not specified.
Using board configuration from C:/Users/wwiii/projects/pico-sdk/src/boards/include/boards/pico.h
-- Found Python3: C:/Users/wwiii/AppData/Local/Programs/Python/Python310/python.exe (found version "3.10.0") found components: Interpreter
TinyUSB available at C:/Users/wwiii/projects/pico-sdk/lib/tinyusb/src/portable/raspberrypi/rp2040; enabling build support for USB.
cyw43-driver available at C:/Users/wwiii/projects/pico-sdk/lib/cyw43-driver
lwIP available at C:/Users/wwiii/projects/pico-sdk/lib/lwip
-- Configuring done
-- Generating done
-- Build files have been written to: C:/Users/wwiii/projects/pico-examples/build

to get your Pico ID (the NOR Flash one) you have different methods:

Using Arduino Genuino

Or run this program on the Pico:

C:

#include "pico/unique_id.h"
String cadena;
String cadenaHex;

void setup() {
  Serial.begin(115200);
  while (!Serial) {
    ; // wait for serial port to connect. Needed for native USB port only
  }
  // send an intro:
  Serial.println("\n\nPico Unique Board ID:");
  Serial.println();
  // initialize digital pin LED_BUILTIN as an output.
  pinMode(LED_BUILTIN, OUTPUT);
}

// the loop function runs over and over again forever
void loop() {
  digitalWrite(LED_BUILTIN, HIGH);
  cadena = "";
  cadenaHex = "";
  pico_unique_board_id_t board_id;
  pico_get_unique_board_id(&board_id);
  for (int i = 0; i < PICO_UNIQUE_BOARD_ID_SIZE_BYTES; ++i) {
    cadena += String(" " + String(board_id.id[i], DEC));
    cadenaHex += String(" " + String(board_id.id[i], HEX));
  }
  Serial.println("Flash ID (int): " + cadena);
  Serial.println("Flash ID (hex): " + cadenaHex);
  delay(250);
  digitalWrite(LED_BUILTIN, LOW);
  delay(250);
}

then connect to computer and monitor the COM port of the connected pico, you will get something like:

This program DO NOT start running on the pico until you open a COM monitor

TheSynthax · Jan 29, 2023

TheSynthax said:
binwalk

There's a blowfish-256 section as well. Here's the raw output:
DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 317964 0x4DA0C mcrypt 2.2 encrypted data, algorithm: blowfish-256, mode: CBC, keymode: 4bit 317971 0x4DA13 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit

Interestingly, binwalk only sees these encrypted binary sections in the uf2, when flashed and then dumped it no longer detects anything- just pure binary.

vittorio · Jan 29, 2023

Try on fw.bin

saladus · Jan 29, 2023

vittorio said:
Try on fw.bin

nothing

shaunsingh0207 · Jan 29, 2023

you aren't going to have any luck decompiling the uf2 file. I tried to decrypt the binary file and while it worked, it seems they've done their homework and removed any useful information from that file. It would genuinely be easier to write your own.
From what I understand they're using the PIO on the rp2040 to perform the glitch instead of the fgpa on the hwfly boards

binkinator · Jan 29, 2023

impeeza said:
on the WaveShare the shipping to Colombia is 20 USD, so buying on amazon was a lot cheaper to me, I did buy 35 USD on different items and the shipping was free to Colombia.

Post automatically merged: Jan 29, 2023

to get your Pico ID (the NOR Flash one) you have different methods:

Using Arduino Genuino
View attachment 349912
View attachment 349913

Or run this program on the Pico:

C:

#include "pico/unique_id.h" String cadena; String cadenaHex; void setup() { Serial.begin(115200); while (!Serial) { ; // wait for serial port to connect. Needed for native USB port only } // send an intro: Serial.println("\n\nPico Unique Board ID:"); Serial.println(); // initialize digital pin LED_BUILTIN as an output. pinMode(LED_BUILTIN, OUTPUT); } // the loop function runs over and over again forever void loop() { digitalWrite(LED_BUILTIN, HIGH); cadena = ""; cadenaHex = ""; pico_unique_board_id_t board_id; pico_get_unique_board_id(&board_id); for (int i = 0; i < PICO_UNIQUE_BOARD_ID_SIZE_BYTES; ++i) { cadena += String(" " + String(board_id.id[i], DEC)); cadenaHex += String(" " + String(board_id.id[i], HEX)); } Serial.println("Flash ID (int): " + cadena); Serial.println("Flash ID (hex): " + cadenaHex); delay(250); digitalWrite(LED_BUILTIN, LOW); delay(250); }

then connect to computer and monitor the COM port of the connected pico, you will get something like:

View attachment 349914

This program DO NOT start running on the pico until you open a COM monitor

Yeah…heh…that’s what I was uhhhh….going to try next. Had the code typed up and everything. Yeah…that’s the ticket.

(Thanks buddy! It would have taken me quite a bit longer to get to that!)

vittorio · Jan 29, 2023

shaunsingh0207 said:
you aren't going to have any luck decompiling the uf2 file. I tried to decrypt the binary file and while it worked, it seems they've done their homework and removed any useful information from that file. It would genuinely be easier to write your own.
From what I understand they're using the PIO on the rp2040 to perform the glitch instead of the fgpa on the hwfly boards

actually maybe it's easier to write it than to decrypt it, but how does it work?

Hacking Hardware Picofly - a HWFLY switch modchip

¡Kabito!

Well-Known Member

The inadequate, autocratic beast!

Walküre's Hacker

Well-Known Member

Well-Known Member

The inadequate, autocratic beast!

Dat one with the Rez

Well-Known Member

The inadequate, autocratic beast!

Newcomer

Well-Known Member

Well-Known Member

¡Kabito!

Well-Known Member

Well-Known Member

Well-Known Member

New Member

Garfield’s Fitness Coach

Well-Known Member

Similar threads

Popular threads in this forum