Hacking Hardware Picofly - a HWFLY switch modchip

FruithatMods

Project File Name: firmware.bin
Last Modified: Fri Feb 03 18:35:59 CET 2023
Readonly: false
Program Name: firmware.bin

Minimum Address: 00000000
Maximum Address: 00014cff
# of Bytes: 85248
# of Memory Blocks: 1
# of Instructions: 0
# of Defined Data: 0
# of Functions: 0
# of Symbols: 17
# of Data Types: 0
# of Data Type Categories: 1

Executable MD5: d40587baee6549652a2ca0e9dec0e307
Executable SHA256: 0343c6fd1ba1ff773dbcc688a14c55dc61fef4df96a294366c4f33c5d4c84abc

These are the hashes of the file from the other thread.
Is this the same one as the previous leak?
Post automatically merged:

I decompiled the firmware from the YouTube video. These are ALL the readable strings using the same decompilation method as the guy does in the video. There is nothing more to it.

Perhaps someone who is more knowledgeable can comment on this.
 

Attachments

  • Screenshot 2023-02-03 at 18.42.06.png (258.6 KB)

impeeza

Project File Name: firmware.bin
Last Modified: Fri Feb 03 18:35:59 CET 2023
Readonly: false
Program Name: firmware.bin

Minimum Address: 00000000
Maximum Address: 00014cff
# of Bytes: 85248
# of Memory Blocks: 1
# of Instructions: 0
# of Defined Data: 0
# of Functions: 0
# of Symbols: 17
# of Data Types: 0
# of Data Type Categories: 1

Executable MD5: d40587baee6549652a2ca0e9dec0e307
Executable SHA256: 0343c6fd1ba1ff773dbcc688a14c55dc61fef4df96a294366c4f33c5d4c84abc

These are the hashes of the file from the other thread.
Is this the same one as the previous leak?
Post automatically merged:

I decompiled the firmware from the YouTube video. These are ALL the readable strings using the same decompilation method as the guy does in the video. There is nothing more to it.

Perhaps someone who is more knowledgeable can comment on this.
The file from YT and mediafire is bit-for-bit equal to the one at the start of the thread.
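Added example, my own code rather than anything posted in the thread: the three checks the posts above do by hand, namely hashing an image to get the MD5/SHA-256 pair shown in the program-information block, comparing two dumps byte for byte (the "bit-for-bit equal" claim), and pulling the readable strings out of the blob. The sample image is constructed inside the script and is not the Picofly firmware; the function names are my own.

```python
"""Hash, compare and string-scan a firmware image (added example).

The sample image below is constructed; it is NOT the Picofly firmware.
Real dumps are loaded with open(path, "rb").read()."""
import hashlib
import re
from typing import Dict, List, Optional

# Constructed stand-in for a dump: a few printable runs between opaque bytes.
SAMPLE_IMAGE = (
    b"\x00\x20\x00\x10\xed\x00\x00\x10"   # 8 opaque bytes (constructed)
    + b"picoboot v1.0\x00"                # ASCII string, NUL-terminated
    + b"\x7f\x03\xc2\x19"                 # more opaque bytes
    + b"hekate payload.bin\x00"
    + b"\xff" * 16                        # erased-flash style filler
    + b"ab\x00\x00"                       # too short to count as a string
    + b"e\x00M\x00M\x00C\x00"             # UTF-16LE "eMMC"
)

def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-256 hex digests, the two values quoted in the thread
    for identifying whether two leaks are the same file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None when the two dumps are
    bit-for-bit identical. A length mismatch counts as a difference at the
    end of the shorter image."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n

def readable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable runs of at least `min_len` characters, ASCII and UTF-16LE,
    returned in file order (roughly what `strings` with both the 's' and
    'l' encodings would print)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return [s for _, s in sorted(found)]

if __name__ == "__main__":
    digests = file_hashes(SAMPLE_IMAGE)
    print("md5    ", digests["md5"])
    print("sha256 ", digests["sha256"])
    print("strings", readable_strings(SAMPLE_IMAGE))
    # A single flipped bit changes both digests and shows up as offset 8.
    patched = bytearray(SAMPLE_IMAGE)
    patched[8] ^= 0x01
    print("first differing offset:", first_difference(SAMPLE_IMAGE, bytes(patched)))
```

Hashes settle "same file or not" in one line, but when they differ, first_difference tells you where the two leaks diverge, which is the more useful question for a dump that may have been re-padded or trimmed rather than modified.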
 

peteruk

The collaboration of community devs, engineers and all-round try-hards working on this together with no thought of monetary gain is what I love about this community... it so often gets called toxic, but this is what happens when clever people work together: it benefits everyone.

It reminds me of days gone by when Dark Samus, plailect and all those other cool people worked publicly on arm9loaderhax, screen init functions and tons of other stuff on freenode (IRC)... not just that, but they encouraged normies to join up and always made you feel a part of things (really happy memories).
 

FruithatMods

Here is the decompiled file in C from the original leak which is the same as the YouTube video.
Post automatically merged:

The first thing the startup code does is initialize the hardware, copy the contents of flash memory into RAM, and start the main function. We get the identifier of the flash memory. The chip voltage rises and the clock frequency rises to 333 MHz. In this mode, we can no longer work with flash memory. Perhaps the decryption algorithm expands the flash ID as a key into block 0x100, but perhaps this is the context for the decryptor.
Can you point me to the location in the disassembled code where this occurs? I know there is a string at 00002947 which is related to this function.

When I was researching how to code the firmware from scratch, I hypothesised that we will likely need to overclock the RP2040 for it to be fast enough to sniff the eMMC signals. The reason why it is loading the code into IRAM is that the flash chip can only operate at about 300 MHz before it refuses to work. The RP2040 can be pushed to about 400 MHz.
 

Attachments

  • firmware.txt (41.1 KB)

AntonIX

Hey, just found leaked sources about how hwfly works.
Post automatically merged:

Also, I read on 4pda that the FPGA is used to quickly generate RSA keys to emulate the cartridge. I don't completely understand what it means. Looks like it is a wrong machine translation.
 

Attachments

  • GD32F3x0_Firmware_Library_User_Guide_Rev1.0.pdf.txt (5.3 MB)
  • GD32F350xx_Datasheet_Rev1.4.pdf.txt (2.4 MB)
  • Modchip Research Monography.pdf (62.9 KB)
  • SXCORE_old_schemes.zip.txt (8.2 MB)
  • GD32F3x0_User_Manual_EN_v2.1.pdf (8.8 MB)

Doodka

Yeah, that was me, sorry I didn't see your question; I just used the UF2 provided.
You can try uploading it through picotool and verifying the firmware with it.
Post automatically merged:

Hey, just found leaked sources about how hwfly works.
Post automatically merged:

Also, I read on 4pda that the FPGA is used to quickly generate RSA keys to emulate the cartridge. I don't completely understand what it means. Looks like it is a wrong machine translation.
Can you give a link to this phrase?
I found only something about emulating the cartridge slot, but I don't understand why this is necessary.
 

Piorjade

I got a question regarding the CLK pin that the HWFLY/SXCore use, do the chips generate the clock signal themselves or does the CLK signal come from the Switch SoC?
 

FruithatMods

I got a question regarding the CLK pin that the HWFLY/SXCore use, do the chips generate the clock signal themselves or does the CLK signal come from the Switch SoC?
Usually it is both, but not at the same time. Whatever is talking to the eMMC generates the CLK.

When the HWFLY is just listening, the Switch SoC should be producing the signal.
 

Piorjade

Usually it is both, but not at the same time. Whatever is talking to the eMMC generates the CLK.

When the HWFLY is just listening, the Switch SoC should be producing the signal.
Alright, so in the payload flashing process we generate it ourselves, got it.
 

impeeza

wdym, I'm pretty sure the UF2 and bin go on the Pico and you put hekate as payload.bin on the SD. Regardless, I haven't done this, another person in the thread did.
Yes, the bin on the Pico (or the UF2) and hekate on the console's SD will work on the original Pico, because the firmware is mostly encrypted.
 

FruithatMods

The consensus is that it's encrypted using the Pico's flash ID.
It does check for the Pico ID. We should ask @ByteFun what he thinks, though. It seems like he understands assembly enough to know what the code does.

The reason why that is the consensus is that someone here analysed the UF2 file with a tool which shows there are two regions in the file that contain data which is encrypted with Blowfish. I ran the same tool on both the UF2 and the bin file. No such encrypted regions are present in the bin file. I can confirm the findings for the UF2 file.
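Added example, my own code and not the tool or analysis from the post above: an "encrypted regions" result of that kind comes from scanning a file for windows whose byte distribution looks random. Below is that scan written out as a sliding-window Shannon entropy check, run on a constructed image (not the Picofly UF2 or BIN). The sample deliberately includes a uniform lookup table, which scores 8.0 bits per byte exactly like ciphertext: entropy alone says "random-looking", not which cipher or even whether it is a cipher, so a call like "Blowfish" needs a second check (a header, or the algorithm's known constants) on top of the entropy hit.

```python
"""Sliding-window entropy scan for random-looking regions (added example).

The image scanned here is constructed; it is not the Picofly UF2 or BIN."""
import math
import random
from collections import Counter
from typing import List, Tuple

def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for a
    perfectly uniform byte distribution."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())

def high_entropy_regions(data: bytes, window: int = 1024,
                         threshold: float = 7.0) -> List[Tuple[int, int]]:
    """Merge consecutive windows scoring above `threshold` into (start, end)
    byte ranges. Ciphertext and compressed data sit near 8.0; machine code
    and ordinary data tables usually land between 4 and 6.5, text lower
    still. A trailing partial window is skipped, as most scanners do."""
    regions: List[Tuple[int, int]] = []
    start = None
    end = 0
    for off in range(0, len(data) - window + 1, window):
        end = off + window
        hot = shannon_entropy(data[off:end]) > threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, end))
    return regions

# Constructed image, laid out in 1 KiB blocks so the result is easy to read.
_rng = random.Random(2023)  # seeded: the fake "ciphertext" is reproducible
_text = (b"Picofly boot stage, hello world.  " * 40)[:1024]
_random1 = bytes(_rng.getrandbits(8) for _ in range(4096))
_random2 = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE_IMAGE = (
    b"\x00" * 1024            # 0x0000: empty padding, entropy 0
    + _text                   # 0x0400: plain text, low entropy
    + _random1                # 0x0800: stand-in for an encrypted blob
    + b"\xff" * 1024          # 0x1800: erased flash, entropy 0
    + bytes(range(256)) * 4   # 0x1C00: uniform lookup table, entropy 8.0
    + b"\x00" * 1024          # 0x2000: padding
    + _random2                # 0x2400: second "encrypted" blob
)

def report(data: bytes) -> List[str]:
    """One line per flagged region. The table at 0x1C00 is flagged too,
    which is the point: the scan cannot tell a table from ciphertext."""
    lines = []
    for start, end in high_entropy_regions(data):
        e = shannon_entropy(data[start:end])
        lines.append(f"0x{start:05X}-0x{end:05X}  {end - start:6d} bytes  "
                     f"entropy {e:.2f} bits/byte (random-looking; cipher unknown)")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_IMAGE)))
```

To compare a UF2 against its bin the way the post describes, run high_entropy_regions on both files: the UF2 wraps the payload in 512-byte blocks with headers, so region offsets will not line up between the two, but the presence or absence of hot regions is what the comparison turns on.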
 

vittorio


Attachments

  • firmware.rar (111 KB)
