Hacking Hardware Picofly - a HWFLY switch modchip

[marhalloweenvt]

the code is on C, I am not getting there yet.

If somebody likes, this is my code on Arduino:

#include "pico/unique_id.h"
String cadena;


void setup() {
  // put your setup code here, to run once:

  Serial.begin(115200);
  while (!Serial) {
    ; // wait for serial port to connect. Needed for native USB port only
  }
  // send an intro:
  Serial.println("\n\nPico Unique Board ID:");
  Serial.println();
}

void loop() {
  pico_unique_board_id_t board_id;
  pico_get_unique_board_id(&board_id);
  //pico_get_unique_board_id_string;
  cadena = "";
  for (int i = 0; i < PICO_UNIQUE_BOARD_ID_SIZE_BYTES; ++i) {
 //   Serial.write(board_id.id[i]);
    //Serial.write(13);
    //Serial.write(10);
    cadena += board_id.id[i];
  }
  Serial.println(cadena);
  delay(5000);
}

I am using Raspberry Pi Pico/RP2040 https://github.com/earlephilhower/arduino-pico board library on the Arduino IDE, that have the unique_id.h file.

If you use micropython, you can simple run this in Shell (I am using Thorny to communicate with Pico):

>>> import ubinascii
>>> import machine
>>> ubinascii.hexlify(machine.unique_id())

 

[duckbill007]

You need encrypt 2nd stage firmware

Or decrypt existed and remove decryptor from 1st stage.

 

[vittorio]

if you can find the payload let's try to decrypt it, theoretically a software hack on the switch is also possible since a webkit exploit has come out, only a kernel exploit is missing

 

[ByteFun]

Or decrypt existed and remove decryptor from 1st stage.

This is the goal. I mean, you can't just patch one place by changing the ID. But, is it possible to make the get ID function return the same set of bytes? Sounds like a dirty patch, but can work as a temporary security bypass solution ))

Post automatically merged: Jan 20, 2023

The encrypted firmware is located at 1000297C, the decryption magic happens at about 10013622. But I still can't start debugging and the context is missing. SWD disabled, OpenOCD saying "DAP init failed"

 

[ByteFun]

Well. I successfully connected the debugger. The container is not checked for integrity, but any modification of the firmware will reset the chip into firmware download mode. Perhaps there are some checks during the execution of the firmware. But after doing something, I was able to start debugging and breakpoints also work. Gradually learning microcontrollers))

 

[Mansi]

Well. I successfully connected the debugger. The container is not checked for integrity, but any modification of the firmware will reset the chip into firmware download mode. Perhaps there are some checks during the execution of the firmware. But after doing something, I was able to start debugging and breakpoints also work. Gradually learning microcontrollers))

Сan you write to me on 4pda?

 

[wurstpistole]

The amount of new users who just register to dip in on this exact topic is, at least, a little suspicious.

 

[Vladjaye]

The amount of new users who just register to dip in on this exact topic is, at least, a little suspicious.

Because the forum is quite popular and the specific topic might be discussed in different languages elsewhere. They join this place to ask\provide some feedback on their findings, no?

 

[Deleted member 194275]

The amount of new users who just register to dip in on this exact topic is, at least, a little suspicious.

Given how popular the switch is and how expansive the hwfly is, it's expected that an alternative raise attention.

 

[coldfire0101]

any updates to the op ?? is this pikofly a real deal or fake ??

 

[impeeza]

any updates to the op ?? is this pikofly a real deal or fake ??

please read the thread.

 

[Donnie-Burger]

any updates to the op ?? is this pikofly a real deal or fake ??

Yes.No.Maybe So

 

[Mansi]

any updates to the op ?? is this pikofly a real deal or fake ??

50/50

 

[cowboy619]

any updates to the op ?? is this pikofly a real deal or fake ??

It’s fake. Some people say the sky is blue but that is fake


Sent from my iPhone using Tapatalk

 

[binkinator]

Schrödinger‘s modchip. It’s both fake and not fake until we observe it.

 

[Deleted member 194275]

Trust me, the lack of a definitive answer now is a huge advancement in this SBC modding situation. A month or so ago there was no reasons to be unsure, it was a definitive "no, it's not happening".

 

[Adran_Marit]

any updates to the op ?? is this pikofly a real deal or fake ??

50/50

It’s fake. Some people say the sky is blue but that is fake


Sent from my iPhone using Tapatalk

Schrödinger‘s modchip. It’s both fake and not fake until we observe it.

It's been said to be legit, also said the dev stopped because people were impatient sooooo idk anymore

 

[PicoPro]

Some people still don't belive in PicoFly? That's funny
I wonder if i should make a video-proof of glitching, huh...
Sadly i'm not allowed... for now.

 

[Vladjaye]

Some people still don't belive in PicoFly? That's funny
I wonder if i should make a video-proof of glitching, huh...
Sadly i'm not allowed... for now.

So is it like actively under development in China with closed source code?

 

[PicoPro]

So is it like actively under development in China with closed source code?

The only thing i can say, it works fine with Mariko (with few exceptions).

I can't say who is bEhind the development, but Right now I wonder is thiS the only Thing they cAn do...