Hacking Hardware Picofly - a HWFLY switch modchip

  • Thread starter: mathew77
  • Views: 3,677,414
  • Replies: 17,052
  • Likes: 15
The original ID is just a 64-bit number and it is retrieved from the flash chip.
The RP2040 does not have an internal ID in the CPU itself (according to the documentation):
https://raspberrypi.github.io/pico-sdk-doxygen/group__pico__unique__id.html
I don't know if the dump is just a raw dump of the flash chip?
If so, then it should be there.

If not, someone will be able to hack it.
Just speculating here but the firmware is probably the same as for the hwfly.
So we know the decoding algorithm. Then it is just a matter of trying all keys and comparing the output.
With a 64-bit key, that will be peanuts for a normal CPU.
I'm sure there are smart kids here who can break this encryption on a Sunday afternoon.
I messaged one guy from 4pda and he gave me the contacts of the guy who got this dump. This guy said that he bought this picofly on a platform like ebay. He said it costs about $50. And also, as I get it, it is just his dump and not a complete flash solution. Read the command somewhere, like '"some tool" dump all'.
 
We have a dump of firmware from another one, but I've already flashed that and it isn't working, so obviously a step is missing etc.
 
> I messaged one guy from 4pda and he gave me the contacts of the guy who got this dump. This guy said that he bought this picofly on a platform like ebay. He said it costs about $50. And also, as I get it, it is just his dump and not a complete flash solution. Read the command somewhere, like '"some tool" dump all'.

Yeah, "picotool save --all" is the command.
 
I have thoughts that he is the dev, because he ignores any questions about the seller and answers partially. He said that it starts at a different time. It can start immediately or take much longer than hwfly.
 
I thought we already had the firmware. Is yours different?
Yes,
> We have a dump of firmware from another one, but I've already flashed that and it isn't working, so obviously a step is missing etc.

Of course it doesn't work lol. There is a binding by ID. On your flash there is another ID.
 
> I messaged one guy from 4pda and he gave me the contacts of the guy who got this dump. This guy said that he bought this picofly on a platform like ebay. He said it costs about $50. And also, as I get it, it is just his dump and not a complete flash solution. Read the command somewhere, like '"some tool" dump all'.

I think that's the same guy who dropped the firmware here.
You can install picotool from GitHub and compare it with this dump in HxD.
 
Getting the ID of your flash is not a problem.
We can compare the bytecode of two different dumps.
> I think that's the same guy who dropped the firmware here.
> You can install picotool from GitHub and compare it with this dump in HxD.
Yes it is.
 
Well, we'd need a second dump, wouldn't we?
Just checked both dumps; the MD5 is different. Possibly these are dumps from different chips. The UF2 is the same.
Difficult to read?) Delete it, it is not a pity.
And you are bald, I will not give the firmware)))
Can you share your firmware too? Or don't you have it?
 
My best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who is able to crack this sort of ID check.

That kid would need a legit firmware dump though for him to do his magic. Can anyone fill me in on the firmware? Do we have any binaries? Is the posted blob a single program or are those a bunch of binaries?
 
> My best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who is able to crack this sort of ID check.
>
> That kid would need a legit firmware dump though for him to do his magic. Can anyone fill me in on the firmware? Do we have any binaries? Is the posted blob a single program or are those a bunch of binaries?
A little higher in the thread there is an archive with a firmware dump.
> Just checked both dumps; the MD5 is different. Possibly these are dumps from different chips. The UF2 is the same.

The bins are the same too; it's just cleared of empty blocks, so the MD5 must be identical.
 
> A little higher in the thread there is an archive with a firmware dump.
>
> The bins are the same too; it's just cleared of empty blocks, so the MD5 must be identical.
The dump is the same as this guy's dump here: https://gbatemp.net/threads/pikofly...y-modchips-or-not.622701/page-8#post-10049937

They just added extra padding to the dump to make it more convincing. You ain't fooling nobody, kiddo.

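The two posts above disagree over whether the dumps are the same: one compares raw MD5 sums, the other says the bins match once empty blocks are removed, and a third says extra padding was added to a copy. A plain hash of a raw flash read is not a good identity check, because a full-chip read includes erased sectors (0xFF) that a trimmed save leaves out. The script below is an added editorial example, not code from the thread or from picotool; it assumes a 4 KiB erase-sector size and uses constructed sample dumps (one trimmed image, the same image padded to a full chip, and a padded copy with one byte changed). It shows the raw hashes differing while the padding-stripped hashes match, and, when the content really differs, the first sector that differs.

```python
"""
Compare two raw flash dumps while ignoring erased / empty padding.

Constructed example: DUMP_A is a trimmed "firmware" image (no empty sectors),
DUMP_B is the same image padded with erased flash (0xFF) to a 64 KiB chip,
DUMP_C is a padded copy with one byte changed. None of this is a real dump.
"""
import hashlib

# 4 KiB erase sector: assumption about the SPI flash used on RP2040 boards.
SECTOR = 4096


def is_empty(sector: bytes) -> bool:
    """A sector counts as empty if it is entirely erased (0xFF) or entirely zero."""
    return (not sector
            or sector == b"\xff" * len(sector)
            or sector == b"\x00" * len(sector))


def sectors(data: bytes):
    """Yield (offset, sector_bytes) for every sector of the dump, in order."""
    for off in range(0, len(data), SECTOR):
        yield off, data[off:off + SECTOR]


def strip_trailing_empty(data: bytes) -> bytes:
    """Drop empty sectors from the end of the dump (the padding a full-chip read adds)."""
    chunks = [s for _, s in sectors(data)]
    while chunks and is_empty(chunks[-1]):
        chunks.pop()
    return b"".join(chunks)


def content_map(data: bytes) -> dict:
    """Offset -> SHA-256 of every non-empty sector, so interior gaps are kept in place."""
    return {off: hashlib.sha256(s).hexdigest() for off, s in sectors(data) if not is_empty(s)}


def compare_dumps(a: bytes, b: bytes) -> dict:
    """Compare two dumps raw, after stripping trailing padding, and sector by sector."""
    stripped_a, stripped_b = strip_trailing_empty(a), strip_trailing_empty(b)
    map_a, map_b = content_map(a), content_map(b)
    differing = sorted(off for off in set(map_a) | set(map_b) if map_a.get(off) != map_b.get(off))
    return {
        "raw_md5_equal": hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest(),
        "stripped_md5_equal": hashlib.md5(stripped_a).hexdigest() == hashlib.md5(stripped_b).hexdigest(),
        "nonempty_sectors_a": len(map_a),
        "nonempty_sectors_b": len(map_b),
        "first_differing_sector": differing[0] if differing else None,
    }


# Constructed sample dumps (three full sectors of non-empty bytes).
FIRMWARE = bytes(range(256)) * 48          # 12288 bytes = 3 sectors
CHIP_SIZE = 64 * 1024
DUMP_A = FIRMWARE                                           # trimmed save
DUMP_B = FIRMWARE + b"\xff" * (CHIP_SIZE - len(FIRMWARE))   # full-chip read of the same image
DUMP_C = bytearray(DUMP_B)
DUMP_C[5000] ^= 0xFF                                        # one byte changed in sector 1
DUMP_C = bytes(DUMP_C)

if __name__ == "__main__":
    for name, other in (("padded copy", DUMP_B), ("modified copy", DUMP_C)):
        print(name, compare_dumps(DUMP_A, other))
```

Run it as-is to see the padded copy report `raw_md5_equal: False` but `stripped_md5_equal: True`, while the modified copy fails both and points at sector offset 4096. For real files, read them with `open(path, "rb").read()` and pass them to `compare_dumps`; the sector map is what tells you whether a mismatch is only padding or an actual content difference.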
 
> Difficult to read?) Delete it, it is not a pity.
> And you are bald, I will not give the firmware)))

So, does it work? Can you upload a video? And can you upload a dump?
Little update on this... after posting I thought I'd better go and check I had soldered in the flexes correctly, so I took the RP out and wired up an SX Core manually using the same wires I was using for the RP (don't have any Lites currently) and it wouldn't glitch... turns out I hadn't soldered DAT0 correctly.

Fixed that issue and confirmed my wiring was good with the SX, rewired the RP back in, but unfortunately I'm getting the same result: blue light then red light... BUT now I'm NOT getting into OFW like I was before; this is similar to what happens when you have soldered an SX/HW chip in incorrectly (again, I confirmed this wasn't the case).

Removing 3.3V does allow the console to then boot OFW like normal (expected behaviour).

So IMO at this point it's trying to do something and failing... maybe this is to do with the ID encryption I read about a few pages back... maybe it's missing something, but I'm now in a position where I can test anything hardware side, so please let me know.

Also I've tested the install with and without resistors, as the picture on page 1 clearly doesn't have them installed, so not sure why the schematic a few pages ago does.
How did you upload the UF2? By using USB or picotool?
> The dump is the same as this guy's dump here: https://gbatemp.net/threads/pikofly...y-modchips-or-not.622701/page-8#post-10049937
>
> They just added extra padding to the dump to make it more convincing. You ain't fooling nobody, kiddo.

He said that he received the file from the 4PDA user; most likely this is the same guy who posted the first dump.
 
Last edited by Doodka.