Hacking Hardware Picofly - a HWFLY switch modchip

  • Thread starter: mathew77
  • Views: 3,678,505
  • Replies: 17,052
  • Likes: 15
Have you considered that the binary payload might be encrypted?

Also it appears like something has gotten lost in translation. Some people here claimed it was someone from China who developed this... It wasn't. The "Chinese boards" are referring to the Waveshare company who makes the RP2040 Pico Zero PCB.
 
Last edited by FruithatMods,
The dump is the same as this guy's dump here: https://gbatemp.net/threads/pikofly...y-modchips-or-not.622701/page-8#post-10049937

They just added extra padding to the dump to make it more convincing. You ain't fooling nobody, kiddo.

On the Pico, using picotool you can read the "program" area or the full memory chip. If you only read the program area you don't get the "garbage" on the chip; however, in that "garbage" you can store information read by the program. So if you are going to do a backup of your chip, make a full one. You never know what is on it, and it is only 2MB!
 
I see the controversy has begun. If you think that someone has created another account and is trolling you, it could be.
Russian guys are capable of it) The problem is that the firmware that I threw off was provided to me by Heinrich_frei as is.
I didn’t do anything else and didn’t throw off. What IgraBIT1 showed does not prove the functionality of the glitch.
Because it's just a normal photo.
The cooler stays in place, does not spin. And in rp2040, the usual glow is flashed with a green LED.
With such success, I could also take my switch, remove the hwfly glitch and put rp2040 in its place and prove that it works and I don’t want to share it with you.

Not all people are good(
 
Someone send me an ID of an RP2040
RP2040 does not have an on-board unique identifier (all instances of RP2040 silicon are identical and have no persistent state). However, RP2040 boots from serial NOR flash devices which have a 64-bit unique ID as a standard feature, and there is a 1:1 association between RP2040 and flash, so this is suitable for use as a unique identifier for an RP2040-based board.
The ID of the RP2040-Zero (which is made by Waveshare and shown in this thread) is the ID of the Winbond NOR flash. You can use one of mine: "In your DM box"
 
Not sure why it would matter what your ID is, by my understanding the only ID that would be useful to anyone is the unique ID of the same RP2040-Zero as someone's *paired* firmware dump. An ID from a different Zero than the one it was dumped from is useless.
 
Not sure why it would matter what your ID is, by my understanding the only ID that would be useful to anyone is the unique ID of the same RP2040-Zero as someone's *paired* firmware dump. An ID from a different Zero than the one it was dumped from is useless.
I assume that the reason vittorio asked for IDs is that the ID might be stored in the bin file and just checked against the Pico's ID
 
Interesting. So what you're saying is that all Picos encrypt their code?
No, no reason to unless you have something you don't want reverse engineered. The first stage is part of the Chinese firmware, it's just there to make it hard to understand what it's doing. It handles that decryption step.
 
