Hacking Hardware Picofly - a HWFLY switch modchip

TheStonedModder

I would like to remind you about the PS4 9.00 WebKit exploit. People were complaining that a USB drive was needed to perform the exploit. Such vile idiots.
People feel so entitled to free "hacks".

It's crazy. Like, I'm sure their broke asses can afford these cheap parts every once in a while if they really wanted to.

Even when I was broke working in a grocery store, I understood that ~$20 worth of parts vs. weeks more of entertainment was a no-brainer.
 

l7777

the vid only shows the Pico booting Hekate, prolly never even booted HOS to begin with
I may be mistaken, but I believe booting Hekate at all indicates that the security has been broken and the glitching worked. The part that is being worked on is what happens after. The firmware we have does not use the same loader for HOS as the known working loaders, possibly by design.
 

renoob

So I've managed to partially inject a new ID at the address where the ID is stored at boot (which is later read by get_unique_id).
Long story short: I created a code cave in free space and branched to it from the get-unique-ID-on-boot function (bypassing the call that sends the message to the flash to get the ID with the 4B command).

And this is the result from GDB while the Pico is connected; it is at that address:


Code:
Thread 1 hit Breakpoint 1, 0x10020000 in ?? ()
(gdb) ni
0x10020002 in ?? ()
(gdb) ni
0x10020004 in ?? ()
(gdb) x/8x $r0
0x200259c8:     0x11    0x22    0x33    0x44    0x00    0x00    0x00    0x00
(gdb) x/8x 0x200259c8
0x200259c8:     0x11    0x22    0x33    0x44    0x00    0x00    0x00    0x00
(gdb)

vs. the original, where it reads my Pico ID:

Code:
(gdb) x/8x 0x200259C8
0x200259c8:    0xe6    0x61    0x41    0x04    0x03    0x79    0xa7    0x39
(gdb)
The thing is, I cannot store the full value in a register, so it needs to somehow inject the rest in the lower half. Not sure how to do it yet (load the other half in another register, then combine them).
Anyway, maybe this will work or maybe it won't; maybe worth a shot. BTW, this is that firmware where we have the ID.
If someone more knowledgeable in ASM can chime in.
 
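The register-width problem in the post above (Thumb-1 MOVS only takes an 8-bit immediate, so a 32-bit word, let alone an 8-byte ID, cannot be loaded in one instruction) is worked through below. This is an added example, not renoob's code or anything from the Picofly firmware: it generates the halfwords a code cave would need to write a fixed 8-byte ID into the buffer and then interprets them to prove they do what they claim. Assumptions, labelled in the code: the cave is entered with r0 pointing at the ID buffer (consistent with the post's `x/8x $r0` showing 0x200259c8), it returns with BX LR, and it sits at a 4-byte-aligned address in free XIP flash (0x10020000, the post's breakpoint address, is reused as that base). Two constructions are shown: the "load the other half and combine" route with MOVS/LSLS/ADDS, and the PC-relative literal-pool load that a compiler would emit.

```python
import struct

# Assumptions (not from the post): the cave is entered with r0 pointing at the
# 8-byte ID buffer (the post's `x/8x $r0` shows r0 == 0x200259c8), it must leave
# the ID there and return with BX LR, and it sits at a 4-byte-aligned address
# in free XIP flash; 0x10020000 is the post's breakpoint address, reused here.
CAVE_BASE = 0x10020000
ID_BUF = 0x200259C8

# --- Thumb-1 (ARMv6-M) encoders; each returns one 16-bit halfword ---------
def movs_imm(rd, imm8):        # MOVS Rd, #imm8      (only 8 bits fit!)
    return 0x2000 | (rd << 8) | (imm8 & 0xFF)

def lsls_imm(rd, rm, imm5):    # LSLS Rd, Rm, #imm5
    return (imm5 << 6) | (rm << 3) | rd

def adds_imm(rd, imm8):        # ADDS Rd, #imm8
    return 0x3000 | (rd << 8) | (imm8 & 0xFF)

def str_imm(rt, rn, off):      # STR Rt, [Rn, #off]  off = 0..124, word aligned
    return 0x6000 | ((off // 4) << 6) | (rn << 3) | rt

def ldr_lit(rt, off):          # LDR Rt, [PC, #off]  off = 0..1020, word aligned
    return 0x4800 | (rt << 8) | (off // 4)

BX_LR, NOP = 0x4770, 0xBF00

def halfwords(hws):
    return b"".join(struct.pack("<H", h) for h in hws)

def load32_by_bytes(rd, value):
    """Build a 32-bit constant with MOVS/LSLS/ADDS: the 'combine halves' route."""
    b = value.to_bytes(4, "big")
    hws = [movs_imm(rd, b[0])]
    for byte in b[1:]:
        hws += [lsls_imm(rd, rd, 8), adds_imm(rd, byte)]
    return hws

def cave_by_bytes(uid8):
    """17 halfwords, position independent, no data after the code."""
    lo, hi = struct.unpack("<II", uid8)        # words as they must sit in RAM
    return halfwords(load32_by_bytes(1, lo) + [str_imm(1, 0, 0)]
                     + load32_by_bytes(1, hi) + [str_imm(1, 0, 4), BX_LR])

def cave_literal_pool(uid8):
    """5 halfwords + pool: the usual way a compiler loads a 32-bit constant."""
    code_len = 5 * 2
    pool = (code_len + 3) & ~3                   # pool must be word aligned
    def pc_rel(instr_off, target):               # PC reads as instr+4, then Align(PC,4)
        return target - ((instr_off + 4) & ~3)
    hws = [ldr_lit(1, pc_rel(0, pool)), str_imm(1, 0, 0),
           ldr_lit(2, pc_rel(4, pool + 4)), str_imm(2, 0, 4), BX_LR]
    hws += [NOP] * ((pool - code_len) // 2)
    return halfwords(hws) + uid8                 # uid8 is already little-endian words

def run_cave(code, base=CAVE_BASE, id_buf=ID_BUF):
    """Interpret just the encodings above and return the 8 bytes left at id_buf."""
    mem = {base + i: byte for i, byte in enumerate(code)}
    rd32 = lambda a: int.from_bytes(bytes(mem.get(a + k, 0) for k in range(4)), "little")
    def wr32(a, v):
        for k, byte in enumerate(v.to_bytes(4, "little")):
            mem[a + k] = byte
    r = [0] * 8
    r[0] = id_buf
    pc = base
    while True:
        hw = mem[pc] | (mem[pc + 1] << 8)
        top = hw & 0xF800
        if hw == BX_LR:
            break
        if hw == NOP:
            pass
        elif top == 0x2000:                      # MOVS
            r[(hw >> 8) & 7] = hw & 0xFF
        elif top == 0x3000:                      # ADDS
            rd = (hw >> 8) & 7
            r[rd] = (r[rd] + (hw & 0xFF)) & 0xFFFFFFFF
        elif top == 0x0000:                      # LSLS
            r[hw & 7] = (r[(hw >> 3) & 7] << ((hw >> 6) & 31)) & 0xFFFFFFFF
        elif top == 0x6000:                      # STR
            wr32(r[(hw >> 3) & 7] + ((hw >> 6) & 31) * 4, r[hw & 7])
        elif top == 0x4800:                      # LDR literal
            r[(hw >> 8) & 7] = rd32(((pc + 4) & ~3) + (hw & 0xFF) * 4)
        else:
            raise ValueError(f"unsupported halfword {hw:#06x} at {pc:#x}")
        pc += 2
    return bytes(mem.get(id_buf + k, 0) for k in range(8))

if __name__ == "__main__":
    FAKE_UID = bytes.fromhex("1122334455667788")  # constructed test ID
    for build in (cave_by_bytes, cave_literal_pool):
        code = build(FAKE_UID)
        print(f"{build.__name__}: {len(code)} bytes -> {run_cave(code).hex()}")
```

The byte-by-byte variant costs 34 bytes but can be dropped anywhere; the literal-pool variant is 20 bytes but only works if the cave base is word aligned and nothing else is placed between the code and the pool. Whichever you pick, the generated halfwords are what you would patch into the cave with the tools used in the thread; the interpreter here only covers these few encodings and is not a Pico emulator.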

renoob

Code:
(gdb) x/s $r0
0x200259c8:     "\346a\034\267\037\062h)W\003"
(gdb) x/8x $r0
0x200259c8:     0xe6    0x61    0x1c    0xb7    0x1f    0x32    0x68    0x29
(gdb) x/8x 0x200259c8
0x200259c8:     0xe6    0x61    0x1c    0xb7    0x1f    0x32    0x68    0x29
(gdb)

needs picotool


Fingers crossed! I will lose my shit if it works.
 

Tafty

Shame... worth a try. Did you try the bin file with picotool? Maybe the uf2 file is weird.
No, I don't have it set up here. It's a bit late in the day to do it, but I'm sure someone else here can test that. The fact that it flashed the Pico and attempted to load is a good sign though; it means the code you changed didn't break the chip, and it attempted to boot.
 

renoob

Well, I tested that; it behaves just like the original as I see in GDB. The first few attempts were breaking, but I would see that immediately in OpenOCD. Curious if the address changed or something. But as I see in Ghidra, it should be the same on any Pico.
edit: Hm... let me try something, since get_unique_id calls some memory function; maybe the data gets scrambled there.

Probably won't work, but let's see.
edit: Nope, this won't do anything... removed.
 

Tafty

Well, I tested that; it behaves just like the original as I see in GDB. The first few attempts were breaking, but I would see that immediately in OpenOCD. Curious if the address changed or something. But as I see in Ghidra, it should be the same on any Pico.
edit: Hm... let me try something, since get_unique_id calls some memory function; maybe the data gets scrambled there.

Probably won't work, but let's see.
edit: Nope, this won't do anything... removed.
Same outcome.

Nope, bin is a backup of the complete NOR chip; UF2 is only the "program" section.
Is it worth testing flashing the bin?
 

renoob

Have one more idea; will do tomorrow since it's late now.

If someone can test the bin file with picotool, that would be great. The bin file is directly from Ghidra; the uf2 file is dumped from the Pico (flashed the bin with picotool, then dumped again with picotool).

And it's dumped from a normal Pico, not a Zero.

Which gives me another idea...

Tafty, if you can, please flash the original firmware and dump it via picotool to bin (picotool save -a fw.bin) so I can compare addresses/functions.
 