Picofly - a HWFLY switch modchip

Rozetkin

Will try to modify the flash_send_cmd function then, but yeah, you are right, since this function is referenced in another function as well.
Good luck! I'm willing to help with this.


I also found the crc8 initialization, and that scares me. In this firmware it is 256 bytes at address 0x200217B0. This table is definitely used for decryption, but frankly I'm too lazy to figure out how exactly it decrypts the payload.

I also really need to understand what the function at offset 0x10015CF4 does, because it affects decryption and is called three times for every 16 bytes of payload. Also, there is an interesting nested function at offset 0x10015C5C. Only from it can you probably get to the remaining unknown code.
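An added example for the post above (not code from the thread, the Picofly project or any poster): before spending time on how a 256-byte table feeds a decryption routine, it pays to confirm what the table actually is. A 256-byte table can be a CRC-8 lookup table, but it can just as well be a cipher S-box, and for odd polynomials a CRC-8 table is itself a permutation, so the CRC check has to run first. The script below rebuilds CRC-8 tables for every polynomial in both bit orders and the AES S-box from scratch and names the match. The bytes at 0x200217B0 are not reproduced here; SAMPLE_CRC_TABLE and SAMPLE_SBOX are constructed stand-ins for whatever was read out of the dump.

```python
"""Classify a 256-byte lookup table lifted from a firmware dump.

Added example for the thread above; it is not code from the Picofly project
or from any poster. It assumes the 256 bytes at the RAM address mentioned in
the post (0x200217B0) have already been extracted with a debugger or from a
dump; here constructed tables stand in for them. The check answers the
question a reverser asks first: is this a CRC-8 table (and for which
polynomial and bit order), a cipher S-box, or something else?
"""


def reflect8(x: int) -> int:
    """Bit-reverse one byte (0x07 -> 0xE0)."""
    return int(f"{x:08b}"[::-1], 2)


def crc8_table(poly: int, reflected: bool = False) -> bytes:
    """Build the 256-entry CRC-8 lookup table for `poly` (given in normal form).

    reflected=False: MSB-first shift register (e.g. CRC-8 with poly 0x07).
    reflected=True:  LSB-first register using the bit-reversed poly
                     (e.g. CRC-8/MAXIM: poly 0x31, table built from 0x8C).
    """
    table = bytearray(256)
    rpoly = reflect8(poly)
    for i in range(256):
        crc = i
        for _ in range(8):
            if reflected:
                crc = (crc >> 1) ^ rpoly if crc & 1 else crc >> 1
            else:
                crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
        table[i] = crc
    return bytes(table)


def crc8(data: bytes, table: bytes, init: int = 0) -> int:
    """Table-driven CRC-8; the same update step serves both bit orders."""
    crc = init
    for b in data:
        crc = table[crc ^ b]
    return crc


def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def aes_sbox() -> bytes:
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map).

    Walks the multiplicative group with p *= 3 and q /= 3 so that p*q == 1
    at every step; this is the standard table-free construction.
    """
    sbox = bytearray(256)
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                  # q *= 0xF6 (= 1/3)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63          # 0 has no inverse; the affine map alone gives 0x63
    return bytes(sbox)


def classify_table(table: bytes) -> str:
    """Name the table. CRC tables for odd polynomials are permutations too,
    so the CRC match runs before the generic permutation test."""
    if len(table) != 256:
        raise ValueError("expected exactly 256 bytes")
    for poly in range(1, 256):
        for reflected in (False, True):
            if crc8_table(poly, reflected) == table:
                order = "reflected" if reflected else "msb-first"
                return f"crc8 table, poly=0x{poly:02X}, {order}"
    sbox = aes_sbox()
    if table == sbox:
        return "AES S-box"
    if table == bytes(sbox.index(v) for v in range(256)):
        return "AES inverse S-box"
    if len(set(table)) == 256:
        return "unknown 8-bit permutation (S-box candidate)"
    return "no match"


# Constructed stand-ins for bytes read from the dump (NOT real Picofly data).
SAMPLE_CRC_TABLE = crc8_table(0x07)
SAMPLE_SBOX = aes_sbox()

if __name__ == "__main__":
    for name, tbl in (("table A", SAMPLE_CRC_TABLE), ("table B", SAMPLE_SBOX)):
        print(f"{name}: {classify_table(tbl)}")
    print(f"crc8 check value of '123456789': 0x{crc8(b'123456789', SAMPLE_CRC_TABLE):02X}")
```

If the table is reported as a CRC-8 table, the polynomial tells you what the firmware is checking (a payload header or a response from the modchip), and the routine that calls it three times per 16 bytes is then unlikely to be the cipher itself. If it is a permutation that matches nothing, treat it as an S-box candidate and look at how the 16-byte loop indexes it.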
 

hippy dave

I've messed up my account... @IgraBIT1 can you message me again please on this account?
Who can I contact to fix my original account (renoob)? I don't have privileges there to read or post or do anything.
Staff should be able to help you with your account - I've reported your post asking them to help 🤞
 

IgraBIT1

The injection works 100%.

So, I tried this:
https://forums.raspberrypi.com/viewtopic.php?t=336409
The guy made a uf2 file; when you flash it, you get the output "This software is for this board". Yes, it all works fine.
Then you dump this firmware, flash it onto a different Pico, and you get "software not for this board". Everything works as described there; when I did this and flashed my second Pico, I got this output:
[CODE]Welcome to minicom 2.8

OPTIONS: I18n
Port /dev/ttyACM0, 13:35:20

Press CTRL-A Z for help on special keys

======= THIS SOFTWARE HAS BEEN STOLEN =======
This software will not work on this board

======= THIS SOFTWARE HAS BEEN STOLEN =======
This software will not work on this board

-----------------------------------------------------------[/CODE]
Then I did the injection on that dump: since the first uf2 locks the firmware above to the unique ID of the first Pico, I just put the first Pico's ID into the dump that gave the error on the second Pico... and:

[CODE]Welcome to minicom 2.8

OPTIONS: I18n
Port /dev/ttyACM0, 13:51:11

Press CTRL-A Z for help on special keys

This software is for this board
This software is for this board
This software is for this board
[/CODE]
It runs successfully and gives no errors on the second Pico. So my conclusion is that the injection works 100%, since the unique_board example from the Pico examples was modified to one ID, and the example above was locked and is now unlocked after the injection.
....
So maybe the ID supplied by the user with the firmware isn't confirmed, OR something else.

Thank you very much, I sent a message to a supervisor. I found the info in the staff section.
Solved with an account? Do you need more files?
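What the post above calls an injection is swapping the board ID the image was locked to. As an added example (not code from the thread, the linked Raspberry Pi forum example, or the Picofly project), the script below does that swap on either a raw binary dump or a UF2 file, refusing to touch an image where the old ID is absent or appears more than once. Two things are assumptions: that the firmware stores the 8-byte flash unique ID as a literal byte string (the post does not say where or how the real image keeps it, so SAMPLE_IMAGE is a constructed stand-in), and that the UF2 container follows the published UF2 block layout. Background fact worth keeping in mind: an RP2040 has no unique ID of its own; the Pico SDK's board ID is the QSPI flash chip's unique ID, read with a flash command, which is why an ID check ends up going through a flash command helper.

```python
"""Re-key a board-locked RP2040 image by swapping the embedded unique ID.

Added example for the post above; it is not code from the Picofly project,
from the linked Raspberry Pi forum example, or from any poster. Assumptions:
the firmware keeps the 8-byte flash unique ID it was locked to as a literal
byte string somewhere in the image (the post only says the ID was put into
the dump; the real storage format is not stated, so the image below is a
constructed stand-in), and the dump is either a raw binary or a UF2 file laid
out as in the UF2 specification (512-byte blocks: 32-byte header, 476-byte
data area, 4-byte end magic).
"""
import struct

UF2_MAGIC0, UF2_MAGIC1, UF2_MAGIC_END = 0x0A324655, 0x9E5D5157, 0x0AB16F30
UF2_FLAG_FAMILY_ID = 0x00002000
RP2040_FAMILY_ID = 0xE48BFF56
UF2_BLOCK = 512
# magic0, magic1, flags, target addr, payload size, block no, num blocks, family id
HEADER = struct.Struct("<IIIIIIII")


def parse_id(text: str) -> bytes:
    """Accept 'E6_61_1C_B7_1F_32_68_29', 'E6:61:...' or 'e6611cb71f326829'."""
    raw = bytes.fromhex("".join(ch for ch in text if ch.isalnum()))
    if len(raw) != 8:
        raise ValueError("an RP2040 flash unique ID is 8 bytes")
    return raw


def uf2_to_image(data: bytes):
    """Flatten a UF2 file to (base_addr, image). Gaps are filled with 0xFF (erased flash)."""
    if len(data) % UF2_BLOCK:
        raise ValueError("UF2 length is not a multiple of 512")
    blocks = []
    for off in range(0, len(data), UF2_BLOCK):
        blk = data[off:off + UF2_BLOCK]
        m0, m1, flags, addr, size, _, _, fam = HEADER.unpack_from(blk, 0)
        if (m0, m1) != (UF2_MAGIC0, UF2_MAGIC1) or struct.unpack_from("<I", blk, 508)[0] != UF2_MAGIC_END:
            raise ValueError(f"bad UF2 magic in block at offset {off}")
        if flags & UF2_FLAG_FAMILY_ID and fam != RP2040_FAMILY_ID:
            raise ValueError(f"block at offset {off} targets family 0x{fam:08X}, not RP2040")
        blocks.append((addr, blk[32:32 + size]))
    if not blocks:
        raise ValueError("empty UF2")
    base = min(a for a, _ in blocks)
    end = max(a + len(d) for a, d in blocks)
    image = bytearray(b"\xff" * (end - base))
    for addr, payload in blocks:
        image[addr - base:addr - base + len(payload)] = payload
    return base, bytes(image)


def image_to_uf2(base: int, image: bytes, payload_size: int = 256) -> bytes:
    """Re-emit a flat image as RP2040 UF2 blocks (256-byte payloads, as picotool writes them)."""
    nblocks = (len(image) + payload_size - 1) // payload_size
    out = bytearray()
    for i in range(nblocks):
        chunk = image[i * payload_size:(i + 1) * payload_size]
        out += HEADER.pack(UF2_MAGIC0, UF2_MAGIC1, UF2_FLAG_FAMILY_ID, base + i * payload_size,
                           len(chunk), i, nblocks, RP2040_FAMILY_ID)
        out += chunk.ljust(476, b"\x00") + struct.pack("<I", UF2_MAGIC_END)
    return bytes(out)


def patch_board_id(image: bytes, old_id: bytes, new_id: bytes) -> bytes:
    """Replace the embedded ID; refuse images where it is absent or not unique."""
    if len(old_id) != 8 or len(new_id) != 8:
        raise ValueError("IDs must be 8 bytes")
    hits = image.count(old_id)
    if hits != 1:
        raise ValueError(f"expected exactly one copy of the old ID, found {hits}")
    return image.replace(old_id, new_id)


def rekey_dump(dump: bytes, old_id: bytes, new_id: bytes) -> bytes:
    """Patch a raw .bin or a .uf2 dump and return it in the same container format."""
    if dump[:4] == struct.pack("<I", UF2_MAGIC0):
        base, image = uf2_to_image(dump)
        return image_to_uf2(base, patch_board_id(image, old_id, new_id))
    return patch_board_id(dump, old_id, new_id)


# Constructed stand-in for a locked image: Thumb-looking filler with the
# "first Pico" ID embedded once. Real Picofly dumps look nothing like this.
LOCKED_ID = parse_id("01_02_03_04_05_06_07_08")         # constructed
TARGET_ID = parse_id("E6_61_1C_B7_1F_32_68_29")         # the ID quoted in the thread
SAMPLE_IMAGE = b"\x00\xb5" * 300 + LOCKED_ID + b"\x70\x47" * 200
SAMPLE_UF2 = image_to_uf2(0x10000000, SAMPLE_IMAGE)     # 0x10000000 = RP2040 XIP flash base


def demo() -> bool:
    """Round-trip: UF2 -> image -> patched UF2 -> image, then check the swap."""
    patched = rekey_dump(SAMPLE_UF2, LOCKED_ID, TARGET_ID)
    _, img = uf2_to_image(patched)
    return img.count(TARGET_ID) == 1 and LOCKED_ID not in img


if __name__ == "__main__":
    print("re-key ok" if demo() else "re-key FAILED")
```

If the old ID is not found as a literal, the firmware is comparing something derived from it (or comparing in pieces), and the place to look is the code around the references to the ID read routine; patching the comparison itself is then the alternative to re-keying. The uniqueness check matters: an 8-byte pattern that also occurs in code or padding would be silently overwritten by a plain search-and-replace.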
 

renoob2

Solved with an account? Do you need more files?
Not yet solved, still waiting. Can you check that the ID you gave is correct (E6_61_1C_B7_1F_32_68_29)? Is that from your Pico?
Also, it would be great if you could take a better picture of the wiring, just so we are sure it's properly connected (you can't see much in the picture you already posted).
Thank you very much.
 

IgraBIT1

Not yet solved, still waiting. Can you check that the ID you gave is correct (E6_61_1C_B7_1F_32_68_29)? Is that from your Pico?
Also, it would be great if you could take a better picture of the wiring, just so we are sure it's properly connected (you can't see much in the picture you already posted).
Thank you very much.
My working Pico works fine; in the LAN I will send you additional files and the old ones, with those that you worked with.
The ID is correct.
 

renoob2

Ok thank you!

Inspecting again, and there is no other call to flash_cmd_send anywhere; only get_unique_id is referenced 2 times, so there is no need to patch the flash_cmd_send function.
 

Adran_Marit

Good luck! I'm willing to help with this.


I also found the crc8 initialization, and that scares me. In this firmware it is 256 bytes at address 0x200217B0. This table is definitely used for decryption, but frankly I'm too lazy to figure out how exactly it decrypts the payload.

I also really need to understand what the function at offset 0x10015CF4 does, because it affects decryption and is called three times for every 16 bytes of payload. Also, there is an interesting nested function at offset 0x10015C5C. Only from it can you probably get to the remaining unknown code.
Curious
 

Mansi

Wait, has anyone tried using the semi-unlocked firmware to boot hekate, then booting the regular hekate via payload to try to boot HOS?
This will not help, because boot0 is patched during glitching. And after rebooting hekate, nothing will change.)
The system will not boot either. Tafty, if I'm not mistaken, tried to change boot0 from hwfly and the system did not boot.
Right?
 

Adran_Marit

This will not help, because boot0 is patched during glitching. And after rebooting hekate, nothing will change.)
The system will not boot either. Tafty, if I'm not mistaken, tried to change boot0 from hwfly and the system did not boot.
Right?
My understanding is that the current fw is clearing the keyslots when it boots into hekate, so rebooting into hekate after it's already glitched once might work, no? And has anyone tried to test that theory of rebooting back to hekate?
 