Picofly - a HWFLY switch modchip

Adran_Marit

This might be a dumb question, but to me, logically, why don't we just use the uf2 we currently have and just overwrite it with the working one, then resale the uf2 after the fact?

I assume there is a technical reason why that won't actually work.

flynnsmt4

Okay, after taking some time off I decided to look at this again and realized that they're most definitely fingerprinting (or rather, changing behaviour) based on the flash ID. They call flash_get_unique_id as part of an init callback (I thought this was some random flash func) and then continuously copy the unique ID: (lol I initially missed that mov R2, R4)

Based on this data it writes to memory in a specific pattern which is much more complicated to patch out than a simple check; the easiest way to go about this would be if someone dumped a firmware and a unique ID and then emulated it instruction-by-instruction. At the very least it would be helpful to see what they're doing with the 0x110B0 bytes copied from 0x1000297C to the SRAM base (0x20000000). The only problem I see from this would maybe be navigating the function that looks for the sequence on the CMD pin.

I also realized that they probably exit the XIP flash because it runs off of clk_sys which they're changing, because otherwise the dumped firmware.bin would look strange and I don't think the flash would be able to keep up anyways.

For reference, the initially dumped firmware grabs the unique ID in the init routine at 0x10002608, which gets copied into a 256-byte structure at 0x20025868 in the routine at 0x1000070C. Interestingly, the other .uf2s posted here do something slightly different when copying the unique ID, for some reason.

Other than this, I'm basically stuck until someone does what I suggested or if it turns out that binary blob has easy-to-disassemble ARM code.
mrdude

are the 0.7mm cables for rp2040 soldering ok?
If you look at the amount of power you are going to use, you can calculate the wire thickness. For this application you don't need anything more than 25 AWG (0.45mm) - that's more than thick enough, so the 0.7mm wire you are using is fine.
batwings21

For anyone wanting to reverse engineer this, the focus needs to be on getting both a dump and the unique id of the same working chip. Adding a check to verify the unique id is kindergarten stuff, they wouldn't do that. At minimum they would encrypt the rest of the information using the unique id as a key or part of the key.
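To make concrete the difference the two posts above draw between a bare unique-ID comparison and a payload that is keyed by the unique ID, here is an added Python example; it is not code from the thread or from the modchip firmware, and the key derivation, the SHA-256 counter-mode stream, the nonce/tag layout and the sample IDs are all constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed samples: an RP2040 flash unique ID (flash_get_unique_id) is 8 bytes.
GENUINE_UID = bytes.fromhex("e661a4d41760762a")  # constructed, not a real chip's ID
CLONE_UID = bytes.fromhex("e661a4d41760762b")    # constructed, differs in one bit

# Constructed stand-in for the blob the firmware copies from flash into SRAM.
SAMPLE_IMAGE = b"\x00\xbf" * 8 + b"glitch-logic-placeholder"


def naive_check(unique_id: bytes) -> bool:
    """The 'kindergarten' scheme: one comparison, independent of the payload."""
    return unique_id == GENUINE_UID


def derive_keys(unique_id: bytes) -> Tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from the unique ID (assumed KDF)."""
    enc = hashlib.sha256(b"picofly-enc|" + unique_id).digest()
    mac = hashlib.sha256(b"picofly-mac|" + unique_id).digest()
    return enc, mac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream; stands in for AES-CTR so this runs stdlib-only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def bind_payload(payload: bytes, unique_id: bytes, nonce: bytes) -> bytes:
    """Encrypt payload under the device key and append an HMAC tag (nonce|ct|tag)."""
    enc, mac = derive_keys(unique_id)
    ct = bytes(p ^ k for p, k in zip(payload, keystream(enc, nonce, len(payload))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unbind_payload(blob: bytes, unique_id: bytes) -> Optional[bytes]:
    """Return the plaintext only if the tag verifies under this chip's ID."""
    enc, mac = derive_keys(unique_id)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong chip: there is no single branch, the key itself is wrong
    return bytes(c ^ k for c, k in zip(ct, keystream(enc, nonce, len(ct))))
```

With the keyed scheme, a dump taken from one chip only yields usable data together with that same chip's unique ID, which is why the post asks for both from the same working unit.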
rehius

For anyone wanting to reverse engineer this, the focus needs to be on getting both a dump and the unique id of the same working chip. Adding a check to verify the unique id is kindergarten stuff, they wouldn't do that. At minimum they would encrypt the rest of the information using the unique id as a key or part of the key.

Bekir57

Hello guys, there is a problem: after breaking the capacitor at 3.3 V, I got a blue screen error. I hope it's from the capacitor, because at the same time it short-circuited the 2 cables I connected to the MOSFET, so I hope the Tegra X1 is not broken.